Computers and networks have blurred the boundaries when you look at cyber warfare, cyber crime, and cyber terrorism. There is no doubt that future conflicts will involve cyber warfare between nations. Distinguishing between military and criminal and civilian attacks is tough and could create a dangerous problem in determining who is behind a cyber attack. It’s very difficult to trace cyber attacks back the responsible parties. It is rarely the case that the computer forensic analysis conducted as a result of a cyber attack yields enough hard evidence that would meet the “beyond a reasonable doubt” standard we apply in non-civil court actions.
There are millions of pieces of malicious code available today along with a significant number of vulnerabilities that can be exploited by cyber soldiers, hackers and others who wish to compromise computers and networks. Websites now provide both novice and expert level computer attackers with the latest, up-to-date programs and support needed to plan, design, develop and initiate cyber attacks. In fact, these websites provide services to parties that are interested in hacker computer systems and networks.
When you use the Internet, you leave the equivalent of digital footprints and attacks leave digital fingerprints as well as digital DNA. Every message a computer sends to a different computer travels in a series of hops from one router or server to another leaving behind logs and addresses of the route. Even after the message is received, the record of its path of travel remains behind. There are also a number of ways that attackers use to obscure their location and identity. Intelligence around cyber weapons development and cyber attacks is very limited. In our vast sources of intelligence gathering capabilities only electronic intercepts and human intelligence have the ability to provide the primary sources for our intelligence helping to defend our nation against cyber attacks. The tools and technologies available to law enforcement and the Defense Department are not keeping pace with the rapid advances being made in cyber weapons used by attackers. The current state of the practice and available tools regarding the technical ability to track and trace cyber attacks remains very primitive. The advanced level of sophisticated cyber attacks make it close to impossible to trace to their true source and have the hard evidence that would pass the court of public opinion. In addition, the technical nature of the investigation would make it difficult to effectively communicate to those serving on a jury. Advanced tools for tracing complex attacks are among the research topics that are currently under development by multiple organizations and agencies, but we need them now.
We have seen the harbingers of cyber warfare and the image they present instills fear in our military and technical professionals. Dozens of nation states currently have highly sophisticated cyber attack capabilities and many others are in the process of developing cyber weapons of mass disruption. Advances are needed now to defend our systems against such attacks. Likewise, advances tools, techniques and trained staff are needed now to conduct the investigations into the rash of cyber attacks we are experiencing. Finally, international laws and doctrine must rapidly be developed and implemented as part of our overall cyber defense activities.
Browsing Posts published in June, 2008
In the face of growing demand to target security investments based on risk management principles–a domain foreign to many CIOs and infosec practitioners–there’s wisdom to be garnered from our peers.
[From 2008 Security Survey: We're Spending More, But Data's No Safer Than Last Year]
InfoWorld’s Tom Yager offers insight on how digital TV is rapidly heading toward the kind of lockdown that entertainment and broadcast lobbies desire for the Internet. Standards such as HDMI and HDCP are acting in concert to strip your equipment of its functionality, displaying ‘incompatibility’ messages when plugged into older HDMI-enabled devices, shutting down analog outputs when active, and requiring balky handshake credentials that force many consumers to reboot their TVs to recover permission to watch them. Even broadcast flagging, which has been overturned by the Court of Appeals, is still on the de-facto table, as the entertainment lobby retains the power to bully technology companies into baking broadcast flagging into their wares. Sure, digital TV has far fewer points of origin than the Internet and is therefore easier to control, but, as Yager writes, ‘Internet rights restrictions come through your telecommunications equipment’ — and it is likely through that equipment that the entertainment and broadcast lobbies will chip away at your rights on the Web.
From Digital TV Foreshadows Erosion of Net Rights ]
[
Throughout history wars have been triggered by events. Being at war is a state or condition. To be legal, a war must be declared by a branch of the government entrusted by the Constitution with this power. In the Constitution of the United States, Article I provides Congress the power to declare war. War is defined as a contention by force; or the art of paralyzing the forces of an enemy. An act of war is typically defined as an aggressive act that constitutes a serious challenge or threat to national security, armed conflict, whether or not war has been declared, between two or more nations; or armed conflict between military forces of any origin. This frames the discussions around traditional war. In the physical sense it is easy to define such infractions; enemy troops crossing another countries border, military strikes by missiles or bombs, basically you know it when you see it. What constitutes a serious challenge and a threat to our national security in cyber space? That is much more difficult to define.
In the U.S. Army’s Cyber Operations and Cyber Terrorism Handbook 1.02 I found the following reference to the definition of Cyber Warfare & Terrorism: “the premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or to further social, ideological, religious, political or similar objectives or to intimidate any person in furtherance of such objectives.” This was an excerpt from an article I wrote back in 2003 when the issue of cyber war was in its infancy. While this frames acts of cyber war, in retrospect it does not address a measure of the disruptive acts or provide guidance assess if individual acts, or a collection of acts rise to the level to be considered an act of cyber war.
If a foreign government hacks a sensitive system of another government and accesses security and defense information, is that an act of cyber war? If so, that has already occurred. If a foreign government hacks a sensitive system of another government and places software on the system that collects data and sends it back, is that an act of war? If military personal from a foreign government infiltrates another nation’s networks or systems through the use of counterfeit hardware and monitors communications, is that an act of cyber war? Both are certainly acts of espionage and have already taken place. The factor that will determine if an act or acts of cyber attack rise to the level of an act of war rests in the magnitude of disruption that accompany the acts. Adding to the complexity is the fact that much of our critical infrastructure that are prime targets for cyber attacks are owned or operated by the private sector not the government. This infrastructure in some cases carries military communications, supports civilian emergency services as well business and consumer services. An attack on the infrastructure impacts multiple segments. The question of what constitutes an act of cyber war remains unanswered.
Given that we are in relatively new territory, each individual attack must be examined and the forensic evidence weighed to determine the source of attack. Little physical evidence will ever exist that you can hold up and point to or take a picture of and say “they did this.” Much debate is currently taking place over the legality of cyber warfare tactics and their use. Is a cyber attack on our networks and systems an act of war? Are acts of cyber espionage a violation of international law? It is better we investigate and answer these questions now rather than reacting to cyber events in the heat of the moment when they occur.
Is the US falling behind when it comes to science and technology? Not according to an evaluation by the RAND Corporation, performed at the behest of the Department of Defense. The report does identify some areas of concern, and makes some specific recommendations.
[From RAND study: US still #1 in R&D, but sees areas of concern]
More bloggers than ever are being arrested around the world, highlighting the dangers of citizen journalism, according to a new report from the University of Washington.
South Korea launched its third Type 214 submarine last week. While it is often noted the quantity of naval growth taking place in China and India, we continue to observe both growth and quality in the naval forces being produced by South Korea. The addition of Type 214s to the naval mix by South Korea is not a small thing, while not often discussed, the quality of ASW capabilities by North Korea
Recently much attention is being given to the topic of cyber warfare and rightfully so. Our computers and networks are under continuous attack from all over the world. The level of sophistication of these attacks and the quality of the code written to perform these attacks both have raised significantly in the past year. Experts agree we have entered a new era of warfare and are transitioning from bombs and bullets to bits and bytes.
In January two classified presidential directives were signed related to defending the country against cyber attacks. At that time the price tag was estimated at $6 billion. In mid May the price tag was revised and believed to be $17 billion. Now, the price has risen again to be $30 billion. That is a big pot of money by anyone’s standards. So the question is, where will this money be spent? Increasing cyber defense will require investment in Research and Development as well as in existing technology and services. The first and most critical activity will be to fortify current systems against known cyber threats.
Spending Allocation:
- Hardware 18% $5.4 Billion USD
- Software 25% $7.5 Billion USD
- Consulting 29% $8.7 Billion USD
- Services 24% $7.2 Billion USD
- R&D 4% $1.2 Billion USD
The R&D efforts will focus on near term delivery of advanced defensive capabilities (like behavioral modeling) of software processes and transaction to evaluate if they pose a threat to the system. Additionally, advanced modeling capabilities are required for evolving defenses and investigative activities. Advanced modeling will be used to certify and authenticate chips, hardware and software to be authentic and free of malicious code. One of the most promising capabilities centers on the development of a “Digital DNA” database repository. The ultimate goal of this work is the same as with current DNA forensics – to identify the perpetrators of the assault. Most cyber attacks leave behind forensic evidence that can be used to assess the capabilities of the attacker, understand the implications of the attack and to create defensive measure to guard against this type attack in the future. With all the attacks that have taken place, there is significant intelligence out there about techniques, cyber weapons, and strategies that have been used in these cyber assaults. Analysis of this evidence can create Digital DNA which could also help to identify the source of the malicious code and potentially lead to the attacker.
ASDF represents the four Digital DNA characteristic sets.
A = attributes, abilities, abstraction, architecture, assembly, adaptation
S = style, signatures, syntax, structure, source, specification, scope
D = demographics, delivery, development, discipline, data, design
F = functions, features, faults, formidability, fields, forms, factorsThere are currently over a million pieces of malware. On average there are approximately 200 new computer viruses released monthly, so the raw cyber DNA materials are not in short supply. The potential use and value of the Digital DNA repository will increase with every single entry and the analysis of attacks. According to a source close to the Digital DNA project, the repository is currently in its infancy, it continues to grow and mature with the knowledge gained from each cyber attack. John Foley, CEO of Defcomm1 and former CEO of Vigilant Minds a leading managed security services provider said, “Much like the human genome project, Digital DNA will basically fingerprint the technical and human factors behind the malicious software and attacks.” Security experts believe that Digital DNA type data is a critical component and required to fight cyber attacks and defend systems.
[From A Big Pot of Money]
The good folks over at Verizon Business have released a report that summarizes what they’ve found after looking through 500 forensic investigations involving 230 million records, and analyzes hundreds of corporate breaches including three of the five largest ones ever reported. What did they find? How about (1) Nearly nine in 10 corporate data breaches could have been prevented had reasonable security measures been in place, (2) Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability and (3) attacks from Asia, particularly in China and Vietnam, often involve application exploits leading to data compromise, while defacements frequently originate from the Middle East.
[From Data Breach Study Spanning 500 Break-Ins Released ]
Albert writes “Storm shows several key characteristics, some new and advanced. It uses cunning social engineering techniques — such as tying spam campaigns to a current event or site of interest — as well as a blend of email and the Web to spread. It is highly coordinated, yet decentralized — and with Storm using the latest generation of P2P technology, it cannot be disabled by simply ‘cutting off its head.’ In addition, Storm is self-propagating — once infected, computers send out massive amounts of Storm spam to keep recruiting new nodes.”
[From Storm and the Future of Social Engineering ]
LinucksGirl writes “Journaling file systems used to be an oddity primarily for research purposes, but today it’s the default in Linux. Discover the ideas behind journaling file systems, and learn how they provide better integrity in the face of a power failure or system crash. Learn about the various journaling file systems in use today, and peek into the next generation of journaling file systems.”
[From Anatomy of Linux Journaling File Systems ]
If you think selling Web 2.0 in your organization is hard, some early backers of a Wikipedia-like project at the Central Intelligence Agency were called traitors and told they “would get someone killed” by their efforts. But Intellipedia — the CIA’s version of Wikipedia — now is so heavily used by analysts that the agency is using it in its security briefings, according to two of the CIA employees who work on the project. Intellipedia has been expanded since it was first launched so that now it boasts its own YouTube-like channel for video and Flickr-like photo sharing as well as a wiki where workers can debate different intel information.
A senior Senate lawmaker, Sen. Jeff Sessions (R-Ala.), told me this morning that he believes the Air Force suffers from systemic problems and must examine how it buys weapons, how it manages its forces and perhaps rebuild its long-term strategy in the face of todays changing international situation.
Sessions a senior member of the Senate Armed Services Committee and ranking member of its strategic forces subcommittee, said he and his colleagues arent certain how to proceed yet to fix the service.
Sessions did praise Gates for his actions in sacking Air Force Secretary Mike Wynne and Chief of Staff Mike Moseley, noting he had helped reestablish personal responsibility among senior leaders.
A congressional source, asked about the likelihood that Congress might undertake a probing look at the Air Force to try and figure out what must be done to rebuild the service said any action was unlikely before the election. Senior lawmakers are already being drawn into daily management of the campaign message wars. And senators such as Sessions, while eager to do the right thing, will find it difficult to muster support from their colleagues for a bipartisan effort such as this would require.
Sessions comments came the day after Defense Secretary Robert Gates made extraordinary visits — well intentioned and well executed to Air Force commands to deliver the message that he believes the service matters and has his support and to give service officials the chance to ask him questions face-to-face. One of the most interesting exchanges shed some bright light on just how much far apart are the secretary and the Air Force.
Gates, flying to Colorado Springs, Colo., told reporters that he took the opportunity of a question about the F-22s to address the speculation that, in truth, these changes were due to disagreements over the F-22. And I said that that was not true, that in fact that issue had been settled for some weeks. And that I had essentially made the decision that we would allocate enough money to keep the production line open so that the next administration could decide on the balance between buying more F-22s and buying more joint-strike fighters. And I thought that that was a significant procurement decision that ought not be made in the last six or seven months of an administration. You can imagine how much the Air Force officers believed that, no matter how true it is. The gap is so wide that even gates spokesman, Geoff Morrell, felt compelled to tell reporters that despite rumors: the F-22 issue had nothing to do with the secretary’s decision for a change of leadership in the Air Force.
Gates briefly mentioned the acquisition side of the Air Forces problems, noting that he is figuring out how to get the modernization program back on track. He gave the example of the tanker decision. I mean, we’re 10 years past when we should have started replacing the tanker fleet.Gates said that no one asked him about his recommendation of Gen. Norton Schwartz, leader of Transportation Command, as Air Force Chief of Staff. A reporter asked about the choice. He’s very process-oriented. I mean, the changes that he’s made in TRANSCOM have been pretty dramatic in terms of how you manage all these priorities and the logistics of supporting the war in two theaters with limited capability But I also liked his experience and mobility and jointness. He has a lot of joint experience. His whole command has been about how do you support all of the services. So that was important. And frankly, also, the Special Operations experience.
– Colin Clark
An interview with John De Goes in which he argues: “The tools market is dead. Open source killed it.” The software developer turned president of N-BRAIN explains the effect that open source has had on the developer tools market, and how this forced the company to release the personal edition of UNA free of charge. According to De Goes, selling a source-code editor, even a very good one, is all but impossible in the post-open source era, especially given that, “Some developers would rather quit their job than be forced to use a new editor or IDE.” N-BRAIN’s decision is but one in a string of similar announcements from tools companies announcing the free release of their previously commercial development tools.
[From Open Source Killing Commercial Developer Tools ]
“Chinese hacking is getting some serious Congressional attention. Two House members said Wednesday their Capitol Hill computers, containing information about political dissidents from around the world, have been hacked by sources apparently working out of China. Virginia Rep. Frank Wolf says four of his computers were hacked. New Jersey Rep. Chris Smith says two of his computers were compromised in December 2006 and March 2007. The two lawmakers are longtime critics of China’s record on human rights
