Ali-Reza Anghaie (Right) is a Consulting Security Engineer and Senior Analyst with Wikistrat. His varied work in engineering and security has taken him to numerous universities and Fortune 500 companies in the Defense, Energy, Entertainment, and Medical fields. You can follow Ali-Reza on Twitter and Quora. Scot Terban (Left), AKA the gonzo INFOSEC blogger Krypt3ia, blogs at http://krypt3ia.wordpress.com. You can also find him on Twitter. Both host the weekly Cloak & Swagger: Security Unhinged podcast.

John Little: Let’s start off with a Skyfall-esque word association game. Ready? “Cyber Pearl Harbor”

Ali-Reza Anghaie: Geraldo. (Yes, that’s my answer. Say `Cyber Pearl Harbor` in his voice and you’ll want to strangle yourself too.)

Scot Terban: Expletive.

John Little: Alright, so what is it about “Cyber Pearl Harbor” that sets you two, and many other infosec professionals, off? What are Panetta, Lieberman, and other Beltway types getting wrong about the legitimate threats we face in the digital domain?

Ali-Reza Anghaie: Lets clarify “getting wrong” – as professionals we encounter `wrong` all the time. ~Intentionally~ exaggerating and obfuscating threats is what has been happening in DC. However, it’s also politics – you never hear a politician talk about any issue in a way that satisfies the wider professional community of that issue. That’s quite intentional – as the people who really know are absolutely the people that politicians need to play ~against~ to centralize and pull power toward their own spheres of influence.

And that’s really the part that burns me – the echo chamber they’ve built is designed to accomodate just those that will work within the confines of the existing DC dynamic. And so much energy is exhausted in just that posturing that by the time you get to actual technical working groups – you’re already on the tail end of resource availability. So, if you’re lucky, you’ll get through one or two iterations of actual policy driven work before the next manufactured crises hoovers priority elsewhere.

Since this is the inevitable cycle, I suggest we move straight to the end – private industry needs to step to the plate as a competitive matter because Government, as Government always does, will punish you using whatever laws do or don’t exist as soon as it’s politically tenable. And won’t provide any solutions along the way. Why not just get it over with?

You know – I’d probably be less cynical and in a better mood if you stopped saying “Cyber Pearl Harbor”..

Scot Terban: It’s jingoism at its best. It is propaganda and a tool to get people to react in a knee jerk way.

What are Panetta, Lieberman, and other Beltway types getting wrong about the legitimate threats we face in the digital domain? Everything. They do not comprehend the technologies involved nor the complexities of what they are advocating as the end of the world. They need to let the professionals who deal with this technology and space give the answers. It’s akin to telling a five year old to go on to Meet The Press and explain quantum mechanics.

John Little: There are countless layers to this problem and many of them are not “technical”. There are human factors and physical security issues for example. In most cases there are no paths to 100% security. So where, from a national security perspective, should we focus or efforts and dollars? What would get us the most bang for the buck?

Scot Terban: Well, contrary to what a Dave Aitel or lately Schneier might posit, more security awareness for the general populace to start I think. This is more so for companies that are within the sights of an APT adversary but also look at what goes on with crimeware to start right? How much of this could be stopped just with making sure people understand the technology that they own and should be managing? We are all supposed to have training to drive a car and a license so why not at least have a better grasp on the PC and how things work right?

*wait’s for Ali’s head to explode*

But really, knowledge is power and unfortunately I don’t think this will happen either really. The money will all go into offensive campaigns within the CyberComm and we will lag behind on defense. Look at the EO and how the corps responded to it. “hey yeah, we would like to do less” I know Ali thinks that is all about letting the gubment take over and that is what they want but I disagree here. I think they do not want the government dictating to them nor do they want to be responsible for the security of their environments at the level of mandate because they would be held to it by assessment.

I think in the end your question is moot because nothing will be done that will help us.

Ali-Reza Anghaie: The pounding of the `do the basics` drums needs to be louder than the `sexy` drums..

However, I think the biggest things we can do at a national security lever are:

1) Admit defeat at the Government level. Make it clear – CLEAR – that if you’re waiting for Government to combat your hacking problem, you’re going to die.

2) You. Must. Compete. There is a concept called “Intellectual Property Obesity” that has ravaged the American innovators for some time. They spent too much time on Copyright, Patent, and IP theft and not enough on risk analysis, business development, existing means of competition.. concentrate on ~everything else~ that has made America less competitive on a global scale.

In the end, if we’re to suffer a `death by a thousand cuts`, it’s not because of cyber espionage from the Chinese or anyone else. That’s but a small part of the bigger picture.

Now – that speaks to national security at the economic level, which I think is most important – but some conflate this as all purely defense/military in nature. The solutions to that problem set as a bit different and, in part, require actually letting people fail. Not retroactively but put a pretty solid post in the ground that says: `Hey, if you get hacked and all the IP is stolen. Your program funding is going to take a BIG hit. We don’t want to tell you how to fix it – we (Government) doesn’t know how. Likewise, if the data gets stolen while with us (again, Government), you’re going to get a bit of automatica business helping us or influencing our direct means of securing it`.. something along those lines without the tin-foil gaps.

John Little: Although I know and respect many security professionals the ones that I encounter professionally seem to be bureaucrats rather than technical professionals. They are just lords of a massive fixed documentation process that must be completed whether I’m building a simple web page with public data or a massive mission critical enterprise system. The problem is that I can answer 500 questions about my application and get it approved but at the end of the day there’s nothing about the process that really enhances security. What are your thoughts about how the private sector utilizes InfoSec professionals?

Ali-Reza Anghaie: Firstly – I’m sorry. Really really sorry. You’ll have to file a RC269B exception to ask me this question. It’ll be rejected of course because everyone knows of the `Great RC268T Debacle` of 2012. I have my big red stamp ready to reject your request because email isn’t secure enough and the ColdFusion workflow app we had developed in Bangalore was, of course, developed by non-US Citizens so we can’t really use it. I have spoken.

There is this inherit fear of InfoSec that comes with the noise around incidents right now – similar to how auditors were perceived just after SOX went into effect. Nobody knows what to do with InfoSec except to not piss InfoSec off. Along with that come a lot of non-technical professionals or entry-level professionals enabled with copious amounts of authority and confidence over – well – nothing in particular. So, much like politics, you do exactly what you can get away with without punishment.

This is a cynical view – as my answers have trended so far – but it’s quite normal and recent trends leave me very optimistic.

We’re at the tail end of this trend and, as an industry, we’re going through it a fair bit quicker than many of our predecessors. Somewhat due to economic constraints but I sincerely believe the best of the best in InfoSec have taken more responsibility recently for knocking down their own echo chambers. They’ve seen the charlatans flourish and they know “we” created room for them with ambiguity and hand-waiving. “We” want our industry back..

So – to answer your question – I think a huge majority of the private sector is very confused in how to apply InfoSec. And it’s our fault…for now.

Scot Terban: I think we need to differentiate between the INFOSEC folks like an archaeological dig here to start. First off, not all INFOSEC’ers are built the same. I come from the pentesting side AND the policy as well. I performed many assessments that had a combination of both and understand them both well enough to see where the rubber meets the road to so speak. Unfortunately not everyone has the skill sets to see both sides of coin and to work efficiently in the space. So we have people who get into INFOSEC primarily from a “legislative or paper” side of the issue. They understand that security is necessary and there are rules that need to be in place and that is about it. They follow their checklists and once they have checked the boxes they are good. This is bad but all too often the real aegis of many folks in corporations who perform audit from SOX to other government audit standpoints.

Then there are the people who perform just pentest and who many often think that rules are just useless. Why? Because the hackers/adversary does not follow the rules and all too often rules get mired in minutiae that doesn’t matter to their attacks. I have heard way too many times, and rightly so, that SOX and other check box security measures are useless. I too have felt the same thing but, too often the pentest crowd is just dismissive of it because they are broken and not workable in their present state much of the time. So you can develop an app as you say, the “Bob’s” can come in with their checklists but in the end they have not made the product more secure because they lack the dimension of the attacker perspective.

So we have two camps.. Both out to secure things and neither really can because of a third camp.. Let’s call this camp the “Corporation” The corp all too often is motivated not by an innate desire to protect their data, their clients etc.. Their driver is to make as much money as possible and in doing so security spend is even today, not what it should be because it is a cost center. When looking at the options and the legal drivers we can see how it is so easy for a company to go for the check box security approach mainly because that is what the government and the laws are mandating. It is the “due diligence” mentality and in that, the only due diligence we have primarily is to have the boxes checked to insure that they can say that once they get sued or after an incident. THIS is to minimize the legal remunerations that they may incur to law suits and that’s the extent of it. Rarely have I seen a company throughout my career that was proactive about their security enough to engage true red teaming and effective policies, procedures, and audit to insure a modicum of security.

It’s mostly set and forget as well as get drones who check SOX boxes every year. Aye, there’s the rub huh? This is where you have the paper CISSP’s and others who really do not have a grasp of adversarial INFOSEC that needs to be in place to protect yourselves and this is where the engine of popularity and money have made a glut of people who don’t really have the chops to be in the business doing business. So yeah, you could create an application and the SOX types come along and ask questions but they really aren’t coders nor understand application code security right? They do their bit but they don’t see the whole picture and you, you could totally hoodwink them that your application is up to standard because this is the only appsec that they are carrying out.. Asking questions and not validating code?

To me, that says that the system is broken. What we need is a middle road where true application security people are involved in your case. In other cases I would like to see people who have a good grasp of security (defense as well as offense) in the roles of audit. Will this happen? Probably not and that is because as was lamented recently “Defense isn’t sexy” add to that the corp’s aren’t looking to do anything but be “risk averse” and you have a broken system.

John Little: So we have a system that is broken and seems bound to stay that way. With the increasing complexity and distributed nature of data and applications, the vast number of application users (a good portion of the planet now), the rapid advancement of technology, and the challenges involved in building and maintaining an even barely adequate cadre of INFOSEC professionals how will the future not become even more of a hacker’s playground?

Ali-Reza Anghaie: The problem space is going to continue to grow at an accelerating pace. We will drown in more data and we won’t ever have enough bodies to throw at the problem. Government “regulation” will likely further exasperate the staffing problems. Generally we’ve shown ourselves incapable of effective security automation. Woe is me?

There is a difference between a hacker’s playground and an unmanageable risk. Like any other type of crime, society will compensate in some areas and not in others. Some regions will do better with the same `door locks` and other regions will need `burglar bars` on all windows. So the question isn’t if the attack surface will continue to outpace us – it certainly will – the question is how will we compensate, as an industry and society, elsewhere?

This goes to the very root of competition – and we’re stuck with this idea that InfoSec is absolute. You’re either not using computers or your pwned. In no other aspect of life or society do we so readily say that to customers, through Governments, and in our daily routines.

So I would say that hackers will hack and that’s OK. If you aren’t viable and complete even under hacker fire – I’d say you were never actually viable or complete.

Scot Terban: It shall be just as it is now. The only answer is to become a new age Luddite and live in a bunker awaiting the end…

John Little: A significant portion of the cyber-chatter inside the Beltway and in the media is focused on China. How would you characterize the threat Chinese hackers (official or not) pose to the U.S. and how should we be talking about it?

Ali-Reza Anghaie: Lets be clear – the Chinese threat is real and it’s aggressive. It is also entirely irrelevant.

We’re at such an early stage of secure architecture and software that concentrating on a given foe is foolish for all but a small core of defense and intelligence agencies. Along those lines, Government emphasizing a given nation-state threat also leaves people with the false impression that these threats ~require~ a nation-state to execute. And…. wait for it… a nation-state level response.

About now big red spinning alarms should be going off in your head. THAT is the problem with “the Chinese threat” – it’s become a political football that has turned into a lobby interest that has turned into a disadvantage to an already painfully broken field. It creates whole classes of C-levels looking at the wrong problems, wrong solutions, and wrong people to deliver those solutions.

Scot Terban: How would I characterize the Chinese threat… Well, they are a threat because they are just persistent and mostly sneaky. Not all of the teams are uber ninja’s like portrayed in the news media or in a Mandiant self propaganda piece but they are pretty good (some of them) What the question really should be though is how would I characterize the attacked.. Not the attacker. We are on the whole not prepared to deal with attacks either in the MIL space or the private whatsoever. Companies are reticent to fix their infrastructures because it would cause loss of productivity, they hold on to old technologies like XP and IE6 for way too long, and they generally are not as a whole, security savvy.

So.. How hard is it for the average Chinese hacker to get someone to click on a link, pwn a machine, enter a poorly managed network, and steal them blind? Furthermore, how hard is it then to keep persistence?

Meh.

John Little: You both raise a very important point. While the debates over terminology, doctrine, and threats rage on the assets are going unprotected. We hear case after case of hackers having an easy time with their targets because of laziness, ignorance, and irresponsibility on the behalf of individual users, software developers, and network owners. It seems like we could eliminate most threats by shifting the focus away from “external” threats and back to our own behavior and business practices.

Ali-Reza Anghaie: Some years ago various groups started referring to de-perimeterisation as an inherit system design goal – that is to say that every system’s functions should act like it’s facing the “outside” world. From the outset I thought that should be the data protection goal as well – trust no one, period. Everything should have a forensic trail, least-privilege model, etc. Insiders can become your outsiders – prepare as such.

Now, that was naive of me – cost applies. So I think it comes down to appropriate risk assessments in the complete context of your business, legal, and technical resources – which is non-trivial for multinationals and small business alike.

So – the “right” answer to your question is – we still have an accountability problem period. Internally or externally the risk assessments, valuations, and models just aren’t being done appropriately on a reliable basis for most organizations. The good news is that the body of work on these topics are increasingly reliable – we can fix the overall scheme of things. Where fixing doesn’t always mean absolute security as the goal.

I’d like to thank Blogs of War for taking the time to put together this interview. It’s been great and I really enjoy your various feeds.

Scot Terban: The answer is “yes” but I would also hasten to say that it’s not just accountability but a more encompassing problem of OPSEC altogether. The point being that many people today lack understanding of the need never mind the practice of OPSEC. So we have all these private and public entities that really have no concept of the security landscape in the first place and why it is important to protect their data so how do you expect them to be aware of internal or external threats? While in the military and government space they have an idea they too suffer from lackadaisical attitudes and lack of comprehension of the technologies that they are using to manipulate, store, and use data. I tend to think of it as a human nature issue in general that we need to tackle just to bring people to the security table in the first place before we can make them aware enough to think about and secure their assets. Once people are on the same page with the technologies (not just the tech folks we all work with but the end users) then we will have a discussion over the internal versus the external threats posed.

Warfare takes place across four domains: land, air, sea and space. Recently – in search of a comparative advantage over the enemy – cyberspace was included as the fifth domain. In the future, this will no longer be the case, the human mind will be the sixth and perhaps the only domain of warfare.

Current technologies are shaping our ability to not only influence, but also to penetrate the human mind. As such, warfare is moving into information spaces such as cyberspace, as well as into the mind itself – through the emerging technology of the Brain-Computer Interface (BCI) as we recently argued on Wired. However, unlike the widely criticised COIN strategy, this is more than just winning hearts and minds. War in the sixth domain is about controlling the human mind, either by shaping emotional and cognitive responses, or by outright exploitation of man-machine technology. It is, in a sense, coercive persuasion through internal and external stimuli.

Sound like something from a science fiction movie? Perhaps; but the future is not as far away as we think. Information operations (IO) – the effort to inform and shape perceptions, attitudes, behaviours, and understanding through the circulation of information – have always been a pivotal part of warfare.

Traditionally, an IO campaign was based on targeted information filtered through one-way communication channels. However, the spread of online networking technologies and the digitalisation of global news media means that the public now has greater access than ever before to events happening across the world, and can engage with them in real-time. As a result, we are seeing an increased emphasis on real-time IO unfolding across interactive multimedia platforms as forces such as Israel and Hamas compete to influence the human mind and dominate both public and private information and communication spaces.

So far, real-time IO using online networking technologies have relied on sympathisers seeking out or reaffirming information amongst their like-minded community. This means they take an active role in accessing and receiving an IO message. In the sixth domain of warfare, this role will be more passive as recipients are delivered messages involuntarily. By harnessing the technology behind personalised advertising, combatants could implant ideas and messages directly into the minds of their targets, eliminating any potential barriers between sender and receiver.

Imagine impressionable targets waiting at a bus stop where high-definition cameras scan their faces, retrieve their biometric details (which, presumably have been linked through a number of online networking technologies) and subsequently deliver a customised message to a nearby digital advertising board. Or perhaps, using audio spotlight technology, combatants could target potential recruits by delivering a message inside their head – a message that no one else can hear. Each target would receive a personalised message that accounted for their gender, socio-economic status, political background, personal biases, and social network characteristics. In a world in which we are increasingly “plugged in”, this kind of personalisation is not nearly as farfetched as it sounds. These technologies are well and truly here, and it’s not inconceivable that they’ll be used as effective real-time IO tactics to influence what people think and feel about conflicts happening at home and abroad.

If future technologies will allow us to intensify IO campaigns to influence minds, what might such technologies mean for the manipulation of minds when we use it concurrently with BCI?

In August of this year, the 21st USENIX Security Symposium took place in Washington. In addition to the usual contemporary topics of interest to IT security professionals such as password protection and cyber-security education, there was one additional topic that has significant implications for the future of defence and national security: “The Brain”.

What was once the purview of futurists and conspiracy theorists has now become a startling reality – the creation of tools and methods to harness the power, thoughts and desires of the brain to undertake both simple and complex operations. With this new reality comes new dangers. Researchers at the Symposium demonstrated how easily the brain could be hacked for private and secret information using cheap accessible technology designed for video games and keyboards. Essentially, technology that has been developed to enhance our lives may prove to be one of our biggest liabilities as our understanding of the brain significantly increases, leading us to question what one blogger recently referred to as the need for neurosecurity.

Whether it is a human controlling a metal exoskeleton or monkeys controlling a robotic arm, the increased technological capacity for brains and computers to interact is an area for further exploration, and it holds implications for the future of warfare, especially if exploited.

Control of the sixth domain would effectively mean that domination of the enemy’s mind both externally (IO) and internally (BCI) is possible, thereby altering the individual into a mind-controlled weapon. The risks here – if successfully applied in a nefarious manner – are that such individuals would have the ability to kill, maim or sabotage without conscience, but no capacity to question the command to do so – even if it contravened the Law of War or the Rules of Engagement.

Clausewitz argued that the application or threat of violence was the most effective method of coercion. A successful combination of IO and BCI manipulation (the sixth domain) would reduce war to just phase zero, eliminating the necessity for traditional warfare across the former five domains.

This is really an election day over-reaction monitor. As expected Twitter if full of people threatening to riot, leave the country, or commit other acts of stupidity if their candidate loses today. Some are reacting in even more harmful ways at their polling location with voter intimidation or counter-intimidation efforts but I believe that there is more fear and hysteria about voter intimidation than is warranted.

Anyway, you can watch the drama unfold with the Covert Contact Election Reaction Monitor. Just click on the big green button to start the live streams.

Subscriptions to Covert Contact’s array of over 140 topic monitors and 400 live social media streams are available for only $10 per month.

This monitor is live for both Covert Contact subscribers and demo viewers. It is currently broadcasting mentions of both candidates, the debate itself, and discussions about foreign policy. Hit the big green button to launch the demo and access the monitor.

This monitor is live for both Covert Contact subscribers and demo viewers. It is currently broadcasting mentions of both candidates, the debate itself, and discussions about fact checking. Hit the big green button to launch the demo and access the monitor.

Mistakes can be forgiven but covering them up, especially when your excuse changes from day to day, points to a much larger problem:

Michael Hayden, former CIA director, and Michael Chertoff, who served as Homeland Security chief, hit out after Biden stunned many in the intelligence community by insisting that the U.S. consulate in Benghazi did not ask for additional security before it was attacked on September 11 – directly contradicting what security officials and diplomats have testified under oath.

The tough joint statement was issued via the Romney campaign. In it they added: ‘Blaming those who put their lives on the line is not the kind of leadership this country needs.’

‘During the Vice Presidential debate, we were disappointed to see Vice President Biden blame the intelligence community for the inconsistent and shifting response of the Obama Administration to the terrorist attacks in Benghazi,’ they said in the statement.

‘Given what has emerged publicly about the intelligence available before, during, and after the September 11 attack, it is clear that any failure was not on the part of the intelligence community, but on the part of White House decision-makers who should have listened to, and acted on, available intelligence. Blaming those who put their lives on the line is not the kind of leadership this country needs.’

There may be layers of failure contributing to this incident but the response from the White House is appalling. It’s not just that they have demonstrated the wrong kind of leadership. They haven’t demonstrated any leadership at all. And then there are the hints (I’m being generous) of ethical and moral failings permeating the entire affair. That is not forgivable.

With the State Department backtracking on its story, disturbing and shameful background details on the security situation continuing to emerge, and hearings on “The Security Failures of Benghazi” being held today there is going to be a flood of commentary and information on Twitter.

Fortunately, I’ve created a monitor for these issues on Covert Contact. These monitors usually require a small subscription fee but this is a critical issue and I want to help as many people follow it as possible. Just click on the start button below to launch the monitor.

I will be live tweeting the debate at 8pm EST tonight. You can also stream all of the debate tweets with the Blogs of War GOP Debate monitor at http://gopdebate.blogsofwar.com.

Romney, Gingrich, and Huntsman should have informed positions tonight. Bachmann, Ron Paul, and Santorum will continue to be irrelevant. Rick Perry is essentially a wild card. I don’t expect him to do particularly well but if he can find his groove he could still score points. Perry will do best if he sets his sights on Newt. Newt is the political equivalent of a Gaddafi motorcade in the desert – a big fat juicy target.

Recommended on Twitter: @newtgingrich – Newt Gingrich’s official twitter account.

Follow all the developments in the 2012 presidential race with the Blogs of War 2012 Monitor at http://2012.blogsofwar.com.

It’s time for yet another debate that Rick Perry can’t afford to flub. Foreign policy issues and pre-season debates are a disaterous mix but half of you will be watching in anticipation of just that anyway. Between Cain, Perry, and Ron Paul you’re probably in for a treat. Don’t be surprised if Perry comes into this one wound up and closes the show by bellowing “This is Sparta!” and running wildly off the set in the direction of Iran. They’re going to come up an awful lot tonight.

I suspect Romney could win this one just by keeping quiet and looking at most everyone else like their half-crazy because, well, they are.

You can follow the debate chatter live on the Blogs of War 2012 Monitor.

Regarding possible military dimensions:

43. The information indicates that Iran has carried out the following activities that are relevant to the development of a nuclear explosive device:

• Efforts, some successful, to procure nuclear related and dual use equipment and materials by military related individuals and entities (Annex, Sections C.1 and C.2);
• Efforts to develop undeclared pathways for the production of nuclear material (Annex, Section C.3);
• The acquisition of nuclear weapons development information and documentation from a clandestine nuclear supply network (Annex, Section C.4); and
• Work on the development of an indigenous design of a nuclear weapon including the testing of components (Annex, Sections C.5–C.12).

44. While some of the activities identified in the Annex have civilian as well as military applications, others are specific to nuclear weapons.

45. The information indicates that prior to the end of 2003 the above activities took place under a structured programme. There are also indications that some activities relevant to the development of a nuclear explosive device continued after 2003, and that some may still be ongoing.

Page 8 Section G.43

On the evidence:

“As indicated in paragraph 6 above, among the information available to the Agency is the alleged studies documentation: a large volume of documentation (including correspondence, reports, view graphs from presentations, videos and engineering drawings), amounting to over a thousand pages. The information reflected in that documentation is of a technically complex and interconnected nature, showing research, development and testing activities over time. It also contains working level correspondence consistent with the day to day implementation of a formal programme.”

Annex Page 4 Section B.12

On Iran’s lack of cooperation:

“Iran has acknowledged certain information reflected in the alleged studies documentation. However, many of the answers given by Iran to questions posed by the Agency in connection with efforts to resolve the Agency’s concerns have been imprecise and/or incomplete, and the information has been slow in coming and sometimes contradictory. This, combined with events such as the dismantling of the Lavisan-Shian site in late 2003/early 2004 (see paragraph 19 below), and a pattern of late or after the fact acknowledgement of the existence of previously undeclared parts of Iran’s nuclear programme, have tended to increase the Agency’s concerns, rather than dispel them.”

Annex Page 4 Section B.15

On missile integration

“The alleged studies documentation contains extensive information regarding work which is alleged to have been conducted by Iran during the period 2002 to 2003 under what was known as Project 111. From that information, the project appears to have consisted of a structured and comprehensive programme of engineering studies to examine how to integrate a new spherical payload into the existing
payload chamber which would be mounted in the re-entry vehicle of the Shahab 3 missile.”

Annex Page 11 Section C.11.59

From the summary:

“The Agency has serious concerns regarding possible military dimensions to Iran’s nuclear programme. After assessing carefully and critically the extensive information available to it, the Agency finds the information to be, overall, credible. The information indicates that Iran has carried out activities relevant to the development of a nuclear explosive device. The information also indicates that prior to the end of 2003, these activities took place under a structured programme, and that some activities may still be
ongoing.”

Page 10 Section K.53

You can download the full IAEA report from ISIS.

Recommended on Twitter: @IAEAorg. Official accout of the International Atomic Energy Agency (IAEA).

In isolation this would have been embarrassing but wouldn’t have left a mark. But when you’ve stumbled in every debate, and pundits are repeatedly declaring that you have just one more chance to get it right, this is pretty damaging. I am sure that this will be the defining moment of Perry’s campaign, the moment everything ended, but things have been unraveling from the start. This has been Romney’s race for some time and looks to stay that way.

@MajorEChirchir – Major E. Chirchir is a Kenyan military spokesman.

@KareemLailah – Writer, Musician, Human rights activist and Freedom fighter. Editor-in-Chief of Syrian revolution newspaper.

@ArmsControlWonk – Jeffrey Lewis is the Director of the East Asia Nonproliferation Program at the James Martin Center for Nonproliferation Studies.

@FBIPressOffice. Official FBI Press Office feed.

@ShababLibya – The Libyan Youth Movement is a group of Libyan Youth, both in and out of Libya, inspired by Egypt and Tunisia.

@IAEAorg – The latest news and updates from the International Atomic Energy Agency (IAEA).

@ArmyTimes – Your online source for everything Army: Army news, benefits, photos, news from Iraq, military community.

@azelin – Aaron Y. Zelin is a research associate in the Department of Politics at Brandeis University. He is interested in Islamic intellectual history, Tunisia, and Yemen.

@Hamza_Africa – Hamza Mohamed is an independent Journalist currently with BBC. He specialises in Sub Saharan Africa.

@dianawueger – Diana Wueger writes about & analyzing small arms, foreign affairs, natsec.

@Sm0k34n0n – Anonymous account and original source of the threat against the cartels.

@opcw – Official twitter account of the Organisation for the Prohibition of Chemical Weapons.

@allthingsct – Leah Farrall is an ex-counterterrorism analyst; returned academic type w/ background in IR.

@AnonOps – Frequent updates on Anonymous activities.

@billroggio – Editor of The Long War Journal & Senior Fellow at The Foundation for Defense of Democracies.

@Africom – U.S. Africa Command (AFRICOM), is one of nine Unified Combatant Commands of the U.S. Department of Defense.

This isn’t an iPad app but it is designed to cleanly cram a lot of national security tweets into a smaller tablet-sized format. There are a total of nine streams available under the NatSec, CyberWar, and Arab Spring tabs.

NatSec
Tracking US national security, the intelligence community, and terrorism discussions.

CyberWar
Tracking cyberwar chatter, hacker groups such as Anonymous and LulzSec, and Infosec discussions.

Arab Spring
Tracking Arab Spring, and Arab Revolution discussions and several involved countries.

You can access version from the main menu of the full version of the crisis monitor or at http://ipad.blogsofwar.com

I’ve thrown together a presidential address monitor for tonight’s speech. There are live Twitter streams for Obama and reaction to his address. You can also find links to the White House and up to date unemployment data. I’m also testing out a new split screen view that will allow you to watch the speech while monitoring reaction on Twitter.

International media has been slow to react and Mubarak has attempted to silence the population but Twitter just keeps rolling. Here are some of my favorite sources from every angle of this developing story. Whether on the ground in Cairo or observing from afar they’re all informative. Follow them.

There’s far too many to list here. I’m streaming live #Jan25 tweets on this page (along with links to live video streams, twitter lists, and other resources). You’ll find even more people to follow there.

3arabawy – Abdurahman Warsame. Broadcast Journalist @ Al Jazeera English.

AJELive – Al Jazeera English. Coverage of live & breaking news events.

AJEnglish – Al Jazeera English, the 24-hour English-language news and current affairs channel, is headquartered in Doha, the capital of Qatar.

Alaa – Alaa Abd El Fattah. Frequent updates.

AlArabiya_Eng – Al Arabiya English. The English site of the Arab world’s leading news station.

AlecJRoss – Alec Ross. Secretary of State Hillary Clinton’s Senior Advisor for Innovation.

AmgadRezk – Amgad Rezk. An Egyptian citizen, other than that I am nobody!

Arabist – The site on Arab politics and culture.

AymanM – Ayman Mohyeldin. Ayman is a Correspondent for Al Jazeera English.

Azelin – Aaron Y. Zelin. Research Assistant, Department of Politics, Brandeis University.

Bencnn – Ben Wedeman of CNN. Great updates from Egypt.

Demaghmak – Demagh MAK. Cairo.

Dima_Khatib – Dima Khatib. Arab journalist and eternal rebel. Al Jazeera’s Latin America Correspondent. My tweets don’t reflect Al Jazeera’s views.

Eacusa – We are a group of Egyptians and Egyptian Americans committed to Egypt’s democratic, political, social, and economic reforms.

EgyptUpdates – Breaking news out of Egypt.

Elazul – Based in USA and Cairo. Frequent updates.

ElBaradei – Mohamed ElBaradei. On the ground in Cairo and attempting to join the protests. Under house arrest at the moment.

Evanchill – Evan Hill. Online producer at Al Jazeera English in Doha by way of San Francisco by way of Wisconsin. Professional cynic. C is my middle initial. All views are my own.

Habibh – Habib Haddad. Founder @Yamli & @YallaStartup, entrepreneur, activist, frequent traveler and a big believer – Young Global Leader, GAC on Innovation.

Intelwire – J.M. Berger. High-volume terrorism/security feed.

Jonjensen – Jon Jensen. Writer, reporter, producer. Based in the Middle East.

Litfreak – Things I have survived: Saudi Arabia, Texas, 9 months without Conan. Thing I am attempting to survive: Grad school.

lars_akerhaug – Lars Akerhaug. News reporter. Interested in war and terrorism, Arabist at heart.

Monaeltahawy – Mona Eltahawy. Columnist and public speaker on Arab and Muslim issues.

Monasosh – Blogs at http://ma3t.blogspot.com/.

Octavianasr – Octavia Nasr. Editor of http://OctaviaNasr.com Founder of Bridges Media Consulting.

RamyRaoof – Ramy Raoof. Human Rights Defender| Online Media| Digital Activism| Digital Security| Editor of Egyptian Blog for Human Rights.

Rzabaneh – Rania Zabaneh. AlJazeera English Producer in WestBank, oPt. MS Journalism, Columbia-USA & MA Democracy and Human Rights, Birzeit-PS. Tweets are mine; not AlJazeera’s.

Salmaeldaly – Salma el Daly.

ShereefAbbas -Born in Cairo raised in the UAE, studied Pol.Sci@AUC, Researcher @ Al-Ahram Center for Pol. & Strategic Studies.

ShmpOngO – Frequent updates.

SultanAlQassemi – Sultan Sooud Al Qassemi is a columnist for The National.

Telecomix – The Telecomix News Agency aims to inform about the telecoms package, ACTA, data retention, net neutrality and censorship within EU and the rest of the world.

Tharwacolamus – Ammar Abdulhamid. Dissident, heretic, democracy activist.

Themoornextdoor – Quid novi ex Africa? North Africa, foreign policy & American Muslim issues.

TweetsintheME – Andrew Lebovich. Learning and writing about the Middle East, North Africa, France, and all sorts of other things.

Umm_Issa – Mother, Aston Villa fan and Middle Eastern history fanatic.

Webaddy – Mauritanian activist, focused on civil rights in the Mideast and North Africa.

Joshua Foust is a fellow at the American Security Project, a columnist for PBS Need to Know, a contributing editor to Current Intelligence, and he blogs about Central Asia at Registan.net. He’s the author of Afghanistan Journal: Selections from Registan.net. You can follow him on Twitter @JoshuaFoust.

John Little: Let’s talk about The Unforgivable Horror of Village Razing. In that post, which details the destruction of a booby-trapped Afghan village with 49,200 lbs. of ordnance and what you feel is the unsympathetic response to the resulting suffering, you drop some pretty heavy ordnance of your own:

Look, war is hell. I have no illusions about that. But what is happening right now in Southern Afghanistan is inexcusable. There were rumors of this policy of collective punishment in the Arghandab before (see this overwrought Daily Mail story that stops right before the village actually was destroyed for an idea of what is going on), and I’m really struggling to see how such behavior does not violate Article 33 of the Fourth Geneva Convention—that is, how this behavior is not a war crime, especially given the explicit admission that such behavior is merely for the convenience of the soldier and not any grander strategy or purpose.

This sort of abhorrent behavior is not limited to the Arghandab, either. Broadwell explicitly states that it has the Petraeus stamp of approval, and Pahjwok has reported U.S. Marines in Helmand province explicitly warning local villagers of collective punishment if insurgents hide out in their settlements. It is probably a safe assumption to say that this is a widespread phenomenon.

A lot of people would say “Look, this may have been clumsy, inefficient, and lazy on our part but a Taliban outpost was cleared, civilian and friendly causalities were avoided, and we’re going to help the civilian owners rebuild. Relax Mr. Foust. This is war, not a war crime.”

So, with a few days to reflect, do you still think this event might point to an illegal policy of collective punishment? Can you see any merit at all in arguments of those who support the military’s casualty minimization strategy?

Joshua Foust: With some further reflection, I think I was right to struggle with whether destroying villages like this is a war crime. Some friends helped me wrap my head around what actually constitutes a violation of the Fourth Convention, and I don’t think this qualifies as such. However, the reason I feel comfortable with that struggle is this is the sort of thing we should question.

In that link to the Daily Mail story about another village facing this same fate, the soldiers seem to be threatening the villagers with the destruction of their homes if the villagers don’t turn in more IEDs. There are two ways to interpret that story (and the one here, about the Arghandab). Either the soldiers are punitively destroying entire settlements in punishment for not resisting the Taliban, or they’re communicating—incompletely—that if they can’t remove the Taliban from these areas, they have no way of removing the bombs and IEDs left over except by detonation.

From everything I’ve read about these incidents, and from speaking with people close to one of them, it’s probably bad communication being compounded by a false sense of urgency and action bias. These are not large villages—maybe a few dozen houses at the most. There’s no compelling, strategic reason for the U.S. military to literally burn a hole through them once the Taliban have run off. If the Taliban are gone, then we can ponder defusing and decontamination at a deliberate pace (the village razing incident is written in a way that suggests the decision to burn the village was made quickly, for the sake of battle momentum). There’s no need to rush in with B-1s dropping tons of explosives on them.

So I didn’t intend, and I still don’t intend, to accuse anyone of malice. I stand by my charge of laziness, however. Look at the aftermath: this is rural Afghanistan. No one has land deeds or property records. The soldiers are giving the local sub-governor a pot of money and the power to issue now-official land deeds. There is no way in hell people will be compensated appropriately for what they lost (which is required under Article 40 of the Afghan constitution). There will be winners and losers, and the U.S. is funding the picking of winners and losers—a dangerous situation, and one I frankly think is impossible to solve without massive corruption. This is not a hopeful result, in other words. And the callousness with which both the soldiers and that researcher writing about them discuss it—up to sniffing that the Afghans should thank us for rebuilding, as if destroying a family’s possessions is perfectly okay so long as you replace it later—led me to assume the worst. I don’t see how this is a better, more humane option that will create fewer headaches in the long run than attempting to defuse and decontaminate mined villages.

Either way, and whatever more details emerge as these people try to explain themselves, we should be up front in asking hard, probing questions about the deliberate erasure of entire communities. I’m frankly shocked at how many people reacted against that. Our conduct in Afghanistan should never be above question.

John Little: Paula Broadwell, the author of the piece that triggered all of this, has since offered some clarification. There’s nothing earth shattering there though. It is exactly along the lines of what one would expect:

The Taliban had laden the roads, compounds, everywhere with booby traps. In the commander’s assessment, the deserted village was not worth clearing. If you lost several KIA and you might feel the same… SOF had tried to clear the village and had several EKIA but also lost two guys. Afghan commandos had attempted to take the village and got hammered by the IEDs and HEMsas well…

[T]he villagers told all of these visitors {Petraeus, an ABC news crew] that Flynn was their hero and they wanted him to move into the village with them. They express great gratitude for helping them claim security in their river valley and push the Taliban out. Sure they are pissed about the loss of their mud huts (look at the picture again) but that is why the BUILD story is important here.

Your counter-argument, if I can attempt a summary, is that even if we accept the military’s version of the story it still seems to indicate poor execution of our counterinsurgency strategy. You point to a naivete that, if systemic, is quite troubling:

The gullibility of Americans is also something I thought we would have moved beyond in 2011, but it still remains. In civil wars, locals—that is, non-combattants—are always friendly to the guys with guns. In the passage above Paula expresses dismay, and toys with feeling little sympathy for, villagers who accepted money rather than violence to leave their village. That is worse than calloused, and it’s the kind of glib attitude that comes, depressingly commonly enough, from the zombies living in the military’s COIN bubble. I’ve seen elders in Afghanistan smile warmly at me, talk about how much they hate the Taliban, and so on… only to, mere days later, be caught passing information along to a local insurgent commander because they were scared witless by a night letter tacked to their door. Christian Bleuer explored this years ago—in Kapisa, of all places—and it really is a universal phenomenon. Displaced villagers will warmly greet armed groups… especially if those groups are handing out money as well. It means nothing beyond that, however. We should not be this gullible still. But we are, and that’s really sad to see.

Do you think that this is a broader issue? If so, can it be addressed with better training or do you think that inherent flaws in strategy are coming to light in stories like this?

Johsua Foust: I think it’s absolutely is the broader issue. The military still is, by and large, operating in total ignorance of not just local issues, but a basic acceptance of the humanity of Afghans. I shy away from complaining they misunderstand culture—and I say this having made my income for several years through coaching the Army on cultural issues in Afghanistan—because it doesn’t require specialized knowledge to see that poor people have bad housing, and that they are exceedingly vulnerable to displacement during conflict (to keep it confined to this one issue). So in this case, I’m baffled at the complete lack of empathy toward the villagers who were given a choice: resist the Taliban and suffer, or take some cash and flee.

As for addressing it, I lose my way a bit. I’ve seen what counts as “cultural training” within TRADOC, and at CGSC under General Caldwell. It’s a mixed bag, like most training is. You will always have good students and bad students, guys for whom this sort of mindset comes naturally and guys who either struggle with it or reject it outright. I am not knowledgeable enough about the Army’s training system to say how that can be remedied, or if it even can be.

But here’s part of the problem in discussing all of this: none of us were there. Frankly, Paula Broadwell wasn’t there when they burned this village to the ground. So already we’re working on filtered experiences, and that introduces a lot of bias that’s difficult to sift through when trying to figure out what happened. I’ve also never worn the uniform (at least, as a soldier), nor have I led men into combat—so I get really uncomfortable complaining about a bad decision made in defense of soldiers’ lives. And most people are—understandably, and appropriately, I think—hesitant to second-guess the decisions of a commander leading his men in combat.

However, there are some things that are worth questioning, even if it’s painful, and even if it ends up going nowhere. The decision to raze a town should be one of them. You don’t call in almost 50,000 pounds of bombs on a single target without a lot of signatures up the line of command. So this wasn’t a rogue decision, and it wasn’t done in the spur of the moment—this was a deliberate, considered, approved decision. And so far, from all the tiny amounts of data we have on it, it is an appalling decision. So in that sense, I think we really do need to keep pressing on the issue to try to figure out what really happened.

John Little: Based on your experience do you believe that there is willingness, at the command level, to look at events like this and identify opportunities to enhance the approach or is there just overwhelming pressure to execute, to maintain momentum?

Joshua Foust: I’m sure there is willingness somewhere in the chain of command. The problem is, General Petraeus knows this is going on—he hosted an ABC camera crew viewing the rubble—and we have no data to suggest he thinks the approach is flawed or could be improved. I do know there is pressure—implicit pressure, in a lot of ways, but pressure nevertheless—to “execute a counterinsurgency strategy” in the south. And that can easily lead to bizarre or inexplicable behavior getting sold as COIN.

John Little: Given the challenges (many of which originate in powerful neighboring states) do you think it’s possible that the current state of affairs is about as close to success as we’ll get? Is Afghanistan doomed to remain a problem to be managed rather than an emerging modern state that can be nurtured or incubated? Could it even be said that in the end our footprint there is less about Afghanistan and more about countering a long list of troublesome regional forces?

Joshua Foust: I think there can definitely be some improvement to the current state of affairs. I’d love to see us go back to cooperating with Iran in tracking down Taliban figures, as we were in 2001-2 (there are rumors the Iranians coordinate some counter-drug operations with the U.S., but no one wants to talk about that). I really do think that we can lessen the problem emanating from Pakistan by exploring a way to guarantee their interests in a post-America Afghanistan, and that one way we can do that is with beginning political reconciliation with the Taliban.

None of those developments means militancy will go away or the war will end. And in that sense, I don’t think management means “doom” in the sense of it being a negative thing. A reduced American footprint, combined with increased regional engagement, has the potential to be a net improvement for the country. It could also blow up in our face—which is the challenge with any course of action.

John Little: So is COIN only useful in the sense that it buys time until we negotiate a political solution with Pakistan and other regional players? If and when that agreement comes do you think that it will publicly acknowledge Pakistan as the guarantor of Afghanistan’s stability? Does it require that commitment and acknowledgment to succeed?

Joshua Foust: I don’t get the sense that COIN is a delaying tactic. A lot of people at the top—including General Petraeus and his fan club—genuinely believe COIN is the best thing, ever, for all things in Afghanistan. I obviously don’t share that assumption, but I do think they believe that honestly and aren’t playing a shell game. I also don’t have any indication that the top leadership has any real interest in political solutions with Pakistan and other regional players (which would, by design, have to include Iran, only Iran is excluded from NATO summits on the topic).

Now, I happen to think that we must publicly acknowledge and at least make a good-faith effort to secure Pakistan’s interests in post-America Afghanistan. I also am not aware of any push within the U.S. policy community to do that. Everything remains focused on “breaking” the Taliban, of severing Pakistan’s relationship to it, and so on. I’m not at all hopeful those counterproductive ideas will be reversed by the 2014 “withdrawal” date.

John Little: Let’s assume, for the sake of argument, that something resembling a withdrawal occurs in 2014. We’ll also assume (and this is probably the safer assumption of the two) that the current military and diplomatic approaches will continue on their current tracks with little or no change. Where does that leave Afghanistan and where does that leave the region? What does 2015 look like?

Joshua Foust: I don’t see any evidence that we’re actually going to withdraw in 2014. Even Joe Biden, who had been consistently and vocally supporting “drop-dead” withdrawal dates, just told Hamid Karzai that we’ll be sticking around past 2014. So from where I sit, that leaves Afghanistan largely unchanged—there might be some withdrawal, but probably not to the extent that even people like CNAS advocate (which would be down to near-2005 levels, or around 25,000-30,000 troops). There will also be an increasingly shrill wing of the commentariat that will cry bloody murder at the thought of reducing our presence without catastrophic victory, regardless of ground conditions—which is exactly what’s happened with the July, 2011 date.

So, 2015? It will probably look much more like 2008 than anything else. And that ain’t good.

I’m not doing a page-by-page analysis but I’ll point you to three excellent posts:

Al Malahem’s Inspire 4: Crusades Rhetoric and Tactical Updates In A Feedback Loop by @crabbyolbastard

and

al-Qaeda in the Arabian Peninsula’s al-Malahem Media releases Inspire Magazine Issue #4 by @Azelin

and

Awlaki Breaks Silence In New Issue Of Inspire, Builds Links To History Of Jihad by @IntelWire

There are a few interesting things to note about this issue. First, the production quality has improved significantly. This is looking less like your office newsletter and more like a professionally produced print publication every day. This is especially interesting when contrasted with the extremely limited thinking evident in their discussions about “Open Source Jihad”. In short, the strategic masterminds behind some of this content have more experience making things look FABULOUS than they do killing people. I’m reminded of this for some reason:

Now, I’m not minimizing the long-term threat of their approach here. There is reason for concern. I just continue to think that they are, thankfully, executing poorly. Declaring man will set foot on the moon is a visionary idea. Looking for the best horse to take him there is poor execution of that idea. This is the current state of open source Jihad.

There is another significant development in this issue that others have touched on but that I don’t want to elaborate on here. I will say that I will not be surprised if, eventually, elements of this production team are discovered and authorities (or perhaps some independent ethical hackers) credit this issue with the breakthrough.

Download: Inspire 4 (PDF)