Tag Archive: Critical infrastructure


Legal Challenges to Advancing Cybersecurity

Georgetown University’s Institute for Law, Science, and Global Security hosted a discussion this morning between the Institute’s Director, Dr. Catherine Lotrionte, and US Cyber Command’s Legal Counsel, Col. Gary Brown*, on the topic of “Legal Challenges to Advancing Cybersecurity.” The purpose of the discussion was to highlight some of the lessons learned from a conference held last year on the same topic, in which policymakers and other leaders in cyber attempted to tackle the legal complexities of cybersecurity.

Heritage Event on Cyber Threats

The Heritage Foundation held an event this morning on cyber threats, with particular attention paid to House Intelligence Committee Chairman Mike Rogers’ bill, HR 3523 - the Cyber Intelligence Sharing and Protection Act of 2011.

Gen. Cartwright on Recent Developments in Cyberwarfare

Yesterday, the Hudson Institute hosted a discussion between Harold Furchtgott-Roth and Gen. James Cartwright (USMC, ret.) entitled “Recent Developments in Cyber Warfare.” Cartwright served as Commander, U.S. Strategic Command, and later as Vice Chairman of the Joint Chiefs of Staff. He is currently the Harold Brown Chair in Defense Studies at the Center for Strategic and International Studies (CSIS).

Cartwright began his discussion by noting that the underlying assumptions about how the Department of Defense (DOD) views cyber and has organized itself in that respect are not well understood, and that he wanted to rectify some of those misconceptions.

The Marshall Institute hosted a panel discussion Tuesday afternoon addressing the role of government in private sector cybersecurity. The panelists were Dan Gallington, Senior Policy & Program Advisor at the Marshall Institute; Dr. Lani Kass, CEO of Drywit LLC; and Dmitri Alperovitch, President of Asymmetric Cyber Operations LLC. The discussion was moderated by Dr. John Sheldon, Professor at the School of Advanced Air and Space Studies, Air University, Maxwell AFB.

Sheldon provided some context before the discussion began, observing that 85-90% of the cyber infrastructure in use is held in private hands; that cyberattacks (or the reporting of them) are on the rise; and that the federal government is carefully evaluating its role in cybersecurity, with proposals from the White House and various legislators under consideration in Congress.

Gallington spoke first, and started off by noting that “cybersecurity” encompasses many subjects and thus any discussion of it needs to clarify the precise topic at issue. For the purposes of his talk he focused on defense. An interesting point he raised was the dichotomy between how China and Middle Eastern countries are focused on content-based defense (i.e., stemming anti-government rhetoric and other “inflammatory” material) whereas the United States is focused on technical defense (i.e., anticipating and mitigating threats to critical networks, infrastructure, etc.). He suggested the experience with CALEA is evidence that indirect government control or regulation does not ensure implementation of what he called “cyber requirements,” presumably referring to cybersecurity standards and other measures.

These factors, along with our reliance on the massive privately held cyber infrastructure and the fact that this infrastructure was not designed with 21st century threats in mind, have resulted in our adversaries having “huge cyber leverages” over the US. As part of this conclusion he noted how the US stands alone in having some semblance of privacy: whereas in most other countries when you pick up the phone you know that the state’s intelligence authorities are listening in, the US has many laws on the books that make this task relatively difficult. This is a virtue, but it also presents challenges in how the US responds to the myriad threats it faces.

Responding to the concern that the US could be subjected to a “Cyber-9/11” or “Digital Pearl Harbor,” Gallington asserted that although the US is vulnerable to “shutdown attacks,” US systems represent too much of a “fat” or valuable target for such an attack; collectively they are a golden goose that is worth more alive than dead. Gallington’s theme seemed to be that the US is living in the past, caught between the stovepipe treatment of cyber, in terms of both technical aspects (offense / defense / counterattacks) and bureaucracy (law enforcement / national security agencies / other federal agencies), and a general lack of experience and knowledge in all things cyber among those in positions of power.

As an example of the right approach to cyber, Gallington recommended the DHS Privacy Impact Statement that was published earlier this year. I’m working on finding the precise document to which he was referring, and will update this post when I have.

Dr. Kass spoke next, and began by recalling how she was asked by the US Air Force in late 2006 to help define cyber. She then gave the definition of cyber as an “operational domain characterized by the use of electronics and the electronic spectrum to create, store, modify, and exchange information via networked and interconnected information systems and telematic infrastructures.” Kass said the law of armed conflict (LOAC) should apply in cyberspace as it does in other domains, but noted that we have yet to develop rules of the road for this domain, and that the law lags behind technology.

She gave a strong statement about the importance of cyberspace as a domain, claiming “if you lose the domain, you lose the war.” Kass went on to note how cyberspace is the US’s center of gravity, and its Achilles’ heel. The opposition knows this, she continued, and knows that the US is uniquely vulnerable in this regard.

Another key distinction in cyber is that the damage one inflicts is disproportionate to one’s level of investment – that is to say, given the asymmetries of cyber conflict and the relatively low entry costs, it is easy for the proverbial David to slay Goliath. She called the photon (or electron) the ultimate “precision guided munition,” observing that an adversary need not match the US jet for jet or tank to tank to engage us. In fact, she noted, cyber tools are the “ultimate bargain hunters’ way” of destroying the West.

Kass continued on this path, declaring that the first battle of any war is the battle for control of air, space, and cyber space, and that freedom of action in those domains is absolutely crucial. Victory can only be achieved, she noted in conclusion, through control of the electromagnetic spectrum.

Finally, Dmitri Alperovitch took to the podium. He began by discussing major cyber breaches, with targets including governments (Japanese Parliament as a recent example), private sector (Sony, Epsilon), and military (US DoD). He briefly discussed his work in uncovering major cyberespionage operations this year. This is only the tip of the iceberg, he cautioned. To make his point clearer, he suggested that there are two types of companies in the Fortune 1000 – those who know they’ve been compromised and those that do not. The threat is that pervasive, he observed, and cyber is an “indefensible domain.”

He disagreed with characterizations of a “Cyber-9/11” or “Cyber Pearl Harbor,” saying the reality is more akin to “death by a thousand cuts.” This, he said, is an unprecedented transfer of wealth from the US to China, and is de facto pillaging. Alperovitch challenged the claim that attribution is an insurmountable obstacle, and while admitting that challenges do exist, asserted that it can be done.

As far as solutions or remedies for this rampant theft, he suggested we need to develop deterrence to block attacks. We must explore all types of influence to halt Russia’s and China’s efforts in this area. To do so, he continued, we need to figure out what they care about. Alperovitch concurred with Gallington that those countries are concerned with regime preservation and the ever-vexing “Facebook rumors” web content. Instigating these types of rumors might be one avenue for response, along with trade sanctions and WTO measures.

Upon Alperovitch’s conclusion, a fairly robust Q&A session began. The first topic up for consideration was the role of government in protecting “dot com” domains. According to Sheldon, DHS is responsible for “dot gov,” DoD for “dot mil,” and “dot com” sites are left to fend for themselves. This jibes with remarks made by Secretary Lynn back in 2009. One panelist claimed DHS has the authority to protect “dot com,” while the rest of the panel disagreed. My cursory review of the Homeland seems to support the panel’s conclusion that DHS is not vested with any authority to protect commercial networks, though I’d welcome any comments that can clarify this matter.

Another area briefly considered was the liability of companies for data breaches. Alperovitch seemed amenable to the idea, though he indicated liability ought to depend on who the attacker is. He suggested if a company’s system is penetrated by a 14-year-old living in his mom’s basement, the robustness of that network is questionable and that company should probably be on the hook. Alternatively, if the network is instead penetrated by a nation state with vast cyber capabilities, that company doesn’t really stand a chance of defending against such an attack. The only remedy, he joked, was not to have anything worth stealing.

With that, the panel concluded. In all it was a valuable discussion, and the Marshall Institute should be commended for placing these issues up for debate in the public sphere. I highly recommend attending future events if you’re in the DC area. You can find out more about them at the Institute’s website, http://www.marshall.org.

Paul Mutter at Foreign Policy in Focus reports on an article by author Richard Sale, in which Sale claims major software developers are working in cahoots (I’ve always wanted to use that word) with Israeli cyber experts to devise a new piece of malware based on Stuxnet, capable of shutting down “Iran’s entire software networks” should the regime get too close to “breakout.” Mutter provides some thoughts on the matter:

Far from being a deterrent, this new malware has the potential to be the software equivalent of the Strategic Defense Initiative. Yet while “Super Stuxnet” might turn into a U.S.-Israeli trump card, it also has the potential to become the electronic equivalent of Operation Fast and Furious.

Read Mutter’s full piece. We’ll look for other commentary on Sale’s article and post accordingly.

Potential for Stuxnet Blowback

Tom Gjelten at NPR has a piece discussing the view of some analysts that the advent of Stuxnet heightens the risk of blowback in the form of similar efforts against US critical infrastructure and other sensitive targets:

But for people who worry about the security of critical U.S. facilities, Stuxnet represented a nightmare: a dangerous computer worm that in some modified form could be used to attack an electric or telecommunications grid, an oil refinery or a water treatment facility in the United States.

“It’s just a matter of time,” says Michael Assante, formerly the chief security officer for the North American Electric Reliability Corporation. “Stuxnet taught the world what’s possible, and honestly it’s a blueprint.”

China Denies NASA Satellite Hacking

Sui-Lee Wee at Reuters in Beijing reports that the Chinese government has denied any involvement in the hacking of two NASA satellites. A spokesman for the PRC’s Foreign Ministry attributed the suggestions of China’s involvement in the matter to “ulterior motives.”

(H/T Hillicon Valley)

It’s not too often that we get to post an item that fits within all three categories here (Cyber, Space, and Technological Domination), but today is one of those days. Tony Capaccio and Jeff Bliss at Bloomberg Businessweek discuss revelations from an upcoming report by the U.S.-China Economic and Security Review Commission indicating that hackers, possibly linked to the PLA military apparatus, accessed US satellites and disrupted their operation by penetrating the ground control systems for those satellites.

Among the affected satellites were a Landsat-7 and a Terra AM-1, both of which are used for Earth observation activities. The hackers allegedly gained the ability to “control the satellite,” though apparently did not actually do so. This isn’t the first revelation of China’s anti-satellite capabilities: China has used ground-based lasers to “dazzle” satellites belonging to the US and France, though as the Economist notes additional countries have that ability, including the US, Britain, and Japan. The Chinese also shot down a weather satellite in 2007, leaving behind over 150,000 pieces of debris in orbit.

While dazzling is generally not destructive in nature, the potential harm that could be wrought through gaining control of another country’s satellite is immense. One could foresee any number of possibilities, from moving a satellite out of its orbit to shutting down surveillance or communications equipment on it, to rendering it an expensive and dangerous piece of space junk.

The report isn’t scheduled to be released for another month, so we’ll continue to follow this development.

Japan’s MHI Story Gets Messier

James Simpson at Japan Security Watch reports on the latest revelations in the Mitsubishi Heavy Industries intrusion, with indications that information relating to Japanese defense assets and nuclear power infrastructure was among the compromised data:

Officials are suspicious that information relating to combat defense equipment and nuclear power plants has been leaked in the cyber-attack incident at Mitsubishi Heavy Industries. From the left-over traces of the information transmitted to the outside world, it is said to be highly possible that something was stolen. Suspicions have begun to surface that the virus that infected MHI circulated military information.

Duqu – a new Stuxnet-like threat?

A few outlets are discussing a new report from Symantec regarding a new piece of malware that has entered the digital ecosystem, exhibiting many similarities to the Stuxnet code. There are a few key distinctions, however.

From Mike Lennon at SecurityWeek:

According to Symantec, early samples of the malware were seen in Europe, with one revealing a compilation date as late as October 17, 2011 that Symantec is currently analyzing. Initial findings compared Duqu to Stuxnet, with parts of it nearly identical to Stuxnet—but it appears to serve a different purpose and does NOT contain code that would target industrial control systems.

Instead, Duqu’s primary purpose appears to be a remote access Trojan, or RAT (an acronym for Remote Access Tool), that can provide a way for attackers to install other forms of malware that can record keystrokes and collect other system information.

And from Robert Vamosi at Forbes:

At this time Duqu does not propagate and has been released only within targeted industries, although Symantec admits it may also be elsewhere and not yet discovered. The original compile dates on some of the variants of Duqu so far analyzed suggest it may have existed as far back as November 3, 2010. Stuxnet compile dates were between June 2009 and March 2010 and therefore pre-date Duqu.

Clues to Duqu’s origin do exist. For example, it uses a digital certificate set to expire August 2, 2012, issued from a company in Taipei, Taiwan. F-Secure’s Hypponen thinks the certificate might have been stolen from C-Media in Taiwan. Symantec says that certificate was revoked on October 14, 2011.

You can read Symantec’s report here.
