Tag Archives: cyber security

Half of Industrial Control Systems Suffered Cyber Attack Last Year

The National Institute of Standards and Technology’s industrial control security testbed. (Photo Credit: NIST)

“FIFTH DOMAIN CYBER”

“Data gathered comes from 359 industrial cyber security practitioners in 21 countries that completed online surveys between February 2017 and April 2017.

One-in-five respondents experienced two incidents within the 12-month window.

Threats to industrial control systems are becoming increasingly widespread, according to a new survey from cyber security firm Kaspersky Lab and Business Advantage that found over half of the companies sampled reporting at least one cyberattack in the last 12 months.

The top observed threat remains conventional malware, which played a part in 53 percent of actual incidents, followed by targeted attacks, such as spear phishing to more sophisticated advanced persistent threats. The top perceived threats are third-party supply chain/partners and sabotage/intentional damage from other external sources.

This has led three-in-four companies to expect a cyber attack to happen to them, though 83 percent feel prepared to combat an incident.

Organizations might not be as ready as they believe themselves to be, however, considering the fact that the anti-malware solutions already implemented by 67 percent of respondents still allowed for so many incidents.

Increasing the frequency of issuing patches/updates could contribute to protection from incidents like the WannaCry pandemic, but the increased attack surface and access granted to external parties by growing enterprises complicates matters.

Therefore, risk management is being recognized as a growing priority, but finding properly trained staff and reliable external partners to implement cyber security tops the challenges of companies, which acknowledge that financial loss is shown to decrease in organizations that have security awareness programs for staff, contractors and partners.

Looking at the survey’s findings, the top risk factors appear to be the access of external parties, a lack of compliance with industry/government regulations and the use of wireless connections. This has led companies to express support for some level of mandatory reporting and governance to help bring about more transparency to help develop frameworks to address the risks.

Some factors that appear to help mitigate threats include documented cybersecurity programs being set in place; regular security assessments/audits being conducted; vulnerability scans and patch deployments happening biweekly at minimum; unidirectional gateways being installed between control systems and the rest of the network; anti-malware solutions being installed for industrial endpoints; industrial anomaly detection tools, intrusion detection and intrusion prevention tools being used; and staff and contractors being given regular security awareness training.”

The entire survey can be accessed by filling in a form on the Kaspersky blog.

WannaCry Worm Highlights Federal & Industry Failures

Image: Department of Defense

“BREAKING DEFENSE”

“The WannaCry worm proves that our collective response to cyber threat continues to churn ineffectively in the same futile rut while threats multiply and grow increasingly serious by the day.

A new approach is needed to enable innovation in the way security is encouraged and delivered with both carrot and stick.

The worm’s success is yet another clear signal that today’s security model isn’t working. Institutional failure to address security risks has/will continue to have the same pervasive impacts in government, industry, and at home with no respite in sight, no one in charge, and no one accountable for fixing the mess.

The ubiquity of such attacks challenges our internal/international legal framework. (The military and Intelligence Community should not be operating within the United States.) And it crosses our traditional fault lines (ensconced in US law) between corporate, military, legal, and law enforcement organizations. Senior leaders in each of these government fiefdoms tell me that the pan-government table top exercises held to understand and clear the fog around the “who’s in charge” questions assume away all the relevant risk. This is done in order to arrive at prearranged conclusions that won’t rock the boat between all the various stakeholders. The cyber problem is so much greater than a traditional geographical battlespace because it requires a complete strategic rethink of warfare as these kinetic, civil, intelligence, and international equities collide.

Microsoft has declared WannaCry “is a wakeup call.” Add the concomitant coverage in the press, and people being put at risk in hospitals and it makes you think that this incident marks a new chapter in cyber risk. Add in the second Wikileaks dump of the Vault 7 attack files and we have a perfect media storm of NSA toolkits, CIA attack techniques, likely North Korean mischief, chronic government underspending here and abroad, and the resulting health care service outages and outrage to feed the news cycle. The political, fiscal, and productivity impacts of the WannaCry worm highlight that the cyber risks currently accepted by corporate and government risk officials are not tenable.

This malware is particularly lively in large organizations whose legacy systems and limited security budgets provide clear skies for exploit and it could have been worse if not for an enterprising 22 year-old who helped save the world by finding and sharing its Kill Switch. Unfortunately, nastier and more effective worms and viruses and other tools are likely on their way and will wreak greater havoc. So let’s step back and ask what makes this crisis different?

The answer, sadly, is — NOTHING.

A quick review:

  • Ransomware (whereby software encrypts your computer and demands you pay a ransom for a decryption key) has been on the rise for several years. Everyone from Grandma to your insurance company has been hit and they have often (quietly) paid up to get back the family album or their health records.
  • Sure, WannaCry is linked to the purloined NSA toolkit. It is a variant of the WeCry exploit from February of this year and a patch has been available from Microsoft since mid-March.
  • Organizations with older equipment or legacy software often have a, “don’t fix what ain’t broke” culture of accepting risk because implementing a patch can be expensive and disruptive (trying to figure out why your 15 year-old patient scheduling system stopped working, for instance) and the potential real world impact outweighs the perceived risk.
  • The (allegedly) North Korea-linked team (the people behind the Sony hack, South Korean Banking attack, etc…) seeks to foment misery again.
  • The cure of installing up-to-date systems is perceived to be more expensive than compliance until the bill comes due — just ask the UK government as it reels under the revelations that the government-funded NHS deemed that using post end-of-life (and hence unfixable) Windows XP machines.

The next question is: what are we doing about it? The answer for most large organizations is largely tactical – patch, update, scan, repeat. The strategic gaps induced by relying on individual organizations providing security for key services cannot be addressed by existing methods.

The institutional security risks highlighted again by WannaCry were mirrored in previous “wake up calls” such as the OPM hacks, Wikileaks — heck, just take your pick of Anthem/Blue Cross, the French election, etc… And these risks will only increase as vulnerable infrastructure increasingly underpins our daily lives. Our military is racing to understand and dominate the military aspects of the cyberspace domain. However, the seemingly endless policy churn around Cyber Command, Strategic Command, NSA, DHS etc. means that lines of authority, funding and staffing cloud the likelihood of anyone actually taking charge and solving the problem.

We must get behind a strategic embrace of computer security or the Internet will keep breaking. It will take international public/private partnerships that we haven’t seen since the Marshall Plan.”

http://breakingdefense.com/2017/05/wannacry-worm-highlights-federal-industry-failures/

Navigating Defense Department Cyber Rules

“NATIONAL DEFENSE MAGAZINE”

“Defense contractors by Dec. 31 are expected to provide “adequate security” to protect “covered defense information” using cyber safeguards.

Thousands of companies who sell directly to the Defense Department, and thousands more who sell to its suppliers, are or will be, subject to the rule.

This obligation arises from a Defense Acquisition Regulation System Supplement clause, “Network Penetration Reporting and Contracting For Cloud Services,” that was finalized last October and described in the National Institute of Standards and Technology (NIST) Special Publication 800-171.

The Pentagon is well-justified to seek improved cyber protection of sensitive but unclassified technical information. Hackers have exploited network vulnerabilities in the defense supply chain for the unauthorized exfiltration of valuable and sensitive defense information. Senior defense officials have expressed alarm at this persistent and pervasive economic espionage.

Since 2013, the Defense Department has used acquisition regulations to protect controlled technical information significant to military or space. Other forms of information may not have direct military or space significance, but loss of confidentiality through a cyber breach can produce serious, even grave national injury.

The Defense Department is the leader among federal agencies in using its contractual power to cause its vendors to improve their cybersecurity. The principal instruments are two contract clauses, DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls,” and DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” Both were the subject of final rulemaking released Oct. 21.

Where the -7008 “compliance” clause is included in a solicitation, the offeror commits to implement the SP 800-171 safeguards by the end of this year. Defense Department contracts will include the -7012 “safeguards” clause, which defines the types of information that must be protected, informs contractors of their obligation to deliver “adequate security” using SP 800-171 controls, and obligates reporting to the department of cyber incidents.

Every responsible defense supplier supports the objectives of these cyber DFARS rules. But the requirements are complex and are not currently well-understood. Outside of a few of the largest, dedicated military suppliers, many companies in the defense supply chain view these rules with a mix of doubt, concern and alarm. This recipe serves neither the interests of the Defense Department nor its industrial base.

A technology trade association, the IT Alliance for Public Sector, released a white paper that examines the Defense Acquisition Regulation System Supplement and other federal initiatives to protect controlled unclassified information. The goal was to assist both government and industry to find effective, practical and affordable means to implement the new cyber requirements. The paper examines these five areas: designation, scope, methods, adoption and compliance.

As for designation, the department should accept that it is responsible to identify and designate the covered defense information that contractors are obliged to protect. It should confirm that contractors only have to protect information that it has designated as covered, and that such obligations are only prospective — newly received information — and not retrospective.

In regards to “scope,” the Defense Department should revise the rule to clarify that contractors must protect information that it has identified as covered and provided to the contractor in the course of performance of a contract that is subject to the rule. The definition of “covered defense information” should be revised to remove confusing language that can be interpreted to require protection of “background” business information and other data that has only a remote nexus to a Defense Department contract.

The October 2016 revision now allows defense contractors to use external cloud service providers, where covered information is involved, only if those vendors meet the security requirements of FedRAMP Moderate “or equivalent.” The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.

The regulation fails to explain what is meant by “or equivalent” and who decides. The Defense Department needs to explain what it expects from cloud services to satisfy SP 800-171 and the DFARS rules. A security overlay should be prepared by NIST to add cloud-specific controls. But it is unnecessary to impose the whole of the FedRAMP process and federal-specific controls on commercial cloud providers.

The Defense Department continues to depend on small business for many needs, and seeks their innovative ideas. The supplements are an obstacle and burden on smaller businesses, and yet security is just as important at the lower levels of the supply chain as at the top. The department can improve the ability of small business to implement the required security controls. Several specific recommendations are made as to how it can reach and assist the small business community. One recommendation is to make increased use of the NIST voluntary cybersecurity framework.

As far as compliance, contractors are required to represent that they will deliver “adequate security” and fully implement the SP 800-171 controls by the year-end deadline. The Defense Department needs to better inform its contractors how they can be confident their security measures will satisfy the requirements should they come under scrutiny following a cyber incident. The white paper explores different ways to create a safe harbor for compliance. A key component is contractor documentation of a system security plan, which was added as a 110th requirement to SP 800-171.

The White Paper is available here. The Defense Department is hosting an industry day on the cyber DFARS, June 23 at the Mark Center in Alexandria, Virginia. Information and registration details are available here.”

http://www.nationaldefensemagazine.org/articles/2017/4/21/navigating-defense-department-cyber-rules

How Russian Hackers Will Attack the US Next

RZOZE19/SHUTTERSTOCK.COM

“DEFENSE ONE”

“The U.S. needs to be planning now how it will respond.

The question is not if Russia will conduct another major cyberattack on the U.S., but when.

Russia has been the subject of much American press speculation this spring, as questions and suspicions swirl regarding its involvement in alleged hacks during the U.S. presidential election. While the details of these specific attacks remain unclear, what is clear is the danger posed by the superpower’s well-established hacking prowess.

As such, America needs to be planning now how it will respond. In 2015, cyberthreat firm FireEye alleged Russian nexus-hackers had caused power and energy outages across Ukraine, impacting thousands of citizens. No other country has been so publicly accused of conducting a cyber-to-conventional attack (a cyberattack with visible, physical consequences). Russia’s leadership has also publicly prioritized its information warfare and cyberweapons. “Information is now a species of weapon,” wrote Russian major general Ivan Vorobvev in 2013.

As proven by the alleged hacking activities this U.S. presidential election, the fear of information warfare is very real. However, the US must also remain vigilant about cyber-to-conventional attacks; many of our critical infrastructure networks are littered with vulnerabilities, and consumer technology is moving more and more citizens into the line of battle.

Because cybertools have become so accessible, it’s unlikely even a limitless defense budget could stop every attack. With this in mind, response must be the key priority. Based on my qualitative analysis of Russia’s previous military motives, strategies and tools, any Russian attempt to exploit US cybervulnerabilities will most likely target the US’s communications and IT critical infrastructure.

Intensifying the Fog of War

Russia is unlikely to target other industries for a number of reasons. Historically, it has avoided attacks that could trigger a full-scale military response, preferring to intensify the fog of war and cause maximum confusion. Within this strategy, Russia is unlikely to target such important U.S. sectors as chemical, nuclear, public health, energy, or defense industries. Russia is also unlikely to seriously attack the U.S. financial, agriculture, or manufacturing industries, which could anger U.S. allies and damage Russia’s growing role in the global economy.

But attacks on communications and IT infrastructure could take several forms.

Targeting alert systems would prevent U.S. monitoring systems from catching intrusions fast enough. This could in turn precede tactics with more immediate conventional consequences. As an example, conducting denial-of-service attacks against central IT networks could cripple government operations, disrupting service for thousands of phone customers or severing internet access for millions of consumers. If timed well, a communications attack during wartime could disrupt national emergency alert services. This includes 911 networks and emergency broadcast stations. During a national disaster, this would have devastating consequences.

Russia could also target physical parts of national infrastructure managed (and defended) by private companies, including fuel centers, power sources, and trucks that transport IT components. These industries also rely heavily on the internet of things, with vulnerabilities in cloud and mobile computing.

The U.S. is certainly aware of these risks. Following the 2013 National Infrastructure Protection Plan, national leaders assessed all critical infrastructure for vulnerabilities, and proposed defensive plans. As a result, industry departments have started performing a number of routine checks, including information sharing, monitoring, and backing up essential information.

However, budgetary gaps remain a huge problem. The Obama administration asked for only $19 billion (yet to be received) for its 2017 Cyber Security Budget. While the Trump administration has included huge proposed increases for cybersecurity investment in its 2017 budget (including $61 million for the FBI to combat criminal encryption tools), the private sector spent approximately $80 billion on cybersecurity five years ago. Of note, none of these federal government cybersecurity budgets were, or have been, approved.

Hacking the Hackers

As a result of these budget constraints and realities, it’s crucial the U.S. focus its efforts strategically. As a minimal option, the U.S. could respond to a Russian cyberattack by conducting simple cyberintrusions against Russian internet networks, government websites, and communications services, causing disruptions and damaging Russia’s security credibility. For example, using the National Security Agency’s TreasureMap tool, which tracks all global connections to the internet, the U.S. could also place malware in these networks for future intelligence gathering.

A more aggressive response would involve conducting operations against Russia’s own critical infrastructure networks. By inserting logic bombs into Russian networks (tools that self-destruct once within systems), the U.S. could potentially damage the Russian economy. These same tools can be leveraged to cause even more damage if used to target dams, air traffic control towers or other infrastructure. Such actions would send a grave message, but the risk of escalation would be higher as well.

The most aggressive response would involve directly attacking Russian military targets by shutting off power at a nuclear facility or an airfield. Many Russian industrial networks run on Windows XP, a very old system, while remaining connected to the internet. Not only are these systems extremely vulnerable to attack, the U.S. has already shown it has the ability to do so. In November 2016, the U.S. reportedly penetrated Russian military systems and left behind malware, to be activated in the case of Russian interference in U.S. elections.

The problem with these cyberattacks is that the potential for counter attacks is infinite. Russia attacks the U.S. communications grid. The U.S. does the same. And on it would go, potentially until a physical war was started.

In 2016, Christopher Painter, the U.S. State Department’s coordinator for cyber issues, said “cyber activities may in certain circumstances constitute an armed attack that triggers our inherent right to self-defense as recognized by Article 51 of the UN Charter.” This means the U.S. could legally respond to a Russian cyberattack with conventional military forces, in an effort to deter Russia from escalating further.

But ultimately, there’s a reason the Obama administration referred to the plethora of powerful U.S. and Russian cybercapabilities as a digital arms race. The cycle is perhaps best described as an endless series of advantages, with Russia and the U.S. continuing to make each other more and more uncomfortable. And now Trump’s administration will need to figure out just how uncomfortable he is willing to get.”

http://www.defenseone.com/threats/2017/03/how-russian-hackers-will-attack-us-next/136469/?oref=d-river&&&utm_term=Editorial%20-%20Early%20Bird%20Brief

De-Complicating Federal Cyber Security

(Photo Credit: U.S. Army)

“FIFTH DOMAIN CYBER” – By Keith Lowry

When it comes down to it, we’re dealing primarily with a people problem before a technical problem. People use technology to become cybersecurity and insider threats.

They also use low-tech tactics like social engineering and dumpster diving. Until the government realizes these concepts are connected, and that it can’t just purchase tools to address its vulnerabilities, it will always lag behind the threat.

“The nine most terrifying words in the English language are, ‘I’m from the Government, and I’m here to help.’” ~President Ronald Reagan

It might seem like hyperbole to claim that anything the government does hinders, and doesn’t help, progress. I’d like to think differently, but my experience gives President Reagan’s statement a certain level of credibility. Too many times, government agencies are convinced that doing things on a large scale will solve individual problems or issues. This attitude leads to massive delays and a lack of attention to the small but important details.

Making Simple Things Complex

During my tenure at the Pentagon, it was almost impossible to develop, coordinate, authorize and publish any policy within two years. Even if a proposed policy was extremely important, it just took too long to implement. If the Department of Defense has such issues in developing policy, then consider how difficult it must be to develop and publish policies that span across the entire spectrum of the government.

Governments inherently make simple things complex, and complicate obviously simple tasks. Because of this, I inherently question any program driven by a government agency or organization that claims it is “here to help.”

Large scale government programs are often initiated to create cost effectiveness, but what is the cost if the program takes years to develop and implement? Even worse, the fast-paced cycle of technological advances makes measuring program development in terms of years a huge problem. The opportunity costs coming from a breach or system downtime far outweigh any fiscal savings. Add in the fact that many government agencies will fight for ownership of a large program because of the concomitant funding, and you’ll see why relatively simple matters can spiral out of control very easily.

That’s not to say there isn’t a benefit in government ownership. There are potential cost savings tied to having overarching policies executed by a single entity, but the coordination and time lapse in enacting anything of value is suspect. It takes too long to enact and follow through, especially when most agencies have their own congressionally driven budget and appropriations process to consider.

A Multi-faceted Issue

Over the years, I have heard many agencies state that they cannot consider creating an insider threat program or cybersecurity program because they don’t have the budget, or that they are waiting for a parent agency to come up with a plan and associated instructions. The problem with this thought process is multi-faceted. First, no two federal organizations are alike. They all have differing processes, serve diverse populations, and also possess assorted and sundry critical value data.

Second, each of these variables means that one insider threat or cybersecurity solution doesn’t fit another organization’s needs. Finally, the budgetary and appropriations cycles are controlled by Congress, subjecting them to political realities and consequences.

In these circumstances, when I hear that the government is telling agencies what they must do while controlling the budget from afar, it’s creating a difficult problem for the agencies to solve. Furthermore, when I hear that one agency is dependent upon another to proceed in developing insider threat programs or cybersecurity solutions, it rings of the “I’m from the government, and I’m here to help,” idiom. In other words, no action will be taken in sufficient time to counter any threat.

Solving at the Highest Level

My solution for this might sound a bit controversial.

Cybersecurity threats are comingled with insider threats. At a fundamental level, too many people believe that technology alone is the answer to cybersecurity concerns. I’ve mentioned it before, it’s not just about technology. Yet that’s the first thing people think of when considering cybersecurity or insider threats. Maybe it’s thanks to Hollywood’s portrayal of the industry and the capabilities of high-powered computers connected to, well, everything.

Tactically, the government should elevate decision making for the cybersecurity/insider threat problem to a Cabinet-level position, which would signify the importance of the issue. Additionally, the Cybersecurity Cabinet person should adhere to the mantra of centralized administration, de-centralized execution. Making each agency responsible for executing its own cybersecurity and insider threat program will encourage much faster implementation countering these threats. Of course, Congress would have to be included in any solution to ensure success.

This may not be the best fiscal option, but it would certainly be the best method for quick implementation and execution required to protect government-held and controlled critical value data. Rather than one agency doing everything, make each agency responsible for creating, implementing, and running individual programs, and hold them accountable at the highest level possible.

http://fifthdomain.com/2017/03/08/de-complicating-cybersecurity-at-the-federal-level-commentary/

About the Author

Keith Lowry

Keith Lowry is the senior vice president of Nuix USG and Nuix’s Business Threat Intelligence and Analysis division. He served as chief of staff to the deputy undersecretary of defense for human intelligence, counterintelligence and security at the Pentagon, as well as an information security consultant in the private sector.

Cyber’s Role in Air Force’s Premier Training Exercise: Red Flag

“FIFTH DOMAIN”

“Cyber forces have become an integral part in the Air Force’s premier realistic combat training exercise typically held four times each year.

The new face of warfare includes land, sea, air, space and cyber.

“We are bringing the non-kinetic duty officers into the fight at Red Flag,” Lt. Col. Neal, chief, current operations, 25th Air Force, said. “These experts in ISR and cyber warfare are the newest weapons in our command and control arsenal.”

Neal stressed the importance of bringing non-kinetic elements to the fight as the services are transitioning to multi-domain battle.

Air Force cyber teams have been integrated in Red Flag since 2009, a spokesperson from 24th Air Force said. The Air Force’s cyber element is made up of personnel from both 24th and 25th Air Force. Personnel from 25th Air Force provide cyber intelligence, surveillance and reconnaissance while personnel from 24th Air Force provide cyber operations and effects resulting in a 60/40 split of personnel from each numbered Air Force, respectively, to make up the roughly 1,700 AFCYBER workforce.

Cyber forces began in 2009 with a small contingent of 57 information aggressor squadron teams acting as red teams against operators in the Combined Air Operations Center at Nellis, the spokesperson said via email. Defensive cyber teams were then added.

Cyber mission teams, whose role is to defend the nation from cyberattacks, were added in the 2014-2015 timeframe to conduct full spectrum operations, integrating non-kinetic effects with kinetic operations and working with coalition partners. For example, in 2015, the Air Force looked at how to defend a supervisory control and data acquisition, or SCADA/industrial control system at Red Flag, the 24th spokesperson said.

Defensive and offensive teams operate remotely from their home stations as well as at Nellis, where the main event is held, Jose Delgado, cyber-ISR subject matter expert at 25th Air Force said. Members from 24th Air Force, operating from Lackland Air Force Base in Texas, operate and defend the Air Force Information network at the CAOC-Nellis while offensive cyber operations executed from 24th and 25th cyber mission teams are executed at home station and Nellis.

Offensive teams work to infiltrate networks and disrupt data, Delgado said, representing adversary forces Blue teams must defend against.

Aside from the role of Cyber Command, each service has cyber components to address inherent challenges for their respective missions. The Air Force is no different.

“There’s a clear recognition that our service needs an organic cyber capability to get after much of what Cyber Command … just doesn’t have the bandwidth to do or simply not in their charter, and it’s critical [to the] Air Force,” Air Force CIO Lt. Gen. William Bender said.

This organic capability revolves around the Air Force’s five core missions – air and space superiority, intelligence, surveillance and reconnaissance, rapid global mobility, global strike and command and control – and focuses on mission-specific tasks in the air domain. CYBERCOM, Bender said, is concerned with big problems and high-end warfare, such as protecting missile defense systems and air defense systems and assuring the nuclear enterprise and space enterprise.

Red Flag is now used to validate training objectives for cyber mission force teams at Cyber Command. Each individual and team must meet certain training objectives in order to be validated at initial and full operational capability. The CMF reached initial operational capability in October, though slightly behind schedule.

The CMF is slated to reach FOC at the end of 2018.”

http://fifthdomain.com/2017/02/06/cybers-role-air-forces-premier-training-exercise-red-flag/


An Objective View of World Cyber Warfare


Julian Assange, Donald Trump and Vladimir Putin – destined to be key players in the first world cyberwar? Composite: Geoff Caddick/Jim Watson/Mikhail Metzel/AFP/Getty

“THE GUARDIAN” by Martin Belam

“We are definitely living through something global in scope.

Cyberwarfare is clearly a front where nation states will try to gain advantage over each other and make plans for attack and defence. But, like espionage, it is a murky world where it is hard for outsiders to get an exact grasp on what is being done. Nation states seldom openly claim credit for hacking.

The job of the historian is often to pull together broad themes and trends, then give them a snappy title that people will easily recognise and understand. That’s how we end up with labels like “The decline and fall of the Roman Empire” or “The Rise of Hitler and the Third Reich”.

As someone who studied history, I’ve had this lingering curiosity about how historians of the future will view our times. It is easy to imagine textbooks in a hundred years with chapters that start with Reagan and Thatcher and end with the global financial crisis, called something like The Western Neoliberal Consensus 1979-2008.

But contemporaries seldom refer to events with these names, or can see the sharp lines that the future will draw. It wouldn’t have seemed obvious with the capture of Calais in 1347 that this decisive siege was just one early development in a dynastic struggle that would come to be known as the Hundred Years’ War.

This always makes me wonder what broader patterns we might be missing in our own lives, and I’ve come round to thinking that we might already be living through the first world cyberwar – it’s just that we haven’t acknowledged or named it yet.

What might a timeline of that war look like to a future historian? Well, 2007 seems like a good bet as a starting point – with a concerted series of cyber-attacks on Estonia. These were particularly effective, because the Baltic state has pushed so much of its public life online. The attacks were generally regarded to have come from Russia with state approval. That’s just one reason why I suspect cyberwarfare will provoke endless debates among historians.

In 2008 there were events that a historian might weave into a narrative of a global cyberwar, when several underwater internet cables were cut during the course of the year, interrupting internet communication and particularly affecting the Middle East. Some have argued these were accidents caused by ships dragging their anchors, but they mostly remain unsolved mysteries, with the suspicion that only state actors would have the required equipment and knowledge to target the cables. Of course, it might have just been sharks.

In 2010 the Stuxnet worm was used to attack Iran’s nuclear program. Carried on Microsoft Windows machines, and specifically targeting software from Siemens, Stuxnet was reported to have successfully damaged the fast-spinning centrifuges used to develop nuclear material in Iran. Analysts at the time thought the computer virus so sophisticated that it must have been developed with state support – with fingers frequently pointed at the US and/or the Israelis.

Another event from 2010, the WikiLeaks American embassy cables release, which the Guardian participated in the publication of, would be irresistible for a historian to refer to in this context. It is also one of the things that makes the first world cyberwar different from conventional warfare – the mix of nation states being involved with pressure groups, whistleblowers and hackers. As well as the state apparatus, a history of this period of electronic warfare would have to name Julian Assange, Chelsea Manning, Edward Snowden, Anonymous and the Syrian Electronic Army as key players.

North Korea has been suspected of hacking as a way to achieve diplomatic goals. The FBI publicly accused it of hacking Sony Pictures in 2014, exposing confidential company information. It was a hack of a Japanese company, targeted by an Asian state, with the aim of pressuring the US arm of the company over a movie.

Along the way there have been other equally odd quirks of war – the infected USB keys distributed at a US military base in 2008, or the curious laptop theft at a facility in Scotland that had recently received an official Chinese delegation.

The one that historians will be unable to ignore though is the 2016 US election campaign being influenced by alleged hacked and leaked emails – and the open speculation that there was an attempt to hack into election counting machines by a foreign power. It might be unprecedented, but it isn’t going to go away. Yesterday Obama announced retaliation from the US, and Germany is already braced for interference in its 2017 elections.

What reason is there to suppose that these events might eventually be grouped together as a single world cyberwar by historians? Well, for me, it is the idea that hostilities might formally come to an end.

You can envisage a scenario where Russia, China and the US can see a mutual benefit in de-escalating cyber-attacks between the three of them, and also begin to collectively worry about cyberwarfare capabilities being developed in a range of smaller nation states. Cue a UN summit about cyberwarfare, and the development of some code of conduct, or an anti-cyberwarfare treaty that provides historians with a neat endpoint.

It isn’t, of course, that nation states would stop electronic surveillance or building up hacking capabilities, but as with most wars that don’t deliver a decisive victory, eventually they become too expensive and too disruptive to maintain.

It is important to remember that the internet originally came from defence research, designed to provide communications capabilities in the event of a nuclear attack. It wouldn’t surprise me if in a hundred years it is the military purpose that historians mainly remember it for, and that we are living through the first time it is being used in anger.”

https://www.theguardian.com/commentisfree/2016/dec/30/first-world-cyberwar-historians

Martin Belam is Social & New Formats Editor for the Guardian in London. He helped set up UsVsTh3m and Ampp3d for the Daily Mirror, has worked at Sony and the BBC, and was previously Lead User Experience Architect at the Guardian. He is on Twitter as @MartinBelam


Enhance US Cybersecurity Don’t Undermine It


Image: Silverbull.com

“LAWFARE”

“The Digital Age has changed the locus of crimes and made many criminal investigations more complex.

Today the U.S. uses a single warrant issued in the United States to hack into computers in over a hundred nations around the world. Does that legitimize Chinese hacking into the machines of protesters living in the U.S., the U.K., or elsewhere? Or the Russians, the Iranians, or the North Koreans doing so?

The default on using a vulnerability should be to report it. One can have exceptions just as the intelligence community does, but these should be rare and only when the potential damage to innocent people is minimal.

As we know from the Apple iPhone case, the FBI does not appear to be following such rules. Nor has it made public what its vulnerabilities equities process is. So what we have now is failure. The FBI did not report the vulnerability it used to hack into a Tor-protected child pornography site, which has now been used by nefarious sorts to deanonymize Tor communications.

This news comes out simultaneously with the changes in Rule 41, allowing the FBI to use a single warrant to hack into victims’ machines no matter where they may be. We know that a single warrant was used to hack into machines in 120 nations. This was in a case investigating child pornography, one of the ugliest forms of crime.

But one has to ask: what was the FBI thinking?

The FBI must learn how to conduct computer investigations without weakening the security of U.S. citizens or undermining the rule of law. We have now seen evidence of both. Both these terrible policies are the result of misunderstanding how law and technology interact. They should be rolled back immediately for our safety and security.”

https://www.lawfareblog.com/fbi-should-be-enhancing-us-cybersecurity-not-undermining-it


The Coming Cyber Crisis and How to Handle It

Image: ingrammicroadvisor.com

“NEXT GOV”

“Five high-level priorities from experts and former federal officials.

The U.S. faces ongoing cyber threats from Iran, North Korea, and terrorist and criminal groups. Russia has brazenly hacked a major political party and China continues to pilfer company secrets for economic advantage.

Build a Real Cyber Strategy

The Obama administration has published dozens of strategies, frameworks and guidelines aimed at shoring up vulnerabilities in government computer systems, bolstering private sector security and promoting peace in international cyberspace.

When it comes to responding to real-world cyber events, however—whether it’s the China-linked breach of records about more than 21 million current and former federal employees from OPM or an encrypted iPhone used by San Bernardino shooter Syed Farook—the administration has typically been caught without a firm plan or position and been left to make policy on the fly, analysts say.

Ideally, the next president should develop a series of big-picture cyber priorities clear enough that the average citizen could predict his or her responses to some new challenge as reliably as she could to a new environmental challenge, said Jason Healey, senior research scholar at Columbia University’s School of International and Public Affairs and a former director of infrastructure protection at the White House.

“We know President Trump would focus on cheap energy, not the environment, and President Clinton would care more about the environment,” Healey said. “But do these administrations think that the government or the private sector is the locus of activity when it comes to cyber defense? I don’t know. Do we think it’s more important to use cyber as an espionage weapon or to plug holes in the internet? I don’t know … If we wanted to get rid of malaria, we’d create a vision, set a goal, arrange priorities around that goal and measure toward it. I don’t see why we can’t do that here.”

Create Playbooks

Even the best policy won’t provide perfect guidance for every situation, especially because cybersecurity, by its very nature, is bound up in numerous other issues ranging from national security and economic security to personal privacy and online innovation.

The solution is to integrate cyber into the administration’s broader planning, said Frank Cilluffo, director of The George Washington University’s Center for Cyber and Homeland Security and a former special assistant to the president for homeland security during the Bush administration.

The Democratic National Committee hack, “was that a cyber problem or a Russia problem? Well, obviously, it was a mixture of both,” Cilluffo said.

That means the administration needs to have plans in place to deter aggression and to respond when it happens, he said.

“Russia is not the same as China, which is not the same as Iran or a foreign terrorist organization or criminal enterprise,” Cilluffo said. “We need to have playbooks in place so we’re not opining out loud in the midst of crises.”

Build Cyber Norms

The government has endorsed a handful of norms for how nations ought to act in cyberspace, including several promulgated by a United Nations group of government experts. The scope of cyber threats has shifted so rapidly, however, the U.S. often seems to be left deciding what’s out of bounds after it’s happened rather than before.

The next administration should work toward a broader global consensus on what’s acceptable and unacceptable in cyberspace, experts said. That will include setting hard limits on what counts as merely espionage, which is generally considered acceptable in cyberspace, and what goes a step beyond espionage, such as Russia’s alleged release of hacked DNC emails during the 2016 election.

It also means showing restraint when increased militarization of cyberspace might be otherwise beneficial, said Bruce McConnell, global vice president of the EastWest Institute think tank and a former deputy undersecretary for cybersecurity at the Homeland Security Department.

“As the U.S. continues to grow [its cyber] capability, it has the effect of making other countries do the same thing,” McConnell said. “I think it’s incumbent on leaders of the free world to step back and ask ‘what are the limits on this?’”

Choose Priorities

One thing that’s delayed progress in defensive cybersecurity has been taking on too much at once, said Martin Libicki, an adjunct management scientist at the RAND Corporation and visiting professor at the U.S. Naval Academy.

Instead of a program to secure critical infrastructure against cyberattacks, Libicki recommended a narrower but more ambitious program to fully secure the electrical grid.

“The tendency is to go off in five different directions and not make much progress in any direction,” Libicki said. “Electricity is more specific than critical infrastructure. If you say critical infrastructure, you end up throwing in the kitchen sink. You can be specific and say ‘whatever happens, the power will not run out,’ and you can say to banks and telecoms ‘here are lessons learned to apply to other critical infrastructure.'”

Shift Focus to the Private Sector

Finally, the next president should figure out ways to better incentivize the private sector to improve its own security.

Some of that should come in the form of research and development conducted or funded by government research agencies, both into basic security measures and into how cyber insurance and other incentives can improve security, said Ian Wallace, co-director of New America’s Cybersecurity Initiative and a former defense policy counselor at the British Embassy in Washington.

Regulatory agencies such as the Securities and Exchange Commission should also focus on ways to make security a higher priority for shareholders and for companies during mergers and acquisitions, said Columbia University’s Healey.

“The private sector is the most important actor,” Healey said. “That means shareholders need to get involved if a company isn’t taking responsibility. We need to look for places where a small bit of government action can have an outsize impact.”

http://www.nextgov.com/security/2016/11/next-president-will-face-cyber-crisis-heres-how-handle-it/132953/?oref=ng-HPtopstory&&&utm_term=Editorial%20-%20Early%20Bird%20Brief


Industry Consensus Forming Around Cyber Security


“MILITARY AND AEROSPACE ELECTRONICS”

“There’s much more to cyber security than hackers and attempts to thwart their efforts.

Moreover, there’s billions of dollars pouring into the cyber security industry today, which represents opportunities for a wide variety of companies.

Unfortunately cyber security has come to depict a range of nefarious computer break-ins by shadowy hackers with cryptic names that compromise the credit card accounts of retail store patrons, emails by notable politicians, and the control of cars and unmanned aircraft.

There’s a plethora of descriptive terms in the cyber industry today, among them system security, system integrity, and trusted systems. There have been terms that were in vogue in previous years that have fallen by the wayside, such as information assurance (IA), that authorities such as the U.S. Department of Defense (DOD) are abandoning.

In fact DOD officials issued an instruction last August to amend DOD Directive 5134.01, which establishes policy and assigns responsibilities to minimize the risk that DOD’s warfighting mission capability will be impaired due to vulnerabilities in system design or sabotage or subversion of a system’s mission-critical functions or critical components by foreign intelligence, terrorists, or other hostile elements.

The changes specifically substitute the word “cybersecurity” for information assurance. Why the government wants to join cyber and security into one word is beyond me, but I digress.

From this it appears that DOD leaders are settling on the term cyber security to describe outside interference with military computer systems and the embedded computing technology that underlies many of today’s sophisticated weapon systems.

Certainly that outside interference, described as vulnerabilities in system design or sabotage or subversion of a system’s mission-critical functions could be intentional, such as the results of hackers, or also could include bits and pieces of computer programs, or bugs, that in certain circumstances could undermine or otherwise interfere with other parts of the program.

The terms system security, system integrity, and trusted systems are describing aspects of the same thing: cyber security. Realizing this can help define what cyber security really means, and more importantly, can reveal a new perspective of the emerging new cyber security industry.

Much of this became clear to me this week while talking with computer experts attending the Association of the U.S. Army (AUSA) conference and trade show in Washington. Some of these people realize they’re part of the cyber security industry, and some don’t.

The computer scientists and companies involved with system security, system integrity, trusted systems, and perhaps even anti-tamper are working the same side of the street. These companies aren’t involved in separate and distinct endeavors; they’re all part of the cyber security industry.

So what does this mean? Well for one thing it places many embedded computing companies like Mercury Systems, Curtiss-Wright Defense Solutions, Extreme Engineering Solutions, and Abaco firmly in the cyber security camp.

It’s true, then, that not only the big prime contractors like Lockheed Martin, Boeing, and Raytheon are doing cyber security. We’re talking about an already-large and growing technology ecosystem that runs the gamut from software hypervisors all the way up to large and complex computer programs that run big weapons platforms like jet fighters, main battle tanks, surface warships, and unmanned vehicles.

There are plenty of enabling technologies that come to bear on cyber security today, and plenty that will become part of this emerging ecosystem in the future.

Perhaps the first step in jump-starting this new industry is to acknowledge that many of us are taking separate paths toward the same destination. So how many out there are part of the new cyber security industry?”

http://www.militaryaerospace.com/articles/2016/10/cyber-security-emerging-new-industry.html?cmpid=enl_MAE_EmbeddedComputing_2016-10-10&eid=297842363&bid=1551728