Yell “Chinese dissidents’ gmail hacked” and people say “huh?” Yell “Cloud” and you lose millions.
Last Updated on Tuesday, 9 March 2010 10:44. Written by Jeffreycarr.
While far too much information about the December attacks on Google and 30+ other companies remains unknown, consider what the following companies that were victims of these attacks have in common:
- Yahoo
- Adobe
- Intel
- Rackspace
- Juniper Networks
They either provide Cloud services (Google, Yahoo, Adobe) or support them in some way, i.e.:
- Juniper Networks (the Cloud-ready Data Center)
- Rackspace (The Rackspace Cloud)
- Intel (Trusted Execution Technology for secure Cloud computing)
If my speculation is correct, then I wouldn’t be surprised to hear that Amazon and Microsoft were also hit since both are major Cloud service providers (EC2 and Azure).
Think of this as the cyber equivalent of a reconnaissance mission where the task was to survey and exfiltrate information on the major Cloud service providers as well as the companies that provide hardware and software to support and/or secure Cloud operations. That would imply that the actual attack is yet to come, and it won’t be about Chinese dissidents having their gmail accounts hacked.
Arbor Networks recently released its Fifth Annual Infrastructure Security report, and one of its highlights for 2010 is:
Attacks Shift to the Cloud: Nearly 35% of respondents believe that more sophisticated service and application attacks represent the largest operational threat over the next 12 months.
It should be noted that Google has denied that its attack had anything to do with the Cloud in, tellingly, its Enterprise blog. This post was written by David Girouard, president of Google’s Enterprise group:
“This was not an assault on cloud computing. It was an attack on the technology infrastructure of major corporations in sectors as diverse as finance, technology, media, and chemical. The route the attackers used was malicious software used to infect personal computers.”
I don’t mean to mock Google’s not-so-subtle attempt to protect its income stream, but doesn’t this response remind you of that scene from Jaws when the mayor tried to explain to the police chief how he should be more careful with his words?
Mayor Vaughn: Martin, it’s all psychological. You yell barracuda, everybody says, “Huh? What?” You yell shark, we’ve got a panic on our hands on the Fourth of July.
Imagine if Russia or China announced a formal policy of using non-state actors in cyber deterrence
Last Updated on Wednesday, 3 March 2010 10:56. Written by Jeffreycarr.
As I pointed out earlier, Initiative #10 states that the U.S. will be “building an approach to cyber defense strategy that deters interference and attack in cyberspace by improving warning capabilities, articulating roles for private sector and international partners, and developing appropriate responses by both state and non-state actors.”
About a month ago, the Russian Federation released their military doctrine for 2020. As far as cyber operations go (the RF calls it Information Warfare), it was almost a non-event, which is partly why I haven’t blogged about it (yet). Still, for the purpose of comparison between what the Kremlin released and what the White House released, I think it’s a constructive exercise. So according to the RF’s Military Doctrine and Principles of state policy on nuclear deterrence to 2020, the following sections relate to Information Warfare:
12. (d) Acknowledgment of the intensification of the role of information warfare in contemporary military conflict.
13. (d) The prior implementation of measures of information warfare in order to achieve political objectives without the utilization of military force and, subsequently, in the interest of shaping a favorable response from the world community to the utilization of military force.
41. The tasks of equipping the Armed Forces and other troops with armaments and military and specialized equipment are: (c) to develop forces and resources for information warfare.
And that’s pretty much it. But what if 41 (c) said “to develop state and non-state actors as forces in the use of information warfare”. Can you imagine the uproar that would occur; that Russia has “outed” its own use of non-state actors? Well, that’s essentially what this document has done for the U.S. government.
Now if this document were released in a vacuum, it could be argued that it’s just a statement that could have been written a little more clearly; that my concerns are excessive and overblown. Fair enough, but it wasn’t released in a vacuum. Many other nations in the world community see the U.S. in a more negative way already because 20 of the world’s top 50 worst ISPs for serving malware operate in the United States. This creates the illusion that the US is responsible when in fact foreign actors use US servers to mask attribution and, as a side benefit to them, feed anti-US sentiment. This strategy seems to be working according to the McAfee report “In the Crossfire” (.pdf), which surveyed “600 IT and security executives from critical infrastructure enterprises across seven sectors in 14 countries”. According to the report, the U.S. is seen as the “most worrisome potential aggressor”.
Ironically, China will surely use this document against us as they continue to accuse the U.S. of launching cyber attacks against .cn websites. China, PRC officials will say, is busy shutting down bad ISPs and enforcing its own anti-hacking laws (which they are doing, by the way), while the U.S. does nothing about its own infected computers and badware.
While I have no doubt that the intentions of those who wrote this Initiative were good, announcing it in the public version is a potential disaster for us.
Please read James Fallows’ article “Cyber Warriors”
Last Updated on Tuesday, 9 February 2010 10:09. Written by Jeffreycarr.
James Fallows’ “Cyber Warriors” in The Atlantic is a must-read piece for everyone with an opinion on cyber war; particularly if you’re suffering from “Red Menace” fever.
Naturally, I liked reading that the consensus of Fallows’ round table of experts, including James Lewis, Mike McConnell, Ed Giorgio, Eugene Spafford, and others, agreed with my own oft-repeated request for more openness and an end to keeping secrets about network breaches.
“As a matter of domestic U.S. politics, McConnell argues that we now suffer from a conspiracy of secrecy about the scale of cyber risks. No credit-card company wants to admit how often or how easily it is cheated. No bank or investment house wants to admit how close it has come to being electronically robbed. As a result, the changes in law, regulation, concept, or habit that could make online life safer don’t get discussed. Sooner or later, the cyber equivalent of 9/11 will occur—and, if the real 9/11 is a model, we will understandably, but destructively, overreact.
While trying to build bridges to the military, McConnell and others recommend that the U.S. work with China on international efforts to secure data networks, comparable to the Chinese role in dealing with the world financial crisis. “You could have the model of the International Civil Aviation Organization,” James Lewis said, “a body that can reduce risks for everyone by imposing common standards. It’s moving from the Wild West to the rule of law.” Why would the Chinese government want to join such an effort? McConnell’s answer was that an ever-richer China will soon have as clear a stake in secure data networks as it did in safe air travel.”
The other important take-away from this article is that China is not and should not be our number 1 (or 2) concern regarding cyber threats. Those positions are held by the Russian Federation (James Lewis and I agree on this) and (in my opinion) any State that is technologically skilled and religiously motivated – that could be Israel, Iran, Turkey, or, in the near future, an outlaw State like Somalia. So if you’re looking for one article to read in the sea of cyber-related press out there, this should be the one.
