Tuesday, March 24, 2015

Who Do You Love?

This is why we can't have nice things
Despite efforts to play it down, a primary - though certainly not the only - driver of conflict in the middle east and North Africa is sectarian in nature. Specifically the overarching Sunni-Shi'ite conflict that has been simmering for centuries, and was essentially released to metastasize by the desperately ill-advised US invasion and occupation of Iraq. So now it's important for the US to have some consistency in her responses, and to speak with a single voice to the parties in conflict. That seems like something that shouldn't be difficult, but it is turning out to be far beyond the capacity of the Obama administration to construct a foreign policy that lays out a coherent position. Of course, the US should be neutral on theology even as it is partisan on ideology, but in reality those lines are difficult, perhaps even impossible to draw. Let's think about three conflicts.

The US invasion in 2003 overthrew the Sunni leadership under their strongman Saddam Hussein, and the rush to something that looked like 'democracy' led to elections without any other established democratic institutions, resulting in the expected 'tyranny of the majority', and the inevitable Shi'ite state. This allowed a sudden sea change, the theocratic and political alignment of longtime enemies Iran and Iraq. With Iraq's infrastructure destroyed by years of war, their economy in tatters and their society fragmented, it was left for Iran to step in and provide assistance and guidance to the allied Shi'ite Iraqi leadership in Baghdad.

The US Response:
The US claims that Iran is a key adversary and one of the greatest threats to peace and security in the region, while their major regional ally, Iraq, is a US ally. That creates the situation where the US is allied with Shi'a Iraq (but not with their benefactor, Shi'a Iran) against Sunni IS, and is therefore tacitly allied with Iran in the war against Islamic State.

Syria's leadership is Alawite, which is a branch of Shi'a Islam, and their primary opposition is, predictably enough, Sunni. IS, al Quaeda and even the Free Syrian Army, to whatever extent that was ever a real organization, all were Sunni groups arrayed against the Alawite leadership. A leadership supported, predictably, by Iran, and opposed, every bit as predictably, by Saudi Arabia.

The US Response:
The US is opposed to the al-Assad regime, and has aligned itself against the Damascus/Tehran alliance that, with Russian support, has kept the regime in power, albeit with a dramatically reduced territorial footprint. Therefore, in the Syrian conflict, the US is supporting the Sunni insurgents in the battle against the regime loyalists. At the same time, when the US flies airstrikes against IS positions in Syria, they are tacitly supporting the Shi'ites in power ind Damascus, despite rhetoric claiming exactly the opposite. This kind of supporting-both-sides tactical incoherence serves only to extend the conflict.

Houthis, a Shi'ite splinter similar to the Syrian Alawites, overthrew the Sunni government of Abd Rabbuh Mansur Hadi in Yemen, bringing them into conflict with Sunni extremist fighters in and creating another potential Syrian style conflict, where the sectarian divide becomes inextricably tied to the political, and there is no path to solve the disagreements but an endless fight to the death.

The US Response:
The US has been actively fighting to support President Hadi, a Sunni, in his fight to survive the Houthi insurgency, with the full spectrum of drones, SpecOps, weapons and training. Now that the Houthis have succeeded in deposing the Hadi government, the Houthis are working to consolidate their power, while the opposition Sunnis, led by al Quaeda fighters resist them from their enclave in Aden. Yemen is on the brink of civil war, and the problem for the Houthis is that long border with Saudi Arabia. If the Saudis decide to actively support the Sunni resistance - which is highly likely - they will be working to hand Sana'a over to what would essentially be an al-Quaeda (or IS) led government. US troops and drones have been withdrawn for now - will the US support the Houthis on the Saudi border or will they continue to support Hadi's fight to retake the Presidency, despite the fact that his primary fighting force is composed of al-Quaeda jihadists? Judging from history, the US will claim to be supporting some kind of moderate, inclusive government based on some kind of nonexistent moderate Sunni power structure. Meanwhile, the Sunni resistance will become exclusively jihadist in its makeup and it will become impossible for the West to support.

What Now?
None of the forgoing should suggest that any of this is easy. Regional political and diplomatic goals often find different champions, and the nature of the risk should define the nature of the response. But that's precisely where the US is so wrong-headed about the current sectarian conflicts throughout the region. There is nothing inherent in either side - Sunni or Shi'ite - that could convince the American leadership to focus its support on one or the  other. They are both violent, bigoted, misogynist, 7th century throwbacks that do not seem to be able to live together in peace, or even provide for their own people. As long as the arguments can't be worked out by systemic political and territorial compromise, as long as they are at least partially premised on events of over a thousand years ago - events that may or may not have even happened - as long as someone's family name or method of worship marks them for summary execution, there are no 'good guys' and there is no faction worthy of external support.

The US should be entirely neutral in these conflicts. We should offer to mediate, and even provide troops and resources to implement and support a peace agreement. But the American leadership should be very clear that until the shooting stops we will not be a party to what is essentially a sectarian conflict. That American blood and treasure should be spent over ancient mythological hatreds is bad enough, but to support both sides almost at random only guarantees that the conflict cannot end. Endless war should not be an American foreign policy goal.

Sunday, March 22, 2015

Iranian Nuclear Talks - It's the EU, Stupid

Apparently, the US Senate doesn't realize they're involved
The rabid fanatical ideologues of the American Political Right have accomplished much in the last 20 years. They have divided the country, destroyed its ability to govern effectively, permanently damaged the economy by delivering all economic gains to the top 10% and created a toxic dialog where anyone not sufficiently fascist is anti-American, a 'socialist' or worse. And now they have topped themselves by inserting their fever dreams and racist hatreds into a sensitive negotiation the American leadership is having alongside her international partners over the Iranian nuclear program.

Setting aside for now the specific question of why it is only Iran, an NPT signatory in full compliance, that finds itself subject to these kinds of sanctions and demands, today I'm merely noting that the right wing ideologues, in the guise of the United States Senate, have effectively interfered with the American ability to conduct American foreign policy. This has large ramifications for the future of American governance, but in the case of the Iranian negotiations seems to utterly fail to notice that the US and Iran are far from being the only players involved.

You see, there are two kinds of sanctions. Sanctions imposed by UN Resolution, which are upheld by all UN member states by treaty obligation, and sanctions imposed unilaterally by a nation's government. The second kind are voluntary - there is no legal obligation for any other nation to implement them. The US has often compelled international support for unilateral sanctions by using her enormous global economic clout to further sanction any company or institution, even those in friendly nations, if they violate sanctions imposed solely by the US Congress. This is analagous to a man holding a crowd at bay with a revolver - nobody wants to be one of the six people he can shoot, but if the crowd is sufficiently motivated they will accept the cost and overwhelm the man when he runs out of bullets. In the same way, if the EU comes to perceive the US as the primary obstruction to a nuclear deal with Iran, they will simply bypass the US, forge an agreement with Tehran and eliminate the sanctions as long as Iran is compliant. The US might continue to impose unilateral sanctions, but they would be perceived as pointless punishment, while the rest of the world happily welcomed Iran back as a trading partner.

It is worth mentioning that France could be problematic in this scenario. They have, in recent years, chosen to align themselves quite closely with Saudi Arabia, and are therefore quite hawkish on Iran, both on the nuclear issue and in more general terms. If the negotiating bloc fragments too thoroughly, the agreements will not be strong enough to change the status quo. But France has much closer ties to the UK and Germany than the US, so it would be surprising if they ultimately blew up a deal.

There is a point where America's inability to govern itself effectively will have a powerful impact on her broader place in the world. If the US Senate wants to suggest that they could unilaterally break an agreement signed by seven nations, those nations will feel they have no choice but recognize that constitutes a rogue, pariah nation that cannot be trusted to live up to its most basic agreements.  And when the US congress itself denies the legitimacy of the US President, that President's credibility and authority is weakened all around the globe. The damage that America's radical shift to the extreme right has already done, economically, socially and politically is profound. As the partisan ideological divide becomes deeper and more acrimonious, the wreckage will continue to pile up.

Sunday, March 8, 2015

Women in Combat - Case Closed

Yeah, that's a silver star.
You got one of those?
I didn't think so...
Throughout history, women have often been in combat. From Stalingrad to the Golan, even in the 20th century reality has provided an answer to the question we for some reason continue to ask. Can women serve effectively in combat? Absolutely. SHOULD women serve in combat? To whatever extent that anyone should, gender is no better reason to exclude someone from  a given role than race was before it. But the doubters have one thing right. Not everyone can do it. Oh, the Army can designate anybody 11 Bravo, hand them a rifle, and ship them to a combat zone. But we're supposed to be smarter than that now, and we certainly aren't desperately fighting for our very existence, despite the rhetoric you might here on cable teevee. Just as there are men who are physically, mentally and emotionally incapable of serving in combat effectively, there are women who can dominate contested dirt. The problem is nobody ever came up with a set of metrics that can determine which is which.

Let me introduce you to Leigh Ann Hester. You've never heard of her, because our wars are illegal, pointless attacks on weak countries, and pride in our warriors is limited to jingoistic hate peddlers. But where a war against a weak opponent has a foregone conclusion, any given small-unit battle within that war can go massively pear-shaped no matter how much firepower and combat power a modern, wealthy, technologically advanced army can bring to bear. And when it all comes down to the bloody work of killing at eyeball range, fighting for a meter or two of ground, and trying to keep your fellow soldiers from getting overrun and dying hard, you'd be surprised - though you shouldn't be - by who can win the day.

It's March of 2005 and a thirty truck supply convoy is on the road outside of Salman Park, Iraq. The escort is Raven 42, a ten man squad in three Humvees, except two of the men are women, and one of them is the formidable Sergeant Leigh Ann Hester of the Kentucky Army National Guard, 617th Military Police Company. As the convoy is passing through some orchards, it is ambushed by at least 50 Iraqis. They've arranged parked cars to keep the trucks from turning away, and they open fire from the irrigation ditches with machine guns and RPGs.

Sgt. Hester immediately realized that they couldn't pull back, and if they tried to fight from where they were they'd be shot to pieces. So she unhesitatingly led the team straight through the ambush kill zone, the last thing the Iraqis would have expected. As she cleared the kill zone, she curled into a flanking position and assaulted the trenchline with her M203 grenade launcher, driving back the attackers. But she wasn't done. Alongside the squad leader, Sgt. Tim Nein, she jumped into the trench and cleared it, killing at least three Iraqi soldiers at eyeball range. In the course of the 25 minute firefight, she assaulted and cleared a second trench, driving the Iraqis back away from the convoy. In the end, 27 Iraqis were dead and 6 were wounded. As a result of the speed and ferocity of the American's counter-ambush assault, only 3 US troops were wounded.

Hester and Nein were both awarded the Silver Star for their actions on March 5th, along with their Platoon Medic Jason Mike, who notably (I think he might have seen too many Schwarzenegger movies) fired an M4 carbine and a SAW light machine gun simultaneously, laying down a deadly base of fire for the assault on the trench.

There can be no doubt that women, just like men, when sufficiently trained and motivated, can serve successfully and even brilliantly in combat. It's not something everybody can do, or do well, but the traits and characteristics that make up a warrior are not so simple to identify as stature or gender. People will become what is in their hearts to be.

Sunday, March 1, 2015

On Cybersecurity

I've got you now, my pretty

What the hell?

Target, Best Buy, Anthem, Sony, Uber. It seems that hackers can pretty much penetrate any organization they want and steal whatever they can find. And yeah, if it seems that way, it's because that's exactly the way it is. The bad guys are winning. These are no longer the hackers of yore, although people have been slow to update their vision of the cyber world. These are professional organizations, well funded, staffed with some of the best programmers, psychologists and engineers in the world. They are for-profit businesses, operating in loosely coupled networks where they sell each other access to specific exploits, huge botnets and compromised servers on a per-hour basis. They make millions of dollars every week, and are immune to legal consequence due to both their geographic locations, and their operational security - everyone that has to know who and where they are is compensated out of the huge profits they generate, and no one has any incentive to shut them down.

Jeez, mikey, why can't we just prevent these breaches?

You have to understand the way this is done. Using some combination of malware and social engineering, the attackers work on specific individuals at a given targeted organization until they can successfully co-opt that user's network credentials. Now they can log on to the network, but they aren't some unknown alien entity, they appear to be the employee or contractor whose credentials they are using. Now, with access to the network, it becomes a matter of working horizontally, increasing access entitlements, elevating permissions, co opting more user and service accounts. At no time are they doing anything that would draw notice - they appear as employees or contractors doing their everyday work, or even worse, as automated systems that don't even have a human associated with them. The Target breach is a perfect example. The hackers got access to the network through the account of their HVAC contractor, and from there were able to install the malware on the POS systems, stage the credit card data on a database server they set up in Target's own data center, and periodically upload huge batches of stolen data to their own servers in Eastern Europe.

Is technology the answer?

It is an infuriatingly common trope that technology by itself can't save us from these unrelenting attacks. And of course, it's ultimately true. Like all complex problems, the solution requires a holistic approach, with training, policy, investigation, enforcement, regulation, compliance and widespread participation within the organization. That said, it's bullshit. A large scale modern network is generating hundreds of millions of events and transactions per second. There IS no non-technology solution, because the problem exceeds human capacity. Just as it takes a bulldozer to move a giant boulder, it takes very smart software on very powerful computers to monitor modern networks and figure out what is happening in real time, and what might be worth investigating.

OK, but what do you do when you find something bad?

That's something we're still struggling with. Obviously, the first step is to keep the data from being exfiltrated out of the organization, and to close the holes the attackers have drilled into the network, but while that protects the organization under attack, it doesn't do anything to protect the rest of the world from those attackers. There are those who are in favor of offensive cyber attacks as a response, but this is something you want to think very carefully about. Remember these attackers are as smart, as well organized and as well funded as anything arrayed against them, including most nation states. If you want to raise the stakes from an economic battle to a war, make sure you have the wherewithal to win. And right now there is no reason to believe that we have that ability. The US already has the responsibility of being the nation that first unleashed kinetic, destructive cyber war with the Stuxnet attacks against Iran. It's very much a "be careful what you ask for" situation.

I keep hearing that we are vulnerable to a "Cyber Pearl Harbor".

Like so many things we hear about today, it's a scary phrase, but there's a reason why nobody ever drills down into it. What would comprise this devastating surprise attack in cyberspace? While it's certainly true that various installations in the electric grid, municipal water supplies and major chemical plants and refineries are vulnerable to destructive cyber attack, it's hard to see how simultaneous successful attacks could be coordinated and carried out against hundreds of different installations. While one can easily envision an electrical blackout in a major metropolitan area, or a major fire at a chemical plant that releases a toxic plume, the question of whether those kinds of attacks rise to the level of a "cyber Pearly Harbor" is entirely subjective and difficult to conclude.

So what happens next?

We're still in the arms race stage. And, of course, in addition to the organizations launching the attacks - organized crime stealing money and nation states stealing knowledge - we now know, thanks ironically to cyber criminal Edward Snowden, that global intelligence agencies are actively working to keep weaknesses and vulnerabilities in place. And everything they can exploit can also be exploited by the criminals. So you have this tension where industry is struggling to harden their network security even as their own governments are working even harder to weaken it. The battle over SSL/TLS and access to encryption keys is one worth watching, because governments are perfectly willing to commit crimes, even work with the criminals, while industry is dead set on making it much harder for them to either steal information or demand it through legal channels.

But one can imagine a time - still years in the future, but on this side of the horizon - where the internet and the enterprise network are mostly secure. Think of banks - they can still be robbed, but there's really not much of a living to be made doing so. When the revenue stream that can be generated by hacking networks becomes a trickle, the criminal organizations will move on to another, more lucrative area, and the nation states will return to more traditional methods of espionage. But for now, expect to have your data stolen on a semi-regular basis.