The panelists were:
William P. Crowell – former Deputy Director of the National Security Agency
Michael P. Jackson – Deputy Secretary, Department of Homeland Security
Jose A. Rodriguez, Jr. – former Director CIA, National Clandestine Service & CIA, DCI Counterterrorist Center

Overall, it was a very nicely arranged event on a brisk fall evening with about 100 CXO attendees; mostly large but some small government contractors and a few product companies like ScienceLogic that conduct business with military, intelligence and the public sector.

No surprise, given the financial crisis the economy is suffering from that the panelists said we also have a crisis coming on the Federal budget front. This will put enormous pressure on the way Administration thinks, and how and where to spend the $$.

Obama’s tone regarding the issues he will be confronting in the world during the election was encouraging. Make the world more non-partisan and take on the threats that we have in front of us head-on!

The panel was very upfront about current threats. William Crowell said,

“It is highly imprudent to believe that there will not be another 9-11. We have to fund and support the work to stop other attacks. We can only mitigate risk but we can’t eliminate risk. We have to try to absorb the sense of urgency and wake up every day looking at the intelligence screens as if 9-11 happened within the last couple of months.”

He added,

“They (the intelligence community) need the innovation, sense of commitment and urgency that comes from the private sector – a sense of mutual commitment to that mission.”

Predicted Priorities for investment for DHS:

1. Cyber attack as the top issue
2. Nuclear threats including dirty bomb
3. Chemical and biological attacks
4. Explosive attacks against critical infrastructure with maximum # of lives and or financial disruption / loss.
5. Large scale natural disasters – hurricane + earthquakes
6. Border penetration - identity management and border management issues

An Obama administration will spend dollars around these threat vectors. They will want to spend $$ to help state and local governments. Grants to state and local governments should significantly increase with the Obama administration, so think about how you will increase your focus on the state and local government spending initiatives.

Secure border investments – the panelists believe that the new administration will feel compelled to invest here. Michael P. Jackson bluntly said, “You have to make investments in border tools to get meaningful immigration reform.”

Panelists agreed that the 1^st year will be an intense period of scrutiny about fundamental directions. We can’t afford it all at DHS; it is dramatically under budgeted. At TSA/DOT and then at DHS, we spent about $4 Billion on technology investments since 9-11; those investments are now reaching the end of the original service life.

One gripe from the panel that I found humorous: “We don’t have a group of people who think like entrepreneurs.” It is insane how long things last when you buy things in the government. As an example, we are still replacing vacuum tubes in some of the very old FAA gear… this is well beyond what any reasonable person would think these initial investments should/would last.

Final Thoughts:
I actually think that the Obama Administration will be quite favorable to COTS software products, SaaS offerings, and creative financing initiatives from the private sector. The government just won’t have the capital budget to do everything it wants to accomplish. I would say if you look at how intelligently and aggressively Obama used technology to assist his campaign, the odds are good that this new breed of IT talent (which is already really comfortable with SaaS products, blogs, wiki’s, hosted/outsourced Cloud solutions… this team really understands the latest technology trends) will quickly work to bring these new IT paradigms to the Federal marketplace. Clearly the private sector can help the Government achieve more with lower capital budgets – beginning to provide services rather than transaction-based selling. Another clear idea is to think about leasing as a better way to work with the government which going forward will have increased budgets restrictions.

They will likely be in confrontation with members of Congress that won’t change fast enough, however the future of our nation’s ability to fight terror lies in becoming more efficient and effective. It requires the government be flexible enough to figure out what jobs and IT functions to outsource in a nimble and smart way. My prediction: this is great news for Service Providers. Overall the next 4 years should be great for our business as well as the Managed Service Provider/SaaS industry!

Espin references Joe Sharkey's excellent column on in-flight calling in Sunday's New York Times: Sharkey, a veteran travel writer, who survived a mid-air collision over the Brazilian Amazon a few years ago, looks at varying attitudes about calls made during flights. He quotes Aircell's Jack Blumenstein saying what I've telling folks for months: Aircell has a lot of techniques to block VoIP calls already, and "as we identify new ways that people are trying to do voice calls on the airplane, we just kind of zero in and knock those off." Many geeks have assumed Aircell is a bunch of unsavvy folks who wouldn't be able to figure out how to disrupt their clever workarounds for making VoIP. (I keep noting that introducing jitter for suspicious data connections wouldn't disrupt legitimate applications, but would destroy VoIP call quality.)

He's not very positive about it, because his research shows a mismatch between claims and work. He writes that an unnamed American airline executive is frustrated by the delay in launching the 3-to-6 month pilot on their trans-continental fleet; that Aircell hasn't submitted paperwork for Virgin's Airbus models for certification; and that the FAA just received a request to certify Delta's MD-80 craft, which makes a launch with 75 planes this year on that airline less likely.

Competitor Row 44 doesn't fare better in his analysis, as they promised spring and summer 2008 tests that still haven't happened, with Southwest and Alaska Airlines.

I'm a little more positive about the future of in-flight broadband. There's no particular conspiracy. It's hard to make it work. Development and testing is tricky due to FAA limits, and getting in-flight handoffs to work for seamless service at 35,000 feet is far more difficult than, say, cellular handoffs in a moving car at 100 feet above sea level. My suspicion is that tuning the service to be entirely reliable at launch is what's taking so long.

Brancatelli blames the high price of Connexion on its failure, but I don't think the $27 fee for long-haul flights deterred users. Lufthansa, which deployed all its long-haul fleet, apparently had very good usage. Most other airlines had few craft equipped, which didn't allow business travelers, able to expense several hours of work for a $27 fee, the reliability of having on-board Internet when they needed it. Connexion also had many reports of spotty service in certain areas.

Connexion's failure came from deploying technology that was old when it was deployed, which weighed too much, and which was too expensive to install. Connexion's revenue and expenses were forecast based on having several hundred aircraft with Connexion service--recall that it was supposed to be a domestic U.S. service, too. In the end they had about 100, I believe.

Brancatelli is also modest when he says Boeing "lost" $300m. That's part of what they wrote down. My sources say they spent more than a billion in R&D, transponder leases, ground station operation, airline incentives, and payoffs at the end.

The HANG UP Act (Halting Airplane Noise to Give Us Peace, cute) will make the regulatory actions statutory. Oregon Rep. Peter DeFazio has been pushing such a move to prevent airlines from moving forward on such services despite the overwhelming distaste by American travelers. In Europe, Asia, and the Middle East, there appears to be less concern, and we'll see how it works out when calling starts to become widely available on RyanAir and other airlines by year's end.

AirCell's near-term launch with American Airlines of its GoGo Internet service will use various measures, including crew involvement, to prevent in-flight VoIP.

To enable in-flight calling, OnAir and others place a low-power picocell in an aircraft which handles all the frequencies that could be used by mobile phones. The phones associate with the picocell, keeping their power output low. The picocell could be used to prevent calls entirely, too.

I’m baaaaaack! As many of you noticed, Myrcurial was a trooper last week manning the battlements here at Liquidmatrix as I handled a personal project. And now, I can share the good news. My wife and I had our first child last week! Both mother and baby are doing great!

Thanks to all of our new subscribers that joined us yesterday. Welcome!

Click here to subscribe to Liquidmatrix Security Digest!

And now, the news…

1. Phishers Target New Victims on LinkedIn | PC World
2. Banks and Google mailing PIN codes on pieces of paper | the Inquirer
3. Sourcefire rejects Barracuda bid | vnunet
4. MediaDefender Defends Revision3 SYN Attack | Wired
5. US FAA database corrupted by hard drive failure | Blocks and Files
6. Bruce Schneier Q&A: The Endless Broadening of Security | CSO Online
7. Card issuers passing on fraud costs to retailer | Colorado Springs Gazette
8. H-1B opponents challenge Bush administration in court | Computerworld

Tags: News, Daily Links, Security Blog, Information Security, Security News

Is it a coincidence that St. Paul is getting Comcast's fastest service? St. Paul, just over the river from Wi-Fi-loving Minneapolis, will get news tomorrow from its cable provider that DOCSIS 3.0 technology will be rolled out. This latest flavor of cable standard will allow 50 Mbps down and 5 Mbps up in Comcast's initial rollout. Service will run $150 for 50/5 Mbps; 6 Mbps and 8 Mbps downstream service are currently $43 and $53 per month. The faster service will hit 20 percent of Comcast's customers nationally by 2009 and fully rollout by 2010.

According to the investigation, 122 Federal Aviation Administration safety inspector badges have been stolen or lost in the past five years. The credentials are one of the few forms of identification that give complete and unfettered access to airport facilities, including the cockpits of planes in flight.

"The FAA badge is probably of all the badges just as dangerous if not more so than any other," aviation expert Denny Kelly said.

Kelly, a former commercial pilot and a private investigator, said the badge can give a person free access to nearly every secure area of an airport.

"The FAA badge allows you not only on one airline, plus getting through security, it allows you to get on any airline, any airplane, anyplace," he said.

The computer network in the Dreamliner's passenger compartment, designed to give passengers in-flight internet access, is connected to the plane's control, navigation and communication systems, an FAA report reveals.

And:

According to the U.S. Federal Aviation Administration, the new Boeing 787 Dreamliner aeroplane may have a serious security vulnerability in its on-board computer networks that could allow passengers to access the plane's control systems.

More press.

If this is true, this is a very serious security vulnerability. And it's not just terrorists trying to control the airplane, but the more common software flaw that causes some unforeseen interaction with something else and cascades into a bigger problem. However, the FAA document in the Federal Register is not as clear as all that. It does say:

The proposed architecture of the 787 is different from that of existing production (and retrofitted) airplanes. It allows new kinds of passenger connectivity to previously isolated data networks connected to systems that perform functions required for the safe operation of the airplane. Because of this new passenger connectivity, the proposed data network design and integration may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane. The existing regulations and guidance material did not anticipate this type of system architecture or electronic access to aircraft systems that provide flight critical functions. Furthermore, 14 CFR regulations and current system safety assessment policy and techniques do not address potential security vulnerabilities that could be caused by unauthorized access to aircraft data buses and servers. Therefore, special conditions are imposed to ensure that security, integrity, and availability of the aircraft systems and data networks are not compromised by certain wired or wireless electronic connections between airplane data buses and networks.

But, honestly, this isn't nearly enough information to work with. Normally, the aviation industry is really good about this sort of thing, and it doesn't make sense that they'd do something as risky as this. I'd like more definitive information.