Tag Archives: Cybersecurity

Comments on Comment Crew

Posted on 2013-02-21 | Leave a comment

Everyone paying any attention to security this week noted Mandiant’s report on the Comment Crew. If you haven’t, go read it first. I’ll wait.

Why You Make Groundless Accusations?Although I work for a competitor[1], I believe Mandiant did the right thing here. Others may disagree to an extent for good reasons, while others simply went too far in their assumptions and criticisms. (And some folks just need to take off the tinfoil hats). I don’t really care that much about what makes the sekrit skwirl cabal happy, and in fact it tickles me when they get frustrated by “outsiders” (inasmuch as Mandiant is one, anyway) not playing by their rules. In any case, healthy skepticism regarding someone else’s conclusions keeps them honest, but don’t miss the big picture out of myopia. The relative prevalence of espionage and APT relative to regular criminal activity remains an open research question and a valid area of debate, but I’ve seen some really smart people this week falling into the cliché of missing the forest for the trees.

Instead, this means the adversary can’t dictate the pace and terms of the conflict, whether or not they completely retool. By driving up the cost to the attacker over time, you start to make headway. That works both ways, of course, and at the moment that balance leans decidedly in their favor. Releasing the IOCs will also allow defenders to discover additional compromises. Remember that opponents make mistakes, and so we can capitalize on the opportunity for ongoing intel gathering as they transition to new infrastructure (assuming they even bother).

Sharing information has more than just tactical value. In my view (obviously not one shared by Congress), this points out that we don’t need the government to get in the way with CISPA or other information-sharing that stays behind walls of overclassification or possibly creates additional privacy and civil rights issues. We can do this the right way and improve things. Partisan politics lies way outside the scope of this blog, but I certainly see this as “we’re from the government and we’re here to help” territory.

[1]: As usual, these represent my opinions only. And that’s only good for today anyway because I may change my mind as new facts come to light or I think about topics more thoroughly.

→ Leave a comment

Posted in Links

Tagged , , , , , , , , ,

PDD21 FUD from Stiennon

Posted on 2013-02-14 | Leave a comment

With the release this week of President Obama’s executive order on Improving Critical Infrastructure Cybersecurity and the accompanying detail in Presidential Policy Directive 21, lots of people have commented on the implications. Jack Whitsitt appears to have some solid commentary coming.

However, a piece by Richard Stiennon on Forbes caught my eye, not because of the information in it, but because of the FUD it contains.

sparrow-oooh

First, he attacks the concept of risk management:

But risk management does not work in unpredictable environments. Risk management is the framework that most banks, hedge funds and trading desks use when addressing financial risks like those present in the real estate, commodities or derivatives markets. We know how well that worked. Management consultants and bureaucrats love risk management. It foists responsibility away from individuals and onto a process.

Here’s a hint: yes, it does work in “unpredictable environments”, when performed properly by responsible managers. (Whether the DHS can provide this is a separate question, and one on which I suspect Stiennon and I would likely agree.) This stems from the concept of uncertainty from statistics and related sciences. And simply saying ‘risk management is bad because bankers’ (obviously a paraphrase) isn’t wry sniping, as Stiennon later commented, but FUD.

How will an uber-map of critical infrastructure be kept out of the hands of the very threat actors that are targeting these systems? PPD 21 will, in effect, create yet another critical information asset that will end up at the top of the list of critical vulnerable assets.

I don’t know what this means. By this logic, we shouldn’t ever create an inventory of our assets. Does he not keep financial records? Would he have counseled the government during the Cold War not to keep track of nuclear launch sites? Yes, of course the documents detailing these things require appropriate controls, but to conclude that the government should not analyze and sort critical infrastructure because adversaries would love to have this information doesn’t make any sense.

Centralized information collection and dissemination is a natural requirement for risk management. It is akin to the economic data collection and analysis that command economies resort to in place of free markets.

Yes, he basically just said that centralized databases are communism. I have nothing to add here because it speaks for itself.

Stiennon concludes this way:

PPD 21 makes previous unfunded mandates seem simple by comparison. Its breath and scope is a giant overlay on top of the existing system of Federal agencies that, if executed as directed, will turn what was a of collection of connected puddles of government regulatory bodies into a single giant quagmire. It is a top down solution that expresses the frustration of good intentions to “do something.” Even if all the hurdles of implementing an over arching risk management framework were overcome there would still be the errant tree branch or targeted malware that could shut down the power grid.

Yes, bad things will still happen. That is not an excuse to do nothing. Stiennon proposes no alternatives here, other than the implied idea of leaving a “collection of connected puddles of government regulatory bodies” as they are. The current system doesn’t work that well, and whereas I’m not convinced right now that PDD 21 will actually do anything, I also believe that we as professionals and citizens should find ways to improve things rather than simply shoot down anything that isn’t perfect ‘because reasons’.

→ Leave a comment

Posted in Links

Tagged , , , , , ,

Cyberintelligence legislation: not just CISPA

Posted on 2012-04-14 | 1 Comment

"thε allεgory oƒ Camεra▲Obscura . ." by jef safiNB: As previously stated, my interest in these bills has nothing to do with partisanship or traditional political ideology. My opinions do not necessarily reflect those of my employers or anyone else and may evolve as I learn more about the issues.

As I’ve continued to look into CISPA in greater detail, I’ve started to understand better the objections raised by its opponents. I should also note that alternatives exist to CISPA: other bills trying to accomplish something similar with slightly more specificity. Anyone interested in this area should almost certainly read The Who, What and Why of Information Sharing in Cybersecurity Legislation on Lawfare by Paul Rosenzweig of the Heritage Foundation. Specifically, he looks at the Lieberman-Collins bill (Cybersecurity Act of 2012) and the McCain bill (SECURE IT Act), each of which cover far more than just intelligence sharing. They also originate in the Senate, while CISPA comes from the House. I really recommend reading his entire post, but I’ll note here some of the points I found most important.

  1. The other two bills contain specific definitions of the sorts of intelligence that the new programs would share. Actually, both of them classify threat indicators in some detail, and the Cybersecurity Act actually specifies that the intelligence should remove PII of other individuals (collateral privacy damage). I suspect that these sorts of definitions can go a long way to ease the minds of those who have concerns about the lack of specificity in CISPA.
  2. The Cybersecurity Act essentially designates the DHS as the lead agency to coordinate information sharing. Actually, it allows the DHS to decide which agency will take the lead, but interdepartmental politics almost guarantee that the DHS will select itself, probably attached to US-CERT in some fashion. On the other hand, the SECURE IT Act essentially lets private organizations choose from any available federal option, including the DHS, NSA, FBI, and others. These both take different approaches from CISPA, which designates the DNI as the coordinating point but doesn’t restrict private-sector organizations from sharing intelligence with any federal agency.
  3. Shared intelligence under the Cybersecurity and SECURE IT Acts can only be used for certain purposes, and they each have some restrictions on what law enforcement can do with the data. CISPA allows broader usages here.

None of these bills include anything like the censorship provisions in SOPA. None of them require any group to share information with the government or anyone else, though only the Cybersecurity Act seems to include major restrictions on sharing data of individuals unrelated to the threat. No federal dollars go to any private organization to fund whatever data collection and analysis systems they use. I think that CISPA opponents have triggered on the “notwithstanding any other provision of law”, but the courts don’t interpret that phrase in the same way you and I might.

From a civil liberties perspective, the intelligence sharing provisions in the Cybersecurity Act seem less controversial than CISPA. The SECURE IT Act is somewhat more nuanced in its approach to law enforcement, but generally takes a broader approach. However, the Cybersecurity Act more or less hands the coordination directly to law enforcement, whereas CISPA hands it to the intelligence community and the SECURE IT Act treats the agencies fairly neutrally.

As previously stated, these other two bills go further than just sharing cyberintelligence, including a broader approach to security in their scope. I haven’t looked at the rest of what they cover. But I think that, if the authors of CISPA continue to focus their legislation on the DNI, they could garner a lot of support by using some of the definitions and restrictions from the other bills. And I don’t know that the SECURE IT Act will do much more for threat intelligence than continue existing confusion because it will almost certainly lead to significant duplication within the government.

→ 1 Comment

Posted in Links

Tagged , , , , ,

Analysis of DNI annual Worldwide Threat Assessment

Posted on 2012-02-02 | Leave a comment

The US Director of National Intelligence, James Clapper, provided his annual Worldwide Threat Assessment to the Senate yesterday (followed by a classified session with, we can surmise, greater detail).

The unclassified portion discusses cybersecurity several times. In fact, the introduction states:

Counterterrorism, counterproliferation, cybersecurity, and counterintelligence are at the immediate forefront of our security concerns.

Notwithstanding the idea that we should consider cybersecurity as a domain and not only a specific activity, I found it useful to see where the policymakers within the US intelligence community see specific concerns. The entire document runs about thirty pages, but over two-thirds of it addresses specific region-by-region and country-by-country concerns. Two pages cover cyber threats and counterintelligence, which for our purposes cover largely similar ground.

The assessment correctly notes that “neither the public nor private sector has been successful at fully implementing best practices.” I’d go a step further, because best practices evolve on both the attack and defense fronts. We don’t even fully implement standard practices: the things we know how to do efficiently and relatively easily. Standard practices, in my mind, constitute a reasonable bar to clear: if practitioners in a given area generally all accept some technology or process as “the way it’s done”, then we shouldn’t excuse anyone doing less than that.

Interestingly, the document first singles out China and Russia as state actors, but then refers to the 2011 NCIX report to specifically blame “entities within these countries”. This means that, although the DNI does not provide specific reasons for attribution in the unclassified report, he does claim that the entities have state sponsorship. The NCIX only said on page 5 of his report that the intelligence community has “not been able to attribute many of these private sector data breaches to a state sponsor.”

The DNI report also notes that governments cannot keep up with tech development and illustrates this by “failed efforts at censoring social media” in the Arab Spring. This should provide an object lesson to US policymakers, though the recent controversies over SOPA, PIPA, and now ACTA indicate that they might not have fully connected the dots.

As a community, we’ve talked for years about addressing the vulnerability problems (including across the entire supply chain), but the DNI also talks about threat in the context of problems regarding warning, detection, and attribution. He recommends greater “US Government engagement” with the private sector. This presents other challenges, though, because we have concerns about transparency versus legitimate secrecy needs (just for starters).

In the section on counterintelligence, the report also links cybersecurity to foreign intelligence service activity. I physically laughed out loud at the assessment that “many intrusions into US networks are not being detected“: understatement of the year. The report here adds Iran to the list of countries undertaking cybersecurity operations against the US. The private sector infosec community, outside of the defense industrial base and Stuxnet, hasn’t really paid much attention to Iran. That could change in 2012, particularly if geopolitical tensions continue to increase there.

I didn’t expect any specific data in this document, given its purpose and classification level. But it could point the way to at least some of the areas that could involve many of us in the next few years, and it certainly is useful in validating the idea that we need to improve our abilities in sharing threat intelligence and incident detection & response.

→ Leave a comment

Posted in Links

Tagged , , , , , , , , , , , , ,

Richard Clarke: The Year of the Hack

Posted on 2011-10-11 | Leave a comment

NB: These are my notes of Richard Clarke‘s talk at MIRcon 2011 and don’t necessarily represent my own views.

People are beginning to call this the “Year of the Hack”. No need to go into the details, but he believes that we should look separately at the various attackers’ identities and policy solutions. He uses the abbreviation CHEW.

1: Crime

“Cybergang” money rivals some drug cartels, billions of USD. Foreign law enforcement (e.g. eastern Europe) frequently on the take, so that the real ‘bad guys’ operate from “cybersanctuaries”. We can get the mules sometimes, but that doesn’t solve the issue. Policy solution looks like what’s been done about money laundering, so that the crime doesn’t pay. Grow the Budapest Convention into an organization with teeth, otherwise the costs will increase for banks. And while it’s fine for the banks to get screwed, they pass on the costs to us anyway.

2: Hacktivism

Personified by Wikileaks and other similar groups. Hacking because they believe in cybersecurity is like shooting people because you believe in gun control.

The other group believes that there should be no secrets (unless it’s their own secrets). Overclassification is a real problem, but the Foreign Service has done a good job. The cables aren’t revealing nefarious stuff like if this had happened in the 1970s. The cables should never have been revealed, and the Army should never have allowed a private with a questionable background to have access to these data. The DoD facility where he sat had technology to detect and prevent this stuff but it wasn’t installed and operational.

3: Espionage

A cancer that is destroying our economy. We do it, too, but against foreign governments to protect ourselves. The US doesn’t spy on private corporations and research labs to steal proprietary information for competitive business advantage. The WTO should have written rules about what can and cannot be done via espionage. There are rules about intellectual property, albeit often disregarded. China (primarily) has hacked its way into every corporation it can find in the US, Asia, and Europe, sucking out petabytes of data. Even if data isn’t secret research stuff, they will auction off the data (e.g. transactional data and business plans to international competitors).

The attacks are frequently successful and not noticed, so companies believe they haven’t been hit. In the meantime, a factory in China looks just like theirs and produces stuff just like theirs. And the Predator drone plans were stolen years ago, so the Chinese have the “Flying Dragon” drone that is just like it. In a nation with high labor costs, the only way to compete is through knowledge and innovation. Take that away and we can’t compete.

The technology and systems need to catch up. We need a plan to deal with the “cyber-rape” of our time. The Chinese will never stop until we penalize them somehow, either overtly (sanctions, etc.) or covertly. We’re not doing either.

4: War (cyberwar)

Something we’ve never had yet. It’s not hype; if it weren’t real, we wouldn’t have a 4-star general running Cyber Command and the Navy’s 10th Fleet that has no ships.

We’re talking about blowing up the same things in society that we traditionally blow up with missiles: telco facilities, power generators, all communications. We can also do it from data centers in Nevada and Maryland, like the Russians DDOSing Estonia or Georgia.

Then there’s Stuxnet. (China’s not the only company stealing digital certificates.) It looked for very specific sorts of SCADA operating systems, and when it found it, it looked very closely at which particular version and deployment it found. 1000 of the Iranian nuclear centrifuges were physically damaged so badly that they had to be removed and replaced, but without using B2 bombers.

The code is available now, as it didn’t actually wipe itself. People can modify and redeploy it to attack other SCADA systems, including inside the US. Someday, someone will attack us this way. It doesn’t even have to be a nation state like Iran. It could be some “nutcase group” that gets its hands on attack software. Cyber Command defends .mil and .gov but not .com. DHS can offer assistance, but companies have to defend themselves.

This is like asking every company in the Cold War to mount their own anti-air defenses against Soviet bombers. But Washington thinks any new government regulation of any sort is a bad thing. Until regulations require ISPs to filter packets and SCADA systems to disconnect from the Internet, none of these things will happen.

→ Leave a comment

Posted in Conferences

Tagged , , , , , , , , , , , , , , ,