Los Angeles is the USA’s second largest port, which makes it a key cog in the American economy. In an era where lean inventories are a business norm, disruptions in that port could have massive, cascading ripple effects on the US economy. Improving its security and streamlining its operations are both a national security imperative and a national commercial imperative. Now, Government Security News notes that the Port of Los Angeles has purchased a sophisticated high-energy X-ray security scanning system from a Chinese manufacturer. Its stated purpose makes it a bit player in the port’s operations: inspect trucks delivering food, groceries and other supplies to cruise ships that dock in LA.
What raised more eyebrows was the identity of the Chinese manufacturer. NUCTECH is run by 37-year-old Hu Haifeng, the son of PRC President and Communist Party General Secretary Hu Jintao. System requirements include the ability to capture, store and transmit 25,000 or more X-ray images and associated documents for remote viewing, and it will be paid for with a $1.7 million port security grant awarded by the U.S. Department of Homeland Security.
NUCTECH has won business in Europe, and now in America, by significantly underpricing its competitors. That was also true in Los Angeles, where their $1.9 million bid, fronted by DULY Research Inc. in Rancho Palos Verdes, CA, beat competitors Smiths GE Detection ($2.7 million) and Rapiscan ($2.9 million). That pricing, and the vendor, have both caused some controversy, but the port is sticking by its guns. Read “Port of L.A. buys Chinese X-ray scanning system with U.S. taxpayer money” for more background and details.
“The cybersecurity initiative launched by the Bush administration earlier this year remains largely cloaked in secrecy, but it’s already clear that it could have a major and far-reaching effect on government IT operations in the future.
Everything from mandated security measures and standard desktop configurations across government to a recast Federal Information Security Management Act (FISMA) could influence the way agencies buy and manage their IT.
Overseeing all of this will be a central office run by the Homeland Security Department, the first time that the government’s efforts in cybersecurity will run through a single office tasked with coordinating the work of separate federal cybersecurity organizations…”
Think of RFID (Radio Frequency I.D.) as a bar code that can be read at a distance, instead of having to be scanned directly. RFID is becoming a pervasive feature in the American defense supply chain, and is beginning to make inroads into other markets as well. While supply chain solutions remain its main use, it is also a common feature in security solutions like ‘smart’ access cards. That latter use has led to a number of problems lately, including the posting of armed guards to secure sensitive government facilities in Europe.
NXP Semiconductors is currently filing suit in The Netherlands against Radboud University in Nijmegen, in an attempt to keep its researchers from publishing a paper about reported security flaws in NXP’s widely distributed MiFare Classic RFID chip. The chip’s 48-bit encryption was high end in 1994, but is considered very vulnerable by modern standards. The chip’s security flaws were publicized in a 2007 crack, but the downside of hardware-based security systems is the expense and time involved in changing them. In light of recent events, government agencies employing smart cards will need to factor that unpleasant reality into their purchasing decisions. Ken van Wyk, principal consultant at KRvW Associates, is quoted by Computerworld on this issue:
“It turns out it’s a pretty huge deal… There are a lot of these things floating around out there. Using it for building locks is the biggy, especially when it’s used in sensitive government facilities – and I know for a fact it’s being used in sensitive government facilities.” Van Wyk noted in March that one European country had deployed soldiers to guard some government facilities that used the MiFare Classic chip in their smart door key cards… “You have an RFID chip deployed by the millions,” said van Wyk. “Switching that around is extremely costly and won’t happen very quickly. It could be it will take them months or a year to do that.”
As Ferrari racing fans are very aware these days, industrial espionage that goes far beyond the bounds of ethical competitive intelligence is alive and kicking. This is even more true in the aerospace industry, whose national security implications often feature national intelligence organizations undertaking industrial espionage – in some cases, even against allied countries. China is most frequently mentioned in this context, with good reason, but Russia and France have also built reputations in this area.
The growth of identity theft and related fraud has turned a spotlight on security practices in all companies and organizations that deal with sensitive public data. Private sector practices in this regard are often severely lacking, but even organizations like the military have had difficulties. In May 2006, for instance, a serious American incident was covered in “ID Theft the Potential Reward for 26.5 million US Veterans.”
Now the UK Ministry of Defence has confirmed that a laptop stolen from a Royal Navy officer in Birmingham on the night of 9/10 January contained personal information relating to some 600,000 people who have either expressed an interest in, or have joined, the Royal Navy, Royal Marines and the Royal Air Force. In some cases, nothing more than a name would be present. In other cases, the data may include passport details, National Insurance numbers, drivers’ license details, family details, doctors’ addresses and National Health Service numbers.
The UK MoD did not immediately notify the public of the risk, on the grounds that the West Midlands Police felt it might impair the investigation, and the MoD’s apparent belief that it might be better not to make the potential value of the theft clear. That latter rationale can be defensible. Bluntly put, many thieves are not terribly bright; as an illustrative example, it’s quite possible for someone looking to score a quick payoff for a drug fix to miss a detail of this kind. Media reports made those rationales moot, however, and so an official admission has been made, along with contact information for a help line (0800 0853600). In the meantime, action had already been taken with APACS [Britain’s Association for Payment Clearing Services] to inform the relevant banks and place a watch on potential accounts, and the UK MoD says that letters to the 3,500 people whose bank details were included on the database are in process. Meanwhile, the story will continue to play itself out in the media, and on the ground where investigations continue. UK MoD: “MOD confirms loss of recruitment data.”
America’s ITAR system for controlling military exports has become a persistent complaint abroad – and at home. Abroad, it is often seen as being about protectionism first, and protection second. At home, the system is widely seen as a stumbling block to joint projects with US allies, and to America’s defense industry more generally. Britain’s ITAR-related disputes with the USA (now resolved) over the multinational F-35 program, and recent problems with approval that tipped a major foreign weapon purchase in favor of a particular US competitor, illustrate both types of complaints at work.
At the same time, legitimate security concerns around military technology transfer must be satisfied – and hopefully updated in an era where nations like China have used “American” front businesses as vehicles for major espionage coups. Now an industry initiative is underway to change key aspects of the US defense export control system, with support from several European firms. A recent GAO report is adding fuel to the fire, noting vulnerabilities in the existing system and recommending rethink and reform.
America’s recently-passed 2007 supplemental defense funding bill (#2) included $320 million for an unusual weapon: biometrics. Fingerprinting, iris scanning, certain approaches to automated facial recognition, DNA, and more are all part of biometrics, which seeks to identify humans based on unique physical characteristics.
Back in May 2005, “Biometric Access Card Project Underway for Iraq” shed light on biometrics’ increased use for defensive purposes; funding for those kinds of projects has continued, including research into fast, high-volume technologies and systems for National Guard units. What’s changing is the use of biometrics for offensive purposes as an integral tool in military operations, as opposed to just a defensive system for military installations. This requires a lot more interoperability and software bridging between systems, of course, in order to work. WIRED’s Danger Room e-zine covers the shift within Iraq, from operations in Baqubah to end-runs around the bureaucracy in order to get necessary equipment to warfighters. Read “Baqubah’s Biometric Squeeze” for more links and info… and see also these front-line reports:
On May 24/07, Australia’s Parliamentary Secretary to the Minister for Defence, Mr Peter Lindsay MP, signed a statement reaffirming the importance of the Australian Department of Defence’s 2000 Enterprise License Agreement and relationship with Microsoft Corporation. The Australian DoD’s relationship with Microsoft also includes commercial and collaborative planning, research and development activities and premier support services.
Lindsay is quoted in the release saying that “Our strategic partnership with Microsoft provides the foundation for the modernisation of Defence’s information systems and business process reform.” At the ceremony, Microsoft CEO Steve Ballmer said: “This agreement underscores how serious we are about working together to help protect Australia’s critical communication infrastructure.”
Microsoft is not generally known in the technology world for high security levels, though they have been investing R&D in a trusted computing initiative. The larger question among security experts is whether Microsoft’s vast resources will succeed in fixing an underlying operating system and application model that haven’t been designed from the outset for top-tier security. The US Defence Department recently issued a report on China’s activities in particular that highlighted the threat of cyber-warfare as a growing aspect of hostilities, and a growing concern.
Shaw-Dick Pacific, LLC in Honolulu, HI received a $176 million (first increment) firm-fixed-price contract for construction of the Hawaii Regional Security Operations Center, at Naval Computer and Telecommunications Area Master Station Pacific. Work will be performed at Wahiawa, HI, and is expected to be complete by June 2010. This contract was competitively procured with 38 proposals solicited and 2 offers received by the Naval Facilities Engineering Command, Pacific in Pearl Harbor, HI (N62742-07-C-1329).
An additional $144 million will be funded upon the passage of the FY 2008 Military Construction Appropriation Bill, making the total amount $320 million, with one additional $40,000 option that may be exercised within 3 months.
If you work in the industry, you know that navigating the designated layers of classified material can be challenging, and that decisions regarding classification may not always make sense to you. This is also true on a public policy level: the Federation of American Scientists, for instance, is deeply skeptical of recent NY Times claims re: materials in the public Iraqi documents archive, and whether there was anything in them that justified secrecy or their subsequent removal from public access.