Tag Archives: Cyberwarfare

The Business of National Cybersecurity

[Image: Business of Cyber Security]

“With all the attention this subject is now receiving, one would think the business of national cyber security (commercial, government and defense) would be very robust.

Small and medium-sized businesses are not singing a happy, carefree tune. Delays in contracts, budget cuts and delayed payments seem to be the most common complaints.

It is hard to open a browser, look at a newspaper, or watch or listen to a news show without the topic of cybersecurity coming up. In mid-June, Microsoft received a lot of attention from headlines about the company’s warning of an elevated risk of cyberattacks. Another attention-grabbing headline came from Chris Childers, the CEO of the National Defense Group located in Germantown, Maryland, who shined light on the fact that many satellites in use today are dated and use old technology that was made before cyberthreats were a real issue and prior to when cyber defenses were readily available.

With all of the headlines about cyberattacks, viruses, ransomware attacks (WannaCry) and so on, you would think cybersecurity business is booming. Odds are it is not as robust as many people think. Let’s not forget when the Department of Homeland Security said 20-plus states faced major hacking attempts during the 2016 presidential election.

Today, basic cybersecurity understanding and skills need to reach into every profession and every level of the workforce. Updating the skills of the workforce must be continuous, and this takes time and money.

Another interesting point was brought up during a recent cyber strategy thinking session: Could our adversaries be leveraging inexpensive cyberattacks and threats as economic warfare, knowing full well that we will move to identify, analyze and address the emerging threats — something that would cost us money? After all, what choice do we have?”

Hacks Raise Fear Over National Security Agency (NSA) Hold on Cyberweapons

[Image: NSA Hacking Tools. Credit: Patrick Semansky/Associated Press]

“The N.S.A. has kept quiet, not acknowledging its role in developing the weapons.

But the silence is wearing thin for victims of the assaults, as a series of escalating attacks using N.S.A. cyber weapons have hit hospitals, a nuclear site and American businesses.

Now there is growing concern that United States intelligence agencies have rushed to create digital weapons that they cannot keep safe from adversaries or disable once they fall into the wrong hands.

Twice in the past month, National Security Agency cyber weapons stolen from its arsenal have been turned against two very different partners of the United States — Britain and Ukraine.

On Wednesday, the calls for the agency to address its role in the latest attacks grew louder, as victims and technology companies cried foul. Representative Ted Lieu, a California Democrat and a former Air Force officer who serves on the House Judiciary and Foreign Affairs Committees, urged the N.S.A. to help stop the attacks and to stop hoarding knowledge of the computer vulnerabilities upon which these weapons rely.

In an email on Wednesday evening, Michael Anton, a spokesman for the National Security Council at the White House, noted that the government “employs a disciplined, high-level interagency decision-making process for disclosure of known vulnerabilities” in software, “unlike any other country in the world.”

Mr. Anton said the administration “is committed to responsibly balancing national security interests and public safety and security,” but declined to comment “on the origin of any of the code making up this malware.”

Beyond that, the government has blamed others. Two weeks ago, the United States — through the Department of Homeland Security — said it had evidence North Korea was responsible for a wave of attacks in May using ransomware called WannaCry that shut down hospitals, rail traffic and production lines. The attacks on Tuesday against targets in Ukraine, which spread worldwide, appeared more likely to be the work of Russian hackers, though no culprit has been formally identified.

In both cases, the attackers used hacking tools that exploited vulnerabilities in Microsoft software. The tools were stolen from the N.S.A., and a group called the Shadow Brokers made them public in April. The group first started offering N.S.A. weapons for sale in August, and recently even offered to provide N.S.A. exploits to paid monthly subscribers.

Though the identities of the Shadow Brokers remain a mystery, former intelligence officials say there is no question from where the weapons came: a unit deep within the agency that was until recently called “Tailored Access Operations.”

While the government has remained quiet, private industry has not. Brad Smith, the president of Microsoft, said outright that the National Security Agency was the source of the “vulnerabilities” now wreaking havoc and called on the agency to “consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”

For the American spy agency, which has invested billions of dollars developing an arsenal of weapons that have been used against the Iranian nuclear program, North Korea’s missile launches and Islamic State militants, what is unfolding across the world amounts to a digital nightmare. It was as if the Air Force lost some of its most sophisticated missiles and discovered an adversary was launching them against American allies — yet refused to respond, or even to acknowledge that the missiles were built for American use.

Officials fret that the potential damage from the Shadow Brokers leaks could go much further, and the agency’s own weaponry could be used to destroy critical infrastructure in allied nations or in the United States.

“Whether it’s North Korea, Russia, China, Iran or ISIS, almost all of the flash points out there now involve a cyber element,” Leon E. Panetta, the former defense secretary and Central Intelligence Agency chief said in a recent interview, before the weapons were turned against American interests.

“I’m not sure we understand the full capability of what can happen, that these sophisticated viruses can suddenly mutate into other areas you didn’t intend, more and more,” Mr. Panetta said. “That’s the threat we’re going to face in the near future.”

Using the remnants of American weapons is not entirely new. Elements of Stuxnet, the computer worm that disabled the centrifuges used in Iran’s nuclear weapons program seven years ago, have been incorporated in some attacks.

In the past two months, attackers have retrofitted the agency’s more recent weapons to steal credentials from American companies. Cybercriminals have used them to pilfer digital currency. North Korean hackers are believed to have used them to obtain badly needed currency from easy hacking targets like hospitals in England and manufacturing plants in Japan.

And on Tuesday, on the eve of Ukraine’s Constitution Day — which commemorates the country’s first constitution after breaking away from the Soviet Union — attackers used N.S.A.-developed techniques to freeze computers in Ukrainian hospitals, supermarkets, and even the systems for radiation monitoring at the old Chernobyl nuclear plant.

The so-called ransomware that gained the most attention in the Ukraine attack is believed to have been a smoke screen for a deeper assault aimed at destroying victims’ computers entirely. And while WannaCry had a kill switch that was used to contain it, the attackers hitting Ukraine made sure there was no such mechanism. They also ensured that their code could infect computers that had received software patches intended to protect them.

“You’re seeing a refinement of these capabilities, and it only heads in one direction,” said Robert Silvers, the former assistant secretary of cyber policy at the Department of Homeland Security, now a partner at the law firm Paul Hastings.

Though the original targets of Tuesday’s attacks appear to have been government agencies and businesses in Ukraine, the attacks inflicted enormous collateral damage, taking down some 2,000 global targets in more than 65 countries, including Merck, the American drug giant, Maersk, the Danish shipping company, and Rosneft, the Russian state owned energy giant. The attack so crippled operations at a subsidiary of Federal Express that trading had to be briefly halted for FedEx stock.

“When these viruses fall into the wrong hands, people can use them for financial gain, or whatever incentive they have — and the greatest fear is one of miscalculation, that something unintended can happen,” Mr. Panetta said.

Mr. Panetta was among the officials warning years ago of a “cyber Pearl Harbor” that could bring down the American power grid. But he and others never imagined that those same enemies might use the N.S.A.’s own cyberweapons.

For the past six years, government officials were comforted by the fact that their most fervent adversaries — North Korea, Iran, extremist groups — did not have the skills or digital tools to inflict major damage. The bigger cyberpowers, Russia and China in particular, seemed to exercise some restraint, though Russia’s meddling in the 2016 presidential election added a new, more subtle threa

But armed with the N.S.A.’s own tools, the limits are gone. “We now have actors, like North Korea and segments of the Islamic State, who have access to N.S.A. tools who don’t care about economic and other ties between nation states,” said Jon Wellinghoff, the former chairman of the Federal Energy Regulatory Commission.

So long as flaws in computer code exist to create openings for digital weapons and spy tools, security experts say, the N.S.A. is not likely to stop hoarding software vulnerabilities any time soon.”

WannaCry Worm Highlights Federal & Industry Failures

[Image: uscybercom. Credit: Department of Defense]

“The WannaCry worm proves that our collective response to cyber threat continues to churn ineffectively in the same futile rut while threats multiply and grow increasingly serious by the day.

A new approach is needed to enable innovation in the way security is encouraged and delivered with both carrot and stick.

The worm’s success is yet another clear signal that today’s security model isn’t working. Institutional failure to address security risks have/will continue to have the same pervasive impacts in government, industry, and at home with no respite in sight, no one in charge, and no one accountable for fixing the mess.

The ubiquity of such attacks challenges our internal/international legal framework. (The military and Intelligence Community should not be operating within the United States.) And it crosses our traditional fault lines (ensconced in US law) between corporate, military, legal, and law enforcement organizations. Senior leaders in each of these government fiefdoms tell me that the pan-government table top exercises held to understand and clear the fog around the “who’s in charge” questions assume away all the relevant risk. This is done in order to arrive at prearranged conclusions that won’t rock the boat between all the various stakeholders. The cyber problem is so much greater than a traditional geographical battlespace because it requires a complete strategic rethink of warfare as these kinetic, civil, intelligence, and international equities collide.

Microsoft has declared WannaCry “is a wakeup call.” Add the concomitant coverage in the press, and people being put at risk in hospitals and it makes you think that this incident marks a new chapter in cyber risk. Add in the second Wikileaks dump of the Vault 7 attack files and we have a perfect media storm of NSA toolkits, CIA attack techniques, likely North Korean mischief, chronic government underspending here and abroad, and the resulting health care service outages and outrage to feed the news cycle. The political, fiscal, and productivity impacts of the WannaCry worm highlight that the cyber risks currently accepted by corporate and government risk officials are not tenable.

This malware is particularly lively in large organizations whose legacy systems and limited security budgets provide clear skies for exploit and it could have been worse if not for an enterprising 22 year-old who helped save the world by finding and sharing its Kill Switch. Unfortunately, nastier and more effective worms and viruses and other tools are likely on their way and will wreak greater havoc. So let’s step back and ask what makes this crisis different?

The answer, sadly, is — NOTHING.

A quick review:

  • Ransomware (whereby software encrypts your computer and demands you pay a ransom for a decryption key) has been on the rise for several years. Everyone from Grandma to your insurance company has been hit and they have often (quietly) paid up to get back the family album or their health records.
  • Sure, WannaCry is linked to the purloined NSA toolkit. It is a variant of the WeCry exploit from February of this year and a patch has been available from Microsoft since mid-March.
  • Organizations with older equipment or legacy software often have a, “don’t fix what ain’t broke” culture of accepting risk because implementing a patch can be expensive and disruptive (trying to figure out why your 15 year-old patient scheduling system stopped working, for instance) and the potential real world impact outweighs the perceived risk.
  • The (allegedly) North Korea-linked team (the people behind the Sony hack, South Korean Banking attack, etc…) seeks to foment misery again.
  • The cure of installing up-to-date systems is perceived to be more expensive than compliance until the bill comes due — just ask the UK government as it reels under the revelations that the government funded NHS deemed that using post end-of-life (and hence unfixable) Windows XP machines.

The next question is: what are we doing about it? The answer for most large organizations is largely tactical – patch, update, scan, repeat. The strategic gaps induced by relying on individual organizations providing security for key services cannot be addressed by existing methods.

The institutional security risks highlighted again by WannaCry were mirrored in previous “wake up calls” such as the OPM hacks, Wikileaks — heck, just take your pick of Anthem/Blue Cross, the French election, etc… And these risks will only increase as vulnerable infrastructure increasingly underpins our daily lives. Our military is racing to understand and dominate the military aspects of the cyberspace domain. However, the seemingly endless policy churn around Cyber Command, Strategic Command, NSA, DHS etc. means that lines of authority, funding and staffing clouds the likelihood of anyone actually taking charge and solving the problem.

We must get behind a strategic embrace of computer security or the Internet will keep breaking. It will take international public/private partnerships that we haven’t seen since the Marshall Plan.”

Untangling the Web of Russia’s Cyber Operations

[Image: toinformistoinfluence.com]

“The Kremlin has every incentive to exploit its access to some of the world’s most sophisticated hackers.

Though investigators in the United States and France will keep working to dismantle Moscow’s hacker networks and arrest the architects behind them, digital interference in foreign elections will be a hallmark of Russian intelligence operations for years to come.”

“Forecast Highlights
  • If the Russian state falls into another period of crisis, the cyber operatives working for the Kremlin could turn against it, much as Moscow’s criminal contacts have in the past.
  • Still, the benefits of hiring criminal hackers to conduct cyber operations abroad will continue to outweigh the risks for the Russian government.
  • As investigators around the world keep working to dismantle Moscow’s hacking networks, digital meddling in foreign elections will remain a mainstay of Russian intelligence operations.

Russia’s interest in foreign elections didn’t end with the U.S. presidential race. Two days after the first round of the French presidential election on April 23, a cybersecurity firm based in Japan reported that Russian hackers had targeted Emmanuel Macron’s campaign in the runup to the vote. Macron, one of two candidates who advanced to the runoff slated for May 7, had accused the Kremlin of discrediting his campaign, and his staff complained of constant, sophisticated phishing attempts throughout the race. Phishing, though not the most advanced technique, has proved highly effective for conducting criminal activity and espionage; the Kremlin allegedly used the same tactic to interfere in the U.S. vote. Recent developments have shed light on the apparent ties between Russia’s state security apparatus and the world’s most sophisticated cybercriminals.

Laying Out the System

On April 12, Russian media published a letter from Ruslan Stoyanov, a former security expert at Kaspersky Lab who is currently in prison in Russia on charges of treason. Stoyanov alleged in his letter that the Kremlin had recruited hackers to help with its various cyber campaigns in exchange for immunity from prosecution for their criminal exploits abroad. Allegations like Stoyanov’s are difficult to confirm, but the pattern of activity outlined in his letter conforms to previous suspicions over Moscow’s cyber strategy.

About a month before Stoyanov’s letter surfaced, the U.S. Department of Justice indicted four individuals for their alleged involvement in stealing credentials from 500 million Yahoo accounts. Two of the four defendants are agents with Russia’s Federal Security Services (FSB) who, according to the indictment, used their offices to protect two “hackers for hire” — Alexsey Belan and Karim Baratov. The hackers profited off the breach, incorporating it into their existing spamming campaign. Cooperating with the Kremlin, moreover, afforded the cybercriminals protection, just as Stoyanov later described; the circumstances surrounding Belan’s escape from arrest in Europe in 2013 suggest he had official help. For the FSB, meanwhile, the intrusion offered access to information on figures of interest, including Russian journalists, government officials and high-profile businesspeople. One can imagine that this kind of intelligence collection may have also proved useful in Russia’s efforts to influence the U.S. election, although no evidence has linked the two incidents.

A Symbiotic Relationship

Moscow’s ties to the world of cybercrime are just the latest manifestation of a well-established trend. The Russian state has been entwined in crime since long before the dawn of the internet, often in a kind of symbiosis with criminal organizations. Under Soviet rule, for example, Russian officials generally turned a blind eye to smugglers, who then sold them contraband luxury goods. The black market was the closest thing to a free market for most of the Soviet era, and it offered the Kremlin a way to relieve pressure on the Soviet people and economy. But even after the liberal reforms of the late 1980s and the Soviet Union’s collapse in 1991, Russian capitalism struggled to break free of its corrupt roots. The early post-Soviet years were a period of plunder. Criminals took advantage of the state’s weakness to line their pockets. Then, as Russia regained its footing, the country’s gangsters and bandits began to cooperate with the government — a pattern that has played out in several countries over the years.

Many of the most successful criminals to emerge during the 1990s were themselves a part of the crumbling Soviet system. Military personnel and KGB agents stationed around the world capitalized on their access to valuable arms and intelligence to keep themselves afloat as their government imploded. Soldiers and intelligence officers made the most of their precarious position by selling off state property — including, in at least one instance, a submarine — for their own profit. Viktor Bout, a former army linguist and officer in Russia’s Military Intelligence Directorate (GRU), offers perhaps the most infamous example. Before his arrest in 2008, Bout had become one of the world’s most prolific arms dealers, alternately preying on and working with the Kremlin to suit his business.

Today, Russia is enjoying a period of strength relative to the chaos of the 1990s. If history is any guide, however, its fortunes could easily change, and with them, the criminal class’s allegiances. Stoyanov’s letter warned of the danger that the hackers currently in the Kremlin’s employ could turn against it one day.

[Graphic: U.S. Indictments of Russian Hackers]

No Risk, No Reward

Notwithstanding the risks of hiring criminals, the ends of such an arrangement often justify the means. Relying on agents for hire to carry out certain operations may be an economic necessity for cash-strapped governments. As states vie for primacy — or at least strategic advantages — in the cyber realm, they have to compete to recruit the best people in the field. And they don’t come cheap. The U.S. Department of Homeland Security suffers from high turnover in its cybersecurity leadership roles, in part because it can’t keep up with the private sector’s salary offerings. Peter Levashov, another Russian spammer arrested earlier this month, purportedly charged $500 dollars for every 1 million messages he sent, a rate that could have earned him up to $750,000 a day. The Russian government can never hope to match that pay. It can, however, offer other incentives to draw in experts like Levashov, including legal immunity.

Keeping cyber operatives off the books also affords governments a degree of plausible deniability. After all, listing one of the world’s most notorious spammers on its payroll would reflect poorly on Russia’s image, and on its tradecraft. Most countries with advanced intelligence capabilities maintain operatives under non-official cover. These agents don’t receive the same protections that registered foreign officials enjoy, but by the same token, they don’t attract the same scrutiny. Consequently, they have much more latitude to conduct sensitive operations. Creating and maintaining non-official cover is a daunting task, though, especially in the age of social media. An even safer bet for governments is to avoid establishing an official relationship with cyber mercenaries in the first place.

Common Practice

Russia isn’t the only country reaping the economic and practical benefits of working with unofficial agents. China’s intelligence services routinely recruit Chinese nationals living abroad and working in strategic sectors to conduct operations on their behalf. In January 2016, for example, U.S. authorities uncovered an industrial espionage scheme in which Chinese operatives apparently tried to poach Chinese-American scientists from GlaxoSmithKline PLC to start a rival company. The intelligence officials set up their recruits with their own firm in China, and in exchange, they received exfiltrated proprietary information — all without adding anyone to their payroll.

The Kremlin has every incentive to exploit its access to some of the world’s most sophisticated hackers. And despite the damning allegations in Stoyanov’s letter, the Russian government has so far maintained its plausible deniability, offering its word against that of a man in prison for treason. Though investigators in the United States and France will keep working to dismantle Moscow’s hacker networks and arrest the architects behind them, digital interference in foreign elections will be a hallmark of Russian intelligence operations for years to come.”