National Park Service on the verge of blocking most White House protests: comments due by MONDAY! / Boing Boing

Monday is the end of the comment period for a sweeping National Park Service proposal that will have a dramatic effect on the ability of Americans to protest in sight of their government.

Under the proposed new rules, protests around the White House and the National Mall would require permits, and protesters would be barred from the sidewalk north of the White House. The proposal also seeks public comment on charging protesters fees for permits to gather.

You can and should comment.
— Read on boingboing.net/2018/10/13/trumplethinskin-3.html

I submitted my comment. It took about 5 minutes.

We should all vote, and we should provide candid feedback to government about things like this proposed rule change.

I don’t know or care about your politics. If your party or politicians you agree with are in power, just remember that someday they won’t be. Anyone trying to take your freedoms away should be a red flag to all.

Global Cybersecurity Norms

www.cyberscoop.com/cyber-norms-united-nations-gge-state-department/

Fresh off the release of its national cybersecurity strategy, the Trump administration gauged interest at the United Nations in restarting talks on global cybersecurity norms. The negotiations, which collapsed last year amid reported acrimony among the U.S., Russia and others, aim to set limits on government-backed hacking at a time when offensive operations are abundant.

At a meeting Friday with representatives of more than 20 countries, Deputy Secretary of State John J. Sullivan raised the prospect of restarting the norms dialogue at the U.N. Group of Government Experts (GGE), according to a State Department statement. Sullivan told reporters the department hopes to reconvene the GGE “to define norms of behavior that states will abide by and, if they don’t, to impose consequences.”

Worth a read. I remain skeptical governments, especially the U.S., can achieve anything meaningful.

The 2018 DOD Cyber Strategy: Understanding ‘Defense Forward’ in Light of the NDAA and PPD-20 Changes

The 2018 DOD Cyber Strategy: Understanding ‘Defense Forward’ in Light of the NDAA and PPD-20 Changes:

DOD’s 2018 Cyber Strategy document is drawing attention because of its reference to “defense forward.” What does that mean? Let’s have a close look, in context with the recently-enacted NDAA and recent changes to PPD-20.

(Via Lawfare – Hard National Security Choices)

Dive into the article for a breakdown of the 6 page official summary (the actual document has not been released) and what defending “forward” probably means.

Privacy Shield on Shaky Ground: What’s Up with EU-U.S. Data Privacy Regulations

Privacy Shield on Shaky Ground: What’s Up with EU-U.S. Data Privacy Regulations:

There’s a lot going on in the privacy and data protection world. But one of the most pressing issues is the uncertain fate of Privacy Shield, the framework governing the flow of data between the EU and the U.S. for commercial purposes.

The Trump Administration has been given an ultimatum: comply with Privacy Shield, or risk a complete suspension of the EU-U.S. data sharing agreement. In a letter dated July 26, EU commissioner for justice Věra Jourová wagered to U.S. commerce secretary Wilbur Ross that suspension of the EU-U.S. Privacy Shield system would incentivize the U.S. to comply fully with the terms of the agreement. But Jourová’s urging that Ross “be smart and act” in appointing senior personnel to oversee the data sharing deal is hardly new. The July letter closely echoes a European Parliament (EP) resolution passed just three weeks earlier, and the European Commission (EC) voiced similar sentiments in its review of the Privacy Shield Framework last September. Further adding to the chorus of voices raising concerns about Privacy Shield compliance are tech and business groups, which jointly called for the nomination of a Privacy Shield ombudsperson in an Aug. 20 letter.

In addition to admonishing the EC’s failure to hold the U.S. accountable thus far, the EP resolution calls for a suspension of Privacy Shield if the U.S. has not fully complied by Sept. 1—though no such suspension has yet been announced. It also expresses serious concerns regarding the U.S.’s recent adoption of the Clarifying Lawful Overseas Use of Data (Cloud) Act and the legislation’s potential conflict with EU data protection laws. With the General Data Protection Regulation (GDPR)—the EU’s new regulatory regime for the protection of individual data—having come into effect on May 25, 2018, the EP considers the EC in contravention of GDPR Article 45(5). This article requires the EC to repeal, amend, or suspend an adequacy decision to the extent necessary once a third country no longer ensures an adequate level of data protection— until the U.S. authorities comply with its terms.

So what led to this ultimatum, and what’s next on the global data protection stage?    

(Via Lawfare – Hard National Security Choices)

The article gives a level set on Privacy Shield and then dives into specific areas. I highly recommend giving this a good read.

Don’t Fear the TSA Cutting Airport Security. Be Glad That They’re Talking about It.

Don’t Fear the TSA Cutting Airport Security. Be Glad That They’re Talking about It.:

Last week, CNN reported that the Transportation Security Administration is considering eliminating security at U.S. airports that fly only smaller planes — 60 seats or fewer. Passengers connecting to larger planes would clear security at their destinations.

To be clear, the TSA has put forth no concrete proposal. The internal agency working group’s report obtained by CNN contains no recommendations. It’s nothing more than 20 people examining the potential security risks of the policy change. It’s not even new: The TSA considered this back in 2011, and the agency reviews its security policies every year. But commentary around the news has been strongly negative. Regardless of the idea’s merit, it will almost certainly not happen. That’s the result of politics, not security: Sen. Charles E. Schumer (D-N.Y.), one of numerous outraged lawmakers, has already penned a letter to the agency saying that “TSA documents proposing to scrap critical passenger security screenings, without so much as a metal detector in place in some airports, would effectively clear the runway for potential terrorist attacks.” He continued, “It simply boggles the mind to even think that the TSA has plans like this on paper in the first place.”

We don’t know enough to conclude whether this is a good idea, but it shouldn’t be dismissed out of hand. We need to evaluate airport security based on concrete costs and benefits, and not continue to implement security theater based on fear. And we should applaud the agency’s willingness to explore changes in the screening process.

There is already a tiered system for airport security, varying for both airports and passengers. Many people are enrolled in TSA PreCheck, allowing them to go through checkpoints faster and with less screening. Smaller airports don’t have modern screening equipment like full-body scanners or CT baggage screeners, making it impossible for them to detect some plastic explosives. Any would-be terrorist is already able to pick and choose his flight conditions to suit his plot.

Over the years, I have written many essays critical of the TSA and airport security, in general. Most of it is security theater — measures that make us feel safer without improving security. For example, the liquids ban makes no sense as implemented, because there’s no penalty for repeatedly trying to evade the scanners. The full-body scanners are terrible at detecting the explosive material PETN if it is well concealed — which is their whole point.

There are two basic kinds of terrorists. The amateurs will be deterred or detected by even basic security measures. The professionals will figure out how to evade even the most stringent measures. I’ve repeatedly said that the two things that have made flying safer since 9/11 are reinforcing the cockpit doors and persuading passengers that they need to fight back. Everything beyond that isn’t worth it.

It’s always possible to increase security by adding more onerous — and expensive — procedures. If that were the only concern, we would all be strip-searched and prohibited from traveling with luggage. Realistically, we need to analyze whether the increased security of any measure is worth the cost, in money, time and convenience. We spend $8 billion a year on the TSA, and we’d like to get the most security possible for that money.

This is exactly what that TSA working group was doing. CNN reported that the group specifically evaluated the costs and benefits of eliminating security at minor airports, saving $115 million a year with a “small (nonzero) undesirable increase in risk related to additional adversary opportunity.” That money could be used to bolster security at larger airports or to reduce threats totally removed from airports.

We need more of this kind of thinking, not less. In 2017, political scientists Mark Stewart and John Mueller published a detailed evaluation of airport security measures based on the cost to implement and the benefit in terms of lives saved. They concluded that most of what our government does either isn’t effective at preventing terrorism or is simply too expensive to justify the security it does provide. Others might disagree with their conclusions, but their analysis provides enough detailed information to have a meaningful argument.

The more we politicize security, the worse we are. People are generally terrible judges of risk. We fear threats in the news out of proportion with the actual dangers. We overestimate rare and spectacular risks, and underestimate commonplace ones. We fear specific “movie-plot threats” that we can bring to mind. That’s why we fear flying over driving, even though the latter kills about 35,000 people each year — about a 9/11’s worth of deaths each month. And it’s why the idea of the TSA eliminating security at minor airports fills us with fear. We can imagine the plot unfolding, only without Bruce Willis saving the day.

Very little today is immune to politics, including the TSA. It drove most of the agency’s decisions in the early years after the 9/11 terrorist attacks. That the TSA is willing to consider politically unpopular ideas is a credit to the organization. Let’s let them perform their analyses in peace.

This essay originally appeared in the Washington Post.

(Via Schneier on Security – emphasis above is mine)

Bruce knows at least as much about this as anyone outside of TSA, and one can argue more than most inside. I always appreciate his analysis.

DHS vulnerability scanning program offline after Virginia office loses power

DHS vulnerability scanning program offline after Virginia office loses power:

Two cybersecurity programs the Department of Homeland Security offers both states and the private sector have been temporarily knocked offline due to a power outage, while other services have been shifted to backup locations, multiple sources tell CyberScoop.

The National Cybersecurity and Communications Integration Center (NCCIC), the 24/7 hub for monitoring cyberthreats across the government and critical infrastructure, has shifted operations to a backup location in Florida. The move was made after the Arlington, Virginia, building that houses NCCIC lost power last week due to heavy rains.

Additionally, two other programs under NCCIC’s National Cybersecurity Assessments and Technical Services (NCATS) — Cyber Hygiene vulnerability scans and Phishing Campaign Assessment — have been offline since July 26.

The Cyber Hygiene program remotely detects known vulnerabilities on internet-facing services. The Phishing Campaign Assessment program is part of a remote penetration testing service. Both programs are used by hundreds of customers across the country. Thirty-four states have received vulnerability scans through the Cyber Hygiene program, according to a DHS presentation given at the National Association of State Election Directors summer conference.

DHS Assistant Secretary for Cybersecurity and Communications Jeanette Manfra told CyberScoop that the disruption to Cyber Hygiene is temporary, and that election systems will be the first to resume service once the program comes back online. Officials expect scans to resume Aug. 6.

The building housing NCCIC suffered heavy damage when portions of the façade ruptured due to the volume of rain that fell in the Washington, D.C., region. The roof of a restaurant on the building’s ground level failed during business hours on July 26.

… A number of DHS offices are in that building.

CyberScoop has learned that due to the water damage, the building completely lost power, which prevented server rooms used by DHS from staying cool. Once the room reached a certain temperature, a sprinkler system was activated. Those sprinklers damaged servers supporting the Cyber Hygiene and Phishing Campaign Assessment programs.

On Sunday, the NCATS office sent an email to its customers informing them that Cyber Hygiene and Phishing Campaign Assessment were offline and that contingency plans have been put in place.

“In order to minimize the operational impact, we immediately implemented our contingency plans and transferred functions to other sites, including NPPD’s facility in Pensacola, Fla.,” the email, obtained by CyberScoop, reads. “We are working to restore these services as quickly as possible. We will let you know when the service and reports will resume.”

NPPD is the National Protection and Programs Directorate, which oversees NCCIC.

The power outage has had a “minimal impact” on DHS’s cybersecurity operations, Krebs said. The incident has not, for example, affected the department’s ability to respond to cyber incidents or issue warnings to the private sector.

DHS has been at the center of the federal government’s efforts to fortify U.S. voting infrastructure following the 2016 presidential election, when Russian hackers probed systems in 21 states. Last week it was revealed that the same outfit of Russian hackers that meddled in the 2016 election appears to have targeted Sen. Claire McCaskill‘s office.

(Via Cyberscoop)

With the DHS looking to create a central Risk Management program, seeing stories like this does not instill confidence that the U.S. Government, and the DHS in particular, is up to the challenge.

This slays me:

Chris Krebs, the undersecretary of NPPD, told CyberScoop that the department is “taking this opportunity to get some efficiencies into the system, but also to build resilience and redundancy.”

Those are the words uttered after every such event.

By the way, for those not in the know, there is a well-known process called Disaster Recovery and Business Continuity Planning (DR/BCP) that has been around for decades to plan for just this sort of event.

Maybe the National Risk Management Center Will Combat Critical Infrastructure Hacks

The National Risk Management Center Will Combat Critical Infrastructure Hacks:

At a cybersecurity summit Tuesday, Homeland Security secretary Kirstjen Nielsen announced the creation of the National Risk Management Center, which will focus on evaluating threats and defending US critical infrastructure against hacking. The center will focus on the energy, finance, and telecommunications sectors to start, and DHS will conduct a number of 90-day “sprints” throughout 2018 in an attempt to rapidly build out the center’s processes and capabilities.

“We are reorganizing ourselves for a new fight,” Nielsen said on Tuesday, who described the new center as a “focal point” for cybersecurity within the federal government. Nielsen also noted that DHS is working with members of Congress on organizational changes that can be mandated by law to improve DHS’s effectiveness and reach.

(Via Security Latest)

Based on the recent news from the Boston Globe about TSA wasting resources on zero-value “security”, I am skeptical of how useful this will be in the U.S. Government’s security efforts. I seem to recall something similar was in the works over a decade ago.

However, Secretary Nielsen seems to have said the right things in her talk:

  • Risk-based approach
  • Threat evaluation versus threat chasing
  • Focused on specific critical industries
  • Taking an agile development approach to building out capabilities
  • Working with Congress
  • Being the focal point for government

There are unanswered questions. We will get more answers as the process moves along.

I sincerely hope this isn’t another Security Theater opportunity to waste time and taxpayer resources.

Secret Quiet Skies surveillance program tracks citizens not suspected of wrongdoing

Secret Quiet Skies surveillance program tracks citizens not suspected of wrongdoing:

Federal air marshals (FAMs) told the Globe that the program is a waste of taxpayer dollars and actually makes the U.S. less safe as they are not working on “legitimate, potential threats.” Many are not even sure if it is legal, but the TSA told the Globe it is part of its “mission to ensure the safety and security of passengers, crewmembers, and aircraft throughout the aviation sector. As its assessment capabilities continue to enhance, FAMS leverages multiple internal and external intelligence sources in its deployment strategy.”

But John Casaretti, president of the Air Marshal Association, said, “Currently the Quiet Skies program does not meet the criteria we find acceptable.” He added, “The American public would be better served if these [air marshals] were instead assigned to airport screening and check in areas so that active shooter events can be swiftly ended, and violations of federal crimes can be properly and consistently addressed.”

(Via CSO Online)

I almost understand the false sense of security current airport practices provide the average Jane and John Doe.

But super secret security theater busywork?

Homeland Security photography alert is ‘a seed of fear’

Homeland Security photography alert is ‘a seed of fear’:

“I’d be real curious to see the research telling us that terrorists are prone to stand on public sidewalks conspicuously filming their intended targets ‘in a prolonged manner,’” LoMonte says. “This just seems like an invitation for people who don’t like journalists to sic the cops on them.”

(Via Columbia Journalism Review)

DHS is a monumentally flawed organization. Read the whole article for some idea of how DHS focuses on Security Theater & propaganda instead of, oh I don’t know, doing their jobs.

The Space Force Should Improve the Cybersecurity of Space Assets

The Space Force Should Improve the Cybersecurity of Space Assets:

President Trump offered his support last month for the creation of a Space Force within the U.S. military. In a paper released last week, my Harvard colleague Greg Falco argues that one of the first missions for this new force should be to improve the cybersecurity of space assets. This proposal is worthy of deep consideration as the cybersecurity of space assets remains a top, if underexamined, priority for national security, and the opportunity to shape the roles and missions of a new Space Force will soon pass. 

Falco does not hype the threat, but his assessment of the risks are sobering: The consequences of disrupting or degrading connectivity are striking when one considers how much of U.S. critical infrastructure relies on connectivity in or through space. His recommendations take a similarly balanced approach and offer interested policymakers a few potential steps to get started, such as modifying pertinent sections of the Code of Federal Regulations. 

One area that could benefit from future research is how to deconflict roles and missions between a Space Force (or the military in general), the Department of Homeland Security, NASA and other parts of the federal government. This specific issue is a bit beyond the scope of Falco’s paper, but it reflects a challenge that still seems to bedevil federal cybersecurity policy: Who exactly is in charge of what?  Space assets and affiliated organizations span the military, civilian government and multiple private-sector spheres. Perhaps more than any other sector of the U.S. economy and society, improving the cybersecurity of space assets really will require a whole-of-nation approach. 

(Via Lawfare – Hard National Security Choices)

It’s a stupid name. However, I generally agree that this should be job #1. The risks are simply too great to delay action in understanding, mitigating, and remediating (where possible).
