Why are mainstream media outlets reluctant to discuss power grid security threats? (“Don’t Ask, Don’t Tell II”?)

Since 9/11, some national security observers, generally on conservative blogs and publications, have intermittently warned Americans that they could face catastrophic destruction of the power grid and of technological civilization through either extreme solar storms with the accompanying coronal mass ejections, or electromagnetic pulses generated by terrorists or rogue states, usually from high-altitude nuclear detonations or certain other (non-nuclear) magnetic flux weapons used by the US military now in deployments. In retrospect, it’s interesting to recall a Popular Mechanics story on the threat published one week before 9/11 in 2001.

Occasionally, conservative politicians and engineers have testified to Congress on the issue, most notably Newt Gingrich, who spoke about this in March, as I recall. He also wrote a foreword to the 2009 novel “One Second After” by William Forstchen. Around 2012, the National Academy of Sciences and Oak Ridge National Laboratory both published sobering studies on these issues (my reviews). I actually visited ORNL in 2013. It has also been reported that Earth had a narrow miss from a huge coronal mass ejection in July 2012. PBS Frontline apparently covered these threats to the grids (in the US, there are three major power grids) with three brief reports.

The major media has not shown any consistency in willingness to report on this problem.  However, very recently a Fox station in Chicago reported bluntly on North Korea’s apparent threat to use an EMP weapon as a “gift” to the United States, shortly after DPRK had tested what some believe was a thermonuclear weapon (fusion hydrogen bomb), right while the US is dealing with major hurricanes.  As I look through the literature, I see sporadic reports in the past, including one piece in 2015 in the Wall Street Journal that seems to have anticipated North Korea’s progress with its missiles.  Another environmentally oriented article makes the interesting point that the use of solar energy would help decentralize power distribution and make the grid harder to attack.

The most emphatic statement on the problem may be Ted Koppel’s late 2015 book “Lights Out”, but Koppel, after exploring EMP, focuses most of his attention on cyberthreats.

Sinclair broadcasting in Baltimore created a couple of interviews on the problem in August 2016 and, along with Fox, sponsored a forum from a Green Bay WI studio; but owned-station WJLA, while advertising it, did not air it (on its own News Channel 8).  I covered that on this blog before.

Why has the media waffled in talking about this problem?  Is there some kind of “don’t ask don’t tell” policy to protect the stock market?  I can imagine the conspiracy theories.  But a couple points stand out.

One point is the fact that the most obvious threat, a high altitude H-bomb, has never been carried out, even though all reputable science supports the idea that the threat is real. (There were major problems in Hawaii in 1962 after an early H-bomb test.)  Such an event has been viewed as unthinkable, although North Korea’s recent bad behavior sounds very menacing indeed.  No one has said if it is technologically easier for an enemy to explode a nuclear device at high altitude than to aim it at a city and have it survive re-entry.

Another reason is that the media has been more focused on cyber threats, such as one carried out against Ukraine in 2014.  Now, the Pentagon’s core systems are unreachable to external hackers, so it’s fair to ask, should not the same thing hold for an electric utility?  Of course, an inside job saboteur is possible.  But I fear that there probably does exist a topologically connected Internet path from my computer to the grid, even though there should not be. (Yes, I studied topology in graduate school in the 1960s, before getting drafted.)

A more subtle reason for media reticence is that the threats to the grid from EMP and solar storms need to be understood as a threat to a suddenly and increasingly technology-dependent civilization, perils which can actually be decomposed into separate components and individual threats (including cyber) which individually may be more likely.

The main components are E1, E2, and E3.  The E3 is the prolonged magnetic pulse which can overload and destroy transformers.  It occurs (in slightly different forms) with both extreme solar storms and thermonuclear fusion weapons.  Major utilities don’t talk about this very much (even to their shareholders), but recently some of them have made vague statements that they are working on installing technologies that would enable transformers to survive the overloads.  The Foundation for Resilient Societies has tweeted that the necessary changes would cost about $5 per American, or about $2 billion, which would sound affordable.

E2 is more like a lightning strike and is more easily defended. But E1 is what fries modern consumer electronics and many newer car ignitions. It appears that an E1 is possible from a very small fission nuclear device, or from some kinds of magnetic flux guns possessed by the US Army for grand war (like for disabling IEDs). E1 events might be created locally by a saboteur and have effect only in a small area. The concerns expressed by James Woolsey about North Korea’s Shining Star satellite probably relate to an E1 device without E3.

I visited a Best Buy store today and asked a clerk about this. He admitted he had heard this question from other walk-in customers before, and recommended a DVD-R optical storage pack (about $25) and writer drive (about $25). This is now recommended for personal storage (for example, documents, music if one composes, etc). Modern USB thumb drives and solid state “hard drives” are supposed to be able to resist ordinary magnets (and hopefully nearby electric transmission towers which would induce magnetic fields), but they would not survive actual E1 pulses. I immediately made an optical backup of my most critical files when I got home, after installing the Cyberlink software from a DVD.

Cloud companies are supposed to maintain multiple copies of backups in different data centers around the U.S. for redundancy, which would provide reasonable protection against regional attacks. (A lot of these backup servers are in the North Carolina Piedmont, it seems.) But it’s a good question whether data centers could construct Faraday-like protections for the consumer data in their care.

Since 9/11, there has been a lot of attention to the possibility of terrorist or saboteur-introduced or built small nuclear weapons (as opposed to the rifle, car, and pressure cooker devices that have been used), or radioactivity dispersion devices (“dirty bombs”), which could destroy and make uninhabitable a lot of real estate even if they didn’t kill people. These have not been used. But it is well to remember that during the 1980s, there was some (not widely discussed) fear that rogue communist elements could carry out attacks, which contributed to the idea of developing a “civilian reservist force” which was sometimes discussed in Sunday newspapers (pre-Internet), at least in Texas. Communism was responsible for personalized terrorism in the 1970s (Patty Hearst), but radical Islam has caught the focus of such attention since 9/11. Recently, we’ve had to recognize the “progress” of North Korea with its WMDs, which seems shocking now but which older articles show had been expected. Nevertheless, the Trump administration must seek the best intelligence and wisdom from its military and civilian sources and Congressional leadership in dealing with the challenges of what sounds like an unpredictable, combative and antagonistic regime in North Korea, which may quickly be able to wreak more havoc with American civilians than we would have believed even a few months ago. So the mainstream media needs to really do the extensive fact-checking on this issue and not behave as if it were “fake news”. I’m willing to go to work on this myself.

This topic sounds like it deserves a presidential address to the nation, but it’s hard for me to imagine Donald Trump’s addressing this one publicly.  Maybe he’ll surprise us, and not just on Twitter, before it’s too late.

(Posted: Thursday, Sept. 7, 2017 at 10:45 PM EDT)

Update: Friday, Sept. 8, 10 AM EDT

I found two very alarming opinions in the Washington Post this morning. One is an editorial warning of cyberattack on the power grid, here. The piece discusses Dragonfly malware and spear phishing.

Another is an op-ed by a former (2002, Bush era) acting CIA director that North Korea can launch nuclear weapons on the United States now, here. The piece seems aimed at discouraging Trump from initiating a pre-emptive strike now in response to more underground or missile tests. But what if North Korea detonates a device over the Pacific and demands that the US withdraw completely from protecting South Korea? The Domino Theory from my own days dealing with the draft in the Vietnam era suggests this can happen. The most cynical interpretations of this idea could mean that China could want DPRK to attack (E3) so that China can walk in and take over the US! Incidentally, it is well to remember that DPRK has every incentive to fire a missile test while the U.S. is preoccupied with its own natural disasters (like this weekend).

In all these discussions, the confidence in NORAD and “Star Wars” defense becomes very important as part of the deterrent.

Oddly, neither of these pieces talks about EMP.  It may be easier for an enemy to detonate a missile at high altitude than make it survive re-entry.  Has anyone looked at this idea?

The Boston Herald now has an article similar to Fox’s.

Related is the video review of mine.

Cloudflare’s action against neo-Nazi site complicates debate about service provider responsibilities and capabilities

The responsibility and capability of large private companies to decide what stays on the Internet or can be accessed by ordinary users seems to be coming into focus as a real controversy.

Just recently (Aug. 4), I’ve discussed how recent well-motivated bills in Congress aimed at inhibiting sex trafficking (usually of underage girls) could jeopardize much of the downstream liability exclusion (Section 230) that allows user-generated content to be posted on the Web (and that allows individuals to express themselves on their own through social media, blogs, and their own share-hosted websites) without expensive and bureaucratic third-party gatekeepers. This is tied with an undertone, not often argued openly, of controversy over whether “amateur” web content needs to be able to pay its own way. That latter-day proposition becomes dubious at the outset when you consider the observation made recently on CNN’s series “The 90s” that the first businesses to make money with web sites were in pornography, which was even the first content source to set up credit card use and merchant accounts online.

But judging from the quick reaction of offense in the tech community to the extreme right-wing march in Charlottesville, which led to the tragic death of a peaceful counter-protester at the hands of a right-wing domestic terrorist who showed up, companies do know a lot about what is getting posted. Matthew Prince of Cloudflare wrote a disturbing op-ed in the Wall Street Journal about his second thoughts after pulling the plug on Daily Stormer. Prince, while admitting that no service provider can possibly screen every user-generated item on its site, implies that providers do have a great deal of knowledge of what is going on and can censor offensive content (like racism) if they think they have to. Prince also makes the hyperbolic and alarming statement that almost any site with even mildly controversial content will eventually get hacked (or perhaps draw a SLAPP suit). Yet Prince’s own article would qualify the WSJ as such a site.

Prince argues that there needs to be some sort of international “due process” body regarding kicking sites or content off; it’s easy to imagine how a group like Electronic Frontier Foundation will react. In fact, I see that Jeremy Malcolm, Cindy Cohn and Danny O’Brien have a thorough discussion of the private “due process” issue and all its possible components here. Particularly important is that people understand the domain name system as standing apart from content hosting. EFF also points out that relaxing net neutrality rules could allow telecom companies to refuse connection to content that they see as politically subversive.

Indeed, there are many ways for content to be objectionable. Donald Trump, in a teleprompted speech to veterans from Reno today, mentioned the need to stop terror recruiting on the Internet. (Is this just ISIS, or would it include neo-Nazis and “anarchists”?) Twitter’s controversy over this is well known, and we should not forget that most of this process happens off-shore with encrypted messaging apps, not just websites and social media. Other problems include cyberbullying (including revenge porn), fake news (and the way social media platforms can manipulate it – again a sign that providers do know what they are doing sometimes) and also possibly asymmetrically triggering foreign national security threats (hint: the Sony Pictures hack, as well as attracting steganography). “Free speech” may indeed become a very subjective concept.

(Posted: Wednesday, Aug. 23, 2017 at 7 PM EDT)

Do security companies overstate privacy risks on social media, maybe for political motives?

Every time I go into Twitter or Facebook on my new laptop, I get a lecture from Trend Micro on my lenient privacy settings.

Particularly I get warned that the Public can see my Facebook posts and Twitter messages, that others can tag me in photos, and that others can see personal information.  On the last point, only “business address and phone” information ever gets posted online, anywhere.  In fact, I normally don’t have circles of security clearances among who can see what information about me online.  It’s all or nothing.

Some of my curiosity about this was motivated by the video in the previous post, where the speaker (a television station reporter) said that allowing anyone but approved “Friends” (Facebook) or approved “followers” (Twitter) would create gratuitous security risks that insurance companies would find unacceptable behavior on the part of consumers.

Facebook has different concepts, like Friends, Pages, and Groups.  Many people have Pages with followers.  They cannot be made private (you can block comments from specific people).  You can make a Group by invitation only, which is closer to the concept Trend seems to be encouraging.  The conventional wisdom has been that you allow only Friends to see your posts on your Friends page.  But Facebook allows up to 5000 friends.  It is common for people to have over a thousand.  Many, perhaps most, Facebook users don’t carefully screen who gets approved as a friend.  I do allow friends from overseas (including Arabic names).  I generally disapprove of minors only.  (Posts made by others on your timeline in public mode can normally be seen by “friends of friends”).

Some people, after being friends, do behave in an unwelcome way.  Some send greetings or messages and expect to be answered back.  A couple have made pleas for “personal” help with matters I can do nothing about (at least lawfully).  One female kept making silly posts on my Timeline claiming to tag me in sexual pictures when the individual was not me.  I did unfriend her and the posts stopped.

I also had one occasion where someone created a fake copy of my account with no posts.  A legitimate friend (the person who copyedited my books) caught it and reported it to Facebook and the entry was removed before I knew about it.

Tagging has crept up as a problem, for users who allow it.  I’ve noticed that some people are more sensitive about being photographed in bars or discos than they used to be, say, before 2010.  A few social establishments have started prohibiting photography inside their facilities.

In Twitter, it is possible to set up your account so that all followers have to be approved.  Relatively few users do this, but they will block followers who seem stalky or who don’t follow supposed etiquette (by replying to too many tweets when not being co-followed), although etiquette standards are changing again rapidly.

As a practical matter, limiting visibility of posts to “Friends” or approved followers probably doesn’t increase security very much, because it is so easy to be approved and because, to be successful and have an outreach, people need friends and followers. Indeed, it wouldn’t stop “catfishing” (as in Nev Schulman’s 2010 film “Catfish” for Rogue Pictures, as with a recent incident from a fake female catfisher in Manitoba).

On Facebook, I notice that some Friends (even with privacy set to “Friends only”) will “check in” with that red dot that lets others track their movements;  I don’t think this is a good idea myself.  But part of this is that I don’t want anyone to “take me for granted”, beyond security.  Likewise, I don’t announce (even to Friends) what events I will attend, even if I report on the events after the fact on blogs.  Maybe that isn’t playing ball.  I think back to the days of my upbringing in the 50s;  my parents probably “shared” their lives with about ten other families, as with Thanksgiving and Christmas gift sharing that I remember so well (and with the Ocean City beach trips with one family I remember, too). As for services like Snapchat:  I feel that if I need a conversation that doesn’t go anywhere, I just have it by smart phone or in person.  I don’t like the idea of sharing video or photo that disappears.  (Kathy Griffin should know.)

 

All of this is interesting because Zuckerberg invented Facebook at the time that Myspace had become popular (to the extent that Dr. Phil had programs about misbehavior on Myspace), and, despite winning out over several competing ideas (the movie “The Social Network”; the books “The Accidental Billionaires” by Ben Mezrich, or “The Facebook Effect” by David Kirkpatrick), Zuckerberg originally intended to set up Facebook for campus environments. It wasn’t fully public until about 2007 and it didn’t get into its controversial news feed aggregation (so plagued by the fake news that is said to have helped elect Donald Trump) until maybe about 2010 (when Time Magazine honored Zuckerberg as person of the year, the “Connector”).

What such a practice would do, however, is try to discourage online self-publishing with free content.  Social media was built on the premise that known lists of people see your content, more or less like email listservers (or restricted membership sites) that were popular before modern social media.  When people are popular and have lots of “fans”, the practical effect is that social media account is public anyway. It is true that actual friends or followers are more likely to see posts even on public accounts. Blogs can also have “followers” and, with Blogger, can be made “private” (as can YouTube videos), but the normal result is that few people would see them.  Blog following has become less popular since Facebook took off, although YouTube channel subscription is still somewhat popular.

The relevant point seems to be that when you publish a hardcopy (or Kindle or Nook) book, you don’t have the “right” to know who bought it. That’s the traditional idea or model of “open publication”. Self-instantiation by open self-publication, with leaving a lot of content free, seems to be a morally suspect or gratuitous practice (even if it purports to offer alternative viewpoints and critical thinking as I think mine do) in the minds of some people: if it doesn’t pay its own way, it competes unfairly with writers who do need to make a living at it; it discourages professionalism and facilitates fake news; it can attract cultural enemies (to others as well as the self), leading to the insurance concerns; and (probably most of all) it breaks up political solidarity for those (on both the (alt) right and left) who want to recruit loyal volunteers and who want to control the (often polarized and tribally-centered) message. “Belonging” to some group seems to be imperative. The election and relentlessly tribal and boorish behavior of Donald Trump seem to have brought this point home.

In fact, in the eyes of intellectual property law, this isn’t quite right.  “Publication” in defamation law is communicating the false defamatory claim to even one person who understands the message (which can be one approved friend or follower, or just one email recipient).

I opined before, back in 2000, that “open” self-publication can become an unethical practice for people in some positions (like those with direct workplace reports, when there is a concern over possible workplace results). Now it’s a possible security issue, especially in asymmetric warfare where civilians can attract enemies who view civilians as combatants. Yet it’s odd that a security company like Trend Micro gets to define what that means, for everybody.

Some observers (like Ramsay Taplin, “Blogtyrant” of Australia) urge an inside-out approach to blogging, focusing on consumer niches that are inherently profitable, the narrower the better. Then, he says, become aggressive in building email lists from actual customers who need you and welcome hearing from you, which confounds the conventional wisdom today about spam. But this practice refers to writing that supports an inherently commercial product or service, not self-expression online for its own sake or even for promoting critical thinking on political or social controversies.

(Posted: Saturday, June 3, 2017 at 11:15 AM EDT)

James Woolsey (ex CIA) warns CNN that North Korea might be capable of detonating EMP weapon from orbiting satellite soon, even now

Today, Monday, March 6, 2017 Erin Burnett gave former CIA director James Woolsey an interview in the 7:30 PM slot, and Woolsey defended his recent op-ed in the Wall Street Journal warning that North Korea could pose a much bigger and more immediate threat to the United States even now than we realize.

Specifically, he suggested that North Korea could be capable of detonating a nuclear device from an orbiting satellite now.

Erin Burnett herself introduced the word “apocalyptic”.  Woolsey said there is disagreement as to how many US transformers on the power grids could survive the overload that would result.  Woolsey’s op-ed calls for strengthening the grid right now.  Bannon’s infrastructure programs so far have not mentioned this problem.  One way to strengthen the grids would be to require utilities to have their own small original generating stations and be less dependent on load sharing with other companies.  (That brings back the whole AC vs. DC debate in the early 20th century, as one time documented on the History Channel “The Men Who Built America”, 2012 episode).  Taylor Wilson (who has been supported by Peter Thiel, who supported Trump) has proposed that these small stations be shielded underground fission reactors.

I do recall many scenarios (as in “One Second After”) proposed where scud-type missiles fired off the US coast from clandestine ships create a high-altitude EMP result. There are even some non-nuclear magnetic flux devices that could be detonated on the ground (as in a mystery Popular Mechanics article shortly before 9/11 in 2001). But I don’t recall mention of the satellite threat before, not even in Ted Koppel’s book “Lights Out”.

I do see, however, a report about North Korean satellites with this capability on a smaller conservative web site reported back in April 2016.    Wikipedia has details on one satellite.

There have been many reports in recent days of North Korea missile test attempts.  President Donald Trump has not said (or tweeted) much about them yet (except, “not going to happen”).  CNN has a story today, questioning whether North Korean missiles could overwhelm THAAD.

In November 2015, I was reading later chapters in Ted Koppel’s book on the Metro in Washington when a college-age young man looked over my shoulder to read it.  That someone that age would notice this subject matter is encouraging.

There are some issues, for preserving freedom for everyone, that seem more pressing to me than the bathroom bills.

(Published: Monday, March 6, 2017 at 9:45 PM EST)

Update: Thursday, April 6, 2017 at 10:45 PM EST

A Facebook friend (somewhat connected to the prepper crowd) passed on this link from a family security website discussing Woolsey’s predictions about North Korea and even invoking the “fake news” idea.  Note the mention of Popular Mechanics, which had discussed non-nuclear EMP in an issue shortly before 9/11 back in 2001. (The Washington Times discussed it in 2009).  Here is the link.

Update: Tuesday, April 11, 2017  6:15 PM EDT

Common sense would say that DPRK would already need to have developed a miniaturized device that could have been placed on a satellite.  Would we know?  Or could they deploy another satellite soon? DPRK’s statements remain belligerent after the Syria intervention by President Trump.

 

 

Russia’s 2013 anti-gay propaganda law predicted the 2016 “propaganda blitz” of the US election

The  major media outlets report on President-elect Donald Trump’s meeting with intelligence chiefs Friday afternoon, with the finding that Russian president Vladimir Putin led a cyber campaign intending to spy on both political parties, but particularly the Democratic party, and influence the 2016 presidential election and make it more probable that Trump would win (or that Hillary Clinton would lose).

The New York Times has a story by Michael Shear and David Sanger, “Putin led a complex cyberattack scheme to aid Trump, report finds”, link here. The Washington Post has a lead story by Greg Miller and Adam Entous, “Declassified report says Putin ‘ordered’ effort to undermine faith in U.S. election and help Trump.” Many papers have Scribd PDF copies of the actual report, “Russia’s Influence Campaign Targeting the U.S. 2016 Presidential Election”, which is rather like a non-fiction book (“Dangerous,” but not by Milo).

Not only did the effort involve hacking of emails, particularly of the Democratic Party and posting on Wikileaks, but it also involved a huge “quasi-fake news” campaign with the outlet RT, or Russia Today (or RIA Novosti). RT posts a large number of videos on YouTube which get large numbers of visits.  I have sometimes used embeds of RT videos in my own legacy blogs.  Generally, though, the excerpts I have chosen are less controversial or sensational and more likely to be credible.

The New York Times offers further analysis by Scott Shane, “Russian Intervention in American Election Was No One-Off”. Jeremy Ashkenas has a description of how some of the hacking was done by phishing.

It should be noted that both Russia and China produce printed newspaper sections that appear as sponsored content in the Washington Post occasionally.

It appears that Russia’s content was specifically intended to fool less educated white voters. Educated or intact people probably won’t be fooled by the silliest fake news stories (like the Pizza Ping Pong).

I agree with Trump that it is unlikely that the Russian hack alone explains Trump’s electoral college upset. I think it was more the insularity of the Clinton campaign, its failure to get out enough low income voters even in Blue Wall states, and the “politics of resentment”, a desire to “punk” (to borrow from Ashton Kutcher) the system (Michael Moore called it a political Molotov cocktail).

Trump’s lack of respect for intelligence services seems very dangerous.  Trump says he wants to depend less on analysis and more on field undercover agents overseas.

But what is so noticeable to me is Putin’s belief in the value of propaganda, and his willingness to use it to manipulate less intellectually intact people, “the Proles”. Trump, of course, behaves the same way at his rallies, getting people to chant (“Lock her up!”). This is typical of authoritarianism, that people should get their information from those in political, familial or religious authority and stay in their justifiable “assigned station in life” (or accept “right-sizing”). Vladimir Putin, before the 2014 Sochi Olympics, had defended the 2013 anti-gay propaganda law as protecting Russian youth from “propaganda”, particularly ideas discouraging less competitive men from wanting to become fathers. The 2013 law was a warning sign that much worse behavior from Putin was to come. The law did not itself criminalize sodomy (which was legalized in 1993); but it did outlaw talking about it publicly, in any place where minors could find it – a kind of super “Communications Decency Act” or “COPA”. It was a kind of national “don’t ask don’t tell” for civilians. A westerner who travels to Russia and who has public blogs or Internet writings (including public social media accounts) outing himself could probably get arrested when visiting Russia. I doubt Milo could go safely.

One possible rationalization for (“(T)Rump’s”) bias toward Putin is that Putin would be an “ally” (maybe fake) against non-state and asymmetric enemies (that is, most radical Islamic terrorism).  On the other hand, Putin has indirectly supported state-sponsored terror against civilians in Aleppo (by Assad) on the theory that asymmetric rebel non-state enemies are infiltrating the civilians.  But Putin could create real crises (for NATO) in areas like the Baltics, possibly even Finland.

“Real Donald Trump”, Vladimir Putin is not your friend.

Evidence of Russian hacking attempt reported at an electric power utility in Vermont, on the heels of election “hackergate” and Obama’s actions

The Washington Post, in a story by Juliet Eilperin and Adam Entous, reports the discovery of codes associated with Russian hacking in the computer systems of one of the two major electric power utilities in Vermont. The code is associated with malware known as “Grizzly Bear”. Other Russian malware has colorful names, like “Pawn Storm”, a maneuver in chess where the opposing armies are castled on opposite sides of the board (like the Yugoslav Attack against the Dragon Sicilian).

The journalists confirmed the story with DHS, which would not say which company was involved.

Malware might cause a power station to overload a large transformer connecting it to other utilities, burning it up, creating a very difficult problem for replacement in reasonable time, as Ted Koppel had explained in his Nov. 2015 book “Lights Out”.

On Nov. 5, I reported a Sinclair Broadcasting story about “Black Energy” malware discovered at one or more unspecified utilities in 2012, and being impossible to remove.

There are no reports yet of any malware causing outages, as far as reported in the media.

The Vermont infection apparently occurred when an employee opened a link or attachment in a “phishing” email disguised to look like official company workplace business.  The email might have purported to come from a vendor or a customer. It is actually more difficult to defend against phishing attacks in the workplace than it is at home for savvy users, who know their own personal operations well enough to suspect phishing emails at sight.

Normally it is very difficult to get to the grid components directly, as they are not supposed to be connected topologically to the public Internet.  This sounds like a problem Donald Trump could talk about quickly.

National security experts have cautioned President Obama about his mode of retaliation against Russia for the supposed hack of both parties during the 2016 election, backed up by circumstantial evidence. Vox has good articles by Yochi Dreazen and Timothy B. Lee. I personally don’t think Hillary Clinton lost the electoral vote because of hacking. Comey’s letter (on the emails), Obamacare price hikes, and poor campaigning before certain “resentful” parts of the electorate (the Rust Belt), and poor “getting out the vote” among minorities are better explanations for the loss. Ironically, Putin played a “waiting move” with Obama today (by chess analogy) and took no action yet (NBC story). Trump, anyway, won’t be in zugzwang.

I personally visited a nuclear power plant in 1982, at Glen Rose, TX, on a weekend Sierra Club camping trip from Dallas, and have visited the grounds at North Anna, which has limited visitor displays.  Ironically, it is near Mineral, VA, where the 2011 earthquake occurred, and in an area with several “intentional” low-tech shared-income rural communities, one of which (Twin Oaks) I toured briefly in 2012.

As the video above claims, the US can also hack into the Russian power grid.

Wikipedia picture of Killington Ski Resort trail, which I visited in February 1973.

(Published: Friday, December 30, 2016 at 9 PM EST)

Update: Dec. 31 early

A newer version of the Washington Post story in print identifies the utility as Burlington Electric, and says that the malware, now called “Grizzly Steppe”, was found on a laptop not connected to the grid. No actual outages or hardware damage have occurred. Homeland Security was notified immediately when the malware was discovered. The company has a statement about the incident on its home page now.

The Wall Street Journal weekend edition now has a story online by Jennifer Levitz here.  But Rebecca Smith has a story about a ransomware incident (resulting in bitcoin payment) at a Michigan utility (Lansing Board of Water and Light) in April 2016, here. That sounds coincidentally alarming given the problems with the Flint MI water supply (which disproportionately affect low income people and their kids) after gross mismanagement, as covered in the media  in 2016.  Smith also has a story “Fears over U.S. power grid” Dec. 30, p. B3 in print Saturday, explaining how multiple attacks in Ukraine have happened (one on Dec. 23, 2015), and the penetration of four more electric utilities (and thirteen other companies) in 2014, apparently with similar “Russian” malware.

Security companies are starting to discuss these incidents. FireEye offers more info in a downloadable subscription report, link; Root9B has resources indexed here.

Wikipedia picture of Burlington, from Lake Champlain wharves, link.  I have been there once, as a child.

Assessment of Donald Trump’s “nation in peril” claims: it’s the quality (and novelty), not quantity, of threats that matters


So, let’s take another look at Donald Trump’s vision of a “nation in peril”.

The progressive establishment says that total crime and violence is down compared to decades past. Quantitatively, that’s probably true.  Since WWII, “I’ve” lived through a lot of history.  Despite racial violence today, there was much more of it in the early days of the Civil Rights movement. Mob, organized crime, and drug-related violence was legion.  Rudy Giuliani’s cleanup of New York in the 1990s did make it safer (for Trump, especially), although probably exacerbating police racial profiling problems (bolstered by some notorious wrongful convictions, like “The Central Park Five”).  Some of this lingered for a long time (Rodney King) before resurfacing in many cities recently.

In fact, until probably the late 1970s, it was generally true that the big cities were less safe places to live (even in high rise buildings) than the suburbs.  That gradually changed in the 1980s, even as “white flight” continued with many corporate relocations (especially in southern cities). With a large classical record collection, I was concerned about property crime then, and I had a couple of narrow misses for burglaries in NYC and Dallas (in suburban-looking settings) from the late 70s into the 80s. Over time, technology has provided a lot of assist in protecting property (especially automobiles).

The real question seems to be about the kind of threat, and who could be in its cross-hairs.  It is a larger concern for “upper middle class” people today (especially whites) than it used to be.  Trump is right about that.  It’s useful to walk through the main changes in “quality” and play devil’s advocate for each point.

The first point seems to be that the pace of mass shootings and mass-casualty events has gradually increased since 1982, if you follow a Mother Jones report. Supplementary charts at the Washington Post and CNN are helpful. Most of these events were perpetrated by mentally unstable individuals with relatively little coherent ideology (although a history of bullying and workplace or school problems is common). But one can add to these (besides OKC) some mass casualty events overseas, especially in Europe, some by means other than assault weapons. Radical Islamic terrorism has indeed (since 2014) increased rapidly as a threat to civilians, especially in Europe, and especially as a result of the implosion of Syria and Iraq. While Obama’s policies may have something to do with this vacuum, more important are European social and policy problems. Peter Bergen’s recent perspective on CNN is relevant. There’s also an interesting counter-perspective today in the WSJ by Max Boot, “The Terrorist Past Has a Message for the Terrorist Present”.

All of this argues, it seems, and especially in a “law and order” campaign advocated by Mr. Trump, for a progressive position on gun control (background checks, closing loopholes, banning civilians again from assault weapons), and indeed gun control might prevent a lot of “ordinary” crime.  It seems that it does in Britain and Australia, but it doesn’t in some areas of Chicago.  Once so many weapons are out there, it’s pretty hard to keep them to the “good guys”.  And gun control (as we’ve seen in France and maybe other places, even Orlando) might weaken the public from self-defense against very deliberate, very malicious attacks.

The second point has a lot to do with our growing dependence on technology, especially the power grids, and the communications (less so transportation) that emanate from them. I’ve already discussed the possible extreme disruptions from large solar storms, or from large scale terror events related to electromagnetic pulse or maybe cyber-war. Again, it’s important to reiterate that this threat is more likely from enemy states (like Iran or North Korea) than ad hoc terror groups. It’s also important to understand that non-nuclear pulse threats exist, although they have never been deployed on civilians in the West yet. It’s important to note the possible danger of a radioactive dispersion device (“dirty bomb”), which, in Donald Trump’s world, would be an existential threat to real estate values (he never mentions that, ironically). Bioterror remains significant (as with the anthrax attacks in 2001) but a natural pandemic (like avian influenza or a SARS-like illness) is more likely (Zika seems relatively small in the grand scale of things, however tragic for the children affected). The best protection for the public from biological threats remains rapid vaccine development.

I’ve just gotten Gretchen Bakke’s book “The Grid” (not to be confused with Byron Dorgan’s novel “Gridlock”). In the introduction, Bakke mentions “microgrids” that already exist (set up by financial institutions and technology companies) and these do help to start to decentralize the grids, making them more secure. She also notes that some utilities will not allow consumers to hook up home solar systems to their grids. Major security concerns also include the lack of ability to repair or re-manufacture large transformers and transport them. As the CBS interview with Ted Koppel (“Lights Out”) above indicates, the perhaps inadvertent connection of many larger utilities to the public Internet is risky and troubling.

Newt Gingrich mentioned the nuclear threat at the RNC, but not the EMP threat explicitly. It’s true that an enemy could decide to go “all out”. But against some of the kinds of enemies we have now, the old MAD doctrine (“Dr. Strangelove”) no longer holds, as it had against the Soviet Union and Communist China. An existential attack on our way of life seems even more sadistic. I was in a bizarre situation at NIH in 1962 when the Cuban Missile Crisis unfolded, a point that seems ironic today.

It is indeed true that “we” have faced quasi-existential “way-of-life” threats before — the Arab oil embargo of 1973 was a starting point.  These  potentially affected personal mobility (and lifestyle choice) then — and, however clumsily at first, we worked and produced our way out of these problems, only to find newer ones.


The third major area is even a bit more disturbing. I remember, back in 1968 during Basic Combat Training at Fort Jackson, the topic of the Geneva Convention. We were actually tested on it before graduation. Donald Trump says he wants to gut it. But one of the most disturbing aspects of recent attacks is the idea that ordinary civilians should become bargaining chips for retaliation for US foreign policy. We heard this back in the fall of 2001 when the U.S. allowed Osama bin Laden’s “speech” to be broadcast on a Sunday afternoon after George W Bush announced the start of operations in Afghanistan. Even more offensive is the idea that civilians bear personal moral responsibility (even in a religious sense) for what their governments do. There’s no question that this was the attitude expressed explicitly by terrorists in some attacks (Boston, with Jahar’s “boat manifesto” and Paris, with explicit statements made at the Bataclan). Indeed, as with Orlando, military style weapons have been turned on civilians, resulting in war injuries that need to be treated by military combat surgeons and rehab programs, not just by “gofundme” drives for medical bills. Even more disturbing are scenarios that could target ordinary civilians in novel ways (as long as persons connected to them as in families) to make ideological points. Donald Trump may have baited this idea in the past by threatening the families of individual suspected terrorists. It’s this sort of thing that can be manipulated into rationalizations to clamp down on user-generated speech online (like “we’re at war folks”, like many European civilians during WWII, going all the way back to Londoners during the 1940 shellings, recently discussed by Sebastian Junger in his book “Tribe”). Another personal aspect of this problem is the idea that there is something morally wrong if someone has “made enemies” even if the enemy is in some abstract sense morally wrong, too. This was an attitude common in my early upbringing that was largely forgotten for much of my adult life, but that seems to have come back in the post 9-11 world. Sometimes enemies appear because they feel we have brought them into a world where nothing is “earned” and where they have nothing to lose. Suddenly, as Donald Trump has (however crudely and with a lot of hypocrisy) forced us to face, it seems not so honorable to become a victim. You still pay for the crimes of others yourself.

As for Europe especially, a booklet-length story by Rukmini Callimachi in the New York Times, front page, Thursday Aug. 4, 2016, reinforces all these concerns.

(Published: Thursday, July 28, 2016 at 4 PM EDT)


Note: I gave a 38-minute sermon on 9/11 at the Dakota Unitarian Fellowship in Rosemount, MN in Feb. 2002.


Hillary Clinton’s server and email scandal(s), not quite as “bad” as Trump’s recklessness, but still a regrettable “process piece”


So, does the “email server scandal” really create a serious issue with Hillary Clinton’s character and her fitness to become president? Does it still leave some lingering legal questions about some unknown future prosecutorial or impeachment threat? Indeed, the chant “lock her up” at the RNC (to Chris Christie’s mock court and Mike Flynn’s speech) and even among Sanders’ protestors yesterday, is rather sickening.

First, let’s separate this from another email scandal that erupted Monday in Philadelphia at the DNC, the apparent Russian hack intended to show prejudice against Sanders and apparently improve Trump’s chance of election.  I cover this on Blogger here.  There’s also a story by Julian Assange on the hack here.

The problem with the Hillary Email Server Problem is that it criss-crosses several other issues and competing interests.

One issue is, of course, the specialized care in handling classified information.  But ethically it is comparable to the responsibility for private companies and sometimes government agencies to protect PII for customers.

The other big issue is that most “salaried professionals” in today’s workplace do want to work from home.  This creates issues especially during travel.  Generally, workers are expected to use corporate or government computers for business use only, and sometimes that’s a legal requirement. But, especially when “out and about”, workers can’t always carry two sets of hardware around everywhere (there’s a good question as to bringing multiple laptops through the TSA – you can, but I wouldn’t want to try it).

That’s one reason why many tech businesses have allowed BYOD at work. The major exposure in most cases is live consumer PII on a worker’s own device. There are various discussions online of the security implications, but one of the best is on Digital Guardian. It seems important that workers not save consumer data on their own devices, but it’s hard to see how you could stop that from happening.

There are companies that hire work-at-home customer service reps who use their own computers, although there are strict security requirements.  One example is Sykes-Alpine Access.

In the days before the Internet when a lot of computing was on large mainframes, it was common for people to take work home – even listings of parallel test results (with live consumer data sometimes) before system implementations.  A home break-in could conceivably compromise consumers, but nobody worried about this in the late 80s and early 90s. I sometimes kept listings at home for reference  —  CYA proof at all times that I had done my job properly for something now running all the time in production with millions of clients.

Production “on-call” support at night for batch cycle abends could be done either from dumb terminals taken home (which were not very effective), corporate laptops, or personal desktops or laptops (which could be equipped with PROCOMM or a similar product) to log on to a work mainframe. I usually used my own hardware because of another “conflict” which I have explained previously. I can recall that as early as 1985, when I logged on to a mainframe terminal, I was reminded of a state (Texas, at the time) law regarding computer crime. Employees were held accountable for any misuse of their accounts, such as when someone else knew their passwords or when they left themselves signed on when they went home.


I’d add here that in September 2001, about 2 weeks after 9/11, there was a serious email virus problem where I worked, which could have infected me at home, and which led to some uncomfortable conversations, as I recall that period (seeing “discuss issues 1:1” in your calendar).

That brings us to the subject of jobs requiring government security clearances and access to military or state-department (or other agencies, like Energy) classified information.


I do have some experience to bear.  In the Army, I was stationed at the Pentagon and later Fort Eustis (1968-1970) and had a Secret clearance and occasionally handled classified documents (not often). The same was true when I worked as a computer programmer for three summers at the David Taylor Model Basin (Navy) near Washington, and later for the Naval Command Systems Support Activity at the Washington Navy Yard (from 1971-1972).  The building I worked in is still there, if fully renovated.


At no time did anyone take work home.  Documents were signed for.  Even when handling unclassified materials, there was a “clean desk” policy.  You had to put everything away before you went home.  Civilians took turns as post-work-hours “security inspection officer”.  All of this went on toward the end of Vietnam and during SALT talks.


I would never have any further experience with security clearances except in June 1988 when I interviewed for a job with Mitchell Systems as a contract IBM mainframe programmer for the State Department.  I would have gotten that job, but instead chose to go to a health care company (now The Lewin Group).

All this would seem to make Hillary Clinton’s decision to “work from home” seem reckless.  Clinton understandably needed to work from her home in New York State on weekends with “Bill” as well as in her office in DC.  It would seem to an outside observer that the State Department should have installed a server following its own security rules.  Clinton reports there were some difficulties in getting this done (the libertarian “government doesn’t work” litany) so it was much easier to go to private contractors (Geek Squad, maybe) to get her set up.

Her main defense is “mens rea” – to the best of her knowledge, she handled only unclassified emails and other unclassified materials on her home server, as explained here on ThinkProgress (a few emails turned out to be classified, and more would become classified later – and, yes, overclassification is a big problem).   There are many accounts, such as the New York Times (with timeline) and even the Washington Times.  There is an account by Michael Arnovitz on “The Policy” that puts her “conduct” in perspective when compared to Gen. Petraeus (although “two wrongs don’t make a right”, as I recall Advocates for Self-Government broadcasting from Georgia back in 1998). It’s hard to imagine how she could have worked well at home if she got a 3 AM call about a terror attack in the Middle East on one of these weekends.  That’s why it sounds as though she should have worked harder to make sure the State Department fully equipped her with legally secured connections when taking office.  Government can do this for presidents (her husband), so why not major cabinet heads like State and DOD?   I’ve thought about these issues in my own career, but Hillary Clinton had a level of responsibility I never took on, even as eventful as my own career often seemed at the time.  Indeed, this is an issue where you’re too close to the “red button” even in your own bedroom, with your own spouse.   There would seem to be more of an issue for Hillary while traveling to other places (especially overseas) but she would have had a paid security staff with her to handle the clumsiness of security logistics.  I’m reminded of my own preparations when I travel. I have no such resources.

Hillary had made other careless remarks about technology.  Like, “I love Snapchat, those messages disappear all by themselves.”  Well, not always.  But Donald Trump has made plenty of reckless claims of his own, about “shutting down those tubes” which I’ve already covered.


On balance, I feel more uneasy about Donald Trump’s instability and recklessness than Hillary’s, but I think we’re seeing the results of a system that doesn’t encourage the right kind of people to run for office (and “raise money” from other people’s sources). If we had a businessman as GOP nominee, I’d rather have seen Mark Cuban (who knows my books). Imagine Anderson Cooper (as a journalist) or Tim Cook as a Democratic nominee. Johnson-Weld sounds like the most temperate and ethically responsible ticket. Coming back to Hillary’s perplexing judgment on her own BYOD server issue, I can only compare it to situations in my own career where I was in a canyon for a long time and accepted something based on compulsiveness or perhaps just immaturity and inattention as normal, because I couldn’t see out of it — but climb out I eventually did. Likewise, when driving on a plateau, I eventually come to a precipice and can look out over the next valley. Hindsight is not too comforting in accounting for one’s own past bad judgment.

First picture is the Port Richmond area of Philadelphia, about three miles from the DNC site, near the 2015 Amtrak derailment site. Philadelphia is not “another borough” of New York City.

(Published: Tuesday, July 26, 2016 at 2:30 PM EDT)

Sinclair Broadcast Group publishes sudden dire warning about future EMP or cyber attacks on US power grids


On Tuesday, July 5, 2016, affiliate station WJLA broadcast (at about 5:55 PM EDT) a 4-minute report (by Jeff Barnd) from the Sinclair Broadcast Group (near Baltimore, in Hunt Valley) about the security threats to the three big power grids. I could not find the story on Sinclair’s own site. WJLA gave the story the title “Next terror target: Our power grids?”


The report correctly referred to the Texas grid as the “Texas Interconnect”.

The report suggested that the main threat would probably be a high altitude blast from a hostile state enemy, like North Korea (Alaska and the US Pacific Northwest, within a couple more years, possibly) or Iran (which could try an attack on Israel or even Sunni neighbors), throwing an electromagnetic pulse (EMP) wave(s) over a large area, perhaps most of the country in extreme cases.  The report said that ISIS probably does not have the expertise to mount such an attack.

The report also suggests that a major threat could come from cyber hacking of the grid. Either a major blast or cyberwar could overload parts of the grid suddenly, because of the “overconnectedness” of power companies selling power for profit.

It’s less clear, to me at least, that an outside actor could even reach the power control systems through the public Internet.  It should not be possible to reach the grid control from my own computer, according to any mathematical topology.   However Ted Koppel’s book “Lights Out” may have been a factor in Sinclair’s report.

The report did not mention that smaller conventional flux weapons can produce localized EMP effects. It also did not mention solar storms.

The report described massive fatalities from prolonged electricity loss like those in the NBC series “Revolution” or the novel “One Second After”.

The report also suggested that an EMP attack might be followed by a physical attack on the homeland, like in the movies (like either “Red Dawn” movie).   That sounds more likely if the aggressor is Vladimir Putin himself.

It has been very unusual for mainstream media to discuss the EMP threat. Only Ted Cruz has mentioned it so far, among presidential candidates, but I suspect Newt Gingrich would discuss it as a VP candidate. When will Donald Trump and Hillary Clinton talk about this openly?

Could my own blogging (June 17) have drawn attention to the problem?  Maybe.  Some people at WJLA know me and I have discussed my concerns about it with their reporters  in person at least twice at “Your Voice, Your Future” forums in Arlington.

Important films on the topic include “American Blackout” (National Geographic Channel, aired Oct. 27, 2013), and CNN’s “We Were Warned: Cyber Shockwave” in February 2010.

To me, this topic deserves a lot more attention than something very narrow (affecting a cohort group close to me personally) like the North Carolina bathroom bills (but there is an iceberg or “slippery slope” effect even from small issues).  But throughout my adult life, many have resented my bringing up external issues and threats when I seem less inclined to live communally as part of a closely knit “helping hands” intentional community.   I’m still a lot more into winning arguments than counting partisan converts.

Anyway, “I told you so”.   But I’m not better than you, and couldn’t live with you in a 19th Century society.

(Published: Tuesday, July 5 at 9:45 PM EDT)


Update: July 9

I got an email from a site called “Fiscal Beacon” reproducing what it claimed was a story from Fox News about the devastation that could come from a power grid attack, bringing ordinary Americans to their knees in a personal way (that would include me).  The email offered sales of a home solar power generator, so it has a doomsday prepper flavor.  I could not find the source online, but Fox does have a couple of stories about the FBI’s comments on the issue, especially in view of a hack in the Ukraine, here by Victoria Craig, as well as a later one in April by Bill Gertz. It’s possible I got the email in response to this blog post about the Sinclair story, but I could not verify its authenticity quickly.

Here is a video on a typical solar power generator, this one apparently in Utah and popular with LDS.

Update: July 16

The Wall Street Journal carries, on p. C5 of the weekend edition, a book review (by R. Tyler Priest) of the book “The Grid” by Gretchen Bakke, from Bloomsbury.  I will purchase the book and provide my own review soon.


Update: July 26

The Wall Street Journal also published a major article by Rebecca Smith, “How America Could Go Dark” on July 14, with illustrations, and some focus on the physical attack in 2013 at PG&E’s Metcalf facility in the Silicon Valley, CA.  There is an LTE today about “unsecure technology”.