Operational Security, Situational Awareness, and Ignoring Experts

Par for the Course for a Man Unfit for the Office

Back in 2015, members of ISIS were targeted and eliminated by the US after they posted to social media and included location information in their updates. It was an easy win for the US: you don’t have to look for the enemy when you have GPS coordinates that are accurate to within 3 meters. Gen. Hawk Carlisle, commander of Air Combat Command, had the following to say about the intelligence:

These guys that are working down at Hurlburt (Florida), they’re combing through social media. And they see some moron standing at this command and control capability for Da’Esh, ISIL. These guys go, ‘ah we got an in,’
Long story short…three JDAMs take the entire building out

One would like to think that our new Administration has been paying attention, but it appears not to be the case. Over the weekend, our esteemed president openly handled the US response to North Korea’s missile launch in public at the President’s Mar-a-Lago resort. The flurry of activity, which should have been handled behind closed doors, was not only witnessed by onlookers, but captured and posted to social media by a guest.

Much has been written about President Trump’s continued use of his antiquated and unsecured Samsung Galaxy S3 cellphone. Setting aside the fact that the phone is not an approved device, that it is not encrypted, and that there are alternatives approved by security agencies which would be more appropriate, the fact is that the Samsung Galaxy S3 is ancient technology. As Nicholas Weaver wrote on the blog Lawfare:

A Galaxy S3 does not meet the security requirements of the average teenager, let alone the purported leader of the free world. The best available Android OS on this phone (4.4) is woefully out-of-date and unsupported.

Operational Security, as well as Situational Awareness, are critical when conducting business, even more so when conducting the business of the nation.

The DOD Education Activity website provides a good working definition of OPSEC. Perhaps the most important sentence on the site reads:

OPSEC is best employed daily when making choices about what communications to use, what is written in emails or said on the phone, postings on social networking sites and blogs. Any information you put in the public domain is also available to your adversaries.

The US Coast Guard defines Situational Awareness as “the ability to identify, process, and comprehend the critical elements of information about what is happening to the team with regards to the mission. More simply, it’s knowing what is going on around you.”

Our President and his team demonstrated a blissful ignorance of both these basic principles over the weekend.

The news that this event happened on the heels of the dismissal of the White House Chief Information Security Officer, Cory Louie, last week on Thursday only heightens the anxiety associated with this event. While Louie was a holdover from the Obama Administration, and clearly had a target on his back, it is highly disturbing that he was dismissed without a replacement. This has been a repeated pattern in the Trump White House.

Last month, Trump named Rudy Giuliani as his Cyber Security Advisor, and the former mayor of New York City began assembling his advisory board. On January 31, 2017, Eric Geller tweeted out a list of members of this advisory board.

Back in the first debate, Trump revealed just how ignorant he is when it comes to cyber security, when he rambled on denying the possibility of Russian hacking and stating that it could be a 400-pound man in bed who hacked the DNC. Among his choicest words that night were:

So we have to get very, very tough on cyber and cyber warfare. It is — it is a huge problem. I have a son. He’s 10 years old. He has computers. He is so good with these computers, it’s unbelievable. The security aspect of cyber is very, very tough. And maybe it’s hardly doable.

Dave Lewis, a well-known member of the information security industry who works at Akamai and publishes the blog Liquidmatrix, responded to Geller’s tweet:

It’s worth highlighting that while there are representatives from the NSA, there are no other representatives from our other intelligence communities. It’s worth mentioning that not a single member of this advisory board hails from the information security industry and not a single member of this advisory board comes from a major university.

This, too, seems to be in character. Trump routinely ignores and excludes the experts. We’ve seen it in many realms, including ethics (no blind trust), science (silencing the EPA and removal of Climate Change information from whitehouse.gov), and the courts (firing the acting AG, Sally Yates).

As a concerned citizen, who has worked in the information security field for the past 20 years, this is all highly disturbing. I’ve been arguing with friends for months about the fact that Trump’s refusal to examine the Russian hacking connections is less about de-legitimizing the election and more about our national security. These claims seem to fall on deaf ears, because we have been so divided as a nation and people seem to be vehemently loyal to the parties which are increasingly disloyal to their constituents.

Trump is a clear and present danger to not only our nation’s security, but to the security of the world order. His ineptitude has been demonstrated over and over again and he is unfit to run the country. We need the Republican majority in Congress to wake up to these facts and stop toeing the party line in order to further their partisan politics.