Friday, November 4, 2011

The Happy Time

One of the benefits of blogging and speaking about topics that I’m passionate about is that I get to meet many fascinating people who are interested in the same things. One such person is law student Joel Kosh, who attended a presentation I gave recently at Yeshiva’s Cardozo Law School. Joel found this magnificent January 2010 TED talk by Guy-Philippe Goldstein entitled “How cyberattacks threaten real-world peace”. Guy-Philippe made many insightful points during this talk, but the point that really stuck with me was where he spoke about the imbalance of weapons technology contributing to the likelihood of conflict. During the talk Guy-Philippe stated:

Similarly, if we'd had this talk 30 or 40 years ago, we would have seen how the rise of nuclear weapons, and the threat of mutually assured destruction they imply, prevents a direct fight between the two superpowers. However, if we'd had this talk 60 years ago, we would have seen how the emergence of new aircraft and tank technologies, which give the advantage to the attacker, make the Blitzkrieg doctrine very credible and thus create the possibility of war in Europe. So military technologies can influence the course of the world, can make or break world peace -- and there lies the issue with cyber weapons.

Guy-Philippe went on to explain that we are in a time where we have a technology imbalance when it comes to cyber weapons. This imbalance has increased the risk of conflict that could spill over into the physical world. He explained it this way:

Just last week, in a New York Times article dated January 26, 2010, it was revealed for the first time that officials at the National Security Agency were considering the possibility of preemptive attacks in cases where the U.S. was about to be cyberattacked. And these preemptive attacks might not just remain in cyberspace. In May 2009, General Kevin Chilton, commander of the U.S. nuclear forces, stated that in the event of cyberattacks against the U.S., all options would be on the table.

We’re definitely in a time where the battlefield favors the attacker. Corporate and government networks are built for business purposes rather than defensive military purposes. One of the primary themes that I bring out in my APT presentations is that while basic information technology controls are critical, they will not keep out advanced actors. An information security model that is focused solely on prevention will fail, and it will likely do so in a catastrophic manner that results in substantial loss of intellectual property, customer data, and competitive advantage. The model has to be one that embraces prevention, detection, response, and remediation. The weapons imbalance is so great that keeping attackers out of your network with certainty isn’t a viable option. The cyber version of the Maginot Line makes about as much sense in the 2011 cyber world as it did in the 1940 physical world.

I’m an amateur student of history. I find military history to be particularly instructive because so much of human history revolves around conflict. Human conflict is a historical constant and is a frequent catalyst for substantial change in the course of human events. Just look at how the last couple of world wars transformed the course of human history. We’re now in a period of history where it’s possible that cyber warfare could result in similar change if it were to spill over into the physical geopolitical world.

I know most analogies don’t work all that well, but I have been curious about analogies from the physical warfare world that could be used as a tool to help people understand the cyber warfare world. There are several that come to mind from the last century that I think provide a reasonable illustration of the “detect and respond” model, where preventative controls (such as fortresses, walls, and mutually assured destruction) either aren’t available or would be ineffective.

The first is the Battle of Britain. This was a conflict where fortifications didn’t apply since it was air warfare. Both sides engaged in traditional intelligence gathering methods for their threat intelligence purposes, and ultimately it boiled down to the Royal Air Force being able to quickly detect and respond to German air attacks via the Dowding System. I like this analogy even though it doesn’t apply completely to modern cyber warfare, since we have more preventative controls available that can help us win than the British did. However, the core of it is still very similar. The British used threat intelligence and real-time detection methods such as radar to pinpoint where they needed to send their expert incident responders (their pilots). Processes (such as the formations they flew in) and tools (their aircraft) were important, but the core of their victory came from well-led pilots and the people who supported them.

There is a second one that I think I like a bit better, and that’s the Battle of the Atlantic. The German Navy knew it had a problem with sea power because of the British Navy’s dominance in this area. Sure, the Bismarck was impressive, but it lasted about as long as you’d expect given the threat environment it faced, where the British dominated the surface of the sea. Submarines, however, provided the German Navy with a substantial weapons technology imbalance that they exploited with fantastic success during “The Happy Time”, when the Allied powers were very poor at detecting and responding to undersea weapons. Eventually, the Allies were able to leverage the proper people, processes, and tools to counter the threat, but only after suffering an incredible amount of damage to their war effort. We are in a cyber version of “The Happy Time”, where nation-state and other advanced actors on the attack have a dominant position over those of us on defense. We need to work very hard to quickly develop the proper people, processes, tools, and geopolitical policies to bring things back into a closer balance, or we’re in big trouble.

ONCIX Report

The United States Office of the National Counterintelligence Executive (ONCIX) released a report titled “Foreign Spies Stealing US Economic Secrets in Cyberspace - Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011” to the United States Congress this week. There have been plenty of news stories that have summarized the report, such as this one from the Wall Street Journal. It should not come as a surprise to anyone, but the report spends a considerable amount of time talking about the threat from nation-states such as China and Russia. I’m glad that it didn’t just focus on China. As I have been explaining in my APT presentations, cyber espionage isn’t unique to any particular country. It’s natural for state intelligence agencies to use cyberspace as part of their information collection methods. Not all espionage is equal, however, especially when the intelligence collection departs from traditional goals such as determining the intentions and capabilities of a national government and its military and moves into wholesale economic espionage.


Speaking of my APT presentations, I will be giving one on November 16th at 7PM at the November NYC4SEC Meeting. The meeting will be held at the John Jay School of Criminal Justice in NYC. I’ll go through my presentation and there will be plenty of time afterwards for questions and discussion.

Registry Decoder

The nice people at Digital Forensics Solutions have released version 1.1 of their Registry Decoder tool. This is a free tool that you can use for your registry forensics investigations. They have been working very hard on the development of this tool, so please give them all of the constructive feedback that you can once you have tested it for a while.


I’ve gone back and forth on how I would use my LinkedIn profile. I started out being pretty permissive with who I’d accept invitations from and then took a much more restrictive stance later on when I realized that I didn’t know many of the people in my network. I’ve decided that the former option is the best use of the profile because it’s a very nice way to meet all sorts of people who would like to connect and communicate with me. Thus, if you have a LinkedIn profile and are in the field, feel free to send me an invitation. I make it a policy not to link my actual profile from my blog because I like to keep a degree of separation between the blog and my employer. However, it’s not all that hard to find me if you just search on my name. Thank you to everyone who has sent me an invitation to your network. It’s been great fun getting to know the people who read the blog and to see all of your respective backgrounds.