So what's new in the Defense Department's new report about Chinese military capabilities? The biggest news seems to be that the Pentagon is actually saying that Chinese-military hackers are attacking its networks. Not that this should be news to readers of Killer Apps.
The report states that numerous U.S. government computer systems around the world are being "targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military." It goes on to say that China is using cyber espionage to collect intelligence on U.S. diplomatic, economic, and "defense industrial base sectors that support U.S. national defense programs."
The same skills being used by Chinese cyberspies to steal information could easily be used in a destructive attack against U.S. networks, the report points out.
Preventing cyber espionage and cyber attacks is "a consequences calculation and the consequences aren't there," said one Senate staffer who works on cyber issues. For "everybody from your common hacker to your professional hacker to the nation states, the consequences aren't there" to deter these kinds of actions.
He went on to compare the current era of cyber espionage to the "Napster days" of free music downloading.
"There was nothing that was going to deter college-age students from ripping off music until there was a consequence that was associated with it and the RIAA [Recording Industry Association of America] had to go out there and start suing," said the staffer.
Richard Bejtlich, chief security officer at Mandiant, thinks that while it's important for the U.S. government to call out the Chinese government's bad behavior, it's going to take more than harsh language to deter state-backed cyber espionage. (Remember, Mandiant is the firm that published a report in February detailing the exploits of what is believed to be a PLA hacking unit against worldwide targets, including the U.S. government.)
"It's important for noncommercial, government entities like DOD to make definitive statements on Chinese cyber capabilities," Bejtlich told Killer Apps. However, "because the Chinese consider espionage a tool for economic development, and the economy is one of their top national security concerns, they will not change course if the U.S. only complains with words. They are more likely to constrain their behavior if the U.S. imposes specific sanctions and exercises all elements of national power."
Bejtlich's comments echo those of Rep. Mike Rogers, chair of the House Intelligence Committee who has repeatedly urged the State Department to impose sanctions on any foreigner found to aid cyber espionage against the United States government or businesses.
As the militaries of the United States and Britain purchase more and more of the same networked hardware, most notably the F-35 Joint Strike Fighter (above), the two nations are increasing collaboration in cyber warfare, according to a Pentagon official.
"Cybersecurity is a growing area of cooperation between the United States and the United Kingdom," the official told Killer Apps. "We're sharing more information and going deeper into threat analysis and response planning than we ever have before. Both nations firmly agree we need improved multilateral cyber coordination and we're working to do just that. Cyber will also be on the agenda for discussions at the upcoming NATO conference in June."
His comments come a day after British Defence Secretary Phil Hammond (the British spell it with a "c") was in Washington to meet with U.S. Defense Secretary Chuck Hagel to discuss the situation in Syria, the war in Afghanistan, and how to deal with Iran, and to visit U.S. Cyber Command at Fort Meade, MD. (As is sadly the norm, a spokesman for the command could not talk about Hammond's visit to Fort Meade.)
While much of the discussion between the two officials centered on current or potential conflict zones and major weapons buys like the F-35, Hagel announced that the two allies will increase their cooperation in the cyber world.
"The United Kingdom's continued commitment to [the F-35] program, and our growing cooperation in new priority areas like cyber, is helping ensure this alliance has the kind of [cutting-edge] capabilities needed for the future," Hagel said during a Pentagon press conference yesterday.
"The U.K. and the U.S. remain in lock step on these projects, and as we take them forward, we will ensure the continuity of those vital capabilities," added Hammond.
It makes sense for the two to discuss the F-35 and cyber in the same breath. The F-35 relies on millions of lines of software code to function. It is perhaps the most networked plane in history, using software to do everything from firing weapons to beaming chunks of data to other aircraft or command centers. Last fall, Killer Apps reported that the jet's computerized maintenance system was found to be vulnerable to hacking -- meaning that spies who penetrated it could see everything from how many pilots were available to fly the jets to the maintenance status of every airplane in a squadron.
This comes just after Bloomberg News reported that QinetiQ, a British defense firm that was a Ministry of Defence research agency until it was privatized in 2001, suffered a series of major cybersecurity breaches at the hands of Chinese government hackers. QinetiQ works on a host of advanced technologies, from cyber to robotics, with U.S. government agencies such as the DOD and the Department of Energy. In fact, the firm runs Britain's version of Area 51, a site known as MoD Boscombe Down, which has been called the inspiration for the workplace of James Bond's gadget-maker, Q.
CISPA isn't the only piece of cyber-security legislation that passed the House this week.
The Federal Information Security Management Act of 2013 updates the 2002 version of the federal IT security law, known as FISMA, by requiring government agencies to constantly monitor their computer networks for threats.
Right now, FISMA requires government agencies to perform only yearly evaluations of cyber-threats and vulnerabilities. Yours truly can't tell you how many times I've heard cybersecurity experts say the current version of FISMA does nothing to stop fast-paced cyber threats; it's merely an exercise in checking off boxes.
As a statement released this week by Rep. Jim Langevin, co-chair of the Congressional Cyber Caucus, says, "While the annual reports currently mandated under FISMA are supposed to give government executives overall insight into security management of their networks, this does not provide the minute-by-minute view into network security that is needed."
"It's just an out of date and slow process for examining security of government networks," a House staffer told Killer Apps. The new version of FISMA would mandate "continuous monitoring of networks and provide regular threat assessments."
Here's an excerpt from the Library of Congress' official summary of FISMA 2013, explaining the change in the reporting procedures:
Directs senior agency officials, with a frequency sufficient to support risk-based security decisions, to: (1) test and evaluate information security controls and techniques, and (2) conduct threat assessments by monitoring information systems and identifying potential system vulnerabilities. (Current law requires only periodic testing and evaluation.)
Directs agencies to collaborate with OMB [the Office of Management and Budget] and appropriate public and private sector security operations centers on security incidents that extend beyond the control of an agency. Requires that security incidents be reported, through an automated and continuous monitoring capability, when possible, to the federal information security incident center, appropriate security operations centers, and agency Inspector General.
The House also passed the Cybersecurity Enhancement Act, which requires the National Science Foundation, the National Institute of Standards and Technology, and "other key federal agencies" to develop a strategic plan for federal cybersecurity research and development work, with a focus on securing industrial-control systems and developing advanced protections for personal information online. (Remember, the Stuxnet worm that destroyed thousands of Iranian uranium-enrichment centrifuges did so by attacking the industrial controllers that ran them.)
The second bill also calls for the establishment of a "Scholarship for Service" program meant to cultivate a highly-skilled government cybersecurity workforce, and it requires the president to send a report to Congress on the government's current and future cybersecurity workforce needs.
The Cyber Intelligence Sharing and Protection Act, better known as CISPA, just passed the House by a vote of 288 to 188. Meanwhile, the Senate is working on crafting its own bill aimed at facilitating information-sharing on cyber-threats.
"We are currently drafting a bipartisan information sharing bill and will proceed as soon as we come to an agreement," Senate intelligence committee chair Dianne Feinstein wrote in an email to Killer Apps.
Remember, CISPA allows private businesses to share "cyber-threat information" with each other and government agencies, including the military.
Earlier this week, the White House threatened to veto CISPA unless it was amended to require that information businesses share with the government go through a civilian agency, such as the Department of Homeland Security, before being sent to any military organization, such as the National Security Agency. The White House also wants to narrow the liability protections given to businesses that improperly disclose personal information or commit antitrust violations while sharing information with each other or the government.
"The version of CISPA that just passed the House floor includes an amendment that encourages, but doesn't require businesses to share cyber threat information with DHS instead of the military," a Hill staffer told Killer Apps.
Another amendment bans the U.S. government from using information gathered under the auspices of the bill to target a U.S. citizen for surveillance. Another one "reconfirms" that "the federal government may not use library records, book sales records, customer lists, firearms sales records, tax returns, educational and medical records that it receives under CISPA," said the staffer.
Last week, the House intelligence committee removed language from the bill that would have allowed companies to collect and share information for "national security" purposes. Privacy advocates who oppose CISPA claimed using the broad term "national security" would allow the government to spy on people online without a warrant. The committee also added an amendment requiring that information shared with the government be scrubbed of all personal information.
Still, these amendments weren't enough to satisfy privacy advocates such as the ACLU. Here's what Michelle Richardson, one of the ACLU's lawyers, said after the bill passed today.
CISPA is an extreme proposal that allows companies that hold our very sensitive information to share it with any company or government entity they choose, even directly with military agencies like the NSA, without first stripping out personally identifiable information. We will work with Congress to make sure that the next version of information sharing legislation unequivocally resolves this issue, as well as tightens immunity provisions and protects personal information. Cybersecurity can be done without sacrificing Americans' privacy online.
The big questions that remain are whether the White House still opposes CISPA and whether the Democratic-controlled Senate will let CISPA's language survive the conference process. So far, the White House has remained mum on today's news.
Last year's White House-backed Cyber Security Act of 2012, sponsored by former Senators Joe Lieberman and Susan Collins, failed to pass the Senate because Republicans objected to the bill's call for minimal cyber-security standards for certain banks, energy firms, communications providers, transport companies, and other so-called critical infrastructure providers.
In February, the White House issued an executive order allowing the government to share intelligence on cyber-threats with businesses and encouraging minimal best practices for critical-infrastructure providers.
This didn't take long. Cyber criminals have begun exploiting the Boston Marathon bombings to spread malware.
That's right, hackers are sending out spam emails with "Boston Marathon Explosion" in the subject line, according to a brand new FBI warning. The email contains a link to a website showing a series of photos of the attack site. At the bottom of the page is a video that does not play; instead, it redirects the visitor to "the Red Exploit Kit," according to the warning.
FP staffers have actually received several similar emails titled, "2 Explosions at Boston Marathon" and "Texas Plant Explosion".
The Red Exploit Kit is a new hacking tool that lets criminals silently probe a visitor's browser and plugins for known security vulnerabilities and use whichever one works to push malicious software onto the machine. "Once an exploit has been successful, the user sees a popup asking them to download a file, at which time the malware is downloaded," the warning says.
Once in, the hackers may look for personal information about their victims, according to the FBI. Personal information could include anything from bank account numbers to website passwords.
The FBI's announcement goes on to warn against fake charity Twitter accounts soliciting donations for victims of the attacks: "According to various reports, a Twitter account was created soon after the explosions that resembled a legitimate Boston Marathon account. Allegedly, for every tweet received to the account a dollar would be donated to the Boston Marathon victims."
The warning goes on to say that, while that account has been suspended, other fraudulent accounts may be set up. "The FBI was made aware of at least 125 questionable domains registered within hours of the Boston Marathon Explosions. Though the intentions of the registrants are unknown, domains have emerged following other disasters for fraudulent purposes."
Here are the FBI's recommendations for avoiding marathon bombing-related online scams.
Individuals can limit exposure to cyber criminals by taking the following preventative actions when using email and social networking Web sites.
- Messages may contain pictures, videos, and other attachments designed to infect your computer with malware. Do not agree to download software to view content.
- Links appearing as legitimate sites (example: fbi.gov), could be hyperlinked to direct victims to another Web site when clicked. These sites may be designed to infect your computer with malware or solicit personal information. Do not follow a link to a Web site; go directly to the Web site by entering the legitimate site's URL.
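The second recommendation describes the oldest trick in the phishing book: anchor text that reads "fbi.gov" while the underlying href points somewhere else entirely. Below is an added example, not from the FBI warning, of how a mail gateway or a triage script can catch that mismatch mechanically. It parses the HTML body, keeps only links whose visible text looks like a web address, and compares the domain the text names with the domain the href actually resolves to. The sample message body, the `attacker.invalid` hostnames and the two-label domain shortcut in `base_domain` are all constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that "looks like" a web address, e.g. "fbi.gov" or
# "http://www.fbi.gov/news". Group 1 captures the host without a leading "www.".
DOMAIN_RE = re.compile(
    r'^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:[/?#]\S*)?$',
    re.IGNORECASE,
)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host):
    """Crude registrable-domain approximation: the last two DNS labels.
    Fine for .gov/.com; a real deployment should use the Public Suffix List
    so that hosts under e.g. 'co.uk' or 'mod.uk' are compared correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def displayed_domain(text):
    """Base domain the link text appears to name, or None if the text is
    not address-like (e.g. 'Click here', 'Donate now')."""
    m = DOMAIN_RE.match(text.strip())
    return base_domain(m.group(1)) if m else None


def find_deceptive_links(html):
    """Flag anchors whose visible text names one domain while the href
    actually leads to another (the warning's 'fbi.gov' example)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = displayed_domain(text)
        if shown is None:
            continue  # non-address text: nothing to compare against
        actual = base_domain(urlparse(href).hostname or "")
        if actual != shown:
            findings.append({"text": text, "href": href,
                             "shown": shown, "actual": actual})
    return findings


# Constructed sample message body for this example; not a real lure.
SAMPLE_EMAIL = """
<p>Photos from the scene: <a href="http://photos.attacker.invalid/boston.html">www.fbi.gov</a></p>
<p>Official statement: <a href="https://www.fbi.gov/news">fbi.gov</a></p>
<p>Help the victims: <a href="https://donate.attacker.invalid/">Donate now</a></p>
"""

if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_EMAIL):
        print(f"text says {f['shown']!r} but link goes to {f['actual']!r}: {f['href']}")
```

Only the first link is flagged: its text says "www.fbi.gov" but the href goes to attacker.invalid. The second is consistent, and the third ("Donate now") is skipped because its text makes no claim about a domain; links like that still need the warning's other advice, namely typing the charity's address yourself rather than following the link.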
Individuals can also limit exposure to cyber criminals by taking the following preventative actions when receiving solicitations from, or donating to, charitable organizations online.
- Verify the existence and legitimacy of organizations by conducting research and visiting official Web sites. Be skeptical of charity names similar to but not exactly the same as reputable charities.
- Do not allow others to make the donation on your behalf. Donation-themed messages may also contain links to Web sites designed to solicit personal information, which is routed to a cyber criminal.
- Make donations securely by using debit/credit card or write a check made out to the specific charity. Be skeptical of making donations via money transfer services as legitimate charities do not normally solicit donations using this method of payment.
Today, the White House once again threatened to veto the Cyber Intelligence Sharing and Protection act, CISPA, unless the bill incorporates additional privacy protections.
"The Administration recognizes and appreciates that the House Permanent Select Committee on Intelligence (HPSCI) adopted several amendments to H.R. 624 [CISPA] in an effort to incorporate the Administration's important substantive concerns. However, the Administration still seeks additional improvements and if the bill, as currently crafted, were presented to the President, his senior advisors would recommend that he veto the bill."
"We have long said that information sharing improvements are essential to effective legislation, but they must include proper privacy and civil liberties protections, reinforce the appropriate roles of civilian and intelligence agencies, and include targeted liability protections," said National Security Staff spokeswoman Caitlin Hayden today.
CISPA -- set for a vote on the House floor tomorrow and Thursday -- allows private businesses to share information on cyber threats with each other and government agencies including the military. The bill died last year after the White House issued a veto threat, citing concerns that it would infringe on citizens' privacy rights.
Despite the veto threat, the White House said it looks forward to working with the committee to refine the information-sharing bill. Remember, the White House called for such legislation after it released its cyber-security executive order in February that allows the government to share information on cyber-security threats with businesses. But the executive order could only permit government-to-industry info-sharing; it couldn't mandate that industry share information, nor could it protect businesses that share such information from lawsuits.
Last week, the intelligence committee struck language from CISPA that would have allowed private companies to collect and share information for "national security" purposes -- a statement that was too vague for privacy advocates, who claimed this would allow the government to spy on people's online lives without a warrant. The committee also added language to the bill requiring that information shared with the government be scrubbed of all personal information.
Still, these steps don't go far enough for the White House, which wants the bill to do more to protect personal information and to place a civilian government agency -- namely the Department of Homeland Security -- in charge of receiving information from businesses instead of allowing the info to be sent directly to a military organization, such as the National Security Agency.
The Administration, however, remains concerned that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities. Citizens have a right to know that corporations will be held accountable - and not granted immunity - for failing to safeguard personal information adequately. The Administration is committed to working with all stakeholders to find a workable solution to this challenge. Moreover, the Administration is confident that such measures can be crafted in a way that is not overly onerous or cost prohibitive on the businesses sending the information. Further, the legislation should also explicitly ensure that cyber crime victims continue to report such crimes directly to Federal law enforcement agencies, and continue to receive the same protections that they do today.
The White House is also calling for the bill to reduce the amount of protection it affords companies from lawsuits if they improperly share private information or violate antitrust laws while sharing info on cyber threats with one another or the government.
The Administration agrees with the need to clarify the application of existing laws to remove legal barriers to the private sector sharing appropriate, well-defined, cybersecurity information. Further, the Administration supports incentivizing industry to share appropriate cybersecurity information by providing the private sector with targeted liability protections. However, the Administration is concerned about the broad scope of liability limitations in H.R. 624. Specifically, even if there is no clear intent to do harm, the law should not immunize a failure to take reasonable measures, such as the sharing of information, to prevent harm when and if the entity knows that such inaction will cause damage or otherwise injure or endanger other entities or individuals.
Ever thought the term C4ISR was acronym overkill? Well, here's another doozy. The Air Force's fiscal year 2014 budget request includes $11.3 million to develop tools to do, wait for it, "D5."
D5 stands for "deceive, degrade, deny, disrupt, destroy." No, it's not something an awful child does on the playground; it's what the service wants its cyberweapons to do to enemy networks.
Offensive cyber-technologies are being built to allow Air Force cyber operators to secretly infiltrate enemy networks, stay there undetected, steal information, watch what the enemy is doing, resist reverse-engineering should it be discovered, and wreak D5 havoc (cue action-movie music).
Here's what the service's program has achieved so far, as described by the Air Force's budget request:
What's left to work on in 2014 besides continuing to develop the capabilities listed above? Start developing a "common operating platform" -- the actual computer interface that will allow Air Force cyber-troops to do all of the above.
U.S. military commanders around the world are discussing how to integrate cyber weapons with all the other tools in their arsenals, according to the chief of the Navy's cyber forces.
Doing this will give battlefield commanders the ability to choose which weapon they want to use to achieve a desired effect.
"Whether we do that through the spectrum [via electronic warfare], we do that through the network [via cyber] or we do that through something kinetic [bullets and bombs], what we want to be able to do is be able to tee up to the commander, multiple options," said Vice Admiral Michael Rogers during the Navy League's annual Sea Air Space conference just outside Washington today. Then, "the commander can make the decision about what's the best tool to use. . . . I don't get any pushback on that idea at all."
"If we think we're going to do cyber off in some closet somewhere we have totally missed the boat on this thing," Rogers noted.
At the same time, the lines between traditional electronic warfare -- radar jamming, electronic eavesdropping, etc. -- and cyber warfare are continuing to blur, at least in the U.S. Navy.
"I see those lines blurring increasingly. There is great convergence between the spectrum [EW] and the cyber world at the moment, which I think just offers great opportunities. As a SIGINT [signals intelligence] kind of guy by background, I just lick my lips at the opportunities that I see out there in that arena," said Rogers.
While Rogers didn't elaborate on the type of combined cyber-electronic warfare missions he envisions, a fellow admiral noted that the Pentagon is looking at non-cyber ways of shutting down an enemy's ability to fight without firing a shot. (Remember, cyber-philes often point out that cyber weapons can cripple a nation without a single missile being launched.)
"Cyberspace can be an enabler but there's [other] non-kinetic ways to disadvantage the enemy in cyberspace that don't require a cyber activity; [electronic warfare] capability, and other things like that," said Rear Admiral Michael Hewitt, deputy director of the special programs cross functional team on the Joint Staff, during the Navy League's annual Sea Air Space conference just outside Washington today.
Click here to read an example of a type of non-cyber electronic weapon that's capable of shutting down an enemy's electronics systems without blowing anything up.
By now, everyone is familiar with Distributed Denial of Service attacks -- the relatively primitive cyberattack that takes down a website by flooding it with more traffic than it can handle, usually from a large number of compromised machines. Well, there's a new denial of service trend that takes advantage of VoIP technology to target phone lines instead of websites.
Last month, the Department of Homeland Security and the FBI issued a confidential warning to first responders that hackers may try to flood emergency call centers with phone calls, overwhelming them and preventing legitimate calls from getting through. Instead of a DDOS attack, it's called a Telephony Denial of Service (TDOS) attack.
Dozens of attacks in "multiple jurisdictions" have targeted these public safety lines -- which are not the same as 911 lines -- according to the DHS-FBI announcement, a copy of which was put online this week by cybersecurity journalist Brian Krebs.
"These attacks are ongoing. Many similar attacks have occurred targeting various businesses and public entities, including the financial sector and other public emergency operations interests, including air ambulance, ambulance and hospital communications," reads the March 16 bulletin, which was for immediate dissemination to "public safety answering points and emergency communications centers and personnel." The FBI's Internet Crime Complaint Center issued a little-noticed warning about TDOS attacks in January.
The DHS-FBI announcement describes the wave of attacks as part of an extortion scheme whereby an individual -- who usually speaks with a thick accent -- calls an organization, asks to speak with a current or former employee, and then demands payment of a $5,000 payday loan. When the victim tells the caller to get lost and hangs up, the attackers launch the TDOS attack, using hacked VoIP automated dialing systems to flood the call center.
"The organization will be inundated with a continuous stream of calls for an unspecified, but lengthy period of time," reads the bulletin. "The attack can prevent both incoming and/or outgoing calls from being completed." The attacks can continue intermittently over weeks or even months.
TDOS attacks are meant to intimidate victims by flooding their employers with debilitating phone calls. Sometimes those employers happen to be emergency call centers. But the bulletin also says, "It is speculated that government offices/emergency services are being ‘targeted' because of the necessity of functional phone lines."
In another variant of this extortion scheme, perpetrators claim that an arrest warrant has been issued for the victim's failure to pay the loan. "In order to have the police actually respond to the victim's residence, the subject places repeated, harassing calls to the local police department while spoofing the victim's telephone number," the January notice said.
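What the bulletin describes is, from the call center's side, just an abnormal call rate against one number, and the operational question is how to notice it early and tell it apart from a real surge. The following is an added example, not part of the DHS-FBI bulletin or the Krebs post, of a sliding-window detector run over call detail records. It assumes a simple CSV record format (timestamp, caller, callee, duration in seconds) and a hypothetical threshold of 30 calls per minute; the sample traffic, the 800 number and the "spoofed" caller IDs are all constructed. Besides the raw count, it reports how many distinct callers the flood came from and how long the calls lasted, since a genuine surge after a real emergency looks different on both measures from an autodialer cycling through a few spoofed numbers.

```python
from collections import Counter, deque
from datetime import datetime, timedelta


def make_sample_cdr():
    """Constructed call detail records (timestamp,caller,callee,seconds) for
    this example, not real data: an hour of ordinary traffic to a call-center
    line (about one call a minute, each lasting a minute or two), then a
    one-minute burst of 80 four-second calls from five rotating spoofed
    numbers, then ordinary traffic again."""
    lines = []
    t0 = datetime(2013, 3, 16, 9, 0, 0)
    for i in range(60):
        ts = t0 + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()},20255500{i % 10:02d},8005551000,{90 + i}")
    burst = t0 + timedelta(hours=1)
    spoofed = [f"3125550{k:03d}" for k in range(5)]
    for i in range(80):
        ts = burst + timedelta(milliseconds=750 * i)
        lines.append(f"{ts.isoformat()},{spoofed[i % 5]},8005551000,4")
    for i in range(10):
        ts = burst + timedelta(minutes=5 + i)
        lines.append(f"{ts.isoformat()},20255500{i:02d},8005551000,70")
    return lines


def parse_cdr(lines):
    """Parse CSV call records into (datetime, caller, callee, seconds), oldest first."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, caller, callee, secs = line.split(",")
        records.append((datetime.fromisoformat(ts), caller, callee, int(secs)))
    records.sort(key=lambda r: r[0])
    return records


def detect_tdos(records, window=timedelta(seconds=60), threshold=30):
    """Sliding-window call-rate detector, one window per destination number.

    An alert fires the first time a destination receives `threshold` or more
    calls within `window`; the episode is over once the rate drops below half
    the threshold, so a flood lasting many minutes yields one alert rather
    than one per call. The threshold is a hypothetical value for the sample;
    tune it to the line's normal busy-hour rate."""
    alerts = []
    recent = {}       # callee -> deque of (ts, caller, secs) inside the window
    flooding = set()  # callees currently in an alerted episode
    for ts, caller, callee, secs in records:
        q = recent.setdefault(callee, deque())
        q.append((ts, caller, secs))
        while ts - q[0][0] > window:
            q.popleft()
        n = len(q)
        if n >= threshold and callee not in flooding:
            flooding.add(callee)
            callers = Counter(c for _, c, _ in q)
            top_caller, top_n = callers.most_common(1)[0]
            alerts.append({
                "destination": callee,
                "window_end": ts,
                "calls": n,
                "distinct_callers": len(callers),
                "top_caller": top_caller,
                "top_caller_share": round(top_n / n, 2),
                "avg_duration": round(sum(s for _, _, s in q) / n, 1),
            })
        elif n < threshold // 2 and callee in flooding:
            flooding.discard(callee)
    return alerts


if __name__ == "__main__":
    for a in detect_tdos(parse_cdr(make_sample_cdr())):
        print(f"{a['destination']}: {a['calls']} calls in 60s ending {a['window_end']}, "
              f"{a['distinct_callers']} distinct callers, avg {a['avg_duration']}s")
```

On the sample, the alert fires about 22 seconds into the burst, at the 30th call, with five distinct callers and an average duration of four seconds; the hour of normal traffic produces nothing. Because the caller IDs arrive over VoIP and can be spoofed at will, as the January notice's harassment variant shows, the distinct-caller count is a triage hint rather than an attribution, and the durable fix is at the carrier or SIP trunk (rate limiting and call-screening on the inbound side) rather than at the answering point.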
I'm no extortionist, but aren't there plenty of ways to shake someone down without bringing first responders into the mix? What could possibly go wrong for the criminals there?
Been on the website of U.S. Forces Korea lately? Of course not because it's down.
Is it a prelude to war, similar to how Russia attacked Georgian websites before invading that country in 2008? Nope. A Pentagon spokeswoman tells Killer Apps that it's a hardware issue and that it has nothing to do with North Korea, just really bad luck and timing.
"They had a hardware problem so their server crashed and they are in the process of getting a whole new system," the spokeswoman told Killer Apps this morning. She added that communications specialists will be working over the weekend to get the site back up.
So no, North Korean cyber warriors haven't fired the first shots, er lines of code, of the second Korean War, according to the Pentagon.
We've heard plenty of civil liberties advocates object to the Cyber Intelligence Sharing and Protection Act (CISPA), claiming the bill harms privacy rights. However, one group opposed to the act argues that it actually allows businesses to commit the very behavior it aims to curb -- that is, it allows them to hack the computers of anyone they believe is hacking them.
"CISPA says that a company gets immunity for any decisions made based on cyber-threat information that they receive under the bill and based on cyber-threat information that they identify and obtain using cybersecurity systems," Greg Nojeim of the Center for Democracy and Technology told reporters in Washington this morning.
This is where Nojeim worries that the bill could permit an increase in hacking.
"What if one's decision in response to the receipt of cyber-threat information from someone you think is a bad guy is to render the sending computer inoperative?" asked Nojeim. "That's certainly within the scope of the legislation and would be completely immunized."
As Nojeim and his colleagues at CDT read it, CISPA could allow businesses that think they have discovered a hacker to hit back, or "hack back," against malicious actors in cyberspace, an action frequently referred to as active defense. (Yours truly has heard this topic debated plenty of times between lawyers who are against it and businesses that want to be able to defend themselves aggressively in cyberspace.)
CDT wants the bill's language tweaked to prohibit this behavior.
"What the bill does not say is, in looking for cyber threat information you can examine only your own network," said Nojeim. "If you think the cyber threat information is on somebody else's computer or on somebody else's network, you have authority, notwithstanding any law, to go get it . . . and immunity when you do."
Killer Apps reached out to one of the bill's sponsors, House intelligence committee chairman Mike Rogers, and one of his committee staffers told us that authorizing companies to strike back at hackers "was not the chairman's intent." Rogers "intends to address this issue in committee markup" by adding language specifying that the bill does not authorize businesses to break into other people's networks.
Rogers and the bill's co-sponsor, Rep. Dutch Ruppersburger, have insisted that they are working with the White House, privacy advocates, and businesses to address their concerns.
"We want to make sure that we meet the level of privacy concerns, and we think we can do that by working in some very direct language that expresses, in language, what we believe the bill already does but we want to reiterate that," said Rogers last week when announcing that the bill will come up for a committee vote this month.
As it's currently written, the bill specifically says that businesses can receive immunity from prosecution "for using cybersecurity systems to identify or obtain cyber threat information or for sharing such information in accordance with this section; or for decisions made based on cyber threat information identified, obtained or shared under this section."
"That authorizes hacking that would otherwise be a crime under current law, it authorizes cybersecurity criminal acts that are described in this very bill," Nojeim added. "The last place one would think you would find new authority to hack would be in cybersecurity legislation, but there it is."
Here's what Rogers said in December when asked how he felt about private entities fighting back against hackers.
"It's best not to go punch your neighbor in the face before you hit the weight room," said Rogers, in a warning to both public and private sector actors that are considering offensive actions to defend their networks under the growing trend of "active defense."
Government organizations and businesses are still figuring out the best way to defend themselves from advanced cyber threats. But, said Rogers, "until we have figured out how we will defend ourselves and our networks, I would be very, very, very cautious about using an offensive capability."
The lawmaker, speaking at an event at The George Washington University, added: "Now, you can't do a good defense if you don't develop the capability for offense...so I completely agree with [building offensive power]. I'm just very concerned about engaging [in offense] before we have the ability to defend ourselves because, guess what, something's coming back" to hit us.
The Defense Department's Inspector General called out the U.S. Army for the fact that thousands of the commercial off-the-shelf smartphones and tablets that troops buy to use on the job aren't properly secured.
"The Army Chief Information Officer (CIO) did not implement an effective cybersecurity program for" commercially purchased smartphones and tablets, reads a new announcement from the DOD IG. "Specifically, the Army CIO did not appropriately track [off-the-shelf devices] and was unaware of more than 14,000 [such devices] used throughout the Army."
(The IG investigated the Army's use of phones and tablets running Google's Android, Apple's iOS, and Microsoft's Windows Mobile operating systems in 2012. It didn't look at BlackBerrys, since it did a 2009 investigation into their security.)
Troops are already using commercial smartphones and tablets to do things like file flight plans. As the utility and availability of such devices grows, so will the amount, and type of data stored on them. If spies can break into these devices, they can likely glean plenty of useful information. As the report notes, the CIO "inappropriately concluded that [these devices] were not connecting to Army networks and storing sensitive information. As a result, critical information assurance controls were not appropriately applied, which left the Army networks more vulnerable to cybersecurity attacks and leakage of sensitive data."
The IG goes on to say that the Army failed to sanitize these devices; failed to install apps on the phones that would protect stored information; allowed troops to store sensitive data on the devices; didn't implement the ability to remotely wipe data off of stolen or lost devices; and failed to make users sign agreements governing the security of their devices or take training on how to keep their smartphones secure.
What's interesting is that the Army's CIO, Lt. Gen. Susan Lawrence, told yours truly last October that the service would be taking some of these very steps to protect the data on commercially purchased smartphones and tablets. Remember, the military -- following the lead of plenty of private sector businesses -- is starting to embrace the bring-your-own-device (BYOD) trend. It ultimately wants troops to be able to use one device for both personal and official use, barring all but the most classified data.
Here's what Lawrence said when Killer Apps asked how the Army would protect its information:
"At the end of the day, we really are going to become hardware agnostic. Whatever device you feel most comfortable with to do command and control, to be mobile with, is the device that you'll have and that's the one that we'll work with."
"We're in the RIM [Blackberry] environment, we're in the Apple environment, and we're in the [Google Android] already as we go through this."
"What you will agree to do is, if that's the device you want to use, you're going to sign an agreement with me that I get to scan you before you log on. I get to scan your device and then, you're also going to let me monitor you so that I can look for an inside threat as well. So if you're on the government network, you're gonna let me scan you first and you're gonna let me monitor you second."
DOD officials including Lawrence have said that enabling secure mobile computing is a top, if not the top, computing priority within the department. To enable this, Pentagon officials are hustling to field something called the Joint Information Environment, a massive cloud- based network that, over the next decade, will replace the dozens of networks that the DOD currently maintains. Officials say this will make it easier to defend and monitor data and make it easier to access from anywhere.
As Killer Apps quoted Lawrence as saying last October, one of the most important issues in the shift toward mobility and cloud computing "is in fact, ensuring that it's you on the network and that we've got your certifications and accreditations so that when you log on, I say yes, that's that person," said Lawrence.
How do you make sure users are who they say they are? Click here to read about how DARPA wants to monitor everything, from users' typing patterns and sentence structure to the way they hold their phone, to ensure that the person using a computer, smartphone, or tablet is the person who is authorized to use that device.
The Army tells the IG that, as soon as this month, it will start buying software allowing it to "wipe or remove a device from the [Army's networks] as well as monitor applications used, web sites visited, and data viewed, saved, or modified on the mobile devices." This satisfied one of the IG's recommendations that the service develop the ability to make sure mobile device users are secure.
The IG also says the Army "should develop clear and comprehensive policy to include requirements for reporting and tracking all" such devices. "In addition, the Army CIO should extend existing" practices aimed at protecting sensitive information to all off-the-shelf smartphones and tablets.
The Army, however, provided what the IG called "nonresponsive" answers to those suggestions. Specifically, the Army says it already has a reporting program for mobile devices that may carry sensitive data. The IG says this reporting program for registering mobile devices isn't good enough: thousands of unregistered and unauthorized devices were found to be in use.
In response to the IG's recommendation that it do more to protect the data on its devices, the Army said that the DOD is already working on a plan to secure the information on "every managed mobile device" via its Commercial Mobile Implementation plan. Again, the IG called this answer to its recommendation "nonresponsive," since off-the-shelf mobile devices aren't designated "as information systems, users [of such devices] would not apply the appropriate information assurance controls to protect the devices and the data" on them. Furthermore, because there is no clear timeline to manage the security of these devices, "there's an increased risk that Army networks could be vulnerable to data leakage."
Expect to see Congress take up legislation to punish nations and people that back global intellectual property theft and industrial espionage, House intelligence committee chairman Mike Rogers said today. Such legislation could revoke visas of those involved in economic espionage or sanction countries that back such behavior.
Such actions would punish "nation-states that steal intellectual property and repurpose it for government companies to illegally compete in the market," Rogers told reporters after a breakfast in Washington, alluding to Chinese intellectual property theft. "That's something I'm working on, and we've got some great bipartisan support on this and great bicameral support, and we'll have an announcement on this soon."
He added that legislation to punish countries engaged in economic espionage will not be included in the latest version of CISPA, set to be voted on next month, but rather it will be "announced and ready sometime this year."
He hinted that the legislation could also punish people who knowingly do business with foreign entities that rely on intellectual property theft for their business model.
"I steal from your house, and I come to [another person's house] and try to sell it, it is both a crime for me to steal it and a crime for you to take stolen property. This should be no different. The only difference is, the value of it is exponentially bigger," said Rogers, a former FBI agent.
Early last month, Rogers said the U.S. must do more to confront China on its state-backed economic espionage campaigns.
"We need direct talks with China and it needs to be at the top of a bilateral discussion about cyber espionage," Rogers told Killer Apps on Feb. 13. "This is a problem of epic proportions here, and they need to be called on the carpet. There has been absolutely no consequences for what they have been able to steal and repurpose to date." Rogers suggested that the U.S. implement trade sanctions and identify "individuals who participate in this, go after their visas, go after family travel, all of the levers we have at the Department of State. The problem is that bad."
Last month the White House unveiled its strategy to combat the international theft of intellectual property and trade secrets. This effort is focused on international law enforcement efforts to catch IP thieves and diplomatic cooperation aimed at curbing state-backed theft of trade secrets.
We hear a lot about Chinese and Iranian hackers, but we don't usually hear much about North Korea. In the wake of this week's cyber attacks against South Korean banks and television stations, though, there have been several news reports claiming North Korea is one of the world's top cyber players. While there's no doubt that the North Korean military has growing cyber capabilities, most experts wouldn't put them at the top of the list in terms of ability or sophistication.
"Limited internet access, limited electricity, bad infrastructure means that North Korea isn't a place you'd look for a hacker culture," Jim Lewis of the Center for Strategic and International Studies told Killer Apps today. "The tendency is to overestimate their capabilities. When you look at their nuclear weapons or their missiles, yeah they have them, but they're pretty primitive. Hacking probably tracks with their other programs."
"Are they trying? Sure, they've been trying since 1995, 1996 when Korean diplomats in the UN began to take computer programming courses in New York," added Lewis. "But the idea that they have low capabilities in all these areas and high capabilities in this one area [cyber] is just a little bit hard to believe."
Here's what the intelligence unit at cyber security firm Mandiant tells Killer Apps about the North Korean military's cyber endeavors:
While we are unable to determine the extent of North Korean cyber capabilities, we anticipate they may be capable of offensive cyber operations, cyber espionage, and surreptitious intelligence collection on individuals or organizations they perceive as threatening.
North Korea's Automation University graduates around 100 skilled cyber specialists each year and several academies and schools in North Korea now focus on training electronic warfare specialists that support at least two hacker brigades. The majority of North Korea's cyber activities, as reported in the open press, have focused on South Korea. However, we consider that North Korea could target U.S. commercial entities for military or dual use technologies it lacks due to ongoing trade sanctions. During times of heightened political tensions, targeting critical infrastructure or computer networks of either South Korea or the United States might appeal as a perceived lower-risk form of escalation.
We believe North Korea will become more active in the cyber domain as the regime struggles to maintain legitimacy as a military power amid international scrutiny surrounding its nuclear program. Computer network operations employed as a lever of influence, coercion or disruption might appeal to North Korean authorities constrained by the sanctions regime.
In case you haven't been following it, the Twitter traffic from today's Cyber Dialogue 2013 at the University of Toronto's Munk School of Global Affairs featured a great quote from a recently retired Canadian general.
Lt. Gen. Andrew Leslie (chief of the Canadian Army from 2006 to 2010) apparently made a comment that yours truly has heard plenty of times in Washington: a major, destructive cyber attack would likely prompt a knee-jerk reaction from governments that greatly expanded their control of the Internet. Killer Apps wasn't at the event to hear the quote directly, but here's what people who were at the event tweeted about it.
Taylor Owen, research director at Columbia University's Tow Center for Digital Journalism, tweeted that the general's comments sent "a chill over" the conference:
Scott Carpenter of Google Ideas called the Canadian general's comment "a weird threat":
Finally, Richard Bejtlich, chief security officer at cyber firm Mandiant, tweeted:
It's interesting to see cyber professionals from some of the foremost institutions in tech, business, and journalism express surprise over Leslie's comments. U.S. lawmakers have made similar comments throughout the last year in trying to pass cyber security legislation.
Reps. Mike Rogers and Dutch Ruppersburger -- co-sponsors of CISPA, the cyber security bill currently being worked on in the House -- have used this argument several times in an attempt to push lawmakers to adopt their bill, which civil liberties advocates say is harmful to individual privacy rights.
Last summer, James Lewis of the Center for Strategic and International Studies warned that a destructive cyber attack will likely result in Congress passing legislation that runs roughshod over privacy rights.
Army Gen. Keith Alexander, head of U.S. Cyber Command, yesterday said that civilian agencies should have the lead in responding to most cyber attacks on U.S. soil.
"From my perspective the domestic actor would be the FBI," said Alexander, responding to a question from Rep. Joe Heck about the command's role in responding to cyber attacks that originate in the United States. "We share our tools with the FBI. They work through the courts to have the authority to do what they need to do in domestic space to withstand an attack."
Cyber Command and FBI Director Robert Mueller have "come up with a way that he would do inside [the U.S.] and we would do outside," Alexander added, in testimony to a House Armed Services subcommittee.
Alexander went on to point out that DOD, the FBI, and the Department of Homeland Security are hammering out ways to share information on cyber threats extremely quickly -- figuring out where the attack is coming from; determining whether it's a criminal, espionage, or destructive attack; and allowing the appropriate agency to take the lead while receiving support from the others.
"There may be points and times where you have, you know, significant attacks where we need to change parts of that [civilian-led response structure], but the key thing is to have him [Mueller and the FBI] do inside the country," said Alexander. "He would work with the courts as appropriate to do his portion of the mission. Outside the country, that's where we would operate." (Click here to read about the offensive cyber teams that DOD is standing up to conduct operations outside the United States.)
It's worth noting that some of the teams that Cyber Command is establishing to "operate and defend" networks will work closely with "DHS and FBI as required," said Alexander.
Still, as Alexander noted, "the Defense Department will do its part to defend the country. It's not going to just defend itself. Our job is to defend the country and the focus would be obviously on critical infrastructure, just as it would be in kinetic and other things."
He elaborated on the key questions that govern the debate as to when the military becomes deeply involved in responding to a cyber incident.
"The issue becomes, when does an exploit become an attack, and when does an attack become something that we respond to? Those are the policy decisions, and the red lines that go to those will be policy decisions" for the White House, said the four-star. "Our job would be to set up the options that the president and the secretary could to stop [destructive cyber attacks from an outside enemy]. And as you may recall, both the former president and the current president have both said that they would keep the options open in this area. I mean, I think that's reasonable, from using State Department to demarche, all the way over to kinetic options or cyber. So they have that whole range."
Army Gen. Keith Alexander, head of United States Cyber Command, dropped several interesting nuggets about the military's cyber forces during a Senate Armed Services Committee hearing today.
First off, the command is fielding 13 offensive cyber teams that are tasked with deterring destructive cyber attacks against the United States. While Alexander said these are offensive teams, he insisted their role is defensive: "Let me be clear, this defend-the-nation team is not a defensive team, this is an offensive team that the Department of Defense would use to defend the nation if it were attacked in cyberspace."
If you have trouble making sense of that, you're not alone. After the hearing, Alexander compared the teams to missile defenses. (Click here to read some of the Defense Science Board's recent suggestions for deterring destructive cyber attacks with some pretty offensive weaponry.)
"We are already developing the teams that we need, the tactics, techniques, and procedures and the doctrine for how these teams would be employed, with a focus on defending the nation in cyberspace," said Alexander in his opening statement.
In addition, the command is developing 27 teams that will provide assistance in planning offensive cyber operations to the regional combatant commands -- the military organizations around the globe that are tasked with actually fighting wars.
Finally, the command is organizing a number of teams, Alexander didn't say how many, aimed at defending the military's networks against cyber attacks.
"Those three sets of teams are the core construct for what we're working with the services to develop our cyber cadre," said Alexander. "The key here is training our folks to the highest standard possible."
One third of these teams will be stood up by September 2013, the second third in late 2014, and the final third will be in place a year after that, he told lawmakers.
The Army four-star also said in his written statement that in addition to 917 troops and civilians at Cyber Command headquarters in Maryland (with a budget for FY13 of $191 million), there are more than 11,000 people from all four armed services working cyber issues for the command. (Click here for Killer Apps' recent look at the total expected number of cyber troops in the U.S. military. The numbers we saw were a lot higher than 11,000.)
Alexander's testimony comes as Defense Secretary Chuck Hagel is looking at whether or not to elevate Cyber Command to a full-unified command. Cyber Command currently reports to U.S. Strategic Command.
Later in the hearing Alexander said he agreed with Sen. Lindsey Graham's (R-SC) statement that a major cyber attack that devastated the U.S. power grid would do "as much or more damage" as the 9/11 terrorist attacks. On the other end of the spectrum, Alexander said that the denial of service attacks like the ones suffered by major U.S. banks last fall are best dealt with by Internet Service Providers, not the government. He went on to say that in addition to the Obama administration's recent cyber security executive order, legislation is needed to allow private businesses to share information about cyber attacks they are suffering in real time with the U.S. government.
Also today, the U.S. Intelligence Community released its annual Worldwide Threat Assessment, featuring cyber at the top of the list, ahead of terrorism. However, U.S. Director of National Intelligence James Clapper told lawmakers today when unveiling the assessment that the risk of major destructive cyber attacks against the U.S. by a major cyber player like Russia or China "is remote." Remember, Russia and China are the two powers most frequently cited as being able to execute a catastrophic destructive attack against the U.S. Still, many would point out these countries have little interest in doing so.
Last month it was big news that the Pentagon was considering increasing the size of U.S. Cyber Command from 900 people to 4,900 troops and civilians. Then, in response to the now-famous Mandiant report detailing the exploits of a PLA cyber unit, the Chinese government claimed that the U.S. had a "hacking unit" of 100,000 cyber warriors.
While some people dismissed this claim, we decided to use publicly available info to tally up the size of the U.S. military's various cyber commands -- the units dedicated to protecting the military's networks from cyber attack and waging offensive cyber operations. Keep in mind that we didn't get the total number of civilian contractors or cyber personnel at the NSA, CIA, DIA, and other intelligence agencies. There are also likely troops out there working on cyber that aren't necessarily attached to the units listed below. Nevertheless, the U.S. has far more "cyber warriors" than the 900 people working on digital warfare at Cyber Command.
Here are the numbers that are publicly listed on the web for each service's dedicated cyber arms. These forces act as each service's contribution to U.S. Cyber Command and Strategic Command when needed.
24th Air Force: 16,400+ airmen and civilians.
Navy Fleet Cyber Command/Tenth Fleet: At least 14,000 sailors and civilians
Army Cyber Command: Set to exceed 21,000 soldiers and civilians.
U.S. Cyber Command: 900, set to grow to 4,900 troops and civilians.
Total expected cyber troops: 53,000 to 58,000.
The next step is figuring out the military's total cyber budget.
Killer Apps was lucky enough to have a short email Q and A with Air Force General C. Robert Kehler, chief of U.S. Strategic Command. Remember, in this role he's not only in charge of the nation's nuclear forces, he's also the military's top cyber officer since U.S. Cyber Command falls under STRATCOM.
It's worth pointing out that he's been dealing with cyber professionally for almost a decade. Before taking over STRATCOM in 2011, Kehler led Air Force Space Command when it stood up the service's cyber fighting unit, 24th Air Force, with more than 14,000 airmen in 2009. From 2005 to 2007, he served as deputy commander of U.S. Strategic Command where he helped oversee, among other things, the U.S. military's network warfare operations -- the term for what would later be called cyber operations.
Here's what he has to say about cyber threats, the idea of cyber deterrence, the cyber budget, and whether or not Cyber Command will become an independent combatant command:
Killer Apps: What worries you the most in cyber, what keeps you up at night?
Kehler: The possibilities of disruption or damage to the nation's critical infrastructure, our economy, and our military capabilities from cyber-attack or cyber-espionage are of great concern.
The greatest cyber threat we face as a nation is the catastrophic failure of systems and networks supporting critical infrastructure for national security or public safety. The uncertainties in the full capabilities of potential adversaries along with the requirement to rapidly characterize an attack when coupled with the speed at which a potential adversary can carry out that attack concern me.
Killer Apps: How are the sequester, the continuing resolution, and general budget concerns impacting cyber forces?
Kehler: The continuing resolution will have the largest impact to US Cyber Command in the areas of workforce growth and cyber situational awareness. The Department was primed to begin an aggressive increase in the size and training of the workforce to provide full spectrum cyber capability. The CR impacts this effort. Compounding this effect, sequestration will result in the furlough of more than 400 civilian workers at US Cyber Command. One of the key capabilities required to defend our networks is timely and comprehensive cyber situational awareness. The FY13 budget provided funds to begin development of a common operational picture to support cyber situational awareness for all the Services and Combatant Commands. This effort will also be delayed.
Killer Apps: Is there any update on the decision to elevate Cyber Command to a full unified command?
Kehler: The Joint Staff has been examining different command options, including maintaining the status quo. These different options will be presented to the Secretary of Defense for review and decision on whether to recommend a change to the President.
Killer Apps: Is a doctrine of cyber deterrence emerging?
Kehler: We are working hard to enhance the protection and resilience of our networks as we increase the capacity and capability of our cyber operational forces.
Together we believe these steps will enhance our overall deterrence posture by convincing adversaries they cannot achieve their objectives and will run the risk of unacceptable US response at the time, place, and via the domain of our choosing. It is in the best interests of all nations to recognize our common dependence on free access to and use of cyberspace, and to behave accordingly. Finally, we are working to improve our ability to detect and attribute hostile action in cyberspace.
This is interesting. The Defense Science Board's new report on protecting the Pentagon's computer networks calls for the development of a special force armed with its own bombers, cruise missiles, and cyber weapons to respond to a devastating cyber attack. Kind of like a mini, conventionally-armed Strategic Command for cyber deterrence.
We've heard Pentagon leaders acknowledge that they are building up their offensive cyber capabilities to deter destructive cyber attacks that could harm thousands or even millions of Americans. However, the new report says that the U.S. must go further to "ensure the President has options beyond a nuclear-only response to a catastrophic cyber-attack."
That's right, the report, written by the DSB's Task Force on Resilient Military Systems, implies that the United States might have to rely on nuclear weapons to retaliate after a large-scale cyber attack.
As one Pentagon official tells Killer Apps: "It's the responsibility of the Department of Defense to provide a range of options for policy leaders to deal with potential threats. In doing so, we must take into account the full range of capabilities at our disposal and how to engage if and when necessary."
To avoid going nuclear, the report calls for the Pentagon to develop a cadre of cyber and conventional forces that are heavily protected against cyber attack and dedicated to retaliating after such a strike.
"Cyber offense may provide the means to respond in-kind," reads the document. "The protected conventional capability should provide credible and observable kinetic effects globally. Forces supporting this capability are isolated and segmented from general-purpose forces to maintain the highest level of cyber resiliency at an affordable cost. Nuclear weapons would remain the ultimate response and anchor the deterrence ladder."
The document then lists a number of weapons systems that could be included in this special conventional deterrent force: "Global selective strike systems e.g. penetrating bomber, submarines with long range cruise missiles, Conventional Prompt Global Strike (CPGS), survivable national and combatant command."
It goes on to suggest that only a handful of bombers would be specially defended and reserved for this cyber deterrence mission.
"Notionally, 20 aircraft designated by tail number, out of a fleet of hundreds, might be segregated and treated as part of the cyber critical survivable mission force. Segmented forces must remain separate and isolated from the general-purpose forces, with no dual-purpose missions (e.g. the current B-52 conventional/nuclear mission)."
To put this in place, the report calls for the Pentagon to develop "an updated Strategic Deterrence Strategy, including the development of cyber escalation scenarios and red lines."
Remember, the DSB is an advisory panel that gives recommendations to the Pentagon leadership about technological threats and challenges. It is not part of the U.S. military chain of command and the brass can ignore its findings.
"The department is reviewing the report to consider application of some of these recommendations for future cyber policy and operations," the defense official said.
Think you knew all there was to know about Stuxnet, the worm that was discovered in 2010 to have destroyed thousands of uranium enrichment centrifuges at Iran's Natanz nuclear facility? Think again. It appears that an early version of the worm was attacking Iran's nuclear program years before the version that made headlines in 2010 was unleashed, according to a new report by the IT Security firm Symantec.
Dubbed Stuxnet 0.5, the early version of the worm attacked Iran's nuclear program by closing valves that allowed uranium hexafluoride gas (UF6) to flow into the centrifuges at Natanz, according to Symantec. Cutting off the flow of UF6 would, in theory, damage the centrifuges. (Click here for a primer on gas centrifuges.)
This apparently didn't work as well as Stuxnet's designers wanted it to and we saw later versions of the worm that famously caused the centrifuges to spin out of control -- thereby destroying them. Stuxnet 0.5 was under development as early as November 2005 and in the wild by November 2007 with orders to shut down by July 2009 -- the year that the version aimed at causing the centrifuges to spin out of control was developed, according to Symantec.
"The earliest known variant of Stuxnet was version 1.001 created in 2009. That is, until now," reads a Symantec blog post accompanying the report.
Remember, Stuxnet was reportedly the work of a U.S.-led cyber campaign against Iran known as Operation Olympic Games. At the time of its discovery the worm was considered to be one of the most advanced cyber weapons ever fielded. The worm reportedly took an unprecedented amount of time, expertise, and money to create.
As a Symantec blog post says, "Stuxnet proved that malicious programs executing in the cyber world could successfully impact critical national infrastructure."
The malware was designed to worm its way (See what I did there?) harmlessly around the globe until it found its precise target, the Siemens-made programmable logic controllers (PLCs) that ran the centrifuges at Natanz. Once there, it attacked. You know the rest.
Some cybersecurity experts fear that cyberweapons like Stuxnet can be reverse-engineered and used against their creators or sold on the ever-growing black market for cyber weapons.
"The difference between traditional weapons and cyber weapons is that it's not possible to [re]assemble a cruise missile after it has been used," said cyber security expert Eugene Kaspersky last September in Washington. "Cyber weapons are different" because the victims "can learn from" weapons used against them.
As another cyber security expert told Killer Apps last fall:
Because uranium centrifuges and power turbines are both spinning machines, "the attack is identical -- the one to take out the centrifuges and the one to take out our power systems is the same attack."
"If a centrifuge running at the wrong speed can blow apart" so can a power generator, said the expert. "If you do, in fact, spin them at the wrong speeds, you can blow up any rotating device."
A week after releasing its cyber security executive order, the White House today unveiled its strategy to fight back against the wave of intellectual property (IP) theft facilitated by cyber espionage that has hit U.S. businesses in recent years.
The Administration Strategy on Mitigating the Theft of U.S. Trade Secrets calls for: increased diplomatic efforts to confront nations hosting IP thieves and increased collaboration between governments on combating IP theft; the promotion of voluntary best practices by businesses to protect their trade secrets; "enhanced" domestic law enforcement operations; improved domestic legislation; and increased "public awareness and stakeholder outreach."
The document also includes a number of anecdotes about China-based thieves stealing U.S. intellectual property.
One of the key elements of the strategy is the plan to increase prosecution of people caught stealing U.S. trade secrets. The administration also wants to increase information sharing between the Intelligence Community and the private sector on foreign efforts to steal trade secrets, including the type of info being sought and the techniques being used. The strategy also notes that the shift toward cloud and mobile computing will likely increase the threat of cyber espionage.
Included in the document's list of likely espionage targets are a wide range of industries from defense contractors to IT firms and clean energy companies.
The White House's 141-page strategy document was released one day after cyber security firm Mandiant published a report detailing the exploits of a Chinese military unit involved in widespread cyber theft and espionage against U.S. businesses.
Just last week, Rep. Mike Rogers (R-Mich.), chairman of the House intelligence committee, called for the U.S. to do more in confronting China on its massive cyber espionage campaign against American businesses.
The U.S. government has and will continue to confront senior Chinese government officials "at the highest levels" about the massive amounts of cyber theft and espionage being committed against the United States by Chinese hackers, a senior White House official said today.
"We have repeatedly raised our concerns at the highest levels about cyber theft with senior Chinese officials, including in the military, and we will continue to do so," said the official in a statement emailed to Killer Apps Monday morning in reaction to cyber security firm Mandiant's new report detailing the exploits of a Chinese government cyber espionage unit.
"The United States has substantial and growing concerns about the threats to U.S. economic and national security posed by cyber intrusions, including the theft of commercial information," said the official, whose comments come a week after the White House introduced its cyber security executive order aimed at protecting critical infrastructure providers -- a relatively small group of banks, transport firms, energy companies, defense contractors and communications providers -- from crippling cyber attacks that would impact large numbers of Americans. The Pentagon is famously bolstering its offensive cyber capabilities in an effort to deter destructive cyber attacks against the United States.
The news of Mandiant's findings, first reported by the New York Times, also comes a week after Rep. Mike Rogers (R-Mich.), chairman of the House intelligence committee, called on the United States to confront China on its reportedly widespread cyber theft and espionage campaign against U.S. government and businesses.
"We need direct talks with China, and it needs to be at the top of a bilateral discussion about cyber espionage," Rogers told Killer Apps after a speech at the Center for Strategic and International Studies Wednesday. "This is a problem of epic proportions here and they need to be called on the carpet. There has been absolutely no consequences for what they have been able to steal and repurpose to date."
Rogers suggested that the United States begin implementing trade sanctions and "identifying individuals who participate in this, go after their visas, go after family travel -- all of the levers we have at the Department of State. The problem is that bad."
White House officials have repeatedly declined to discuss the specific steps they are considering taking to counter Chinese cyber aggression.
The United States is reportedly preparing a National Intelligence Estimate detailing Chinese cyber attacks against U.S. interests. Last year, Rogers's committee urged U.S. companies not to deal with Chinese telecommunications firms Huawei and ZTE, accusing the two of spying on U.S. businesses for the Chinese government. Also last year, U.S. Army Gen. Keith Alexander, head of U.S. Cyber Command and the National Security Agency, called cyber crime "the greatest transfer of wealth in history."
The White House official went on to call for the United States and China to "continue a sustained, meaningful dialogue and work together to develop an understanding of acceptable behavior in cyberspace."
The effort to establish international rules of the road, or norms of behavior, in cyberspace based on the law of armed conflict is a tricky process that may take decades to flesh out, U.S. officials have repeatedly said.
DARPA is getting serious about one of the issues that cyber-security professionals inside and outside government regularly bemoan: the relative inability of weak passwords to protect...anything.
To overcome the fact that passwords can be stolen or hacked -- and don't necessarily protect a computer once the authorized user is logged on -- the Pentagon's research arm has kicked off a $14 million effort to develop sensors that can constantly monitor users' online behavior to determine whether they are who they say they are.
This kind of vigilance is going to become all the more important as the Pentagon shrinks the number of networks it runs under its cloud-computing initiative and fields mobile devices capable of handling classified information. Ask any cyber security expert and they will tell you that computer networks will inevitably be compromised and that the best defense lies in constantly monitoring for weird behavior.
How exactly do you do that? Well, that's where DARPA's Active Authentication program comes in. The Active Authentication program is aimed at verifying your identity based on your online behavior instead of an easily guessed or stolen password.
"The program focuses on the development of new types of behavioral biometrics focused on the user's cognitive processes," Richard Guidorizzi, DARPA program manager, explained in an email to Killer Apps. In English, that means Active Authentication will monitor your computer habits -- like your typing patterns, the way you use a mouse, and even how you construct sentences -- to assemble an "online fingerprint."
"Examples of this could include, but are not limited to, behavioral biometrics that focus on a user's unique way of typing on the device or cognitive biometrics that focus on how the user processes language and structures sentences," he said.
In theory, a user would log onto his computer using a government-issued secure ID card, known as a Common Access Control card. This would tell AA sensors to begin monitoring the user, analyzing typing and sentence structure, and comparing the patterns to previous behavior.
AA isn't just limited to desktop computers. DARPA will also address mobile devices.
This could come in mighty handy for soldiers and spies who are increasingly reliant on smart phones and tablets to do everything from filing flight plans to collecting and sharing classified information.
Mobile devices will have their own unique safeguards. "For example, the accelerometer in a mobile phone could track how the device rests in a user's hand or the angle at which he talks into it. Another technique might track the user's gait, reflecting how he walks as it is transported. In theory, each of these examples could be another layer of user validation," Guidorizzi writes.
Don't expect AA tech to be put into place anytime in the near future, though -- AA's work is experimental. "This program is not intended to develop fielded systems but instead to advance the technologies and concepts outlined above," added Guidorizzi.
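One way to turn the "online fingerprint" idea above into working code, as an added example that is not DARPA's or the Active Authentication program's code: it assumes the only input is a stream of (key, timestamp) events, uses the latency between consecutive keys, grouped by digraph, as the behavioral feature, and scores each window of live typing against the enrolled profile. All typists and keystroke data below are constructed.

```python
"""Continuous authentication from keystroke rhythm (behavioural biometrics).

Added example, not DARPA's or the Active Authentication program's code. It
assumes the only input is a stream of (key, timestamp_ms) events and uses the
latency between consecutive keys, grouped by digraph ("th", "he", ...), as
the behavioural feature. All sample data below is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Optional, Tuple

Event = Tuple[str, float]                  # (key, time in ms)
Profile = Dict[str, Tuple[float, float]]   # digraph -> (mean_ms, std_ms)


def digraph_latencies(events: List[Event]) -> Dict[str, List[float]]:
    """Latency between each pair of consecutive keys, grouped by digraph."""
    out: Dict[str, List[float]] = defaultdict(list)
    for (k1, t1), (k2, t2) in zip(events, events[1:]):
        lat = t2 - t1
        if 0 < lat < 2000:        # long pauses say nothing about typing rhythm
            out[k1 + k2].append(lat)
    return out


def enroll(sessions: Iterable[List[Event]], min_samples: int = 3) -> Profile:
    """Build the user's 'online fingerprint': per-digraph mean and std dev."""
    pooled: Dict[str, List[float]] = defaultdict(list)
    for session in sessions:
        for dg, lats in digraph_latencies(session).items():
            pooled[dg].extend(lats)
    # Floor the std dev so a very consistent digraph does not become brittle.
    return {dg: (mean(lats), max(pstdev(lats), 5.0))
            for dg, lats in pooled.items() if len(lats) >= min_samples}


def score(profile: Profile, events: List[Event],
          min_overlap: int = 5) -> Optional[float]:
    """Mean absolute z-score of a session against the profile (lower = more
    like the enrolled user). None when too few digraphs overlap to judge."""
    zs = []
    for dg, lats in digraph_latencies(events).items():
        if dg in profile:
            m, sd = profile[dg]
            zs.extend(abs(lat - m) / sd for lat in lats)
    return mean(zs) if len(zs) >= min_overlap else None


def monitor(profile: Profile, events: List[Event], window: int = 20,
            threshold: float = 2.0, strikes: int = 2) -> List[Tuple[int, float]]:
    """Score the live stream window by window after logon and alert only
    after `strikes` consecutive bad windows, so one odd burst of typing does
    not lock the user out. Returns (window start index, score) pairs."""
    alerts, bad = [], 0
    for start in range(0, len(events) - window + 1, window):
        s = score(profile, events[start:start + window])
        if s is None:
            continue
        bad = bad + 1 if s > threshold else 0
        if bad >= strikes:
            alerts.append((start, round(s, 2)))
    return alerts


# --- constructed data: two typists with characteristic digraph latencies ---
TEXT = "the quick brown fox jumps over the lazy dog " * 3
GENUINE = {"th": 80.0, "he": 90.0, "qu": 150.0, "ow": 110.0, "default": 120.0}
IMPOSTOR = {"th": 140.0, "he": 160.0, "qu": 210.0, "ow": 170.0, "default": 180.0}


def simulate(text: str, typist: Dict[str, float], seed: int) -> List[Event]:
    """Constructed keystroke stream with a small deterministic jitter (-5..+5 ms)
    so the example is repeatable without random numbers."""
    events, t = [(text[0], 0.0)], 0.0
    for i, (a, b) in enumerate(zip(text, text[1:])):
        jitter = ((i * 7 + seed) % 11) - 5
        t += typist.get(a + b, typist["default"]) + jitter
        events.append((b, t))
    return events


def demo() -> Tuple[float, float, int, int]:
    """Enroll on three sessions, then score a new genuine session and an impostor."""
    profile = enroll(simulate(TEXT, GENUINE, seed) for seed in (0, 1, 2))
    genuine = simulate(TEXT, GENUINE, 3)      # same user, new session
    impostor = simulate(TEXT, IMPOSTOR, 3)    # someone else at the unlocked desk
    return (score(profile, genuine), score(profile, impostor),
            len(monitor(profile, genuine)), len(monitor(profile, impostor)))


if __name__ == "__main__":
    g, i, ga, ia = demo()
    print(f"genuine score {g:.2f}, impostor score {i:.2f}, "
          f"alerts: genuine {ga}, impostor {ia}")
```

The threshold, window size and strike count are tuning knobs: a real deployment would set them from enrollment data so that the false-rejection rate for the legitimate user stays acceptable.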
Still, some type of online identity software may emerge in the coming years. Just today White House Cyber Security Coordinator Michael Daniel told an audience at the Center for Strategic and International Studies that he wants to see research and development programs that sound a lot like AA shift the balance of cyber power from favoring the attacker, as it does right now, to favoring the defender.
Daniel told Killer Apps he wants to know whether there are "ways that you can bake in better credentialing into the underlying structure of the Internet? Are there ways you can get the software manufacturers make software secure by default, so that you actually have to work at browsing insecurely?"
The leaders of the House intelligence committee say they are working with the White House to ensure passage of the Cyber Intelligence Sharing and Protection Act, which fell to a presidential veto threat last year but which Chairman Mike Rogers (R-Mich.) reintroduced yesterday.
The bill would establish rapid information-sharing about cyber threats between private businesses and the government. Last year, the White House threatened to veto it over concerns from privacy groups that the bill gave the government too much authority to view people's online activities without a warrant.
"We were working with the White House for one year, and we thought everything was going to be fine," Dutch Ruppersberger, the committee's ranking member, said yesterday in a joint appearance with Rogers. "Fifteen minutes before we went to the rules committee, we received a phone call that the president was going to veto our bill."
"We've resolved all that," he added. "We're working with the White House as of today. Mike [Rogers] and I talked with the national security advisor [Tom] Donilon and the White House is now working with us to ensure that somehow, some way, we get a bill."
Rogers was a little more cautious, telling reporters yesterday that White House "does not endorse the bill" as it stands right now and that negotiations over its contents are ongoing. "They want to see changes in the bill, but that's a long way from where we used to be," said Rogers. "We're actually having a dialogue on how the bill moves through, I welcome that, that's a good thing."
Ruppersberger and Rogers repeatedly emphasized during a Capitol Hill hearing today that the bill will not infringe on privacy, and that CISPA only authorizes the government and private companies to share digital threat signatures, "ones and zeros" that make up packets carrying malware.
It does not allow the government to "monitor your computer, read your email, tweets or Facebook posts," Ruppersberger said yesterday.
The two lawmakers also said they are committed to working with privacy advocates on the bill.
Rep. Mike Rogers said today that Iran may pose the highest risk of a destructive cyber attack on U.S. critical infrastructure because its leaders are irrational. Although Russia and China are conducting large-scale cyber espionage campaigns, he explained, Iran has fewer qualms about launching a destructive attack.
"You have nation-states like Iran who are developing this capability, and they're not a rational actor when it comes to trying to disrupt or cause a catastrophic attack to our U.S. economy," the chair of the House Permanent Select Committee on Intelligence said during a speech Wednesday reintroducing his Cyber Intelligence Sharing and Protection Act, better known as CISPA.
Rogers said that Iran had already displayed its willingness to wreak havoc abroad in the attacks last August against the Saudi Aramco oil company and the Qatari gas firm RasGas, which wiped the data from 30,000 computers and kept employees off email for more than a week.
The U.S. government has yet to name a culprit in those attacks, but Rogers said that, based on his conversations with private sector cyber security analysts, he is "99.9 percent sure" that Iran was behind them.
"That's a new level of capability," said Rogers. "They have obviously aggressively stepped up their campaign."
He then pointed to last fall's denial of service attacks against U.S. banks as also being the work of Iranian cyber operators, though he acknowledged those attacks were far less sophisticated and damaging.
"Most people believe that was a probing action, they're trying to find deficiencies in our systems to find a better way to come back and cause some catastrophic disruption," Rogers said. "You can imagine how devastating it would be, not just getting into that system but actually breaking that system, manipulating and changing data, and destroying data. Devastating. That could bankrupt a company."
Rogers said that Russia and China would be unlikely to attack the United States in peacetime, but that Iran is a different story.
"I think they're eager and ready to ramp up their actions against the United States," he said to reporters after his speech. "Here's a country that's feeling isolated. Sanctions are hurting badly. You saw them reach out and strike Aramco. This is the same country that tried to kill the Saudi ambassador here in Washington DC. This is not a country that's going to make a rational decision about attacks of this nature."
Finally. President Barack Obama signed the long-awaited executive order on cyber security today. As expected, the order expands information-sharing programs between the government and private sector and establishes voluntary cyber security best practices for critical infrastructure providers -- though the administration plans to use its leverage to strongly encourage compliance.
One of the order's main provisions calls for the National Institute of Standards and Technology to work with the private sector to identify a set of cyber security best practices that can be turned into a "Cybersecurity Framework" that critical infrastructure firms would use to ensure they are defended against cyber attack. A senior administration official said this afternoon that this framework, due one year from today, "is not designed to be a one size fits all approach" and will "not lock in specific technology or approaches."
NIST and other government agencies will work with businesses that have proven to be the best at cyber security to help develop these practices. "We believe that companies driving cyber security innovations are really in the best place to help us push out best practices across more of the critical infrastructure and companies would have a lot of flexibility in determining how to do so," said the official. "This is about taking the existing best practices and spreading them out to as many of the critical infrastructure companies as we can."
The Department of Homeland Security will form an organization to push out these standards to critical infrastructure providers. DHS, DoD and other government agencies will develop incentives, in collaboration with the private sector, to coax critical infrastructure companies into adhering to those standards, since they are officially voluntary.
"There's a whole range of" incentives that have been suggested, added the official, mentioning the recommendations of the Commission on Cybersecurity for the 44th Presidency as some examples.
Possible incentives could include government contracts, according to the official. Government agencies have 120 days from now to come up with these incentives.
In addition to the incentives, the order also has "teeth," according to the official. It calls for federal agencies to review their regulations for industries they oversee to make sure they apply to cyber security. If critical infrastructure providers don't live up to the minimal best practices that emerge in the Cybersecurity Framework, the agencies could find a way to make them.
"It makes business sense to [adopt these practices] in a lot of cases, and that's something that a lot of businesses are starting to understand," said the official. "What we want to make sure of with our direction to our federal regulators is that, if for some reason that market signal isn't getting through as clearly or as loudly as we would like, that there's the backstop of the federal regulators to make sure those companies that are in this critical infrastructure [sector] . . . are really putting into the baseline levels of cyber security."
In other words, the administration believes the market will demand better cyber security, and it is going to provide incentives to encourage better practices. But if those approaches don't work, it will use its regulating power to ensure that various critical infrastructure businesses adhere to minimal standards, added the official.
"We're giving multiple avenues for either incentives to be created in the voluntary program and for market forces to work, but we're also putting in place the ability and the direction for the regulators to use their existing authority, if needed" to make sure critical infrastructure businesses adhere to minimal standards, said the official.
The order defines critical infrastructure providers as companies and organizations with "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." The senior administration official said the White House expects this to amount to a very small number of private businesses.
The order also calls for increased information sharing about cyber threats between government agencies like the Defense Department, the Department of Justice, the Intelligence Community, and the Department of Homeland Security. One of the ways this will be done is by expanding the Pentagon's DIB Pilot program, which allows the government to rapidly share information on cyber threats aimed at defense contractors with those companies.
As expected, DHS will have the lead on information sharing and is required to come up with a plan to ensure that civil liberties are protected. The order does not provide liability protections for companies that improperly share private citizens' information with the government or that violate antitrust laws in the course of sharing information. Those issues will have to be addressed by cyber security legislation, said the official. The order also calls for an expansion in the number of critical infrastructure workers who may receive classified briefings on cyber threats.
White House officials today said the information shared under the executive order would be specific digital threat signatures -- strings of ones and zeros -- that can identify pieces of malware aimed at critical infrastructure providers, not the contents of people's email. The order calls for numerous privacy protections and reviews when information is shared to make sure that information about private citizens or companies is not inappropriately used. The privacy protections involved "will be based upon the Fair Information Practice Principles," reads the document.
With the White House expected to release its cyber security executive order as early as tonight, Killer Apps spoke with some private sector cyber security experts on what they would like to see. Almost all agreed that the Obama administration -- and Congress -- need to do something to help protect the nation's banks, transport companies, energy firms, defense contractors, and other companies on which millions of people rely, from a crippling cyber attack.
"It's a public security and a public safety issue, and it needs some level of government oversight because you cannot let market forces completely go in areas where public safety is involved," said Ashar Aziz, chief technology officer of FireEye. While Aziz and other IT security executives Killer Apps spoke with recently agreed that the government needs to do something to ensure that critical infrastructure providers are adequately protected against cyber attacks, they caution that an executive order or legislation should not dictate technical security measures (such as specific pieces of software) that could quickly become obsolete.
"The regulations don't need to be specified in terms of technology, they need to be specified in terms of posture," said Aziz. "You need to look at where the [evolving] threats are, how the threats operate, and what is needed to counter such threats. . . . All we need to say is, the critical networks need to have safeguards to protect against unknown threats, independent of technology. Use whatever the best commercially available products on the market are."
Some suggest that the government could follow the model used by the credit card industry's security organization, Payment Card Industry Security Standards Council, whose members develop security standards and audit companies that process credit card payments. If a company fails an audit, the council has the power to ban that firm from processing credit cards.
"It specifies 12 different things that companies need to do in order to secure credit card data," such as encrypting credit card data and using firewalls. "An auditor will walk in and look and see how well you followed that 12-step criteria," said Rob Rachwald, manager of IT security strategy at Imperva. "If you're found out of compliance, different penalties could apply. They may be financial penalties. Worst case -- and this doesn't happen very often but it does happen -- your ability to transact credit cards is pulled."
Roger Thornton, chief technical officer at AlienVault, agrees with the approach.
"What you want to specify is, 'the end result I [the government] want you to achieve. You're all smart and you'll all find different ways to achieve it,'" said Thornton of what any cyber legislation should say. That end result would involve limiting how many break-ins each firm suffers or how many IT security vulnerabilities the firm has.
The execs also agreed that provisions allowing for rapid information sharing on cyber threats, and the best way to defend against them, between the government and private businesses needs to be in any executive order or legislation.
"We really need good threat intelligence sharing, these attacks frequently come in campaigns and these campaigns target multiple organizations," said Aziz. "We need a real-time view of a threat landscape. I believe it's possible to provide that in a way that does not violate or compromise the consumer's or the public's information privacy."
The Cyber Security Act of 2012, which failed to pass the Senate last fall, contained provisions aimed at encouraging businesses to share information with the government about cyber attacks they had suffered by freeing them of liability for improperly sharing citizens' private information.
"We all recognize that cybersecurity is a [government] problem because a lot of these attacks are coming from overseas," said Rachwald. "What would happen for example, if the government ponied up a community resource center" aimed at sharing information about cyber attacks against U.S. firms and the best responses to those attacks.
Rachwald agreed that the government should order companies to constantly scan their networks for actual intrusions, not just potential vulnerabilities -- under the premise that all networks will be penetrated, no matter how good their security.
Richard Bejtlich, chief security officer with Mandiant, told Killer Apps that simply ordering that firms adhere to certain standards won't work. Businesses need to be audited for
"I would like to see some type of annual requirement, maybe starting with critical infrastructure, that says, at the very least on an annual basis, are you compromised?" he said. "You need to know, are the Russians inside your network, are the Chinese inside your network doing damage and have it be an annual test. All this vulnerability-based we've been doing for the last 10 or 15 years doesn't make any difference."
Companies would have to report publicly if they had been penetrated -- something that might prompt innovation in cyber defense since firms won't want to be known for having bad network security. "I see it as the same thing as a financial audit, are you a going concern, what kind of money are you making, what kind of money are you losing? As a shareholder, I want to know, is some of the intellectual property that drives this investment in someone else's hands."
Still, Bejtlich admits that this approach is "fairly intrusive, so the likelihood of that happening is low, instead, we're likely to see more standards."
Jeffrey Carr, CEO of Taia Global, echoed Bejtlich's sentiment, arguing that the SEC's current recommendation that companies disclose cyber attacks should be made mandatory. President Obama's executive order should "encourage the SEC to make their cyber security guidelines into requirements," said Carr in an email to Killer Apps. "At the very least, to require registrants to reveal their degree of cyber risk."
Taking the PCI audit model and using it to find actual penetrations on networks, instead of monitoring for vulnerabilities, may be workable, according to another cyber security expert.
The "idea of continuous monitoring linked to mitigation, if you can fit that into the credit card model, then that makes sense," said James Lewis of the Center for Strategic and International Studies. "The idea of monitoring for weird behavior is a good one, if massive files are being transferred out of your network at 3:00 in the morning, you know something's up."
When asked by Killer Apps about the business lobby's claim that critical infrastructure providers are doing a good job at cyber security and that no government action is needed, Lewis said, "Why are the banks squealing for help from NSA?"
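Lewis's "massive files at 3:00 in the morning" heuristic written out as detection logic, as an added example that is not CSIS's or any vendor's tooling: it assumes one flow record per line in the form `<ISO timestamp> <host> <dst_ip> <bytes_out>`, and goes one step beyond the quote by letting each host's normal business-hour volume set its own alert limit, with an absolute floor so small hosts do not page on noise. The flow log below is constructed.

```python
"""Off-hours bulk-egress detection over flow records.

Added example for the 'massive files going out at 3 a.m.' heuristic quoted
above; it is not CSIS's or any vendor's tooling. It assumes one flow per line
as '<ISO timestamp> <host> <dst_ip> <bytes_out>'. Each host's normal
business-hour volume sets its own alert limit, with an absolute floor so tiny
hosts do not page on noise. Data below is constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

Flow = Tuple[datetime, str, str, int]

OFF_HOURS = set(range(22, 24)) | set(range(0, 6))  # 22:00-05:59 local time
ABS_FLOOR = 200 * 1024 * 1024                      # never alert under 200 MiB/hour
RATIO = 10.0                                       # ...or under 10x the host's normal hour

# Constructed flow log; 198.51.100.0/24 is a documentation range, not a real site.
FLOWS = """\
# timestamp          host   dst_ip          bytes_out
2013-02-11T09:12:44 ws-17  198.51.100.20   41000000
2013-02-11T10:03:10 ws-17  198.51.100.21   38000000
2013-02-11T11:47:31 ws-17  198.51.100.20   45000000
2013-02-11T14:20:05 ws-17  198.51.100.22   52000000
2013-02-11T16:55:12 ws-17  198.51.100.20   47000000
2013-02-11T23:10:00 ws-22  198.51.100.30   30000000
2013-02-12T03:02:11 ws-17  198.51.100.99  400000000
2013-02-12T03:17:48 ws-17  198.51.100.99  450000000
2013-02-12T03:41:09 ws-17  198.51.100.99  380000000
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse the assumed one-flow-per-line format, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, dst, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return rows


def hourly_egress(rows: List[Flow]) -> Dict[Tuple[str, datetime], int]:
    """Total bytes out per (host, clock hour)."""
    buckets: Dict[Tuple[str, datetime], int] = defaultdict(int)
    for ts, host, _dst, nbytes in rows:
        buckets[(host, ts.replace(minute=0, second=0, microsecond=0))] += nbytes
    return buckets


def baselines(buckets: Dict[Tuple[str, datetime], int]) -> Dict[str, float]:
    """Median business-hour egress per host: what a 'normal' hour looks like."""
    per_host: Dict[str, List[int]] = defaultdict(list)
    for (host, hour), total in buckets.items():
        if hour.hour not in OFF_HOURS:
            per_host[host].append(total)
    return {host: statistics.median(v) for host, v in per_host.items()}


def find_off_hours_egress(rows: List[Flow]) -> List[dict]:
    """Flag off-hours clock hours whose egress exceeds max(floor, RATIO x baseline)."""
    buckets = hourly_egress(rows)
    base = baselines(buckets)
    alerts = []
    for (host, hour), total in sorted(buckets.items()):
        if hour.hour not in OFF_HOURS:
            continue
        limit = max(ABS_FLOOR, RATIO * base.get(host, 0))  # no baseline -> floor only
        if total > limit:
            alerts.append({"host": host, "hour": hour.isoformat(),
                           "bytes": total, "limit": int(limit)})
    return alerts


if __name__ == "__main__":
    for a in find_off_hours_egress(parse_flows(FLOWS)):
        print(f"{a['hour']} {a['host']} sent {a['bytes']:,} bytes "
              f"(limit {a['limit']:,})")
```

On the constructed log only ws-17's 03:00 hour (1.23 GB against a 450 MB limit) is flagged; ws-22's 30 MB at 23:10 stays under the floor, which is the "weird behavior" distinction Lewis is drawing.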
Rep. Jim Langevin (D-RI), co-chair of the Congressional Cyber Caucus, just released the text of a letter he sent President Barack Obama, urging him to discuss cyber security in his State of the Union address next week. Langevin doesn't specify what he wants the president to say other than "I hope that you will take the unique opportunity afforded by your State of the Union address to galvanize both Congress and the public to demand immediate action to secure our country's cyberspace."
Keep in mind that the White House is famously working on an executive order that is believed to contain minimum IT security standards for banks, energy companies, transportation firms, and other so-called critical infrastructure providers in the wake of Congress's repeated failures to pass cyber security legislation last year.
This comes just after a New York Times report saying that the White House has decided it can conduct preemptive cyber strikes if it thinks such actions will stave off a major cyber attack that could seriously damage the United States. Last October, Defense Secretary Leon Panetta said the Defense Department is prepared to conduct this type of aggressive defense.
Here's the text of Langevin's letter:
February 5, 2013
The Honorable Barack Obama
President of the United States
The White House
1600 Pennsylvania Avenue NW
Washington, D.C. 20500
Dear Mr. President:
Congratulations on your inauguration for a second term. As your State of the Union address now approaches, I would like to thank you for your efforts to improve our nation's cybersecurity in your first term. From increasing the amount and quality of the data shared among federal agencies and the private sector to elucidating clear policy guidelines for trusted identities in cyberspace and cyberwarfare, your administration has truly made protecting American citizens and American interests a national priority.
Unfortunately, the scope of the challenge has only increased. The same American ingenuity that allows our businesses to be world-leaders in information technology also exposes us to a host of new threats. Defense Secretary Panetta, speaking to the Business Executives for National Security, described the current state of cyber-affairs as "a pre-9/11 moment." Attacks against our defense industrial base, our financial services infrastructure, our free press, and even our own government networks are a daily occurrence. While none have yet caused the destruction on the scope of 9/11, the potential for such a disaster is real, and it is growing.
Combating this threat is a pressing priority. As the co-founder of the Congressional Cybersecurity Caucus, I work to inform my colleagues of the inadequacy of existing legislation to secure the domain, and I have appreciated your administration's efforts to highlight the immediacy of our need. I hope that you will take the unique opportunity afforded by your State of the Union address to galvanize both Congress and the public to demand immediate action to secure our country's cyberspace. While I trust that you will use every existing avenue of executive power to improve our capabilities in this realm, our current laws simply do not reflect the amazing technological advances (and the accompanying challenges) that have been made since their enactment.
I was privileged to serve as the Co-chair of the Commission on Cybersecurity for the 44th Presidency, which presented you with a series of recommendations when you first took office. Your actions in your first term have made it abundantly clear that you have embraced the need for a comprehensive cybersecurity strategy, and I look forward to working with you to expand and implement this strategy throughout the coming session.
Member of Congress
Below is the email that the Department of Energy sent to its employees notifying them that the personal information about several hundred DoE staff and contractors at the department's Washington headquarters may have been accessed by hackers.
You'll notice that DoE doesn't mention who might have been responsible for the attack, and it makes no mention of whether classified information regarding nuclear-anything was accessed.
(Several media accounts have said Chinese hackers were to blame and that the cyber attack didn't access nuclear-related information.)
You can also see that DoE is in the early stages of figuring out the details and full extent of the attack. From the early reports, it sounds like this could have been a spear phishing email attack. If that's the case, an employee at DoE likely got a professional-sounding email with a special file attached that contained malware; once the staffer clicked on the file, the hackers were into the department's networks. What would hackers/spies want with staffers' and contractors' email and the info contained within? For one thing, they could use it to crack security safeguards to other networks that contain classified information.
DoE's Inspector General's report on the department's cyber security practices from last fall points out a number of cyber vulnerabilities.
Here's the email:
The Department of Energy (DOE) has just confirmed a recent cyber incident that occurred in mid-January which targeted the Headquarters' network and resulted in the unauthorized disclosure of employee and contractor Personally Identifiable Information (PII).
The Department is strongly committed to protecting the integrity of each employee's PII and takes any cyber incident very seriously. The Department's Cybersecurity Team, the Office of Health, Safety and Security and the Inspector General's office are working with federal law enforcement to promptly gather detailed information on the nature and scope of the incident and assess the potential impacts to DOE staff and contractors. Based on the findings of this investigation, no classified data was compromised.
We believe several hundred DOE employees' and contractors' PII may have been affected. As individual affected employees are identified, they will be notified and offered assistance on steps they can take to protect themselves from potential identity theft.
Once the full nature and extent of this incident is known, the Department will implement a full remediation plan. As more specific information is gathered regarding affected employees and contractors, the Department will make further notifications.
The Department is also leading an aggressive effort to reduce the likelihood of these events occurring again. These efforts include leveraging the combined expertise and capabilities of the Department's Joint Cybersecurity Coordination Center to address this incident, increasing monitoring across all of the Department's networks and deploying specialized defense tools to protect sensitive assets.
Cybersecurity is a shared responsibility, and we all play an important role in maintaining the integrity and security of our networks. To help minimize impacts and reduce any potential risks, please keep the following best practices in mind:
Encrypt all files and emails containing PII or sensitive information, including files stored on hard drives or on the shared network.
Do not store or email non-government related PII on DOE network computers.
John Reed reports on the frontiers of cyber war and the latest in military technology for Killer Apps.