Tuesday, January 17, 2017

The Atlantic Council Paper

The Atlantic Council released a new paper on cyber security strategy from Jason Healey: PDF Link

Video Introduction Panel:

You can learn a lot from watching the video, and most importantly that in Jason's worldview, the attackers are the Other. The video itself, like many of these panel discussions, is largely people agreeing with each other.

They start the discussion by talking about strategies of the past and how easy they were to summarize. Two examples below:

Containment: A one word strategy ftw!

COIN: Kill the bad guys, win the hearts of the good guys.

But more truthfully, if you had to draw COIN into a memo it would be "Know everything about everyone". In WWII we used to send these spotter planes out into the ocean, which "happened" to come across shipments which we then sunk. The goal, obviously, was to have the ships radio back "SHIT WE'VE BEEN SPOTTED", and protect our real source, which was breaking their crypto and knowing their exact path. Drones are the same thing. They're the scary face of our surveillance, the frontman built mostly out of Java middleware. But they're just like those spotter planes - sent to give you something to fear that's not the real boogeyman. In other words, our COIN strategy is our cyber strategy, mostly redirection and slight of hand.

But yes, when we take a hit, we realize that what we need is a mixed martial art for cyberspace. And that's what this paper SHOULD be.

In the early 2000's, I sat in Harlem starting Immunity and also helping build the early version of our cyber war strategy (and in particular how to glue CNE to IO, which is what Assange was figuring out as well).  Quickly we realized we needed to understand how humans form groups in the internet age. Only one professor has interesting things to say about that as far as I can tell, and that's Clay Shirky. You'll want to read his blog and his book. He was a visionary around all of this material which at the time had very little traction in the computer security world, but if you specialized in offense (as we did) you could see how important it was because so many of our instinctual reactions in defense are wrong.

In Jiu-Jitsu, the first thing you learn is that many of your built in instincts about protecting yourself will get you tapped out. In particular, when someone is sitting on your chest, and you push them off you with your arms, you immediately get your arm broken (armbarred).

The crowd that argues that we should always "lean towards defense" in the cyber policy world likes to use vulnerability discovery as their demonstration for how we should create policies that do that. In particular they think our use of unknown vulnerabilities should be highly limited, and any we find should be immediately given to the vendor. This establishes an outstretched link of information from our signals intelligence arms to our adversary, which is as good an idea as reaching out your arm to a BJJ fighter sitting on top of you.

You can not "lean" in any one direction. In fact, rather than "offense" and "defense" a better mindset is understanding what you control and what you do not, just as in jiu-jitsu. Is ubiquitous stronger crypto leaning towards defense or is it preventing defense (because you cannot look into and filter traffic?).  Advantage in this space is not linear, and the core argument of the paper is overly simplified because of that.

Let's talk more specifically about the paper's arguments:

Note that Dept of Commerce funding is on a trendline down, from 10.2 to 8.5 Billion USD. Dept of Defense is at $521B or so. Let's just say TWO ORDERS OF MAGNITUDE BIGGER. But more than that, the mission of the Dept of Defense is to be a giant software and IT company. They connect millions of people as a matter of day to day survival, and always have.

But part of the reason for why the DoD is a center of gravity in cyber policy is simply that power in cyberspace is maybe best defined as "We know things that you don't." The IC is a natural fit. Commerce is not.

This entire paper is mostly about item 6 on his list. Immunity gave a whole talk in 2011 on why this is misleading, but we will go over how this paper handles it in depth in this blogpost. It's interesting that despite the fact that Jason is from Columbia University, his worldview is directly rooted in Silicon Valley. :)

I have been on the offense for two decades and I can say one thing about it: The grass is always greener on the other side of cyberspace. While every defender, including this paper, laments that the field is tilted towards offense, offensive teams know that you only have to be caught once to lose your entire toolchain, a toolchain that was going bad faster than tomatoes left out in the Florida sun, except a million times more expensive.

You think the NSA wants to be writing and maintaining an entire toolkit that trojans the microcode inside hard drive controllers? They do this because they are at a disadvantage, not as a show of strength.

Let's examine his argument for why Offense > Defense a bit:
Attackers have had an easier time than defense, owing to at least four key failures: Internet architecture, software weaknesses, open doors for attackers, and complexity.

In particular, he claims that internet protocols were designed without security, software has bugs and there are not really market incentives to produce secure code, the cliche argument that attackers always attack the weakest point whereas defenders have to defend all points, and that the interactions between all sorts of our processes on the internet are so complex they cannot be reasoned about and hence defended.

Skip down to Page 30 where he tries to address our issues with cyber defense with strategic countermeasures.

The questions in this paper demonstrate how little we often know about this space before trying to make major policy decisions. The Wassenaar debacle this year is an example of us trying to "lean towards defense" and look where that got us.

Check out the wishful but patriotic thinking in the following paragraph, clearly written before the election happened:

Remember that time Apple told China to go to hell when they asked it to remove LinkedIn from all Chinese iPhones? OH THAT ISN'T WHAT HAPPENED?!?

William Gibson famously said about the future that it was not universally distributed. The paper suggests various ways we can get technology from silicon valley that will help us with this whole defense problem:

Generally the goal of this effort is to accomplish these three things, according to the paper:

  1. Secure Cyberspace as a Means to Advance Prosperity: First and foremost, US policy must ensure cyberspace and the Internet advance US and global prosperity, not least through continuous and accelerating innovation. Other priorities are important, but subordinate.
  2. Maintain an Open Internet to Support the Free Flow of Ideas
  3. Secure US National Security in and Through Cyberspace: (aka, spy)

Look at these policies in the language of "control" rather than "defense" and you'll see that a policy that "leans towards defense" is a thin cover for the desire more nakedly espoused by the outgoing NSC of controlling the entire vulnerability market, maintaining an open internet is a thin cover for trying to control other country's internets and "preventing balkanization".

This is essentially an ideology of complete control. A defensible internet is a totalitarian playspace for big software and media companies that somehow ignores the fact that China wants to censor the Falun Gong out of existence.

Ok, how do we create one of these playspaces, according to the paper?

  1. Issue a New Strategy Prioritizing a Defense-Dominated Cyberspace
  2. Improve US Government Processes on Cyber
  3. Sow the Seeds for Disruptive Change
  4. Develop Grants to Extend Nonstate Capabilities
  5. Regulate for Transparency, Not Security
  6. Long-term Focus on Systemic Risk and Resilience
  7. Look Beyond a Security Mindset to Sustainability

Basically we're going to hope Silicon Valley drags our ass out of the fire if we give them more money to "innovate"?

So, as I'm often criticized for simply criticizing, here is my counter-plan:

If we do need a motto, then it needs to be: Acknowledge that Cyberspace is Different.

  1. Immediately depreciate protocols and products that are as under-water as a Miami Beach house: specifically IPv4, email, Microsoft Office, Microsoft Windows. This is the one thing we could do immediately that would drastically change our defensive posture. 
  2. Fire the head of any agency when any massive data breach impacts the operations of it, up to and including DIRNSA
  3. Revise the clearance system which is old and brittle and not working well for anyone at this point other than Russia and China 
  4. Normalize and address the fact that foreigner's packets and data are identical to domestic packets and data. Nothing in our law and policy handles this at the moment. We clearly have to specifically revise title 10 vs title 50 issues as opposed to monkey-patching it with "legal understandings".
  5. Dominate the information battlespace including in the Law Enforcement area by giving the NSA and CIA room to work (i.e. no more VEP that "leans towards defense" but is just for PR) and building a national mobile forensics center.

This plan is better specifically because it works by controlling ourselves, and not trying to extend our control to the entire software ecosystem and internet.

In other words, we cannot wait for Silicon Valley to come up with a way to secure Microsoft Windows and our old way of doing business: We need to accept a new way of doing business on ChromeBooks and iPhones and other hardened devices that cannot run Microsoft Office or be Phished.

To make it a motto: My problem with Jason Healey's paper is that he proposes we wait for the future to secure us. But the future is now, if we want it.


Ok, as a P.S.: This is the craziest idea in the paper. I mean, I like that he's thinking about metrics, but it's an example of a way of thinking that is as carbonized as Han Solo.

That doesn't mean there isn't work to do, but that work needs to be spent building an internet that is immune to the effects of botnets, not trying to combat the existence of botnets themselves.

Tuesday, January 10, 2017

How do you handle a bug class drop?

So one thing to ask yourself is whether your organization can handle the discovery (or public release) of an entirely new bug class. For example, when Format Strings became known, people adjusted their source code analysis tools, software development lifecycles including their COMPILERS, inventory systems, and entire understanding of classes of vulnerabilities. Not to mention all the offensive teams that need to jump on this sort of thing.

We talk often about how private entities know more bug classes than you do. But few people have any level of preparation for when the next bug in libc comes out.

Sunday, January 8, 2017

The CSIS Paper Review - Part 1

So the CSIS paper shines when it gets a bit "salty", in the parlance of the times. In many ways the INTRODUCTION of the paper is its best part, which is rare.

"Turning to technologists didn't work" - I wonder if this was written by a lawyer! :)

This section is the best section in the whole paper, and worth a deeper look. Because all of these papers are the same, be they from MIT/Brookings/Stanford/CSIS or the team I'm working with. They all look at where we are, realize it was not a huge success (which frankly, several months ago was not consensus), and then try to determine a GRAND BARGAIN that can break the logjam we're in and move the needle.

Many of these groups think that moving the needle means "Securing the whole internet", which is a conceptual trap they've fallen into. But every group seems to know that without dealing with everything holistically, you are getting nowhere. That means we have to actually come to an agreement on gnarly domestic issues, such as encryption, warrants, and liabilities, to international relations issues such as what it means to go to war over the internet.

And there is, somewhere, a core of agreement between all of the policy groups positioning themselves on this issue.

The easiest way to judge these papers is to look at where they stand on a few clear issues that I've selected as tests:

  1. How do they prevent the next OPM
  2. How do they prevent the next "electoral hacking"?
  3. What harsh truths do they admit, in particular, do they admit we are going to have strong crypto on phones one way or the other, and what are they going to do about it?
  4. How do we protect Jordan in cyberspace since we need them to project our power in meat-space?
  5. Do we have any answer whatsoever to ransomware?
For the first one, which is legitimate espionage on one hand, but something we need to defend ourselves against, it's clear the answer is not in the thicket of "deterrence", which always drags every discussion towards "this is someone else's problem, maybe the military's, maybe the State Dept, but not mine, for sure?" 

The Federal CISO's Role

Federal policy types (stereotyping here to annoy Mara), as in that CSIS introduction, often see a CISO role or CIO's role as "manage the IT stuff to make it secure so I can run my business/administration". Nothing could be further from the truth. A CISO's role is to manage what your business is. They don't tell you what computing infrastructure you need to have a branch office in China securely; they tell you you can't have a secure branch office in China. 

And this is where the policy people with deep expertise in federal structure can really lend value in this process: Tell us the organizational innovations that can make it possible to manage the Information Security of the federal government in all its complexities. Where non-technologists go wrong is in trying to set policy in a space they cannot predict tomorrow in. And where technologists go wrong in these papers is in trying to suggest policy solutions that don't work in the current management miasma of the federal government. 

But we need both: A federal government that is unmanageable in the information security sense is unmanageable in any sense in the modern world. Eight years from now, one way or the other, the federal government will have a biometric record of every person in the States, or who has ever been in the States.  And if your Cybersecurity Agenda for the 45th President can't get us there, then it needs to be reworked.


Let's move on to what I consider some debatable prospects. I don't think many of these papers are really meant to be read for content, so much as a collection of resumes applying to have influence and a statement of worth, but it's still worth doing:

attack->attacks (I do all the proofreading for you). Also interesting how Risks are measured in dollars here mentally, and I'd caution that stealing the RIGHT billion dollars worth of information can have strategic effect larger than the monetary value...

Ask yourself if any reasonably sized penetration testing team (NCCGroup, for example) could have done the attacks against our electoral process that resulted in our recent Russian Sanctions. Even the small players in this field do similar attacks EVERY DAY. And somehow policy teams continue to insist that the greatest risk is from attacks whose effect is equivalent to use of physical force? Nothing could be further from the truth. This weird fetish for "equivalent to physical force" is an example of people who are not comfortable with the cyber domain. 

Is the internet just some machines routing packets? "They exist in physical space somewhere!" you can hear the Tallinn philosophers opine. Or is it a software layer where no particular request is routed to any particular storage center, as Microsoft would inform you if you ask them. 

But this is why when lawyers, especially those with backgrounds in the law of war, try to project the future, they fail at seeing the risks right in front of them. The only actors capable of the most damaging attacks are nation states? Yet 90% of politico was Julian Assange this year, and as much as people try to make him out as a Russian Stooge, he's something else even more annoying to our worldview - a non Nation-State actor.

Reread this document with an eye that non-nation-state actors already have the capabilities they assumed they would not "for the next few years" and you'll come to different conclusions.

The Security Umbrella

This is a two-pronged question but deep down WHO do we have doing a more formal approach to building security and stability is the hard part. We tend to focus on really big countries, like Brazil and India and China and Russia but equally important are Jordan and Israel and Singapore and Argentina.

How do you extend your security umbrella to your allies? What does that even mean? These are hard questions and I try to read all these papers for ideas around that.

In some senses, this is similar to our domestic problem of sharing information with industry partners, but sharing information doesn't help you unless you also share actions, as we've learned.


Every single working group on this subject wants to finally get over the encryption issue and has come out against backdoors or any legislative solution. Law Enforcement is going to have to deal. In the long run, we need to remove crypto from export control as well. I'm not making this as an argument here, only pointing out that every single working group producing these papers says the same thing in slightly different ways. They should probably be more explicit with what the FBI would do with more dollars, and include state and local police in the solution. But we've gone over that before.

This particular paper comes out against active defense as well, which is worth discussing later, but at least they have a position and section on it. :)


These sorts of papers represent a lot of work, and it's interesting that they don't get ripped up a bit more - possibly because I overthink them. But regardless, if you're one of the authors and you disagree feel free to ping me and I'll amend this in place or add a section on why I'm wrong. MAYBE MORE BEST PRACTICES FROM NIST IS EXACTLY WHAT WE NEED! :)

Saturday, January 7, 2017

"Zero Day===Totally Gnarly"

So RDanzig sent an email to someone I'm working with on a policy paper and he corrected a term "Zero Day" to be "Zero Day Exploit vs Zero Day Vulnerability". This insistence on broken terminology is common among a certain set of policy people and it's a bit laughable.

"Zero Day" does not have a technical meaning, despite any Rand papers to the contrary, and the honest truth of it is that it is synonymous in the technical community to "Totally Gnarly". In your head, replace "Zero Day" with "Totally Gnarly" when reading a paper by any of the policy teams and they'll make equal amounts of sense.

I want to, of course, focus on the recent CSIS paper, which we've all read by now. It has a broken section on "Zero Vulnerabilities", which at first I read as similar to "Zero Inbox", but turns out to just be their West Coast team not knowing that it's "Zero Day" and then trying to put extremely dangerous policy ideas into their paper, seemingly without any internal peer review process?

A legally enforced code of conduct for all security researchers? Imagine the fun of trying to get that working when we can't even agree on basic principals around the subject in 40 years of trying. NIST, which had the NSA backdoored random number generator debacle and lost all industry trust, is going to "Gather best practices" on vulnerability handling? Is that really something we need? NO. GIANT WASTE OF TIME IS WHAT IT IS. The US Government can't even get CVE working properly without a brouhaha and that's just about counting bugs, like the most basic biology lab on Earth.

Mandate publication of security assessments? I'm sure every vendor will sign right up for that and that won't cause any problems. This whole thing was written by a bug bounty vendor who wants the contract for a federal bug bounty program. It has no ideas worth using, and what REALLY should worry you, is there are a lot of super smart people who worked on this CSIS report, and none of them read this section closely enough to even correct the title from Zero Vulnerabilities to Zero Day Vulnerabilities which is what I assume they meant.

There's some good stuff elsewhere in the report, but why didn't anyone even bother to read this section? How can we trust the other sections went through an internal peer review process?

Wednesday, January 4, 2017

Targeting Cyber Whales and Catching Cyber Minnows

President Obama has been criticized for being too weak in his response to Russia’s interference in the US presidential election. But I would argue the opposite. They actually set a risky precedent which has been unexplored in the policy space.

What I want to point out here is that the White House miscalculated when it leveled sanctions against Russian private contractors, in addition to the GRU members responsible for the operation. Singling out Russia’s intelligence officials and state operatives for punishment of this nature is fine; it’s a limited move, and relatively ineffective, but it’s well within our rights and at least it sends a message. But private individuals should be off limits even when their technology and know-how is used in operations we do not like. If Trump’s administration plans to roll back any part of Obama’s sanctions, it should be those.

"Technical Research and Development"? "Specialized Training"?

The question no one in the policy sect seems to be asking is: Do we really want our own private contractors singled out and targeted by foreign powers? Is that a ‘norm of behavior’ that is in our best interests? How are cyber operation responses, which share a lot of similarities to criminal prosecutions, different? Nearly the entirety of the US Information Security industry has taught a class at /Training/Etc in Columbia MD at one point or another. Our current sanctions action puts them all on the plate for Russian retribution. Not to mention our Anti-Virus industry is heavily populated with technical experts directly from APT1, now working to defend our systems. Strategic disruption of our adversaries means getting closer to, not further from, their teams of hackers. In many cases these contractors may have been working for the Russian government under duress. Can we judge their motivations along with their efforts?

Cyber Security Strategy is all about the Lemmas and Dilemmas

Regrettably, the US response to Russia’s cyber operation faced serious dilemmas from the start. For instance, how do we achieve a deterrent effect on future efforts by Russia and other nations, while at the same time prevent the confrontation from escalating into an actual “cyber war” or threatening our partnerships abroad, particularly in Syria? Additionally, how do we avoid exposing our sources and methods within the highest levels of Russia’s government? We have attempted to solve these issues by relying on sanctions, which are an easy PR win - a NY Times headline series waiting to happen. But targeting sanctions or criminal prosecutions at small contractors, no matter what their involvement, is a long-term strategic mistake without appreciable benefit.  

This is an issue that needs to be considered very carefully, not only in terms of how it affects current operations, but also how it could limit our capabilities in the future. For instance, this precedent will make it extremely difficult to involve America’s private security community in “active defense” missions in the future, which is a key area of reform the next President should be reviewing.

Another question worth asking is, if private contractors are now fair game, could forensics firms such as CrowdStrike or Mandiant or other AV firms also be targeted for making “false allegations” about a specific country’s involvement? Also, is it possible the research community could be targeted for vulnerability discoveries which are later used by state-sponsored or criminal groups to carry out attacks?

These questions may seem far-fetched now, but we can’t underestimate the potential for an adversarial nation like Russia to use whatever means are available to make its point or redress grievances. Using US policy and precedent against us is a likely action by Russia. There's a reason you use nation-state policy efforts against nation-states instead of criminal law - otherwise you make all former TAO members responsible for TAO's mission, which is not well loved outside of the US.

The small companies and individuals running those companies may well be deeply involved with the DNC hack and related operations, but deterrence efforts around sanctions may require that we are able to make a public and convincing case regarding their guilt. Without that ability, they can easily deny their involvement, and our efforts look misguided at best. Of course, targeting individuals has the other side effect of pissing them off personally, and small groups of individuals with grudges and high levels of capability are very hard to deter by a nation state.

The Obama administration should be credited for its strong focus on cybersecurity issues during the last eight years. However, it has relied too heavily on the threat of broad-based sanctions for deterrence. This strategy worked well with China, but Russia is a different story and the Obama administration knows it - hence, the current sanctions are mostly about PR, not achieving a real strategic win. Going forward, the US needs to develop stronger and more diverse capabilities for response which will allow us to create real deterrence among all of our enemies, without resorting to counterproductive policies that are more PR than substance.

More Resources:

  • Jake talks a lot about this as well.
  • Alisa's postings in the community are well known, but here are some: Slideshare, Phrack
  • From an effectiveness and image perspective, releasing “indicators of compromise” is a fairly amateur thing to do. While it works for Crowdstrike and Mandiant and other commercial entities, the USG has better things it could do. In particular, these signatures were of rather low quality (See Robert Lee’s report as well), which makes us look bad, not scary, the opposite of what we are trying to do.
  • Sanctions from a historical standpoint

Tuesday, December 20, 2016

The Wierding Way

You don't have to believe I know anything about cyber combat or science fiction, but if you read this blog, and haven't read Dune, you're missing out on the philosophy behind how cyber offense works. 
I want to teach the whole Policy World about the Weirding Way in this blogpost. It is hard to explain, but I want to start with this: Scrippie is a better exploit writer than I ever was. I am in the good fortune to be able to watch world class exploit writers do their work. Even now, when I should be selling INFILTRATE tickets, I stand around behind people and talk to them about their exploitation strategies and how they are manipulating a heap overflow to do what they want and what their chances of success are. Sometimes I can help. Mostly I just help by letting them talk it out.

I know that no policy lawyer can read Bratus's paper on Weird Machines. I also know that even Halvar's INFILTRATE keynote on the subject is probably too technical.

But let me tell you something in the Wassenaar Arrangement that is leading the policy world down the wrong path, a sugar coated path of simplicity: The idea that computer code has intent, and even a chain of preferred execution!

The reason Scrippie is a better exploit writer than I am is because he flattens the code out in his head. He reads the whole thing, and then inside his head the input parsing routines and the heap allocation routines and even the KERNEL system call routines are all at the same level, literally as if they are all in a line and he is simply calling them with his data.

This is what it takes to do real exploitation in the world where you don't have Javascript around to do your heap grooming for you. Because most policy experts have only really seen clientsides in occasions where there is a Javascript interpreter, they have a warped view of how exploitation works in general.

Below, I respond to Nicolas Weaver's Lawfare post, but with <sarcasm>, which translates poorly on Twitter.


Ok, so if you're still with me, I want you to think of it this way: Data is also code. I don't mean "Code can be represented as data because everything is just bytes". I mean, the data I pump into your algorithm controls it as much as the executable code itself does. That's how hackers think of your code and it's closer to the true nature of the code than how the regulators and most academics are thinking right now. It's why every time an academic paper comes out on "ROP/JOP/etc" hackers find it redundant and hilarious.

To make this a Koan: Your computer is a state-space, and our data explores it. When it has no input, your computer program is in all potential quantum states - literally anything is possible because it is Turing complete if it has enough complexity. When we give it data, we collapse that waveform into a particular state of our choosing.

Hopefully that helps?