Tag Archives: Cyberwar

Chinese government attacking American journalism?

What a week: disclosure of compromises at the New York Times, Wall Street Journal, and Washington Post. A Java update released on a Friday evening, 18 days early, due to active exploitation. A Twitter compromise affecting 250k users, including me. I may have more to say about the Twitter compromise later.

Journalists in China

If they don’t respect them there, they won’t respect them here.

I’ve assumed for some time that state-sponsored attackers have long targeted major media outlets, especially those who regularly report on national security issues. While we don’t need to start putting on tinfoil hats, the ill-fated Wikileaks partnership with the NYT should have provided a pretty obvious starting point for people to think about these issues. Even more obviously, at least to me, journalists have had to take OPSEC seriously for a very long time, whether due to drug cartels or US presidents unhappy with political and legal revelations. I wouldn’t characterize these incidents as an assault on our way of life, exactly, because the Fourth Estate has always had conflicts with power. We should become far more suspicious when governments don’t concern themselves with the press, because that says something about their relationships with it or, perhaps, their views of popular opinion.

An extraordinary claim requires extraordinary proof.

Others have criticized the reporting and the completeness of the stories. For what it’s worth, as noted above, I certainly don’t think claiming that governments have tried to attack journalists really presents an extraordinary claim. And I have seen enough evidence first-hand to believe that Chinese-based actors actively exploit networks around the world. Combining the two, we know how the Chinese government regards free speech and a free press.

But if you want us to believe that this represents the greatest transfer of wealth in history and all the other hyperbole that surrounds discussion of “the APT” and “China” and “cyberwar”, you need to present evidence. Declassify it, make it public, show it to the American people. If you’re a news outlet dedicated to informing the public, give us the facts. When the government wants to make a case for war, it discusses specific incidents and presents intelligence. If we face such a great threat, don’t just assert the threat, prove it. (Note: I don’t actually expect any of this to happen.)

Whether the intelligence will amount to proof, however, remains to be seen.

ERMAGERD GUISE WE R NUCULAR WEPINZ NAO

Senator John Kerry, now the nominee for Secretary of State, had some attention-getting statements about ‘hackers’. According to the report, he compared the threat of ‘foreign hackers’ to “modern-day, 21st century nuclear weapons”. He also said, more or less correctly, “Every day while we sit here right now certain countries are attacking our systems. They are trying to hack into classified information to various agencies of our government.”

I don’t really have a beef with the second piece there. But let’s be realistic here: in the 20th century, the United States actually did face an existential threat, and it wasn’t terrorists or hackers or child pornographers or some other country buying all our land and debt. The aptly named doctrine of Mutually Assured Destruction ensured that the whole world, and in particular the USA and USSR, knew that the other side threatened them with actual extinction. Nuclear weapons still exist in large numbers and have proliferated to at least eight (well, nine) different countries, so we can’t really suggest that they no longer pose a threat in 2013, though not in the same way as they did in 1962.

Certainly, the threat of cyberespionage that Senator Kerry describes exists. We can easily name a number of states at this moment (not just the typical three or four, either) that engage in this to varying levels of activity and we shouldn’t ignore it. That threat, however, doesn’t begin to compare to the destruction of the human race and possibly Earth’s viability as an environment for living things.

Apparently he also thinks diplomacy will work against this threat. Maybe that will work against some specific threat actors, in concert with other efforts as always required for diplomatic success. I also prefer a policy of talking about issues rather than threatening “kinetic response”, at least in general terms. (How many people have actually died to “cyberattack” thus far?) But espionage, whether online or offline, frequently accompanies and supports diplomacy rather than the other way around. That’s not likely to change anytime soon, and in fact the US would be duplicitous to suggest that the threat only occurs against it, or that Westphalian notions of sovereign nation-states hold the same relevancy for this conflict as they did in the Cold War.

(For a similar take, see Bill Brenner’s article.)

Cyberwords on cyberwar


Few things frustrate me as much as muddled thinking, reliance on logical fallacies, or misinterpretation of data. To my (long) list of examples of some of these things, I can add Dennis Fisher‘s post U.S. Cyberwar Doctrine Would Not Matter Without International Agreement. To be fair, you should read his article first before my critique of it.

We are all cyber warriors now

Two recent articles have me thinking about the wide disparity of what people mean with the term “cyberwar”. I don’t like this term and don’t usually consider myself as working in or around cyberwar, as I don’t have anything to do with things like Stuxnet. You could make the case that we’re using “war” here in the sense of “war on drugs” (an apt comparison in more than one way), I suppose. Generally speaking, however, it’s less of a war and more about espionage or crime, depending on the actors and their motives.

Espionage EVERYWHERE

So when the excellent blog Sources and Methods ran an article a few days ago entitled Top 5 Things Only Spies Used To Do (But Everyone Does Now), it grabbed my attention because the activities listed all pertain to our more-or-less normal lives online. We don’t necessarily live in an age of “too many secrets” anymore, because the volume of open data has grown so rapidly that we have difficulty quantifying it. Instead, analysis and transparency have become our watchwords.

In Wheaton’s list of 5 things, a few really stood out to me. #4 “Shake a tail” stems from the idea that we all use various methods of countersurveillance now (using incognito mode or NoScript in our browser, for example). I do a lot of this, but it seems to me like we could turn this comparison around. Surveillance methods that might have seemed purely indicative of police states and the Warsaw Pact 50 years ago have become standard business practice today, to say nothing of the issues around government surveillance here in the West. I’m not sure that #3 is completely a new thing, as most password usage now has much more in common with the millennia-old use of locks and keys rather than Prohibition-era speakeasies. But the widespread use of encryption technology is an interesting comparison.

I take a little issue with #2 on the use of an “agent network”, in the sense that our usage easily surpasses the idea of “a group of humans who we have vetted and recruited to help us get the information we want”. That’s just a subset of our agent network now; tools like Paper.li and The Tweeted Times help us filter through large amounts of these data, not to mention Google Alerts and other intelligent agents that scour the Internet on our behalf with nothing more than an algorithm and the parameters we’ve given them. Ironically, a lot of the countersurveillance privacy notions we may use in #4 above directly combat people using their own agent network against us.

While stating that our use of satellites now includes capabilities “that were not even dreamed of by the most sophisticated of international spies a mere decade ago” includes a bit of hyperbole, certainly many of the things we might consider normal in a few years would have seemed like pure science fiction not too long ago.

Cyberwar in Syria

Right next to Wheaton’s article, my browser had a tab open to US Training Syrian Opposition In Cyber Warfare, Online Security. I might quibble with Wheaton on a few insignificant details, but this article on Syria missed the mark in ways that disappointed me greatly.

First, the article essentially equates “PC encryption mechanisms, government firewall workarounds, and the safe use of mobile phones” to cyberwar. This is highly inaccurate, particularly given the parallels with the intelligence techniques we just discussed. While claims that the CIA provides logistical support (tech, weapons, and training) to the Syrian opposition are in line with the traditional roles of that agency, I don’t think that helping dissident groups in China or Syria is “warfare” in any meaningful sense of the word. While drug dealers definitely do use disposable cell phones, that’s because the use case is essentially the same. In fact, from the point of view of a government, the users themselves are pretty much the same: people doing illegal things that someone might construe as a threat to their national security. US government sponsorship of Tor may be the most ironic thing I’ve read all day, actually, but this only highlights the idea that any given tech itself isn’t ethical or unethical. Our usage of it certainly can imply ethical concerns, but even then that depends on your own framework.

Either way, for all our discussion about cyberwar and defending assets, it strikes me that involvement with some of these projects could go a lot further in the service of someone’s ideals than simply publishing exploits on Full Disclosure.

Uninformed thoughts on Iran as a cyber threat


Understanding the reality of a threat matters.

Last week, a number of organizations reported that Iranian oil infrastructure had gone offline in response to malware of some sort. The Iranian Oil Ministry claims the attack only affected user data, not actual production equipment, and others have indicated that the malware did not target industrial control systems. So while the whole incident might seem reminiscent of Stuxnet, the reality doesn’t quite match up to that prior incident. In fact, we don’t know at this time whether they simply had to deal with commodity malware of some sort (though that seems like a stretch), or a reconnaissance attack gathering user data, as the Iranians claimed, or some other scenario.

Side note: this reminds me of the lack of utility of the term “advanced persistent threat”. If we don’t use it as a euphemism for a particular nation-state actor, then clearly we can consider the United States and Israel as APT-type adversaries for Iran, among other potential targets. While Israel continues to talk about a possible kinetic strike on Iranian nuclear facilities despite internal controversy, disabling those same facilities via attacks in the cyber domain has lots of benefits: drastically reduced collateral damage, deniability of a covert operation, and reduced risk of generating empathy for the regime among the Iranian populace.

Recent Congressional hearings convened to discuss whether Iran’s cyber abilities constitute a significant threat to the US. Personally, I consider it highly unlikely that any serious assessments would be unclassified, so these public hearings strike me as a sort of political Kabuki theater as follow-up to previous assessments including Iran as a cyber threat, though those had more meat to them. We have to consider the possibility that this gets so much play due to interest in conflict with Iran by hawkish elements in government and related commercial power structures. The nature of power leads to its active use. Uncharitably, we might say that power is no fun if not wielded, but more realistically that dormant power leads to atrophy.

That doesn’t mean we shouldn’t consider the range of Iranian cyber capability. I don’t have sufficient data or background on Iran to take a real stab at analyzing that[1], but we can ask reasonable questions. Can a small isolated nation develop the mindset in personnel required (cf. DPRK)? (Probably so, though it might take more effort and broad collaboration with friendly organizations to get there.)

Consider, too, the nature and value of threat intelligence. The risk reduction for most private organizations stems from potentially attributing attacks to Iran and mapping out indicators of compromise, whether technical, methodological, or otherwise. Preventive controls likely would not change appreciably due to an Iranian threat: we in the US and much of the West in general have all sorts of commercial sanctions against Iran, so we rarely have to consider how to secure transactions and partner networks like we do in the case of Russia, Eastern Europe, China, and similar states. Appropriate governmental groups can also track units or other sponsored actors for possible counter strikes (CNA/CNE), although at this point I’ve ventured out of the scope of speculation where I feel knowledgeable enough to ask good questions.

[1]: However, you might follow Ali-Reza Anghaie (@packetknife) for a far more informed perspective.

Semantic change: APT, Cyberwar, and Hacking

“It’s just semantics!”

I hate that phrase. Words mean things – and “semantics” is the study of those meanings. Most words can push emotional buttons for us, even when we really just use different words to describe the same thing. Think about the range of words that all essentially mean “fecal matter”, running the entire way from baby talk to medical terminology to vulgarity.

And, over time, the meaning of a word can evolve through semantic change. I’d suppose this happens even more frequently with jargon. So I’ve started to change my tune on a few specific bits of jargon that I encounter daily.

First, one of the most common (and controversial) phrases in 2011: “advanced persistent threat” (APT). From my understanding, this term originated with the US Air Force in 2006 to refer to either “any sophisticated adversary engaged in information warfare in support of long-term strategic goals” or, well, China. I do not like this term at all, because we have much better terms now when discussing general classes of attackers. And now that the US government has publicly discussed the ongoing campaign of intrusions from China, rather than just in classified environments, we no longer need to treat the subject so gingerly. My stance has evolved to the point of eschewing the term completely. If you mean “nation-state actors” in general, say that. If you mean China (or Russia, or Israel, or the US), then say that. If you mean adversaries with significant capability, I suppose “APT” is the marketing buzzword these days, but this usually leads to so much FUD that I’d prefer other terms that don’t carry the same baggage.

This year, I still hear “cyberwar” – maybe with even more frequency than in 2011. In my view, individuals and organizations with specific agendas have fanned the flames here to suit their own purposes. I don’t really like this term, because I believe that we should reserve the term “war” for the sort of large-scale “kinetic” conflict traditionally associated with it. General Robert E. Lee said at the Battle of Fredericksburg that “it is well that war is so terrible, otherwise we should grow too fond of it”. By using the word “war” for something that doesn’t result in the broken lives and bodies we see in places like Afghanistan, Somalia, and Uganda, we desensitize ourselves to that harsh reality. (I speak here in general terms: certainly, there are individuals who use terms like “cyberwar” and have an all-too-horrible familiarity with the reality of war in a way I do not.) With all that said, I’ve come to accept this term grudgingly. Certainly, conflict exists between nations and other organizations, and some of those conflicts extend to networks and other digital systems. At one time, this primarily took the form of a secret war, and the vast majority of the public knew nothing about it beyond what they saw in movies. Nobody denies that these conflicts exist now; we just disagree on who does what, what we should call what they do, and of course what will happen in the future. But if I see this term, I will assume you mean the type of serious conflict that leads to things like Titan Rain and Stuxnet – and that you know a thing or two about it, rather than parroting what you heard in a vendor webinar.

Finally: I refuse to give up the word “hacker”. My last CSO once said in a security meeting that “we don’t hire hackers” – only to have several of us cough politely and catch his eye. (“Well, you know what I mean.”) The term certainly has considerable nuance, but I will almost always use it to refer to a particular subculture of geeks and programmers: Linus Torvalds, Richard Stallman, Grace Hopper, Steve Wozniak – not Albert Gonzalez and Kevin Mitnick. Portmanteaus like “hacktivism” grate on me, but at the moment I don’t know of better alternate terms.

I’d like for us to think of something, though.

Analysis of DNI annual Worldwide Threat Assessment

The US Director of National Intelligence, James Clapper, provided his annual Worldwide Threat Assessment to the Senate yesterday (followed by a classified session with, we can surmise, greater detail).

The unclassified portion discusses cybersecurity several times. In fact, the introduction states:

Counterterrorism, counterproliferation, cybersecurity, and counterintelligence are at the immediate forefront of our security concerns.

Notwithstanding the idea that we should consider cybersecurity as a domain and not only a specific activity, I found it useful to see where the policymakers within the US intelligence community see specific concerns. The entire document runs about thirty pages, but over two-thirds of it addresses specific region-by-region and country-by-country concerns. Two pages cover cyber threats and counterintelligence, which for our purposes cover largely similar ground.

The assessment correctly notes that “neither the public nor private sector has been successful at fully implementing best practices.” I’d go a step further, because best practices evolve on both the attack and defense fronts. We don’t even fully implement standard practices: the things we know how to do efficiently and relatively easily. Standard practices, in my mind, constitute a reasonable bar to clear: if practitioners in a given area generally all accept some technology or process as “the way it’s done”, then we shouldn’t excuse anyone doing less than that.

Interestingly, the document first singles out China and Russia as state actors, but then refers to the 2011 NCIX report to specifically blame “entities within these countries”. This means that, although the DNI does not provide specific reasons for attribution in the unclassified report, he does claim that the entities have state sponsorship. The NCIX only said on page 5 of his report that the intelligence community has “not been able to attribute many of these private sector data breaches to a state sponsor.”

The DNI report also notes that governments cannot keep up with tech development and illustrates this by “failed efforts at censoring social media” in the Arab Spring. This should provide an object lesson to US policymakers, though the recent controversies over SOPA, PIPA, and now ACTA indicate that they might not have fully connected the dots.

As a community, we’ve talked for years about addressing the vulnerability problems (including across the entire supply chain), but the DNI also talks about threat in the context of problems regarding warning, detection, and attribution. He recommends greater “US Government engagement” with the private sector. This presents other challenges, though, because we have concerns about transparency versus legitimate secrecy needs (just for starters).

In the section on counterintelligence, the report also links cybersecurity to foreign intelligence service activity. I physically laughed out loud at the assessment that “many intrusions into US networks are not being detected”: understatement of the year. The report here adds Iran to the list of countries undertaking cybersecurity operations against the US. The private sector infosec community, outside of the defense industrial base and Stuxnet, hasn’t really paid much attention to Iran. That could change in 2012, particularly if geopolitical tensions continue to increase there.

I didn’t expect any specific data in this document, given its purpose and classification level. But it could point the way to at least some of the areas that could involve many of us in the next few years, and it certainly is useful in validating the idea that we need to improve our abilities in sharing threat intelligence and incident detection & response.

Third world cyberalliances

NB: Due to the nature of the story, some of the links below go to Spanish-language articles. If you don’t read Spanish, you may wish to use Google Translate. I haven’t reviewed any translation so I don’t vouch for its accuracy.

I don’t always agree with Krypteia, but I always appreciate reading and considering his thoughts on things. And given my personal and professional connections to Mexico, I particularly appreciated his latest piece on La Amenaza de Iraní (sic). He analyzes in detail the recent reports from Univision regarding the now-former Iranian ambassador to Mexico planning “cyberwar” with Mexican university students.

I don’t have much to add to his analysis at the moment, except to take exception with another analyst whom I respect, Jeffrey Carr, who rejects the idea that Iran would bother with “Mexican hackers”.

While I certainly recognize the efforts to which the Chinese have gone in their economic and military espionage (even if some folks dispute some of the specifics), that doesn’t mean that they cover every initiative from every ally. Nor does it mean that the Iranians wouldn’t attempt to grow their network, not least for the reasons Krypteia mentioned in his piece. This fits together well with today’s report on links between Los Zetas and Hizbollah, the latter of which has close ties with Iran.

Whatever the reality of this specific situation, the world has changed over the last two years. We will always have debates about who and why, and even more on what to do about it, but the threat landscape shifts daily.

Aside

Here are some articles worth reading, but which I didn’t get to discuss in more detail due to time constraints. Hopefully I’ll get around to some of the themes later. Reflections on the Oral Argument in United States v. Jones, …

Richard Clarke: The Year of the Hack

NB: These are my notes of Richard Clarke‘s talk at MIRcon 2011 and don’t necessarily represent my own views.

People are beginning to call this the “Year of the Hack”. No need to go into the details, but he believes that we should look separately at the various attackers’ identities and policy solutions. He uses the abbreviation CHEW.

1: Crime

“Cybergang” money rivals some drug cartels, billions of USD. Foreign law enforcement (e.g. eastern Europe) frequently on the take, so that the real ‘bad guys’ operate from “cybersanctuaries”. We can get the mules sometimes, but that doesn’t solve the issue. Policy solution looks like what’s been done about money laundering, so that the crime doesn’t pay. Grow the Budapest Convention into an organization with teeth, otherwise the costs will increase for banks. And while it’s fine for the banks to get screwed, they pass on the costs to us anyway.

2: Hacktivism

Personified by Wikileaks and other similar groups. Hacking because they believe in cybersecurity is like shooting people because you believe in gun control.

The other group believes that there should be no secrets (unless it’s their own secrets). Overclassification is a real problem, but the Foreign Service has done a good job. The cables aren’t revealing nefarious stuff like if this had happened in the 1970s. The cables should never have been revealed, and the Army should never have allowed a private with a questionable background to have access to these data. The DoD facility where he sat had technology to detect and prevent this stuff but it wasn’t installed and operational.

3: Espionage

A cancer that is destroying our economy. We do it, too, but against foreign governments to protect ourselves. The US doesn’t spy on private corporations and research labs to steal proprietary information for competitive business advantage. The WTO should have written rules about what can and cannot be done via espionage. There are rules about intellectual property, albeit often disregarded. China (primarily) has hacked its way into every corporation it can find in the US, Asia, and Europe, sucking out petabytes of data. Even if data isn’t secret research stuff, they will auction off the data (e.g. transactional data and business plans to international competitors).

The attacks are frequently successful and not noticed, so companies believe they haven’t been hit. In the meantime, a factory in China looks just like theirs and produces stuff just like theirs. And the Predator drone plans were stolen years ago, so the Chinese have the “Flying Dragon” drone that is just like it. In a nation with high labor costs, the only way to compete is through knowledge and innovation. Take that away and we can’t compete.

The technology and systems need to catch up. We need a plan to deal with the “cyber-rape” of our time. The Chinese will never stop until we penalize them somehow, either overtly (sanctions, etc.) or covertly. We’re not doing either.

4: War (cyberwar)

Something we’ve never had yet. It’s not hype; if it weren’t real, we wouldn’t have a 4-star general running Cyber Command and the Navy’s 10th Fleet that has no ships.

We’re talking about blowing up the same things in society that we traditionally blow up with missiles: telco facilities, power generators, all communications. We can also do it from data centers in Nevada and Maryland, like the Russians DDOSing Estonia or Georgia.

Then there’s Stuxnet. (China’s not the only company stealing digital certificates.) It looked for very specific sorts of SCADA operating systems, and when it found it, it looked very closely at which particular version and deployment it found. 1000 of the Iranian nuclear centrifuges were physically damaged so badly that they had to be removed and replaced, but without using B2 bombers.

The code is available now, as it didn’t actually wipe itself. People can modify and redeploy it to attack other SCADA systems, including inside the US. Someday, someone will attack us this way. It doesn’t even have to be a nation state like Iran. It could be some “nutcase group” that gets its hands on attack software. Cyber Command defends .mil and .gov but not .com. DHS can offer assistance, but companies have to defend themselves.

This is like asking every company in the Cold War to mount their own anti-air defenses against Soviet bombers. But Washington thinks any new government regulation of any sort is a bad thing. Until regulations require ISPs to filter packets and SCADA systems to disconnect from the Internet, none of these things will happen.