The New World Order: July 2017

NSA Creating Spy System To Monitor Domestic Infrastructure

The National Security Agency has begun work on an "expansive" spy system that will monitor critical infrastructure inside the United States for cyber-attacks, in a move that detractors say could end up violating privacy rights and expanding the NSA's domestic spying abilities.

The Wall Street Journal cites unnamed sources as saying that the NSA has issued a $100-million contract to defense contractor Raytheon to build a system dubbed "Perfect Citizen," which will involve placing "sensors" at critical points in the computer networks of private and public organizations that run infrastructure, organizations such as nuclear power plants and electric grid operators.

In an email obtained by the Journal, an unnamed Raytheon employee describes the system as "Big Brother."

"The overall purpose of the [program] is our Government...feel[s] that they need to insure the Public Sector is doing all they can to secure Infrastructure critical to our National Security," the email states. "Perfect Citizen is Big Brother."

"Raytheon declined to comment on this email," the Journal reports.

Some officials familiar with Perfect Citizen see it "as an intrusion by the NSA into domestic affairs, while others say it is an important program to combat an emerging security threat that only the NSA is equipped to provide," the Journal states.

The program is reportedly being funded under the Comprehensive National Cybersecurity Initiative, a program launched by the Bush administration in January, 2008, and continued under the Obama administration. The initiative is budgeted to cost $40 billion over several years.

ANOTHER WAR WITHOUT DEFINITION?

News of the spy system comes in the wake of months of news reports and government statements on the the threat of cyber-attacks. Last year, the US pointed the finger of blame at North Korea for a "widespread" attack on US and South Korean government computers. Earlier this year, a coordinated attack on Google servers was identified as originating from China.

But many observers say the threat of cyberwar is exaggerated, and they suggest that profit may be a motive behind efforts to build cyber-defense systems.

"It's about who is in charge of cyber security, and how much control the government will exert over civilian networks," writes security technology expert Bruce Schneier at the CNN Web site. "And by beating the drums of war, the military is coming out on top."

Schneier sees danger in the media "mislabeling" activities like computer hacking and "cyber-activism" as "cyberwar."

"One problem is that there's no clear definition of 'cyberwar.' What does it look like? How does it start? When is it over? Even cybersecurity experts don't know the answers to these questions, and it's dangerous to broadly apply the term 'war' unless we know a war is going on."

MONEY TO BE MADE

In a report published last month, Cecilia Kang at the Washington Post described cyber-security as "Washington's growth industry of choice," and companies in the business are "in line for a multibillion-dollar injection of federal research dollars."

Kang reported: Delivering the keynote address at a recent cybersecurity summit sponsored by Defense Daily, Dawn Meyerriecks, deputy director of national intelligence for acquisition and technology, said that along with the White House Office of Science and Technology, her office is going to sponsor major research "where the government's about to spend multiple billions of dollars."

Also:

Is the NSA's 'Perfect Citizen' the Ultimate Spying Tool?

Could the NSA's new "Perfect Citizen" actually be used for spying on every citizen in the U.S.?

The name sounds like an action movie -- the heroic vigilante chases down the bad guys to aid his country and prevent a nuclear armageddon. It also sounds like the worst possible name for a government program intended to protect citizens, not spy on them.

The NSA's new cyber-security program Perfect Citizen will monitor nuclear power plants, train stations, and the electric power grid to safeguard against cyber-assaults.

And as the Wall Street Journal reported, the new program is intended to monitor cyber-terrorist threats and "would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack."

According to that report, Raytheon was awarded a $100M contract to develop Perfect Citizen. (Raytheon declined to comment to FoxNews.com, as did the NSA other than describing Perfect Citizen in an official statement as a "research and risk-assessment" project that does not use sensors.)

How would such a system work? Why do experts fear it could be turned against us? And should the government really be in the business of installing sensors on the private power grid and at nuclear plants owned by private companies?

Fighting cyber-attacks

Your local power plant was built long before Google became a household name. Yet just about every nuclear power plant, train station, subway system and local power company now connects to the outside Internet, either for employees to access their e-mail or just to check the weather.

And many utility companies provide remote access for workers to monitor these utility systems; some plants are even interconnected over the Internet to share data.

Perfect Citizen will analyze these attack vectors and plug any security holes. Yet experts claim the new program is just a stop-gap measure -- a band-aid on an old wound.

"Cybersecurity wasn't even a concept when these infrastructure systems were built, and yet they have now all been connected and interconnected online -- making them high profile targets for a cyber-attack," says Hemanshu Nigam, a security consultant who advises Congress on cyber-security.

"Finding anomalous activity will do very little to prevent real cyber-attacks, especially since Perfect Citizen will not be 24/7 and will not be all encompassing [to every point of entry into these systems]."

Nigam says Perfect Citizen is a very broad security program. It will monitor nuclear plants and the electric grid for denial-of-service attacks, which is when hackers -- many of them from China and Russia -- send repeated requests to a computer to cause an overload and failure. Nigam says cyber-terrorists already know the NSA fights denial-of-service threats and will attack through other means.

Interestingly, a more likely attack vector at power plants is the Web browser on an employee's workstation, says Bradley Anstis, a vice president at M86 Security. A terrorist might use malware that tricks an employee into installing a virus, which then infects higher-level systems -- such as a command and control server -- on the same network.

Krish Shetty, the CEO at Wiznucleus, a company that specializes in protecting nuclear power plants and power companies from cyber-assaults, says protecting the aging utility infrastructure in the U.S. requires a risk-assessment for every plant and at every endpoint -- and that Perfect Citizen is a step in the right direction. Yet the challenge is in correlating why a cyber-attack occurred at one power plant and learning from that new attack.

Nigam suggests a similar ground-level approach to protecting power plants. He advocates grants and incentives to companies to build their own private security layer.

Mike Lloyd, the chief scientist at the security company RedSeal Systems, says our current utility cyber-defenses are weak compared to what they should be. He says a terrorist only has to find one weak spot, but a security defense needs to protect against every conceivable attack.

The main issue with protecting utilities is that they are incredibly complex -- not just one company at an office, but multiple buildings and networks, a complex infrastructure with antiquated systems.

The next step: no more privacy?

If Perfect Citizen really is a series of sensors that monitor cyber-attacks, it's easy to envision how this same network could be used for monitoring everyday citizens.

With any NSA program, communication is a one-way street, noted Nigam. There won't be any new official information about the Perfect Citizen program, so it's left to the experts to hypothesize about what it really is -- and the true nature of the program, he says.

They have. And they're worried about what the NSA is planning.

For starters, there's a Wired.com report that claims the NSA has teamed with Homeland Security to get around any legal entanglements, hinting at a justification for spying on U.S. citizens. And a story in The Economist declares a new cyberwar that involves secret cyber-weapons and cyber-armies from Iran, North Korea, and Russia attacking utility companies and the grid.

In the Wall Street Journal, an unnamed military official said Perfect Citizen is long overdue and that "any intrusion into privacy is no greater than what the public already endures from traffic cameras."

All told, Nigam maintains that Perfect Citizen is a result of new beefed up security measures, partly due to an influx of funding for the Comprehensive National Cybersecurity Initiative.

"The Obama Administration is playing catch-up. And so for that reason alone it needs to invest more than ever," says Nigam. "Such spending is fully warranted only if it is directed to the right areas, and right now the Perfect Citizen program is not a good example of that."

Digital Driver’s License - Your ID In Your Smartphone

The world is evolving rapidly towards mobile and digital formats for many everyday tasks.

Key drivers for this trend are convenience and ease of use for transactions that require some form of identification. And one of the most used documents to confirm identity is looking at going down this route - the driver's license .

The primary goals of the driving license, whether physical or digital, remain to confirm identity and to confer the right to drive a vehicle.During the course of the last two years, studies and pilots have been launched in several states in the US to explore the technical feasibility of a digital driver's license.

There, digital driver's licenses also named mobile driver's licenses are set to retain the key visual aspects of a physical driver's license, displaying the driver's personal information - name, address and date of birth, along with his photo.

Various technologies are considered to address but security and user friendliness will be key drivers.

There's more.

The topic is now receiving even more federal attention.

In August 2016, the U.S. Commerce Department's National Institute of Standards and Technology (NIST) awarded a grant to further support the development of trusted identities based on Digital Driver's License provided by states.

Through a $2M grant awarded to Gemalto, four jurisdictions – Idaho, Colorado, Maryland and Washington D.C. – are implementing a pilot for a secure Digital Driver's License (DDL), which many believe to be the future of trusted identities. In 2017, Wyoming decided to join the pilot.

Discover in detail and pictures the July 2017 DDL pilot in Colorado.

There are striking similarities in challenges and potential benefits with what is called a "national eID scheme" in many other countries where states are including digital identity as a defining feature in a digital space of trust, with good levels of security, interoperability and data protection.

See our January 2016 white paper on national identity schemes to learn more on this topic.
Digital driver licenseConvenience of the mobile format – potential new identification use cases

Beyond the important security aspects, issuing authorities have shown particular interest in the universal convenience of this mobile format:

    Convenience for holders, who can travel lighter with a digital driver's license, instantly updatable, on their phone.
    Convenience for law enforcement or other parties wanting to verify identity and privileges.
    Convenience for issuing authorities who can explore new services needing such a trusted and secure channel for sharing and validating identity.

The driver's license has been a standard for decades, acting not just as proof that you can drive but as an ID to verify age and identity, opening mobile driver's license to many usages such as:

    Police control: roadside stops to identify the driver of a vehicle and his/her privileges.
    Proof of age: where purchase of alcohol, as in many countries, is restricted to people aged 18 or more, verified by the retailer.
    Car rental: to identify the renter, ensure driving privileges and share attributes (address…etc )
    Identity validation or confirmation for hotel check-in, financial institutions, social services...
    Online authentication: from access control to identity verification…

When could you use a DDL?
Digital driver's license - The 2016-2017 US landscape

Iowa was the first state decide to test digital driver's license in 2014. It started a pilot on an IOS platform with 100 state employees at the end of 2015. The goal was to test the daily usability of the solution. The Department of Transportation hopes to make the app public in 2017.

Several legislatures (legislative body of States in the United States) authorize the study of smartphone driver's license app such as Arizona, Illinois, Utah and Texas to name a few.

Some other states have legislation under consideration. Idaho, Colorado, Maryland and Washington D.C are now on their way to set up a pilot funded by a federal grant.

    In Tennessee, legislation (HB556) enacted in May 20, 2015 authorizes the State DMV to develop a secure "electronic driver license system" and to display electronic images on a cellular phone or any other portable electronic device.
    In Arizona the Senate Bill 1237 bill was passed and signed on May 11, 2016. The Arizona Department of Transportation (ADOT) has to study and specify what may be done with an electronic driver license.
    In Utah, Bill 227 effective in May 2016 requires the Driver License Division and Department of Technology Services to study and report findings and recommendations regarding electronic driver licenses.
    In Louisiana, Bill 481 was signed by Governor Edwards on June 23, 2016. The law outlines requirements for a digitized driver's license. It allows persons to use the digitized license in lieu of a physical license when stopped by law enforcement. The proposed law provides that display of the digital driver's license shall not serve as consent to search the mobile device. A fee of up to $6 can be charged for use of the drivers license app.
    Kentucky was considering the topic as well but the feasibly study has not been launched as the measure did not receive a hearing.
    In California, the state legislature passed a bill (February – September 2015) to study the feasibility of a digital mobile driver's license app for smart phone. It was however vetoed by Governor of California Jerry Brown in October 2015.
    In New Jersey, the bill introduced in January 2016 has been withdrawn from consideration in February 2016.
    In Illinois, the Legislature approved a resolution in 2015 that created an Electronic Driver's License Task Force to study the feasibility of a digital/mobile DL. The Task Force reported its finding on April 21, 2016. It recommended that the Secretary of State continue to monitor advancements in mobile driver's license technology.
    In March 2015, North Dakota passed HCR 3036, a bill to study implications of driver's licenses for smart phones. However, the measure has not been considered as of October 2016 by Legislative Management.
    In August 2016, through a $2M grant awarded to Gemalto, Idaho, Colorado, Maryland and Washington D.C. are to set a pilot for a secure Digital Driver's License (DDL). Its goals are to define and create a convenient and secure way for citizens and authenticating parties to exchange and verify government-issued credential information via smartphone.
    In 2017 Wyoming joined this initiative.
    On March 21 2017, in Arkansas, the Senate Bill 428 was signed into law and is allowing the Office of Driver Services to issue a digital copy of an Arkansas driver’s license for a $10 fee.
    In July 2017, Colorado and Maryland started a live pilot. Follow the progress of the DDL pilot on our dedicated pages. September 2017 was dedicated to full pilot analysis, conclusion, lessons learned, best practices. Stay tuned for the December 2017 phase of the pilots.

The American Association of Motor Vehicle Administrators Working Group is looking at DDL standards and their specifications.

The legal environment is also positively impacted by the famous Riley v. California case of September 2014. The United States Supreme Court ruled that Police may not, without a warrant, search digital information on a mobile phone seized from an individual during an arrest.

This makes it easier for states to implement DDL solutions since the court is clear: police cannot arbitrarily search phones.
Other initiatives around the world

    In Australia, New South Wales announced in November 2015 the introduction for 2016 of digital driving licenses on smartphones and in February 2016 the press revealed that Victoria is also analyzing technology to produce a digital driver's license app in the next few months. Western Australia State announced a plan to turn driver's licenses into digital IDs in April 2016.

    New South Wales' Premier Mike Baird promised to introduce the digital license within four years. However a lot of co-operation will be needed to set up a working multi-jurisdictional approach in the country.

    In November 2016, NSW's Minister for Finance, Services and Property Dominic Perrottet said that digital driver licences will be introduced by 2019. A pilot in Dubbo started in November 2017.

    In October 2016, senior officials at the Dutch road transport authority have made it clear that the country is working on a mobile app version of the license that would accompany a card.

    In May 2016, Britain's Driver and Vehicle Licensing Agency (DVLA) revealed it was also working on a digital driving licence for smart phones and showed a "prototype" of a feature that would let people store their license in their phone and turn driver's iPhone into an ID. According to the Daily Mail of March 31, 2017, the Agency will test the system this September and plan a roll out for spring 2018. The existing UK driving licence will still be available.
    In July 2017, CONTRAN, the Brazilian National Traffic Board, approved a proposition for a digital driver's license to be launched in 2018.

In Other countries like India are investigating this option.
DDL standards at early stage

As of today, the market is at an early stage and standards are not fully defined. In 2016, the ISO SC17 WG10 - Task Force 14 "Mobile Driving Licence" started to work on verification standards for Mobile DL and defined the scope of off-line verification.

2017 will see draft specs of both off-line and on-line verification appear for a new work item.
Mobile driver license
4 key requirements

Mobile driver's license needs to address 4 key requirements in order to gain acceptance as a trusted digital identity.

It needs to be :

    accessible in both online and offline modes,
    highly secure to protect the confidentiality and privacy of user data,
    interoperable between different issuing and verifying authorities,
    able to manage the integrity of data throughout its life cycle - from enrolment to the in-field verification process.

For the time being, mobile driving licenses will not replace physical driver's licenses but will exist as a secondary form of ID to complement to these physical driver's licenses.

How would you get a DDL on your phone?
Technologies and implementation models from Gemalto

In September 2015, Gemalto conducted an extensive study with a consumer on-line community gathering 200 members from the United Kingdom and United States. The direct feedback from potential users of the digital driver's license solution revealed the benefits, concerns and the diversity of audiences. These results allowed the company to set up relevant implementation models.

Gemalto Mobile DL solutions bring technology and implementation models which take into account user-friendliness, the local DL schemes and practices (drivers, Police, service providers…), and provide the highest level of security in both credential storage, data transmission and verification.

What's the story here?

Not only does a digital credential bring new layers of security, such as PIN or fingerprint verification, but it is also much more difficult to fraudulently duplicate or alter.

Why?

Because it is checked with the issuer backend in real-time, a fraudulent credential can quickly and easily be identified as invalid, to make verifying even out-of-state digital credentials significantly simpler and more secure.

If a user's mobile device is ever lost or stolen, the digital license can be remotely deactivated or wiped almost instantly.

Secure DDL

Unlike a traditional driver's license card, a mobile driver's license never needs to leave the owner's hands. A person verifying the driving license in the field will have access to advanced real-time authentication through another version of the application on an authentication device – either another smart-phone or a reader.

No footprint is left on the verification device and no geo-location tagging or tracking of user information occurs.

With a digital driver's license, an issuer can have much greater control over in-use credentials compared to a traditional physical license - for example alerting holders when their license is about to expire. Citizens could also update their personal information or even renew their license directly through the application instead of visiting a branch office, saving time and resources.

Control and convenience will prove essential elements for issuers and users on the road to mobile driver's licenses.

This form of digital credential could enable a new, more efficient and more secure way of authenticating a person and their entitlement for a range of personal identification usages.

New 'Sonic' Attack Reported In Cuba, 19 Americans Now Affected

Sonic Weapons

Nineteen Americans are suffering from a range of symptoms, including mild traumatic brain injury and hearing loss, related to mysterious "sonic harassment" attacks in Cuba -- with a new incident reported just last month.

Previously, U.S. officials said the incidents started in December 2016 and ended this past spring. But State Department spokesperson Heather Nauert revealed Friday that a new incident occurred in August and is now part of the ongoing investigation.

"We can’t rule out new cases as medical professionals continue to evaluate members of the embassy community," warned Nauert, who has described the situation as "unprecedented."

The U.S. government, including the FBI, continue to investigate who and what are behind the incidents, but with no firm answers so far.

The American Foreign Service Association said Friday that its representatives met this week in Washington, D.C., with Foreign Service Officers posted at the U.S. embassy in Havana who have faced diagnoses including mild traumatic brain injury and permanent hearing loss, but also loss of balance, severe headaches, cognitive disruption and brain swelling.

Traumatic brain injury is caused by a violent blow or jolt to the head or body that may cause temporary dysfunction of brain cells or more lasting damage, according to the Mayo Clinic. Symptoms can be immediate or appear days or weeks later, ranging from loss of consciousness or confusion to sensory problems, memory loss, or headache and nausea.

AFSA said they only met with 10 affected because the others were not available; the State Department has said that some of those affected have remained at their posts in Havana.

Sources have told ABC News that some U.S. officials were exposed to a sonic device in Havana that caused serious health problems and physical symptoms. Sound waves above and below the range of human hearing could potentially cause permanent damage, medical experts have told ABC News.

No device or piece of equipment has been discovered yet, according to Nauert. Some of the affected Americans are still experiencing symptoms "because the symptoms are experienced at different times, because the symptoms are different in various people," according to a State Department official.

The Cuban government, which denies any involvement, is said to be cooperating with the ongoing U.S. investigation, but the two governments are not working together on the matter.

In May 2017, the State Department asked two Cuban officials working at the embassy in the United States to depart the country. The State Department said that the move was not a form of retaliation or a sign that the U.S. believes Cuba is behind the attack but rather to punish Cuba for its failure to keep American diplomats safe -- something it is obligated to do under an international treaty known as the Vienna Convention.

AFSA is encouraging the State Department and U.S. government to "do everything possible to provide appropriate care for those affected, and to work to ensure that these incidents cease and are not repeated."

"What has happened there is of great concern to the U.S. government," Nauert has said, defending the U.S.'s response. "Let me just reassure you that this is a matter that we take very seriously.... It is a huge priority for us and we're trying to get them all the care that they need."

There have been no reports of other embassies experiencing this, a senior State Department official said.

By: http://abcnews.go.com/