NB: The below are my notes from Michael Chertoff’s keynote speech at MIRcon 2011. They do not necessarily represent my views, and in some cases are completely opposed to my views.
The Internet was not built with security in mind, and net culture today believes that it’s inimicable to how the Internet works. But we need rules of the road, just like the actual roads. We’ve seen credit card numbers stolen from Wifi networks, and plans stolen from US countries to reproduce our stuff. DDOS attacks on Estonia and Georgia go hand-in-hand with hacktivism against organizations whose politics the attackers don’t like. Most disturbing is the possibility of a disruptive or destructive attack on an industrial control system or key piece of infrastructure. Stuxnet provides a good example though he’s basing his comments on what’s been reported in the newspapers, which he’ll accept as accurate for the sake of argument. If that can be done to Iran, what can be done to the US or its allies?
So everyone’s at risk: not just the above-mentioned groups, but anyone who does business anywhere in the world. Mine companies negotiating with the Chinese found that they had been “peeking into” their systems for additional leverage. This concept can be used to attack trading or financial platforms in order to gain market advantage. If there’s a widespread belief that some folks have that advantage, it will have an overall negative impact on the performance of the entire market. The challenge is that it seems complicated and expensive to those running mom and pop businesses, who don’t think of themselves as targets of “cyber criminals” even though they are. Identifying steps they can take to reduce their risk and deal with this type of fraud is highly valuable.
There isn’t one problem; there are a whole set of problems. There’s not one piece of software or a Maginot line that will fix things, but focusing on those things to the exclusion of all else ignores other key parts of a possible solution set. Layered defense, not a single point of defense, matters, and he doesn’t just mean hardware and software. Airline security has improved tremendously despite the fact that no one part is perfect (screening, airplanes, customs, etc.).
We’re facing threats from different actors: fraud, IP theft, DDOS attacks, destructive attacks. Different groups of people pursue different sorts of objective. Our approach to criminals centers around prosecution, although this fails somewhat for overseas attackers. Others are trying to “rob us of the birthright of our intellectual property”. So part of the solution set isn’t just arresting people (you can’t arrest nation states). You have to implement deterrence to prevent them, unlike with ordinary criminals. Nation states may have to respond at that level, rather than how we deal with criminals.
The vectors for these attacks are in three categories: over the network (the most imagined); the hardware and software in devices and systems (from fabrication of chips all the way to assembly); and the human factor (negligence or malice). Get away from the proposition that there’s a simple fix; there will never be perfect security. Concentrate on risk mitigation and risk management. You have to array all your tools against all your attackers, recognizing that not every tool works against every attack.
This requires a doctrine of cybersecurity. It has to map the landscape, the attackers, the toolset (across all possible actors, including technical, legislative, etc.). These must exist with the boundaries of the Constitution, but Congress can change specific laws subordinate to that. You won’t stop everything, so your best way of mitigating these threats is to live on the network, being aware of what’s going on and knowing what’s problematic. Information sharing also matters, particularly as we get more sophisticated about understanding our attackers. They have “tells”, including simple indicators like IP addresses and more complex indicators like particular techniques. The collection of information about these things is a critical part of building that series of layered defenses. We need to share within and among enterprises.
What role should the government play in this? Americans don’t want the government to have same sort of control that the Chinese government has. But there are certain tools that the government has. How do we share this information in ways that don’t compromise intelligence sources and methods? There’s a unique relationship between the defense contractors and the government. Sharing exists there, but it needs to get better. In other areas, that particular relationship doesn’t exist: power grid, water grid, transportation, financial services, etc. Chertoff advocates a “private party function” for firms who understand what’s going on in many clients and can then provide information. This could include, not just addresses and signature, but techniques. It’s about people, not just bits, and it’s really a counter-intelligence problem.
How do we train people and build the architecture so it’s easier for people to comply with the rules (and find the people who aren’t)? Social engineering defeats some of the verification questions used when passwords are forgotten. Golden questions allow the user to pre-define the questions and answers themselves. Chertoff sees this as an elegant solution, and therefore a good part of the overall solution set along with the things we already do (firewalls, secure software, etc.). Leaving laptops in hotel rooms needs just as much attention, but it requires another set of solutions.
So take a counter-intel approach and focus on the human domain, not just the tech domain. The threats won’t go away, because the value is online now. The notion of destructive and disruptive tools embedded in our control systems will be an important part of warfighting in the decades to come. Intelligence – knowledge about things and people – and sharing of that intel is the key tool in mitigating the risk.
Addressing my question on responding to civil liberties and intelligence failures for national defense in the cyber domain: an Internet kill switch for the President would probably not work, cause more damage, and be unacceptable. The harder issue is what the private sector can do in the area of civil liberties. Some advocate a series of different networks (like .secure that has no anonymity versus .wildwest with plenty of anonymity and no financial transactions). Are privacy and security opposite to each other? Security is an indefensible civil liberty. If the government is unable to secure our tax records, the promise of privacy there is worthless. People need to understand that, without security, they won’t have privacy. Understand that there will be a government on your network: will it be ours or a foreign government?
Naming and shaming can be counterproductive to information sharing. DHS could create a set of standards or metrics, and critical infrastructure organizations that don’t achieve them would suffer some form of disclosure. This has to be crafted in a way not to disclose that a company has had a breach but that they’ve not addressed underlying issues. Don’t penalize somebody for failure but for not trying or taking reasonable steps.
The rules are different for multinational enterprises, because their rules of the road are very different. So the entry point of a compromise can strongly affect how an investigation proceeds. In Europe, this is a challenge because protecting the privacy of one employee may put the privacy of all the other employees at risk. Europeans are historically fixated on data protection against the government and big institutions, not networks or criminals or terrorists, and they need to change.
We can’t take offense: you can’t go follow a burglar back to his house, break in, and take your stuff back. On the Internet, the attribution problem makes this particularly difficult as the hops from which you see the attacker could be a victim itself. This leads to problems with deterrence policies, since you can’t go to war every time you find a spy. But if you suffer an actual attack (disabling the power grid), you might want to respond, but against whom? This requires more discussion leading to public policy. You tend to get wars when you misread the other side, like Saddam Hussein misreading the US when he invaded Kuwait. Developing doctrine and policy in advance helps with that issue.