
September 28, 2015




26 September 2015




U.S. and China Seek Arms Deal for Cyberspace



WASHINGTON — The United States and China are negotiating what could become the first arms control accord for cyberspace, embracing a commitment by each country that it will not be the first to use cyberweapons to cripple the other’s critical infrastructure during peacetime, according to officials involved in the talks.

While such an agreement could address attacks on power stations, banking systems, cellphone networks and hospitals, it would not, at least in its first version, protect against most of the attacks that China has been accused of conducting in the United States, including the widespread poaching of intellectual property and the theft of millions of government employees’ personal data.

The negotiations have been conducted with urgency in recent weeks, with a goal to announce an agreement when President Xi Jinping of China arrives in Washington for a state visit on Thursday. President Obama hinted at the negotiations on Wednesday, when he told the Business Roundtable that the rising number of cyberattacks would “probably be one of the biggest topics” of the summit meeting, and that his goal was to see “if we and the Chinese are able to coalesce around a process for negotiations” that would ultimately “bring a lot of other countries along.”

But a senior administration official involved in the discussions cautioned that an initial statement between Mr. Obama and Mr. Xi may not contain “a specific, detailed mention” of a prohibition on attacking critical infrastructure. Rather, it would be a more “generic embrace” of a code of conduct adopted recently by a working group at the United Nations.

One of the key principles of the United Nations document on principles for cyberspace is that no state should allow activity “that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public.” The goal of the American negotiators is to have Chinese leaders embrace the principles of the United Nations code of conduct in a bilateral agreement with Washington.



But it seems unlikely that any deal coming out of the talks would directly address the most urgent problems with cyberattacks of Chinese origin, according to officials who spoke on the condition of anonymity to describe continuing negotiations.

Most of those attacks have focused on espionage and theft of intellectual property. The rules under discussion would have done nothing to stop the theft of 22 million personal security files from the Office of Personnel Management, which the director of national intelligence, James R. Clapper Jr., recently told Congress did not constitute an “attack” because it was intelligence collection — something the United States does, too.

The agreement being negotiated would also not appear to cover the use of tools to steal intellectual property, as the Chinese military does often to bolster state-owned industries, according to an indictment of five officers of the People’s Liberation Army last year. And it is not clear that the rules would prohibit the kind of attack carried out last year against Sony Pictures Entertainment, for which the United States blamed North Korea. That attack melted down about 70 percent of Sony’s computer systems.

Sony is not, by most definitions, part of the nation’s “critical infrastructure,” although the Department of Homeland Security does include “movie studios” on its list of critical “commercial facilities,” along with stadiums, museums and convention centers.

Still, any agreement to limit cyberattacks in peacetime would be a start. “It would be the first time that cyber is treated as a military capability that needs to be governed as nuclear, chemical and biological weapons are,” said Vikram Singh, a former Pentagon and State Department official who is now vice president for international security at the Center for American Progress.

Within the Obama administration, the effort to design “a set of norms of behavior” to limit cyberattacks has been compared to President John F. Kennedy’s first major nuclear treaty with the Soviet Union in 1963, which banned atmospheric nuclear tests. That accord did not stop the development of nuclear weapons or even halt underground tests, which continued for decades. But it was a first effort to prevent an environmental disaster, just as this would be a first effort by the world’s two biggest economic powers to prevent the most catastrophic use of cyberweapons.

Joseph S. Nye, a Harvard professor known for his studies of American power, said the concept of a “no first use” doctrine for cyberattacks had been “gestating for some time” in a variety of international forums. “It could create some self-restraint,” Mr. Nye said, but he added that the problem was, “how do you verify it, and what is its value if it can’t be verified?”

That problem goes to the heart of why arms control agreements in the cyberspace arena are so much more complicated than better-known agreements covering nuclear weapons.

In the Cold War and still today, nuclear arms remain in the hands of states, meaning they can usually be counted and their movements observed. Cyberweapons, too, are often developed by countries — the United States, Russia, China and Iran are among the most sophisticated — but they can also be found in the hands of criminal groups and teenagers, neither of which negotiate treaties.

Moreover, it was usually clear where a conventional attack had originated; the trajectory of a missile could be tracked by radar or satellite. Mr. Obama himself noted last week the difficulty of tracing a cyberattack, and thus of deterring it — or retaliating with confidence.

Earlier efforts to get Mr. Xi and other senior Chinese leaders to address cyberattacks have largely failed. Mr. Obama spent a considerable amount of time on the issue during a summit meeting with Mr. Xi at Sunnylands, a California estate, in 2013. But even after that session, the Chinese denied that their military was involved in attacks, and portrayed themselves as victims of attacks from the United States.

It was not an entirely spurious claim: Classified documents released by Edward J. Snowden showed a complex effort by the National Security Agency to get into the systems of a Chinese telecommunications giant, Huawei, though the United States maintained that the effort was for national security surveillance, not for the theft of intellectual property.

The recent Chinese movement on cybersecurity can be traced to several events, officials say.

The Office of Personnel Management breach, which went undetected for roughly a year, was traced to Chinese sources, and one official said evidence had been presented to Chinese officials. In August, Susan E. Rice, Mr. Obama’s national security adviser, took a trip to Beijing to meet with Mr. Xi and other officials, and used it to increase pressure on China, suggesting that newly devised economic sanctions could be imposed. Mr. Obama referred to that possibility in two recent speeches, suggesting that he would hold off only if there was progress with Mr. Xi.

Last week, a high-level Communist Party envoy, Meng Jianzhu, who is responsible for state security, came to Washington and met with Ms. Rice, several American intelligence officials and the director of the F.B.I., James B. Comey. That session focused on coming up with some kind of agreement, however vaguely worded, that Mr. Obama and Mr. Xi could announce on Friday.

For the United States, agreements limiting cyberweapons are also problematic. The country is spending billions of dollars on new generations of weapons, and in at least one famous case, the cyberattacks on Iran’s nuclear enrichment site at Natanz, it has used them.

American cyberwarriors would be concerned about any rules that limited their ability in peacetime to place “beacons” or “implants” in foreign computer networks; these are pieces of code that monitor how foreign computer systems work, and they can be vital in determining how to launch a covert or wartime attack. The Chinese have littered American networks with similar technology, often to the consternation of the Pentagon and intelligence agencies.

“One of the things to look for are any rules that bar ‘preparing the battlefield,’ ” said Robert K. Knake, a senior fellow at the Council on Foreign Relations who worked in the White House cybersecurity office earlier in the Obama administration.

Mr. Obama, who has said little about the United States’ development of cyberweapons during his presidency, has begun to talk about it in recent days. “If we wanted to go on offense, a whole bunch of countries would have some significant problems,” he told the Business Roundtable on Wednesday.


Senate Maneuvers to Avoid Shutdown

By Joe Gould 4:16 p.m. EDT September 22, 2015


WASHINGTON — US senators are poised to consider a stop-gap funding bill that keeps the federal government running through Dec. 11 and strips funding from Planned Parenthood — expected to set the stage for a more viable bill later this week.

The $1.017 trillion measure conforms to spending caps ordered in the 2011 Budget Control Act, but adds $74.7 billion for defense through the Overseas Contingency Operations account, which is exempt from the caps. The OCO amount is roughly $13 billion more than the president’s budget request.

Democrats who oppose defunding Planned Parenthood are expected to filibuster the measure when it comes up for a vote Thursday — the same day Pope Francis addresses Congress.

Senate Majority Leader Mitch McConnell is reported to be planning a continuing resolution later this week that omits the Planned Parenthood provision, which Senate Minority Leader Harry Reid said he would welcome.

“This is yet another case of the Republican leader wasting time before we address the real deal,” Reid, D-Nev., said on the Senate floor Tuesday. “We read in this morning’s papers that the Republican leader intends to bring a clean continuing resolution before the Senate later this week. That’s not a day too soon.”

Democrats have called for an equal increase on the non-defense side for any increase above budget caps on the defense side.

As GOP members entered a closed-door caucus meeting Tuesday afternoon, Senate Appropriations Committee Chairman Thad Cochran, R-Miss., voiced support for the bill.

“Our committee has approved all 12 of the annual appropriations bills required to meet our national security and domestic priorities. Most of these bills have bipartisan support,” Cochran said in a statement.

An analysis of the current Senate bill said it prohibits the Pentagon from starting new programs, entering into multi-year contracts or increasing production rates. Nor does it provide for any activities that were not funded in 2015.


Budget Gridlock Looms Over AFA

By Lara Seligman 10:53 a.m. EDT September 20, 2015


NATIONAL HARBOR, Md. — In recent years, the undercurrent at the US Air Force Association’s annual Air & Space Exposition has been the sequester, with the military and industry alike decrying the impact of devastating budget cuts on readiness levels.

But this year, a new shadow loomed over the conference. With less than two weeks left for Congress to reach an agreement to fund the government, the Pentagon is waking up to the possibility of an unprecedented, full-year continuing resolution.

Last week, top Air Force officials hammered home the message that if the Pentagon is forced to operate under a stop-gap spending measure next year, the service’s ability to buy new aircraft and modernize its existing fleet is in peril.

A full-year CR would actually be worse than sequestration-level budgets in fiscal 2016, Secretary Deborah Lee James said in an interview with Defense News. A long-term CR would impact about 50 large and small Air Force programs, she said.

“A full-year continuing resolution or any form of a long-term CR would actually [be] less money than sequestration-level budgets in terms of our top line number, and it would impact, we estimate, on the order of 50 programs in the Air Force,” James said. “Seventy-five percent of which are smaller programs, but that doesn’t mean they are not important, because they are, and 25 percent would be larger programs.”

James pointed to the B-2 communications upgrade, the Huey helicopter replacement and several space programs as examples of major initiatives a CR could derail, adding that a stopgap spending measure would also limit resources for other service priorities. A CR by law prohibits new-start programs and limits resources for platforms currently in production to prior year funding levels.

If the Pentagon is forced to adopt a CR, the Air Force’s effort to upsize its nuclear, cyber and maintenance forces is also at risk, James said.

Gen. Ellen Pawlikowski, head of Air Force Materiel Command, stressed in an interview with Defense News that a major challenge under a CR would be keeping up with aircraft depot maintenance. If the Air Force is trapped at last year’s budget for flying hours and weapon system sustainment, work begins to pile up at the depots, creating a backlog for years to come.

“If those numbers don’t have the appropriate ramp up, that means that I will not be able to put the throughput through the AOCs, which means that coming out of it I’m going to have some real issues in ’17 because I’m going to have planes that should have gone through depot that didn’t go through depot,” she said. “It is going to create a backlog, if you will, on those programs.”

The Air Force can choose to seek exemptions from the CR for its top priorities. But the service has only so much negotiating power, and some programs may fall through the cracks.


KC-46 Contract Breach

Should a CR take effect Oct. 1, arguably the Air Force’s most pressing concern is the possibility it will be forced to break a contract with Boeing on the KC-46 tanker.

Brig. Gen. Duke Richardson, the program executive officer for the Air Force’s next-generation tanker, told an audience at the convention that a CR would create a “very large problem” for the program.


But how big a problem wasn’t clear until after his speech, when he told Defense News that the CR could potentially break the contract with Boeing.

According to Richardson, the contract requires the Air Force to award eight aircraft at minimum in the second low rate initial production lot, planned for FY-16. But if a CR scenario occurs, the Air Force is by law limited to last year’s funding levels. In FY-15, the Air Force only budgeted for seven aircraft in LRIP 1. If the service is only allowed to buy seven aircraft again in FY-16 due to a yearlong CR, that would breach the terms of the contract, Richardson said.

Even if the Air Force gets some relief from Congress, the service could be forced to pay a fine, Richardson added. If LRIP 2 does not hit the “sweet spot” of 12 aircraft in FY-16, the Air Force will pay a per-year penalty.

A CR “breaks the contract, so we would have to reopen it up,” Richardson said. “We don’t want to do that, we think the terms of the contract are favorable.”

When pressed on whether the Air Force would rebid the program if a breach is forced, Richardson declined to answer, saying: “I don’t want to answer a hypothetical until it actually happens.”

The Air Force is likely to seek relief from a CR for the tanker, analysts said, particularly given the favorable terms of the contract. The service’s liability for the engineering and manufacturing development phase of the tanker program is capped at $4.9 billion; anything over is paid by Boeing. So far, technical issues have cost Boeing $1.2 billion in pretax overages on the program.

“This is arguably the most favorable and most important contract at risk … I don’t think Airbus is suddenly available to make a tanker,” said Rebecca Grant, president of IRIS Independent Research. “It’s uncharted waters if they break the contract, and I think everyone from Congress on down should do everything they can to make sure they don’t break the contract.”

Boeing must deliver 18 operational tankers to the fleet in August 2017. Despite the technical challenges and repeated delay of a critical milestone — first flight — Richardson said he remains confident the company will meet the deadline.

“They are applying company resources to make this program and so they are committing to us that they are going to meet the August of ’17,” Richardson told Defense News. “They’ve got a pretty good cache of resources at their disposal, so I think if they apply those resources they can do it. We’re not going to back away from helping them meet it. I’m not ready to entertain what happens if they don’t meet it.”

Richardson noted during the panel that Boeing Defense recently brought in Scott Fancher, senior vice president of Boeing Commercial, to help with the tanker program after a mislabeled chemical was mistakenly loaded into the test aircraft’s refueling line during testing. The accident caused the company to delay first flight, planned for late August or early September, by one month.

First flight will now take place Sept. 25, Richardson announced during the panel. Afterward, he emphasized the need to begin flying the aircraft before the end of September in order to meet major test points and reach a Milestone C decision — formal approval for production — as planned between January and April 2016. With the latest delay, Milestone C is slipping to the end of April, he told reporters.

“I am cautiously confident,” Richardson said during the presentation, although he added: “There’s no doubt that the schedule margin is gone on the program, and I think that if you look at what the secretary, the chief [of staff] have been saying, they are not happy with where we are at on the schedule and neither am I.”

The Air Force is still reviewing Boeing’s master schedule to make sure the program is on track to meet its deadlines, an initiative James announced late last month, Richardson told Defense News.


F-35 Production & Software Development


The CR also threatens to derail another major Pentagon recapitalization program: the F-35 joint strike fighter.

Next year, the Air Force plans to buy 44 F-35As, 16 more than the service bought this year. Meanwhile, the Marine Corps is slated to buy three additional F-35Bs next year compared to this year, Lt. Gen. Chris Bogdan, head of the F-35 joint program office, told reporters during the conference. If the Pentagon is trapped in a yearlong CR, the JPO won’t be able to buy these additional 19 aircraft in FY-16, Bogdan said.

“If we are capped at the ’15 dollars, those 16 Air Force model A airplanes and those three Marine Corps airplanes, they are orphans, I can’t buy them,” Bogdan said. “I won’t have the authority nor the money to buy them in FY-16, so we will have to figure out something because those airplanes are being built right now.”

Lockheed Martin is in the midst of building the Lot 10 aircraft, and is slated to deliver the jets within two years, Bogdan said.

If a CR occurs and the F-35 program does not get relief, the Air Force may be forced to move the buy to the next fiscal year, Bogdan said.

“We’ve got to do something because there’s 19 US service airplanes that are at risk now for a full-year CR, and that’s just not good,” Bogdan said. “It’s not good for industry, it’s not good for the services, it’s not good for us.”

At $100 million each, those 19 aircraft are worth on the order of $2 billion — a significant amount of money for Lockheed and the lower-tier suppliers to lose, Bogdan stressed. Plus, the government will likely incur an added cost if the JPO is forced to push the buy.

Development of the jet’s follow-on Block 4 software, which will come online sometime in the 2020s, would also feel the impact of a long-term CR, Bogdan said. The JPO is slated to spend about $120 million on planning for the as-yet undefined Block 4 in FY-16, about three times as much as the joint office is spending this year, he said.

“If a continuing resolution occurs, we will be capped at that in ’16, and that’s about a third of what we intended on spending in ’16 to do that planning to get to follow-on development,” Bogdan said.



Failure to pass a 2016 budget would also stall several new classified and unclassified programs aimed at improving the government’s space protection activities, according to the head of US Air Force Space Command.

“We have some significant space recommendations that are in the ’16 President’s Budget, many of those are classified, we wouldn’t be able to get started on those,” Gen. John Hyten told reporters during the conference. “All that stuff just gets put on hold — that’s just bad.”

The Pentagon is pushing a strategic effort to boost its space surveillance and counterspace spending by $5 billion in the face of a growing threat from Russia and China to US operations in space. Much of these dollars would go to classified programs.

The CR could also derail a new effort to create a US-based alternative to the Russian-made RD-180 engine the US military currently uses for space launch.



Cyber: The opposite of the Cold War?

Amber Corrin, Senior Staff Writer 11:27 a.m. EDT September 21, 2015

The cyber domain draws many comparisons to the domains and conflicts that came before it in military history. But in most respects it is a very different ball game, and while some adversaries may be shared with the Cold War, there remain fundamental differences.

“In the Cold War, we almost always assigned one organization to conduct operations and manage risks,” said Lt. Gen. Kevin McLaughlin, deputy commander of U.S. Cyber Command. “That doesn’t exist anymore, period, particularly in cyber. The interdependencies mean we can’t be turf-oriented — this is about the mission we’re trying to get done. We have to find partners with shared equity…and figure out how to do that together.”

McLaughlin, who spoke Sept. 17 at the Billington Cybersecurity Summit in Washington, underscored the evolving nature of the Defense Department’s nascent efforts to militarize the cyber domain. When the first stage of that evolution is complete, CYBERCOM will comprise 133 cyber teams and roughly 6,200 personnel dedicated to cyber offense and defense.

The initial phases of building out the nation’s cyber forces aren’t yet complete, but that doesn’t mean they aren’t already engaged in battle.

“We aren’t waiting for these forces to be fully manned before we deploy them. You probably don’t see that in other domains, but in some cases we’re deploying before they’re even at initial operating capability,” McLaughlin said. “The need is so dire that we’re deploying lots of young, new capabilities and, as a result, learning a lot about it. We’re aggressively putting a lot of capability into the fight, but it’s a young force. If you want 20 years’ experience, it’s going to take 20 years, and we’re rapidly building a framework for that to occur.”

The battle essentially has preceded the Pentagon bringing its cyber organization online. Joint Force Headquarters-DoD Information Networks, the Fort Meade-based organization tasked with operating and defending the military’s networks, was in existence for mere days before it was thrown into the fray.

“We are less than a year old, and from Day 3 we were thrown into the fight” with an unspecified incident, said JFHQ-DoDIN Deputy Commander Brig. Gen. Robert Skinner. “From that point [forward], we have been in a constant state of — I won’t say chaos, but a constant state of aggressive actions and a constant state of moving forward.”


GOP Candidates Obsess Over Iran Threat, Ignore Russian Nuclear Menace


Sep 18, 2015 @ 09:17 AM

Loren Thompson



This week’s debate among Republican presidential candidates brought harsh condemnations of the multi-nation agreement with Iran that would avert, at least for the time being, that country’s efforts to acquire nuclear weapons. Several of the candidates said they would rip up the agreement the day they entered the White House, and even the more restrained opinions that were expressed indicated deep concern about the nuclear threat Iran might one day pose to its neighbors, and to America.

No doubt about it, nuclear threats have become a big issue in the early days of the campaign season, and not just those coming from Iran. North Korea comes in for occasional mention too. But there is something wildly out of whack with the way the candidates are approaching the issue: nobody is talking about Russia’s nuclear arsenal. At last count, in April, Russia had 1,582 nuclear warheads capable of reaching the United States, and thousands more that might be used against U.S. overseas forces and allies.

Iran has no nuclear weapons. North Korea has a handful, but they can’t reach America — in fact, they may not be deliverable anywhere beyond the Korean Peninsula. Russia, on the other hand, could wipe out American civilization before sundown today. Just one percent of its warheads could kill more Americans than all of the nation’s wars combined, and ten percent could collapse the entire economy. Electricity would fail, medical treatment would become unavailable, water would be contaminated.

A sizable number of Americans think that the United States has built defenses against this danger. It hasn’t. There are no defenses. What we have is a retaliatory force of offensive weapons — sea-based ballistic missiles, land-based ballistic missiles and manned bombers — that can deliver fearsome destruction against Russia if it ever launches a nuclear attack. The strategy is called deterrence. But by the time U.S. forces began retaliating in a future nuclear exchange, they might be the only thing in America still working, because we have no defenses against a big nuclear attack.

Ronald Reagan thought this strategy was crazy. He thought Russian leaders couldn’t be trusted any more than the lunatics in Tehran and Pyongyang, and that threatening to kill millions of innocent civilians was immoral if an alternative existed. So in March of 1983, he set out to create such an alternative. It was called the Strategic Defense Initiative, and it became the signature military project of his administration. The basic idea was to use advanced technology like lasers to shoot down attacking missiles, technology so efficient that it would cost the Russians more to buy additional missiles than it would cost America to buy additional defenses.

The plan was scaled back and then forgotten after the Soviet Union collapsed — even though the prospect of such a defense contributed to the Evil Empire’s demise. But the Russian nuclear arsenal didn’t go away. It is still sitting at military bases scattered across Eurasia today, and Russian leaders say most of the 1,582 warheads capable of hitting America could be launched within a few minutes. They and their proxies have been talking about that a fair amount since the invasion of Ukraine last year, but none of the Republican candidates seems to have noticed.

In fact, in spring of 2014 the Russians conducted a massive “launch on warning” nuclear exercise in which several of their long-range missiles were shot out of silos, and a submarine in the Pacific launched a missile for the first time in more than ten years. Russian bombers also launched cruise missiles designed to hit distant targets with nuclear warheads. The exercise clearly was designed to send a message — “don’t get in our way in Ukraine” — but official Washington ignored the warnings. It has continued to ignore subsequent nuclear saber-rattling by Moscow.

So here’s where we find ourselves today. Candidates of the party likely to win the White House next year are ignoring the one threat that could wipe out American democracy in a day, while obsessing over the behavior of countries that currently pose no nuclear threat at all to the U.S. homeland. Maybe one day Iran or North Korea will build a nuclear warhead compact enough to fit on a ballistic missile, and develop a missile with sufficient range to strike America. But with or without diplomatic agreements, that day is a long way off. Vladimir Putin can hit America today.

This sure isn’t the way Ronald Reagan would have approached the world. He would have looked over Putin’s resume, stared him in the eye, and said, “This fellow can’t be trusted.” So he would have insisted on maintaining a potent nuclear deterrent, but he also would have pushed ahead with defending America against whatever aggression Putin might one day launch. When it comes to national survival, there doesn’t seem to be a single candidate in the Republican field who thinks like Reagan. Without realizing it, they have all backed into the Obama mindset of defending against the little threats, while acting like the big threat doesn’t exist.



The Pentagon’s Next Unclassified Email System May Live in the Cloud

September 22, 2015 By Frank Konkel Nextgov


The Pentagon’s next-generation unclassified email system may exist entirely in the cloud.

Before it does, the Defense Information Systems Agency – the Pentagon’s information technology arm – wants to gather “information, comments, capabilities and recommendations” from industry stakeholders, according to a notice posted this month.

DISA wants to replace its three-year-old DOD Enterprise Email calendaring and email service capabilities “with a more cost-effective commercial cloud-based service” for more than 1.6 million users. The notice states DOD’s evolving security policies have the Pentagon better prepared than ever to catch up with evolving technologies.

The notice goes on to state that, “While we recognize that shared cloud environments may provide significant opportunities, they also present unique risks to DOD data and systems that must be addressed.”

That suggests the Pentagon is most interested in one of two approaches.

The first is an on-premises deployment approach in which a commercial vendor would offer cloud-based email services from within DOD facilities. In this scenario, DOD emails are stored within DOD facilities, and vendors would have to define requirements for hosting data within those facilities.

In the second – and likely more cost-effective – scenario, the commercial vendor would offer cloud-based email and calendaring services from within its own facilities, with a secure connection between DOD networks and the cloud sharing data back and forth. In this scenario, DOD does not have to pay for hardware or managing data centers, which are typically large expenses.

Either scenario must conform with rigorous cybersecurity requirements that govern how DOD handles unclassified information in the cloud.

“We realize that each hosting approach is associated with a number of planning, technical and contracting considerations and we solicit vendor feedback and recommendations on approaches that would maximize effectiveness and cost efficiency,” the notice states.

Vendors and industry stakeholders have until Oct. 15 to respond. DISA officials are likely to use feedback in a potential request for proposals that could follow.


OPM Says 5 Times More Federal Employees Had Fingerprint Data Stolen in Hack Than First Believed

Jack Moore

Sep 23 2015


The Office of Personnel Management says more fingerprint data was stolen in the massive breach of government employees files than first believed.

The number of federal personnel whose fingerprint data was stolen in the hack has increased from approximately 1.1 million people to 5.6 million, according to a statement Wednesday from OPM spokesman Samuel Schumach.

However, the latest revelation of exposed fingerprint data does not increase the overall number of people affected by the hack, which stands at about 21.5 million.

Along with fingerprint data, other purloined information includes Social Security numbers and sensitive data asked of federal employees and contractors applying for security clearances, such as financial history, drug use and sexual behavior.

OPM and the Defense Department made the discovery after “analyzing impacted data to verify its quality and completeness,” Schumach said.

It’s unclear how fingerprint data could be exploited by the hackers — believed to be part of a Chinese espionage operation.

“Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” Schumach said in the OPM statement. “However, this probability could change over time as technology evolves.”

An interagency working group made up of the FBI, DoD, Homeland Security Department and members of the intelligence community “will review potential ways adversaries could misuse fingerprint data now and in the future,” as well as potential remedies, according to the statement.

“If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach,” Schumach said.

An interagency team will continue to “analyze and refine the data” as the government prepares to mail notification letters to impacted employees and contractors.

The federal government inked an initial $133 million contract earlier this month — five months after the breach was publicly disclosed — to provide hack victims with three years of credit monitoring and identity-theft prevention services.

Working with the Defense Department, OPM will “begin mailing notifications to impacted individuals, and these notifications will proceed on a rolling basis,” Schumach said. Notifications are expected to begin later this month.

OPM has said any federal employee or contractor who has undergone a background investigation since 2000 is likely impacted by the breach.


Chinese President Xi Met With Tech Executives in Seattle. Here’s What He Wants

By Kaveh Waddell

National Journal

September 22, 2015


The White House has publicly criticized China in recent months for manipulating its currency, engaging in corporate espionage, proposing restrictions for U.S. tech firms that want to do business in the country, and being involved in a spate of cyberattacks that targeted American companies and government agencies.

Despite this tension, however, President Obama will greet Chinese President Xi Jinping with a 21-gun salute and a formal state dinner when he visits Washington this week. And while Obama has a long list of grievances he will likely want to take up with Xi, the Chinese president is coming with his own agenda.

Technology and cyber norms will be a focus of Xi’s state visit, which begins Tuesday in Seattle. There, Xi will commune with tech leaders—including the chief executives of Amazon, Apple, Microsoft, IBM, Google, and Facebook—becoming the fourth consecutive Chinese leader to travel to the Pacific Northwest tech hub.

The president’s visit comes during a tightening of restrictions in Beijing on foreign technology companies operating in China. Xi will likely try to convince American companies to comply with a series of drastic proposals that would change the way they do business in the country.

One proposal would require foreign tech companies to agree to store data about Chinese users within the country, and maintain “secure and controllable” products, a phrase which may amount to a government request for intimate access to systems and technology deployed in China, The New York Times reported last week.

A national security law put forward this summer included some of the same stipulations about data localization, and would allow the Chinese government to levy fines against Internet companies that did not swiftly delete and report information that Beijing finds objectionable.

American tech companies have in the past gone along with the laws China imposes in order to preserve their access to the lucrative Chinese market. Chinese media reported earlier this year that Apple became the first foreign technology company to submit to Chinese “security checks.”

But Obama has pushed the business community to back up the administration’s positions by airing their own grievances with the Chinese government.

“Don’t tell us on the side, ‘We’ve got this problem, you need to look into it, but leave our names out of it because we don’t want to be punished’ kind of thing,” he told business leaders at a speech to the Business Roundtable last week.

“Typically, we are not effective with the Chinese unless we are able to present facts and evidence of a problem,” Obama continued. “Otherwise, they’ll just stonewall and slow-walk issues.”

When Xi heads to D.C., cyberespionage and cyberspace norms will figure prominently in scheduled meetings, which will come on the heels of negotiations between American and Chinese officials over the rules of cyberwar.

The White House is walking a tightrope in its relations with China, trying to simultaneously respond firmly to China’s aggression while keeping lines of communication open and productive.

The administration has considered imposing economic sanctions on China to punish it for cyberattacks, but has made clear the distinction between the theft of trade secrets, which it says is an anticompetitive practice, and conventional espionage.

“We have repeatedly said to the Chinese government that we understand traditional intelligence-gathering functions that all states, including us, engage in,” Obama said at the Business Roundtable speech. “And we will do everything we can to stop you from getting state secrets or transcripts of a meeting that I’ve had, but we understand you’re going to be trying to do that.”

Government officials have placed the large-scale breach at the Office of Personnel Management in the category of traditional spying, pushing back against characterizations of the breach as a cyberattack. “That’s a passive intelligence-collection activity—just as we do,” said Director of National Intelligence James Clapper at a Congressional hearing this month.

But as Washington braces itself for the security precautions that will accompany both Xi and Pope Francis during their visits to the capital this week, some lawmakers have accused Obama of showing weakness in his dealings with China. Republican presidential candidates have piled on, too: Marco Rubio and Scott Walker last month called for Obama to downplay or outright cancel Xi’s visit.

Calling the U.S.–China relationship “the most consequential in the world today,” National Security Advisor Susan Rice said Monday that ongoing engagement and negotiations are the only option. “I know that some people question why we host China at all. That is a dangerous and shortsighted view,” she said at an appearance at George Washington University. “If we sought to punish China by cancelling meetings or refusing to engage them, we would only be punishing ourselves.”

She added, “If America chose to remove itself from China, we would only ensure that the Chinese are not challenged on the issues where we differ and are not encouraged to peacefully rise within the international system that we have done so much to build.”


China’s Copycat Jet Raises Questions About F-35

September 23, 2015 By Marcus Weisgerber


New technical specs about China’s new J-31 fighter, a plane designed to rival the American-made F-35 Joint Strike Fighter, popped up on a Chinese blog last week. So who has the advantage — the U.S. or China?

China’s twin-engine design bears a striking resemblance to the single-engine F-35. Still, the Joint Strike Fighter is expected to fly slightly farther and carry a heavier load of weapons, according to the data, which was first reported by Jane’s.

Military experts say that while the J-31 looks like, and may even fly like, the F-35, it’s what’s under the hood and embedded in the skin that really matters. The U.S. has the better computer software, unique sensors and other hardware, stealth coating, and engine technology, all critical attributes that make fifth-generation aircraft different from the military jets of last century.

Exactly how long that advantage lasts is up for debate; senior Pentagon officials and experts believe American technology superiority is shrinking. That means the U.S. military’s weapons will not overmatch adversaries for as long as they have in past decades.

“It’s basically, are they producing weapon systems that have fifth-generation characteristics that potentially nullify some of our planned advantages in the future battlespace,” said Peter Singer, a strategist and senior fellow at New America.

“[W]e were depending more so on the [American weapons] having that generation-ahead edge, and if we don’t have that generation-ahead edge, that is incredibly scary for us in various scenarios,” Singer said.

U.S. Deputy Defense Secretary Robert Work and acquisition chief Frank Kendall have spent much of the past two years warning that the U.S. military’s technology advantage is eroding.

“What it does is reduce the cost and lead time of our adversaries to doing their own designs, so it gives away a substantial advantage,” Kendall said of cyber espionage at a 2013 Senate Appropriations Defense Subcommittee hearing.

Since then, Work and Kendall have been leading projects to find technologies that will give the American military an advantage on the battlefield of the future.

China is suspected of stealing F-35 design data in 2009. U.S. officials have said classified information was not stolen in that breach, but in 2011 it emerged that China was building a multirole stealth fighter of its own that could strike targets in the air and on the ground, like the F-35. The J-31 flew for the first time in 2012.

The Pentagon huddled with defense companies in 2007 to urge firms to better protect their networks. Companies are attempting to beef up their cybersecurity, but there is a gap in the security talent, said Justin Harvey, chief security officer for Fidelis Cybersecurity, a firm that works with the U.S. government and private industry.

“They’re buying these tools, but they’re not investing a ton in the people,” he said. Whenever a company is attacked, they typically call Fidelis or similar cybersecurity firms to consult because they don’t have employees with the training or experience to assess the breach.

“I think 90 percent of U.S. companies are not equipped to deal with cyber espionage,” Harvey said.

The defense industrial base and financial services industry are the best-protected, he said.

Cyber espionage allows rival companies to get access to the information gleaned during testing “for the cost of breaching your network,” Singer said.

Cyber theft allows China to save tens of billions of dollars in research and development, the experimentation and testing a new weapon goes through before it reaches the battlefield, experts say. While the Chinese jet fighters might still be inferior to the American planes, not having to do early research and development allows them to focus on upgrades and improvements.

This means the 10- to 20-year advantage an aircraft like the F-35 was supposed to have on the battlefield might not be there, Singer said. Those Chinese planes could then compete against U.S.-made aircraft 20 years from now, when the U.S. government allows more and more allies to buy the F-35.

“Those future competitions will be incredibly difficult because we’ll have paid the R&D for our competitors,” Singer said.

Increased research-and-development costs, common in Pentagon acquisition projects, often lead to a decrease in the total number of items purchased. Most recently, this was the case with the F-35’s older brother, the F-22 Raptor. The Air Force had wanted more than 700 planes, a number cut first to 381 and ultimately to 187.

“The expense of our fifth-generation [fighter aircraft] means we have not been able to buy as many as we want,” Singer said.

But the F-35, unlike previous aircraft, has been designed to receive upgrades over the years, which will ultimately improve its capabilities, allowing it to defeat new threats.

F-35 development will end in October 2017. After that the program will move into a “follow-on development” phase, said F-35 project spokesman Joe DellaVedova. “One of the F-35’s great strengths is that it’s a growth platform, so its software, its processors, its radar, its capability; there’s a lot of room for growth.”

The jet fighters will get software and hardware upgrades every two years on an alternating basis.

The F-35 itself and its ground equipment undergo multiple tests each year to make sure the systems can withstand cyber attack, DellaVedova said. “We take the cyber threat very seriously,” he said.

While the Chinese planes might still have inferior systems, stealing intellectual property and subsequent R&D savings also allows Beijing to make drastic changes in prototypes.

For the J-20, a Chinese stealth fighter being built to rival the F-22, there have been numerous prototypes in which the plane’s design has become stealthier, Singer said.

“Their designs, their capabilities are shifting from prototype to prototype in a way that has not been happening with the current way that we are building our fifth-gen systems,” he said.



Cyber Security Rule Creates New Obligations for Defense Contractors

By Eleanor Hill and Alexander Haas


The Defense Department and its contractors have long recognized the need to work collaboratively to protect networks and information. The Defense Federal Acquisition Regulation Supplement (DFARS) has for years required prime contractors and subcontractors to report cyber incidents to the government.

Those requirements changed substantially when the Pentagon published a new interim rule Aug. 26 amending DFARS to require “rapid” reporting of cyber incidents that result in an “actual or potentially adverse effect” on certain information systems or defense information residing on contractor networks.

Defense took the unusual step of issuing an interim rule without first issuing a proposed rule for comment in view of “the urgent need to protect covered defense information and gain awareness of the full scope of cyber incidents being committed against defense contractors.”

The interim rule is effective immediately. It significantly expands the reporting mandate on defense contractors and their subcontractors.

First, the interim rule expands a contractor’s safeguarding and reporting duties beyond unclassified technical information. The scope is broadened to “covered defense information.” This includes controlled technical information, export controlled information, critical information, and other information requiring protection by law, regulation or governmentwide policy.

Second, the interim rule now requires contractors to report cyber incidents involving this new class of information on entire covered contractor systems as well as “any cyber incident that may affect the ability to provide operationally critical support.” It also expands the definition of “cyber incident” beyond network penetrations or the exfiltration of data. “Cyber incident” will now include any “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” The rule likewise defines “compromise” broadly to mean the “disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object or the copying of information to unauthorized media may have occurred.”

Third, the interim rule modifies the baseline standards defense contractors must comply with to provide “adequate security” by referencing a different National Institute of Standards and Technology (NIST) publication. This potentially raises some immediate compliance challenges.


Fourth, the interim rule explicitly pushes down reporting obligations to subcontractors, even for commercial items. Prime contractors must now “include the substance” of these contract clauses in all subcontracts for services that include “support for the government’s activities related to safeguarding covered defense information and cyber incident reporting, including subcontracts for commercial items.” It explicitly requires subcontractors to “rapidly” report cyber incidents directly to the Defense Department through the DIBNet portal. Subcontractors must also inform their higher-tier subcontractor, until the prime contractor is reached.

In short, defense contractors and subcontractors now have an enhanced obligation to protect a number of categories of unclassified information and to report cyber incidents to the government.

Further, cyber incidents trigger the reporting requirement even without adverse effects, because the interim rule applies to actions that result in a “potentially adverse effect on an information system and/or the information residing therein.” When paired with the definition of “compromise,” a large swath of cyber incidents is covered that would not necessarily involve a network penetration or the known exfiltration of data.

Contractors must report relevant cyber incidents involving their subcontractors’ systems and must be prepared for lowertier subcontractors to report information to the Defense Department before the prime contractor learns of the possible cyber incident.

To be sure, the interim rule provides that a “cyber incident that is reported by a contractor or subcontractor shall not, by itself, be interpreted as evidence that the contractor or subcontractor has failed to provide adequate information safeguards for covered defense information on their unclassified information systems.” But defense officials have previously stated that the department does not intend to provide safeharbor statements related to reportable cyber incidents. It is not yet clear what other factors, beyond the mere occurrence of a properly reported cyber incident, will impact the assessment of contractor compliance with the requirement to provide adequate security measures.

Contractors should be aware that the Defense Department has substantial authority to use information provided in cyber incident reports, including contractor proprietary information not created by or for the government. Defense may release this information to entities with missions that may be affected by such information; to entities that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents; to government counterintelligence or law enforcement investigations; for national security purposes; or to certain support services contractors under particular government contracts.

In light of this new rule, contractors should examine their contractual rights to audit subcontractors’ network security safeguards, to require subcontractors to notify the contractor of any cyber incidents, and to participate in any investigation related to a cyber incident involving a subcontractor’s network.

We believe it is likely that future audits by the Defense Department’s inspector general, other agencies’ inspectors general, or investigations by Congress could be prompted by reported cyber incidents.

Although the rule is already in place, the Defense Department will be accepting comments on the interim rule until Oct. 26.

Eleanor J. Hill is a partner and Alexander K. Haas is counsel at the King & Spalding international law firm. Attorneys Gary Grindler, John Drennan, and Nick Oldham contributed to this article.


Rasmussen Reports

What They Told Us: Reviewing Last Week’s Key Polls


Saturday, September 26, 2015

Pope Francis’ visit this week to the United States is likely to have put religion on the minds of many more Americans.

Most Americans have a favorable opinion of the new pope and think he’s good for the Catholic Church. It’s clear, too, that most see an essential place for religion in this country, but there’s been a sizable jump in the number who don’t think the government agrees.

Still, while voters have mixed feelings about the impact religious leaders have on government policy, they are quite clear that they don’t want someone in the pulpit telling them how to vote.

Speaking of voting, religion will be front and center this weekend as the Republican presidential candidates make their cases before the conservative Family Research Council’s Values Voter Summit in Washington, D.C.

Voters in the past have been narrowly divided on the importance of a political candidate’s religious faith, but over half of voters – and 73% of Republicans – agree with GOP presidential hopeful Ben Carson, who says he could not vote for a Muslim to be president.

So if most voters agree, why did the media make such a big deal about Carson’s remarks? Perhaps because, as 71% believe, when covering a political campaign, most reporters try to help the candidate they want to win.

Following the second Republican presidential candidate debate earlier this month, 59% said Carson is likely to be the GOP candidate next year. Forty-one percent (41%) said the same of former Hewlett-Packard CEO Carly Fiorina, and 40% felt that way about Jeb Bush.

Wisconsin Governor Scott Walker this week suspended his campaign for the Republican presidential nomination. Walker started his campaign with high expectations but was quickly buried like many of the other GOP candidates in the Donald Trump phenomenon.

“The Donald” continues his downward slide, though, with this week’s Trump Change survey at its lowest level (52%) since we started the regular feature in mid-August.

It’s been a rough few months for Hillary Clinton’s presidential campaign, but her chances for the Democratic nomination hold steady in Rasmussen Reports’ latest Hillary Meter.

Right now 59% of all voters – and 37% of Democrats – think it’s likely Clinton broke the law by sending and receiving emails containing classified information through a private email server while serving as secretary of State. 

Clinton in a rare interview this past week announced that she is opposed to building the Keystone XL pipeline. Most voters have favored building the oil pipeline from western Canada to Texas in surveys for the past four years. 

The former first lady also said again that the president’s immigration agenda, including protecting up to five million illegal immigrants from deportation, doesn’t go far enough. Although Clinton’s views on illegal immigration are outside the mainstream as far as most voters are concerned, the media predictably didn’t make much of them.

Few voters agree either with the Obama administration’s plan to increase the total number of worldwide refugees accepted into the United States to 100,000 by 2017 in response to the ongoing migrant crisis in Europe.

But the governments in Europe and the United States apparently don’t care what voters think when it comes to taking in thousands of Islamic refugees from the Middle East.

Increased media attention on the Syrian migrant crisis has raised new concerns about the global impact of that country’s ongoing civil war, but does that mean the United States should take a more active role in stemming the violence in Syria?

After hosting the pope, Obama welcomed the president of China to the White House. Should America finally get tough with China?

The two presidents reportedly will discuss some of the big differences between the United States and China. But most U.S. voters think America overlooks many abuses by the Chinese government because of that country’s economic power.

The president’s daily job approval rating continues to hover in the negative midteens.

In other surveys last week:

Just 25% now think the United States is headed in the right direction. That’s the lowest level of confidence since mid-December.

Most voters still don’t think the federal government should have the final say on gun ownership and don’t like a country in which only the government has access to guns. 

While states continue to crack down on tobacco, several are going in the opposite direction when it comes to marijuana, legalizing its sale and possession. What’s the difference between pot and tobacco? 

Volkswagen has confessed to equipping millions of diesel cars with software intended to fool emissions tests, but so far the German auto company is still more popular than General Motors and Chrysler, who took taxpayer-funded bailouts to stay in business.

