Monday, March 14, 2016

Cyber Norms: The futility of blacklisting critical infrastructure

First I want to quote from an email here: """
Cyber security policy is not a greenfield space!

I did post these to regs@ in December and am guessing you still have not read them. Of interest : Section III, ‘Norms rules, and principles for the responsible behaviour of States’.[1] China and Russia in fact co-authored a Code of Conduct in support of the larger report.[2]
[1] pp. 6-7,
[2] pp. 4-6,

If you read those two papers you will see the UN doing their usual "let's all be friends" in cyber ranting about how great it would be if all States avoided conflict on any level. There are a few recurring themes in cyber policy work at this level:

  • Please don't hack critical infrastructure
  • Please control hacking from your own territory, for the love of all that is holy
  • Please censor SOME stuff, which we can all agree on (?) but not TOO much stuff (because of human rights)
  • "Confidence building is important" (but only between Nation States, not with companies or communities)

The next set of blogposts here will discuss all four of these issues, starting with critical infrastructure, and how our previous efforts in the area are doomed to failure and why.

To be fair, previous cyber norms policy worked at some level. We have a LOT of cooperation between States when it comes to criminal prosecutions and gangs (Eastern Europe and Russia in surprising particular). We do have people to call in Russia who will tell us that the JPMorgan hack "was not them", even if it takes several months. The law enforcement side of cyber norms is far far ahead of the war and intelligence side.

Critical Infrastructure

That seal is a NY Dam waiting to happen.

First of all if you've done 15 years of scoping penetration tests or hacking Nation States, you know the idea of blacklisting "critical infrastructure" is bullshit.

A simple truth about the cyber domain: My goal is not to hack your critical infrastructure. My goal is to figure out which infrastructure on your network is critical that you didn't think was critical, and hack that. The stuff you already knew was critical is protected by the NSA. The stuff you didn't think was critical is defended by Symantec or Microsoft Defender. 

Likewise, much as there is no difference technically between penetration testing software and hacking software, there is no difference technically between allowable pre-positioning and intelligence gathering and "trespassing" on critical infrastructure systems.

One idea they have not tried of course, is the idea of placing signed tokens on machines which they feel are too sensitive to have Iranian implants on them because they would offer the chance of critical failure. Then in theory, an Iranian hacker could check for those signatures before putting the rootkit on the box, right?

Going through that mental exercise demonstrates the difficulty of the goal of blacklisting critical infrastructure. Networks are fully connected things by their very nature. And the data layer is even more connected than the network layer.

And that will let us segue in to "Controlling your own territory from the cyber norms perspective", which will be tomorrow's policy blogpost. :)

No comments:

Post a Comment