
Monday, February 11, 2013

Personal Reflections on Suits and Spooks DC 2013

Now that I've had a chance to decompress from and reflect upon the terrific Suits and Spooks DC conference last weekend, I want to share some surprising shifts in thinking that occurred for me during those two days.

The speakers were all terrific, but some topics triggered a lot of passionate debate amongst the speakers and the attendees. You can get a sense of what transpired by reading the live Twitter stream from the event. How those passions were channeled and the manner in which some speakers conducted themselves in the heat of the moment really impressed me. Keep in mind that the speaker to attendee ratio was 1:4. That's unheard of at most conferences. In fact, I don't know of another event where it's that low, which is too bad because I believe that it makes for a much more valuable experience for both the attendees and the speakers.

Some of the areas in which my thinking has shifted include:

International Cooperation. The international speakers that I invited to attend did a phenomenal job. I particularly want to commend Marco Obiso of the ITU. He was on the receiving end of a lot of heated debate and pointed comments and parried them all without losing his temper (I can't say the same about some of his opponents). Marco did an excellent job of explaining the ITU's sometimes controversial platform while always responding to his critics in a balanced and informed way. The lesson for me was in watching how he wants engagement while his critics don't. Obiso and the ITU came out ahead because of that. In an adversarial debate, the side which has a deep expertise and is confident in their ability to engage can do so in a balanced way. Some of the ITU opponents weren't able to do that and they lost the debate as far as I was concerned.

Kaspersky. I take a lot of shots at Eugene Kaspersky, but his employee Roel Schouwenberg did a terrific job in explaining Red October. He provided some new information - that Kaspersky's client who brought ROCRA to their attention was from the European Union. Despite Kaspersky's contractual and non-contractual relationships with the Russian government, they are the world's fourth largest security software vendor and they arguably do the best work in writing reports that describe important malware attacks. Roel will always be a welcome speaker at future Suits and Spooks events.

Hack-Back and Active Defense. Some of the speakers who favored hack-back were successful in describing scenarios that made sense and seemed possible to implement without causing unfortunate blow-back. Other speakers took "hack-back" off the table when describing other active defense practices, particularly deceptive techniques. My take-away was that active defense including hack-back could probably be implemented responsibly by a few private parties but certainly would be taken advantage of by less responsible ones so I think that law enforcement oversight is a requirement. Also, the CFAA definitely needs to be modified from its out-dated current language.

Opinions Derived From Online Interactions. One of the most refreshing things that happened to me was how much I enjoyed interacting with people whom I had previously only known online. We all form opinions about people based upon limited interactions. In today's networked world of social media, many of those opinions are formed without the benefit of personal interactions. And sometimes those opinions conflate individuals with the companies that they were formerly employed by. Last week's Suits and Spooks was a joy for me to participate in because I was newly impressed by some people who I had previously only known from the news or social media. Those newly positive impressions came about precisely because of the extended interaction (two days), low attendee:speaker ratio, and heated discussions. Just meeting someone in "real life" often isn't enough to change perceptions. Extended interaction in combination with engagements or arguments over heated issues makes all the difference.

Feedback. In closing, I'm happy to share some of the feedback that I received from speakers and attendees of Suits and Spooks DC 2013:

"SNS provides a first-class forum to openly (and professionally) debate cyber security policy issues.  Everyone benefits from hearing all sides of the issues and, correspondingly, leave with new perspectives." - Robert Bigman, former CISO, Central Intelligence Agency

"One of those rare conferences where even the speakers learn something new."
- Stewart A. Baker, former General Counsel, National Security Agency; former Ass't Secretary for Policy, Department of Homeland Security

"Suits and Spooks provided a unique forum for discussing the hard, unanswered questions with leading technical and policy experts."  - Jim Denaro, founder of CipherLaw

"SNS provided a spotlight into the evolving edge of cyber." - Greg Hoglund, former founder, CEO of HBGary, Inc.

"Suits & Spooks brought together that right mix of backgrounds that allowed for informed discussion on the challenges of employing offensive techniques in support of defensive measures.  The networking alone made this conference worth being there." - Jim Butterworth, Commercial Chief Security Officer, HBGary, Inc.

"The most interesting, provocative, lively discussion of cyber conflict issues I’ve seen. And that’s my layman’s view." - Tom Gjelten, National Public Radio journalist

If you attended SNS DC 2013 and want to send me a quote to use, please do so via Twitter or email. If you didn't attend, but you want to be informed about upcoming events, you can follow Suits and Spooks on Twitter. Our next event will be announced shortly.

Wednesday, January 2, 2013

Five Critical Panels on the Use of Offensive Tactics in Cyberspace

On February 8-9, 2013, 24 world-renowned speakers will address and interact with about 80 attendees from the public and private sectors in a beautiful conference center high above the Potomac river on some of the most important issues in cyberspace - the controversial use of offensive tactics in defending networks (i.e., Active Defense). The full agenda can be seen here, but five critical panels are as follows:
  • How are Russia and Georgia engaging in Active Defense?
    • Featuring Ambassador David J. Smith (ret.) and Ms. Khatuna Mshvidobadze (Georgian Security Analysis Center)
  • How Duqu, Flame, Gauss, and Shamoon can be reconfigured and reused against different victims (i.e., Iran against Saudi Arabia)?
    • Featuring Dr. Boldizsár “Boldi” Bencsáth (Associate Professor, Laboratory of Cryptography and Systems Security (CrySyS), Department of Telecommunications, Budapest University of Technology and Economics) and Brig. Gen. Jim Jaeger (USAF, ret), Vice President of Network Defense & Forensic Services, General Dynamics
  • How Much Leeway is there in the Computer Fraud and Abuse Act and International Law for Offensive Actions in Cyberspace?
    • Featuring Dr. Catherine Lotrionte (Director of the Institute for Law, Science + Global Security, Georgetown University), Mr. Stewart A. Baker (Partner, Steptoe & Johnson), Mr. Frank J. Cilluffo, Director, Homeland Security Policy Institute at George Washington University, and Mr. Marco Obiso (Cybersecurity Coordinator, International Telecommunications Union (ITU))
  • What’s the Downside of Private Sector Offensive Engagement?
    • Featuring Dr. Anup Ghosh (Founder and CEO at Invincea), Mr. Jeffrey Carr (Founder and CEO, Taia Global, Inc.), Mr. David Dittrich (Chief Legal Officer, The Honeynet Project), and Mr. Robert Bigman (former CISO, Central Intelligence Agency).
  • If the ITU Assumes Ownership of the Internet, How May That Impact International Offensive Cyber Operations by Nation States?
    • Featuring Mr. Marco Obiso (Cybersecurity Coordinator, International Telecommunications Union (ITU)), Dr. Catherine Lotrionte (Director of the Institute for Law, Science + Global Security, Georgetown University), Mr. Robert Bigman (former CISO, Central Intelligence Agency), and Brig. Gen. Jim Jaeger (USAF, ret), Vice President of Network Defense & Forensic Services, General Dynamics
There are only 28 seats remaining and the Early Bird discount expires in one week so register today to be a part of the year's most unique and informative security event - Suits and Spooks DC 2013. If your employer is interested in joining RSA and Basis Technology as a sponsor, please contact me via email for details.


Tuesday, December 11, 2012

Cyber Laws May Need Tweaking

The following is an excerpt of an article that I wrote for SC magazine on the need to amend the Computer Fraud and Abuse Act to keep pace with active defensive options by corporations; an issue that we'll be exploring in depth at Suits and Spooks DC (Feb. 8-9, 2013):

"Law in the United States has not kept pace with the tsunami of cyber attacks that have overwhelmed corporations and the government. It's become such a frustrating problem that information security start-ups, like CrowdStrike, as well as established ones like Mandiant, are pushing for a “strike-back” capability, something that the Computer Fraud and Abuse Act (CFAA) prohibits. Even if a company takes a network counter-attack off the table and just wants to encrypt its own data which it finds stored on another computer, the CFAA makes even that common-sense action illegal. I don't think that will be the case for much longer. In fact, I predict that 2013 will be the year when the concept of “active defense” will finally become a reality.
"It's been a year since the directors of the National Security Agency and the Defense Advanced Research Projects Agency both acknowledged that the U.S. government has been unable to protect its own networks and asked for help from private industry. Earlier this year, two high-profile FBI officials and an Air Force general left government service to join CrowdStrike, a decision driven in part out of the same frustration. Then there was the provocative and somewhat disturbing speech given by Secretary of Defense Leon Panetta in October which warned foreign adversaries that we had significantly improved our attribution capabilities (although there's little evidence to support that claim) and that we would respond militarily to anyone who launched a “destructive” cyber attack against us.
"The drive by private industry to be more aggressive in defending corporate networks and the “signalling” by Panetta that we will respond to destructive cyber attacks are both examples of a military strategy known as “active defense.” However, while computer attacks between nation-states may be allowable under certain conditions, such as a presidential finding under Title 50 for a cyber covert action or under the Law of Armed Conflict, there is no such leeway for private corporations under Title 18, Section 1030 – and there's the rub."

Read the rest of the article at SC Magazine.

Wednesday, October 31, 2012

Active Defense as a Chinese Military Strategy for Informatized Warfare


U.S. Secretary of Defense Leon Panetta said in a speech in New York City on October 11, 2012 that “If we detect an imminent threat of attack that will cause significant physical destruction or kill American citizens, we need to have the option to take action to defend the nation when directed by the President.” This is known as active defense and it's a strategy that China had adopted back in the mid-90’s when the PLA decided to mount a revolution in military affairs in order to confront the U.S. military’s new network-centric warfare doctrine.

Recent military writings published in the journal China Military Science continue to emphasize the need for an active defense:[1]
“While post-emptive moves are a self-defensive strategy of defense upon which our military must insist in the opening of war, it is not an effective way to seize the initiative on the informatized battlefield. To achieve the goal of seizing the initiative, the art of controlling war situations in the initial stage of combat must emphasize active offense, striving to dominate the enemy by capturing early moments of opportunities and conquering the enemy in early battles.”
“[O]ur military’s seizure of early moments of opportunities to dominate the enemy by conducting offensive operations cannot be separated from the basic requirements of active defense.”
According to Timothy L. Thomas[2], the author of many books on both Chinese and Russian Informatized Warfare, an informatized offense is part of China’s active defense plan. This is best described in a 2005 article published in Chinese Military Science “Systems of Military Strategy in the Information Age” about which Thomas writes:[3]
“The primary objective consists of paralyzing an opponent’s strategic command systems to introduce the deterrence function. The five steps to this process are striking at an opponent’s strategic command system, their economic foundations, that nation’s transportation infrastructure, the human resources of the country (especially reserve personnel), and the armed strength of the country in question.”
This 5-part strategy was refined in 2011 in a paper written by Ye Zheng and Zhao Baoxian, “How Do You Fight a Network War?”[4] wherein the authors detailed the following 5 operational forms:

  • Network intelligence
  • Network paralysis
  • Network defense
  • Network psychology
  • Network-electromagnetic integration

Finally, Major General Dai Qingmin, author of New Perspectives on War[5], wrote about the need to expand an information attack beyond combat systems to include the enemy’s critical infrastructure (financial, transportation, communication, and power).

System of Systems
In 2010, Chairman Hu Jintao used the phrase “System of Systems” in describing priorities in strategy and planning for the People's Liberation Army[6]. Unfortunately, the exact meaning of the phrase is difficult to determine. It isn’t a concept that’s unique to China. U.S. military writers used the phrase as early as the mid-90’s.[7] Tim Thomas dedicated a chapter in his book to exploring this important topic but wasn’t able to come to a clear distinction between what it means for the PLA versus the U.S. Armed Forces. Thomas quotes one PLA research fellow who said the difference came down to “capabilities and objectives” between the two nations.


In this author’s opinion, the phrase System of Systems as used by Chinese military theorists refers to an over-arching strategy that assumes network dependence by both sides and seeks to gain control over a greater system within which network-centric warfare is a subset. One example might be the dependence that critical DOD bases have upon the public power grid. The local energy provider will be a much softer target than the military base and the base is most likely entirely dependent upon it. Another example of a System of Systems strategy may be corrupting the supply chain that provides the integrated circuitry used in weapons systems. The bottom line is that when faced with a superior adversary, you don’t attack the adversary directly. You attack the systems which sustain him.


Active Defense Workshop at Suits and Spooks DC
This blog post comes from the research that I've been doing for my next book "Assumption of Breach" which will feature a chapter on Active Defense. I'll also be conducting a one hour workshop at Suits and Spooks DC on Feb 8-9, 2013 which examines active defense in Chinese and Russian military theory. Hopefully, Dr. Thomas will get approval from DoD to speak as well. He's been invited - confirmation is pending. Registration is limited so I encourage you to sign up early.

NOTES:
[1] Thomas, Timothy L., Three Faces of the Cyber Dragon, Foreign Military Studies Office, Fort Leavenworth, KS, 2012, p. 144
[2] Lieutenant Colonel Timothy L. Thomas, U.S. Army, Retired, is a senior analyst at the Foreign Military Studies Office (FMSO) at Fort Leavenworth, Kansas. He holds a B.S. from the U.S. Military Academy and an M.A. from the University of Southern California

[3] Thomas, ibid, p. 151

[4] Ye Zheng and Zhao Baoxian, “How Do You Fight a Network War?”, Zhongguo Qingnian Bao Online, 3 June 2011

[5] Dai Qingmin, New Perspectives on War, PLA Publishing House, 2008, p.64 (quoted by Thomas, ibid)

[6] Li Huamin, Zhang Kejin, and Fu Wenwu “Fierce Tigers of Tashan Ask for Directions in Guagxi – Record of Actual Events about Group Army of Guangzhou Military Region Building Greater Capability for System of Systems Operations,” Jiefangjun Bao Online, 30 July 2010 (quoted by Thomas, ibid)

[7] Manthorpe Jr., W.H., "The Emerging Joint System-of-Systems: A Systems Engineering Challenge and Opportunity for APL," Johns Hopkins APL Technical Digest, Vol. 17, No. 3 (1996), pp. 305–310.

Monday, October 22, 2012

The Most Important Cyber Issue in 2013: Offense as Defense

Between SECDEF Panetta signaling Iran and other states that the U.S. won't tolerate increased cyber attacks without a response and the increasing impatience on the part of the private sector of being legally restrained from doing anything when they see their stolen data sitting on a foreign server, I predict that the most important cyber topic of 2013 will be active defense. In fact, we had a lively discussion about this very topic last Thursday at Suits and Spooks Boston.

In order to provide a forum where the various implications of taking offensive action under the umbrella of active defense can be explored, debated, and tested, I've decided to dedicate our next Suits and Spooks event to this critical area. I've also expanded it from a single day to a two-day event that will feature hands-on labs in addition to plenary sessions. And unlike SNS Boston, journalists will be welcome at SNS DC 2013.

Two speakers and one lab that are already lined up include Dr. Boldizsar Bencsath, director of the Laboratory of Cryptography and System Security, Budapest whose lab first discovered DuQu, Richard Bejtlich, the Chief Security Officer of Mandiant, and via IRC in one of our labs - th3j35t3r (hacktivist for good). Dr. David Bray, who had been earlier announced, may have a conflict on either of those days so his may be a last minute appearance. Many more speakers and labs will be announced in the coming weeks.

It will be held in the same venue as our February 2012 event - The Waterview Conference Center; a spectacular space overlooking the Potomac river and the Capital from the 24th floor. I'm inviting both national and international experts to participate and am open to your suggestions for the types of labs that you'd like to participate in as well as receiving inquiries from companies who'd like to be a sponsor.

As is our custom, attendance will be capped at 100. I've set up a super early bird rate in order to help keep your costs associated with attending low. Considering the controversial nature of this topic in combination with its criticality, I fully expect this event to sell out. See you in DC.

Suits and Spooks DC: Offense as Defense
  • February 8-9, 2013 at the Waterview Conference Center, Arlington, VA
  • Featuring plenary and breakout sessions (labs)
  • Two Continental breakfasts
  • Two lunches
  • A free signed copy of my new book "Assumption of Breach: A New Security Paradigm" (O'Reilly Media, 2013)
Registration:
Super Early Bird $225.00 (until November 9, 2012)
Early Bird $395.00 (until January 9, 2013)
Standard $595.00 (until February 7 or when the event is sold-out)



Monday, December 19, 2011

The Use of Covert Cyber Counter Strikes as Active Defense (and other topics) at Suits and Spooks DC

Waterview Conference Center,  Rosslyn VA
Can the U.S. legally engage in covert cyber counter strikes as a form of active defense against hostile actions by non-state actors in Russia, China or elsewhere? That's one of the forward-looking talks being given at Suits and Spooks DC by Professor Catherine Lotrionte of Georgetown University.

Are tamper-proof chips really tamper proof? Can firmware be extracted from the locked chips such as those used on the captured RQ-170? Travis Goodspeed will show how it can be done on the cheap.

Can a privately funded spy satellite system be used to secure evidence targeting criminal behavior by governments or their officials? Thanks to the work of the Enough Project organization, we know the answer to that question is yes. Jonathan Huston will explain how they did it.

And that's just 3 of our talks. In addition to Catherine, Travis, and Jonathan, Suits and Spooks attendees will interact with:
  • Don O'Donnell - Rand Corporation
  • Rand Waltzman and Randy Garrett - DARPA
  • Dan Geer - In-Q-Tel
  • Anup Ghosh - Invincea
Then from outside of the InfoSec space, reflecting our multi-disciplinary approach, we'll hear talks from:
  • Christopher Burgess - Atigeo
  • Ben Milne - Dwolla
  • Janina Gavankar - Posterous Spaces for Actors
  • John Robb - author, Brave New War
  • Jodee Rich - CEO, PeopleBrowsr
Every attendee will have an opportunity to ask questions and interact with the speakers in an elegant setting overlooking the Potomac river and the Capital. The entire day will be focused on brain-storming new security solutions that we hope will give birth to a revolution in security affairs. Real-time analysis on a Palantir workspace will be flashed onto a screen behind the speakers and a final report will be issued afterwards to members of Congress and interested agencies.

Pricing includes breakfast, lunch, and a wine reception afterwards:
  • Students and academics: $195
  • Gov't employees: $295
  • Early bird registration: $395
  • Standard registration: $495
The early bird registration ends January 6, 2012 and we are capping attendance at no more than 100 individuals, including speakers, so reserve your seat today.
