Wednesday, August 20, 2008

Scientists design shield to prevent deadly pacemaker hijack

A 'cloaking' device that stops computer hackers maliciously hijacking pacemakers' radio signals could save lives, say scientists.

Doctors are increasingly using wireless pacemakers to monitor the regulation of patients' heartbeats, and can even adjust the settings remotely.

But earlier this year a team of US scientists using a radio signal were able to simulate interference with the devices and claimed that, in theory, hijackers could shut them down or deliver potentially lethal electric shocks to millions of heart patients.

Now Dr Tamara Denning, a computer scientist at the University of Washington in Seattle, has devised a cloaking device that is designed to resist any instructions that come from anyone other than the doctor. ....

Russia warns of response to US missile shield

MOSCOW (AP) - Russia says its response to the further development of a U.S. missile shield in Poland will go beyond diplomacy.

Russia's Foreign Ministry issued a statement saying the U.S. missile shield plans are clearly aimed at weakening Russia.

The U.S. says the missile defense system is aimed at protecting the U.S. and Europe from future attacks from states like Iran. ....

The Real World Order

By George Friedman

On Sept. 11, 1990, U.S. President George H. W. Bush addressed Congress. He spoke in the wake of the end of Communism in Eastern Europe, the weakening of the Soviet Union, and the invasion of Kuwait by Saddam Hussein. He argued that a New World Order was emerging: “A hundred generations have searched for this elusive path to peace, while a thousand wars raged across the span of human endeavor, and today that new world is struggling to be born. A world quite different from the one we’ve known. A world where the rule of law supplants the rule of the jungle. A world in which nations recognize the shared responsibility for freedom and justice. A world where the strong respect the rights of the weak.”

After every major, systemic war, there is the hope that this will be the war to end all wars. The idea driving it is simple. Wars are usually won by grand coalitions. The idea is that the coalition that won the war by working together will continue to work together to make the peace. Indeed, the idea is that the defeated will join the coalition and work with them to ensure the peace. This was the dream behind the Congress of Vienna, the League of Nations, the United Nations and, after the Cold War, NATO. The idea was that there would be no major issues that couldn’t be handled by the victors, now joined with the defeated. That was the idea that drove George H. W. Bush as the Cold War was coming to its end. ....

.... We would expect the Russians to get traction. But if they don’t, the Russians are aware that they are, in the long run, much weaker than the Americans, and that they will retain their regional position of strength only while the United States is off balance in Iraq. If the lesson isn’t absorbed, the Russians are capable of more direct action, and they will not let this chance slip away. This is their chance to redefine their sphere of influence. They will not get another.

The other country that is watching and thinking is Iran. Iran had accepted the idea that it had lost the chance to dominate Iraq. It had also accepted the idea that it would have to bargain away its nuclear capability or lose it. The Iranians are now wondering if this is still true and are undoubtedly pinging the Russians about the situation. Meanwhile, the Russians are waiting for the Americans to calm down and get serious. If the Americans plan to take meaningful action against them, they will respond in Iran. But the Americans have no meaningful actions they can take; they need to get out of Iraq and they need help against Iran. The quid pro quo here is obvious. The United States acquiesces to Russian actions (which it can’t do anything about), while the Russians cooperate with the United States against Iran getting nuclear weapons (something Russia does not want to see).

One of the interesting concepts of the New World Order was that all serious countries would want to participate in it and that the only threat would come from rogue states and nonstate actors such as North Korea and al Qaeda. Serious analysts argued that conflict between nation-states would not be important in the 21st century. There will certainly be rogue states and nonstate actors, but the 21st century will be no different than any other century. On Aug. 8, the Russians invited us all to the Real World Order.


Hizballah training assassination squads in Iran

Training to kill Iraqi officials. "Hezbollah Training Hit Squads In Iran: U.S.," from NewsMax, August 18 (thanks to Mackie):

WASHINGTON — Iraqi Shiite assassination teams are being trained in at least four locations in Iran by Tehran's elite Quds force and Lebanese Hezbollah and are planning to return to Iraq in the next few months to kill specific Iraqi officials as well as U.S. and Iraqi troops, according to intelligence gleaned from captured militia fighters and other sources in Iraq.

A senior U.S. military intelligence officer in Baghdad described the information Thursday in an interview with The Associated Press. He spoke on condition of anonymity to discuss sensitive intelligence.

The officer on Wednesday provided Iraq's national security adviser with several lists of the assassination teams' expected targets. ....

Obama's Backbone Deficit

LAST week raised important questions about whether Barack Obama is strong enough to be president. On the domestic political front, he showed incredible weakness in dealing with the Clintons, while on foreign and defense questions, he betrayed a lack of strength and resolve in standing up to Russia's invasion of Georgia.

This two-dimensional portrait of weakness underscores fears that Obama might, indeed, be a latter-day Jimmy Carter. ....

Democratic Platform's Hidden Soros Slush Fund

(Compiler's note: Now this is a description of internal terror to this nation!! rca)


The Democratic Party platform is like a bag of pork rinds. You never know what high-fat liberal government morsel you're gonna get.

Buried in the 94-page document is a noble-sounding proposal to create a "Social Investment Fund Network." The program would provide federal money to "social entrepreneurs and leading nonprofit organizations [that] are assisting schools, lifting families out of poverty, filling health care gaps, and inspiring others to lead change in their own communities." The Democratic Party promises to "support these results-oriented innovators" by creating an office to "coordinate government and nonprofit efforts" and then showering "a series of grants" on the chosen groups "to replicate these programs nationwide."

In practice, this Barack Obama brainchild would serve as a permanent, taxpayer-backed pipeline to Democratic partisan outfits masquerading as public-interest do-gooders. This George Soros Slush Fund would be political payback in spades. Obama owes much of his Chicago political success to financial support from radical, left-wing billionaire and leading "social entrepreneur" Soros. In June 2004, Soros threw a big fundraiser at his New York home for Obama's Illinois Senate campaign. Soros and family personally chipped in $60,000. In April 2007, Obama was back in New York for a deep-pocketed Manhattan fundraising soiree, with Soros lurking in his shadow.

No doubt with Soros' approbation (if not advice from the hands-on "progressive" activist or his advisers), Obama fleshed out his Social Investment Fund Network plan last December. In concert with his mandatory volunteerism pitch and $6 billion anti-poverty plan, Obama called for the creation of a "Social Entrepreneurship Agency" to dispense the funds in unspecified amounts. The agency would be a government-supported nonprofit corporation "similar to the Corporation for Public Broadcasting," which runs public television. (And we've all seen how fair and balanced that lib-dominated, Bill Moyers-boosting private-public enterprise turned out.)

Obama cites the Harlem Children's Zone, which provides after-school activities and mentors to children in New York, as an example of a program that should be funded. (HCZ's former senior leader Shawn Dove is now an official at Soros' Open Society Institute.) The problem with such initiatives, as Mitchell Moss pointed out in the Manhattan Institute's City Journal several years ago, is that these private-public partnerships formed under the guise of economic renewal often become nothing more than fronts that coordinate "an enormous safety net for social services." Private donations give the illusion of self-help and philanthropic independence, but in reality, the "clients" are never weaned from the teat of the welfare state. They simply learn how to milk it more efficiently.

Even more troubling is how the Democratic Party/Obama plan would siphon untold millions or billions of public tax dollars into the Soros empire without taxpayer recourse. Obama promises "accountability" measures to ensure the money is spent wisely. But who would assess effectiveness of the spending? Why, experts in the social entrepreneurship community, of course. Fox, meet henhouse.

Soros has donated some $5 billion of his fortune to left-wing nonprofit groups through the Open Society Institute -- an institution committed to Soros' militant ideology of toppling the "fascist" tyranny of the United States, which he says must undergo "de-Nazification" in favor of "justice." The mob at Obama-endorsing MoveOn, purveyors of the "General Betray Us" smear against Commanding General, MNF-I, David Petraeus, is the most notorious Soros-backed political arm. But scores of other activist nonprofits have received Soros funding under the guise of doing nonpartisan "community" or "social justice" work -- and it is exactly such leftist activist groups that would be first in line for the Democratic Party/Obama's "social investment" seed money.

Point in case: ACORN. As I've reported before, Obama's old friends at the Chicago-based nonprofit now take in 40 percent of their revenues from American taxpayers. They raked in tens of millions in federal antipoverty grants while some of their operatives presided over massive voter fraud and others were implicated in corporate shakedowns and mortgage scams across the country. Soros has donated at least $150,000 to the group, according to Investor's Business Daily, and "heads a secretive rich-man's club called 'Democracy Alliance' that has doled out $20 million to activist groups like ACORN."

Once the spigot is turned on, there's no turning back.

Where are fiscal conservatives on this far-left boondoggle? Well, if you're wondering why the McCain campaign doesn't raise hell over this proposed left-wing nonprofit/government pipeline, it's because McCain himself is a Soros beneficiary. His "Reform Institute," a tax-exempt, supposedly independent 501(c)(3) group focused on campaign finance reform, was funded by the Soros-funded Open Society Institute and Tides Foundation.

Birds of a Big Government feather flock together -- and look out for each other. Watch your wallet.

Some Democrats urge delay in building a U.S. missile system in Eastern Europe

WASHINGTON: As the Bush administration speeds ahead with plans to construct a missile defense system in Eastern Europe, some Democrats in Congress want to put on the brakes, saying it has not been adequately tested.

Secretary of State Condoleezza Rice was scheduled to be in Warsaw on Wednesday to sign an agreement on the missiles with Poland, which agreed to the basing of 10 interceptors last week, after the Russian attacks on Georgia. Justified as a defense against a missile attack on Europe by a rogue nation like Iran, the installation has provoked outrage from Russia. ....

DHS: Remarks by Homeland Security Secretary Michael Chertoff at University of Southern California National Center for Risk and Economic Analysis of...

.... today's speech, which really focuses on the issue of protection, deals with one particular, I would argue, special challenge that we face on the eve of the 21st Century and it's a challenge that lies at the core of a great deal of what we do in protecting homeland security. It also lies at the core of a great deal of what we do protecting our financial security, our personal security, and our reputational security, and what I'm referring to is how we manage and protect our personal identities because I'm going to submit to you that in the 21st Century, the most important asset that we have to protect as individuals and as part of our nation is the control of our identity, who we are, how we identify ourselves, whether other people are permitted to masquerade and pretend to be us, and thereby damage our livelihood, damage our assets, damage our reputation, damage our standing in our community. ....

There is a difference between being liberal and being blind

As we are all tucked into our beds for a sound night’s sleep, there are security professionals working diligently around the clock for our protection.

If we, the American public, knew about all the threats, disrupted terror plots, and near misses that have been uncovered since 9-11, we probably wouldn’t sleep at all, so say those who work in the anti-terrorism and emergency preparedness fields. ....

2006 ISNA Convention: wife-beating breakout session (10 days until ISNA convention in Columbus)

With less than two weeks before the Islamic Society of North America lands in Central Ohio for their 2008 national convention, we continue our look at past ISNA conventions to see what brand of Islam they will be bringing to our city.

At their 2006 convention, ISNA hosted a curious breakout session: “And Beat them Lightly. . .” An Analysis and In-Depth Discussion of Verse 4:34.

For the uninitiated, here’s verse 4:34 in the Quran:

Men have authority over women because God has made the one superior to the other, and because they spend their wealth to maintain them. Good women are obedient. They guard their unseen parts because God has guarded them. As for those from whom you fear disobedience, admonish them and send them to beds apart and beat them. Then if they obey you, take no further action against them. Surely God is high, supreme.

You’ll notice immediately that there’s nothing here about beating women “lightly”. One of the speakers in this ISNA breakout session was none other than Muzzamil Siddiqui, former president of ISNA and current ISNA Board of Directors member. ....

Fitzgerald: Mosques behaving badly

"'There are the bloodstains on the wall, and here it is dried on the floor,' says Abu Muhanad as he walks through a torture chamber in a Baghdad mosque where more than two dozen bodies have been found." -- from this news article

A Master-List of Mosques Behaving Badly should be compiled. It should include, from U.S. military records, all the shoot-outs in Iraq (and Afghanistan) with people who fired on American soldiers from mosques, or who ran to mosques in order to avoid capture and used them as places from which to attack Americans (until the Americans stopped, as they eventually did, from holding back).

It should also include all of the mosques in Western Europe that have been found to contain false papers (sometimes in false ceilings, as in the mosque in Milan on Viale Jenner), including forged passports. And don’t forget the mosques that have been discovered to contain AK-47s, explosives, and videocassettes of beheadings of Infidels, and audiocassettes to whip up the Believers to even greater deeds of derring-do against the Infidels. Yes, all that stuff has been found in mosques, that weaponry, those forgeries and counterfeits, those hysterical whippings-up of hatred for Infidels -- see what Saudi-supplied "literature" has been found in American mosques. By now the security services of the Western world are so used to all of that that they practically yawn at what they find, but that the rest of us have to piece it together from a story here and a story there. ....

Murtha-inspired Haditha charges called 'feckless'

By WorldNetDaily


Reinstating or restarting charges against a Marine officer over the military firefight in Haditha, Iraq, in which two dozen Iraqis died could do serious damage to the public's confidence in the military system of justice, according to lawyers for the officer.

"Unlawful command influence is 'the mortal enemy of military justice.' It is the acid that erodes an accused's right to receive a fair trial and the public's confidence in the fairness of the system," says a legal brief filed by lawyers working on behalf of Lt. Col. Jeffrey Chessani.

"Remarkably, throughout the court-martial proceedings in the case, the government utterly failed to apprehend the seriousness of a charge of unlawful command influence. This colossal failure is evidenced by the half-hearted ... way in which it treated the matter ... and the feckless arguments it has presented ... in an attempt to reverse the well-supported and well-reasoned ruling of the military judge," the law firm said.

Chessani had faced charges that he failed to investigate properly the Nov. 19, 2005, incident in which 24 Iraqi men, women and children were killed after U.S. Marines were attacked by insurgents.

The charges – four Marines were charged with murder and another four with not properly investigating the attack – came about after the case was publicized in the media, where it was compared by war critics to the infamous My Lai massacre in Vietnam.

Defense lawyers contend insurgents deliberately attacked the Marines from hiding places where they surrounded themselves with civilians to use as shields. The defense insisted Chessani promptly reported the events to his superiors and that nobody in the chain of command believed there was any wrongdoing on the part of the Marines.

A Time magazine story alleging a massacre by the Marines, according to defense lawyers, was planted by an insurgent propaganda agent. Publishing of the story was soon followed by a May 17, 2006, news conference by Rep. Jack Murtha, D-Pa. The congressman announced he had been told by the highest levels of the Marine Corps there was no firefight and Marines "killed innocent civilians in cold blood."

"All the information I get, it comes from the commanders, it comes from people who know what they're talking about," Murtha told reporters at the time.

But the military judge assigned to the case, Col. Steve Folsom, dismissed the counts June 17 without prejudice, citing defense documentation of unlawful command influence – or the idea that a military judge may be influenced by what a commanding officer may have determined. Under those circumstances, prosecutors then must prove that the influence did not exist.

"The nature of the military makes its system of justice extremely vulnerable to improper influences and pressures; influences and pressures that are systemic in a military command environment," said the appeal brief filed by the Thomas More Law Center, which is defending Chessani.

"This is an important case not only for Lt. Col. Chessani, but for military commanders whose battlefield decisions should not be second-guessed by lawyers and for the military justice system as a whole. Indeed, the Haditha cases have caused a noticeable erosion of public confidence in our military system of justice," said Richard Thompson, president of the Law Center. "Affirming the military judge's ruling will go a long way to restoring the public perception of fairness in the military courts."

The appeal is being heard by a three-judge panel of the Navy and Marine Corps Court of Criminal Appeals in Washington. The Law Center has requested oral arguments in the case, but that ruling hasn't yet been issued.

Chessani has been under investigation and prosecution since March 2006 for his role as the battalion commander of 3rd Battalion, 1st Marines during the battle of Haditha. Of the seven other cases filed after the military investigation, cases against Lance Cpls. Stephen Tatum and Justin Sharratt, Capts. Randy Stone and Lucas McConnell and Sgt. Sanick P. Dela Cruz have been dropped. First Lt. Andrew Grayson has been acquitted, leaving only the case of Staff Sgt. Frank Wuterich untested in court and the appeal of Chessani's case.

The appeal brief said prosecutors are treating the issue of unlawful command influence as "a simple pushover."

"Indeed, Gen. James T. Mattis, USMC, the former consolidated disposition authority/convening authority responsible for referring the present charges to a general court-martial, testified under oath in this case that he was not concerned with appearances," the law firm said.

However, "It is a very serious matter, one going to the very heart and core of the military justice system."

The appearance of such influence was raised by the fact that Col. John Ewers, who was assigned to develop the prosecution in the case against the Haditha Marines, also was ordered to attend meetings at which members of the military judiciary decided how to handle the cases – multiple times.

"It is without serious contradiction that Col. Ewers' presence at these meetings was for the purpose of providing legal advice," the appeal brief said. "It should be noted that these meetings did not include defense lawyers for any of the accused; Appellee's defense counsel were never invited to any of these meetings, which inevitably took on a prosecutorial atmosphere."

Even Ewers expressed concern about the appearance of influence, at one point during his testimony saying, "I just didn't think it was a particularly good idea for me to get involved on giving advice on these cases. ... Just because from the appearance, in a nutshell."

Folsom's ruling said the government failed to prove that there was no inappropriate influence, resulting in the dismissal of charges.

Jihadis shift attention to war in Afghanistan

In the wake of setbacks suffered by Al Qaeda in Iraq, Afghanistan is becoming the preferred destination for Muslims, particularly from Arab nations, seeking to wage jihad against the West.

"You can predict that Afghanistan is reemerging as a battlefield," says Nicole Stracke, a security and terrorism researcher at the Dubai-based Gulf Research Center. ....

U.S. at risk of cyberattacks, experts say

The next large-scale military or terrorist attack on the United States, if and when it happens, may not involve airplanes or bombs or even intruders breaching American borders.

Instead, such an assault may be carried out in cyberspace by shadowy hackers half a world away. And Internet security experts believe that it could be just as devastating to the U.S.'s economy and infrastructure as a deadly bombing.

Experts say last week's attack on the former Soviet republic of Georgia, in which a Russian military offensive was preceded by an Internet assault that overwhelmed Georgian government Web sites, signals a new kind of cyberwar, one for which the United States is not fully prepared.

"Nobody's come up with a way to prevent this from happening, even here in the U.S.," said Tom Burling, acting chief executive of Tulip Systems, an Atlanta, Georgia, Web-hosting firm that volunteered its Internet servers to protect the nation of Georgia's Web sites from malicious traffic. "The U.S. is probably more Internet-dependent than any place in the world. So to that extent, we're more vulnerable than any place in the world to this kind of attack," Burling added. "So much of what we're doing [in the United States] is out there on the Internet, and all of that can be taken down at once."....

Energy told to tighten cybersecurity policies

The Energy Department's inspector general on Thursday released an audit of the department's certification and accreditation procedures for national security information systems that revealed a number of potentially serious weaknesses.

Auditors concluded that the problems were similar to those that led to the theft of classified information at Los Alamos National Laboratory in 2006. "In our judgment, the findings in the report suggest the department could be at risk for similar diversions," they wrote.

Specifically, auditors found that the department had not fully developed and implemented adequate cybersecurity policies, and federal and contractor officials did not always use effective mechanisms to monitor the performance of security controls.

Auditors reviewed 65 systems at six major sites, the locations of which were omitted from the public version of the report for security reasons. The systems were managed by various components of Energy, including the National Nuclear Security Administration, the Office of Environmental Management and the Office of Science. Many of the systems reviewed were not appropriately certified and accredited for operation.

Inspectors found that information security officers for 31 of the 56 systems reviewed at five of the sites were granted system administrator access in violation of department policies. Such an arrangement is an inadequate separation of duties that essentially allows employees to supervise and approve their own work, which is why the practice is prohibited. What's more, the practice could be far more widespread, since officials at two sites told auditors similar situations existed for many of their systems that weren't selected for review.

Auditors also found that classified and unclassified systems were operating in the same environment at some locations, which raised the possibility that classified data could be transferred to unclassified computer systems. Additionally, employees at one site were allowed to manually change computer-generated passwords without oversight. User-created passwords are more vulnerable than computer-generated ones, which is why they are not permitted on national security systems.

Besides system risks, auditors found weaknesses in security and contingency planning. One of the most significant problems was that several sites did not have accurate inventories of hardware associated with and permitted for use with various systems.

"As a demonstration of the harm that can be caused by unapproved devices, we specifically identified an unapproved network device during our previous review at the Los Alamos National Laboratory that may have contributed to a significant theft of classified information," auditors noted.

The IG report recommended that Energy update its policies to reflect current security requirements. It also said the administrator of the National Nuclear Security Administration, undersecretary of Energy and undersecretary for science should immediately implement controls to protect classified information systems.

Energy officials concurred. Auditors modified other recommendations after program officials provided more technical data.

"Without improvements, the department lacks assurance that its classified data and systems are secure from both internal and external threats," the auditors wrote.

Complex risks call for well-managed IT solutions

By Robert Charette

Information technology can help agencies meet their most important mission - protecting the public.

Nearly 200 years ago, Thomas Jefferson said, "The care of human life and happiness and not their destruction is the first and only legitimate object of good government."

According to Jefferson's theory, government's first duty is to manage the public's risk, giving everyone the opportunity to pursue individual happiness — the second duty of good government.

Government manages people's risk in three fundamental ways: first, as a regulator when individuals or businesses impose risks on others; second, as a risk manager, when individuals or businesses cannot manage risk themselves; third, as a provider of services to the public, which often entails risks that the government itself needs to manage effectively.

Consider the Securities and Exchange Commission. Its duty is to protect investors; maintain fair, orderly and efficient markets; and facilitate capital formation. Without SEC's regulatory authority, how comfortable would people feel about investing?

Or take the Food and Drug Administration, whose duty is to protect and promote public health. Since May, FDA has tried to track down a salmonella outbreak that has sickened more than 1,100 people. No private organization could easily take on that role.

The risks agencies manage today are more varied and complex than Jefferson ever imagined. FDA, for instance, is responsible for monitoring potential dangers involving food, drugs, medical devices, cosmetics and radiation-emitting products, to name a few.

Consider food safety. Risks have changed as the food supply has expanded globally and the amount of imported food FDA regulates has more than tripled in the past decade, straining its ability to conduct adequate inspections. In addition, more foods are genetically engineered, increasing from just one in 1994 to more than 50 today. FDA must ensure they all are safe to eat.

With risks becoming more complex, the use of information technology is essential for managing the public's safety. For instance, to improve health care and reduce costs, the Bush administration set a goal to provide interoperable electronic health records for most Americans by 2014.

While technology can help agencies manage risk, the IT solutions themselves frequently are not managed well. The FBI's first attempt to develop a virtual case file system is one example. The bureau canceled the project in 2005 after repeated budget overruns, missed deadlines and performance issues. The snafu with developing handheld computers to support the Census Bureau's 2010 count is another example. The agency canceled its plan to use the devices when it became clear that it wouldn't be able to properly test them by census time and development costs began to increase.

When the agency announced in April that it would not use handheld computers in the next decennial count, top officials blamed poor communication between the government and its contractor, Harris Corp. But that explanation is merely a euphemism for enterprise risk mismanagement.

With so many IT project blunders, it's not surprising that federal agencies have been slow to embrace enterprise risk management. More businesses, however, are using ERM, a holistic approach to managing the full spectrum of risks. They are integrating strategic, operational, financial and insurance risk management practices to better understand the risks that confront them. That way, risks become transparent to everyone in the organization, and a coordinated and cost-effective approach to managing them is possible.

ERM also helps with managing the strategic and financial risks associated with major IT programs, which many agencies typically don't take into account. At Census, a strategic decision was made to use handheld computers for door-to-door census takers to capture and transmit data for the 2010 count. This was a reasonable decision. But the risks it created — operational, financial, contingency and, especially, how those factors interacted with one another — were not accounted for.

A robust ERM approach would have increased the chances that the bureau's handheld project would have been successful. Given all the types of risks the project faced, however, it is doubtful that even a robust IT risk management plan would have been sufficient to ensure success.

Adopting ERM at a federal agency is much harder than in business. While the fundamental business of government is the management of risk, its basic practice revolves around politics, which is about power and control. Also, identifying risk in government is viewed as a negative. Who wants to be on the Government Accountability Office's high-risk list? So, making myriad risks transparent isn't a priority for most agencies.

Still, launching ERM in government is possible. The best way is to take a middle-out approach that concentrates on managing operational risks - those posed by people, processes and technology. Chief information officers, in cooperation with chief financial officers, are well-placed to begin the process because IT touches on not only operational, but financial and strategic risks, too.

CIOs can help identify the different types of risk IT creates and mitigates. With help from CFOs, they can begin to create the underlying processes necessary to manage risk not only within IT, but throughout the agency.

Agencies will find it progressively more difficult to create the complex solutions necessary to protect the public without an agencywide approach to managing risk. Without one, Jefferson's goal of good government — the public's happiness — will be at risk as well.

Requirement to scan all inbound sea cargo sparks security concerns

By Gautham Nagesh

The legislative mandate to scan 100 percent of oceangoing cargo bound for the United States without additional resources could actually reduce security, according to a report released by the Government Accountability Office on Monday.

The 2007 9/11 Act requires the Homeland Security Department's Customs and Border Protection directorate to scan 100 percent of U.S.-bound cargo by 2012, with possible exceptions for specific seaports. According to the report, the requirement could redirect the current focus on high-risk containers.

"Officials from the European Commission and CBP stated that unless additional resources are made available, 100 percent scanning could not be met … it is unclear who will pay for additional resources -- including increased staff, equipment and infrastructure — needed to implement the statutory requirement to scan 100 percent of U.S.-bound container cargo at foreign seaports," the report said.

The 2006 Security and Accountability for Every Port Act required CBP to test the feasibility of scanning 100 percent of U.S.-bound containers. The 9/11 Act then made it a requirement, much like it directed CBP to scan all cargo on passenger planes. More than 11 million containers arrived at U.S. seaports in fiscal 2007, an average of 30,000 per day.

Under the current risk-management system, CBP officers posted at foreign seaports focus on containers at high risk of containing weapons, explosives or other items that could compromise national security. This approach is called targeting.

The method relies on an automated targeting system that assigns a risk score to all cargo shipments before they depart for the United States, based on their shipping information. The system allows agents to identify containers potentially connected to terrorists or other criminals. CBP scans the cargo using nonintrusive inspection equipment, including large-scale imaging machines that use X-rays or gamma rays to create images of the contents. Officers also search the containers before they depart for the United States.

"According to CBP and [World Customs Organization] officials, if the scanned images of all containers must be reviewed, the reviews may not be as thorough because customs officers could lose focus due to the sheer volume of work. If images are not properly or thoroughly analyzed, a degradation of security could result," said the report.

A European customs official added that 100 percent scanning also could hinder the flow of international commerce, with the requirement disproportionately affecting trade with developing countries.

In addition to embedding U.S. officials at foreign seaports, CBP is working with international customs organizations to establish common security standards to identify high-risk containers globally. That includes expanding a customs-to-business program that expedites processing for companies that comply with predetermined security measures all along the supply chain. So far, 154 countries have pledged to adopt international customs security standards.

How secure are your systems?

By Allan Holmes

Ever since Congress passed the 2002 Federal Information Security Management Act to improve the security of federal networks, security analysts and federal information technology managers have complained that the law has failed to make government systems more secure. The reason, they say, is that it is largely a reporting exercise in which agencies must follow certain processes such as certifying and accrediting systems. What it doesn't do is require agencies to measure how secure their systems actually are by taking actions such as conducting penetration tests to identify holes in networks that allow hackers in -- and then fixing them quickly.

For those reasons, security analysts say the report cards agencies receive on their compliance with FISMA are meaningless. In fact, Congress and others have charged that FISMA simply hasn't worked.

To begin a dialogue on potentially better ways to measure how secure an agency's systems are, Nextgov and the SANS Institute, a nonprofit cybersecurity research organization in Bethesda, Md., have teamed up on a Web-based tool. It's designed to provide federal officials a means to compare how secure FISMA says their systems are to what professional security analysts would say. As Alan Paller, director of research at SANS, points out, an agency can get an A on FISMA compliance, but receive an F from security analysts on how secure its systems are.

To find out how your FISMA grade stacks up with a grade that a SANS security consultant would give you, we invite you to take the FISMA vs. Security Perspective Test. The first part of the test grades your compliance with certain FISMA requirements. The second measures how well you follow what security analysts say are some of the best practices to secure systems. You'll receive a grade for each test and at the end you can compare the two.

After taking the test, let us know your opinions about and insights from the test by going to The Forum to discuss your results and those of others. Just follow the link at the end of the test, or go to The Forum by clicking here.

Commission finds U.S. vulnerable to electromagnetic pulse attack

In the early 1960s, engineers in nuclear weapons testing programs in the United States and the Soviet Union noticed an unexpected phenomenon when warheads were exploded high above the Earth's surface. The electromagnetic fields produced by the detonations often resulted in damage to electrical systems on the ground. One test 400 kilometers above Johnston Island in the South Pacific destroyed a commercial telecommunications system in the Hawaiian Islands 1,400 kilometers away.

Now, a new report by the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack warns that the threat of a nuclear attack aimed at crippling the nation's technological backbone could be greater today than it was during the Cold War. Such an attack also would be easier to orchestrate, and potentially more devastating, than a direct hit to a major metropolitan area.

"The electromagnetic pulse generated by a high-altitude nuclear explosion is one of a small number of threats that can hold our society at risk of catastrophic consequences," the commission found.

To thoroughly understand the threat, the commission sponsored analytic tests to examine the specific vulnerabilities of critical infrastructure, including: electric power systems; telecommunications; banking and finance; petroleum and natural gas pipelines; transportation systems; food and water infrastructure; emergency services; space systems; government operations; and communications for keeping the citizenry informed. As a result, the 208-page report details the daunting complexity of modern life.

"The separation of these infrastructures into different domains tends to obscure the real interdependencies that sustain the effectiveness and daily operation of each one," the report found. To illustrate the point, the commission noted that the accidental severing of a single fiber-optic cable in New York City in 1991 resulted in a power failure that blocked 60 percent of phone calls into and out of the city, disabled air traffic control functions in the Washington-Boston flight corridor (the busiest in the nation) and crippled the operations of the New York Mercantile Exchange.

"The increasingly pervasive use of electronics of all forms represents the greatest source of vulnerability to attack by EMP. Electronics are used to control, communicate, compute, store, manage and implement nearly every aspect of U.S. civilian systems," the commission reported.

"Should significant parts of the electric power infrastructure be lost for any substantial period of time, the commission believes that the consequences are likely to be catastrophic, and many people may ultimately die for lack of the basic elements necessary to sustain life in dense urban and suburban communities," the report noted. Such is possible, the commission said, because some critical electrical system components are no longer manufactured in the United States, and acquiring them in routine circumstances can take a year.

In July, the House Armed Services Committee received a preview of the report's findings in testimony by William R. Graham, chairman of the commission. "Our vulnerability is increasing daily as our use of and dependence on electronics continues to grow in both our civil and military sectors," Graham said.

"What is significant about an EMP attack is that one or a few high-altitude nuclear detonations can produce EMP effects that can potentially disrupt or damage electronic systems over much of the United States, virtually simultaneously, at a time determined by an adversary." Failure to address the vulnerability could both invite and reward an attack.

Graham noted that an adversary wouldn't have to have long-range ballistic missile capability to deliver an EMP attack. Such an attack could be launched from a freighter off the coast of the United States, using a short- or medium-range missile loaded with a nuclear warhead.

"Iran, the world's leading sponsor of international terrorism, has practiced launching a mobile ballistic missile from a vessel in the Caspian Sea," Graham said. "Iranian military writings explicitly discuss an EMP attack that would gravely harm the United States. While the commission does not know the intention of Iran in conducting these activities, we are disturbed by the capability that emerges when we connect the dots."

The commission found that large-scale, long-term consequences of an EMP attack could be reduced below the level of catastrophe through a coordinated effort by the government and private sector. In November, the commission will report on the progress of protecting the nation from an EMP attack.