Building a Foundation for Cyber Integrity (Part 1/3)

The Center for Internet Security Critical Security Controls for Effective Cyber Defense is an implementation guide of best practice guidelines for computer security.

Implementation Guide for ICS using the CIS Controls cover photo

The guidelines consist of 20 key actions, called critical security controls (CSC), that organizations should take to block or mitigate known attacks. The controls are designed so that primarily automated means can be used to implement, enforce and monitor them. The security controls give practical, actionable recommendations for cybersecurity, written in language that’s easily understood.

Goals of the guidelines include to:
• Leverage cyber offence to inform cyber defence, focusing on high payoff areas,
• Ensure that security investments are focused on counterring the top threats,
• Maximize the use of automation to enforce security controls, thereby negating human errors, and
• Use consensus process to collect the best ideas.

Building cyber integrity is a significant effort but does not need to be costly beyond current outlays for a team that believes proactive security. The Center for Internet Security (CIS) Critical Security Controls provide a valuable, practical framework for establishing cyber integrity presented in three categories: Basic, Fundamental, and Organizational.

These six basic CIS are the first step toward cybersecurity compliance, but it is important to remember that good cybersecurity goes beyond compliance and requires one to be proactive with security. The six Basic Critical Seucity Controls (CSC) are:

CIS Control 1: Inventory and Control of Hardware Assets

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

CIS 2 Control: Inventory and Control of Software Assets

Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

CIS Control 3: Continuous Vulnerability Management

Continuously acquire, assess, and take action on new information to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

CIS Control 4: Controlled Use of Administrative Privileges

The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using rigorous configuration management and change control process to prevent attackers from exploiting vulnerable services and settings.

CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs

Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.

In Part 2 of 3: 10 Foundational Critical Security Controls

Download CIS Control V7 here:

China and Cyber: Attitude, Strategies, and Organization

This thought-provoking NATO CCD COE report “China and Cyber: Attitudes, Strategies, and Organization” by Mikk Rand gives an overview China’s approach to cyberspace and its use to its benefit and to fulfil its mandates, tasks and competencies for its political and strategic doctrine regarding cyberspace.

China is developing greater depth and sophistication in cyberspace its cyber and hybrid warfare techniques and strategies have led to some truly beneficial operations. To date, China’s efforts in cyberspace are primary towards national security, assuring its regime survival, defending national sovereignty and territorial integrity, and establishing China as both a regional and international power.

Principally, China engages in cyber operations to extract information from diplomatic, economic and defence industrial base sectors to support its defence, economic, and technological programs. In this context, one can view China’s cyber operations as being more about trying to strengthen China’s core and less about diminishing others’ power.

Consequently, in the past few years, China’s strategies are to target industries across the world that will shorten reaching its set goals in space, technology, infrastructure, energy (especially clean energy), nuclear power, biotechnology, and healthcare. Also China reinforces its cyber activities with form of hybrid warfare that include Psychological Warfare,[i] and Legal Warfare (Lawfare),[ii] and Public Opinion/Media Warfare.[iii]

Currently, China’s cyber operations are more about attaining a more significant status in the world and one day ascends to the Number One Economy throne, effectively dislodging the US; all without engaging in military conflicts that require bullets, tanks, missiles, warships, and jet fighters.

Raud, Mikk. China and Cyber: Attitude, Strategies, Organization. Tallin: NATO CCD COE, 2016.

[i] To undermine an enemy’s ability to conduct combat operations through operations aimed at deterring, shocking, and demoralizing the enemy military personnel and supporting civilian populations.

[ii] Uses international and domestic law to claim the legal high ground or assert Chinese interests. It can be employed to hamstring an adversary’s operational freedom and shape the operational space. Legal warfare is also intended to build international support and manage possible political repercussions of China’s military actions.

[iii] Influences domestic and international public opinion to build support for China’s military actions and dissuade an adversary from pursuing actions contrary to China’s interests.

FireEye 2019 cybersecurity predictions

A good read. Top discussion points from the FireEye 2019 cybersecurity predictions report includes:

Threats Targeting the Aviation Industry

While it’s important to stay attuned to cyber-enabled physical threats to aircraft and supporting systems, a far more common threat that security teams in the aviation industry must be prepared to defend against is cyber espionage.

Image result for FireEye FACING FORWARD Cyber Security in 2019 and Beyond

The Restructuring of Chinese Cyber Espionage

Notable restructuring in the Chinese cyber espionage apparatus has taken place since at least 2016, resulting in a resumption in the pace of activity. This reorganization should inform the growth and geographic expansion of Chinese cyber espionage activity through 2020 and beyond. Cyber espionage activity related to China’s Belt and Road Initiative will likely include the emergence of new groups and nation-state actors. Given the range of geopolitical interests affected by this endeavour, it may be a catalyst for emerging nation-state cyber actors to use their capabilities.

Attackers Eyeing the Cloud

Adversaries go where the money is, and 2019 promises to offer an increasing number of opportunities for attackers in the cloud. With the cloud, there’s a new, and often expanding attack surface that can be left unprotected or without the proper safeguards in place to protect essential data.

Supply Chain as a Weakness

In 2019, an increase in both state-sponsored and financially motivated supply chain attacks is expected. As organizations have improved their posture and built up their perimeter defences, attackers will shift their focus to compromising third-party vendors, customers or partners with the goal of gaining access to a target’s network.

Cyber Capabilities of Nation States

In 2019 and beyond, FireEye expects to see more nations developing offensive cyber capabilities. As seen with the rise of Iran, North Korea, and Vietnam over the past few years, many other emerging cyber countries are expected to come to the forefront in 2019. Iranian attackers, in particular, will continue to improve capabilities, even as new, less capable groups emerge supporting Iranian government goals.

The Rise in Breaches Due to Lack of Attribution and Accountability

Attribution and accountability are two of the most significant sticking points when it comes to winning the war in cyberspace. Without risks and repercussions for the malicious activity carried out on the internet, attackers will keep attacking, and organizations will keep getting breached.

The Widening Skills Gap and Lack of Trained Experts to Fill Security Roles

According to various industry estimates, there are at least two million cybersecurity jobs that will go unfilled by the year 2020. However, the critical meltdown point has not quite been hit yet, when it comes to staffing. The good news is that the thinking around this challenge is changing.

A copy of the report is available here:

US DOD Cyberspace Operations Doctrine

“… the United States (US) Department of Defense (DOD) is responsible for defending the US homeland and US interests from attack, including attacks that may occur in cyberspace. … the DOD seeks to deter attacks and defend the US against any adversary that seeks to harm US national interests during times of peace, crisis, or conflict. To this end, the DOD has developed capabilities for cyberspace operations and is integrating those capabilities into the full array of tools that the US government uses to defend US national interests…”
The Department of Defense Cyber Strategy, April 2015

While disinformation campaigns waged by state actors, criminal groups, and terrorist organizations have become familiar stories, little is discussed or understood about comparable operations conducted every day by Western countries’ militaries and intelligence organizations. While the emphasis on these operations are directly attributable to their respective sources (e.g. that people know they come from the military), units are specializing in marketing, ads, information, and even disinformation work to support broad and specific missions at home and abroad.

These US military units operate, out of necessity, outside the public eye, but some of the tools, strategies, and methods that they use are emerging into the public eye, and often the cause of severe collateral damages to the innocents. Military units members used an arsenal of tools (weapons) to allow mass email delivery, spoof SMS messages, impersonate social media posts (e.g., Facebook, Instagram), change online poll results, and artificially increase website traffic.

Their targets ranged from China, Iran, North Korea, Russia, countries across Africa, and areas within their own country. The necessity of this kind of cyber information warfare poses many problems, especially for democratic governments, who must walk a fine line between transparency and authoritarian behaviour.

The US DOD like many other countries’ military developed its own cyber and hybrid warfare strategies and this publication “Cyberspace Operations” provides an overview of the joint doctrine to plan, execute, and assess cyberspace operations.

Download a copy here:

One of the West’s biggest cybersecurity vulnerabilities

It is just amazing with nearly weekly news of hack, security breaches, and alarming cyber crimes (too often without describing the ingenuity or deviousness involved) that computers, hard drives, and/or RAM are not wiped clean when they are disposed of as they can be a valuable source of intelligence for those who want it. However what is worst is that there are so many good and free apps are available (DBan, Eraser, Disk Wipe), and if you need an industrial size app, there is Blancco Drive Eraser and KillDisk, and few others; or you can buy your own terminal solution easily.

1: Don’t merely format a disk or RAM as it does not erase the data, only the address tables.

2: Media sanitization and secure data sanitation standard found in NIST SP 800-88 presents the best methodologies to clear, purge, and destroy digital data; however, the responsibilities and challenges to clear, purge and destroy digital data rest squarely with the information owner, and no he or she cannot delegate the responsibility ever.

3: The final solution is using a data destruction system (available on Amazon under hard drive crusher or for a more complete range of solutions see Security Engineering Machinery (SEM) site for ideas).

Edwards, Jim, 2019. “One of the West’s biggest cybersecurity vulnerabilities is our idiotic habit of sending servers full of sensitive information to foreign countries” Business Insider, Sunday, January 6, 2019.

Handbook of Russian Information Warfare

The implications of facing a combined effort of cyberwarfare and hybrid warfare attacks with traditional subversion and active measures are critically important for all. This Handbook of Russian Information Warfare is an exciting introduction to current and projected Russian operations in the information and cyber domains.

It is publieshed by NATO Defense College’s Research Division,  “The Handbook of Russian Information Warfare” is an introductory guide to Russia’s doctrine and activities in this field, including elements of cyber warfare. For those unfamiliar with Russian principles of warfighting, but requiring an introduction to this essential element of how Russia projects state power, this is a good start.

This publication is based primarily on Russian sources. As such, it fills an important gap in the Western study of Russia’s approach to this aspect of inter-state confrontation, representing the principles and practice of information warfare in Russia’s own words. The handbook illustrates key concepts and approaches and explained by direct quotations from senior members of the Russian defence and security communities. The guide also functions as a source book for further detailed research as required; each section concludes with a list of recommended reading for deeper research on specific topics.

Please download a PDF copy of the Handbook of Russian Information Warfare here:

Cyber attacks are inevitable, but can we fight back? (Part 2 or 2)

“Cyber warfare is as much about psychological strategy as technical prowess.” 
― James Scott, Senior Fellow, Institute for Critical Infrastructure Technology

However, what if the attack is against a Northern country’s power grid in the dead of winter? This kind of attack would have military consequences if it were extensive. Most militaries, first responders, and many large organizations have backup power generation capability as well as stocks of fuel reserves, but these stores are not infinite. However, an cyber attack on a country’s infrastructure would likely have military consequences, definitely the case for a cyber retaliation, or even a cruise missile strike, or enven invasion.

Even if the country’s power grid were severely affected by a cyber attack and the government knew with a high degree of confidence which the guilty party was, there would be reasons for caution, primarily if the attack was an isolated incident, and there were no other signs of hostility or harmful intent because cyber attacks can have unanticipated consequences. With any military strike, collateral damage is always possible, but with most conventional attacks, methods of assessing and avoiding collateral damage are well-developed and based on well-established physics principles and observational experience. However, cyber weapons do not operate like missiles or tanks. They attack the underlying network or computer systems. The possibility of unexpected effects in the cyberspace is much higher.

For example, a cyberattack on an electrical grid might be intended to knock out the lights in a specific location, but end up affecting a whole region’s energy supply. The world saw this potential with the Stuxnet worm which was intended for a very specific, isolated Iranian control system, the worm was discovered precisely because it spread beyond its intended target into other related networked systems. Stuxnet did not attack other control systems, but only because the designers programmed in a self-destruct date. If the designers had been less cautious, its effects would have been much more widespread.

Therefore, before targeting a cruise missile at some cyber hub in a country, a coutnry’s leadership would want to have at least some knowledge of both the intentions of the attacker and the consequences (including secondary effects) of the response, otherwise the country might be starting a war by accident. However, a desperate foreign leader might miscalculate that he can get away with a surreptitious cyber attack on an ennemy’s infrastructure for exactly these reasons, and that in and of itself is cause for concern.

Context can make a huge difference. It is relatively easy to assess the damage done by an cyber attack on a country’s infrastructure, but less easy to assess the intent of that attack. If a cyber attack seriously disrupts a country’s power grid during an ongoing war with a known aggressor it is easier to strike back, with military force or with cyber weapons because it is easy to assume the attack was intentional.

Alternatively, given that cyberwarfare is a great field leveller a fearful foreign leader might lash out at a superpower if she or he fears one is on the verge of conducting a devastating cyberattack. The hostility might come in the form of a massive, pre-emptive cyber attack, a conventional attack, or in the extreme, even a nuclear salvo.

Since the ability to mount cyber attacks depends on keeping targeted vulnerabilities secret, both sides may fear that their adversaries possess capabilities that have far-reaching destructive potential, even when they do not. This fear in turn could increase the tendency toward pre-emptive action in cyberspace, followed by devastating escalation.

Cyber adds new and significant uncertainty to warfare and justice, making it difficult both to deter effectdively and respond adequatly. To this effect an International Attribution Consortium consisting of a “broad team of international experts would provide independent investigation of major cyber incidents for attribution. Membership should include representatives from two sectors: (1) technical experts from cybersecurity and information technology companies, as well as academia, and (2) cyberspace policy experts, legal scholars, and international policy experts from a diversity of academia and research organizations. A credible and transparent attribution organization should not include the formal representation of nation-states, to avoid an appearance of bias and to protect transparency.”[i]

[i] Davis, John S. II, Benjamin Boudreaux, Jonathan William Welburn, Jair Aguirre, Cordaye Ogletree, Geoffrey McGovern, and Michael S. Chase, Stateless Attribution: Toward International Accountability in Cyberspace. Santa Monica, CA: RAND Corporation, 2017.

“International hacker-for-hire jailed for cyber attacks on Liberian telecommunications provider,” UK National Crime Agency


Cyber attacks are inevitable, but can we fight back? (Part 1 or 2)

“There is no blood in cyberspace, but there is incredible danger.” ― Donghui Park, International Policy Institute Cybersecurity Policy Fellow, University of Washington

Sadly, now countries aggressively use cyberspace to maximize their national interests.  Cyberspace is a key domain (as in crucial territory) in today’s conflicts and only gain more importance in coming years not only for militaries, but terrorists and criminals.

Imagine that all the sudden that websites of major banks malfunction; ATMs stop working; and banks’ internal systems go haywire. Thousands of businesses and millions of people are affected. Within hours Computer Emergency Response Team (CERT) point to a cyber attack. In the following day there is a run on supermarkets for daily necessities and petrol stations; after a few days the strain on multiple supply chains is showing.

What is the government to do? Well, we know politicians would demand their security advisors to point a finger to the guilty party or parties PDQ. Who? Was it a country? Was it organized crime? Was it a thrillseeker? Why? Was it an accident? Is it a crime? Was it a deliberate attack? Is a prelude to war?

All would be demanding attribution first and like the why later from the national-level intelligence agency(ies) to determine a measured reaction, but would it/they know for certain who had launched the cyber attack. Attribution uncertainty for a crippling cyber attack would make it hard to deliver a measured response by the appropriate department or agency, national security, national law enforcement, alone or with allies…

In the event of a major cyber attack, public pressure for government to respond would be instantaneous and very forceful. If the cyber attack is wrongly attributed because the forensics was wrong and a country strikes back inadvertently starting a war, retraction maybe costly.

Russia’s alleged cyberwarfare and hybrid warfare attacks on the Baltic countries,[i] the Ukraine, the US have kept the issue of cyberspace warfare and undeclared war in the top of the news, but the promises these raise are only the tip of the iceberg when it comes to the role of cyber operations in future warfare. However, it is hard to say with certainty the exact role and impact cyber operations in future conflicts present. Unlike conventional arms cyber weapons impact and effects on the information domain are much harder to ascertain and possibly contain.

Even in cases one country can attribute with great certainty where a cyber attack originated, say from a country that considers cyberspace as just another theater of war like China, Iran, Israel, North Korea, Russia, or the US, it could be hard to know for sure whether its government ordered it. In some cases governments rely on third parties to develop their cyber weapons and conduct their attacks, using mercenary for hire to offer Hacking as a Service (HaaS) or Cybercrime as a Service (CaaS). Third party, especially located elsewhere say Israel’s Unit 8200, offers governments many benefits such as the obvious one, deniability; but it also offers them less control over what their cyber mecenaries do, creating a so called “principle agent problem.”

Also, an attack that originates from within one country’s cyberspace might or might not be the work of that country, further complicates the choice of response. Sometimes, the culprit is clear, of course. However, the question is how, specifically, to respond.

Now that almost all countries of cyberwarfare units, some want to retaliate in kind with a cyber counter attack to inflicts equal damage on the guilty party. However, this is not always possible. If the perpetrator is a terrorist group, then there is no equivalent financial system to target. Then should a country instead use conventional military weapons like a cruise missile? However, what if the country’s financial system had recovered in the interim with relatively minimal real damage, as military response might look as excessive.

[i] Radin, Andrew, Hybrid Warfare in the Baltics: Threats and Potential Responses. Santa Monica, CA: RAND Corporation, 2017.

Bodine-Baron, Elizabeth, Todd C. Helmus, Andrew Radin, and Elina Treyger, Countering Russian Social Media Influence. Santa Monica, CA: RAND Corporation, 2018.

Chase, Michael S. and Arthur Chan, China’s Evolving Approach to “Integrated Strategic Deterrence”. Santa Monica, CA: RAND Corporation, 2016.

What of collateral damages in undeclare wars?

Today’s security environment is unpredictable. Threats can come from states cyber and hybrid warfare units at work and non-state actors’ cyber attacks by criminals, overseas adversaries, and terrorists. Now cyber exploits blur the lines between a prelude to war or plain old crimes.  Countries are invading one another’s cyberspace, releasing exploits to assess the level of damages to they can inflict or the level of penetration (compromise) they can achieve on computer networks, any network (Local Area Networks (LAN), Personal Area Networks (PAN), Home Area Networks (HAN), Wide Area Networks (WAN), Campus Networks, Metropolitan Area Networks (MAN), Enterprise Private Networks (Intranet), Internetworks, Backbone Networks (BBN), Wireless Broadband Network, even the Internet). If these networks were towns and cities, it would be an act of war, but no one wants to claim an act of war over hostile or warlike events in cyberspace, yet.

However, insurance companies are claiming these hostile or warlike actions by countries or people acting on behalf of a said nation means they don’t have to pay out for damages incurred by their insured claimants; they claim such cyberattacks fall under the ‘war exclusion’ section. Case in point, Mondelēz is suing its insurance firm Zurich for refusing to pay out on a $100m claim for damages caused by the devastating NotPetya attack that rendered 24,000 laptops and 4,000 servers permanently dysfunctional following the attack.

For those whose memories need jogging, the NotPetya attack was an extensive wiper ransomware campaign. Major organizations around the world were affected, the likes of A.P. Moller-Maersk, Merck & Co, Reckitt Benckiser Group, Beiersdorf AG, WPP plc, and many others across the world. The entire goal of NotPetya was to inflict as much damage as possible on affected networks.

Many companies affected by NotPetya made claims for the cost of damages on their property insurance policy. Many policies suggested companies’ coverage for physical loss or damage to electronic data, software and physical damage caused by the malicious code makes a cyber attack a valid claim. The insurance companies cite an exclusion in most policies that a “hostile or warlike action” (war exclusion clause) by a country or people acting on behalf of a said nation means it did not have to pay out.

The case has the making of a precedent as governments blamed the NotPetya attack on the Russian military, this link could affect future insurance claims. It gives both insurer and insured firms pause for thought when it comes to their insurance policies. However, most cyber attacks to date have hit civilian (as in non-military) targets who conduct their business and lives unaware that an undeclared war is taking place. The economic damages from such malicious event can only but increase, and blurs the line between cyber crimes from criminals, malicious act by thrill seekers, or deliberate pre-emptive strike prelude to outright war. What if it is an accidental release during a test of a weaponized cyber exploit? Would a country admit its error and pay compensation? Not likely, even if its secret hacking tools fell into unknown hands, remember the Cisco Exploit that came to light after the Shadow Brokers reveilled the NSA was hording zero day exploits.

The attribution of cyber exploits to countries like China, Iran, North Korea, Russia, the UK and US, or group of states like NATO and the 5 Eyes could see this play out in future, where insurers use the link as a legal argument in cases relating to cyber attack claims. It remains to be seen whether these changes materialize as cyber-specific policies purchased by firms or a tightening of terms and conditions for their general coverage in a company property insurance.

One thing is for sure, cyber and hybrid warfare have taken root in cyberspace as they are great field leveller especially for countries with small less capable militaries than the world superpowers. These warfare posturing will surpass the Cold War from a few players to too many, thus resulting in ever-increasing damages to innocent bystanders with no recourse than to reduce their cyberspace footprint, imaginably reducing their business potential as they lose their grip on the Information Age, and slip back into the Industrial Age.

One thing is for sure; countries will continue to exercise their cyber and hybrid warfare skills weaponizing exploits simply because everyone seems to be doing it, and no one wants to be caught flat-footed like Ukraine which was one of the first guinea pigs for Russia. Hence, this can only lead to more severe cyber attacks or cyber incidents (accidents) that increase the costs of collateral damages to civilians without ever being aware that a state of war exists.

As for the ‘war exclusion’ claim by insurance companies, is this a ploy to extort more premium from insurance buyers in the future or limit insurers’ exposures, since we all know that cyber incidents are on the increase, as is their severity, hence their costs? This could be an impetus for organizations to truly consider Zero Trust systems and data encryption at rest and in motion more seriously.

As for cyber and hybrid warfares, will governments learn that if you let slip the dogs of war in chicken coops it will reduce the production of eggs? Doubtful!

Nonetheless, it is imperative that we consider the value of an independent global organization whose mission consists of investigating and publicly attributing major cyber attacks. To this effect, I recommend reading Rand’s Stateless Attribution: Toward International Accountability in Cyberspace. [Davis, John S. II, Benjamin Boudreaux, Jonathan William Welburn, Jair Aguirre, Cordaye Ogletree, Geoffrey McGovern, and Michael S. Chase, Stateless Attribution: Toward International Accountability in Cyberspace, Santa Monica, Calif.: RAND Corporation, RR-2081-MS, 2017.]

Cyberwarfare is the use or targeting in a battlespace or warfare context of computers, online control systems and networks. It involves both offensive and defensive operations about the threat of cyber attacks, espionage and sabotage. (Wikipedia)
Hybrid warfare is a military strategy that employs political warfare and blends conventional warfare, irregular warfare and cyber warfare with other influencing methods, such as fake news, diplomacy, lawfare and foreign electoral intervention. (Wikipedia)

Good news for end-to-end encryption

First, what does End-to-End Encryption mean? It means encrypting communications to make information unavailable to third parties. So when two or more devices communicate via an app that features this level of encryption, the data will be transmitted using a secret code rather than insecure plain text. As a result, only the people communicating can read the messages and no other person; not even Internet service providers, the app maker, the government or anyone else. The data is protected against tampering, surveillance, cybercriminals while it’s transmitted and stored. The encryption key is stored locally, for improved protection. For users, end-to-end encryption provides an assurance of privacy which is a growing concern in the wake of incidents such as 2018’s Cambridge Analytica scandal.

Now for the good news, Snapchat is currently the latest social media messaging platform to add end-to-end encryption. The end-to-end encryption ranks are growing from the likes of WhatsApp, Wickr, Viber, LINE, Telegram, KakaoTalk, Signal, Dust, Threema, Cyphr, CoverMe, Silence, SureSpot, and Wire, and now Snapchat. The feature is looking increasingly likely to become standard across the industry, despite governments and law enforcement concerns

Until then, remember that favourite apps like Twitter, Instagram, or Facebook Messenger don’t use end-to-end encryption, so your conversations and files may not be fully secured. However, if you are like me, a Skype user, the good news is that the company introduced end-to-end encryption at the beginning of 2018; thank you Microsoft.

Note: That since Spring of 2018 Twitter is reportedly testing a secret, encrypted messaging option that would enable its platform. At last news, the “testing is at an advanced stage, but not in place.”