05.08.2011
computer security, cyber crime, cyber security, cyber warfare
War has been defined as “a state of organized, armed and often prolonged conflict carried on between states, nations, or other parties typified by extreme aggression, societal disruption, and usually high mortality.[Wikipedia]” Cyber Warfare has been defined as “politically motivated hacking to conduct sabotage and espionage. [DOD]”
While some of what we’ve recently can be construed as Cyber Warfare (including the recent hacktivism), the bulk of what’s really going (largely beneath the surface) is a) efforts by organized criminal elements using new technologies and capabilities to do what they have always done—steal money, or b) continued acts by nation states to steal military secrets (espionage) or corporate secrets (economic espionage).
While the latter (b) get the big press, I am worried that that the former (a) is actually the bigger problem of the two. I was personally hit by identity theft a few years ago when a group got access to my credit card details from a retailer I had done business with. This group proceeded to charge 250 rubles (about $9US) twice a month to one of my credit cards. While not a significant amount of money for me, I would guess that they had thousands of victims like me, and together, the monthly booty would add up quite quickly. Two hypotheses…
- More of this type of cyber-crime is occurring today than the stuff showing up on the front page of any newspaper; and
- What we mean when we say “Cyber Warfare” is really just the 21st century version of crime; criminals using cyber means.
I’m also afraid that our law enforcement forces (internationally) are nowhere near being prepared to dealing with crime using cyber technologies—two points from a National Criminal Justice Association (NCJA) Forum I recently attended:
- One of the sessions I participated in was entitled “Why Does the Crime Rate Continue to Decline?” The speaker (a well-respected professor) informed us that crime in America is actually down to the levels it was in 1964—this represents a significant drop. I asked the question “Did crime really drop or have criminals begun to use technology to steal rather than a pistol?” His response was “criminals aren’t smart enough to use computers.” I found this very hard to believe. Criminals have always adapted to stay a step ahead of law enforcement, and I fear that they now have a significant upper-hand, especially if law enforcement feels the way the speaker did and they fail to re-tool their ranks to detect, deter, and dismantle the new cyber-oriented criminal threats.
- Another session I attended was entitled “A Clear and Present Threat: A Look at Cybercrime.” In this session, one of the speakers spoke of the growing problem of crime in virtual worlds—people with avatars in virtual worlds are stealing other peoples virtual property and assets, and real lawsuits are being tried in real courts by real people. If you don’t believe me, read this article – Virtual add-ons draw real-world lawsuits – that I found in researching this further. I would submit that today’s criminals are more tech/cyber-savvy and have realized that there are safer (cyber) ways to steal money and property without having to physically point a gun at someone’s face.
Now ask yourself, how many law enforcement officers are prepare to investigate this type of crime, let alone basic identity theft, software piracy, child pornography, and cyber-extortion? And what about their readiness to preserve digital evidence in computers, laptops, routers, firewalls, servers, and handheld devices?
Today these skill sets are confined to special divisions within a police department, segregated from the bulk of the force. I would like to offer that just like the weapon, handcuffs, and radio on their utility belt,it’s time to equip many more, if not all law enforcement officers with the training and tools to understand, detect, and investigate cyber-crime…we’ll never get fully ahead of the problem, but maybe we can catch-up a bit.
your comments and thoughts welcome…r/Chuck
13.07.2009
data sharing, fusion center, Information sharing, intelligence center, Law enforcement information sharing, Uncategorized
I don’t usually plug any specific software, but I felt compelled to tell you about something I have been working with Microsoft on for about the last eight months–it’s called the Fusion Core Solution (FCS). What’s different about this project is that FCS isn’t just another application, it is an effort by Microsoft to help fusion centers do more with the many applications they currently own or have plans to invest in. First a bit of background.
Whether you like the idea of a fusion center or not, they are here to stay. At last count, there were about 70 of them, and DHS recently spoke of helping to get even more going. At their core, I believe a fusion center is responsible for doing three basic things:
- Accepting and vetting reports of unusual behavior (criminal or terrorism related);
- Providing intelligence support to major case and tactical law enforcement operations; and
- Proactively supporting federal, state, and local homeland security and community safety objectives.
To do this well, the majority of fusion centers in operation today are required to rely on an assortment of manual processes, a patchwork of incompatible software applications, and dozens of disparate information sources. Walk into the typical fusion center today and you’ll probably find that an analyst answering the phone has to enter the request for their services into one application for management purposes, enter the same information into a second application for sharing purposes, then has to manually bring up and login to anywhere from 5-15 different data sources to search for information related to the service request, then has to open up at least one or more applications to write up and package up the requested response, and then, more than likely, has to either manually fax it to whomever asked for the information or call them back on the telephone to give them the answer–a pretty painful and tedious way to work.
Today though, Microsoft announced release of a project that I have been helping them to develop for quite some time–the Fusion Core Solution. Microsoft hopes, through use of Office, SharePoint and ESRI’s ArcGIS to help ease the pain described above. The FCS uses SharePoint as a horizontal integration and workflow management platform to help an analyst go from taking in a fusion center service request, to searching for information, to analyzing that information, to producing the intelligence product without having to leave the SharePoint environment at all.
At a non-technical level, the FCS will enable fusion centers to do a couple of pretty cool things:
- Provides a common look and feel across multiple analytic tools and business processes.
- Greatly reduces the number of user names and passwords analyst must remember.
- Organizes requests for fusion center services, and tracks progress of fusion center work.
- Helps to better document and comply with 28 CFR Part 23, CUI and PCII requirements.
- Provides multiple analyst-to-analyst and fusion center-to-fusion center collaboration tools
- Helps to keep track of fusion center and extended staff capabilities and availability.
From a technical perspective, FCS fully supports NIEM conformant information exchanges and establishes a framework for supporting the service-oriented principles of the Justice Reference Architecture (JRA) as it applies to information and data sharing.
In a nutshell, “Fusion Core Solution is for a Fusion Center what Microsoft Windows is to a personal computer“–you can think of FCS as the “operating system” for a Fusion Center.
For more info, check out the Fusion Core Solution website, or email me.
r/Chuck
Added 8/4/2009: Click HERE to see Joe Rozek, Microsoft’s Executive Director of Homeland Security, and Former Senior Director for Domestic Counterterrorism at The White House Office of Homeland Security talk about Fusion Core Solution
15.03.2009
data sharing, intelligence center, privacy, security, security threats, Technology
If you’re like most folks, you stopped reading the “fine print” terms and conditions on free online appliactions like Google Apps, Windows Live, Zoho, and MySpace. I did too, until today. I caught an article on NetworkWorld.com today entitled “Privacy groups rip Google’s targeted advertising plan” that described how privacy advocates are concerned about Google’s foray into the world of behavioral targeting in its DoubleClick advertising business. So, that got me curious…what can Google (and others) do with your personal data, files, etc?
I did a quick check of four online appliactions that I use–Zoho, Windows Live, MySpace and Google Apps–here’s what I found.
- ZoHo’s terms of use states:“We store and maintain files, documents, to-do lists, emails and other data stored in your Account at our facilities in the United States or any other country. Use of Zoho Services signifies your consent to such transfer of your data outside of your country. In order to prevent loss of data due to errors or system failures, we also keep backup copies of data including the contents of your Account. Hence your files and data may remain on our servers even after deletion or termination of your Account.”
- Windows Live had a different twist:
“Microsoft does not claim ownership of the materials you provide to Microsoft (including feedback and suggestions) or post, upload, input or submit to any Services or its associated services for review by the general public, or by the members of any public or private community, (each a “Submission” and collectively “Submissions”). However, by posting, uploading, inputting, providing or submitting (“Posting”) your Submission you are granting Microsoft, its affiliated companies and necessary sublicensees permission to use your Submission in connection with the operation of their Internet businesses (including, without limitation, all Microsoft Services), including, without limitation, the license rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate and reformat your Submission; to publish your name in connection with your Submission; and the right to sublicense such rights to any supplier of the Services.”
- MySpace pretty much mirrors Microsoft’s terms:
“After posting your Content to the MySpace Services, you continue to retain any such rights that you may have in your Content, subject to the limited license herein. By displaying or publishing (“posting”) any Content on or through the MySpace Services, you hereby grant to MySpace a limited license to use, modify, delete from, add to, publicly perform, publicly display, reproduce, and distribute such Content solely on or through the MySpace Services, including without limitation distributing part or all of the MySpace Website in any media formats and through any media channels, except Content marked “private” will not be distributed outside the MySpace Website.”
- Google had the best (or worst) of all worlds: It’s Privacy Policy states “Google processes personal information on our servers in the United States of America and in other countries. In some cases, we process personal information on a server outside your own country. We may process personal information to provide our own services. In some cases, we may process personal information on behalf of and according to the instructions of a third party, such as our advertising partners.”It’s Google Apps terms of service states “Information collected by Google may be stored and processed in the United States or any other country in which Google or its agents maintain facilities.”It’s general terms of service states “You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive licence to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This licence is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services..You agree that this licence includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships for the provision of syndicated services, and to use such Content in connection with the provision of those services.You understand that Google, in performing the required technical steps to provide the Services to our users, may (a) transmit or distribute your Content over various public networks and in various media; and (b) make such changes to your Content as are necessary to conform and adapt that Content to the technical requirements of connecting networks, devices, services or media. You agree that this licence shall permit Google to take these actions. You confirm and warrant to Google that you have all the rights, power and authority necessary to grant the above licence.”
So, what’s the moral to this story? Three things…
- Take the time to read the fine print; make yourself and others aware of the privacy and terms of service conditions for these and other (free or fee-based) online appliacations;
- If your federal, state or law enforcement agency, fusion center, or other government agency are using any of these services, make sure you have written policies about what can and cannot be posted, stored, or shared through these services; and
- Assume anything you do post or share will a) make its way outside of the United States and b) reused in some way for marketing or advertising purposes.
Play it safe; don’t assume your information posted to these services will remain private. Remember, once out, that privacy genie will be nearly impossible to get back in the bottle.
As always, your thoughts and comments are welcomed…r/Chuck
09.01.2009
CJIS, data sharing, Information sharing, law enforcement, Law enforcement information sharing, LEIS, public safety, Strategy
Some who read this may take it as a rant against agencies/providers who say we need more money for implementing law enforcement information sharing (LEIS), but in-fact, this post is really about understanding the landscape and influencing the choices and priorities of state and county policymakers and the affected law enforcement executives.
Let me first layout the agency landscape :
- There are about 14,000 state and local law enforcement agencies;
- In roughly 3,000 counties;
- That make up the 50 states of our great nation.
Now let’s layout the funding landscape:
- For 2008 the Department of Homeland Security (DHS) allocated $3,200,000,000 (billion) for state and local assistance grants;
- In that same year, the Department of Justice (DOJ) made another $2,000,000,000 available;
- For 2008 that’s a total of $4,200,000,000;
- For 2007 that number was $4,500,000,000;
- For 2009, we are hoping that number stays about the same or goes even higher.
- To all these numbers you must add funding from the Department of Defense, Department of Transportation, Department of Health and Human Services, or State funding sources for LEIS.
Finally, let me lay out the cost landscape for LEIS:
- In my eight or so years of experience of building and deploying LEIS, I’ve seen the costs associated with hooking up an agency to vary between $5,000 and $80,000 per record system connection;
- On average though, I feel the safer number is between about $20,000 and $40,000;
- For arguments sake, let’s use the high number of $40,000.
Now comes the fun part…let’s do some math…
- To be realistic, let’s say that 25% of the 14,000 agencies are already sharing information;
- That leaves about 10,000 agencies left to connect;
- At $40,000 an agency, we would need a total of $560,000,000 (Million);
- Divide that by the 3,000 counties, and we will need about $190,000 per county;
- If we do this over three years, that’s only $63,000 per county, per year for three years!
With (on average) every county getting about $1,400,000 every year for law enforcement and public safety (out of the $4.2 Billion allocated annualy), I would like to think that we (collectively) can see the benefits of LEIS enough to spare $63,000 a year for three years to get it done.
Here’s where the issue of choices and priorities comes in. If we can agree that the money IS there, what we really need to work on are ways to convince the policymakers and law enforcement exectutives in those counties that investing a little in LEIS is a better investment than whatever it is their currently spending their part of the $4,200,000,000 on. Do you agree?
I’d also like to know what role youthink the IACP, MCC and NSA would play here?
Thoughts and comments invited…and yes, I used a calculator…;-)
r/Chuck Georgo
08.01.2009
CJIS, data sharing, Information sharing, law enforcement, Law enforcement information sharing, privacy, public safety, security
The IJIS Institute announces the appointment of Chuck Georgo, founder of NOWHERETOHIDE.ORG, as the Chairperson of the IJIS Institute’s Security and Privacy Advisory Committee.
The purpose of the IJIS Institute’s Security and Privacy Advisory Committee is to provide advice and counsel to the Department of Justice’s Office of Justice Programs (OJP), as well as other national organizations, on issues of information system security and privacy as applied to integrated justice and public safety information systems, and to develop materials and seminars to educate industry and government staffs on security and privacy measures, designs, and related issues.
The Security and Privacy Advisory Committee strives to be vendor agnostic in all activities and work products and to be the authoritative source for establishing effective privacy and security measures throughout the justice, public safety, and homeland security information sharing community. Additionally, the committee’s goals include increasing government and industry awareness and understanding of technical and non-technical privacy and security requirements and improving the privacy and security posture for federal, state, local, and tribal justice information sharing efforts. In order to achieve these goals, the committee performs research, issues white papers, develops and conducts training, participates in advisory working groups, and supports technical assistance projects.
Chuck Georgo, regarding his appointment, noted that, “Successful information sharing requires trust. I believe that to get trust you need two things—honorable motive and reliability. Organizations must know that your motives benefit the social good and that your means to protect shared information from compromise is achievable and durable. While honorable motive is in the hands of law enforcement and justice agency executives, I believe that the IJIS Institute, through the Security and Privacy Advisory Committee, can help government and industry to employ effective ways for achieving the reliable means to protect that information. I look forward to working with my fellow committee members to further advance the cause of information sharing through robust security and privacy principles and practices.”
Chuck Georgo has nearly 28 years of experience in intelligence, national security, defense, and law enforcement arenas. He has served as a strategic planner, business analyst, and technologist supporting the National Security Agency, Federal Bureau of Investigation, Department of Homeland Security, Naval Criminal Investigative Service, Naval Security Group, and many other public and private sector organizations.
# # #
About the IJIS Institute — The IJIS Institute serves as the voice of industry by uniting the private and public sectors to improve mission critical information sharing for those who protect and serve our communities. The IJIS Institute provides training, technical assistance, national scope issue management and program management services to help government fully realize the power of information sharing. Founded in 2001 as a 501(c)(3) non-profit corporation with national headquarters on the George Washington University Virginia Campus in Ashburn, Virginia, the IJIS Institute has grown to more than 240 member and affiliate companies across the United States. For more information visit www.IJIS.org.
About NOWHERETOHIDE.ORG – NOWHERETOHIDE.ORG, LLC, was established to help federal, state, and local law enforcement, justice, and homeland security agencies to better achieve their public safety and national security objectives. As our name implies, we want to help these agencies become so effective that criminal elements have nowhere-to-hide from justice. We offer planning, assessment, and technology consulting services to help law enforcement, justice, and national security agencies identify and resolve the issues that currently stand in the way of achieving high performance standards. For more information visit www.nowheretohide.org.
Doris Girgis | Communications Specialist | IJIS Institute | Ph: 703.726.1096 | www.ijis.org
Realize the power of information.
Support the IJIS Institute by ordering your gifts from one of 700 stores on the iGive portal and selecting the IJIS Institute as your organization of choice.
January 6, 2009
02.01.2009
CJIS, data sharing, Evaluation, Information sharing, law enforcement, Law enforcement information sharing, LEIS, Performance Measures, Processes, public safety, SOA, Strategy, Technology, Uncategorized
Tom Peters liked to say “what gets measured gets done.” The Office of Management and Budget (OMB) took this advice to heart when they started the federal Performance Assessment Rating Tool (PART) (http://www.whitehouse.gov/omb/part/) to assess and improve federal program performance so that the Federal government can achieve better results. PART includes a set of criteria in the form of questions that helps an evaluator to identify a program’s strengths and weaknesses to inform funding and management decisions aimed at making the program more effective.
I think we can take a lesson from Tom and the OMB and begin using a formal framework for evaluating the level of implementation and real-world results of the many Law Enforcement Information Sharing projects around the nation. Not for any punitive purposes, but as a proactive way to ensure that the energy, resources, and political will continues long enough to see these projects achieve what their architects originally envisioned.
I would like to propose that the evaluation framework be based on six “Standards for Law Enforcement Information Sharing” that every LEIS project should strive to comply with; they include:
1. Active Executive Engagement in LEIS Governance and Decision-Making;
2. Robust Privacy and Security Policy and Active Compliance Oversight;
3. Public Safety Priorities Drive Utilization Through Full Integration into Daily Operations;
4. Access and Fusion of the Full Breadth and Depth of Regional Data (law enforcement related);
5. Wide Range of Technical Capabilities to Support Public Safety Business Processes; and
6. Stable Base of Sustainment Funding for Operational and Technical Infrastructure Support.
My next step is to develop scoring criteria for each of these standards; three to five per standard, something simple and easy for project managers and stakeholders to use as a tool to help get LEIS “done.”
I would like to what you think of these standards and if you would like to help me develop the evaluation tool itself…r/Chuck
Chuck Georgo
chuck@nowheretohide.org
www.nowheretohide.org
07.10.2008
data sharing, Information sharing, Technology
I had the pleasure of attending a briefing today on the Virtual Alabama (VA) Project. Jim Walker, Director, Alabama Department of Homeland Security, and Chris Johnson, VA Project Manager gave a full blown, real-time demonstration of VA’s capabilities. While just seeing Google Earth Enterprise technology is cool in itself, what was really astonishing was to see how the project has worked to get access to an amazing number of data sources–they have engaged over 1,100 agencies in implementing information sharing accross the state!
Driven by specific business needs, the VA project now supports law enforcement, fire, emergency management, business and economic development, property tax assessment, port security, emergency evacuation, and they’re only into the project about 10% (their number). Other states would do well to take a look at what they’ve done in about 18 months for about $500,000 with a team of four people. And, don’t focus solely on the specific technology they chose–the real lesson here is what they did to get Alabama agencies to share their data! This is the true accomplishment.
I hope the project can find time write up and share a white paper to document the various strategies they employed to get access to the data–arm twisting, the shame game, Friday afternoon strategy sessions at local watering holes, etc.
Here’s a YouTube movie about it: Google Earth Enterprise Case Study: Virtual Alabama
Enjoy!…r/Chuck Georgo