Filed in: CyberWarfare
A couple of weeks ago, I talked about the DOD's new cyber warfare policy. Deputy Secretary of Defense, William Lynn, rolled out his justification and strategy in an essay published in Foreign Affairs magazine. I gave an evaluation on how far along the DoD is in implementing that policy and gave Secretary Lynn a thumbs up for crafting a cogent plan.
In the Strategy section of the essay, Lynn mentions a concept called active defense. This is a government euphemism for Offensive Cyber Operations. He basically says that you cannot be effective in cyber space if you are only playing defense. Lynn said,
"In an offense-dominant environment, a fortress mentality will not work. The United States cannot retreat behind a Maginot Line of firewalls or it will risk being overrun."
This is a basic tenet of regular warfare (look up quotes from any famous general or military expert like Napoleon, Clausewitz, MacArthur, Patton, etc.). To win, you have to take the fight to the enemy. This is no different just because we operate in cyberspace. The basic tenets of warfare do not change simply because you are in a new medium. They are the same on land, in the air and on the sea. If we fight in cyberspace, we have to go on the offense.
This is consistent with what General Alexander, the Army General in charge of the new Cyber Command, said in August when he spoke at the Armed Forces Communications and Electronics Association's LandWarNet conference:
"We have to have offensive capabilities, to, in real time, shut down somebody trying to attack us."
But developing and deploying a framework for these kinds of operations is hard and must be done in advance. You don't want to be making this stuff up on the fly during a crisis. Working out the legal and civil liberties issues is tough. Lynn agrees,
"The speed at which active defense systems must act means that the rules of engagement governing network defense must be set largely in advance. Devising these protocols is not easy."
Also, just saying the Army will conduct offensive operations sounds so clean and precise. It is not. It will be messy. Unforeseen consequences will happen. The enemy will react. As civilians, we like to think that just because the Army will hit back, the enemy will wither and run away. That will absolutely not happen. It has not happened in Iraq and in Afghanistan, and it will not happen in cyberspace. I had an old commander of mine who always used to say, "The enemy gets a vote." Most likely he will not vote to quit.
General Alexander and Deputy Secretary of Defense Lynn know this. They have been around the block a few times. They know what is in store when we start down this path. That is why it is imperative that the framework is in place before the crisis occurs. We must have a general game plan in place that is transparent and generally agreed upon before the first cyber digit is fired in anger; transparent to the good guys and, yes, to the enemy. The enemy must know what we are likely to do before they cast their vote. This will all influence the shape of the battle space.
I believe that all of this is years away, but we have started down the path. The DOD must still negotiate many obstacles; but Secretary Lynn has outlined a strategy and General Alexander has committed to it. It is just a matter of time now.
Filed in: DoD Policy Lynn Intelligence Policy Trends
William Lynn, the US Deputy Defense Secretary, published an essay in Foreign Affairs magazine last week describing recent US Department of Defense (DoD) policy changes concerning cyber warfare. Although the essay does not present much new information, it is the most cogent description of the issues, challenges and potential solutions on the table that I have read in one easy-to-read article. Here is a summary of Lynn's Justification and Strategy:
Justification
In 2008, hackers - most likely from a foreign government - successfully penetrated DoD networks (both the classified SIPRNET and the unclassified NIPRNET) and exfiltrated large volumes of official documents. This situation instigated the formalization of a US strategy (see below).
Cyberspace is asymmetric and the offense will always have the upper hand.
Cold War deterrence models of assured retaliation do not work because the attribution problem is hard.
Cyber warfare forces will not attack just military targets. They will go after the nation's critical infrastructure and industrial secrets.
Cyber Warfare forces will not always come from the network. They will infiltrate the supply chain, both hardware and software, and attack from within.
Strategy
(My assessment of each plank's completeness in parentheses)
Formally recognize cyberspace as a new domain of warfare (Done)
Put one command in charge of the strategy: Cyber Command (Done)
    1) Lead daily defense operations (On-going)
    2) Provide an accountable way to marshal cyber warfare resources across the military (On-going)
    3) Coordinate with other government bodies and commercial entities (Just Beginning)
Dynamic reaction to attacks (On-going)
    1) Maintain computer hygiene (On-going)
    2) Deploy advanced sensors (On-going)
    3) Develop an "Active Defense" but protect US civil liberties (Just Beginning)
Define rules of engagement (Just Beginning)
Support broader efforts to protect critical infrastructure (Just Beginning)
Coordinate Signals Intelligence (SIGINT) with allies (On-going)
Bring the commercial sector into the discussion (Just Beginning)
Fund research and development (R&D); focus on superior technology (On-going)
Train and equip the military cyber warrior (Just Beginning)
Streamline the government's procurement process (Just Beginning)
My Observations
Like I said, there is not much new here. Many of the concepts expressed in the justification and in the strategy have been on the table for the last 10 years. That's the bad news. The good news is that they are starting to congeal into something more than just a set of slides in a PowerPoint deck.
Regarding the actual 2008 data breach, it is not clear who the actual perpetrators were. The code, agent.btz, had been around for at least 3 years when discovered by the US military skipping through both the classified (SIPRNET) and unclassified (NIPRNET) networks. As reported by our Russian analyst, Kimberly Zenz, in December 2008, a Russian hacker most likely crafted the code, but the attack vector was so lame that it seems unlikely that any nation's cyber espionage program would launch it. Wired Magazine's Noah Shachtman echoed this observation when he interviewed Lynn last week.
Still, Lynn's essay is a signpost in the continuing discussion and developing plans of the US government. It definitely shows the direction the US government is heading. It also supports the notion that iDefense put forward in last year's 2010 Cyber Threats and Trends paper: We are witnessing the incipient stages of a significant shift in the center of gravity away from the commercial enterprise and toward the government in terms of new policy, the amount of money that will be spent on cyber security and what the cyber security professional will look like in terms of skill set.
Whether or not the US government will be successful in executing the above strategy remains to be seen. Lynn has cogently laid out the plan. It is clear what he wants to do. Like we said in last year's trends paper though, the space is likely to be muddled for the next couple of years while government leaders work through the issues.
Filed in: Gonzalez

A couple of weeks ago I presented at the annual FS-ISAC (Financial Sector - Information Sharing and Analysis Center) conference held in Saint Petersburg, Florida. I know. It is a tough gig. Somebody has to do the hard jobs around here.
The FS-ISAC is one of several ISACs "mandated" by the US Government to facilitate information sharing between companies within the same business sector. Other prominent ISACs are the IT-ISAC and the Multi-State ISAC.

During the talk, I got to the part where I was discussing the Albert Gonzalez case. If you have been sleeping under a rock for the past year, Gonzalez is the guy that masterminded the TJX breaches. The US Government just recently sentenced him to 20 years for his efforts. It turns out though that he was also involved in some of the most nefarious cyber activity of the past decade in one shape or another.
For example, he was the snitch used by the USSS (United States Secret Service) in Operation Firewall back in 2004, where the feds snatched some 28+ underground carders. He was also a member of the infamous Darkmarket forum, the forum that FBI Agent Mularski infiltrated for two years, resulting in the arrest of some 56 underground carders. It is iDefense speculation that Gonzalez used Darkmarket to exchange credit card numbers with one of his main TJX accomplices: Maksym Yastremskiy. The USSS used Yastremskiy as the linchpin in the case to tie everything back to Gonzalez.

At this point in the presentation, I was telling the part of the story where the feds were paying Gonzalez an annual salary to be a "consultant" for them. You see, they did not know that he was secretly going behind their backs to do the TJX job while he earned $70K a year for being an informant. That was not a typo. They paid Gonzalez $70K a year.
But that is not the good part. This is the good part.
At this point in the presentation, one of the FS-ISAC leaders stopped me cold and said that he wanted to make an announcement. In the interest of full disclosure, he wanted the audience to know that, in fact, Albert Gonzalez presented at this very same conference not five years ago as part of his federal consultancy gig. The USSS brought him in to give the FS-ISAC membership a view from the hacker's mind. This was about the same time that Gonzalez was launching his TJX scheme.

How cool is that?
As you might imagine, this little nugget of information brought the house down. I was almost wiping tears from my eyes because I was laughing so much. I could not have planned it better if I were making it all up.
Filed in: Cyber Arms Control
Before the holidays, I stumbled into a blog over at defensetech.org regarding the subject of Cyber Arms Control. The word "stumbled" is one of those euphemisms I use when I am surfing the net instead of doing real work.
From Bruce Schneier's blog, the Russians and the Americans have started discussions about how a treaty might be arranged that might "strengthen Internet security and limit military use of cyberspace". From what I have read, the Americans are not that interested in a formalized treaty, but in a break from the previous administration, the Obama administration is at least willing to listen.
It is not quite time to gloat yet because there are many years of negotiations ahead of us before this gets any closer to reality. But this falls right into line with something I suggested in an SC Magazine essay back in August. This is the idea that nations could agree to take on individual security issues together. The particular issue I suggested in the SC Magazine essay was the Botnet issue. I suggested that nations might authorize an international team of Botnet Terminators to pursue and destroy Botnets wherever they may lead. If we could just get the Chinese, the Russians and the Americans to sign up for that program, other nations would surely follow. The result would be a game changer. Pernicious Cyber Security Cartels from around the world would have to refit and reconfigure their entire operations in order to avoid the Terminators.
As I said, it is not time to gloat yet. There are many reasons why nations will not want to participate in my Botnet Terminator program or other similar Cyber Arms Control Treaties. I am encouraged, though, that at least some leaders are talking about it. That puts us a lot closer to the possibility than we were back in August and way closer than I ever thought possible when I wrote the original essay.
I guess I need to stumble around more often. If I could just convince my boss, then I would really have a reason to gloat.