Tag Archives: cyber security

Estonia Lesson Learned: “Every Country Should Have a Cyber War”


“DEFENSE ONE”

“Estonia’s biggest turning point was 10 years ago, when the country came under sustained cyberattack.

The shock of a cyberwar united the community to take action. Estonians don’t see cybersecurity as a phenomenon; it’s about being empowered by technology, not controlled by it.”


“Estonia’s steps have certainly been radical, and other countries can learn lessons from them about how to defend themselves.

In 1991, Estonia was part of the dying communist empire. Its economy was run by central planners in Moscow, less than half of all households had a phone line, and goods were so scarce that people had to line up for food.

Skip ahead 26 years, and Estonians don’t even have to queue to vote. They do that online.

In just over two decades, Estonia has become one of the world’s most digitally innovative and efficient countries. In fact, Estonians conduct all their civic responsibilities online. Offices and paper forms have become obsolete as state-issued digital identities allow all citizens to carry out any financial or government transaction from their laptops or cellphones. And that gives them an edge when it comes to cybersecurity.

Estonia’s journey down the digital road has been astonishingly fast. When it gained independence from the Soviet Union in 1991, it had almost no money and few natural resources. But it did have one advantage: It was the designated center for software and computer production for the USSR. After achieving independence, the country had a pool of tech expertise to build on.

During these early years of independence, Estonia needed to create the means for a new economy. And it wasn’t going to be easy. The country’s tiny population of just 1.3 million is spread over a relatively vast countryside. Outside the capital Tallinn, there’s an average of just four people per square kilometer. The new government didn’t have the resources to extend government offices or banking facilities to small towns and villages, so it decided to encourage self-service, and spread internet access across the country in order to do so.

To achieve this, the government set up an investment group to build computer networking and infrastructure. By 1997, almost every school was connected to the internet, and by 2004, 300 wifi access points had been established, bringing the internet even to small villages—and mostly for free.

In 2007, Estonia was in the middle of a political fight with Moscow over plans to remove a Soviet war memorial from a park in Tallinn. Suddenly, it was hit with three weeks of DDoS (distributed denial of service) attacks. When this happens, multiple sources send multiple online requests, flooding a service or system and making it unable to function. It’s the digital equivalent of crowding an entrance to a building so that no one can come in or out.

As a result, the internet shut down as websites were bombarded with traffic. Russia denied any involvement, but Estonia didn’t believe it.

“War is the continuation of policy by other means,” Estonian president Kersti Kaljulaid told a NATO cyber-conference in Tallinn in June 2017. “Ten years on, it is clear that the decision made by Estonia not to withdraw but stay and fight for the security of our cyberspace was indeed the right one.”

The attacks made Estonia more determined than ever to develop its digital economy and make it safe from future attacks. “I think every country should have a cyber war,” says Taavi Kotka, the government’s former chief information officer. “Citizens get knowledge about what an attack means, about how phishing works, how DDoS works, and they start to understand and live with that. People aren’t afraid if they know they can survive something. It’s the same thing as electricity going off: Okay, it’s an inconvenience, but you know how to deal with it.”

In Estonia, people are not afraid of cyber warfare, nor are they afraid of sharing personal data across public and private institutions. Go to a hospital, and the nurse or doctor can call up your entire health records from any doctor you ever visited without the need to call their offices and ask them to send files.

Full marks for convenience, simplicity, and efficiency. But what about the dangers of nameless bureaucrats accessing your personal data? Isn’t there a risk of future governments abusing the system and using your intimate details against you? Isn’t this inviting an Orwellian nightmare?

Estonia says no. Unlike an authoritarian state like the old Soviet Union, government transparency is built into the system. While all your private data is online, only you can give permission for any data to be accessed. And you can check who has accessed what. If a doctor you don’t know has viewed your records, it will be traceable, and you can have them sacked. As one software developer Quartz spoke to said, “You become your own Big Brother.”

Data is protected through a framework known as X-road, which helps exchange decentralized data between big government databases. X-road has built-in security measures that encrypt traffic and time-stamp data so that it cannot be manipulated. Taimar Peterkop, from Estonia’s Information System Authority, says that the security measures built into E-identity databases are all but impenetrable by outsiders. “Estonia takes data integrity very seriously because our society is so digitized,” he says. “If someone manipulates citizens’ data, that’s a challenge for us. We use blockchain-based technology to ensure the data is as it should be.”

When it comes to security, Peterkop says humans are usually the weak link. “Cybersecurity starts with us. If you have weak cyber hygiene, that’s a problem. We need to raise awareness and educate people about using strong authentication methods,” he says. For example, Estonia has public-education campaigns about how to use your smart devices wisely.

It seems like glaringly obvious advice, but a look at the recent US election shows that basic cyber hygiene has been an after-thought, even for the powerful. When Democratic nominee Hillary Clinton’s campaign chief John Podesta’s Gmail account was hacked, Wikileaks founder Julian Assange claimed Podesta’s password was simply the word “password.” The campaign denied this claim and said they fell victim to a phishing scam. Whatever the case, it was an avoidable security breach that should never have occurred.

Peterkop also says that consumers need to ask more questions about the Internet of Things, especially when it comes to everyday household products and devices. “There is so much pressure to come up with new products in a hurry, so security measures are an after-thought,” he says. “As consumers, it’s essential that we start paying attention to it. We don’t do enough risk mitigation. Basically every TV is a computer now.” These issues are present already: A recent document dump from Wikileaks points to hacking tools that directly relate to Samsung televisions.

Estonia’s steps have certainly been radical, and other countries can learn lessons from them about how to defend themselves. As well as creating a paperless public service, Estonia is now backing up government data on secure servers offsite in Luxembourg. It has also prioritized tougher international action for cyber-crime and encouraged private companies to review security measures and have stronger agreements with server providers.”

http://www.defenseone.com/technology/2017/08/every-country-should-have-cyber-war-what-estonia-learned-russian-hacking/140217/?oref=d-mostread
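The two properties the article credits to X-road, that a citizen can see who accessed their record and that stored data cannot be silently altered, rest on the same general technique: time-stamped audit entries linked by hashes, with the latest hash anchored somewhere the log writer cannot change. The example below is added here to illustrate that technique in working code; it is not X-road’s or the Estonian government’s code, and the entry fields, function names and log contents are assumptions constructed for the demonstration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value for the first entry in an empty log


def _canonical(entry):
    # Deterministic serialisation: the same fields must always hash the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(entry):
    """SHA-256 over every field except the stored hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(_canonical(body)).hexdigest()


def append_access(log, actor, subject, action, ts=None):
    """Append a record of `actor` performing `action` on `subject`'s data, chained to the previous entry."""
    entry = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,
        "subject": subject,
        "action": action,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = entry_hash(entry)
    log.append(entry)
    return entry


def verify_chain(log):
    """Return (ok, first_bad_seq): each entry must hash correctly and point at its predecessor."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e.get("seq") != i or e.get("prev") != prev or entry_hash(e) != e.get("hash"):
            return False, i
        prev = e["hash"]
    return True, None


def head_hash(log):
    return log[-1]["hash"] if log else GENESIS


def verify_against_anchor(log, anchored_head):
    """A chain is only trustworthy if its head matches a hash published outside the writer's control."""
    ok, _ = verify_chain(log)
    return ok and head_hash(log) == anchored_head


def accesses_to(log, subject):
    """The citizen's view: who looked at my record, and when. Refuses to answer from a broken log."""
    ok, bad = verify_chain(log)
    if not ok:
        raise ValueError("audit log failed integrity check at entry %d" % bad)
    return [(e["ts"], e["actor"], e["action"]) for e in log if e["subject"] == subject]


def build_sample_log():
    """Constructed sample entries (hypothetical actors and subjects, fixed timestamps for determinism)."""
    log = []
    append_access(log, "dr.tamm@clinic", "citizen-1001", "read", "2017-06-01T09:15:00+00:00")
    append_access(log, "nurse.kask@hospital", "citizen-1001", "read", "2017-06-03T14:02:00+00:00")
    append_access(log, "dr.saar@other", "citizen-2002", "read", "2017-06-03T14:05:00+00:00")
    return log


def tamper_demo():
    """An insider edits entry 1 to hide who read the record: the stored hash no longer matches."""
    log = build_sample_log()
    log[1]["actor"] = "nobody"
    return verify_chain(log)


def tamper_recompute_demo():
    """Recomputing the edited entry's hash just moves the break to entry 2, whose 'prev' is now stale."""
    log = build_sample_log()
    log[1]["actor"] = "nobody"
    log[1]["hash"] = entry_hash(log[1])
    return verify_chain(log)


def full_rewrite_demo():
    """Rewriting every later hash makes the chain self-consistent; only the external anchor catches it."""
    log = build_sample_log()
    anchored = head_hash(log)  # published (or externally time-stamped) before the tampering
    log[1]["actor"] = "nobody"
    for i in range(1, len(log)):
        log[i]["prev"] = log[i - 1]["hash"]
        log[i]["hash"] = entry_hash(log[i])
    return verify_chain(log)[0], verify_against_anchor(log, anchored)
```

The three tamper functions show why the hash chain alone is not enough: anyone with write access to the log can recompute every hash after the edit, so the head hash has to be committed somewhere the writer cannot alter, which is what the article’s “blockchain-based technology” is doing for Estonia, whatever its exact construction.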


A New Tool for Looking at Federal Cybersecurity Spending


Image:  “Taxpayers for Common Sense”

“THE PROJECT ON GOVERNMENT OVERSIGHT”

“A new database and visualization tool that breaks down unclassified federal spending on cybersecurity over the past decade—giving the public a peek at how each major federal agency is devoting resources toward protecting computer systems.”


“More and more of what the federal government does relies on complex computer systems and networks. This high tech infrastructure makes the government work better by making services more efficient and accessible.

But that digital revolution also comes with big risks—just think back to the massive data breach at the Office of Personnel Management disclosed in 2015, when hackers compromised sensitive information about tens of millions of Americans. Last year, there were at least “30,899 cyber incidents that led to the compromise of information or system functionality” at federal agencies, according to a White House report released in March. The number of attacks on federal computer systems has risen sharply over the last decade.

So how much is the government spending to protect itself (and us) in this brave new world?

Unfortunately, the answer is “we don’t really know.” But a new tool from nonpartisan watchdog group Taxpayers for Common Sense provides perhaps the most comprehensive analysis of federal cybersecurity spending.

Last week, Taxpayers released a new database and visualization tool that breaks down unclassified federal spending on cybersecurity over the past decade—giving the public a peek at how each major federal agency is devoting resources toward protecting computer systems.

Taxpayers used public budget documents to build the database, but it wasn’t easy. “There is no government-wide standard definition or method of accounting for what qualifies as cyber funding and, therefore, no way to fully track it,” the organization explains on its methodology page. Agencies also use a variety of different approaches to tackle the issue, making it even harder to pin down their spending. Then, there is the government’s murky “black budget” of classified spending. So Taxpayers “settled on providing the best picture [it] could develop from extensive research of government programs” that are unclassified, spending two years searching through thousands of budget documents for terms like “information security” and “information assurance.”

Taxpayers found the amount spent on cybersecurity has quadrupled over 11 years. The group was able to tally $7 billion in unclassified cybersecurity spending in 2007, as compared to $28 billion in 2016. But some of that growth could be attributed to improvements in how the government tracks cybersecurity funding.

The resulting snapshot isn’t perfect, but it’s an impressive start—and a necessary one. After all, you can’t figure out what bang the government gets for its cybersecurity buck if you don’t know where those bucks go.”

http://www.pogo.org/blog/2017/08/a-new-tool-for-looking-at-federal-cybersecurity-spending.html


The Business of National Cybersecurity



“FIFTH DOMAIN CYBER”

“With all the attention this subject is now receiving, one would think the business of national cyber security (commercial, government and defense) would be very robust.

Small and medium-sized businesses are not singing a happy, carefree tune. Delays in contracts, budget cuts and delayed payments seem to be the most common complaints.

It is hard to open a browser, look at a newspaper, or watch or listen to a news show without the topic of cybersecurity coming up. In mid-June, Microsoft received a lot of attention from headlines about the company’s warning of an elevated risk of cyberattacks. Another attention-grabbing headline came from Chris Childers, the CEO of the National Defense Group located in Germantown, Maryland, who shined light on the fact that many satellites in use today are dated and use old technology that was made before cyberthreats were a real issue and prior to when cyber defenses were readily available.

With all of the headlines about cyberattacks, viruses, ransomware attacks (WannaCry) and so on, you would think cybersecurity business is booming. Odds are it is not as robust as many people think. Let’s not forget when the Department of Homeland Security said 20-plus states faced major hacking attempts during the 2016 presidential election.

Today, basic cybersecurity understanding and skills need to reach into every profession and every level of the workforce. Updating the skills of the workforce must be continuous, and this takes time and money.

Another interesting point was brought up during a recent cyber strategy thinking session: Could our adversaries be leveraging inexpensive cyberattacks and threats as economic warfare, knowing full well that we will move to identify, analyze and address the emerging threats — something that would cost us money? After all, what choice do we have?”

http://fifthdomain.com/2017/07/07/the-business-of-national-cybersecurity-commentary/


Cyber Training and Education Must Be Continuous


(Photo Credit: Staff Sgt. Alexandre Montes/Air Force)

“C4ISRNET”

“Today, very few organizations have as a requirement for employees and contractors the upkeep of cyber security knowledge.

That must change immediately if we are to keep pace with the ever-changing cyber threat environment.

Times are certainly changing. Politics, regulation, threats, conflict and so much more are changing; but it can be difficult to adapt to all the new and emerging technologies and their applications. There is little doubt that the world’s reliance on computers and their use continue to increase rapidly. Arguably, digital transformation is the leading driver of change. All these are producing a significant amount of new data and data communication paths that are all potential targets for cyberattacks by our adversaries and criminals. The sum of all this equals changes to our knowledge base, education requirements and the cyberthreat environment. Let’s take a look at some of the stats.

Cyberattack surface area

In 2016, there were multiple numbers that clearly showed just how large the cyberattack surface area has become. It was estimated that in 2016, internet of things, or IoT, devices rose to 17.6 billion. In 2016, there were an estimated 12.5 million connected cars produced and put into operation. Also in 2016, an estimated 45 percent of Americans had either a smart home or invested in smart-home technology, according to a survey by Coldwell Banker. Now we should also include robots. In the fourth quarter of 2016, robot orders in North America surged by 61 percent. The increases in robot sales have led analysts to project that robots will take/occupy 6 percent of all U.S. jobs by 2021.

Here is something that provides a partially over-arching perspective: data storage. IDC projects data storage growth by 35 to 40 percent per year for external storage and 33 to 38 percent for internal storage. Finally, consider Gartner’s projection that “manufacturers, consumer goods companies, medical device providers and their supply chain vendors are expanding the use of 3-D printing.” Think of the data files flowing to those printers! Think about the value of those files. Theft of those files enables counterfeit products, for sure. Think about all the changes in technology and to the cyberattack surface area the above data represents.

Threats

Consider the following metrics as an indication of the current pace of change to the cyber environment. In just one quarter of 2016, Panda Labs stated there were 18 million new strains of malware identified/captured. That equates to about two and one-third new pieces of malware being identified every single second. That is what was found! It is anyone’s guess what was actually released. In 2016, ransomware continued to grow in number. In fact, some place the growth rate at approximately 300 percent. That means in 2016 there were on average approximately 4,000 ransomware attacks occurring every day. That equates to two and three-fourths ransomware attacks per minute. We shouldn’t forget about the growing use of cryptocurrencies for payment in ransomware attacks! At the time of writing this, there were more than 850 different cryptocurrencies with a total market capitalization equal to or over $97 billion. Think about all the nefarious activities that cryptocurrencies could be used to fund. It’s proven to be so relevant that a recent cryptocurrency webinar had approximately 3,000 professional attendees.

Distributed denial of service, or DDoS, attacks in 2016 were up in frequency, intensity and the amount of flooding data. In fact, we saw the largest DDoS attack of its kind in history. One company reported DDoS traffic of 1.2 terabytes per second. But hold on. Think about the potential for a highly distributed IoT botnet. That is a distinct possibility evolving right before our eyes.

Impact on cyber training and education

The pace at which the cyberthreat environment is changing creates a huge challenge for our military and intelligence communities. Keeping up with these changes is a large and growing task. Considering the pace with which technology is advancing and implemented, it is easy to see just how essential continuous education has become. With all of the changes that have taken place and continue to take place, updating the curriculum must be an ongoing activity; the same goes for the knowledge and skill-set requirement of professionals in the cybersecurity field. Today, very few organizations have as a requirement for employees and contractors the upkeep of cybersecurity knowledge. That must change immediately if we are to keep pace with the ever-changing cyberthreat environment.”

http://www.c4isrnet.com/articles/cyber-training-and-education-must-be-continuous
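Both the Estonia piece above (many sources flooding a service) and the DDoS paragraph in this C4ISRNET excerpt (a highly distributed IoT botnet) describe the same detection problem: a flood made of many low-rate sources slips past any per-source threshold, so a detector also has to watch the aggregate rate. The example below is added here to show that distinction on constructed web-server log lines; it is not code from either article, and the thresholds, IP addresses and log contents are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line; return None for anything unparseable rather than raising mid-incident."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"), "status": int(m.group("status"))}


def detect_floods(lines, window_s=10, per_ip_limit=20, total_limit=60):
    """Bucket requests into fixed windows and alert on two patterns:
    - single-source: one client alone exceeds per_ip_limit in a window
    - distributed:   no client exceeds per_ip_limit, yet the window total exceeds total_limit
    Thresholds are assumptions for the demo; tune them to the service's normal traffic."""
    buckets = defaultdict(lambda: defaultdict(int))  # window_start -> ip -> request count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        epoch = int(rec["ts"].timestamp())
        buckets[epoch - epoch % window_s][rec["ip"]] += 1

    alerts = []
    for start in sorted(buckets):
        per_ip = buckets[start]
        total = sum(per_ip.values())
        top_ip, top_n = max(per_ip.items(), key=lambda kv: kv[1])
        if top_n > per_ip_limit:
            alerts.append({"window": start, "kind": "single-source", "ip": top_ip, "requests": top_n})
        elif total > total_limit:
            # The case a per-source rule misses: many hosts, each under the limit.
            alerts.append({"window": start, "kind": "distributed", "sources": len(per_ip), "requests": total})
    return alerts


def build_sample_log():
    """Constructed sample (documentation IP ranges, not a real capture):
    a quiet window, then 50 hosts at 2 requests each, then one host at 30 requests."""
    def line(ip, sec, path="/"):
        return '%s - - [10/Aug/2017:10:00:%02d +0000] "GET %s HTTP/1.1" 200 512' % (ip, sec, path)

    lines = []
    for i, ip in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"]):
        lines += [line(ip, 1 + i), line(ip, 5 + i)]          # 10:00:00-09, normal traffic
    for n in range(50):
        ip = "203.0.113.%d" % (n + 1)
        lines += [line(ip, 10 + n % 10), line(ip, 12 + n % 8)]  # 10:00:10-19, distributed flood
    lines += [line("192.0.2.7", 20 + k % 10, "/login") for k in range(30)]  # 10:00:20-29, one host
    lines.append("not a log line")  # parser must tolerate junk
    return lines


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

Raising `total_limit` to 1000 makes the distributed window disappear from the alerts while the single-source one remains, which is exactly the blind spot a purely per-client rate limit has against a botnet; in production the aggregate baseline should come from the service’s own history rather than a fixed constant.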


Half of Industrial Control Systems Suffered Cyber Attack Last Year


The National Institute of Standards and Technology’s industrial control security testbed. (Photo Credit: NIST)

“FIFTH DOMAIN CYBER”

“Data gathered comes from 359 industrial cyber security practitioners in 21 countries that completed online surveys between February 2017 and April 2017.

One-in-five respondents experienced two incidents within the 12-month window.

Threats to industrial control systems are becoming increasingly widespread, according to a new survey from cyber security firm Kaspersky Lab and Business Advantage that found over half of the companies sampled reporting at least one cyberattack in the last 12 months.

The top observed threat remains conventional malware, which played a part in 53 percent of actual incidents, followed by targeted attacks, such as spear phishing to more sophisticated advanced persistent threats. The top perceived threats are  third-party supply chain/partners and sabotage/intentional damage from other external sources.

This has led three-in-four companies to expect a cyber attack to happen to them, though 83 percent feel prepared to combat an incident.

Organizations might not be as ready as they believe themselves to be, however, considering the fact that the anti-malware solutions already implemented by 67 percent of respondents still allowed for so many incidents.

Increasing the frequency of issuing patches/updates could contribute to protection from incidents like the WannaCry pandemic, but the increased attack surface and access granted to external parties by growing enterprises complicates matters.

Therefore, risk management is being recognized as a growing priority, but finding properly trained staff and reliable external partners to implement cyber security tops the list of challenges. Companies acknowledge that financial loss is shown to decrease in organizations that have security awareness programs for staff, contractors and partners.

Looking at the survey’s findings, the top risk factors appear to be the access of external parties, a lack of compliance with industry/government regulations and the use of wireless connections. This has led companies to express support for some level of mandatory reporting and governance to help bring about more transparency to help develop frameworks to address the risks.

Some factors that appear to help mitigate threats include documented cybersecurity programs being set in place; regular security assessments/audits being conducted; vulnerability scans and patch deployments happening biweekly at minimum; unidirectional gateways being installed between control systems and the rest of the network; anti-malware solutions being installed for industrial endpoints; industrial anomaly detection tools, intrusion detection and intrusion prevention tools being used; and staff and contractors being given regular security awareness training.”

The entire survey can be accessed by filling in a form on the Kaspersky blog.

WannaCry Worm Highlights Federal & Industry Failures


Image:  Department of Defense

“BREAKING DEFENSE”

“The WannaCry worm proves that our collective response to cyber threat continues to churn ineffectively in the same futile rut while threats multiply and grow increasingly serious by the day.

A new approach is needed to enable innovation in the way security is encouraged and delivered with both carrot and stick.

The worm’s success is yet another clear signal that today’s security model isn’t working. Institutional failure to address security risks has had, and will continue to have, the same pervasive impacts in government, industry, and at home with no respite in sight, no one in charge, and no one accountable for fixing the mess.

The ubiquity of such attacks challenges our internal/international legal framework. (The military and Intelligence Community should not be operating within the United States.) And it crosses our traditional fault lines (ensconced in US law) between corporate, military, legal, and law enforcement organizations. Senior leaders in each of these government fiefdoms tell me that the pan-government table top exercises held to understand and clear the fog around the “who’s in charge” questions assume away all the relevant risk. This is done in order to arrive at prearranged conclusions that won’t rock the boat between all the various stakeholders. The cyber problem is so much greater than a traditional geographical battlespace because it requires a complete strategic rethink of warfare as these kinetic, civil, intelligence, and international equities collide.

Microsoft has declared WannaCry “is a wakeup call.” Add the concomitant coverage in the press, and people being put at risk in hospitals and it makes you think that this incident marks a new chapter in cyber risk. Add in the second Wikileaks dump of the Vault 7 attack files and we have a perfect media storm of NSA toolkits, CIA attack techniques, likely North Korean mischief, chronic government underspending here and abroad, and the resulting health care service outages and outrage to feed the news cycle. The political, fiscal, and productivity impacts of the WannaCry worm highlight that the cyber risks currently accepted by corporate and government risk officials are not tenable.

This malware is particularly lively in large organizations whose legacy systems and limited security budgets provide clear skies for exploit and it could have been worse if not for an enterprising 22 year-old who helped save the world by finding and sharing its Kill Switch. Unfortunately, nastier and more effective worms and viruses and other tools are likely on their way and will wreak greater havoc. So let’s step back and ask what makes this crisis different?

The answer, sadly, is — NOTHING.

A quick review:

  • Ransomware (whereby software encrypts your computer and demands you pay a ransom for a decryption key) has been on the rise for several years. Everyone from Grandma to your insurance company has been hit and they have often (quietly) paid up to get back the family album or their health records.
  • Sure, WannaCry is linked to the purloined NSA toolkit. It is a variant of the WeCry exploit from February of this year and a patch has been available from Microsoft since mid-March.
  • Organizations with older equipment or legacy software often have a, “don’t fix what ain’t broke” culture of accepting risk because implementing a patch can be expensive and disruptive (trying to figure out why your 15 year-old patient scheduling system stopped working, for instance) and the potential real world impact outweighs the perceived risk.
  • The (allegedly) North Korea-linked team (the people behind the Sony hack, South Korean Banking attack, etc…) seeks to foment misery again.
  • The cure of installing up-to-date systems is perceived to be more expensive than compliance until the bill comes due — just ask the UK government as it reels under the revelations that the government-funded NHS deemed using post end-of-life (and hence unfixable) Windows XP machines an acceptable risk.

The next question is: what are we doing about it? The answer for most large organizations is largely tactical – patch, update, scan, repeat. The strategic gaps induced by relying on individual organizations providing security for key services cannot be addressed by existing methods.

The institutional security risks highlighted again by WannaCry were mirrored in previous “wake up calls” such as the OPM hacks, Wikileaks — heck, just take your pick of Anthem/Blue Cross, the French election, etc… And these risks will only increase as vulnerable infrastructure increasingly underpins our daily lives. Our military is racing to understand and dominate the military aspects of the cyberspace domain. However, the seemingly endless policy churn around Cyber Command, Strategic Command, NSA, DHS etc. means that lines of authority, funding and staffing cloud the likelihood of anyone actually taking charge and solving the problem.

We must get behind a strategic embrace of computer security or the Internet will keep breaking. It will take international public/private partnerships that we haven’t seen since the Marshall Plan.”

http://breakingdefense.com/2017/05/wannacry-worm-highlights-federal-industry-failures/

Navigating Defense Department Cyber Rules


“NATIONAL DEFENSE MAGAZINE”

“Defense contractors by Dec. 31 are expected to provide “adequate security” to protect “covered defense information” using cyber safeguards.

Thousands of companies who sell directly to the Defense Department, and thousands more who sell to its suppliers, are or will be, subject to the rule.

This obligation arises from a Defense Acquisition Regulation System Supplement clause, “Network Penetration Reporting and Contracting For Cloud Services,” that was finalized last October and described in the National Institute of Standards and Technology (NIST) Special Publication 800-171.

The Pentagon is well-justified to seek improved cyber protection of sensitive but unclassified technical information. Hackers have exploited network vulnerabilities in the defense supply chain for the unauthorized exfiltration of valuable and sensitive defense information. Senior defense officials have expressed alarm at this persistent and pervasive economic espionage. 

Since 2013, the Defense Department has used acquisition regulations to protect controlled technical information significant to military or space. Other forms of information may not have direct military or space significance, but loss of confidentiality through a cyber breach can produce serious, even grave national injury. 

The Defense Department is the leader among federal agencies in using its contractual power to cause its vendors to improve their cybersecurity. The principal instruments are two contract clauses, DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls,” and DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” Both were the subject of final rulemaking released Oct. 21.

Where the -7008 “compliance” clause is included in a solicitation, the offeror commits to implement the SP 800-171 safeguards by the end of this year. Defense Department contracts will include the -7012 “safeguards” clause, which defines the types of information that must be protected, informs contractors of their obligation to deliver “adequate security” using SP 800-171 controls, and obligates reporting to the department of cyber incidents.  

Every responsible defense supplier supports the objectives of these cyber DFARS rules. But the requirements are complex and are not currently well-understood. Outside of a few of the largest, dedicated military suppliers, many companies in the defense supply chain view these rules with a mix of doubt, concern and alarm. This recipe serves neither the interests of the Defense Department nor its industrial base.

A technology trade association, the IT Alliance for Public Sector, released a white paper that examines the Defense Acquisition Regulation System Supplement and other federal initiatives to protect controlled unclassified information. The goal was to assist both government and industry to find effective, practical and affordable means to implement the new cyber requirements. The paper examines these five areas: designation, scope, methods, adoption and compliance.

As for designation, the department should accept that it is responsible to identify and designate the covered defense information that contractors are obliged to protect. It should confirm that contractors only have to protect information that it has designated as covered, and that such obligations are only prospective — newly received information — and not retrospective.

In regards to “scope,” the Defense Department should revise the rule to clarify that contractors must protect information that it has identified as covered and provided to the contractor in the course of performance of a contract that is subject to the rule. The definition of “covered defense information” should be revised to remove confusing language that can be interpreted to require protection of “background” business information and other data that has only a remote nexus to a Defense Department contract.

The October 2016 revision now allows defense contractors to use external cloud service providers, where covered information is involved, only if those vendors meet the security requirements of FedRAMP Moderate “or equivalent.” The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.

The regulation fails to explain what is meant by “or equivalent” and who decides. The Defense Department needs to explain what it expects from cloud services to satisfy SP 800-171 and the DFARS rules. A security overlay should be prepared by NIST to add cloud-specific controls. But it is unnecessary to impose the whole of the FedRAMP process and federal-specific controls on commercial cloud providers.

The Defense Department continues to depend on small business for many needs, and seeks their innovative ideas. The supplements are an obstacle and burden on smaller businesses, and yet security is just as important at the lower levels of the supply chain as at the top. The department can improve the ability of small business to implement the required security controls. Several specific recommendations are made as to how it can reach and assist the small business community. One recommendation is to make increased use of the NIST voluntary cybersecurity framework.

As far as compliance, contractors are required to represent that they will deliver “adequate security” and fully implement the SP 800-171 controls by the year-end deadline. The Defense Department needs to better inform its contractors how they can be confident their security measures will satisfy the requirements should they come under scrutiny following a cyber incident. The white paper explores different ways to create a safe harbor for compliance. A key component is contractor documentation of a system security plan, which was added as a 110th requirement to SP 800-171.        

The White Paper is available here. The Defense Department is hosting an industry day on the cyber DFARS, June 23 at the Mark Center in Alexandria, Virginia. Information and registration details are available here.”

http://www.nationaldefensemagazine.org/articles/2017/4/21/navigating-defense-department-cyber-rules

How Russian Hackers Will Attack the US Next

“DEFENSE ONE”

“The U.S. needs to be planning now how it will respond.

The question is not if Russia will conduct another major cyberattack on the U.S., but when.

Russia has been the subject of much American press speculation this spring, as questions and suspicions swirl regarding its involvement in alleged hacks during the U.S. presidential election. While the details of these specific attacks remain unclear, what is clear is the danger posed by the superpower’s well-established hacking prowess.

As such, America needs to be planning now how it will respond. In 2015, cyberthreat firm FireEye alleged Russian nexus-hackers had caused power and energy outages across Ukraine, impacting thousands of citizens. No other country has been so publicly accused of conducting a cyber-to-conventional attack (a cyberattack with visible, physical consequences). Russia’s leadership has also publicly prioritized its information warfare and cyberweapons. “Information is now a species of weapon,” wrote Russian major general Ivan Vorobvev in 2013.

As proven by the alleged hacking activities this U.S. presidential election, the fear of information warfare is very real. However, the US must also remain vigilant about cyber-to-conventional attacks; many of our critical infrastructure networks are littered with vulnerabilities, and consumer technology is moving more and more citizens into the line of battle.

Because cybertools have become so accessible, it’s unlikely even a limitless defense budget could stop every attack. With this in mind, response must be the key priority. Based on my qualitative analysis of Russia’s previous military motives, strategies and tools, any Russian attempt to exploit US cybervulnerabilities will most likely target the US’s communications and IT critical infrastructure.

Intensifying the Fog of War

Russia is unlikely to target other industries for a number of reasons. Historically, it has avoided attacks that could trigger a full-scale military response, preferring to intensify the fog of war and cause maximum confusion. Within this strategy, Russia is unlikely to target such important U.S. sectors as chemical, nuclear, public health, energy, or defense industries. Russia is also unlikely to seriously attack the U.S. financial, agriculture, or manufacturing industries, which could anger U.S. allies and damage Russia’s growing role in the global economy.

But attacks on communications and IT infrastructure could take several forms.

Targeting alert systems would prevent U.S. monitoring systems from catching intrusions fast enough. This could in turn precede tactics with more immediate conventional consequences. As an example, conducting denial-of-service attacks against central IT networks could cripple government operations, disrupting service for thousands of phone customers or severing internet access for millions of consumers. If timed well, a communications attack during wartime could disrupt national emergency alert services. This includes 911 networks and emergency broadcast stations. During a national disaster, this would have devastating consequences.

Russia could also target physical parts of national infrastructure managed (and defended) by private companies, including fuel centers, power sources, and trucks that transport IT components. These industries also rely heavily on the internet of things, with vulnerabilities in cloud and mobile computing.

The U.S. is certainly aware of these risks. Following the 2013 National Infrastructure Protection Plan, national leaders assessed all critical infrastructure for vulnerabilities, and proposed defensive plans. As a result, industry departments have started performing a number of routine checks, including information sharing, monitoring, and backing up essential information.

However, budgetary gaps remain a huge problem. The Obama administration asked for only $19 billion (yet to be received) for its 2017 Cyber Security Budget. While the Trump administration has included huge proposed increases for cybersecurity investment in its 2017 budget (including $61 million for the FBI to combat criminal encryption tools), the private sector spent approximately $80 billion on cybersecurity five years ago. Of note, none of these federal government cybersecurity budgets were, or have been, approved.

Hacking the Hackers

As a result of these budget constraints and realities, it’s crucial the U.S. focus its efforts strategically. As a minimal option, the U.S. could respond to a Russian cyberattack by conducting simple cyberintrusions against Russian internet networks, government websites, and communications services, causing disruptions and damaging Russia’s security credibility. For example, using National Security Agency’s TreasureMap tool, which tracks all global connections to the internet, the U.S. could also place malware in these networks for future intelligence gathering.

A more aggressive response would involve conducting operations against Russia’s own critical infrastructure networks. By inserting logic bombs into Russian networks (tools that self-destruct once within systems), the U.S. could potentially damage the Russian economy. These same tools can be leveraged to cause even more damage if used to target dams, air traffic control towers or other infrastructure. Such actions would send a grave message, but the risk of escalation would be higher as well.

The most aggressive response would involve directly attacking Russian military targets by shutting off power at a nuclear facility or an airfield. Many Russian industrial networks run on Windows XP, a very old system, while remaining connected to the internet. Not only are these systems extremely vulnerable to attack, the U.S. has already shown it has the ability to do so. In November 2016, the U.S. reportedly penetrated Russian military systems and left behind malware, to be activated in the case of Russian interference of U.S. elections.

The problem with these cyberattacks is that the potential for counterattacks is infinite. Russia attacks the U.S. communications grid. The U.S. does the same. And on it would go, potentially until a physical war was started.

In 2016, Christopher Painter, the U.S. State Department’s coordinator for cyber issues, said “cyber activities may in certain circumstances constitute an armed attack that triggers our inherent right to self-defense as recognized by Article 51 of the UN Charter.” This means the U.S. could legally respond to a Russian cyberattack with conventional military forces, in an effort to deter Russia from escalating further.

But ultimately, there’s a reason the Obama administration referred to the plethora of powerful U.S. and Russian cybercapabilities as a digital arms race. The cycle is perhaps best described as an endless series of advantages, with Russia and the U.S. continuing to make each other more and more uncomfortable. And now Trump’s administration will need to figure out just how uncomfortable he is willing to get.”

http://www.defenseone.com/threats/2017/03/how-russian-hackers-will-attack-us-next/136469/?oref=d-river&&&utm_term=Editorial%20-%20Early%20Bird%20Brief

De-Complicating Federal Cyber Security

(Photo Credit: U.S. Army)

“FIFTH DOMAIN CYBER” – By Keith Lowry

When it comes down to it, we’re dealing primarily with a people problem before a technical problem. People use technology to become cybersecurity and insider threats.

They also use low-tech tactics like social engineering and dumpster diving. Until the government realizes these concepts are connected, and that it can’t just purchase tools to address their vulnerabilities, it will always lag behind the threat.

“The nine most terrifying words in the English language are, ‘I’m from the Government, and I’m here to help.’” ~President Ronald Reagan

It might seem like hyperbole to claim that anything the government does hinders, and doesn’t help, progress. I’d like to think differently, but my experience gives President Reagan’s statement a certain level of credibility. Too many times, government agencies are convinced that doing things on a large scale will solve individual problems or issues. This attitude leads to massive delays and a lack of attention to the small but important details.

Making Simple Things Complex

During my tenure at the Pentagon, it was almost impossible to develop, coordinate, authorize and publish any policy within two years. Even if a proposed policy was extremely important, it just took too long to implement. If the Department of Defense has such issues in developing policy, then consider how difficult it must be to develop and publish policies that span across the entire spectrum of the government.

Governments inherently make simple things complex, and complicate obviously simple tasks. Because of this, I inherently question any program driven by a government agency or organization that claims it is “here to help.”

Large scale government programs are often initiated to create cost effectiveness, but what is the cost if the program takes years to develop and implement? Even worse, the fast-paced cycle of technological advances makes measuring program development in terms of years a huge problem. The opportunity costs coming from a breach or system downtime far outweigh any fiscal savings. Add in the fact that many government agencies will fight for ownership of a large program because of the concomitant funding, and you’ll see why relatively simple matters can spiral out of control very easily.

That’s not to say there isn’t a benefit in government ownership. There are potential cost savings tied to having overarching policies executed by a single entity, but the coordination and time lapse in enacting anything of value is suspect. It takes too long to enact and follow through, especially when most agencies have their own congressionally driven budget and appropriations process to consider.

A Multi-faceted Issue

Over the years, I have heard many agencies state that they cannot consider creating an insider threat program or cybersecurity program because they don’t have the budget, or that they are waiting for a parent agency to come up with a plan and associated instructions. The problem with this thought process is multi-faceted. First, no two federal organizations are alike. They all have differing processes, serve diverse populations, and also possess assorted and sundry critical value data.

Second, each of these variables means that one insider threat or cybersecurity solution doesn’t fit another organization’s needs. Finally, the budgetary and appropriations cycles are controlled by Congress, subjecting them to political realities and consequences.

In these circumstances, when I hear that the government is telling agencies what they must do while controlling the budget from afar, it’s creating a difficult problem for the agencies to solve. Furthermore, when I hear that one agency is dependent upon another to proceed in developing insider threat programs or cybersecurity solutions, it rings of the “I’m from the government, and I’m here to help,” idiom. In other words, no action will be taken in sufficient time to counter any threat.

Solving at the Highest Level

My solution for this might sound a bit controversial.

Cybersecurity threats are comingled with insider threats. At a fundamental level, too many people believe that technology alone is the answer to cybersecurity concerns. I’ve mentioned it before, it’s not just about technology. Yet that’s the first thing people think of when considering cybersecurity or insider threats. Maybe it’s thanks to Hollywood’s portrayal of the industry and the capabilities of high-powered computers connected to, well, everything.

Tactically, the government should elevate decision making for the cybersecurity/insider threat problem to a Cabinet-level position, which would signify the importance of the issue. Additionally, the Cybersecurity Cabinet person should adhere to the mantra of centralized administration, de-centralized execution. Making each agency responsible for executing its own cybersecurity and insider threat program will encourage much faster implementation countering these threats. Of course, Congress would have to be included in any solution to ensure success.

This may not be the best fiscal option, but it would certainly be the best method for quick implementation and execution required to protect government-held and controlled critical value data. Rather than one agency doing everything, make each agency responsible for creating, implementing, and running individual programs, and hold them accountable at the highest level possible.

http://fifthdomain.com/2017/03/08/de-complicating-cybersecurity-at-the-federal-level-commentary/

About the Author

Keith Lowry

Keith Lowry is the senior vice president of Nuix USG and Nuix’s Business Threat Intelligence and Analysis division. He served as chief of staff to the deputy undersecretary of defense for human intelligence, counterintelligence and security at the Pentagon, as well as an information security consultant in the private sector.

Cyber’s Role in Air Force’s Premier Training Exercise: Red Flag

“FIFTH DOMAIN”

“Cyber forces have become an integral part in the Air Force’s premier realistic combat training exercise typically held four times each year.

The new face of warfare includes land, sea, air, space and cyber.

“We are bringing the non-kinetic duty officers into the fight at Red Flag,” Lt. Col. Neal, chief, current operations, 25th Air Force, said. “These experts in ISR and cyber warfare are the newest weapons in our command and control arsenal.”

Neal stressed the importance of bringing non-kinetic elements to the fight as the services are transitioning to multi-domain battle.

Air Force cyber teams have been integrated in Red Flag since 2009, a spokesperson from 24th Air Force said. The Air Force’s cyber element is made up of personnel from both 24th and 25th Air Force. Personnel from 25th Air Force provide cyber intelligence, surveillance and reconnaissance while personnel from 24th Air Force provide cyber operations and effects resulting in a 60/40 split of personnel from each numbered Air Force, respectively, to make up the roughly 1,700 AFCYBER workforce.

Cyber forces began in 2009 with a small contingent of 57th Information Aggressor Squadron teams acting as red teams against operators in the Combined Air Operations Center at Nellis, the spokesperson said via email. Defensive cyber teams were then added.

Cyber mission teams, whose role is to defend the nation from cyberattacks, were added in the 2014-2015 timeframe to conduct full spectrum operations, integrating non-kinetic effects with kinetic operations and working with coalition partners. For example, in 2015, the Air Force looked at how to defend a supervisory control and data acquisition, or SCADA/industrial control system at Red Flag, the 24th spokesperson said.

Defensive and offensive teams operate remotely from their home stations as well as at Nellis, where the main event is held, Jose Delgado, cyber-ISR subject matter expert at 25th Air Force said. Members from 24th Air Force, operating from Lackland Air Force Base in Texas, operate and defend the Air Force Information network at the CAOC-Nellis while offensive cyber operations executed from 24th and 25th cyber mission teams are executed at home station and Nellis.

Offensive teams work to infiltrate networks and disrupt data, Delgado said, representing adversary forces Blue teams must defend against.

Aside from the role of Cyber Command, each service has cyber components to address inherent challenges for their respective missions. The Air Force is no different.

“There’s a clear recognition that our service needs an organic cyber capability to get after much of what Cyber Command … just doesn’t have the bandwidth to do or simply not in their charter, and it’s critical [to the] Air Force,” Air Force CIO Lt. Gen. William Bender said.

This organic capability revolves around the Air Force’s five core missions – air and space superiority, intelligence, surveillance and reconnaissance, rapid global mobility, global strike and command and control – and focuses on mission-specific tasks in the air domain. CYBERCOM, Bender said, is concerned with big problems and high-end warfare, such as protecting missile defense systems and air defense systems and assuring the nuclear enterprise and space enterprise.

Red Flag is now used to validate training objectives for cyber mission force teams at Cyber Command. Each individual and team must meet certain training objectives in order to be validated at initial and full operational capability. The CMF reached initial operational capability in October, though slightly behind schedule.

The CMF is slated to reach FOC at the end of 2018.”

http://fifthdomain.com/2017/02/06/cybers-role-air-forces-premier-training-exercise-red-flag/