Among the most coveted pieces of information in the malware business are so-called zero-day vulnerabilities, weaknesses or flaws in computer software for which there is effectively no defense from exploitation. The market for zero-days has been booming as security companies and researchers sell vulnerabilities they've discovered to government organizations. The US military and intelligence community are believed to be some of the biggest buyers, and they'd prefer that other countries, particularly hostile ones, not acquire these building blocks of cyber weapons.
But how does a company know that it's not unwittingly selling that information to Iran or North Korea, or to a Chinese spy? Or a terrorist? The Commerce Department has some tips for determining whether the buyer is on the up-and-up (at least as far as US interests are concerned) that may be useful.
Is the buyer "reluctant to offer information about the end-use of a product"? Does he decline routine services like installation and on-site maintenance that come with the product? Is the customer "willing to pay cash for a very expensive item when the terms of the sale call for financing"? According to the "Know Your Customer" program, which is part of the US export control regime, these are "red flags" that should alert a seller to investigate whom he's actually doing business with.
The guidelines don't apply specifically to information security or any single product or service. They're meant to prevent sellers from allowing sophisticated or dangerous technology to fall into the hands of adversaries or hostile groups. Zero-days could easily fit on that list.
One company that sells zero-day exploits to governments, VUPEN, says it won't do business with anyone that doesn't fully comply with the Know Your Customer guidelines. The company is based in France, but has adopted the US guidelines as a standard practice. American security firms, including anti-virus software manufacturers, are also covered by export controls on their products.
The guidelines advise sellers to proceed with caution if "the product's capabilities do not fit the buyer's line of business; for example, a small bakery places an order for several sophisticated lasers." Is the final destination for the product "a freight forwarding firm"? Red flag. Is the customer "unfamiliar with the product's performance characteristics but still wants the product"? (Think learning how to fly a jet aircraft without wanting to know how to land it.) Red flag.
Here is the full list of 12 warning signs:
Possible indicators that an unlawful diversion might be planned by your customer include the following:
1. The customer or purchasing agent is reluctant to offer information about the end-use of a product.
2. The product's capabilities do not fit the buyer's line of business; for example, a small bakery places an order for several sophisticated lasers.
3. The product ordered is incompatible with the technical level of the country to which the product is being shipped. For example, semiconductor manufacturing equipment would be of little use in a country without an electronics industry.
4. The customer has little or no business background.
5. The customer is willing to pay cash for a very expensive item when the terms of the sale call for financing.
6. The customer is unfamiliar with the product's performance characteristics but still wants the product.
7. Routine installation, training or maintenance services are declined by the customer.
8. Delivery dates are vague, or deliveries are planned for out-of-the-way destinations.
9. A freight forwarding firm is listed as the product's final destination.
10. The shipping route is abnormal for the product and destination.
11. Packaging is inconsistent with the stated method of shipment or destination.
12. When questioned, the buyer is evasive or unclear about whether the purchased product is for domestic use, export or reexport.
In a rare public appearance, a senior intelligence official who has worked on the front lines of securing Defense Department computer networks said it would be "almost immoral" for the DOD to focus on protecting itself and not apply that expertise to the commercial sector.
Speaking at a conference in Washington on Tuesday, Charles Berlin, the Director of the National Security Operations Center at the National Security Agency, said, "The mission of the Department of Defense" is not merely to protect the department. "It's to protect America."
"I've been on the ramparts pouring boiling oil on the attackers for years," Berlin said, referring to NSA's efforts to repel intrusions into DOD and military networks, which have been broadly successful. But he sounded frustrated that there weren't more ways for his agency to protect the country as a whole. "At the present time, we're unable to defend America," Berlin said.
The operations center that Berlin runs is the heart of the NSA's efforts to provide early warning about threats, including to information networks. Berlin said the NSA was looking for ways to take the skills it has developed in the government and "apply [them] to the private sector."
But many executives, as well as lawmakers and privacy advocates, are uneasy about the NSA, which is a military organization that spies on foreign countries and terrorists, taking on a larger role protecting private networks inside the United States.
Currently, the Homeland Security Department, a civilian agency, has the legal authority to provide companies with warnings about cyber attacks. But much of that intelligence comes from the NSA. The agency does not work directly with all American companies. And yet, it is undoubtedly the reservoir of expertise in government for how to defend networks from potentially devastating assaults. Of particular concern to the Obama administration are threats against critical infrastructure, such as public utilities and the financial sector networks, as well as industrial espionage by hackers in China.
"There needs to be a team effort" to protect private networks, Berlin said. He noted that the NSA had been invited to examine the networks of some companies and "found some appalling things" in how they were being run. For example, Berlin said he knew of US defense contractors doing business in China and Korea that had not taken relatively easy and practical steps to raise the defenses of their networks and protect proprietary information. That's troubling to the NSA since defense contractors have secret government information on their networks, which makes them a frequent target of cyber spies.
Berlin spoke at a conference sponsored by SAS, a business analytics software and services company.
If you want an idea of what "cyber warfare" means to the US Navy, check out this short video about the Tenth Fleet, home to the Navy's cyber warriors.
It's a bit melodramatic--though not so bad on production values. But it tells you how the Navy sees its role in the "fifth domain" of combat: protecting networks, stopping attacks, and, when necessary, pairing cyber offense with "kinetic" military force.
"Cyberspace is where the battles of the future will be won or lost," says the film's narrator. It's a hotly debated point, of course. But if you want a window into why the Navy--or at least the Tenth Fleet--believes this is true, have a look.
The United Kingdom is embarking on a national program to train the next generation of cyber warriors to protect the country's infrastructure.
From the Guardian:
"The UK is now so short of experts in cybersecurity, they could soon command footballers' salaries... Ministers support plans for a national competition for schools in the hope of encouraging teenagers, especially girls, to become so-called "cyber Jedi"--defending firms, banks and government departments from an ever increasing number of online attacks."
Two thousand schools will participate in a pilot project beginning in September, as part of Cyber Security Challenge UK, the Guardian reports. Then, the program would roll out across England and Wales.
Stephanie Daman, the group's director, tells the newspaper, "Kids need to know there is a real career in this, because they have no concept at the moment. And we need to spark their interest. It's a profession like law or accountancy, with well-paid salaries.
"A lot of companies are desperate to hire people for the roles in cybersecurity, but they have not been able to find the number of qualified recruits. There is a huge gap in terms of the number of properly qualified people in this area, and we need to tap into talent we know is out there."
In a sign of how seriously the government takes that shortfall, Michael Gove, the UK education secretary, recently "ripped up" school IT curriculum "in part because it does not have a cybersecurity element," according to the Guardian.
There's a similar and growing effort on this side of the pond to train the next generation of "cyber ninjas," as some involved in the effort like to call them. High schools have teamed up with technology advocacy groups to recruit more young students into college computer science programs, with an eye towards working in the cyber security industry. Rhode Island congressman Jim Langevin, for instance, has organized high-school hacker competitions in his state.
In December, the SANS Institute, which trains military and intelligence personnel in the cyber arts, sponsored an international cyber competition at the Washington Hilton. A group of high schoolers were selected to compete against the world's best hackers in the early rounds.
The National Security Agency also sponsors a nation-wide contest in which teams from the military service academies face off against some of the NSA's best cyber warriors. Cadets at the Air Force Academy, which now has a separate educational track for cyber warfare, recently took first place.
As in the UK, there aren't enough people in the workforce right now with the high level of skill that the US government demands, hence many of these efforts to go down to the roots of the education system. But you're going to see this demand coming more from the private sector, as financial services companies, utilities, media organizations and others increasingly find themselves the targets of malicious hackers and are virtually powerless to do anything about it. They're not going to wait around for the government to protect them. They'll hire their own cyber armies to do that job.
The executive chairman of Google says the most significant threats in cyberspace won't come from individuals, because the kinds of attacks that a national government worries about are too expensive to be pulled off by one person.
"Governments are going to continue to do what they've always done which is spy, worry about other countries. That's not going to go away," Eric Schmidt said in an interview with Rita Braver, which will air on CBS' "Sunday Morning" this weekend.
"Individuals are unlikely to be able to put together the kinds of threats that we worry about. It's going to take a lot of money and a lot of very specialized knowledge. Because the Internet is, in fact, pretty safe."
The image of a lone hacker sitting in a basement somewhere taking down a power grid has been the kind of nightmare scenario that government officials and corporate executives have used over the years to focus attention on cyber security. But increasingly, experts are saying that to pull off such a devastating assault on critical infrastructure is going to take considerable manpower, organization, and money.
I had a conversation a few weeks ago with a cyber security researcher at a Washington think tank, who said it wasn't smart for governments to worry about single actors; they should be focusing their counter-cyber war efforts on other governments and organized criminal rings. Look at Stuxnet, he said. The most sophisticated known cyber attack to date is generally believed to have been launched by the US and Israeli governments. The project likely took many months of work and relied on an extraordinarily high level of technical expertise.
For someone of Schmidt's stature and national prominence to implicitly rebut the lone-hacker threat as the thing governments should really be worrying about suggests that you're going to hear more high-level people follow suit. This may help to tamp down some of the more hyperbolic rhetoric surrounding the threat of cyber war. Or it may just cause governments to panic more about other governments.
As the House considers cybersecurity legislation this week, it's illuminating to compare how the United States proposes to protect critical infrastructure vis-à-vis other Western powers.
The approach in Germany--a country with which the US has deep and abiding mutual interests in the military and intelligence community--is to protect cyberspace through direct regulation of companies that provide Internet and communications services. This is a broader and more direct approach than what the US is considering. According to a new proposal from Germany's Minister of the Interior, the following would be “required to meet minimum IT security standards”:
“Operators of critical infrastructure;”
In addition, all those companies must “report significant IT security incidents” to Germany’s Federal Office for Information Security. The providers must also make “easy-to-use security tools” available to their customers. And the telemedia companies would be “obligated to implement recognized protective measures to improve IT security to a reasonable degree.”
There’s a lot in this document that isn’t defined. What does the German government consider a “critical infrastructure?” What qualifies as “easy-to-use”? Who are “telemedia services” companies? (Presumably companies like YouTube or Netflix, but it’s not clear to me how Germany would go about regulating non-German companies in this context.)
The document is just a proposal. But as Paul Rosenzweig at Lawfare (who helpfully posted the English translation) points out, “In Germany, more so than in the US, government proposals come from the executive and are likely to be adopted by the parliament.”
When you compare this German proposal to an earlier set of proposed rules by the European Union, which also would require companies--such as banks and Internet providers--to report security incidents, you start to see a common picture emerging. The European approach to getting a handle on cyber threats is to require companies to cooperate with the government, which presumes some overall responsibility for the security of networks in the national interest.
An approach this broad hasn’t flown in the United States, though there have arguably been versions of it in specific sectors. The Defense Industrial Base, for instance. It’s important to keep that in mind as Congress moves forward with cyber legislation. The US approach may end up looking something like the German one, but in individual sectors that the government deems need the most protection. This wouldn’t look like a broad regulatory regime, but maybe a set of sticks and carrots applied to, say, energy companies that effectively force them to beef up their security to a standard that the government accepts. I’ve heard from some energy company executives who say they’re already required to do this--through their current regulators.
Here are some upcoming titles that have caught my attention in the past few months. Pub dates given if available.
Untitled book by Andrew Cockburn (Times Books)
The author of Rumsfeld, and future father-in-law to SNL cast member Jason Sudeikis, is working on a true story about drones and assassins.
We Will Not Be Silent: How the White Rose Student Resistance Movement Defied Adolf Hitler by Russell Freedman (Clarion)
A story about a small group of university students who distributed anti-Hitler leaflets and condemned his policies.
Untitled book on Russian protest group Pussy Riot by Masha Gessen (Riverhead)
The author of The Man Without a Face, about the rise of Vladimir Putin, has an untold story of Russia's most famous dissidents.
Pub date: Fall 2013
Untitled book by Karen J. Greenberg (Crown)
Greenberg, the director of the Center on National Security at Fordham Law School, is writing a narrative account described as "how the power and legitimacy of the Department of Justice have been radically challenged in the wake of 9/11."
Casablanca by Meredith Hindley (Public Affairs)
A narrative history of the famous North African city, against the backdrop of the French resistance, Gestapo, Vichy agents, and American spies battling for control.
The Russian Revolution by Sean McMeekin (Basic)
Billed as "a revisionist account of the Russian Revolution" based on new information from Soviet archives.
Pub date: 2017
CIA Rogues and the Killing of the Kennedys: How and why CIA Agents Conspired to Kill JFK and RFK by Patrick Nolan (Skyhorse)
An investigation of "CIA involvement" in the assassinations of President Kennedy and his brother Robert. Timed for release with the 50th anniversary of JFK's death.
Pub date: Fall 2013
Rogue Code by Mark Russinovich (Thomas Dunne Books)
The third novel in a thriller series about cyber-expert Peter Joseph. The first two books were Zero Day and Trojan Horse.
Untitled book by Adam Segal (Public Affairs)
Segal, who's a senior fellow at the Council on Foreign Relations and heads up their cyber security initiatives, will write about "the geopolitics of information and what diplomacy looks like in the age of big data."
Forty-Seven Days by Mitchell Yockelson (Caliber)
How Gen. John "Black Jack" Pershing led the Army and helped it come of age in World War I, with the service of soldiers such as George Patton, Douglas MacArthur, and Harry Truman.
Pub date: Summer 2015
A newly declassified issue of a technical journal published by the National Security Agency opens a fascinating window into how the United States first started to grapple with the complexities, the risks, and the potential advantages of cyber warfare.
The journal was published in the spring of 1997, shortly after the NSA was delegated by the Defense Secretary to develop new computer network attack techniques, defined then as "operations to disrupt, deny, degrade, or destroy information resident in computers or computer networks, or the computers and networks themselves." This was "information warfare," as practitioners then called it. And NSA's earliest cyber warriors saw themselves on the cusp of a momentous undertaking, one for which even the agency's own technology-savvy workforce was not completely prepared.
"We are on the edge of a new age, called the 'Information Age,'" writes Bill Black, then the NSA Director's special assistant for information warfare. It was "engulfing almost every aspect of society, including the very nature of our business"--spying on other governments and intercepting electronic communications.
This didn't exactly catch the NSA by surprise; it was, and still is, the home to some of the most brilliant computer scientists the world has ever known. But perhaps because the agency understood so well the potential of technology, it knew better than most how computer networks and the increasingly integrated digital world could be exploited for strategic advantage, both by the United States and its adversaries.
In one especially prescient article in the journal, the author (his or her name has been redacted) writes about the potential of computer network attacks for "destroying enemy power facilities."
"In previous conflicts, if you wished to destroy or disable an economic/industrial target, you needed to place ordnance on it." But information warfare was "making possible infinitely scalable, infinitely accurate strikes on infrastructure targets by means of cyber-attacks on the information infrastructure needed to operate it."
This wasn't theoretical speculation. According to former military intelligence officers I spoke to when researching my book, by the late 1990s the Army was practicing for information warfare in military operations, and researchers were actively looking, as one former officer put it, "for ways to knock out the lights in Tehran," meaning a cyber attack on electrical power facilities in Iran.
Today, a cyber attack on a US power facility is the nightmare scenario many officials use to highlight the urgency of raising America's cyber defenses. "We know that cyber intruders have probed our electrical grid and that in other countries cyber attacks have plunged entire cities into darkness," President Obama said in May 2009, when he announced that his administration would devote more attention to securing cyberspace.
The NSA journal also shows that America's early cyber warriors were building up an arsenal of sorts. Any cyber attack must be directed at a vulnerability in a network, a piece of software, or a device. These are the back doors and security gaps that allow a cyber intruder to get into a system, preferably undetected. The NSA was tracking these vulnerabilities, and apparently hoarding them in secret.
"One unofficial survey within NSA listed some eighteen separate organizations who were collecting vulnerability information in one form or another!" writes one anonymous author, who seems exasperated at the lack of a more unified, coherent approach to keeping track of this valuable information. "Intelligence operatives wish to protect their sources and methods" for collecting, the author writes. "No one really knows how much knowledge exists in each sector." And without that knowledge, there could be no "large-scale national" approach to cyber war, which, the journal makes clear, is not only something NSA wanted, but was directed to do by the Pentagon.
The journal also shows the extent to which the NSA feared that US networks were vulnerable to the very kinds of attacks the agency was imagining. Yet then, as now, there was insufficient understanding of just how much risk private networks faced, because makers and users of technology were reluctant to disclose their own vulnerabilities.
"Companies wish to maintain consumer confidence and their competitive advantage," one author writes. The NSA's efforts weren't helped by poor public relations. "The public sees the government as the bad guy," writes Bill Black, who later became the NSA's deputy director. "Specifically, the focus is on the potential abuse of the Government's applications of this new information technology that will result in an invasion of personal privacy." This was hardly news even in 1997. And though it's still true today, there is perhaps greater concern by companies and technology manufacturers that they will be held legally liable when their vulnerable products enable a cyber attack or an intrusion.
The whole journal makes for fascinating reading. It's infused with both respect for and anxiety about the power of technology, and its rapid, unyielding proliferation in the world. The opportunities and the threats of a global network are presented as complex, risky, and yet impossible to ignore. In this respect, it is striking how little has changed.
National Security Adviser Tom Donilon today called Chinese cyber espionage of US business information "a growing challenge to our economic relationship with China" and "key point of concern and discussion with China at all levels of our governments."
In the first public remarks by a White House official directed specifically at cyber espionage emanating from China, which is believed to be state-sponsored, Donilon said the problem had "moved to the forefront of [the administration's] agenda," and called for "additional, intensive attention," including recognition by the Chinese government of "the urgency and scope of this problem and the risk it poses--to international trade, to the reputation of Chinese industry and to our overall relations."
Donilon's remarks are another pivotal moment in the increasingly tense, and public, dispute between China and the US over cyber spying. The last time the US government went on record blaming China for stealing American companies' secrets and other proprietary information was when the National Counterintelligence Executive released a frank and alarming report on Chinese and Russian cyber spying. At the time, I compared that to Winston Churchill's Iron Curtain speech, because it characterized the spying as part of the two countries' national strategy of military, technological, and economic domination of the West, and the United States in particular.
Interestingly, Donilon's remarks today were not as emphatic or wide-ranging as that report. His relatively brief comments came up in a lengthy speech on U.S.-Asia policy at the Asia Society in New York. Donilon focused on cyber espionage and stayed away from any discussion of state-on-state spying, or of cyber warfare, even though these are both part of the calculus when it comes to U.S.-China relations in cyber space.
But this was the first time any US official has made specific demands of China. In addition to calling for official "recognition" of cyber espionage--Chinese officials steadfastly maintain that their country is not a perpetrator, but a victim--Donilon said, "Beijing should take serious steps to investigate and put a stop to these activities" and "engage with us in a constructive direct dialogue to establish acceptable norms of behavior in cyberspace."
The Obama administration is raising the stakes. While not specifically accusing the Chinese government of being behind the intrusions, Donilon called for state action and invoked it on the part of the United States. Referring to President Obama's most recent State of the Union Address, Donilon said, "We will take action to protect our economy against cyber-threats." Already we're seeing some evidence of that. In the coming weeks, elements of US intelligence and law enforcement will begin sharing information about Chinese cyber hacking with US telecommunications companies, bringing them deeper into a public-private effort to secure cyberspace.
Donilon also drew a distinction between "ordinary cybercrime or hacking" and what China is accused of doing. He said it's not "solely a national security concern," but one for businesses who are "speaking out about their serious concerns about sophisticated, targeted theft of confidential business information and proprietary technologies through cyber intrusions emanating from China on an unprecedented scale."
This is carefully tuned language. It focuses the administration's attention on what Donilon characterized as a strategic threat to the economic growth of both countries, which are each other's most important trading partners. And it brings the private sector into the problem as a key player, not a bystander.
The full video of Donilon's remarks is here. He starts talking about cyber security about 32 minutes in.
The Obama administration is about to pull US telecommunications companies even deeper into the ongoing cyber conflict with China.
Foreign Policy reports that in the coming weeks, the National Security Agency, in concert with the Homeland Security Department and the FBI, "will release to select American telecommunication companies a wealth of information about China's cyber-espionage program." The idea behind this reportedly classified operation is to give the telecoms more information about how Chinese cyber spies ply their trade, so that American companies can in turn get ahead of the threat and better defend themselves.
The information the government will share with the companies includes "sophisticated tools that China uses, countermeasures developed by the NSA, and unique signature-detection software that previously had been used only to protect government networks," FP reports.
This marks an escalation in the so-called "public-private partnership" that has existed for a few years now in the ever-expanding cyber battlefield. The government has already been sharing with telecom companies some domain names and Internet addresses associated with suspected spies and hostile actors. The companies, which run and manage the country's networks, in turn are expected to exercise some level of surveillance and defense, which theoretically redounds to the benefit of their customers.
This hasn't really made cyberspace any safer, nor has it significantly reduced cyber espionage and malware attacks against US companies. So now, the government is effectively giving the companies more cyber "ammo," in the form of richer, and more secretive intelligence, which it has traditionally guarded. In theory, the companies will have greater insight into how spies are trying to crack their networks.
The timing of this event doesn't seem coincidental. In February, computer security firm Mandiant released a report naming the Chinese military as a major source of espionage against U.S. companies. I'm told by knowledgeable sources that the release of that report was coordinated with the Defense Department and the Homeland Security Department, which just a day earlier released much of the same threat information that's in the Mandiant report, but without attributing the source to China. Like the new information-sharing program, these are not rhetorical strategies, but rather tactical attempts to push back against cyber spying and give US companies more means to defend themselves.
The Obama administration has long understood that in order to defend cyberspace, it's going to have to enlist the cooperation and active participation of US companies. The US government, for all its technical intelligence prowess, simply cannot defend a network infrastructure that is almost entirely owned and operated by the private sector.
For their part, companies have been itching to get more information and to change the often one-way flow of threat information from the private sector to the government. Companies know their networks are threatened, but they often don't know much about the sources of those intrusions, and what else the intruders are capable of doing. They need a government intelligence agency to obtain that information--mainly through espionage, which companies can't legally practice on their own.
Yesterday, the chief information officer for Dow Chemical Company told a Senate panel that he'd like to see more information sharing from the government to industry, and among different sectors of US companies. He's about to get some of what he asked for.
To some extent, this information exchange has been happening already. For the past few years, US defense contractors have been sharing threat information with the government and allowing government agencies to monitor their networks, so the intelligence community can gather information about US adversaries, and how they work.
Now, though, the administration is pushing this cooperation even deeper into the telecom sector, essentially taking the fight down to the level of the network operators. That's a significant development. Think of this as deputizing some companies in the new cyber war. We're going to see a lot more of this in the future.