Secrecy News

Crisis in Mali, and More from CRS

New reports from the Congressional Research Service on diverse topics of current interest are provided below.  Pursuant to congressional policy, CRS is prohibited from making these documents directly available to the public.

The Posse Comitatus Act and Related Matters: The Use of the Military to Execute Civilian Law, August 16, 2012

Turkmenistan: Recent Developments and U.S. Interests, updated August 17, 2012

Pipeline Cybersecurity: Federal Policy, August 16, 2012

Gifts to the President of the United States, August 16, 2012

Health Insurance Exchanges Under the Patient Protection and Affordable Care Act (ACA), August 15, 2012

Crisis in Mali, August 16, 2012

JP Morgan Trading Losses: Implications for the Volcker Rule and Other Regulation, August 16, 2012

Why Some Fuel-Efficient Vehicles Are Not Sold Domestically, August 17, 2012

Armed Conflict in Syria: U.S. and International Response, updated August 20, 2012

The Palestinians: Background and U.S. Relations, updated August 17, 2012

One thought on “Crisis in Mali, and More from CRS

  1. The CRS reports on Cybersecurity and US gas pipelines deserves some extra comment.

    There have been no acts of terrorism perpetrated against US pipelines through cyberspace. Small collections of news reports of cases in which Americans interested in aiding al Qaeda in the last ten years in aspirational conventional bomb plots against pipelines are irrelevant.

    Citing one ABC News report on an al Qaeda video urging an audience to attack the infrastructure of the US electronically is not compelling evidence of anything, particularly in light of the fact that the terror organization has never demontrated any capability in this area. It is, however, some evidence of a standard wishful, or aspirational thinking. Wanting to attack the infrastructure through cyberspace, because they may have read in western sources that it is easy to day, does not confer a capability or demonstrate a vulnerability. It is just a discussion, and a fragmentary one.

    If a federal assessment in 2011 concluded “with high confidence that the threat to US pipeline industry is low,” it may actually be true.

    Citation of three industrial accidents caused by worker error and industrial breakdowns in the US pipeline industry do not demonstrate that the same industry is vulnerable to cyberattack.

    Computer network intrusions in the pipeline industry, unless the details are specifically described, do not imply or, worse, prove the pipeline infrastructure can be damaged through remote attack. Malware and intrusions occur everywhere there are networked computers, daily. They are security problems that must continually be dealt with, and the risk managed.

    Citation of a report by a computer security company, McAfee, on the nature of threat or risk, in this case on cyberattacks against global energy companies should always be accompanied by caveats that such reports are well known to be untrustworthy. A recent ProPublica news article on such security software industry reports contained the quote, from researchers at Microsoft, which, as a rule, does not issue these kinds of things: “Our assessment of the quality of cyber-crime surveys is harsh: they are so compromised and biased that no faith whatever can be placed in their findings.”

    If the Stuxnet virus is going to be used in a discussion to imply vulnerability in US systems, it should also be noted that it is now widely accepted that this particular piece of malware was engineered by an American military or intelligence team of programmers specifically to attack the Iranian nuclear program. And that the same team is recognized to be continuing to write and dispense malware to attack various infrastructures in Middle Eastern nations, with confusing and difficult to assess results.

Leave a Reply