Wednesday, November 30, 2011

2012: Blood in the Water

2011 was the year that our perceived security was stripped away. EMC’s RSA division was breached and soon afterward so were some of its customers. The world’s largest anti-virus companies have been taken to task for selling snake oil (also known as anti-virus) to gullible CEOs. Local police departments were unable to protect their own officers’ personal and confidential information. The FBI’s Infraguard program was repeatedly hacked. And the directors of DARPA and NSA have recently both agreed that after many years of trying they’ve failed to come up with a security model that works.

We’ll be entering 2012 more vulnerable than ever before because at least part of our security relied upon the perception by bad guys that those charged with our security, both public and private, could do the job. Well, that myth has been busted, which gives rise to opportunity. Conversely, over 28 nations and counting are developing offensive cyber capabilities, and the really malicious actors of the world like drug cartels and extremist groups (both domestic and foreign) are rapidly learning what’s possible vis-à-vis attacks through cyberspace. In other words, those with the means to act are growing quickly.

Finally, the anger and frustration of the expanding Occupy movement combined with the onset of hate-fueled politics that accompanies a Presidential election year - especially against this President - will engender widespread motivation for people to take action. With means, motive, and opportunity solidly represented, I fully expect 2012 to produce one or more multi-modal cyber attacks against a U.S. target which will result in serious harm if not loss of life. By multi-modal, I mean an offensive operation where a cyber attack represents one component. Once there's blood in the water, you can expect more of the same to quickly follow.

The very worst part of this prediction is that it's inevitable. CEOs typically refuse to act to protect their own companies if it cuts into profit. The U.S. government has refused to do what’s necessary to protect our nation’s critical infrastructure because it's 90% privately owned, and our laws and system of government have enabled this massive malfeasance so that everyone responsible can claim absence of malice. In the words of Upton Sinclair and the movie based upon his book Oil! - "there will be blood". It's just a matter of time.

Tuesday, November 29, 2011

Dark Cloud Rising: Cloud Services are Becoming the Attackers' Preferred Target

The largest Cloud providers today are Google, Microsoft, and Amazon; each offering multiple services and platforms for their respective customers. For example, Microsoft Azure, Google Apps, and Amazon EC2 are all hosting and development platforms. Google Docs and Microsoft Office 365 provide basic word processing, spreadsheets and other applications for individuals to use via the Web instead of on their individual desktop. Then of course there are social networks, online gaming, video and music sharing services - all rely on a hosted environment that can accommodate millions of users interacting from anywhere on Earth yet all connected somewhere in cyberspace. While the benefits are many, both to individuals and to corporations, there are three distinct disadvantages from an individual and national security perspective:
  • The cloud provider is not responsible for securing its customers’ data
  • Attacking a cloud-based service provides an economy of scale to the attacker
  • Mining the Cloud provides a treasure trove of information for domestic and foreign intelligence services.
No Security Provisions
A Ponemon Institute [1] study on Cloud Security revealed that 69% of Cloud users surveyed said that the providers are responsible for securing their data, and the providers seemed to agree. However, when you review the terms of service for the world’s largest cloud providers, responsibility for a breach of customer data lies exclusively with the customer. For example:
  • From Amazon [2]: “Amazon has no liability for .... (D) any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of your content or other data.”
  • From Google [3]: Customer will indemnify, defend, and hold harmless Google from and against all liabilities, damages, and costs (including settlement costs and reasonable attorneys’ fees) arising out of a third party claim: (i) regarding Customer Data...” 
  • From Microsoft [4]: “Microsoft will not be liable for any loss that you may incur as a result of someone else using your password or account, either with or without your knowledge. However, you could be held liable for losses incurred by Microsoft or another party due to someone else using your account or password.”
Not only do none of the three top cloud providers assume any responsibility for data security, Microsoft goes one step further and places a legal burden upon its customers that it refuses to accept for itself.
An Economy of Scale
NASDAQ’s Directors Desk is an electronic boardroom cloud service which stores critical information for over 10,000 board members of several hundred Fortune 500 corporations. In February, 2011 [5], an un-named federal official revealed to the Wall Street Journal’s Devlin Barrett that the system had been breached for more than a year. It’s unknown how much information was compromised as well as how or when it will be used. From an adversary’s perspective, this type of breach offers an economy of scale that has never been seen before. In the past, several hundred Fortune 500 companies would have to be attacked, one company at a time, which costs the adversary time and money not to mention risk. Now one attack can yield the same amount of valuable data with a significant reduction in resources expended as well as risk of exposure.
An Open Source Intelligence Goldmine
China’s national champion firm Huawei is moving from selling telecommunications network equipment towards developing Infrastructure-as-a-Service software (the Cloud stack) needed to provide a highly scalable public cloud like Microsoft's Azure or Amazon's EC2. If it sells IaaS with the same strategy that it uses in selling routers and switches, Amazon, Google, and Microsoft can expect to begin losing a lot of enterprise business to Huawei, which will cut pricing by 15% or more against its nearest competitor. Cloud customers can expect their data to reside in giant state-of-the-art server farms located in Beijing’s “Cloud Valley”; a dedicated 7800 square meter industrial area which is home to ten companies focusing on various aspects of Cloud technology such as distributed data centers, cloud servers, thin terminals, cloud storage, cloud operating systems, intelligent knowledge bases, data mining systems, and cloud system integration.
Cloud computing has been designated a strategic technology by the People's Republic of China’s State Council in its 12th Five Year plan and placed under the control of the Ministry of Industry and Information Technology (MIIT). MIIT will be funding research and development for SaaS (Software as a Service), PaaS (Platform as a Service), and IaaS (Infrastructure as a Service) models as well as virtualization technology, distributed storage technology, massive data management technology, and other unidentified core technologies. Orient Securities LLC has predicted that by 2015, cloud computing in China will be a 1 trillion yuan market.
According to the US-China Council website [6], MIIT was created in 2008 and absorbed some functions from other departments including COSTIND (Commission of Science, Technology, and Industry for National Defense):
“From COSTIND, MIIT will inherit functions relating to the management of the defense industry, with a scope that covers the national defense department, the China National Space Administration, and certain administrative responsibilities of other major defense-oriented state companies such as the China North Industries Co. and China State Shipbuilding Corp. MIIT will also control weapons research and production in both military establishments and dual-role corporations, as well as R&D and production relating to "defense conversion"--the conversion of military facilities to non-military use.”
Clearly, the PRC has made a serious commitment to Cloud Computing for the long term. This doesn't portend well for today's private cloud service providers like NetApp or public cloud providers like Amazon, Google, and Microsoft; especially if buying decisions are made on price.
In Summary
The move to the Cloud is both inevitable and filled with risk for high value government employees, corporate executives, and companies engaged in key market sectors like energy, banking, defense, nanotechnology, advanced aircraft design, and mobile wireless communications, among others. To make matters more complicated, cloud providers may move data to different server farms around the world rather than keep it in the same country as the corporation or individual which owns it. That could potentially put the customer’s data at risk for being compromised legally under foreign laws which would apply to the host company doing business there. For example, Microsoft UK’s managing director Gordon Frazier was recently asked at the Office 365 launch: “Can Microsoft guarantee that EU-stored data, held in EU based datacenters, will not leave the European Economic Area under any circumstances - even under a request by the Patriot Act?” Frazier replied: “Microsoft cannot provide those guarantees. Neither can any other company.” 
The best advice for individuals and companies at this time is to insist that cloud providers build a measurably secure infrastructure while providing legal guarantees and without the use of foreign data farms. Until that occurs, and it's highly unlikely to happen without strong consumer pressure, there are significant and escalating risks in hosting valuable data with any cloud provider.

[1] The Ponemon Institute, “Security of Cloud Computing Providers Study”, April 2011
[2] The Amazon Web Services (AWS) agreement available on 
[3] Google Apps for Business Online Agreement
[4] Microsoft Information on Terms of Use, “Member Account, Passwords, and Security”
[5] The Wall Street Journal, “Hackers Penetrate Nasdaq Computers”, February 5, 2011 (online edition)
[6] The US-China Business Council website, “12. Ministry of Industry and Information Technology (MIIT)”

Monday, November 28, 2011

Actress, Banker, Soldier, Spy: Announcing Suits and Spooks II

I'm pleased and excited to announce an open registration policy for our next Suits and Spooks conference scheduled for February 8th, 2012. It'll be held at the beautiful Waterview Conference Center in Rosslyn, VA and registration will be limited to no more than 100 persons. Breakfast, lunch and a cocktail reception afterwards are included.

The Challenge: Shaping a Revolution in Security Affairs.
The complexity of today's computing environment has surpassed anything that the world has seen before. The amount of data generated globally is 72 Gigabytes per person on earth according to a 2011 EMC report. Past models for securing that data have had marginal to zero effectiveness. The U.S. government has produced multiple cybersecurity initiatives over the years which lay out many hard challenges along with recommendations for R&D. Suits and Spooks II will explore new thinking on how to re-shape an information security framework based upon the revolutionary work of individuals across a wide swath of disciplines including medicine, finance, entertainment, and technology. This transdisciplinary approach will include a visual scribe and real-time link analysis projected onto a split-screen behind the speakers. At the end of the day, we'll produce a report on our findings and distribute it to the relevant agencies.

This second event is going to be different from our first Suits and Spooks conference in two very important ways:
  1. Open Admission. The first event was by invitation only because we were creating offensive and defensive strategies using social media as an attack platform. For obvious reasons, we felt it necessary to control admission. This event is focused on problem-solving using a multi-disciplinary approach (also known as Transdisciplinarity), hence an invitation-only event would be too limiting. If you have an idea about how to build a better security framework, we want you to attend; however, we can only accommodate 100 of you.
  2. Audience Participation. We call these events an anti-conference because we aren't interested in packing seats to listen to lectures, nor are we interested in introducing customers to vendors. We involve the attendees directly in accomplishing the objective of the event. In this case, we'll be performing live link analysis using a mind-mapping application (we haven't selected one yet) on a screen behind the speakers. This will be done simultaneously with the speakers' presentations. Attendees will be able to send SMS messages or use a white board to communicate their insights into how any given speaker's presentation may connect to another speaker's presentation on a different topic or to the challenge that we're addressing. An operator will transfer those insights and connections to the application and build linking diagrams in real time.
We have some great speakers lined up, and I'll be featuring several of them in follow up posts this week. For starters, there's Christopher Burgess, Daniel Geer and Janina Gavankar:

Christopher Burgess. Christopher serves as the Chief Security Officer and President Public Sector for Atigeo, LLC, a compassionate technology company. He most recently served as the senior security advisor to the CSO of Cisco where he led the Global Threat Analysis, Global Investigative Support, Government Security Office and Litigation Support teams. Prior to joining Cisco, he served for more than 30 years as a career intelligence officer within the Central Intelligence Agency. Christopher was awarded the Distinguished Career Intelligence Medal by the CIA in recognition of his sustained significant accomplishments in the national security arena. He sits on a number of advisory boards, including Mayo Clinic’s Social Media advisory board, and Rune Information Security. Burgess is also a sought-after speaker and writer, providing thought leadership on the topics of intellectual property protection, security stratagem, online safety & privacy, social media, security education and awareness, intelligence, counterintelligence, protecting against corporate/industrial espionage and global geopolitical/economic affairs. Additionally, he is the co-author of “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”.

Daniel E. Geer, Sc.D. Dr. Geer has 10 years in clinical and research medical computing followed by five years running MIT's Project Athena, the first distributed computing emplacement. After a series of entrepreneurial endeavors either as a founder or an officer of the company, he's now in government service at In-Q-Tel, the investment arm of the US intelligence community. Dr. Geer's milestones include: The X Window System and Kerberos (1988), the first information security consulting firm on Wall Street (1992), convenor of the first academic conference on electronic commerce (1995), the "Risk Management is Where the Money Is" speech that changed the focus of security (1998), the Presidency of USENIX Association (2000), the first call for the eclipse of authentication by accountability (2002), principal author of and spokesman for "Cyberinsecurity: The Cost of Monopoly" (2003), co-founder of SecurityMetrics.Org (2004), convener of MetriCon (2006-present), author of "Economics & Strategies of Data Security" (2008), and author of "Cybersecurity & National Policy" (2010). Creator of the Index of Cyber Security (2011) and the Cyber Security Decision Market (2011). His participation in government advisory roles includes the Federal Trade Commission, the Departments of Justice and Treasury, the National Academy of Sciences, the National Science Foundation, the US Secret Service, the Department of Homeland Security, and the Commonwealth of Massachusetts.

Janina Gavankar. Janina is an actress (HBO's True Blood) and a social media developer. I invited her to speak at Suits and Spooks after reading this Forbes article about how she found an innovative way to solve a problem that she and many of her fellow actors struggled with and that existing platforms like IMDB didn't solve. She kindly agreed to take time out of her HBO shooting schedule to make the trip to DC and share details about the problem set and her innovative approach to solving it. Understanding how individuals are tackling and solving hard problems outside of the information security industry and whether we can gain insights from that to apply to InfoSec will be a key component of our February event.

More speakers will be announced this week. I can promise you that Suits and Spooks 2 will be unlike any conference that you've ever attended. We anticipate a lot of interest in attending this event so I recommend that you take advantage of the early bird discount and register today. A free signed copy of the second edition of my book (due out in January 2012) will be included for all attendees.

Rep. Mike Rogers Needs To Re-Think His China Tactics

According to NPR, Rep. Mike Rogers thinks that a piece of legislation is going to help stem the tide of IP theft on the part of foreign states like China. Rep. Rogers deserves credit for recognizing the problem and trying to do something about it, however the solution that he's considering - "naming and shaming" - not only won't work but completely misses the real problem.

The heart of the matter is not that foreign states are stealing U.S. intellectual property. Espionage is the 3rd oldest profession and our reliance upon cyber-space-time has made it easier than ever for agents around the world to not only take what they want but make it look like others are the culprits. The solution doesn't lie in deterrence because deterrence is a laughable concept among sophisticated attackers. While it's natural to want to stop the "bad guys" from stealing what is yours, it's also naive to believe that you can do it. You can't stop bad guys from coming in, but you can stop your data from leaving. That's the key to ending China and Russia's relatively free access to U.S. technological secrets.

Don't threaten them. Don't pretend that you can deter them. Don't imagine that you even know which one of them is doing the attacking at any given time. Instead, Rep. Rogers should write legislation that requires U.S. companies to inventory their critical data so that they know where on their network it resides, then implement a set of security controls that monitors the behavior of authorized users and locks that data down when certain norms are violated. The hard truth of the matter is that most companies today don't have a clue about where on their network their critical data resides because they've bought into the old school security model of trying to stop attacks at the perimeter of their network. Until that changes, Rep. Rogers and others like him will just waste more taxpayer money and perpetuate the illusion that the problem is somewhere "out there" and can be stopped with U.S. muscle. 

Sunday, November 27, 2011

The Russian Internet (Runet) Becomes More Opaque

Recent implementation of amendments to Russian Law makes the Russian Internet (Runet) more opaque to anyone other than the Russian security services. For example, below is the domain registration for a Russian IT company as listed on November 2, 2011. The registrar—Reg.Ru—is a Russian registrar located in Moscow:

domain: SAYTECH.RU
org: Saitek, LLC
phone: +7 495 9843552
registrar: REGRU-REG-RIPN
created: 2011.05.25
paid-till: 2012.05.25
source: TCI

As amended, however, Russian Federal Law FZ-152 On Personal Data now prohibits the release of personal data to any foreign entity by a Russian business operator.  Personal data includes phone numbers and email addresses.  As a result, the same domain registration now appears as below:

org: Saitek, LLC
registrar: REGRU-REG-RIPN
created: 2011.05.25
paid-till: 2012.05.25
free-date: 2012.06.25
source: TCI

Note that the email address and telephone number no longer appear.  Instead, anyone desiring contact information for Saitek, LLC must use the Reg.Ru whois administrative service.  Using the whois service returns the form below.  As you can see, the requestor must provide their email address and the information desired.  However, under Federal Law FZ-152, the domain administrator will simply refuse to provide the information except under a very limited set of circumstances.  Nevertheless, they will know who is interested and what they want.

The information is available since Federal Law FZ-152 now requires an internal passport for domain registration from a Russian registrar. Federal Law FZ-149 On Information, Information Technologies and Data Protection requires the operator to provide that information to investigators from the Russian security services. As a result, if the Federal Security Service (FSB) wants to know who registered the site posting information criticizing the government (usually referred to as inciting violence or extremism), no problem. However, if a US system administrator wants to contact someone about the problems originating from a Russian registered domain, tough luck.

This is a guest blog post by Taia Global's lead Russia analyst.
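The two whois snapshots above can be compared mechanically. The following is an added example, not part of the guest post: it parses RIPN-style "key: value" whois output, reports which registrant fields disappeared between the November 2 listing and the post-amendment listing, and computes the gap between paid-till and free-date. The set of keys treated as "contact data" (phone, e-mail, fax-no, person) is an assumption; only "phone" appears in the post.

```python
"""Compare two RIPN-style whois snapshots and flag withheld contact data.

Added example; the two records are copied from the post, the contact-key
set is an assumption.
"""
from __future__ import annotations

from datetime import date

# Keys a registrar may withhold under FZ-152. "phone" is on the page; the
# others are RIPN-style key names assumed for this example.
CONTACT_KEYS = {"phone", "e-mail", "fax-no", "person"}

# Snapshot as listed on November 2, 2011 (from the post).
BEFORE = """\
domain: SAYTECH.RU
org: Saitek, LLC
phone: +7 495 9843552
registrar: REGRU-REG-RIPN
created: 2011.05.25
paid-till: 2012.05.25
source: TCI
"""

# Snapshot after the FZ-152 amendments took effect (from the post).
AFTER = """\
org: Saitek, LLC
registrar: REGRU-REG-RIPN
created: 2011.05.25
paid-till: 2012.05.25
free-date: 2012.06.25
source: TCI
"""


def parse_whois(text: str) -> dict[str, str]:
    """Parse 'key: value' lines into a dict.

    Blank lines and '%' or '#' comment lines (used by RIPN for notices)
    are skipped; a repeated key keeps the first value seen.
    """
    record: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a key/value line; ignore rather than fail
        record.setdefault(key.strip().lower(), value.strip())
    return record


def parse_ripn_date(value: str) -> date:
    """RIPN prints dates as YYYY.MM.DD (e.g. 'created: 2011.05.25')."""
    y, m, d = (int(part) for part in value.split("."))
    return date(y, m, d)


def contact_fields(record: dict[str, str]) -> set[str]:
    """Contact keys actually present in a parsed record."""
    return {k for k in record if k in CONTACT_KEYS}


def diff_snapshots(before: str, after: str) -> dict[str, object]:
    """Describe what changed between two whois snapshots of one domain."""
    old, new = parse_whois(before), parse_whois(after)
    return {
        "removed": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
        "contact_lost": sorted(contact_fields(old) - contact_fields(new)),
        # No contact keys left means the only route to the registrant is
        # the registrar's administrative whois service described above.
        "contact_available": bool(contact_fields(new)),
        "same_registrar": old.get("registrar") == new.get("registrar"),
    }


def grace_days(record: dict[str, str]) -> int | None:
    """Days between paid-till and free-date, or None if either is absent."""
    if "paid-till" not in record or "free-date" not in record:
        return None
    delta = parse_ripn_date(record["free-date"]) - parse_ripn_date(record["paid-till"])
    return delta.days


if __name__ == "__main__":
    for key, value in diff_snapshots(BEFORE, AFTER).items():
        print(f"{key}: {value}")
    print("grace days:", grace_days(parse_whois(AFTER)))
```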

Tuesday, November 22, 2011

Latest FBI Statement On Alleged Illinois Water Company Attack

I just received the following update on the alleged Illinois Water Company attack that was released to the media by Joe Weiss. It appears to be a case of jumping too quickly to a conclusion with little to no corroborating evidence. I have an article coming out today for Slate on this issue but here's the ICS-CERT/FBI UPDATE in full:

After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.

There is no evidence to support claims made in the initial Fusion Center report - which was based on raw, unconfirmed data and subsequently leaked to the media - that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant.  In addition, DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign entities, as previously reported.

Analysis of the incident is ongoing and additional relevant information will be released as it becomes available.

Monday, November 21, 2011

Who's Selling Huawei Products To The U.S. Government?

The House Permanent Select Committee on Intelligence recently announced that it would be conducting an investigation into whether the expansion of Chinese telecommunications companies Huawei and ZTE into the U.S. represents a threat to national security. I'm in favor of the investigation and in my opinion, one of the things that the Committee should investigate is the Huawei Symantec (HS) joint venture and its "Wingmen"; i.e., U.S. companies that have signed up as partners to sell Huawei Symantec products to the U.S. government and associated entities. Symantec has recently announced that it's selling its 49% share of the joint venture to Huawei; however, that raises the question of who will be servicing those accounts. It seems to me that it'll be Huawei by default. At least two of those wingmen are Dell's Force 10 Networks and MPak Technologies, which recently won a contract with the University of Tennessee SimCenter which, in turn, caused several U.S. Senators to ask the Departments of Energy and Defense to investigate the reasons for the sale.

MPak Technologies Founder and President Mike Kornblum has openly said that "the performance of the Huawei Symantec hardware combined with Symantec software helped Mpak win deals with the U.S. government and a large contract at the University of Tennessee SimCenter: National Center for Computational Engineering." Personally, I'd love to know who in the U.S. government has paid MPak for equipment made by Huawei and sold by Huawei Symantec through its U.S. partner MPak Technologies. The same with Force 10 Networks and HS's other "wingmen". The House Intelligence committee should as well.

Related Posts:
Symantec Sells Its Stake In Huawei-Symantec Joint Venture
Huawei's Chairwoman Worked For Chinese Intelligence Before Joining Huawei
Here are the Facts about Huawei and the Chinese Government
Taia Global's Report On Huawei's Bank Loan Controversy
Huawei Symantec Hardware Powers U.S. Critical Technology Research
Symantec CEO Salem Needs To Get His Priorities Straight
Look Out Azure and EC2, Here Comes The Huawei Cloud Service
The Cyprus-Vienna Connection In Huawei Bribery Case

Tuesday, November 15, 2011

Google's Finland Data Center Was A Security-Savvy Move

One of the biggest security issues with cloud computing is the location of data centers in high risk countries like Russia, China, India, Brazil, etc. If the country has laws which allow their security services to demand access to the foreign-owned data center, you've got a problem. If the country's own ICT infrastructure is "pwned", you've got a problem. Unlike other large cloud providers, Google made a smart move by building its data center in Finland, just a few hours away from the Russian Federation. My company regularly provides due diligence research on foreign supply chains and state security issues and here's a brief summary of our analysis on Google Russia.

OOO Google (Общество с ограниченной ответственностью Гугл) is Google’s Russian subsidiary. Google’s activity in Russia is consistent with a desire to expand the Russian market and exploit Russia’s reservoir of IT professionals while minimizing Google’s vulnerability to the Russian government. OOO Google employees listed on Russian social networking sites are usually graduates of Russia’s elite universities. Google’s largest capital investment pertinent to the Russian market, however, is an approximately $500 million datacenter in Finland. The datacenter enjoys excellent communication links with Russia enabling Google to service and support expanding Russian activity without giving the Russian government leverage over Google. In sum, Google is approaching the Russian market with its eyes open.

OOO Google
According to, all sales and engineering activity are conducted from the Moscow and St. Petersburg offices. However, press and cover the opening of a major new datacenter in Finland (appendix for articles) in 2011. The capital cost of the land and building is listed as $260 million before the installation of servers. Similar Google datacenters are listed as approximately $500 million when complete. Google uses an innovative design with servers located in standardized containers enabling rapid construction and easy expansion by adding additional containers. Google servers run on Linux. Russia is particularly strong in Linux developers since it is the Russian government’s preferred operating system.

The new datacenter enjoys excellent communications with Russia. However, Russian press frequently contains accusations of Google colluding with foreign intelligence services against Russia. As a result, Google is probably wise to locate the new facility outside Russia to prevent the Russian government from using the facility as a hostage.

Google Vulnerabilities in Russia
Google’s primary vulnerability at this point is probably penetration by Russian intelligence services through a recruited asset. Placing the new datacenter in Finland shows Google is sensitive to the baggage that comes with making a significant capital investment in Russia. However, Russian press shows Russia’s intelligence services view Google as a threat. As a result, penetrating Google’s Russia activities would be a priority. Indeed, the Google circle on shows five employees with previous experience at Luxoft, a Russian software firm with excellent Federal Security Service connections.

Symantec Sells Its Stake In Huawei-Symantec Joint Venture

Huawei just announced that it's buying Symantec's interest in their joint venture Huawei-Symantec (HS). This is a very interesting turn of developments for a joint venture that I've been railing against for most of 2011. Six months ago, Symantec CEO Enrique Salem said he either wanted to increase Symantec's stake in HS or sell shares to the public via an IPO. Then in October, he added the additional option that Huawei may buy Symantec's shares. Today, that's precisely what happened. My question is, what happened between May and October to make CEO Salem change his mind?

Could it have been this Washington Times article last August about how four Senators and a Congressman were asking the Departments of Defense and Energy to look into the sale of H-S parts to a government research lab at the University of Tennessee? Or perhaps it was the release of an Open Source Center report on Huawei's Chairwoman Sun YaFang's past with the equivalent of China's CIA, the Ministry of State Security?

Or perhaps it was that the ludicrous nature of the relationship between a Chinese company with State affiliations and a security company that's supposed to protect its customers from espionage activities by that same State finally sank in to Salem's brain? No, it probably wasn't that.

Sunday, November 13, 2011

Forbes, Nike, and the Endorsement of Child Rape

The editorial by executive editor and sports hag Mike Ozanian - "Nike's Refusal To Abandon Tarnished Clients Like Joe Paterno Has Paid Off" - is so off-putting, so peculiarly pecuniary in nature; so un-sympathetic to Sandusky's child victims that I'd like to start heaving footballs at Ozanian's groin to get him to feel something akin to what those kids felt.

Writing an editorial that coldly makes the business case for Nike to stick with "tarnished" sponsors like Tiger Woods or Kobe Bryant is one thing. Woods was a serial cheater and Bryant was accused of rape, but Joe Paterno along with Penn State University and the University Police are apparently complicit in at least 8 cases of child rape by Jerry Sandusky according to the Grand Jury report. In fact, if you read the report you'll learn that Sandusky had been victimizing young boys for about 10 years and that the University, Paterno, and the University Police all ignored numerous reports by adult witnesses and family members. Ozanian writes about this like it's just another example of a moral lapse in judgment and celebrates Nike for standing by Joe Paterno because it's good for business. When children have been tortured, raped, or killed, you don't coldly analyze it in terms of whether you can still make a buck off the perpetrator, or anyone who supported him. You denounce it. You make the people responsible pay for their crimes. You use your position of power to show other children that this was a heinous act that will never be tolerated. I already knew that the editorial staff of has no balls. Ozanian's post showed me that they have no heart either.

As far as Nike not immediately pulling its endorsement goes - banks figuratively fuck over their customers. You sponsor a guy who allowed it to happen for real. Children are your customers too. Fuck you, Nike.

Friday, November 11, 2011

Words Matter: Why Derek Bambauer's Wrong on Cyber Terrorism

Derek Bambauer is an associate professor of Law at Brooklyn Law School. He specializes in Internet law and is one of the authors of the Info/Law blog. I just finished reading his post from yesterday "Cyber-Terror: Still Nothing To See Here" and decided to post a quick response.

Like Professor Bambauer, I don't believe that we've seen any acts of cyber terrorism yet. Unlike Bambauer, however, I'm convinced that we will see them in the next few years. His rationale behind his argument that cyber-terrorism won't happen now or in the future is an example of how "cyber hyphenated" language is fueling wrong thinking in this area. Cyber-terrorism (and cyberterrorism), because of its construction, is interpreted to be a cyber form of terrorism, but like cyber-war (and cyberwar) that's not what we see in real life. Cyber operations are a subset of a variety of hostile actions - warfare, espionage, crime, and terrorism. None of them exist purely in cyberspace. All rely on a kinetic component. The one that we see the least of today is terrorists exploiting vulnerabilities through cyberspace; however, I can't imagine how anyone can deny that terrorists will one day find a way to take advantage of the many vulnerabilities that exist in that sphere. Yet that's precisely what Bambauer argues in his post, with no evidence to support it.

Bambauer clearly hasn't spoken with any Industrial Control System (ICS) experts or he'd know precisely how easy it is to cause serious problems at any facility running SCADA systems. He doesn't evaluate what's possible and weigh it against the present actors' (state and non-state) motivations and capabilities, now and in the future, to arrive at an informed conclusion. Instead he argues that the supporters of cyber terrorism are in it for the money or suffer from cognitive bias. Two cheap shots which hurt, not help, Bambauer's argument, especially when both could be turned against him.

Personally, I agree with Shawn Henry's assessment that acts of cyber terror are on the horizon. The only reason why we haven't seen it yet is because old guys like me are still running the show in most terrorist groups. It's just a matter of time before someone from the Internet generation assumes the reins of power.  Someone who knows precisely how vulnerable the world has become thanks to our reliance upon cyberspace for every aspect of our lives, and decides to leverage that reliance into a weapon of mass destruction in the name of a God or a Cause or just pure Anarchy. You don't need a college degree to understand that. You just need to have lived long enough to know what people are capable of doing, and expect it.

Monday, November 7, 2011

Why DARPA Is Clueless About Securing Cyberspace

If DARPA's Director Regina Dugan hadn't already admitted that the agency is clueless about how to secure cyberspace, the choice of Richard Clarke as a speaker certainly made that clear. Of all the experts out there, Mr. Clarke has provided some of the worst advice that I've ever heard when it comes to specific cyber-based threats and remediations.

Director Dugan won't find a solution to her problem by speaking to more of the same people that the agency always speaks with. Einstein's oft-repeated definition of insanity is doing the same thing over and over again and expecting different results. The director should stop speaking to hackers, crackers, grey hats, black hats, white hats, and the cyber industrial complex in general. DARPA has done that for years without success. If the director wants a different result, she needs to approach the problem in a completely different way. In fact, I recommend that this problem be completely re-framed. Just like money problems are never about money, and obesity problems are never about food (they both stem from negative belief systems that we've learned as children and reinforced as adults), protecting data is not about cyber security. It's about understanding how we take care of our valuable possessions in the physical world and transferring that understanding to comparable models in the virtual world.

Instead of inviting hackers, Director Dugan should invite experts in personal security like Gavin De Becker or my friend Roderick Jones who understand how to protect high value individuals against multiple unknown attackers. She should invite farmers who have to defend their crops against an unpredictable weather system. Or corner a few MDs at the Centers for Disease Control to learn how virulent bacteria consistently beat the body's immune system. The bottom line here is that we must MUST find a way to break free of the grip that the information security industry has on all things cyber because it is a failure from top to bottom.

I doubt that anyone from DARPA will take this post to heart but I'm convinced that it's the right way to proceed. We're planning a second Suits and Spooks conference for Washington DC this Spring. Perhaps that will be the time to bring farmers, doctors, and personal security specialists together to find some common sense solutions and apply an entirely different mindset to the current cyber-security insanity.

Friday, November 4, 2011

A Review of the NCIX Report on Foreign Economic Collection and Industrial Espionage

Although this is the 14th report on Foreign Economic Collection and Industrial Espionage, it's the first to be written by the Office of the National Counterintelligence Executive (ONCIX); a post created in 2009 under the Office of the Director of National Intelligence. It's also the first to include cyber espionage in its coverage which was a bit surprising to me considering how long cyber espionage has been around. Other firsts in this report are that the ONCIX expanded its traditional sources within the government to include the private sector as well as academic research in an effort to gain the broadest possible coverage of the problem. The report also mentioned but didn't specify "new sources of government information".

I liked this report very much. It's the first official report that I've seen which mentions Russia with China as a source of cyber espionage. I can't tell you how exhausting it's been to try to refute so-called experts who proclaim loudly and often the twin fallacies that only China engages in cyber espionage while only Russia engages in cyber crime. When confronted, some of these experts will fall back on the "if you only had a clearance" retort. Well, ONCIX is cleared, and they came up with essentially the same assessment that I usually give:
We judge that the governments of China and Russia will remain aggressive and capable collectors of sensitive US economic information and technologies, particularly in cyberspace.
The report gets a lot of things right. While it mentions specific states like Russia and China, it also gives tangible examples of espionage that have nothing to do with cyberspace. This is important because it sets a precedent for Russia and China's past activities. Cyberspace has simply made it easier and more efficient for the collectors. For example:
Dongfan Chung was an engineer with Rockwell and Boeing who worked on the B-1 bomber, space shuttle, and other projects and was sentenced in early 2010 to 15 years in prison for economic espionage on behalf of the Chinese aviation industry. At the time of his arrest, 250,000 pages of sensitive documents were found in his house. This is suggestive of the volume of information Chung could have passed to his handlers between 1979 and 2006. The logistics of handling the physical volume of these documents—which would fill nearly four 4-drawer filing cabinets—would have required considerable attention from Chung and his handlers. With current technology, all the data in the documents hidden in Chung’s house would fit onto one inexpensive CD.
Further, the report demonstrates motivation by identifying key technologies of interest to developing and developed nations:
  • Information and communications technology (ICT), which forms the backbone of nearly every other technology.
  • Business information that pertains to supplies of scarce natural resources or that provides foreign actors an edge in negotiations with US businesses or the US Government.
  • Military technologies, particularly marine systems, unmanned aerial vehicles (UAVs), and other aerospace/ aeronautic technologies.
  • Civilian and dual-use technologies in sectors likely to experience fast growth, such as clean energy and health care/pharmaceuticals.
Taia Global clients get a more specific assessment of various nation states' "shopping lists" which helps us identify who our clients may have been attacked by, but I'm really happy to see this assessment included in the NCIX report.

While it has many positive points, this report falls short in a few areas. They could have included more information about how Russia is engaging in cyber espionage. Also, under Resources for Help in Appendix A, the report says to contact the NCIX or FBI for assistance in developing effective data protection strategies. I don't have any experience in working with the NCIX but I can tell you that the FBI is completely overwhelmed by cyber cases. We regularly hear from companies who have been contacted by the FBI about a breach in their network but who receive very little to no help at all after the initial contact. They just don't have the resources. Short of the FBI, there's no one else in government that the authors of this report could reasonably list as a point of contact for assistance. 

One might think that they could have listed US-CERT and DHS but neither organization has proven itself as particularly effective or competent in protecting civilian infrastructure. They couldn't list private information security companies for obvious reasons so this underscores a gap that may need filling by a non-profit public-private entity yet to be created.

Thursday, November 3, 2011

Decision Tree for Potential #OpCartel Participants

If the idea of outing one of the world's most dangerous criminal gangs as a part of Anonymous' #OpCartel appeals to you, please ask yourself the following questions:

1. How have you managed your online identity over the past two years? If you don't know for sure that you haven't revealed any clues to your real life identity in all of the thousands of posts that you've probably generated on Twitter, Facebook, YouTube, LinkedIn, GroupOn, Zynga, Full Disclosure, public IRC chat, etc., then don't participate in OpCartel.

2. If you aren't sure about your posting history but you're young and feeling immortal, please know that if you participate, you're putting the lives of your family and friends at risk as well. Let me re-state that. Before you get involved in #OpCartel, tell your mother, father, sisters, and brothers that there's a chance they could all be killed because you want to play revolutionary.

The Zetas may not be technically savvy enough to run social analytics on your posting history, but there are plenty of mercenary hacker crews in South America, the EU, and Eastern Europe who are; and that's one thing that the Zetas have lots of - cash.

If you know how to navigate in cyberspace without being identified, and if you believe that helping the Mexican people take back their country from the grip of the cartels is potentially worth dying for, then please consider waiting for members of AnonymousMexico to kick things off. Social networks can provide momentum to a revolutionary movement (witness the Arab Spring), but in every case it has to be initiated by the indigenous population. They have the skin in the game. They have to live with the consequences. Support them if you wish, but if they aren't the primary movers, the risk:reward ratio for this AnonOp is heavily skewed toward the risk side. 

Tuesday, November 1, 2011

Words Matter: Dump APT for APA

I've written about my objections to the term Advanced Persistent Threat before, and explained why the term is both inaccurate and illogical, but I didn't propose an alternative term and clearly journalists need one. Therefore, I'd like to propose that we put this abused, over-used, and ill-fitting term to a well-deserved retirement and use in its place "Adaptive Persistent Attack" or APA.

Adaptive should replace "advanced" because advanced malware costs time and money to develop, and an adversary crew won't use something expensive and sophisticated if a mundane spear phishing attack crafted with some social engineering will do the trick. In other words, the bad guy's attack profile is adaptive, not advanced.

Persistent is exactly the right word. Once they're in, you aren't getting them out. The Fortress defense paradigm needs to die the same death as "APT".

As I pointed out in my post "The APT Logical Fallacy", APT is an oxymoron. A threat is not an attack. You've been attacked. Call it an attack.

But APT is a Who, not a What
Almost everyone who makes this statement believes that APT is a code word for the People's Republic of China. Period. Only China. I refuted this argument in my above-referenced post with detailed examples of the same attacks coming from the Russian Federation. Frankly speaking, it's stupid to keep using a code word when the meaning of the code word is widely known. Back in 2006, only other Air Force insiders knew what was meant by the term APT, so it fulfilled its purpose back then. Now the secret is out. There's no reason to keep referring to China as APT when we all know what you're talking about, including China. So either name the State that you're accusing or don't name it, but don't call China APT, APA, or any other code word. It's silly and it doesn't fool anyone.

Today, the Advanced Persistent Threat (APT) has become a huge FAIL, both as a "who" and as a "what" so please, let's all stop using it. I think that APA fits the bill rather nicely. If you've got a better idea, by all means suggest it as a comment. Words matter, and the world of information security has lots of horrible ones. This will be the first of a series of Words Matter posts that I hope to write in the near future with the hope of stimulating discussion and arriving at a more precise terminology for this emerging threat environment. Please contact me in the comments or via email if you have suggestions for a future Words Matter post (like "cyberwar").