July 25 2015

August 3, 2015

25 July 2015



Drones continue to hurt Southern California fire-fighting efforts

by Press • 18 July 2015


When a drone grounded aircraft that were trying to fight the North fire on Friday afternoon, it was only the latest in a series of recent incidents where a drone interfered with local firefighters — and, officials said, risked lives.

San Bernardino County Board of Supervisors Chairman James Ramos on Friday said enough was enough, and that the board will be discussing at its next meeting on July 28 what it can do to crack down on drone operators endangering the safety of county citizens and public safety officials.

“When you’re inhibiting the response of the first responders, then you infringe on the safety of the residents of San Bernardino County,” Ramos said.

The board will discuss its options regarding the enforcement of existing laws on illegal drone use, as well as the possibility of offering a reward for information leading to the arrest and conviction of illegal drone operators who disrupt firefighters and police during emergencies.

Existing law includes a $1,000 fine for misdemeanor interference with firefighting efforts.

Other recent efforts to strengthen drone regulations include a federal bill by Paul Cook, R-Apple Valley, and state legislation proposed by Assemblyman Mike Gatto (D-Glendale) and Senator Ted Gaines (R-El Dorado).

Efforts to fight recent wildfires have been repeatedly hampered by drones:

• Southern California’s first major wildfire of the season, the Lake fire in the San Bernardino Mountains, was interrupted on its first day by a drone.

It forced the air tanker pilots to jettison a total of about 2,000 gallons of retardant at a cost of roughly $15,000, U.S. Forest Service spokesman John Miller said. It also forced the grounding of three aircraft, including two air tankers preparing to drop retardant along the eastern flank of the fire.

“More importantly, it could’ve killed everybody in the air,” Miller said at a news conference the next day, which was held specifically to address the drone situation.

• Later the day of the news conference, a second drone interfered.

• Firefighters battling the Sterling fire in late June encountered two drones, one of which officials determined was flying legally. The other was over the fire, which is considered restricted airspace.

• During a 54-acre fire in the Yucaipa Ridge area last weekend, aerial firefighting had to be halted when fire officials spotted a private drone flying near the scene, authorities said.

Staff writers Ryan Hagen and Joe Nelson contributed to this report.




Governors order National Guardsmen to be armed

By Gary Fineout, The Associated Press 1:59 p.m. EDT July 19, 2015


TALLAHASSEE, Fla. — Governors in at least a half-dozen states ordered National Guardsmen to be armed in the wake of an attack on two military facilities in Tennessee, and Florida Gov. Rick Scott went a step further Saturday by immediately relocating recruiters to armories.

In an executive order, the Republican governor said he wants Guard recruiters to move from six storefront locations into armories until state officials can evaluate and make security improvements, including possibly installing bullet-proof glass or enhanced surveillance equipment.

Scott ordered the guardsmen to be armed, as did governors in Texas, Louisiana, Arkansas, Oklahoma and Indiana.

Security for the recruiting centers has come under scrutiny since the Tennessee shootings because some people believe they are too vulnerable. U.S. military officials have said security at recruiting and reserve centers will be reviewed, but the Army’s top officer, Gen. Ray Odierno, said it’s too early to say whether the facilities should have security guards or other increased protection.

Scott, however, said during an interview with CNN that recruiting centers could be targets and that’s why he wants the National Guard moved until officials are “comfortable” that they will be safe.

“We’ve got to understand that you know we have people in our country that want to harm the military,” Scott said. “They need to be safe and they need to be armed.”

As governor, Scott oversees the Florida National Guard and can act without federal involvement. He ordered officers to make sure all full-time members of the guard are armed “in the interest of immediately securing Florida National Guardsmen who are being targeted by ISIS.”


Exclusive: Russian Hackers Target The Pentagon

07.18.15 4:38 PM ET

Shane Harris


A sophisticated group of hackers, who earlier targeted the White House and State Department, have launched a stealth phishing campaign on the Pentagon.

Hackers linked to Russia who penetrated the computer networks of the White House and the State Department have turned their sights on the Pentagon, The Daily Beast has learned. And this time the hackers are using more sophisticated technologies that make them exceptionally hard to detect and that allow them to cover their tracks.

The Daily Beast obtained an email notice that the Defense Department sent Friday warning “at least five” DOD computer users have been targeted in the latest campaign. The notice linked these attacks to penetrations of unclassified networks at the White House and State Department that began last year and were reported in April. The notice doesn’t specify whether any information has been stolen, nor does it indicate which agencies the targeted victims work in.

But based on the technical details contained in the notice, the hackers are upping their game and employing even more advanced methods to trick users into downloading viruses onto their computers that can then siphon off files, messages, and other sensitive information.

“The sophistication of this attack far surpasses anything we have seen to date from any state actors,” said Michael Adams, a computer security expert who served more than two decades in the U.S. Special Operations Command. The Daily Beast shared the technical details of the malware with Adams, who said it employed tools that make the intruder extraordinarily difficult to detect.

“To use a military analogy, the level of sophistication of this attack is like comparing a World War I propeller-driven fighter plane to a stealth bomber coming in under the radar, completely destroying its target, and leaving before the enemy even realizes they have been attacked,” Adams said.

In the new campaign, which the notice says was detected on July 8, the victims received emails that purported to come from the National Endowment for Democracy, a prominent non-profit organization in Washington that receives congressional funding. The group supports pro-democracy efforts around the world, including in Russia and China, where hackers who recently stole personal records from more than 22 million current and former U.S. government employees are believed to be based.

The emails contained a link that, when clicked, takes recipients to an infected server on the organization’s network. It then downloads malicious software on to the victim’s computer.

A spokesperson for the National Endowment for Democracy didn’t respond to requests for comment.

The notice says that the campaign is using a “variant” of the malware reported in April, but this campaign appears to be more advanced in several respects. The hackers are using multiple forms of encryption and secure communication channels. They’re also able to erase traces of the intrusion, which can make it difficult to know what the hackers stole and whom they infected.

In another clever trick, the infected server at the pro-democracy group actually delivers two documents to the intended victim—one a “benign document” such as a pdf or audio file, and the other a “malware loader” that starts running unbeknownst to the victim.

The malware works in stages. Once implanted, it calls out to another server and downloads a second file containing more malicious software. That communication occurs via an encrypted connection designed to avoid eavesdropping.

A Defense Department official acknowledged that the notice had been sent but declined to comment further on the hacking campaign. “There are thousands of attempts to hack DOD every day. We have processes and procedures in place to mitigate those attempts,” the official told The Daily Beast.

A spokesperson for the National Security Council referred queries to the Pentagon.

The notice, which was distributed to Defense Department contractors and others cleared by the Pentagon to receive security warnings, says that it was an “anticipatory intelligence product,” which may indicate that the Pentagon thinks it caught onto the hacker campaign early. But it provides no information on how many Defense employees may have been targeted or infected, beyond the five people to whom the legitimate-looking emails, known as spear phishes, were sent. And the notice doesn’t say whether any of those employees clicked on the dangerous link and downloaded the malicious software.

“While I am somewhat comforted to hear that the malware was discovered on some systems, it is a virtual certainty that there are more instances of this malware inside the DOD and whatever other parts of our infrastructure this enemy has targeted,” Adams said.

A separate notice sent Friday by the FBI, also obtained by The Daily Beast, warns that hackers are now targeting “U.S. government agencies and private sector companies” via a vulnerability in Adobe Flash. That vulnerability was publicly disclosed earlier this month when the Italian company Hacking Team, which collects and sells information about flaws in software, was itself the victim of a massive penetration that exposed the company’s inner workings and its business dealings with the U.S. government as well as a host of despotic regimes around the world.

The FBI warning is apparently unrelated to the one from DOD. But it underscores the pervasiveness of hacking campaigns in the U.S. today, and how government security officials find themselves scrambling to prevent more intrusions.


US Air Force Implements Cloud Email Using Office 365

by CloudWedge Staff | Jul 20, 2015


In efforts to reduce costs, the United States Air Force has just announced that they will begin implementing Office 365 for service members. Using the Defense Logistics Agency, the USAF was allowed to procure over 100,000 licenses for Office 365.

The new deal will allow the US Air Force to cut computing costs over the next three years, while providing service members with an intuitive interface to access their emails, create robust documents and collaborate with other airmen by utilizing a secure interface.

“The Air Force will have access to secure e-mail, calendaring, Office Web Applications, Skype for Business, and other important collaboration tools, helping the agency communicate more easily across active, civilian, and reserve personnel and move toward a consolidated mobile and messaging platform,” says Leigh Madden from Microsoft.

“Just as important, the Air Force anticipates that the migration will help it realign critical resources to better support its mission in a trusted cloud environment,” adds Madden.

The deployment of Office 365 will not begin until the next fiscal year for the US government. It should be noted that the Air Force’s migration to Office 365 is the largest commercial cloud contract in the Department of Defense’s history.

The migration to cloud for the US Department of Defense helps the government achieve one of its major goals: to be able to provide on demand data and information to those who need it most. By implementing Microsoft’s Cloud, service members are able to gain real time information which helps the government make smarter decisions throughout its daily operations.

The Air Force has built its Office 365 deployment using the DoD’s Enterprise Email initiative. This initiative implements best practices which ensure tight security concerning the cloud email offering.

“No organization deserves a more enterprise- and security-ready approach than the Air Force,” says Microsoft in a blog post. More information about the Air Force’s migration to Office 365 can be found on the Microsoft blog.


Old technology, poor governance to blame in OPM breach, report finds

July 20, 2015 | By Stephanie Kanowitz


Millions of Americans’ personal information is at risk not because the data breaches at the Office of Personnel Management were so sophisticated, but because OPM’s systems were so antiquated, a new report finds.

“In terms of advanced persistent threats, the OPM breach was not a sophisticated attack,” states a July report (pdf) from the Institute for Critical Infrastructure Technology.

“The failure of [the Homeland Security Department] or OPM systems to detect the breach does not indicate a level of sophistication on behalf of the adversary; rather, it only shows that the breach was sophisticated for 1970’s legacy systems that operate on COBOL mainframe applications that have not been updated since the Y2K bug,” add report authors who include researchers from Carnegie Mellon, (ISC)², HP and Securetronix, among others.

OPM’s failure to adhere to cybersecurity practices set by the National Institute of Standards and Technology or comply with the Federal Information Security Management Act are additional reasons why a series of attacks on OPM and its contractors between November 2013 and last month left 22.5 million former, current and prospective U.S. employees and their families, friends and known associates at risk, the report states.

For instance, in 2014, only 75 percent of OPM’s critical systems had valid authorizations in accordance with FISMA regulations, and in January, an inspector general audit of OPM that deemed the agency’s cybersecurity sufficient relied on unverified data simulation, the report adds.

Another hole that might have let the hackers in could have been an unpatched vulnerability in existing or unsecured systems, the report found.

The nature and duration of the breaches suggest that an Advanced Persistent Threat, or APT, was to blame, and although many fingers point to China or a Chinese-sponsored APT group called Deep Panda, the report warns against jumping to conclusions. After all, it states, many groups use the same types of malware.


OPM could have benefited from several cyber defense approaches, the report states:

• Additional encryption.

• A User Behavioral Analytics System, which monitors user activity to create a profile baseline.

• A comprehensive governing policy, including educating users about cyber safety.

• A centralized information technology staff.


Despite media and congressional attention on the OPM breach, “very little focus has been dedicated to learning from this calamitous event and proactively utilizing that information to prevent such occurrences in the future,” the report states.

The government should seize on the public awareness following the breaches to shore up its cybersecurity efforts and regain public trust, the report states.

“Post breach education of the information security best practices helps to demonstrate to the American public and the entire world that America will not remain a vulnerable target and that the breach has not caused a chasm of distrust between people and government,” it states.




Lockheed Snatched Up Sikorsky For a Steal

July 20, 2015 By Marcus Weisgerber


The No. 1 weapons builder flexed its muscle as other bidders for the Connecticut-based helicopter maker wilted in the face of military-civil monopoly rules.

But there’s more. Because of a tax loophole, Lockheed will get nearly $2 billion back, bringing Sikorsky’s price tag down to just $7.1 billion. On top of that, the Bethesda, Md.-based company, which already partners with Sikorsky on Black Hawk helicopter projects for the Navy and Air Force, will save $150 million by running those joint projects as a single company.

If the U.S. government approves the deal, which was announced Monday morning, Sikorsky will improve its chances of winning international business, said Roman Schweizer, an aerospace and defense policy analyst with Guggenheim Securities.

“It’s definitely a transformative deal, partly from a company perspective but also from an industry perspective,” Schweizer said. “Now Lockheed will build everything from the helicopters, some of the sensors, the cockpits to the missiles and things that get launched off of them.”

The deal is being treated as an asset purchase, which gives Lockheed $2 billion in tax breaks over 15 years. Lockheed and United Technologies Corp., Sikorsky’s parent, want to finalize the deal by the end of this year.

If the deal goes through, Sikorsky’s roughly 18,000 employees will be nested under Lockheed’s 17,000-person Mission Systems and Training division, headquartered in Washington. Lockheed will retain the Sikorsky name and brand, which stretch back to the 1920s when Igor Sikorsky founded the company. Sikorsky is expecting to generate $6.5 billion in revenue in 2015, with its business equally split between U.S. and foreign customers.

Lockheed also announced this morning that it would review its government IT and technical services projects in preparation to spin off or sell the $6 billion business.

“The bigger, interesting issue for [the Defense Department] is: how much bigger can Lockheed Martin get?” said Byron Callan, an analyst with Capital Alpha Partners.

Lockheed Chairman, CEO and President Marillyn Hewson said she does not expect the government to oppose the deal since it would not decrease the number of helicopter manufacturers in the global market.

“Our portfolios are very complementary,” Hewson said in a call with investors Monday. “There’s very little overlap between our two portfolios. In that sense, I would expect that that would not be a concern of theirs going forward.”

Pentagon acquisition chief Frank Kendall is “closely monitoring” the deal, according to his spokeswoman Maureen Schumann. Lockheed informed the Defense Department before publicly announcing the agreement Monday.

“The department intervenes in the marketplace only when necessary to maintain appropriate competition — balanced against market efficiency pressures,” Schumann said. “This includes being watchful for consolidations that eliminate competition or cause market distortions that are not in the department’s best interest.”

Lockheed, the world’s largest defense company by defense-related earnings, has been working to diversify its portfolio, taking on more commercial projects in recent years to make up for a reduction in global military spending. Sikorsky makes about three-quarters of its revenue from military contracts.

Some analysts were surprised that more companies did not express interest in buying Sikorsky, which has built thousands of Black Hawk helicopters for dozens of countries over the past 25 years. Large defense firms, including Northrop Grumman, Raytheon and BAE Systems, all could have used the same rationale Lockheed used to go after Sikorsky, Callan said. “There are clearly other companies that do other things on people’s different platforms,” he said, referring to companies that perform modifications on aircraft built by different firms. Lockheed installs avionics and other equipment in some Sikorsky helicopters. Others said to be interested in Sikorsky were: Textron, the parent of Bell Helicopter; European behemoth Airbus; and Boeing.

But most potential suitors faced higher regulatory hurdles than Lockheed. If Textron had purchased Sikorsky, for example, it would have a large share in the civil helicopter market. If Boeing purchased Sikorsky, it would have a monopoly in the military market. As a foreign company, Airbus would have faced hurdles, particularly in the military market.

Lockheed also likely will run Sikorsky differently than United Technologies, which had trouble building new military helicopters in recent years, particularly with the CH-53K King Stallion heavy lift helicopter for the Marine Corps. There have also been development problems with Canada’s CH-148 Cyclone, a military version of Sikorsky’s S-92. “The downside for Sikorsky’s competitors is you’re going to have a much more tuned-in corporate parent who wants to take advantages on a company basis,” Schweizer said.

While the Pentagon has purchased hundreds of V-22 Osprey tiltrotor aircraft in recent years, it still relies heavily on traditional helicopters. Over the past decade, Sikorsky’s Black Hawk and Boeing’s Chinook have been the workhorses in Iraq and Afghanistan, essential to moving troops around rugged terrain. Special operations forces rely on helicopters for nearly every one of their high-value missions.

Lockheed’s announcement Monday solidifies business for its Owego, New York, modification facility where it already installs military equipment on Black Hawk and other Sikorsky helicopters. Just one year ago, the future of the site there was being debated as Navy business slowed. Sikorsky and Lockheed won a contract in June 2014 for 112 Air Force search-and-rescue helicopters, which will undergo modification work in Owego. The same plant will also do work on new Marine One choppers.

But its future in Connecticut could be up for debate, experts say, if not immediately. Many large defense firms have been moving business to non-union facilities in the southern United States.

If Lockheed had structured Sikorsky under its Texas-based aeronautics division, it would send more of a signal that a change in location could be on the table, Callan said. Besides the history and legacy in Connecticut, Sikorsky has a trained workforce there. Sikorsky builds the Black Hawk in Stratford, but it also builds international versions of the aircraft in West Palm Beach, Florida.

What is unclear is how the deal impacts the Army’s long-term helicopter project, called Future Vertical Lift. Bell and a Sikorsky-Boeing team are building concept helicopters for the Army. Lockheed is part of Bell’s team, meaning it would be on both teams after the deal to purchase Sikorsky is complete.

“Our intention is to continue the relationships that we have today on those programs,” Hewson said. “We want to bring the best solution to our customer and we have some good partnerships that we’re working on and we intend to continue those partnerships going forward.”

However, Bruce Tanner, Lockheed’s CFO, noted that the Army Future Vertical Lift program is still 15 to 20 years away, over which time a lot could change.

“You tell me when it’s going to happen, the quantities and so forth,” Tanner said. “There’s a lot of chance between now and then for people to change ideas, thoughts, requirements, etc. So whether that ends up being the program that we think it is today or not is anyone’s guess.”



IARPA funds program to predict next wave of cyberattacks

Aaron Boyd, Federal Times 4:09 p.m. EDT July 20, 2015


To date, cybersecurity has largely been reactive — stopping infiltrators before they can do too much damage to a system. A new initiative from the Intelligence Advanced Research Projects Agency is trying to get ahead of the next attack by combining traditional security techniques with information culled from unconventional sources to block currently unknown threats.

The Cyberattack Automated Unconventional Sensor Environment (CAUSE) is a framework for coupling known threat indicators — whether internal or through shared information environments — with external information sources such as social media and search engine trends.

The goal is to create an automated “probabilistic warning system” to identify new attack vectors as they emerge.

“Cyberattacks evolve in a phased approach,” according to a broad agency agreement (BAA) announcing the program, which notes detection usually happens in later phases of an attack. “Observations of earlier attack phases, such as target reconnaissance, planning and delivery, may enable warning of significant cyber events prior to their most damaging phases.”

IARPA will be offering funding to foster the development of these systems. The amount of funding released will be determined based on the number of proposals that make it through the first phase of the program, slated to begin in February.

One of the biggest challenges in creating an early warning system using outside data sources will be cutting through the noise.

The unconventional sensors — large, freely available data streams that aren’t traditionally used for cybersecurity — churn out tons of data on a daily basis, most of it irrelevant to security issues.

Following conventional cybersecurity chatter on Twitter won’t be enough. A system will be judged on how it chooses sensors and culls out the pertinent information.

“Information extracted from social media has been useful in forecasting non-cyber events and is expected to be useful in the cybersecurity domain as well,” the BAA notes. “However, it is expected that an offeror’s complete solution will extend its unconventional sensor exploration beyond just social media.”

IARPA suggests looking at sources beyond cyberspace, as well, such as economic trends and cultural shifts.

Developers that make it through this first phase will be granted access to internal threat data maintained by participating companies in a second and third phase. The projects will have to merge the internal and external data sources into a single automated system and run tests against simulated cyberattacks.

The entire process — all three phases — is expected to take three and a half years.

IARPA plans to release multiple funding awards through the BAA, as well as procurement contracts for successful tools. The competition is open to commercial vendors, research and academic institutions, government agencies and federally-funded research and development centers.

Those interested should submit a preliminary proposal to IARPA by Sept. 14.


The OPM Cyber Blunder is America’s Fault, not China’s

Matthew Hipple    

July 21, 2015 · in Commentary


America has been abuzz about the new revelations about OPM’s incredible loss of personal data — it’s being called a “hack,” the “biggest cyberattack in U.S. history.” Though the number of personnel compromised is said to reach 21.5 million, that total will increase exponentially due to the information about friends, family, and associates contained in each of those investigations. It is an incredible defeat for America.

Yet despite calls for retaliation and questions about whether this is a new high-water mark in “cyberwar,” the “OPM Hack” seems to have not been a real hack — let alone a cyberattack. Rather, the OPM “heist” was completely the fault of a blundering, incompetent bureaucracy that quite literally handed the secrets of our security-cleared citizens to a strategic adversary. We can hardly blame the Chinese for gratefully receiving such an intelligence treasure trove.


Own Goal

When we think of “hacking” or “cyberwar” we tend to picture the virtual equivalent of someone tunneling into a bank or cutting the brake lines on a car. At least one contractor with root access to the OPM database was physically based in China. DHS cybersecurity experts have rightly stated that encryption would not have helped in this case. The OPM heist is the equivalent of the Berlin CIA station chief asking someone who works in the Russian embassy to hold on to his vital papers during a meeting.

Mature adults realize that all nations, even allies, conduct intelligence operations against one another. American and European intelligence experts’ frustration at the faux outrage caused by Snowden’s revelations of common inter-state intelligence practices tells us as much. China maintains a vast and insidious campaign to penetrate and compromise government and corporate networks in the United States, but we cannot consider the OPM heist part of China’s catalogue of crimes. This was incompetence on our part; a cyberblunder, not a cyberattack. If China had decided to give American personnel root access to their databases, it would be criminally negligent for our intelligence agencies not to take advantage of the situation.

Still, perception matters; this fiasco’s public image may encourage even greater levels of cyber subterfuge against the United States. The scale of the intelligence haul projects an image of aggression the OPM heist likely did not require. The public dissemination of its success combined with U.S. inaction creates an appearance of Chinese impunity reaching new heights as compared to other known Chinese cyber operations. Unfortunately, the reality is a case of high-return, easy cyberespionage, enabled by our folly. A response of similar effort would hardly produce the same results; you cannot force your adversary to make your mistakes. A response of similar effect would require an uncomfortably disproportional response; you cannot start a fight because you punched yourself in the face.



So if China did nothing but pick up the secret documents we let them babysit, wrath should fall on those whose willful apathy is responsible for our failure. In this case, it is a clear failure of OPM leadership. We cannot forgive three years of apathy about grave cybersecurity warnings made to OPM, let alone the OPM’s open knowledge of malicious activity on its network since June 2014. Director Katherine Archuleta insisted on retaining her office almost a month after the full scope of OPM’s failure under her tenure was revealed. She was not ousted ignominiously, but allowed to resign with a bizarrely triumphal statement touting her success at OPM, particularly in the office’s cybersecurity initiatives. Meanwhile, any number of unknown federal employees or contractors whose job it was to resolve these cybersecurity issues remain nameless and secure in their jobs. We have institutionally allowed the risk to fall on the warfighters, intelligence agents, ground-level bureaucrats, and the American people they serve. Appointees and their staff who abandon their duties are able to retire quietly to the lecture circuit for cocktail party awards celebrating the minor tactical successes they pursued at the cost of strategic failure.

This lack of consequences has created a situation allowing for apathetic appointee leadership. As a first line of defense, presidents must be more willing to take decisive action against their more useless appointees — there’s no political risk in a president being decisive against dead weight. Bowsher v. Synar prevents Congress from enacting laws enabling the legislative dismissal of political appointees following incompetence or dereliction of duty. Symbolic congressional votes of confidence might add some spice. Perhaps Congress could even find a way to dock or even suspend the specific pay of appointees openly flouting their responsibilities.

Ultimately, there is no administrative or policy solution to this problem. You cannot design a regulation for every blatantly obvious cybersecurity blunder such as “no contractors in China” or “no campfires in the server room.” Without an answer to Bowsher v. Synar, turning the screws of accountability against institutional inertia could be hard, though the coming congressional investigation into OPM’s decisions is helpful and necessary. It falls upon Congress and the president to be more discerning in their selection and approval of appointees on the front end, demanding that appointees have the qualification for and dedication to their critical roles. For problem federal employees and contractors — better appointees will care enough to lead, reform, or fire them.

Now, while we want superstars for our appointees, not everyone is a Christine Fox. We could live with mere positive stewards, people with the maturity and humility to understand the scale of their office, the public trust, and the challenges we face. While we may presume to pursue a “comprehensive cybersecurity strategy” to defend us from our opponents, it is of far lesser importance than finding the right kind of people — the ones in whose hands a strategy would succeed. Until then, we cannot blame an adversary for exploiting our barefaced incompetence.


Matthew Hipple is a U.S. Navy Surface Warfare Officer. A graduate of Georgetown University’s School of Foreign Service, he is president of the Center for International Maritime Security — where he hosts the Sea Control Podcast. The Venn diagram sections of “his opinions” and “official representation of the U.S. Navy, Department of Defense, or Government,” do not intersect. Follow him on Twitter: @AmericaHipple


Jeb Bush: Strip Feds of Automatic Pay Raises and Due Process

By Eric Katz

July 20, 2015



Jeb Bush on Monday outlined how he would overhaul the federal civil service if he is elected president, including a proposal to transform the pay raise system for all federal employees.

Speaking at Florida State University in Tallahassee, Fla., the former Florida governor said the current practice of awarding the approximately 2.1 million federal employees an across-the-board pay raise each year should be done away with. Billed as a policy address to spell out his economic agenda, Bush detailed the importance of modernizing what he called an outdated federal personnel system.

Bush said the civil service, like much of federal government, operates problematically without anyone “stopping to ask why.”

He added: “It’s a system in the old ways, rule by inertia and unaccountable to the people. With more than 2 million people on the federal payroll, these programs and these problems carry a heavy cost, and a few serious reforms will go a long way.”

The first reform of a theoretical Bush administration would be to institute a federal hiring freeze. Over the next five years, Bush said with a smile on his face, it is a “fairly safe bet” that not everyone who retires needs to be replaced. Therefore, he explained, his administration would fill just one out of every three vacancies created by departing federal workers. The plan echoes the one outlined in the budgets of Rep. Paul Ryan, R-Wis., which were twice approved by Republicans in the House.

Like the Ryan budget, Bush would make exceptions for national security positions. He said the strategy would allow for a 10 percent reduction in the size of the federal workforce within five years. Coupled with other reforms, however, Bush said he would slash more than 10 percent of the workforce within his first term and save “tens of billions of dollars without adding to unemployment.”

Bush called the current personnel system a “relic of the 1970s” under the Jimmy Carter administration, which “didn’t have the taxpayers’ interest foremost in mind.”

“The whole idea of management is to reward good performance and make the best the standard,” Bush said. “And that’s not the system we have in Washington, D.C., right now.”

The two-term governor’s next significant reform would be to undo the notion of rewarding “longevity instead of performance.” He said federal employees earn, on average, $1,500 more in annual salary than their private sector counterparts, and $16,000 more in benefits.


The private-federal pay gap has long been disputed, with conservative groups finding feds earn more than their private sector peers, federal employee groups finding non-public employees earn more, and the non-partisan Government Accountability Office concluding there was no clear way to make the determination.

Regardless of that debate, Bush said the current pay system does not provide the proper incentives to “bring out the best” in public servants or to improve the morale of the federal workforce.

“Just like in the real world, compensation should depend on the type of work, and the quality of the work,” Bush said.

To fix that issue, Congress and the White House should no longer approve across-the-board pay raises, he said. Instead, Bush said the government should move to a merit-based pay system. Bush’s brother, former President George W. Bush, oversaw moving the Senior Executive Service to a pay for performance system.

“If we respect and recognize skill and dedication when we see them,” Bush said, “then I promise you we’ll see a lot more excellence in the ranks of civil service and we’ll attract new talent as well.”

Additionally, Bush proposed giving bonuses to managers who identify ways to cut spending at their agencies, similar to a proposal put forward by another 2016 Republican presidential contender — Sen. Rand Paul, R-Ky. — earlier this year.

“When federal employees are found squandering money, we should call them out on it,” Bush said. “And when they find ways to save money, we should reward them.” Bush noted he instituted a program while governor of Florida, the Davis productivity awards, to that effect. Employees that find ways to “shrink government” deserve bonuses, he said.

The third tenet of Bush’s civil service reforms, which he called “long overdue,” would make it easier to fire federal workers. Bush did not lay out specifics of which civil service laws he would attempt to change, but did promise to maintain “civil rights and whistleblower protections.” Otherwise, he said, the time it takes to “remove an unproductive employee should be weeks, rather than years.”

“There are a lot of exemplary employees in the federal workforce, but they’re treated no better than the bad ones,” Bush said. “And the bad ones are nearly impossible to effectively discipline or remove.” He added that “job security is one thing; job entitlement is another.” Every removal of a federal employee should not be a “federal case,” Bush said.

The son and brother of former presidents hailed his ability to transform the personnel system in Florida during his eight years as the state’s chief executive.

In his first term in office, Bush introduced his “Service First” reforms to remake much of the state’s workforce. Bush successfully stripped Florida’s 16,000 career managers and supervisors of due process protections by turning them into at-will employees. Also during his governorship, Bush changed the policy for “cause” from a specific list of fireable items to the much broader “sound discretion of an agency head.” He coupled those policies with a directive to all state agencies requiring them to issue blueprints for reducing their workforces by 25 percent.

Florida had already ranked 50th in the nation among states in spending in government salaries per citizen, but Bush successfully trimmed the number of state employees by 25 percent within five years.

Bush placed his federal civil service reforms in the broader context of cutting agency spending and reducing the size of government in general.

“We’re going to turn off the automatic switch of discretionary spending increases and weigh budgets only on its merits,” Bush said. “Too much of federal government runs on automatic.”



Were Background Investigations Falsified During the OPM Hack?

By Aliya Sternstein

July 21, 2015


There are growing concerns among some security experts that whoever stole data on 21.5 million federal personnel and family members might have falsified background check information, but U.S. officials say they have no evidence of tampering right now.

One motivation for meddling with investigations could be to embed a foreign operative into the U.S. intelligence workforce, according to uneasy security experts and a federal watchdog.

The Obama administration would neither confirm nor deny officials have been able to check the integrity of the compromised records, which were maintained by the Office of Personnel Management. The attack — a suspected Chinese spy mission — began more than a year ago but was only discovered in April.

“There is no information at this time to suggest any misuse or further dissemination of the information that was stolen from OPM’s systems,” an administration official told Nextgov on Monday.

Federal agencies often do not do their due diligence to verify that data has not been tainted after a cyberincident, one Government Accountability Office auditor said.

“That’s one of the areas that a lot of times gets lost,” Gregory Wilshusen, GAO director of information security issues, said during a brief interview last week. He said he does not know if the authenticity of the affected investigation records has been confirmed.

The focus after a breach is on “unauthorized disclosure of information, which is a big problem, but certainly the integrity of the information can be even more problematic for the agencies if that’s not accurate,” Wilshusen added.

An attacker, for example, could “insert some new information or a new record,” he said. “That’s a big problem, and it’s often not getting a lot of attention.” Wilshusen was speaking about data breaches generally.

The OPM intruders gained “privileged access,” or carte blanche control, to certain agency systems, administration officials said during hearings last month.

Fifty-year intelligence veteran Charles Allen on Friday urged that all personnel investigations be sequestered until officials can assure the details documented are correct.

The forms compromised — including “Standard Form 86” — are filed by contractors and government employees applying for a security clearance to handle classified secrets.

“Security clearance practices are dependent upon trust in data integrity,” Allen, a former high-level CIA official, said in a FedScoop op-ed. “The manipulation of this database could include the alteration of clearances or the deletion of records as a means of disrupting our workforce and obfuscating the insertion of falsified records.”

Even before the administration revealed the extent of the background check breach July 9, some cyber experts questioned the reliability of hacked clearances.

“Is the person sitting in the high-security facility in fact an agent for another government whose clearance was inserted into the system?” HP Security Strategist Cynthia Cullen pondered July 3. “When you have intruders in your network for such a long period of time,” there is “potential that they may be modifying, deleting or creating data within these systems.”

The adversaries were inside OPM’s network from May 2014 through April 2015, according to the Department of Homeland Security.

While lingering, “they could easily be creating security clearances for moles, that may be difficult to detect,” Cullen said.



OPM Says 84,000 Hack Victims Still Not Notified

By Aliya Sternstein

July 14, 2015


Nearly 40 days after the Office of Personnel Management divulged that attackers copied millions of government employee personnel records, the agency says it’s alerted 98 percent of affected employees. That, however, still leaves 84,000 individuals who have not been notified their privacy has been compromised, according to OPM statistics.

The challenge of warning 4.2 million feds about the threat to their financial and personal security raises questions about the ability to inform more than 21 million victims of another related hack of OPM background investigation files.

A majority of the past and current employees who fell victim to the first breach – 3.6 million – are part of the separate incident, which also affected family members, contractors holding security clearances and other individuals cleared to see classified material. OPM has not yet hired an identity protection firm to alert the larger batch of victims, which the agency enumerated for the first time Thursday.

Both data breaches have been tied to a Chinese espionage operation.

Nextgov has heard recently from former federal employees who say they could be caught up in the OPM hack but haven’t yet been notified.

A Federal Reserve staffer, who retired in 2006, and could be among the 4.2 million cohort, said he thought he was unaffected because the Fed is not considered part of the civil service.

A Defense Department civilian, who joined the private sector in 1999, and an OPM employee, who left 18 months ago, expect they are affected, but have not yet formally been alerted to the fact that their Social Security numbers and other identifying information were accessed.

The OPM and Defense employees, separately, expressed bewilderment over what they described as another failure to protect their privacy.


Are You Affected? There’s A Hotline to Call

OPM officials recommended these individuals, as well as any other unsure current and past personnel, call a toll-free number, 1-844-777-2743, to find out if they are affected.


While the security clearance hack affects investigative forms going back to at least 2000, no such time parameters have been identified for the personnel records breach, OPM officials said.

“That’s one of the reasons why there was a mechanism set up for individuals to self-verify,” an agency official told Nextgov Monday night.

“We believe we have contacted over 98 percent of the 4.2 million individuals affected in the first breach,” the OPM official said. “If individuals could not be reached by email, attempts were made by mail. Attempts were also made by using the National Change of Address Database at the U.S. Postal Service.”

ID protection firm CSID was paid $20 million to notify and provide 18 months of free anti-fraud services to the 4.2 million past and present federal personnel.


Emails Bounced Back and Snail Mail Was Undeliverable

“OPM provided CSID with the most up-to-date contact information for affected employees it had on record. In rare instances when that information was outdated, CSID took additional steps to track down any missing contact information,” Patrick Hillmann, a representative for CSID, said in an email. “Less than 2 percent of those that were sent notifications had no forwarding address or [were] return[ed] to sender, but all attempts have been made.”

If emails bounced back during an initial round of outreach, CSID sent additional notifications in late June, OPM said last month.

Earlier in June, Sen. Mark Warner, D-Va., and some notified employees groused over long wait times on CSID’s hotline and reported receiving incorrect credit histories. The company has since boosted call center staffing and OPM says almost 900,000, or about 18 percent, of individuals notified have registered for the ID protection program.

No notifications have gone out about the background investigation breach announced last Thursday, OPM officials said.

If a person underwent an investigation through OPM, by filing special forms “SF 86,” “SF 85,” or “SF 85P” for a new investigation or periodic reinvestigation, “it is highly likely that the individual is impacted by this cyber breach,” OPM spokeswoman Jennifer Dorsey said in an email. Earlier investigations could also be affected, although it is less likely, she said.

“In the coming weeks,” OPM, working with the Pentagon, will begin to send notification packages to these individuals, Dorsey said. Educational materials will be included to help victims prevent ID theft, secure their personal and work-related data, and “become more generally informed about cyber threats and other risks presented by malicious actors.”

The packages also “will provide details on the incident” and instructions on how to obtain three years of free ID protection services, Dorsey said.


Next dashboard warning may be, ‘Your car has been hacked!’

By Ashley Halsey III

July 21 at 2:10 PM


“Your car has been hacked!” may be the next warning light to flash on your car dashboard as the result of a bill introduced Tuesday in the Senate.


The legislation by Sens. Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) is intended to address fears about the vulnerability of onboard car computers to hackers, particularly with connected-vehicle technology and autonomous cars on the horizon.

“Drivers shouldn’t have to choose between being connected and being protected,” Markey said in a statement. “We need clear rules of the road that protect cars from hackers and American families from data trackers.”

The bill tasks the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) with establishing standards intended to protect car computers from hackers who could manipulate a vehicle’s behavior or violate the driver’s privacy.

“This legislation will set minimum standards and transparency rules to protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles,” Markey said.

Automakers are well aware of the risks and worry that car buyers may be put off if they fear hackers can access their vehicles. Last week they announced the establishment of a joint Information Sharing and Analysis Center intended to assess hacking risks on an ongoing basis.

While dashboard warning lights might not show up in all vehicles, Markey and Blumenthal want federal regulators to create a “cyber dashboard” to tell drivers how well their cars are protected against an attack.

“Rushing to roll out the next big thing, automakers have left cars unlocked to hackers and data-trackers,” Blumenthal said in a joint statement with Markey. “Federal law must provide minimum standards and safeguards that keep hackers out of drivers’ private data lanes. Security and safety need not be sacrificed for the convenience and promise of wireless progress.”

The bill instructs NHTSA to work with the FTC in developing standards that would:

• Isolate onboard critical software systems to protect against hackers.

• Protect all data that is stored on the computer.

• Equip cars with technology that can detect and report hacking attempts in real time.


The bill also requires that car owners be made aware of data that is collected, retained or transmitted while driving, that drivers can opt out of that data collection and retention, and it prohibits the use of any collected data for advertising or marketing unless the driver agrees.

In addition to real-time communication with a driver when a car is hacked, the bill says federal regulators should display on the window sticker of cars at dealerships how well the vehicle is protected against hacking.

“As America’s vehicles become more and more connected to the internet, and wireless vehicle to vehicle technology adds important safety to tomorrow’s cars, vital security and privacy concerns need to be addressed as well,” Jack Gillis, of the Consumer Federation of America, said in a statement. “Senator Markey and Blumenthal’s [legislation] will help prevent hacking attacks and [ensure] personal privacy as new vehicle safety and monitoring technology is introduced.”

Although vehicles already are vulnerable to hacking, the possibilities will be amplified with the advent of connected vehicles and autonomous cars.

Connected vehicle systems extend many current systems such as radar, laser sensors and lane-control devices into a network of communication with other cars and roadside detection devices. Rather than just communicate data to the car’s driver, connected vehicles will share that information with computers in other vehicles via a short-range broadband network.

That shared information will make driving safer, provided it’s not susceptible to hackers who could compromise the system.


Defense bill could lift restrictions on guns on military bases

July 21, 2015, 03:19 pm

By Cristina Marcos


Congress could vote to lift a ban on military personnel carrying guns at bases in the aftermath of last week’s attack in Chattanooga, Tenn.

House Majority Leader Kevin McCarthy (R-Calif.) told reporters during a briefing Tuesday that a provision allowing members of the military to carry weapons could be included in the conference report reconciling the House and Senate versions of the annual National Defense Authorization Act (NDAA).

“Right now, we have the NDAA and that’s being discussed in conference as well, that provision,” McCarthy said. “It could be in the NDAA conference because they have that issue inside there where it could allow the base commander to have the determination.”

Negotiators on the defense authorization are trying to hammer out an agreement before the monthlong August recess, meaning a conference report could potentially hit the floor next week.

A provision previously adopted during consideration of the House version of the defense bill this year would clarify that post commanders have the ability to authorize soldiers to carry concealed weapons on military bases.

Such a provision in the defense bill would be different from legislation that the Tennessee congressional delegation introduced Monday that would repeal the ban on members of the military carrying guns on bases.

Multiple GOP lawmakers in both the House and Senate have urged a repeal of the ban since the shootings last Thursday at two military facilities in Chattanooga, Tenn., that killed six. The Tennessee lawmakers’ bill stands out because the two Democrats in the delegation have signed on to it, arguing that members of the military should be able to maintain self-defense.

“Our men and women in uniform must have the ability to protect themselves regardless of where they are serving,” Rep. Scott DesJarlais (R-Tenn.), the chief GOP sponsor of the bill, said in a statement.

Unlike the aftermath of previous mass shootings, calls for new gun restrictions have been relatively muted since the attack in Chattanooga.

Time is running short for many more bills to be considered before Congress leaves Washington for its August break. McCarthy gave no indication that a patent reform bill that was originally scheduled for a vote this week will come up.

The California Republican further suggested a bill pushed by conservatives that would ban the federal government from discriminating against churches or charities for views opposing same-sex marriage still needed a coalition to form a majority.


China’s New Intelligence War Against the United States

Peter Mattis    

July 22, 2015 · in Analysis


The Chinese intelligence threat is set to change dramatically as hackers believed to be linked to China’s civilian intelligence agency, the Ministry of State Security (MSS), acquired millions of personal records from the U.S. Office of Personnel Management (OPM). Although the full extent of the damage remains unknown, fears have emerged about the compromise of data gathered during security clearance background checks, including foreign national contacts. Security experts are right to suggest this information is a treasure trove for an intelligence service trying to penetrate the U.S. national security community. Such treasure is only as valuable as the motivation to use it and, for the MSS, such information would provide the foundation for a new espionage campaign against the United States and demonstrate its value to Chinese policymakers who have had good reason to be skeptical about what the MSS brings to the table. The OPM data offers a way for Chinese intelligence to focus on Americans that matter rather than relying on the creativity of individual agents to find ways to bridge China’s domestic intelligence base with national security professionals abroad.


The Misadventures of the MSS

To the unschooled observer, China might seem like a master of intelligence operations targeting the United States. This is only partially true. Since the arrest in 2005 of Chi Mak, a San Diego-based engineer with defense contractor Power Paragon, the FBI has arrested several dozen individuals for espionage on behalf of China — most recently in May. Meanwhile, Chinese collectors in cyberspace have made headlines every month as governments and companies admitted gaping breaches of information. The MSS, however, could claim little of the glory. China’s successes predominantly belonged to the People’s Liberation Army’s (PLA) intelligence departments. Hackers reportedly working for the PLA’s signals intelligence department, such as those indicted by the FBI, stole terabytes of corporate and government data, and human intelligence collectors from the General Staff Department’s Second Department (2PLA) penetrated the Pentagon and sensitive programs related to the Virginia-class submarine and the Aegis Combat System.

However, to the extent that it can be gauged, the record of the MSS is far from enviable.

Of recent Chinese human intelligence cases in the United States, the MSS probably was responsible for only one: Glenn Duffie Shriver. And that can hardly be called a success. In 2010, U.S. counterintelligence caught Shriver during his background and security check while applying to work for the CIA. He had already failed twice to join the State Department’s diplomatic corps. The MSS paid him $70,000, but failed to gather a single piece of intelligence. The money may not seem like much; however, multiply those costs by even a few attempts and such failed efforts become costly.

In the last three years, the MSS has lost three senior vice ministers to scandal. The first, Lu Zhongwei, fell in 2012 owing to reports that one of his personal aides spied for the United States since the 1980s. The next, Qiu Jin, fell in 2014 because he and a protégé at the Beijing State Security Bureau politicized MSS investigations to support the agenda of disgraced former security chief Zhou Yongkang. Politicization may be a feature of a communist system’s security apparatus, but Deng Xiaoping created the MSS in 1983 to move Chinese intelligence away from internal party politics and refocus it on legitimate counterespionage and intelligence-gathering abroad. Earlier this year, another vice minister, Ma Jian, became mixed up in a corruption investigation involving crooked real estate dealings and was removed from office. The MSS might weather such a storm if its intelligence operations bore more fruit, but, as is, the Chinese leadership may be wondering whether the MSS continues to be effective.


The Shortcomings of Chinese Intelligence Collection

Most Chinese intelligence operations are launched from within China, even those targeting foreign governments and militaries. In contrast to the more familiar scenario of intelligence personnel posing as diplomats working the cocktail scene in foreign capitals, Chinese intelligence officers regularly approach their targets inside China, in many different guises — from municipal office workers to think tank scholars to businesspeople — sometimes without even a fig leaf to hide their intelligence affiliation. Reviewing the history of Chinese espionage cases, only two cases we know of (and now a possible third in Taiwan) have involved recruitment of foreign agents outside China.

Having so many agents recruited inside China necessarily leaves blind spots, and the skills required for this approach are very different than working the diplomatic cocktail circuit. The most obvious implication is that Chinese sources must travel to China. Although the number of people traveling to China for any reason has expanded dramatically, those who do so regularly, especially foreign government officials, tend to have China or Asia portfolios. The MSS, then, is more likely to do well on issues that are directly related to China than on, say, U.S. or European policy in the Middle East. Finding potential agents inside China also means sifting through these visiting foreigners and expatriates — a task made easier by the ability to download and sort a person’s electronic data when they leave their personal devices unattended.

The MSS, like its other ministerial counterparts, is really a system with a central ministry supported by provincial departments and municipal bureaus that perform most of the system’s day-to-day operations. The capabilities and performance of the different sub-national elements vary widely as each is responsible for recruiting its own personnel. The Beijing and Shanghai state security bureaus, for example, can readily pull from the best pool of Chinese university graduates, whereas the Shaanxi and Gansu state security departments may only get similar talent if recent graduates are forced back to their original homes because of China’s internal migration controls. There may also be other differences that affect the quality of MSS elements, such as access to technology or those skilled in its use, as well as foreign language capability. The responsibilities for state security undoubtedly vary across locations. Though Beijing may be well suited for operations against foreign countries, the huge number of foreign officials and businesspeople living in and transiting the city probably keep the focus on counterintelligence.

The unevenness of MSS capabilities means that, without a central database of dossiers, the ability of state security elements to identify and research persons of interest is limited. Identifying a person and why they are potentially valuable, however, is only the first step toward recruitment. Personal relationships must be developed; vulnerabilities must be identified or manufactured. Finally, an intelligence officer has to make the recruitment pitch, which, in the words of former British intelligence chief Sir Richard Dearlove, must be “asked in the right way, by the right person, at the right time.” For many of the backwoods state security departments, completing all of these tasks — even identifying potentially useful individuals — might be beyond their capabilities without operational leads and support from MSS headquarters.

With China developing more and more foreign interests, the MSS almost certainly faces an imperative to expand its operations overseas. A few small operations, such as the MSS handling in Sweden of a Uighur arrested in late 2010, suggest the ministry is becoming more aggressive in pursuit of intelligence abroad. The ministry, however, must overcome a legacy of inaction on overseas clandestine operations. Back in 1985, Deng Xiaoping placed draconian restrictions on MSS operations from Chinese embassies and other official platforms. The Ministry of Foreign Affairs reportedly persuaded Deng that MSS officers getting caught running clandestine operations from official facilities could derail the international aspects of his revolutionary Reform and Opening policy of market-based reforms. Building up a robust, foreign-based collection effort takes time, and intelligence services need practical training based on experience. The ability to do dead drops, covert communications, and the other hallmarks of clandestine tradecraft are important because a spy service is asking agents to place their lives and freedom in the service’s hands.


The Practical Application of OPM Data for Chinese Intelligence

The theft of the OPM files on current and former U.S. government employees with security clearances, along with their foreign contacts — including Chinese contacts — will give the MSS (or other parts of the Chinese intelligence apparatus) an incredible resource for building an intelligence program targeting the United States. As I mentioned above, marginal cases like that of Glenn Duffie Shriver indicate the MSS so far has struggled to mount a serious and sustained program that is producing results for Beijing. That could now change.

One of the keys to success in China’s spying against Taiwan appears to be China’s substantial knowledge of the island’s government, military, and intelligence officials, as well as their families and their retired colleagues. In almost every case — including the 33 Taiwanese convicted of espionage-related crimes in the last five years recently highlighted by Taiwan’s National Security Bureau (NSB) director — Chinese intelligence has identified and recruited former officials traveling through or working in the mainland and then used them to draw out their colleagues still in government. Instead of having to evaluate the thousands of Taiwanese traveling in and out of China, the MSS just needs to check whether a particular person is one who should be approached. In 2000, the then-personnel director at the NSB retired into a job based in China, and, even if he did not betray personnel lists, numerous others in intelligence and counter-espionage have provided the names and backgrounds of their undercover colleagues to Chinese intelligence.

The information on former U.S. officials with past security clearances may be even more valuable than information on current employees. First, former officials do not face the same travel restrictions or requirements to report foreign contacts or meetings with foreign intelligence services. Second, because they can travel more freely, they can be debriefed in a more leisurely fashion, allowing for questions without immediate operational relevance and time to confirm their responses and thereby further validate the sources themselves. Third, former officials almost certainly will function better than the agents most recently used by Chinese intelligence to gain access to U.S. secrets. Sources like Louisiana furniture salesman Kuo Tai-shen may be able to move and shake their way into access — Kuo did get two U.S. defense officials to betray their confidences — but they do not necessarily have a natural set of trusted relationships within national security circles. They have the ability to elicit information without raising alarm bells and evaluate the potential of their former colleagues to a recruitment pitch.

The information on Chinese contacts of cleared U.S. government officials raises the danger of the lost OPM data in MSS or other Chinese intelligence services’ hands. Beijing’s security agents may be willing to detain U.S. officials and citizens at the airport for a few hours, but anything beyond catch-and-release is unlikely. Beijing, however, treats all ethnically Chinese people as PRC citizens, subjecting them to far harsher punishments than those of purely foreign stock, which endangers Chinese family members and contacts named in the stolen OPM data. As a pressure point, being placed in an uncomfortable position or detained for a few hours is one thing; knowing your friend or family member could be detained indefinitely is something completely different. In case this sounds fanciful, it did occur in 2012 to the wife of a Taiwanese intelligence official who visited a friend in Shanghai. Chinese authorities detained her and forced her to write a letter to her husband pleading for him to come to the city. The official stayed in Taiwan, but his wife remains in prison despite Taipei’s efforts to release her. There is little reason to think that an MSS desperate to prove its value to policymakers with intelligence on Washington will hold back from such aggressive efforts to collect intelligence, especially if Beijing is accepting greater risk in its intelligence operations.



The MSS’s possible acquisition of OPM data does not guarantee Chinese success in penetrating the U.S. government; however, it does improve the beleaguered ministry’s chances. Its disparate components can focus on real targets rather than trying to identify, research, and approach every American passing through their jurisdictions. In baseball terms, the OPM data is like a team beginning every inning with runners on base. Each success could be just a bit better than the past.


Peter Mattis is a Fellow in the China Program at The Jamestown Foundation and the author of the recently-published Analyzing the Chinese Military: A Review Essay and Resource Guide on the People’s Liberation Army.


OPM Takes Steps Toward Finding a Contractor to Notify Hack Victims

An information request put out to interested companies indicated a mid-August contract award is the “best case.”

By Kaveh Waddell


July 22, 2015

Nearly two weeks after announcing that more than 21.5 million people had their information hacked from government servers, the Obama administration is moving to hire a contractor to notify and provide identity-fraud-protection services to affected individuals.

But one won’t be hired until at least mid-August.

The Office of Personnel Management, which was hit last year by a massive hack that officials have privately linked to China, is working with the Defense Department to find a contractor to notify the affected individuals and provide them with identity-fraud-protection services, according to an OPM spokesperson.

CSID, the contractor that provided those services to the 4.2 million employees affected by the smaller data breach announced in June and was heavily criticized for how it handled the process, will face competition for the new contract from LifeLock and other large fraud-protection services. They will be vying to provide services at a scale five times the previous breach—21.5 million individuals will need to be notified and protected.

OPM has promised at least three years of credit-monitoring and identity-theft protection to the affected people.

In the first formal step toward securing a contractor, the General Services Administration on Thursday put out a request for information, notifying potential contractors about the scope of work the government will expect and soliciting information from the interested companies.

Included in the request was a rough time line of the contracting process. After the hopeful companies convened in a “virtual meeting” on Monday, responses to the GSA request were due by Tuesday night.

According to the preliminary time line, which represents the “‘best effort’ plan of action,” no contract will be awarded until Friday, August 14. Notifications would likely begin to go out the following week, at the earliest.

The GSA request did not make any mention of the potential length of coverage. Although OPM has said it will offer at least three years of services for free, some lawmakers are pushing to provide lifetime protection for individuals affected by government data breaches.

As CSID gears up to bid again on the second contract, executives from the Austin-based company and its contracting partner, Winvale, have spent recent days on a public-relations tour of Washington.

The campaign is designed in part to counteract the intense criticism the contractor received from lawmakers, federal worker unions, and the press, as it dealt with the first round of notifications and service provision.

Sen. Mark Warner, a Democrat who represents tens of thousands of Virginia-based federal workers, wrote a letter in June to CSID with complaints from Virginians who encountered three-hour-long wait times at the contractor’s call center or incorrect information on their accounts after they signed up.

But as CSID President Joe Ross and Winvale CEO Kevin Lancaster take their message to the press and members of Congress, they are arguing that the hiccups that afflicted their operations as they got off the ground were unavoidable and that many, in fact, were caused by government mismanagement.

Complaints about wait times, for example, stemmed from a decision to make public the 1-800 number for the call center intended for data-breach victims, Ross told National Journal Tuesday, opening the floodgates to a deluge of calls from worried current and former federal employees who did not receive notifications.

Why exactly the number was made public was unclear as CSID and Winvale began their media blitz. Politico reported Monday that CSID “felt compelled by the public interest” to release the number, but according to The Washington Post on Monday, Ross said it was the government’s decision to share the number. Ross said Tuesday it was a combination of the two.

“Were there long hold times? Yes,” said Ross Tuesday. “Was it the right thing to do? Yes.”

The crux of CSID’s pitch is that the work it did for 4.2 million could easily be scaled up to accommodate the 21.5 million people affected by the breach announced this month.

“The thing about this is you’ve got people hitting the website, and that’s repeatable. You’ve got a notice process—you just build a schedule for that. You’ve got the mailing houses that we utilize, so we spread the notifications across three mailing houses,” Ross said.

“So the scaling is pretty easy, and the main thing is we’ve developed a kind of rapport,” he continued. “We have daily stand-ups with OPM on a daily basis, we’ve got the reporting in place, so the scalability is the key. If it was to come down to the next 21.5, it’s just that we’re positioned to scale.”

Ross trumpets that more than 22 percent of the 4.2 million individuals who were notified that their information was compromised—that’s nearly 1 million people—have signed up for CSID’s service.

LifeLock, one of CSID’s larger competitors, itself hit an obstacle Tuesday when the Federal Trade Commission accused it of violating a previous settlement with the agency. The commission said LifeLock was putting out false advertising and failed to notify paying users when their identities were used or to protect their data.

CSID—along with its competitors—will be given a chance to prove itself to the government. Each interested contractor was given until 8 p.m. Tuesday to submit the answers to eight detailed questions in the GSA’s request for information, which asked about the “maximum volume” each company has processed in response to a data breach and whether the company could handle sign-ups from more than 20 percent of the 21.5 million people who were affected by the breach.

The request also asked how each company’s call-center employees are vetted, since they will need to handle sensitive information over the phone, and whether the company can meet government cybersecurity and data-hosting standards.

But Lancaster, Winvale’s CEO, said Tuesday that Winvale and CSID did not submit a response before the deadline.



A drone is going to bring down an airliner: why are we waiting for that to happen?

by Press • 22 July 2015

by Karen Walker in ATW Editor’s Blog


Sooner or later – and I personally believe it will be sooner – an airliner full of passengers and crew is going to be brought down after colliding with a drone.

There – I’ve said it, though most in the industry won’t. That’s understandable, but it’s still not right.

We must have an urgent, honest discussion about what is happening in the skies today. Even more urgent, we must do something about the rapidly escalating danger that drones – unmanned aerial vehicles – pose to commercial air transport.

If further evidence of the critical situation were needed, look at what happened yesterday close to Warsaw airport. A Lufthansa Embraer E-195 with 108 passengers aboard narrowly missed a collision with a so-far unidentified drone. We now sit just 330 feet away from a different story entirely – one that would have been an instant global newsflash and would have dominated the headlines for weeks; “Airliner brought down by drone: at least 100 dead”.

That’s not hyperbole. It’s true. This incident – which follows an alarming increase in the number of reported near-misses between airliners and drones close to major commercial airports – requires immediate attention. I would argue the issue of drone oversight and control should take priority over airliner tracking (post MH370’s disappearance), military/intelligence agency communications with commercial air transport authorities (post MH17’s missile shootdown), and psychological monitoring of pilots (post Germanwings 9525 crash). Why? Because the threat to airliners from drones is more likely and more imminent than the scenarios that led to any of these tragedies.

If (when) an airliner is brought down by a drone, there will be outrage, there will be calls for immediate action, there will be task forces, there will be finger-pointing, and there will be hundreds – likely thousands – of reported near-miss incidents to point to. There will be new legislation restricting the use of drones near airports, requiring drone users to be registered, certified, and take some level of training. And there will be stiff penalties for non-compliance. My question is, why are we waiting?

Regulating and monitoring drone use, especially small UAVs, is not easy and won’t be cheap. But that’s the case with most safety practices in commercial air transportation. It won’t be popular with drone enthusiasts and the UAV industry. But popularity surely does not trump an industry that will be responsible for safeguarding almost 4 billion passengers by 2017 and which generates trillions of dollars of economic benefits to countries everywhere?


So why aren’t we – by which I mean FAA, ICAO, IATA, aircraft manufacturers, the airlines, law enforcement agencies and governments everywhere – making UAV regulation and control our top priority?

I have an awful suspicion, and one best illustrated by comparing the drone threat to that of the German threat in World War II. Germany had its Enigma encryption machine for encoding and communicating top-secret messages. Famously, British cryptologists created a machine that cracked the Enigma code and allowed intelligence services to read those German communications and hence know about planned strikes. But they often didn’t act on that knowledge because to do so would have given away the fact that they had cracked Enigma, potentially extending the war if Germany then changed the code. The costs of an extended war were deemed higher than those of individual losses, such as planned allied city bombings or warship strikes, which were known about thanks to the decryption machine but could not be acted upon.

With today’s UAV problem, as complex and expensive as it will be to resolve, I wonder whether another cost calculation is being considered? Getting sufficient funds, resources and commitment to implement an effective, global drone-control regime in place will be very challenging and likely a slow process. Unless. Unless an airliner, let’s say a western airliner with some 300 people onboard, is brought down by a drone. Whether that act by the UAV operator is unintended or deliberate, the game changes overnight and the path to drone regulation and legislation becomes much easier to fund and implement. Three hundred lives is a very high cost, but perhaps worth the greater good of thousands of lives saved by an expedited UAV-control system?

I don’t want to wait for the “enigma solution”. The question is, what are we going to do about it?


Drone pilots warned after close call with passenger jet

by Press • 22 July 2015


An Airbus A320’s wing passed 6m (20ft) below a drone hovering at Heathrow, said the Civil Aviation Authority.

It said drone pilots would face prosecution if they put the safety of other aircraft at risk.

News about the mid-air encounter comes only days after a Lufthansa jet nearly collided with a drone on the approach to Warsaw’s international airport.


Prison terms

The CAA said it had recorded six other incidents between May 2014 and March 2015 at airports around the UK in which drones and piloted craft almost collided.

“Drone users must understand that when taking to the skies they are entering one of the busiest areas of airspace in the world,” said Tim Johnson, director of policy at the CAA, in a statement.


Drone owners must be aware of the rules and regulations surrounding the flying of their craft, he said.

Recklessly endangering an aircraft is a criminal offence, said Mr Johnson, and those convicted could face a five-year jail sentence.

The authority has issued a set of safety guidelines which, it said, should help ensure drone flights do not impinge on other aircraft.

The “dronecode” says recreational drone owners should always keep their craft within their line of sight, about 500m (1,640ft), and must not fly higher than 122m. In some of the near-collisions, drones were flying at heights of about 2,000ft, it said.

The code also says that drones carrying cameras must stay at least 50m away from people, vehicles and structures and must not approach a large group of people closer than 150m.

It urged owners to exercise common sense when flying their craft and to avoid the congested airspace around airports.

“Drone operators need to put safety at the forefront of their minds when flying though, and ensure there is no conflict with commercial manned traffic,” said Stephen Landells from the British Airline Pilots Association.



The city of Greensboro will consider a $5.7 million citywide unmanned aircraft system

by Press • 22 July 2015

Katie Arcieri Reporter Triad Business Journal


A drone technology firm is looking to break into the Triad, with a proposal to install a $5.7 million unmanned aircraft system that arrives at emergency incidents before police do.

Olaeris will present a plan to the Greensboro City Council on Tuesday for the installation of the AEVA aircraft system, which launches automatically once a 911 call is received. The unit arrives at the destination in 90 seconds or less and begins transmitting live video from above to police dispatch centers so officers “can actually see what’s happening at the scene,” said Ted Lindsley, CEO of the Thailand-based company.

“What we are talking about is an aircraft that is bigger than a king-sized bed, and it is operated by a certified pilot, just like a helicopter pilot on the ground,” he said.

The system, which could go into operation as early as 2017, would have a fleet of about 12 aircraft. It would be similar to a $5.7 million county network that Macon, Ga., last week unanimously approved.


Lindsley said his company has formed a partnership with HAECO Americas, which would manufacture Olaeris’ AEVA systems, possibly within a High Point building where HAECO is considering adding 147 jobs.

Wesley Reid, assistant city manager for Greensboro, said the council will hear Olaeris’ plan at a 4 p.m. work session on Tuesday. A vote could come in August based on the council’s reaction Tuesday, he said.

If the system is approved, Olaeris would establish a regional support office in Greensboro that would support a six-state Mid-Atlantic region.

Macon, meanwhile, would support the Gulf region. Olaeris is also talking to multiple cities in the Midwest now.

Greensboro would begin paying for the system only after Olaeris demonstrates the fully operational system and the city is satisfied that the company has delivered on its promises, Lindsley said. The system would be expected to cost the city less than $100,000 per month.

“If we fail in any way, they owe nothing,” Lindsley said. “When we succeed, the city will have the fastest 911 response capabilities in the country and work far more efficiently than ever before.”

HAECO also would assist with the system’s Federal Aviation Administration certification, which could take 13 to 24 months, he said. The AEVA system would be classified as a remotely piloted aircraft, he said, which is different from a drone or an unmanned aerial vehicle.

Olaeris unveiled its AEVA technology in 2012 and began scouting cities to become early adopters of the technology. Lindsley said Olaeris was contacted by Kyle Snyder, director of the NextGen Air Transportation Center at N.C. State University.

“North Carolina wasn’t even on my radar. I kind of chuckled when he said, ‘I’m from North Carolina,’” Lindsley said. “He said ‘North Carolina wants to be a leader in unmanned aircraft systems and you represent 2025 technology that we want here.’”

Lindsley said Greensboro came close to considering a deal with Olaeris in 2013, but city officials hesitated because there was not a state framework for operating such systems at the time.

“They got nervous because they said, ‘Look, we feel like we’re stepping out here all alone. North Carolina has no operating rules for these aircraft yet,’” he said.

Reid said the city felt more comfortable once North Carolina’s legislature passed a law creating a framework for unmanned aerial vehicles.

“There had been a lot of advances and a lot of things that had changed,” he said. “So we were willing to hear them again.”

Reid added that the company’s relationship with HAECO, a major employer, also added credibility to Olaeris’ plan.

“That piqued our interest,” he said. “The partnership that they were building with HAECO was a huge one for us.”



Brits use TV signals to track aircraft

Michael Peck, Contributing Writer 2:42 p.m. EDT July 23, 2015


“Following Doctor Who, stay tuned to BBC One for air traffic control.”

Regular TV signals might be able to replace radar, say several British companies that have been testing the concept, according to an announcement by NATS, which provides air traffic control services in Britain. Thales and Roke Manor are also involved in the testing.

The test was carried out primarily over London with a Thales concept demonstrator using signals from the Crystal Palace transmitter in Bromley, according to NATS. Roke Manor validated the results.

The researchers were able to track up to 30 aircraft at a time at altitudes of up to 10,000 feet. Additional equipment would have expanded the capability, according to the research team.

The results demonstrate that not only can TV transmissions be used to locate aircraft; they can do it well enough to meet the standard separation requirements for air traffic control, the researchers concluded.



Raytheon Backs Cyberspace Push as Rivals Bail

Defense contractor expects cyberventure to be accretive in two to three years

By Doug Cameron

Updated July 23, 2015 1:55 p.m. ET


Raytheon Co. said Thursday that its big push into commercial cyberspace services would pay off a year ahead of schedule, even as rival defense contractors bailed out of the sector because of tough competition.

The maker of Patriot missile-defense systems in May paid $1.6 billion for control of Websense Inc. and combined it with its government-focused cyberbusiness in an effort to cross-sell to customers seeking protection from a dizzying array of Internet threats.

At the time, the deal was the largest defense acquisition in a decade and followed more than a dozen smaller purchases, but met with skepticism from some investors and analysts, with Raytheon shares underperforming peers amid concerns the company would find it tough to secure profitable growth.

However, Raytheon said the cyberventure would be accretive in two to three years, 12 months earlier than expected. Its shares were recently up 7.7% at $104.53.

“It’s not as dilutive as we thought,” Chief Financial Officer Toby O’Brien said of Websense in an interview after Raytheon reported forecast-beating quarterly earnings. It also lifted its full-year sales forecast, targeting a rise of up to 2% from 2014, reversing annual declines stretching back to 2010. Mr. O’Brien said the return to growth was a year ahead of its prior expectations.

Raytheon is the Pentagon’s fourth-largest supplier by revenue and a closely watched barometer of the industry’s health because of its relatively large overseas exposure, a run of domestic contract wins and its efforts to tap commercial as well as core defense markets.

The cyber push has attracted even more scrutiny as rivals gave up on their own efforts to leverage their prowess in military and intelligence markets into winning deals for customers such as banks and utilities. Lockheed Martin Corp. this week announced plans to sell or spin off its commercial cyberbusiness, and Boeing Co. and General Dynamics have already exited a segment both built through acquisitions.


Defense companies have found they lack the sales skills to tap nongovernment clients and lacked the scale of some established commercial operators such as Symantec Corp. and FireEye Inc. to do so.

Raytheon Chief Executive Tom Kennedy said there was pent-up demand from commercial and government customers for what he called defense-grade cyber solutions, with Websense’s main product having double-digit sales growth in the June quarter.

Patriot sales have been boosted by tensions in the Middle East, and international orders climbed to a record 46% of its backlog at the end of the quarter, boosted by around $7 billion in deals for the Patriot booked in recent months.

With international sales growing at mid single-digit levels and U.S. business flat or slightly down this year, Mr. O’Brien said he expected domestic sales to turn up again late next year or in early 2017.

His comments came as Raytheon said profit from continuing operations rose to $504 million from $499 million, with per-share earnings climbing to $1.65 from $1.59, above analysts’ expectations.

The company trimmed its 2015 earnings guidance to a range of $6.47 to $6.62 from $6.67 to $6.82 to reflect the Websense deal, ahead of analysts’ expectations, and boosted its share-buyback plan.

The company raised its 2015 sales guidance by $400 million, with Austin, Texas-based Websense expected to add an extra $100 million and the unit that builds the Patriot missile-defense system boosting revenue by an additional $300 million.

Patriot sales helped lift revenue by 2.8% to $5.85 billion in the quarter, with $7.6 billion in orders boosting its book-to-bill ratio to 1.3.



‘You’ve been fleeced’: Congress grills Kerry, Obama officials on Iran nuke deal

Published July 23, 2015



Secretary of State John Kerry found himself on the defensive Thursday at a Senate hearing where he was hard-pressed to find support for the Iran nuclear deal from either side of the aisle — and sharply sparred with Republicans who accused him of being “fleeced” and “bamboozled.”

The Senate Foreign Relations Committee hearing was the first on the controversial deal to lift economic and other sanctions in exchange for concessions of the Islamic state’s nuclear program. With Congress taking up the deal and expected to vote on it sometime in September, the hearing underscored the deep resistance the Obama administration faces from both parties.

“From my perspective, Mr. Secretary, I’m sorry … I believe you’ve been fleeced,” Committee Chairman Bob Corker, R-Tenn., told Kerry, claiming the agreement paves the path for Iran to eventually develop a nuclear bomb.

Critics repeatedly suggested the Obama administration’s negotiating team gave in to pressure from the Iranians on key points. They question whether sanctions indeed can be reinstated once they’re lifted; whether Iran might be able to stall international inspectors; and whether Iran might be closer to a weapon once the deal expires.

Sen. James Risch, R-Idaho, said: “You guys have been bamboozled.”

Kerry, though, vigorously defended the agreement, calling it “fantasy, plain and simple,” to think the United States failed to hold out for a better deal at the bargaining table.

“Let me underscore, the alternative to the deal we’ve reached isn’t what I’ve seen some ads on TV suggesting disingenuously,” he told the Senate Foreign Relations Committee. “It isn’t a quote better deal, some sort of unicorn arrangement involving Iran’s complete capitulation.”

Energy Secretary Ernest Moniz also said the deal is not “built on trust.”

Some lawmakers tried to play referee when the hearing got heated. Sen. Barbara Boxer, D-Calif., said the remarks from Corker and Risch were “disrespectful and insulting.”

“If you were bamboozled, the world has been bamboozled — that’s ridiculous,” Boxer told Kerry.

Kerry still had to contend with skeptical Democrats, notably Sen. Bob Menendez, D-N.J., who questioned whether the language in the deal is tough enough and like Corker said the deal aids Iran in building an “industrial-scale” nuclear program.

Kerry earlier warned that Iran will not come back to the negotiating table to pursue a new deal, voicing frustration that: “We’ve got 535 secretaries of state.”

The hearing comes as lawmakers raise new concerns about alleged secret “side deals” struck with Tehran over its nuclear program.

Sen. Tom Cotton, R-Ark., and Rep. Mike Pompeo, R-Kan., first brought attention to them Tuesday, saying they learned from the International Atomic Energy Agency (IAEA) that there were two “side deals” between Iran and the IAEA.

According to the lawmakers, one agreement covers inspection of the Parchin military complex, and the other concerns potential military aspects of Iran’s nuclear program. On the former, they said, Iran would be able to strike a separate arrangement with the IAEA concerning inspections at Parchin.

House Speaker John Boehner and Senate Majority Leader Mitch McConnell joined Cotton and Pompeo in sending a letter to President Obama on Wednesday requesting that the agreements be made available to Congress so that they can be reviewed.

“We request you transmit these two side agreements to Congress immediately so we may perform our duty to assess the many important questions related to the JCPOA [Joint Comprehensive Plan of Action],” the letter says.

National Security Adviser Susan Rice, while defending the overall nuclear agreement, appeared to acknowledge the existence of the side deals on Wednesday. She said the matter of the Iran nuclear program’s “possible military dimensions” (PMD) has long been an issue between Iran and the IAEA. She said they “negotiated and concluded an agreement to deal with this issue of PMD, which was one of the major sticking points in our dealings.”

She added: “These documents are not public, but nonetheless, we have been briefed on those documents, we know their contents, we’re satisfied with them and we will share the contents of those briefings in full in a classified session with the Congress. So there’s nothing in that regard that we know that they won’t know.”

Pompeo also asked Kerry about the secret deals in a briefing Wednesday and said afterwards that Kerry “confirmed that there were in fact side deals and himself had not seen the agreement.”

“I was incredibly surprised to learn there were components of the deal that Congress was not going to be privy to,” Pompeo said, adding that he had expected that American negotiators would have demanded to see the side deals being cut.


Kerry said after Thursday’s hearing, though, “there are no side deals.”

The letter to Obama expressed concern that Congress was being kept in the dark.

“Most troubling, Iran and the IAEA reached agreement to resolve issues related to research at Parchin, but Congress will not have the ability to review this agreement, nor will we know the results of the IAEA’s assessment until December 15,” the letter says.

It goes on to request access to the side deals so that Congress can effectively review the deal as a whole:

“Failure to produce these two side agreements leaves Congress blind on critical information regarding Iran’s potential path to being a nuclear power and will have detrimental consequences for the ability of members to assess the JCPOA,” the letter says.

