First the obvious disclosure piece. I’m never comfortable with allowing & receiving reports from those you procure services from. I’m even less comfortable with Northrop Grumman’s Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage report. I don’t understand what would possess the U.S.-China Economic and Security Review Commission to accept such a report let alone request and fund it from a Department of Defense contractor with significant interests in this developing area. I could care less if these information security analysts were the best on the planet this in my mind is a clear conflict of interest and “personnel firewalls” have zero effectiveness.
With all that mentioned let’s see what they put together in this massive document.
The immediate focus of the document is on “information confrontation.” They point to a Chinese paper on Infomization Dominance. Sounds a lot like the U.S. Navy’s Information Dominance Corps focus doesn’t it? Additionally it discusses China’s Integrated Network Electronic Warfare or INEW strategy.
PLA analysts consistently identify logistics and C4ISR infrastructure as U.S. strategic centers of gravity suggesting that PLA commanders will almost certainly attempt to target these system with both electronic countermeasures weapons and network attack and exploitation tools, likely in advance of actual combat to delay U.S. entry or degrade capabilities in a conflict.
This is of significant concern. The United States has continued to outsource and outsupply items through every portion of our lives and the result is this has forced the US Military to be dependent upon similar sourcing paths and venues. Until a shift toward in house production and upfront investments to mitigate supply chain risk this will continue to leave a massive vulnerability through every level of the Department of Defense and Critical Infrastructure of the United States.
At least 50 civilian universities conducting information security research nationwide benefit from one or more of roughly five main national-level high technology grant programs, reflecting what appears to be a broad technology development plan consistent with published national priorities.
My immediate response was that the U.S. has so many more universities conducting information security research that it dwarfs the metric listed. While true what is more concerning is the number of individuals China has attending our universities which compliments this metric. The cost is often prohibitive for the US Government and Military to send or acquire personnel from places like Carnegie Mellon University. However, for a highly resourced entity the ability to integrate with the leading Computer Science and Information Security university and research entities is much more significant.
Without strict control of this complex upstream channel, a manufacturer of routers, switches, or other basic telecommunications hardware is exposed to innumerable points of possible tampering and must rely on rigorous and often expensive testing to ensure that the 11 semiconductors being delivered are trustworthy and will perform only as specified, with no additional unauthorized capabilities hidden from view.
Until the U.S. changes its Research and Development to include Production capabilities this will pose a massive risk which cannot be managed, improved, or worked around. I’ve seen discussions to make this a responsibility of the GSA or other major government entity but I’m not sure GSA could effectively get this accomplished. I believe an entity tasked with this would need to be supported heavily by the National Laboratories and Research & Development components of the USG.
Professional state sponsored intelligence collection not only targets a nation’s sensitive national security and policy making information, it increasingly is being used to collect economic and competitive data to aid foreign businesses competing for market share with their U.S. peers.
There is no longer a difference between national security information and economic and competitive data information. Intellectual Property is part of a Cyber War and this includes the piracy of information and data. The difficult part of this is discerning the difference between Cyber Warfare and Cyber Crime. Where does this get handed to Cyber Command or the Department of Homeland Security? This is something that is currently being debated in the U.S. Congress. There are a couple of Information Security Bills being tossed around; Senator McCain’s Bill and Senator Lieberman’s Bill.
Media and industry reports portray some of the incidents attributed to China as advanced but the reality is that many successful penetrations are “advanced” only because the targeted organization was unable to stop them or detect the presence of the operators on their networks.
This is simply the complex media spin that exists in the United States. It makes it more interesting and sexy if it was complex. The story isn’t as valuable (yes advertisements run everything) to the news venue with out this interesting and sexy spin on it. Not bad to note that this is the case but if you don’t understand that this is occurring you aren’t paying enough attention.
Activities attributed to state sponsored operators often appear to target data that is not easily monetized in underground criminal online auctions or markets but highly valuable to foreign governments. Highly technical defense engineering information, operational military data, or government policy analysis documents rarely if ever appear to be a priority for cybercriminal groups.
This is well executed obfuscation of the intent of the adversary. If it is difficult to determine why certain information was ex-filtrated then it provides less alarm to the victim. This allows further ex-filtration from other entities to compliment the data and turn it into very valuable and actionable information.
To date, the former joint venture between Huawei Shenzhen Technology Company Ltd and Symantec, Inc. is the only major partnering between a Western information security firm and a Chinese high technology company.
This has since been disolved as of 26 March 2012. The New York Times did a quick piece called Symantec Dissolves a Chinese Alliance. So we’re starting to see significant implications of a quiet and cold Cyber War that is well underway both in the private and public sectors.
The PLA is to prepare for “Local wars under informationized conditions.”
PLA leaders included additional responsibilities under the third role that identified not only space and distant ocean areas as domains vital to Chinese national security interests, but also included the electromagnetic spectrum—a change that is likely already driving PLA investment in the development of more sophisticated information warfare capabilities.
The PLA Daily described warfare under informationized conditions as being characterized by opposing sides using complete systems of ground, naval, air, space, and electromagnetic forces.
This essentially reflects the exact move the U.S. Navy made in 2009 when Admiral Roughead formed the U.S. Navy’s Information Dominance Corps. It effectively recognized the Electromagnetic Spectrum as the 5th domain. This has also been echoed via General Michael Hayden (USAF, Ret), former Director of NSA and CIA. So who started this operationalization of Cyberspace?
Information Confrontation Theory: The strategic imperative for the PLA to operate in the electromagnetic domain is driving the formulation of a new approach to information warfare, termed information confrontation (xinxi duikang; 信息对抗), that applies system of systems operations theory to information warfare, viewing it as a macro-system comprised of discrete capabilities linked together under a single command structure and fully integrated into the overall campaign plan.
Information confrontation theories currently being developed and refined within the PLA today seek to address these gaps, particularly the need for more coherent command infrastructure.
With this section I see absolutely no difference compared to the initiatives the USG and its Military is pursuing. Remind you of anything? Maybe the Cold War? The “adversary has developed this so I must” paradigm. Locks everyone in a continuous do-loop until someone finally gives up.
PLA had created a “super-elite unit of cyberwarriors” designed to carry out network exploitation of foreign networks.
There have been continued reports on this network exploitation team formed in China and in other countries which now includes the United States Military. Unlike the United States China has denied existence of this type of unit even though numerous evidence, videos, and other indicators continue to validate it’s existence. But at this point this fact doesn’t matter. Most are operating under the assumption that it does exist and that most countries with the ability will form a similar cadre with cyber expertise.
Much of the remainder of the document stipulates and speculates on what-ifs and could happen items. This can be chalked up to “cyber marketing.” This brings me back to the disclosure piece. The document isn’t that bad but since Northrop Grumman produced it you must rightfully discount it. This then devalues the tax dollars that were spent on it. I have nothing against Northrop Grumman. I simply believe this could have been produced in a much better fashion from one of the dedicated Federally Funded Research and Development Centers (FFRDC), like SEI or MITRE vice a services and production based contractor such as Northrop Grumman.
Lately there has been a lot of news about Zeus Botnets and crackdowns on them. I thought I’d take a moment to tell you why this is important to you and in the larger scheme of things.
Identified in 2007, Zeus is a Trojan Horse type of malware that steals banking information by Man-in-the-browser keystroke logging and Form Grabbing. This captures your information then removes your money. While much of this Cyber Battle has been placed upon the banking industries security shoulders this can be solved mostly at the personal level. This cost is then transferred to you and the organization through various form like fees, interest rates, and cost of services.
The point of entry for Zeus is most likely a targeted download you were looking for (that latest song or vides, etc) or by a phishing email. Stop clicking links that you don’t trust and get them from industry established and reputable entities and 9 times out of 10 you’ll have no issue. The problem is that there is so much incentive to continue to spread this type of item through the internet (piracy, internet traffic generated advertising, identity theft) that it is an enormous scale fight.
You want this fight to succeed and be deterred. For far too long Cyber criminals and Hacktivists have escaped unscathed and without ramification while they inflicted massive damages upon organizations and individuals. This all has occurred while Countries and their Governments worked to identify and create the building blocks for something like the Zeus crackdown. And although Offensive Cyber Crime capabilities still lead the Defensive Cyber Crime capabilities by several years (if Zeus is used as a metric ~5 years of lag) the continued attack on botnet and Cybercrime entities will start to inflict and induce deterrence for future individuals considering starting down this path.
[via The Microsoft Blog]
The video above is Dr. Regina Dugan speaking at the DARPA Cyber Colloquium in January 2012. This is video provides an excellent snapshot of what is ongoing throughout the Internet and what we call “Cyberspace”. It also alludes to the “Death by a thousand cuts” I mentioned in my Information Dominance Corps video.
The news today is that Dr. Dugan is headed out of DARPA and into the arms of Google. This kind of departure is one of my main concerns for the U.S. Government, Department of Defense, and the U.S. Navy. This concern is rooted in the historical departure of excellent people from these institutions due to the institution’s inability to entice them to stay. The military and Navy have battled this issue for centuries and I think the battle in the realms of Information Technology and Cyberspace will be a far more challenging one.
To this point the private sector has traveled through the economic recession and is in full recovery and growth mode in these realms while the government sector is just now facing it with massive budgetary issues. Companies can’t obtain excellent people in these Cyber fields fast enough. Carnegie Mellon University and others can’t create them fast enough. In steps a company like Google, Facebook and others and they gobble up every great candidate. Facebook’s creator visited CMU for just this reason in the last part of 2011.
When a company like Facebook wants a great candidate they are no longer simply offering a salary (which already dwarfs those of the government sector) but are able to provide a substantial and comprehensive package. If the candidate puts up a bit of a fight they simply increase the offer. And if the candidates desires are to follow their company start-up dreams and continue with their own company; Facebook will simply buy the company.
Starting to see my point? The Government and our Military are significantly challenged when trying to recruit, develop, and maintain this cyber force. They are not only facing a foe in Cyberspace but the economic challenges in one of the most rapidly growing and developing industries in a globally connected world. Compound these considerations with the Military budgets and personnel that are shrinking. While more resources are shifting to the Cyberspace arena the priority changes, funding amounts and personnel may not be adequate enough to mitigate the risks that our Nation is facing.
What do you think? How do you keep, maintain, and improve the people required for Cyberspace?