Thursday, September 02, 2010

The Inside Scoop on DoD Thinking

I wanted to help put some of you in the mindset of a DoD person when reading recent news, namely Defense official discloses cyberattack and Pentagon considers preemptive strikes as part of cyber-defense strategy, both by Washington Post reporter Ellen Nakashima. I'll assume you read both articles and the references.

Deputy Defense Secretary Lynn's article (covered by the first Post story) is significant, perhaps for reasons that aren't obvious. First, when I wore the uniform, the fact that a classified system suffered a compromise was itself classified. To this day I cannot say if a classified system I used ever suffered a compromise of any kind. Readers might be kind enough to say if this policy is still in effect today. So, to publicly admit such a widespread event -- one that affected classified systems -- that is a big deal.

Second, Lynn said "this previously classified incident was the most significant breach of U.S. military computers ever." That is significant. It sets a bar against which other incidents can be measured. Why was it so bad?

Adversaries have acquired thousands of files from U.S. networks and from the networks of U.S. allies and industry partners, including weapons blueprints, operational plans, and surveillance data.

That's serious, and specific.

Third, after citing Google's January admission, Lynn says:

Although the threat to intellectual property is less dramatic than the threat to critical national infrastructure, it may be the most significant cyberthreat that the United States will face over the long term.

Every year, an amount of intellectual property many times larger than all the intellectual property contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities, and government agencies.

As military strength ultimately depends on economic vitality, sustained intellectual property losses could erode both the United States' military effectiveness and its competitiveness in the global economy.

I interpret this as saying cyberwar is hurting the US specifically because non-military targets are being hit, repeatedly and persistently.

Finally, I'd like to provide a counterpoint regarding the second Post article. Other pundits are calling DoD's potential offensive strategy "beyond stupid." I'd like to know what's stupid: more of the same failed vulnerability-centric policies and approaches of the last, what, 10, 15, 20 years, or taking a threat-centric approach to apply pressure on the adversary? I also wrote about this in 2007, like some other pundits. In the three years since, playing defense hasn't helped much. Expect more on offensive options in the coming years, in all sectors -- not just the military.

9 comments:

kme said...

The problem with "offensive options" is that, as I'm sure you well know, the US has never been particularly good at countering asymmetric warfare. It doesn't come much more asymmetric than "cyberattacks" stealing intellectual property.

The attackers are guerillas - they don't do the online equivalent of marching around in divisions.

The failure of vulnerability-centric techniques implies nothing about the success of threat-centric techniques.

MisterReiner said...

"...the fact that a classified system suffered a compromise was itself classified."

Still true.

"...this previously classified incident was the most significant breach of U.S. military computers ever."

What he should have said was, "This is the most significant breach of U.S. military computers that was declassified so we can talk about it publicly."

Don't believe the hype. It's just propaganda to generate support from taxpayers.

"Every year, an amount of intellectual property many times larger than all the intellectual property contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities, and government agencies."

I wish he would have cited a specific significant example. I'm pretty sure it's not just a line, but what, exactly, has the enemy done with this so-called stolen intellectual property - or is that too classified to put in print? I'm sure there must be something that was stolen over the last 10 years from a business or university that can now be publicly disclosed.

"... or taking a threat-centric approach to apply pressure on the adversary?"

I'm going to side with the "beyond stupid" folks. How will the U.S. ever justify taking out zombie home and business computers in foreign countries? That's a serious breach of protocol in my opinion. Is it going to be okay for foreign countries to take out our zombie home and business computers?

"...more of the same failed vulnerability-centric policies and approaches of the last, what, 10, 15, 20 years..."

Unfortunately, that's where people's heads are at these days. How about we just re-engineer everything instead, like I'm always advocating:

Is it possible to engineer a computer that is 100% secure?

Why the current computer security paradigm is analogous to fixing a leaky dam

An open letter to Bill Gates, Steve Jobs, Paul Otellini, Steve Ballmer, Dirk Meyer, Michael Dell, Larry Ellison and Jim Whitehurst

H. Carvey said...

Of course playing defense hasn't helped much...anything not done correctly can easily be presumed to have failed.

As a 2dLt in the Marine Corps, I learned about defense in depth and maneuver warfare. Map what I learned to the digital realm, and as an IR consultant, I see organizations fall victim to having data stolen, and they weren't even aware of it until someone outside of their organization told them.

What I learned about defenses had to do with what was being protected, what the "terrain" looked like, threats, avenues of attack, etc. Those same basic core principles apply to the digital realm...but if you have no idea where your data resides, nor any concept of who has access to it, and you have NO visibility into your infrastructure...why are you then surprised when data is stolen and exposed/used?

Network "defenses" these days are tantamount to nothing more than a wooden frame of a building, and little more.

The fact of the matter is that if you do not follow basic core principles, it's very easy to say that defense work failed. But a closer look will tell you that you never had what amounted to basic defenses in the first place.

Anonymous said...

Any infosec person knows full well that pure defense is impossible and unrealistic. No matter how good a coder, appliance or combination you have, you will suffer for it.

One thing that our government (and the media) tend to forget is that we are no longer in the wonderful Clausewitz Battlefield. Though this is still being taught to our field grade officers in all the War Colleges. What we have in military terms is Guerilla warfare, unrestricted (not to segue into the Chinese document of the same name - Unrestricted Warfare - which should be required reading) and without the traditional Gentlemanly Causes applied.
We have two basic battlefields - those folks that are truly motivated by whatever cause or belief (Fundamentalists, for example) and those that are motivated by money. Both are quite experienced and prevalent in the Cyber arena.

To extend into this area, we need to move away from the Cold War attitudes, the WWII attitudes and start thinking and acting like guerilla warriors. Times have changed, and traditional processes do not work. NewThink needs to step in and guide our hands in this area. We need to stop thinking that they are diplomatic (they aren't) and that there is some obscure reason they might stop if we ask them nicely and give them a lot of money in aid. They don't care, they will take our money at will, since we can't secure our online transactions, and still attack us.

Proactive efforts are NOT revenge. Revenge is a scorched earth policy. This is just letting them know we are not going to sit and let them bleed us dry.

You are correct, Richard - we need to step up and be more than defensive in this area.

/john

Steve Miller said...

Hey Richard, I thought I'd chime in that your non-disclosure policy was still in effect as of 2007, when I left the DoD. I don't see why people are leaking information on the breaches, as if this would raise awareness of anyone that is important to the situation.

Anonymous said...

For all the money and resources DoD spends on "security", I find the fact they were so comprehensively rolled by something so easy to defend against (ie, by disabling autorun and forbidding cross-domain rewritable media movements) rather concerning.

Maybe they should at least try getting their own house in order before trying to hit the adversaries for whom they make life so easy?
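The commenter above names disabling AutoRun as the easy mitigation. As an added example, not part of the original post or its comments, here is a PowerShell audit of that setting on a single Windows host. It assumes the documented NoDriveTypeAutoRun policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, where 0xFF disables AutoRun for every drive type; the function name Test-AutoRunDisabled is my own.

```powershell
# Added example (not from the original post): audit whether AutoRun is disabled
# machine-wide via the NoDriveTypeAutoRun policy value. 0xFF disables AutoRun for
# all drive types; a missing or lower value means some drive types still honor it.
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Test-AutoRunDisabled {
    param([string]$Path = $policyPath)
    # Read the value without throwing if the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    # Bit mask: 0xFF covers every drive type (removable, fixed, network, CD-ROM, RAM disk, unknown).
    return (($item.NoDriveTypeAutoRun -band 0xFF) -eq 0xFF)
}

if (Test-AutoRunDisabled) {
    Write-Output 'AutoRun is disabled for all drive types.'
} else {
    Write-Output 'AutoRun is NOT fully disabled. To remediate (requires administrator rights):'
    Write-Output "  New-Item -Path '$policyPath' -Force | Out-Null"
    Write-Output "  Set-ItemProperty -Path '$policyPath' -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF"
}
```

The check reads only; the remediation commands are printed rather than run so the script can be used for fleet-wide auditing before any change is pushed through Group Policy.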

kme said...

john, the problem is that a nation-state simply does not have the option to "act like guerilla warriors".

Guerilla warfare is only possible when you don't have large, permanent installations that are vulnerable to attack. Guerilla tactics really are a luxury available only to small or decentralised belligerents, who can disappear into the tactical environment and choose when and where to engage their enemy.

Dan said...

"I'd like to know what's stupid"

How about the extreme, real life difficulties in determining the exact source of attacks within any sort of useful time-frame? If we can't do this _after_ attacks, how will we do it with any accuracy _before_ attacks?

Obviously, you blow up comm infrastructure in a war. But do you really let your DoD hack a web server or DoS a hosting provider in a neutral or allied country based on unreliable info?

IMO, We'd be better off with more effective frameworks for international law enforcement action.

Anonymous said...

Law enforcement action isn't of much use when you're dealing with something that you reasonably suspect (or can prove) to be state sponsored.