Recent Blog Posts


After Twenty Years of Cyber – Still Unchartered Territory Ahead

The general notion is that much of the core understanding of cyber is in place. I would like to challenge that perception. There are still vast territories of the cyber domain that need to be researched, structured and understood. I would like to use Winston Churchill’s words: “it is not the beginning of the end; it is maybe the end of the beginning.” In my opinion, the cyber journey is still in a very early stage. The cyber field has yet to mature, and the big building blocks for the future cyber environment are not yet in place. The Internet and networks that support it have increased dramatically over the last decade. Even if the growth of cyber might be stunning, the actual advances are not as impressive. In the last 20 years cyber defense and cyber as a research discipline has grown from almost nothing to a major global enterprise and the recipient of considerable resources. In the winter of 1996-1997, there were four references to cyber defense in the search engine of that day (AltaVista). Today, there are about 1.3 million references in Google. Cyber knowledge has not developed at the same rapid rate as the interest of, concern and resources for cyber. The cyber realm is still struggling with elemental challenges such as attribution. Traditional topics in political science and international relations such as deterrence, sovereignty, borders, the threshold for war and norms in cyberspace are still under and discussion. From a military standpoint, there is still a debate about what cyber deterrence would look like, what the actual terrain and maneuverability are like in cyberspace,...

WarTV: A Future Vision for a Common Operating Picture

and 1 MAY 2011 – ABBOTTABAD, PAKISTAN – Abbottabad, Pakistan is less than a two-hour drive from the capital city of Islamabad and 3.1 miles from the Pakistan Military Academy to the southwest. In relative terms, Abbottabad is a much less busy place than Karachi, Pakistan, and is very attractive to tourists and those seeking higher education for their children. Despite Abbottabad’s relative inactivity compared to the bustling Karachi, there were signs of digital life in 2011.     Figure 1 @ReallyVirtual, AKA Sohaib Athar, a resident of Abbottabad accidentally live tweets the Navy SEAL raid on the Bin Laden Compound.  All timestamps from the tweets are US Eastern Time.   Unwittingly, Sohaib Athar, or @ReallyVirtual live-tweeted the Navy SEAL raid on the compound that housed Osama bin Laden and his family 0.8 miles southwest of the Pakistan Military Academy from the hours of 3:58 pm Eastern Standard Time through 6:39 pm Eastern Standard Time on 1 May 2011.[i] This is just months after The Arab Spring protesters began utilizing social media, Facebook and Twitter in particular, to influence large swaths of populations into a movement of collective activism, operating outside of the purview of state-owned media platforms. At this point, the Internet had begun to grow at an accelerated rate with massive impacts traversing the virtual sphere into the physical world. At the time, most members of the military did not understand the implications social media had on the geopolitical stage. However, the military should understand social media as a magnifying glass into the human domain, and should integrate these computer-mediated technologies into operations. Fast forward to today, where...

The Increasing Necessity for a United States Cyber Service

Conducting cyber warfare is cheap and easy.[1] It affords anyone from individual hackers to nation-state actors the ability to wage destructive acts against the United States.[2] In 2009, the Secretary of Defense directed the Commander of U.S. Strategic Command to establish a sub-unified command, U.S. Cyber Command (USCYBERCOM), to prepare the Department of Defense (DoD) for the integration of offensive and defensive cyberspace operations.[3] Due to the constant rate of change in cyberspace, USCYBERCOM has experienced challenges integrating joint force cyber components. A quick examination of the US cyber force organizational chart demonstrates how complex the relationships are between service components and outside agencies. These organizational intricacies have led Admiral Michael Rogers, National Security Agency (NSA) Director and Commander of USCYBERCOM, to ask “is cyber so different, so specialized, so unique, so not well understood that it requires a very centralized, focused, unique construct to how we generate capacity and knowledge?”[4] While still heavily debated, many US government officials believe the existing organizational structure best meets current DoD requirements. However, there is an increasing necessity to transform the joint cyber construct into a stand-alone military service branch or similar entity that is separate from, yet integrated into the other military service branches. This necessity is based on cyberspace operations occurring in a separate operational domain, requiring a different organizational composition than traditional service branches, and hampered by the current joint cyber construct. The most compelling reason for creating a separate, standalone cyber service is its distinct “global domain within the information environment consisting of the interdependent network of information technology infrastructures and resident data, including the Internet, telecommunication networks,...

The False Promise of Hacking Democracy

“Probable impossibilities are to be preferred to improbable possibilities” It is immensely convenient to claim that a Federal election can be hacked; however, the reality of hacking such an election is far more difficult than one might realize. The level of complexity in the US electoral process is such that to hack the election would require a combined feat of technical and social engineering requiring tens of thousands of co-conspirators operating across hundreds of jurisdictional boundaries with divergent laws and practices. Having worked in democracy development for the better part of 10 years on elections in several dozen countries, the state of American electoral security is strong because of its immensely decentralized nature. In a case where the bewildering and often arcane complexity facilitates inefficiency, it is this inefficiency that coincidentally fosters systemic resilience. It is the organizational attributes of a national election run by state and local authorities that make the United States a poor target for any malicious actor attempting to directly affect the polling places where American’s cast their ballots. To understand why the United States is so resilient to malicious actors seeking to manipulate a national election requires understanding the nuances of federal, state and local roles in the execution of a national election. One of the best sources for understanding the complexities of the American voting process was produced by a 2014 Presidential Commission. The commission deconstructs its recommendations and thereby provides insight into the electoral procedures of states by examining issues about voter registration, access to polling locations, the management of polling places, and the technology of voting itself.[i] It should be noted...

There Is No “Cyber”

At the recent Joint Service Academy (JSA) Cyber Security Summit at West Point (20-21 April, 2016), the word “cyber” was used in multiple different facets. As a noun, cyberspace is the “Domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data…” [COL11]. This is perhaps the broadest definition possible, proposed as the Cyberspace Operations Lexicon by the Joint Chiefs of Staff. While the ambiguity with the meaning of the proper noun “Cyber” provides a difficult framework to focus meaningful actions, our use of the words “Cyber”, “Digital” and their like as adjectives serves only to create artificial divisions among researchers, practitioners, and decision-makers in the area. The term “Cyber Security” is of course ubiquitous, being the focus of the JSA Cyber Security Summit and one of the main foci of the Army Cyber Institute (ACI) at West Point; that is unavoidable. Cyber Security can be many things: at the JSA Summit it was identified as the agglomeration of practicing good hardware and software manufacturing and implementation, sourcing trusted components (again, from both a hardware and software side) and providing training and education for workers to avoid naively poking holes in those standards [CON16]. The term operational security (OPSEC) is used to describe our behaviors while conducting the mission. For those whose jobs have security considerations, OPSEC refers to not discussing their work in public places, even in an unclassified way. The phrase “Digital OPSEC” or even “Cyber OPSEC” is frequently used to discuss our behaviors on the internet, such as not connecting to public WiFi, using discretion with location services on our...

Enter the Policy and Legal Void

Soldiers are down range and have suites of tools available to them that they cannot use to their full capability. They are not technically limited, but rather constrained by the authorities and pre-requisite policies established in a pre-digital age. We tell them to go and defeat ISIS, Al al’Qaeda, or pick another future adversary, but they must do so with their hands tied behind their backs. Make no mistake, as a nation we are currently involved in a global conflict. The conflict is not defined by traditional weapons, but by bits and bytes traversing fiber lines and airwaves. This global information war collides with many of the values of Western Democracies, and the societal constraints of authoritarian regimes. The robust constraints on governmental instruments serve a valuable purpose, yet at the same time our Soldiers in the field are struggling to navigate complex legal and policy waters while corporations are drowning in data that might inform or provide context for a variety of mission sets. The volume and velocity of this data is only set to grow as globally the number of Internet enabled devices increases from approximately 17 billion to 50 billion and beyond. At the beginning of the digital age it is imperative that we, as a society, begin discussing the future we are rapidly entering. Constraints are pivotal for maintaining the fundamental civil rights Americans cherish.  Civil rights, to include various liberties such as privacy, free speech, and freedom of religion among others are challenged by data repositories that eliminate anonymity and the ability to be forgotten and to forget. Yet, we as a society are...

Critical Infrastructure Exercise 16.2 – A Transformative Cybersecurity Learning Experience

and With an increased national awareness that the critical infrastructure which keeps our country running is surprisingly vulnerable—not just to physical attacks, but also to cyberattacks that can be initiated from anywhere in the world—the State of Indiana executed CRIT-EX 16.2 on the 18th and 19th of May, 2016, at the Muscatatuck Urban Training Center. This cyberattack readiness exercise focused on improving Indiana’s overall security and responsiveness of its critical infrastructure to face advanced cyber disruption of essential water utility services – presenting an extreme public safety threat. Indiana, like the rest of the country, understands it has a short window of opportunity to prepare for a major cybersecurity event that, if successful, could be as devastating as a major earthquake or tornado. In order to effectively prepare for such a scenario, Indiana’s cybersecurity stakeholders realized they had to build high-functioning, collaborative networks that span the public and private sector. By working to collaborate on high-risk cyber issues, organizations throughout Indiana are elevating their response postures, and preparing to ratchet up their ability to confront the threats of tomorrow [1]. CRIT-EX 16.2 attendees tourthe FBI’s national Mobile Command Center (photo by Ernest Wong) “This exercise explored the intersection between critical infrastructure and cyber security,” explained Jennifer De Medeiros, Emergency Services Program Manager for the Indiana Department of Homeland Security [2]. The Indiana Department of Homeland Security (DHS) in conjunction with the Indiana National Guard, Indiana Office of Technology, Cyber Leadership Alliance, and over 16 other public and private partners developed this controlled functional cyberattack exercise allowing participants to deploy resources and communicate with response partners to mitigate adverse effects and...

The Number One Vulnerability in the Future of Cyber Security: A Critical Lesson for all Organizations

Since 1958, NASA has been the foremost symbol of American excellence in science and exploration, inspiring generations of engineers around the globe to achieve the impossible through advanced technology. With each of its defining events, NASA pushes humanity further into the future, bringing scientists more information about our universe than ever dreamt possible. But while NASA was reaching for the stars, other forces were secretly at work. In the dark recesses of the agency’s computers and network servers, intruders were lurking. After months of covert access, a hacktivist group called AnonSec obtained 276GB of sensitive data including flight logs, videos, and personal information from thousands of employees (Thalen 2016). This post examines how such an established institution of advanced technology could fall prey to cyber hacking, the glaring warning signs, and the one key lesson all organizations should learn from this historical event. The Back Story What sets the 2014 NASA data breach apart from other hacking events is the unprecedented insight provided by the hackers themselves. AnonSec, a hacktivist group claiming responsibility for compromising over 720 websites and networks, claimed the NASA breach. To support their claim they posted large quantities of supporting evidence. AnonSec also publically-posted paper called “Zine”, detailing on how they gained access to NASA’s networks and computer systems, the content they obtained, and why. Although their writings appear to focus on exposing drone and “chemtrail” technology, this was not their primary objective. When AnonSec initially hacked NASA they were looking for “interesting/profitable” data on the NASA networks (AnonSec 2015). But as they dug deeper into the systems, they discovered more than they were originally...

Indiana Exercising Plans to Combat Cyber Threats: Preparing for CRIT-EX 2016

, and On the 21st and 22nd of March, 2016, Indiana hosted its inaugural Defense Cyber Summit (DCS), which aimed to advance the state’s cyber readiness and preparations against a cyberwarfare attack. Spurred on by Admiral Michael Rogers, the Commander of the U.S. Cyber Command, who in 2014 called cybersecurity “the ultimate team sport,” Indiana has purposefully adopted a culture of collaboration between government organizations, private firms, non-profits, and academia to improve the state’s response and resiliency to a significant cyber incident. This team approach will counter cyberattacks intent on degrading Indiana’s economic capacity and threating the critical services of its citizens [1]. Under the umbrella of the Applied Research Institute (ARI), organizations such as Purdue University, Indiana University, Crane Naval Surface Warfare Center, the Cyber Leadership Alliance, the Indiana National Guard, and the Indiana Department of Homeland Security have partnered together to address and propose solutions to Indiana’s cyber security challenges. This effort is boosted by the Indianapolis-based Lilly Endowment support of nearly $16.3 million that is funded through a grant from the Central Indiana Corporate Partnership Foundation. The ARI is working to foster collaboration, research, and problem solving on cyber threats to Indiana’s critical infrastructure [2]. Purdue University Professor Joe Pekny welcomes attendees to the Inaugural Defense Cyber Summit (photo by Tony Chase)   The DCS concept was conceived during visits to US service academies by an Indiana delegation. Representatives from Purdue’s Burton D. Morgan Center for Entrepreneurship, the Purdue Research Foundation, and the Cyber Leadership Alliance, had originally concentrated on partnering Purdue University with the service academies in order to provide the most cutting-edge knowledge and technology to...

Big Data is Dead, Long Live Big Data

The Gartner Hype Cycle, which assigns emerging technologies into 5 regions: Innovation Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment and Plateau of Productivity. In 2014, Big Data was at the edge of the Peak of Inflated Expectations, where the hype has already generated an enormous amount of goodwill through amazing success stories, and on a descent towards the Trough of Disillusionment, where the rate of new successes relative to the Peak creates a depressed sense of its novelty. Big Data fell off the chart in 2015. So is Big Data dead? Not so says Gartner analyst Nick Heudecker, whose blog post is entitled “Big Data Isn’t Obsolete. It’s Normal’’ [0b]. An in-depth look of how Big Data fell off Gartner’s list is available for purchase (or via a Gartner account) [0c], but for those whose pocketbooks or (organizations’ pocketbooks) don’t allow, multiple avenues have indicated that the Internet of Things have emerged to take over Big Data’s hype [1-3]. I would posit a slightly different interpretation: as Big Data has normalized, considering Big Data as its own topic has been eschewed in exchange for considering its various theories (data mining, machine learning, natural language processing, etc.) and resulting technologies (Internet of Things, autonomous vehicles, etc.) as their own entities. And, in my opinion, rightly so. Big Data may be off the hype cycle, but it maintains healthy funding: The Defense Advanced Research Projects Agency (DARPA) has increased their spending on programs with a Big Data component from $200M in FY14 to $242M in FY15 to $243M in FY16, with 4 programs receiving more than $20M...