  • Cost Isn’t Everything. Pentagon Should Judge Contractors on Cybersecurity, Report Says

    August 15, 2018 | International, C4ISR

    Security would be ‘fourth pillar’ in weapons purchase decisions

    The Pentagon should take into account the cybersecurity capabilities of defense contractors in addition to cost and performance measures when awarding contracts, a U.S. government-funded think tank recommended in a report published Monday. Through its buying process, the Pentagon “can influence and shape the conduct of its suppliers,” the Mitre Corp. said in a report titled “Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War.” The Defense Department “can define requirements to incorporate new security measures, reward superior security measures in the source selection process, include contract terms that impose security obligations, and use contractual oversight to monitor contractor accomplishments,” the report said. The Pentagon must consider new measures because the very nature of war is changing, the Mitre report said. Adversaries no longer have to engage the United States in direct conflict using weapons but can respond to American military strikes “through blended operations that take place through supply chain, cyber domain, and human elements,” the report noted. The report recommends that security be made a “primary metric” in Pentagon weapons purchase and sustainment decisions and that the Defense Department increase awareness of risks associated with its supply chains. It also calls for a National Supply Chain Intelligence Center that would include officials from the FBI, Homeland Security, the Pentagon and intelligence agencies to track risks and advise agencies. When choosing current or new contractors, in addition to considering cost, performance and schedule, the Pentagon must also make security a so-called “fourth pillar,” the report said. Contractors should be continuously monitored and assessed for the degree of risk they pose, the report said.
In addition to measuring a contractor's ongoing performance on a contract, an independent, federally-funded research agency could develop a risk rating similar to credit ratings done by agencies like Moody's, the report said. Mitre is a federally-funded research and development center. The Pentagon did not respond to an email seeking comment on the report. The report and its recommendations come as U.S. intelligence officials have become increasingly alarmed at potential cybersecurity risks that may be embedded in vast computer networks and systems that power government agencies as well as weapon systems. Last year the Trump administration banned federal agencies from using a popular anti-virus software made by Kaspersky Labs, which was alleged to have close ties with Russian intelligence services. Full Article: https://www.rollcall.com/news/politics/pentagon-judge-contractors-cybersecurity

  • Experts predict countries will use smart devices to launch cyberattacks

    August 15, 2018 | International, C4ISR

    By: Justin Lynch

    A vast majority of security professionals and experts who attended the Black Hat conference in Las Vegas predict that nation-states will target smart devices in the next year, according to a survey. Ninety-three percent of respondents told Armis, a security platform, that they expected governments to exploit connected devices during a hack or cyberattack. Twenty-three percent of respondents said that the energy and utility sector was most at risk of being attacked through smart devices, the survey found. Hackers are using connected devices as intermediaries to attack computer networks, the FBI warned Aug. 2. Examples of previous hacks using smart devices include an attack on a Las Vegas casino through the thermometer of an aquarium. Full Article: https://www.fifthdomain.com/critical-infrastructure/2018/08/14/experts-predict-countries-will-use-smart-devices-to-launch-cyberattacks/

  • Flying up North

    August 15, 2018 | Local, Aerospace

    By Second Lieutenant Kathleen Soucy

    The challenges of operating an aircraft in the North are numerous. “The first challenge is, without a doubt, weather,” says Capt Colin Wilkins, a CC-130J Hercules pilot with 436 Transport Squadron, during a planned flight to Canadian Forces Station (CFS) Alert. “Weather can be very unpredictable up North–and change rapidly.” In order to mitigate risks associated with extreme weather conditions, the aircrew follows a “plan procedure for cold weather operations,” said Cpl Yassabi Siwakoti, an aviation technician. This even includes a special procedure to start and shut down the aircraft when it is extremely cold, involving the removal and storage of batteries inside the aircraft. Located 1,834 kilometres north of the Arctic Circle, just 817 kilometres from the North Pole, Canadian Forces Station (CFS) Alert is the most northerly permanently inhabited location in the world. Full Article: https://www.skiesmag.com/news/flying-up-north/

  • MDA president notes opportunities, challenges for Canada’s next role in space

    August 15, 2018 | Local, Aerospace

    MDA Press Release

    Canada's role and potential involvement in the growing new space economy requires a commitment from the Government of Canada for a new space strategy, the group president of MDA, a Maxar company, said in a speech to the Aerospace, Defence and Security Expo. “The most pressing question is whether Canada will participate, or not, in the international space community's next big exploration project,” said Mike Greenley, group president of MDA. “The United States, Europe, Japan and Russia are currently planning a return to the Moon in the 2020s. NASA will build a small space station that orbits the Moon, as a base for lunar exploration and as a gateway to explore deeper space. The international community expects Canada to participate in this mission and to provide advanced AI and robotics–our traditional and strategic role.” Greenley said the international community expects and wants Canada to participate. Full Article: https://www.skiesmag.com/press-releases/mda-president-notes-opportunities-challenges-for-canadas-next-role-in-space/

  • Flight simulator's CEO says bigger U.S. armed forces budgets are a boon

    August 15, 2018 | Local, Aerospace

    MONTREAL – The head of flight simulator company CAE Inc. said Tuesday U.S. President Donald Trump's appetite for defence spending is a boon to the Montreal-based company, as newfound access to contracts tied to top-secret missions paves the runway for more revenue. “On the defence side, budgets continue to be on the rise worldwide, and in the U.S. they are at historical highs,” president and CEO Marc Parent told shareholders at an annual general meeting Tuesday. On Monday, Trump signed a $716-billion defence spending bill for 2019, an $82-billion increase from 2017 and a dramatic upswing from most Obama-era military budgets. CAE's acquisition of Virginia-based Alpha-Omega Change Engineering earlier this month opens the hatch to “top-secret missions,” mainly out of the U.S., Parent told reporters. An agreement between the U.S. government and a CAE subsidiary allows a proxy board made up of two American generals and a military contractor executive to oversee the high-security contracts, he said. “That opens up an extra $3 billion of potential market for us. So that brings our total addressable market in the world to $17 billion,” Parent said. As to what the classified missions involve, he said only, “You can speculate all day long.” Parent defended how CAE potentially stands to benefit amidst heightened military spending south of the border, more combative language from the White House and the creation of a new armed services branch focused on fighting wars in space. Full Article: https://www.680news.com/2018/08/14/flight-simulators-ceo-says-bigger-u-s-armed-forces-budgets-are-a-boon/

  • US Navy supercarrier John C. Stennis is headed for a complex overhaul

    August 15, 2018 | International, Naval

    By: David B. Larter

    WASHINGTON — Huntington Ingalls Newport News is gearing up to start a yearslong overhaul of the U.S. Navy carrier John C. Stennis, which is shifting home ports from Washington state to Norfolk to get ready for its break from the rotation. The company announced last week it had inked a $187.5 million contract for advanced planning to support Stennis' refueling and complex overhaul, or RCOH, slated to begin in 2021. The contract is for “engineering, design, material procurement and fabrication, documentation, resource forecasting, and pre-overhaul inspections,” according to the announcement. In a statement, HII's head of carrier maintenance said the contract was a critical first step toward getting Stennis started out right. Full Article: https://www.defensenews.com/naval/2018/08/14/us-navy-supercarrier-john-c-stennis-headed-for-layup/

  • How Hacked Water Heaters Could Trigger Mass Blackouts

    August 14, 2018 | International, C4ISR

    When the cybersecurity industry warns about the nightmare of hackers causing blackouts, the scenario they describe typically entails an elite team of hackers breaking into the inner sanctum of a power utility to start flipping switches. But one group of researchers has imagined how an entire power grid could be taken down by hacking a less centralized and protected class of targets: home air conditioners and water heaters. Lots of them. At the Usenix Security conference this week, a group of Princeton University security researchers will present a study that considers a little-examined question in power grid cybersecurity: What if hackers attacked not the supply side of the power grid, but the demand side? In a series of simulations, the researchers imagined what might happen if hackers controlled a botnet composed of thousands of silently hacked consumer internet of things devices, particularly power-hungry ones like air conditioners, water heaters, and space heaters. Then they ran a series of software simulations to see how many of those devices an attacker would need to simultaneously hijack to disrupt the stability of the power grid. Their answers point to a disturbing, if not quite yet practical scenario: In a power network large enough to serve an area of 38 million people—a population roughly equal to Canada or California—the researchers estimate that just a one percent bump in demand might be enough to take down the majority of the grid. That demand increase could be created by a botnet as small as a few tens of thousands of hacked electric water heaters or a couple hundred thousand air conditioners. "Power grids are stable as long as supply is equal to demand," says Saleh Soltan, a researcher in Princeton's Department of Electrical Engineering, who led the study. "If you have a very large botnet of IoT devices, you can really manipulate the demand, changing it abruptly, any time you want."
The result of that botnet-induced imbalance, Soltan says, could be cascading blackouts. When demand in one part of the grid rapidly increases, it can overload the current on certain power lines, damaging them or more likely triggering devices called protective relays, which turn off the power when they sense dangerous conditions. Switching off those lines puts more load on the remaining ones, potentially leading to a chain reaction. "Fewer lines need to carry the same flows and they get overloaded, so then the next one will be disconnected and the next one," says Soltan. "In the worst case, most or all of them are disconnected, and you have a blackout in most of your grid." Power utility engineers, of course, expertly forecast fluctuations in electric demand on a daily basis. They plan for everything from heat waves that predictably cause spikes in air conditioner usage to the moment at the end of British soap opera episodes when hundreds of thousands of viewers all switch on their tea kettles. But the Princeton researchers' study suggests that hackers could make those demand spikes not only unpredictable, but maliciously timed. The researchers don't actually point to any vulnerabilities in specific household devices, or suggest how exactly they might be hacked. Instead, they start from the premise that a large number of those devices could somehow be compromised and silently controlled by a hacker. That's arguably a realistic assumption, given the myriad vulnerabilities other security researchers and hackers have found in the internet of things. One talk at the Kaspersky Analyst Summit in 2016 described security flaws in air conditioners that could be used to pull off the sort of grid disturbance that the Princeton researchers describe. And real-world malicious hackers have compromised everything from refrigerators to fish tanks. 
Given that assumption, the researchers ran simulations in power grid software MATPOWER and Power World to determine what sort of botnet could disrupt what size grid. They ran most of their simulations on models of the Polish power grid from 2004 and 2008, a rare country-sized electrical system whose architecture is described in publicly available records. They found they could cause a cascading blackout of 86 percent of the power lines in the 2008 Poland grid model with just a one percent increase in demand. That would require the equivalent of 210,000 hacked air conditioners, or 42,000 electric water heaters. The notion of an internet of things botnet large enough to pull off one of those attacks isn't entirely farfetched. The Princeton researchers point to the Mirai botnet of 600,000 hacked IoT devices, including security cameras and home routers. That zombie horde hit DNS provider Dyn with an unprecedented denial of service attack in late 2016, taking down a broad collection of websites. Building a botnet of the same size out of more power-hungry IoT devices is probably impossible today, says Ben Miller, a former cybersecurity engineer at electric utility Constellation Energy and now the director of the threat operations center at industrial security firm Dragos. There simply aren't enough high-power smart devices in homes, he says, especially since the entire botnet would have to be within the geographic area of the target electrical grid, not distributed across the world like the Mirai botnet. But as internet-connected air conditioners, heaters, and the smart thermostats that control them increasingly show up in homes for convenience and efficiency, a demand-based attack like the one the Princeton researchers describe could become more practical than one that targets grid operators. "It's as simple as running a botnet. When a botnet is successful, it can scale by itself. That makes the attack easier," Miller says.
"It's really hard to attack all the generation sites on a grid all at once. But with a botnet you could attack all these end user devices at once and have some sort of impact." The Princeton researchers modeled more devious techniques their imaginary IoT botnet might use to mess with power grids, too. They found it was possible to increase demand in one area while decreasing it in another, so that the total load on a system's generators remains constant while the attack overloads certain lines. That could make it even harder for utility operators to figure out the source of the disruption. If a botnet did succeed in taking down a grid, the researchers' models showed it would be even easier to keep it down as operators attempted to bring it back online, triggering smaller scale versions of their attack in the sections or "islands" of the grid that recover first. And smaller scale attacks could force utility operators to pay for expensive backup power supplies, even if they fall short of causing actual blackouts. And the researchers point out that since the source of the demand spikes would be largely hidden from utilities, attackers could simply try them again and again, experimenting until they had the desired effect. The owners of the actual air conditioners and water heaters might notice that their equipment was suddenly behaving strangely. But that still wouldn't immediately be apparent to the target energy utility. "Where do the consumers report it?" asks Princeton's Soltan. "They don't report it to Con Edison, they report it to the manufacturer of the smart device. But the real impact is on the power system that doesn't have any of this data." That disconnect represents the root of the security vulnerability that utility operators need to fix, Soltan argues.
Just as utilities carefully model heat waves and British tea times and keep a stock of energy in reserve to cover those demands, they now need to account for the number of potentially hackable high-powered devices on their grids, too. As high-power smart-home gadgets multiply, the consequences of IoT insecurity could someday be more than just a haywire thermostat, but entire portions of a country going dark. https://www.wired.com/story/water-heaters-power-grid-hack-blackout/

  • Pentagon is rethinking its multibillion-dollar relationship with U.S. defense contractors to boost supply chain security

    August 14, 2018 | International, Aerospace, Naval, Land, C4ISR

    By Ellen Nakashima

    The Pentagon has a new goal aimed at protecting its $100 billion supply chain from foreign theft and sabotage: to base its weapons contract awards on security assessments — not just cost and performance — a move that would mark a fundamental shift in department culture. The goal, based on a strategy called Deliver Uncompromised, comes as U.S. defense firms are increasingly vulnerable to data breaches, a risk highlighted earlier this year by China's alleged theft of sensitive information related to undersea warfare, and the Pentagon's decision last year to ban software made by the Russian firm Kaspersky Lab. On Monday, President Trump signed into law a provision that would bar the federal government from buying equipment from Chinese telecommunications firms Huawei and ZTE Corp., a measure spurred by lawmakers' concerns about Chinese espionage. “The department is examining ways to designate security as a metric within the acquisition process,” Maj. Audricia Harris, a Pentagon spokeswoman, said in a statement. “Determinations [currently] are based on cost, schedule and performance. The department's goal is to elevate security to be on par with cost, schedule and performance.” The strategy was written by Mitre Corp., a nonprofit company that runs federally funded research centers, and the firm released a copy of its report Monday. “The major goal is to move our suppliers, the defense industrial base and the rest of the private sector who contribute to the supply chain, beyond a posture of compliance — to owning the problem with us,” said Chris Nissen, director of asymmetric-threat response at Mitre. Harris said the Pentagon will review Mitre's recommendations before proceeding.
She added that the Department of Defense, working with Congress and industry, “is already advancing to elevate security within the supply chain.” Testifying to Congress in June, Kari Bingen, the Pentagon's deputy undersecretary for intelligence, said: “We must have confidence that industry is delivering capabilities, technologies and weapon systems that are uncompromised by our adversaries, secure from cradle to grave.” Security should be seen not as a “cost burden,” she told the House Armed Services Committee, “but as a major factor in their competitiveness for U.S. government business.” The new strategy is necessary, officials say, because U.S. adversaries can degrade the military's battlefield and technological advantage by using “blended operations” — hacking and stealing valuable data, manipulating software to sabotage command and control systems or cause weapons to fail, and potentially inducing a defense firm employee to insert a faulty component or chip into a system. “A modern aircraft may have more than 10 million lines of code,” Mitre's report said. “Combat systems of all types increasingly employ sensors, actuators and software-activated control devices.” The term “Deliver Uncompromised” grew out of a 2010 meeting of senior counterintelligence policy officials, some of whom lamented that the Defense Department was tolerating contractors repeatedly delivering compromised capabilities to the Pentagon and the intelligence community. Addressing the security issue requires greater participation by counterintelligence agencies, which can detect threats against defense firms, the report said, and ideally, the government should establish a National Supply Chain Intelligence Center to monitor threats and issue warnings to all government agencies. Ultimately, the military's senior leaders bear responsibility for securing the supply chain and must be held accountable for it, the report said. 
The Defense Department, although one of the world's largest equipment purchasers, cannot control all parts of the supplier base. Nonetheless, it has influence over the companies it contracts with as it is the principal source of business for thousands of companies. It can shape behavior through its contracts to enhance supply-chain security, the report said. Legislation will be needed to provide incentives to defense and other private-sector companies to boost security, Mitre said. Congress should pass laws that shield firms from being sued if they share information about their vulnerabilities that could help protect other firms against cyberattacks; or if they are hacked by a foreign adversary despite using advanced cybersecurity technologies, the report said. Contractors should be given incentives such as tax breaks to embrace supply chain security, the report suggested. The Department of Homeland Security is addressing the security of the information technology supply chain through its newly established National Risk Management Center. “What we're saying is you should be looking at what vendors are doing to shore up their cybersecurity practices to protect the supply chain,” said Christopher Krebs, DHS undersecretary for the National Protection and Programs Directorate. The National Counterintelligence and Security Center, an agency of the Office of the Director of National Intelligence that coordinates the government's counterintelligence strategy, said in a report last month that software-supply-chain infiltration has already threatened critical infrastructure and is poised to endanger other sectors. According to the NCSC, last year “represented a watershed in the reporting of software supply chain” attacks. There were “numerous events involving hackers targeting software supply chains with back doors for cyber espionage, organizational disruption or demonstrable financial impact,” the agency found. 
https://www.washingtonpost.com/world/national-security/the-pentagon-is-rethinking-its-multibillion-dollar-relationship-with-us-defense-contractors-to-stress-supply-chain-security/2018/08/12/31d63a06-9a79-11e8-b60b-1c897f17e185_story.html?noredirect=on&utm_term=.265ce85b6eb1

  • Pentagon invites researchers to hack the Marine Corps

    August 14, 2018 | International, C4ISR

    By: Jessie Bur

    The Department of Defense kicked off its sixth bug bounty program Aug. 12 with Hack the Marine Corps, a challenge focusing on the Corps' public-facing websites and services. “Hack the Marine Corps allows us to leverage the talents of the global ethical hacker community to take an honest, hard look at our current cybersecurity posture,” said Maj. Gen. Matthew Glavy, the head of the U.S. Marine Corps Forces Cyberspace Command, in a news release. “Our Marines need to operate against the best. What we learn from this program will assist the Marine Corps in improving our war-fighting platform, the Marine Corps Enterprise Network. Working with the ethical hacker community provides us with a large return on investment to identify and mitigate current critical vulnerabilities, reduce attack surfaces and minimize future vulnerabilities. It will make us more combat ready.” The DoD launched its first bug bounty, Hack the Pentagon, in May 2016, which was considered one of the first major successes for the then-newly minted Defense Digital Service. Since then the DoD has held bug bounties for the Army, the Air Force, the Air Force again and the Defense Travel System. The combined programs resulted in over 600 resolved vulnerabilities with approximately $500,000 awarded to the ethical hackers participating in the program. “Information security is a challenge unlike any other for our military. Our adversaries are working to exploit networks and cripple our operations without ever firing a weapon,” said Chris Lynch, the director of the Defense Digital Service. “Sometimes, the best line of defense is a skilled hacker working together with our men and women in uniform to better secure our systems.
We're excited to see Hack the Pentagon continue to build momentum and bring together nerds who want to make a difference and help protect our nation.” Hack the Marine Corps was launched with HackerOne, which partners with the hacker community to help businesses and government conduct bug bounties, and kicked off with a live hacking event coinciding with the Black Hat USA, DefCon and BSides conferences in Las Vegas. The live hack resulted in 75 unique vulnerability reports and more than $80,000 in awards. “Success in cybersecurity is about harnessing human ingenuity,” said Marten Mickos, CEO at HackerOne. “There is no tool, scanner or software that detects critical security vulnerabilities faster or more completely than hackers. The Marine Corps, one of the most secure organizations in the world, is the latest government agency to benefit from diverse hacker perspectives to protect Americans on and off the battlefield.” The bug bounty program ends Aug. 26. https://www.fifthdomain.com/dod/marine-corps/2018/08/13/pentagon-invites-researchers-to-hack-the-marine-corps/
