In the years since I took my first IT security position in 1999, the cyber security landscape has changed vastly. Fortunately, there has been an awakening within the entire information technology security community in the years since 9/11 and the passage of the “Patriot Act”. We are all just now beginning to realize the true power of the internet and just how interconnected we are on a global scale, across public, private, and infrastructure (SCADA) networks. In today’s dynamic environment it is critical that we have full participation and information exchange between the US Government (USG) and US businesses (USBUS), so that the two can communicate with each other quickly, accurately, and as securely as possible in response to cyber attacks and threats.
“The tragic events of September 11, 2001, demonstrated that the United States needed greater integration across the Intelligence Community and improved information sharing to respond to evolving threats and to support new homeland security customers. The new threat environment we face is dynamic: The players and their motivations and methods emerge and evolve rapidly. Advances in technology are accelerating and are spreading through globalization. Commercial products featuring state-of-the-art technology are available globally at favorable prices. Our adversaries achieve technological advantage through the rapid assimilation and adaptation of commercial information and telecommunication products. They freely communicate, obtain training, share information on tactics, gather intelligence on potential targets, spread propaganda, and proselytize. In this post-9/11 world, intelligence must move faster and leverage all sources of intelligence information.” (Intelligence Community Information Sharing Strategy, February 22, 2008, http://www.dni.gov/reports/IC_Information_Sharing_Strategy.pdf)
The constantly changing cyber security landscape, and the APTs that US information systems are barraged with on an hourly basis, have been “one of the driving factors that has brought about a change of thought within the IC”, together with the USIC failures that plagued the Bush administration both in the run-up to 9/11 and in the events that hastened the 2003 invasion of Iraq. The lines between strategic and tactical, and between intelligence and operations, have become blurred in this ever-changing cyber environment. This constantly evolving environment is the impetus for change within the IC and demonstrates the need to improve information sharing and integration within the IC.
We now need to dig deeper as a nation, expound upon the lessons learned by the USIC and CND communities, begin to integrate them into the private sector Business Intelligence (BI) and CND communities, and incorporate key private sector entities into our overall National Security strategy. In doing so we will have to carefully navigate many issues, including privacy and other legal questions. Meeting these needs will require us to develop a culture that values sharing information with those who need it, and that provides them with the training, policies, laws and processes necessary to distribute and share knowledge. We are now at a critical juncture at which we must be absolutely resolute in keeping the US in control of the internet, despite international pressure to relinquish that control. The US must remain in control of the internet in order to maintain both strategic and tactical dominance, not only militarily but economically as well.
4. The Threat
USBUS and academia’s Research and Development (R&D) efforts are the motors of industry that drive our economy and have historically kept the US in its position as an economic powerhouse and global leader. The success or failure of our economy is a large part of our national security; the two are intertwined. Our adversaries (most notably China, followed closely by Russia and Iran) have been targeting and successfully compromising the Department of Defense (DoD) for years. They have also been busy targeting the Defense Industrial Base (DIB): the unclassified corporate networks of defense contractors and US private sector businesses, as well as the R&D programs of US colleges and universities. This is by no means a coincidence. Search for the following “cover terms”, which turn up readily in open source research:
- Moonlight Maze
- Titan Rain
- Byzantine Hades
“As noted in the Office of the National Counterintelligence Executive’s “Annual Report to Congress on Foreign Economic Collection and Industrial Espionage,” the threat to the United States from foreign economic intelligence collection and industrial espionage has continued unabated and foreign entities continue to try to illegally acquire U.S. technology, trade secrets, and proprietary information.” (DSS, Targeting U.S. Technologies: A Trend Analysis of Reporting from Defense Industry, 2010)
Advanced Persistent Threat (APT) is a term commonly used to refer to “state sponsored” (foreign nation) cyber threats from states with well-established and very capable Computer Network Attack (CNA) programs (most notably China, Iran, and Russia). An APT actor is usually a group that has the resources, capability, intent, and ability to maintain persistence on a system and/or network it has successfully exploited and compromised. These APTs have enabled our economic and technological adversaries to leap-frog technologically, especially in the military arena. Just take a look at China’s new stealth fighter, or at Iran’s and China’s missile and UAV programs.
Dr. Eric Cole (of SANS notoriety) once said in a class I attended long ago (I am paraphrasing here) that the only way to truly secure a computer system is to:
- 1. Dig a 12’ x 12’ hole
- 2. Unplug the CPU from its power source
- 3. Place the CPU in the hole
- 4. Fill the hole with concrete.
- 5. Computer Secured
In my fourteen years of experience in the Information Technology (IT) world I have found this statement to be an undeniable fact. To the best of my knowledge there is no operating system (OS), network, or TCP/IP protocol that is invincible. Those who in the past claimed that their network, OS, or program was “secure” were quickly compromised as soon as the “Black Hat” community got wind of the “challenge”. There is NOTHING that cannot be hacked! Just ask Rivest, Shamir, and Adleman (RSA). Despite all of the emphasis and attention placed on cyber security, many people would be shocked to learn the breadth and scope of the threats that we are facing. We now have so many inter-connected devices that we ALL tend to forget they are connected to a network and expose us to attack. Due to the rapid expansion and integration of networked devices into our lives, information assurance and cyber security are often an afterthought. This is especially true of less tech-savvy users, or of the small business owner who in many cases has neither the time nor the resources necessary to secure their information systems and network.
5. The Problem
In the past, on the USG side of the house, each organization’s network defenders had to rely almost exclusively on their own computer- and network-centric cyber intelligence section, if they even had an established counterintelligence (CI) capability for attribution and for assistance in creating detection signatures (indicators) of malicious activity. This lack of intelligence in many ways handicapped the CND community, because network defenders had very little, if any, knowledge of the new, emerging, or Advanced Persistent Threats (APT) they were facing. They did not have the “Big Picture”, and to a lesser degree we still don’t. This lack of sharing and collaboration within the IC has obviously also had a tremendous impact on the Computer Network Defense (CND) communities. Today we are seeing much more information sharing and cooperation among US Government Agencies (USGAs); so much so that we are now seeing redundant or overlapping reporting. Inter-agency collaborations are becoming commonplace within the IC. One example of this new collaborative effort is the National Cyber Investigative Joint Task Force (NCIJTF).
[Comment: Let me add a cautionary note here. With these convergent and collaborative IC/CND efforts there have been, and will continue to be, growing pains within and between two communities with very different missions. We are now [I hope] in the infancy of a new information sharing era between the USG and USBUS. In the future, I believe we will see much more participation from many other public sector organizations. One example of this new detente is the USBUS members who participate in the Defense Industrial Base Collaborative Information Sharing Environment (DCISE).] (http://dc3.mil/dcise/dciseAbout.php)
In the past few years DHS has made tremendous strides in the areas of information sharing and dissemination. However, they have thus far fallen short in getting the message out to a wider audience and in obtaining “buy in” from the vast majority of USBUS. This shows in the limited use, access, and reach of their main point of access for serving the US public, the US-CERT portal. I would venture to say that, comparatively, only a handful of private sector companies have actual “portal” access, and even fewer actually visit the website. Outside of the CND community few even know about the site and the resources available to them there. I also believe that the USG should have a minimalistic monitoring capability (IP address, port, and timestamp only) at all ingress and egress Network Access Points (NAP), regardless of ownership (whether the backbone is owned by Verizon, AT&T, or any other provider). This should be a government mandate placed upon any ISP that provides carrier backbone service within the US, and it should mirror the US-CERT Einstein program. The good news is that a few private sector organizations have begun to reach out to the FBI, NSA, and others and requested technical assistance in identifying, investigating, and eliminating network threats and compromises. For example:
“Google Asks NSA to Help Secure Its Network - Google is teaming up with the National Security Agency to investigate the recent hack attack against its network in a bid to prevent another assault, according to The Washington Post.” (http://www.wired.com/threatlevel/2010/02/google-seeks-nsa-help/)
We are moving in the right direction with the passage of H.R. 2096, the Cybersecurity Enhancement Act of 2011 (http://www.gpo.gov/fdsys/pkg/BILLS-112hr2096ih/pdf/BILLS-112hr2096ih.pdf). However, in my opinion, we need to continue in this direction with stronger, more clearly defined wording, and aggressively implement proactive measures that the USG must adopt. US private sector companies should be required to adhere to and implement a uniform Certification and Accreditation (C&A) process that is compliant with the National Information Assurance Certification and Accreditation Process (NIACAP). These standards could be tailored to the specific area of industry. However, this is a “grey area”, in that it may be seen as yet another form of government meddling in the private sector. It is essential that the private sector realize that we are all connected and that their protection is an essential element of our National Security. The IC must continue to break down the barriers to information sharing within the IC, and take things a step further by sharing the bare minimum outside of USG channels. It is entirely possible to strip a classified report down to, let’s say, strictly an IP address, a filename, an MD5 hash, etc., without any attribution that could compromise an ongoing investigation, and share that with the USBUS community. Conversely, US businesses (USBUS) must be willing to share their data with the USG without fear of being singled out or becoming the target of an investigation if their network is compromised or Personally Identifiable Information (PII) is stolen.
DHS has the lead for the federal government in ALL things security, including cyber security. Their mission is to secure federal civilian executive branch information systems and to work with the private sector to defend privately owned and operated critical infrastructure. They also work with state and local governments to secure their information systems. We need to pass legislation that would require US utility companies (e.g. Exelon and Constellation Energy) as well as state and local utilities (water and sewer, subway/metro, etc.) to be more proactive in protecting their Supervisory Control and Data Acquisition (SCADA) and Control Systems (CS) networks, via a standardized C&A process and real-time IDS solutions. Even today, many believe that SCADA and CS are not vulnerable, yet at some point even these systems connect with a system that is connected to the internet. We also cannot dismiss one of the biggest and most often overlooked threats to our networks: the “insider”.

We are now at the beginning of a convergence of the USG CND and the US Intelligence / Counterintelligence (Cyber) communities, and we are entering a crucial stage in our nation’s history. We are standing on the precipice of either continuing to be a global economic and technological powerhouse or falling into mediocrity. So, we must do some serious self examination in regard to our cyber security policy and how it relates to our National Security. We need to seriously consider joint public/private collaborations. I believe that we in the cyber community are missing out on a great deal of actionable intel that is just sitting out in cyberspace on many USBUS networks, and we need to begin including the USBUS Business Intelligence (BI) communities. Traditionally, there has been an inherent lack of trust between the private sector and the USG. The reasons for this distrust are many and would be a book unto themselves.
Thus far, the lack of trust between the public and private sectors has been detrimental to our overall National Security. However, a movement toward collaboration and information sharing has been underway in the years since 9/11 and has been slowly gaining momentum. The Department of Homeland Security (DHS) and the other United States Government Agencies (USGA) have made huge strides in information sharing with each other and, to a lesser degree, with the private sector. However, there is much more work to be done.
6. Recent Compromises
Both public and private sector US networks have long been the target of Chinese hackers, both “state sponsored” and the so-called “patriotic hackers”. These patriotic hackers appear to operate with a fair amount of autonomy granted to them by the Chinese government, as long as they do not attack other Chinese systems. Below you will find a short list of some of the more recent or notable compromises that have been attributed to China, or in which Chinese involvement was suspected.
Comment: Notice the diversity of their targets, ranging in everything from Banking to the DIB, to mining companies.
- Morgan Stanley experienced a “very sensitive” break-in to its network by the same China-based hackers who attacked Google Inc.’s computers more than a year ago, according to e-mails stolen from a cyber-security company working for the bank.( http://www.bloomberg.com/news/2011-02-28/morgan-stanley-network-hacked-in-same-china-based-attacks-that-hit-google.html)
- A hack attack that targeted Google in December also hit 33 other companies, including financial institutions and defense contractors, and was aimed at stealing source code from the companies, say security researchers at iDefense. (http://www.banktech.com/blog/227101119)
- Chinese 'Spying' Rattles Australia - Australia has tightened its security control on communication with Beijing after Chinese spies reportedly hacked the phone and computer of Australian Prime Minister Kevin Rudd during his trip to China, and targeted Rio Tinto in the early stage of Chinalco’s bid. (http://www.forbes.com/2009/04/03/china-spies-scare-markets-equity-rio.html)
- Hacking watch: Google, Gmail and China; defense contractors; Sony update - A day after Google wrote in a blog post that hundreds of Gmail accounts belonging had been hacked in attacks that originated in China, the United States announced today that it is investigating the matter. The phishing attacks seemed aimed at spying on people including senior U.S. officials, Chinese political activists, journalists and others. (http://blogs.siliconvalley.com/gmsv/2011/06/hacking-watch-google-gmail-and-china-defense-contractors-sony-update.html)
- China denies involvement in Renault EV spy case; over $841k found in secret bank accounts? The industrial espionage case involving three top Renault execs and electric vehicle secrets (and maybe China) continues, as the French carmaker has officially filed an accusation against a foreign private company. The company involved was not made public, but the filing does not cite a foreign power, according to Jean-Claude Marin, a Paris prosecutor, in Reuters. In fact, the French government began stepping away from rumors that China is involved with this industrial espionage case. Even still, a member of the conservative UMP party told France-Info radio that, "There are in effect several sources that are typically thought to be serious who consider that a Chinese buyer is in fact behind this operation." That buyer might be a Chinese power company, which French newspaper Le Figaro reported laundered at least 630,000 Euros (around $841,800 U.S.) into bank accounts in Switzerland and Liechtenstein opened by the executives. For its part, China has denied any involvement. (http://green.autoblog.com/2011/01/14/china-denies-involvement-in-renault-ev-spy-case-over-841k-foun/)
- Google Hack Attack Was Ultra Sophisticated, New Details Show - Hackers seeking source code from Google, Adobe and dozens of other high-profile companies used unprecedented tactics that combined encryption, stealth programming and an unknown hole in Internet Explorer, according to new details released by the anti-virus firm McAfee. Google announced Tuesday that it had been the target of a “highly sophisticated” and coordinated hack attack against its corporate network. It said the hackers had stolen intellectual property and sought access to the Gmail accounts of human rights activists. The attack originated from China, the company said. (http://www.wired.com/threatlevel/2010/01/operation-aurora/)
- NSA to Investigate Nasdaq Hack - The National Security Agency has been called in to help investigate recent hack attacks against the company that runs the Nasdaq stock market, according to a news report. “By bringing in the NSA, that means they think they’re either dealing with a state-sponsored attack, or it’s an extraordinarily capable criminal organization,” Joel Brenner, former head of U.S. counterintelligence in the Bush and Obama administrations, told the publication. He added that the agency rarely gets involved in investigations of company breaches. (http://www.wired.com/threatlevel/2011/03/nsa-investigates-nasdaq-hack/)
Additionally, we cannot forget about all of the other threats that we are faced with on a daily basis. Listed below are just a few:
- The Russian Business Network (RBN) - http://en.wikipedia.org/wiki/Russian_Business_Network
- Iranian Hackers Suspected in Recent Security Breach- http://bits.blogs.nytimes.com/2011/03/24/iranian-hackers-suspected-in-recent-security-breach/
- Pakistani hackers attack U.S. government site - http://www.usatoday.com/tech/news/2001/10/26/hack-attack.htm
- Cyber Jihadists - http://news.bbc.co.uk/2/hi/americas/7191248.stm
- Narco Hackers - http://insightcrime.org/insight-latest-news/item/1251-are-mexico-drug-gangs-drafting-hackers
7. Conclusions and Recommendations:
In my opinion the USG does not realize that it is wasting a vast pool of talented intel and CND personnel currently working in the private sector. The USG needs to exploit (for lack of a better term) this vast talent pool. We really need to start looking at the private and public sectors holistically, as one and the same. We can no longer afford to stand back as individual organizations with a reactive approach to information security.
- Maintain U.S. ownership and control of the internet
- The USG and USBUS need to take a “holistic” view of cyber security: a less “individualized” view that looks at it as a whole.
- The United States needs to take a Machiavellian approach to CND and cyber operations
- We must consider every organization, from the smallest USBUS with an internet presence to the largest USGA, an integral part of our critical infrastructure and national security.
- Advertise and expand upon US-CERT’s role
- Establish a “National Cyber Security Think Tank”. I believe that we should create a National Cyber Security Think Tank (NCSTT) that would act as a national clearing house providing cyber security guidance, recommendations and solutions to every segment of the American population. This body would take in information and make educated and feasible recommendations based on current intelligence, new and emerging threats, and best practices, in order to guide lawmakers in constructing new legislation.
- The US needs to view ALL US-based information systems that have been attacked or compromised as national IT assets, or at least establish a criticality hierarchy among them.
- Draft and pass legislation that establishes clearer rules allowing the US public and private sectors to establish and maintain collaborative information sharing efforts in both CND and cyber intelligence.
- The USIC should work with USBUS to establish a cyber “Most Wanted” list of IP addresses, file hashes, etc., and provide guidance to any USBUS that reports suspicious activity on its networks.
- Have “No Fear” in taking retaliatory actions when there is a preponderance of evidence.
- Be more aggressive in “Red Team” and CNA operations in both public and private sectors and collaborate on targets of opportunity and Interest.
- Allow for the formation of “Patriotic Hacking” teams that have guidance and direction (handlers)
- Seek out youth while in High School or College who have demonstrated Cyber “ninja” skills and utilize those skills for doing good.
- The USG must develop a required minimum system security baseline program for all USBUS
- USBUS should be required to adhere to and implement a nationally uniform Certification and Accreditation (C&A) process
- The USG needs to develop a cyber security educational assistance program, implemented via DHS and the Small Business Administration (SBA), for less tech-savvy small business owners
- Above all, the privacy of the citizen/customer must be protected at all times by all parties. It is imperative for USG and USBUS to establish ‘trust relationships’ and information sharing agreements. Our adversaries have been kicking down our doors for years now. We all realize that almost all systems are somehow inter-connected today and need to be secured and defended.
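As an added illustration of two points made above (stripping a classified report down to just an IP address, filename and MD5 hash before it leaves USG channels, and the proposed cyber “Most Wanted” list that a USBUS could match against its own networks), the following Python is example code written for this page; it is not anything produced by US-CERT, DCISE or the author. The report layout, the minimal “timestamp, IPs, ports” record format (the IP address, port and timestamp capture discussed under The Problem), and every address, hash and file in it are constructed; the sanitizer and matchers are generic and would have to be adapted to a real feed format.

```python
"""Added example (not from the original essay): reduce an internal incident
report to releasable technical indicators (IP, filename, MD5) and match them
against minimal connection records (timestamp, IPs, ports) and a set of
files.  All report fields, addresses, hashes and records are constructed."""
import hashlib
import re
from typing import Dict, Iterable, List, Tuple

_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
_MD5 = re.compile(r"^[0-9a-f]{32}$")

# Constructed "malicious" sample and its hash; used by the report and file set.
MALICIOUS_SAMPLE = b"constructed sample payload, not real malware"
MALICIOUS_MD5 = hashlib.md5(MALICIOUS_SAMPLE).hexdigest()

# Constructed internal report.  Only indicators of type ip/md5/filename
# survive sanitization; case number, source and actor assessment never leave.
SAMPLE_REPORT = {
    "case_id": "CASE-0001",
    "source": "internal analysis",
    "suspected_actor": "unknown",
    "indicators": [
        {"type": "ip", "value": "203.0.113.45"},          # TEST-NET-3 address
        {"type": "ip", "value": "203.0.113.999"},         # malformed, dropped
        {"type": "md5", "value": MALICIOUS_MD5.upper()},  # case is normalised
        {"type": "filename", "value": "update.exe"},
        {"type": "note", "value": "tied to case 0001"},   # attribution, dropped
    ],
}

# Constructed records in the minimal form argued for in the essay:
# "timestamp src_ip src_port dst_ip dst_port".
SAMPLE_RECORDS = [
    "2011-06-01T08:00:00Z 10.0.0.12 51234 203.0.113.45 443",
    "2011-06-01T08:00:05Z 10.0.0.12 51235 198.51.100.7 80",
    "2011-06-01T08:01:00Z 203.0.113.45 4444 10.0.0.40 4444",
    "malformed record",
]

# Constructed files on a host: one carries the watched hash under another
# name, one carries the watched name but benign content.
SAMPLE_FILES = {
    "payload.bin": MALICIOUS_SAMPLE,
    "update.exe": b"benign installer bytes",
    "readme.txt": b"nothing to see here",
}


def _valid_ipv4(value: str) -> bool:
    return bool(_IPV4.match(value)) and all(int(o) < 256 for o in value.split("."))


def sanitize_report(report: Dict) -> Dict[str, List[str]]:
    """Return only validated IP, MD5 and filename indicators from a report.

    Every other field is dropped, so the output says nothing about who found
    the activity, which case it belongs to, or who is suspected.
    """
    out: Dict[str, List[str]] = {"ip": [], "md5": [], "filename": []}
    for ind in report.get("indicators", []):
        kind, value = ind.get("type"), str(ind.get("value", "")).strip()
        if kind == "ip" and _valid_ipv4(value):
            out["ip"].append(value)
        elif kind == "md5" and _MD5.match(value.lower()):
            out["md5"].append(value.lower())
        elif kind == "filename" and value:
            out["filename"].append(value)
    return out


def match_connections(indicators: Dict[str, List[str]],
                      records: Iterable[str]) -> List[Dict[str, str]]:
    """Flag records whose source or destination is on the IP watchlist."""
    watch = set(indicators["ip"])
    hits = []
    for line in records:
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip malformed records
        ts, src, _sport, dst, dport = parts
        for ip in (src, dst):
            if ip in watch:
                hits.append({"timestamp": ts, "ip": ip,
                             "peer": dst if ip == src else src,
                             "dst_port": dport})
    return hits


def match_files(indicators: Dict[str, List[str]],
                files: Dict[str, bytes]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Hash every file and compare against the MD5 watchlist.

    A filename match without a hash match is reported separately: a name is
    trivially changed, so it is a lead, not a confirmation.
    """
    hashes, names = set(indicators["md5"]), set(indicators["filename"])
    hash_hits, name_hits = [], []
    for name, data in files.items():
        digest = hashlib.md5(data).hexdigest()
        if digest in hashes:
            hash_hits.append((name, digest))
        elif name in names:
            name_hits.append(name)
    return hash_hits, name_hits


if __name__ == "__main__":
    ind = sanitize_report(SAMPLE_REPORT)
    print("releasable indicators:", ind)
    print("connection hits:", match_connections(ind, SAMPLE_RECORDS))
    print("file hits:", match_files(ind, SAMPLE_FILES))
```

The sanitizer is the piece that would sit on the USG side before release: it keeps nothing but validated indicators, and a malformed entry in the source report is dropped rather than passed on as something that can never match. The two matchers show what a USBUS recipient does with the result against the minimal records and a file set. A hash match is reported separately from a name-only match because a filename by itself is a weak indicator.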
We are currently moving in the right direction; however, there is much more work to be done. Now is the time for the US to be unified and resolute in defending our National Security interests on the cyber front. We need a unified and cooperative approach, with the US Government and US private sector organizations working together for the common defense. Yes, these suggestions are daunting and perhaps extreme. However, considering how much we have already lost, can we afford to lose much more?