Thursday, March 19, 2015

OPINION: How The Shooting In Sweden Teaches Us Trust Is A Must In Security

Last night, there was a shooting which occurred in one of Sweden's suburbs involving AK-47s and innocent people being shot with two or more being brutally murdered. Within the initial moments of the rest of the Western world being notified of this tragedy, a great many people on social media immediately began to speculate about whether this was the work of Islamist terrorists, despite the police saying otherwise. The police spokesman, Ulla Brehm, is quoted as saying, "The shooting happened in an area of the city with a history of gang-related violence." The media has also attributed the spokesman as saying it was "too early to speculate on the motive but said there were indications that the shooting was gang-related....There is absolutely nothing that indicates terrorism."

As many of you know, I have experience in criminal investigations. While I won't touch on how I'd investigate this, what I would like to do is share some insight into these preliminary and often-wrong "guesstimates" and how they damage our credibility as security professionals.
  1. These "guesstimates" are usually wrong. VERY wrong and miss a lot of key facts in the weird calculus that creates them. A few people I spoke with, last night, said the attacks were the work of Islamist terrorists. What's strange about that is the police NEVER EVER provided the public with ANY suspect descriptions and NO known terrorist group nor the "operators" claimed ANY responsibility, yet many people seem to be very certain this is the work of jihadists. I surmise this is the result of a spate of terrorist attacks involving guns in Western countries and our natural inclination to see correlation and make connections that may not be there.

    Another key fact missing is the lack of burning vehicles described in independent or eyewitness accounts, despite several on social media claiming this was the case. Many even used this mythology to explain their hypothesis that this was the work of Islamists. Perhaps, you missed that; so I'll repeat it: THERE WAS NEVER A SINGLE CORROBORATED ACCOUNT OF BURNING VEHICLES BUT MANY AMERICANS REPORTED THERE WERE AND THIS POINTED TO ISLAMISTS. In fact, those burning cars happened weeks ago. I know that sounds like terrible analytical practice, at worst. That's because it is, at best.
  2. Contrary to what many believe, there's always more than meets the eye. I'm a serious fan of Transformers. If you didn't get the reference, there's not much I can do for you. Just kidding. No. Seriously, nothing. I digress.

    Many on social media either simply ignored potentially exculpatory evidence or were so eager for this to be the work of terrorists they missed a key component: growing and escalating gang violence in Sweden and throughout Western Europe. That's right, folks. Sweden has gangs and many are armed to the teeth. In fact, not too long ago, Swedish media reported a gang fired "machine guns" at a police station. There's a fallacy that "gun crime" akin to what we see in America only happens in America and that only certain "guns" are the weapons of known terrorist or guerrilla groups. However, a cursory examination of Swedish media shows the AK-47 is VERY prevalent in certain violent crimes.

    The British newspaper, The Guardian, reported, "There have been dozens of shootings involving criminal gangs in Gothenburg, many of them in the Biskopsgaarden area - a housing estate with a large immigrant population and high unemployment - in recent years, however fatalities are relatively rare.

    A man was shot dead in an apartment in the area in May last year and two others died in suspected gang-related shootings in late 2013.

    In January a man was shot in the leg close to the scene of Wednesday’s shooting."

    The video below shows such a "typical" crime with an AK-47 occurring in Sweden.

    There are some who will point out that many of these gangs are "Muslim youth gangs". What's striking is this ignores the existence of any corroborative and objective evidence which makes the case these gangs are "Islamic". Many are comprised of members who are young immigrants from predominately Muslim countries. However, until one of these gangs expresses some sort of jihadist ideology, they're just criminal gangs. Sweden has a burgeoning and rapidly expanding organized crime network not always on the radar of its Western neighbors. Many of these non-Muslim gangs have had quite a history of death and mayhem in their wake. Check out what the Hells Angels have been up to there:

    Here's a list of other gangs:
    1. Albanian mafia
    2. Bandidos Motorcycle Club
    3. Black Cobra (gang)
    4. Brödraskapet
    5. Fucked For Life
    6. Hammerskins
    7. Hells Angels
    8. Naserligan
    9. Original Gangsters (gang)
    10. Outlaws Motorcycle Club
    11. Sala gang
    12. Serb mafia in Scandinavia
  3. Bad theories based on bad or missing facts diminish our credibility and the public's trust in our field. Many Americans don't "get" security and they rely on a variety of "trusted" sources to assist them in making decisions regarding security. Some of these sources are objective and reliable. Many are not. Social media is fraught with both kinds. Unfortunately, many, as we've discussed before, are biased and too eager to share faulty theories. How many times can we afford to make predictions and analysis that is blatantly wrong or follows bad analytical practices before our entire industry is treated in the same dangerous fashion as TV meteorologists who give dire storm warnings but are ignored? Like every storm, I find more and more people making security-related decisions based on the idea that anyone can "do" security.
I expressed no theories here regarding potential motives or suspects because I don't have all of the facts. This could be the work of Islamist terrorists. Sweden has had two terrorist plots foiled recently. Sweden is also currently at odds with Saudi Arabia and the UAE. They've also "outed" a number of Russian spies and have seen an increase in Russian "aggression" and posturing. That being said, at the end of the day, this was a murder that took place at 4 o'clock in the morning in Sweden. The cops have the advantage of having a look at evidence long before the public does. Perhaps, as academics and practitioners, we should keep our hypotheses regarding motive and suspects to ourselves, until we learn more. In an era of rapid-fire tweeting and hashtag punditry rife with inaccuracies, our industry and the public could use our silence and restraint at times like these.

Wednesday, March 18, 2015

OPINION: What Mrs. Clinton's Email Problems Can Teach Us About Security

Informal pose of Clinton, 2011
"Msc2011 dett-clinton 0298" by Harald Dettenborn. Licensed under CC BY 3.0 de via Wikimedia Commons.

Over the last two weeks, we’ve been inundated with emails and presidential candidates. I won’t spend a lot of time talking about Mrs. Clinton and what her emails may or may not contain. I could spend an entire series of blog posts on that topic. However, there are some very interesting insights this story gives us into how we perceive what security is, where we feel most secure, and whether any of that makes us more secure.

So let’s begin our discussion. NOTE: I’m no hacker or IT-guru. I’m a guy who blogs and who has a ton of opinions on this stuff. However, I’m also someone who has worked with senior-level persons and I understand how some of these components work. By no means are my opinions facts but merely points to consider.
  1. Security is about convenience over protection. Remember when I said “security is about peace of mind”? Mrs. Clinton decided it would be more “convenient” to send her emails (personal and professional) through a single server which she owned. Why? She reasoned, because her government-issued Blackberry could not hold more than one email account, it would be better to have a single account. Many users, especially government users, bypass existing security protocols and do and have done exactly this (except many don’t have servers at home). Does this make it right? No. The government has policies in place that state this is bad security practice and a violation of certain public records laws. Yet, ask any security professional how many times they’ve witnessed an end-user potentially compromise protective measures through circumvention out of convenience and you’ll note immediately how much their eyes roll.
  2. Just because a senior-level government official is discussing something doesn’t make it “classified information”. There’s been a massive amount of speculation on the kind of information any investigation would turn up on Mrs. Clinton’s servers. Like I said, I won’t attempt to go into that. However, let’s address why we perceive there would be classified information and whether that’s likely. Sure, being Secretary of State entails having access to some of our nation’s greatest secrets. The job requires it. Some of that information is considered “classified” and others not-so-much. When pieced together with other information or on its own, that material could be extremely sensitive. The very nature of the potential discussions Mrs. Clinton could have had over emails has created a great amount of concern – as it should.

    Senior leaders are given amenities like secure telephone and other communication lines in their homes and offices to facilitate these kinds of sensitive discussions with “cleared” persons. In fact, during ASIS 2014, I had the great honor and privilege to hear Colin Powell speak about his time as Secretary of State. General(r) Powell recalled his final days in Mrs. Clinton’s old job and the day the Diplomatic Security Service agents assigned to him and the information technology staff left his residence while removing his secure lines from his home on his last remaining day. It should be noted Mrs. Clinton should have had the same amenities extended. As such, I’d be curious if the Internet service her server accessed did so via government-installed communication lines or privately-owned and installed lines. I digress. Given the nature of what could have been discussed, it should give security practitioners who advise senior leaders on protective measures pause.
  3. Government computers and services are NOT intrinsically more secure. These last two weeks, the deluge of speculation, regarding the security of Mrs. Clinton’s email traffic being more secure had it been through government servers, has been extreme. Seriously, have we forgotten about a number of breaches on government email and sites in the past few years? We’ve caught hackers breaking into NASA, NSA, the State Department, and the Pentagon computers. Where most of this confusion comes from is not quite understanding what having your emails on a government server entails versus what a private (or as widely-and-annoyingly termed this week “homebrew”) server does. People hear “government server” and they immediately conjure up an image of a secure server with loads of encryption which would require a team of seasoned hackers to compromise. In fact, while watching a cartoon the other day with my son, a character brags “I hacked NORAD when I was six”. Hacking into these systems should be a big deal because they are. However, they are not invincible to the same kinds of human security failures and poor security mindset when they’re designed and implemented as their commercial partners.

    Your government email service can easily be hacked in the same way your private email can. Lose your credentials to log into a government computer without noticing and use a password or PIN that is easily guessed. Sadly, that happens more times than many outside of government service would ever be willing to admit. A government server does bring one thing a private server does not always – the full extent of your government agency’s information technology team, most of whom are the best and brightest at what they do and who defeat a variety of threats constantly. In other words, when a breach occurs, this team can respond immediately and use the weight of the government to mitigate the breach. Mrs. Clinton knew this, yet felt she and her staff could do better. Given what little we know of what could have been breached or whether a breach even occurred, this could have been true. That being said, it doesn’t make any of her decisions right.
  4. The extent of how much protection to provide sensitive information disclosure is not up to the user but those who have the designated expertise within the organization. Mrs. Clinton, while acting as Secretary of State, had every right to make her own determinations regarding how her agency would protect sensitive information to some extent. That did not provide her with any right to decide, without consultation or coordination with her information security staff at the State Department, to forego policies she enforced on her subordinates. It is highly doubtful Mrs. Clinton would have absolved a junior-level employee who would have been caught in a sensitive information breach from their personal email account. No, we all know she would have directed her staff to punish them. However, the implied arrogance to believe you can enforce one security policy meant to mitigate vulnerabilities and lessen risk while ignoring your own failure in abiding by those very decrees, is striking, to be honest.
  5. Politics obscures our ability to ascertain the more important security issues in crises like these. Mrs. Clinton’s enemies are clamoring to be the first one to hand her an indictment or hold her letter detailing her retirement from politics. While that is unlikely, it seems to be a centerpiece in most political discussions regarding the emails. Most of this is centered around the potential for classified information being on the servers. Again, this is unlikely, given we still have zero clue about what’s on the server.

    What have not been discussed are the very relevant questions pertaining to total protection and mitigation. No one has addressed to any significant degree whether Mrs. Clinton is the only Cabinet member to have done this (she isn’t) and whether she received advice from her designated State Department IT staff (I’m betting she didn’t and relied on her political staff’s IT department who are not government employees). I’d also be curious whether the Secret Service devotes any time to protecting their protectees online as well (doubtful and perhaps an area to pursue). How many people had access to her server? At what level were they cleared? This is important because in order to read unclassified emails which contain “For Official Use Only” you need to be a “cleared” employee. Very few people are asking these questions but should.

Does any of this make us safer now that we know? In some ways? Yes. In others? No. Mrs. Clinton’s email crisis occurred for a variety of reasons. Many of those were aggravated because she is a political entity at her core. She may have felt as though, having a server she owned, she was more “secure” from some threats of the political variety. While it is always good to protect yourself from threats, one should not forget the more likely and persistent threats which are present because of the job you hold. She lost sight of that and ultimately forwent some very sound security practices. Then again, she may well have had a number of mitigation measures in place. Unfortunately, we may never know what they were and thus remain a bit unsure of our protection.

Thursday, March 12, 2015

Murphy Is In Full-Effect

There's an old adage - "If it can go wrong, it will go wrong." This week, I've had my basement flood, work pile up to my eyebrows, midterms, and WordPress (previous blogging platform) caused a fatal and unrecoverable error for my blog. Luckily, I maintain a copy for posterity and mostly, because I always figured this could happen. For the delay and confusion this has caused my very loyal readers, I'm extremely sorry. The Security Dialogue is back, though. While I get everything back to the quality you richly deserve and provide the content I know you enjoy, I'll be posting some new articles and possibly more from the podcast, The GateShack. As I tell my son, "Sit back, relax, and enjoy the ride."
