
Monday, 22 October 2012

The Most Important Cyber Issue in 2013: Offense as Defense

Between SECDEF Panetta signaling Iran and other states that the U.S. won't tolerate increased cyber attacks without a response and the increasing impatience on the part of the private sector of being legally restrained from doing anything when they see their stolen data sitting on a foreign server, I predict that the most important cyber topic of 2013 will be active defense. In fact, we had a lively discussion about this very topic last Thursday at Suits and Spooks Boston.

In order to provide a forum where the various implications of taking offensive action under the umbrella of active defense can be explored, debated, and tested, I've decided to dedicate our next Suits and Spooks event to this critical area. I've also expanded it from a single day to a two-day event that will feature hands-on labs in addition to plenary sessions. And unlike SNS Boston, journalists will be welcome at SNS DC 2013.

Two speakers and one lab that are already lined up include Dr. Boldizsar Bencsath, director of the Laboratory of Cryptography and System Security, Budapest, whose lab first discovered DuQu, Richard Bejtlich, the Chief Security Officer of Mandiant, and via IRC in one of our labs - th3j35t3r (hacktivist for good). Dr. David Bray, who had been earlier announced, may have a conflict on either of those days so his may be a last minute appearance. Many more speakers and labs will be announced in the coming weeks.

It will be held in the same venue as our February 2012 event - The Waterview Conference Center; a spectacular space overlooking the Potomac River and the Capital from the 24th floor. I'm inviting both national and international experts to participate and am open to your suggestions for the types of labs that you'd like to participate in as well as receiving inquiries from companies who'd like to be a sponsor.

As is our custom, attendance will be capped at 100. I've set up a super early bird rate in order to help keep your costs associated with attending low. Considering the controversial nature of this topic in combination with its criticality, I fully expect this event to sell out. See you in DC.

Suits and Spooks DC: Offense as Defense
  • February 8-9, 2013 at the Waterview Conference Center, Arlington, VA
  • Featuring plenary and breakout sessions (labs)
  • Two Continental breakfasts
  • Two lunches
  • A free signed copy of my new book "Assumption of Breach: A New Security Paradigm" (O'Reilly Media, 2013)
Registration:
Super Early Bird $225.00 (until November 9, 2012)
Early Bird $395.00 (until January 9, 2013)
Standard $595.00 (until February 7 or when the event is sold-out)



Wednesday, 17 October 2012

Fact-checking Secretary Panetta's Speech Regarding a Preemptive Strike


In an important speech on Thursday night, Defense Secretary Leon Panetta spoke about how the Department of Defense has improved capabilities to protect the U.S. against the threat of a catastrophic cyber attack; that if such an attack were imminent, the U.S. would strike first. While this statement was clearly meant to deliver a message to Iran which featured prominently in the Secretary's remarks, the U.S. lacks the technical ability to deliver on that threat.

According to the Law of Armed Conflict, a nation state must be under imminent threat of an attack which will cause grievous harm to its populace before it can launch a pre-emptive strike in self defense. Rather than a traditional kinetic attack, Secretary Panetta specifically referred to a cyber attack by "an aggressor nation or extremist group [who] could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals". The Secretary went on to say that "If we detect an imminent threat of attack that will cause significant physical destruction or kill American citizens, we need to have the option to take action to defend the nation when directed by the President".

The fact is however that neither the NSA nor any other agency has the ability to identify a malicious program that was custom-written to target an industrial control system before the attack occurs. It cannot "see" such a program traveling across the Internet backbone assuming that were the delivery method. More likely, as in the case of Stuxnet, Shamoon, and other malware, it would be hand-carried onto the target's premises and inserted via removable media into a networked computer which bypasses the capabilities of any NSA-run signals intelligence program to identify it.

Even if we had the ability to discern the purpose and target of malware in-transit, we'd also have to know which nation state was behind it. Although Secretary Panetta claimed that DoD has made "significant advances" in determining attribution, there's ample reason to doubt that statement - the most obvious being the Secretary's own words that "DoD is already in an intense daily struggle against thousands of cyber actors who probe the Defense Department’s networks millions of times per day." Anonymity has provided much of the impetus for the increasing number of automated and targeted attacks against the U.S. and other countries. Those attacks are on the rise because anonymity remains intact.

U.S. offensive cyber warfare capabilities are second to none, but in the words of General Peter Pace, the former Chairman of the Joint Chiefs of Staff, we cannot defend against what we send out, and since what we have sent out (like Stuxnet) is being reverse-engineered, we should re-think whether our being in a weak defensive state is really the best time to be running offensive cyber operations in the first place.

Friday, 12 October 2012

U.S. SECDEF on Attribution - A Little Too Optimistic?


U.S. Secretary of Defense Leon Panetta gave a speech on Thursday, October 11, 2012 at the Business Executives for National Security (BENS) Eisenhower Award dinner in New York City where he made the following statement:
In addition to defending the Department’s networks, we also help deter attacks. Our cyber adversaries will be far less likely to hit us if they know we will be able to link them to the attack, or that their effort will fail against our strong defenses. The Department has made significant advances in solving a problem that makes deterring cyber adversaries more complex: the difficulty of identifying the origins of an attack. Over the last two years, the Department has made significant investments in forensics to address this problem of attribution, and we are seeing returns on those investments. Potential aggressors should be aware that the United States has the capacity to locate them and hold them accountable for actions that harm America or its interests.
With great respect for our former Director of Central Intelligence, now SECDEF, I don't believe that we're anywhere near being able to identify sophisticated adversaries in cyberspace that extends beyond being able to give code names to anonymous hacker groups or recognizing certain TTPs. For one thing, five seconds before Secretary Panetta made the above remarks he said "Moreover, DoD is already in an intense daily struggle against thousands of cyber actors who probe the Defense Department’s networks millions of times per day." So clearly if we have "made significant advances to link our cyber adversaries to an attack" and we're still fending off thousands of cyber actors probing DoD networks every day, then someone didn't get the memo!

In fairness, the Secretary didn't say that we are able today to solve the attribution problem. He said that we're making "significant advances" which is too nebulous a phrase to have a fact-based discussion about. The reason why I'm skeptical is because attribution is the kind of hard challenge that DOD farms out to private contractors, who sub-contract that work out to specialists at boutique security firms and I know a lot of those firms. They're all still focused on finding an answer by focusing on the forensics, and the answer won't ever be found through pure forensic research. Why? Because everything that we know about forensics is also known by our adversaries thanks to 900 security cons held worldwide annually and because our adversaries in cyberspace are highly skilled.

It's also ironic that while the SECDEF talks about our growing ability to deter through attribution, that it was the U.S. who was caught conducting a cyber-sabotage operation against Iran's Natanz nuclear fuel enrichment plant, and is suspected in two other high profile cyber attacks (DuQu and Flame). If anyone has demonstrated their ability to disguise their own cyber attacks while attributing the attacks of others, it would be Russia. Many of the U.S. security companies who promote their ability to identify bad guys to the DOD and IC never seem to catch Russia doing anything, yet Kaspersky Labs produces report after report post-Stuxnet on malware that seems to have originated with the U.S. Perhaps we could solve our attribution problem by hiring more Russian security engineers.

