CyberCommand

...now browsing by tag

 
 

Response to “Thinking about cyber offensive capabilities”

Thursday, September 17th, 2009

MAD

http://threatchaos.com/2009/09/thinking-about-cyber-offensive-capabilities/

Should the US engage in offensive cyber attacks?

All warfare is based on deception….

With the NSA’s acquisition of cybercommand, we have a fair indicator of the nation’s digital offensive capability and direction. Cyber attacks such as denial of service are much too public for the intelligence community.  The cyber offensive will come in the form of information collection and subversion of the enemy population, the infowar. Psychological operations will continue to be carried out as they have been for decades, only now with a massive influx of skilled technologists to maintain the competitive electronic edge. Kinetic attacks are also very much a reality. Such was the case when Russia acquired a piece of software corrupted by western intelligence, which caused damage to a pipeline.

“”The result was the most monumental non-nuclear explosion and fire ever seen from space,” he recalls, adding that U.S. satellites picked up the explosion. Reed said in an interview that the blast occurred in the summer of 1982.”

http://www.msnbc.msn.com/id/4394002

Without an external botnet to control, undue stress would be placed on the networks. However, it is likely that the command and control of existing botnets could be subverted by the cybercommand and used to against remote targets. Reflecting on the historical nature of nuclear, biological, and chemical warfare, it does not seem to be a stretch of the imagination to believe that governments would be willing to develop new attacks. By utilizing offensive tactics such as worms, viruses, and even electromagnetic pulse attacks to achieve some objective, suddenly we have a new threat of cyber collateral damage. There is already a precedent for clandestine cyber warfare, and one can only imagine this will continue to escalate.

Will we see cyber Mutually Assured Destruction, the “Deterrence by in-kind response”?

That seems to be how these things reach their apex.  Only by fully developing offensive capability will a nation no longer be subject to a major attack. Or at least that’s the logic behind it.  MAD is the old school way of thinking, and sometimes it’s hard for the old war dogs to learn new tricks. Perhaps through education and training at the local level, a holistic approach to national cyber defense can be effective, this as opposed to relying on government and corporate entities to assume the whole of the burden. One thought on a sort of cyber homeland security is to offer the civilians an opportunity to participate in the federal botnet, offering up their systems willingly to fight the “enemy”.  Learning the lesson from America’s forefathers and establishing a well armed militia for the defense of the nation.

Attacks should not be used as a deterrent, after all the best offense is a good defense, and the enemy could use an event to draw their opponent into a conflict where they possess the higher ground.  One should make their position unassailable, and wait for their opponents to reveal themselves and with it their weakness.

The 24th airborne are training for cyber operations. They are learning to deploy physical assets to defend communications lines, and methods of attack on various targets such as networks, industrial control systems, radio, and air defense. True cyber war will be the combination of traditional combat blended with advanced technological attacks by ‘hacking’ the enemy in the field as a means to gain and advantage. Realistically speaking this is nothing new. ‘Hackers’, and more specifically ‘Crackers’, have played a significant and decisive role in warfare for decades.  Without the employment of these skilled technologists, the result of the Second World War may have been quite different. The connection between cyber war and the NSA is quite clear. By compromising the enemy’s communications, obtaining their documents, and influencing their actions. The outcome of a conflict can be predicted before the first move has ever been made.

On the netcentric battlefield, can there be anything other then western dominance?  The irony there is that there does not seem to be someone their own size to pick on, and they fall victim to the same guerilla warfare that acted as their own midwife into existence. The west owns space, the sky, the airwaves, and the technology. The netcentric warfighter is progressing into the future with little to no opposition, yet continues to fall prey to primitive attacks (though perhaps that’s what the British said about the colonists). I suppose one could envision a future battlefield where technologists play a game of virtual chess, attempting to outhack each other before the first shot is fired.

A cyber Geneva Convention, some UN mandated rules of engagement, would be totally ineffective on the virtual battlefield. Control of the media, political spin, and the very nature of cyber combat, will maintain the air of plausible deniability for any sort of electronic offensive. Protected by secrecy they will be able to carry out operations that supersede any national or international laws.  Privacy, property, and speech have long since fallen victim to this system.

We need to keep in mind the division of roles between the military cybercommand and Homeland cyber security.  Any offensive actions would come from the military.  The protection of non-military government and critical infrastructure systems is the function of Homeland Security.  The protection of the civilian end user of the internet has been delegated to the corporate sector.

So with that perspective, the cybercommand has no role other then military defense of its own networks and to carry out attacks against the enemy. The defense of infrastructure is completely separate. It has less to do with protecting the people, and more focused on defending the critical infrastructure which the government relies upon to operate. In other words, if an attack only affects non-critical sites such as mybook or twitterface, then the general public must look to the corporations to resolve this issue.

The US will continue to conduct intelligence operations against foreign and domestic targets using the most advanced technology and best available labor. Ground forces have been appropriated for kinetic operations. We can call this cyberwar if you wish.

Privacy to PreCrime

Thursday, July 9th, 2009

 

When the NSA assumed control of the Cyber Command, it stirred up many privacy concerns. As most know they have been intercepting domestic communications for some time While some people are worried about their phone and email conversations being recorded by the government, the other g-men at Google are doing the exact same thing. Of course deleting your g-mail account only prevents you from accessing the information, deleting your account at the NSA will get you a free vacation to Cuba for waterboarding lessons.

 

Throughout your life, little pieces of information are gathered and accumulated. Your profile is constantly amended as data volunteered by yourself is automatically correlated.  Every time someone forfeits some morsel of information, that data is forever public.  This material goes into a database, the security of which will be compromised at some point. We could blame the corporations when they experience a security breach, but honestly who’s at fault for supplying them with the information to begin with?

 

If we are to address privacy concerns, then it is hypocritical to start the finger pointing with the NSA. Thanks to popular social networking sites,  people are willing to give away the most important details of their lives.  It is this very ignorance of the overall value of information that creates risk on a number of levels. Police officers only require a name and date of birth to positively identify most people. The same details can be used by criminals.  Think about that the next time someone mentions their birthday. If that person has their real name associated with the statement, then all of the facts required to build an extensive profile have been provided.  Such a profile, for example, could be used by a criminal to assume an identity, manipulate a person into revealing more information, or even pose a physical threat.  This same method could be used to launch attacks from within an organization through the user. Imagine a sort of phishing attack that affects the user at home. They enter into correspondence via email with a criminal posing as an old friend.  The employee continues this correspondence at work on the company computer. Since the employee feels safe, they are willing to click links, or even download files.

 

There is a whole industry based on gathering data about consumers, and using their personal details for marketing. The obvious signs of this are places like Amazon that recommend items based on site history.  What does your Amazon account say about you?  I don’t buy into that line about “if you’re not doing anything wrong, you don’t have anything to hide”. Would you invite someone into your house to create a behavioral profile based on your possessions?    Just about everything you do reveals some detail about your life.  For example, when you go to sleep your inactivity is noted. Just by looking at your social network updates anyone can know what your sleeping habits are, and possibly where you sleep.  Everything you do is recorded, cataloged, correlated, psychologically analyzed, and put up for sale. The biggest customer for this information is the Federal Government, and because these databases are private, the Freedom of Information Act does not apply.

 

In the past it was common for people to keep a their private names and public names separate.   In Homer’s Oddesy, Ulysses used a clever name to avoid unwanted attention from the other Cyclopes after blinding Polyphemus.  In Christian mythology, God gives Adam the power to name the animals, and so he had some power over them.  What of the clever goblin Rumpelstiltskin who allowed the millers daughter to renege on a deal by giving her a chance to guess his name?  When I first started in networked computing, one of the first things we learned was to contrive a ‘handle’, a pseudonym under which we would carry out our online activities.  Today, it seems, people view this an act of cowardice, or become suspicious to the motivations behind concealing one’s identity.  It wasn’t a hacker thing, it was standing operational procedure. There is no such thing as anonymous internet usage. The best people can do is become aware of how much privacy that has already been lost, and do what they can to hold on to its shredded remains. It’s not about assuming a new identity, it’s about protecting privacy.  Today people  on-line are trading their identity for an illusion of friendship.

 

With the amount of information already in the databases, it is possible for them to know what we want before we do.  Using predictive modeling, marketing companies can already forecast the likelihood of future purchases. This also
means with government access to these details, they can perform similar analysis. Psychographic profiles reveal your personal interests, activities, and opinions, when combined with demographics and other variables, it is possible to triangulate personality in the same manner as physical location. It is trivial to track the physical direction of an individual, the same is also true about their mental direction.

 

Today we have the increased use of biometric identification. It comes with the promise of security, but can pose a new privacy risk.  Clear, the airport security screening service, may be taking the data trade to a new level. The TSA approved company, which required biometric finger and eye scans, has suddenly shut down.  It is likely their database will be transferred to some other private firm which specializes in collecting biometric data.  Since they are working with Lockheed Martin, I’d suggest the database and technology will resurface as part of the new biometric authorization requirement for access to public and private infrastructure.  Unlike passwords, there is no easy way to reset your fingerprints once the database has been compromised. 


Within a few years there will be a global DNA database which will be used for a number of purposes. Utilization of the genome is so important that Francis Collins, who was responsible for the Human Genome Project, has been made director of the National Institute of Health.  If you take a look back at that psychographic profile link, you’ll notice the article was in strategy+business, which is published by Booz and Company the global parent of Booz Allen Hamilton. A representative of Booz Allen was the one who brought to my attention the Global DNA database while giving a talk titled  “Hacking the Genome” at a computer security conference.  Booz Allen is interested in developing psychological and genetic databases, they are also one of the main contractors for organizations such as the NSA . This sort of database, combined with genetic screening, could lead to the ability to determine much of the future of an unborn child.  While this has its merits, like any other system it can be abused. If not kept in check, it could lead to the reincarnation of the eugenics movement of the last century which was forced to re-brand after WWII because of it’s popularity within the leadership of the German National Socialist party as part of their platform for world domination

 

Welcome to the Brave New World!

 

CzarWars Episode 1 – The Phantom Finance

Wednesday, June 24th, 2009

CzarWars Episode 1 -The Phantom Finance

First of all we need to define the various compartments of network security.  There is the Military/Government sector, the DOD is responsible for defending these systems. There is the public government infrastructure, which the DHS will be in charge of defending. There is the private sector which are responsible to defend themselves. mixed in with this is the general protection of the people which will come in usual form of software developed by the private sector.

The announcement has not yet been made for the new cybersecurity coordinator.  though there are many choices, and much speculation. I’ll add to it with my own observations.  All of the choices will be from one of the 3 sectors who have a stake in the cybersecurity plan. Whoever is selected will show what lobby has been successful. The DOD has stated repeatedly they have no interest in backing the position. that leaves the DHS and big business.  It gets a bit complicated because the DHS also has a close private-public collaboration.  So the distinction again needs to be made that there are two levels of defense here. the DHS, while responsible for civilian infrastructure, only takes responsibility for the systems that are government critical. The rest of the work, dealing with what their CISO calls the standard internet pollution, will go to some of the big names in public security. Meaning the responsibility to protect the people will be left to Anti-Virus vendors, and Microsoft. The person who is selected should have an existing understanding of current national security policy.  This would rule out the representatives from a strictly business background. The new cyber coordinator will most likely be someone from inside government, or someone who has recently gone into the private government consulting sector.  Before I continue I should mention Keith Alexander is rumored to be head of the new [cyber]command, but this is not the czar position. Melissa Hathaway already holds a similar white house position, and it is possible that she could receive the promotion – though I get a sense of reluctance either from her, or on the part of the white house.  What we have left is Fred Kramer, the former assistant defense secretary for international affairs under president Clinton, Paul Kurtz an Obama advisor who served in the national security council under bush and Clinton, Maureen Baginski  a former FBI intelligence leader, and Tom Davis.

To update this a little bit, Alexander was selected as head of the CyberCommand, and Tom Davis has expressed that he is quite comfortable in his new position in the private sector, he mentioned he was lucky to get out with out an indictment, and has no plans to return. Davis did act quite nervous when confronted about the position, so it is possible he already has been confirmed and is playing the denial game until the president makes it official.

The cybersecurity coordinator will need to have a technical enough background to understand the details of security recommendations. This person will need to then be able to translate the recommendations into terms that the president can understand, as well as pass them along to the Secretary of Commerce who can choose to request funding from the OMB.  The cyberczar might not have direct power to make changes, but the position is an important one. There is defiantly need for a coordinator to facilitate between the public-private partnership and the Executive Office of the President.  Someone who already has a good understanding of national security, technical knowledge, and political ability.  I’ve made my pick based on the current choices, so when if pull someone out of left field don’t hate.

Paul Kurtz an Obama advisor who served in the national security council under bush and Clinton, he has in the white house for long enough to  know its politics. Kurtz is also one of the people quoted in the findings on which the Cybersecurity Act was drafted saying “the United States is unprepared to respond to a `cyber-Katrina’ and that `a massive cyber disruption could have a cascading, long-term impact without adequate co-ordination between government and the private sector”. Here is a person that fits my criteria, he is technical, political, and a possesses an overwhelming desire to over-hype the cybersecurity threat with the understanding that it will create revenue to his and others private interests.  Its all about the money. If you check out the consulting team Paul B. Kurtz is on, it’s also about the cyber-FUD.

-I don’t want to leave out Maureen Baginski as a possible choice, since the current administration seems to be about equal opportunity employment, breaking barriers, etc.  Baginski is a career NSA gal who was tapped by FBI Director Robert Muller to reform the FBI’s handling of domestic intelligence.  It was suggested that major restructuring within the government might be required to integrate ‘cyber’ as a separate but equal department.-

Twitter links powered by Tweet This v1.8, a WordPress plugin for Twitter.

Get Adobe Flash player