Digital Sandbox // Blog

The 2011 Atlantic hurricane season, which began on June 1, comes to a close tomorrow. The National Oceanic and Atmospheric Administration (NOAA) says the number of tropical storms and hurricanes that developed this year matched its pre-season predictions and “continued the trend of active hurricane seasons that began in 1995.”

There were a total of 19 tropical storms of which seven became hurricanes, including three major hurricanes (defined as Category 3, 4 or 5 with top winds of 111 mph and greater). Only one of the hurricanes—Irene—made landfall in the U.S., and it was not a major one at that. Nevertheless it did so much damage across such a wide area as to break what NOAA calls the ‘hurricane amnesia’ of not having experienced a major land-falling hurricane in the U.S. in three years.

“Irene was the lone hurricane to hit the United States in 2011,” NOAA reported, “and the first one to do so since Ike struck southeast Texas in 2008. Irene was also the most significant tropical cyclone to strike the Northeast since Hurricane Bob in 1991.”

NOAA’s press release on the 2011 season can be found here. It makes several references to the value of storm-predicting satellites, an allusion to threatened budget cuts in fiscal year 2012. Click here to view a four-minute animation of the entire season from one of those satellites (Irene appears just after the two-minute mark).

––––––––––––––––

Digital Sandbox is the leader in public safety risk management, providing analytic tools and information products to government agencies and large enterprises for optimizing risk-based strategic, policy and budgetary decisions.

The U.S. strategy for countering cyber-security threats in the past has barely kept pace with the variety and complexity of the latest digital threats. Just in time for a recent surge in attacks and intrusions, however, it seems a more coordinated and proactive approach is at last taking root.

Cyber attacks come in many guises, including denial-of-service actions designed to jam web servers; thefts of money, intellectual property and state secrets; and direct attacks on physical infrastructure using digital means.

In this latter category we recently witnessed what many experts have been warning about for decades: an apparent cyber attack on an Illinois water utility that caused one of its pumps to malfunction and burn out.

During the summer the White House explicitly linked the cyber and physical realms in its new cyber-security strategy – a move we applauded not only because it will allow for common and coordinated responses in two very different but interlinked arenas, but because it acknowledges that an attack is an attack regardless of whether or not it can be seen with the naked eye. As a consequence, a cyber attack could now plausibly result in a physical response.

More recently, the Department of Defense (DoD) issued an even more explicit statement of policy, stating that the U.S. will launch “offensive cyber operations” in response to hostile acts such as “significant cyber attacks directed against the U.S. economy, government or military” (see the full DoD policy report here).

Although not always mentioned by name, Russia and China are frequently the implied sources of cyber threats. Both countries have been accused of cyber espionage by the U.S. intelligence community, Russian hackers were fingered for the Illinois water utility incident, and China has been named in a number of others, including the infamous RSA hack in March. Former White House cyber-security adviser Richard Clarke recently said the Chinese are “the people who are doing us the most damage these days in cyber-space.”

Finally, for an interesting and well-informed perspective on the complex issues surrounding cyber-security, listen to an interview that SearchSecurity.com conducted with Tony W. Sager, Chief Operating Officer of the Information Assurance Directorate of the National Security Agency (NSA). In one videotaped segment, Sager discusses the big-picture message from this year’s major security breaches, and also why the hype about Advanced Persistent Threats isn’t fully justified. In the second, he addresses questions surrounding the likelihood of a “digital Pearl Harbor” cyber attack, the trouble identifying the origin of a major cyber attack like Operation Aurora, and why doing just enough to disrupt attackers is the ideal enterprise cyber-defense strategy.

––––––––––––––––

Digital Sandbox is the leader in public safety risk management, providing analytic tools and information products to government agencies and large enterprises for optimizing risk-based strategic, policy and budgetary decisions.

One decade after letters containing anthrax spores killed five people and infected 17 others in the Eastern United States, there has been a veritable blizzard of news articles, research reports and seminars, all aimed at answering the question: are we better prepared for a biological weapons attack now than we were 10 years ago?

A review of some of what’s been published in the last month or so seems to indicate that the consensus answer is “yes – but not as much as we could be.”

Biological threats occupy a somewhat unusual niche as compared to chemical, radiological, nuclear and explosive threats (known collectively as CBRNE). When prioritizing security risks, there is a general tendency to focus mainly on threats with the highest likelihood as well as those with the highest consequences. The trickiness with bio threats, whether contagious on non-contagious, is that they’re neither as high-consequence as a nuclear attack nor as high-likelihood as a chemical or even radiological attack, let alone one caused by conventional explosives. A bio event, furthermore, is unique in that it can be intentionally caused by humans or equally occur through a naturally-generated outbreak, which means that bio preparedness, protection, mitigation, response and recovery efforts are altogether more complex (read more agencies involved and more resources needed) than for other CBRNE threats.

So how are we doing? Participants in a seminar at the Center for American Progress yesterday catalogued several areas of progress, including:

• The creation of the Department of Homeland Security and new bio-security programs at the Food and Drug Administration (FDA) and the Centers for Disease Control (CDC), up from a single program at the Pentagon;
• A Strategic National Stockpile of antibiotics, vaccines, antitoxins and other critical medical equipment and supplies, plus related government acquisition programs;
• Government agency support for research, development and acquisition of new biological countermeasures; and
• Better coordination between the public safety and public health communities.

The speakers warned, however, that continued Congressional budget cuts to bio-preparedness programs are putting these and other advances into jeopardy. (We do wish the Center would publish a written transcript of the event, titled Anthrax Revisited: The Outlook for Biopreparedness in the United States, since the video is nearly three hours long. One of the participants did produce a paper that made many of the same points, however.)

Although the Government Accountability Office (GAO) has not published any recent reports specifically on bio-terrorism, it has addressed the issue in other 2011 reports, including ones relating to interagency duplication of effort, combating CBRNE threats, public health preparedness, and CBRNE coordination between DHS and the Department of Health and Human Services (HHS).

The most relentlessly negative assessment of the current state of bio-preparedness comes from the non-profit WMD Center, run by ex-senators Bob Graham and Jim Talent. On Wednesday, it issued a Bio-Response Report Card that gives the U.S. government poor marks for eight different categories of bio-preparedness at six different levels of event severity, from small-scale non-contagious to a contagious global crisis. For example, it gives ‘F’ grades in 15 categories on the matrix, including for how the government identifies the source of a biological event at almost every level of severity, and for the development and approval, availability, and dispensation of medical countermeasures. There are 15 ‘Ds’, seven ‘Cs’, eight ‘Bs’ (all of them in the two least-severe event levels) and no ‘As’ in the above-mentioned categories, which also include detection and diagnosis, communication, medical management and environmental cleanup. It also noted that advances in bio-preparedness have not nearly kept pace with major scientific and technological strides that could be used by terrorists in the weaponization and delivery of pathogens.

While the report received mostly uncritical coverage, one blogger said the Center’s report is the “same script they have always written: Calamity is coming if we don’t spend more of bioterror defense. And anyone can make biological weapons. Easy.” And he called the authors the “Graham-Talent sock puppet lobby” for bio-defense funding. Ouch. The Bulletin of Atomic Scientists Online similarly dissed last year’s report card, though it used more scientific language.

While much of the focus in the past month has been on bio-security preparedness, some attention is being paid to the threat side of the equation as well. For instance, intelligence gleaned from the raid on Osama bin Laden’s Abbottabad compound confirmed earlier indications that al-Qaeda is intent on acquiring or developing biological agents and weaponizing and deploying them against Western targets. And the proliferation of new delivery vehicles such as unmanned aerial vehicles presents another potential increase in the threat likelihood of a biological attack, according to some terrorism analysts. Others have focused on advances in technologies to detect bacterial threats such as anthrax by using lasers (thanks, Global Security Newswire, for both links). And a new National Academies report asks whether prepositioning antibiotics in U.S. cities could shorten response times to a bio attack.

And so the measure / countermeasure / counter-countermeasure cycle continues…

––––––––––––––––

Digital Sandbox is the leader in public safety risk management, providing analytic tools and information products to government agencies and large enterprises for optimizing risk-based strategic, policy and budgetary decisions.

U.S. government agencies have experienced a 650-percent increase in security incidents over the past five years due in large part to weaknesses in information-security policies and practices, according to a report released this week by the Government Accountability Office (GAO).

The Federal Information Security Management Act of 2002 (FISMA) requires the Office of Management and Budget (OMB) to develop and oversee the implementation of policies, standards and guidelines on information security at executive branch agencies, but in a survey of 24 of these agencies during fiscal-year 2010 the GAO found that while some progress has been made, “much work remains.”

Perhaps most disturbingly, it said that:

“most major federal agencies had weaknesses in each of the five major categories of information system controls: (1) access controls, which ensure that only authorized individuals can read, alter, or delete data; (2) configuration management controls, which provide assurance that only authorized software programs are implemented; (3) segregation of duties, which reduces the risk that one individual can independently perform inappropriate actions without detection; (4) continuity of operations planning, which helps avoid significant disruptions in computer-dependent operations; and (5) agency-wide information security programs, which provide a framework for ensuring that risks are understood and that effective controls are selected and implemented.”

It reported that all 24 agencies “had vulnerabilities in access control, configuration management, and security management” and that “[d]eficiencies in segregation of duties and contingency planning, while not reported for all of these agencies, were prevalent.”

Click here to view or download the report.

October 8 Update: After we published this post yesterday, President Obama issued an Executive Order aimed at closing security gaps in classified computer networks and safeguarding classified national security information shared across such networks. The Executive Order is here.

––––––––––––––––

Digital Sandbox is the leader in public safety risk management, providing analytic tools and information products to government agencies and large enterprises for optimizing risk-based strategic, policy and budgetary decisions.

It looks as if one major manufacturer of millimeter-wave body scanners is beginning to respond to the outcry over their potential for causing privacy violations due to rather detailed images of subjects’ bodies.

In its promo literature for the new ProVision ATD (pictured, below), L-3 Communications notes that the equipment “addresses privacy concerns by eliminating the generation and review of images.” Instead, scan data from the unit (the ATD stands for Automatic Target Detection) “is processed by software without human intervention to determine if any threats are present. Potential threat areas are then presented to the operator using a generic mannequin that resembles a human outline.”

The latest product upgrade seems to be going over well: the Transportation Security Administration (TSA) bought 300 of them today. Perhaps Germany will consider procuring a few as well.

Now, if the scanner manufacturers can only find a way to put people’s minds at ease about the potential health risks in a future upgrade.

––––––––––––––––

Digital Sandbox is the leader in public safety risk management, providing analytic tools and information products to government agencies and large enterprises for optimizing risk-based strategic, policy and budgetary decisions.

The White House has approved the first edition of its new National Preparedness Goal (NPG), one of several interagency documents called for in Presidential Policy Directive 8 (PPD-8) on National Preparedness.

PPD-8 was released in March, followed by its Implementation Plan in May (our analyses can be found here and here). Next up after the NPG is a National Preparedness System due in late November.

We will analyze the NPG in an upcoming post. Meanwhile, we’d like to hear your thoughts on it. About a month ago, the Federal Emergency Management Agency provided a short window for public comment on the NPG; if it does likewise for the NPS we will let everyone know.

View the National Preparedness Goal here.

––––––––––––––––

Digital Sandbox is the leader in public safety risk management, providing analytic tools and information products to government agencies and large enterprises for optimizing risk-based strategic, policy and budgetary decisions.

Should governments pursue the cyber-space equivalent of the Cold War era’s doctrine of mutually assured destruction, or a similar form of deterrence?

At the Brookings Institution today, two experts debated the cases for and against cyber-deterrence. Dmitri Alperovitch, a former vice president at McAfee and author of the recent report Revealed: Operation Shady RAT, faced off against Ralph Langner, who led the team that cracked the code revealing the Stuxnet malware’s final target in Iran.

According to a Brookings summary of the discussion, Alperovitch presented a case “for a strategic declaratory deterrence policy to counter highly destructive cyber threats from nation-state actors against critical infrastructure and other crucial national security and economic assets.” (This sounds similar in some ways to what the White House declared in early summer.) Langner, on the other hand, argued “that deterrence is unlikely to prevent intense cyber war and cyber-terrorist attacks because they can be carried out by small international teams and prepared months or years in advance. He also [pointed] out cyber attacks against critical infrastructure and terrorist targets such as chemical facilities and nuclear power plants can and must be prevented by solid cyber protection.”
             
In a subsequent interview with a Washington Post blogger, Langner noted: “The bigger problem that we have with Stuxnet is not the virus itself – it is that various exploits used in Stuxnet can be copied and can be used against targets .... These systems remain vulnerable. These systems cannot only be found somewhere in Iran – they can also be found, for example, in U.S. power plants, chemical facilities, in production facilities for food and beverages, et cetera.”

To listen to a podcast of the Brookings debate (one hour and 20 minutes), click here.

––––––––––––––––

Digital Sandbox is the leader in public safety risk management, providing analytic tools and information products to government agencies and large enterprises for optimizing risk-based strategic, policy and budgetary decisions.

The recent outbreak of listeriosis, which has been traced to cantaloupes from Colorado, is shaping up to be the deadliest food-borne outbreak in the U.S. in years, with the death toll expected to continue mounting through next month.

Already, the Atlanta-based Centers for Disease Control and Prevention (CDC) has issued a nationwide warning for consumers to avoid fruit “marketed as cantaloupes harvested in the Rocky Ford region” of Colorado.

The CDC reports that since mid-August, “15 persons infected with the outbreak strain of Listeria monocytogenes have been reported from 4 states.” The agency is coordinating a multi-state investigation along with the Food and Drug Administration (FDA), the U.S. Department of Agriculture (USDA) and several state and local health agencies, and it says “listeriosis illnesses in several other states are currently being investigated… to determine if these illnesses are part of this outbreak.” (The map below shows the number of infected individuals identified so far in each state.)

By pure coincidence, the listeria bacteria were starting to spread just as the Government Accountability Office (GAO) released a report entitled Actions Needed to Improve Response to Potential Terrorist Attacks and Natural Disasters Affecting Food and Agriculture, part of its mandate under the 2004 Homeland Security Policy Directive (HSPD) -9, which established a national policy to defend U.S. food and agriculture systems against terrorist attacks, major disasters and other emergencies.

In the report and in subsequent testimony on Capitol Hill, GAO reported that there is no centralized coordination or oversight of progress on HSPD-9 implementation across relevant agencies such as DHS, USDA and the Department of Health and Human Services (HHS). As a result, “the nation may not be assured that these crosscutting agency efforts are effective at reducing the vulnerability to, and impact of, major emergencies” involving the U.S. food and agriculture sector.

GAO made nine recommendations, among them:

• To help ensure that the federal government is effectively implementing the nation’s food and agriculture defense policy, the Secretary of Homeland Security should resume DHS’s efforts to coordinate agencies’ overall HSPD-9 implementation efforts.
• To help ensure that the federal government is effectively implementing the nation’s food and agriculture defense policy, the [White House] Homeland Security Council should direct the National Security Staff to establish an interagency process that would provide oversight of agencies’ implementation of HSPD-9.
• To help ensure that the federal government is effectively implementing the nation’s food and agriculture defense policy, the Homeland Security Council should direct the National Security Staff to encourage agencies to participate in and contribute information to DHS’s efforts to coordinate agencies’ implementation of HSPD-9.

––––––––––––––––

Digital Sandbox is the leader in public safety risk management, providing analytic tools and information products to government agencies and large enterprises for optimizing risk-based strategic, policy and budgetary decisions.

As we approach the 10th anniversary of the anthrax attacks that closely followed 9/11, it’s worth remembering that nature can dole out far higher casualty numbers than most terrorists, and do so with some regularity (see H1N1, H5N1, etc.).

On this subject, the blog Visual News came across an interesting graphic (click on the image below to enlarge) called Outbreak: Deadliest Pandemics in History, which “details the ten deadliest pandemics both past and present, with a key explaining normal symptoms, estimated death tolls and the years they ravaged the world.”

Since we’re big on data visualization and maps and such, we’ve also made Visual News the newest addition to our Sites We Like (right). Thanks to Homeland Security Watch blog for pointing them out.

––––––––––––––––

Digital Sandbox is the leader in public safety risk management, providing analytic tools and information products to government agencies and large enterprises for optimizing risk-based strategic, policy and budgetary decisions.

September 1st will mark the midway point of the 2011 Atlantic hurricane season. Right on cue, Hurricane Irene reminded Americans of the loss of life and significant property damage these storms can cause, and thus of the vital need for a robust forecasting capability. Too bad, then, that the National Oceanic and Atmospheric Administration (NOAA) saw its budget cut by over $140 million this year, with more reductions likely in the fiscal year beginning October 1st.

Irene finished its destructive run up the Eastern seaboard – spawning tornadoes and massive flooding along the way – only a few days before the six-year anniversary of Hurricane Katrina. It was Katrina, more than any other storm in recent memory, that highlighted the vital role of the government in preparing its people for natural hazards, and what happens when it fails at that task.

Federal Emergency Management Agency (FEMA) Administrator W. Craig Fugate, who has spent most of his career in hurricane-prone Florida, pointed to FEMA’s Irene response as the culmination of the agency’s post-Katrina turnaround. On Sunday he described what basically amounts to a doctrine of preemption for natural hazards: “[W]e shouldn’t have to wait until a state is overwhelmed to begin getting ready,” he said. “[W]e should be able to go in before the governor’s made a request, have supplies ready, have our teams in the state and work as one team, not waiting for damages to occur and that formal request to come.”

Of course in order to do that one needs a deep bench of meteorological expertise and expensive equipment like remote sensing satellites to make on-the-spot decisions, such as the one that prompted FEMA not to order mass evacuations in Florida because it (accurately) predicted Irene would make landfall in North Carolina rather than farther south.

NOAA’s total FY2011 budget appropriations are $4.52 billion, 3 percent below what was approved in FY2010. More importantly, Congressional appropriators removed a sizeable budget increase requested by the Administration for NOAA satellite programs, including the Joint Polar-Orbiting Satellite System (JPSS). NOAA’s Operations, Research and Facilities account will get $3.185 billion ($119 million below FY2010) and its Procurement, Acquisition and Construction account, which funds the agency’s satellite programs, will get $1.335 billion ($23 million below FY2010, but $865 million below the amount requested by the Administration).

In deliberations over the FY2012 budget request, the momentum for further cuts is already evident. “The future funding for our satellite program is very much in limbo right now,” NOAA Administrator Jane Lubchenco told National Public Radio in May. “Satellites are a must-have when it comes to being prepared in detecting and tracking dangerous tropical weather. Not having satellites and not applying their latest capabilities could spell disaster.” Nevertheless, she added, “[w]e are likely looking at a period of time a few years down the road where we will not be able to do severe storm warnings and long-term weather forecasts that people have come to expect today.”

The Atlantic hurricane season runs from June 1st through November 30th. As in prior years, NOAA’s National Weather Service issued a pre-season forecast, which we wrote about in mid-May. A few weeks ago it issued its regular August update to that forecast, noting that “storms through October will form more frequently and become more intense than we’ve seen so far this season.”

The agency now sees, with a 70-percent probability, a total of:

• 14 to 19 named storms (top winds of 39 mph or higher), including:
• 7 to 10 hurricanes (top winds of 74 mph or higher), of which:
• 3 to 5 could be major hurricanes (Category 3, 4 or 5; winds of at least 111 mph)

“These ranges are indicative of an active season, and extend well above the long-term seasonal averages of 11 named storms, six hurricanes and two major hurricanes,” NOAA says.

As Congress deliberates the FY2012 NOAA and FEMA budgets amidst an unprecedented wave of pressure for wholesale federal budget cuts and a move to freeze discretionary spending at 2008 levels, it should keep in mind what’s still in store for the Eastern seaboard just in the way of hurricanes – and try to remember that at least some government programs are not a complete waste of money.

––––––––––––––––

Digital Sandbox is the leader in public safety risk management, providing analytic tools and information products to government agencies and large enterprises for optimizing risk-based strategic, policy and budgetary decisions.