ThreatsWatch.Org: PrincipalAnalysis

Threat from the ‘Net: Part I

Congress Tries Once Again to Sort Out Fear, Uncertainty, Doubt

By Michael Tanji

Today the House Committee on Homeland Security's Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology will hold a hearing on the impact hackers are having on federal computer systems and critical infrastructure. Myriad high-level witnesses from the government and private sector will be testifying, though I wonder if this will not be yet another case of “same-speech, different speaker.”

The adoption of information technology in all aspects and levels of government and industry is irreversible. This is particularly true in the commercial and private sector where there is precious little that one cannot accomplish – stocking the fridge, buying a car or going to college – through the use of information technology.

The military is also a large and enthusiastic adopter of both technology and related metaphors (Network Centric Warfare, Information Operations). The Army in particular is keen on turning every soldier into a technical sensor; the Navy manages warships with Microsoft Windows; the Air Force has its own cyber command.

The rush to adopt the best of the information technology age has left most government institutions with gaping security holes that are regularly and extensively exploited. This is not a new phenomenon but one that is reinforced by a number of fairly recent revelations:

Are we being played? Does the cyber threat conveniently mesh with the nations in the “Axis of Evil” or is there more to this than meets the eye? Where does the real cyber threat originate?

The fact of the matter is that at any given time each of the aforementioned reports may be correct and none of the aforementioned reports may be correct.

Every study on these issues relies heavily on what is called “last hop” data, that is, the last IP address that was observed attacking a given target system. The problem is that those who perpetrate cyber attacks have a wide range of ways to hide their true location and mask their identities. The phrase “last hop” is a hint: nearly all of these attacks actually originate at an IP address that is at the end of a long chain of compromised IPs. Actually tracking the source of an attack requires the victim – or law enforcement – to hack back through the same systems that were compromised in the first place. In other words: to solve a crime one has to commit a crime. So reports that country X is the greatest cyber threat, based on last-hop data, are not a realistic or accurate way of portraying the true source of threats in cyber space.

Since we cannot count solely on technical data to assign responsibility for these malicious activities, we need to turn to other sources of information to assess the threat. Like assessments for physical threats, cyber threat assessments should give more serious consideration to the motivation and goals of those posing the threat. The following example is notional but reflective of real-world events:

WASHINGTON – One week after US defense contractor General Tank signed a deal to build the next-generation tank, General Tank network administrators noticed a slight up-tick in probes against their corporate network from Portugal. Several months later, when artists’ renditions of the proposed tank hit the defense technology press, a series of cyber attacks probing for system vulnerabilities was noted, again coming from IP addresses in Portugal. About a month after that event, General Tank technicians came in to work and found that their system had been breached. No data was destroyed or missing, but a review of system log files indicated that nearly every file related to the design and production of the new tank had been copied and sent to an IP address in Portugal.

Fairly straightforward, no? Time to get with the FBI and whomever else might need to be involved and complain to the Portuguese Ambassador, right?

Not exactly.

What possible use could Portugal have for a tank as sophisticated as the one being built? Portugal isn’t exactly an ideal place to fight a major ground war. Additionally, it is a member of NATO – surrounded by another NATO nation – and if attacked by some misguided foreign power could count on a collaborative response that would dwarf any ground force they could muster. Bottom line: Portugal has no use for advanced tank data.

Portugal should be asked to work harder at securing its information infrastructure, but the Portuguese are not the true perpetrators of this attack. So who is? There are really only two options: nations that could build and use an advanced tank, and adversaries that are likely to face such a tank.

The conventional wisdom holds that those who are most likely behind these events – not the unwitting proxies – are those that can make the most out of the information that is obtained, that is: near-peer nation-states. The primary flaw in the conventional wisdom is that militarily speaking we have no near-peers and attempting to build a rival weapons system, well, ask the former Soviets how well that strategy worked.

The more likely conclusion is that the number of perpetrators of these attacks is nearly as diverse as those who stand in opposition to the US and its allies on political, economic or ideological fronts. Knowledge of how our most advanced military and technical systems work provides the necessary insight into how to defeat such sophisticated systems in an asymmetric fashion. Such tactics rely on imagination and gap analysis, not massive funding and an expansive military-industrial base.

Focusing on nation-states and discounting non-state actors in this arena is a short-sighted flaw that is highlighted every time a new “improvised” method of killing US and allied forces is employed. Assembling a cyber war capability is well within the realm of most non-state actors, and indeed the primary non-state actor we face has already indicated their willingness to adapt to the information age.

Unfortunately, information security is rarely given sufficient attention at the highest levels of government. If it is discussed at all, it tends to be after a series of substantial breaches or mishaps – as this hearing happens to reflect – and the solution is legislation that makes certain activities illegal: something conveniently ignored by perpetrators who are rarely identified, much less apprehended.

Part II of this essay will follow shortly after the testimony of committee witnesses is made public and analyzed.