Thursday, July 3, 2014

NIMBY and the cloud - can a breach of DARPA's free range virus compound affect you?

I know that many of the students and educators who read this blog are on summer vacation, but this post has some required reading. Because I am merciful, I will provide my own version of copyrighted brief "Notes" that are usually found in yellow booklets with a name that rhymes with Riffs.

Required reading number one is NIMBY in Boston - the town and gown debate preventing, or causing, bioterrorism. I wrote this on Tuesday, April 22, and it describes concerns held by some members of the Boston City Council. You see, educational institutions within the city of Boston were conducting research on "Biosafety Level 4 Agents" - a fancy name for things that cause diseases for which there is no treatment. The City Council members were worried that terrorists could grab the agents and wreak havoc in Boston.

Required reading number two is YIMBY in South Carolina - maybe they can get Boston's health facility also, from Friday, April 25. The South is different from the North, and in this case South Carolina was complaining that the Feds were trying to get out of an agreement to process weapons-grade plutonium in South Carolina. You see, the state WANTS to have dangerous plutonium within its area, because of the jobs and all that.

The third and final piece of required reading is NIMBY in Cambridge (and New Haven) - the gown itself debates novel potential pandemic pathogens (and Godwin's Law). This one's more recent - I wrote it on Tuesday, May 27. We are again in Massachusetts, only this time it's the universities themselves (or at least people associated with the universities) that are sounding the alarm on working with dangerous stuff. Specifically, they allege that the H1N1 virus epidemic in 2009 resulted from some stuff that got out of a laboratory.

Continuing on the overly academic theme, it's time for a quiz on the required reading. This is a one-question quiz, and it will count for 100% of your grade in Empoprise-BI 2014 Summer School. You did the required reading, didn't you? OK, get ready to take the quiz.



1. Which of the following is true of all three situations discussed in the readings?
a. All three involve the state of Massachusetts.
b. All three involve a Belgian-Brazilian company that promotes U.S. patriotism.
c. All three involve medical threats that could impact a particular geographic location, or multiple geographic locations.

OK, turn in your quizzes. You'll receive your grade later.

As almost everyone in the United States knows by now, "viruses" are not confined to the physical world. There are virtual viruses and other online threats that can affect the electronic systems upon which we depend. Although these online threats won't cause fevers or make your hair fall out, they can do significant damage to personal systems, business systems, and military systems. Because of this potential for damage, the Defense Advanced Research Projects Agency, in cooperation with Lockheed Martin, has started work on a project.

Late last month, DARPA -- the Defense Advanced Research Projects Agency -- announced an intriguing award given to the nation's biggest defense contractor, Lockheed Martin (NYSE: LMT). For $14.2 million, Lockheed Martin will construct and operate the U.S. Army's National Cyber Range, a virtual world where viruses of all shapes and sizes can roam free.

The National Cyber Range - which, in true government-speak, has its own acronym (NCR) - allows us a place to examine threats from the Chinese government, script kiddies, and others who do Bad Things. But we don't need to worry about this.

Designed as a "secure, self-contained facility where complex defense and commercial networks can be rapidly emulated for cost-effective and timely validation of cyber technologies"....

Whew. The facility will be SECURE and SELF-CONTAINED, and there is NO WAY that any of these viruses can escape the free range and get out into the wild.

Um, I'm sure that alarmists won't be comforted by these reassurances. Forget the recent breaches against commercial systems; as early as 2011, a Reuters special report warned that all sorts of targets were being probed - and breached.

In recent months hackers have broken into the SecurID tokens used by millions of people, targeting data from defense contractors Lockheed Martin, L3 and almost certainly others; launched a sophisticated strike on the International Monetary Fund; and breached digital barriers to grab account information from Sony, Google, Citigroup and a long list of others.

The latest high-profile victims were the public websites of the CIA and the U.S. Senate - whose committees are drafting legislation to improve coordination of cyber defenses.

Terabytes of data are flying out the door, and billions of dollars are lost in remediation costs and reputational harm, government and private security experts said in interviews. The head of the U.S. military's Cyber Command, General Keith Alexander, has estimated that Pentagon computer systems are probed by would-be assailants 250,000 times each hour.

And, of course, mention of Keith Alexander's name reminds everyone of the 2013 breach of files from the National Security Agency itself. (On a related topic, where did Edward Snowden go during his initial weeks in Hong Kong, before he checked into the Mira Hotel on June 1?)

No system is totally secure. All we need is one disaffected military person, or one person who carelessly opens a Wi-Fi port, and the "free range" virus playground may become much more free than originally desired.

So who would object to this? The civil liberties folks and the progressives are too busy worrying about the military-industrial complex to care about loose viruses. The parties involved in NCR itself obviously don't want to publicly disclose security risks, since that would endanger funding. And everyone else is worrying about 2 1/2 year old Facebook psychological experiments and doesn't really care about the potential risks of an NCR breach.

Why not? Because it's not in our backyards. It's not at a university or a nuclear facility down the street from us. It's somewhere "out there," in the cloud.

And since we can't see it, it's not a problem.

POSTSCRIPT: As many of you would note, there's no need to be alarmist about the whole thing. Certainly DARPA and the companies involved are looking at potential security risks, and are designing mitigations that can reduce those risks. And it's obvious that these specifics wouldn't be publicly discussed by the parties involved.

But why is the public discussion on this limited, or non-existent?