Recently in Policy

Cyber Warfare, Voting Enemies and Legal Frameworks posted by Rick Howard

A couple of weeks ago, I talked about the DoD's new cyber warfare policy. Deputy Secretary of Defense William Lynn rolled out his justification and strategy in an essay published in Foreign Affairs magazine. I gave an evaluation of how far along the DoD is in implementing that policy and gave Secretary Lynn a thumbs up for crafting a cogent plan.

In the Strategy section of the essay, Lynn mentions a concept called active defense. This is a government euphemism for Offensive Cyber Operations. He basically says that you cannot be effective in cyber space if you are only playing defense. Lynn said,
 
"In an offense-dominant environment, a fortress mentality will not work. The United States cannot retreat behind a Maginot Line of firewalls or it will risk being overrun."

This is a basic tenet of regular warfare (look up quotes from any famous general or military expert like Napoleon, Clausewitz, MacArthur, Patton, etc.). To win, you have to take the fight to the enemy. This is not different just because we operate in cyberspace. The basic tenets of warfare do not change simply because you are in a new medium. They are the same on land, in the air and on the sea. If we fight in cyberspace, we have to go on the offense.

This is consistent with what General Alexander, the Army general in charge of the new Cyber Command, said in August when he spoke at the Armed Forces Communications and Electronics Association's LandWarNet conference:

"We have to have offensive capabilities, to, in real time, shut down somebody trying to attack us."

But developing and deploying a framework for these kinds of operations is hard and must be done in advance. You don't want to be making this stuff up on the fly during a crisis. Working out the legal and civil liberties issues is tough. Lynn agrees,

 
"The speed at which active defense systems must act means that the rules of engagement governing network defense must be set largely in advance. Devising these protocols is not easy."

Also, just saying the Army will conduct offensive operations sounds so clean and precise. It is not. It will be messy. Unforeseen consequences will happen. The enemy will react. As civilians, we like to think that just because the Army will hit back, the enemy will wither and run away. That will absolutely not happen. It has not happened in Iraq and in Afghanistan, and it will not happen in cyberspace. An old commander of mine always used to say, "The enemy gets a vote." Most likely he will not vote to quit.

General Alexander and Deputy Secretary of Defense Lynn know this. They have been around the block a few times. They know what is in store when we start down this path. That is why it is imperative that the framework is in place before the crisis occurs. We must have a general game plan in place that is transparent and generally agreed upon before the first cyber digit is fired in anger; transparent to the good guys and yes to the enemy. The enemy must know what we are likely to do before they cast their vote. This will all influence the shape of the battle space.


I believe that all of this is years away, but we have started down the path. The DOD must still negotiate many obstacles; but Secretary Lynn has outlined a strategy and General Alexander has committed to it. It is just a matter of time now.

The US DOD Proposes their Cyber Security Plan posted by Rick Howard

William Lynn, the US Deputy Defense Secretary, published an essay in Foreign Affairs magazine last week describing recent US Department of Defense (DoD) policy changes concerning cyber warfare. Although the essay does not present much new information, it is the most cogent description of the issues, challenges and potential solutions on the table that I have read in one easy-to-read article. Here is a summary of Lynn's justification and strategy:

Justification

In 2008, hackers - most likely from a foreign government - successfully penetrated DoD networks (both the classified SIPRNET and the unclassified NIPRNET) and exfiltrated large volumes of official documents. This situation instigated the formalization of a US strategy (see below).

Cyberspace is asymmetric and the offense will always have the upper hand.

Cold War deterrence models of assured retaliation do not work because the attribution problem is hard.

Cyber warfare forces will not attack just military targets. They will go after the nation's critical infrastructure and industrial secrets.

Cyber Warfare forces will not always come from the network. They will infiltrate the supply chain, both hardware and software, and attack from within.

Strategy

(My assessment of each plank's completeness in parentheses)

Formally recognize cyberspace as a new domain of warfare (Done)

Put one command in charge of the strategy: Cyber Command (Done)

1). Lead daily defense operations (On-going)

2). Provide an accountable way to marshal cyber warfare resources across the military (On-going)

3). Coordinate with other government bodies and commercial entities (Just Beginning)

Dynamic reaction to Attacks (On-going)

1). Maintain computer hygiene (On-going)

2). Deploy advanced sensors (On-going)

3). Develop an "Active Defense" but protect US civil liberties (Just Beginning)

Define rules of engagement (Just Beginning)

Support broader efforts to protect critical infrastructure (Just Beginning)

Coordinate Signals Intelligence (SIGINT) with allies (On-going)

Bring the commercial sector into the discussion (Just Beginning)

Fund research and development (R&D); focus on superior technology (On-going)

Train and equip the military cyber warrior (Just Beginning)

Streamline the government's procurement process (Just Beginning)

My Observations

Like I said, there is not much new here. Many of the concepts expressed in the justification and in the strategy have been on the table for the last 10 years. That's the bad news. The good news is that they are starting to congeal into something more than just a set of slides in a PowerPoint deck.

Regarding the actual 2008 data breach, it is not clear who the actual perpetrators were. The code, agent.btz, had been around for at least 3 years when the US military discovered it skipping through both the classified (SIPRNET) and unclassified (NIPRNET) networks. As reported by our Russian analyst, Kimberly Zenz, in December 2008, a Russian hacker most likely crafted the code, but the attack vector was so lame that it seems unlikely that any nation's cyber espionage program would launch it. Wired Magazine's Noah Shachtman echoed this observation when he interviewed Lynn last week.

Still, Lynn's essay is a signpost in the continuing discussion and developing plans of the US government. It definitely shows the direction the US government is heading. It also supports the notion that iDefense put forward in last year's 2010 Cyber Threats and Trends paper: We are witnessing the incipient stages of a significant shift in the center of gravity away from the commercial enterprise and toward the government in terms of new policy, the amount of money that will be spent on cyber security and what the cyber security professional will look like in terms of skill set.

Whether or not the US government will be successful in executing the above strategy remains to be seen. Lynn has cogently laid out the plan. It is clear what he wants to do. Like we said in last year's trends paper though, the space is likely to be muddled for the next couple of years while government leaders work through the issues.

 

2-Tiers of Internet Goodness, Sponge Bob Square Pants and the Latest iDefense Russian Country Study posted by Rick Howard

We just published our latest Global Threat Research Report on Russia to our customer base. I have to say, it is a very interesting read: 48 pages of deep-dive intelligence about what is going on in that country. But one thing caught my eye in our Russia report that dovetails nicely with another report written by the National Security Cyberspace Institute (retired General Ron Keys, Charles Winstead and Kendra Simmons). This is the idea of a two-tier internet.

A "Two-Tier Internet" is the concept that for day-to-day internet surfing activity (like checking out what Sponge Bob episode is on the cartoon network tonight or whether or not Mel Gibson's wife has released another phone rant by her extremely mad ex), the internet is anonymous and should remain anonymous like it is for the most part today. For official transactions (like banking, ecommerce, government functions, etc.), reliable authentication between parties is not just a nice-to-have feature but a prerequisite for doing business. The NSCI paper explains it this way:

"[...] the bottom layer is the anonymous layer, the place where you can surf the web without anybody knowing who you are. The second tier is the maturity layer; the place where you go when you have to function in the real world: financial transactions, government exchanges, business transactions, etc. In the maturity layer, you must identify yourself with absolute precision."

 

What caught my eye about the NSCI paper is that the thesis is very similar to what the Russian leadership is advocating within their own country; namely that the internet should be split into two categories: humanities (unrestricted) and economics (restricted). Here we have two similar positions; one advocated by the Russian government and one advocated by a US conservative think tank.

 

At first glance, I thought that the motivations between the two advocates (Russia and NSCI) were different. Russian leadership wants to uplift business opportunities within the country through the power of the internet but they are concerned that this increased communication capability will threaten their hold on power. The NSCI authors are not afraid of losing power as much as they are concerned about getting some of it back.

 

This is not to say that a two tier internet is a bad idea. Indeed, I think it is a great idea. It is a wonderful compromise between privacy rights advocates who think everything should be free and private on the internet and global governments who are ultimately responsible for protecting their citizens wherever they travel, whether that be on land, in the sea, in the air or in cyber space. If you want to watch your Sponge Bob episodes without anybody knowing your geometric and yellow proclivities, use the humanities portion of the internet. But, if you want to do some sort of official transaction, you need to step up and identify yourself with precision. This would be the price of doing business on the internet.

 

This in no way describes how we might go about establishing a two-tier internet. That path is fraught with engineering design geekiness that just might insert more security holes into the system than we have already. But if we could do it, I think it might go a long way in making the internet a safer place.

 

Am I worried that I am coming down on the side of the Russian Government when it comes to internet monitoring? Ok, I'll admit it. It does worry me a little. But, I do not normally discard ideas just because I am concerned. If it makes it easier for me to watch my Sponge Bob episodes, I think it is worth giving it a try.

eCrimes and an Internet Tax posted by Rick Howard

I am in London this week getting ready to kick off the eCrimes conference. This is my second trip out here for this great event. I get to travel to London, burn my tongue senseless on some very hot Thai food (I highly recommend the Mango Tree, but I may have to go through several therapy sessions to recover) and spend the week seeing customers.

The marketing folks have me on the treadmill today. I am facilitating a discussion with Eli Jellenc, the Manager of the iDefense International Cyber Team, at breakfast this morning with about 25 CISOs. We are going to touch on these topics:

  • Targeted attacks by criminal organizations
  • Invasive government activity (e.g., monitoring)
  • Hacking of mobile hardware devices
  • Increases in corporate espionage
  • Distribution of malware via social networking sites
  • Outsourcing software development to foreign countries

I am then presenting during the 9:20 a.m. keynote slot behind Paul Hoare, the Senior Manager of the UK's SOCA (Serious and Organised Crime Agency). I am giving the Reader's Digest version of the iDefense patented Trends Briefing -- it should be a "hoot." If you are in town, let me know. I am buying the beer.

But, none of this is what I want to talk about today. During the RSA conference two weeks ago, Microsoft's Scott Charney suggested that an Internet tax might be a way to cover the cost of a vaccination-like program for malware-infected consumer machines. This type of program would be similar to how parents vaccinate their children before sending them to school. He suggested that the Internet Service Providers (ISPs) might be the designated vaccinators, scanning and cleaning "grandma's" machine before they let it access the Internet. Charney noted that the business world already does this today. Many enterprises scan computers on the fly every time someone accesses their corporate networks. If a computer does not pass the scan, the user cannot access the company network. In his RSA speech, Charney asked, who does that for the consumer?

Of course, the ISPs have no incentive to do that kind of thing today. What's in it for them? Charney suggested that the government could compel the ISPs to conduct such scans as part of their business license requirements. He was not naive enough, though, to suggest that this was a no-cost operation for the ISPs. In order to offset those costs, Charney suggested an Internet tax -- an added cost to consumers in order for the ISPs to pay for the vaccination program.

Well, you would have thought that Charney publicly advocated the buying and selling of babies for slave labor. Everybody jumped in to say why this was a "horrible" idea, including Gartner's John Pescatore, Qualys' Wolfgang Kandek, ESET's Randy Abrams and nCircle's Andrew Storms.

After reading their reasons, it seems to me that some of these folks had not understood Charney's suggestion in context. They reacted to the tax idea without understanding the reasoning behind the tax; they knee-jerked against the general principle of an Internet tax, as if there could be no possible reason to hinder their God-given right to free use of the Internet. This all appears short-sighted to me.

As Charney pointed out in his speech, "We pay a fee to put phone service in rural areas, we pay a tax on our airline ticket for security. You could say it's a public safety issue and do it with general taxation."

Computerworld quotes Microsoft statistics: "there are 3.8 million infected botnet computers worldwide, 1 million of which are in the U.S. They are used to steal sensitive information and send spam and were a launching point for 190,000 distributed denial-of-service attacks in 2008."

Clearly, we have a problem. Using ISPs as vaccinators is a wonderful idea; paying for it is problematic. An Internet tax may fit the bill, but we should all start getting used to the idea that running and securing this great experiment in connecting the world is not free.

The Google Breach, Belt Fed Reporters and Hillary Clinton posted by Rick Howard

By now, you all know about the Google breach. I have been handling belt-fed reporters on my cell phone since we published our press release late last night. In fact, talking to so many reporters has caused the intelligence to get a little confused.

Case in point is the Elinor Mills article on CNET News interviewing one of our iDefense guys, Eli Jellenc. She has him saying that the hackers that attacked Google and others definitely leveraged an Adobe vulnerability. When I read that, I thought to myself, "Hey, that isn't right. The fact is that we do not know." But after re-reading our own press release, we definitely said that was the case. Elinor Mills is an excellent reporter (I read her all the time) and reported what we gave her. Unfortunately, we muddled the message.

Let me clear this up. Here is what we know.

A well-targeted attack reportedly hit Google and over thirty other firms, many of them in Silicon Valley. It appears that attackers primarily targeted source code repositories. Among the types of companies targeted were high-tech companies based in Silicon Valley, financial institutions, defense contractors and chemical companies.

Google is convinced that the attackers are sponsored by the People's Republic of China. In fact, they even convinced the US Secretary of State, Hillary Clinton, that it was so. She is quoted as saying,

"We have been briefed by Google on these allegations, which raise very serious concerns and questions. We look to the Chinese government for an explanation." Whatever evidence Google has, it must be strong.

Google reports that it identified malicious code on its systems in mid-December. Google followed the code back to the drop servers and determined that, in addition to the compromise of its own systems, more companies were involved. According to our sources, hackers hit roughly 33 additional companies.

The attack bears significant resemblance to a July 2009 attack in which attackers launched targeted e-mail campaigns against approximately 100 IT-focused companies. The July attack employed a PDF file that exploited a zero-day vulnerability in Adobe Reader. The malware associated with the summer attacks communicated with command and control (C&C) servers configured similarly to the C&C servers involved in the Google attacks. In fact, the C&C servers from the Google attacks are within the same subnet and six IP addresses apart from the C&C server addresses in the summer attacks.

Considering the similarity of the two attacks, it is likely that the summer attacks and the Google attacks originate from the same actor and that the organizations targeted in the Silicon Valley attacks have been compromised since July. It is not much of a stretch to speculate (this is the speculation part) that both attacks leveraged an Adobe vulnerability, although that has not been confirmed and Google is not talking.

If just half of this turns out to be true, the impact on Google, Silicon Valley and perhaps the US will be enormous. Google's reaction to China is a good example. They are considering pulling their business out of China as retaliation for the attacks. Google's a big player. Where they go, other smaller organizations may follow. If Google and other tech-savvy companies started pulling out of China, that would make things very interesting for the next decade, both for businesses in the technical sector and for policy negotiation between China and the US.

Yikes, that makes my head spin. I think I will go back to my belt-fed reporters.

Patch Tuesday - Railing Against the Gods - Be Careful What You Ask For posted by Rick Howard

According to Guillermo Segovia, a member of my Vulnerability Aggregation Team (VAT), we went through the "Mother of All Vulnerability Announcements" last week. Microsoft released 34 patches and Adobe released 28. Oracle was scheduled to release too, but pushed it to this week because of a conference they were hosting. But, if Oracle had released, that would have increased the number of patches by 38 for a grand total of -- wait a sec, let me take off my shoes and socks so that I can see my toes and count that high -- 100 vulnerabilities. One hundred vulnerabilities? Is that insane?

Guillermo was pulling his hair out. Not only did he have to help the VAT with the heavy load; he also had to write the blog for that day (Too Much, Too Many, All at Once - Oct 14, 2009). Understandably, he was a little snippy. In his blog post, he railed against the vulnerability gods -- Microsoft, Adobe, Oracle, the usual suspects -- and wondered why they couldn't cooperate a little in terms of the release schedule. Did they all have to release 25+ patches on the same day? Picture Guillermo on top of the VeriSign HQ building, black clouds in the background, lightning flashing across the sky and Guillermo pumping his fist into the air. Well, it was sort of like that (actually, he was sitting at his desk, picking Chipotle out of his teeth and complaining to a VAT room that wasn't listening to him because they were all too busy; but I like to pump his image up).

From our point of view during Patch Tuesday, anything under 10 vulnerabilities is a light day. Between 10 and 17 is about normal. Anything above that is a major effort to get our intelligence out to you guys in a reasonable time. Actually, announcing the vulnerabilities is not that hard. The analysis piece is what takes the time: trying to determine if Microsoft's Exploitability Index makes any sense or if Adobe's reveal is going to be especially nasty.

I hate to say this but we got what we asked for. The security community has been saying for years that we want big vendors to get on a schedule so that we can have some control in our geeky, security lives. Guess what? They did it. They did what we asked. We even predicted it in last year's trends paper. I hate it when I get what I asked for. Don't they realize I want them to do what I mean and not what I say?

Here is my new wish. Instead of Patch Tuesday, I want a shotgun start; each major vendor takes a day: Adobe - Monday, Microsoft - Tuesday, Cisco - Wednesday, Oracle - Thursday. As more vendors come on board, we could spread this out across an entire month.

CVSS, Razor-Like Retorts, and the Royal "I" posted by Rick Howard

Just when I thought we had squeezed every ounce of efficiency out of the iDefense Vulnerability alerting service, along comes a question that has no easy answer. This puzzler has to do with our Vulnerability Contributor Program and the exclusive vulnerabilities that pop out at the end of that process. The question is this: How do we score an iDefense exclusive vulnerability using the Common Vulnerability Scoring System or CVSS?


If you are a vulnerability enthusiast and CVSS geek, you know that you have several choices in the Temporal Score Metrics box when it comes to adding knowledge of an exploit to the score. You can choose one of the following:

  • Not Defined
  • Unproven that Exploit Code Exists
  • Proof of Concept Code [Exists]
  • Functional Exploit Code Exists
  • High

For you kids bouncing in your seats and waving your hands in the air to answer the question, consider this. Does this choice have to do with publicly known exploits, meaning that everybody on the Internet knows about them or does it have to do with exploits that only I know about? That is the royal "I" in that last sentence meaning all iDefense customers know about it.

Historically, we have annotated exclusives in our alerts as "Proof of Concept Code [Exists]" or "Functional Exploit Code Exists". In other words, we have acknowledged the iDefense exploit in the CVSS score. Understandably, this choice bumps up the CVSS value. One of our customers raised a red flag last week and said they would prefer us to only use these values if the exploit was known to the general public. You see, they have built-in processes around the iDefense CVSS score. If it gets above 9.something, then their escalation processes kick in and they have to do a lot of extra work quickly to mitigate this new, high-severity threat. They would prefer not to do that for threats that are not known to the general public.

My razor-like retort to that statement is to remind the customer of the reason he or she subscribed to the iDefense service in the first place; to get early warning about threats like these and to mitigate them before they go public. It sounds to me like the system worked.

But, now that I am home, have had a beer or two, have kicked off my shoes and reclined in my easy chair, I have the time to be magnanimous. (I linked "magnanimous" to dictionary.com so that I can come back later and figure out what the word means.)

You see, we don't mark other security vendors' claims to exclusive vulnerabilities the same way as our own. If Immunity claims to have a new exploit, we mark that as "Unproven that Exploit Code Exists" until the vulnerability gets into the public sphere. Obviously, Immunity must have something or they would not say anything. So, why count them differently? Well, because if we have an exclusive, we know we have it. If Immunity has it, we are not sure; we are sort of sure - in fact mostly sure, but not completely.

All of this nonsense does not really answer the question though.

Deapesh Misra, one of our senior analysts on the Vulnerability Aggregation Team, said the answer is quite simple. He had to speak slowly and use one syllable words for me to get it, but he said the answer is in the name of the scoring system itself. It is the Common Vulnerability Scoring System; emphasis on the Common. It is not the Rick Howard Gee-Whiz Make-it-up-as-You-Go scoring system or even the iDefense Exclusive Scoring System. It is the Common Vulnerability Scoring System. The theory is that if everybody in the world applied the rules of the system correctly to the same vulnerability, everybody would calculate the same score. This works most of the time, plus or minus small discrepancies.

As much as I do not want to admit it, the customer was right. I hate when that happens. We are changing our process. From now on, we will not consider iDefense exclusives in the CVSS score unless they are in the public somehow. We will document the stuffing out of them in our published alert, but the CVSS score will remain pure.
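To make the difference concrete, here is a small CVSS v2 calculator that scores one exclusive both ways: the old way (acknowledging our private exploit in the temporal Exploitability metric) and the new way (counting only what the public knows). This is an example added here, not iDefense code. It implements the published CVSS v2 base and temporal equations; the vector string, the remediation level (Unavailable, since no vendor patch exists for an exclusive), the report confidence (Confirmed) and the customer's escalation threshold of 9.0 are assumptions for illustration.

```python
"""CVSS v2 base + temporal scoring, used to show how the temporal
Exploitability metric alone can push a score across an escalation threshold.
Added example; weights and equations are from the CVSS v2 specification."""
from decimal import Decimal, ROUND_HALF_UP

# Base metric weights (CVSS v2).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Temporal metric weights (CVSS v2). "ND" (Not Defined) is weighted 1.0,
# i.e. it leaves the base score untouched.
EXPLOITABILITY = {"U": 0.85, "POC": 0.90, "F": 0.95, "H": 1.0, "ND": 1.0}
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
REPORT_CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}


def round1(x):
    """CVSS rounds half up to one decimal; Python's round() does not."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:C/I:C/A:C' -> {'AV': 'N', 'AC': 'L', ...}."""
    return dict(part.split(":") for part in vector.split("/"))


def base_score(vector):
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def temporal_score(base, e="ND", rl="ND", rc="ND"):
    return round1(base * EXPLOITABILITY[e] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc])


def score_exclusive(vector, private_exploit, publicly_known, rl="U", rc="C"):
    """Score an exclusive under both policies.

    private_exploit: what we actually hold ("POC" or "F").
    publicly_known:  whether that exploit is out in the public sphere.
    Old policy: always acknowledge our own exploit in the temporal score.
    New policy: only acknowledge it once it is public; otherwise score the
    Exploitability metric as Unproven, exactly as we do for other vendors.
    """
    base = base_score(vector)
    acknowledge_private = temporal_score(base, e=private_exploit, rl=rl, rc=rc)
    public_e = private_exploit if publicly_known else "U"
    public_only = temporal_score(base, e=public_e, rl=rl, rc=rc)
    return {"base": base, "acknowledge_private": acknowledge_private, "public_only": public_only}


def escalates(score, threshold=9.0):
    """Assumed customer rule: escalation kicks in at or above the threshold."""
    return score >= threshold


if __name__ == "__main__":
    # Constructed example: a remote, unauthenticated, full-compromise bug
    # for which we hold a functional exploit that nobody else knows about.
    vector = "AV:N/AC:L/Au:N/C:C/I:C/A:C"
    result = score_exclusive(vector, private_exploit="F", publicly_known=False)
    for label, score in result.items():
        print(f"{label:>20}: {score:4.1f}  escalates={escalates(score)}")
```

For that vector the base score is 10.0 either way; acknowledging our functional exploit yields a temporal score of 9.5, scoring it as Unproven yields 8.5, and only the former trips an escalation rule set at 9.0. Nothing about the vulnerability changed between the two numbers, only how much of our private knowledge we folded into a metric that is supposed to be common to everyone, which is the point Deapesh was making.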

Now, let me look around for another issue that I can point my razor-like retorts at. Just remember to speak slowly to me.