Tag Archives: Cyber Security

Mark Collins – Public Safety Canada’s Emergency Management May Suck

Just read between the bureaucratese at this report, damning stuff. The previous Conservative government cared little for this core federal responsibility; what about the new one? Not a sunny subject. From a January 2016 Public Safety Canada departmental audit:

Internal Audit of Emergency Management Planning: Leadership and Oversight

Executive Summary

Background

Under Section 3 of the Emergency Management Act (EMA [text here]), the Department of Public Safety and Emergency Preparedness is responsible for providing government-wide leadership and oversight over the emergency management (EM) activities of federal institutions – including their emergency management plans, which include the following instruments:

– Strategic emergency management plans;
– Business continuity plans; and,
– Event-specific contingency plans.

Specifically, the Department is expected to:

– Promote a common approach to EM, including EM planning;
– Establish policies, programs, measures & advice for preparation, maintenance & testing of EM plans;
– Analyze and evaluate plans of federal institutions; and,
– Conduct exercises & provide education & training.

Public Safety Canada exercises its leadership and oversight role in this area through the Emergency Management and Regional Operations Branch (EM&RO [organizational and personnel details here, webpage here]). The Branch has been in existence since 2011 and has, since this time, undergone many changes to its structure, priorities and leadership [emphasis added]. The Branch operates in a complex environment characterized by multiple inter-dependencies, numerous stakeholders with competing priorities and, as noted, change.

EM&RO delivers its mandate through a range of specific programs, implemented by its directorates, which collectively are responsible for policy, planning, program development and regional service delivery. These programs are enabled by a management regime that supports the planning and allocation of resources and the oversight of performance. Collectively, this regime is referred to as a management control framework.

Audit Objective

The audit objective was to provide reasonable assurance that the core management controls in place across EM&RO Branch are adequate and effective to:

– support robust management and decision-making, in compliance with policy and legislation; and,
– fulfill the department’s roles in relation to EM planning leadership and oversight of federal institutions, in accordance with the EMA.

Summary of Findings

The point of departure for this audit was an examination of the EM&RO management control framework, which collectively provides a foundation for good management, program integrity and results. The audit noted positive efforts to strengthen governance through the establishment of formal management committees and through the introduction of strategic planning. While positive, the audit also noted that more deliberate and cohesive policy dialogue on the tenets and principles of EM as well as the roles and focus of EM&RO is needed to focus the directions of the Branch [emphasis added].

This, coupled with needed improvements to the planning and performance management regime of the Branch will lay a stronger foundation for priority-setting and targeted resource allocation, which were also concerns.

Specifically, the audit found that resource allocation processes are not sufficiently informed by priorities, expected results, risk and past performance. Efforts to enhance these mechanisms will have positive impacts, particularly given the current fiscal challenges being faced by the Branch. Finally, the audit noted that stronger leadership, including communication and management unity is needed to support the improvements in the formal controls.

The second major line of enquiry of this audit related to the adequacy and effectiveness of the practices that Public Safety Canada has in place to lead federal institutions in the discipline of EM Planning, as well as the mechanisms they have to oversee institutional activities and results, in accordance with Section 3 of the EMA.

Public Safety Canada’s leadership role is effected through the provision of guidance and through the establishment and management of fora for discussion and engagement with federal institutions. The audit found that guidance is provided to institutions in line with the EMA and Federal Policy on Emergency Management; however, opportunity exists to streamline and consolidate guidance, to enhance clarity and reduce unnecessary complexity. The audit also noted that government-wide structures are indeed in place, but, by most accounts, are in need of improvement – both from an efficiency and effectiveness perspective. These structures exist and provide a mechanism for information sharing from Public Safety Canada to federal institutions. However, in their current form and use, there is not a sufficient forum for substantive, government-wide engagement, direction-setting or signals-checking for matters related to EM Planning [emphasis added].

The Department exercises its oversight role through a variety of monitoring activities, including the assessment of institutional Business Continuity Plans, Strategic Emergency Management Plans and through National Exercises of selected contingency plans. The audit found that the monitoring of federal institutions’ EM planning is done in a fragmented and, in some cases, insufficient fashion [emphasis added]. Opportunities exist to strengthen the monitoring mechanisms by reinstating the assessment of business continuity plans, enhancing the robustness of methodologies, and examining opportunities for more streamlined and internally cohesive approaches.

In examining the national exercise program, the audit found that the national exercise calendar is developed, but concluded that the process for its development is not robust enough to ensure all necessary inputs are considered, particularly threat information [emphasis added]. As well, we identified opportunities to strengthen internal and external coordination and dialogue around the calendar’s development.

In light of the noted weaknesses in the monitoring of federal institutions, we are concerned that the Department does not have sufficient or effective mechanisms to appropriately gauge the readiness of federal institutions in the face of emergencies. As well, lack of monitoring limits the Department’s ability to gain insight into the strengths and challenges within federal institutions which itself should inform Public Safety Canada’s directions, policy and guidance [emphasis added].

Audit Opinion

In my opinion, the governance, risk management and controls in this area of departmental activity are not yet in a sufficient enough state of maturity to provide reasonable assurance that the objectives of Public Safety Canada will be achieved [emphasis added]. Opportunity exists to build on existing practices, some of which are already being enhanced, and to strengthen the adequacy (design) and effectiveness of internal controls…

Feel confident in the feds if a balloon really goes up? I had some experience with emergency preparedness and management with the Canadian Coast Guard; my confidence in things today is minimal. The country needs a single, dedicated, emergency agency, not a part (whose personnel are public servants coming in and out as they try to climb the greasy pole) of a department with many other difficult–and sexier (terrorism!)–responsibilities.

The feds, when I was on that job, once had such an agency (scroll down here to “CANADIAN INITIATIVES”, cf. on a much smaller scale the US FEMA). But, for reasons I have never understood, our Office of Critical Infrastructure Protection and Emergency Preparedness was abolished soon after having been transferred (p. 3 PDF) to Public Safety Canada from National Defence in 2003. Its functions were then assumed within and as part of the broader bureaucracy. Not a good recipe for focus and success.

The government at the top of the Canadian food chain does not like thinking about, nor planning and paying for, emergency preparedness and response (hey, no Katrina here just that pesky 1998 central Canadian ice storm–where are the votes, eh?). So how much long-term dedication developing subject expertise might one expect from those greasy pole-climbing bureaucrats now on the, er, emergency job?

Related and very relevant at Public Safety Canada:

Canadian Government’s Crisis Ops Centre Sucks

Mark Collins, a prolific Ottawa blogger, is a Fellow at the Canadian Global Affairs Institute; he tweets @Mark3Ds

Mark Collins – The Russian Way of–Hybrid–Warfare

A very interesting analysis of how the Bear works–both at home and abroad–at War on the Rocks:

Russia’s Hybrid War as a Byproduct of a Hybrid State

Whether or not “hybrid war” is the right term — a battle probably lost for the moment — Russia is indeed waging an essentially political struggle against the West through political subversion, economic penetration, espionage, and disinformation. To a degree, this reflects the parsimonious opportunism of a weak but ruthless Russia trying to play a great power game without a great power’s resources. It also owes much to Moscow’s inheritance from Bolshevik and even tsarist practices. But a third key factor behind it is the very nature of the modern Russian state, as I discuss in my new report, Hybrid War or Gibridnaya Voina: Getting Russia’s Non-Linear Military Challenge Right.

One distinctive aspect of recent Russian campaigns, from political operations against the West to military operations in Ukraine, has been a blurring of the borders between state, paramilitary, mercenary, and dupe. The Putin regime evidently believes that it is at war with the West — a geopolitical, even civilizational struggle — and is thus mobilizing every weaponizable asset at its disposal. This extends to mining society as a whole for semi-autonomous assets, from eager internet trolls and “patriotic hackers” to transnational banks and businesses to Cossack volunteers and mercenary gangsters…

The “hybridity” of Russian operations…reflects a… hybridity of the Russian state. Through the 1990s and into Putinism, Russia either failed to institutionalize or actively deinstitutionalized — however you choose to define it.

Today, Russia is a patrimonial, hyper-presidential regime, one characterized by the permeability of boundaries between public and private, domestic and external. As oligarch-turned-dissident Mikhail Khodorkovsky put it:

[W]hat distinguishes the current Russian government from the erstwhile Soviet leaders familiar to the West is its rejection of ideological constraints and the complete elimination of institutions.

Lacking meaningful rule of law or checks and balances, without drawing too heavy-handed a comparison with fascism, Putin’s Russia seems to embody, in its own chaotic and informal way, Mussolini’s dictum “tutto nello Stato, niente al di fuori dello Stato, nulla contro lo Stato” — “everything inside the State, nothing outside the State, nothing against the State.”…

In Russia, state institutions are often regarded as personal fiefdoms and piggy banks, officials and even officers freely engage in commercial activity, and the Russian Orthodox Church is practically an arm of the Kremlin. Given all that, the infusion of non-military instruments into military affairs was almost inevitable. Beyond that, though, Putin’s Russia has been characterized — in the past, at least — by multiple, overlapping agencies, a “bureaucratic pluralism” intended as much to permit the Kremlin to divide and rule as for any practical advantages. This is clearly visible within the intelligence and security realm, from the intrusion of the Federal Security Service (FSB) — originally intended as a purely domestic agency — into foreign operations, as well as in the competition over responsibility for information operations…

Moscow must also be considered the master of “hybrid business,” of developing illegal and legal commercial enterprises that ideally make money, but at the same time can be used for the state’s purposes, whether technically private concerns or not. Russian commercial institutions not only provide covers for intelligence agents and spread disinformation, but acting notionally on their own initiative, they are also used to provide financial support to political and social movements Moscow deems convenient. For instance, Marine Le Pen’s anti-European Union Front Nationale in France received a €9 million loan from a bank run by a close Putin ally. Similarly, the election of the Czech Republic’s Russophile President Miloš Zeman was partially bankrolled by the local head of the Russian oil company Lukoil — allegedly as a personal donation…

So, it is not simply that Moscow chooses to ignore those boundaries we are used to in the West between state and private, military and civilian, legal and illegal. It is that those boundaries are much less meaningful in Russian terms, and they are additionally straddled by a range of duplicative and even competitive agencies…

Dr. Mark Galeotti is Senior Research Fellow at the Institute of International Affairs Prague, and Principal Director of the consultancy Mayak Intelligence. He has been Professor of Global Affairs at New York University, a special advisor to the British Foreign & Commonwealth Office and head of History at Keele University in the United Kingdom, as well as a visiting professor at Rutgers—Newark, Charles University (Prague), and MGIMO (Moscow). Read his new report, Hybrid War or Gibridnaya Voina: getting Russia’s non-linear military challenge right.

Working towards Bad Vlad? Related:

Julian Lindley-French – Closing NATO’s Deterrence Gaps


Mark Collins – Dragon Devouring Eurotech, German Section–Obama Steps In

Further to this post, the outgoing US president gets tough (our PM noticing?):

Obama Moves to Block Chinese Acquisition of a German Chip Maker

The intervention in a Chinese company’s bid to buy a German semiconductor company, Aixtron [website here], comes after Chinese companies have spent billions to acquire technology in Europe and the United States. American officials have increasingly moved to stop such deals, but Chinese companies have shown growing adeptness in getting around those restrictions to strike up relationships that could someday lead to greater access to technology.

A statement from the Treasury Department said the administration blocked the purchase of the American portion of Aixtron’s business because it posed a national security risk relating to “the military applications of the overall technical body of knowledge and experience of Aixtron.”

It wasn’t clear whether other parts of the deal could be salvaged. Officials at the German chip company and its would-be Chinese buyer, the Fujian Grand Chip Investment Fund [website here], did not immediately comment.

By rejecting the deal, the Obama administration showed how far it would go to keep China from using its wallet to acquire sensitive technology from the West. It blocked previous Chinese technology purchases only indirectly, using an advisory panel of government and intelligence officials who can discourage — but not directly kill — foreign deals. That same panel earlier expressed skepticism over the Aixtron deal.

Last year the United States accounted for more than one-fifth of Aixtron’s sales. And nearly one-fifth of its more than 700 employees are based in the United States.

That indirect strategy kept Mr. Obama from looking like a free-trade opponent, especially when the company in question was not American, and softened any potential response from Beijing. But Aixtron and its Chinese suitor tested that strategy by plowing ahead despite the panel’s concerns, forcing Mr. Obama to act…

Related:

Chicom State-Owned Firms’ Investment in US: a Good Thing?


Mark Collins – “The Cyber Challenge: Final Summary Highlights from the CASIS 2016 Annual Symposium” Sept. 26

Further to this post, the document is here, “Table of Contents” at p. 5 PDF. The symposium is noted by the Globe and Mail at the latter half of this post:

Can Canada Reach a Real Cyber Deal With China?


Mark Collins – Spookery Today, Especially SIGINT and Cyber Stuff

The Economist focuses almost solely on the US and UK amongst Western countries (several graphics):

Special report: Espionage

– Espionage: Shaken and stirred
– Technology: Tinker, tailor, hacker, spy
– Governance: Standard operating procedure
– Edward Snowden: You’re US government property
– China and Russia [a few other countries mentioned]: Happenstance and enemy action
– How to do better: The solace of the law


Mark Collins – MI5 Chief Highlights Big Bear Spooky and Cyber Threats, Jihadis

Further to this post,

The Lion’s Cyber Roar: UK Getting Really Serious, Unlike Canada

the head of Britain’s domestic intelligence service gives an unprecedented interview:

MI5 head: ‘increasingly aggressive’ Russia a growing threat to UK
Exclusive: In first newspaper interview given by a serving spy chief, Andrew Parker talks of terror, espionage and balance between secrecy and privacy

Russia poses an increasing threat to the stability of the UK and is using all the sophisticated tools at its disposal to achieve its aims, the director general of MI5 has told the Guardian.

In the first newspaper interview given by an incumbent MI5 chief in the service’s 107-year history, Andrew Parker said that at a time when much of the focus was on Islamic extremism, covert action from other countries was a growing danger. Most prominent was Russia.

“It is using its whole range of state organs and powers to push its foreign policy abroad in increasingly aggressive ways – involving propaganda, espionage, subversion and cyber-attacks. Russia is at work across Europe and in the UK today. It is MI5’s job to get in the way of that.”

Parker said Russia still had plenty of intelligence officers on the ground in the UK, but what was different now from the days of the cold war was the advent of cyberwarfare. Russian targets include military secrets, industrial projects, economic information and government and foreign policy.

The spy chief also:

– Said that 12 jihadi terror plots had been foiled by the security services in the past three years.
– Identified the size of the homegrown problem: there are about 3,000 “violent Islamic extremists in the UK, mostly British”.
– Said that budget increases would see MI5 expand from 4,000 to 5,000 officers [emphasis added–so total personnel considerably greater?] over the next five years [by comparison the Canadian Security Intelligence Service has a total strength of some 3,300].
– Rejected criticism that the investigatory powers bill, due before parliament this week, was going too far in enabling intrusive surveillance, arguing that it correctly balances privacy and security…

Parker said the Islamic extremist threat was also enduring and generational. He broke it down into three segments: a large homegrown problem of potentially violent extremists in the UK – most of them British – about 3,000 in number; members of Daesh (Islamic State) in the conflict zones of Syria and Iraq trying to incite terror plots against the UK; and Daesh trying to spread its “toxic ideology” and promote terrorism online.

Critics of the controversial investigatory powers bill, which went before the House of Lords on Monday, say it will offer the security services access to personal data, bringing a reality to bulk surveillance. Parker said the data was necessary in the fight against terror and he thought the government had reached the right balance between privacy and security [see “UK Security Services’ Successful Bulk Data Collection; Need More Powers (Canada?)” plus “Under PM’s Thumb: Proposed Canadian Parliamentary Security/Intel Review Committee”]…

Whilst on the foreign intelligence front:

MI6: UK HUMINT Spooks Going Cyber, Including Social Media


Mark Collins – The Lion’s Cyber Roar: UK Getting Really Serious, Unlike Canada

Further to this post,

Canada: “Time to get serious about cyber security”

compare us with the Brits:

UK in $2.3 bn plan to ‘strike back’ at hackers [including states]

Finance minister Philip Hammond on Tuesday [Nov. 1] warned Britain will “strike back” against states hacking into strategic networks in order to avoid a military showdown, as part of a new cyber-defence plan.

Unveiling the £1.9 billion ($2.3 billion, 2.1 billion euro) National Cyber Security Strategy, Hammond said hackers were trying to capitalise on the increasing connectivity of devices to target homes, cars, air traffic control networks and power grids.

“A small number of hostile foreign actors have developed and deployed offensive cyber-capabilities. These capabilities threaten the security of the UK’s critical national infrastructure,” he said at the London launch.

“If we do not have the ability to respond in cyber-space… we would be left with the impossible choice of turning the other cheek and ignoring the devastating consequences or resorting to a military response.

“We will not only defend ourselves in cyber-space, we will strike back in kind when we are attacked,” he added.

The finance ministry earlier called on businesses to “up their game” in the fight against cyber-crime, with Hammond adding that “government can’t deliver innovation — that’s something that only businesses and entrepreneurs can do”.

However, he promised that the government would take “a more active cyber-defence role” to “block, disrupt and neutralise malicious activity… and make Britain to be the best place in the world to be a tech business”…

Meanwhile our government appears to be resorting to wishful thinking:

Can Canada Reach a Real Cyber Deal With China?


Mark Collins – US Intelligence and Insider Threat: NSA Contractor Maximum “Holy Cow!”

Further to this post, this is manque de sérieux ridiculous–who’s on the security ball (including in Canada?)? The Gray Lady does like understated headlines:

N.S.A. Appears to Have Missed ‘Big Red Flags’ in Suspect’s Behavior

Year after year, both in his messy personal life and his brazen theft of classified documents from the National Security Agency, Harold T. Martin III put to the test the government’s costly system for protecting secrets.

And year after year, the system failed.

Mr. Martin got and kept a top-secret security clearance despite a record that included drinking problems, a drunken-driving arrest, two divorces, unpaid tax bills, a charge of computer harassment and a bizarre episode in which he posed as a police officer in a traffic dispute. Under clearance rules, such events should have triggered closer scrutiny by the security agencies where he worked as a contractor.

Yet even after extensive leaks by Pfc. Bradley Manning in 2010 and Edward Snowden in 2013 prompted new layers of safeguards, Mr. Martin was able to walk out of the N.S.A. with highly classified material, adding it to the jumbled piles in his house, shed and car.

A federal judge in Baltimore ruled on Friday [Oct. 28] that Mr. Martin, 51, must remain jailed on charges of stealing government documents and mishandling classified information over two decades. Prosecutors say they will add new charges under the Espionage Act. Mr. Martin, whose arrest in August was disclosed by The New York Times this month, has admitted to taking the material but denies giving secrets to anyone else [read gobsmacking on]…

We shall see. One is astonished but not surprised these days.


Mark Collins – China: Top Dragon Really Unfolding His Ascendant Wings

Further to these posts,

Top Dragon is now C-in-C

Top Dragon Now More Powerful than Mao?

President Xi continues his relentless consolidation of power (is our prime minister paying any attention?): two stories:

1) NY Times:

China’s Antigraft Enforcers Take On a New Role: Policing Loyalty

President Xi Jinping of China at the Great Hall of the People in September. The Communist Party’s anticorruption commission has assumed a growing role as political inquisitor, investigating the commitment of cadres to Mr. Xi and his agenda. Credit Jason Lee/Reuters

The investigators descend on government agencies and corporate boardrooms. They interrogate powerful officials and frequently rebuke them for lacking zeal. Most of all, they demand unflinching loyalty to President Xi Jinping and the Communist Party.

They are the inspectors from the party’s Central Commission for Discipline Inspection, and the humbling displays they have orchestrated recently in many of China’s most influential government agencies and largest corporations are the most prominent sign of their expanding authority…

2) Washington Post:

China’s plan to organize its society relies on ‘big data’ to rate everyone

BEHIND THE FIREWALL: How China tamed the Internet | This is part of a series examining the impact of China’s Great Firewall, a mechanism of Internet censorship and surveillance that affects nearly 700 million users.

Imagine a world where an authoritarian government monitors everything you do, amasses huge amounts of data on almost every interaction you make, and awards you a single score that measures how “trustworthy” you are.

In this world, anything from defaulting on a loan to criticizing the ruling party, from running a red light to failing to care for your parents properly, could cause you to lose points.

And in this world, your score becomes the ultimate truth of who you are — determining whether you can borrow money, get your children into the best schools or travel abroad; whether you get a room in a fancy hotel, a seat in a top restaurant — or even just get a date.

This is not the dystopian superstate of Steven Spielberg’s “Minority Report,” in which all-knowing police stop crime before it happens. But it could be China by 2020…

Sweet authoritarian–totalitarian?–dreams. On the other hand:

Xi’s China: Grumbling (and Rumbling?) in the PLA


Mark Collins – US Intelligence and the Insider Threat: NSA Contractor “Holy Cow!”

Further to this post, the most recent public case looks worser and worser. What was done with the material?

Government alleges former NSA contractor stole ‘astonishing quantity’ of classified data over 20 years

The National Security Agency at Fort Meade, Md. (Patrick Semansky/AP)
[The Central Security Service website]

Federal prosecutors in Baltimore on Thursday [Oct. 20] said they will charge a former National Security Agency contractor with violating the Espionage Act, alleging that he made off with “an astonishing quantity” of classified digital and other data over 20 years in what is thought to be the largest theft of classified government material ever.

In a 12-page memo, U.S. Attorney Rod Rosenstein and two other prosecutors laid out a much more far-reaching case against Harold T. Martin III than was previously outlined. They say he took at least 50 terabytes of data and “six full banker’s boxes worth of documents,” with many lying open in his home office or kept on his car’s back seat and in the trunk. Other material was stored in a shed on his property.

One terabyte is the equivalent of 500 hours’ worth of movies.

Martin, who will appear at a detention hearing in U.S. District Court in Baltimore on Friday, also took personal information about government employees as well as dozens of computers, thumb drives and other digital storage devices, the government memo said.

The government has not alleged that Martin passed any material to a foreign government, but contends that if he is released on bail he could do so…

In a complaint unsealed earlier this month, the government charged him with felony theft of government property and the unauthorized removal and retention of classified materials, a misdemeanor. The prosecutors said that when an indictment is filed, they expect charges to include “violations of the Espionage Act,” offenses that carry a prison term of up to 10 years for each count.


The government alleged that Martin was able to defeat “myriad, expensive controls placed” on classified information [emphasis added, what “controls”?].

They said the devices seized show he made extensive use of sophisticated encryption. He also used a sophisticated software tool that runs without being installed on a computer and provides anonymous Internet access, “leaving no digital footprint on the machine,” they said.

In August, a cache of highly sensitive NSA hacking tools mysteriously appeared online. Although investigators have not found conclusive evidence that he was responsible for that, he is the prime suspect, said U.S. officials, who spoke on the condition of anonymity because the investigation is ongoing.

That is the event that set off the search that turned up Martin, the officials said…

Swiss cheese?
