IntelFusion

dispositions of an enemy are ascertained by spies, and spies alone - Mei Yao-ch'en

Australia joins U.S. and Britain in pursuing a Cyber Security strategy

without comments

A Committee of the Australian Parliament recently announced that it was soliciting feedback on eSecurity matters related to Australia’s cyber crime problem. And in fact, some evidence puts Australia right at the top of the list of nations suffering from a high incidence of cyber crime, not to mention cyber espionage.

The Prime Minister of Australia, Kevin Rudd, and his party were targets of Chinese hackers during his trip to Beijing last year and ever since he has been an advocate of increasing federal spending in this area, along with his British counterpart Gordon Brown.

I’m happy to announce that I was approached by a manager for the KAZ Group of Fujitsu Australia and New Zealand Limited to do substantial work on the draft of their submission for the Australian Parliament’s consideration and, thanks to the generous efforts of colleagues who responded to my last minute request for information, we were able to field a reasonably thorough look at the problem including threats and defenses. Once the document has been cleared for public dissemination by the Committee, I’ll provide a link.

Written by admin

June 30th, 2009 at 5:34 am

Posted in Cyber


Kremlin opposes international law enforcement of cyber crime as a matter of military strategy

with 4 comments

Yesterday the New York Times ran an article by John Markoff and Andrew E. Kramer which laid out the dispute between the U.S. and Russia over how to combat international acts of cyber aggression.

In the course of writing Inside Cyber Warfare, I came across a Russian military paper that elaborates on the current thinking of leading military theorists in the Russian Federation on how to conduct Information Warfare.

Since it is relevant background to Russia’s negotiating position, here is an excerpt from chapter 11 of my book. It explains why we won’t be seeing Russia agreeing to any treaty provision for cooperative law enforcement against Russian cyber criminals.


Russian Federation Military Policy in the Area of International Information Security: Regional Aspect

From Moscow Military Thought (English) 31 Mar 07.

The Authors

There are five authors credited for this article: I.N. Dylevsky, S.A. Komov, S.V. Korotkov, S.N. Rodionov, and A.V. Fedorov. Unfortunately, little background information is available for some, and none appears available for others. Of the five, S. A. Komov is a Russian military theorist, Colonel Sergei Korotkov is attached to the Main Operations Department, General Staff of Armed Forces, RF, and A. V. Fedorov served in the FSB’s Directorate of Counterintelligence Support to Transportation.

The Paper

This rather lengthy treatise explores the Russian perspective of what other nations are planning for in the sphere of Information Warfare, and what the Russian Federation should be doing in light of those activities. The authors propose the following definition for Information Warfare:

(The) main objectives will be to disorganize (disrupt) the functioning of the key enemy military, industrial and administrative facilities and systems, as well as to bring information-psychological pressure to bear on the adversary’s military-political leadership, troops and population, something to be achieved primarily through the use of state-of-the-art information technologies and assets.

They also warn readers that the U.S. is already fully capable of embarking on “psychological and technical information operations” and cite three documents to support their view:

  • DOD Directive No. 3600.1, Information Operations. 2001. October

  • DOD Information Operations Roadmap. 2003. 30 October

  • JP 3 - 13 Information Operations. February 13, 2006

Each of these documents is explored in the U.S. military doctrine section of this chapter.

To further boost the need for Russia to develop its own Information Operations (IO) capability, the authors go on to criticize the U.S. for not supporting United Nations efforts to ensure international information security:

In 1998, the Russian Federation suggested to the United Nations that it was necessary to consolidate the world community’s efforts in order to ensure international information security. Since then the General Assembly annually passes the resolution “Developments in the Field of Information and Telecommunications in the Context of International Security.” This fact reaffirms the importance of assuring international information security and the UN readiness to study and solve the problem. But progress in this matter is extremely slow on account of counterproductive attitudes displayed by the United States.

For example, this was the reason why a group of government experts on international information security that operated under the auspices of the First Committee of the UN General Assembly from 2004 to 2005 failed to realize the results of its work. The stumbling block was the Russian Federation’s motion (supported by Brazil, Belarus, China and South Africa) on the necessity of studying the military-political component of a threat to international information security.

As is to be regretted, the U. S. is consistent in its reluctance to address the information security problem at the international level. At the 60th and 61st General Assembly sessions it was the only state to vote against the said resolution. It cannot be ruled out that Washington will behave similarly towards a new group of government experts the UN is setting up in 2009.

Predictably, much of this document paints U.S. policies in a negative light; even to the point of accusing it of fostering the flower revolutions that have taken place in the countries that used to make up the Soviet Union and are now known as the Commonwealth of Independent States (CIS):

A case in point is the moral-psychological and political-economic aftermath of a string of “flower” and “color” revolutions masterminded in a number of countries contrary to the will of their peoples (the “rose revolution” in Georgia, the “orange revolution” in Ukraine, the “purple revolution” in Iraq, the “tulip revolution” in Kyrgyzstan, and the “cedar revolution” in Lebanon). For the masterminds of the “flower revolutions” there was an instant spin-off from bringing to power the desirable leaders and governments. But with the passage of time it became clear that political crises in the countries in question and, as a consequence, their economic decline could not be surmounted.

Ironically, Russia waged its own style of Information Warfare on those very nations, including Chechnya (2002), Kyrgyzstan (2005, 2009), Estonia (2007), Lithuania (2008), and Georgia (2008) in the form of network and government Web site attacks by Non-state hackers.

Creating a legend for a cyber attack

The authors progress to a few key sections that have a direct application to the Kremlin keeping its distance from the activities of its nationalistic hackers during each of the aforementioned examples:

In our view, isolating cyber terrorism and cyber crime from the general context of international information security is, in a sense, artificial and unsupported by any real objective necessity. This is because the effect of a “cybernetic” weapon does not depend on the motivation of a source of destructive impact, whereas it is primarily motivation that distinguishes acts of cyber terrorism, cyber crime, and military cyber attacks. The rest of their attributes may be absolutely similar. The practical part of the problem is that the target of a cyber attack, while in the process of repelling it, will not be informed about the motives guiding its source, and, accordingly, will be unable to qualify what is going on as a criminal, terrorist or military-political act. The more so that sources of cyber attacks can be easily given a legend as criminal or terrorist actions.

After establishing the tactical importance of maintaining a “legend” or cover for an act of cyber warfare to be indistinguishable from an act of cyber crime or cyber terror, the authors go on to decry efforts by the United States to secure international legislation that might infringe on a State’s internal affairs in these matters.

International legal acts regulating relations arising in the process of combating cyber crime and cyber terrorism must not contain norms violating such immutable principles of international law as non-interference in the internal affairs of other states, and the sovereignty of the latter.

Moreover, politically motivated cyber attacks executed on orders from governmental structures can be qualified as military crimes with all the ensuing procedures of investigation and criminal persecution of the culprits. Besides, military cyber attacks can be considered as a subject of international public law. In this case, we should speak about imposing restrictions on development and use of computers intended to bring hostile influences to bear on objects in other states’ cyberspace.

In any event, the military policy in the area of international information security where it involves opposition to cyber terrorism and cyber crime should be directed at introducing international legal mechanisms that would make it possible to contain potential aggressors from uncontrolled and surreptitious use of cyber weapons against the Russian Federation and its geopolitical allies.

I’m happy to see that the U.S. State Department has aligned acts of cyber crime with cyber espionage and cyber warfare, and is properly pursuing international cooperation among law enforcement agencies. In my opinion this must occur if we want to effectively combat this problem of Non-state hackers engaging in every aspect of cyber aggression while providing their host governments plausible deniability. After all, cyber crime is the day job for many of the same hackers that engage in acts of cyber espionage and cyber warfare.

Written by admin

June 28th, 2009 at 7:30 pm

FSB responsible for computer attack against President of Tatarstan’s Web site

without comments

At least, that’s what Fauziya Bayramova, Chairwoman of Milly Mejlis (National Council) in Chally City (Republic of Tatarstan) claims:

24.06.2009 14:08 (GMT)

Tatar activists blame Russia’s Federal Security Service for breaking open of the website of the president of Milli Majlis of Tatar people Fauziya Bayramova and making stream of viruses into it, online paper Kavkaz Center reports. The president of the Tatar parliament is unable now to enter into the Internet and open her online archive.

On December 20, 2008, the expanded session of Milli Majlis of Tatar people adopted a resolution, in which about 100 members of Tatar parliament, referring to results of the referendum on independence of Tatarstan of 1992, declared about illegitimate character of violent inclusion of Tatarstan into the structure of the Russian Federation.

In the statement for the press by the National Democratic Party Vatan, M. Minachev specifies the following,

“The secret services have one single purpose — to complicate activity of nationally focused organizations of Tatars and particularly of their leaders as much as possible. They have almost reached their purpose, they have a little complicated our communication, but they have not managed to do it completely. Our computers have been requisitioned. Seeing that withdrawal of computers has not strongly affected our activity, including activity of Fauziya Bayramova, and not having an opportunity to withdraw computers again, they simply have messed up Fauziya’s computer.”

Fauziya had a run-in with the Russian Federal Security Service (FSB) back in January of this year, so it’s not surprising that she suspects them. So far I haven’t found any further information on the hack or the nature of the attack, but I’ll update this story if I do.


Written by admin

June 25th, 2009 at 6:49 am

Posted in Uncategorized


UK Launches Beefed-Up Cyber Strategy at GCHQ with the help of hackers

without comments

The BBC reports on the new cyber strategy which coordinates a beefed up security posture by standing up a Cyber Security Operations Center at the electronic spy agency GCHQ (British equivalent of the NSA).

CSOC’s aim will be to identify in real time what type of cyber attacks are taking place, where they come from and what can be done to stop them. (Whitehall Security Official)

A Cabinet level post has also been set up to coordinate cyber policy across the government. The new Cyber Security Chief was also announced - Neil Thompson, a senior civil servant.

In an interview, Cyber Security Minister Lord West acknowledged an offensive capability and the employment of “naughty boys”, an obvious euphemism for hackers.

Read the full story here.

Written by admin

June 25th, 2009 at 5:44 am

Posted in Cyber


Israeli Intelligence Has OPSEC Concerns With Social Media

without comments

The BBC reports:

According to the Israeli intelligence analyst, Dr Ronen Bergman, Israel’s concerns are twofold: first, that Israeli internet sites might be breached and sabotaged; second, that Israeli soldiers might be enticed to give away secrets.

Israeli intelligence officials are worried that Israelis risk leaking sensitive information or may even be kidnapped if they speak too openly with Palestinians and Lebanese online.

They fear that Israelis might be encouraged to leave Israel to meet someone they meet in the virtual world of Facebook and then be kidnapped in the hope that they can be exchanged for some of the thousands of Palestinians held in Israeli jails.

It’s a legitimate concern, and one that is not unique to Israeli intelligence. Ongoing GreyLogic research in this area shows multiple governments are involved in attempts to control the inadvertent leakage of information which in turn may be harvested by adversarial intelligence-gathering efforts.

It’s a tough area to control because it’s not enough to provide Operations Security (OPSEC) training to service members; their families need it too - especially children and teens, who spend most of their waking moments online communicating with their friends and publishing personal information to sites like MySpace, Facebook and other social software platforms.

I addressed this concern in my earlier article for O’Reilly Radar, “Loki’s Net: The National Security Concerns of Gov 2.0 and the Social Web”. The combined benefits of rich intelligence gathering and income generation are, in my view, what’s behind the recent investment of $200 to $300 million by Digital Sky Technologies in Facebook.

Written by admin

June 21st, 2009 at 8:01 am

This was a bad idea on so many levels

without comments

On the Weaponization of the Collaborative Web by Matthew Burton

Matt is a good man and a valued colleague and collaborator, but his rationale for engaging in a DDOS attack just fails on so many levels (some of which he himself mentions in his post).

My biggest concern is that as a self-identified past employee of a U.S. government intelligence agency, his engagement in an unauthorized attack on a Web site reflects on his former employer and on the U.S. government as a whole. Anyone engaged in collecting OSINT on U.S. gov employees will read Matt’s actions not as coming from a place of passion and sympathy but as the same kind of covert encouragement from State sources that we ascribe to the actions of Non-state hackers in geopolitical Web conflicts across the globe. This, of course, is NOT the case, but I’m sure that anyone reading this can see how easy it is to jump to that conclusion.

I’m glad that Matt’s final decision was to stop his attack. I just wish he hadn’t made it in the first place.

Written by admin

June 20th, 2009 at 10:22 am

Posted in Uncategorized


One Week From Today I’ll Be In Tallinn

with 2 comments

My colleague and I will be presenting at the NATO CCD COE Conference on Cyber Security June 17th - 19th. If you can attend, please introduce yourself at some point during the conference. I’ll post my impressions here afterward, and I may even do some live twittering during a few of the sessions.

In the meantime, posting here will be light for at least another week.

And if you ordered a Project Grey Goose tee shirt before June 1st, you should be receiving it next week. Post-June 1st orders will probably be shipped by the end of the month. Thanks again to everyone who donated.

Written by admin

June 10th, 2009 at 7:12 pm

Posted in Uncategorized


How to deliver sensitive, specialized data - feedback requested

with 2 comments

The problem

Since August 2008, the Project Grey Goose team of OSINT analysts has collected a lot of information on the activities of Non-state hackers engaging in cyber conflicts. Out of that research, we’ve produced two reports, with a third one coming this Fall. Our reports are well received and respected sources of data for various agencies. The problem is that a lot of the information that we uncover is time-sensitive and should be put in the hands of the appropriate agencies immediately. A public blog like this one simply isn’t an appropriate venue for a lot of our findings.

One solution

One way to solve this problem is by establishing a protected channel whereby we can move sensitive data and analysis directly to our public and private sector customers instantly. This would be a subscription service offered through GreyLogic, possibly in partnership with an educational institution.

Share your thoughts

I’d love to hear from the readers of this blog what you think about the idea, or suggest some alternate ideas that address the problem. Feel free to post them as comments or send me an e-mail. I’d also like to hear from you if you think that your company or agency would be interested in learning more about how to receive this new level of data.

Written by admin

June 6th, 2009 at 2:21 pm

Posted in Uncategorized

The Friday Brief

without comments

I had a well-attended session at the NYS Cyber Security Conference this past Wednesday (sponsored by the CSCIC). Thanks to those of you who attended and particularly to Professor Sanjay Goel for inviting me. His program at the University of Albany is doing some cutting edge research into the security threats posed by Non-State hackers, and it appears that there may be some overlap between his department’s work at U of A and GreyLogic.

Here are a few things of note:

1. Chinese police arrested 4 hackers for launching a DDoS attack against DNSpod that resulted in a loss of Internet service for about 300 million Chinese users, the largest outage since an undersea cable was damaged on December 26, 2006. (h/t Fergies Tech Blog)

The moral of this story is that the PRC is perfectly capable of cracking down on hackers when they want to. Cases like this provide evidence, in Beijing’s eyes, that they are serious about Internet crime; that is, unless it’s being directed at U.S. military networks. Then the strategy changes to one of deny and defend: “it’s not us. We prosecute hackers.” Sure thing, fellas.

2. Excellent thesis paper on the use of Web 2.0 technologies during emergencies written by Laurie J. Van Leuven while at the Naval Post Graduate School. I discovered it when reading Laurie’s comment to my O’Reilly Radar post Loki’s Net. Thanks, Laurie and congratulations on a job well done.

3. Speaking of Gov 2.0, check out this new Gov mashup called KnoWorld. According to its creators, you can access and analyze world data such as GDP or infant mortality. With KnoWorld, you can visualize the data through graphs and maps and compare them with actual events to analyze their causes and consequences.

4. I’m more than a little concerned about DST’s investment in Facebook for reasons that I’m not prepared to share yet, but here’s one obvious reason. Yuri Milner, DST’s CEO, is going to leverage his investment in Facebook to propel interest in his company’s impending IPO.

Written by admin

June 5th, 2009 at 9:23 am

Posted in Uncategorized


The National Security Risks of Gov 2.0 and Social Software

without comments

I’m particularly pleased to point you to this post that I wrote for O’Reilly Radar. With the rush towards more openness in Government and the impending Gov 2.0 Summit, I noticed a lack of published material on the risks associated with Gov 2.0, particularly those that involve Social software like Twitter, Facebook, Govloop, etc.

I also list 5 recommendations on things that you can do right now to reduce your risks and increase your understanding about how you may be targeted by our adversaries via your use of social media.

Written by admin

June 1st, 2009 at 2:17 pm

Posted in Uncategorized
