Year: 2014

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Cyber Warfare: The Next Threat to National Security and What To Do About It (2010) by Richard Clarke and Robert Knake

This book covers a lot of ground. It’s essential to the cyber warrior who needs to understand the historical context around the evolution of defending any nation in cyber space. For international policy makers, it is a good place to start for a real discussion about substantive policies that the international community should consider.

For the commercial security folks, read this book if you want insight into how government policy makers frame the problem and what they would want to implement if they could. Even if you do not agree with the policies, you will come away with a better understanding of what they want. Richard Clarke and Robert Knake discuss the nature of cyber warfare, cyber espionage, cyber crime and cyber terrorism and provide specific examples of several.

In the last five years, we’ve seen a plethora of books on cyber warfare hit the market. I’ve read several, but I prioritized Clarke’s book because of his background. Before he retired from government service, he served three different US Presidents as the Special Assistant to the President for Global Affairs, the National Coordinator for Security and Counterterrorism and the Special Advisor to the President for Cybersecurity.

Clarke and Knake published “Cyber Warfare” in April 2010, just months short of when the public became aware of STUXNET. Some of the things Clarke suggests could have used the context of STUXNET – it was a game-changing event in the security community – but for the most part, I like what Clarke brings to the table.

Because of his background, this book is about policy and not really about how a nation might deploy assets in a cyber war. Specifically, it is about what the US should consider adopting going forward when considering the implications of an all-out cyber war.

He starts with a history of cyber events to demonstrate why we need the policy. He covers the usual suspects, but in some instances, the events Clarke cites aren’t really about cyber warfare at all. Two of them, Moonlight Maze and Titan Rain, are specifically about cyber espionage, and Eligible Receiver is about computer network defense. Others, including Estonia and Georgia, see, barely to meet Clarke’s own definition of cyber warfare:

“[T]he term “cyber war” … refers to actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption.”

What all of these events have in common, however, is that they shaped Clarke’s thoughts on what to do about cyber warfare. Eligible Receiver proved that Department of Defense networks are vulnerable. Even after a decade, there’s still evidence to suggest that DOD networks are as porous today as they were back in 1997.

Moonlight Maze was the proverbial wake-up call, however. The dictionary definition of asymmetry is a “Disproportion between two or more like parts.” Clarke says that when a nation sits on the high end of that equation (the US for example), they have a high degree of “cyber dependence.” In other words, that nation depends greatly on cyber for it to function. If that is out of balance, an asymmetric advantage develops and cyber defense becomes more important than cyber offense. Another event in the last decade, Titan Rain, proved again how weak the DOD networks were and how successful Chinese cybercriminals had been in pursuing their asymmetric vision.

From there, Clarke describes examples of how various nation states have experimented with cyber warfare in the past, particularly the US, Russia, Israel and North Korea. With this history lesson complete, Clarke makes the case that the US defenses against these kinds of attacks are weak, both for government networks and for commercial networks, and spends the rest of the book talking about what should be done about it.

Clarke’s bottom line is that, painful as it might be, the US will require sweeping new laws, regulations and policy in order to protect the nation from this threat. He points out that Cyber Command is responsible for defending the DOD networks and that the Department of Homeland Security is responsible for protecting the non-DOD government networks.

Nobody is responsible for protecting the commercial side. That might seems short sighted when you lay it out like that, but in truth, is there much love lost between the commercial side and the U.S. government, whose track record on security isn’t all that good? The standoff between the US government and the commercial sector has been going on for well over a decade. Clarke’s point is that enough is enough. Tough decisions are required.

Clarke’s Proposition

Clarke’s proposition is the Defense Triad Strategy:

• Secure the US Backbone
• Secure the US Power Grid
• Install security best practices on all government networks (NIPRNET /SIPRNET /JWICS)

I totally agree with the first one. Today, the US Internet is a mix of commercial ISPs that interconnect with each other and the rest of the world based on business decisions. While all of the big ones cooperate with each other and with the US government, their first priority is to make money. If a large-scale attack on the financial system, for example, is launched from a foreign adversary, the US government has no first hand means to monitor the situation. They largely have to depend on the generosity of the commercial sector to share information.

Today, most of these commercial companies willingly share with the government, but the system is inefficient and will likely not prevent the first wave of attacks. Clarke’s point is that somebody from the government should be monitoring the US cyber perimeter. Privacy advocates will scream and detractors will point out that it is equally possible to launch an attack against the food system from within the US as it is from a foreign country. In his book, Clarke acknowledges those issues but advocates that just because they will be controversial does not mean we should not address them.

For Clarke’s second point, I was a little skeptical at first. Why single out power as the first priority among 18 different critical infrastructure sectors such as banking, and food? After further thought, though, it’s clear the reason the US is cyber dependent is because it has reliable power distributed across the entire nation. Take that out and the rest of the 18 critical infrastructure sectors come tumbling down after it.

For his last point, it is a little sad that in 2013 we have to suggest that the US Government should install basic best practice security measures (like need-to-know network segmentation, file encryption, and host-based intrusion detection technology) across all of its networks.

The fact that the government has not done this is a little scary, but it is my experience, having worked in and with federal government agencies for many years, that this is not an act of incompetence. It really comes down to cost. The US government networks are some of the largest in the world. To install all of that technology on every laptop and computer on three different networks is not cheap. In a world of limited resources, when you compare the trade-off between buying file encryption software to, say, buying body armor for deployed soldiers, file encryption is going to lose every time.

Clarke realizes that it is unlikely that any US leader will be able to push through these radical ideas from the start. In order to get there, he proposes six paths that the international community should work on in parallel:

• Broad public dialogue about cyber war
• Create the Defensive Triad
• International cooperation on Cyber Crime
• Cyber Arms Reduction beginning
• R&D for more secure networks
• President is required to make decision on Computer Network Attack (CNA)

Why Read It

I recommend this book, not least because of the debates it stokes. At the very least, an open and frank discussion of Clarke’s six parallel paths between international government leaders and commercial business leaders would not be a bad thing. Nothing can happen if we do not put everything on the table and discuss it. We can use a book like Clarke’s to get the conversation started.

[Source: Rick Howard]

 

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Trojan Horse (2012) by Mark Russinovich

Like “Zero Day,” another Mark Russinovich novel I recently reviewed for the Cybersecurity Canon, “Trojan Horse” is a book I’d recommend for casual readers. Cybersecurity professionals won’t learn anything new here, but all readers might enjoy wallowing around in a Tom Clancy-esque story with cybersecurity tech as the main focus.

The story picks up two years after “Zero Day” ended. Main character Daryl is now out of government service and working with her better half, Jeff, in his consulting firm. Jeff gets called in to track down a nasty piece of Malcode that changed the contents of an important UN document regarding the Iranian nuclear program prior to publication. Daryl comes in to assist and the two of them discover that the Chinese are behind the UN attacks. Their investigation leads them to stumble upon the Chinese attempting to deliver a STUXNET Eradicator tool to the Iranians.

STUXNET is the infamous Malcode that the west launched against Iran to prevent the nation from building an atomic bomb. (Earlier in the Cybersecurity Canon series, I looked at “Confront and Conceal,” a nonfiction book dealing specifically with this topic.) In “Trojan Horse,” Spy-vs-Spy-type hijinks ensue and our two heroes find themselves in all sorts of threatening physical situations from Chinese agents and their Muslim proxies. You know, all in a typical day for a geek.

That’s what I like about Mr. Russinovich. He throws a lot of ingredients into the pot, applies heat and stirs vigorously. While readers watch all of these things collide with each other, they also get a good history lesson on some recent cybersecurity issues and learn about some interesting hacks, some we have seen in the real world and others we have not seen but given the current cybersecurity landscape are quite possible.

Recent Cybersecurity History 

To sober the audience up a bit, Russinovich talks about the 2009 hacks against unmanned drones in the Middle East. Iraqi insurgents were able to capture video feeds from flying Predators by repurposing a $30 Russian software package called SkyGrabber that was originally intended to snatch music and videos that others are downloading.

Russinovich explains how the Chinese stole the plans for the Pentagon’s $300 billion Joint Strike Fighter jet by hacking into military systems. He also helpfully describes the forces involved in the Chinese Cyber Warfare program, specifically how there are three hacker contingents in the country — the Patriotic Hackers, the Militia and the PLA – and how none report to the same leader.

Russinovich also attempts to describe how STUXNET represents that first real-world example of Cyber Warfare. If you believe David Sanger in “Confront and Cocneal,” the US and Israel have demonstrated that cyber warfare is a viable middle ground option when it comes to diplomacy between sanctions on the one side and bombing and/or occupation on the other.

Just for fun, Russinovich talks about how Jeff and Daryl track down a Malcode author because the hacker placed his home address in the code. This sounds crazy, but this is something that actually happened in the real world. At a TED Talk in 2011, Mikko Hypponen described that very thing.

Hacking Techniques 

Russinovich packs a lot of realistic tech into this story. He needles the anti-virus industry for being behind on discoveries of new malware, explains what a keylogger is and then explains how a nation state in the story uses keyloggers to compromise UN officials.

He also talks about the long-standing cyber philosophy of Responsible Disclosure, in which it is fine for researchers to discover vulnerabilities in commercial software but they should not go public with that information until the vendor has had time to fix it. He also talks about how that practice is losing ground to the lucrative market for selling these kinds of things to governments and independent contractors willing to pay large sums of money for just the right Zero Day.

One of the most interesting things in “Trojan Horse” is that Russinovich has devised a scary new piece of Malcode that, if it existed in the real world, would be a spy’s dream come true. The Malcode in question is smart about how its victim operates. It knows that the victim writes position papers using the Microsoft Word program. In this case, a United Nations official is writing disparaging remarks about Iran’s nuclear program. Once the official saves the final draft, he cryptographically signs the document before he sends it to the intended recipient.

Signing the document like that guarantees the integrity of the file. When the receiver opens the document and verifies the signature, the receiver knows that the document he is reading is the same one that the sender gave him. But therein lies the rub. The Malcode understands that process and inserts itself into the seam. After the author saves the document but before he cryptographically signs it, the Malcode alters the document to say something that the Malcode author wants to be said.

I have not seen a piece of Malcode that does this in the real world, but it could be done. Russinovich even gives the Malcode the same “Call Home” design that the famous Conficker Worm used; essentially, generate thousands of random DNS names and systematically try each at random intervals. The Malcode author would place his command and control server at one of those names in the list of a thousand; kind of like hiding in the noise.

“Trojan Horse” is another fun romp in the political thriller genre that places cybersecurity geeks up front as the heroes. I don’t know that I’d call it a must-read for the cybersecurity professional, but it sure is a fun one.

[Source: Rick Howard]

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Zero Day (2011) by Mark Russinovich

A number of the Cybersecurity Canon candidates I’ve discussed so far have been heavier reads. But there are some lighter books I think are worthy of consideration, too. “Zero Day,” by longtime security researcher Mark Russinovich, is one of them.

I appreciate what Russinovich is trying to do with this novel: Tell an exciting, “Die Hard”-like story with interesting cybersecurity people and realistic tech and, at the same time, inform the general reader about how dangerous the current state of the cybersecurity environment is. In a presentation that Russinovich did at RSA in 2012 to supplement this book, he quoted Senator Joe Lieberman:

“To me it feels like it is September 10, 2001. The system is blinking red – again. Yet we are failing to connect the dots – again.”

One of the reasons I started this project was to talk about novels that discuss these ideas in a compelling way. Russinovich has devoted two novels to the idea: Zero Day and 2012’s Trojan Horse. He is also a geek of the highest order: a Microsoft Technical Fellow, a co-founder of the famous Sysinternals website and famous for his discovery of the root kit that Sony BMGinstalled on its music CDs back in 2005.

The good guys in the story are a Mr. Jeff Aiken, an überkind computer security consultant with a past, and Daryl Haugen, the US CERT director and no slouch in the technical prowess department. These two fight the US government bureaucracy in an effort to defeat a follow-on 9/11 cyberattack that is intended to destroy a significant portion of every data system in the US.

Along the way, the reader is treated to colorful descriptions of malicious code attacking an on-board in-flight aircraft computer system causing a near-crash, adjusting the geo-positioning system on a large oil tanker that causes a harbor crash and the spillage of millions of tons of crude oil into the harbor, tinkering with the Supervisory Control and Data Acquisition (SCADA) systems in multiple nuclear power plants, and controlling multiple manufacturing robots on an assembly line that eventually causes the murder of one of the human technicians.

The main hacker in the story is Superfreak (aka Vladmir Koscov), a Russian engineer who has found a way to make a pretty good living building elite malicious code for his benefactors. His benefactors are two Islamic brothers with ties to Osama bin Laden and who are intent on striking the US another significant blow after the first 9/11 attacks. One of the brothers even makes a special pilgrimage across the desert to receive his mission from bin Laden personally.

Russinovich uses this Tom Clancy-ish plot to push the story forward. Along the way, he takes the time to explain the cybersecurity environment to the average reader. He provides decent descriptions of the classic “Salami Slice” bank hack, the game-changing Slammer Worm attack of 2003 that compromised every machine on the planet that it was going to compromise in 10 minutes (some 75,000 victims), the E-Gold Money Laundering scheme (a blackhat internet service that was popular for a few years in the 2000s), and what a zero day vulnerability is. He makes the point about why the US is vulnerable to the plot’s cyber terrorism evil plan compared to other nations based on how completely the US has embraced the internet for day-to-day business.

I first read this book when Russinovich published it back in 2011, and it wasn’t one I recommended that often to cybersecurity friends. The characters aren’t always convincing and the plot favors “on the nose” resolutions instead of more realistic cybersecurity scenarios.

But as a very readable cybersecurity novel intended for a mass audience, it works. It’s important for non-technical audiences to think about cybersecurity issues, and in a business, for cybersecurity professionals to drive awareness. This is something several of my Palo Alto Networks colleagues have touched on and it’s worth repeating: cybersecurity is everybody’s problem.

[Source: Rick Howard]

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Confront and Conceal: Obama’s Secret Wars and the Surprising Use of American Power (2012) by David E. Sanger

This book is an interesting read for foreign policy buffs but a must-read for cybersecurity professionals interested in the evolution of cyber warfare. It is the first published book that chronicles the current US government’s thinking about the merits of cyber attacks as a middle-ground diplomacy option between invading a country on one hand and sanctions or negotiations on the other.

It is also the first book that gave the public details about operation “Olympic Games,” a multiyear covert operation that the governments of the United States and Israel directed against Iran that changed the cybersecurity landscape forever. Security pundits have been saying for years that cyber warfare is theoretically possible or, more precisely, that cyber weapons could cause physical damage on a massive scale. Olympic Games demonstrated conclusively that hackers can use a cyber vector alone, without the aid of other kinetic weapons, to destroy components of a country’s critical infrastructure.

Regardless of how successful Olympic Games ultimately was in slowing down the Iranian nuclear program, the use of cyber tools to inflict physical damage against your adversaries is now a viable option. Operation Olympic Games represents the world crossing the line between theory and practice, and this book is your guide to understanding that decision.

In addition to my February 24 presentation on the Cybersecurity Canon, I’ll also be discussing Olympic Games and its implications during a February 28 presentation at RSA 2014. But let’s look here at some of the particulars.

Stuxnet Revealed

In June 2012, David E. Sanger published an article in The New York Times proclaiming for the first time that the United States, in conjunction with Israel, was indeed behind the infamous Stuxnet malware attacks that targeted the Iranian nuclear enrichment plant at Natanz. The article set up his then-new book, which is our subject today.

In both the article and the book, Sanger demonstrated an unprecedented level of access to President Obama’s former staff members that provides insight into how leadership made important changes to American policy around offensive cyber operations. The book is a fascinating look at the inner machinery of how two presidents made decisions that changed US foreign policy; away from President George W. Bush’s “You are with us or against us” mentality into something Sanger calls the Obama Doctrine. I originally picked up the book because of chapter 8, “Olympic Games.” For the cybersecurity professionals in the crowd, this chapter alone is worth the price of admission.

Understanding Olympic Games

Olympic Games is the now-declassified US code name for the cyber initiatives aimed at degrading Iran’s nuclear enrichment capability. Many international leaders are afraid of what Iranian leadership might do if they were to get their hands on a nuclear bomb. Iranian leadership claims that their nuclear program is peaceful and is designed to provide electric power to Iran’s citizens.

In the past, the only options Western governments had to dissuade Iranian officials from their nuclear ambitions were economic sanctions and military strikes. But according to Sanger, as Iran got closer to its goal of building a working nuclear bomb during President Bush’s time in office, Israeli leadership became more and more anxious to pursue the military option since they believed Israel might be one of the first targets of such a bomb. President Bush was not keen on starting a fight with yet another Middle Eastern country. He was already fully engaged with Iraq and Afghanistan. He needed a different way to deal with the problem. The short version of the story is that Olympic Games became the in-between option.

Sanger fills in a lot of details about Olympic Games that many professionals suspected were true at the time but had no evidence to prove. He explains how the operation grew out of military channels under President Bush and how President Obama moved it over to intelligence channels during the first weeks of his administration for legal reasons. Sanger describes how at least as much work went into the legal justification for a covert action to destroy critical infrastructure in a country with which the United States was not at war as the amount of work that the coders did when they planned, built, and tested the actual cyber weapons. He describes how the operation used unwitting Siemens employees who were working at Natanz to transfer the malware into the facility, a facility that had no connection to the Internet. Siemens is the company that builds the supervisory control and data acquisition (SCADA) devices used at the plant to control the Iranian centrifuges that Olympic Games was meant to destroy.

All of this is fascinating detail, and Sanger’s book, along with his preceding Times article, was the first time that the public became aware of it. More importantly though, Sanger’s book marks a spot where cyber warfare moved from a theoretical idea to practical implementation.

Before Olympic Games, security pundits only pontificated about the possibilities of cyber warfare. Some estimates claim that the damage done by operation Olympic Games caused Iranian engineers to replace more than 4,000 damaged centrifuges out of the 9,000 that were on site at Natanz. This is a true cybersecurity warfare event. The world has changed, and you cannot put that genie back in the bottle.

This past year, cyber attackers destroyed the data residing on 32,000 computers from a number of Korean companies, including Shinhan Bank, Nonghyup Bank, Munhwa Broadcasting Corp., YTN, and Korea Broadcasting System. Public attribution is unclear, but the South Koreans believe the attacks came from North Korea. If that’s true, the attack represents the first example of another nation taking its cues from the United States and Israel and operation Olympic Games. I expect that this is just the beginning.

The Tech

Sanger details the three phases of the operation. The first step was to build and deploy a “beacon” designed to map the network at Natanz and get the information back to the United States. The second phase was to build and test the “bug,” the malware that would destroy the centrifuges. The last phase was to deploy and upgrade the bug on the fly to seek new and better targets.

According to Sanger, the intent of Olympic Games was not to destroy the plant completely but to play mind games with the Iranian technicians, to cause confusion within the technical ranks, and to add time on the clock for the inevitable day when Iran would succeed in making enough nuclear material to build a bomb. The jury is still out on whether Olympic Games succeeded, but Sanger uses the operation to make a larger point about the change in US foreign policy under President Obama.

Conclusion

The book is an interesting read for foreign policy enthusiasts, but the Olympic Games chapter in particular is a must-read for every cybersecurity professional interested in the evolution of cyber warfare.

Security pundits have been saying for years that cyber warfare is theoretically possible or, more precisely, that cyber weapons could cause physical damage on a massive scale. Olympic Games demonstrated conclusively that hackers can use a cyber vector alone, without the aid of other kinetic weapons, to destroy components of a country’s critical infrastructure. Regardless of how successful Olympic Games ultimately was in slowing down the Iranian nuclear program, using cyber tools to inflict physical damage against your adversaries is now a viable option. Operation Olympic Games represents the world crossing the line between theory and practice, and this book is your guide to understanding that decision. This book is part of the canon, and you should have read it by now.

[Source: Rick Howard]