
Category Archives: Cyber Security

New CCHS essay on “The Internet of Everything”

Earlier this week the US Chamber of Commerce Foundation convened a symposium, entitled “The Internet of Everything: Data, Networks and Opportunities,” and released a compendium of essays on that theme. CCHS Director Frank Cilluffo and I contributed to that volume, with an analysis that speaks to the challenges of critical infrastructure protection in the era of the “Internet of Things.”

Among our key points:

The smarter the device, the more likely an adversary can do harm—to it, to the owner, and to third parties. … This built-in weakness, which exponentially expands the surface for potential attack, is particularly problematic when it comes to critical infrastructure sectors…

Recall the widespread concern generated by the shutdown of the New York Stock Exchange in July of this year. The apparent culprit there was just a technical “glitch.” Imagine the damage and mayhem that an actor with malicious intent could cause. …

No system will be foolproof though, so resilience is an equally crucial aspect of the equation. The ability to bounce back and to do so quickly is perhaps the greatest deterrent to those who may wish to do us harm.

Read the entire article, titled “Vulnerability and Resilience in the Internet of Everything,” here.

Remedying the OPM hack: we need an innovative policy response, not just credit and identity monitoring

In the wake of the recent major hacks of Office of Personnel Management (OPM) databases, OPM has announced that the federal government will offer the millions of affected individuals access to identity theft monitoring and restoration services. For individuals affected by the background check database hack, additional online services will be offered to protect against fraud, misuse of minors’ identities, and similar harms.

The provision of these types of identity theft and credit monitoring services has become a reflexive action for companies and government agencies. When Company Z gets hacked and tens of millions of its customers’ personal and financial records are at risk, it offers free credit monitoring. When Government Agency Y has a data breach, the same routine follows. These entities offer such online services for a fixed period of time, a limited number of affected individuals bother to sign up, and the cost to the company or agency is around $5/month per enrollee. Those who do sign up get a sense of security that any financial misuse of their information will be detected.

But with respect to the recent hack of the OPM security clearance database, the offering of such services is a woefully inadequate remedy. As former CIA official Charlie Allen noted in a recent piece, this hack creates “a national security risk unlike any I’ve seen in my 50 years in the intelligence community”. Former CIA and NSA Director Michael Hayden provided a similarly dire commentary in a Washington Times op-ed in June.

Given this context, the offering of online credit and identity monitoring services to the affected population is necessary but should only be viewed as a small, preliminary step in responding to this hack. The U.S. government needs to focus its attention on implementing a broader set of policy remedies that will help to prevent and deter the foreign entity that hacked this database from being able to exploit this information for counterintelligence or other nefarious purposes.

One such policy remedy would be a law or executive order (EO) that protects affected individuals against the adverse consequences of public disclosure of information that they willingly disclosed on an SF-86 but that would cause harm or embarrassment if made public. For example, such a law or EO could clarify that it is impermissible and illegal to use SF-85/86 information, if derived from hacked documents, in an employment action or in a legal proceeding, with very limited exceptions. If such a policy remedy were put in place, it would hinder the ability of foreign intelligence services to blackmail and recruit Americans working in positions of trust who are potentially exposed by this hack.

The foreign entity that hacked the OPM security clearance database and stole this information could also attempt in the coming months and years to use it to smear and slander individuals (perhaps selectively targeting its high-level critics in government), using unwitting third parties in the news media and other online mechanisms. The federal government needs to look carefully now at how it can protect otherwise innocent employees against such personal attacks, and needs to bring federal law enforcement agencies and Inspectors General into this discussion, so that they can better differentiate between legitimate predicates for internal investigation and cases where they have been baited into investigating by an entity that is using misappropriated information. This will also be an area where Congress will need to carry out judicious oversight and perhaps consider legislation.

These are just two examples. There are other scenarios in which one can envision this hack leading to unique adverse consequences for the affected population, in ways that are ultimately harmful to U.S. national security. The federal government needs to be much more forward-leaning in addressing this issue than it has been to date (at least based on its public statements), and develop, publicly explain, and implement innovative policy remedies, working with Congress, that can mitigate the counterintelligence risks of this hack and re-establish trust and confidence within the U.S. national security workforce.

Cyber reliability and confidentiality: lessons from the 19th century?

By Sam Klein and Greg Gardner

In light of the significant hack of the Office of Personnel Management (OPM) and the recent revelations by the Washington Post about the insecurity of the Internet, it is now time to revisit a proven method for ensuring the viability and privacy of international communications: establishing a truly international, multi-stakeholder organization that places an emphasis on reliability and privacy, oversees policy and standards, and facilitates and coordinates the actual transmission of communications. Globalized, multi-stakeholder organizations effectively govern other types of communication networks; the same approach would work just as well with the Internet.

In 1875, European governments agreed to ensure confidentiality of telegraph messages under Article 2 of the International Telegraph Convention (ITC). In 1878, the Universal Postal Union (UPU) unified the world’s commercial and private mail networks and promoted robust principles of reliability and confidentiality. And in 1906, European governments extended similar protections to radio communications with the International Radiotelegraph Convention. Of course, there are exceptions, but today, almost 200 countries abide by these conventions.

Unfortunately, as the Washington Post articles demonstrate, this historic respect for assured communications, confidentiality, and privacy does not exist for users of the Internet.

An emphasis on reliability and privacy by international, multi-stakeholder organizations pushed states to respect the structure and contents of mail, telegraph, and radio networks. However, such motivations do not currently exist in the same way for users of computer networks. The Internet emphasizes speed and ease of use in governing messages transiting cyberspace. Once countries open their borders to Internet traffic, the Border Gateway Protocol (BGP) automatically selects the paths that information packets follow, based on each network operator’s routing policy and path length rather than on whether the information will remain private while en route.

Under this design, speed and convenience trump security, tossing reliability and privacy concerns out the window. Unlike users of mail, telegraph, or radio networks regulated by the UPU and its sister organizations, those who send information via the Internet cannot choose between ease of use and privacy, because the routing of their messages is automatic. The well-known tension between usability and security acknowledges this trade-off, a trade-off that causes friction between users and those responsible for maintaining security and protecting privacy.
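To make the routing point above concrete, here is a small simulation of how a BGP router picks a path and forwards a packet. It is an added example and not part of the original post; the autonomous system numbers and prefixes come from the documentation ranges reserved by RFC 5398 and RFC 5737, the route announcements are constructed, and the decision process is a simplified version of the real one (local preference, then AS path length, then origin, MED and router ID). It shows that the sender has no say: the path is chosen by the operators’ attributes, and a more-specific prefix announced by any AS captures the traffic even when a different AS legitimately holds the address space.

```python
"""Toy BGP best-path selection plus longest-prefix forwarding.

Added example, not from the original post. ASNs 64496-64511 and the
192.0.2.0/24 block are documentation ranges (RFC 5398, RFC 5737); the
routes below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: str
    as_path: tuple          # leftmost AS is the neighbour we heard it from
    local_pref: int = 100
    origin: int = 0         # 0 = IGP, 1 = EGP, 2 = incomplete (lower wins)
    med: int = 0            # lower wins
    router_id: str = "0.0.0.0"  # lower wins as the final tie-breaker

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


def select_key(r: Route):
    """Sort key for the (simplified) BGP decision process.

    Highest local_pref first, then shortest AS_PATH, lowest origin code,
    lowest MED, lowest router ID. Note that nothing here is under the
    sender's control; every attribute is set by network operators.
    """
    return (-r.local_pref, len(r.as_path), r.origin, r.med,
            int(ipaddress.ip_address(r.router_id)))


def best_paths(rib):
    """Pick one best route per prefix from all received announcements."""
    best = {}
    for r in rib:
        cur = best.get(r.network)
        if cur is None or select_key(r) < select_key(cur):
            best[r.network] = r
    return best


def lookup(fib, dst):
    """Forwarding: longest-prefix match across the installed best routes."""
    addr = ipaddress.ip_address(dst)
    matches = [n for n in fib if addr in n]
    if not matches:
        return None
    return fib[max(matches, key=lambda n: n.prefixlen)]


# Constructed sample: AS64496 legitimately originates 192.0.2.0/24 and is
# heard via two upstreams. AS64511 (the hijacker) announces the more-specific
# 192.0.2.0/25 over a longer path.
SAMPLE_RIB = [
    Route("192.0.2.0/24", (64500, 64496), router_id="10.0.0.1"),
    Route("192.0.2.0/24", (64501, 64502, 64496), router_id="10.0.0.2"),
    Route("192.0.2.0/25", (64503, 64504, 64505, 64511), router_id="10.0.0.3"),
]


def best_path_for(prefix, rib=SAMPLE_RIB):
    """AS_PATH of the route this router would install for a prefix."""
    return best_paths(rib)[ipaddress.ip_network(prefix)].as_path


def forwarding_origin(dst, rib=SAMPLE_RIB):
    """Origin AS that traffic to dst would actually be delivered to."""
    r = lookup(best_paths(rib), dst)
    return None if r is None else r.as_path[-1]


if __name__ == "__main__":
    for dst in ("192.0.2.10", "192.0.2.200"):
        print(dst, "->", forwarding_origin(dst))
```

Traffic to 192.0.2.10 lands in the /25 and is delivered to the hijacker, while 192.0.2.200 (outside the /25) still reaches the legitimate origin over the shorter of its two paths. The practical consequence is the one the paragraph hints at: on the Internet, confidentiality in transit cannot come from choosing a trusted route, so it has to come from end-to-end encryption of the payload.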

Consider the case of Egypt (a member of the UPU since 1875) near the end of the Mubarak regime. On January 27, 2011, in large measure because it could not control the flow of Internet communications, the Egyptian government severed the country’s connections to the Internet, shutting it down. Over 93 percent of Internet connections were severed; only government institutions remained online. With the Egyptian economy losing tens of millions of dollars per day and in the face of increasing domestic unrest and international condemnation, the shutdown did not last long; by 1 February 2011, Internet Service Providers (ISPs) were reestablishing all of their services. This event demonstrates, however, how easy it is for a government uncertain about unregulated Internet traffic to act unilaterally and assert control over digital information flows quickly and decisively, despite the presence of a modern, multidimensional, and privatized information sector.

Similarly, the multifaceted approach of government regulation, censorship, monitoring, self-regulation, and protectionism in China (a UPU member since 1914) has been highly effective in restricting the access and digital privacy of China-based Internet users.

The international, multi-stakeholder governance models that underpin the UPU and the International Telegraph Union (now the International Telecommunication Union, ITU) are widely accepted and have much to offer. As Shawn Roberts and Michael Jablonski point out, the origins of those organizations and the historical conditions prompting their charters offer important precedents. For example, the UPU not only standardized postal policies and costs across international borders, but more importantly it fostered norms favoring the availability and confidentiality of correspondence. These policies, standards, and norms were considered crucial to maintaining the world’s first coordinated system of global communication. We would do well to look to them again.

It is time now to establish a similar set of transparent rules governing the assurance and security of global Internet traffic. It is simply unacceptable for the majority of Internet communications to be subject to the whims of either government entities or private service providers and, because they are managed by an automated protocol, to be generally unsecured and unprotected. Security and assured performance must truly co-exist with functionality and ease of use. We need a Universal Internet Union representing the interests of countries, corporations, and private citizens alike that takes back control of the Internet and brings assured governance to the digital communications that have come to dominate our world.

And we need it now.

Samuel Klein earned his B.A. from The George Washington University, where he studied international affairs, cyber-security, and Mandarin Chinese. His honors thesis investigated China’s information warfare strategy and objectives to assess the possibility of a Chinese cyber-attack targeting US critical physical infrastructure.

Greg Gardner, PhD, is a Senior Fellow with the GW Center for Cyber and Homeland Security.

Cyber attack on Canadian government points to need for resilience

Last week, the Canadian government was hit by a distributed denial of service (DDoS) attack. The hacktivist group Anonymous claimed responsibility, saying the attack was a protest against proposed federal anti-terrorism legislation that has since become law.

Curiously, the incident seems to have generated little analysis or comment in the public square, at least beyond the initial media reports. Perhaps we have simply become inured to the pace, breadth, and depth of cyber events in the headlines worldwide?

Whatever the case, we would all do well to re-energize and refocus our efforts on cyber-resilience, given the scope and scale of global cyber challenges. See my commentary on the subject, which takes the Canadian case as jump-off point, and which was published today by IPI’s Global Observatory.

Bouncing off the cyber walls

In the movie “Apollo 13,” the saga of the near-fatal moon mission, there is a harrowing scene toward the end of the film that has reminded me of the last several days in the cyber world. Two of the exhausted astronauts get into a horrific argument over their plight. The commander, Jim Lovell, equally tired, tells them to “stop bouncing off the walls,” as their problems will remain the same after whatever time they waste yelling about it. So it is with our current beatings taking place over the OPM information breach and its potential consequences.

Whatever the finger pointing and vituperative remarks, there remain four fundamental issues that must be addressed in our Federal government’s cyber world, or the mistakes of the past will continue to be repeated:

First, we need to address the “ignorance” of senior managers regarding their IT systems. The challenge is getting government IT staff, wrapped in their own world, to explain clearly to their management and their personnel exactly what the risks are. Legacy systems and the absence of centralized buying procedures have been a bane of IT people within the government, and that needs to be fully explained as well. But it would also not hurt for senior managers to take some time to listen and fully engage with their IT people.

Second, contractors must be able and willing to tell the truth about the vulnerability of their systems, and government procurers have to stop beating them up for it. No contractor, no matter how good, wants to say that its product cannot fully protect the system it is bidding to install and/or proposing to protect. The government must also understand that there is no such thing as 100 percent security in any system, no matter what the promises.

Third, everyone needs to understand that the challenge of insider threats and of outside capabilities to break into systems will exist no matter what. This is a simple case of risk management in a risk-averse age. No matter what we spend on security, or how often we give background checks or polygraphs to the information handlers, something is going to happen. If you don’t want your “crown jewels” stolen, limit access to them. But realize that there will always be some way to get to them.

Fourth, and finally, this is the moment for a true public-private partnership on the subject of IT security. Both sides need to come together now to discuss best practices in a comprehensive way. The government simply cannot do this on its own. There is too much cutting-edge work going on in the private sector, and government ignorance of the full field of what is available is costing us too much, both in privacy and in national security risk to its employees.

As much as it is a feel good exercise to beat up OPM, bouncing off the cyber walls gets us nowhere. We know the problems. It is up to senior members of our government to act swiftly to take care of them.

Ronald Marks is a member of the GW Center for Cyber & Homeland Security’s Board of Directors.

Paying for Non-Secrets

Former Director of Central Intelligence George Tenet famously said when asked about so-called open source (unclassified) intelligence, “we only pay for secrets.” He spoke with the confidence of a man born and raised in the world of the 20th century spy and the Cold War. With the massive leak of government employee information from the Office of Personnel Management (OPM), Director Tenet’s statement has been proven quite wrong for the 21st century. China and others are willing to pay for “non-secrets” and they matter.

As data breaches go, the OPM break-in was not the biggest one experienced in the past few years. Target, JP Morgan Chase and a few others were larger in breadth and scope. But they did not contain information that could be used to target and engage in spying on the US government.

As an old spy, I wanted information. I wanted people’s backgrounds: where they lived and had lived, who their relatives were, and what personal problems they might have. That way I could figure out how to develop a successful “relationship” with someone who would spy for me. And, also, target more successfully, not wasting time on someone who did not matter.

You see, the real trick in human intelligence is finding people with access to important people and their information. I don’t want to recruit the Secretary of State: too big, too awkward to meet and not likely to be recruited. No, I want someone on his staff or someone who has access to his staff and especially their work product.

The OPM leak contains millions of personnel files that will help China do just that. Files on government employees and their contractors, with a summary of their backgrounds and what programs they have access to, are quite sufficient for my targeting purposes.

In the 21st century, information contained in files like OPM’s needs to be treated the way old-fashioned state secrets were. I am sure whatever investigation there is will turn up either woefully inadequate IT security, inside actions, or both. I am not going to debate that right now.

What I am going to say is that it is up to the current Administration and those going forward to understand why data breaches like OPM are so dangerous to the national security of this country. Just because something is unclassified does not make it unworthy of security.

Welcome to 21st century cyber conflict. Information is a weapon to use and target, and cyberspace is the battlefield. So far, if OPM is the indicator, the U.S. government is getting skunked.

New CCHS analysis of the OPM cyber hack

Yesterday CCHS Director Frank Cilluffo and I published a commentary on the OPM hack traced to China and affecting millions of US government employees. The article appeared in The Conversation and is entitled: “Massive government employee data theft further complicates US-China relations.”

Details continue to emerge and it’s not yet clear whether the Chinese government was involved in the incident. Interestingly, however, the case has been revealed publicly just weeks before the annual US-China Strategic and Economic Dialogue scheduled for June 22-24.

Against this background, here’s the key takeaway from the piece:

If both sides are genuinely serious about addressing cybersecurity, this would be a timely and appropriate opportunity to demonstrate their commitment by skipping the pomp and circumstance to address the tough issues.

In short, if indeed this massive hack is the work of a criminal enterprise, then this is China’s opportunity to show that it is serious by conducting a joint investigation with the United States and by prosecuting wherever the facts and evidence lead.

Should China be reluctant to proceed in this manner, then the United States should look to its own legal instruments and invoke and apply them.

In that sense, the case is a litmus test for this country’s policies and practices as well.

You can read the full article at this link.

Protecting 911 call centers from cyber threats: Federal action needed

The growing threat of cyber attacks on 9-1-1 call centers, also known as public safety answering points or PSAPs, has become a serious homeland security concern. PSAPs are the public’s vital link to life-saving emergency services. As of March 2015, there are some 5,906 primary and secondary PSAPs in the United States, which together receive 240 million 9-1-1 calls each year. The next generation of public safety communications will be even more reliant on information technology.

Existing narrowband, circuit-switched 9-1-1 networks carry only voice and very limited data, so PSAPs have focused largely on preventing Telephony Denial-of-Service (TDoS) attacks. Advancements in Next Generation IP-based systems and emerging mobile technologies increase the threat of infiltration and exploitation of emergency communications systems. Next Generation 9-1-1 (NG911) systems will be a “network of networks” providing connectivity between PSAPs regionally and nationally. As these systems become connected to the Internet, public safety communications will be exposed to the same threats as any other IP network.

NG911 will allow our increasingly wireless society to reach 9-1-1 through texting and mobile apps, as well as to send images, videos, emails, and other documents, any of which could carry embedded malware capable of spreading rapidly through the network. First responders are also making greater use of data and cloud computing. Sensitive public safety information stored in the cloud, such as emergency medical patient care reports and police body camera video, could become a target for hacking.

Unfortunately, information sharing across all levels of government and the private sector is lacking, often leaving local public safety agencies blind to the latest threats to public safety cyber infrastructure. PSAPs may not be aware of the steps they should take to mitigate emerging threats to their networks.

Ultimately, the primary responsibility for protecting critical NG911 infrastructure lies with PSAP owners and operators themselves. But the federal government has a crucial facilitative role to play in public safety cyber security, which includes:

  • Protecting critical infrastructure. DHS has begun collaborating with public safety sector stakeholders to address cyber security implications of information and communications technology through the National Infrastructure Protection Plan. DHS must continually engage NG911 and Nationwide Public Safety Broadband Network officials to create sector-specific plans within the NIPP framework.
  • Providing forums where industry stakeholders can engage in risk assessment and mitigation. The federal government needs to work with public safety agencies, and engage private communications and cloud service providers, to ensure the security of critical infrastructure from cyber threats. Use of models for information sharing, such as the Multi-State Information Sharing and Analysis Center (MS-ISAC), must be encouraged.
  • Providing tools for prevention and intervention. The federal government should disseminate cyber intrusion detection and prevention tools to public safety partners, and should be permitted, when required, to assist localities and other entities in addressing and repairing damage from a major cyber-attack and to advise them on building better defenses.
  • Improving information sharing. The multiple cybersecurity information sharing bills currently being considered in the House and Senate would require federal agencies to develop and promulgate procedures that promote the timely sharing of cyber security threat information to prevent or mitigate adverse effects. Congress must work to pass legislation that removes existing impediments and improves incentives for information sharing, while also safeguarding the civil liberties and privacy of citizens.

Scott Somers is a senior fellow with the GW Center for Cyber and Homeland Security and sits on the Center’s Preparedness and Infrastructure Resilience task force. He previously served on the FirstNet Public Safety Advisory Council and SAFECOM Executive Committee.

A recap of our event with NSA Director Rogers

Yesterday the Center for Cyber & Homeland Security convened a forum, “State of the Cybersecurity Union,” featuring Admiral Michael S. Rogers, Commander of U.S. Cyber Command, Director of the National Security Agency, and Chief of the Central Security Service. Below are some of the highlights of Admiral Rogers’ remarks, which spoke to the current state of cybersecurity threats to the United States, and what both CYBERCOM and NSA are doing to address these threats, in light of the new Department of Defense cybersecurity strategy released last month.

On the evolving threat: “A whole set of actors is increasingly using encryption to evade the law/law enforcement and intelligence. Being in an environment where threat is up and trust is down is bad for a nation. The greatest segment of capability in the cyber arena continues to be criminal.”

On cyber deterrence: “Cyber is a great equalizer. It doesn’t take millions of dollars or decades of R&D to achieve capability. It’s hard to convince actors that they won’t be successful at cyber-attacks, so we need to raise their costs. Merely because an opponent comes at us in the cyber domain doesn’t mean that our response has to be in that domain. Response is situation dependent.”

On offense, defense: “DOD intends to generate a series of offensive cyber capabilities that will be applied as necessary within a legal framework. The defensive piece is our priority and it’s also our challenge.”

On the role of the private sector: “Partnerships between nation-states and the private sector offer great promise. If we can’t do this it’s like fighting with one hand. In the United States we don’t use the capabilities of our intelligence community to generate benefits for our private sector.”

For more of Admiral Rogers’ thoughts, watch the archived event webcast here.

For selected media coverage and analysis of the event, see these articles: Agence-France Presse, CNN, FCW, Wall Street Journal, and Washington Post.

New report on use of cyber espionage in Russian warfare

In a recently released report entitled “Operation Armageddon:  Cyber Espionage as a Strategic Component of Russian Modern Warfare,” cybersecurity firm Lookingglass details evidence and constructs a timeline in support of the following argument regarding Russian activities in the conflict with Ukraine:

The campaign reveals a Russian state-sponsored cyber espionage campaign that is designed to give decision-making advantage to the Russian leadership by targeting Ukrainian government, law enforcement, and military officials in order to steal information that can provide insight into near-term Ukrainian intentions and plans. Temporal analysis of the campaign indicates a direct correlation between the cyber attacks and the ongoing war, in addition to highlighting an alarming blend between cyber espionage, physical warfare, and the driving political forces behind them.

While the suggestion that Russia has integrated cyber instruments and operations into its kinetic battlefield strategy should come as no great surprise (recall the 2008 war with Georgia, for example), the report and this analysis by Aarti Shahani, NPR’s Business Desk Tech Reporter, make the interesting point “that when both sides negotiated a cease-fire last June, the cyber attacks stopped for that same period as well.”

Citing Indiana University law professor Fred Cate, the NPR piece elaborates: “It looks like the hackers see themselves as part of the battlefield…, ‘and so they stop those attacks when a cease-fire’s in place — as opposed to thinking of themselves as just intelligence gathering, which usually continues even during a cease-fire’.” In other words, “‘It’s like the adversaries are actually thinking of themselves as attacking’.”

As a corollary, Shahani observes: this also “raises the question of when hacking constitutes an act of war.” Again, not a new question, but it springs from a set of circumstances that give new pause for thought.