SOURCE: Dan Yorke State of Mind (10/17)
By Alex Kuffner
NARRAGANSETT, R.I. — The former head of oceanography and meteorology for the Navy argued for more funding for research to understand the impact of climate change while delivering the keynote speech at a science symposium at the University of Rhode Island on Tuesday.
“It’s not just science at stake. It’s our survival,” Rear Admiral (Ret.) Jonathan White said to hundreds of people at the event at the Graduate School of Oceanography campus in Narragansett.
White is president and CEO of the Consortium for Ocean Leadership, a Washington, D.C.-based group that advocates for ocean research, education and policy. His name was mentioned last year in connection with the top position at the National Oceanic and Atmospheric Administration, but President Donald Trump instead nominated AccuWeather CEO Barry Myers.
Standing in front of images of the destruction wrought last week by Hurricane Michael at Tyndall Air Force Base, in Florida, and flooding around Naval Station Norfolk, in Virginia, he said that climate change is a threat to coastal military installations and, in a larger sense, to national security overall.
“Our military, the more and more they have to deal with infrastructure and the effects of climate change, whether it’s helping others or trying to get in and out of our bases, the less ready they are going to be to go on missions … all over the world,” he said.
It was a point that was also raised by U.S. Rep. James R. Langevin, who has pushed for an assessment of the military’s vulnerabilities to climate change.
“The dangers to national security are real and we must support the researchers who improve our understanding of the threat and ways to mitigate it,” he said.
The symposium’s focus was not just on security issues but on the effects of sea-level rise, more powerful storms and increased rainfall on coastal communities in general.
By Derek Hawkins
A slight majority of digital security experts surveyed by The Cybersecurity 202 say the United States should follow in the European Union’s footsteps and pass a law that requires companies to disclose data breaches quickly.
Europe’s General Data Protection Regulation requires companies with customers in the E.U. to notify regulators of a breach within 72 hours or face a severe penalty. Fifty-four percent of experts we surveyed supported a similar law in the U.S. The Network is our panel of more than 100 cybersecurity leaders from government, academia and the private sector who vote in our ongoing, informal survey on cybersecurity issues. (You can see the full list of experts here. Some were granted anonymity in exchange for their participation.)
Some experts said they favored federal legislation because it would help replace the patchwork of state laws that govern data breach notification in the United States. “Today, companies in the United States are required to comply with 50 different state laws when they suffer a data breach affecting personally identifiable information they control,” said Rep. Jim Langevin (D-R.I.), who has introduced legislation to create a national breach notification standard. “This is bad for business and bad for consumers, who are treated differently depending on where they live.”
“Europe now plays by one set of rules, while the United States plays by over 40,” added Jeff Moss, who founded the Def Con and Black Hat hacking conferences. “This is a costly, confusing and at times contradictory mess that only a national breach notification law can resolve.”
The issue has been in the spotlight in recent weeks. In late September, Facebook reported that hackers stole information that could have allowed them to take over tens of millions of accounts. After learning of the breach, Facebook disclosed it within 72 hours even though the company did not have all the information about the breach. Google took a different approach. The search giant learned that a software bug exposed data on half a million accounts on its social media service Google+ in March but did not disclose it until this month — and was criticized for not being transparent.
Survey respondents disagreed on how much time companies should be given to disclose their breaches. Langevin’s bill, for instance, would offer companies more leeway than GDPR. Instead of three days, they’d have 10 days to notify regulators after discovering a breach, and 30 days to notify consumers. “These timelines allow flexibility for companies to determine the scope of a breach while ensuring prompt notification so people can protect themselves,” he said.
There are competing bills on Capitol Hill, though: Legislation introduced by Sens. Amy Klobuchar (D-Minn.) and John Kennedy (R-La.) would mirror GDPR, requiring companies to disclose a breach within 72 hours of discovering it.
And other experts said 72 hours would be the right time frame. Chris Wysopal, chief technology officer at the cybersecurity firm CA Veracode, said that window would help the victims of a data breach take quick action to protect themselves from attackers who seek to misuse their information. “Attackers want to monetize the private data the companies store,” he said. “People have a right to know and protect themselves from subsequent attacks using this data, whether it is phishing or fraud. Having a standard like 72 hours will help all companies being on a level playing field and build processes to respond in a timely way.”
Harley Geiger, director of public policy at the cybersecurity firm Rapid7, agreed — provided that the countdown begins “when the company concludes a breach has occurred, not on discovery that an incident or attack occurred.”
“The company will need time to identify and investigate the incident, determine whether data was accessed or exfiltrated, and conclude based on the evidence that a breach has actually occurred,” Geiger said. “Reporting ‘a breach’ to regulators or the public prior to that process can be counterproductive for all sides, including consumers.”
The hack disclosed by Facebook late last month illustrates the complications of reporting a breach early. While Facebook took just three days to notify privacy regulators and the public that hackers may have compromised up to 50 million user accounts, the social media giant had only just begun to investigate the incident at the time of the announcement, and Facebook officials weren’t able to offer users a clear picture of the risks. In an update Friday, Facebook revealed that the hack affected about 20 million fewer users than it previously estimated — but that hackers had stolen more sensitive information than the company initially indicated, including search histories and location data.
Mark Weatherford, a former cybersecurity official in the Department of Homeland Security, supports a breach notification law but cautioned that figuring out the scope of an incident is complex and time-consuming work. “While there needs to be a trigger that starts the process, reporting too soon leads to mistakes, revisions and recriminations that might be avoided by waiting until enough information is gathered,” he said.
Jamie Winterton, director of strategy for Arizona State University’s Global Security Initiative, said a U.S. breach notification law should be coupled with measures that provide recourse to breach victims and impose consequences on companies. “Timely notification is important. But without some guidance on what regulators — and victims — should do, it feels somewhat toothless,” she said. “They should specifically address the needs of breach victims and establish some sense of corporate responsibility.”
Yet 46 percent of respondents said the United States shouldn’t impose a breach notification standard similar to the one in Europe.
“Unfortunately, GDPR does not take into account the reality of incident response and will lead to multinational companies disclosing breaches before they can provide accurate information or even be sure their attacker has been flushed from their network,” said Alex Stamos, Facebook’s former chief security officer who is now an adjunct professor at Stanford University. “Any U.S. law should balance promoting speedy disclosure with accurate disclosure.”
Jessy Irwin, head of security at Tendermint, agreed. “Being required to report a breach so early in the investigative process, when new facts emerge and information changes rapidly, will cause much more harm than it prevents on all fronts, especially if reporting has the potential to compromise an organization’s ability to effectively coordinate with law enforcement,” she said. “This kind of instant-gratification breach reporting legislation sets up smaller teams with fewer resources for major, major failure.”
There isn’t a one-size-fits-all solution, some experts argued. “Timing isn’t always the most important part of transparency,” said Steve Weber, founder and director of the Center for Long Term Cybersecurity at the University of California at Berkeley. “And — as most people in the business know — 72 hours isn’t enough time to unravel what has really happened in even a moderately complex breach. The intention behind the law may be good, but this provision is just not sensible.”
Giving companies flexibility is reasonable, as long as they’re acting in the interest of the breach victims, said Cindy Cohn, executive director of the Electronic Frontier Foundation. “While we have been concerned about companies sitting on this bad news, there are also legitimate reasons for delay, like when either the company or law enforcement is trying to identify and catch the perpetrators or when important facts about the situation (how many people are impacted) are still unclear,” she said. “Fiduciary responsibility framing can help give some clarity here; the company must act in the interest of those whose data is impacted, not its own here.”
There could be risks to consumers, too. Some experts worried that a 72-hour timeline could wind up overwhelming users with unnecessary notifications that their information was compromised just to meet the standard. “The deadline is going to produce a lot of half-baked breach reports and lead to ‘breach notice fatigue,’ ” said Stewart Baker, former general counsel of the National Security Agency.
SOURCE: Providence Journal Editorial
PROVIDENCE, R.I. — Rhode Island benefits from experienced, hardworking leadership in Washington. For that reason, we encourage our readers to vote to re-elect U.S. Representatives David Cicilline and James Langevin. As Democrats, they could become more powerful after January, if pollsters’ predictions hold true and control of the U.S. House flips to their party.
Representative Langevin, who serves Rhode Island’s Second District, sits on the House’s Homeland Security and Armed Services committees. Far from being content to serve as a partisan back-bencher, he has been a strong and assertive voice on defense and security matters. He supports internet privacy protections and wants to harden cyberprotections for the critical infrastructure of Rhode Island and the country.
He has correctly identified weaknesses in America’s cyberdefenses, even as cyberspace is increasingly a battlefield for nation-states, terrorists and criminals. He has demonstrated a grasp of the havoc that could follow a widespread, malicious attack, and consistently advocated for greater cooperation among the interdependent public and private sectors.
Mr. Langevin also has advocated for broader and deeper health care services for all, especially the disabled. As a paraplegic, he provides a unique and personal perspective on issues ranging from stem-cell research to study of the most effective ways for people to undergo rehabilitation after becoming paralyzed.
He is popular, too, with Rhode Islanders, enjoying sizable electoral majorities after successful stints as a state representative and Secretary of State.
Representative Langevin is opposed by military veteran and Republican Sal Caiozzo, who is an advocate for veterans harmed by toxins while serving. Mr. Langevin’s experience and willingness to reach across the aisle suggest he is the better choice.
In the First Congressional District, which includes Providence and Newport, former Providence Mayor Cicilline enjoys a huge party registration advantage over Republican challenger Patrick Donovan and should coast to victory.
Mr. Cicilline has been an advocate for trying to limit the spread of guns in America. He has aggressively pushed for expanded background checks for gun purchasers and a ban on assault weapons.
In Washington, Mr. Cicilline’s articulate tongue has served him well. He has been willing to appear on conservative TV programs, making the case for his party’s values and helping to bridge the yawning partisan chasm in the nation’s capital. He has also spoken out for manufacturing in America. And he has been a champion of newspapers and a free press.
Mr. Cicilline could well be leadership material. A respected member of the Congressional Progressive Caucus, he is competing for the new elected position of assistant majority leader. Little Rhode Island can use all the power it can get in Washington.
We believe Rhode Island voters would be well-served by returning their incumbent U.S. House members to office.
SOURCE: Brady Campaign to Prevent Gun Violence (Bradycampaign.org)
WASHINGTON, D.C. — With just one month remaining until the 2018 midterm elections, voters across the country are ready to make their voices heard in support of gun safety champions in their communities. The Brady Campaign to Prevent Gun Violence announced its latest round of endorsements for Senate, the House of Representatives, state office, and state ballot initiatives.
For the Senate, the Brady Campaign endorsed Sen. Tammy Baldwin (D-WI), Sen. Sherrod Brown (D-OH), Sen. Ben Cardin (D-MD), Sen. Chris Murphy (D-CT), and Sen. Elizabeth Warren (D-MA).
- Sen. Tammy Baldwin (D-WI) is a gun owner who believes the Second Amendment is consistent with stronger safety regulations. She supports a ban on rapid fire “bump stocks” and universal background checks.
- Sen. Sherrod Brown (D-OH) has demanded accountability for firearms dealers and manufacturers, voting against exempting them from lawsuits in cases of gun violence. He supports raising the minimum age to purchase firearms from 18 to 21, as well as a ban on assault weapons.
- Sen. Ben Cardin (D-MD) has called for background checks on private gun sales and transfers, and has sought to ban assault weapons and 3D-printed guns. He recently condemned a plan by Education Secretary Betsy DeVos to use federal funds to arm school teachers and staff.
- Sen. Chris Murphy (D-CT) is one of the leading gun violence prevention champions in the country, having been elected to the Senate just one month before the Sandy Hook shooting in 2012. His 2016 filibuster in the wake of the Pulse shooting was one of the longest in Senate history, reaching nearly 15 hours. He helped pass the bipartisan Fix NICS Act that strengthened our current background system, and he has fought to keep guns out of the hands of domestic abusers and for a ban on assault weapons and high-capacity magazines.
- Sen. Elizabeth Warren (D-MA) has made clear that when it comes to gun violence, thoughts and prayers are not enough – we need action. She will commit herself to taking dangerous weapons of war off of our streets, passing a universal background check bill, and fighting gun trafficking resulting from states with weak gun laws.
The Brady Campaign endorsed the following 11 candidates for Congress: Rep. David Cicilline (RI-01), Rep. Salud Carbajal (CA-24), Rep. Ted Deutch (FL-22), Rep. Jim Langevin (RI-02), Rep. Jerry Nadler (NY-10), Rep. Dina Titus (NV-01), Colin Allred (TX-32), Lizzie Pannill Fletcher (TX-07), Jahana Hayes (CT-05), Dean Phillips (MN-03), and Abigail Spanberger (VA-07).
- Rep. David Cicilline (RI-01) has been a champion for gun safety while in Congress. He has sponsored bills to ban assault weapons and high capacity magazines, as well as downloadable 3D-printed guns that enable anyone – even domestic abusers, terrorists, and convicted felons – to create an untraceable, undetectable firearm.
- Rep. Salud Carbajal (CA-24) knows the pain of gun violence firsthand, with his own family being touched by a gun suicide. He has introduced legislation to implement extreme risk protection orders, which would allow family members or law enforcement officials to petition a judge to temporarily remove guns from those who may pose a threat to themselves or others.
- Rep. Ted Deutch (FL-22) has represented the community of Parkland, FL with grace and compassion over the past year following the shooting at Marjory Stoneman Douglas High School. He supports a comprehensive, common-sense approach to gun safety, including raising the minimum age to buy guns to 21, banning assault weapons, and increasing funding for mental health services in schools.
- Rep. Jim Langevin (RI-02) has led the fight in Congress to protect children from unsecured firearms, and to hold gun owners criminally liable if their firearms are used by children. He also worked to strengthen federal oversight of gun dealers and to increase penalties for straw purchases.
- Rep. Jerry Nadler (NY-10) has been a gun violence prevention champion in Congress, having introduced legislation to keep guns from misdemeanor sex offenders who prey on children and co-sponsored a bill to ban 3D-printed guns. Should the Democratic Party take control of Congress, he would be in line to chair the House Judiciary Committee, which has jurisdiction over gun laws.
- Rep. Dina Titus (NV-01) is a member of the House Gun Violence Task Force, where she has fought for federal action to ban bump stocks and assault weapons, establish universal background checks, and to allow CDC researchers to properly study gun violence. As the Congressional representative for Las Vegas, she has seen firsthand the devastating impact that gun violence can have on a community.
- Colin Allred (TX-32) has pledged to protect the rights of responsible gun owners while pushing for common sense reforms. He will fight in Congress for background checks on all gun sales, keeping guns away from domestic abusers, and allowing courts to temporarily block access to guns from those who may be a danger to themselves.
- Lizzie Pannill Fletcher (TX-07) knows that gun violence in America is preventable, not inevitable. She will fight for common-sense gun safety measures, including a ban on assault weapons, raising the age to buy guns to 21, and requiring universal background checks on gun sales.
- Jahana Hayes (CT-05), seeking to represent the families of the children murdered at Sandy Hook in 2012, knows that the issue of gun safety isn’t being for or against guns – it’s about being anti-gun violence. She has called for universal background checks, banning gun sales to those on the terror watch and no-fly lists, and banning assault weapons.
- Dean Phillips (MN-03) will stand with the students in his district and across the country fighting for change, rather than the gun lobby. He is calling on Congress to pass universal background checks, reinstitute a ban on assault weapons, and fund CDC research on gun violence.
- Abigail Spanberger (VA-07) knows, as a former federal law enforcement officer, how important it is to take action against gun violence. She supports Gun Violence Restraining Orders, universal background checks on gun sales, banning assault weapons, and other common sense measures.
In Nevada, a week after the one year anniversary of the deadliest mass shooting in modern American history, the Brady Campaign joined with its local chapters to endorse Steve Sisolak for Governor, Kate Marshall for Lieutenant Governor, Aaron Ford for Attorney General, Marylin Dondero Loop for Senate District 8, Melanie Schiebel for Senate District 9, Jason Frierson for Assembly District 8, Michelle Gorelow for Assembly District 35, Sandra Jauregui for Assembly District 41, and Justin Jones for County Commission.
- Steve Sisolak is committed to taking action against gun violence as Nevada’s next governor. A year after the Route 91 shooting in Las Vegas, he will move to ban assault weapons, bump stocks, high capacity magazines, and silencers. He also is committed to lobbying for funding to research gun violence as a public health crisis, removing restrictions preventing local governments from enacting gun safety measures, and fighting against efforts to arm teachers.
- Kate Marshall immediately got to work in the days after the Las Vegas shooting to work with and help survivors and victims in any way she can. She will continue to be an advocate for all victims of gun violence as she fights to end the epidemic in her state.
- Aaron Ford sponsored a bipartisan bill in the Nevada state senate to ban people convicted of stalking or are subject to a domestic violence-related protective order, which was signed into law under the state’s Republican governor. As attorney general, he will continue his efforts to expand background checks and implement and enforce other common sense gun safety measures in his state.
In Florida, the Brady Campaign and its Florida Executive Council endorsed Nikki Fried for Commissioner of Agriculture, Olivia Babis for Florida Senate District 23, Annette Taddeo for Florida Senate District 40, and Debbie Katt for Florida State House District 57.
- Nikki Fried will, upon taking office as Commissioner of Agriculture, immediately investigate her predecessor’s failure to properly monitor concealed carry permitting in Florida. She has made clear that she will not be beholden to the NRA, but will put the people of her state first and foremost. She knows that background checks save lives while remaining consistent with the Second Amendment, and will govern as such.
In California, the Brady Campaign and the California Executive Council endorsed Buffy Wicks for State Assembly District 15.
The Brady Campaign also endorsed two statewide initiative campaigns: Ban Assault Weapons NOW in Florida, and Washington State Ballot Initiative I-1639.
- Ban Assault Weapons NOW seeks to place an amendment on the 2020 ballot in Florida to ban assault weapons in the state. Led by a combination of family members of murdered Parkland students, survivors of the Pulse nightclub massacre, and elected officials, the committee seeks to take the question of whether or not weapons of war belong in places of peace directly to the people of Florida, who have borne witness to a number of high-profile mass shootings in recent years. More information can be found at bawnfl.org.
- Washington State Ballot Initiative I-1639 would, among other measures, raise the minimum purchase age for semiautomatic rifles, establish new safe-storage rules, and require safety training before the purchase of any gun. This would be one of the strongest improvements to Washington state law on gun safety, and will save lives.
“We are constantly amazed by the sheer number of remarkable candidates who are putting gun safety at the top of their agendas in 2018,” stated Avery Gardiner, co-president of the Brady Campaign. “No matter how ‘blue’ or ‘red’ a district might be, we all stand in agreement that gun violence in America needs to come to an end. Soon, we will have a Congress that stands with us in that belief.”
This election cycle, the Brady Campaign is focused on working with and supporting candidates throughout the country who are committed to preventing gun violence. A heavy focus is on whether candidates support Brady’s three-point plan, including expanding Brady background checks, banning assault weapons and high-capacity magazines, and passing extreme risk laws. A recent battleground poll commissioned by Brady clearly demonstrated the popularity of this plan throughout the country.
A resurgent Brady PAC is supporting candidates who commit to making gun violence prevention a top priority and is working to replace candidates who refuse to prioritize the safety of the American public. Brady is doing so through the candidate endorsement process and holding candidates accountable to their questionnaire answers. Brady PAC will target races across the country in support of such candidates, especially in those races targeting candidates who put gun industry profits before the safety of their constituents.
Brady is also focusing heavily on voter registration, particularly of young voters through its student initiative, Team ENOUGH. In addition to its Congressional report cards released this summer on gun safety issues, the student-led group will be holding voter registration events throughout the summer and will work to educate and mobilize high school and university students from now until November. The group is also inviting students across the country to form their own Team ENOUGH groups and host nonpartisan candidate forums.
Last November’s elections in Virginia and New Jersey, where multiple Brady-backed candidates won on a clear platform of gun safety, demonstrated that voters are engaging on the issue and are rejecting those supported by the NRA. And with recent polling showing that half of Americans want gun safety to be Congress’s top priority, it’s clear that this issue will be a leading one throughout the 2018 campaign.
Further endorsements will be announced in the weeks to come.
SOURCE: CyberScoop 2018 Leet List
As a co-founder of the Congressional Cybersecurity Caucus, Rep. Jim Langevin has helped shape the policy debate on Capitol Hill on issues ranging from federal bug bounty programs to information sharing. The Rhode Island Democrat talks about what galvanized his interest in cybersecurity and his hopes for bipartisanship on the issue, among other topics.
CyberScoop: What sparked your sustained focus on cybersecurity?
Rep. Jim Langevin: A lot changed for me the day a couple of scientists from Idaho National Lab came and gave me a briefing on the Aurora threat [in 2007].
In the SCIF, we saw the video of the generator blowing itself up. They described to me how it could be done. It’s, at first, hard to get your arms around, but then as they further explained, this could affect not only just one generator but several, and not only just one power generation facility, [but] potentially it could shut down a whole sector of the country’s electric grid as a result of a SCADA attack. And that was very alarming.
CS: That was 2007. More than 10 years later, we hear the word “cyber” more on Capitol Hill, for better or for worse. How have your fellow lawmakers improved in paying attention to and talking about cybersecurity, and how do they still need to get better?
JL: Members of Congress have become more aware of the problem in the same way that the American people have become more aware of the problem, in many cases because of the high-profile cyber-intrusions or events that have occurred.
We’ve been at this for a long time. I’d love to say that it is because of the work that I did, or that we did together, to raise awareness. That was a part of it, of course, but unfortunately, most of it is because of the large number of cyber-intrusions and threats that the country has faced, the personal and private information that’s been stolen and compromised, the theft of intellectual property, and the list goes on and on.
CS: Do you find yourself being an educator with fellow lawmakers on cybersecurity? Do other members heed the advice of colleagues who have been paying attention to the subject longer?
JL: There are different times that a bill that I have sponsored or co-sponsored, and it’s come up for a vote, that I have members say they voted for the measure because they have a lot of respect for me on this topic and they know that I spend a lot of time on this issue.
Each member of Congress specializes in a different topic. We’re not all experts on every topic. Certain people are go-to people on any range of issues, and cyber happens to be something that I spend a lot of time on.
CS: Have we had a galvanizing moment that generates widespread momentum to drive better cybersecurity policy — the proverbial “Cyber 9/11,” to use a tortured metaphor? Was the 2016 election that moment?
JL: It was a moment, and certainly one of those things that has gotten people’s attention. But it wasn’t a Cyber 9/11, per se. I am still worried about that type of event occurring. It’s still possible, even though it may be remote at this point. It’s still a possibility. … It’s one of those things that keeps me up late at night — you wonder when or if that date will ever come. It’s probably more of a “when” not “if.”
I’ve often said that you will never have modern warfare again without some type of a cyber component to it.
The United States continues to get better at being better organized and defended against a Cyber 9/11. But you can never say never, that it won’t happen. But between the work that the Department of Homeland Security is doing, the work that U.S. Cyber Command is doing, [and] NSA, we have nation-state capabilities to defend the country. But there’s still more work to do. Remember, most of critical infrastructure is still in private hands and we haven’t completely figured that piece out yet as to how we [might] adequately defend the country if there were a Cyber 9/11.
CS: Cybersecurity has often been described as a bipartisan issue. But with all of the politicization of the aftermath of Russian hacking and information operations during the 2016 election, is cybersecurity still a bipartisan issue in 2018?
JL: I believe it is. … Some make it a partisan issue, but I don’t see it that way. Case in point: I have a bipartisan election security bill, the Paper Act, with Congressman Mark Meadows [a Republican from North Carolina].
We both see this as an American issue — not a Democrat or Republican issue, it’s an American issue – that we need to do a better job with, securing our elections infrastructure.
CS: Congress has recently moved to set up bug bounty and vulnerability disclosure programs at multiple federal agencies. What have you learned from talking to experts on what works in setting up these types of programs at agencies?
JL: What I’ve learned over the years in working on the cybersecurity issue and [from] meeting with cybersecurity researchers is that they want to help … they want to help make the internet more secure and function the way it’s intended to.
Bug bounty programs are a great way to leverage that private sector talent, as we saw with the Pentagon’s bug bounty program. It was set up the right way. You get trusted researchers who want to do the right thing, provide them a vehicle where they can lend their talents, I think [it] is a good model. I’d like to see other government departments and agencies do a similar bug bounty program.
We also need to have a vulnerability disclosure program at each of the departments and agencies so that when cybersecurity researchers do find a vulnerability they’ve got somebody they can report it to – and they know that it’s going to be acted upon.
By Sean Lyngaas
In cybersecurity probes of Department of Defense weapon systems in recent years, penetration testers were able to gain control of systems with relative ease and generally operate undetected, according to a Government Accountability Office report.
“We found that from 2012 to 2017, DOD testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development,” the report states.
In one test, a two-person team gained initial access to a system in an hour, then gained full control of the system in a day, the watchdog said. In another, the pen-testers seized control of the operators’ terminals, could see what the operators saw on their screens, and “could manipulate the system,” GAO found. Many of the testers said they could change or delete data. In one case they downloaded 100 gigabytes of it.
The scathing report chalks up the insecurities in the Pentagon’s weapon systems to defense officials’ “nascent understanding of how to develop more secure weapon systems” and the fact that those systems are more networked than ever. Until recently, according to GAO, the Pentagon did not prioritize weapon-system cybersecurity. Furthermore, DOD program officials the watchdog met with “believed their systems were secure and discounted some test results as unrealistic,” the report says.
“Due to this lack of focus on weapon systems cybersecurity, DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity,” GAO researchers added.
DOD’s evaluators did not pull out top-drawer tools to breach the weapon systems, but instead used simple techniques that were sufficient in the face of “poor password management and unencrypted communications,” according to GAO.
The report, which focuses mainly on under-development weapon systems, is the product of a 15-month audit that included interviews with officials from the National Security Agency, military testing organizations, and DOD acquisition offices, among other agencies. GAO said its researchers will give Congress a classified briefing on their findings.
Not all of GAO’s findings were negative. The Pentagon has recently moved to improve weapon-system cybersecurity through policy guidance and initiatives to better understand vulnerabilities, according to the watchdog. And one penetration test reviewed by GAO “found that the weapon system satisfactorily prevented unauthorized access by remote users,” albeit not from insiders.
But the report makes clear that DOD’s work to date is far from sufficient in tackling the problem.
“Several DOD officials explained that it will take some time, and possibly some missteps, for the department to learn what works and does not work with respect to weapon-systems cybersecurity,” the report says.
Due to testing limitations, “the vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities” in systems, according to GAO.
Defense officials provided technical comments in response to a draft of the GAO report. CyberScoop has requested further comment from the Pentagon.
“The GAO report released today highlighted a shocking reality: just how far behind we actually are in adequately protecting our weapons systems and industrial suppliers from cyber threats,” said Sen. Jim Inhofe, R-Okla., chairman of the Senate Armed Services Committee.
Rep. Jim Langevin, D-R.I., a member of the House Armed Services Committee, said he wasn’t surprised by GAO’s findings. “While DOD has made progress in lowering its cybersecurity risks, it has not moved fast enough,” Langevin said. That is why, he added, Congress has mandated that the Pentagon carry out cyber vulnerability assessments.
By Eric Halperin
Now that he’s been confirmed to the U.S. Supreme Court, their feelings have not changed.
In a narrow vote of 50 to 48, Judge Brett Kavanaugh was confirmed by the Senate to become a Supreme Court justice. Two of those ‘nay’ votes came from Rhode Island’s Democratic Senators Sheldon Whitehouse and Jack Reed.
Whitehouse serves on the Senate Judiciary Committee, which heard testimony about sexual assault allegations from Dr. Christine Blasey Ford against Kavanaugh.
Shortly after Kavanaugh was voted in, Whitehouse released the following statement:
“I developed deep concerns with Judge Kavanaugh early in this process. He holds a narrow view of constitutional protections for women, a troubling affinity for dark money, and a worrying disregard for precedent and important judicial principles. Also, he sides – nine times out of ten – with big Republican corporate and special interests over regular Americans. Our next justice needs to remain independent of those interests; Judge Kavanaugh signaled the opposite. That cost him my vote.
“Then came credible allegations of sexual assault against Judge Kavanaugh, and remarkable testimony from Dr. Blasey Ford. She was calm, composed, and utterly believable. President Trump called her testimony ‘credible’ and ‘compelling,’ as did many of my Republican colleagues. She even provided real evidence, including prior consistent statements, to corroborate her account.
“We then learned the true measure of Kavanaugh. His bitter, partisan conspiracy theories ought to disqualify any nominee to the bench, let alone to the highest court in the land. Through this dark episode for the Senate and our democracy, I find reason to hope. President Trump mocked her, and Republicans ignored her, but Dr. Blasey Ford’s testimony lit a fire. Like the brave Rhode Island women who shared their own stories with me this week, Americans are shedding the long and unfair legacy of shame, fear, and stigma associated with sexual violence and trauma, to come forward with their experiences. It has been a personal honor to share this moment with these Rhode Islanders, and to be trusted with their stories, and I am very hopeful the fire they lit will lead to change.”
On Friday night, Whitehouse spoke on the Senate floor about why he believes Kavanaugh is not fit for the position.
“I did not find him credible at all. I found him belligerent and aggressive, just as his Yale drinking buddies said he was when drunk in college, and evasive, and non-responsive,” Whitehouse said.
Saturday morning, Whitehouse’s challenger for his Senate seat called the senator out for his behavior during the Kavanaugh hearings.
“I’m here to charge Rhode Island Senator Sheldon Whitehouse with abusing his seat on the Senate Judiciary Committee and with disgracing that seat through his actions and statements throughout the tumultuous Kavanaugh hearings,” Bob Flanders said.
During his event Flanders also called Kavanaugh an “outstanding American.”
Congressman Jim Langevin also issued a statement after the Senate voted saying he was ‘deeply disappointed.’
“The events of the past several weeks surrounding his confirmation hearings have convinced me that Judge Kavanaugh does not have the temperament to credibly act as a nonpartisan arbiter of justice, and many questions remain about the accusations that he sexually assaulted women in his youth,” Langevin said.
“When President Trump first nominated Kavanaugh, I expressed my grave concerns that he would represent a departure from the independent voice of Justice Kennedy. Unfortunately, as he prepares to take his seat on the high court, I fear Justice Kavanaugh’s term will only exacerbate the divisions in our society and further erode public faith in our institutions,” Langevin said.
URI faculty with expertise in storm modelling and mapping, response and resiliency, ocean and civil engineering, and geologic oceanography will participate in the symposium to be held Tuesday, Oct. 16 from 10:30 a.m. to 12:30 p.m., in Corless Auditorium at URI’s Bay Campus, 215 South Ferry Road, Narragansett, Rhode Island. Registration is at 9:30 a.m.
A 2018 Department of Defense study indicated that more than half of the 3,500 U.S. military’s sites located both in the U.S. and internationally are affected by instances of extreme weather. Storm surge, here in Rhode Island as well as other coastal regions, can be a particular risk, with more than 200 domestic sites alone reporting flooding—an increase of more than 500 percent over the number reported in 2008.
Rear Admiral (Ret.) Jonathan W. White, former commander of the Naval Meteorology and Oceanographic Command, will deliver the keynote address. White has a B.S. in oceanographic technology from the Florida Institute of Technology and holds a master’s degree in meteorology and oceanography from the U.S. Naval Postgraduate School.
He was commissioned through Navy Officer Candidate School in 1983, and has had operational shore assignments at Jacksonville, Florida; Guam; Monterey, California; and Stuttgart, Germany, where his joint duty included Special Operations Command Europe, and strike plans officer for U.S. European Command during Operation Allied Force in Kosovo and Serbia. White commanded the Naval Training Meteorology and Oceanography Facility, Pensacola, Florida, and was the 50th superintendent of the United States Naval Observatory.
White’s sea tours as a naval oceanographer include commander, Cruiser Destroyer Group 12, where he completed deployments on board USS Saratoga (CV 60) and USS Wasp (LHD 1). He was promoted to the rank of rear admiral (upper half) in August 2012 as he assumed his duties as director, Task Force Climate Change, and Navy deputy to National Oceanic and Atmospheric Administration. Rear Admiral White retired in 2015. He presently serves as president and CEO of the Consortium for Ocean Leadership.
Symposium panelists and topics are:
- Christopher D.P. Baxter, professor, ocean, civil and environmental engineering— “Engineering’s Role in Resiliency and Educating the Next Generation.”
- Austin Becker, assistant professor, coastal planning, policy and design— “Stimulating Transformational Thinking for Long-Term Climate Resilience.”
- John King, professor, geological oceanography— “Climate Model Predictions and Trends in Observational Data for Coastal Environments.”
- Pamela Rubinoff, coastal management and climate extension specialist, Coastal Resources Center and Rhode Island Sea Grant— “Engaging Decision Makers in Resilience.”
Congressman Langevin, URI President David M. Dooley, and URI’s Vice President for Research and Economic Development Peter J. Snyder will speak at the symposium.
The event is free and open to the public; however, registration is suggested. For more information and a registration link, visit: uri.edu/coastalresilience.
US House – Rhode Island – 2nd District – Democrat
About Jim Langevin
Congressman Jim Langevin has been an avid supporter of gun safety during his nearly 30 years of public service. Congressman Langevin supports legislation to expand background checks, allow the temporary removal of firearms from people who pose a danger to themselves or others, ban assault weapons, restart federal research into gun violence, and prevent domestic abusers and stalkers from possessing guns. Congressman Langevin has also introduced legislation to prevent children from being injured by guns in their homes and to require regular inspections of firearms dealers. Congressman Langevin has voted against legislation which gives legal immunity to the gun industry, and has voted against concealed carry reciprocity legislation—currently the gun lobby’s top legislative priority—multiple times.