The Most Important Cyber Issue in 2013: Offense as Defense

Between SECDEF Panetta signaling Iran and other states that the U.S. won't tolerate increased cyber attacks without a response and the increasing impatience on the part of the private sector of being legally restrained from doing anything when they see their stolen data sitting on a foreign server, I predict that the most important cyber topic of 2013 will be active defense. In fact, we had a lively discussion about this very topic last Thursday at Suits and Spooks Boston.

In order to provide a forum where the various implications of taking offensive action under the umbrella of active defense can be explored, debated, and tested, I've decided to dedicate our next Suits and Spooks event to this critical area. I've also expanded it from a single day to a two-day event that will feature hands-on labs in addition to plenary sessions. And unlike SNS Boston, journalists will be welcome at SNS DC 2013.

Two speakers and one lab that are already lined up include Dr. Boldizsar Bencsath, director of the Laboratory of Cryptography and System Security, Budapest who's lab first discovered DuQu, Richard Bejtlich, the Chief Security Officer of Mandiant, and via IRC in one of our labs - th3j35t3r (hacktivist for good). Dr. David Bray, who had been earlier announced, may have a conflict on either of those days so his may be a last minute appearance. Many more speakers and labs will be announced in the coming weeks.

It will be held in the same venue as our February 2012 event - The Waterview Conference Center; a spectacular space overlooking the Potomac river and the Capital from the 24th floor. I'm inviting both national and international experts to participate and am open to your suggestions for the types of labs that you'd like to participate in as well as receiving inquires from companies who'd like to be a sponsor.

As is our custom, attendance will be capped at 100. I've set up a super early bird rate in order to help keep your costs associated with attending low. Considering the controversial nature of this topic in combination with its criticality, I expect fully expect this event to sell-out. See you in DC.

Suits and Spooks DC: Offense as Defense

• February 8-9, 2013 at the Waterview Conference Center, Arlington, VA
• Featuring plenary and breakout sessions (labs)
• Two Continental breakfasts
• Two lunches
• A free signed copy of my new book "Assumption of Breach: A New Security Paradigm" (O'Reilly Media, 2013)

Registration:
Super Early Bird $225.00 (until November 9, 2012)
Early Bird $395.00 (until January 9, 2013)
Standard $595.00 (until February 7 or when the event is sold-out)

Options

Super Early Bird registration $225.00 USD

Add to Cart View detail

U.S. SECDEF on Attribution - A Little Too Optimistic?

U.S. Secretary of Defense Leon Panetta gave a speech on Thursday, October 11, 2012 at the Business Executives for National Security (BENS) Eisenhower Award dinner in New York City where he made the following statement:

In addition to defending the Department’s networks, we also help deter attacks. Our cyber adversaries will be far less likely to hit us if they know we will be able to link them to the attack, or that their effort will fail against our strong defenses. The Department has made significant advances in solving a problem that makes deterring cyber adversaries more complex:the difficulty of identifying the origins of an attack. Over the last two years, the Department has made significant investments in forensics to address this problem of attribution, and we are seeing returns on those investments. Potential aggressors should be aware that the United States has the capacity to locate them and hold them accountable for actions that harm America or its interests.

With great respect for our former Director of Central Intelligence, now SECDEF, I don't believe that we're anywhere near being able to identify sophisticated adversaries in cyberspace that extends beyond being able to give code names to anonymous hacker groups or recognizing certain TTPs. For one thing, five seconds before Secretary Panetta made the above remarks he said "Moreover, DoD is already in an intense daily struggle against thousands of cyber actors who probe the Defense Department’s networks millions of times per day." So clearly if we have "made significant advances to link our cyber adversaries to an attack" and we're still fending off thousands of cyber actors probing DoD networks every day, then someone didn't get the memo!

In fairness, the Secretary didn't say that we are able today to solve the attribution problem. He said that we're making "significant advances" which is too nebulous a phrase to have a fact-based discussion about. The reason why I'm skeptical is because attribution is the kind of hard challenge that DOD farms out to private contractors, who sub-contract that work out to specialists at boutique security firms and I know a lot of those firms. They're all still focused on finding an answer by focusing on the forensics, and the answer won't ever be found through pure forensic research. Why? Because everything that we know about forensics is also known by our adversaries thanks to 900 security cons held worldwide annually and because our adversaries in cyberspace are highly skilled.

It's also ironic that while the SECDEF talks about our growing ability to deter through attribution, that it was the U.S. who was caught conducting a cyber-sabotage operation against Iran's Natanz nuclear fuel enrichment plant, and is suspected in two other high profile cyber attacks (DuQu and Flame). If anyone has demonstrated their ability to disguise their own cyber attacks while attributing the attacks of others, it would be Russia. Many of the U.S. security companies who promote their ability to identify bad guys to the DOD and IC never seem to catch Russia doing anything, yet Kaspersky Labs produces report after report post-Stuxnet on malware that seems to have originated with the U.S. Perhaps we could solve our attribution problem by hiring more Russian security engineers.

Add to Cart View detail