
Is “Cash Strapped” The Right Analysis of American Critical Infrastructure?

If you’ve been a long-time reader of this blog you may recall seeing here before that in the early-2000s the US government left security of critical infrastructure up to the market investors in infrastructure (mainly banks) to figure out.

It was like a “trickle-down” theory of investment bankers showering the littlest critical infrastructure projects with the kind of money they would need to make things safe — at a market-designated level.

I have done critical infrastructure security audits, as well as security strategy consulting, before and after this time. What one might imagine on the outside is very different than what I found on the inside. That is to say, I expect most people (even myself before I started going inside) expect management to be laser focused on safety of service delivery, and willing to invest even a little extra to protect people from harm (capacity and disaster planning).

Yet that hasn’t been my experience.

For example on one engagement I had a bank ask if they should put their investments towards building adjacent bitcoin mining operations in power stations to shove “excess” power into assets they would sell off to an unregulated market.

On another engagement, as I was on my way to hack into the generation and distribution networks (they were weak), management stopped me and said “wait a minute, we care not much if those go down and people are without service, as that’s routine for us; instead please focus attacks on our trading systems and financial operations around billing and pricing” (they were weak too).

To be fair they were saying they could handle dangerous life-threatening accidents because that’s what they have been planning for all along… yet when I probed deeper it was more like they knew that those accidents wouldn’t have an effect on their P&L. Really.

And these were giant even “bulk” organizations, not “small systems” that have less of a fighting chance to argue with banks that may make final decisions on risk management models:

There are over 145,000 active public water systems in the United States (including territories). Of these, 97% are considered small systems under the Safe Drinking Water Act, meaning they serve 10,000 or fewer people.

Alas, from an economics standpoint it’s easy to say “poor” American banks do not have the money to spend on public utilities. Yet a wider macro view is probably that American investors with loads of cash to invest made it a conscious market decision since at least 1998 (when I pwned 1,000s of infrastructure routers across five states using clear-text passwords) to not invest in service safety. They’re not cash strapped as much as they’re not regulated in a way that a whole history of relevant accidents and basic common sense would force a cash infusion into the areas we might expect.

Also sometimes I wonder things like why Microsoft’s billionaires even charged utilities to license software for water utilities in the first place… or why the utilities didn’t all shift to software that came without a license, avoiding built-in end-of-life (EOL) and support models wildly inconsistent with their operation plans.

Anyway, here’s the TL;DR on the most recent “news” in America that uses the headline of “cash strapped” Americans (who have been violating basically every basic principle of safe operations even as laid out by the US government for years):

  • All computers used by plant personnel had remote control
  • All computers connected to plant’s control system
  • All computers connected directly to Internet
  • Out of date OS (Win7 – EOL Jan 2020)
  • All users share the same password
  • No network protection (firewall)

Shocking. It doesn’t take much money to fix all of that, especially if you had done it a year ago.

And here’s a post I wrote about many of the prior warnings: Was Stuxnet the First?

And here’s a post I wrote (in 2011!) about this exact issue: Chicken LittleStux is Falling

Let me now suggest a different narrative. “Cash strapped” is a negotiation and planning phrase used by the military, despite the enormous amount of money in its budget.

Cash-strapped US military to cut Persian Gulf fleet: USS Harry S Truman will not return to Middle East, leaving only one American carrier group near the strategic Strait of Hormuz

And now for something completely different, look at hard lessons of 1991 when a missile downed an AC-130 gunship and how the US military responded.

America decided not one more AC-130 would be lost to attack. And 30 years later it’s still true. Was it cash infusion? No.

All 14 airmen aboard were killed, but one Air Force general wrote that their sacrifice helped usher in a new era of the AC-130, one where new technology and tactics helped ensure that no gunship has been lost in combat since.

“We owe much to those who sacrificed everything aboard Spirit 03, not only because ‘they gave the last full measure of devotion’ for us, but also because they bequeathed to us, at a critical point in history, the decisive motivation to reinvent the AC-130 for a new challenge and a new century,” wrote now-retired Maj. Gen. Mark Hicks, a career gunship pilot, in the summer 2014 issue of Air Commando Journal.

The lesson from the US military success with the AC-130, however, was not an expensive reinvention of technology and newly dedicated staff as much as what Deming called the statistical control process to improve existing practices — commitment to delivering quality and identifying exposure or risks earlier.

For what it’s worth, in the 1980s when “cash strapped” Ford hired Deming he improved safety, quality and changed management practices in those areas. They called it Total Quality Management and focused on lack of cash; he turned risk around so much they soon outperformed GM and became the most profitable car company.

Had Ford stuck with Total Quality Management, it might have avoided many of the problems that have plagued it recently. Instead, as the years rolled by, the concept faded into the background at Ford as its champions retired and were replaced by executives who had other priorities. “U.S. automakers had so much confidence, they felt they had achieved quality and didn’t need to focus on it anymore”…

Perhaps read that insight as Ford was no longer “cash strapped” so their focus deteriorated and safety declined.

Cash infusions could have actually led to the wrong outcome. Again, it was focus on the wrong things that led to the AC-130 being shot down, and like Deming’s work at Ford maintaining focus on quality is what made a huge difference in safety. Spend as little as possible and no less.

Here’s the money quote from the story of how an AC-130 program now has run three decades without any attacker forcing one down.

“…improved fire control and better sensors really helped, but it was a commitment to be tactically sound that really made the difference,” Hicks wrote. Walter expressed a similar view. “The fundamental lesson learned is to always expect to be fired upon when firing.”

They don’t say the fundamental lesson is a cash infusion (in fact they brush that away as “really helped, but”). They certainly spent some money and also had some accidents — but it was focus on quality that mattered most.

Although losing a brand new, low density-high demand asset like an AC-130J is bad news, this is what testing is for. Better have a permanently grounded plane than one laying on the ground burning in the enemy’s backyard.

And I wonder if we should apply the same lessons domestically. Stop making safety in critical infrastructure about cash moving hands and instead make it about being tactically sound. I don’t mean NERC’s Critical Infrastructure Protection (CIP) either as some of you may remember it was a very cynical game by utilities to avoid NIST 800-53 and pretend they needed their own set of rules so they could ignore them.

We’ve known what happened in a water system in 2021 is what we talked about in 2000 after a water system was compromised, as I said above in my links to blog posts from a decade ago. There have been many, many studies in between then and now.

However, unlike the US military’s resolve to care deeply about stop loss, the market-driven critical infrastructure seems to have long taken the opposite approach and pushed the question of how many more catastrophes are allowed before they really, really have to care.

I say don’t make it about cash, because it’s always been that way. Take a look at America’s healthcare system for reference. Anyone who says government run health care would be more inefficient is willfully ignoring that the United States pays more per capita on health costs than any advanced country, yet is the only one without universal health care. Cutting out health insurance companies whose sole goal is to manage “cash strapped” issues by pushing huge amounts of money around using a market-based solution could save billions and still improve safety.

In fact, you might say the inflationary cost of security has made safety even less likely to happen because it gives bankers an easy out by claiming the risks are worth not spending on controls. So the less cash-strapped the less secure… could be a logical outcome.

Make it about quality, about tactical soundness, not about opening coffers or another form of congressional-military-industrial-complexity.


See also 2020: “What We’ve Learned from the December 1st Attack on an Israeli Water Reservoir?”

The reservoir’s HMI system was connected directly to the internet, without any security appliance defending it or limiting access to it. Furthermore, at the time of the publication, the system did not use any authentication method upon access. This gave the attackers easy access to the system and the ability to modify any value in the system, allowing them, for example, to tamper with the water pressure, change the temperature and more. All the adversaries needed was a connection to the world-wide-web, and a web browser.
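The six findings in the TL;DR list above, plus the unauthenticated, internet-facing HMI in the reservoir quote, expressed as an inventory audit a utility could run against its own asset list. This is an added example, not code from the original post; the inventory fields, host names, documentation-range addresses and the rule that an empty account list means no authentication are assumptions made for illustration.

```python
import hashlib
import ipaddress
from collections import Counter
from datetime import date

# Lookup table assembled for this example; confirm dates against vendor lifecycle pages.
OS_END_OF_SUPPORT = {"Windows 7": date(2020, 1, 14), "Windows 10 22H2": date(2025, 10, 14)}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def fingerprint(secret):
    return hashlib.sha256(secret.encode()).hexdigest()  # stand-in for an audit export's credential hash

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)

def audit(hosts, as_of):
    """Map each host name to the sorted list of findings that apply to it."""
    reuse = Counter(fp for h in hosts for fp in h["accounts"].values())
    report = {}
    for h in hosts:
        found = set()
        if h["remote_control"]:
            found.add("remote-control-enabled")
        if h["reaches_control_system"]:
            found.add("connected-to-control-system")
        if not all(is_internal(a) for a in h["addresses"]):
            found.add("direct-internet-address")
        eol = OS_END_OF_SUPPORT.get(h["os"])
        if eol is None or eol < as_of:  # an unknown lifecycle is treated as unsupported
            found.add("os-unsupported")
        if any(reuse[fp] > 1 for fp in h["accounts"].values()):
            found.add("shared-password")
        if not h["accounts"]:
            found.add("no-authentication")
        if not h["firewalled"]:
            found.add("no-firewall")
        report[h["name"]] = sorted(found)
    return report

def exposed_control_paths(report):
    """Hosts where internet reachability and control-system access coincide."""
    need = {"direct-internet-address", "connected-to-control-system"}
    return sorted(name for name, found in report.items() if need <= set(found))

# Constructed inventory; names and addresses (documentation ranges) are hypothetical.
SHARED = fingerprint("constructed-shared-secret")
HOSTS = [
    {"name": "ops-ws-1", "os": "Windows 7", "addresses": ["203.0.113.10"], "remote_control": True,
     "reaches_control_system": True, "firewalled": False, "accounts": {"operator": SHARED}},
    {"name": "ops-ws-2", "os": "Windows 7", "addresses": ["203.0.113.11"], "remote_control": True,
     "reaches_control_system": True, "firewalled": False, "accounts": {"operator": SHARED}},
    {"name": "reservoir-hmi", "os": "Windows 10 22H2", "addresses": ["198.51.100.7"], "remote_control": False,
     "reaches_control_system": True, "firewalled": False, "accounts": {}},
    {"name": "eng-ws-1", "os": "Windows 10 22H2", "addresses": ["10.20.0.5"], "remote_control": False,
     "reaches_control_system": True, "firewalled": True, "accounts": {"engineer": fingerprint("constructed-unique")}},
]

if __name__ == "__main__":
    print(audit(HOSTS, date(2021, 3, 1)))
```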

Harvard’s Mandatory Course on Race and Racism in America

Is it unethical and irresponsible to train public leaders without requiring a course on how race and power work?

Yes.

Is Stanford University able to overcome their racist and genocidal namesake by just starting a mandatory course on race, power, and business?

No.

Harvard Kennedy School, however, is in a better place today with a new mandatory course “Race and Racism in the Making of the United States as a Global Power”.

Students learn the central role race and racism play in business and wealth creation, social institutions, and public policy, drawing from Indigenous history from the legacy of slavery to contemporary systemic inequalities in justice and economic opportunity.

[It was wrong] to hand over Master of Public Policy degrees to people who were no smarter in many cases in understanding how the real world works with racism and power … the day they leave the School than the day they arrived.

I’ll always go back to asking questions about Harvard graduates like the infamous modern politician Kobach, whose degree was based on a repugnant and obviously false thesis that apartheid is good for business. So this is a very welcome step from Harvard that may help avoid graduating another Kobach.

Buffalo Soldiers: First U.S. Park Rangers

Recently I found out blacks invented mountain biking in America. In that history I found multiple references to Buffalo Soldiers being the first park rangers in America.

Source: PresidioSF. Buffalo Soldiers were an integral part in the Spanish-American War, performing much of the heaviest fighting at the decisive Battle of San Juan Hill.

In 1869, Congress established four all-black regiments within the Army – the 9th and 10th Cavalry and the 24th and 25th Infantry. These soldiers, known for their fierce bravery and fighting spirit, were dubbed “Buffalo Soldiers” by Native Americans during the American Indian Wars.

All four of the first regiments of “Buffalo Soldiers” were garrisoned right here in the Presidio during the Spanish-American (1898) and Philippines-American War (1899-1902). There are 450 Buffalo Soldiers interred at the Presidio’s San Francisco National Cemetery.

Buffalo Soldiers protected parks in the western United States before the National Park Service was created. The Presidio’s 24th Infantry and 9th Cavalry units protected both Yosemite and Sequoia national parks in 1899, 1903, and 1904.

Here’s a video posted by Presidio Park in July 2020 that gives more detail to the story as told by Rik Penn, a black park ranger working there now:

It has 405 views.

And here’s even more history from Presidio Park that has ONLY 78 VIEWS!

The commander of “I” Troop was Captain Charles Young, the only African American troop commander in the regular army. A man of many talents, Young was the only Black graduate of West Point still serving in the army.

Life changed for the 3rd Squadron in April and May of 1903, when it was assigned two special missions. On April 23rd the squadron was divided, and Troops K and L were dispatched to Wawona, California, at the southern boundary of Yosemite National Park. Their mission was “to establish a camp with the purpose of protecting the Park from injury and depredations.” These black troops spent the entire season patrolling and maintaining the national park.

Captain Young and the men of I and M troops remained at the Presidio for one last duty before being dispatched to patrol Sequoia National Park. Their duty was to serve as special escort to the President of the United States, Theodore Roosevelt, on his West Coast tour of California. The President visited San Francisco on May 12th through 14th. Thousands of people turned out to greet the Chief Executive.

Accompanying the President through the streets of San Francisco were Buffalo Soldiers on horseback flanking several carriages of honored guests. Captain Young was attired in his dress blues; the soldiers were resplendent wearing their neat but simple blue uniforms with a pill box cap, white canvas leggings and gloves.

The troops provided not only an escort and security for the distinguished guest, but also served as “Guard of Honor.” The San Francisco Call lauded Troops I and M as two “crack military organizations that had the honor of forming Roosevelt’s escort.”

For many of these men, the escort duty had been a reunion of sorts, having last seen “Colonel” Roosevelt on the crest of San Juan Hill in 1898. Although Roosevelt had praised the Black soldiers shortly after the battle, he had since incensed them by making disparaging remarks about their worth as professional soldiers in Scribner’s magazine.

The use of the 9th U.S. Cavalry to provide his escort may have been seen by some as an apology of sorts. Having Captain Young as I Troop commander certainly gave the President a first-hand look at a Black man who was a competent commander and troop leader.

I’ve spent decades in and around the Presidio, I study black history constantly, and yet this is all news to me.

When Futurists Get History Wrong, Can They Predict Right?

What if I told you there is ample evidence to say projectiles with lethal effects beyond arm’s reach are as old as weapons themselves?

…researchers found that 14 of the 25 point fragments bore evidence of impact-related damage, animal residues, and wear features that strongly indicated that these points may have been used for hunting. Examination of the impact-related fractures and the distribution of the points indicated that these points may have been attached to handles to form projectile weapons and that these weapons were projected from a distance, most likely with a flexible spear-thrower or a bow. …the new Sibudu Cave site data may push back the evidence for the use of pressure flaking during the MSA to 77,000 years ago…

There’s even a dart-firing Atlatl product design discussion from the Stone Age:

Darts were not only easier to transport but they penetrated hides with greater force, which likely killed animals quicker. In Alberta, darts were used to hunt bison, sheep, elk, deer, antelope, and smaller animals. Each species likely involved a different strategy and context of atlatl use.

If you really want to get more technical about it, archaeologists say things like the blowgun comes from the Stone Age… yet recent digs in Africa also found primitive Middle Stone Age tools used just 11,000 years ago (20,000 years later than previously thought to have been obsolete and deprecated).

Groups of ancient humans were shifting to newer tools at relative speed, not linearly. It’s actually very important to notice how groups were somewhat isolated and developing projectiles based on locality leading to domain shifts and imbalance in conflict.

I mean it’s kind of like a chicken and egg riddle to ask did the rock wall or throwing a rock come first?

All of that is just preamble to introduce a futurist who has written a prediction of future war based on a curious understanding of the past:

Up until now, the history of military innovation has been about moving lethal effects to an intended victim with greater efficiency. In the Stone Age, a club was an inert object wielded by a human hand to create lethal injury. With the advent of metal, a sword became a more maneuverable and sharper instrument to create the same effect. Gunpowder and the advent of projectiles allowed for lethal effects beyond arm’s reach. Artillery increased the range and impact of lethality. Navies became ways of moving artillery over the oceans to bring lethal effects to other ships and to the shore through fire support missions. Aircraft carriers were invented to support aircraft that in turn delivered munitions with lethal effects. And so on.

That phrase “gunpowder and the advent of projectiles allowed for lethal effects beyond arm’s reach” is just so strange as to be unbelievable. It reminds me of how wrong early theories about Easter Islanders holding weapons were, given they were in fact more like hoes or shovels.

Everyone studies the 1415 Agincourt projectile battle, right? And the whole debate about the ethics of crossbows, because they were so automated that any peasant could use one versus a highly trained archer… all of it long predates this “advent of projectiles” sentence that starts with gunpowder.

It doesn’t look like a typo because it is a linear progression by the futurist. Club then sword then boom you have a bullet and a gun with powder? No. Instead imagine a line from the Stone Age to today for projectiles, a line from the Stone Age to today for hand-held weapons… and even parallel lines for artillery and navies instead of a serial one.

From there this futurist, based on what feels like a very weak presentation of history (falsely linear, and falsely handheld first then projectile 10,000s of years later), presents what he calls the next chapter:

Now comes the discontinuity. In 1999, a book called Unrestricted Warfare was published by two Chinese colonels from the People’s Liberation Army. Its take-home message was that all elements of an advanced society could now be considered as means of waging war. We see this visible now in the war of the meme, disinformation, kompromat, lawfare and cyber threats to key infrastructure, to name but a few.

Use of all means of waging war is by no means a new concept. WWI is probably the best foundational reading for “all means of waging war” in our modern context, particularly Woodrow Wilson’s use of propaganda and nationalizing communications as well as German military spy infiltration of British colonies to force fractures and revolution.

It’s just so strange to see this already dated concept labeled “modern” or “future” war, stranger to see it attributed to 1999 Chinese authors, let alone see that earlier false linear history in the windup.