Imagine if Russia or China announced a formal policy of using non-state actors in cyber deterrence
Last Updated on Wednesday, 3 March 2010 10:56 Written by Jeffreycarr Wednesday, 3 March 2010 10:56
As I pointed out earlier, Initiative #10 states that the U.S. will be “building an approach to cyber defense strategy that deters interference and attack in cyberspace by improving warning capabilities, articulating roles for private sector and international partners, and developing appropriate responses by both state and non-state actors.”
About a month ago, the Russian Federation released its military doctrine for 2020. As far as cyber operations go (the RF calls it Information Warfare), it was almost a non-event, which is partly why I haven’t blogged about it (yet). Still, for the purpose of comparison between what the Kremlin released and what the White House released, I think it’s a constructive exercise. So according to the RF’s Military Doctrine and Principles of state policy on nuclear deterrence to 2020, the following sections relate to Information Warfare:
12. (d) Acknowledgment of the intensification of the role of information warfare in contemporary military conflict.
13. (d) The prior implementation of measures of information warfare in order to achieve political objectives without the utilization of military force and, subsequently, in the interest of shaping a favorable response from the world community to the utilization of military force.
41. The tasks of equipping the Armed Forces and other troops with armaments and military and specialized equipment are: (c) to develop forces and resources for information warfare
And that’s pretty much it. But what if 41 (c) said “to develop state and non-state actors as forces in the use of information warfare”? Can you imagine the uproar that would occur, that Russia has “outed” its own use of non-state actors? Well, that’s essentially what this document has done for the U.S. government.
Now if this document were released in a vacuum, it could be argued that it’s just a statement that could have been written a little more clearly, and that my concerns are excessive and overblown. Fair enough, but it wasn’t released in a vacuum. Many other nations in the world community already see the U.S. in a more negative way because 20 of the world’s top 50 worst ISPs for serving malware operate in the United States. This creates the illusion that the U.S. is responsible when in fact foreign actors use U.S. servers to mask attribution and, as a side benefit to them, feed anti-U.S. sentiment. This strategy seems to be working, according to the McAfee report “In the Crossfire” (.pdf), which surveyed “600 IT and security executives from critical infrastructure enterprises across seven sectors in 14 countries”. According to the report, the U.S. is seen as the “most worrisome potential aggressor”.
Ironically, China will surely use this document against us as they continue to accuse the U.S. of launching cyber attacks against .cn websites. China, PRC officials will say, is busy shutting down bad ISPs and enforcing its own anti-hacking laws (which they are doing, by the way), while the U.S. does nothing about its own infected computers and badware.
While I have no doubt that the intentions of those who wrote this Initiative were good, announcing it in the public version is a potential disaster for us.
A Definitive Counter Cyber Operation in 3 Easy Steps
Last Updated on Sunday, 28 February 2010 10:35 Written by Jeffreycarr Friday, 26 February 2010 12:18
You’ve probably read Mike McConnell’s editorial in yesterday’s Washington Post “We’re losing the cyber war. Here’s the strategy to win it.” Overall, it was a pretty good article which promoted the implementation of these tactics:
1. Re-engineer the Internet to make attribution easier.
2. For irrational actors (i.e., terrorist groups), preemptively “degrade, interdict, and eliminate” their leadership and capabilities.
3. Improve information flow between the public and private sectors, particularly companies whose networks have been attacked, and protect them from the lawsuits which may follow such sharing.
With all due respect to the Admiral, those tactics, sound as they may be, each have a number of obstacles blocking their immediate implementation. In the meantime, I offer 3 recommendations which can be implemented today at little to no cost and that will quickly and dramatically reduce the ability of State-sponsored actors and Non-State actors to continue their attacks against not only U.S. networks but ANY nation state’s networks. They are:
1. Deny access to safe havens in Eastern Europe and Asia by implementing something akin to a COIN strategy for the smaller States that could use our help (most of the Commonwealth of Independent States and Taiwan, for example). An international law enforcement effort led by the FBI and other agencies could provide welcome assistance to these states’ respective agencies, who are also victims of the same criminal hacker gangs. This would provide us with the first four of David Kilcullen’s 28 Articles:
   1. Know your turf
   2. Diagnose the problem
   3. Organize for intelligence
   4. Organize for interagency operations
2. Reduce their attack platform by compelling U.S. Internet Service Providers (ISPs) to verify ALL of their customers’ registration data and turn off every customer with inaccurate information until they correct the problem. This is a vital step because so many bad actors rely on services provided by U.S. ISPs (20 of the world’s top 50 bad ISPs are in the U.S.).
3. Break trust in their tools and alternative payment channels (I won’t elaborate on this in a public forum but I’m happy to discuss it privately).
These steps can be taken today with no extra funding, no re-engineering of Internet architecture, and no Congressional approval. And once taken, the criminal hacker gangs who have been enjoying a perfect storm of high profit and low risk will immediately begin feeling the pain.
Cyber Intelligence through the LookingGlass
Last Updated on Friday, 12 February 2010 11:51 Written by Jeffreycarr Friday, 12 February 2010 11:51
I don’t know if it’s the name of the company or their product, but after watching a demo of LookingGlass’ ScoutVision platform, GreyLogic’s business focus for 2010 suddenly became crystal clear.
Right now there are multiple ideas around what constitutes “cyber intelligence”. I’ve said in past posts (here and here) that the OSINT model used in various cyber intelligence efforts needs updating. Today I was able to clearly see how my company GreyLogic fits into that picture. And since I’m more of a symbologist than a technologist, I’ll start by asking you to imagine Ancient Egypt along the Nile river.

In Ancient Egypt, the Nile river separated the land of the living (east bank) from the land of the dead (west bank), known as the “necropolis”. All along the western river bank, one could see the pyramids which were built to house the remains of Egyptian royalty. It was from these pyramids and numerous other sacred sites that a soul would enter the land of the dead. Obviously, it was important to keep a great divide between the two worlds, and the Nile river served that purpose.
Now imagine that the east bank of the Nile represents the technical data of a cyber attack while the west bank represents uncovering the hidden actors (State and non-State) behind the attack. The Nile itself symbolizes the data stream. In order for a government agency, military command, or corporate boardroom to make a correct decision, each must perform its version of an Intelligence Preparation of the Battlespace.
Today there is an ample supply of technical data regarding cyber attacks, but there is little to no corresponding data regarding the actors behind the attacks, from the State level on down. No one company has all of the resources or skills necessary to produce that degree of granularity. Customers will need a variety of data sources and a platform upon which they can analyze them. To that end, I’m now in discussions with several companies to syndicate our intelligence research so that the end user can get, for once, a complete real-time picture of the global cyber threatscape on whichever platform they happen to be using. If this sounds of interest to you, please let me know.