Brookings: Experts - Noah Shachtman

Pentagon Paying China — Yes, China — To Carry Data

Noah Shachtman — Mon, 29 Apr 2013 00:00:00 -0400

The Pentagon is so starved for bandwidth that it’s paying a Chinese satellite firm to help it communicate and share data.

U.S. troops operating on the African continent are now using the recently-launched Apstar-7 satellite to keep in touch and share information. And the $10 million, one-year deal lease — publicly unveiled late last week during an ordinarily-sleepy Capitol Hill subcommittee hearing — has put American politicians and policy-makers in bit of a bind. Over the last several years, the U.S. government has publicly and loudly expressed its concern that too much sensitive American data passes through Chinese electronics — and that those electronics could be sieves for Beijing’s intelligence services. But the Pentagon says it has no other choice than to use the Chinese satellite. The need for bandwidth is that great, and no other satellite firm provides the continent-wide coverage that the military requires.

“That bandwidth was available only on a Chinese satellite,” Deputy Assistant Secretary of Defense for Space Policy Doug Loverro told a House Armed Services Committee panel, in remarks first reported by InsideDefense.com. “We recognize that there is concerns across the community on the usage of Chinese satellites to support our warfighter. And yet, we also recognize that our warfighters need support, and sometimes we must go to the only place that we can get it from.”

The Apstar-7 is owned and operated by a subsidiary of the state-controlled China Satellite Communication Company, which counts the son of former Chinese premier Wen Jiabao as itschairman. But the Pentagon insists that any data passed through the Apstar-7 is protected from any potential eavesdropping by Beijing. The satellite uplinks and downlinks are encrypted, and unspecified “additional transmission security” procedures cover the data in transit, according to Lt. Col. Damien Pickart, a Defense Department spokesperson.

“We reviewed all the security concerns, all of the business concerns with such a lease,” Loverro said. “And so from that perspective, I’m very pleased with what we did. And yet, I think the larger issue is we don’t have a clear policy laid out on how do we assess whether or not we want to do this as a department, as opposed to just a response to a need.”

Every new drone feed and every new soldier with a satellite radio creates more appetite for bandwidth — an appetite the military can’t hope to fill with military spacecraft alone. To try to keep up, the Pentagon has leased bandwidth from commercial carriers for more than a decade. And the next decade should bring even more commercial deals; in March, the Army announced it was looking for new satellite firms to help troops in Afghanistan communicate. According to a 2008 Intelligence Science Board study (.pdf) — one of the few public reports on the subject — demand for satellite communications could grow from about 30 gigabits per second to 80 gigabits a decade from now.

The Chinese are poised to help fill that need — especially over Africa, where Beijing has deep business and strategic interests. In 2012, China for the first time launched more rockets into space than the U.S. – including the Chinasat 12 and Apstar-7 communications satellites.

Relying on Chinese companies could be a problematic solution to the bandwidth crunch, however. U.S. officials have in recent years publicly accused Chinese telecommunications firms of being, in effect, subcontractors of Beijing’s spies. Under pressure from the Obama administration and Congress, the Chinese company Huawei was rebuffed in its attempts to purchase network infrastructure manufacturer 3Com; in 2010, Sprint dropped China’s ZTE from a major U.S. telecommunications infrastructure contract after similar prodding. Last September, executives from the Huawei and ZTE were brought before the House intelligence committee and told, in effect, to prove that they weren’t passing data back to Beijing. “There’s concern because the Chinese government can use these companies and use their technology to get information,” Rep. Dutch Ruppersberger, said at the time. The executives pushed back against the charges, and no definitive links to espionage operations were uncovered. But the suspicion remains. And it isn’t contained to these two firms.

“I’m startled,” says Dean Cheng, a research fellow and veteran China-watcher at the Heritage Foundation. “Is this risky? Well, since the satellite was openly contracted, they [the Chinese] know who is using which transponders. And I suspect they’re making a copy of all of it.”

Even if the data passing over the Apstar-7 is encrypted, the coded traffic could be used to give Chinese cryptanalysts valuable clues about how the American military obfuscates its information. “This is giving it to them in a nice, neat little package. I think there is a potential security concern.”

And even if the Chinese don’t intercept the data, there’s always the danger of them suddenly deciding to block service to the American military.

For his part, Loverro says the Department of Defense will be reviewing its procedures to ensure that future satellite communications deals both let troops talk and let them talk in private. The Pentagon will get another opportunity shortly: the Apstar-7 deal is up on May 14, and can be renewed for up to three more years.

Authors

Noah Shachtman

Publication: Danger Room (Wired)

These Classy Defense Contractors Are Already Looking to Cash In on Boston

Noah Shachtman — Fri, 26 Apr 2013 00:00:00 -0400

The newly-limbless victims from the Boston Marathon attack are still being treated, and the alleged bomber has only been in custody for a few days. But for a handful of defense and intelligence contractors, it’s never too early to start pimping their products as the solution to the next terrorist strike.

“The Boston Marathon bombing has proven the need for real time video and data analysis from all types of cameras, including user mobile devices, surveillance cameras, and network footage,” Chris Carmichael, CEO of Ubiquity Broadcasting Corporation, says in a press release. As it happens, his company offers an intelligent video system that does just that.

Piggybacking on big events a long-standing trick of the PR trade. It’s a way to garner attention for products that might ordinarily get ignored. So dress-makers jump on the Oscars. Social media monitors issue “analysis” of Twitter’s reaction to the Presidential debates. And the night after the Boston bombings, an explosive detection outfit called Implant Sciences emailed reporters to say that its “quantum sniffer” was the kind of “technology needed to prevent attacks like this… It is the most sensitive detection system ever created and it can save lives.”

Not to be outdone, a publicist from a facial recognition firm, FaceFirst, boasted to reporters a few days later that “this technology can identify individuals with prior arrests, terrorists and persons of interest in a matter of seconds.” He also sighed that “the last few month [sic] have been pretty hectic for due to the use of face recognition in the finding of the Boston Marathon Bombers and other high profile cases.”

One small problem: facial recognition wasn’t used to catch Dzhokhar and Tamerlan Tsarnaev, the accused attackers.

Thankfully, some of the companies boasting of their roles in the bombing response actually did help in that response.

During its quarterly earnings call this week, iRobot CEO Colin Angle was happy to let reporters know that, yes, one of the firm’s PackBot machines certainly was used to investigate a car driven by one of the bombing suspects. ”The company’s response to the Boston Marathon bombings continues a long tradition of iRobot’s responsiveness in a time of crisis and speaks to our values and commitment as an organization,” he crowed.

The Emergency Communications Network firm not-so-humble bragged in a statement that ”on Monday alone, more than 228,000 calls, tens of thousands of texts and emails, in addition to 700 CodeRED Mobile Alert app notifications kept citizens informed of critical public safety messages specific to their areas… On Tuesday, ECN client Massachusetts Institute of Technology used the CodeRED system to notify students, faculty and staff of a suspicious package on campus. More than 20,000 calls were launched in 11 minutes and 18,000 text messages were sent in three minutes, allowing MIT to proactively communicate with their campus community during a time of heightened awareness and vigilance.”

Others trying to ride the attack’s media wave had, at best, tangential connections to the tragedy. Afront group set up by outdoor advertising companies to promote billboards in Los Angeles decided that the bombing was a perfect excuse to renew its call for digital signs alongside L.A.’s freeways. An anti-Islam outfit pounced on the attack to demand that Muslims be stripped of their Constitutional rights. And when the news broke that bombing suspect Tamerlan Tsarnaev purchased hundreds of dollars’ worth of fireworks, the American Pyrotechnics Association quickly issued a statement defending its industry.

“Could these consumer fireworks devices be used to produce a pipe bomb or pressure cooker bomb like the bombs involved at the Boston marathon? Perhaps; however, it would take a significant volume of these small aerial shells to extract the volume of chemicals necessary to create a significant blast,” reads the press release. “Contrary to media reports, consumer fireworks have rarely been used in such destructive activities.”

Book publishers were also quick turn the awful attack that left three people dead into a marketing opportunity.

“This terrorist event left millions of citizens concerned about their family’s personal safety and wondering what they should do to plan and protect themselves,” notes one press release. ”Those answers are at your fingertips,” said Rob Stern, principal of Defense Research LLC, developer of the ‘Citizens’ Emergency Response Guide.’

“Can the reasons for the Boston Marathon bombing be understood by reading a 39 page book?” asks another press release, this one from a publisher hawking a novel from some guy named Morris Matthews.” Revered by America’s traveling carnival community, he brings a blend of ancient Ayurvedic wisdom and ‘Middle American’ horse sense to his writings.

If only he had used that horse sense to stop this press release before it was issued.

– with Spencer Ackerman

Authors

Noah Shachtman

Publication: Danger Room (Wired)

Image Source: © Jim Bourg / Reuters

Security Challenges During a Time of Transition

Wed, 13 Mar 2013 10:00:00 -0400

Event Information

March 13, 2013
10:00 AM - 4:00 PM EDT

Falk Auditorium
Brookings Institution
1775 Massachusetts Avenue NW
Washington, DC 20036

Register for the Event
The 21st Century Defense Initiative’s Fourth Annual Military and Federal Fellow Research Symposium

On March 13, the 21st Century Defense Initiative at Brookings hosted its fourth annual Military and Federal Fellow Research Symposium, featuring the independent research produced by the members of each military service and the federal agencies who have spent the last year serving at think tanks and universities across the nation. Organized by the fellows themselves, the symposium provides a platform for building greater awareness of the cutting-edge work that America’s military and governmental leaders are producing on key policy issues.

The theme of this symposium was “Security Challenges During a Time of Transition,” reflecting the war drawdowns, new fiscal realities, and upcoming Quadrennial Defense Review. Panel discussions focused on fellows’ independent research findings in the areas of military leadership, the composition and structure of military forces, an increasing reliance on technology, and emerging maritime challenges. Thomas E. Ricks, senior fellow at the Center for a New American Security, delivered opening remarks, and Dr. Arati Prabhakar, director of the Defense Advanced Research Agency, gave a keynote address.

Transcript

Transcript (.pdf)

Event Materials

20130313_security_challenges_transcript

Brookings Launches the Center for 21st Century Security and Intelligence (21CSI)

Tue, 12 Mar 2013 16:40:00 -0400

Washington, D.C. — The Brookings Institution announced today the establishment of the Center for 21st Century Security and Intelligence (21CSI). The new center will be unique in addressing defense, cybersecurity, arms control and intelligence challenges in a comprehensive manner, seeking not just to explore key emerging security issues, but also how they cross traditional fields and domains.

“With the launch of the Center for 21st Century Security and Intelligence, Brookings will be at the forefront of research and public debate on the critical security issues of our time,” said Strobe Talbott, president of the Brookings Institution. "21CSI will bring together the extraordinary array of scholars already working on defense and security issues at Brookings, along with adding new experts in fields that range from cyber to intelligence policy."

The Center for 21st Century Security and Intelligence will be housed in the Foreign Policy program at Brookings and Peter W. Singer will serve as its founding director. One of the world’s leading experts on modern warfare and author of the New York Times bestseller, Wired for War (Penguin, 2009), Singer has founded and managed two previous projects at Brookings, the Project on U.S. Relations with the Islamic World and the 21st Century Defense Initiative.

The center will encompass four key focal points of policy research on security and defense issues:

A Defense Policy team will be led by Michael O'Hanlon, one of the most influential and widely published defense scholars in the world, who also serves as director of research in the Foreign Policy program. He will be joined by other resident and nonresident scholars including Senior Fellow Vanda Felbab-Brown, a leading expert on counterinsurgency and illicit networks, and Senior Fellow Stephen Cohen, a pre-eminent expert in South Asian security issues. The team will also comprise the Federal Executive Fellows (FEFs), career officers from each military service and the Coast Guard, who spend a year in residence researching and writing on defense topics.
The new Intelligence Project, focusing on the nexus of intelligence and policymaking, will be led by Senior Fellow Bruce Riedel, a 30-year veteran of the intelligence community who also served on the National Security Council staff for three presidents. Riedel will be supported by a team of resident and nonresident scholars, including Paul Pillar and John McLaughlin, as well as career officers seconded from the intelligence community, and an advisory group of distinguished former senior intelligence officials and policymakers. The Intelligence Project is the first of its kind to be established at a major research institution.
The Arms Control Initiative will combine a focus on existing challenges of nuclear and conventional disarmament with new policy research on the Iranian and North Korean challenges to the nuclear nonproliferation regime. It is led by Senior Fellow Steven Pifer, a former special assistant to the president with substantial arms control experience. Robert Einhorn, currently the State Department’s special adviser for Nonproliferation and Arms Control, is expected to join later this spring as a Senior Fellow. The Initiative will also house a new program designed to cultivate and mentor the next generation of arms control and nonproliferation scholars.
The new Cybersecurity project will bring together the work of Visiting Fellow Ian Wallace, a former senior official at the British Ministry of Defence, who helped develop British cyber strategy, as well as its cyber-relationship with the United States, and a team of nonresident fellows, including Noah Shachtman, national security editor at Wired magazine, recently named one of the top 10 cybersecurity writers in the world; Ben Hammersley, a war journalist, noted technology writer, and author of the upcoming book Approaching the Future: 64 Things You Need to Know Now for Then; and Ralph Langner, the cybersecurity expert credited with “decoding” Stuxnet.

21CSI will focus on cutting-edge, in-depth, policy-relevant research and programming, designed to help shape the public policy debate and inform policy-makers. Bringing together a diverse group of experts and scholars, it will seek to promote collaboration across the various policy domains, in order to better understand the rapidly evolving, increasingly complex 21st century battlefield.

“We’ve created 21CSI in response to the enormous changes playing out in the global security environment,” said Martin Indyk, vice president and director of the Foreign Policy program at Brookings. “To address the diverse range of issues in this field, we’ve assembled a world-class team of researchers, who are some of the leading voices on the current challenges driving security policy today, as well as how we should think about tomorrow.”

Eleven Body Parts Researchers Will Use to Track You

Noah Shachtman and Robert Beckhusen — Fri, 25 Jan 2013 11:19:00 -0500

Cell phones that can identify you by how you walk. Fingerprint scanners that work from 25 feet away. Radars that pick up your heartbeat from behind concrete walls. Algorithms that can tell identical twins apart. Eyebrows and earlobes that give you away. A new generation of technologies is emerging that can identify you by your physiology. And unlike the old crop of biometric systems, you don't need to be right up close to the scanner in order to be identified. If they work as advertised, they may be able to identify you without you ever knowing you've been spotted.

Biometrics had a boom after 9/11. Gobs of government money poured into face and iris recognition systems; the Pentagon alone spent nearly $3 billion in five years, and the Defense Department was only one of many federal agencies funneling cash in the technologies. Civil libertarians feared the worst as face-spotters were turned on crowds of citizens in the hopes of catching a single crook.

But while the technologies proved helpful in verifying identities at entry points from Iraq to international airports, the hype -- or panic -- surrounding biometrics never quite panned out. Even after all that investment, scanners still aren't particularly good at finding a particular face in the crowd, for example; variable lighting conditions and angles (not to mention hats) continue to confound the systems.

Eventually, the biometrics market -- and the government enthusiasm for it -- cooled off. The technological development has not. Corporate and academic labs are continuing to find new ways to ID people with more accuracy, and from further away. Here are 11 projects.

The Ear

My, what noticeable ears you have. So noticeable in fact that researchers are exploring ways to detect the ears' features like they were fingerprints. In 2010, a group of British researchers used a process called "image ray transform" to shoot light rays at human ears, and then repeat an algorithm to draw an image of the tubular-shaped parts of the organ. The curved edges around the rim of the ear is a characteristic -- and most obvious -- example. Then, the researchers converted the images into a series of numbers marking the image as your own. Finally, it's just a matter of a machine scanning your ears again, and matching it up to what's already stored in the system, which the researchers were able to do accurately 99.6 percent of the time. In March of 2012, a pair of New Delhi scientists also tried scanning ears using Gabor filters -- a kind of digital image processor similar to human vision -- but were accurate to a mere 92 to 96.9 percent, according to a recent survey (pdf) of ear biometric research.

It may even be possible to develop ear-scanning in a way that makes it more reliable than fingerprints. The reason is because your fingerprints can callous over when doing a lot of hard work. But ears, by and large, don't change much over the course of a lifespan. There's a debate around this, however, and fingerprinting has a much longer and established history behind it. A big question is whether ear-scanning will work given different amounts of light, or when covered (even partially) by hair or jewelry. But if ear-scanners get to the point of being practical, then they could possibly work alongside fingerprinting instead of replacing them. Maybe in the future we'll see more extreme ear modificationcome along as a counter-measure.

Odor

In the early and mid-2000s, the Pentagon's blue-sky researchers at Darpa dabbled in something called the "Unique Signature Detection Project," which sought to explore ways to detect people by their scent, and maybe even spot and identify individuals based on their distinct smells. Darpa's work ended in 2008. The following year, the Department of Homeland Security fielded a solicitation for research in ways that human scent can indicate whether someone "might be engaging in deception," specifically at airports and other ports of entry.

Odor detection is still just a research project at the moment. The science is intricate, involving more than 300 chemical compounds that produce human odor. Our personal stinks can change depending on everything from what we eat to our environment. But it may be possible to distinguish our "primary odor" -- separate from "secondary" odors based on our diet and "tertiary" odors based on things like soaps and shampoos. The primary odor is the one linked to our genetics, and there have already been experiments with mice, which have been found to produce distinct scents unique to individuals. In 2007, the government's counter-terror Technical Support Working Group even started a program aimed atcollecting and storing human odors for the military's dog handlers. Dogs, of course, have been used to track people by smell for decades, and are believed to distinguish between humans based on our genetic markers.

Heartbeat

Your chest moves, just a little, every time your heart beats or your lungs take in air. For years, researchers have been monkeying with radars that are sensitive enough to to detect those minuscule chest movements -- but powerful enough to do it from hundreds of yards away. Even reinforced concrete walls and electromagnetic shielding won't stop these radars, or so claim the researchers at the small, Arizona-based defense contractor VAWD Engineering, who are working on such a system for Darpa's "Biometrics-at-a-distance" program.

The key is the Doppler Effect -- the changes in frequency when one object moves relative to another. We hear it all the time, when a fire engine passes by, siren blaring. VAWD says their vehicle-mounted Sense Through Obstruction Remote Monitoring System (STORMS) can pick up even small fluctuations of chests.

STORM "can be used to detect, classify and identify the specific cardiac and pulmonary modulations of a... person of interest," a company document boasts. By itself, a heartbeat or a breathing rate won't serve as a definitive biometric. But combine it with soft biometrics (how someone subtly sways when he or she stands) and you've got a unique signature for that person that can't be hidden or covered up.

VAWD says these signature will help improve disaster relief and medical care by providing a "reliable, real time medical status equal to or better than the current devices, while increasing the mobility and comfort of the patient."

But the company also notes that its system performs "automated human life-form target tracking" even when construction materials like "Afghan mud-huts" are in the way. STORM "has already been deployed by the United States Army on one of its most advanced ground vehicles," the company adds.

Does any of that sound like hospital work to you?

Voice

Most people are likely to be familiar with voice readers on gadgets like the iPhone. But what if there was software that could quickly analyze the voice of thousands, and even use those voices to identify specific people?

Russian biometrics firm Speech Technology Center -- known as SpeechPro in the U.S. -- has the technology. Called VoiceGrid, the system is able to automatically recognize a person's voice as their own, provided your voice is pre-recorded in a database and can be recalled by the computer. The company has also developed a version for "large city, county, state or national system deployments."

It's seen use in Mexico, according to Slate, "where it is being used by law enforcement to collect, store, and search hundreds of thousands of voice-prints." The National Security Agency has taken interest in similar technology. So has the FBI. A 2012 presentation from the National Institute of Standards and Technology -- with the assistance of the FBI -- also speculated on potential uses including identifying and clearing people 'involved in illegal activities," locating serial killers and identifying arms traffickers(.pdf). Iarpa, the intelligence community's research agency, has also been looking into ways to solve some of its problems: audio interference mainly. In 2011, the agency concluded its Biometric Exploitation Science and Technology Program (or BEST), which made "speaker recognition advances which included improving robustness to noise, reverberation, and vocal effort, and by automatically detecting these conditions in audio channels," spokesperson Schira Madan told Danger Room in an email. But we wonder if it'll detect autotune.

The Iris

Imagine a scanner than can look deep inside your eye -- from 10 feet away. Actually, you don't have to think that hard. The technology is already here. Scanners have been developed that can focus in and scan irises from a distance of 10 feet, such the IOM PassPort, developed by government contractor SRI International. The company promises the machine can scan irises at a rate of 30 people per minute -- like in high-traffic areas such as airports and train stations. SRI also claims it can see through contact lenses and glasses.

But the longer-range scanners could also see other uses, aside from airports. U.S. troops field existing, short-range and handheld iris scanners to build databases of Afghan eyes as part of a plan to use biometric data to tell civilians apart from insurgents. The Department of Homeland Security has tested iris scanners at a Border Patrol station along the Texas-Mexico border. The FBI has been working on an iris database for federal prisoners, and Google uses them at company data centers. But these systems can be fussy, and require that the targets don't move too much.

There might be another way. The Pentagon's scientists at Darpa have funded a research project at Southern Methodist University to develop cameras that can automatically zoom-in and scan irises, kinda like what happened to Tom Cruise in Minority Report -- and without being blocked by pesky obstructions like eyelashes and glare from light. But another problem is that iris scanners are not the most secure means of identifying people. In July 2012, a group of researchers from the U.S. and Spain discovered a way to spoof the scanners by duplicating iris images stored in databases and creating synthetic copies. That means someone could conceivably steal your eyes, in a way.

Periocular

Spotting someone by their irises is one of the best-developed biometric techniques there is. But Savvides and his Carnegie Mellon colleagues think there may be an equally-promising approach in the area around the eye -- also known as the "periocular" region.

The "periocular region has the most dense and the most complex biomedical features on human face, e.g. contour, eyelids, eyeball, eyebrow, etc., which could all vary in shape, size and color," they wrote in a 2011 paper. (.pdf) "Biologically and genetically speaking, a more complex structure means more 'coding processing' going on with fetal development, and therefore more proteins and genes involved in the determination of appearance. That is why the periocular region should be the most important facial area for distinguishing people."

And unlike other biometrics -- the face, for instance -- the periocular region stays remarkably stable as a person ages. "The shape and location of eyes remain largely unchanged while the mouth, nose, chin, cheek, etc., are more susceptible to changes given a loosened skin," the researchers note. In other words, this is a marker for life.

Nearby, Savvides and his colleagues think they've found a second biometric: the shape of the eyebrow. Face-scanners are sometimes thrown off when people smile or frown. But the eyebrow shape is "particularly resilient to certain (but not all) expression variations," the researchers note in a separate, yet-to-be-published paper. And the eyebrow can still be seen, even when the subject has most of his or her face covered.

What's not fully clear is how the eyebrow biometric responds to threading, shaving or waxing. Saavides, who responded to tons of questions about his research, says there's no fullproof means to avoid this kind of spoofing. But Saavides is also working on sensors that can analyze multiple facial cues and features, while incorporating algorithms that detect the possibility of a person changing one or two of them. A pair of plucked eyebrows might be a weak match compared to the bushy ones the computer has on file -- but the computer could also be smart enough to recognize they've been plucked.

Long-Range Fingerprint Scanners

Most fingerprint scanners today require physical contact, but constantly being soaked with finger-oil and dirt can also muck-up the machines. For that reason, among others, one developer is working on a scanner that may one day read your fingerprints at a distance of 20 feet.

But first, scanners with a 20-foot distance haven't hit the market quite yet. One machine called the AIRprint, made by Alabama firm Advanced Optical Systems, has a range of nine feet, and uses two 1.3 megapixel cameras that receives light in different wavelengths: one horizontally polarized, and the other vertically polarized. To sort out the different wavelengths, a device beams light at your fingerprints, which bounce back into the lenses, which then combines the separate wavelengths into a clear picture. A spin-off company called IDair also has a commercial scanner that reaches up to six feet and is marketed toward "security personnel." IDair's 20-foot-range machine is currently in development, and is described as functioning similar to satellite imagery.

The military is reportedly an interested customer. The MIT Technology Review surmised that Marines may use them for scanning fingerprints from inside the relative safety of an armored vehicle or behind a blast wall. It beats exposing yourself to the possibility of a suicide bomb attack. For the civilian market, that seems better than pressing your fingertips against a greasy scanner, if you're comfortable with the idea of having your prints scanned from far away.

Gait

Even before 9/11, researchers were floating that notion that you could pick out someone by how he or she walks. And after the Towers fell, Darpa made gait recognition one of the cornerstones of its infamous Total Information Awareness counterterror program.

The problem is that gait can be kind of hard to spot. A briefcase or a bum leg prevents the recognition system from getting a clear view. So filming someone walk didn't make for a particularly reliable biometric system. Plus, the same person may have multiple gaits -- one for walking, and another for running, say.

But the spread of smartphones has opened up a new way of identifying someone's stride. Androids and iPhones all have accelerometers -- sensors that measure how far, how fast, and with how much force an object moves.

"By using the accelerometer sensor in the cell phone, we are able to capture a person's walking pattern. As it turns out, these patterns are very good biometric traits for people identiﬁcation. Because it does not require any special devices, the gait biometrics of a subject can even be captured without him or her knowing," write Carnegie Mellon University professor Marios Savvides and his colleagues in a recent paper. (.pdf)

In a small, preliminary study, Savvides and his fellow researchers at the CyLab Biometrics Center claim they were able to get a 99.4% verification rate with the system when the subjects were walking. 61% of the time, they were even able to match someone's fast-paced gait to their slower one. In other words, you can run.... but with a phone in your pocket, it's going to be harder to hide.

Sweat

The Army wants to see some sweat. No, not workout sweat, but sweat that can betray hostile intentions. In 2010, the Army awarded a nearly $70,000 contract to California security firm Irvine Sensors Corporation to develop software that can use sensors to recognize at "abnormal perspiration and changes in body temperature." The idea was to determine "harmful intent in such military applications as border patrol, stand-off interrogation, surveillance and commercial applications" including surveillance at businesses and "shopping areas." It's a bit out there, and still very much in the research stage, but makes a certain kind of sense. Elevated stress levels could give a suspect away when scanned by hyperspectral sensors that read changes in body temperature.

Though a reliable system will have to work in combination with other biometric signals: threatening body movements, facial expressions, iris scans -- all of these will also have to be factored into determining whether someone is up to no good. The Army contract, dubbed Image Analysis for Personal Intent, also sought to develop sensors that read these signs from a distance of nearly 150 feet. Perhaps a bit optimistic. But in 2002, a group of scientists in Minnesota managed to determine if military recruits were engaging in deception by scanning for changes in temperature around their eyes. So if you're at all freaked out about the idea of sweat-scanners, now might be time for a cold shower.

Advanced Face Recognition

Most machines that scan and recognize your face require taking a good, clean look. But now researchers are working on replacing them with scanners that only need a few fragmentary snapshots at much longer ranges than ever before.

One machine that can do it is being developed by defense contractor Progeny Systems Corporation, called the "Long Range, Non-cooperative, Biometric Tagging, Tracking and Location" system. Once a person of interest is spotted, the system captures a 2D image of the person's face before converting it into 3D. Then, once the image has been converted and filed in a database, it can be quickly recalled when the system spots the person for a second time. That's because 3D reduces the number of pixels needed to analyze the image, speeding up the process and allowing the system to identify a person with a mere glance. The company also claims the machine works at more than 750 feet.

But a face alone may not be enough to recognize a person with a machine. Everything from lighting conditions to distance can make it harder to get a clear picture, especially if the person being scanned is on the move, in a crowd, or ducking in and out of buildings. Using 3D models makes it easier, but the technology will likely have to be combined with "soft biometrics" like an individual's gender, height, weight, skin color and even tattoos.

Slightly creepy, no? Well, it gets creepier, like the group of Swiss scientists working on scanning facial features to detect your emotions. Developers at Carnegie Mellon University have also developed a mobile app called PittPatt --which has since been acquired by Google -- that can scan your face and match it up with images you've shared over the internet, all in less than a minute.

Rapid DNA Testing

It used to be that DNA testing took months to perform, from the time when a DNA sample was picked up on a swab, to analyzing it and creating a DNA profile. Now there are machines that can do it in less than 90 minutes, and the Pentagon wants them.

This month, researchers at the University of North Texas are beginning to test a $250,000 machine for the Defense and Justice Departments, and the Department of Homeland Security, so that "casualties and enemies killed in action can be quickly identified in the field," according to the Biometrics Research Group. But according to the October issue of Special Operations Technology magazine, rapid DNA testing systems co-developed by defense giant Northrop Grumman had already been delivered to "unspecified government customers" beginning back in August. One of those customers is believed to be the FBI. California company IntegenX also has a portable rapid-DNA machine that can analyze molecules taken off everything from clothing to cigarette butts. There's a simple reason why police are so interested. For a burglar who's breaking nto houses and leaving a DNA trail, the machines could clue-in faster than the burglar is able to continue the spree.

Authors

Noah Shachtman
Robert Beckhusen

Publication: Wired

Image Source: Caroline Purser

U.S. Shoots Down Secret Report That Syria Used a Chemical Weapon

Noah Shachtman — Wed, 16 Jan 2013 00:00:00 -0500

The State Department is publicly discounting claims made by its own diplomats about a chemical weapons attack in Syria.

On Tuesday, Foreign Policy detailed a secret and previously unknown cable from the U.S. consulate in Istanbul which came to the explosive conclusion that Syrian government forces dropped a hallucinogen known as “Agent 15″ on rebels in the town of Homs on December 23.

But less than a day later, State Department spokesperson Victoria Nuland has denied the report, saying that the Foreign Policy story ”did not accurately convey the anecdotal information that we had received from a third party regarding an alleged incident in Syria in December.”

“At the time we looked into the allegations that were made and the information that we had received, and we found no credible evidence to corroborate or to confirm that chemical weapons were used,” she added. That’s a major deal, because the international community has repeatedly told the Assad Regime in Syria that the use of chemical weapons is beyond unacceptable. The White House issued a statement along similar lines.

U.S. officials contacted by Danger Room said the information in the cable originated from a contractor hired by the State Department to monitor opposition media coming from Syria. After the attack in Homs, rebel activists posted gut-wrenching videos to YouTube of gasping victims crying out in agony. In the clips, opposition figures claimed that they had been hit with a poison gas — maybe a nerve agent, maybe a hallucinogen.

American experts could find little in the videos that corroborated either chemical weapons story. (For one thing, hallucinogens and nerve agents have almost opposite symptoms and treatment regimes.) In the hours after the attack, U.S. officials expressed skepticism about the rebel claims. The bit about Agent 15 seemed particularly odd; while the U.S. military experimented on its own troops with a similar hallucinogen called BZ, there was yet to be a proven case of the the agent being used in anger on the battlefield. Nevertheless, according to CNN, the State Department did ask “a U.S. partner” to follow up, interviewing Syrian doctors and chemical weapons specialists.

CNN says that the gas was determined to be a “riot control agent” — a broad category of weapons that includes tear gas, pepper spray, and Agent 15. None of these agents are designed to be deadly. But they’re also not designed to be inhaled in large quantities. “Just like with tear gas, if you breathe in an entire canister, that can have a severe effect on your lungs and other organs,” one official tells CNN.

In other words, if a chemical was used in Homs, it wasn’t a weapon of mass destruction.

It almost certainly wasn’t a hallucinogen, either. CNN also interviewed a doctor who said he treated victims in Homs with atropine. If that’s true, it rules out the use of a hallucinogen like Agent 15 or BZ. Both are anticholinergic agents, blocking the neurotransmitters in the parasympathetic nervous system. One would only enhance the effect of the other. CNN says experts concluded that the Homs attack “was later determined not to be Agent 15.”

The issue of chemical weapons continues to loom over the conflict in Syria. The regime’s stockpiles are enormous, and they’ve been shown the willingness to prepare at least some of the agents for a possible attack. But for now, the U.S. government appears to have decided that, whatever happened in Homs, it didn’t cross the chemical “red line” that the President on down had pledged would trigger outside intervention into the civil war.

Update: Dr. James Ketchum, who oversaw the American military’s hallucinogen weapon experiments (and wrote about them in his book Chemical Warfare Secrets Almost Forgotten), doesn’t believe such agents were used in the Homs attack, either.

Ketchum watched the YouTube videos of the aftermath, and doesn’t see the signs of a hallucinogen like Agent 15 or BZ in the victims’ responses. It’s “Definitely not BZ or related anticholinergic,” he writes in an email to Danger Room.

Those recovering from the attack “are all coherent and respond to questions with good attention. Most seem to complain of tightness in the chest and some require oxygen, but none show confusion, abnormal movements or dry mouth. Their pupils are not easy to see. All show anxiety — instead of being drowsy, restless, or non-responsive due to stupor from BZ-like drug,” he adds. “Hours must have passed to get them all in beds and under medical care. BZ would have them in delirium by that time and they would be performing phantom acts (e.g. invisible cigarette being smoked).”

Ketchum wonders if a nerve agent like sarin wasn’t used in Homs — it can produce some delirium during its early stages, and the atropine would’ve worked as a treatment. But U.S. experts quickly ruled out sarin or some other hyper-lethal nerve agent, because the gas had a strong odor (which sarin usually does not) and the victims in Homs manage to inhale a lot of the gas without dying.

So what was that mystery gas in Homs? Raffi Khatchadourian of the New Yorker puts together the clues, and comes up with the most credible suspect yet.

There are similar chemicals out there that cause the same symptoms but are not nearly as potent and do have an odor. They are orgaonphosphate pesticides, which happen to be among the most common pesticides in the world and are also cholinesterase inhibitors. They can cause symptoms identical to their military counterparts, including death, and are treatable with atropine. If the chemical used in Homs was a commercial pesticide, then it appears that someone has manufactured a crude, poor-man’s chemical weapon out of a commonly available item.

Authors

Noah Shachtman

Publication: Danger Room (Wired)

Image Source: © Goran Tomasevic / Reuters

Pentagon Looks to Fix "Pervasive Vulnerability" in Drones

Noah Shachtman — Mon, 31 Dec 2012 00:00:00 -0500

Drones may be at the center of the U.S. campaign to take out extremists around the globe. But there’s a “pervasive vulnerability” in the robotic aircraft, according to the Pentagon’s premier science and technology division — a weakness the drones share with just about every car, medical device and power plant on the planet.

The control algorithms for these crucial machines are written in a fundamentally insecure manner, says Dr. Kathleen Fisher, a Tufts University computer scientist and a program manager at the Defense Advanced Research Projects Agency. There’s simply no systematic way for programmers to check for vulnerabilities as they put together the software that runs our drones, our trucks or our pacemakers.

In our homes and our offices, this weakness is only a medium-sized deal: developers can release a patched version of Safari or Microsoft Word whenever they find a hole; anti-virus and intrusion-detection systems can handle many other threats. But updating the control software on a drone means practically re-certifying the entire aircraft. And those security programs often introduce all sorts of new vulnerabilities. “The traditional approaches to security won’t work,” Fisher tells Danger Room.

Fisher is spearheading a far-flung, $60 million, four-year effort to try to develop a new, secure way of coding — and then run that software on a series of drones and ground robots. It’s called High-Assurance Cyber Military Systems, or HACMS.

Drones and other important systems were once considered relatively safe from hack attacks. (They weren’t directly connected to the internet, after all.) But that was before viruses started infecting drone cockpits; before the robotic planes began leaking their classified video streams; before malware ordered nuclear centrifuges to self-destruct; before hackers figured out how to remotely access pacemakers and insulin pumps; and before academics figured out how to hijack a car without ever touching the vehicle.

“Many of these systems share a common structure: They have an insecure cyber perimeter, constructed from standard software components, surrounding control systems designed for safety but not for security,” Fisher told a group of researchers earlier this year.

It’d be great if someone could simply write some sort of universal software checker that sniffs out any program’s potential flaws. One small problem: Such a checker can’t exist. As the computer science pioneer Alan Turing showed in 1936, it’s impossible to write a program that can tell if another will run forever, given a particular input. That’s asking the checker to make a logical contradiction: Stop if you’re supposed to run for eternity.

Fisher became fascinated by this so-called “Halting Problem” as soon as she heard about it, in an introduction to programming class at Stanford. “The fact that you can prove something is impossible is such an amazing thing that I wanted to learn more about that domain. That’s actually why I became a computer scientist,” she says. The instructor for the class was a guy named Steve Fisher. She was interested enough in him that she wound up marrying him after school, and taking his last name.

But while a universal checker is impossible, verifying that a particular program will always work as promised is merely an exceedingly-freakin’-difficult task. One group of researchers in Australia, for example, checked the core of their “microkernel” — the heart of an operating system. It took about 11 person-years to verify the 8,000 lines of code. Fisher is funding researchers at MIT and Yale who hope to speed that process up, as part of one of HACMS’ five research pushes.

Once the software is proven to work as advertised, it’ll be loaded onto a number of vehicles: Rockwell Collins will supply the drones – namely, small, robotic Arducopters; Boeing will provide a helicopter; Black-I-Robotics will supply a robotic ground vehicle; another firm will provide an SUV.

In another phase of the program, Fisher is bankrolling research into software that can write near-flawless code on its own. The idea is to give the software synthesizer a set of instructions about what a particular program is supposed to do, and then let it come up with the best code for that purpose. Software that writes more software may sound crazy, Fisher says. But Darpa actually has some history of doing it.

“There was a project led here at Darpa a few years ago [to write software for] synthetic aperture radar. They had a non-expert specify [what should go into a synthetic aperture] radar program,” Fisher adds. “It took the system about 24 hours to produce an implementation…instead of three months [for the traditional version] and it ran twice as fast. So — better, faster and a lower level of expertise. We hope to see things like that.”

You couldn’t ask a program to write the equivalent of PowerPoint — it does too many different things. “By the time you’ve finished the specifications, you might as well have written the implementation,” Fisher says. But the software that controls drones and the like? Ironically, that’s way more straight-forward. ”The control theory about how you do things with brakes and steering wheels, how you take sensor input and convert it to actions is described by very concise laws of mathematics.” So synthesized (and secure) software should be possible to produce.

The goal at the end of HACMS is to have the robotic Arducopter running only fully verified or synthesized software. (The other vehicles will have some, but not all, of their “security-critical code” produced this way, Fisher promises.) And if the project works out as Fisher hopes, it could not only help secure today’s largely remote-controlled drones. It could make tomorrow’s drones fly on their own — without being hacked.

In the remaining component of HACMS, researchers from Galois, Inc. will work on a fully-verified, hack-proof software monitor that can watch a drone’s autonomous systems. If those systems operate the robotic aircraft in a normal fashion, the monitor will sit back and do nothing. But if the drone suddenly starts flying itself in some weird way, the monitor will take over, perhaps passing control back to a flesh-and-blood operator.

In other words, a drone won’t just be protected from an outside attacker. It’ll be protected from itself.

Authors

Noah Shachtman

Publication: Danger Room (Wired)

Image Source: © Fabrizio Bensch / Reuters

How Joe Biden Accidentally Helped Ensure E-Mail Privacy

Noah Shachtman — Mon, 17 Dec 2012 15:03:00 -0500

In the late ’80s and early ’90s, Phil Zimmermann was a Colorado peacenik with a half-written program that he swore would one day let people exchange messages without Big Brother peering inside. The problem was, with a freelance job and two kids, Zimmermann could never quite find the time to finish the damn code — until Joe Biden came along.

Then-Senator Biden inserted a few words into an anti-terrorism bill that might make it easier for Big Brother — or, at least, Uncle Sam — to do exactly the kind of snooping Zimmermann wanted to stop. Zimmermann had a reason to finish the program. He worked day and night for months on the thing. All his half-formed plans to build a business around the software, he put aside. “When the Biden bill hit,” Zimmermann recalls, “we knew we had to change the facts on the ground.” He felt he had to get people communicating secretly, before Congress did something to make secret communications exceedingly difficult.

Finally, in June of the 1991, Zimmermann introduced a program called Pretty Good Privacy, which really did allow ordinarily folks to make their e-mail all-but-unreadable to outsiders. Zimmermann made PGP available for free, and it spread like a bad weed, eventually enabling millions to communicate in private.

For bringing cryptology to the masses, Zimmermann was inducted earlier this year into the Internet Society’s Internet Hall of Fame, alongside such pioneers as Vint Cerf, Bob Kahn, Charles Herzfeld, and Sir Tim Berners-Lee. (Maybe Biden will be invited in the next round, even though he eventually rescinded his non-binding resolution.)

PGP relied on a breakthrough that had happened more than a decade before, involving the most essential (and most vulnerable) element in any secret communications scheme: the key that turns plain text into coded text, and vice versa. If I want to send Spencer an encrypted message, I have to give him the key that unlocks the code first. But if I send Spencer that key out in the open, it could be intercepted — making our secret communications not so secret any more. So the question becomes: How do you exchange keys?

For the longest time, the only reliable way seemed to be hand-to-hand, which wasn’t exactly convenient for the burgeoning information age. But mathematicians had recently discovered a better solution, in “one way” mathematical functions that are incredibly difficult to unravel. For example, I can multiply two really big prime numbers, and it’ll take you forever to guess what those primes are based on the result. (OK, not quite forever; when the idea was first introduced with a king-sized product of primes in 1977, the two factors were finally figured out — in 1994.) Alternatively, think of these functions, as Simon Singh suggests in The Code Book, like colors. I can show you a purple color, but it’s not easy to tell which particular shades of blue and red produced the tint.

These functions allow you to have public encryption keys, ones that don’t have to be hidden. Because even if someone intercepts our purple-colored key, there’s no chance of pulling apart its red and blue components.

It was a ground-breaking idea — “the greatest cryptographic achievement since the invention of the monoalphabetic cipher, over 2,000 years ago,” according to Singh. Translating that idea into something usable was a whole different challenge, however.

“It was largely an exercise in petri dish cryptography,” Zimmermann says. “They were doing calculations just to see if they could work.”

Zimmermann, on the other hand, saw a whole community that could use crypto. He and his wife were active in Colorado’s liberal politics – attending nuclear freeze rallies, and even getting the paperwork together to move to New Zealand in case the atomic doomsday clock edged much closer to midnight. Dissidents, Zimmermann felt, could use a tool for secure communication. So he, um, borrowed the patented algorithms for public key encryption and got going on what would become PGP. After Biden’s resolution, Zimmermann devoted so much time to it that he missed five mortgage payments in a row. “This was not a commercial product. It was a human rights project,” he says.

Version 1 was kind of rickety; a good code-breaker could snap it open. But it was better than the publicly available alternative: nothing. The program and its creator become cult figures in the computer underground of the early ’90s. My colleague Steven Levy profiled Zimmermann in the second-ever issue of Wired. Activists as far away as the Baltics thanked Zimmermann for the tool.

Version 2 was much better, and not just because it was harder to crack. It also solved one of the outstanding issues with the public key concept: who would validate which keys were real and which ones were frauds. The prevailing wisdom at the time, as Levy notes in his landmark book Crypto, was to have a centralized authority handle the certification duties. Zimmerman had a different idea: Let people decide for themselves who’s legit. If I trust Spencer and Spencer trusts Steve Levy, then I should be able to trust Levy, too. No central clearinghouse needed.

The new PGP made Zimmermann extremely popular — with two notable exceptions. The first were the folks who held the public key patents; they were convinced that Zimmermann had violated their intellectual property rights. The second were the agents from the U.S. Customs Service, who were pretty sure Zimmermann had broken the law.

Back then, American arms control regulators treated crypto software like a munition. Exporting such a program overseas was a violation of their regulations. And since Zimmermann worked with fellow geeks around the planet on Version 2 of PGP, “I was quite guilty,” he says. Customs agents based in San Jose, California called Zimmermann February 1993, and told him they were flying out to interview him.

A federal grand jury was impanelled in San Jose. Prosecutors subpoenaed his e-mail records, and Zimmermann could only communicate with his one-time overseas collaborators through their lawyers. The investigation dragged on for three long years, jumbling Zimmermann’s already topsy-turvy life even further.

The attention only made PGP more desirable to “netizens,” as the online public was then known. Zimmermann turned his human rights project into a business. The export control laws were rewritten after it became painfully obvious that software couldn’t be contained like rocket motors. The case against PGP was dropped.

But somewhere along the way, the world took a series of ironic twists. PGP was eventually sold off to Symantec, which all but killed the consumer version of the software; it’s strictly for suits these days, while an open source consortium tries, with limited success, to provide secure communications for the great unwashed. The reliance on cloud-based mail and social media — and the reluctance of those firms to embrace crypto — means most of us chat in the clear. The U.S. government gives dissidents tools for anonymous online communication, even as they give themselves to right to see our conversations without a warrant.

And then of course, there’s that whole bit about Joe Biden being a heartbeat away from the presidency. Strange, his role as inadvertent stepfather of consumer crypto never appeared on any campaign website.

Authors

Noah Shachtman

Publication: Danger Room (Wired)

Image Source: © Edgard Garrido / Reuters

Pentagon Cries Poor, Starts $10 Billion Nuclear Weapon Upgrade

Noah Shachtman — Wed, 28 Nov 2012 00:00:00 -0500

The Pentagon is facing its worst cash crunch in more than a decade, with potential cuts of up to a half-trillion dollars over the next decade if Congress doesn’t act soon. Yet the U.S. military still somehow found the money on Tuesday to put a down payment on a $10 billion upgrade of its nuclear weapons in Europe — y’know, just in case there’s another Cold War.

The $178 million, three-year contract with Boeing is for a prototype “tail kit” for the B61 nuclear weapon. The fins and control systems will be similar to the ones on today’s conventional, GPS-guided bombs, potentially making this enhanced version of the B61 the most accurate weapon of mass destruction ever. It’s one part of a bigger package of improvements to the B61 that the Pentagon insists it needs in order to keep this slice of its nuclear arsenal ready for war, if needed. Everything from the spin rocket motors to the electronic neutron generators will be refreshed. Total cost: an estimated $10 billion.

Just about the only thing that won’t change is the weapon’s nuclear “pit,” and who the U.S. military plans on dropping the thing on. “Who’s the target? The Red Army. The Red Army that’s sitting in East Germany, ready to plunge into Europe,” explains Jeffrey Lewis, a nuclear weapons expert at the James Martin Center for Nonproliferation Studies. “No, I’m serious.”

The U.S. has other bunker-busting nuclear weapons that might be employed if, God forbid, there was ever an atomic showdown with North Korea or Iran. These so-called "B61 mod 12s" are meant to replace the 180 or so earlier models that are currently deployed in Western Europe. And those weapons are meant to assure our allies that if Russia is ever in the mood to invade, America will be there with a capital-B Bomb. “Continued funding support is essential to the long-term safety, security, and effectiveness of our nation’s nuclear deterrent force,” Gen. Robert Kehler, the head of U.S. Strategic Command, told Congress last year.

The B61 was first fielded in 1968. Unless critical components of the weapons are replaced — especially the radioactive tritium gas that makes the nuclear blast more efficient — the B61s might have to be withdrawn from the Continent by the end of the decade. “Old parts mean less-safe nukes. 60 years without an accidental detonation. We have a keen interest in keeping that record going,” says John Noonan, a former U.S. Air Force nuclear missile officer and a spokesman for the House Armed Services Committee.

A 2008 Secretary of Defense task force report (.pdf) cautions against underestimating the “political value our friends and allies place on these weapons, the political costs of withdrawal, and the psychological impact of their visible presence.” But the same report notes that U.S. European Command — the Pentagon’s top generals in the region – ”believ[e] there is no military downside to the unilateral withdrawal of nuclear weapons from Europe.” After all, America has thousands of additional warheads that could be delivered by intercontinental ballistic missiles, long-range bombers, and submarines.

All of which would make the push for the mod 12 upgrades tough to fathom under almost any conditions. But it’s particularly odd now, when the Pentagon is under more fiscal pressure than it’s felt since the 1990s. Just Tuesday, for example, the Chief of Staff of the Army announced plans to pare back the ground force’s spending by likely cutting the number of troops to their lowest levels since before World War II. On January 3, 2013, the Defense Department will automatically lose another 9.4 percent of its budget — more than $500 billion over 10 years — unless Congress reverses the automatic, across-the-board cuts it previously put in place.

In other words: every billion counts. But while the rest of the Defense Department is looking to save money, the costs for the mod 12 program keep going up. In May, the project — which entails upgrading an estimated 400 weapons — had a price tag of $6 billion. By July, that number had grown to $10 billion. That’s not only the equivalent of two-thirds of what the federal government plans to spend on all nuclear weapon enhancements over the next twenty years. “It would be less expensive to build solid-gold replicas of each of the 700-pound B61s, even at near-record gold prices,” as Lewis recently noted in Foreign Policy.

One reason why: the mod 12 project — even though it’s billed as a “life extension program” — isn’t just about replacing the components of the weapons that are decaying or corroding. (Independent experts say that would take a mere billion or two.) When you swap out the B61′s parachute for satellite-guided tail fin assembly, it introduces a new complication, Lewis adds. “An atomic bomb dropped without a parachute will explode before the airplane is safely away. That means [the federal government] must also redesign much of the packaging and components to survive ‘laydown’ — i.e., thudding into the ground and then exploding a few moments later.” An internal Pentagon audit showed 15 of the 29 planned changes for mod 12 are still technologically immature.

But if the improvements aren’t made soon, advocates say, they’ll only get more expensive. “Modernization is expensive because we keep delaying it. Now we’re at a point where, instead of making pragmatic annual investments in lab, stockpile, and delivery modernization — we have to do it all at once,” says Noonan, the former missileer.

Pretty soon, there will be a choice: upgrade these nuclear weapons, or put them out to pasture. What would you do, if you were a cash-strapped Pentagon chief?

Authors

Noah Shachtman

Publication: Danger Room (Wired)

Image Source: © STR New / Reuters

Bank Hackers Deny They’re Agents of Iran

Noah Shachtman — Tue, 27 Nov 2012 00:00:00 -0500

A slew of American officials have blamed Iran for attacks on the servers of Bank of America, Well Fargo, HSBC, and other western banks. But the hackers taking credit for the sophisticated distributed denial-of-service strikes say that’s all wrong; they claim they hit the financial institutions because they were pissed off about “The Innocence of Muslims,” the infamous viral video making fun of the Prophet Muhammad. Tehran didn’t have a thing to do with it.

“We are not dependent on any government. We merely wanted to protest against the insulting movie,” people claiming to be part of the Izz ad-Din al-Qassam Cyber Fighters tell the Flashpoint Partners research group in an interview (.pdf).

There’s no telling if the denial is legitimate — or if the people being interviewed are behind the bank attacks at all. But the interviewees are dead on when they say that ”there are some ones who want to portray this action [the bank hacks] as political.” Shortly after the U.S. Defense Secretary talked about the bank jobs, unnamed American officials began whispering that they were the work of Iran.

The bank attacks this fall weren’t typical DDOS operations, which merely seek to overload servers with junk traffic. For one, they generated up to 100 gigabits per second of data — 10 to 20 times more than what it usually takes to knock a site offline. The attackers overwhelmed routers, servers, and server applications all at once; typical DDOSers target just one. They specifically targeted the banks’ Domain Name Server architecture, which translates website names (“cash.com”) into numerical internet-protocol addresses. And their traffic largely came from legitimate IP address, making it tough for the banks to filter. The websites for PNC Bank, Wells Fargo, Bank of America, and other institutions buckled in quick succession; customers had trouble transferring funds and paying bills online.

Prolexic, a company that specializes in stopping these sorts of attacks, blamed a toolkit called “itsoknoproblembro” for the DDOS assaults. The Cyber Fighters took responsibility as each site went down. But some security researchers believed the attacks to be so sophisticated, they could’ve only been pulled off with government help. ”This isn’t consistent with what hacktivists are capable of,” Michael Smith, a security specialist at Akamai, said in September.

Pretty soon, American politicians starting blaming one government in particular: the one in Tehran. ”I think this was done by Iran and the Quds Force, which has its own developing cyber-attack capacity,” Sen. Joe Lieberman told C-Span around the same time. “And I believe it was in response to the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions.” The press began to speculate that the bank attacks were in some way a payback for the U.S.-led campaign of online sabotage against Iran’s nuclear program.

In October, Defense Secretary Leon Panetta raised the stakes further, warning of a cyber strike “as destructive as the terrorist attack of 9/11.” He then presented as harbingers of the coming catastrophe an attack on the Saudi energy company ARAMCO — as well as the DDOSes on the banks. “While this kind of tactic isn’t new, the scale and speed was unprecedented,” he added.

In the following day, anonymous U.S. officials told reporters that Iran was behind both attacks, without sharing details about why they thought this was so.

The al-Qassam group says that’s baloney, claiming that they’re merely “volunteer hackers which share the beliefs about [the] insulting video and [the] protest against it.”

When Flashpoint asked if the organization was “supported or funded by any government,” the group’s representatives simple answered: “Nope.”

There’s no guaranteeing the group is telling the truth, of course. Nor is there any assurance that the people who spoke with Flashpoint are really from the al-Qassam organization. The interviewees even claim that some statements previously attributed to the group are false. That’s one of the tricky things about cyber security. While the systems for tracing an attack back to a particular computer are much improved, there are often lingering questions about who’s really behind the hack.

Authors

Noah Shachtman

Publication: Danger Room (Wired)

Image Source: © Sergei Karpukhin / Reuters

Suicide Drones, Mini Blimps and 3D Printers: Inside the New Army Arsenal

Noah Shachtman — Wed, 21 Nov 2012 00:00:00 -0500

Editor's Note: View the photo gallery for this article here.

Flying grenades. Mini spy blimps. Robotic bomb-busters. Suicide-vest spotters. Battlefield 3D printers. The Army is retooling for a very austere, very remote way of war. And the gear that's required is very different from the hardware that came before.

Most American soldiers used to live and fight from massive bases, complete with all sorts of creature comforts and heavy defenses. Today's troops don't have it so good. They're increasingly operating from small, isolated outposts, where they need to spot and ward off attacks without all the gun turrets and heavy armor and surveillance towers found on the old super-bases.

Coming up with that new gear has become a top mission for the Rapid Equipping Force, the Army office charged with getting tools and gadgets out to troops in a hurry. They showed off their latest kit at Ft. Belvoir, Va. just before Thanksgiving. Here's a sample.

Battle Lab in a Box

At Camp Nathan Smith outside of Kandahar, there's a 20-foot cargo container loaded with a 3D printer, a computer-controlled machine for cutting metal, and a couple of Ph.D.s. It's one of three REF "expeditionary labs" placed around Afghanistan that can quickly design and prototype tools for troops on the ground right now.

The Nathan Smith team, on the screen above, printed up new bolt links for the M240 machine gun on their remote weapons system when the old ones broke. They coded a program that plots enemy attacks on Google Earth. And over the course of three weeks, they built in the lab new adapters that extended the battery life of their metal detectors from 45 minutes to 30 hours. The Army liked the adapters so much, they ordered up another 2,000, which will be distributed all over Afghanistan.

Flying Grenade

Don't call it a drone. Sure, it looks just like a small unmanned aerial vehicle -- right down to the little wings and the cameras. And yes, it's remotely flown. But the Lethal Miniature Aerial Munition System is more like a tiny, flying grenade. The 5.5-pound device contains just enough explosive material -- a little more than a shotgun shell's worth of tungsten pieces -- to make a single target's day unpleasant in a way no small drone can.

The REF has sent 44 of the munitions over to Afghanistan, according the Army's Heather Gleason (pictured above). None have been used to attack militants yet (the lone attempt was scotched because of a dud warhead). But that could change very soon. The LMAMS can be launched in less than two minutes, as opposed to the 20 or 30 minutes it ordinarily takes to call in mortars or artillery rounds. The quick turnaround time -- plus a range of up to six miles, a speed of up to 85 knots, a proximity fuze, and directional blast radius of just a few feet -- should make it a rather interesting option for a platoon or a squad in the middle of an Afghan firefight. It might not be mistaken for a drone for very long.

Armorer

Traditionally, the folks who buy the military's battlefield gear don't have a whole lot of firsthand experience actually fighting a war. REF chief Col. Peter Newell would be an exception to that rule.

A former armor officer and member of the Army's Ranger Regiment, Newell was involved in some of the worst fighting of the Iraq conflict: 2004's second battle of Fallujah, which left more than 330 men dead. His troops won the Army's highest unit honor for what they did during the nearly two-week-long battle. Newell earned a Silver Star for bravery after he helped rescue a mortally wounded soldier.

The fighting made his already-bad hearing a whole lot worse -- years of riding around in tanks and jumping out of helicopters will do that to a guy. But it left Newell with a pretty decent sense of what troops under fire really need.

Robotic Bomb-Roller

When Col. Peter Newell took over the REF in 2010, he heard one thing over and over again: do something about the pressure plate mines that were blowing apart U.S. troops as soon as they stepped on them. "The pressure plate problem was driving people batty," Newell tells Danger Room. "Commanders were not overly polite in saying, 'If you do anything, do this.'"

"We've done a good job armoring vehicles," Newell adds. "But for the dismounted soldier, he's got a stick waving on the ground like he did in World War II."

Part of the problem was that the Army didn't really understand how the crude anti-personnel mines worked. They didn't know, for example, how much pressure it really took to set them off, or how much pressure a soldier's foot created.

Newell commissioned studies from the FBI and from the military academies to find out. The answers astounded him. The modern soldier lugs around so much gear that he can not only trigger a bomb. He generates more pressure than even a tank creates. "A tank could technically drive over these things and not set them off," Newell says. "But a soldier can."

That meant the REF needed something big and heavy to detonate these bombs before a soldier's foot did. So they took a T110 Bobcat track loader, and stuck a set of mine-rolling wheels on the front. Then they outfitted the thing with a robotics kit -- a half-dozen cameras and a set of radios so someone could remotely drive it.

The REF calls the thing the Minotaur. There are 25 of them currently in Afghanistan. And they are setting off bombs every week or 10 days. Better a robot's wheels than a soldier's foot.

Solar Drone

The Army and Marine Corps have bought thousands of hand-held drones, which can spy on a small piece of the battlefield. But the small eyes in the sky have a major weakness: they can only fly for about an hour before the batteries die. The REF believes it can double that endurance, by outfitting the drone's wings with these flexible solar cells.

The paper-thin cells are space-grade, with three layers of gallium arsenide semiconductors built inside. If they can withstand the punishment of Afghanistan, these most plentiful of drones could become way more useful.

All Terrain

It's just like a regular Kawasaki all-terrain vehicle. Except for the run-flat tires. And the infrared lights. And the litter carrier. And the skid plates. And the machine gun mount. And the detachable roll cage, which allows the ATV to be carried by a helicopter.

REF contractor Steve Hill shows off the "Light Tactical ATV," about a hundred of which are in action overseas.

Blast Monitor

In the last decade, an estimated 200,000 troops have suffered a traumatic brain injury. Yet the military's understanding of how these injuries occur -- and its treatment of these wounded troops -- remains woefully inadequate.

This so-called "Integrated Blast Effect Sensor Suite," incorporated into a soldier's protective vest, is one small way the Army is trying to address the problem. In the front are four pressure sensor, each about an inch square. In the back is an accelerometer. If the soldier gets hit with an improvised bomb, the suite will measure the impact of the blast.

The data is then incorporated into a soldier's medical record -- which is important, because troops with TBIs are too often denied treatment by the Pentagon or the Veterans' Administration because of inadequate evidence of injury. It's a start to a solution. Barely.

Suicide Spotter

On Wednesday, a suicide bomber made his way to an American base in Kabul, and set off his explosive vest. Two Afghan security guards were killed.

The loss of life would have been greater still, if the guards hadn't spotter the bomber and his accomplice first. The REF is trying to provide even an earlier warning, with an infrared camera called the Sapphire. The Army claims can spot hidden suicide vests from up to 250 meters away by looking for telltale heat differentials from the bombs.

130 Sapphires are now at bases around Afghanistan, the REF says. Whether the sensors could've stopped this latest suicide attack, we'll never know.

Lighter-Than-Air Power

Floating over every big military base in Afghanistan is a spy blimp that watches for incoming attacks. But U.S. forces are leaving those big bases for much smaller, more isolated outposts. And at those remote locations, there's no room for the dozen or so people required to set up and operate one of the big blimps.

The REF's answer is Altus. It's a smallish, helium-filled tethered aerostat that can carry about 10 pounds' worth of surveillance gear -- and doesn't need a huge crew to maintain. Once it's up and running, a single soldier can operate the Altus and a half-dozen other air and ground sensors from one workstation. When one camera or radar spots someone coming, the other sensors automatically slew to that spot to see what's going on.

But if that other surveillance equipment isn't around, it may not matter. The blimp can still have an effect. "You put up a balloon and change the locals' behavior. Maybe all you need is a half-pound dummy sensor," Newell says.

The REF has sent four different aerostats to Afghanistan, each a little different from the next. The hope is to have a dozen blimps flying over small bases soon. Watch out.

Authors

Noah Shachtman

Publication: (Danger Room) Wired

Image Source: © Skip Peterson / Reuters

YouTube Refuses to Yank Israeli Kill Video as Hamas Attacks Jerusalem

Noah Shachtman — Fri, 16 Nov 2012 00:00:00 -0500

YouTube is rejecting calls to take down a video showing the assassination of Hamas’ military leader, despite the video-sharing service’s apparent ban on “graphic or gratuitous violence.”

Israel launched its “Operation Pillars of Defense” on Wednesday by blowing up Ahmed al-Jabari as he was driving his car down the street in Gaza. Hours later, aerial footage of the kill shot was posted to YouTube — and instantly went viral, racking up nearly two million views.

The video not only kicked of a fierce battle of opinion on social media that’s roughly paralleling the rockets-and-airstrikes conflict. It also appeared to violate YouTube’s community guidelines, which tells users: “if your video shows someone being physically hurt, attacked, or humiliated, don’t post it.”

But a YouTube employee, speaking on condition of anonymity, says the guidelines are just that — guidelines, not hard-and-fast rules. Users can flag a video as potentially objectionable, but the decision to take a clip down ultimately rests with YouTube’s global team of reviewers. The calculations get complicated, especially for warzone footage.

“We look at videos on a case-by-case videos when they’re flagged,” the employee tells Danger Room. “And we look at the context, the intent with which something is posted.”

A snuff film, posted just for the sick thrill of it, won’t last long. But a similarly graphic clip, posted in “documentary fashion” or for political effect, “will be judged differently,” the employee adds.

Hamas and its military wing, the al-Qassam Brigades, are trying to provoke sympathy and outrage over the caught-on-video slaying of Jabari, and over the civilian deaths that have come from Israel’s air attacks on Gaza. But any good will may have just evaporated. Hamas — which claims to be an Islamic movement — is now firing rockets at Jerusalem, Islam’s third-holiest city, and bragging about it on Twitter. (Remember, these are unguided projectiles that could land on a school or a mosque as easily a military checkpoint.) That’s in addition to shooting off hundreds of missiles and rockets at the civilian centers like Ashdod, Tel Aviv, and Beersheba. In the last year, more than 700 rockets, mortars, and missiles have been launched from Gaza.

The Israeli missile defense system known as Iron Dome has been remarkably capable, stopping 184 rockets in recent days, the AFP reports. But it has not been perfect. Three Israeli civilians were slain on Thursday in the southern town of Kiryat Malakhi.

This is the second time in recent months that YouTube’s guidelines have become an international political issue. Back in September, the White House asked Google, YouTube’s corporate parent, to double-check if the incendiary anti-Islam video “The Innocence of Muslims” violated YouTube’s guidelines. The video-sharing service declined to do so — although YouTube did block it in several Muslim countries. President Obama later spoke up in favor of the free flow of information. (Separately, a California judge rebuffed an “Innocence” actress’ request to pull the video on copyright grounds.)

YouTube has become one of the primary windows into the world’s far-flung conflicts — especially ones like the Syrian civil war, which has only a handful of outside journalists reporting from the battlefields. But the video-sharers deny that they’re setting any kind of precedent by leaving the disturbers video of Jabari’s death on YouTube. That’s just not how YouTube works, apparently. “This is not about who you are but what you post,” the employee says. “Everything’s done a-fresh.”

Authors

Noah Shachtman

Publication: Danger Room (Wired)

Image Source: © Mohammed Salem / Reuters

Post-Petraeus CIA Should Kill Less and Spy More, Former Chief Says

Noah Shachtman — Mon, 12 Nov 2012 00:00:00 -0500

When David Petraeus got the job of CIA chief, he knew what job #1 was: find out everything he could about al-Qaida and its allies — and then assist in their removal from the land of living. Fourteen months and more than 110 drone strikes later, the breaking of al-Qaida’s core that began under Petraeus’ predecessors is almost complete. Yet a major chunk of the nation’s intelligence community remains singularly focused on terrorism.

It’s time to give that a rest, a former leader of the Central Intelligence Agency says — especially with Petraeus gone. There’s a whole world out there that needs to be snooped on.

“We have been tremendously focused on counterterrorism for the last 11 years [since 9/11]. How do you now begin to make sure that you cover other necessary things without making the country less safe?” asks former CIA director and retired Gen. Michael Hayden.

Nearly every major international security concern facing Petraeus’ successors is, in essence, a question of intelligence: What is Iran’s nuclear capability, really? Which way will the Syrian civil war go? Why is China building up its Navy so fast? What the hell is Kim Jong-Un up to? “Those are things that you’re not going to learn through diplomacy or through press reporting. And that takes you to intelligence,” notes John E. McLaughlin, the CIA’s former acting director. He doesn’t believe the counterterrorism necessarily needs to be pared back. There are just all these other jobs that the nation’s spy agencies have to handle. “The biggest challenge may be the sheer volume of problems that require intelligence input.”

That broader mission set carries all kinds of risks for the U.S. intelligence community, beyond the obvious ones of resource allocation. The counterterror focus has kept morale afloat at Langley, even when there’s enormous turnover at the top: five directors in eight years. The last time Washington’s spies were left to juggle so many different jobs was the 1990s, which are now seen by American intelligence professionals as a demoralizing, aimless chapter in their history.

Nor is it clear how much help the skills honed since 9/11 will be in these new missions. The intelligence agencies are going to have to redouble their efforts to listen in on phone calls, steal documents, and find well-placed sources in foreign capitals who can be turned to work for America’s interests. They’ll need the analysts who can tease out of these complex, often contradictory sources of information subtle meanings on political developments and strategic shifts. The White House isn’t about to order a paramilitary raid on Beijing, after all.

“We have been laser-focused on terrorism, OK? And some of that is very high end, very sophisticated, very nuanced. But an awful lot of that, when you step back, looks more like targeting than it does classical intelligence,” Hayden tells Danger Room.

Hayden knows a bit about targeting militant suspects. The CIA-led drone war in Pakistan began to really ramp up in the late summer of 2008, when Barack Obama was just a presidential candidate — and Hayden was in charge of the agency. He says he constantly had to be careful not to let the manhunt become the entire job.

“I knew how much of my day would have been consumed with counterterrorism if I had not tried to discipline myself — and more broadly, the agency — to work hard to have a broader perspective. That’s not a criticism [of the CIA today]. But you can’t always let the urgent drown out the important,” Hayden says. It’s a tension that’s even more acute today, he adds: “If anything, the operational tempo has only increased.”

Of course, the nation’s spies haven’t just been chasing al-Qaida. There’s been an active campaign of espionage and sabotage against the Iranian nuclear program, for instance, and a quiet effort to keep dictators like Bashar al-Assad of Syria from getting the gear and chemicals needed to make nerve gas and other weapons of mass destruction. The monitoring of China’s and Russia’s leadership has not exactly ground to a halt.

A few days before he abruptly resigned, Petraeus’ spokesperson told Danger Room that he was in no way allowing the drone strikes and the counterterror raids to dominate his day. ”From his first day on the job, Director Petraeus has sought to achieve a balance between our counterterrorism efforts and ensuring the Agency’s ability to cover the full range of national security challenges facing the U.S.,” Jennifer Youngblood said in an e-mail. ”While counterterrorism remains a top priority, the Agency is equally determined to enhance our capabilities against the enduring threats from strategic competitors and adversaries that will always be at the core of our mission. In fact, Director Petraeus has overseen the development of an initiative to increase global coverage significantly, and that effort is now ongoing.”

But according to one person who used to brief Petraeus, the CIA director didn’t seem to be completely locked in when discussing matters outside the Middle East and Central Asia. “He was focused on his legacy in the sandbox,” the former intelligence official tells Danger Room.

Almost of the candidates currently floated as Petraeus’ replacements have something of a drone warrior reputation: Michael Morrell, Petraeus’ deputy, helped his boss carry out the whack-a-militant mission; White House counterterrorism czar John Brennan presides over the administration’s “matrix” of who deserves a robotic end; Pentagon intelligence chief Michael Vickers has been battling off and on in the Afghanistan and Pakistan region since the 1980s, when he was the “principal strategist for the largest covert action program in the CIA’s history,” as his Pentagon biography puts it.

Which means the new occupant of Petraeus’ chair will have to take on some rather unfamiliar tasks — while protecting the agency as it comes under criticism for its performance in Libya. Even before Petraeus’ resignation, the CIA was being condemned for downplaying its role in the events that led up to the attack on the U.S. mission in Benghazi, for ignoring cries for help from its field operatives in Benghazi, and then for pulling its employees from Benghazi after the assault. A closed-door hearing of the Senate Intelligence Committee on Benghazi is scheduled for Thursday.

So add one more task to the substantial to-do list awaiting the next CIA chief: keeping the reputation it built up during the drone-and-night-raid years. As if keeping tabs on the entire world wasn’t enough.

Authors

Noah Shachtman

Publication: Danger Room (Wired)

Military Stats Reveal Epicenter of U.S. Drone War

Noah Shachtman — Fri, 09 Nov 2012 10:46:00 -0500

Forget Pakistan, Yemen, Somalia, and all the other secret little warzones. The real center of the U.S. drone campaign is in plain sight — on the hot and open battlefield of Afghanistan.

The American military has launched 333 drone strikes this year in Afghanistan. That’s not only the highest total ever, according to U.S. Air Force statistics. It’s essentially the same number of robotic attacks in Pakistan since the CIA-led campaign there began nearly eight years ago. In the last 30 days, there have been three reported strikes in Yemen. In Afghanistan, that’s just an average day’s worth of remotely piloted attacks. And the increased strikes come as the rest of the war in Afghanistan is slowing down.

The secret drone campaigns have drawn the most scrutiny because of the legal, geopolitical, and ethical questions they raise. But it’s worth remembering that the rise of the flying robots is largely occurring in the open, on an acknowledged battlefield where the targets are largely unquestioned and the attending issues aren’t nearly as fraught.

“The difference between the Afghan operation and the ones operations in Pakistan and elsewhere come down to the fundamental differences between open military campaigns and covert campaigns run by the intelligence community. It shapes everything from the level of transparency to the command and control to the rules of engagements to the process and consequences if an air strike goes wrong,” e-mails Peter W. Singer, who runs the Brookings Institution’s 21st Century Defense Initiative. (Full disclosure: I have a non-resident fellowship there.) “This is why the military side has been far less controversial, and thus why many have pushed for it to play a greater role as the strikes slowly morphed from isolated, covert events into a regularized air war.”

The military has 61 Predator and Reaper “combat air patrols,” each with three or four robotic planes. The CIA’s inventory is believed to be just a fraction of that: 30 to 35 drones total, although there is thought to be some overlap between the military and intelligence agency fleets. The Washington Post reported last month that the CIA is looking for another 10 drones as the unmanned aerial vehicles (UAVs) become more and more central to the agency’s worldwide counterterror campaign.

In Pakistan, those drones are flown with a wink and a nod, to avoid the perception of violating national sovereignty. In Yemen, the robots go after men just because they fit a profile of what the U.S. believes a terrorist to be. In both countries, people are considered legitimate targets if they happen to be male and young and in the wrong place at the wrong time. The White House keeps a “matrix” on who merits robotic death. Congress (outside of the intelligence committees) largely learns about the programs through the papers.

None of these statements is true about the drone war in Afghanistan, where strikes are ordered by a local commander, overseen by military lawyers, conducted with the (sometimes reluctant) blessing of the Kabul government, and used almost entirely to help troops under fire. The UAVs aren’t flown to dodge issues of sovereignty or to avoid traditional military assets. They’re used because they work better — staying in the sky longer than traditional aircraft and employing more advanced sensors to make sure the targets they hit are legit.

The U.S. military is now launching more drone strikes — an average of 33 per month — than at any moment in the 11 years of the Afghan conflict. It’s a major escalation from just last year, when the monthly average was 24.5. And it’s happening while the rest of the American war effort is winding down: There are 34,000 fewer American troops than there were in early 2011; U.S. casualties are down 40 percent from 2010′s toll; militant attacks are off by about a quarter; civilian deaths have declined a bit from their awful peak.

Even the air war is shrinking. Overall surveillance sorties are down, from an average of 3,183 per month last year to 2,954 in 2012. (Drones flew 860 of those sorties in 2011, and now fly 761 per month today.) Missions in which U.S. aircraft fire their weapons have declined, too. That used to happen 450 times per month on average in 2011. This year, the monthly total dropped to 360.

In other words, drone strikes in Afghanistan now make up about 9 percent of the overall total of aerial attacks. Last year, it was a little more than 5 percent. The UAVs are growing in importance while the rest of the military campaign is receding.

“The numbers are yet another powerful data point illustrating the fact that unmanned systems are here and they are here to stay. They show their growing use, even as overall air strikes go down,” e-mails Singer, who first noticed the drone strike increase.

When Barack Obama began his first term in the White House, many in his administration pushed for keeping the number of troops in Afghanistan relatively small while boosting the number of drone strikes. At the time, Obama decided to go in a different direction. But now, as he gets set for the start of his second term, the president appears ready to embrace his internal critics, and leave Afghanistan to the robots.

Authors

Noah Shachtman

Publication: Danger Room (Wired)

Pentagon Chief Reveals ‘Classified’ Cyber Threats

Noah Shachtman — Thu, 11 Oct 2012 00:00:00 -0400

It was billed as the first major address by an American Secretary of Defense on cybersecurity — complete with newly declassified information about the nature of the network threat.

In the end, it was another helping of heated rhetoric on cybersecurity from a Pentagon that regularly produces panicky pronouncements. And the classified information? Stuff you could’ve read on our sister blog Threat Level or other cybersecurity sites back in August.

Appearing in New York City before the tuxedo-clad Business Executives for National Security, Defense Secretary Leon Panetta issued a familiar warning, that “a cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11. Such a destructive cyber terrorist attack could paralyze the nation.”

It’s an alarm he’s sounded before. But in the following sentences of Thursday’s address aboard the retired aircraft carrier U.S.S. Intrepid , Panetta presented what he called new examples “of the kinds of attacks what we have already experienced” — harbingers, if not perfect examples, of a coming catastrophe.

“In recent weeks, as many of you know, some large U.S. financial institutions were hit by so-called ‘Distributed Denial of Service’ attacks. These attacks delayed or disrupted services on customer websites,” Panetta said. “While this kind of tactic isn’t new, the scale and speed was unprecedented.”

He’s right: DDoS attacks aren’t new at all (even if this particular attack did cause some financial institutions’ online banking operations to flutter). But Panetta is off about these strikes’ unprecedented nature.

“These are big, but we’ve seen this big before,” said Neal Quinn, chief operating officer of Prolexic, a firm that specializes in mitigating DDoS attacks. “We’ve seen events this big in the past.”

Panetta then proceeded to describe what was, in his words, “probably the most destructive attack that the private sector has seen to date.” This was a disclosure that senior defense officials billed as a major public unveiling of previously unclassified information.

Panetta described the Shamoon malware, which infected tens of thousands of computers at the Saudi Arabian state oil company Aramco and at Qatar’s RasGas company. “This routine replaced crucial system files with an image of a burning U.S. flag. It also put additional ‘garbage’ data that overwrote all the real data on the machine,” he said.

30,000 machines eventually had to be disinfected before they could be brought back online, making this an extremely serious attack. And the websites for the two energy companies went down for days. But it’s unclear exactly how destructive the infection really was. Aramco and RasGas both said their “core businesses[es] of oil and gas exploration, production and distribution” were unaffected by the malware. If that’s the case, then Shamoon may not have been quite such an apocalyptic moment Panetta described.

None of this is news, if you’ve been paying attention to the steady stream of public pronouncements from security researchers and from the companies themselves — not to mention the coverage of the attacks by reporters on the cybersecurity beat. But senior defense officials said Panetta’s words on Shamoon were, in fact, secret information — until the Pentagon chief took the step of declassifying them.

“To my knowledge, there’s been no one who’s officially acknowledged these attacks. And we have deemed them to this point classified and our knowledge of them to be classified,” a senior defense official, who spoke under condition of anonymity, told reporters before the speech.

As Foreign Policy recently noted, it’s not easy for Pentagon officials to talk about network defense, much of which the military deems classified. But what often undercuts these officials’ message is that it’s the U.S. — and not some outside adversary — that launched the most damaging cyber attack publicly acknowledged to date. Stuxnet, which helped destroy a thousand Iranian centrifuges, was the work of American and Israeli forces. It’s the fear that a similar sort of strike could be turned on us that keeps many within the Pentagon and intelligence community tossing in their beds. Panetta can keep calling our current state of network security “pre-9/11.” But if you follow the analogy, we’re the ones who are flying planes into buildings.

Recently, the military and the White House have cracked open the once-deadbolted door of secrecy on U.S. offensive cyber operations. In August, the U.S. Air Force announced its interest in finding new methods to “destroy, deny, degrade, disrupt, deceive, corrupt, or usurp the adversaries [sic] ability to use the cyberspace domain for his advantage.” The week before, a former top American commander in Afghanistan bragged to a technology conference about his troops’ ability to hack militant communications. The day before that, the Pentagon’s leading research division announced a new, $110 million program to help warplanners assemble and launch online strikes in a hurry and make cyber attacks a more routine part of U.S. military operations.

Yet these offensive activities were largely left out of Panetta’s talk Thursday night. Instead, the Defense Secretary mentioned simply that “if a crippling cyber attack were launched against our nation, the American people must be protected. And if the Commander-in-Chief orders a response, the Defense Department must be ready to act.”

Compared to his description of the network threat, it was a rather understated assertion.

Authors

Noah Shachtman

Publication: Danger Room (Wired)

30 Issues Election Year Series: Big Military

Noah Shachtman — Wed, 10 Oct 2012 00:00:00 -0400

Editor's Note: In an interview with Brian Lehrer on October 10, 2012, Noah Shachtman answers questions about emerging issues of modern warfare and the near future of the U.S. military in the run-up to the 2012 U.S. presidential election. Read an excerpt from the interview below and listen to the full show online.

Brian Lehrer: Is the use of drones more cost-effective?

Noah Shachtman: Absolutely not. It’s not in any way a cost savings; it’s not, in any way, a personnel savings either. All you’re really doing is transferring the personnel from the front lines to maybe a base back in Nevada. But it’s in no way a cost or personnel savings. In fact, the head of the Air Force has often said that his greatest manning issue is unmanned systems because it takes so many people to operate these drones and to analyze the intelligence coming from them.

Lehrer: That’s interesting, but isn’t it part of a larger view of a smaller military? Which is that in the post 9-11 era, if the enemy is essentially Al Qaeda, that there is so much waste in mounting these large ground wars, which have only been marginally successful in Iraq and Afghanistan, that it makes much more sense, from a military efficiency standpoint as well as a national security standpoint, to be smaller and flexible and go after individual terrorists or small groups of terrorists wherever they may be found?

Shachtman: Right. There is definitely a logic to that, but whether that can be accomplished solely through drone strikes is pretty questionable. The drones are only as good as the intelligence that drives them. And we’ve seen over and over again drone strikes go awry, which can only increase the support for militant groups. Drones are a mixed bag for sure.

Authors

Noah Shachtman

Publication: The Brian Lehrer Show

Feds Hired British Security Firm to Protect Benghazi Consulate

Spencer Ackerman and Noah Shachtman — Mon, 17 Sep 2012 00:00:00 -0400

The State Department signed a six-figure deal with a British firm to protect the U.S. consulate in Benghazi, Libya just four months before a sustained attack on the compound killed four U.S. nationals inside.

Contrary to Friday’s claim by State Department spokeswoman Victoria Nuland that “at no time did we contract with a private security firm in Libya,” the department inked a contract for “security guards and patrol services” on May 3 for $387,413.68. An extension option brought the tab for protecting the consulate to $783,000. The contract lists only “foreign security awardees” as its recipient.

The State Department confirmed to Danger Room on Monday that the firm was Blue Mountain, a British company that provides “close protection; maritime security; surveillance and investigative services; and high risk static guarding and asset protection,” according to its website. Blue Mountain says it has “recently operated in Afghanistan, Iraq, Pakistan, the Caribbean and across Europe” and has worked in Libya for several months since last year’s war.

A representative for Blue Mountain, reached at its U.K. offices Monday, said no one was available to comment.

The State Department frequently hires security companies to protect diplomats in conflict zones. It usually is done through what’s known as the Worldwide Protective Services contract, in which a handful of approved firms compete to safeguard specific diplomatic installations. In 2010, State selected eight firms for the most recent contract. Blue Mountain wasn’t among them, and the State Department did not explain why the Benghazi consulate contract did not go to one of those eight firms.

It isn’t known how the Blue Mountain contractors performed Tuesday when the consulate came under sustained attack by small arms fire. In an official account provided Wednesday by the Obama administration, embassy security staff — both American and Libyan — failed to break the assault. They required help from Libyan security forces, assisted by a sympathetic Libyan militia, to regain control of the consulate’s main building and end a pitched battle that raged for 4.5 hours.

Nor is it clear if two former Navy SEALs killed in the assault were Blue Mountain employees. One of them, Glen Doherty, told ABC News last month that he was part of a mission sent to Libya to lock down Moammar Gadhafi’s missiles to prevent them from reaching the black market. Blue Mountain’s contract doesn’t refer to safeguarding thousands of rockets and missiles that have gone missing in the aftermath of the 2011 war.

But the call for contract security came at an opportune moment. Shortly after the department issued the contract, extremist elements active in Libya began targeting U.S. and allied installations. On June 5, the consulate sustained a rocket attack shortly after news spread that Abu Yahya al-Libi, a Libyan member of al-Qaida, was killed in a drone strike in Pakistan. Another rocket attack in the city attempted to kill the visiting British ambassador on June 11. (Both attacks allegedly were by the same extremist organization, the Imprisoned Omar Abdul Rahman Brigades, which may have played a role in last week’s consulate assault.)

The final modification to the contract came on June 15. It is unknown when Blue Mountain contractors arrived to help secure the consulate. The State Department would not specify how many guards Blue Mountain had posted in Benghazi during last week’s attack. (A department official said that Nuland misspoke about State not hiring private guards in Libya.)

Blue Mountain representatives have yet to respond to an inquiry about the contract. UPI reported in December that the firm “has been operating with Western companies in Libya for several months.”

Much remains unclear about the attack on Benghazi. But the presence of private security guards in the lightly-defended compound helps explain how approximately 25 to 30 diplomatic staff held out for over four hours against a crowd of possibly hundreds armed with rifles, rockets and other small arms without massive loss of life.

Authors

Spencer Ackerman
Noah Shachtman

Publication: Wired Magazine's Danger Room

Obama Finally Talks Drone War, But It’s Almost Impossible to Believe Him

Noah Shachtman — Thu, 06 Sep 2012 00:00:00 -0400

President Obama doesn’t like to talk about how he uses drones to kill suspected militants — including American citizens. Explanations about who gets picked for remote-control death and who does the picking are left to underlings and aides. Just a few days ago, for example, Obama blew off a local Cincinnati television reporter who asked the president about his “kill list.”

On Wednesday, however, CNN’s Jessica Yellin managed to get Obama to open up, just a little, about his criteria for approving drone attacks. His comments may have been the president’s most extensive so far on robot warfare. They were also total baloney, outside experts say.

As the Bureau of Investigative Journalism notes, Obama told CNN that a terror suspect had to pass five tests before the administration would allow him to be taken out by a drone. “Drones are one tool that we use, and our criteria for using them is very tight and very strict,” the president said.

1. “It has to be a target that is authorised by our laws.”

2. “It has to be a threat that is serious and not speculative.”

3. “It has to be a situation in which we can’t capture the individual before they move forward on some sort of operational plot against the United States.”

4. “We’ve got to make sure that in whatever operations we conduct, we are very careful about avoiding civilian casualties.”

5. “That while there is a legal justification for us to try and stop [American citizens] from carrying out plots … they are subject to the protections of the Constitution and due process.”

At least two of those five points appear to be half-truths at best. In both Yemen and Pakistan, the CIA is allowed to launch a strike based on the target’s “signature” — that is, whether he appears to look and act like a terrorist. As senior U.S. officials have repeatedly confirmed, intelligence analysts don’t even have to know the target’s name, let alone whether he’s planning to attack the U.S. In some cases, merely being a military-aged male at the wrong place at the wrong time is enough to justify your death.

“What I found most striking was his claim that legitimate targets are a ‘threat that is serious and not speculative,’ and engaged in ‘some operational plot against the United States,’ That is simply not true,” emails the Council on Foreign Relations’ Micah Zenko, who has tracked the drone war as closely as any outside analyst. “The claim that the 3,000+ people killed in roughly 375 nonbattlefield targeted killings were all engaged in actual operational plots against the U.S. defies any understanding of the scope of what America has been doing for the past ten years.”

A third point — that an American citizen is given the “protections of the Constitution” before he’s approved for unmanned killing — is dubious. Yes, there is a process that the White House uses to vet proposed drone targets. Several government officials review a suspected terrorist’s dossier before an attack on that person is okayed. This is an internal review by presidential aides, not subject to any kind of independent authority, and obviously not one in which a target’s representatives can contest the case. It’s enough to condemn someone to death. The Obama administration has argued that this is the same as the “due process of law” guaranteed in the Bill of Rights.

Legal scholars have found the argument flimsy — with no coherent standard of evidence that amounts to an instant death sentence, and no limits to where that sentence can be carried out. in a January Google Hangout — one of the few other times Obama has even mentioned the drone campaign — he said that targeting decisions were not managed by “a bunch of folks in a room somewhere just making decisions.” Actually, it appears to be something rather close to that.

When Yellin pressed further, asking Obama if he himself made the ultimate decisions about who should live and who should die, Obama demurred, saying, “I’ve got to be careful here. There are classified issues… I can’t get too deeply into how these things work.”

But, as Zenko notes, “that is total BS. The President has the authority to declassify anything. That authority was reaffirmed by the White House in one of its first executive orders,” issued in 2009. If the president felt like talking about the drone approval process, he could. Obama doesn’t have to leave the discussion up to unnamed officials, former subordinates, and authored leakers. He chooses to do so, presumably because the issues involved are so thorny.

Twice in the interview, Obama complained about “misreporting” by the media about the drone campaign. “A lot of what you read in the press that purports to be accurate isn’t always accurate,” Obama said. What he didn’t mention was his own role in perpetuating the confusion.

Authors

Noah Shachtman

Publication: Danger Room (Wired)

Image Source: Tim Chong / Reuters

"Degrade, Disrupt, Deceive": U.S. Talks Openly About Hacking Foes

Noah Shachtman — Tue, 28 Aug 2012 00:00:00 -0400

There was a time, not all that long ago, when the U.S. military wouldn’t even whisper about its plans to hack into opponents’ networks. Now America’s armed forces can’t stop talking about it.

The latest example comes from the U.S. Air Force, which last week announced its interest in methods “to destroy, deny, degrade, disrupt, deceive, corrupt, or usurp the adversaries [sic] ability to use the cyberspace domain for his advantage.” But that’s only one item in a long list of “Cyberspace Warfare Operations Capabilities” that the Air Force would like to possess. The service, in its request for proposals, also asked for the “ability to control cyberspace effects at specified times and places,” as well as the “denial of service on cyberspace resources, current/future operating systems, and network devices.”

The Air Force says it will spend $10 million on the effort, mostly for short programs of three to 12 months; the service wants its Trojans and worms available, ASAP. And they should be available to both the top brass and to the “operational commander,” too. In other words, cyber strikes shouldn’t just be the prerogative of the president, to be launched at only the most strategically important moments. Malware should be a standard component of a local general’s toolkit.

These digital weapons could even be deployed before a battle begins. The Air Force notes that it would like to deploy “technologies/capabilities” that leave “the adversary entering conflicts in a degraded state.”

Such an open discussion — even one so vague — might seem like a bit of a surprise, considering the Obama administration is actively investigating leaks to the press about America’s online espionage campaign against Iran. The Senate Intelligence Committee considered the disclosure so dangerous, it passed a controversial bill last month that creates new punishments for leakers of classified information.

But this isn’t 2007, when the Pentagon was still insisting that it had a “defensive mindset” in cyberspace. New pieces of military-grade malware — apparently linked to the broader U.S. cyberspying push — are being discovered constantly on Middle Eastern networks. Besides, the Air Force is hardly alone in talking about its desire for — and use of — network attacks. They are becoming a regular part of the military conversation — so normal, in fact, that generals are even beginning to talk about their troops’ wartime hacking.

Lt. Gen. Richard Mills, who led coalition forces in southwestern Afghanistan in 2010 and 2011, bragged at a technology conference last week that his troops had broken into militants’ communications. “I can tell you that as a commander in Afghanistan in the year 2010, I was able to use my cyber operations against my adversary with great impact,” Mills said. “I was able to get inside his nets, infect his command-and-control, and in fact defend myself against his almost constant incursions to get inside my wire, to affect my operations.”

Mills added that the Marines had recently put together a company of Marines, stationed at the headquarters of the National Security Agency, to give the Corps “an offensive capability.” A second company “will be designed to increase the availability of intelligence analysts, intelligence collectors and offensive cyber operations and place them in the appropriate unit, at the appropriate time, at the appropriate place, so that forward deployed commander in the heat of combat has full access to the cyber domain.”

The day before Mills’ talk, the Pentagon’s leading research division announced a new, $110 million program to help warplanners assemble and launch online strikes in a hurry and make cyber attacks a more routine part of U.S. military operations. The effort, dubbed “Plan X” by the Defense Advanced Research Projects Agency, isn’t supposed to formally get underway until Sept. 20. But Darpa has already awarded a no-bid, $600,000 contract to the Washington-area cybersecurity firm Invincea to start work on “Plan X.”

Invincea wasn’t immediately able to comment on the “Digital Battlefield Understanding Study and proof-of-concept demonstration” that it intends to produce for Darpa. But a military document justifying Invincea’s sole-source contract notes that the company submitted an “unsolicited proposal” for the project on June 26. Less than a month later, it was approved. “Invincea is the only source who possesses the particular commercial software and knowledge necessary to rapidly address technical insights in modeling a cyber battlespace and optimizing digital battle plans,” the document notes.

Invincea isn’t the only military contractor working on the tools of cyber war, however. These days, the build-up of America’s online arsenal has become the subject of all sorts of open talk and deal-making.

Authors

Noah Shachtman

Publication: Danger Room (Wired)

Image Source: Hyungwon Kang / Reuters