Let me start by saying that for my entire adult life I’ve been studying how to break into computer networks and systems. Luckily for me I did this during the growth, and now the ever-presence, of the Internet, first at the NSA and then in private industry. What that means, realistically, is I’ve broken into almost everything, like a lot of people who came of age during that time. The company I help run, Immunity, based in the blistering tropical crossroads of Miami, now secures large banks and manufacturing organizations.
I have fifteen minutes and I did have a very corporate, very boring speech for you set up where I talked about current day risks to your companies and some strategic things you can do to maybe help. But on the flight over, I reconsidered. What I really want to do is tell you about a threat you haven’t yet seen coming.
Like anyone who started their career in intelligence I find reading news reports stultifying because I believe nothing in them, but I want to pick some pieces out to illustrate a trend. The first one is the meaning of Stuxnet, which you have all read about in The Economist or perhaps Wired magazine, especially those of you who work at Siemens. Despite the muddled messages coming out of NATO, cyber war is, in my opinion, very real, and while other wars were all about mechanized destruction, cyber war is all about mechanized covertness. Our confusion about Stuxnet is a clear example of the dangers there.
And because of that covertness, the messages that normally would function as deterrence and capability announcement are muddled, and our global policy on cyber security is muddled as a result. As Thomas Dullien, the famous German cyber strategist now working for Google, points out: The US is keen on using new technological fronts in war, such as drones or cyber, and then screaming for international norms the minute someone else catches up.
So back to Stuxnet, or OLYMPIC GAMES, or whatever you want to call it - it was not just a cyber effort against Iran’s nuclear capability but the announcement of a team. A rather huge team that has been playing World-Cup level soccer on the cyber battlefield for a decade and a half. It is in that sense a formidable and hungry teenager - perhaps one that I helped give birth to.
When I was a teenager I was in Fairfax, Virginia, a few minutes from Washington DC, and when I go back now I don’t even recognize it. The past fifteen years have had it boom with giant crystalline structures - massive glass houses for rootkit writers and exploit developers - hackers, in all but name. The Iraq and Afghanistan wars were also cyber wars in ways that are just beginning to come out.
Not incidentally, the same thing is true when you go to Beijing and visit their Center for Internet Security. You can look across the table at the Chinese hacker team there and see in their eyes that they’ve hacked everything. It’s a weird thing, that look in their eyes. Knowing the world’s secrets because you’ve had to manually pull them out of mail spools for hours at a time.
I’ve seen it in Chinese, Russians, Germans, Italians, French, American hackers. You can’t throw a rock from my childhood house without hitting someone who specializes in some kind of router exploitation technique. Look, here’s the really scary part of the story: The world is now full of hackers. The last fifteen years have created a cadre on all sides. We have poured our money into it in a way that we didn’t pour our money into advanced nuclear reactors. We live in a world that is safer in some ways because of it, and much more dangerous in other ways. You have been colonized with a crew that may or may not share your values.
Even before we get into the minutia of how you can protect yourself, I have to redefine something in your heads: The very nature of a cyber weapon. Because hackers don’t think of them the way you hear about them in the news. Imagine, if you will, that cyberspace was a terrain, and that weapons were anything that could change the surface structure of that terrain.
When the details of NSA’s QUANTUM were released by Edward Snowden, people focused on the exploitation - the breaking into of German phones is sexy. But the shaping of the flow of data is the key to QUANTUM and the most beautiful part. The art of cyber war is about controlling and understanding information paths. Or to paraphrase our initial speaker paraphrasing Napoleon: Cyber war is about controlling your opponent’s internal chaos by using their computers against them.
Ironically, the most common kind of cyber weapon is the ability to disseminate information. The Pirate Bay, for one, which now even has a political party attached. Wikileaks, for another. It’s no accident that both were started by elite but independent hacker teams. Think Guccifer and the Russian Business Network as other examples.
The other definition that I hope to change in your mind today is that of a computer. In particular there is an anecdote that Thomas Watson, president of IBM in 1943, said there might be a world market for maybe five computers. This is one of those statements that is tritely amusing if you look at your desktops and mobile phones.
But to a hacker, he was not wrong in his assessment of the market! Right now, in fact, there are probably fewer computers. We know, because we give all the real computers human names. You may have heard of them: Azure, Alexa, Google, Siri, and possibly an NSA computer in that giant plant in Utah. Isn’t it an interesting accident that all the real computers are American?
What I’m saying is: If you cannot seamlessly scale your computation, along with everything that implies in terms of redundancy, accounting, data transfers, parallelism APIs, and storage management - then you have a pocket calculator good for games and trivia and pictures of cats, not a computer.
If you don’t have a computer, it is much harder to break into networks, for technical reasons that are beyond the scope of this talk. It’s also harder to protect privacy when all your information is stored overseas and so I see a frustration in Europe at the power of all the multinationals that own real computers, which I think has less to do with privacy perhaps, and more with a concrete sense of a loss of national power in a new domain.
If you read Sebastian Dullien, a German economist who is, among other things, a Senior Policy Fellow at the European Council on Foreign Relations, and you SHOULD be reading him, then you know he has written about how to create European champions in the digital space, as he calls it. In other words, a European Google or Facebook or Apple. How does one create the kinds of investments that would make them? Because without them, without any native European computers by a hacker’s definition (large-scale computing minds), European companies are dependent on research done everywhere else to secure themselves.
It is easy to misread Dullien’s work and other economists’ work as a call for European protectionism - to use EU data protection standards as an area denial weapon against US Internet companies, which is exactly how they are viewed in the States. But it is also a warning. If protectionism doesn’t work, then EU companies would be largely left undefended.
To draw a painful analogy: the immune-system response to almost every security problem is “segmentation”, think firewalls, and export control. But a better answer is extremely close cooperation, which echoes our other conversations here at the Summit.
Let me tell you this: The current day threat is real. Right now, I’m 100% sure there are North Korean hackers inside German banks, trying to leverage their access for massive wire transfer fraud. Russians are preparing the battlefield as well. I know they’re doing this, because that’s what I would do. German intellectual property is being stolen by the Chinese the same way it was from American companies: on a massive, industry-ending scale, but dealt with, as I’ve heard from members of the Summit, with resignation.
In the future we will have to deal with the fact that we’ve trained thousands and thousands of people in the dark arts of cyber war, with the skills to infiltrate any network and sometimes even the desire. But right now, you need to take crufty twenty year old technology installed everywhere that runs your businesses and find a way to just make it to tomorrow without bleeding out.
And putting my commercial hat on, let me say that this is not a problem you can just throw money at and get clear results. Cyber security is a community of snake oil driven by marketing and slick sales. The only way forward is as if you were at the top of the Alps - every step must be tested, and you are roped to the people next to you so they can catch you if you fall.
To put this into practical terms: When you purchase security products, you must commit to testing that they perform their function as if you were the adversary! This means a focus from the beginning on learning and valuing the offensive side of information security, which acts as a guiding light to your defensive efforts. Resist the urge to demonize the hackers among you, or the tools they use. I have spent the last two years of my life arguing with European diplomats about whether penetration testing tools should be included in the Wassenaar arms control agreements, and let me say, that’s a backwards step into a crevasse.
And you must find a way to broadly share intelligence on threats you see with your peers in industry. This sounds easy. But revealing your threats requires coming to grips with the regulators who are going to see it as a weakness and want to penalize you, and it means your direct competition will get inside information on your operations.
When you’re doing serious mountaineering they say “There is no privacy at the top of a mountain”. And, based on some personal experience, they really really mean it. Today my goal is to help the business community recognize they are at the top of the mountain when it comes to information security, and they have a long, painful march back down to base camp. And it’s in many ways just you - the Government is not going to come to your aid.
In conclusion - we have come an unbelievably long way in the past fifteen years, and we recognize that cyber security touches everything we do, usually in a pretty painful way. But I think it’s important to see that we’re all still new at it. We’re still feeling our way around, and building relationships and learning what works and what doesn’t the hard way. I look forward to chatting with you all, and again, thank you for having me.