So what's new in the Defense Department's new report about Chinese military capabilities? The biggest news seems to be that the Pentagon is actually saying that Chinese-military hackers are attacking its networks. Not that this should be news to readers of Killer Apps.
The report states that numerous U.S. government computer systems around the world are being "targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military." It goes on to say that China is using cyber espionage to collect intelligence on U.S. diplomatic, economic, and "defense industrial base sectors that support U.S. national defense programs."
The same skills being used by Chinese cyberspies to steal information could easily be used in a destructive attack against U.S. networks, the report points out.
Preventing cyber espionage and cyber attacks is "a consequences calculation and the consequences aren't there," said one Senate staffer who works on cyber issues. For "everybody from your common hacker to your professional hacker to the nation states, the consequences aren't there" to deter these kinds of actions.
He went on to compare the current era of cyber espionage to the "Napster days" of free music downloading.
"There was nothing that was going to deter college-age students from ripping off music until there was a consequence that was associated with it and the RIAA [Recording Industry Association of America] had to go out there and start suing," said the staffer.
Richard Bejtlich, chief security officer at Mandiant, thinks that while it's important for the U.S. government to call out the Chinese government's bad behavior, it's going to take more than harsh language to deter state-backed cyber espionage. (Remember, Mandiant is the firm that published a report in February detailing the exploits of what is believed to be a PLA hacking unit against worldwide targets, including the U.S. government.)
"It's important for noncommercial, government entities like DOD to make definitive statements on Chinese cyber capabilities," Bejtlich told Killer Apps. However, "because the Chinese consider espionage a tool for economic development, and the economy is one of their top national security concerns, they will not change course if the U.S. only complains with words. They are more likely to constrain their behavior if the U.S. imposes specific sanctions and exercises all elements of national power."
Bejtlich's comments echo those of Rep. Mike Rogers, chair of the House Intelligence Committee who has repeatedly urged the State Department to impose sanctions on any foreigner found to aid cyber espionage against the United States government or businesses.
This week's crash of a civilian cargo jet at Bagram airfield in Afghanistan highlights the fact that the U.S. military relies on a private air force to move enormous amounts of supplies and numbers of people around the globe.
The jet that crashed at Bagram (shown above) was a Boeing 747-400 that had been converted from a passenger jet into a freighter for Florida-based National Airlines, one of the many little-known civilian carriers that keep the U.S. military and intelligence agencies supplied around the globe. The plane was said to be transporting five MRAP armored vehicles (which are incredibly heavy) from Afghanistan to Dubai -- a route the airline had been flying for about a month prior to the crash.
Here are just a few more of the many private airlines that serve the U.S. government on a regular basis:
Spend any time at BWI Airport and you'll see MD-11s sitting on the ramp, painted in the livery of World Airlines, a contractor that flies U.S. troops to Europe and the Middle East. They usually operate out of a terminal reserved for the U.S. Air Force's Air Mobility Command -- the organization that operates more than a thousand cargo and tanker aircraft such as C-5 Galaxies, C-17 Globemaster IIIs, C-130 Hercules, KC-135 Stratotankers, and KC-10 Extenders. Despite all these planes dedicated to moving troops and materiel, the service still contracts with dozens of private airlines.
Frequently sharing ramp space at BWI with World Airlines is North American Airlines, the company that provided a Boeing 767 for Barack Obama's 2008 presidential campaign. The charter-jet provider operates five 767s that are frequently used to ferry U.S. soldiers around the world.
The Washington state-based Evergreen Aviation is supposedly one of the successors to the CIA's legendary Air America -- famous for hauling everything from chickens to drugs (allegedly) throughout Southeast Asia during the Vietnam War. (In 1968, an Air America UH-1 Huey chopper actually shot down a Soviet-made An-2 Cub cargo plane flown by the North Vietnamese air force.) The company has done everything from supporting CIA missions to operating one of the largest aerial firefighting aircraft in the world: the Evergreen Supertanker, an old 747 passenger jet that was converted to carry more than 20,000 gallons of fire suppressant.
Tepper Aviation is a company that operates a fleet of ghost-white Lockheed L-100s (the civilian version of the C-130 Hercules), allegedly conducting missions for the CIA all over the globe, possibly including prisoner transport. As would be expected, Tepper has no website. However, if you search Google Maps for the small airport in Crestview, Fla., where Tepper is reportedly based, you'll find a large facility on the southeast corner of the runway with a U.S. Air Force C-130 parked nearby and a hangar with the logo of defense giant L-3 Communications painted on the roof. (Click here to see apparent pics of the flight deck of one of Tepper's planes while it was stopped in Japan with some "diplomatic" cargo aboard.)
And who can forget Presidential Airways. This former Blackwater subsidiary is famous for a 2004 incident in which a CASA 212 ferrying U.S. troops from Bagram to Farah, Afghanistan, crashed into a canyon wall after the pilot became disoriented, killing three soldiers and three civilian crew. This incident brought attention to the fact that small carriers were hauling U.S. troops around battlefields even though the U.S. Air Force, Army, and Marines have thousands of planes and helicopters designated for such tasks. Despite increases in the number of military tactical airlifter missions in the Middle East since then, the U.S. military still relies on contractors to support the massive task of keeping its troops supplied via air in Afghanistan.
We've been hearing for years now that the U.S. military's crop of slow-moving spy planes fielded for the wars in Iraq and Afghanistan -- ranging from MQ-9 Reaper drones to manned MC-12 Liberties -- will be totally useless in a fight against an adversary armed with sophisticated radars and anti-aircraft missiles (often labeled anti-access/area denial (A2/AD) weapons).
This, of course, is how the U.S. Air Force and Navy are justifying the development of a host of stealthy strike and spy jets (manned and unmanned), missiles and electronic warfare weapons designed to fight countries equipped with sophisticated weapons designed to keep U.S. forces far from their borders.
However, the Air Force's spy arm -- officially called the Air Force Intelligence Surveillance and Reconnaissance (ISR) Agency -- is experimenting with flying low and slow prop-driven spy planes in skies where advanced air defenses are present. In late February, the agency sent several squadrons of Air Force intelligence assets to play in the service's legendary air combat exercise known as Red Flag over the Nevada desert.
"One of the things that we need to figure out is how much risk would we have to take to fly airborne ISR assets ... in a non-permissive environment," said Col. Mary O'Brien, commander of the Air Force's 70th ISR Wing, during a speech late last week. "Initially, we had said, 'well you could never fly them because there would be risk.' But one of the things that you can practice at Red Flag is you can build a package that includes defenses and then see."
The agency managed to successfully fly a propeller-driven MC-12 Liberty -- based on Beechcraft's civilian King Air -- to collect intelligence in the face of a simulated advanced air defense network that featured Soviet-designed SA-6 surface-to-air missiles.
"It was not shot down but that's a case of one," said O'Brien. "It made us say, 'this should be perhaps an exercise objective in a future Red Flag.'"
(While the MC-12 is a slow, twin turboprop of the type you'd see at your average small town airport, it might help that the SA-6 is a 1970s-vintage system used by dozens of countries that the United States has had decades to figure out how to defeat.)
She went on to say that while advanced enemy air defenses would pose a big threat to planes like the MC-12, U.S. forces may be able to provide such planes with protection for just long enough to collect some pieces of vital intelligence.
"How long do we need to operate in that environment?" asked O'Brien. "Maybe you don't need air supremacy and maybe you only need air superiority for this amount of time depending on what you want to do."
The whole point of sending prop-driven ISR planes into the fight is getting people to think about the notion that "hey, we don't need to sit everything on the ramp that we used in Iraq and Afghanistan.... Let's start thinking about" how these aircraft might play a role in a future fight.
She wouldn't say what type of protection the Liberty had as it flew its mission; it could have been anything from fighter escorts hunting down the enemy radar and missile sites to advanced electronic warfare gear that jammed enemy sensors, or some combination of both.
The Cyber Intelligence Sharing and Protection Act, better known as CISPA, just passed the House by a vote of 288 to 188. Meanwhile, the Senate is working on crafting its own bill aimed at facilitating information-sharing on cyber-threats.
"We are currently drafting a bipartisan information sharing bill and will proceed as soon as we come to an agreement," Senate intelligence committee chair Dianne Feinstein wrote in an email to Killer Apps.
Remember, CISPA allows private businesses to share "cyber-threat information" with each other and government agencies, including the military.
Earlier this week, the White House threatened to veto CISPA unless it was amended to require that information businesses share with the government go through a civilian agency, such as the Department of Homeland Security, before being sent to any military organization, such as the National Security Agency. The White House also wants to narrow the liability protections given to businesses that improperly disclose personal information or commit antitrust violations while sharing information with each other or the government.
"The version of CISPA that just passed the House floor includes an amendment that encourages, but doesn't require businesses to share cyber threat information with DHS instead of the military," a Hill staffer told Killer Apps.
Another amendment bans the U.S. government from using information gathered under the auspices of the bill to target a U.S. citizen for surveillance. Another one "reconfirms" that "the federal government may not use library records, book sales records, customer lists, firearms sales records, tax returns, educational and medical records that it receives under CISPA," said the staffer.
Last week, the House intelligence committee removed language from the bill that would have allowed companies to collect and share information for "national security" purposes. Privacy advocates who oppose CISPA claimed using the broad term "national security" would allow the government to spy on people online without a warrant. The committee also added an amendment requiring that information shared with the government be scrubbed of all personal information.
Still, these amendments weren't enough to satisfy privacy advocates such as the ACLU. Here's what Michelle Richardson, one of the ACLU's lawyers, said after the bill passed today.
CISPA is an extreme proposal that allows companies that hold our very sensitive information to share it with any company or government entity they choose, even directly with military agencies like the NSA, without first stripping out personally identifiable information. We will work with Congress to make sure that the next version of information sharing legislation unequivocally resolves this issue, as well as tightens immunity provisions and protects personal information. Cybersecurity can be done without sacrificing Americans' privacy online.
The big questions that remain are whether the White House still opposes CISPA and whether the Democrat-controlled Senate will permit language included in CISPA to pass the conference process. So far, the White House has remained mum on today's news.
Last year's White House-backed Cyber Security Act of 2012, sponsored by former Senators Joe Lieberman and Susan Collins, failed to pass the Senate because Republicans objected to the bill's call for minimal cyber-security standards for certain banks, energy firms, communications providers, transport companies, and other so-called critical infrastructure providers.
In February, the White House issued an executive order allowing the government to share intelligence on cyber-threats with businesses and encouraging minimal best practices for critical-infrastructure providers.
Investigators sifting through the flood of cellphone, surveillance camera, and TV footage of Monday's bombings at the Boston Marathon are being aided by technology similar to the software that the military has used to collect intelligence about IED attacks in Iraq and Afghanistan.
"There's a different twist to it this time. The different twist is the increased degree of crowd-sourcing if you will, in terms of providing information. You have many, many more sensors in the context of people with video devices in their smartphones," said retired Lt. Gen. David Deptula, who was in charge of the Air Force's intelligence efforts from 2006 to 2010. "You had many, many more collectors than we had in the past."
The amount of video and photo documentation of the marathon attacks may be unprecedented, so how do you sift through all that data quickly to find clues? Software, naturally.
As ABC News reported, investigators from the FBI's Operational Technology Division are likely using a computer program that can do things like recognize faces in a crowd if they match those listed in a criminal database. This is similar to the software that the military has been developing for years in an effort to quickly glean information from UAV videos.
As the U.S. military flocked to the skies of Iraq and Afghanistan with all manner of camera-equipped spy-planes, intelligence officials soon realized they were collecting far more footage -- thousands of hours a day -- than human beings could sort through in time to use the information it contained. The military turned to tech companies to produce software capable of quickly identifying certain things analysts were looking for -- say, a red Toyota pickup truck that had been seen at a bombing site.
"There are software programs that are out there that allow one to rapidly search through that information and key in on what the investigators may find of interest," said Deptula. "Exponential growth is not hyperbole when it comes to motion imagery, much less still imagery, because we've had an explosion in that kind of information. As the information [available] has grown, people have moved from human analytic teams to more automated means to sift through all that data."
"Let's say somebody reported that they saw somebody that was Caucasian, with a yellow sweatshirt, with powder burns on their hands running away before the explosion -- that's a hypothetical -- you could tell the software to look for a yellow sweatshirt, Caucasian running before a certain period of time," said Brian Cunningham, a former White House security official and now a senior advisor to the Chertoff Group who works with firms that develop this kind of software. New York City and London both have massive video surveillance systems that use similar software.
Still, another homeland security consultant who wished to remain anonymous tells Killer Apps that it might not be that easy. First of all, Boston doesn't have a massive, centralized video camera system the way New York does. Many of the images will come from people's phones and other private cameras, meaning that investigators will probably have to receive and review each photo and film clip individually.
"There are some automated tools that exist for this type of thing, but for the most part it's just a very labor-intensive process to go through things and try to correlate and sequence things in time and look for suspicious activity and then try to build a profile for how somebody's moving around," said the former DHS official. "There are capabilities like in London and lower New York where they can follow a person who is of concern as they walk from camera to camera. When you're dealing with public-source information it's just a different process."
Cunningham agrees that while the Boston Police Department or the FBI has the software capable of identifying a particular person or bag as they appear in the mountains of video, investigators still face the challenge of uploading all that footage so the software can analyze it. "The biggest challenge will be: how do you upload that volume of video onto a single server or a couple of servers that can be searched against?" he said.
Investigators have identified two people they want to talk to in connection with suspects (see the video above) in the Boston bombing. But, Cunningham said, "It's not clear yet whether it was good old-fashioned shoe leather as much as analytic software."
He explained how the process could work: "You'd figure out where the devices were, and while you had street cops out interviewing people and collecting video of cellphones and you would go to fixed cameras in department stores or ATMs and pole cameras that are right around the area of the devices" and then upload the footage into the software, said Cunningham. "They also may have just had officers sitting there watching the footage. Let's say there were 15 cameras that were fixed, that had a good line of sight of where the device was, then you could throw 100 officers at it; you probably wouldn't need software."
Cunningham also points out that investigators are working with cellphone companies to find cellphone records of the calls that were made close to the site of the explosions. Cellphones might allow them to find calls that were used to detonate the explosives. It's not clear if the explosives were triggered by timing devices or cellphones. Initial reports suggest that at least one of the suspects sought by investigators was actually talking with someone on the phone rather than triggering a bomb.
"Once they know what cellphone was his, that's the jackpot because they can find out where he was right before, and they can find out where he is today if he's dumb enough to be carrying that same cellphone," added Cunningham. Even if the phone the suspect used was a cheap, pay-as-you-go phone, investigators would immediately begin to look for the store where that phone was sold.
Today, the White House once again threatened to veto the Cyber Intelligence Sharing and Protection Act, CISPA, unless the bill incorporates additional privacy protections.
"The Administration recognizes and appreciates that the House Permanent Select Committee on Intelligence (HPSCI) adopted several amendments to H.R. 624 [CISPA] in an effort to incorporate the Administration's important substantive concerns. However, the Administration still seeks additional improvements and if the bill, as currently crafted, were presented to the President, his senior advisors would recommend that he veto the bill." (Underlines by the White House.)
"We have long said that information sharing improvements are essential to effective legislation, but they must include proper privacy and civil liberties protections, reinforce the appropriate roles of civilian and intelligence agencies, and include targeted liability protections," said National Security Staff spokeswoman Caitlin Hayden today.
CISPA -- set for a vote on the House floor tomorrow and Thursday -- allows private businesses to share information on cyber threats with each other and government agencies including the military. The bill died last year after the White House issued a veto threat, citing concerns that it would infringe on citizens' privacy rights.
Despite the veto threat, the White House said it looks forward to working with the committee to refine the information-sharing bill. Remember, the White House called for such legislation after it released its cyber-security executive order in February that allows the government to share information on cyber-security threats with businesses. But the executive order could only permit government-to-industry info-sharing; it couldn't mandate that industry share information, nor could it protect businesses that share such information from lawsuits.
Last week, the intelligence committee struck language from CISPA that would have allowed private companies to collect and share information for "national security" purposes -- a statement that was too vague for privacy advocates, who claimed this would allow the government to spy on people's online lives without a warrant. The committee also added language to the bill requiring that information shared with the government be scrubbed of all personal information.
Still, these steps don't go far enough for the White House, which wants the bill to do more to protect personal information and to place a civilian government agency -- namely the Department of Homeland Security -- in charge of receiving information from businesses instead of allowing the info to be sent directly to a military organization, such as the National Security Agency.
The Administration, however, remains concerned that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities. Citizens have a right to know that corporations will be held accountable - and not granted immunity - for failing to safeguard personal information adequately. The Administration is committed to working with all stakeholders to find a workable solution to this challenge. Moreover, the Administration is confident that such measures can be crafted in a way that is not overly onerous or cost prohibitive on the businesses sending the information. Further, the legislation should also explicitly ensure that cyber crime victims continue to report such crimes directly to Federal law enforcement agencies, and continue to receive the same protections that they do today.
The White House is also calling for the bill to reduce the amount of protection it affords companies from lawsuits if they improperly share private information or violate antitrust laws while sharing info on cyber threats with one another or the government.
The Administration agrees with the need to clarify the application of existing laws to remove legal barriers to the private sector sharing appropriate, well-defined, cybersecurity information. Further, the Administration supports incentivizing industry to share appropriate cybersecurity information by providing the private sector with targeted liability protections. However, the Administration is concerned about the broad scope of liability limitations in H.R. 624. Specifically, even if there is no clear intent to do harm, the law should not immunize a failure to take reasonable measures, such as the sharing of information, to prevent harm when and if the entity knows that such inaction will cause damage or otherwise injure or endanger other entities or individuals.
Despite a climate of what defense officials love to describe as "fiscal uncertainty," the Pentagon's 2014 budget request includes $4.7 billion for increased "cyberspace operations," including dozens of cyber attack teams, the Defense Department announced today. To give you some sense of just how much cyber has increased in importance over the last year, the DOD’s 2013 budget overview mentions "cyber" 47 times while the 2014 overview mentions it 153 times. Last year's budget provided $3.9 billion for cyber according to DOD Comptroller Robert Hale. This money will be used to "increase defensive capabilities and develop the cyber Joint Force," according to the budget proposal.
What's that mean in English? The billions will support the Pentagon's previously announced plan to field dozens of cyber-combat teams that will protect the country from devastating cyber attack.
Thirteen of these teams -- called "defend the nation" teams -- are geared toward offensive operations aimed at deterring cyber attacks. Twenty-seven teams will support battlefield commanders around the globe by giving them cyber attack capabilities. The remainder will focus on defending DOD's networks from cyber attack.
These teams will be composed of a mix of civilian and uniformed personnel at locations across the country.
The increased funding "provides manpower, training and support costs for regional cyber mission teams to be located in Maryland, Texas, Georgia, and Hawaii as well as other Combatant Command and military service locations," the budget proposal says. "In addition, manpower at the National Security Agency continues to be funded to provide both cyber security and intelligence support to the USCYBERCOM teams."
Continued investment in cyber is listed as one of the "Key Priorities" in the budget, along with missile defense, space programs, science and technology efforts, personnel pay, and funding National Guard and reserve forces.
Here are the other cyber highlights of the 2014 budget as listed by DOD:
- Continues to support the construction of the Joint Operations Center for USCYBERCOM at Fort Meade, Maryland. Planned construction begins in FY 2014 with occupancy scheduled in FY 2017.
- Provides funding to develop tools to automate vulnerability detection on classified networks.
- Provides funding for commercial software for data monitoring of defense networks that will identify and isolate suspect files for analysis.
- Continues to robustly support cyberspace operations Science and Technology programs.
- Continues to support defensive cyberspace operations providing information assurance and cyber security to the Defense networks at all levels.
- Provides funding to enhance cyberspace range capabilities by increasing capacity, improving pre- and post-exercise analysis, and mainstreaming and sustaining capabilities of the National Cyber Range developed by the Defense Advanced Research Projects Agency under the oversight of the Department's Test Resource Management Center.
We've heard plenty of civil liberties advocates object to the Cyber Intelligence Sharing and Protection Act (CISPA), claiming the bill harms privacy rights. However, one group opposed to the act argues that it actually allows businesses to commit the very behavior it aims to curb -- that is, it allows them to hack the computers of anyone they believe is hacking them.
"CISPA says that a company gets immunity for any decisions made based on cyber-threat information that they receive under the bill and based on cyber-threat information that they identify and obtain using cybersecurity systems," Greg Nojeim of the Center for Democracy and Technology told reporters in Washington this morning.
This is where Nojeim worries that the bill could permit an increase in hacking.
"What if one's decision in response to the receipt of cyber-threat information from someone you think is a bad guy is to render the sending computer inoperative?" asked Nojeim. "That's certainly within the scope of the legislation and would be completely immunized."
As Nojeim and his colleagues at CDT read it, CISPA could allow businesses that think they have discovered a hacker to hit back, or hack back, against malicious actors in cyberspace -- an action frequently referred to as active defense. (Yours truly has heard this topic debated plenty of times between lawyers who are against it and businesses who want to be able to defend themselves aggressively in cyberspace.)
CDT wants the bill's language tweaked to prohibit this behavior.
"What the bill does not say is, in looking for cyber threat information you can examine only your own network," said Nojeim. "If you think the cyber threat information is on somebody else's computer or on somebody else's network, you have authority, notwithstanding any law, to go get it . . . and immunity when you do."
Killer Apps reached out to one of the bill's sponsors, House intelligence committee chairman Mike Rogers, and one of his committee staffers told us that authorizing companies to strike back at hackers "was not the chairman's intent." Rogers "intends to address this issue in committee markup" by adding language specifying that the bill does not authorize businesses to break into other people's networks.
Rogers and the bill's co-sponsor, Rep. Dutch Ruppersberger, have insisted that they are working with the White House, privacy advocates, and businesses to address their concerns.
"We want to make sure that we meet the level of privacy concerns, and we think we can do that by working in some very direct language that expresses, in language, what we believe the bill already does but we want to reiterate that," said Rogers last week when announcing that the bill will come up for a committee vote this month.
As it's currently written, the bill specifically says that businesses can receive immunity from prosecution "for using cybersecurity systems to identify or obtain cyber threat information or for sharing such information in accordance with this section; or for decisions made based on cyber threat information identified, obtained or shared under this section."
"That authorizes hacking that would otherwise be a crime under current law, it authorizes cybersecurity criminal acts that are described in this very bill," Nojeim added. "The last place one would think you would find new authority to hack would be in cybersecurity legislation, but there it is."
Here's what Rogers said in December when asked how he felt about private entities fighting back against hackers.
"It's best not to go punch your neighbor in the face before you hit the weight room," said Rogers, in a warning to both public and private sector actors that are considering offensive actions to defend their networks under the growing trend of "active defense."
Government organizations and businesses are still figuring out the best way to defend themselves from advanced cyber threats. But, said Rogers, "until we have figured out how we will defend ourselves and our networks, I would be very, very, very cautious about using an offensive capability."
The lawmaker, speaking at an event at The George Washington University, added: "Now, you can't do a good defense if you don't develop the capability for offense...so I completely agree with [building offensive power]. I'm just very concerned about engaging [in offense] before we have the ability to defend ourselves because, guess what, something's coming back" to hit us.
Killer Apps kicked off the week with a quote about the true cost of cyber crime being equivalent to a rounding error when compared to the size of the overall economy. We're going to end it with an interesting quote about what might quell China's campaign of cyber-espionage and trade-secret theft.
"The old trope was always, the Chinese will begin to respect our intellectual property when they have intellectual property of their own to defend," said James Mulvenon, VP of intelligence at Defense Group, a consulting firm, during a breakfast in Washington yesterday. "What we're starting to see on the Chinese side is the intra-company hacking between Chinese companies is having almost more effect on their attitude about a cybersecurity regime in China, than it is about responding to our demarches about their activity."
We've been bombarded with messages from cyber security firms to lawmakers about a massive Chinese cyber espionage campaign for years. U.S. officials have been increasingly vocal in calling out China, and the White House just released its new strategy aimed at combating the theft of trade secrets via law enforcement and increased diplomatic pressure on China. One of the criticisms that I've heard many times is, what can the U.S. do if China simply ignores its requests to stop stealing U.S. trade secrets? If Mulvenon is correct, maybe all we have to do is wait.
Expect to see Congress take up legislation to punish nations and people that back global intellectual property theft and industrial espionage, House intelligence committee chairman Mike Rogers said today. Such legislation could revoke visas of those involved in economic espionage or sanction countries that back such behavior.
Such actions would punish "nation-states that steal intellectual property and repurpose it for government companies to illegally compete in the market," Rogers told reporters after a breakfast in Washington, alluding to Chinese intellectual property theft. "That's something I'm working on, and we've got some great bipartisan support on this and great bicameral support, and we'll have an announcement on this soon."
He added that legislation to punish countries engaged in economic espionage will not be included in the latest version of CISPA, set to be voted on next month, but rather it will be "announced and ready sometime this year."
He hinted that the legislation could also punish people who knowingly do business with foreign entities that rely on intellectual property theft for their business model.
"I steal from your house, and I come to [another person's house] and try to sell it, it is both a crime for me to steal it and a crime for you to take stolen property. This should be no different. The only difference is, the value of it is exponentially bigger," said Rogers, a former FBI agent.
Early last month, Rogers said the U.S. must do more to confront China on its state-backed economic espionage campaigns.
"We need direct talks with China and it needs to be at the top of a bilateral discussion about cyber espionage," Rogers told Killer Apps on Feb. 13. "This is a problem of epic proportions here, and they need to be called on the carpet. There has been absolutely no consequences for what they have been able to steal and repurpose to date." Rogers suggested that the U.S. implement trade sanctions and identify "individuals who participate in this, go after their visas, go after family travel, all of the levers we have at the Department of State. The problem is that bad."
Last month the White House unveiled its strategy to combat the international theft of intellectual property and trade secrets. This effort is focused on international law enforcement efforts to catch IP thieves and diplomatic cooperation aimed at curbing state-backed theft of trade secrets.
We hear a lot about Chinese and Iranian hackers, but we don't usually hear much about North Korea. In the wake of this week's cyber attacks against South Korean banks and television stations, though, there have been several news reports claiming North Korea is one of the world's top cyber players. (The image above shows South Korean cyber investigators looking into this week's attacks) While there's no doubt that the North Korean military has growing cyber capabilities, most experts wouldn't put them at the top of the list in terms of ability or sophistication.
"Limited internet access, limited electricity, bad infrastructure means that North Korea isn't a place you'd look for a hacker culture," Jim Lewis of the Center for Strategic and International Studies told Killer Apps today. "The tendency is to overestimate their capabilities. When you look at their nuclear weapons or their missiles, yeah they have them, but they're pretty primitive. Hacking probably tracks with their other programs."
"Are they trying? Sure, they've been trying since 1995, 1996 when Korean diplomats in the UN began to take computer programming courses in New York," added Lewis. "But the idea that they have low capabilities in all these areas and high capabilities in this one area [cyber] is just a little bit hard to believe."
Here's what the intelligence unit at cyber security firm Mandiant tells Killer Apps about the North Korean military's cyber endeavors:
While we are unable to determine the extent of North Korean cyber capabilities, we anticipate they may be capable of offensive cyber operations, cyber espionage, and surreptitious intelligence collection on individuals or organizations they perceive as threatening.
North Korea's Automation University graduates around 100 skilled cyber specialists each year and several academies and schools in North Korea now focus on training electronic warfare specialists that support at least two hacker brigades. The majority of North Korea's cyber activities, as reported in the open press, have focused on South Korea. However, we consider that North Korea could target U.S. commercial entities for military or dual use technologies it lacks due to ongoing trade sanctions. During times of heightened political tensions, targeting critical infrastructure or computer networks of either South Korea or the United States might appeal as a perceived lower-risk form of escalation.
We believe North Korea will become more active in the cyber domain as the regime struggles to maintain legitimacy as a military power amid international scrutiny surrounding its nuclear program. Computer network operations employed as a lever of influence, coercion or disruption might appeal to North Korean authorities constrained by the sanctions regime.
Army Gen. Keith Alexander, head of U.S. Cyber Command, yesterday said that civilian agencies should have the lead in responding to most cyber attacks on U.S. soil.
"From my perspective the domestic actor would be the FBI," said Alexander, responding to a question from Rep. Joe Heck about the command's role in responding to cyber attacks that originate in the United States. "We share our tools with the FBI. They work through the courts to have the authority to do what they need to do in domestic space to withstand an attack."
Cyber Command and FBI Director Robert Mueller have "come up with a way that he would do inside [the U.S.] and we would do outside," Alexander added, in testimony to a House Armed Services subcommittee.
Alexander went on to point out that DOD, the FBI, and the Department of Homeland Security are hammering out ways to share information on cyber threats extremely quickly -- figuring out where the attack is coming from; determining whether it's a criminal, espionage, or destructive attack; and allowing the appropriate agency to take the lead while receiving support from the others.
"There may be points and times where you have, you know, significant attacks where we need to change parts of that [civilian-led response structure], but the key thing is to have him [Mueller and the FBI] do inside the country," said Alexander. "He would work with the courts as appropriate to do his portion of the mission. Outside the country, that's where we would operate." (Click here to read about the offensive cyber teams that DOD is standing up to conduct operations outside the United States.)
It's worth noting that some of the teams that Cyber Command is establishing to "operate and defend" networks will work closely with "DHS and FBI as required," said Alexander.
Still, as Alexander noted, "the Defense Department will do its part to defend the country. It's not going to just defend itself. Our job is to defend the country and the focus would be obviously on critical infrastructure, just as it would be in kinetic and other things."
He elaborated on the key questions that govern the debate as to when the military becomes deeply involved in responding to a cyber incident.
"The issue becomes, when does an exploit become an attack, and when does an attack become something that we respond to? Those are the policy decisions, and the red lines that go to those will be policy decisions" for the White House, said the four-star. "Our job would be to set up the options that the president and the secretary could [use] to stop [destructive cyber attacks from an outside enemy]. And as you may recall, both the former president and the current president have both said that they would keep the options open in this area. I mean, I think that's reasonable, from using State Department to demarche, all the way over to kinetic options or cyber. So they have that whole range."
Army Gen. Keith Alexander, head of United States Cyber Command, dropped several interesting nuggets about the military's cyber forces during a Senate Armed Services Committee hearing today.
First off, the command is fielding 13 offensive cyber teams that are tasked with deterring destructive cyber attacks against the United States. While Alexander said these are offensive teams, he insisted their role is defensive: "Let me be clear, this defend-the-nation team is not a defensive team, this is an offensive team that the Department of Defense would use to defend the nation if it were attacked in cyberspace."
If you have trouble making sense of that, you're not alone. After the hearing, Alexander compared the teams to missile defenses. (Click here to read some of the Defense Science Board's recent suggestions for deterring destructive cyber attacks with some pretty offensive weaponry.)
"We are already developing the teams that we need, the tactics, techniques, and procedures and the doctrine for how these teams would be employed, with a focus on defending the nation in cyberspace," said Alexander in his opening statement.
In addition, the command is developing 27 teams that will provide assistance in planning offensive cyber operations to the regional combatant commands -- the military organizations around the globe that are tasked with actually fighting wars.
Finally, the command is organizing a number of teams, Alexander didn't say how many, aimed at defending the military's networks against cyber attacks.
"Those three sets of teams are the core construct for what we're working with the services to develop our cyber cadre," said Alexander. "The key here is training our folks to the highest standard possible."
One third of these teams will be stood up by September 2013, the second third in late 2014, and the final third will be in place a year after that, he told lawmakers.
The Army four-star also said in his written statement that in addition to 917 troops and civilians at Cyber Command headquarters in Maryland (with a budget for FY13 of $191 million), there are more than 11,000 people from all four armed services working cyber issues for the command. (Click here for Killer Apps' recent look at the total expected number of cyber troops in the U.S. military. The numbers we saw were a lot higher than 11,000.)
Alexander's testimony comes as Defense Secretary Chuck Hagel is looking at whether or not to elevate Cyber Command to a full-unified command. Cyber Command currently reports to U.S. Strategic Command.
Later in the hearing Alexander said he agreed with Sen. Lindsey Graham's (R-SC) statement that a major cyber attack that devastated the U.S. power grid would do "as much or more damage" as the 9/11 terrorist attacks. On the other end of the spectrum, Alexander said that the denial of service attacks like the ones suffered by major U.S. banks last fall are best dealt with by Internet Service Providers, not the government. He went on to say that in addition to the Obama administration's recent cyber security executive order, legislation is needed to allow private businesses to share information about cyber attacks they are suffering in real time with the U.S. government.
Also today, the U.S. Intelligence Community released its annual Worldwide Threat Assessment, featuring cyber at the top of the list, ahead of terrorism. However, U.S. Director of National Intelligence James Clapper told lawmakers today when unveiling the assessment that the risk of major destructive cyber attacks against the U.S. by a major cyber player like Russia or China "is remote." Remember, Russia and China are the two powers most frequently cited as being able to execute a catastrophic destructive attack against the U.S. Still, many would point out that these countries have little interest in doing so.
Last month it was big news that the Pentagon was considering increasing the size of U.S. Cyber Command from 900 people to 4,900 troops and civilians. Then, in response to the now-famous Mandiant report detailing the exploits of a PLA cyber unit, the Chinese government claimed that the U.S. had a "hacking unit" of 100,000 cyber warriors.
While some people dismissed this claim, we decided to use publicly available info to tally up the size of the U.S. military's various cyber commands -- the units dedicated to protecting the military's networks from cyber attack and waging offensive cyber operations. Keep in mind that we didn't get the total number of civilian contractors or cyber personnel at the NSA, CIA, DIA, and other intelligence agencies. There are also likely troops out there working on cyber that aren't necessarily attached to the units listed below. Nevertheless, the U.S. has far more "cyber warriors" than the 900 people working on digital warfare at Cyber Command.
Here are the numbers that are publicly listed on the web for each service's dedicated cyber arms. These forces act as each service's contribution to U.S. Cyber Command and Strategic Command when needed.
24th Air Force: 16,400+ airmen and civilians.
Navy Fleet Cyber Command/Tenth Fleet: At least 14,000 sailors and civilians
Army Cyber Command: Set to exceed 21,000 soldiers and civilians.
U.S. Cyber Command: 900, set to grow to 4,900 troops and civilians.
Total expected cyber troops: 53,000 to 58,000.
The next step is figuring out the military's total cyber budget.
Think you knew all there was to know about Stuxnet, the worm that was discovered in 2010 to have destroyed thousands of uranium enrichment centrifuges at Iran's Natanz nuclear facility? Think again. It appears that an early version of the worm was attacking Iran's nuclear program years before the version that made headlines in 2010 was unleashed, according to a new report by the IT Security firm Symantec.
Dubbed Stuxnet 0.5, the early version of the worm attacked Iran's nuclear program by closing valves that allowed uranium hexafluoride gas (UF6) to flow into the centrifuges at Natanz, according to Symantec. Cutting off the flow of UF6 would, in theory, damage the centrifuges. (Click here for a primer on gas centrifuges.)
This apparently didn't work as well as Stuxnet's designers wanted it to and we saw later versions of the worm that famously caused the centrifuges to spin out of control -- thereby destroying them. Stuxnet 0.5 was under development as early as November 2005 and in the wild by November 2007 with orders to shut down by July 2009 -- the year that the version aimed at causing the centrifuges to spin out of control was developed, according to Symantec.
"The earliest known variant of Stuxnet was version 1.001 created in 2009. That is, until now," reads a Symantec blog post accompanying the report.
Remember, Stuxnet was reportedly the work of a U.S.-led cyber campaign against Iran known as Operation Olympic Games. At the time of its discovery the worm was considered to be one of the most advanced cyber weapons ever fielded. The worm reportedly took an unprecedented amount of time, expertise, and money to create.
As a Symantec blog post says, "Stuxnet proved that malicious programs executing in the cyber world could successfully impact critical national infrastructure."
The malware was designed to worm its way (See what I did there?) harmlessly around the globe until it found its precise target, the Siemens-made programmable logic control (PLC) computers that ran the centrifuges at Natanz. Once there, it attacked. You know the rest.
Some cybersecurity experts fear that cyberweapons like Stuxnet can be reverse-engineered and used against their creators or sold on the ever-growing black market for cyber weapons.
"The difference between traditional weapons and cyber weapons is that it's not possible to [re]assemble a cruise missile after it has been used," said cyber security expert Eugene Kaspersky last September in Washington. "Cyber weapons are different" because the victims "can learn from" weapons used against them.
As another cyber security expert told Killer Apps last fall:
Because uranium centrifuges and power turbines are both spinning machines, "the attack is identical -- the one to take out the centrifuges and the one to take out our power systems is the same attack."
"If a centrifuge running at the wrong speed can blow apart" so can a power generator, said the expert. "If you do, in fact, spin them at the wrong speeds, you can blow up any rotating device."
A week after releasing its cyber security executive order, the White House today unveiled its strategy to fight back against the wave of intellectual property (IP) theft facilitated by cyber espionage that has hit U.S. businesses in recent years.
The Administration Strategy on Mitigating the Theft of U.S. Trade Secrets calls for: increased diplomatic efforts to confront nations hosting IP thieves and increased collaboration between governments on combating IP theft; the promotion of voluntary best practices by businesses to protect their trade secrets; "enhanced" domestic law enforcement operations; improved domestic legislation; and increased "public awareness and stakeholder outreach."
The document also includes a number of anecdotes about China-based thieves stealing U.S. intellectual property.
One of the key elements of the strategy is the plan to increase prosecution of people caught stealing U.S. trade secrets. The administration also wants to increase information sharing between the Intelligence Community and the private sector on foreign efforts to steal trade secrets, including the type of info being sought and the techniques being used. The strategy also notes that the shift toward cloud and mobile computing will likely increase the threat of cyber espionage.
Included in the document's list of likely espionage targets are a wide range of industries from defense contractors to IT firms and clean energy companies.
The White House's 141-page strategy document was released one day after cyber security firm Mandiant published a report detailing the exploits of a Chinese military unit involved in widespread cyber theft and espionage against U.S. businesses.
Just last week, Rep. Mike Rogers (R-Mich.), chairman of the House intelligence committee, called for the U.S. do more in confronting China on its massive cyber espionage campaign against American businesses.
The U.S. government has and will continue to confront senior Chinese government officials "at the highest levels" about the massive amounts of cyber theft and espionage being committed against the United States by Chinese hackers, a senior White House official said today.
"We have repeatedly raised our concerns at the highest levels about cyber theft with senior Chinese officials, including in the military, and we will continue to do so," said the official in a statement emailed to Killer Apps Monday morning in reaction to cyber security firm Mandiant's new report detailing the exploits of a Chinese government cyber espionage unit.
"The United States has substantial and growing concerns about the threats to U.S. economic and national security posed by cyber intrusions, including the theft of commercial information," said the official, whose comments come a week after the White House introduced its cyber security executive order aimed at protecting critical infrastructure providers -- a relatively small group of banks, transport firms, energy companies, defense contractors and communications providers -- from crippling cyber attacks that would impact large numbers of Americans. The Pentagon is famously bolstering its offensive cyber capabilities in an effort to deter destructive cyber attacks against the United States.
The news of Mandiant's findings, first reported by the New York Times, also comes a week after Rep. Mike Rogers (R-Mich.), chairman of the House intelligence committee, called on the United States to confront China on its reportedly widespread cyber theft and espionage campaign against U.S. government and businesses. (Click here to read Killer Apps's recent interview with Mandiant's chief security officer on China's massive espionage campaign.)
"We need direct talks with China, and it needs to be at the top of a bilateral discussion about cyber espionage," Rogers told Killer Apps after a speech at the Center for Strategic and International Studies Wednesday. "This is a problem of epic proportions here and they need to be called on the carpet. There has been absolutely no consequences for what they have been able to steal and repurpose to date."
Rogers suggested that the United States begin implementing trade sanctions and "identifying individuals who participate in this, go after their visas, go after family travel -- all of the levers we have at the Department of State. The problem is that bad."
White House officials have repeatedly declined to discuss the specific steps they are considering taking to counter Chinese cyber aggression.
The United States is reportedly preparing a National Intelligence Estimate detailing Chinese cyber attacks against U.S. interests. Last year, Rogers's committee urged U.S. companies not to deal with Chinese telecommunications firms Huawei and ZTE, accusing the two of spying on U.S. businesses for the Chinese government. Also last year, U.S. Army Gen. Keith Alexander, head of U.S. Cyber Command and the National Security Agency, called cyber crime "the greatest transfer of wealth in history."
The White House official went on to call for the United States and China to "continue a sustained, meaningful dialogue and work together to develop an understanding of acceptable behavior in cyberspace."
The effort to establish international rules of the road, or norms of behavior, in cyberspace based on the law of armed conflict is a tricky process that may take decades to flesh out, U.S. officials have repeatedly said.
The leaders of the House intelligence committee say they are working with the White House to ensure passage of the Cyber Intelligence Sharing and Protection Act, which fell to a presidential veto threat last year but which Chairman Mike Rogers (R-Mich.) reintroduced yesterday.
The bill would establish rapid information-sharing about cyber threats between private businesses and the government. Last year, the White House threatened to veto it over concerns from privacy groups that the bill gave the government too much authority to view people's online activities without a warrant.
"We were working with the White House for one year, and we thought everything was going to be fine," Dutch Ruppersberger, the committee's ranking member, said yesterday in a joint appearance with Rogers. "Fifteen minutes before we went to the rules committee, we received a phone call that the president was going to veto our bill."
"We've resolved all that," he added. "We're working with the White House as of today. Mike [Rogers] and I talked with the national security advisor [Tom] Donilon and the White House is now working with us to ensure that somehow, some way, we get a bill."
Rogers was a little more cautious, telling reporters yesterday that the White House "does not endorse the bill" as it stands right now and that negotiations over its contents are ongoing. "They want to see changes in the bill, but that's a long way from where we used to be," said Rogers. "We're actually having a dialogue on how the bill moves through, I welcome that, that's a good thing."
Ruppersberger and Rogers repeatedly emphasized during a Capitol Hill hearing today that the bill will not infringe on privacy, and that CISPA only authorizes the government and private companies to share digital threat signatures, the "ones and zeros" that make up packets carrying malware.
It does not allow the government to "monitor your computer, read your email, tweets or Facebook posts," Ruppersberger said yesterday.
The two lawmakers also said they are committed to working with privacy advocates on the bill.
Rep. Mike Rogers said today that Iran may pose the highest risk of a destructive cyber attack on U.S. critical infrastructure because its leaders are irrational. Although Russia and China are conducting large-scale cyber espionage campaigns, he explained, Iran has fewer qualms about launching a destructive attack.
"You have nation-states like Iran who are developing this capability, and they're not a rational actor when it comes to trying to disrupt or cause a catastrophic attack to our U.S. economy," the chair of the House Permanent Select Committee on Intelligence said during a speech Wednesday reintroducing his Cyber Intelligence Sharing and Protection Act, better known as CISPA.
Rogers said that Iran had already displayed its willingness to wreak havoc abroad in the attacks last August against the Saudi Aramco oil company and the Qatari gas firm RasGas, which wiped the data from 30,000 computers and kept employees off email for more than a week.
The U.S. government has yet to name a culprit in those attacks, but Rogers said that, based on his conversations with private sector cyber security analysts, he is "99.9 percent sure" that Iran was behind them.
"That's a new level of capability," said Rogers. "They have obviously aggressively stepped up their campaign."
He then pointed to last fall's denial of service attacks against U.S. banks as also being the work of Iranian cyber operators, though he acknowledged those attacks were far less sophisticated and damaging.
"Most people believe that was a probing action, they're trying to find deficiencies in our systems to find a better way to come back and cause some catastrophic disruption," Rogers said. "You can imagine how devastating it would be, not just getting into that system but actually breaking that system, manipulating and changing data, and destroying data. Devastating. That could bankrupt a company."
Rogers said that Russia and China would be unlikely to attack the United States in peacetime, but that Iran is a different story.
"I think they're eager and ready to ramp up their actions against the United States," he said to reporters after his speech. "Here's a country that's feeling isolated. Sanctions are hurting badly. You saw them reach out and strike Aramco. This is the same country that tried to kill the Saudi ambassador here in Washington DC. This is not a country that's going to make a rational decision about attacks of this nature."
Finally. President Barack Obama signed the long-awaited executive order on cyber security today. As expected, the order expands information-sharing programs between the government and private sector and establishes voluntary cyber security best practices for critical infrastructure providers -- though the administration plans to use its leverage to strongly encourage compliance.
One of the order's main provisions calls for the National Institute of Standards and Technology to work with the private sector to identify a set of cyber security best practices that can be turned into a "Cybersecurity Framework" that critical infrastructure firms would use to ensure they are defended against cyber attack. A senior administration official said this afternoon that this framework, due one year from today, "is not designed to be a one size fits all approach" and will "not lock in specific technology or approaches."
NIST and other government agencies will work with businesses that have proven to be the best at cyber security to help develop these practices. "We believe that companies driving cyber security innovations are really in the best place to help us push out best practices across more of the critical infrastructure and companies would have a lot of flexibility in determining how to do so," said the official. "This is about taking the existing best practices and spreading them out to as many of the critical infrastructure companies as we can."
The Department of Homeland Security will form an organization to push out these standards to critical infrastructure providers. DHS, DoD and other government agencies will develop incentives, in collaboration with the private sector, to coax critical infrastructure companies into adhering to those standards, since they are officially voluntary.
"There's a whole range of" incentives that have been suggested, added the official, mentioning the recommendations of the Commission on Cybersecurity for the 44th Presidency as some examples.
Possible incentives could include government contracts, according to the official. Government agencies have 120 days from now to come up with these incentives.
In addition to the incentives, the order also has "teeth," according to the official. It calls for federal agencies to review their regulations for industries they oversee to make sure they apply to cyber security. If critical infrastructure providers don't live up to the minimal best practices that emerge in the Cybersecurity Framework, the agencies could find a way to make them.
"It makes business sense to [adopt these practices] in a lot of cases, and that's something that a lot of businesses are starting to understand," said the official. "What we want to make sure of with our direction to our federal regulators is that, if for some reason that market signal isn't getting through as clearly or as loudly as we would like, that there's the backstop of the federal regulators to make sure those companies that are in this critical infrastructure [sector] . . . are really putting into the baseline levels of cyber security."
In other words, the administration believes the market will demand better cyber security, and it is going to provide incentives to encourage better practices. But if those approaches don't work, it will use its regulating power to ensure that various critical infrastructure businesses adhere to minimal standards, added the official.
"We're giving multiple avenues for either incentives to be created in the voluntary program and for market forces to work, but we're also putting in place the ability and the direction for the regulators to use their existing authority, if needed" to make sure critical infrastructure businesses adhere to minimal standards, said the official.
The order defines critical infrastructure providers as companies and organizations with "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." The senior administration official said the White House expects this to amount to a very small number of private businesses.
The order also calls for increased information sharing about cyber threats between government agencies like the Defense Department, the Department of Justice, the Intelligence Community, and the Department of Homeland Security. One of the ways this will be done is by expanding the Pentagon's DIB Pilot program (click here to read all about that), which allows the government to rapidly share information on cyber threats aimed at defense contractors with those companies.
As expected, DHS will have the lead on information sharing and is required to come up with a plan to ensure that civil liberties are protected. The order does not provide liability protections for companies that improperly share private citizens' information with the government or that violate antitrust laws in the course of sharing information. Those issues will have to be addressed by cyber security legislation, said the official. The order also calls for an expansion in the number of critical infrastructure workers who may receive classified briefings on cyber threats.
White House officials today said the information shared under the executive order would be specific digital threat signatures -- strings of ones and zeros -- that can identify pieces of malware aimed at critical infrastructure providers, not the contents of people's email. Click here to read more about the type of information that the government would share with critical infrastructure providers. The order calls for numerous privacy protections and reviews when information is shared to make sure that information about private citizens or companies is not inappropriately used. The privacy protections involved "will be based upon the Fair Information Practice Principles," reads the document.
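To make concrete what a shared "threat signature" is and how a recipient would use it, here is an added illustration that is not part of the article or of any government sharing program. A signature is a machine-checkable artefact of known malware, here either a SHA-256 hash of a whole file or a byte pattern found inside it; the sample file body, the indicator names and the SHA-256/byte-pattern format are all constructed for this example. Matching happens against the file itself, which is why such indicators can be exchanged without handing over message contents.

```python
"""Matching files against shared threat signatures.

Added illustration, not from the article or any real sharing program.
A 'signature' is either a SHA-256 hash of a known-bad file or a byte
pattern found inside one. All sample data below is constructed.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str   # "sha256" (whole-file hash) or "bytes" (hex-encoded pattern)
    value: str  # hex digest, or hex-encoded byte pattern
    name: str   # label assigned by whoever shared the indicator (constructed)


# Constructed sample: a fake "known-bad" file body and two indicators derived from it.
KNOWN_BAD = b"MZ\x90\x00" + b"\x00" * 12 + b"EVIL-C2-BEACON-v1" + b"\x00" * 8
SHARED_INDICATORS = [
    Indicator("sha256", hashlib.sha256(KNOWN_BAD).hexdigest(), "sample.dropper.A"),
    Indicator("bytes", b"EVIL-C2-BEACON".hex(), "sample.beacon.pattern"),
]


def compile_indicators(indicators):
    """Split a shared indicator list into a hash lookup table and compiled byte patterns."""
    hashes = {i.value.lower(): i.name for i in indicators if i.kind == "sha256"}
    patterns = [
        (re.compile(re.escape(bytes.fromhex(i.value))), i.name)
        for i in indicators
        if i.kind == "bytes"
    ]
    return hashes, patterns


def scan_file_bytes(data, indicators=SHARED_INDICATORS):
    """Return the names of every indicator that matches `data` (empty list if clean).

    Hash indicators match only an identical file; byte-pattern indicators also
    match variants of the file that keep the pattern, which is the trade-off
    between precision and resilience that signature authors balance.
    """
    hashes, patterns = compile_indicators(indicators)
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in hashes:
        hits.append(hashes[digest])
    for pattern, name in patterns:
        if pattern.search(data):
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Identical file: both indicators fire. A one-byte variant: only the pattern fires.
    print(scan_file_bytes(KNOWN_BAD))
    print(scan_file_bytes(KNOWN_BAD + b"\x01"))
    print(scan_file_bytes(b"hello, benign document"))
```

The run shows the practical caveat behind sharing hashes: recompiling or padding the malware changes its hash and the `sample.dropper.A` indicator stops matching, while the byte pattern still does. Recipients therefore want both kinds in a feed, and defenders usually treat a hash hit as high-confidence and a pattern hit as something to verify.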
Here's a copy of the executive order:
With the White House expected to release its cyber security executive order as early as tonight, Killer Apps spoke with some private sector cyber security experts on what they would like to see. Almost all agreed that the Obama administration -- and Congress -- need to do something to help protect the nation's banks, transport companies, energy firms, defense contractors, and other companies on which millions of people rely, from a crippling cyber attack.
"It's a public security and a public safety issue, and it needs some level of government oversight because you cannot let market forces completely go in areas where public safety is involved," said Ashar Aziz, chief technology officer of FireEye. While Aziz and other IT security executives Killer Apps spoke with recently agreed that the government needs to do something to ensure that critical infrastructure providers are adequately protected against cyber attacks, they caution that an executive order or legislation should not dictate technical security measures (such as specific pieces of software) that could quickly become obsolete.
"The regulations don't need to be specified in terms of technology, they need to be specified in terms of posture," said Aziz. "You need to look at where the [evolving] threats are, how the threats operate, and what is needed to counter such threats. . . . All we need to say is, the critical networks need to have safeguards to protect against unknown threats, independent of technology. Use whatever the best commercially available products on the market are."
Some suggest that the government could follow the model used by the credit card industry's security organization, Payment Card Industry Security Standards Council, whose members develop security standards and audit companies that process credit card payments. If a company fails an audit, the council has the power to ban that firm from processing credit cards.
"It specifies 12 different things that companies need to do in order to secure credit card data," such as encrypting credit card data and using firewalls. "An auditor will walk in and look and see how well you followed that 12-step criteria," said Rob Rachwald, manager of IT security strategy at Imperva. "If you're found out of compliance, different penalties could apply. They may be financial penalties. Worst case -- and this doesn't happen very often but it does happen -- your ability to transact credit cards is pulled."
Roger Thornton, chief technical officer at AlienVault, agrees with the approach.
"What you want to specify is, ‘the end result I [the government] want you to achieve. You're all smart and you'll all find different ways to achieve it'," said Thornton of what any cyber legislation should say. That end result would involve limiting how many break-ins each firm suffers or how many IT security vulnerabilities the firm has.
The execs also agreed that provisions allowing for rapid information sharing on cyber threats, and on the best way to defend against them, between the government and private businesses need to be in any executive order or legislation.
"We really need good threat intelligence sharing; these attacks frequently come in campaigns and these campaigns target multiple organizations," said Aziz. "We need a real-time view of a threat landscape. I believe it's possible to provide that in a way that does not violate or compromise the consumer's or the public's information privacy."
The Cyber Security Act of 2012, which failed to pass the Senate last fall, contained provisions aimed at encouraging businesses to share information with the government about cyber attacks they had suffered by freeing them of liability for improperly sharing citizens' private information.
"We all recognize that cybersecurity is a [government] problem because a lot of these attacks are coming from overseas," said Rachwald. "What would happen for example, if the government ponied up a community resource center" aimed at sharing information about cyber attacks against U.S. firms and the best responses to those attacks.
Rachwald agreed that the government should order companies to constantly scan their networks for actual intrusions, not just potential vulnerabilities -- under the premise that all networks will be penetrated, no matter how good their security.
Richard Bejtlich, chief security officer with Mandiant, told Killer Apps that simply ordering that firms adhere to certain standards won't work. Businesses need to be audited for
"I would like to see some type of annual requirement, maybe starting with critical infrastructure, that says, at the very least on an annual basis, are you compromised?" he said. "You need to know, are the Russians inside your network, are the Chinese inside your network doing damage and have it be an annual test. All this vulnerability-based we've been doing for the last 10 or 15 years doesn't make any difference."
Companies would have to report publicly if they had been penetrated -- something that might prompt innovation in cyber defense since firms won't want to be known for having bad network security. "I see it as the same thing as a financial audit, are you a going concern, what kind of money are you making, what kind of money are you losing? As a shareholder, I want to know, is some of the intellectual property that drives this investment in someone else's hands."
Still, Bejtlich admits that this approach is "fairly intrusive, so the likelihood of that happening is low, instead, we're likely to see more standards."
Jeffrey Carr, CEO of Taia Global, echoed Bejtlich's sentiment, arguing that the SEC's current recommendation that companies disclose cyber attacks should be made mandatory. President Obama's executive order should "encourage the SEC to make their cyber security guidelines into requirements," said Carr in an email to Killer Apps. "At the very least, to require registrants to reveal their degree of cyber risk."
Borrowing the PCI audit model and using it to find actual penetrations on networks instead of monitoring for vulnerabilities may be workable, according to another cyber security expert.
The "idea of continuous monitoring linked to mitigation, if you can fit that into the credit card model, then that makes sense," said James Lewis of the Center for Strategic and International Studies. "The idea of monitoring for weird behavior is a good one, if massive files are being transferred out of your network at 3:00 in the morning, you know something's up."
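Both the intrusion-focused audit Bejtlich describes (is anyone inside the network?) and Lewis's "massive files at 3:00 in the morning" rule come down to looking at what actually leaves the network rather than at a list of unpatched software. The following is an added example written for this page, not code from Mandiant, CSIS or any product: a small detector run over constructed connection-log records. The record format, the field names, the off-hours window and the byte thresholds are all assumptions for the illustration.

```python
"""Flagging bulk outbound transfers at odd hours from connection logs.

Added example, not from the article or the experts quoted in it. The log
format, thresholds and off-hours window are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample flow log: one record per outbound connection.
SAMPLE_LOG = """\
2013-02-12T09:14:02 src=10.0.5.23 dst=198.51.100.7 dport=443 bytes_out=48213
2013-02-12T13:40:19 src=10.0.5.41 dst=198.51.100.30 dport=443 bytes_out=2100044
2013-02-12T03:02:55 src=10.0.5.23 dst=203.0.113.9 dport=443 bytes_out=734003200
2013-02-12T03:11:08 src=10.0.5.23 dst=203.0.113.9 dport=443 bytes_out=812000000
2013-02-12T03:20:41 src=10.0.5.88 dst=198.51.100.7 dport=53 bytes_out=310
2013-02-13T02:58:30 src=10.0.5.60 dst=203.0.113.44 dport=22 bytes_out=95000000
"""

OFF_HOURS = range(0, 6)               # assumption: 00:00-05:59 local time
PER_FLOW_BYTES = 100_000_000          # assumption: 100 MB in a single connection
PER_HOST_HOURLY_BYTES = 500_000_000   # assumption: 500 MB from one host within an hour


def parse_flow(line):
    """Parse one 'timestamp key=value ...' record into a dict of typed fields."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {
        "ts": datetime.fromisoformat(ts),
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
        "bytes_out": int(fields["bytes_out"]),
    }


def find_off_hours_exfil(log_text):
    """Return alerts for off-hours bulk transfers.

    Two rules: a single large outbound flow, and a per-host hourly total that
    catches the same volume split across many smaller connections. Daytime
    flows are ignored entirely in this simplified model.
    """
    flows = [parse_flow(line) for line in log_text.splitlines() if line.strip()]
    alerts = []
    per_host_hour = defaultdict(int)
    for flow in flows:
        if flow["ts"].hour not in OFF_HOURS:
            continue
        if flow["bytes_out"] >= PER_FLOW_BYTES:
            alerts.append(("large_flow", flow["src"], flow["dst"], flow["bytes_out"]))
        hour_key = (flow["src"], flow["ts"].strftime("%Y-%m-%dT%H"))
        per_host_hour[hour_key] += flow["bytes_out"]
    for (src, hour), total in sorted(per_host_hour.items()):
        if total >= PER_HOST_HOURLY_BYTES:
            alerts.append(("host_hourly_total", src, hour, total))
    return alerts


if __name__ == "__main__":
    for alert in find_off_hours_exfil(SAMPLE_LOG):
        print(alert)
```

Against the sample, the two 03:00 transfers from 10.0.5.23 trip the single-flow rule and their combined volume also trips the hourly total, while the 95 MB SSH transfer the next night stays under both thresholds. In practice the thresholds have to be learned per host or per role, because nightly backups and replication jobs look exactly like this, and the first tuning step is to baseline what "normal" off-hours traffic is before alerting on departures from it.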
When asked by Killer Apps about the business lobby's claim that critical infrastructure providers are doing a good job at cyber security and that no government action is needed, Lewis said, "Why are the banks squealing for help from NSA?"
Well done to Danger Room for finding the needle in the haystack. On Thursday, the Wired.com blog posted this article showing an insanely remote military airstrip being built in the Saudi Arabian desert on the border with Yemen.
Looking at the satellite imagery, the base is almost certainly the secret drone base the United States is using to conduct UAV strikes in Yemen; it's got those beige "clamshell" tent-hangars that are a ubiquitous feature at expeditionary drone bases around the world. It's also smack dab in the middle of nothing. I mean nothing (that's why they call it Rub al-Khali -- the Empty Quarter). The crew at Wired remembered to look in Bing maps instead of Google maps. (We should have thought of this. After all, it was Bing maps, not Google, that had photos of the North Carolina mockup of Osama bin Laden's compound that the Navy SEALs used to rehearse for the May 2011 raid to kill the al Qaeda leader.)
Guess what? That Saudi facility is not alone. Last night, we found another possible drone base in the Yemeni desert relatively close to the Saudi site. The Yemeni airstrip (shown above) looks relatively new and is of a very similar layout to the Saudi base that's being built. One thing that's missing, however, is those clamshell tents. In fact, the airstrip and the substantial military-looking compound a few miles to the northeast that's connected to the runway via a dirt road look almost abandoned.
Here's one more nugget we found. Below is a screenshot from Wikimapia showing the site of the Saudi base before it was built. Notice how it's just a few tents and a twin engine turboprop plane tucked amid the dunes of one of the most remote and forbidding locations on Earth. Pretty impressive. These finds have to make you wonder where else there are hidden airfields like this literally sprouting out of the wilderness.
Below is the email that the Department of Energy sent to its employees notifying them that the personal information about several hundred DoE staff and contractors at the department's Washington headquarters (shown above) may have been accessed by hackers.
You'll notice that DoE doesn't mention who might have been responsible for the attack, and it makes no mention of whether classified information regarding nuclear-anything was accessed.
(Several media accounts have said Chinese hackers were to blame and that the cyber attack didn't access nuclear-related information.)
You can also see that DoE is in the early stages of figuring out the details and full extent of the attack. From the early reports, it sounds like this could have been a spear phishing email attack. If that's the case, an employee at DoE likely got a professional-sounding email with a special file attached that contained malware; once the staffer clicked on the file, the hackers were into the department's networks. What would hackers/spies want with staffers' and contractors' email and the info contained within? For one thing, they could use it to crack security safeguards to other networks that contain classified information.
Click here to read an article about DoE's Inspector General's report on the department's cyber security practices from last fall that points out a bunch of cyber vulnerabilities.
Here's the email:
The Department of Energy (DOE) has just confirmed a recent cyber incident that occurred in mid-January which targeted the Headquarters' network and resulted in the unauthorized disclosure of employee and contractor Personally Identifiable Information (PII).
The Department is strongly committed to protecting the integrity of each employee's PII and takes any cyber incident very seriously. The Department's Cybersecurity Team, the Office of Health, Safety and Security and the Inspector General's office are working with federal law enforcement to promptly gather detailed information on the nature and scope of the incident and assess the potential impacts to DOE staff and contractors. Based on the findings of this investigation, no classified data was compromised.
We believe several hundred DOE employees' and contractors' PII may have been affected. As individual affected employees are identified, they will be notified and offered assistance on steps they can take to protect themselves from potential identity theft.
Once the full nature and extent of this incident is known, the Department will implement a full remediation plan. As more specific information is gathered regarding affected employees and contractors, the Department will make further notifications.
The Department is also leading an aggressive effort to reduce the likelihood of these events occurring again. These efforts include leveraging the combined expertise and capabilities of the Department's Joint Cybersecurity Coordination Center to address this incident, increasing monitoring across all of the Department's networks and deploying specialized defense tools to protect sensitive assets.
Cybersecurity is a shared responsibility, and we all play an important role in maintaining the integrity and security of our networks. To help minimize impacts and reduce any potential risks, please keep the following best practices in mind:
Encrypt all files and emails containing PII or sensitive information, including files stored on hard drives or on the shared network.
Do not store or email non-government related PII on DOE network computers.
Chinese hackers' espionage efforts against the networks of U.S. news organizations including the New York Times and Wall Street Journal prompted several House lawmakers to call for a renewed effort to pass cyber security legislation.
"Attacks like this and the recent cyber attacks on U.S. banks are further evidence that we must harden our networks against espionage by enacting comprehensive cybersecurity legislation to bolster our defenses against enemies who seek to steal our intelligence, intellectual property and dismantle our critical infrastructure," said Rep. Mike McCaul (R-Texas), chair of the House Homeland Security Committee, in an email statement to Killer Apps.
Rep. Mike Rogers (R-Mich.), chair of the House Permanent Select Committee on Intelligence, made a similar call for Congress to move ahead with cyber security legislation in the face of a "relentless and sweeping" cyber espionage effort by China.
"The attacks on the U.S. banking industry and now major media outlets who dared publish stories critical of the Chinese government prove this is not a theoretical threat," said Rogers in a statement to Killer Apps. "Foreign cyber attackers are targeting every aspect of the American economy every day and Congress needs to act with urgency to protect our national security and our economy."
Rogers tried late last year to reintroduce the Cyber Intelligence Sharing and Protection Act, or CISPA, which he sponsored in early 2012.
CISPA would have allowed the government to share intelligence about online threat signatures with companies. It would have also allowed companies to quickly notify the government if they believed they were under cyber attack, without being legally liable for improperly sharing customers' private information.
That bill passed in the House last April. However, it failed in the Senate after criticism by civil liberties advocates such as the ACLU, and Internet activist groups such as the Electronic Frontier Foundation and the Mozilla Foundation (the creators of Firefox).
Rogers' committee last year warned American businesses against doing business with Chinese telecommunications giants Huawei and ZTE, claiming the two firms were spying on U.S. businesses on behalf of the Chinese government.
Rep. Jim Langevin (D-R.I.), co-chair of the Congressional Cybersecurity Caucus, called for the establishment of international norms of behavior for dealing with cases of cyber aggression, in addition to cyber security legislation in the United States.
"I have long pushed for international cooperation on cyber that includes establishing practices for responding when a country either condones or actively participates in significant cyber crime, espionage or attacks," said Langevin in a statement to Killer Apps. "However, we must remember that one of the greatest challenges in cybersecurity is the difficulty of attribution, so it is critical for the government and for private companies to take responsibility for protecting themselves. Most importantly, I continue to implore my colleagues to recognize the urgency with which we must act on cybersecurity by passing legislation that will make information sharing easier and address the vulnerability of our critical infrastructure."
The cyber attacks by Chinese hackers against the New York Times and Wall Street Journal, and possibly Bloomberg, are just the latest episode in a long-term effort by China against the West, says one cyber security expert whose firm was hired to defend the Times networks from the attackers.
While the hacks against the Times and Journal are considered pretty low-key cyber crimes in the United States (since they didn't steal money or property, or destroy the newspapers' networks), China may view them as part of an almost military-style campaign to secure its rise as a major world power, according to Richard Bejtlich, chief security officer at Mandiant, the IT security company hired by the Times to respond to the attacks.
"I tend to [view] war from the perspective of the East; war is an ongoing condition that involves social, political, economic [efforts], it's not strictly troops on a field," Bejtlich told Killer Apps. "So from that perspective, [the hacks are] part of the global cyber war that the East is waging more or less against the West."
The attacks against the newspapers are the latest in a long list of cyber espionage attacks against U.S. targets -- ranging from defense contractors working on the F-35 Joint Strike Fighter program to the White House and even Washington think tanks.
"There's been no slowdown" in the onslaught of cyber attacks emanating from China, despite the ever increasing amount of attention Chinese hackers have been getting in the press, said Bejtlich.
The attacks are aimed at getting intelligence that may help Chinese leaders gain insight into their U.S. counterparts' decision-making, learn military secrets, and steal intellectual property that can help Chinese businesses produce military and civilian technology on par with products made in the West.
"Almost universally, we don't see these types of actors seeking to do destructive activities," said Bejtlich. "Though with the level of access that they have, it wouldn't be a problem, it's just not one of their goals."
The spear phishing attacks against the newspapers were "not that sophisticated," he added. "This wasn't the best stuff we'd ever seen, for sure."
In the case of the news outlets, Chinese officials appear to want to learn what stories are being written about them before they are published. This gives China's propaganda machine a head start in pushing out a pro-China narrative, according to Bejtlich. It's an approach that has backfired, in this case, making China look worse. "This was a bad day for them," said Bejtlich.
"This was reconnaissance, espionage -- this was not a disruption attempt," said Bejtlich. "They wanted to know what [the newspapers] were going to report and who their sources were."
In the Times' case, the hackers were looking for information that reporters gathered from public documents in China for a story on the wealth of China's premier, Wen Jiabao.
"The sources were very important. The Chinese were operating from a position of, ‘who is feeding you information about the Wen family so that we can handle those people,'" added Bejtlich. "They were basically leak obsessed."
The Times and Journal are not the only major media outlets that have been targeted by Chinese hackers, according to Bejtlich. He put the number at "not quite double digits but close."
Expect the Pentagon to continue to flesh out a policy of cyber deterrence if Chuck Hagel becomes the next defense secretary.
Buried toward the end of the 112 pages of answers to questions that Hagel gave the Senate Armed Services Committee in advance of his confirmation hearing tomorrow are some insights into his views on cyber security.
Among his thoughts on the matter is that deterrence is working for the United States, so far anyway.
"At this time, it appears that the United States has successfully deterred major cyber attacks," reads Hagel's response to SASC's questions. "I expect that deterring and, if necessary, defeating such attacks will be a continued key challenge. If confirmed, I intend to ensure that the Department provides strong support to our national efforts in this area."
That last sentence is pretty telling. National efforts to defend against cyber attack mean that the rest of the U.S. government and private industry will need to play a role in deterring cyber attacks, according to Hagel.
Here's what he said when asked specifically about DOD's role in protecting the U.S. from cyber attacks:
"My understanding is that the Department of Homeland Security has the lead for domestic cyber security," writes Hagel. "The Defense Department provides technical assistance to DHS when requested. The [DOD's] role is to provide military forces needed to deter the adversary and, if necessary, act to protect the security of the country. This includes planning against potential threats to our critical infrastructure, gathering foreign threat intelligence, and protecting classified [government] networks." [Emphasis ours.]
It sounds like Hagel envisions DOD using its expertise in cyber warfare to help protect other government networks and certain private industries from cyber attack; spy on foreign cyber actors; and be ready to go on the offensive should anyone start a cyber fight with the U.S.
Still, when asked explicitly about using offensive cyber operations to defend "the homeland" (after more than a decade that's still a creepy-sounding term, isn't it?) Hagel says:
"My current view is that defending the homeland from cyber attacks should involve the full range of tools at the disposal of the United States, including diplomacy and law enforcement as well as any authorized military operations."
As for looming decisions that need to be made about expanding U.S. Cyber Command, elevating it to a combatant command, and paying for increased cyber forces at a time of declining defense budgets, Hagel punted, saying he will "consult closely" with the White House, Congress, and DOD officials before doing anything.
Click here to read more about Hagel's plans for cyber.
Killer Apps found it interesting that cyber security featured prominently in last week's confirmation hearing of Sen. John Kerry, with the next secretary of state calling cyber threats the nuclear weapons of the 21st century. He even went so far as to agree with Sen. Dick Durbin's (D-Ill.) labeling of cyber security as the world's "greatest threat."
My, how things have changed. During Condoleezza Rice's 2005 confirmation hearing there was nary a mention of cyber, hackers, or even the Internet. The trickle of cyber awareness at confirmation hearings for secretaries of state and defense began in 2006, when Robert Gates acknowledged that Chinese computer hacking was a threat -- but he admitted that he wasn't too well versed in it. Fair enough: the Iraq War was raging and COIN was the theme of the day. It wasn't until 2009, with Secretary of State Hillary Clinton's confirmation hearing, that the word "cyber" was brought up.
There is almost certain to be cyber talk at Chuck Hagel's confirmation hearing tomorrow. Hagelians in the Obama administration reached out to Killer Apps earlier this month to argue that the nominee gets cyber. Stay tuned: this afternoon we'll bring you a look at how Hagel answered advance questions on cyber that the Armed Services Committee sent him.
In the meantime, here's a look at what nominees have said over the last decade. Use it as a rough, unscientific measurement of the growing cyber awareness among the U.S. government's national security leaders.
Condoleezza Rice's testimony to the Senate Foreign Relations Committee, Jan. 18, 2005:
No mention of "cyber," "Internet," or "hacker."
Robert Gates' testimony to the Senate Armed Services Committee, Dec. 5, 2006:
While the term cyber wasn't specifically mentioned, Sen. James Inhofe (R-Okla.) asked Gates for his take on Chinese hackers breaking into U.S. military and defense contractor networks between 2003 and 2006 as part of the Titan Rain attacks. Gates, admitting to being underinformed about Titan Rain's details (understandably), framed these attacks from an intelligence and counterintelligence perspective rather than as one element in an entirely new combat domain -- akin to sea, air, space and land. That would change by the end of his tenure:
Inhofe: "But I am concerned about China, and I'd like to hear what your thoughts are. Just in the last month the Chinese hackers, as you, I'm sure, have read, have shut down the e-mail and official computer work at the Naval War College. This is referred to by this commission as the Titan Rain..."
Gates: "Yes, sir. I have not read the reports. I would be more than willing to do so. I've been aware, just from reading in the newspapers, it's been a number of years since I received any classified intelligence on what the Chinese were up to.
But it's been my impression that they've had a very aggressive intelligence-gathering effort against the United States.
Some of these other things that you've mentioned, this is the first time I've heard about that. And clearly, if confirmed, this would be something that I would want to get well-informed on."
Hillary Clinton testimony to the Senate Foreign Relations Committee, Jan. 13, 2009:
Only two years later, things had radically changed. Then-Sen. Clinton mentioned "cyber" in a list of weapons of mass destruction that posed "the gravest threat" to the United States should they fall into the hands of terrorists. And she said she would reorganize the State Department to handle "these new threats."
Clinton: "The gravest threat that America faces is the danger that weapons of mass destruction will fall into the hands of terrorists. We must curb the spread and use of these weapons -- nuclear, biological, chemical, or cyber -- and prevent the development and use of dangerous new weapons."
She went on to say:
"You add to [traditional WMD] the growing threat of cyber terrorism, which has the potential of disrupting the networks we rely on for all kinds of things, like traffic signals and electric grids and the like, which would be incredibly disruptive and dangerous -- I mean, this is the number one threat we face, there's no doubt in my mind. So we're going to start calling it such. We're going to reorganize the department to be better prepared to deal with nonproliferation, arms control and these new threats."
Leon Panetta's testimony to the Senate Armed Services Committee, June 9, 2011:
Finally, we get to Defense Secretary Leon Panetta's June 2011 confirmation hearing, where cyber security featured prominently. This was the first such hearing where both the senators and the nominee, who was then director of the CIA, seemed to have a fairly strong grasp of cyber security. Panetta hints at his desire to expand DOD's cyber fighting capabilities and its role in defending U.S. critical infrastructure from cyber attack -- something that has been one of the hallmarks of his relatively brief tenure as defense secretary. You also get the sense that Panetta understands that cyber is much bigger than buying the best software and hackers -- that dealing successfully with cyber threats may mean establishing international codes of conduct dealing with cyber war, espionage and crime.
Sen. Jack Reed (D-R.I.): "There is a whole new dimension [of conflict, in addition to land, air, sea], cyber. I don't think we know enough yet to be fully prepared, fully conversant, but can you comment briefly on the strategy that you will try to develop?"
Panetta: "There is no question that the whole arena of cyber attacks, developing technologies in the information area represent potential battlefronts for the future. I have often said that there is a strong likelihood that the next Pearl Harbor that we confront could very well be a cyber attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems.
This is a real possibility in today's world. And as a result, I think we have to aggressively be able to counter that. It is going to take both defensive measures as well as aggressive measures to deal with it. But most importantly, there has to be a comprehensive approach in Government to make sure that those attacks don't take place.
My goal would be to work very closely with [NSA] and with others to develop not only the capability, but also the law that I think we need to have in order to determine how we approach this challenge in the future."
Sen. Kirsten Gillibrand (D-NY): "Can you share with us any of your vision, design, goals with regard to how we create a greater platform for cyber security and cyber defense?"
Panetta: "This is an area of great concern for me because I think what I have witnessed at the CIA and elsewhere is that we are now the target of increasing attacks that go after our systems, and it is extremely important for us to do everything we can to confront that threat."
He went on to say: "What I would like to do is to develop an even more effective force to be able to confront cyber terrorism, and I would like to work with you on the effort to try to develop those kinds of relationships not only here, but abroad, so that other countries can work with us in this effort. We talk about nuclear. We talk about conventional warfare. We don't spend enough time talking about the threat of cyber war."
Dana Stuster contributed to this report.
The Defense Department has not yet formally decided to expand U.S. Cyber Command, according to a senior Pentagon official. "That decision has not been made yet. I'm not saying it won't be made. It hasn't been made," the official said.
"It's fair to say that this has not been given the green light," the official told Killer Apps when asked about a Washington Post report that the command is set to grow from 900 people to 4,900 civilian and uniformed cyber operators.
While U.S. Cyber Command has been working with the Pentagon since last April to define the cyber capabilities it wants from each of the armed services, no final decision has been made on the numbers of troops, where they will be drawn from, and what the various cyber fighting units will be called, according to the official.
"There is no doubt that we will expand our [cyber] forces; everyone is on the same page with that," said the official. "Exactly what the figures are, what they're called, and their precise makeup, that does remain to be seen. So in concept yes, we're expanding it. Has it happened on paper yet? No."
"The decisions in terms of the budget and people have not been made. It remains in the building for approval," said the official.
The Post reported yesterday that the Pentagon late last year approved the plan to dramatically increase the size of U.S. Cyber Command and organize it into three tranches: "National mission forces" would help defend critical national infrastructure such as power grids, financial networks, and transportation networks; "combat mission forces" would engage in offensive cyber operations; and "cyber protection forces" would "fortify the Defense Department's networks." It's important to note that the Post did say that the details of the expansion are still being hammered out.
While Killer Apps wrote last fall that an increase in cyber forces is coming -- and with it, a scramble to figure out how to pay for increased investments in cyber -- the Pentagon official today said that staff from Cyber Command, the Joint Chiefs of Staff, and the Office of the Secretary of Defense have still not reached a formal decision on whether to grow the command.
The Pentagon's cyber plans are being debated by a group of senior defense officials (known as the Deputy's Management Action Group) who report to Deputy Defense Secretary Ashton Carter, according to the official. The Pentagon is indeed hoping to grow its cyber forces, especially in light of increased threats to critical infrastructure, which the Pentagon will play a role in defending, but the plan as reported by the Post "has not been cleared" by the Pentagon, he added.
"It will also have to go to Congress because it's going to involve money and people," said the official.
"Everything's a little slow right now," due to fiscal uncertainty: the Pentagon is operating under a Continuing Resolution that is keeping its budget flat, and it may be forced to make dramatic budget cuts should Congress fail to reach a deficit reduction agreement by March 1.
Even without sequestration, it will be tough for the services to staff and fund Cyber Command's requests. Here's what Killer Apps wrote about the Pentagon's growing cyber forces last November following a discussion with Lt. Gen. Michael Basla, the Air Force's Chief Information Officer.
"The demand signal has increased and will continue to increase," said the three-star general. "We see an increase in the demand signal [from Cyber Command], that's going to be one of the things the Air Force has to respond to."
Given the ever-increasing demand for cyber operations, the Air Force will fight to defend its cyber budgets from cuts and may see funding increases over the coming years, said Basla.
"We've been holding the line. This is one of those areas where we've said we cannot afford to take reductions and may in fact, be one of the growth areas in a very tight budget environment," said Basla. The air service (and the rest of the military) is currently looking at how much money it will need to spend on cyber-related activities in the second half of this decade.
The Air Force has designated "cyberspace superiority" as a core mission for the service, similar to the way the service sees dominating airspace as a key mission.
Basla warned that at a time of declining budgets, any investments in cyber may come at the expense of other Air Force programs.
"You all know that it's a zero-sum game. If we decide, based on something that comes out of this tank session today or the meeting with [Deputy Defense Secretary Ashton Carter] next week, if we find out that we have to respond to cyber demands in the [fiscal year 2014] timeframe and adjust that [long term spending plan] accordingly, something else will have to be reduced in order to do that, unless -- and I certainly don't see this at this moment -- there's some top-line adjustment."
Operation Red October -- the newly discovered cyber spying operation that has targeted a range of diplomatic facilities, defense companies, and energy firms around the globe -- may mark an evolution of the cyber black market.
U.S. government officials have been extremely worried about the rise of hackers for hire and the associated markets for cyber crime and espionage tools, but Red October may be one of the most sophisticated cyber espionage operations conducted by a private group. Since 2007, Red October has been using a piece of malware called Rocra to spy on computers and smartphones used by the employees of everything from diplomatic missions to research facilities -- gathering exactly the type of information that government spy agencies want.
Kaspersky Lab, the IT security firm that announced it had uncovered Red October earlier this week, says that its perpetrators appear to be Russian-speaking, but the lab can't provide evidence that this is an official Kremlin-backed operation. The lab also can't eliminate the possibility that private hackers are responsible. That's right, we may be seeing the rise of private spy agencies; think SPECTRE or whatever Raoul Silva, Javier Bardem's character in the latest 007 film, calls his organization.
"If this is a private cyber espionage network without close state sponsoring or funding -- which seems to be the driving thesis in the Kaspersky report -- then that says something about the new terrain for how actors are working in cyberspace," Laura Galante, an intelligence analyst at IT security firm Mandiant, told Killer Apps.
"We've moved on from kind of this hacker for hire" who simply performs disruptive denial-of-service attacks "and now we're into what information can we sell that would be incredibly valuable to a government, and private individuals or groups are willing to take on that kind of endeavor which is definitely riskier and requires significant funding to do," said Galante. "It's almost digital spies for hire."
"I think the big takeaway for most people will be: this was a sophisticated attack, that's the type of thing that makes people think, 'do we now have private espionage networks that can provide really targeted information' about high-level targets to a government," said the analyst.
Still, this may well be the work of government spies, notes Galante. She points out that Red October is a sophisticated operation that's been going on for five years, meaning that it likely had significant funding and its perpetrators were probably comfortable in knowing there's a low chance they'll be prosecuted.
"To be able to function and get the information that they've supposedly got, you have to be able to operate in an environment immune from imminent prosecution," said Galante. "For something that goes after this type of information, that's a five year long operation, it's really suspicious that a completely private group of entrepreneurial hackers would have the funding to do that and have the same kind of attention to go on that long."
It's also worth noting that Kaspersky researchers found Cold War era Russian espionage slang (who knew that was a thing?) written into Rocra's code. For example, one of Rocra's modules designed to spy on smartphones was named zakladka, possibly after the Russian slang term for a microphone bug embedded in the wall of an embassy, according to Kaspersky.
If the Kremlin is behind Red October, the discovery would give Western analysts a relatively rare window into Russia's cyber capabilities.
"If the Russian government had close ties or some sort of ability to direct and provide tasking for something like the Red October campaign, that would be the newest point for an understanding of what Russia's capabilities are," said Galante. "It definitely raises suspicions for the U.S. government about the potential of Russia's capabilities; whether we believe they're highly capable or not is the question, but it definitely raises suspicions" about how advanced Russia's cyber capabilities are.
Still, Galante warned against freaking out about the Russians coming after everyone in cyberspace.
"We don't know how capable Russia is, we don't have a lot to point to, and we should look at threats accordingly; seeing demonstrated capability and seeing attributed events is something we should look at before we're too giddy to deem a certain country a major threat."
Defense Secretary Leon Panetta is discussing the U.S. government's effort to establish international norms of behavior in cyberspace during his trip to Europe this week.
"That's going to be on the agenda for Secretary Panetta's trip to Europe this week, it'll probably be something that he talks about in his speech in London at the end of the week," a U.S. government official told Killer Apps over the weekend. "As we look at Secretary Panetta's tenure, this is something that remains in the front of his mind as a key priority."
The outgoing U.S. defense secretary just wrapped up a meeting today in Madrid, Spain, where he discussed the topic with his Spanish counterpart, Defense Minister Pedro Morenes Eulate, according to the official who just updated Killer Apps.
After seeing billions of dollars in intellectual property stolen and physical damage done to some nations via cyber attacks, the U.S. has been trying to get nations around the world to subscribe to a set of acceptable behaviors in cyberspace that are based on the law of armed conflict. However, the process of establishing universally agreed upon codes of conduct in the relatively new domain of cyber will take decades, cautions another U.S. official.
"The nature of it is very slow. It's something that will occur over the course of decades rather than months," the second U.S. official told Killer Apps. "We place a lot of emphasis on it, we have ongoing talks with the Chinese, we engage with the Russians and then on a very regular, frequent basis we're talking with our Five Eyes allies, the folks in NATO, the European Union and others."
"That's the way you do it, you come to a common understanding" as to what behaviors the international community deems acceptable.
A key sticking point so far has been that the U.S. and its allies want the norms to focus on things like international cooperation to ban intellectual property theft, while nations such as China and Russia want the norms to leave them free to censor what their citizens view online.
John Reed reports on the frontiers of cyber war and the latest in military technology for Killer Apps.