
February 06 2012

Business-government ties complicate cyber security

From time to time, we like to check in with "Inside Cyber Warfare" author Jeffrey Carr to get his thoughts on the digital security landscape. These conversations often address specific threats, but with the recent release of the second edition of Carr's book, we decided to explore some of the larger concepts shaping this space.

Are corporate and government interests in the U.S. becoming one and the same? That is, an attack on an American business' network may be regarded as an assault on the country itself?

Jeffrey Carr: Due to the dependence of the U.S. government upon private contractors, the insecurity of one impacts the security of the other. The fact is that there are an unlimited number of ways that an attacker can compromise a person, organization or government agency due to the interdependencies and connectedness that exist between both.

Are national network security and media piracy becoming interrelated and confused?

Jeffrey Carr: It has definitely become confused to the point where the Department of Homeland Security (DHS) is now the enforcement arm of the Recording Industry Association of America (RIAA), which I find utterly disgraceful. It's due entirely to the money and power that entertainment industry lobbyists have to wave in front of members of Congress. It has absolutely nothing to do with improving the security of our critical infrastructure or reducing the attack platform used by bad actors.

Flipping this around, how much of a cyber threat does the U.S. pose to other countries?

Jeffrey Carr: The U.S. is probably as capable or more capable at conducting cyber operations than any of the other nation states who engage in it. It's not a question of "they do it to us, but we don't do it to them." It's a question of how to defend your critical assets in light of the fact that everyone is doing it.

What recent technologies concern you the most?

Jeffrey Carr: We are racing to adopt cloud computing without regard to security. In fact, many customers wrongly assume that the cloud provider is responsible for their data's security when the reverse is true. Not only is security a major problem, but there's no telling where in the world your data may reside since most large cloud providers have server farms scattered around the world. That, in turn, makes the data susceptible to foreign governments that have cause to request legal access to data sitting on servers inside their borders.

Inside Cyber Warfare, 2nd Edition — Jeffrey Carr's second edition of "Inside Cyber Warfare" goes beyond the headlines of attention-grabbing DDoS attacks and takes a deep look inside recent cyber-conflicts, including the use of Stuxnet.

This interview was edited and condensed.


December 05 2011

Why cloud services are a tempting target for attackers

The largest cloud providers today are Google, Microsoft, and Amazon, each offering multiple services and platforms for its customers. For example, Microsoft Azure, Google Apps, and Amazon EC2 are all hosting and development platforms. Google Docs, Acrobat.com, and Microsoft Office 365 all provide basic word processing, spreadsheets and other applications for individuals to use via the web instead of on their individual desktops. Then, of course, there are social networks, online gaming, and video and music sharing services — all of which rely on a hosted environment that can accommodate millions of users interacting from anywhere on earth, yet all connected somewhere in cyberspace. While the benefits are many, both to individuals and to corporations, there are three distinct disadvantages from an individual and national security perspective:

  • The cloud provider is not responsible for securing its customers' data.
  • Attacking a cloud-based service provides an economy of scale to the attacker.
  • Mining the cloud provides a treasure trove of information for domestic and foreign intelligence services.

No security provisions

A Ponemon Institute study (pdf) on cloud security revealed that 69% of cloud users surveyed said that the providers are responsible, and the providers seemed to agree. However, when you review the terms of service for the world's largest cloud providers, responsibility for a breach of customer data lies exclusively with the customer.

For example:

  • From Amazon: "Amazon has no liability for .... (D) any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of your content or other data."
  • From Google: "Customer will indemnify, defend, and hold harmless Google from and against all liabilities, damages, and costs (including settlement costs and reasonable attorneys' fees) arising out of a third-party claim: (i) regarding Customer Data..."
  • From Microsoft: "Microsoft will not be liable for any loss that you may incur as a result of someone else using your password or account, either with or without your knowledge. However, you could be held liable for losses incurred by Microsoft or another party due to someone else using your account or password."

Not only do none of the three top cloud providers assume any responsibility for data security, Microsoft goes one step further and places a legal burden upon its customers that it refuses to accept for itself.

An economy of scale

NASDAQ's Directors Desk is an electronic boardroom cloud service that stores critical information for more than 10,000 board members of several hundred Fortune 500 corporations. In February 2011, an unnamed federal official revealed to the Wall Street Journal's Devlin Barrett that the system had been breached for more than a year. It's unknown how much information was compromised as well as how or when it will be used.

From an adversary's perspective, this type of breach offers an economy of scale that has never been seen before. In the past, several hundred Fortune 500 companies would have to be attacked, one company at a time, which costs the adversary time and money — not to mention risk. Now, one attack can yield the same amount of valuable data with a significant reduction in resources expended as well as risk of exposure.

An intelligence goldmine

China's national champion firm Huawei is moving from selling telecommunications network equipment toward developing Infrastructure-as-a-Service software (IaaS) needed to provide a highly scalable public cloud like Microsoft's Azure or Amazon's EC2. If it sells IaaS with the same strategy that it uses in selling routers and switches, Amazon, Google, and Microsoft can expect to begin losing a lot of enterprise business to Huawei, which will cut pricing by 15% or more against its nearest competitor. Cloud customers can expect their data to reside in giant state-of-the-art server farms located in Beijing's "Cloud Valley" — a dedicated 7,800-square-meter industrial area that is home to 10 companies focusing on various aspects of cloud technology, such as distributed data centers, cloud servers, thin terminals, cloud storage, cloud operating systems, intelligent knowledge bases, data mining systems, and cloud system integration.

Cloud computing has been designated a strategic technology by the People's Republic of China's State Council in its 12th Five-Year Plan and placed under the control of the Ministry of Industry and Information Technology (MIIT). MIIT will be funding research and development for SaaS (Software as a Service), PaaS (Platform as a Service), and IaaS (Infrastructure as a Service) models as well as virtualization technology, distributed storage technology, massive data management technology, and other unidentified core technologies. Orient Securities LLC has predicted that by 2015, cloud computing in China will be a 1 trillion yuan market.

According to the U.S.-China Council website, MIIT was created in 2008 and absorbed some functions from other departments, including the Commission of Science, Technology, and Industry for National Defense (COSTIND):

From COSTIND, MIIT will inherit functions relating to the management of the defense industry, with a scope that covers the national defense department, the China National Space Administration, and certain administrative responsibilities of other major defense-oriented state companies, such as the China North Industries Co. and China State Shipbuilding Corp. MIIT will also control weapons research and production in both military establishments and dual-role corporations as well as R&D and production relating to "defense conversion" — the conversion of military facilities to non-military use.

Clearly, the PRC has made a serious commitment to cloud computing for the long term. This doesn't portend well for today's private cloud service providers like NetApp or public cloud providers like Amazon, Google, and Microsoft — especially if buying decisions are based on price.

What to consider

The move to the cloud is both inevitable and filled with risk for high-value government employees, corporate executives, and companies engaged in key market sectors like energy, banking, defense, nanotechnology, advanced aircraft design, and mobile wireless communications, among others.

To make matters more complicated, cloud providers may move data to different server farms around the world rather than keep it in the same country as the corporation or individual that owns it. That could potentially put the customer's data at risk for being legally compromised under foreign laws that would apply to the host company doing business there. For example, Microsoft UK's managing director Gordon Frazier was recently asked at the Office 365 launch, "Can Microsoft guarantee that EU-stored data, held in EU-based datacenters, will not leave the European Economic Area under any circumstances — even under a request by the Patriot Act?" Frazier replied, "Microsoft cannot provide those guarantees. Neither can any other company."

The best advice for individuals and companies at this time is to insist that cloud providers build a measurably secure infrastructure while providing legal guarantees and without the use of foreign data farms. Until that occurs, and it's highly unlikely to happen without strong consumer pressure, there are significant and escalating risks in hosting valuable data with any cloud provider.


Associated photo on home and category pages: Dark Cloud, Blue Sky 2 by shouldbecleaning, on Flickr.


August 24 2011

Four short links: 24 August 2011

  1. STM in PyPy -- a proposal to add software transactional memory to the all-Python Python interpreter as a way of simplifying concurrent programming. I first learned about STM from Haskell's Simon Peyton-Jones at OSCON. (via Nelson Minar)
  2. Werner Vogels' Static Web Site on S3 -- nice writeup of the toolchain to publish a web site to static files served from S3.
  3. China Inadvertently Reveals State-Sponsored Hacking -- if UK, US, France, Israel, or Chinese citizens believe their government doesn't have malware and penetration teams working on extracting information from foreign governments, they're dreaming.
  4. MyChinese360 -- virtual foreign language instruction in Mandarin, including "virtual visits" to Chinese landmarks. The ability to get native speakers virtually into the classroom makes the Internet a huge asset for rural schools. (via Lucy Gray)

February 14 2011

Trend to watch: Formal relationships between governments and hackers

Cyber security grabs headlines when something big happens, like last year's Google-China flap, but it's one of those topics that dissipates. That's perhaps because a "cyber war" is hard to imagine — typing on keyboards doesn't have the visual clarity of tanks maneuvering into position.

However, it's important to not equate a lack of mainstream attention with a reduced threat. That's why we'll be checking in from time to time with Jeffrey Carr, author of "Inside Cyber Warfare" and CEO of Taia Global. He'll key us in to the important cyber security trends he's monitoring.

The first interview, posted below, focuses on the rise of formal arrangements between governments and hackers.



Jeffrey Carr: We're going to see a trend in 2011 — maybe longer — of governments enlisting civilians as part of an organized cyber militia.

There's information about Estonia doing this. Also, late last year an official Iranian newspaper said the Iranian paramilitary corps may recruit hackers to conduct a "soft war" in cyberspace. Iran already has a lot of active hacker groups, and I think they're simply formalizing a relationship. I wrote about this recently.

Countries like Russia and China use hackers and other civilian resources, but they do it in a covert way. Iran and Estonia are being open about it.

Other countries get ideas when a government like Estonia's, which you wouldn't suspect of doing illegal things with their civilian hackers, says they're going this route. The upside — and the reason why Estonia and Iran are engaging in these activities — is because it's an economical way to tap a great pool of talent. You don't have to reinvent the wheel to create a cyber defense.

The same topic pops up in U.S. debates almost every year. The people in favor of government-hacker programs sometimes refer to a Letter of Marque, which historically allowed governments to enlist private vessels — and pirates — in exchange for immunity from prosecution.

But I think it's going to be a long time before we see government-hacker relationships in the U.S. because the Department of Defense is likely averse to this type of thing. There are models that could serve as potential examples, like the civilian Coast Guard Auxiliary, but the big difference between something like that and what you're seeing in Estonia is that Estonia is saying "It's part of our government, and we're doing it."

This interview was edited and condensed.

Inside Cyber Warfare: This book provides details on how nations, groups, and individuals throughout the world are using the Internet as an attack platform to gain military, political, and economic advantages over their adversaries.




June 13 2010

Gov 2.0 Week in Review

As usual, there's no shortage of news in the government 2.0 world. There has been one watershed event since our last Gov 2.0 Week in Review, however: the early results of the decision to open up community health data. Here come the healthcare apps. Will the Department of Health and Human Services make community health information as useful as weather data? Will the innovation and associated business value match that unlocked by GPS and NOAA weather data?


An even more pressing question is whether information technology can help close the yawning gap in federal and state government budgets. "Budget director Peter Orszag's speech, Closing the IT Gap, explains what we're about with Gov 2.0 Events," tweeted Tim O'Reilly earlier this week. Peter R. Orszag, Director of the Office of Management and Budget, spoke at length at the Center for American Progress on a "significant IT gap" that has developed between the public and private sector. Orszag cited this IT gap as a big part of the productivity divide between the two.

"Closing this IT gap is key to boost efficiency and make government more open and responsive to the wants and needs of the public," wrote Orszag at WhiteHouse.gov, where he linked to budget guidance for agencies and a memo that instructs them to identify "their bottom 5 percent performing programs."

One of the ways that the federal government plans to save some taxpayer dollars will be through data center consolidation. Another will be through bread and butter IT, like the green data center in the House of Representatives that I reported on last year. A third will likely be cloud computing, given the millions that Los Angeles saved in IT costs or the estimated $750,000 saved through moving Recovery.gov to Amazon's cloud, though serious questions will persist about what government sites or services can be moved to public clouds. A new European Union project on economic effects of open government data may shed light upon whether that approach offers cost savings as well.

More on the past week, including cloud computing, cybersecurity, the 2010 Personal Democracy Forum and Twitter in government, after the jump.

Cloud computing costs, claims and future

If you missed it, Federal CIO Vivek Kundra delivered a keynote at the Cloud Computing Forum and Workshop last month, embedded below. In the speech, Kundra called for the use of cloud computing to narrow a gap between consumers and government while maintaining security, data portability and interoperability.

A new Pew Internet report on the future of cloud computing offered many more perspectives on the topic. A solid majority of respondents agreed with the contention that by 2020, "most people will access software applications online and share and access information through the use of remote server networks, rather than depending primarily on tools and information housed on their individual, personal computers."

O'Reilly Radar's own Andy Oram contributed to the Pew Internet report on cloud computing. He's quoted in the findings, recommending that "cloud application providers recognize the value of grassroots innovation - following Eric von Hippel's findings - and solicit changes in their services from their visitors. Make their code open source - but even more than that, set up test environments where visitors can hack on the code without having to download much software. Then anyone with a comfortable keyboard can become part of the development team. We'll know that software services are on a firm foundation for future success when each one offers a 'Develop and share your plug-in here.'"

Reflecting the internationalization of the trend, NASA and Japan announced a cloud computing collaboration that will explore interoperability opportunities between NASA's Nebula Cloud Computing Platform and Japan's NII Cloud Computing Platform. "By demonstrating how cloud interoperability can facilitate international collaboration and seamless global access to public data, NASA hopes to accelerate the development of cloud standards and the adoption of cloud infrastructure services by the scientific community," said Chris C. Kemp, NASA's Chief Technology Officer for Information Technology.

Kemp spoke with me about his role at NASA and Nebula at the Gov 2.0 Expo last month:

As Carl Brooks reported at SearchCloudComputing.com, the first comprehensive, vendor-neutral cloud computing benchmarks are in the wild at CloudHarmony.com.

Looking back at Personal Democracy Forum 2010

Can the Internet fix politics? The answer to that question may not be clear for years. After the Personal Democracy Forum's annual conference, it's clear that the Internet has significantly disrupted the ways that candidates campaign, officials govern and agencies form policy. Highlights of Personal Democracy Forum included some fascinating applications, including TransparencyData.com, SeeClickFix and Meetup Everywhere.

As Nick Judd reported, mainstream media is a part of the solution for fixing government. Change agents inside of government and engaged citizens are also crucial. All three parties could benefit from publishing public data online, as the FTC highlighted in its discussion draft on the future of journalism.

Federal CTO Aneesh Chopra spoke at length about rethinking government, which he later blogged about at the Huffington Post in empowering Americans through open government. Chopra highlighted the Community Health Data Forum, "Apps for Healthy Kids" and IT dashboards for spending, among other initiatives.

As is his wont, Clay Shirky delivered a thoughtful talk on the Internet, citizenship and lessons for government agencies that are looking for feedback online. Hint: use taxonomies to aggregate ideas instead of a single list.

Can technology forge a new relationship between government and the public? Arianna Huffington considers the possibility after PDF 2010, where she participated in the closing panel. That discussion, which also included Tim O'Reilly, Saul Anuzis, Nick Bilton, Andrew Rasiej and Newark mayor Cory Booker, is embedded below:

And in a huge win for Jen Pahlka's big idea, the Omidyar Network announced a $250,000 grant to Code For America, which is now recruiting fellows. "Ask not what your country can code for you - Ask what you can code for your country."

Twitter looks for a government liaison

Why is Twitter hiring a government liaison? Twitter VP Sean Garrett offered up some insight on a new opening for a government liaison, which he said will serve as "a point person that can help verify government IDs, someone that can be down the street to meet with officials in their office, or serve as an overall point person for government outside the Beltway." The Department of Human Services’ new media guru, Andrew P. Wilson, offered up a thoughtful Top 10 Requests for the New Government Liaison at Twitter.

Internet Freedom and U.S. Foreign Policy

As clashes and protests are reported in Iran on the one year anniversary of the historic protests there, the Wall Street Journal reported that the U.S. stepped up tech support for Iranian dissidents. Should the U.S. support Internet freedom through technology? As I reported in my interview with Secretary of State Clinton's senior innovation advisor, Alec J. Ross, technology for Internet freedom and innovation is supported by the State Department.

Using the Internet to communicate about the oil spill

USCG commander Thad Allen and White House press secretary Robert Gibbs held a live briefing on the Obama administration's response to the Deepwater oil spill in the Gulf of Mexico that was streamed through WhiteHouse.gov/live. Affected parties are urged to submit claims to BP using DisasterAssistance.gov. Carol Browner, Assistant to the President for Energy and Climate Change, also took questions on the oil spill in a live Web chat using Facebook and WhiteHouse.gov. The archived video is embedded below:

Digital Capitol Week


Here in the District of Columbia, Digital Capitol Week is now underway. While many of the workshops, clinics, festivals and parties are well worth the time of the thousands of registered attendees, look for the Gov 2.0 and Org 2.0 Day to be particularly notable for this space, along with the DC 140 Conference, where I'll be speaking with NPR's Andy Carvin about "Emergency Response 2.0." For more, iStrategy Labs has helpfully published "the one post you'll need to read" about Digital Capitol Week.

Government 2.0 Bits and Bytes

Elsewhere on the Web, David Eaves offered some thoughtful advice to governments on how to engage with social media and suggested that cities should fork the Kuali Foundation to save millions of dollars.

I posted video of how intelligence agencies are connecting the dots with Intellipedia.

The clever developers at the Guardian created coins.guardian.co.uk for easy browsing of government spending.

The new Texas.gov features an open data section and the first state use of Get Satisfaction. If you missed it last month, there's also a newly-redesigned CA.gov, including a refreshed data repository and an Apps for California contest.

For more on such endeavors, make sure to read Mark Headd's "A 'Glass Half Full' View of Government App Contests" and "Government 'Apps' Move from Cool to Useful" in Governing.

Germany's President resigned last week, due in part to the power of social media, which played a role in Köhler's departure and replacement.

Military intelligence is tapping social networking skills, enabling a distributed force to conduct swarm warfare via chatrooms. As a guest post on Boing Boing revealed, the military has improved its language education through innovative use of brochures and virtual education.

The State Department launched a mobile website at m.state.gov.


Mike Bloomberg has earned some plaudits as an "iPad Mayor." As Javier Hernandez reported for the New York Times, while Bloomberg is still mastering the device, his deputy mayor for operations, Stephen Goldsmith, is apparently interested in using his iPad to monitor city data and take notes at meetings. “This is the future of public service — digital data pushed to workers who use better information to make smart decisions,” he wrote to Hernandez.

Finally, Mike Kujawski posted a series of great links and takeaways from the Gov 2.0 Expo, proving that it's never too late to post your impressions.

What else is happening in Gov 2.0?

Inevitably, we're going to miss some links, so make sure to read Nancy Scola at techPresident and follow my Gov 2.0 list on Twitter, embedded below. And as always, if you have tips or suggestions, please email them to alex@oreilly.com or leave links in the comments.

February 11 2010

Cyber warfare: don't inflate it, don't underestimate it

The public rift between Google and China may have elevated cyber security and cyber warfare into the public's consciousness, but truth is, network attacks and Internet-based espionage are nothing new.

In the following interview, Jeffrey Carr, author of "Inside Cyber Warfare," takes a measured look at cyber attacks -- the major players, the hot spots, the huge problems, and the realistic solutions. He also reveals the one cyber warfare target that keeps him up at night.

Cyber warfare: What it is, where does it come from?

Mac Slocum: If you had five minutes or less to give somebody a firm sense of cyber warfare, how would you do that? What would you tell them?

Jeffrey Carr: I like the illustration of the introduction of the handgun. When Colt invented it, it became known as the great equalizer. So the way that the handgun revolutionized warfare is being done now, again. And it would be fair to call cyber warfare the great equalizer because it balances the scales between a vastly superior force and any nation. That's because of two things: the vulnerability of the current Internet and because most modern military forces are network-centric. The reliance on networks, particularly power networks, to conduct war is critical. Anybody who can attack the network can greatly inhibit a superior adversary. So I think that's a revolutionary step forward.

MS: Does the cyber warfare threat come from a specific government, or is it more broadly dispersed than that?

JC: I think that every government potentially would use cyber warfare in its own defense, including the ones that we normally would think of. So when it comes to China, for example, they've made it very clear they'll act defensively. You can go back historically and see that.

Part of the Chinese government's operational guidance for their military is that if an imminent attack was present from the United States, they would launch a preemptive network attack. And so in order to be able to do that, they need to have access to our network beforehand. And that's why I believe this is such a serious matter. You may not hear about blackouts or power grid failures or any kind of cyber intrusion into the vast electrical grid system, but I think you need to accept the Chinese military at their word and recognize that this is their goal.

Russia, on the other hand, has not made it as clear as China. And Russia has not demonstrated that it would only attack in self-defense. It has used cyber attacks in an aggressive, offensive manner many times, going back into the late '90s. It's a whole different ballgame there.

So it really depends on the state. Is it an aggressor nation? Then they'll use it offensively like Russia has done. There are numerous states in Africa that are using cyber in an offensive manner against internal opposition. We're going to see more of the prevailing party attempting to silence the opposition party through various means, including cyber attacks.

MS: Doesn't that mean we've got an awful lot of states infiltrating and spying on each other's systems right now?

JC: Sure. But that's not new. I call espionage the world's third oldest profession because it's been around forever. This is just a new way to conduct espionage that we didn't see before.

MS: How long has cyber warfare been going on?

JC: It was already happening back in the late '90s. There was a commission during the Clinton administration. They released the Marsh Report [PDF] in 1997 and it discussed a lot of the same things that we're hearing about today. It's not new. It just happens to be a hot topic today.

Governments should worry, not people

MS: Clearly, there's a threat. And clearly, it's been present for quite a while. But if we take this down to the individual level, how does personal privacy factor into all this?

JC: Most people don't have to worry about it. Like the current deal that's being negotiated between Google and the NSA. The NSA really doesn't care about most people. They're only looking for certain things. So I don't think privacy is an issue.

However, the more important part about privacy is that we've already given up privacy voluntarily because of what we post on Facebook, MySpace, Twitter, LinkedIn, Live Journal, and a host of other smaller but still available web forums. So if all a country is doing is mining what's already out there, then is that considered a violation of privacy? Because it's publicly available and you made it available.

MS: So how should people approach this?

JC: What I do is if I don't want it to be known, I don't post it. I don't care if it's password protected or not.

But you don't want to get carried away. You need to consider: What do I have that's of value to someone else? That's what you don't want to post. Like your bank information. Or if you work for a government or a company and you're in a position where you know that you're going to be targeted, then you would have a different approach to your Internet security vs. someone who just works in his own neighborhood. That guy doesn't have any national security ties or work for any industries that are of interest to foreign states. Most likely, he's perfectly safe. He shouldn't really be too concerned.

MS: That's just common sense, right?

JC: Yeah. I really do want to see it balanced. I hate exaggeration on either side. To overblow the threat is just as wrong as to hide it. What I tried to do in the book is just make it as factual and as balanced as I possibly could.

MS: So some people might work themselves up unnecessarily, but what about governments? Do they take this seriously enough?

JC: The U.S. government is clearly not taking it seriously enough. It makes absolutely no difference what they say because, like I said, you can go back to 1997 and read the Marsh Report and see for yourself. Action is what counts.

My biggest aggravation -- I published a post about this on my blog -- is you need to start putting your country first. I realize that sounds corny. But in adversary states, it's not corny. They do put their nation's interests first. In the U.S., we push that aside for profit. If it hurts business, if it hurts the economy or if it even has the potential of doing that, then we set it aside. And that's taken us to a place of high vulnerability.

I would like to see people put their self-interests aside, recognize the seriousness of the threat, and collaborate together on actions that can defend us.

The solutions

MS: So what recommendations would you make to governments? What actions can be taken?

JC: The first thing that I would do is enforce the existing requirements that ISPs vet their customers. By ISP I mean any Internet service company that sells or leases servers to host websites. Servers are used as attack points, and if they're in the United States that's the best because you've got reliable power, great up-time, and it's relatively cheap. Attribution is almost impossible because you're attacking a U.S. government website from a server that's located in the U.S. So who's responsible?

We can fix that if you simply bring the law to bear on these companies and force them to vet their customers and to monitor what their customers are doing. You could solve a lot of problems overnight because you would force them [countries/people looking to conduct cyber warfare] to find other servers outside of the U.S. It would help attribution and it would help reduce the vulnerability via the internet.

The other thing I would counsel is to evaluate what you own that's at risk. Consider taking it entirely off the internet. Crucial infrastructures use what's called an air-gapped strategy, where the control servers have no connection whatsoever to the public Internet. The U.S. government does that with their secret network. SIPRNet is completely isolated from NIPRNet, which is the unclass intranet that runs throughout the government.

MS: You mentioned cyber attack attribution. How are you tackling that?

JC: Most companies are trying to find a technical solution. The thinking is: If you look at the malware closely enough, if you look at the nodes, is there a particular signature that assigns attribution? I'm not convinced there will ever be a technical solution to attribution.

What my company does is expand the picture greatly. We start at the state level. What do we know about what those states are doing? What R&D projects are they financing within their research institutions? That's where you have to begin because once you know what's been attacked, then the next question is who does that serve? Who would find that information of value? Is it only of value to a state? That's where you'll start looking.

If you can find a state who is actively researching a particular area, and the information that was stolen supports that research, that adds another brick to the wall. We're looking at it like a criminal case. You have to build a full picture because you'll never find a smoking gun.

No source, no counter-attack

MS: If a cyber attack can come from anywhere, how does that change the whole notion of a counter-attack?

JC: Right now, that's why deterrence is impossible. As long as attribution is not forthcoming, you cannot deter. You cannot respond, unless you completely change the model of attribution. And that might be possible. That's what my company and others are working on. We're building a more comprehensive model of how to identify where an attack has come from. So it is a challenge that's being addressed, but it's going to take a little time before we have an agreed-upon way of doing that.

It requires international cooperation. I think the U.S. is on the right track when it comes to trying to have agreements signed among various law enforcement agencies to pursue cyber criminals across borders. It's the same network. The network that's being used to send out phishing scams and botnets is, oftentimes, the very same network that's used to launch various attacks against nation states.

MS: Is "warfare" the wrong word to describe what's happening? Is it dangerous to categorize cyber warfare as a military domain, like "air," "land," or "sea"?

JC: The name of the book is "Inside Cyber Warfare," but I hate using that word. I used it because that's what everybody's using. But there is no agreed-upon definition of what an act of cyber warfare is. It just doesn't exist. There's cyber conflict. There's cyber attacks. There's cyber espionage. There's all of that. But there is no cyber war that we can point to that has any legal substance.

I think it's dangerous to define domains in the sense you don't want to put limitations in your mind about what's possible via the Internet. The Internet is so completely pervasive that if you only think of it as a single domain, you're going to block out threat possibilities that could impact other domains. You're not safe if you're at sea from a network attack. You're not safe in the air from a network attack. That's why I think it's limiting and probably shouldn't be defined that way.

A different view of China

MS: For China in particular: what are the things to consider and what are the things to look out for?

JC: China clearly has a lot of problems internally. Their economy is growing, but it's still relatively fragile and highly dependent on the U.S. The difference in economic conditions varies radically from the countryside to the cities. On the other hand, they own over a trillion dollars of U.S. debt. That gives them incredible leverage. So that's a balancing act that's going to be very interesting to watch, especially over this Google issue. But they'll never concede to eliminating censorship on their Internet. They'll walk away from Google if that's what it takes.

People inflate fear about China, but China has no interest in attacking the U.S. They want the same things that any country would want. And they're going about it the same way that we would go about it. We're doing espionage. We're looking after our interests. We're exerting our will as a nation. It's silly to try to take the moral high ground here. It doesn't serve any useful purpose.

MS: One of the interesting points that came out of the Google-China analysis is the idea that Google has its own foreign policy now. Do you think that's the case?

JC: Honestly, I don't see it as anything new. The idea of a new, more sophisticated attack against Google that we've never seen before, I think that's overblown. The idea that you have hackers who gain entrance to a network and then exploit data from that network, that's not new. This is all just espionage. Google is just another company that has something of value.

But Google does represent a turning point because it's getting so much press. It's raising the issue to the point where the U.S. State Department got involved. That's all good.

Near-term hotspots and the most vulnerable target

MS: Broadly, what do you see happening within cyber warfare over the next few years?

JC: Africa has a huge population of infected computers. I read one estimate a few months ago that they have about 100 million PCs scattered throughout the continent and maybe 80 percent of those are infected. Once broadband hits Africa, then you've got this huge opportunity for botnets to spring up. These mega botnets could conceivably dwarf Conficker or some of these other huge botnets.

East Africa is another spot to watch. In Somalia, where piracy is lucrative and the area is so lawless, it's such a chaotic environment. There's a growth of religious extremists there as well. So you've got criminals with a huge pile of cash, these pirates, and then you have these radical extremists looking for ways to create havoc. Should their interests coincide, I would fear for very destructive Internet attacks.

MS: Last question: Out of all this, what's the thing that keeps you up at night?

JC: The most worrisome thing to me is the vulnerability of the power grid. I just released a report on this -- it's Project Grey Goose's Report on Critical Infrastructure -- where I and my team of researchers document the problem. The Department of Defense has identified 34 critical assets to conducting its mission. Thirty-one out of the 34 are dependent on the public power grid.

I know in my state of Washington, they tell us that if there's an earthquake or some other natural disaster, you can expect no help for at least seven days. There will be no police response, no 911 response, no National Guard for at least seven days because they'll all be busy protecting critical infrastructures. And so that's what I worry about. The grid is so vulnerable. It would cause a lot of chaos here if somebody were to actually attack it.

Note: This interview was condensed and edited.
