US DOD Cyberspace Operations Doctrine

“… the United States (US) Department of Defense (DOD) is responsible for defending the US homeland and US interests from attack, including attacks that may occur in cyberspace. … the DOD seeks to deter attacks and defend the US against any adversary that seeks to harm US national interests during times of peace, crisis, or conflict. To this end, the DOD has developed capabilities for cyberspace operations and is integrating those capabilities into the full array of tools that the US government uses to defend US national interests…”
The Department of Defense Cyber Strategy, April 2015

While disinformation campaigns waged by state actors, criminal groups, and terrorist organizations have become familiar stories, little is discussed or understood about comparable operations conducted every day by Western countries’ militaries and intelligence organizations. While the emphasis is on operations that are directly attributable to their sources (i.e. people know they come from the military), units are specializing in marketing, advertising, information, and even disinformation work to support broad and specific missions at home and abroad.

These US military units operate, out of necessity, outside the public eye, but some of the tools, strategies, and methods they use are emerging into public view, and they are often the cause of severe collateral damage to innocent people. Members of these military units have used an arsenal of tools (weapons) for mass email delivery, spoofing SMS messages, impersonating social media posts (e.g., on Facebook and Instagram), changing online poll results, and artificially inflating website traffic.

Their targets have ranged from China, Iran, North Korea, Russia, and countries across Africa to areas within their own country. The necessity of this kind of cyber information warfare poses many problems, especially for democratic governments, which must walk a fine line between transparency and authoritarian behaviour.

The US DOD, like the militaries of many other countries, has developed its own cyber and hybrid warfare strategies, and this publication, “Cyberspace Operations”, provides an overview of the joint doctrine used to plan, execute, and assess cyberspace operations.

Download a copy here: https://fas.org/irp/doddir/dod/jp3_12.pdf

One of the West’s biggest cybersecurity vulnerabilities

It is just amazing, with nearly weekly news of hacks, security breaches, and alarming cyber crimes (too often reported without describing the ingenuity or deviousness involved), that computers, hard drives, and/or RAM are not wiped clean when they are disposed of, as they can be a valuable source of intelligence for those who want it. What is worse is that so many good and free apps are available (DBAN, Eraser, Disk Wipe); if you need an industrial-size application, there are Blancco Drive Eraser, KillDisk, and a few others; or you can easily buy your own terminal solution.

1: Don’t merely format a disk or RAM, as formatting does not erase the data, only the address tables (the file system’s metadata); the data blocks themselves remain in place until they are overwritten.

2: The media sanitization and secure data sanitization standard NIST SP 800-88 presents the best methodologies to clear, purge, and destroy digital data; however, the responsibility for and challenges of clearing, purging, and destroying digital data rest squarely with the information owner, and no, he or she cannot ever delegate that responsibility.

3: The final solution is a data destruction system (available on Amazon under “hard drive crusher”; for a more complete range of solutions, see the Security Engineered Machinery (SEM) site for ideas).
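To make points 1 and 2 concrete, here is an added example (not from the page or from any of the tools named above) built on a constructed toy disk image: an allocation table followed by data blocks. A “quick format” clears only the table, and a raw scan still carves the deleted payload out of the data region; a proper clear overwrites the data region and then verifies it, which is the overwrite-then-verify pattern SP 800-88 expects. The layout constants, the `carve` marker scan and the temporary-file helper are this example’s own assumptions.

```python
import os
import secrets
import tempfile

# Toy disk image layout (constructed for this example):
# [ allocation table: one byte per block ][ data block 0 ][ data block 1 ] ...
TABLE_ENTRIES = 8           # number of data blocks, and size of the table in bytes
BLOCK = 16                  # bytes per data block (real sectors are 512 or 4096)
DATA_START = TABLE_ENTRIES  # data region begins right after the table
CHUNK = 4096                # I/O chunk size used when wiping a real file


def new_image() -> bytearray:
    """A blank toy disk image: an empty allocation table followed by zeroed blocks."""
    return bytearray(DATA_START + TABLE_ENTRIES * BLOCK)


def write_file(img: bytearray, block: int, payload: bytes) -> None:
    """Store `payload` in one data block and mark that block as allocated."""
    if not 0 <= block < TABLE_ENTRIES or len(payload) > BLOCK:
        raise ValueError("block out of range or payload larger than a block")
    start = DATA_START + block * BLOCK
    img[start:start + len(payload)] = payload
    img[block] = 1


def quick_format(img: bytearray) -> None:
    """What a format (or a delete) does: clear only the allocation table.
    Every data block keeps its contents."""
    img[0:TABLE_ENTRIES] = bytes(TABLE_ENTRIES)


def carve(img: bytearray, marker: bytes) -> list:
    """Recover data the table no longer points to by scanning the raw data
    region for `marker`; returns the absolute offset of every hit."""
    hits, pos = [], DATA_START
    while (pos := img.find(marker, pos)) != -1:
        hits.append(pos)
        pos += 1
    return hits


def verify_cleared(img: bytearray) -> bool:
    """The verification step SP 800-88 calls for: every data byte must be zero."""
    return not any(img[DATA_START:])


def sanitize(img: bytearray) -> None:
    """Clear the data region (one pseudorandom pass, then a zero pass), clear the
    table, and refuse to report success unless verification passes."""
    n = len(img) - DATA_START
    img[DATA_START:] = secrets.token_bytes(n)
    img[DATA_START:] = bytes(n)
    quick_format(img)
    if not verify_cleared(img):
        raise RuntimeError("verification failed: data region is not all zeros")


def wipe_file(path: str) -> bool:
    """Apply the same overwrite-then-verify to a regular file, chunk by chunk,
    syncing after each pass. Caveat: on SSDs and flash media (wear levelling)
    and on journaling or copy-on-write file systems, overwriting in place does
    not reach every copy of the data; SP 800-88 'Purge' (the drive's own
    secure-erase or crypto-erase command) or physical destruction is needed."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for fill in (secrets.token_bytes, bytes):   # random pass, then zeros
            f.seek(0)
            for off in range(0, size, CHUNK):
                f.write(fill(min(CHUNK, size - off)))
            f.flush()
            os.fsync(f.fileno())
        f.seek(0)
        while chunk := f.read(CHUNK):
            if any(chunk):
                return False
    return True


def demo_wipe_tempfile() -> bool:
    """Self-contained check of wipe_file on a constructed temporary file."""
    with tempfile.NamedTemporaryFile(delete=False) as tf:
        tf.write(b"constructed sample secret\n" * 300)
        path = tf.name
    try:
        return wipe_file(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    img = new_image()
    write_file(img, 2, b"SECRET-PAYLOAD")
    quick_format(img)
    print("after format, carved at offsets:", carve(img, b"SECRET"))
    sanitize(img)
    print("after sanitize, carved at offsets:", carve(img, b"SECRET"))
    print("temp file wiped and verified:", demo_wipe_tempfile())
```

The in-memory image shows why formatting is not erasure: after `quick_format` the table is empty but `carve` still finds the payload at its old offset. `wipe_file` carries the same logic to a real file, and its docstring records the practical limit of software overwriting on SSDs and copy-on-write file systems, which is why SP 800-88 separates “clear” from “purge” and “destroy”.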

Edwards, Jim, 2019. “One of the West’s biggest cybersecurity vulnerabilities is our idiotic habit of sending servers full of sensitive information to foreign countries” Business Insider, Sunday, January 6, 2019.
https://www.greenwichtime.com/technology/businessinsider/article/One-of-the-West-s-biggest-cybersecurity-13511895.php

Handbook of Russian Information Warfare

The implications of facing a combined effort of cyberwarfare and hybrid warfare attacks with traditional subversion and active measures are critically important for all. This Handbook of Russian Information Warfare is an exciting introduction to current and projected Russian operations in the information and cyber domains.

Published by the NATO Defense College’s Research Division, “The Handbook of Russian Information Warfare” is an introductory guide to Russia’s doctrine and activities in this field, including elements of cyber warfare. For those unfamiliar with Russian principles of warfighting but requiring an introduction to this essential element of how Russia projects state power, this is a good start.

This publication is based primarily on Russian sources. As such, it fills an important gap in the Western study of Russia’s approach to this aspect of inter-state confrontation, representing the principles and practice of information warfare in Russia’s own words. The handbook illustrates key concepts and approaches, explained by direct quotations from senior members of the Russian defence and security communities. The guide also functions as a source book for further detailed research; each section concludes with a list of recommended reading for deeper research on specific topics.

Please download a PDF copy of the Handbook of Russian Information Warfare here: https://t.co/AVzQWydsbq

Cyber attacks are inevitable, but can we fight back? (Part 2 of 2)

“Cyber warfare is as much about psychological strategy as technical prowess.” 
― James Scott, Senior Fellow, Institute for Critical Infrastructure Technology

However, what if the attack is against a northern country’s power grid in the dead of winter? This kind of attack would have military consequences if it were extensive. Most militaries, first responders, and many large organizations have backup power generation capability as well as stocks of fuel reserves, but these stores are not infinite. A cyber attack on a country’s infrastructure would likely have military consequences and would certainly be grounds for cyber retaliation, a cruise missile strike, or even invasion.

Even if the country’s power grid were severely affected by a cyber attack and the government knew with a high degree of confidence who the guilty party was, there would be reasons for caution, primarily if the attack was an isolated incident and there were no other signs of hostility or harmful intent, because cyber attacks can have unanticipated consequences. With any military strike, collateral damage is always possible, but with most conventional attacks, methods of assessing and avoiding collateral damage are well developed and based on well-established physics and observational experience. Cyber weapons, however, do not operate like missiles or tanks; they attack the underlying network or computer systems, and the possibility of unexpected effects in cyberspace is much higher.

For example, a cyber attack on an electrical grid might be intended to knock out the lights in a specific location but end up affecting a whole region’s energy supply. The world saw this potential with the Stuxnet worm: it was intended for a very specific, isolated Iranian control system, and it was discovered precisely because it spread beyond its intended target into other related networked systems. Stuxnet did not attack other control systems, but only because its designers programmed in a self-destruct date. Had the designers been less cautious, its effects would have been much more widespread.

Therefore, before targeting a cruise missile at some cyber hub in a country, a country’s leadership would want at least some knowledge of both the intentions of the attacker and the consequences (including secondary effects) of the response; otherwise the country might start a war by accident. However, a desperate foreign leader might miscalculate that he can get away with a surreptitious cyber attack on an enemy’s infrastructure for exactly these reasons, and that in and of itself is cause for concern.

Context can make a huge difference. It is relatively easy to assess the damage done by a cyber attack on a country’s infrastructure, but less easy to assess the intent behind it. If a cyber attack seriously disrupts a country’s power grid during an ongoing war with a known aggressor, it is easier to strike back, with military force or with cyber weapons, because it is easy to assume the attack was intentional.

Alternatively, given that cyberwarfare is a great field leveller, a fearful foreign leader might lash out at a superpower if she or he fears it is on the verge of conducting a devastating cyber attack. The hostility might come in the form of a massive pre-emptive cyber attack, a conventional attack, or, in the extreme, even a nuclear salvo.

Since the ability to mount cyber attacks depends on keeping targeted vulnerabilities secret, both sides may fear that their adversaries possess capabilities that have far-reaching destructive potential, even when they do not. This fear in turn could increase the tendency toward pre-emptive action in cyberspace, followed by devastating escalation.

Cyber adds new and significant uncertainty to warfare and justice, making it difficult both to deter effectively and to respond adequately. To this end, an International Attribution Consortium consisting of a “broad team of international experts would provide independent investigation of major cyber incidents for attribution. Membership should include representatives from two sectors: (1) technical experts from cybersecurity and information technology companies, as well as academia, and (2) cyberspace policy experts, legal scholars, and international policy experts from a diversity of academia and research organizations. A credible and transparent attribution organization should not include the formal representation of nation-states, to avoid an appearance of bias and to protect transparency.”[i]


[i] Davis, John S. II, Benjamin Boudreaux, Jonathan William Welburn, Jair Aguirre, Cordaye Ogletree, Geoffrey McGovern, and Michael S. Chase, Stateless Attribution: Toward International Accountability in Cyberspace. Santa Monica, CA: RAND Corporation, 2017. https://www.rand.org/pubs/research_reports/RR2081.html

“International hacker-for-hire jailed for cyber attacks on Liberian telecommunications provider,” UK National Crime Agency
http://www.nationalcrimeagency.gov.uk/index.php/news-media/nca-news/1542-international-hacker-for-hire-jailed-for-cyber-attacks-on-liberian-telecommunications-provider

 

Cyber attacks are inevitable, but can we fight back? (Part 1 of 2)

“There is no blood in cyberspace, but there is incredible danger.” ― Donghui Park, International Policy Institute Cybersecurity Policy Fellow, University of Washington

Sadly, countries now aggressively use cyberspace to maximize their national interests. Cyberspace is a key domain (as in crucial territory) in today’s conflicts and will only gain more importance in coming years, not only for militaries but for terrorists and criminals.

Imagine that all of a sudden the websites of major banks malfunction, ATMs stop working, and banks’ internal systems go haywire. Thousands of businesses and millions of people are affected. Within hours the Computer Emergency Response Team (CERT) points to a cyber attack. The following day there is a run on supermarkets for daily necessities and on petrol stations; after a few days the strain on multiple supply chains is showing.

What is the government to do? Well, we know politicians would demand that their security advisors point a finger at the guilty party or parties PDQ. Who? Was it a country? Was it organized crime? Was it a thrill-seeker? Why? Was it an accident? Is it a crime? Was it a deliberate attack? Is it a prelude to war?

All would be demanding attribution first, and the why later, from the national-level intelligence agency (or agencies) to determine a measured reaction, but would it (or they) know for certain who had launched the cyber attack? Attribution uncertainty for a crippling cyber attack would make it hard to deliver a measured response by the appropriate department or agency, national security or national law enforcement, alone or with allies…

In the event of a major cyber attack, public pressure for the government to respond would be instantaneous and very forceful. If the cyber attack is wrongly attributed because the forensics were wrong and a country strikes back, inadvertently starting a war, retraction may be costly.

Russia’s alleged cyberwarfare and hybrid warfare attacks on the Baltic countries,[i] Ukraine, and the US have kept the issue of cyberspace warfare and undeclared war at the top of the news, but the problems these raise are only the tip of the iceberg when it comes to the role of cyber operations in future warfare. It is hard to say with certainty what exact role and impact cyber operations will have in future conflicts. Unlike conventional arms, the impact and effects of cyber weapons on the information domain are much harder to ascertain and possibly to contain.

Even in cases where one country can attribute with great certainty where a cyber attack originated, say from a country that considers cyberspace just another theater of war, like China, Iran, Israel, North Korea, Russia, or the US, it could be hard to know for sure whether its government ordered it. In some cases governments rely on third parties to develop their cyber weapons and conduct their attacks, using mercenaries for hire that offer Hacking as a Service (HaaS) or Cybercrime as a Service (CaaS). Third parties, especially those located elsewhere, say Israel’s Unit 8200, offer governments many benefits, such as the obvious one, deniability; but they also give governments less control over what their cyber mercenaries do, creating a so-called “principal-agent problem.”

Also, an attack that originates from within one country’s cyberspace might or might not be the work of that country, further complicating the choice of response. Sometimes, the culprit is clear, of course. Even then, the question is how, specifically, to respond.

Now that almost all countries have cyberwarfare units, some want to retaliate in kind with a cyber counter-attack that inflicts equal damage on the guilty party. However, this is not always possible. If the perpetrator is a terrorist group, then there is no equivalent financial system to target. Should a country instead use conventional military weapons like a cruise missile? But what if the country’s financial system had recovered in the interim with relatively minimal real damage? A military response might then look excessive.


[i] Radin, Andrew, Hybrid Warfare in the Baltics: Threats and Potential Responses. Santa Monica, CA: RAND Corporation, 2017.
https://www.rand.org/pubs/research_reports/RR1577.html

Bodine-Baron, Elizabeth, Todd C. Helmus, Andrew Radin, and Elina Treyger, Countering Russian Social Media Influence. Santa Monica, CA: RAND Corporation, 2018.
https://www.rand.org/pubs/research_reports/RR2740.html

Chase, Michael S. and Arthur Chan, China’s Evolving Approach to “Integrated Strategic Deterrence”. Santa Monica, CA: RAND Corporation, 2016.
https://www.rand.org/pubs/research_reports/RR1366.html

What of collateral damage in undeclared wars?

Today’s security environment is unpredictable. Threats can come from states’ cyber and hybrid warfare units at work and from non-state actors’ cyber attacks by criminals, overseas adversaries, and terrorists. Cyber exploits now blur the line between a prelude to war and plain old crime. Countries are invading one another’s cyberspace, releasing exploits to assess the level of damage they can inflict or the level of penetration (compromise) they can achieve on computer networks, any network (Local Area Networks (LAN), Personal Area Networks (PAN), Home Area Networks (HAN), Wide Area Networks (WAN), Campus Networks, Metropolitan Area Networks (MAN), Enterprise Private Networks (Intranet), Internetworks, Backbone Networks (BBN), Wireless Broadband Networks, even the Internet). If these networks were towns and cities, it would be an act of war, but no one wants to claim an act of war over hostile or warlike events in cyberspace, yet.

However, insurance companies are claiming that these hostile or warlike actions by countries, or by people acting on behalf of a nation, mean they don’t have to pay out for damages incurred by their insured claimants; they claim such cyber attacks fall under the ‘war exclusion’ section. Case in point: Mondelēz is suing its insurer Zurich for refusing to pay out on a $100m claim for damages caused by the devastating NotPetya attack, which rendered 24,000 laptops and 4,000 servers permanently dysfunctional.

For those whose memories need jogging, the NotPetya attack was an extensive wiper ransomware campaign. Major organizations around the world were affected, the likes of A.P. Moller-Maersk, Merck & Co, Reckitt Benckiser Group, Beiersdorf AG, WPP plc, and many others across the world. The entire goal of NotPetya was to inflict as much damage as possible on affected networks.

Many companies affected by NotPetya made claims for the cost of damages on their property insurance policies. Many policies suggested that coverage for physical loss or damage to electronic data and software, and for physical damage caused by malicious code, made a cyber attack a valid claim. The insurance companies cite an exclusion in most policies stating that a “hostile or warlike action” (the war exclusion clause) by a country, or by people acting on behalf of a nation, means they do not have to pay out.

The case has the makings of a precedent: as governments blamed the NotPetya attack on the Russian military, this link could affect future insurance claims. It gives both insurers and insured firms pause for thought when it comes to their insurance policies. However, most cyber attacks to date have hit civilian (as in non-military) targets who conduct their business and lives unaware that an undeclared war is taking place. The economic damage from such malicious events can only increase, and it blurs the line between cyber crimes by criminals, malicious acts by thrill-seekers, and a deliberate pre-emptive strike as a prelude to outright war. What if it is an accidental release during a test of a weaponized cyber exploit? Would a country admit its error and pay compensation? Not likely, even if its secret hacking tools fell into unknown hands; remember the Cisco exploit that came to light after the Shadow Brokers revealed that the NSA was hoarding zero-day exploits.

The attribution of cyber exploits to countries like China, Iran, North Korea, Russia, the UK and the US, or to groups of states like NATO and the Five Eyes, could see this play out in future, with insurers using the link as a legal argument in cases relating to cyber attack claims. It remains to be seen whether these changes materialize as cyber-specific policies purchased by firms or as a tightening of the terms and conditions of general coverage under a company’s property insurance.

One thing is for sure: cyber and hybrid warfare have taken root in cyberspace, as they are great field levellers, especially for countries with smaller, less capable militaries than the world superpowers. This warfare posturing will surpass the Cold War, going from a few players to too many, thus resulting in ever-increasing damage to innocent bystanders with no recourse other than to reduce their cyberspace footprint, conceivably reducing their business potential as they lose their grip on the Information Age and slip back into the Industrial Age.

One thing is for sure: countries will continue to exercise their cyber and hybrid warfare skills, weaponizing exploits simply because everyone seems to be doing it, and no one wants to be caught flat-footed like Ukraine, which was one of the first guinea pigs for Russia. Hence, this can only lead to more severe cyber attacks or cyber incidents (accidents) that increase the cost of collateral damage to civilians who are never aware that a state of war exists.

As for the ‘war exclusion’ claim by insurance companies, is this a ploy to extort more premium from insurance buyers in the future, or to limit insurers’ exposure, since we all know that cyber incidents are increasing, as are their severity and hence their costs? This could be an impetus for organizations to consider Zero Trust systems and data encryption at rest and in motion more seriously.

As for cyber and hybrid warfares, will governments learn that if you let slip the dogs of war in chicken coops it will reduce the production of eggs? Doubtful!

Nonetheless, it is imperative that we consider the value of an independent global organization whose mission consists of investigating and publicly attributing major cyber attacks. To this effect, I recommend reading Rand’s Stateless Attribution: Toward International Accountability in Cyberspace. [Davis, John S. II, Benjamin Boudreaux, Jonathan William Welburn, Jair Aguirre, Cordaye Ogletree, Geoffrey McGovern, and Michael S. Chase, Stateless Attribution: Toward International Accountability in Cyberspace, Santa Monica, Calif.: RAND Corporation, RR-2081-MS, 2017.]

Cyberwarfare is the use or targeting in a battlespace or warfare context of computers, online control systems and networks. It involves both offensive and defensive operations about the threat of cyber attacks, espionage and sabotage. (Wikipedia)
Hybrid warfare is a military strategy that employs political warfare and blends conventional warfare, irregular warfare and cyber warfare with other influencing methods, such as fake news, diplomacy, lawfare and foreign electoral intervention. (Wikipedia)

Good news for end-to-end encryption

First, what does end-to-end encryption mean? It means encrypting communications so that the information is unavailable to third parties. When two or more devices communicate via an app that features this level of encryption, the data is transmitted as ciphertext rather than insecure plain text. As a result, only the people communicating can read the messages and no one else: not Internet service providers, the app maker, the government, or anyone else. The data is protected against tampering, surveillance, and cybercriminals while it is transmitted and stored. The encryption keys are stored locally on the users’ devices, for improved protection. For users, end-to-end encryption provides an assurance of privacy, which is a growing concern in the wake of incidents such as 2018’s Cambridge Analytica scandal.
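The three properties just described (the relay cannot read the messages, tampering is detected, and the key never leaves the users’ devices) can be shown in a few dozen lines. The following is an added example, not code from Snapchat, WhatsApp or any of the apps named on this page, and it is simplified in two ways that are this example’s own assumptions: the pairwise shared secret is taken as already agreed out of band (real apps run a key-agreement protocol such as the one in the Signal protocol for that step), and because the Python standard library has no authenticated cipher, it uses HMAC-SHA256 as a counter-mode keystream generator with an encrypt-then-MAC tag instead of a standard AEAD such as AES-GCM. The `Relay` and `Client` classes are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(shared_secret: bytes) -> tuple:
    """Derive separate encryption and MAC keys from one shared secret so the
    same key is never used for two purposes (the labels are this example's)."""
    enc = hmac.new(shared_secret, b"e2ee-demo/enc", hashlib.sha256).digest()
    mac = hmac.new(shared_secret, b"e2ee-demo/mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(shared_secret: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc, mac = derive_keys(shared_secret)
    nonce = secrets.token_bytes(NONCE_LEN)          # fresh per message
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(shared_secret: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant-time compare), only then decrypt."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc, mac = derive_keys(shared_secret)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: tampered message or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


class Relay:
    """The app maker's server: stores and forwards blobs, never holds a key."""
    def __init__(self):
        self.mailbox = {}

    def deposit(self, sender: str, recipient: str, blob: bytes) -> None:
        self.mailbox.setdefault(recipient, []).append((sender, blob))

    def collect(self, recipient: str) -> list:
        return self.mailbox.pop(recipient, [])

    def metadata(self, recipient: str) -> list:
        """All the server can observe: who wrote to whom, and how much."""
        return [(sender, len(blob)) for sender, blob in self.mailbox.get(recipient, [])]


class Client:
    """A user's device; the keys live only here."""
    def __init__(self, name: str, relay: Relay):
        self.name, self.relay, self.keys = name, relay, {}

    def pair(self, peer: str, shared_secret: bytes) -> None:
        # Assumed to be agreed out of band for this example; the secret is
        # stored locally and is never sent to the relay.
        self.keys[peer] = shared_secret

    def send(self, peer: str, text: str) -> None:
        self.relay.deposit(self.name, peer, encrypt(self.keys[peer], text.encode()))

    def receive(self) -> list:
        return [(sender, decrypt(self.keys[sender], blob).decode())
                for sender, blob in self.relay.collect(self.name)]


if __name__ == "__main__":
    relay = Relay()
    alice, bob = Client("alice", relay), Client("bob", relay)
    secret = secrets.token_bytes(32)                   # constructed shared secret
    alice.pair("bob", secret)
    bob.pair("alice", secret)
    alice.send("bob", "meet at noon")
    print("relay sees:", relay.metadata("bob"))        # sender and size only
    print("bob reads:", bob.receive())
```

Two details matter for the claims in the paragraph above. The relay’s `metadata` method is a reminder that end-to-end encryption hides content, not the fact that Alice wrote to Bob or when; that traffic data remains visible to the provider. And `decrypt` checks the tag before touching the ciphertext, so a blob altered in transit or on the server is rejected outright rather than decrypted into garbage.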

Now for the good news: Snapchat is currently the latest social media messaging platform to add end-to-end encryption. The end-to-end encryption ranks are growing, from the likes of WhatsApp, Wickr, Viber, LINE, Telegram, KakaoTalk, Signal, Dust, Threema, Cyphr, CoverMe, Silence, SureSpot, and Wire, and now Snapchat. The feature looks increasingly likely to become standard across the industry, despite the concerns of governments and law enforcement.

Until then, remember that favourite apps like Twitter, Instagram, or Facebook Messenger don’t use end-to-end encryption, so your conversations and files may not be fully secured. However, if you are like me, a Skype user, the good news is that the company introduced end-to-end encryption at the beginning of 2018; thank you Microsoft.

Note: Since spring 2018 Twitter has reportedly been testing a secret, encrypted messaging option for its platform. At last news, the “testing is at an advanced stage, but not in place.”

What is a Cyberist?

Chris Ensor, Deputy Director Cyber Skills & Growth, at the UK National Cyber Security Centre (a part of GCHQ) said it best in his blog.

Chris wrote the following:

“The term ‘Cyberist’ describes, in a positive light, the role of someone who works in the cyber security profession. Far from being a shadowy figure, a Cyberist is someone with a dynamic career who plays a vital role in the community and wider society, protecting the information and systems we care about and rely on in our daily lives.

That said, it’s been clear from the response that this is quite an emotive subject. One of the immediate lessons we’ve learnt is that you can’t just invent a new word (or re-purpose an existing one) and expect everyone to accept your definition. We asked the target audience what they thought of the term, and received some positive responses, but this was only a small sample. So we’ll use our summer courses to get a much broader view, and maybe discover some alternative suggestions that we can put to a vote – at the risk of course of getting egg all over our ‘Cyber McCyberface’.

In the meantime, if you’ve any thoughts on the term ‘Cyberist’, or what we should use to inspire the next generation of cybersecurity professionals, feel free to comment below.”

Like Chris, I’ve been in this business nearly 30 years, or almost 50 years if I tag on my time in Signals Intelligence and Electronic Warfare while in the Canadian Forces (CF) and the Royal Canadian Navy (RCN), and I, too, still struggle to explain what I do to people in general. Over the years I’ve been described as an operator, technician, technologist, engineer, a computer and information security geek, an information assurance expert, and now a cybersecurity professional. However, none of these terms describes what we do, or what the job is. None of these designations will inspire the next generation to think of cybersecurity as a career. Moreover, when you add to this the portrait of cybersecurity painted by films, novels, TV programmes, and the Internet, which is usually a guy in a darkened room, wearing a hoodie, full of malice, you’ll appreciate that we face quite a challenge in naming ourselves.

I for one like Cyberist very much, and from there named my company Cyberistix (as in futuristic).

Endangering our data security

Governments all over the world are trying to abolish encryption, force application and service providers to allow backdoors, or make users reveal their encryption keys on demand, thus endangering all our data security. Many governments hide behind vague, ill-informed ‘national security’ clauses to make up for their national security and law enforcement agencies’ lack of skills and outright laziness, weakening our national safety and security.

Instead, politicians and bureaucrats, in their ignorance, are providing hackers, cybercriminals, malfeasants, and just plain old thrill-seekers with greater opportunities to create a wide range of havoc that in the end will cost users far more than just money, and they are creating loopholes for law enforcement abuses. (Hint: secret backdoors never remain secret for long; remember EternalBlue.)

Governments should promote Zero Trust systems architecture (basically, never trust; always verify), always encrypted data at rest and in motion, and Trust No One computing, while using existing laws and rules to target suspected criminals and terrorists, instead of casting as wide a net as possible for the just in case.

Smartly segmented Zero Trust networking involves an IT department verifying all users before granting access privileges. Effectively managing access to accounts is more important than ever with 58 percent of small to midsize businesses (SMBs) reporting data breaches in 2017, according to the 2018 Verizon Data Breach Investigation Report.

So Zero Trust networking with all data encrypted at rest and in motion sounds like common sense. Yet governments only pay lip service to cyber and information security, and they are quick to deplore and point fingers at the enemy of the day when their patrons decry the theft of their data and money, with a tendency to overreact. What governments should be doing is using legislative power to mandate cybersecurity at all levels, support real-world, effective and enforceable cybersecurity standards (like the CIS Controls, the ISO/IEC 27000 series, and the NIST Cyber Security Framework, for a start), subsidize third-party information systems audits, and, more importantly, promote a wide range of cyber and information security education programmes teaching cyber and information security best practices in schools and offices (like GCHQ’s National Cyber Security Centre CyberFirst courses), a little bit like mandatory home economics classes.

Welcome to Cyberistix!

In what follows I hope to share some of my experiences with Information and Supply Chain Security and Cyber Intelligence (OSINT: Open Source Intelligence), and to share my opinions on all matters cyber found in various news and blog outlets, not only to remind you that it is an ugly world out there, but also that there is lots of great source material to help you be secure.

I hope to remind my readers that security is not for the passive!