
Baria, uh, "Securing the Hastily Formed Network." Thank
[Applause] you. Good morning everyone, or good afternoon, I guess. Um, it's always hard to be the lunchtime speaker because I think I lose to the food trucks upstairs, so I want to thank all of you for, uh, hanging out with me. I promise there will be food afterwards. Okay, so, uh, let's get on through this. Um, and what I'd like to do is, first of all, if you have any questions, since it is such a small group, um, feel free to ask them and I'll try to answer them right then and there. Uh, are, I want to talk about, uh, sort of an interesting trend I noticed. So I was here for the last two presentations, so
we started off with, uh, was anyone here for the statistics discussion that started off this morning? Right, so you saw the discussion of statistics, and then you saw the gentleman who came right afterwards who was using statistics, and that person went in turn using pictures of airplanes dropping water on fires and stuff, right? So I want to show you the next logical progression, which is the fact that I'm actually talking about airplanes that are dropping water on fires. So I'm sure that I will use some sort of metaphor or analogy that will be used by whoever is following me next, so just watch for that. Uh, what I'd like to do is introduce myself and the team that I work with at
Cisco, uh, and then we're going to talk about something called the hastily formed network. Uh, I will talk about what HFNs are and some examples of them, and we'll talk then about what security and HFNs, and where the intersection of these things come in. And, uh, like I said, we're going to talk about some of the examples that we've seen from some of our most recent incidents. This is a very interesting place, because when we talk about security as mission critical, typically we're talking about often lost information, uh, intellectual property, uh, some sort of dollar value, some sort of monetary value if you're a business or an enterprise or what have you. Um, in this area there's
not a lot of money in it, but it's invariably kind of mission critical to somebody. Uh, typically when we're working in public safety and humanitarian relief, potentially, uh, you're talking about putting people physically at risk. Uh, so that's something that we have to be very mindful of as we go through this process here. So, uh, a little bit of introductions first. Um, I have been at Cisco since, uh, 1996, a really long time. Um, don't think about it too long. I'm actually the team lead for a team inside of Cisco called Cisco Tactical Operations. Um, we're sort of the networking paramedics, if you will. Uh, we go into environments when, uh, a disaster or a crisis has happened and we
will actually establish connectivity for first responders, critical infrastructure and the continuity of government. Uh, we will go into these environments when most other people are getting away. When you won't normally find an IT organization or a bunch of techies running around, that's kind of where we go into. Uh, I am also the chair of something called the Global VSAT Forum Cyber Security Task Force. Uh, this is the organiz... the GVF is the industry organization that represents the satellite industry, and for those of you who've been to, uh, Black Hat and DEF CON recently, you might have heard that satellite cyber security is actually now in the news. So, uh, part of
one of the things I do is work on that particular topic. Before I got into all this emergency response stuff I was doing a different kind of incident response, which is information security, information assurance, um, security architecture, and I was a security consultant for a little while. Um, and then there's this thing out in the desert you might have heard of called Burning Man. Um, I'm an emergency medical supervisor out there, so again, I wear a lot of incident response type hats, both in my day job as well as outside of my day job. Um, and then, uh, a number of incidents I've been part of. Um, I've been doing disaster relief for more than 20
years, including September 11th, Hurricane Katrina, Haiti, Japan. Um, this photo with me and the helicopter here is actually about 2 weeks old, um, and I was in Vanuatu, uh, which is a place I could not find on the map two months ago, um, after Cyclone Pam. So we just came back from an emergency response just, uh, just like last week. So, Cisco Tactical Operations: why does a vendor have a team called Tactical Operations? Do you guys bust down doors with routers and stuff? Um, it turns out almost, but not quite. Uh, our team was created after September 11th to support primarily military operations in places like Iraq and Afghanistan, so if you needed network
engineers to go somewhere outside of the Green Zone in Baghdad during the height of the war, uh, that was a kind of tasking that fell to our team. Uh, then in 2005 this thing called Hurricane Katrina happened, and Cisco, like many other tech companies, said, "Hey, um, if you're a nice techie and you want to go help out in New Orleans, just take two weeks and go." So about 200 Cisco employees were self-deployed into the disaster zone around Hurricane Katrina. But if you think about it, it doesn't matter how many CCIEs you have or how smart you are, but if you're living in a cubicle in Silicon Valley and you suddenly are finding yourself in a
disaster zone, sometimes you're going to cause more problems than you solve. So coming out of Katrina's experience, our te... as a company they said, "Well, we're going to get asked, because of things like climate change and the fact that everyone's moving to IP in the internet, uh, we're going to get asked again and again and again to go into, uh, crisis situations to do humanitarian networks. How do we do this?" So our team was retasked in 2005 from primarily a military warfighting mission to what is primarily what we call HADR operations, humanitarian assistance and disaster relief. Um, the people on our team come from a lot of different backgrounds. Um, we have both
technical and non-technical people on our team, but most of us have worn different hats before we ever came into this job. So, uh, yes, a lot of us are network engineers and techies, but there's also people who are current and former firefighters, current and former military folks, um, people who have been in the field before, a lot of field work experience, and that kind of combination is really what you need to go out there and sustain yourself successfully in the middle of a challenged environment. Um, these vehicles, by the way, these are some of our vehicles. The big black truck with a satellite dish on it is called a NERV, the Network Emergency
Response Vehicle. There is one here in the Bay Area. Um, that's kind of our flagship response unit, but we also have a number of things like satellite kits, and I'll show you some of this stuff as we get further
along. So where have we been? Um, this slideshow, or this slide here, actually lists a number of our responses. You can actually see that our team's first humanitarian response was during Hurricane Katrina in 2005. Um, it's interesting that we're coming up on the 10-year anniversary of Katrina now. Um, and then our most recent response was, uh, just last week in, uh, Vanuatu, to Cyclone Pam. But, um, for the longest time I had to tell my parents what it was that I did for a living, and I always told them if Anderson Cooper was there, chances are I was probably there too. So, um, that's kind of how I explain what we do. So we
will go into these kind of environments where, um, you wouldn't typically find a vendor or a tech company on the ground in these environments, but we're there because hospitals need to come back up and operate, search and rescue teams need to operate, um, you know, security and law enforcement needs to operate in these kind of environments, and so we're primarily focused on making sure those essential services, uh, remain up or come back up so that they can execute their critical mission related to whatever the crisis was. So I wanted to breeze through that real quick here before we get going. Um, are there any questions so far? Yes, question? "What was Operation..." Uh, Operation Verdict was the
response to the Mehserle trial, uh, in the East Bay a couple years ago. Yeah, we were providing a network for the Oakland Office of Emergency Services. Uh, I thought there was another question. Yes. Uh, the question is whether we still do military operations. Um, we do work with the military, um, a lot. Um, like we work with the Philippine military during Haiyan, and we work with, uh, organizations like the United States Pacific Command, but primarily around humanitarian assistance and disaster relief missions. So we don't have a warfighting mission anymore. Um, there's actually another team inside of the company that actually
scaled up and took that role over for us so that we could focus on, uh, humanitarian assistance type operations. So everything we do is unclassified. Everything that we do is, um, there's no secret sauce or anything like that, so people can blog about us, tweet about us. Um, actually, initially, for the longest time there was no page on cisco.com that talked about our team, because what we were doing was actually considered a closely held secret within the company. We didn't want to advertise that this team actually existed, and then we had to transition to: well, now we need to get a Facebook page, we need to get a Twitter account, and who's going to run the
social media for our team, and stuff like that. So, any other questions? Yes, sir. Is team that civan, uh, the civilian population is related to, like, emergency response and things like this, people lost... Uh, yeah, so the thing that you're talking about, so the question was, you know, is there a team, or does this team work, um, on networking for civilian populations and things to that effect. Um, and the answer is yes, we do. Um, so there's this initiative called Connecting with Communities, or CWC, that's the term the United Nations uses, which is to not just connect the responders but to get people who are affected by the emergency back online, because obviously once you get
people connected again, then suddenly they can use that connectivity to actually become more enabled in their own personal response, and that is part of the charter of our team. We do do those kind of missions. So let's talk a little bit about what the heck a hastily formed network is. Um, this top photograph is actually us. Um, this device right here is actually, um, what's called a GATR dish. It's an inflatable satellite dish. So the idea is a 2.4 meter dish is too big to fit in the hold of a 737 to fly somewhere, so what we do is we basically use this thing that looks like a big beach ball. So we take it out, we
pump it full of air, and it's a satellite reflector. So it's how you get, uh, it's a lightweight, rapidly deployable satellite infrastructure. This is actually, uh, Super Typhoon, uh, Haiyan, uh, in the Philippines in 2013. And the photograph with the NERV and that helicopter, those of you who are local here might recognize that that's Moffett Field down the road here. Um, and that's with the 129th Rescue Wing, which is the combat search and rescue team, uh, that's based down at Moffett. We do joint training with them. So all crisis responders have the same problem. Uh, it doesn't matter whether you are a hospital, whether you are a volunteer organization like the Red Cross, whether you're United
Nations, whether you are a, uh, defense agency, whether you are a critical infrastructure provider like a power or a telecoms company, and the essential problem relative to technology is: how do I get the right information at the right time in the right format to the right person and on the right device? We call this the five rights of emergency communication. If any of those rights is wrong, you've just added to the fog of war, you've just added to the confusion, you haven't subtracted from it. This is the fundamental problem that all crisis communicators are trying to solve, whether, uh, anyone here happen to be a ham radio operator? Right, so I'm n6g as well, so I
also speak radio. Um, even ham radio operators have the same fundamental problem, even though they aren't connected necessarily to the internet, they aren't ne... you know, they may be using Morse code or what have you, but again, this is the same fundamental problem which exists outside of any particular technology: the five rights of emergency communications. At the same time, the need and the desire for connectivity in crises is changing. There's an evolution going on in society, in industry, in government, to go from these old world environments where you just had a radio or maybe a telephone to things like integrated data and radio connectivity. You went from a single device like a desktop computer to BYOD,
or what we call in our team BYODD, bring your own device to the disaster. So those of you who are familiar with the BYOD phenomena in business and in the enterprise and in IT, we see that same phenomena occurring in the field in the middle of a crisis zone. Um, initially it was for closed teams, open collaboration. How many of you are on social media of any sort, Instagram, Facebook, Twitter? Okay. A disaster happens, a crisis happens, a building here in San Francisco is on fire, there's 200 people with their cell phones doing this, and they're putting it up on Instagram or Twitter or what have you, right? We've all seen this. In fact, for those of you who don't know
this, the first use of the hashtag on Twitter, the concept of a hashtag, was first used in October of 2007 for the San Diego fires. Big wildfires in San Diego were going on at that time, and that was where the hashtag first came from. Now we use it for everything, but the hashtag concept itself was first used in an emergency context. Um, so we go from fixed locations like a headquarters or an emergency operations center to the fact that people want connectivity everywhere in the middle of a crisis. Now, before we get too far along, I want to state this straight up: emergency communicators, people who actually make technology happen in a disaster, whether
they're ham radio people or internet people like myself or anything in between, emergency communications has never saved a single life. People who say that communication saves lives is, actually, they're using a little hyperbole, and the reality is this: you still need the firefighter to dig somebody out of the rubble, you still need somebody to deliver food and water to someone who is hungry, you still need to provide shelter to someone who needs it, who's a refugee. Communications facilitates all of those things. It is a secondary service which is absolutely critical, but it is not the end goal. The end goal is to make sure that whoever needs help and... who needs service gets it. So the goal here is we want to
provide mission workflow and productivity benefits that helps save lives and speed recovery to affected communities. It is about the message and not the medium. So how do we do that? So what challenges are there? So the technology, the term that people use in our space is called ICT, information and computing technologies. Uh, it's computers, networks, the whole bit. So when you see ICT, think of all the stuff that you would think of as IT. When you have a disaster, when you have a crisis, whether it's Katrina, whether it's Haiti, whether it's 9/11, these are the typical things that we find happening in a crisis. Um, first of all, technology is absolutely needed because people need to
use information, but often that technology or that infrastructure is either overwhelmed or destroyed. First of all, there's a lack of power. There is often a degraded telephony infrastructure: people can't make phone calls, uh, the cell phones are overloaded or the cell towers are down or what have you. Um, the radio infrastructure, what's called push-to-talk radio, the radio infrastructure is degraded. Uh, maybe it's overloaded, maybe your trunked radio systems, uh, the towers for your trunked radio systems are overwhelmed. There's a lack of interoperability. The previous speaker before me was actually using it as a metaphor, where he talked about the police department and the fire department not able to talk to each other. Well, that kind of thing actually
happens in this world. Oversubscribed services, lack of internet access, few IT resources and a lack of trained staff, and this is where we're going to, uh, for the remainder of this talk. Um, during Haiti in 2010, most of the techies, representative of you folks in this audience, two things either happened to them in the earthquake: one is that they either bailed and they evacuated out to Florida or some other country, they got out of Haiti, or two, they were dead. So who brings back the infrastructure, who brings back the technology, when your techies are dead? Um, so that is one of the challenges, and then the other thing is lack of information security. Security is
a real challenge in this environment. You think security is hard in... I used to work for Cisco's infosec team, and it was hard to get my IT department in building 12, down on the San Jose campus, to actually pay attention to why you should use good passwords and why you should use SSL instead of using Telnet and unencrypted, uh, sessions. Try doing that in the middle of a crisis. It's a very challenged environment, and the reality is this, is that when you work in this environment... so does anyone here not have a smartphone, laptop or tablet device with them right now on their person? Does anyone here have no device whatsoever on them? Right, we're all connected, we all
brought a laptop, we all brought a smartphone, we all brought some sort of tablet. The reality is, in a crisis environment people aren't heads down like some of you are right now in this room. Techies live heads down, we're always looking at our screens. In emergency response and humanitarian relief people are heads up, because guess what, the real problem is out here in the world, it's not down here on your screen. So bringing these two worlds together is actually an ongoing challenge. So how do you do information security, how do you do anything incident response, in the middle of that? So the term hastily formed network was created by the Naval Postgraduate School to describe emergency networks that did not
exist before a particular event. So an earthquake happens, a hurricane hits, um, some sort of crisis happens, and suddenly where there was no connectivity you suddenly need connectivity, either because the old connectivity is gone or destroyed or overwhelmed, or because there simply wasn't any to begin with. So, instant emergency networks. HFNs are portable, so you got to be able to bring it in, you have to be... it's typically IP based, and these are deployed when a pre-existing network is either overwhelmed or unavailable or what have you. And the goal of an HFN is to enable people who were actually on scene and in the field to talk to remote responders, to coordinate their operations, to
enable connectivity for ordinary individuals who've been affected by the crisis, to establish command and control. And the goal here of an HFN is to enable the people in the middle of the affected area to communicate amongst themselves as well as to the outside world. How do you tell the rest of the world that you need medicine or blankets or shelter or anything? You need connectivity to make that happen. So these are actually some of our, uh, volunteers using some of our kits here and deploying some of this stuff in training and exercises. So HFNs are fundamentally portable, rapidly deployable, and the other thing is they are interim. Like I said, we're the networking paramedics, we aren't the
networking, uh, let's see, how, where do I fall over with this, we aren't the networking plastic surgeon. We're not there to take you to the end-to-end life cycle of things. Once the pre-existing networking or communications infrastructure comes back, maybe the cell phone carrier comes back, this stuff gets packed up and sent home, right? It's interim, or a gap filler. Typically you see technologies like Wi-Fi, satellite communications, WiMAX. Um, you're starting to see some things like around LTE also deployed in this space, but those are kind of your basic building blocks of this kind of technology. Um, the top photo up here is actually, uh, an inflated GATR satellite dish, the inflatable dish, um, in Guiuan, at the
Philippines. Um, you see some emergency communications vehicles. You see down here one of our, um, one of these kits, these, uh, sort of networks in a box kind of kits. Um, you can actually see, uh, here in the corner, this is actually, um, it's hard to see if you're a little bit further away, but this thing with the fire engine here, that's actually a mesh wireless access point that's providing network connectivity during actually a simulated exercise, where we simulated that a high-rise building was on fire, and so you had 200 firefighters running around and they're trying to put out a simulated fire, and we were doing things like wireless connectivity for their helmet cameras
and things along those lines. So what are examples of hastily formed networks? Any questions about the concept before I move on here? So this is Port-au-Prince, Haiti, 2010. Um, you all saw what that place looked like after the earthquake. There was 250,000 fatalities in this event. Um, it was actually probably one of the, uh, most significant disasters of our new century here. Um, this is an example of an HFN. Uh, what you see here is that there is a satellite landing zone here at the airport, and then using point-to-point terrestrial shots you're actually distributing the network to these other locations, whether they're staging areas, feeding and support sites, or what have you. The reason why is
because satellite dishes are actually really rare in a disaster. They don't just happen everywhere, not everyone has the ability to afford them. So the idea is you bring in one satellite dish and then you use terrestrial point-to-point wireless or some other method to actually distribute the network around. And in this case this network was actually linked to the USNS Comfort, which was actually a hospital ship, uh, sitting in the bay, and what this network was being used for, among other things, was actually for medevac support. So as people were being dug out of the rubble by urban search and rescue teams, um, the helicopter airlifts, in other words, uh, helicopters would fly off of
the ship, go to some of these field hospital locations, pick up patients and then deliver them back to the Comfort for advanced medical care. So this is what these networks are used for. Um, they are typically high bandwidth. The people who actually sit right on the other side of my desk, uh, in San Jose, they work on multi-terabit carrier networks, and then here I am working on the far end of a thin sippy straw of satellite connectivity. It's a very strange thing. Um, but, uh, you know, so your idea of high bandwidth is not my idea of high bandwidth. I'm happy if I can get a megabit sometimes. So that's what 2010 looks like.
Um, this is what the looks like. So again, this big black truck that Cisco has, um, this is our internal infrastructure. We actually establish, uh, VPNs across the public internet, we have core routers, mesh networks, voice over IP, TelePresence. Um, we use a technology called Cisco IPICS to actually bring together, um, you know, so the police radio and the fire radio that don't talk to each other, incompatible, we actually bring them into voice over IP, and once they're just voice over IP we can mix and match them as we need to. So we can actually enable first responders to communicate even if their infrastructure, when they showed up on scene, don't actually, uh, aren't compatible with one
another. Question? In that case those re... not at all, and that's the brilliant thing about it, because it happens invisibly. If, um, if we're doing our job right, the cop or the firefighter doesn't know why they can suddenly talk to the other organization. It happens kind of invisibly in the background. Um, we want to be as transparent as possible, and the reality is, when you're in a crisis environment people will naturally revert to their lowest level of training. So if you show up at an emergency scene and all of a sudden the radio that you use day-to-day is suddenly replaced by a different radio, that's kind of a headache, right? All of you who have smartphones here
know exactly where all your applications are, your most used one anyway, because you have muscle memory supporting that. So you got to think about sort of user, uh, usability and the user experience, so you want people to be able to use their lowest level muscle to support whatever they need to do. Question? We can, and actually that's one of the things I'll get to as we start going along here, so hold your question, and if I don't answer it come back to me. Uh, right here.
Okay, yes, so it's really interesting. So, um, there is no line on... you can't go to cisco.com and order a NERV. Um, it's really funny, I don't know how many of you have actually ever bought anything from us, but it's pretty Byzantine actually. Um, but I can assure you that there is no Cisco line item for a NERV. However, what we do do as part of the business side of what we do is, um, we have proven bills of materials and architectures that we provide. So, uh, one of the things that we talk about a little bit later here is Ferguson, Missouri, and the vehicle that was actually attacked is actually based on
our NERV architecture. So, uh, hold that thought, I'll get to it in a little bit. But the reality is that our operations are funded, our humanitarian operations, all those deployments you saw, is funded through corporate social responsibility. So Cisco doesn't charge for what we do. I mean, I'm one of the few things that Cisco actually gives away for free. Um, anyone who's ever had to buy SMARTnet knows that this is, you know, this is a very rare thing. Um, but Cisco gives us away for free, um, because it's considered the right thing to do, yada yada yada. Um, but if you did want to buy one, I can actually point to an account manager. I
am not responsible for any sales or anything like that, so even though I'm using a vendor slide deck here and I actually am a vendor, uh, I don't have any financial interest in selling you guys anything on anything here. Uh, we're pretty much talking just as, um, sharing some of our experiences and a lot of war stories, basically. Any other questions before I carry on? So the other thing that we just did here is another hastily formed network example: Ebola in West Africa. Our team was actually asked, um, so those of you who don't, uh, who might have heard about this, um, so Ebola hit three countries in West Africa, right,
Guinea, Sierra Leone, Liberia, um, all of a sudden, and when you talk about something that is increasing at a literal geometric rate like Ebola was last year, um, data becomes absolutely key to getting in front of the disease, because the disease is moving at this level where it's doubling every three weeks. You have to have effective data collection and effective communication to get in front of and contain Ebola, right? So this network here, uh, on this left hand side here, I just kind of drew one up on the slide, but this was 20 remote locations in Sierra Leone and Liberia. These are what are called ETUs, or Ebola treatment units. These are clinics, health facilities, these are
places where Ebola patients are actually being treated, um, or places where disease surveillance experts are actually coming together to actually work. Um, and then they're going over satellite, and one of the things that happened was that this network was put into place, so the satellite network was deployed pretty early on without any security in it, and it was donated by a company called Eutelsat, which is one of the big four satellite service providers in the world, and, um, they said, "Hey, you know what, because this is Ebola we're going to give you your first 100 gigs per month free." Okay, they're going to donate it, which is pretty awesome of them, right?
It's pretty awesome that the satellite service provider is going to give the humanitarian community access to satellite data for free for a little bit, right? And then what happened was they realized in two weeks they were blowing through that. Why? No one knew. No one knew, and we're going to come back to this in a little bit here, because we found out why. So at any rate, what we wound up doing was, we actually deployed, instead of actually deploying security in the field at the field locations, because some of these locations were so remote that they could only be reached by donkey. Can you imagine taking a router or a firewall, strapping it to the back
of the donkey and then hiking it into some place? It's going to take you weeks, and that's hoping that the box actually survives the trip and makes it there in one place. And then who does the deployment? Who do you trust out there? Who's actually going to plug this thing in and connect the cables correctly? So what we did was we actually deployed, um, this device here, the Meraki MX80, actually at the teleport side, on the other end of the satellite link, to do the security, because it was going to take so long to get into the field that it just wasn't practical to do so. Um, so that is what hastily formed
networks look like. They are often based on satellite, there's a lot of Wi-Fi. The technology is actually not that different than what you're used to in an office environment, in a business environment, uh, in day-to-day life. Um, many of you are often at home having higher bandwidth than we do in these networks. So where does security come into this? What are we really trying to do when it comes to security? The first thing we are trying to do is protect the mission. The mission absolutely comes first, right? We are there for some reason, some awful thing has happened, whether it is the refugee camp which is the world's largest refugee camp in Kenya, whether it
is Zaatari in, um, Jordan, which is supporting refugees from Syria, whether it is Philippines, whether it is Katrina, whether it's a wildfire in Northern California, we are always trying to protect the mission first. Um, we obviously want to keep bad things out, but we also got to keep bad things from getting out, because I'll tell you right now, that whole BYOD problem, humanitarian laptops are some of the most trojaned devices I've ever seen. People are out there, they are outside of their organization's firewall, they are well outside of their organization's IT support, who knows what they're plugging in. They're plugging into like a cyber cafe in Nigeria and that kind of environment, right? So think about what
happens there. So we need to keep critical services running, the services that are absolutely mission critical for the incident commander, for the paramedics, for the hospital, we need to keep those things going. We need to know what's going on on the network and on the devices, and just like all the rest of you, we are challenged to balance security versus access. We have to make that call, and we have to get it right every single time, because the price of not getting it right sometimes is very high, and that's not really a lot of hyperbole, sometimes that's actually literally true, though, that we have to get it right every time. Um, these photographs here, actually
this top photograph, um, some of you who are local here may recognize this. This is the San Bruno gas pipeline explosion, not too far away from here, in 2010, that PG&E pipeline that blew up and took out 40, 50 homes. Um, that is actually me inside the NERV. We were on scene for that fire for 3 days providing, uh, a lot of emergency networking communication support for the entire incident management team, because when the fire blew up, the first thing that you do when a fire happens is you kill the power, because you don't want firefighters spraying water on live energized power lines, that's bad. So what you do is you kill the power
in this area, so all of a sudden you go into that area, and once the batteries on the cell phone networks go away there's no connectivity. You've created basically a dead zone in the middle of San Bruno, California. So what we were there to do was actually provide the connectivity for law enforcement, for fire, for rescue, for PG&E, for other folks there at the scene, and we were called up by Cal Fire for that particular response. So this is what our world looks like. It's literally, you guys talk about firewalls, I talk about firewalls too, but then actually sometimes there's actually real fire right outside the door. So, um, this is kind of one of those places
where the metaphorical and the literal actually kind of come together.

So I started off back in the 90s doing firewall administration, and stop me if you've heard this one before: someone can't do something. "I'm trying to use an application, I'm trying to get to some site, can you turn off the firewall so I can get to it?" Right? I can't get to something, the first thing that's suspect is the firewall; turn it off. Right, I mean, I think everyone has run into this before. When you go into a crisis zone, one of the big pressures that's on people who do this kind of work is they need to get it up yesterday. They need to
get this n-, because remember, this network didn't exist, it doesn't exist, it needs to exist, and needed to exist yesterday, because if this network doesn't exist, babies will die, right? I mean, that's kind of how the story goes. So: I don't have time to secure the infrastructure, I have to get this site up and then move on to my next site, and then move on to my next site, and then move on to my next site. This is the number one challenge as a security person that we face again and again and again: security is always seen as an afterthought, because the existence of the network, the existence of the infrastructure, is considered so critical
that security falls, like, to priority number 10. Now, turning that on its head: if the network is that critical, you really ought to secure it, right? So what we tell people is that just because it's a hastily formed network does not mean it's an ad hoc or unplanned network. Plan these networks in advance; plan your security into your infrastructure before you actually need to break it out. So a lot of times these networking kits are actually just kits: they sit in a Pelican case and they're ready to go, and they have some sort of fixed configuration in them, and all you need to do is plug them in and turn them on. Well, if that's the case, you can build
into that network, you can set it up in the configuration. So this vehicle right here is, uh, they don't have them anymore, the American Red Cross, uh, they're called ECRVs, emergency communications response vehicles. They are both radio trucks, so they have ham radio and other stuff in there, but they're also networking assets: they have Wi-Fi and point-to-point shots and some other stuff. They're actually really cool things, and I used to volunteer on these vehicles back when I was doing stuff with Red Cross. Um, and then this is actually Camp Roberts, California, where we're actually using wind and solar power to actually power the satellite dish, which is then powering a mesh wireless network, so we
get to play with some sort of alternative technologies and things like that in places where power isn't available.

So, basic security 101; this shouldn't be surprising to anybody in this room. Um, a lot of the same basic security principles that we all use day-to-day also apply to hastily formed networks. First of all, principle of least access, right? We don't leave things wide open if you can at all help it. But the problem is, advanced authentication like two-factor authentication, RADIUS and things like that, that may not be available to you, right? So you got to think about the fact that this is not an enterprise network, this is not a business network, this is not some ISP
class network; this is something you just took out of a Pelican case and plugged it in. There's no Active Directory in the middle of Port Vila, Vanuatu, when you're sitting in a tent somewhere. So how do you do authentication and role-based access control? Those are things you need to think about, because some of those dependencies on other resources aren't there. Um, that satellite, you know, so for those of you who don't know, when a big heavy rainstorm comes in, sometimes satellite networks go down because of rain fade, right? The heavy rain actually attenuates a satellite signal to the point where your link to the outside world will go down for a little while. So if you're depending on
resources on the other end of that link for your local access and authentication, all of a sudden you create a denial-of-service attack on your local infrastructure when the rain comes in. We assume that threats may come from anywhere in the network. Um, we want to strive for simplicity: uh, once the network is configured, the security architecture should really establish itself. And then we realize that there's personnel already who have too much to do, um, and we need to be able to automate as much of this as possible. We need defense in depth, because there is no such thing as a security silver bullet, um, and anyone who's trying to say that is trying to sell you something. Um,
that's the other conference here in town this week. Um, on-site staff may have little to no security background, right? So typically in these environments you are trying to use local staff whenever possible, but very rarely do you run into somebody who has a CISSP out there in the middle of nowhere, right? Security-knowledgeable people are harder to find than networking or system administration people, and those individuals are pretty rare as well, right? So, um, acceptable use policies, incident response may be undefined. In other words, somebody like the United Nations Emergency Telecoms Cluster will come in; so the ETC is the organization within the United Nations that has the mandate to create emergency networks for humanitarian response
organizations. ETC comes in, they set up a Wi-Fi cloud, they throw up a satellite dish; now there's a place where humanitarian responders from 12 different organizations can come to and work, okay? But now who establishes the AUP for that? Who is going to monitor that network and then say, "Hey, you know, guess what, uh, Doctors Without Borders, you're no longer allowed to be on the network because your machine is trojaned, I'm going to kick you off"? Blacklisting or whitelisting traffic, there's, you know, it's very hard to figure out those things. You know, you may have a hard time figuring out, um, where your policies are back in your home office, but out in the field it gets a
lot harder. Technology is easy; politics is hard, and politics is especially hard in these kind of
environments. Come on, PowerPoint, work with me, human man,
thank you. Anyway, so, managing infosec emergencies. Um, one of the downsides of hastily formed networks is that they will often overlook security; again, that whole idea, "I need to get deployed right away." If you have a basic firewall, that's usually where it stops for most organizations: basic firewall, WPA on the Wi-Fi, it's good to go. Can your users get to Google? Yep? Okay, let's move on to the next slide. So there's often no such thing as a chief security officer in a disaster. Now here's the downside: this is actually a huge risk for responders. If you're an emergency responder and your world is up here, heads up, remember, not heads down, that means that you are not looking
for or expecting the attack that is coming towards you. Our team have integrated security at a lot of different levels, but honestly, we're Cisco, we know how to do this stuff because we are trying to sell you this stuff at the other conference, right? Um, but again, we're the exception, we're certainly the exception. Um, so it's very important to, um, get agency buy-in and support. So if you go into an emergency, if you're talking to FEMA or what's called the communications unit leader in the United States, or COML, it's important to talk to the agency: okay, look, I have the ability to instrument this network and look for attacks; do you want me to
prevent attacks, do you want me to go into an IPS kind of mode as opposed to just monitoring? And often you have to spend a lot of time with these organizations and actually explain what you can do and what the threat is, because the person you're talking to, the incident commander, is a 35-year fire veteran who has been on more fires than you can ever count and has breathed more smoke than you've ever imagined, but doesn't know the first thing about how the internet works, doesn't know the first thing about security. So being able to take all of the technology stuff that we're all familiar with and then turning that into, um, something that they can understand is
a key thing. So if nothing else, if you're working in the space, being able to communicate in non-technical language technical concepts is really important.

So HFN security starts with the physical. First things first: you're going into a disaster zone, so when you talk about infosec and cybersecurity stuff for HFNs, layer one is where it starts, at force protection. Don't become part of the problem, right? I mean, on our conference calls in Haiti you can actually hear gunfire. Um, so do you need to actually be there in the first place? That's something to consider. Physical security of your equipment, logistics, intelligence, health and safety: it is easy to go halfway around the world into Haiti or Vanuatu
or the Philippines; the hard trick is to sustain yourself once you're there and not become part of the problem. So all of our analysis when it comes to security starts at layer one; this is our layer one problem. And then on the other end, um, we use our own stuff, IronPort, Meraki, etc., etc.; there's other stuff out there that does the same thing. Um, layer 7 inspection: we turn on all of our automated stuff, we're actually able to say, hey, guess what, we're able to do layer 7 inspection, we can blacklist and whitelist hosts. And then someone asked about quality of service earlier: we can do QoS and bandwidth throttling, because one of
the big things you see, aside from all the malware and all the bad traffic, a lot of software updates, because a lot of times these laptops sit in Pelican cases and warehouses for deployment, so the first thing it does is it does Windows updates, right? You take it out, you want to do a Windows update, and now that thin sippy straw of satellite connectivity you have is chewed up downloading stuff from Microsoft. Now, I want people to get Windows updates, right, because that fixes security problems, but I don't want that to create a denial-of-service condition on the satellite. So I will do quality of service, I will rate limit, you know, no more than, say, 500 kilobits per second, so
your AV updates, your security updates, all that stuff will still get through; it'll just take a little longer, and that way I can prioritize the mission traffic over your sort of security traffic. So throttling software, um, enabling things like Facebook but not peer-to-peer, right? Social media is important in an emergency, both for psychosocial support as well as the fact that you want to inform the rest of the world what you're doing. But again, since we're talking about an environment where I don't necessarily control the end device, I don't control people's phones or laptops or what have you, I have to build all the security into the network infrastructure. All the intelligence has to live in the
network, because I can't touch any of the hosts. I have to assume that every host is contaminated, every host is compromised, and if my experience with Ebola is true, they actually quite often are. It's very funny how you're fighting an actual virus and a computer virus at the same incident; it's very strange. Um, when it comes to satellite connectivity, denial of service is really your primary security concern. Um, often in these environments satellite connectivity is the only way to go, is the only way to get out, so now you got to protect and police that satellite bandwidth. Um, botnets, zombies, all that stuff, but then there's also the inappropriate use stuff, you
BitTorrent, peer-to-peer, adult content, all that stuff, um, chews up a lot of bandwidth, so you got to police that, but someone's got to establish that as a policy first. So this is an example: this is the Ebola response network for NetHope, this is that 2020 Ebola, uh, hospitals and facilities in Sierra Leone. Um, when we first deployed it, we put it in a monitoring mode, so this connectivity here, you can see how the bandwidth utilization is going, and then all of a sudden we started implementing rate limiting and policing the bandwidth. Now, the number of actual users and devices is still the same or increasing, but you can see the actual bandwidth being used is much less, because we're
actually throttling things that need to be throttled, we're blocking things that need to be blocked, we're blocking all the botnet traffic from all the, I mean, oh my gosh, it was kind of scary to see how many of these laptops, and think about it this way: all those laptops have things like health records in them. So anyone here have to deal with HIPAA and stuff like that? Well, there's no such thing as HIPAA in West Africa, but you got to get the point,
right? Um, no, I was trying to keep that from happening, but yeah. Anyway, this was an example where we had a security incident at the EV Road fire in North Carolina. On our truck, a firefighter's laptop came on to the network already trojaned and it started sending spoofed zombie traffic out to the internet, trying to look for other hosts as part of a DoS botnet. Um, so we created, it created a satellite uplink, uh, a satellite service attack on our own infrastructure, so we created a bunch of VLANs and started throttling, like, untrusted versus trusted VLANs and stuff. Whoa, did I, I did that, sorry. um's my else okay, thank you. Uh, so
trusted VLANs have access to servers, vehicle resources, and untrusted just get access to the internet. And I'm running out of time here, so I want to fly through these other slides real quick here. This is kind of what our network looks like. You can see that there's ingress and egress access lists across the way; we do layer 7 inspection for all sorts of applications. Firewalls: each unit, each kit, each vehicle has its own firewall, but we maintain one policy everywhere, and then we do layer 7 inspection to back that all up. We do things like bogon filtering inbound and outbound as well, um, and we do sanity checking for outbound traffic. So the idea is we
don't want to be, we want to protect the rest of the internet as well as we're protecting ourselves, because we know that we're going to be a source of bad traffic. Real-time reporting and real-time response: um, this was the Carlton Complex fire in Washington in 2014. We supported 673 devices on the south zone of that fire; that's, you know, firefighters and support personnel. Um, we documented a ton of attacks against that attack surface, and when we provided that to FEMA, they said that this was the first documented cyber attack against a first responder attack surface that they were aware of. This was just last year, and this should scare everybody, because there was nothing
special about this fire; it just happened to be that we were there and instrumented to detect it. So when you hear about all these brush fires that are happening and other disasters that are kind of routine, understand they're all being attacked constantly; we just happen to be able to detect it and pick it up and mitigate some of it. So this is an ongoing challenge. So this is us in Vanuatu; this was actually our headquarters, our network operations center is a canvas tarp, bunch of switches, couple laptops. Um, and this was Tanna Island in Vanuatu, uh, setting up stuff with BT.

So security and hastily formed networks are not mutually exclusive. We're trying to tell the first responder community
that they will be attacked, they already are being attacked. We're trying to educate folks like yourselves that this community of responders needs a lot of help. Um, if you're inclined to volunteer with organizations that do stuff like this, please do so; they need it. Um, we have not yet seen targeted attacks ourselves, but it's certainly possible. The Missouri State Highway Patrol, during the Ferguson protest a couple months ago, had a targeted attack against one of their command vehicles; Anonymous did it. Um, and, uh, we've seen incidents with the Syrian Electronic Army as part of the Syrian Civil War, and that has actually resulted in fatalities, right? Someone goes in and steals the database and then
suddenly decides to go into the refugee camp and decides who's Sunni and who's Shia, and then if you're the wrong sect they separate you guys and then you disappear. That sort of thing happens. So, um, information security in disaster relief and humanitarian operations is currently vastly underappreciated. Things you guys all take for granted are brand new to this community, and we're in 2015; they are well behind the curve. Um, we've submitted to both FEMA and the United Nations the idea, this is best practices. Um, and then lastly, what I would leave you with here before I take any last questions, um, in the time that we have left: this is a responder safety issue. Responders are at risk from electronic
attack. This isn't the cyber Pearl Harbor; this is stuff that's happening day to day, and the failure of these organizations to secure their infrastructure leaves vulnerable populations at additional risk of victimization. If you're already a refugee, if you're already a disaster victim, you are at the mercy of these networks and their security or lack thereof. So these organizations have a duty, which is currently underappreciated, to secure their infrastructure, because they TR their mandate to support people who are in crisis, they're letting them down in the electronic space. So, um, with that I will take any last questions here before we wrap up. Um,
yes. Yes, and actually is one of the partners that we use. So the question is, do we coordinate with NGOs? Yeah, our team works a lot with the NetHope community, with the United Nations, with the Red Cross and other, I mean, those are kind of the bread and butter organizations that we talk to a lot. Uh, question? Yeah. Do you know any more about these people are attacking these n? Um, so right now, based on our own firsthand experience, this is just the stuff that you get exposed to just based on being on the internet, not specifically targeted necessarily. However, the situation, um, with regards to Syria is a little bit different. Um, we
have seen specifically targeted attacks against specific individuals where people wind up dead afterwards. Um, that's happened actually as part of the Syrian Civil War, so, um, not domestically, not related to, like, the firefighters and stuff, but when you start talking about human conflict zones and how there's a cyber component to those things, um, yeah, we have seen some of that. Question? Yeah. Um, do you travel with any kind of, sorry, say again please? Do you travel with any read-only media likebox or to have know J. We don't, but other organizations do. So for example, like, the American Red Cross actually deploys things like Windows servers into the field for their own applications. The problem with us is that
we're always supporting somebody, day to day we don't know who we're going to support on the next incident. But if you're the American Red Cross, you know you're always going to be supporting the American Red Cross in the field, so you can actually tune your server infrastructure and your technology package to just support American Red Cross applications. You know what forms you need, you know what applications you're going to need beforehand; we don't. Um, yes? So Washington DC recently had some remove encryption from the radios for interoperability. Um, do you have any comments on that and how that plays out in, um. Yes, typically first responder radios are not encrypted, um, in that,
uh, they're usually UHF, VHF, over the air; if they're trunked, they're trunked, so be it. Um, cryptography does sometimes play an issue with regards to, um, interoperability, but the reality is, if we're doing a radio bridge where I take your radio that's encrypted and my radio that's unencrypted, we're actually taking the audio out of it, so it's already clear text by the time it gets to me, right? So now the problem is that now, if you're bridging two different radios together where it's encrypted and unencrypted, all of a sudden someone tuning into the unencrypted frequency now hears what would be the encrypted traffic, right? Um, it tends to be rare in this space; it's more from military
communications, although, like, SFO, the airport here, even the janitors are carrying P25 radios that are encrypted on them, that are, like, $5,000 radios. It's kind of crazy; that's the way it works. And then, um, the last question I have is, uh, the lady behind you, please. Um, so I'm actually wondering, I know respond, you're mentioning respond to demonstration, and I'm a little curious how you reconcile making responders to disaster safer with making responders to protest, who are actually going out and harming people, also. That's a great question. Um, the reality is that the principles apply to both, so why the incident is happening is secondary to the process. Um, responder safety is
typically why we bring people into here, so, um, the political motivations for why something is happening are really extraneous. Um, so to take a couple of examples, if you look at Ferguson, for example, um, so people in this room probably have a lot of different opinions about why Ferguson happened, and the other protests. Um, the fact of the matter is that you had people who were rioting in Ferguson, they were burning down things; you still need to coordinate the fire department to put out the building that's on fire. That still needs to happen. The fire department won't go into a place if they feel that the situation is unsafe, right? People think that fire department will
charge into a burning building; sometimes they will, but the reality is that if there is a physical threat or a perception of a threat, whether it's valid or not, they won't go in. You still need to coordinate that stuff. That wasn't how doile coordinating response with coordinating American CI. Um, I think that the reality is that we support first responders in maintaining a general sense of public safety. Um, going back to the Mehserle incident, we were supporting the Oakland Office of Emergency Services so they could actually see what was going on, right? The command stuff that goes on, the decisions that law enforcement takes, is actually secondary to the information
that we have. But at the same time, law enforcement and other organizations, they're mining social media, so if you look at some of these, uh, incidents, um, people are, like, webcasting protests and stuff; I can tell you right now that, uh, those organizations are actually doing that, uh, the response community is doing that as well. Um, I actually happen to be pro-technology in these circumstances, because accountability matters to everybody, right? So things like body cams and live streaming stuff are actually good for everybody: it protects the public from overreaching response, it also protects responders from an overreaching public. People tend to behave themselves when
everyone knows they're on camera. And if there's any other questions, I'm happy to take them offline, because I know that we have a next speaker coming up. So I want to thank you very much for your, uh, your, um, your questions and stuff, and have a great day, and thanks to OpenDNS for supporting