Jim Kelly: The State of Cyber Warfare

Written by Jim Kelly

Cyber warfare is inevitable. It’s what think tanks, intellectual leaders and the director of the NSA believe. Why are we not doing more to prepare?

aNewDomain — Democratic frontrunner and former Secretary of State Hillary Clinton has been under continual, relentless fire during the two-year Congressional Benghazi investigation, which involved the tragic 2012 deaths of an esteemed U.S. ambassador and four others at the high-walled Libyan consulate, a partially burned and still abandoned villa.

emailgate hillary clintonLast week on October 22, Clinton headed to the Hill and faced her Republican persecutors for the second time. She already testified in 2013 before the Senate Foreign Relations and House Foreign Affairs Committees about the fatal incident that terrible night. Political pundits have been spinning and weaving viciously for months, including Committee Chairman Rep. Trey Gowdy, who is under dire pressure “to put up or shut up” during the full day of Congressional testimony of Clinton, who sat in the hot seat to protect her leadership and management of security issues as former Secretary of State.

Sharply undercutting the circus of Republican partisan attacks against Clinton, the CIA testified last weekend that disputed emails exchanged on an unsecured server between then-Secretary Clinton and her high-level friend and advisor, Sidney Blumenthal, were not deemed “classified” for national security purposes. This was the “bullseye” issue that Republicans on the committee have been dogging Clinton for.

To her credit, Clinton has expressed deep regrets about the terror strike in Libya that killed four Americans and has apologized about the confusion surrounding the email flap that involed Libya and the department’s efforts to strike an accord in the Middle-East between Israel and Palestinians.

More than anything (especially Clinton’s reputation) this controversy serves as an urgent wake-up call for government officials. They can no longer ignore routine security audits. They need to identify flaws in their networks. And, most importantly, they must execute new security paradigms to prevent international incidents and the U.S. from vicious hacking attacks.

Foreign Nation-States, Organized Crime and Hacktivists

Independent audits over the course of several years have issued warnings to the State Department for weak cybersecurity, especially during Clinton’s watch. Reports from 2011 through 2014 show clear failures and the worst report card in federal government since 2009.  The department’s inspector general claimed that the agency’s cybersecurity had a “significant deficiency.” The pending 2015 assessment has not yet been disclosed.

State Department spokesman Mark Toner disagreed with the poor appraisal of the department’s cybersecurity. He said,

The department has a very strong cybersecurity program … we have successfully defeated almost 100 percent of the 4 billion — and I’ll say that again — 4 billion attempted intrusions that we experience each year.”

He further claimed that the Clinton State Department created an exemplary model of cyber monitoring, which has since been implemented in other agencies.

darknet memexHowever, the issue isn’t how many attempts have been thwarted — it’s how many have penetrated the firewalls into sensitive government IT operational systems. The Clinton-Kerry State Department falls under greater scrutiny in protecting against cyber attacks than other outfits, so investigation of its methods are ever-present. For instance, government officials are attempting to confirm the claims of a hacker (still in high school, if they can be believed) that said they broke into personal email accounts of 25-year spy veteran, CIA Director John Brennan (who reportedly may still be using an AOL account), and Department of Homeland Security Secretary Jeh Johnson.

Concerning other agencies’ data security profiles, a September report released by the Government Accountability Office (GAO) identifies perpetual weaknesses in data security across 24 agencies in the past two years, and GAO’s multiple recommendations have not been implemented. Moving forward from these obvious vulnerabilities, the U.S. will need to have cyber accountability and crack down on lax agencies and their leadership (much as the private sector has) if they are to shield against future attacks.

Intelligence officials have warned the Senate Armed Services Committee that cyber attacks are becoming “more frequent, more sophisticated and more severe.” They identified specific concerns about foreign government-sponsored hackers, data manipulation and corporate espionage that could undermine the nation’s infrastructure. It’s clear that the security needed to defend against cyber warfare is paramount.

U.S. and China Call Truce on Cyber Security Law

The Office of Personnel Management (OPM) weathered severe criticism over the summer after acknowledging malicious cyber theft involving breaches of government databases, including the Pentagon, which exposed sensitive personal information of over 22 million people.

As I stated in “DARPA Memex: How It Works and What It’s Up To — Really:”

In June, OPM disclosed an October 2014 breach of systems maintained at a Department of the Interior shared-services data center, which led to the exposure of an estimated 4.2 million personal records. Applicants for clearances complete a 127-page Standard Form-86, which contains all of their personal information, work history, family, associates, deviances and proclivities. Consequently, an unknown adversary now possesses the granular personal information belonging to the 19.7 million U.S. citizens who have requested or possessed a security clearance since the year 2000.

Numerous officials, including U.S. Intelligence Chief James Clapper, have attributed the attack to China. FireEye, iSight Partners and other firms attribute the attack to a Chinese state sponsored APT group, referred to as “Deep Panda.” “Deep Panda” steals PII from U.S. commercial and government networks for Chinese intelligence and counter-intelligence purposes. Even worse, the amount and detail of information about each victim increases in proportion to the individual’s level of security clearance.

cyber warfare china cyber securityFor purposes of espionage, this means that individuals with the highest clearance levels are at the greatest risk of exploitation.

In September, the U.S. and China were working on a truce to refrain from cyber attacks against critical infrastructure — including nuclear power, energy, theft of intellectual property with the intent to gain competitive advantage and aerospace. This would only be in effect during peacetime.

Dan Kritenbrink of the National Security Council serving Asian affairs commented:

“I’m reluctant to raise expectations but it’s a long term goal … We’re a long ways from getting there but that certainly is a goal.”

Although surveillance will carry on (business-as-usual), if the outlined cyber goals are unfulfilled, the U.S. will resort to “punitive measures,” including economic sanctions. “Sanctions remain a tool and we are prepared if necessary to pursue sanctions if we felt a case that merited that type of punitive action,” Kritenbrink said.

Morgan Wright, a cyber security analyst and senior fellow at the Center for Digital Government, said,

“There is never, ever a silver bullet. You cannot prevent everything from happening … You can’t stop fires from happening, but what you want is the fastest fire department on the planet.”

However, in the government’s “one-size-fits-all” philosophy, it’s evident so far that an entry-level janitor has the same level of “protection” as the Seal Team 6 super-soldier. This is due to a lack of vision within OPM’s bureaucratic haven, given that there were no disciplinary measures for the catastrophic security breach, other than OPM’s director, Katherine Archuleta, stepped down from her leadership post.

Nevertheless, last week, regulators issued a stern warning to Wall Street that financial firms with lax cybersecurity practices will suffer a regulatory crackdown. The director of the SEC’s Division of Enforcement, Andrew Ceresney, in reference to a confidentiality rule that mandates financial institutions to protect customer monetary data and proprietary information, firmly stated: “If firms don’t have appropriate policies and procedures in place, that could be a [regulation S-P] violation.”

Antiquated Systems Must Be Upgraded

James Scott, a senior fellow at the Institute for Critical Infrastructure Technology who recently co-authored a report on the OPM breach — shared his view:

“You can’t really protect against a breach … What you have to do is count on a breach happening and timely intervene to stop a bad actor within the system.”

Scott observed that the OPM breach occurred due to the department’s dated technology and antiquated encryption systems. In other words, security must be purposeful — not an afterthought.

cyber warfare FBI NGIThe use of behavioral analytics or biometrics could help, according to Scott. In the last few years, federal law enforcement agencies have been expanding biometrics programs. The massive face recognition system Next Generation Identification (NGI) database is one such example. There’s also portable, mobile biometrics (i.e., handheld Androids) that are made for “time-critical situations” for street-level fingerprinting via the Repository for Individuals of Special Concern (RISC).

However, collecting information on Americans for non-criminal purposes and then using the same biometrics for criminal purposes has moral issues. With this technology the government can submit the personal data of innocent civilians without any connection to the criminal justice system in the process of conducting thousands of criminal searches each day.

Martin Libicki, a RAND Corporation cybersecurity expert, stated that investment banking firms, pharmaceutical researchers and defense contractors as high-risk targets are far more effective than the government sector in minimizing their attack surface while anonymizing themselves from the hacktivists and nation states wishing to cause them harm. On August 6, 2015, ICIT issued a chilling white paper titled, “How to Use Encryption and Privacy Tools to Evade Corporate Espionage.” It describes leading world economic and political powers as carrying out a cyber arms race and buildup of Cold War proportions:

The threat is much greater than you can imagine. We have passed the escalation phase and have engaged directly into full confrontation in the cyberwar. State-sponsored hacking groups are regularly committing targeted and complex attacks against governments, businesses, and individuals.”

Bureaucrats cannot seem to wrap their heads around the government’s desperate need for technology acquisition and this has severely inhibited cybersecurity evolution. The government’s belated attempts to accelerate technical competency continue to fall behind in spite of a recent survey of cybersecurity by BitSight that ranks the government as the second highest performing sector in the U.S. economy. In the world of rapid and flourishing high-tech development, the competitive edge is completely lost in the government sector due to delays, like 12 to 26-month wait periods, during which developments become outdated.

Cybersecurity thought leaders have drafted basic rapid-response protocols in a security intelligence platform that will help to combat advanced cyber threats and active hack attacks. They are:

  • Threat intelligence is automatically received from multiple sources in real time.
  • A threat analysis system automatically correlates threat data to specific risks and then takes risk-based automated actions while alerting management.
  • Emerging internal and external threat intelligence and correlated log analysis are used to predict future attacks.”

admiral michael rogers cyber warfareIn this vein, Admiral Michael Rogers, director of the National Security Agency (NSA) and U.S. cyber commander, recited earlier this week to the WSJ the three persistent cyber issues that keep him awake at night:

  1. Cyber Attacks Targeting Damaging Infrastructure

It is only a matter of ‘when’ that someone users cyber as a tool to do damage to the critical infrastructure of our nation.”

I’m watching nation states, groups within some of that infrastructure. At the moment, it seems to be really focused on reconnaissance and attempting to understand the characteristics of the structure, but it’s only a matter of time I believe until someone actually does something destructive.”

  1. Data Tampering and Manipulation

Historically, we’ve largely been focused on stopping the extraction of data and insights, whether for intellectual property for commercial or criminal advantage, but what happens when suddenly our data is manipulated and you no longer can believe what you’re physically seeing?”

As a military guy, who’s used to the idea that, ‘I can look at a display, I can look at a set of data, and I can very quickly draw conclusions and start to make risk-based decisions quickly,’ what happens if that gets called into question? I believe that’s going to happen.”

  1. Non-State Actors (ISIS)

“What happens when a non-state actor, who literally has no interest in the status quo — take ISIL for an example, whose vision of the world is diametrically opposed to ours — starts viewing the web as not just a vehicle to generate revenue, to recruit, to spread the ideology, but instead they view it as a weapon system?”

Rogers believes that all these traumatic scenarios may actually play out in the emerging cyber environment. He says,

I fully expect that during my time as the commander and the director of the NSA, this stuff is going to happen … And the nation is fully counting on us to be ready.”

The NSA has faced intense scrutiny since former NSA contractor Edward Snowden leaked documents revealing many of its intelligence apparatus, including global surveillance tactics. As aNewDomain writer David Michaelis noted in “Vetting NSA and CIA Applicants and the Black Budget,” Snowden’s actions to expose the issue of state surveillance to the worldwide media continues to have ripple effects. As Michaelis said, “The process of vetting CIA and NSA applicants is turning out to be a real challenge — who exactly can you trust in the post-Snowden era?”

Political Solutions and Millenials’ Role in Future Cyber Leadership

Private industry and cyber think tanks led by Morgan Wright have prompted a political movement, Cyber Decision 2016, an effort to bring cybersecurity forward as a key issue in the 2016 presidential race. During the first-round Democratic debate, candidate Jim Webb identified cybersecurity as one of the most serious of collective threats facing the U.S. presently, but the issue has barely been addressed.

For all the fracas and fireworks between the exasperating, guffawing Republican frontrunner Donald Trump and former Florida Governor Jeb Bush over 9/11 preparedness, Bush wholly failed to defend himself. Wright notes that Bush probably should have mentioned that he has a plan on his website to deal with cybersecurity and protect our critical infrastructure.

‘I would like to see the candidates be more articulate’ on cybersecurity issues, Wright said, in conjunction with articulation about other sophisticated issues such as economics and the environment. ‘If I have to, I will shame candidates into answering this questionnaire.'”

However, the issue has been muddled and seemingly lost in the midst of the Clinton controversy.

According to Wright, the government’s response to cybersecurity threats must be forward-thinking and the leadership must prioritize and make structural changes. He says, “It’s a paradigm shift that needs to happen.”

Just as foreign enemies, such as ISIS, are gearing up its children and youth for future warfare, the NSA has announced its national initiative at “Day of Cyber,” which will provide elementary and middle school children, as well as college students, with online tools to introduce cybersecurity into the nation’s classrooms to gain a new understanding of future challenges.

“You want to harvest in the fall,” Wright concluded, “you’ve got to plant in the spring … What are they going to do right now to start planting the seeds of change?”

Due to their elders’ current failure to confront these cyber issues (unless there is an unprecedented effort to accelerate cybersecurity evolution) this action may fall into the hands of millennials. Many of the generation are already fed up with the NSA.

Who will lead us to a cyber secure future? And how long will it take?

For aNewDomain, I’m .

Images in order: Electronically Cloned Robots by Surian Soosay via FlickrHillary Clinton in 2007 at Senate Armed Services CommitteeDarknet by Daniel Rehn via Flickr; Cyber China screenshot courtesy NBC; NGI Biometrics courtesy FBI; Admiral Michael Rogers via Wikimedia Commons