In a first for any nation, the Islamic Republic of Iran has announced that a division of its Armed Forces – the IRGC – has launched a cyber attack against an alledged U.S. spy network financed by the CIA under cover of the U.S. State Department’s International Broadcasting Bureau (IBB). The announcement was made via a 10 minute television program on the IRIB, produced by Iran’s Intelligence service.  According to the program, the IRGC made 30 arrests of individuals working under cover of an NGO called “Association for Defending Human Rights”.

Iranian intelligence described the plot as being formulated in 2006 by the CIA named “Operation Destabilizing Iran” with a $400 million dollar budget. It’s goals were purported to be (machine translation):

1 – create a spy network data collection, especially identification of nuclear scientists
2 – identify, recruit and organize Iranians abroad in some countries such as USA, Canada, Germany, France and Turkey
3 – Jryansazy and reporting to psychological warfare against the Islamic Republic and the sacred religious and send it to foreign media, human rights organizations and institutions
4 – holding illegal gatherings and to encourage the presence of disturbances after the election
5 – انشتار News lies Hftadv including two killed in accidents after the elections and arrested and killed as child Saieedeh Pvraqayy Shahid
6 – Photo and media support of terrorist Grvhk·hay Rigi and Royal Society
7 – Causing illegal transfer and individuals Msylhdar abroad through Grvhk·hay Zdanqlab
8 – Ayzayy and Hkry measures to influence public servers for unauthorized access of confidential information to a spy services and their complete database
9 – Planning for Urban Disorder and the network management system, including Khdmatrsany Fuel Samanh people to create discontent
10 – creating security coatings for New Phase of armed action against the Islamic Republic

Earlier, the Iranian Judiciary announced that 30 members of this operation had been arrested for allegedly gathering information on Iranian nuclear scientists, encouraging people to take part in anti-government demonstrations and further attracting and dispatching them to PMOI camps in Iraq to be trained as rebels.

One of the NGO’s targed by Iranian Intelligence in this operation was The Peoples Mujahedin of Iran. It’s website is hosted in Berkely, CA by LMI.net, so at least one of the networks attacked by the IRGC was on U.S. soil. This action on the part of Iran dramatically raises the stakes for the need to define where espionage ends and warfare begins. This may qualify officially as a terrorist attack because in 2007 the IRGC was listed as a terrorist organization, the very first official government agency to ever be added to that list.

The Intelligence Community’s version of DARPA, known as IARPA, has issued a fascinating pre-solicitation (IARPA-RFI-10-04) which asks for a brief pager on how immersive games and virtual worlds can help overcome some of the common problems experienced by intelligence analysts, such as groupthink, premature attachment to early hypotheses, confirmation bias, and cultural bias.

From the solicitation:

IARPA is interested in focused, quantitative research to understand how virtual worlds and immersive games may have RW effects, particularly those effects that could positively impact individual and group analytic performance. What are the important VW (and RW) environmental variables that control the strength and persistence of such effects? Examples of variables include, but are not limited to: degree of fidelity, image and sound quality, level of immersion, amount of repetition, social effects, narrative structure, language skills, and cultural background.

Submissions should be theory-driven, and any prospective VW or game development, along with experimental paradigms to test their effectiveness, should be informed by existing or new theories. Theories may be derived from a number of disciplines, including but not limited to: education, clinical psychology, social psychology, health care, or neurology.

Submissions may also address one or more of the following topics:
1. Alternative virtual environments, ranging from Virtual Reality rooms to desktop/laptop applications to mobile handheld devices/applications
2. Quantitative methods for reliably predicting and objectively measuring expected RW effects and actual RW effects due to the complex variables, including longitudinal effects
3. Literature reviews or perspectives on research. Research does not need to be directly related to analytic processes, but may be based in other domains such as VWs for education/training, or gaming for health.

The responses to this RFI will be used to help in the planning of a one to two day workshop. The results of this workshop may justify a multi-year competitive program. The selection of topics, participants, and setting of the agenda of this workshop will in part be informed by the responses, with responders potentially being invited to participate and present at this workshop. It is anticipated that this workshop will be held in May 2010.

Instructions on how to respond are in the pre-solicitation. The deadline is April 10, 2010 so get moving on this!

- I’m honored that I’ve been asked by Forbes.com to write for their new blog The Firewall. My first post is up entitled “In the Land Where Profit is King, Security Suffers“. Please check it out, and pass the word.

- My blogging pal and sometimes debating partner Tim Stevens is part of a very ambitious online magazine project called Current Intelligence which features the work of Charli Carpenter, one of my favorite writers on social anthropology as it relates to warfare. I just discovered that she’s on Twitter, too. Definitely worth a follow. Best of luck to everyone at Current Intelligence.

- When I posted my views on Mandiant and APT, I ruffled a few feathers and probably could have been more diplomatic about it (not my strong suit). Fortunately Ryan Naraine just published the best piece on what APT really is that I’ve ever read. It’s long but please read the entire article. In fact, I’ll reproduce the short version for you right now:

Figure 1: Tide of protests engulf more Russian cities

Of all the countries in the world which are developing cyber capabilities, the Russian Federation leads the pack in its use of Information Warfare (the Kremlin’s terminology for cyber operations). It’s happened during the Tulip revolution in Kyrgyzstan (tomorrow, March 13, 2010 is the 5 year anniversary) and versions of it are regularly employed to control opposition political parties inside the RF (e.g., Anna Bukovskaya).

Now, as another election approaches on March 14th, more and more Russian citizens are voicing their protests against corruption and an increasingly unbearable economic split beteen the haves and the have-nots. The following is an excerpt from a feature story by Clair Biggs that’s getting broad coverage across Eurasia:

“In places as varied as Samara, Irkutsk, and Archangelsk, disgruntled residents have been joining forces to protest low pay, mounting unemployment, police abuse, and what increasing numbers of Russians see as a corrupt government on both the local and federal level.

The largest demonstration, held last month in the Baltic city of Kaliningrad, drew as many as 10,000 people.

The demonstration will be repeated on a nationwide scale when Kaliningrad becomes one of at least 15 cities to stage coordinated protests on March 20.

And the protest is not limited to banners and slogans shouted on cold city squares; some prominent Russians, too, are voicing their resentment at the regime built by Vladimir Putin over the past decade.

“The rich are becoming even richer, the poor even poorer. Corruption is total, everyone is stealing,” veteran rock star Yury Shevchuk told his fans at a March 7 concert in Moscow. “The system has built a brutal, cruel, and inhumane government in our country. People are suffering, not only in prisons and camps, but in orphanages and hospitals as well.”

The recent protests are a notable shift from the public passivity of the early and mid-2000s, when the country was enjoying an unprecedented wave of stability and economic prosperity. Political analyst Dmitry Oreshkin says much of the roiling discontent now is due to the economic crisis, which has hit Russia particularly hard after almost a decade of oil-fueled growth.

“Unemployment is on the rise, prices are soaring, livings standards are worsening,” he says. “Television tells us tales that we are rising from our knees, but this no longer reassures people.”

Nervous Kremlin?

Curiously, authorities are allowing the opposition rallies and police so far have largely refrained from arresting or beating protesters.

Oreshkin says Russia’s political leaders understand that using force to stem such a wave of discontent could turn against them.

“Authorities are rational enough not to follow the Chinese path,” he says. “They would happily break the arms of protesters, but when these protesters number 1,500 or even 10,000, it’s better to find a compromise with them. This signals an evolution of society’s political culture, a very slow evolution that is taking place with the change in generation.”

As patient as the Kremlin may be in addressing this growing wave of dissent, I’m anticipating an increase in the use of Russian social media by Medvedev and Putin-friendly bloggers and politically-connected youth organizations. Since this will be expensive, expect to see a bump in cyber crime to fund it.

The US Army’s new Cyberspace Operations Concept Capability Plan 2016-2028 is an outstanding piece of work; not just because it underscores much of what I’ve been saying since 2008, but because it builds a detailed framework of cyberspace as an operating environment which will prove invaluable to every agency in the Intelligence Community and the Department of Defense as well as Congress, the White House and the American public. The following is a brief excerpt which accompanies the above graphic. Do yourself a favor and read at least the Executive Summary. You’ll quickly see why I’m so pleased with it.

——————–

“Cyberspace can be viewed as three layers (physical, logical, and social) made up of five components (geographic, physical network, logical network, cyber persona, and persona) (see figure 2-1).

TSA, which has seemed completely lost in the woods regarding how to accomplish its mission, will finally have the benefit of an experienced intelligence officer at the helm. The following comes from AviationNews.net:

President Obama’s decision to nominate retired Army Maj. Gen. Robert Harding as TSA administrator brings the agency a chief with “national security expertise and extensive experience in the intelligence community,” DHS Secretary Janet Napolitano said.

“Effective transportation security involves protecting our citizens from constantly evolving threats while facilitating legal travel and trade around the country and throughout the world,” Napolitano said. “Bob’s national security expertise and extensive experience in the intelligence community and U.S. Army will be a great asset to the department in our efforts to ensure the safety of the nation’s transportation systems.”

Harding currently is president and CEO of his own security consulting firm, Harding Security Associates, LLC.

Harding’s 33 years of military service included assignments as the deputy to the Army’s Chief of Intelligence, as the director for operations in the Defense Intelligence Agency, and as the commander of the Army’s only organization focused on homeland security. He also served as the executive vice president for operations at a medium-sized logistics and supply-chain security company. He has extensive experience running global operations, as well as providing security for sensitive national programs, facilities and technologies.

Harding’s education includes a bachelor of science degree in business administration from Bowie State University, a master of science in business from Salve Regina University, and a master of arts degree in national security and strategy from the U.S. Naval War College. His education also includes the Armed Forces Staff College and the U.S. Naval War College.

While there’s far too much information about the December attacks on Google and 30+ other companies that remain unknown, consider what the following companies who were victims of these attacks have in common:

• Google
• Yahoo
• Adobe
• Intel
• Rackspace
• Juniper Networks

They either provide Cloud services (Google, Yahoo, Adobe) or support them in some way, i.e.:

• Juniper Networks (the Cloud-ready Data Center)
• Rackspace (The Rackspace Cloud)
• Intel (Trusted Execution Technology for secure Cloud computing)

If my speculation is correct, then I wouldn’t be surprised to hear that Amazon and Microsoft were also hit since both are major Cloud service providers (EC2 and Azure).

Think of this as the cyber equivalent of a reconnaissance mission where the task was to survey and exfiltrate information on the major Cloud service providers as well as the companies that provide hardware and software to support  and/or secure Cloud operations. That would imply that the actual attack is yet to come, and it won’t be about Chinese dissidents having their gmail accounts hacked.

Arbor Networks recently released its Fifth Annual Infrastructure Security report: and one of its highlights for 2010 is:

Attacks Shift to the Cloud: Nearly 35% of respondents believe that more sophisticated service and application attacks represent the largest operational threat over the next 12 months.

It should be noted that Google has denied that its attack had anything to do with the Cloud in, tellingly, it’s Enterprise blog. This post was written by David Girouard, president of Google’s Enterprise group:

“This was not an assault on cloud computing. It was an attack on the technology infrastructure of major corporations in sectors as diverse as finance, technology, media, and chemical. The route the attackers used was malicious software used to infect personal computers.”

I don’t mean to mock Google’s not-so-subtle attempt to protect it’s income stream but doesn’t this response remind you of that scene from Jaws when the mayor tried to explain to the police chief how he should be more careful with his words?

Mayor Vaughn: Martin, it’s all psychological. You yell barracuda, everybody says, “Huh? What?” You yell shark, we’ve got a panic on our hands on the Fourth of July.

By the way, there’s nothing in the unclassified 12 initiatives of the CNCI that call out this critical problem, yet its one of the easiest and least expensive problems to solve.

• rob banks on a massive scale unlike anything we have ever seen
• commit acts of espionage against U.S. corporations that costs the U.S. millions of dollars in stolen intellectual property
• commit acts of espionage against Department of Defense and DoD contractor networks that serves to accelerate other nation states’ race to achieve parity or near-parity with superior U.S. military technology
• commit acts of network intrusion into U.S. critical infrastructure for the purpose of remaining dormant until needed to delay or stop an imminent U.S. military action against an adversary state.

And these bullet points are just the tip of the iceberg, but they’re sufficient to make my point, which is that arguing about what we call this issue shoud be at the very bottom of the list of things that need to be done right now. I agree that Mike McConnell over-stated the case but that doesn’t mean that everything he said was wrong. I think Howard Schmidt under-stated the case, but that’s understandable considering his position as cyber coordinator. And I think that Ryan Singel, while he detests hype used by others, is not adverse to using it himself; i.e., “Cyberwar Hype Intended to Destroy the Internet“. Really? “Destroy the Internet”? Come on.

I couldn’t believe this story when I first read about it on August 31, 2008. In fact, I blogged about it at the time because it reminded me of the accidental shooting scene in Pulp Fiction. Here’s how RIA Novosti reported it back then:

MOSCOW, August 31 (RIA Novosti) – The owner of a banned website in the Russian North Caucasus republic of Ingushetia died of gunshot wounds sustained while riding in a police car on Sunday.

Magomed Yevloev died in hospital in the republic’s largest city of Nazran.

A source in the republic’s Interior Ministry told RIA Novosti that Yevloev’s death had come about after he was detained by police at Magas Airport. Police officers then put him in a police car to take him to Nazran to give testimony regarding “a criminal case.”

“Preliminary reports say that as the vehicle that Yevloev and the police officers were in was moving, one of the police officers’ guns accidentally went off, and a bullet hit Yevloev in the head,” the source said.

“He was shot straight in the temple,” said Magomed Khazbiyev, Yevloev’s official representative, adding that doctors had done all they could to save his life.

The police officer who shot him was sentenced to 2 years in a penal colony after being convicted of “negligent homicide owing to the improper discharge by a person of his professional duties“, however that has now been reduced to two years of house arrest because the crime was changed to negligent homicide. A high court judge dropped the “improper discharge” part.

I thought that the killing of  Yevloyev was so noteworthy that I used it to open Chapter 1 of my book:

Whenever someone asks if anyone ever died in a cyber war, Magomed Yevloev springs to mind.

On August 31, 2008, in the North Caucasus Republic of Ingushetia, Yevloev was arrested by Nazran police, ostensibly for questioning regarding his anti-Kremlin website Ingusheta.ru. As he was being transported to police headquarters, one of the officers in the car “accidentally” discharged his weapon, … into the head of Magomed Yevloev.

The U.S. Department of State called for an investigation. Vladimir Putin reportedly said that there would be an investigation. To date, nothing has been done. Ingushetia.ru (now Ingushetia.org) and the Chechen website kavkazcenter.com are some of the earliest examples of politically motivated Russian cyber attacks dating as far back as 2002. In other words, in addition to Russian military operations in Chechnya, there were cyber attacks launched against opposition websites as well.

The Russia Georgia War of August 2008 is the latest example, occurring just a few weeks before Magomed Yevloev’s killing. If anyone would qualify as a casualty of cyber warfare, it might just be this man.

Now I see that the man who took over Ingushetia.ru after Magomed Yevloev’s death was also killed last October, albeit under mysterious circumstances.