
July 4 2015

July 6, 2015




After Historic Hack, OPM Chief’s 15-Point Plan May Be Too Little, Too Late

June 29, 2015 By Aliya Sternstein Nextgov

In the wake of a major hack, agency director Katherine Archuleta outlined a series of steps to counter future breaches.

A cyber strategy announced last week by the head of the agency that hackers robbed of sensitive dossiers on federal employees has potential to deter future attacks, say private investigators who probe computer espionage campaigns. 

“I would like to see OPM emphasize the need to hunt for adversaries now, and institutionalize detection and response for the intrusions that will happen in the future,” said Bejtlich, who also serves as a nonresident senior fellow at the Brookings Institution.

Other investigators praised the plan’s premise that attackers are never completely gone from a system.

The agency prefaces its agenda by stating that, “simply because there is no evidence that this particular threat remains active does not mean that we can decrease our vigilance.”

Malcolm Harkins, global chief information security officer at cyber forensics firm Cylance, said all organizations must embrace the same philosophy.

“We are on a journey with no finish line when it comes to information security and ensuring the privacy of our employees and customers,” he said.

Archuleta’s steps are broken up into four sections. The first three — security improvements, consultations with outside experts, and system upgrades — are necessary but insufficient to confront growing risks, Harkins said. However, the fourth section — which involves accountability — adds the missing piece, he said. 

“Within almost any organization, there is a tendency for structure to drive behavior and for execution toward goals to be the ones that are measured by management,” Harkins said. “By publicly demonstrating the leadership of accountability,” OPM will surely “be able to stay on top of future risks because they will have the structure to drive prevention of issues and learn from incidents that may occur.”

Cylance late last year published an analysis labeling Iran a rising power in cyberspace, comparable to China, and specifically cited a campaign dubbed Operation Cleaver. On Friday, The Hill reported the group behind that series of attacks provided WikiLeaks with about 70,000 confidential cables from Saudi Arabia’s Foreign Ministry. 

While OPM’s tactics might work, bureaucracy has a way of impeding good intentions, some information security researchers say.

“Lots of strategies. The question is whether they get implemented,” said James Lewis, a cybersecurity analyst at the Center for Strategic and International Studies.

House Republicans seem unconvinced that Archuleta and OPM Chief Information Officer Donna Seymour are capable of following through on any security operations.

On Friday, Oversight and Government Reform Committee Chairman Rep. Jason Chaffetz, R-Utah, who heard testimony from Archuleta twice over the past two weeks, and other GOP lawmakers wrote President Barack Obama a letter requesting their removal. 

“We have lost confidence in Director Archuleta’s ability to secure OPM’s networks and protect the data of millions of Americans,” they said in that letter. “We have also lost confidence in OPM CIO Donna Seymour’s ability to do the same. This country’s hard-working federal employees deserve better, and Americans with security clearances whose lives may now be at risk deserve better.”

Archuleta’s Plan to Thwart Future Cyber Theft

1. Finish activating two-step ID checks — All users will be required to log in with a password and a smartcard by Aug. 1. (The OPM attackers busted through the agency’s network using password data stolen from a contractor, according to officials.)

2. Expanding continuous monitoring — There is a governmentwide mandate to deploy a regime of sensors, security analysts and other technology that can monitor network controls in near-real-time. OPM does not have a robust continuous monitoring operation, according to the agency’s inspector general. OPM intends to speed rollout and order contractors to do the same, where feasible.

3. Ensuring permission to probe contractor systems — OPM will write language into prospective contracts spelling out that the agency is allowed access to a contractor’s systems in the event of a cyber incident. (OPM claims background check provider USIS obstructed a federal inspection of the company’s networks after a data breach was detected last year.)

4. Reviewing encryption of databases — Wherever possible, the agency will render database records indecipherable to intruders. A review to determine which currently unencrypted databases can be converted will be completed by July 15. (Encryption would not have foiled the hackers, in this case, because they used the contractor’s authorized credential to unlock the data copied.)

Tapping Outside Expertise

5. Hiring a cybersecurity adviser — A private sector cyber expert will join the agency by Aug. 1.

6. Consulting private sector technology and cyber experts — Archuleta is inviting industry chief information security officers who “experience their own significant cybersecurity challenges” to a workshop in the coming weeks to discuss future steps.

7. Seeking more counsel from the inspector general — Archuleta will meet with the inspector bi-weekly to obtain advice. (The two officials have been at odds over whether OPM’s systems comply with government security statutes.)

Upgrading Systems

8. Transitioning to a new IT setup — OPM is overhauling the agency’s IT environment to make it easier to apply the latest security controls. Once a new operating infrastructure has been developed, existing IT systems will be transitioned. Some OPM technology dates back to the 1980s and runs off esoteric programming language. 

9. Finalizing the budget and scope of the overhaul by the end of the fiscal year. 

10. Evaluating all contracting options — Going forward, “OPM will conduct a thorough analysis on the most reasonable and appropriate course of action, and explore all available contracting avenues to determine the best option for the health of its modernization project and for the taxpayer.” (A contractor hired, without an open competition, to help secure OPM’s systems was accused by a government watchdog this year of possibly misusing $135 million of taxpayer money after videos appeared to show its employees high on drugs and alcohol while working on a U.S. Army contract in Afghanistan, according to The Washington Post.)

11. Requesting additional congressional funding — OPM will provide lawmakers with a list of IT enhancements that require more appropriations.


12. Assessing IT project performance — Every month, Archuleta will meet with Seymour and the new cyber adviser to review IT efforts “to ensure continued progress and accountability.”

13. Holding regular cyber awareness education sessions — All employees and contractors handling sensitive information will undergo a refresher on cyber hygiene on a bi-annual basis.

14. Establishing protocols on incident response — OPM will document standard operating procedures for partnering with other agencies in the event of a future incident.

15. Complying with federal computer security laws — OPM will hold system owners responsible for following the Federal Information Security Management Act. (The agency has had a history of struggling to comply with FISMA and has been running systems not authorized to operate, according to the IG.)

The Bejtlich Detect and Respond Approach

Phase 1: Compromise Assessment: Dispatch teams across government networks to hunt for intruders and, if possible, remove them. “I suspect the ‘remove’ part will be more than these teams can handle, given the scope of what I expect they will find,” Bejtlich writes in a blog post. 

Phase 2: Improve Network Visibility: 

1. Fast-track the activation of EINSTEIN 3A, the latest version of a governmentwide intrusion detection and prevention system. Agencies are required to convert next year, according to the White House. “Waiting until the end of 2016 is not acceptable,” Bejtlich says. “Equivalent technology should have been deployed in the late 1990s.”

2. Ensure the Department of Homeland Security has authority to centrally monitor all EINSTEIN sensors deployed governmentwide. Agencies should be given access to their own data, and there should be a dialogue among agencies and Homeland Security on who should be responsible for acting on EINSTEIN’s findings.

3. Hire enough DHS staff to analyze and act on EINSTEIN discoveries.

4. Make hunting and squashing malicious operations a coordinated, routine practice.

5. Collect metrics on the effectiveness of defensive operations and tailor future countermeasures based on lessons learned. 

Phase 3: Deploy continuous monitoring and reduce the number of access points to the public Internet.


Open Source Dronecode Project Attracts New Investment and Members

by Press • 30 June 2015


Dronecode, the nonprofit organization developing a common, shared open source platform for Unmanned Aerial Vehicles (UAVs), today announced six new commercial members and several nonprofit and academic drone projects that are supporting the effort.

New silver members announced today include Arsov RC Technology, Erle Robotics, Event 38 Unmanned Systems, Parrot, Team Black Sheep and Walkera.

New sponsor members include OpenRelief, Open Source Robotics Foundation, The Autonomous Systems, Control, and Optimization Laboratory (ASCO) at Johns Hopkins, Team Tiltrotor and Uplift Aeronautics.

Formed in late 2014, Dronecode brings together existing open source drone projects and assets under one umbrella organization governed by The Linux Foundation. It currently coordinates and prioritizes funding for six initiatives, 28 Dronecode members and more than 1,200 developers who are collaborating on a de facto standard platform for consumer and commercial drone/robotics open projects.

Dronecode’s significant influx of financial and technical support is driving rapid, diverse UAV progress in areas like vision processing, obstacle avoidance, and environmental and situational awareness. While still a nascent market, industry experts estimate that the commercial drone market will reach $1.27 billion by 2020. Backing for Dronecode is taking off as many begin pursuing drones for humanitarian aid, ecological, agriculture, logistics and parcel delivery purposes.

“We’re thrilled to welcome today’s new members and sponsors so soon after forming Dronecode as a neutral, transparent initiative for advancing UAV technology,” said Amanda McPherson, Chief Marketing Officer at The Linux Foundation. “Their participation affirms the collaborative development model, enabling more parties to provide resources and support to the already vibrant drone community. From improving wildlife protection and search and rescue, to 3-D mapping and precision farming, drones can change our world for both goodwill and economic gains.”

More about today’s new silver members:

Arsov RC Technology: designs and manufactures PX4 compatible flight controllers and other electronic accessories used in UAV vehicles.

Erle Robotics: focuses on making Linux-based artificial brains for robots and drones. They also design, construct and deliver different robots based on Linux.

“We are delighted to join the Dronecode Foundation and collaborate pushing forward the next generation of robots and drones. Linux-based, low-cost and affordable robots, together with the creativity and passion of thousands of developers, will lead the next technological revolution,” said Víctor Mayoral Vilches, CTO of Erle Robotics.

Event 38 Unmanned Systems: provides high endurance UAVs, optical sensors and its cloud based Drone Data Management System™ designed specifically for aerial photogrammetry and map making. Its UAVs feature easy-to-use autonomous operation, extended flight times, and large payloads for the agriculture and surveying markets around the world.

“We are excited to officially join the Dronecode Foundation and look forward to helping shape the future of open source drone technologies,” said Jeff Taylor, Founder, Event 38 Unmanned Systems Inc.

Parrot: Headquartered in Paris, Parrot creates, develops and markets advanced technology wireless products for consumers and professionals. The company innovates and develops in the civil drones market with leisure quadcopters and solutions for professional use. Parrot continues to expand in the commercial drone market, building out its expertise and focus on three target markets:

Geographic information systems (GIS) for the environment, mining / quarrying and city planning sectors,

Surveillance of sensitive areas (warehouses, industrial sites, hypermarkets), protected locations (natural environments) or accident sites (disasters),

Precision farming, made possible by the combination of drones, sensors and algorithms for conversion into agricultural recommendations.

“The market for consumer-friendly drones is skyrocketing,” said Henri Seydoux, Founder and CEO of Parrot. “Consumers have a strong appetite for UAV novelty; drones that don’t just only fly, but also do amazing videos, jump, skim the ocean and maneuver at night with headlights. Linux and open source are leading the way, and we’re excited to collaborate with other drone companies, universities, and nonprofit organizations to advance the technology even further.”

Team Black Sheep: was founded out of passion for “First Person View” aerial videos broadcasting live from above. Known for thrilling YouTube videos shot all over the world, the company sells FPV aircraft and accessories.

“Consumer drones have fundamentally changed the way we shoot videos and see the earth from above,” said Raphael Pirker, Pilot at TBS Avionics. “We are happy to recognize that open source software has spearheaded the technology and our industry. At TBS, we want to be a part of this development and help shape the way that people use drones in the near future.”

Walkera: a professional aero-model manufacturer based in China with offices in the United States that unifies UAV product research and development, production, marketing, and services. The company also recently introduced the DroneCode APM copter, the QR x350 Premium, the first model of the iUAS 2015 series.

“We believe Dronecode Project is off to a strong start managing, guiding and aligning resources to best advance the drone revolution,” said Lucy Chen, President at Walkera. “It’s providing a clear path for corporate and open source collaboration and innovation, and we’re excited to share our drone expertise with this growing initiative.”

More about today’s new sponsored members:

OpenRelief: provides open, crowd-sourced information solutions for disaster relief, enabling the right aid to get to the right places when needed. OpenRelief uses an open source approach that ensures everyone, anywhere, can access its technology.

Open Source Robotics Foundation: is a nonprofit organization that supports the development, distribution and adoption of open source software for use in robotics research, education and product development.

“By working with Dronecode, we’ll be able to make our tools even more useful for UAV projects,” said Tully Foote, ROS Platform Manager at OSRF. “With demand for ROS and Gazebo in UAV development on the rise, Dronecode and OSRF are natural partners. The alliance will organically stimulate greater sharing of knowledge, tools and capabilities between the general robotics and aerial robotics communities.”

Team Tiltrotor: is a Vertical Take Off and Landing (VTOL) initiative from aerospace engineers Trevor Strand and Mike Remaly to develop APM-powered tiltrotors. Tiltrotors combine the qualities of vertical lift for low speed vertical landings and forward thrust for high speed, long range airplane flight.

“As today’s small, affordable drones progress from toys to tools, the tiltrotor will fill roles that traditional fixed wing and multirotor cannot,” said Team Tiltrotor.

The Autonomous Systems, Control, and Optimization Laboratory (ASCO) at Johns Hopkins: is part of the Laboratory for Computational Sensing and Robotics (LCSR) and is focused on creating robots with unprecedented agility and robustness that can fully exploit their dynamical and sensing abilities to operate in natural environments.


“Robotics is an exciting, fast-growing industry that greatly benefits from working with other engineers, developers and commercial parties to help advance the design and usefulness of such systems as quickly as possible,” said Marin Kobilarov, Assistant Professor in Mechanical Engineering at the Johns Hopkins University. “With so much UAV innovation happening in all corners of the world, Dronecode plays an important role transforming research and ideas into real-world applications.”

Uplift Aeronautics: is a 501(c)3 nonprofit organization with a mission to empower and aid communities through innovative aviation technology. Uplift is run entirely by volunteers who are passionate about helping communities develop sustainable aviation solutions that help address social problems. They have a special interest in reaching inaccessible or hard-to-access populations.

“Uplift Aeronautics has been steadily improving its fixed-wing cargo delivery capabilities,” said Mark Jacobsen, Founder, Uplift Aeronautics. “It recently flew a 130km sortie with its Waliid aircraft, a variant of the X-UAV Talon, delivering a 1kg package by parachute at the 70km point. Uplift also developed and tested a lighting system that can be toggled on and off by the autopilot, which could be useful for covert deliveries of humanitarian supplies in conflict zones. Uplift is also developing a custom MAVProxy module called ‘testpilot’ that automatically generates attractive reports with flight performance tables and plots like power, endurance, and range at various airspeeds. Testpilot can be used to compare different configurations of an aircraft and optimize an aircraft for maximum performance.”

3DRobotics and Yuneec International Co. Ltd. are Platinum, founding members of Dronecode, which includes the APM/ArduPilot open source UAV platform, and PX4, an independent, open-source, open-hardware autopilot project. More than 1,200 developers are working on Dronecode with more than 150 code commits a day on some projects. Under the neutral guidance of Dronecode, other qualified parties and developers are encouraged to participate in the development and direction of the software.


About Dronecode Project

Dronecode Foundation is a nonprofit organization working on a common, shared open source platform for Unmanned Aerial Vehicles (UAVs). Dronecode brings together existing and future open source UAV software projects, including the APM UAV software platform originally developed by 3DRobotics. More than 1,200 developers are working on Dronecode’s six projects focused on maximizing adoption of the project’s cost-effective, reliable and technologically advanced UAV software. A Linux Foundation Collaborative Project, Dronecode is an independently funded software project that harnesses the power of collaborative development to fuel innovation across industries and ecosystems.


Defense Officials: Times are Good for Small Business Contractors


By Sandra I. Erwin

June 28 2015


Just less than two years ago, the Pentagon warned in a report to Congress that “continued uncertainty will hit smaller, innovative, and niche product companies particularly hard due to a lack of capital resources.”

But Pentagon officials offered a much cheerier outlook last week as they unveiled the results of the fiscal year 2014 small business federal scorecard.

The federal government overall awarded 24.9 percent of all prime contracts to small businesses in 2014, or about $91.7 billion. And defense contracts accounted for more than half, at $54.3 billion, a figure that earned the Pentagon high praise from the Obama administration.

“This is the highest percentage of contracting dollars ever awarded to small businesses since the 23 percent goal was established in 1997,” said Small Business Administrator Maria Contreras-Sweet, who appeared at a Pentagon news conference June 26 with Undersecretary of Defense Frank Kendall.

“Small businesses now are filing more patents than ever,” she said. “So they’re also driving innovation.”

The Pentagon has made a deliberate effort over the past five years to boost small business contracting, said Kendall. The Defense Department’s “better buying power” procurement guidelines specifically promote the use of small businesses, “both for innovation and for efficiency and to control costs,” he said. “Small businesses, particularly in the services industry, tend to be leaner and more anxious to get work, and thus tend to be more economic in many cases for the department.”

Defense officials’ upbeat talk about small business contracting is a far cry from pessimistic forecasts that followed the military spending downturn between 2009 and 2013. CEOs of large prime contractors repeatedly warned that they feared losing small business suppliers, especially those that make specialized defense-unique products.

Under Kendall, the Pentagon’s industrial policy office launched a sweeping “tier by tier” study of the defense supply chain out of concern for the financial health of small suppliers.

Today, there are no reasons to worry, said André J. Gudger, acting deputy assistant secretary of defense for manufacturing and industrial base policy.

“We don’t have a weak supply chain. We have a very healthy one,” he said. “There’s areas of concern that we have that we focus on, but yes, we have overall a healthy industrial base set up from our first tier to our sub tier suppliers.”

Kenyata L. Wesley, acting director of the office of small business programs, credits Kendall’s better buying power for the improved climate. “Better buying power strategically focuses on small business as well as technology and innovation,” he said. “If you look at better buying power 3.0, which is now the third iteration, there’s a lot more initiatives based on small businesses, because we’re not stopping, we’re not taking the foot off the gas. … It’s not a political statement that they’re the economic engines. They’re technology engines.”

Gudger said he continues to monitor the state of the industry. “I’m responsible for the industrial base and ensuring that it’s a modern, healthy, robust industrial base. And we look at the fragility and criticality of all businesses, not just small. That includes the medium and the large, to see where we have critical capability where we might have an industrial base that’s thin or weak.”

Today, he said, “there is no systemic crisis” concerning defense suppliers. “Our industrial base looks very healthy. We have improved it.”

The SBA has programs to help cash-strapped federal contractors, said Contreras-Sweet. One is called “emerging leaders,” she said. “We take experienced companies, as we help them grow to scale, put them through what we call a mini-MBA.” Another is called “quick pay,” aimed at suppliers with cash flow problems.

Defense Department service contracts appear to be the sweet spot for small businesses. About half of all defense contracts are for services. “The Department of Defense made a decision to focus on areas that were very healthy for small businesses,” said Gudger. “We focused on areas such as knowledge base services, electronic and communications, and facilities management.”

In the federal scorecard, the SBA gave the Defense Department an “A” grade. Eighty percent of the grade is based on the actual prime contracting dollars, said John Shoraka, associate administrator for government contracting and business development at SBA. Ten percent of the grade comes from the amount of subcontracting dollars, and the remaining 10 percent is based on subjective factors such as specific leadership efforts.

Shoraka noted that the federal government also broke a new record for contracts awarded to businesses owned by our military disabled veterans. The goal is 3 percent, but in 2014 that percentage rose to 3.7.



OPM Attack Raises Delicate Political Questions

By Joe Gould 2:30 p.m. EDT June 27, 2015

WASHINGTON — In public remarks, US officials appear to be split over whether to blame China for a pair of major breaches that compromised deeply personal data for millions of federal employees, suggesting a potential policy gap and uncertainty about how best to respond.

One day after National Security Agency (NSA) Director Adm. Mike Rogers declined to confirm China was the culprit at an intelligence conference here, Director of National Intelligence James Clapper called China “the leading suspect.”

If the US was going to point fingers over the mass collection of personal data, China might just tell Rogers — as the public face of an agency that broke US privacy rules — to look in the mirror, an analyst said. Plus, it comes amid the awkward revelation of extensive eavesdropping by the NSA on the private conversations of French officials, including three presidents.

“The US has been calling China out when breaches occurred in the areas where the US has a high moral ground, such as intellectual property theft and free speech,” said Klara Tothova Jordan, of the Brent Scowcroft Center on International Security’s Cyber Statecraft Initiative.

“The US is involved in state espionage, so it would be hypocritical to call China on something the US is doing. I think the US wants to preserve its weight for the situation where there is a legitimate reason to call China out.”

Rogers is the director of one intelligence agency, and Clapper is the nation’s top intelligence official, responsible for integrating intelligence across multiple agencies. “He naturally should have more insights into what is happening than anyone else,” Tothova Jordan said.

Clapper made the comments June 25 at the GeoInt Symposium, an intelligence conference in Washington, where a moderator asked if he could name China as responsible for the breaches at the Office of Personnel Management (OPM).

“I mean, that’s the leading suspect,” Clapper replied. Clapper was the first administration official to name China publicly, though the New York Times and Washington Post cited unnamed government officials in their reporting that China was the top suspect.

“On the one hand — please don’t take this the wrong way — you’ve got to salute the Chinese for what they did,” Clapper said earlier in his talk. “If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”

Finding the best response to these attacks has been a sticking point for US decision-makers. While military leaders in the cyber domain have made clear the US possesses cyber capabilities to retaliate, it does not appear that those capabilities have been used.

“That has been a struggle for us because of concerns about unintended consequences,” said Clapper, who emphasized the need to further develop methods of deterrence in cyberspace while also improving defenses.

A day before Clapper’s remarks, Rogers — also at GeoInt — was asked about the attack and said he did not accept the “assumption” in the question that the breach is attributable to China.

“I think first of all, I’m not getting into the specifics of attribution,” he said. “That’s a process that we’re working through on the policy side. That’s ongoing.”

For the US, there are separate matters of technical attribution and political attribution, said Michael Sulmeyer, a former Pentagon cyber policy official and now director of the Cyber Security Project at Harvard University. Sulmeyer said he suspected the government is working through both.

Once the US follows the digital footprints to a computer, the questions get trickier, Sulmeyer said. Who was sitting at that computer? Who ordered that person to do it? Who forbade that person from doing it but did it anyway?

Officially, an FBI investigation is ongoing. The government, which learned of the breach in April, may be working not only to determine what happened, but the appropriate response from policy and legal perspectives.

“I think that at this stage — without being able to attribute in a publicly verifiable way and finding an argument why what China did was wrong — naming China would be more counterproductive than anything else,” said Tothova Jordan.

The timing would also be inconvenient with the Seventh China-U.S. Strategic Economic Dialogue ongoing the week of June 22, and discussions being conducted on bigger issues: the South China Sea, US-Chinese military relations, trade, energy and climate change, among many others.

State Department Spokesman John Kirby in a mid-June briefing would not confirm that the OPM hack would be raised in discussions with China and, on June 23, danced around questions over attributing the attack to China.

“Don’t try to distill what I’m saying down to some, like, there’s going to be specific charges levied against them for this or that incident,” Kirby said.

In the case of North Korea’s hack against Sony, in November 2014, the US did not name North Korea for weeks. “That was because nobody knew what to do about it,” said Richard Bejtlich, chief security strategist of cybersecurity company FireEye, which was involved in the response.

The US has taken a hard line against Chinese state-sponsored cyber theft from US companies. In May 2014, the US indicted five Chinese military hackers who targeted companies in the US nuclear power, metals and solar products industries.

“The norm we have been trying to push is when it’s government-on-government, military-on-military, that’s expected, but when it’s private companies getting hacked by the Chinese military to steal their IP and commercialize it, that’s beyond the pale,” Bejtlich said.

“It’s an awkward situation to say, ‘Well, it’s the Chinese,’ because what are you going to do about it? Nothing, because it’s OK by our norms,” Bejtlich said.

In a post on the national security website Cipher Brief, retired Air Force Gen. Michael Hayden, former NSA and CIA director, called the OPM hack, “legitimate state espionage, one government going after another for information that could contribute to its national security.

“As director of the National Security Agency, given the opportunity against similar Chinese information, I would not have hesitated for a second and I wouldn’t have had to get anyone’s permission to do it,” he said.

Hayden rapped the executive branch over being “late to need” on cybersecurity, and Congress for its failure to pass cybersecurity legislation that would have given liability protection to firms sharing cyber threat information with one another and with the government. In particular, he chided Rep. Jason Chaffetz, R-Utah, and chairman of the House Oversight Committee, who presided over hearings about the OPM hack.

“And Chairman Chaffetz was an enthusiastic supporter of the USA Freedom Act designed to rein in the allegedly renegade National Security Agency and its wanton depredations of American privacy,” Hayden said. “Little more than 48 hours after voting to limit the nation’s most powerful cyber force, Chaffetz and the rest of Congress was demanding to know how the personal records of millions of Americans could have been violated by a foreign power. Perhaps they misidentified the real threats to American privacy.”

More than deterrents, which have become a central part of the conversation about the OPM hack, the government needs to take a hard look at how to strengthen defense, Sulmeyer said.

“I’m not so comfortable dismissing the defense question here,” he said. “If you are saying this information is crucial and look how damaging its theft is, you should also be asking what — as they say in Vegas — are we doubling down on in terms of defense of your most crucial data is for tomorrow and the next day.”

However, Sulmeyer credited the White House’s deliberate way of attributing these types of incidents and crafting responses, targeting weaknesses to deterrent effect.

Economic sanctions against North Korea hit its reliance on illicit funds while the indictment of Chinese hackers hit China’s desire for regime legitimacy, Sulmeyer said.

“Sometimes it can seem like a policy gap, or that there’s an inability to respond,” Sulmeyer said. “But what actually may be at issue is it’s not always clear how the US links certain actions it undertakes, relative to what prompted it.”


Union sues feds over hack, says agency had ample warning


Jun. 29, 2015 6:36 PM EDT


WASHINGTON (AP) — The largest federal employee union filed a class action lawsuit Monday against the federal personnel office, its leaders and one of its contractors, arguing that negligence contributed to what government officials are calling one of the most damaging cyberthefts in U.S. history.

The suit by the American Federation of Government Employees names the Office of Personnel Management, its director, Katherine Archuleta, and its chief information officer, Donna Seymour. It also names Keypoint Government Solutions, an OPM contractor.

Hackers suspected of working for the Chinese government are believed to have stolen records for as many as 18 million current and former federal employees and contractors last year. Detailed background investigations for security clearances of military and intelligence agency employees were among the documents taken.

OPM acknowledged the hack earlier this month, and has come under withering criticism from lawmakers and outside experts ever since. The agency’s inspector general told Congress he had been warning for years that the agency’s information security was inadequate but those warnings went largely unheeded.

The lawsuit alleges that OPM was negligent when it failed to improve its security and safeguard employee information despite the warnings. The suit says an earlier hack of Keypoint systems allowed the attackers to obtain credentials that led to the later breaches.

“Since 2007, officials at OPM have been alerted to their lackluster data security policies and protocols and failed to take appropriate steps to safeguard the information,” AFGE National President J. David Cox Sr. and other union officials said in a joint statement. “Although they were forewarned about the potential catastrophe that government employees faced, OPM’s data security got worse rather than better.”

The suit seeks unspecified monetary damages and calls for more extensive credit monitoring for employees who had their personal information stolen, saying the 18 months of monitoring offered by OPM is inadequate.

“We want the OPM and other responsible parties to take responsibility, do everything feasible to remedy the problem and ensure that our clients do not suffer any further harm as a result of their information being compromised,” said Daniel Gerard, the lawyer representing the union.

OPM and Keypoint did not immediately respond to requests for comment.

The suit came on the same day that OPM said it has shut down a massive database used to update and store background investigation records after discovering a new flaw that left the system vulnerable to additional breaches.

The database is known as e-QIP, short for Electronic Questionnaires for Investigations Processing.


There is no evidence the vulnerability has been exploited by hackers, agency spokesman Samuel Schumach said in a statement, adding that OPM took the step protectively after analyzing its networks for security flaws. He said the system could be shut down for four to six weeks.

The shutdown is expected to hamper agencies’ ability to initiate investigations for new employees and contractors, as well as renewal investigations for security clearances, Schumach said.

But, he added, the federal government will still be able to hire, and in some cases grant clearances on an interim basis.


Pentagon Releases National Military Strategy

By Aaron Mehta 9:32 a.m. EDT July 2, 2015


WASHINGTON — The Pentagon has released a new National Military Strategy, the first update to that document since 2011 — one that warns the threat of major war with another nation is “growing.”

The strategy is being updated to reflect the new global security situation, one in which the US is facing near-peer adversaries like Russia and China while simultaneously having to handle diffuse militant groups like the Islamic State.

“Since the last National Military Strategy was published in 2011, global disorder has significantly increased while some of our comparative military advantage has begun to erode,” Chairman of the Joint Chiefs of Staff Gen. Martin Dempsey wrote in his introduction to the strategy document.

“We now face multiple, simultaneous security challenges from traditional state actors and transregional networks of sub-state groups — all taking advantage of rapid technological change,” Dempsey continued. “We are more likely to face prolonged campaigns than conflicts that are resolved quickly.”

The contents of the document should be no surprise to those who follow the Pentagon. It is a straightforward military document, devoid of politics. The words “budget” and “sequestration” are nowhere to be found.

Instead, the document focuses on the importance of partnerships to maintain the delicate security balance around the globe, something Pentagon officials have been pushing over the last several months.

Speaking after the release of the document, Dempsey said the strategy acknowledges that American success “will increasingly depend on how well our military instrument supports the other instruments of national power, and how it enables our network of allies and partners.”

The strategy specifically calls out Iran, Russia and North Korea as aggressive threats to global peace. It also mentions China, but notably starts that paragraph by saying the Obama administration wants to “support China’s rise and encourage it to become a partner for greater international security,” continuing to thread the line between China the economic ally and China the regional competitor.

“None of these nations are believed to be seeking direct military conflict with the United States or our allies,” the strategy reads. “Nonetheless, they each pose serious security concerns which the international community is working to collectively address by way of common policies, shared messages, and coordinated action.”

Later, the strategy authors note that “today, the probability of U.S. involvement in interstate war with a major power is assessed to be low but growing.”

However, “hybrid conflicts” — not just the Islamic State, but forces such as the Russian-backed rebels in Ukraine — are likely to expand.

The strategy also hits on the concerns, highlighted by Secretary of Defense Ash Carter and Deputy Secretary Bob Work over the last six months, that the US is no longer guaranteed technological superiority, or that in conflicts with groups like the Islamic State, that technological superiority may not be a guarantee of victory.


New Export Rule for Defense-Funded Technology Raises Alarms
By Sandra I. Erwin


U.S. manufacturers have hailed the Obama administration’s six-year effort to ease the red tape for exporters. Defense companies that make products with commercial applications especially have benefitted from reforms that have sought to draw a clear distinction between technologies that are uniquely military and those that are dual use.

One of the key goals of the reforms was to specify what items are regulated as “defense articles” by the State Department — as opposed to commercial products regulated by Commerce — and end the ambivalence that has vexed exporters.

So it might come as a surprise to Pentagon contractors that a new rule that affects electronic equipment would by default classify as a “defense article” any electronics developed with Defense Department funding, regardless of whether the technology is a sensitive military system or intended also for civilian applications.

The regulation, which affects electronic systems whose development is funded by any Defense Department contract dated July 1 or later, has the potential to become a compliance nightmare for companies that rely on government contracts to design products that they hope to commercialize later.

The rule has industry attorneys scratching their heads because it seems to run counter to the spirit of the administration’s export control reform effort. Many industry CEOs have said the reforms have helped simplify the licensing process and removed onerous red tape from the exports of commercial technologies that once were categorized as defense articles under the U.S. Munitions List.

The electronics provision could have significant ramifications, said Jason M. Silverman, a partner at McKenna Long & Aldridge who specializes in government contracting. “Basically anything with a digital component that was developed with Defense Department funds would be controlled under ITAR.”

The International Traffic in Arms Regulations control exports of defense-related products and services. The U.S. Munitions List has 21 broad categories of products that are subject to the ITAR. The reforms have focused on each separate category. Electronic equipment and systems fall under category 11. The newly introduced federal regulation applies to “developmental electronic equipment or systems funded by the Department of Defense via contract or other funding authorization.”

The definition of what is being regulated under ITAR is very broad, Silverman told National Defense. The government arguably is departing from the original purpose of export control reforms, which was to stop using catchall designations for product categories. “There’s no clarity on what is developmental,” he said. “This definitely has the potential to expose companies” that may not be aware that the technology they are developing under a defense contract falls under ITAR control. “I can see people being caught off guard.”

The specific impact of the rule on exporters might not be known for years, but attorneys like Silverman and others are warning of a possible regulatory quagmire, particularly for small businesses that might not have the legal expertise. Big defense contractors have a compliance apparatus in-house to deal with new regulations, but startups and commercial firms may be ill-equipped to handle complex regulatory requirements, said Silverman.

A sticky situation would be, for instance, a company developing technology that, even though it was funded by the Pentagon, would have applicability in civilian markets such as medical devices or surveillance sensors. In such cases, the only way to avoid ITAR control would be to have the contract specifically state that the technology is both for “military and civilian applications.” Another option would be to file a “commodity jurisdiction” request to the State Department that would exempt that product from the ITAR.

The rule could come into play for any U.S. company that does any offshore research, development or manufacturing.

“Government contracting officers and contractors are going to have to be sensitive to this,” said Silverman. For contractors, especially, there is a lot at stake if all of a sudden they find themselves having to comply with regulations of which they were not aware. This is precisely the type of confusion that export control reforms were intended to avert, he said. “There’s supposed to be added clarity to these categories. You’re supposed to be able to classify items as either military or commercial and the reform was supposed to facilitate that process.”


Under the new rules, contractors might have to factor the cost of ITAR compliance into their negotiations with the government, or they could work out an agreement so the contracting officer states the product has commercial applications and therefore would not be ITAR controlled.

The notion that a product is ITAR controlled by nature of its funding is not new in export regulations, Silverman pointed out. “But this takes it a step further.”

A similar provision was put in category 15 for space systems. Hosted payloads and other subsystem development funded by the Defense Department would automatically be ITAR controlled unless it is exempted by language in the contract or by a State Department commodity jurisdiction ruling. Under category 8 (aircraft) the same rule covers developmental aircraft funded by the Defense Department.

The issue with category 11 is that, unlike aircraft, the lines between military and civilian application in electronic equipment and systems are much fuzzier so the rule could impact a wider universe of companies that make products in this category.

It is conceivable that, as a result of this rule, commercial companies might think twice before taking Pentagon money for any development work out of fear of falling under the ITAR regime, although that should not be a deterrent, said export attorney TJ Ogden. Companies should not use the ITAR as a crutch or fear the regulations, but should make sure they have proper knowledge of export control rules and set up a compliance program to deal with both the State and Commerce departments, said Ogden, who is director of defense exports at Defense Export & Logistics, a division of Pacific Propeller International.

Most of the export control reforms in general have been “very positive,” he said, although the electronics rule is likely to cause some confusion. “It would be important for the government to make sure they make regulation more specific as opposed to broad brushing all electronic systems.”


Dempsey’s Final Instruction to the Pentagon: Prepare for a Long War

July 1, 2015 By Marcus Weisgerber


The U.S. military needs to reorganize itself and prepare for war that has no end in sight with militant groups like the Islamic State and nations that use proxies to fight on their behalf, America’s top general warned Wednesday.

In what is likely his last significant strategy direction before retiring this summer, Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff, said at the Pentagon that “global disorder has trended upward while some of our comparative advantages have begun to erode,” since 2011, the last update to the National Military Strategy.

“We are more likely to face prolonged campaigns than conflicts that are resolved quickly… that control of escalation is becoming more difficult and more important… and that as a hedge against unpredictability with reduced resources, we may have to adjust our global posture,” Dempsey writes in the new military strategy.

Dempsey, the president’s senior military advisor, criticizes Russia, Iran, North Korea and China for aggressive military actions and warns that the rapidly changing global security environment might force the U.S. military to reorganize as it prepares for a busy future.

The military has been shrinking since 2012, when the Obama administration announced plans to pivot forces to the Asia-Pacific region as troops withdrew from Afghanistan and Iraq. But since then, Obama slowed the Afghanistan withdrawal as fighting continues there, and thousands of American military forces have found themselves back in the Middle East and North Africa conducting airstrikes, gathering intelligence and training and advising Iraqi soldiers that are battling ISIS. Since U.S. forces are not deployed to Iraq in a combat role, significantly fewer troops are needed compared to the hundreds of thousands of troops that were sent to Iraq and Afghanistan over the past decade. Still, U.S. commanders have repeatedly said it will take decades to defeat ISIS, and a stronger nonmilitary effort to defeat the ideology that fuels Islamic extremist groups.

Non-state actors, like ISIS, are among the Pentagon’s top concerns, but hybrid wars, in which nations like Russia support militia forces fighting on their behalf in eastern Ukraine, also threaten national security interests, Dempsey writes.

“Hybrid conflicts also may be comprised of state and non-state actors working together toward shared objectives, employing a wide range of weapons such as we have witnessed in eastern Ukraine,” Dempsey writes. “Hybrid conflicts serve to increase ambiguity, complicate decision-making, and slow the coordination of effective responses. Due to these advantages to the aggressor, it is likely that this form of conflict will persist well into the future.”

Dempsey also warns that the “probability of U.S. involvement in interstate war with a major power is … low but growing.”

“We must be able to rapidly adapt to new threats while maintaining comparative advantage over traditional ones. Success will increasingly depend on how well our military instrument can support the other instruments of power and enable our network of allies and partners,” Dempsey writes.

The strategy also calls for greater agility, innovation and integration among military forces.

“[T]he 2015 strategy recognizes that success will increasingly depend on how well our military instrument supports the other instruments of national power and how it enables our network of allies and partners,” Dempsey said Wednesday.


The military will continue its pivot to the Pacific, Dempsey writes, but its presence in Europe, the Middle East, Latin America and Africa will evolve. The military must remain “globally engaged to shape the security environment,” he said Wednesday.

The Russian campaign in Ukraine has military strategists questioning if traditional U.S. military force as it is deployed globally is still — or enough of — a deterrent to hybrid and non-state threats like today’s terrorism. “If deterrence fails, at any given time, our military will be capable of defeating a regional adversary in a large-scale, multi-phased campaign while denying the objectives of – or imposing unacceptable costs on – another aggressor in a different region,” Dempsey writes.

The chairman also criticizes Beijing’s “aggressive land reclamation efforts” in the South China Sea where it is building military bases on disputed islands. In the same region, on North Korea, “In time, they will threaten the U.S. homeland,” Dempsey writes, and mentions Pyongyang’s alleged hack of Sony’s computer network.

Dempsey scolds Iran, which is in the midst of negotiating a deal with Washington to limit its nuclear program, for being a “state-sponsor of terrorism that has undermined stability in many nations, including Israel, Lebanon, Iraq, Syria, and Yemen.”

Russia, Iran, North Korea and China, Dempsey writes, are not “believed to be seeking direct military conflict with the United States or our allies,” but the U.S. military needs to be prepared.

“Nonetheless, they each pose serious security concerns which the international community is working to collectively address by way of common policies, shared messages, and coordinated action,” Dempsey said.


The 9 Scariest Things That China Could Do with the OPM Security Clearance Data

July 2, 2015

The theft of the SF-86 security clearance records of millions of current, former, and prospective U.S. government employees and contractors from the Office of Personnel Management (OPM) probably has the Chinese government doing a happy dance. This data breach may affect up to 6 percent of the entire U.S. population. What use can the data be to China? Here are nine things that can now be done on an industrial scale.

1. Identify undercover officers. It is unclear if Chinese intelligence could have gained access to information about intelligence agency personnel through OPM. It may not matter much. Some particularly security-conscious agencies do not process their clearances through OPM, but with a complete list of people whom the OPM has investigated, it is child’s play to identify people who work for those particularly interesting agencies. If the Chinese Ministry of State Security wants to know whether Jane Doe is a CIA officer, it can check whether she shows up in the OPM data. If not, she probably is. This is precisely why the State Department stopped publishing its Biographic Register of Foreign Service Officers in 1974.

2. Neutralize U.S. government officials. If China finds itself vexed by a particularly effective or vocal anti-Chinese policy official, or a particularly aggressive intelligence officer, it could “neutralize” that person by framing him or her for some form of malfeasance that would cost a security clearance or a Senate confirmation. Things like this really happen. Remember when somebody framed Senator Robert Menendez for sexual improprieties? It almost got him arrested by the FBI. A deception operation always works best if it plays to something that the target already suspects. Hence, China could use the SF-86 data to find the weakest point of a clearance holder — be it money, psychological issues, sex or something else — the one that U.S. security officials would already be most worried about, and then structure their framing around that weakness.

3. Threaten overseas family members. China could use the SF-86s to identify any relatives of cleared Americans who live abroad. They could then threaten those relatives with harm unless the American cooperates. Alternately, China could share selected SF-86 data with other countries so that those countries could harass clearance holders who work there.

4. Harass clearance holders or their families in the United States. Are you a Chinese-American clearance holder in the United States? Chinese intelligence can make your life miserable right here in America. Operations like this are old hat for the Chinese government. For years, it has intimidated Chinese citizens, in both the United States and Australia, whom it identified as members of Falun Gong, as Tibetan activists, or simply as too pro-democracy in their inclinations.

5. Wire you for sound. Now that China knows where you live, its operatives can bug your house just like the KGB did to the chief of the CIA’s Afghan Group in season 3 of The Americans. Think that’s implausible? Russia managed to bug a conference room inside the secured State Department sixteen years ago. China should be able to do the same thing to your relatively unsecured home.

6. Figure out exactly what it takes to get a security clearance. China could do a statistical study of the SF-86s to find out what peccadilloes, degree of foreign contacts, or extent of debt applicants can have and still get clearances. This would be useful information to Chinese intelligence in its efforts to penetrate the U.S. government by recruiting young people like American student Glenn Shriver even before they have clearances.

7. Publish the data. If China wanted to go this route, it would probably do it through a cutout. The Chinese government could do this either as one big data dump or by publishing a selected list of people they sought to discredit by naming them as CIA or other undercover officers even if they were not actually such. This has happened in the past. In the late 1960s the East German Stasi sponsored the publication of a book called Who’s Who in the CIA. Most of the 3000 people named in the book did not work for the agency, though some did, such as Richard Welch, who was murdered in Athens several years later.

8. Guess passwords. Did your password incorporate your birthdate? The name of your home town? Your wife’s middle name? Congratulations, the Chinese intelligence service now knows those things thanks to the OPM hack. A simple algorithm can generate a password dictionary with decent odds of getting into your system.

9. Spear phish. China now has lots of data to make spear phishing possible. Why wouldn’t you click on the link apparently sent by your mother Edna Jones about the 4th of July parade in downtown Dubuque, where you grew up? If you do, however, you could lose control of your computer. That could be disastrous. Maybe you wrote some notes on your computer for your big briefing at work tomorrow. Or you mentioned your upcoming deployment in an email. Or maybe the Chinese retrieved copies of your love notes to your mistress. Now they have potential blackmail material. Or maybe they scarfed up the password to your online banking account. Now they can steal your money and swoop in to recruit you in your time of financial crisis. Or, if they get you on your unclassified work computer, you’ve got even bigger problems. Ask Sony how they feel about spear phishing.


Rasmussen Reports

What They Told Us: Reviewing Last Week’s Key Polls

Saturday, July 04, 2015

Americans continue to rank Independence Day second only to Christmas as the nation’s most important holiday but also express increasing frustration with the government born that day.

The Declaration of Independence, the foundational document that Americans honor on the Fourth of July, says that governments derive their authority from the consent of the governed, but just 25% believe that to be true of the federal government today.

Only 20% now consider the federal government a protector of individual liberty.  Sixty percent (60%) see the government as a threat to individual liberty instead.

Despite strong, longtime support for more border control, most voters continue to believe the federal government is a supporter, not an opponent, of illegal immigration.

Following the recent controversial rulings on Obamacare and gay marriage, negative views of the U.S. Supreme Court are now at their highest level in nearly nine years of regular surveying.

Voters also believe more strongly that individual states should have the right to ignore the federal courts.

Most voters have long believed that the Supreme Court justices have their own political agenda,  and they still tend to feel that that agenda is more liberal than conservative.

Voters are closely divided in their opinions of the Obamacare and gay marriage rulings, but younger voters are more supportive than their elders are, especially in the case of gay marriage.

President Obama’s daily job approval appears to have improved slightly since the Supreme Court rulings, but his monthly job approval rating of -16 in June ties his worst showing this year.

The president announced this past week that the United States and Cuba are restoring relations after over 50 years of diplomatic estrangement. While that chapter of the old Cold War is coming to a close, U.S. voters worry that a new Cold War between the United States and Russia is coming.

New Jersey Governor Chris Christie, once considered a formidable contender for the 2016 Republican presidential nomination, tracks in the lower tier of GOP hopefuls now that he has made his candidacy official.

Here’s a look at how all the announced presidential candidates stack up so far.

In other surveys last week:

Just 26% of voters think the country is heading in the right direction, tying the low for the year first reached in April.

— The rogue Internet site WikiLeaks has released more illegally obtained classified U.S. documents, this time showing that America has spied on the last three French presidents. Forty-nine percent (49%) of voters consider the leaking of these classified documents to be an act of treason.

— California Governor Jerry Brown recently signed one of the strictest school vaccination laws in the country, and most voters think more states will follow suit.

— Many things Rasmussen Reports asks about are pocketbook issues for Americans, and it appears offshore oil drilling is another one of them.

— A new FDA ruling requires the food industry to phase out partially hydrogenated oils, the main source of trans fats, over the next three years, and voters are generally okay with that. But most of the time they don’t want the federal government telling them what to eat.

