Friday, April 29, 2016

US Steel demonstrates why we need Cyber Letters of Marque

FBI Director Comey Speaking at Georgetown University

At the Georgetown Cyber Policy Conference this week Cyber Letters of Marque and “active defense” came back into the conversation at nearly every panel discussion. The recent penetration of US Steel, which stole its proprietary information for use by Chinese steel companies to compete with it in the global market, is exactly why.

US Signals Intelligence, of which the NSA is the primary agency, is largely aimed, and should be largely aimed, at strategic needs of the US Government. And while economic competitiveness is at some level a strategic need, the particular defense of a US Company is not something the NSA can and should prioritize. The answer to this problem is allowing private companies to offer their services under strict law enforcement and intelligence community oversight to perform the actions needed, including remote intrusion, data exfiltration and analysis, that would allow US Steel and the US Government to build a rock-solid case for criminal liability and sanctions. In that sense, cyber Letters of Marque are more similar to private investigator licensing than privateer licensing.

We will have to hold these private companies to high standards. They must follow the same norms of behavior as the US Intelligence Community when penetrating a foreign company for strategic information. And they must follow evidentiary rules that prevent them from giving their information to their customers. US Steel may be paying for a private cyber investigator to penetrate Chinese Steel companies, but that doesn't mean it gets to see the information that is retrieved unless a Law Enforcement or Intelligence Community team thinks it is stolen information or the result of stolen information.

Less privateer
More Private Eye

Being clear about what the US-licensed teams will not do is important to avoid escalation and reprisal issues or running the risk of being hypocritical. At some level licensed private companies are using the same skillset and scoping as a normal network penetration testing team, with some additional oversight and caveats from the DHS or NSA. But obviously they must observe due care to stay within their licensed scope and not cause damage to targeted companies.

These private investigative teams may not find smoking guns every time. They may only be able to put together the clue that a Chinese steel company used a new manufacturing technique without ever having done research and development towards it first. That information, combined with knowing a Chinese state actor had penetrated US Steel, would be enough for a sanctions case, or it may bolster a criminal case.

And if you are a Chinese Steel company, and you know that integrating any US stolen technology without doing the R&D to produce it yourself may result in sanctions, you will have to be wary of even seeing stolen information yourself. This is a powerful deterrent effect against economic espionage.

This limited, effective, and restrained use of Cyber Letters of Marque would allow industries to fund their own active defense protection and deterrence efforts, avoid escalation issues, and would scale to address a current and pressing national security need.

Thursday, April 28, 2016

Letters of Marque

This presentation is from Thomas Dullien, who is a German strategist of note:

Click the above presentation and give it a quick read when you have a chance. Letters of Marque came up four times at the Georgetown Cyber Policy Conference earlier this week, a high-level conference at which both DIRNSA and the Director of the FBI spoke.

The Oral History of Export Control

Export control regulations are hugely important, and because of that, I, along with many others in the software security industry, have been sitting in on the ISTAC committee meetings at the Commerce Department for the last year. (Disclosure: I have applied to be on the committee and the White House is reviewing my application.)

These are meetings held by subject matter experts to advise the Commerce Department on how to improve, implement, or remove regulations that control anything from satellite systems to encryption.

I want to take a few minutes to tell you some things about the process that would shock you if you come from an engineering, software development, or even legal background.

No Change Control Management or History

When you write export control regulations you have only an oral history. Nobody in the meetings knows why a particular regulation exists, why it is worded in any particular way, what changes have gotten it to that point, what other pieces of law it affects, who worked on it, or anything else that would normally be on GitHub for an equivalent project in the real world.

Some of the things export control regulations are supposed to do are secret (and come from the DoD/IC), but a lot are not, and having a documented trail of what has happened would allow for much better regulation writing.

No Testing

In the software industry we like to write something called "Unit Tests" for any major codebase. Export control is a kind of giant complicated codebase that lawyers execute to determine criminal liability over technical issues. But in every meeting people are always left guessing at the "intended capture" and "unintended capture" for any particular regulation. This is easy to fix with a simple wiki that links to a set of things you can run through as a checklist. I have done one for unintended captures for the Wassenaar "Intrusion Software" regulations. But it is telling that for most new regulations I've seen there is no specified INTENDED EFFECT. If you had software written like that you would run for the hills.

Basically, right now, we test our export control code in production.

The Future

If I get approved for the ISTAC I will endeavor to examine whether it's possible to fix some of these issues, which I see as areas of basic government efficiency and transparency. It's really amazing how accessible the process is if you bother to show up for the meetings and get involved.

Monday, April 25, 2016

Bandwidth and the Cyber Weapon of Availability

A key difference between the Immunity mindset on "Cyber Weapons" and the public one is that we see the ability to offer information that cannot be removed from the public Internet as an important, and perhaps the most important, type of cyber weapon. If you don't think an AC-130 hurling USB keys full of videos and software into a city is a cyber weapon, then you won't agree with our paradigm and you'll have to live with being wrong. :)

Emin Gun Sirer has written two blog posts that should be must-reads for the policy set or anyone in the security business, and this is one of them:

TL;DR summary: "All the databases are going to be available to everyone." Cyber intelligence has long depended on the gap between what people knew was publicly available and what they could actually access. You know how powerful even a PHONE BOOK DATABASE is when it's not publicly known to be accessible? Try running an alias for an intel officer who didn't actually have an apartment in Istanbul when she said she did, and I can check in 20 seconds with my stolen DB. This is true for the OPM database, all the airline databases, and of course the hospital databases. The same techniques that Twitter uses to figure out what brand of soap to sell you can detect a fake persona without breaking a digital sweat.

Following from these self-evident facts, eventually every service that uses aliases is going to transition to just having to timeslice from normal people with normal jobs, which is going to require that they haven't alienated the entire technical community they rely on for access and influence. (In case you wanted a link to the Comey-missteps-of-the-day.)

The obvious trendline is that the amount of data that makes a company run is roughly a constant. Mail spools just don't get big that fast, and the important information in them grows even slower. Remember when downloading a movie was a big deal? Now you download four onto your Kindle between waking up and heading to the airport.

In other words: the increase in available bandwidth has completely shifted the equation and made "Offer" cyber weapons more important than they ever otherwise could have been. You only need a tiny dwell time on the main mail server of a company to end that company forever, and that dwell time is now smaller than the target's "Indicators of Compromise" analysis speed. Or as Microsoft's researcher Sasha would say: "You win automatically when your exfil time is less than log aggregation and analysis periods."

On a completely unrelated note, I'm headed to DC today to attend a conference at Georgetown on Cyber Policy. I think part of what annoys everyone in the cyber policy world about the State Dept. fucking up Wassenaar so badly is that it has absorbed all the bandwidth available for analysis on an important subject for two whole years. The only silver lining is that by aligning the opposition to their bone-headedness on the subject we may have congealed a multi-cell predator out of the primordial soup. :)

Wednesday, April 13, 2016

Naming/Shaming Iran Was a Huge Mistake

By Dave Aitel, CEO of Immunity Inc.

The Department of Justice made a big mistake. By naming the seven Iranian hackers it claims were responsible for penetrating a New York dam in 2013 and disrupting US banking websites, it has exposed major inconsistencies in US policy which could have far reaching impacts on US cyber policy and future operations.

First of all, it’s worth pointing out that the US government admonished a foreign government for doing something which it itself is famous for: probing critical infrastructure systems. After all, the Stuxnet project, which targeted Iran’s nuclear facilities in 2010 (and is widely believed to have been a joint US/Israeli operation), is likely what propelled Iran into offensive cyber operations in the first place.

Some will see the DOJ’s announcement as a consistent follow-through in US government policy. After all, we named both China and North Korea in previous attacks and we levied sanctions on private Chinese companies as well. Why shouldn’t Iran get the same treatment?

Here are the problems, as I and others in the security community see them:

What are the ‘red lines’ the US government is trying to draw here?

The US was well within its rights last year when it finally confronted China over its aggressive economic cyber-espionage against American companies and industries. Intellectual property theft is not a legitimate activity of nation-states. The threat of targeted sanctions on Chinese citizens and private Chinese companies for data theft was justified and long overdue and changed Chinese policy at the top level.

But the situation with Iran is different. Just as the foreign intelligence service behind the Office of Personnel Management (OPM) breach was operating within customary espionage norms, so too are the Iranians operating within these boundaries when probing US systems without producing a “kinetic” effect (such as triggering a physical malfunction, damage or outage). And while there are no set norms when it comes to distributed denial-of-service (DDoS) attacks, as the Iranians used against the US financial sector in 2012 and 2013, this mode of attack cannot legitimately be claimed as posing a serious threat to our critical infrastructure. DDoS is inconvenient, but it’s hardly damaging. The Iranians’ use of DDoS likely had more to do with sending a message to Washington about its use of economic sanctions than anything else.

Why was this a DOJ decision? Why wasn’t the State Department involved?

Normally, when we want to change a nation-state’s behavior, we use customary nation-state to nation-state channels. We don’t sue individuals who are working for that country.

Foreign diplomacy is the State Department’s job, not the job of the FBI or a local police department. Something is very wrong with how the US government is coordinating on this issue. The US could, at any time, and probably did, reach out to the Iranian government and ask them to stop the DDoS attacks against the banks allegedly conducted by these seven individuals. But if they were conducting Iranian state operations, then holding them personally responsible is a huge change in policy. If they were not, then why mention the Iranian Revolutionary Guard Corps (IRGC) in the indictment at all?

From an operational security perspective, this announcement was extremely harmful, now and in the future.

By releasing this indictment, the government accomplished two things, both of which are bad from an intelligence standpoint.

First, it showed the world what the US government knows about the Iranian effort.

That means we’ve potentially exposed the sources and methods the government used to make this determination. It’s generally not a good idea to blow operational security unless you’re truly getting something better in return. In fact, it’s standard practice for the US government to undergo an “equities process” to evaluate these types of risks before proceeding with a public disclosure. But what did the US government actually get out of this announcement? Does anyone seriously think those Iranians will face jail time here in the States? We still have Americans in Iranian cells; do we want them kept there as trading cards for later?

Secondly, this announcement revealed what the US does not know about other, similar efforts like last year’s DDoS attack on GitHub. After all, if the US is willing to indict the Iranians for DDoSing the banking system, why didn’t it indict the Chinese team behind the GitHub attack? Is it because we don’t know who was behind that attack? Or are the rules different for the Chinese and the Iranians?

By saying we’re going to indict foreign citizens when we know who is behind a specific cyber attack, we are demonstrating to the world the precise boundaries of our knowledge. This is not a wise plan.

This announcement puts US cyber operatives in the cross-hairs.

The DOJ just put a target on the backs of all US intelligence community employees and contractors who are involved in offensive cyber operations around the world.

These indictments create a sort of international precedent that other countries could one day use to justify actions against private citizens in the US and its allies. By blurring the established cyber norms, the US Department of Justice is creating a complex and messy situation for itself and others in future cyber operations. Could Russia use a similar action against British or German cyber teams? Do we want Hezbollah interdicting American computer scientists when they travel in the region?

What the Department of Justice has done is dangerous and contravenes all standing nation-state policy on the issue, all for a few headlines and feel-good photo-ops. I, along with many others in the information security field, hope they can find a way to reconsider.

Monday, April 11, 2016

"Learning to Win"

Nate Fick's 2016 INFILTRATE Keynote on "Learning to Win" in Cyber is here:

It's funny, but it's also full of a lot of outside-the-box thinking that you may enjoy, especially if you're in the policy world.