MIRCON and network counteroffensives

13 October 2010

I popped in for a couple of stretches at Mandiant’s MIRcon incident response conference today and yesterday and was struck by a panel discussion on Tuesday about defenders going on offense. The gist was half a) it’s of dubious legality and wisdom and half b) you’ve got be an expert to do it properly. Now politics and economics being what they are, a) will ultimately be irrelevant without a prohibition and b) will govern the dynamics.

I recalled Mandiant’s model: they have a bunch of people constantly working on highly technical stuff in a field that changes rapidly—this level of expertise requires economies of scale. The same is true for black hat hackers: economy of scale drives the less skilled to leverage off-the-shelf capabilities, and it drives the more highly skilled to collaborate on the most demanding projects.

Because defense costs more than offense, “offensors” could benefit from the same economies of scale. I can imagine a future in which people not only pay for but subscribe to offense as a service, where a group of (nominally) white hatters have their own organizations that do nothing but attack designated black hatters, thereby raising the costs of doing malicious business. The economics might work for the white hatters in much the same way it does for insurance companies, and the product would not be entirely dissimilar. If this sort of activity were tolerated by authorities it might often be preferred by many hackers over black hatting, even if the latter gave bigger paychecks. This could further affect the economics in a good way.

If it will make sense for corporations to go on network counteroffensives themselves, it will make more sense for them to outsource that role if they possibly can. And they might end up being able to.

Random bits

23 April 2010

“in [Richard Clarke's] Cyberwar, like in real war, truth is the first casualty”

Cyberdeterrence through tattlling? This is ridiculous. Not bloody likely that will work against serious hackers. And not bloody likely that it would be done in cases where potentially state-sponsored hackers were caught.

Cybersecurity and National Policy

The Clinton doctrine

25 January 2010

After the fallout from Aurora, US Secretary of State Hillary Clinton gave a major speech last Thursday at the Newseum in DC. Highlights below:

The spread of information networks is forming a new nervous system for our planet…in many respects, information has never been so free…[but] modern information networks and the technologies they support can be harnessed for good or for ill…

There are many other networks in the world. Some aid in the movement of people or resources, and some facilitate exchanges between individuals with the same work or interests. But the internet is a network that magnifies the power and potential of all others. And that’s why we believe it’s critical that its users are assured certain basic freedoms. Freedom of expression is first among them…

…a new information curtain is descending across much of the world…

Governments and citizens must have confidence that the networks at the core of their national security and economic prosperity are safe and resilient…Disruptions in these systems demand a coordinated response by all governments, the private sector, and the international community. We need more tools to help law enforcement agencies cooperate across jurisdictions when criminal hackers and organized crime syndicates attack networks for financial gain…

States, terrorists, and those who would act as their proxies must know that the United States will protect our networks. Those who disrupt the free flow of information in our society or any other pose a threat to our economy, our government, and our civil society. Countries or individuals that engage in cyber attacks should face consequences and international condemnation. In an internet-connected world, an attack on one nation’s networks can be an attack on all [ed. see article 5 of the North Atlantic Treaty]. And by reinforcing that message, we can create norms of behavior among states and encourage respect for the global networked commons.

China denies everything and is trying to change the subject.

The tone of this speech was remarkable. While it is natural to expect that most nations conduct offensive computer network operations against foreign governments and organizations, getting publicly called on it is rare. Most observers have no doubt that the PRC has been infiltrating and attacking US government and commercial networks for strategic ends, and the NSA would not be doing its job if it were not doing the same thing abroad. So even if everything isn’t Marquis of Queensberry you wouldn’t expect to see folks complain too loudly.

But human rights and censorship is another story. There is a simple reason why Cold War rhetoric was recycled in this speech. Regardless of whether Google capitulates or leaves China (any other outcome is unlikely), by going public instead of leaking to the press they have put the PRC on the defensive. As I remarked earlier, Google surely must have known it had the (at least implicit) backing of the US before it (effectively) named names. The administration must have seen this as a golden opportunity to seize the moral high ground. When force of arms cannot be decisive, the justness of a cause still might be.

China and Google

14 January 2010

Time for the (n+1)th dissection of Google’s recent announcement concerning cyberattacks and censorship. (You’ve got to love recursion!)

As Galrahn points out, discounting Google’s market share relative to Baidu isn’t really sensible. They’ve got a lot of market share there, especially for non-search services without strong competitors—but many of these services (YouTube, Picasa, and often Blogger) have been blocked by the Chinese government. That speaks to two things in China: an opportunity for user base consolidation and to a governmental approach to information that is inimical to Google’s business model. More to the point:

For what amounts to only 2% of revenue, Google is threatening to disrupt the internet behavior of at minimum 118 million internet savvy Chinese and believes that fact alone has value in negotiations.

Source: http://www.flickr.com/photos/dong/4271035989/ / CC BY 2.0

Is this really a funeral, or will a hundred flowers blossom?

That is, Google is using a casus belli to force an issue that predates their entry into the Chinese market. It doesn’t cost them much to do so. They’ve already got the explicit backing of some other heavyweight Western companies (e.g., Yahoo) and network effects may induce many others to climb on board the bandwagon. They surely have the implicit backing of the US government in pushing back against China (and am I the only one who is thinking about the possibility of honeypots here? No way).

The bottom line is that this is not about a moral stand. By taking things public, Google is creating a negotiating opportunity for what it’s wanted all along from China. The real issue here is not who is “right” or “wrong” but who is going to win. For Google to thrive in China, the Chinese Communist Party’s control over information has to be weakened. For the CCP to thrive in China, it has to retain a monopoly on political power, and this requires controlling the flow of information. Moreover, and as I’ve mentioned before, there is a clear path from China’s cyber strategy to the foundations of its politics. So Google will probably not win much if anything in this skirmish.

The larger point is much more interesting, though. After a decade of undeclared cyber war with Chinese characteristics, this is the first overt public response. China has less to lose from cyberwarfare than the West does. But as it finds what it’s looking for with rampant cyberespionage, China may also find that it is hurting itself.

Common ecology quantifies human insurgency

21 December 2009

Researchers in Colombia, Miami, and the UK have published an article in this week’s Nature that claims to identify what amounts to universal power-law behavior (though they don’t call it that, and there are slightly different exponents for different insurgencies, but the putative universal exponent is apparently 5/2) in insurgencies. The researchers analyzed over 54000 violent events across nine insurgencies, including Iraq and Afghanistan. They find that the power-law behavior of casualties (see also here for the distribution of exponents over insurgencies) is explained by “ongoing group dynamics within the insurgent population” and that the timing of events is governed by “group decision-making about when to attack based on competition for media attention”.

Their model is not predictive in any practical sense: few things with power laws are. What it provides is a quantitative framework for understanding insurgency in general, and perhaps more importantly a path towards classifying insurgencies based on a set of quantitative characteristics. One of the nice things about universality (if this is really what is going on) is that it allows you to ignore dynamical details in a defensible way, so long as you understand the basic mechanisms at play. This insight actually derives from the renormalization group (the same one that informs Equilibrium’s architecture) and provides a way to categorize systems. So if there really is universal behavior, then the fact that the model these researchers use is just a cariacture wouldn’t matter as much as it otherwise would, and it would allow for reasonably serious quantitative analysis.

The first question about this work ought to be if similar results can be obtained with different model assumptions. The second ought to be attempting to run the same analysis on “successful” wars of national liberation to see if there are indeed distinguishing characteristics. If there are, this framework could be a valuable input to policy and strategy. When pundits talk about Iraq or Afghanistan being another Vietnam, the distinction between terrorist insurgency and guerrilla warfare is blurred. But hard data may provide clarity in the future.

The chimera of cyberdeterrence

8 December 2009

One thing I’ve heard a lot of people talk about recently is the need to develop good theories of cyberdeterrence. It’s making the think tank rounds and what not. But the basic assumptions that cyberdeterrence is needed, or doesn’t exist, etc. aren’t obvious to me.

Let’s take the PRC as a case in point. Based on a lot of pretty strong and publicly discussed circumstantial evidence, it seems reasonable to assume that the PRC is constantly attacking US computer networks, conducting industrial and governmental espionage and laying the groundwork for damaging cyberattacks in the event of hostilities. Lots of people are spending a lot of time, effort, and money to try to mitigate the attacks that are already occurring, and especially the ones that have not yet occurred. And all of these people, myself included, are convinced that we are and will continue to be behind the curve. Since it seems like so many people like to arrogate the terminology of Cold War standoff, I will follow suit and say that the best we can (or should try to) do is “containment”. [1]

This is a fundamental issue in security—not just information security. Professionals mitigate risk and concern themselves with threats, not vulnerabilities. Attacks will inevitably happen. Some will be more successful than others. The point is to work to avoid the most serious, probable, and predictable ones, while trying to detect all attacks and mitigate their effects—that is, to contain attacks. Addressing threats dictates the nature of security approaches, deployments and technologies. And while it is fundamentally defensive in nature, it acts as a deterrent in its own right. Fewer businesses are physically robbed because there are video cameras and silent alarms when it makes sense to have them, and everybody knows it. Fewer individuals attempt serious attacks on DoD because they know people are watching, and getting caught means they’ll (get extradited and) go to prison. And so on.

Containment in the sort of sense indicated above (or in the original sense intended by Kennan and [mis]appropriated by the wider defense intellectual community) is a form of deterrence. It also relies on more overt, less subtle forms of deterrence (read: the threat of overwhelming force, or containment à la Nitze) in order to be effective. But we have that anyway in our military.

As I’ve suggested elsewhere, the PRC may very well be using cyberattacks to deter conventional attacks:

the PRC is already deterring the US by its apparent low-level attacks. These attacks demonstrate a capability of someone in no uncertain terms and in fact may be a cornerstone of the PLA’s overall deterrence strategy. In short, if the PLA convinces US leadership that it can (at least) throw a monkey wrench in US deployments, suddenly the PRC has more leverage over Taiwan, where the PLA would need to mount a quick amphibious operation. And because it’s possible to view the Chinese Communist Party’s claim to legitimacy as deriving first of all from its vow to reunite China (i.e., retake the “renegade province” of Taiwan) one day, there is a clear path from the PLA cyber strategy to the foundations of Chinese politics…The PLA has concluded that cyber attacks focusing on C2 and logistics would buy it time, and presumably enough time (in its calculations) to achieve its strategic aims during a conflict. This strategy requires laying a foundation, and thus the PRC is presumably penetrating networks: not just for government and industrial espionage, but also to make its central war plan credible.

The US, on the other hand, can clearly deter serious cyberattacks through its conventional military, not least because serious cyberattacks will be paired with kinetic attacks, and attribution won’t be a problem. I’ve talked about this elsewhere and won’t belabor it here.

But the idea that we should more actively deter cyberattacks using cyber methods is out there. It is based on unrealistic technological assumptions, but more importantly it’s fundamentally wrong. It doesn’t make sense from the point of view of political or military objectives. The US wouldn’t gain anything from a cyberdeterrent: it treats cyber as a strategic capability, and wouldn’t use it just to deter the sorts of cyberattacks that it faces now. And the PRC wouldn’t use any more of its presumptive cyber capability than the bare minimum required for the PLA’s purposes—and note that the likely PLA strategy would also require a powerful reserve (but not in the sense of “second-strike”) capability.

If cyberdeterrence is supposed to mean deterring cyberattacks using cyber methods, we’re better off without it. If cyberdeterrence means just about anything else, we’ve either already got it or have already decided against it.

[1] Containment, as originally intended by Kennan, was not a strategy of constant military opposition. Kennan did not believe that the USSR was a grave military threat to the US (or to Western Europe), and went to some lengths to clarify this point in his later years, but he very much believed that the USSR was an entity that needed to be opposed. Its influence needed to be contained so that it could not gain ground in Europe through political and economic means: these were the Soviets’ preferred avenues for expansion.

Although the USSR possessed a tremendously powerful military machine at the end of World War II, the US held a clear strategic advantage at the time of the long telegram, and until the Soviets had more than a handful of atomic bombs, they did not have the minimum means of reprisal to counter a US attack. It was only decades later that the USSR presented any direct military threat to the United States homeland. It’s important to remember that not only was NATO always intended to demonstrate American commitment to Europe through placing troops as hostages to a Soviet strike, but that the demonstration was as much (if not more) for the benefit of the Europeans as for the Soviets.

In short, the strategy of containment was not originally intended as a justification for a colossal military counterweight to the USSR, but as justification for a clear commitment to providing a viable political and economic alternative—backed up by force, but not based on the threat of its use. Instead the threat became the message.

Happy Thanksgiving

26 November 2009

I'm thankful for seeing truth presented with beauty.

This is a picture to help understand an Anosov flow obtained from the cat map. It’s part of research on a technique we’ve used to analyze network traffic.

Capability of the PRC to conduct cyber warfare and computer network exploitation

23 November 2009

I just finished reading a recent report [pdf] with this title produced for the US-China Economic and Security Review Commission. Though there’s a lot of filler material, it’s pretty good. I’ll spare you the trouble of reading all 88 pages and start with what I thought were the most salient themes covered in the executive summary:

  • Some evidence exists suggesting limited collaboration between individual elite hackers and the Chinese government; however
  • The constant barrage of network penetrations from China (comprising most of what Mandiant calls “the advanced persistent threat“) “is difficult at best without some type of state-sponsorship”.
  • The modus operandi of the penetrations “suggests the existence of a collection management infrastructure”; and
  • PLA CNE aims during a military conflict would be “to delay US deployments and impact combat effectiveness of troops already in theater”.

The PLA’s “Integrated Network Electronic Warfare” doctrine is based on attacking a few carefully selected network nodes controlling C2 and logistics. The INEW doctrine was apparently validated in a 2004 OPFOR exercise when the red force (NB. the Chinese use red to denote themselves) C2 network got pwned within minutes, and it is likely that PRC leadership would authorize preemptive cyberattacks if they think it wouldn’t cross any “red lines”. This preemptive strategy is apparently favored by some in the PLA who view cyber as a “strategic deterrent comparable to nuclear weapons but posessing greater precision, leaving far fewer casualties, and possessing longer range than any weapon in the PLA arsenal“. [emphasis original]

One aspect of this thinking that I think is underappreciated is that the PRC is already deterring the US by its apparent low-level attacks. These attacks demonstrate a capability of someone in no uncertain terms and in fact may be a cornerstone of the PLA’s overall deterrence strategy. In short, if the PLA convinces US leadership that it can (at least) throw a monkey wrench in US deployments, suddenly the PRC has more leverage over Taiwan, where the PLA would need to mount a quick amphibious operation. And because it’s possible to view the Chinese Communist Party’s claim to legitimacy as deriving first of all from its vow to reunite China (i.e., retake the “renegade province” of Taiwan) one day, there is a clear path from the PLA cyber strategy to the foundations of Chinese politics.

The paper goes on to note that “much of China’s contemporary military history reflects a willingness to use force in situations where the PRC was clearly the weaker entity” and suggests that such uses of force were based on forestalling the consequences of an even greater disadvantage in the future. This putative mindset also bears on cyber, particularly through the Taiwan lens. The PLA has concluded that cyber attacks focusing on C2 and logistics would buy it time, and presumably enough time (in its calculations) to achieve its strategic aims during a conflict. This strategy requires laying a foundation, and thus the PRC is presumably penetrating networks: not just for government and industrial espionage, but also to make its central war plan credible.

In practice a lot of the exploitation would consist of throttling encrypted communications and corrupting unencrypted comms, and it is likely that the PLA is deliberately probing the boundaries of what can and cannot be detected by the US. But this generally shouldn’t be conflated with hacktivism or any civilian attacks originating from China, as there’s little reason to believe that the PLA needs or wants anything to do with this sort of thing. While it’s possible that there is some benefit to creating a noisy threat environment, executing precise cyberattacks in the INEW doctrine requires exploitation that can be undermined by hacktivism or civilian (especially amateur) attacks.

The end of the meaty part of the report talks about what’s being done and what should be done. It talks about the ineffectiveness of signature-based IDS/IPS and the promise of network behavior analysis, but also its higher overhead and false alarm rates. This is precisely the sort of thing our software is aimed at mitigating, by combining dynamical network traffic profiles and interactively configurable automated alerts with a framework for low-overhead monitoring and fast drill-down.

Random bits

5 November 2009
  • 3He shortage impacting experiments requiring dilution refrigerators…more than a few quantum computing groups use this technology to get to millikelvin temperatures and I remember seeing such a fridge at LPS nearly a decade ago. If it ever became a problem for QC research I imagine NSA and the gang would talk to DoE to get the stuff pipelined to favored (US?) groups, and indeed the government is prioritizing the stuff already, with a lot going towards neutron counters to detect radioactive materials under the DHS umbrella. Good alternatives apparently do not exist for QC work: note that magnetic refrigeration is fundamentally contraindicated for a lot of QC experiments because of, e.g. the big magnetic fields and stuff like the Zeeman effect, even apart from the issue of what temperatures you can reach. And while I have no idea about the capabilities or applicability of dry dilution fridges, in the Physics Today article you can reach via the first link, Bob Richardson is quoted as saying 3He “is irreplaceable. If you want to create temperatures on the order of magnitude of 10 mK, there is no substitute.” (As a more general disclaimer: being on the abstract side even for a theorist when I wear a physics hat means that I don’t claim to say anything correct about experimental physics, but informed comments are always welcome.)

The “Korean” Cyber Attacks and Their Implications for Cyber Conflict

27 October 2009

CSIS has published an eponymous paper (PDF) by James Lewis that came to my attention via Threatpost. It is surprisingly good and pleasantly brief, if a bit muddled in places. Early on, Lewis points out the characteristic uncertainties (attribution, scope, and effect) associated with cyber attacks, and mentions the familiar fact that the calculi of deterrence, proportionality, etc have not been properly formulated for cyber. And like most people that have taken a serious look, he thinks that

Cyber conflict will be part of warfare in the future and advanced militaries now have the capability to launch cyber attacks not only against data and networks, but also against the critical infrastructure that depend on these networks.

Sounds about right to me. But Lewis fumbles the ball a bit later:

The alternative to the conclusion that terrorist groups currently lack the capabilities to launch a cyber attack is that they have these capabilities but have chosen not to use them.  This alternative is nonsensical.

This is only partially true. There is a very simple reason why terrorists wouldn’t launch cyber attacks. They may not have the capabilities, but on the other hand, they could probably get them. But they can already get more bang for their buck with bombs. Terrorists want to cause terror. Cyber attacks can’t do that unless they’re very large and sophisticated. And the resources such an attack would require don’t provide the same ROI as something like dispersed and coordinated bombs would.

To some extent this argument applies to states as well: a tactical physical attack isn’t worth using a strategic cyber attack to complement it. Conversely, because the cyber capability is strategic and only worth exercising in concert with physical attacks, the physical attack should have a strategic aim. (The purported cyber aspect of Israel’s strike against a purported Syrian nuclear facility would fit this bill nicely.) At the same time, attribution will be easy to get for the physical attack, which removes a lot of the attractive features that non-attribution nominally confers upon cyber attacks. That means that there is already a pretty clear threshold below which a nation-state will not launch a serious cyber attack.

Lewis actually articulates the more commonly acknowledged elements of this argument, though like most analysts he seems to have missed the fact that attribution will be easiest precisely when it matters most:

Serious cyber attack independent of some larger conflict is unlikely…The political threshold for serious cyber attack (as opposed to espionage) by a nation-state is very high, likely as high as the threshold for conventional military action. At a minimum, this suggests that a serious cyber attack is a precursor, a warning, that some more serious conflict is about to begin.

Absent such larger conflict, however, a nation-state is no more likely to launch a serious cyber attack than they are to shoot a random missile at an opponent. The risk is too great and the benefits of a cyber attack by itself too small for political leaders to authorize the use of this capability in anything short of a situation where they had already decided on military action.  Cyber weapons are not decisive; cyber attack by itself will not win a conflict, particularly against a large and powerful opponent. It is striking that to date; no cyber “attack” that rises above the level of espionage or crime has been launched outside of a military conflict.

[emphases added]

The last real nugget relates to cyberterrorism:

[Host state tolerance] provides a degree of constraint on support for cyber terrorism…The political environment in which the most advanced cybercriminals exist militates against them becoming mercenaries for many terrorist groups without the consent of their host….Even if we accept this political constraint on mercenary support for cyber terror, other trends suggests [sic] that terrorist use of advanced cyber weapons (if current trends remain unchanged) is inevitable…in less than a decade, perhaps much less, a terrorist group could enter the cybercrime black market and acquire the capabilities needed for a serious cyber attack.

This actually may be true. At present, and as I’ve mentioned here, there is basically no such thing as cyberterrorism. But that doesn’t mean that there won’t be in the future. I’d keep my eyes on outfits like the Russian Business Network. If terrorists or organized cybercriminals can achieve their aims more effectively with cyber, they’ll use it. It’s up to folks like us to keep the barriers to entry high.


Get every new post delivered to your Inbox.