Thursday, October 29, 2015

Wassenaar Meeting with Department of Commerce on 10/28

So I went to the Department of Commerce to speak at one of their export control working group meetings. It was fascinating. Not my talk, which is here, but the meeting itself.



For example, one of the items on the list was the machine used to make wrapping paper. Apparently modern wrapping paper is very similar to stealth coatings and other important things. But obviously, restricting a machine used to make wrapping paper is a useless task. 

The Commerce Department is not crazy about doing dumb things that hurt the US economy. WHICH IS GOOD NEWS FOR THE SECURITY COMMUNITY, because meetings like this one clearly show that they are listening on the "Intrusion items" export control issue, and are unlikely to bow to State Dept or NSA/DoD pressure to eviscerate our whole industry.

Some bulleted thoughts:
  • State Dept pointed out that while many people think of this as a human rights issue, it is not. This agreement and process is solely about National Security, so we can table all the discussion of human rights issues with regards to "intrusion software" 
  • Nobody in the room (or anywhere else) is willing to support the export control language as written, which means one way or the other it has to change. This includes the human rights community, but also State and NSA (who were in the room)
  • There was a lot of clarification of the role and value of Penetration Testing as a process, and how that would be adversely affected. We handed out a sample deliverable, for example. Also I invited everyone to INFILTRATE.
  • FS-ISAC weighed in as an "End User" and said "We are regulated by certain laws, and this proposed wording violates those laws."
  • The idea that you can separate intrusion software ("not regulated") and software used to generate and control intrusion software ("Super Regulated") was shut down pretty heavily both by the Coalition for Responsible Security and by other speakers
  • Microsoft is one of the strongest voices against this regulation, along with the Coalition
  • Commerce does not like regulations with so many carve-outs that they don't have anything actually BEING regulated. They actually like nice clean regulations the way we like nice clean programs. This is not the kind of thing they like.
  • Other topics that came up: Real time information sharing conflicts with regulation, the fact that any regulation needs to be "cloud friendly", export control not being the place for this sort of thing, many others which point out that this regulation cannot go forward

State Dept has another meeting today, which I'm not going to, but hopefully it will not be a backwards step.


Thursday, December 11, 2014

Our Ironic Pearl Harbor

"And with each passing year it is going to seem more quaint, the little tin airplanes bombing the sleepy iron giants" -J. MacDonald


December 7th marked the 73rd anniversary of Pearl Harbor, one of the scariest events in our nation's history.


These days a nation-state can terrorize you (and by “you,” I mean anyone or anything - an entire country, a government branch, a company, an individual) with computers alone. In this week's case, the “you” is Sony Pictures’ employees, who may well be out of a job before the attack by North Korea is over. But it also includes banking executives such as those at JPMorgan who are dealing with a constantly escalating threat from cyber attacks.


Don’t be fooled by the rather circumstantial public evidence that ties the Sony attack to North Korea - that’s just cover for the real intelligence behind the attribution assertion, which is no doubt air-tight. As “hard” as the attribution problem is, major attacks always have attribution, if for no other reason than that North Korea’s military needs to make the point not to “mess with them.”


And if you’re sitting in your living room or office, far away from Sony Pictures, you should still be scared, because in its own way, this is worse than Pearl Harbor. A naval battle is something only another nation-state could do - but a cyber attack can be done by a near peer. In the case of the Sony Pictures attack, it seems clear this was conducted by North Korea; but the next Sony-like attack could easily be done by angry environmental groups, a religious sect, or a group of people simply “out for the lulz.”


So what can we do about this new reality? The first step is to embrace it. We cannot ask our government to do more to protect us. In fact, we need to ask it to do less. We’ve drained our investigative resources by having the FBI and Secret Service spend their time tracking down every teenager who managed to collect some stolen credit cards. We need to make a shift into letting that risk be the problem of the people who built the broken credit card system in the first place.


Likewise, right now the government is trying to negotiate on behalf of American businesses with the Chinese. The trillions of dollars worth of IP being stolen by their military-grade hackers every year is going directly to Chinese businesses. This negotiation is going to fail because those Chinese businesses own the Chinese Government the way our big companies own ours.

Businesses need to prepare to take actions directly to protect themselves: by massively investing in effective information security technology practices they can support, by changing the way they do business to avoid exposing themselves, and by allowing themselves to punish Chinese companies and people directly for involvement in IP theft. Right now, technical experts walk right out of "APT1" and into the arms of jobs at American cyber security companies. This could easily stop with a simple "no hire" policy, draining the Chinese state of their offensive talent.
  
Sony's terrible week is not the beginning, any more than Pearl Harbor was a beginning. But it changes the security story for every US company. It used to be compliance drove spending. Expect to see real security spending driving adoption of new technologies and macro-sized budgets. It's ironic a Japanese company had to die to teach us that lesson...

Tuesday, January 8, 2013

The new team on a new field


We are now starting to see what the team is going to look like in the Federal sector of cyber security at the very top: Brennan (DCIA), Hagel (SoD), and Keith Alexander (DIRNSA).


John Brennan


Obama has been personally involved in cyber efforts for some time, and hence, Brennan has as well. Below are some articles which highlight his efforts in our area:

I think we can depend on Mr. Brennan to continue to invest heavily in the cyber industrial complex, and have a leading role in helping build the legal and policy frameworks that cyber desperately needs. His experience with counter-terrorism will be vital, but his challenge will be to port that to the traditional intelligence role of large nation state versus large nation state. 

Chuck Hagel


The NY Times pointed this quote out:

"Cyber is a huge issue, that cyberwarfare dimension which we are just now just getting our arms around, as other nations are. If you concentrate on that arena of warfare, you can completely paralyze a nation. You can paralyze power grids; you can paralyze financial services; you can stop a country; you can paralyze computers on ships. I think the greater threat to all of us is going to be directly a dagger at the heart of economic interests, and certainly I would start with cyber. All the other threats are still going to be there — nuclear proliferation, terrorism, weapons of mass destruction, and all the things we're dealing with today. But, in the end, we can deal with those; we can manage those; we can work our way through those. The big issues are things like cyber, that's where we've really got to pay attention. It's not like sending one army against another. You're not going to win that by having a bigger navy than the other guy's navy. You need big navies, you need strong security, but you need so much more now today to protect our economic interests, which are our vital security interests."

– PBS Interview, "Great Decisions in Foreign Policy," May 2012

Other than that quote, there's not a whole lot available on his views there. One thing is sure about Hagel: He's into international alliances - something that cyber depends on to a great degree. And I think it's telling that one major thing Chuck Hagel realizes he's protecting against cyber attack is the economy. The financial sector is highly sensitized to its weakness when it comes to cyberwar - and for good reason.

So to sum up: Cyber (both defense and offense) will find continued strong support in the coming administration. The worm in the soup here is, as always, congressional support, which means the dollars and cents budgetary glop that cyber is unfortunately having to wade through at the moment. These are not small programs, and they are not small changes, and having large scale uncertainty about which things will have to be cut to meet a sequester could hamstring any major efforts to improve cyber security, or take the ball on offense.

Wednesday, October 17, 2012

Tools of Oppression

"In reality, cyber tools of oppression are most often in the form of databases."

http://infosecisland.com/blogview/22587-The-EFF-is-Losing-Its-Way-on-Internet-Freedom.html

Just a short note for the day. Gary McKinnon not being extradited is interesting as well - truth be told, America's sentencing guidelines for hackers tend to be far out of the ordinary for a first world nation. Generally a hacker is looking at more time than a rapist or murderer, which is probably a bit out of whack.

You don't see the EFF going on about this though. You do see them talking about exploit sales, which I think is a misjudgment.

Monday, October 15, 2012

Being "held accountable" is the new black.

There's a general proscription in the IC about talking in any way about offensive things - for good reason. For that reason, I recommend you take a little grain of salt with some of the things in Secretary Panetta's talk (here).


"But even more alarming is an attack that happened two months ago when a very sophisticated virus called Shamoon infected computers in the Saudi Arabian State Oil Company Aramco. Shamoon included a routine called a ‘wiper’, coded to self-execute. This routine replaced crucial systems files with an image of a burning U.S. flag. But it also put additional garbage data that overwrote all the real data on the machine. More than 30,000 computers that it infected were rendered useless and had to be replaced. It virtually destroyed 30,000 computers."


For example, the reason the Iranians named their module "wiper" is to throw the name back at their attackers, who had previously destroyed some Iranian oil refinery computers (http://news.techworld.com/security/3379060/mystery-wiper-malware-linked-to-duqu-says-security-firm/).


"Over the last two years, DoD has made significant investments in forensics to address this problem of attribution and we're seeing the returns on that investment. Potential aggressors should be aware that the United States has the capacity to locate them and to hold them accountable for their actions that may try to harm America."

Likewise, offensive operations are how you do attribution, although defensive tools (such as forensics) typically have a small role as well (IMHO).

A big question here is the meaning of "Hold them accountable." Does this mean targeted assassination, the way it does with Iranian nuclear scientists? Is that how far we've come?

Friday, October 12, 2012

Debates

There's been no real "Cyber Security" in the last two debates, either the Presidential or last night's VP debate. In fact, there's been very little "tech" at all in the last few debates, although the Republicans are coming out as "anti-green-energy-subsidies" which may or may not be a good political move.

Is it possible we'll get all the way to the election without cyber security becoming a Presidential-level issue?

Monday, October 8, 2012

There are Consequences for Getting Caught


So the big news is about to drop. The unfortunate thing, whether Huawei has been spying or not, is they are in a very difficult and indefensible position. Even their direct whitepaper response leaves a lot to consider.



Huawei's response that it would require hundreds of thousands of people to pull off an attack of this magnitude is false. The final firmware burn-in on their products would be controlled by very small teams, if not individuals. A well placed government asset in this position could very easily slip in code that passes all regression testing by the quality assurance team, but has additional behaviour that doesn't affect the end product.

Assuming their manufacturing process is locked down, do they apply the same rigor when handling remote firmware updates? Numerous times in the past we've seen build servers (à la Adobe) or source repositories get remotely compromised. The result varies, but the typical end goal is to backdoor the product, and Huawei is a prime target for an attack of this nature. The important thing to note is that this does not require an embedded government asset, only a well placed attack. Let's not forget that Cisco had their own breach that saw an 800MB chunk of source code get stolen, some of which was later publicly posted. Had the Cisco attacker used a little less ego, he very well could have begun a targeted campaign to backdoor Cisco products or IOS updates.

This raises the question: how does the CSO of Huawei, or the US government, know whether the supply chain has been compromised? The only way for the US to know this for certain is to have someone embedded at the same trust level as the people actually coordinating or carrying out the espionage. Disclosing that would compromise the asset's own position, so it is less likely, but still a possibility.
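The two paragraphs above describe the defender's side of this problem: code slipped in at firmware burn-in, or through a compromised build server or update channel, passes functional regression tests because the original features still work. What catches it is not testing but cryptographic integrity checking of the shipped image against a manifest the release process produced offline. The following is an added example, not code from the original post or from any vendor named in it. The firmware bytes, the release key and the manifest are constructed for illustration, and HMAC-SHA256 stands in for the detached asymmetric signature (for instance Ed25519 with a pinned public key) that a real vendor would use; the structure of the check is the same either way.

```python
"""Verify a firmware image against an authenticated manifest before applying it.

Added example, not from the original post. Everything below (image bytes,
key, manifest) is constructed. HMAC stands in for an asymmetric signature.
"""
import hashlib
import hmac
import json
from typing import Tuple

# Constructed release key. In production this is a pinned verification key
# that the update channel itself can never replace.
RELEASE_KEY = b"constructed-release-key-do-not-reuse"

# Constructed "firmware": a blob standing in for a real image.
GOOD_IMAGE = b"\x7fELF" + bytes(range(256)) * 4


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _encode(body: dict) -> bytes:
    # Canonical encoding so signer and verifier authenticate identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(image: bytes, version: str, key: bytes) -> dict:
    """What the release process produces offline, next to the image."""
    body = {"version": version, "size": len(image), "sha256": sha256_hex(image)}
    tag = hmac.new(key, _encode(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_update(image: bytes, manifest: dict, key: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). Each failure has a distinct reason so the update
    agent can log what was wrong rather than a bare 'rejected'."""
    body = manifest.get("body")
    tag = manifest.get("tag")
    if not isinstance(body, dict) or not isinstance(tag, str):
        return False, "malformed manifest"
    # Authenticate the manifest first: until then its contents are untrusted.
    expected = hmac.new(key, _encode(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time compare
        return False, "manifest authentication failed"
    if len(image) != body.get("size"):
        return False, f"size mismatch: manifest {body.get('size')}, image {len(image)}"
    if not hmac.compare_digest(sha256_hex(image), body.get("sha256", "")):
        return False, "image hash mismatch"
    return True, f"firmware {body.get('version')} verified"


def demo() -> dict:
    """Three update attempts: genuine, image with extra code appended, and a
    re-signed manifest from someone without the release key."""
    manifest = build_manifest(GOOD_IMAGE, "1.0.0", RELEASE_KEY)
    # Extra routine appended to the image: the original features (and their
    # regression tests) are untouched, but the hash and size no longer match.
    backdoored = GOOD_IMAGE + b"\x90" * 16 + b"extra-routine"
    # An attacker who controls the update server can rewrite the manifest
    # too, but without the release key the tag does not verify.
    forged = build_manifest(backdoored, "1.0.0", b"attacker-key")
    return {
        "genuine": verify_update(GOOD_IMAGE, manifest, RELEASE_KEY),
        "appended": verify_update(backdoored, manifest, RELEASE_KEY),
        "forged": verify_update(backdoored, forged, RELEASE_KEY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:9s} {result}")
```

The order of the checks matters: the manifest is authenticated before any field in it is trusted, and the digest comparisons use `hmac.compare_digest` because both the image and the manifest arrive over a channel the attacker may control. This answers the narrow question of whether the image a device receives is the one the release process produced; it says nothing about whether the release process itself was honest, which is exactly the gap the surrounding text is about.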

Could it also be that Huawei has been caught enough times, and a mountain of independent evidence has finally piled up to a tipping point? If this is the case then how does their CSO not know that they have been compromised? If this is true, it is the most damaging situation Huawei could find themselves in.

I often wonder why the US has picked Huawei out of a number of foreign telecommunications manufacturers. Why aren't we examining all foreign entities that power critical infrastructure in North America? The unfortunate thing is the congressional report will give the high level information, but their classified annex will have the real dirty details as to why they did this in the first place. Information that only a select few will have access to. Yet they are still free to wage a very public campaign against Huawei.

There is a key takeaway from this story that other foreign companies should be aware of. If the US comes knocking at your door: open it, let them do what they want, see what they want, and record what they want or they will make you pay dearly for it.


UPDATE: The committee report is here.