Friday, 14 September 2007

Hoff Interviews Andy Jaquith

Just a quick note -- Hoff conducted an excellent interview with Andy Jaquith at Take5 (Episode #6) - Five Questions for Andy Jaquith, Yankee Group Analyst and Metrician.... I liked this part (among others):

The arguments over metrics are overstated, but to the extent they are contentious, it is because "metrics" means different things to different people. For some people, who take a risk-centric view of security, metrics are about estimating risk based on a model. I'd put Pete Lindstrom, Russell Cameron Thomas and Alex Hutton in this camp.

For those with an IT operations background, metrics are what you get when you measure ongoing activities. Rich Bejtlich and I are probably closer to this view of the world. And there is a third camp that feels metrics should be all about financial measures, which brings us into the whole "return on security investment" topic. A lot of the ALE crowd thinks this is what metrics ought to be about. Just about every security certification course (SANS, CISSP) talks about ALE, for reasons I cannot fathom.

Once you understand that a person's point of view of "metrics" is going to be different depending on the camp they are in -- risk, operations or financial -- you can see why there might be some controversy between these three camps. There's also a fourth group that takes a look at the fracas and says, "I know why measuring things matter, but I don't believe a word any of you are talking about." That's Mike Rothman's view, I suspect.

China Cyberwar, or Not?

I've been writing about the Chinese threat for a while. I was glad to see Professor Spafford chime in with Who is Hacking Whom?:

It remains to be seen why so many stories are popping up now. It’s possible that there has been a recent surge in activity, or perhaps some recent change has made it more visible to various parties involved. However, that kind of behavior is normally kept under wraps. That several stories are leaking out, with similar elements, suggests that there may be some kind of political positioning also going on — the stories are being released to create leverage in some other situation.

Cynically, we can conclude that once some deal is concluded everyone will go back to quietly spying on each other and the stories will disappear for a while, only to surface again at some later time when it serves another political purpose. And once again, people will act surprised. If government and industry were really concerned, we’d see a huge surge in spending on defenses and research, and a big push to educate a cadre of cyber defenders.


You might also be wondering if the West and its allies are engaged in a "cyberwar" with China. Some might be asking if this is "information warfare." Here is my perspective.

DoD Joint Publication 3-13, Information Operations, differentiates between two sorts of offensive information operations.

  1. Computer Network Exploitation. Enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks. Also called CNE.

  2. Computer Network Attack. Actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves. Also called CNA.


You can think of CNE as spycraft, and CNA as warfare. In the physical world, the former is always occurring; the latter is hopefully much rarer. I would place all of the publicly reported activity from the last few months in the CNE category.

So why the war in the media over Chinese activity? I think this is part of the answer: what else can the West or China do? Consider similar situations and their consequences.

  • The UK seeks the extradition of Andrei Lugovoi for the murder of Alexander Litvinenko. Russia refuses, so the UK expels four Russian "diplomats." Russia responds by expelling four UK "diplomats."

  • Russian bombers encroach on the North Sea. The UK scrambles interceptors.

  • The FBI discovers Robert Hanssen is a Russian spy. The US expels six Russians, and the Russians seek to match that with their own expulsions.


This is how the international relations game is played. When the players have no way to express their concerns or make their intentions known, they are left with making statements to the media. The question is whether anything else might happen.

Thursday, 13 September 2007

US Needs Cyber NORAD

In addition to the previous Country v China stories I've been posting, consider the following excerpts. First, from China’s cyber army is preparing to march on America, says Pentagon:

Jim Melnick, a recently retired Pentagon computer network analyst, told The Times that the Chinese military holds hacking competitions to identify and recruit talented members for its cyber army.

He described a competition held two years ago in Sichuan province, southwest China. The winner now uses a cyber nom de guerre, Wicked Rose. He went on to set up a hacking business that penetrated computers at a defence contractor for US aerospace. Mr Melnick said that the PLA probably outsourced its hacking efforts to such individuals. “These guys are very good,” he said. “We don’t know for sure that Wicked Rose and people like him work for the PLA. But it seems logical. And it also allows the Chinese leadership to have plausible deniability.”


On one side we have the Chinese military organizing hackfests and sending work to the best. On the other side we have defense contractors often selected by lowest bidder. Worse, when those contractors are actually clueful and resourceful (like Shawn Carpenter), they are fired. From Cyberspies Target Silent Victims:

The U.S. Department of Defense confirmed last week that cyberspies have been sifting through some government computer systems. What wasn't said: The same spies may have been combing through the computer systems of major U.S. defense contractors for more than a year.

"There's been a massive, broad and successful series of attacks targeting the private sector," says Alan Paller, director of the SANS Institute, a Bethesda, Md.-based organization that hosts a response center for companies with cybersecurity crises. "No one will talk about it, but companies are creating a frenzy trying to stop it..."

None of the companies have publicly reported data breaches, though many have informed the Department of Defense. "Reporting an event like this would kill your stock price," says a source close to the military contractor industry who asked not to be named...

When Carpenter warned government officials in the Army and the FBI of his findings in 2004, he was fired. Sandia officials declined to comment on any subject relating to the Titan Rain hackings. Carpenter says his former employer's attempts to keep the incident quiet are typical.


In China as Victim I noted the following:

Lou said the electronic espionage against China has met with success. It therefore needs to be addressed by President Hu Jintao's government, he added, with additional investment in computer security and perhaps formation of a unified information security bureau.

That's China saying they need a high-level, concentrated group to protect Chinese assets. On what does the US rely? Apparently, the Department of Homeland Security and an assistant secretary for cyber-security and telecommunications.

Let's find this person on the DHS organizational chart.



Missed the assistant secretary for cyber-security and telecommunications? That's because he's not even in the top chart. He's working for the Under Secretary for National Protection Programs, whose peers include an Under Secretary for Management and an Under Secretary for Science and Technology. Seriously.



The more I think about it, the more of a disgrace this is. Consider: every single government agency uses computers. Not only that, every single US company uses computers. (If they don't, I doubt they qualify as a company!)

We often hear that the private sector should protect itself, since the private sector owns most of the country's critical infrastructure. Using the same reasoning, I guess that's the reason why Ford defends the airspace over Dearborn, MI; Google protects Mountain View, CA, and so on.

No? (By the way, I know that the US through the FAA "owns" the airspace over the country, but it's literally not the airspace itself that matters; it's what is underneath -- people, buildings, resources, and so on.)

I plan to develop this thought further, but for now I take comfort in knowing the Air Force Cyber Command is coming. Remember the Air Force started as

a small Aeronautical Division to take "charge of all matters pertaining to military ballooning, air machines and all kindred subjects"

on 1 August 1907. 100 years later, Cyber Command is coming. Hopefully a "Cyber NORAD" might follow. Remember, monitor first.

We might eventually get a new Cyber Force focused solely on defending the digital realm. Stay tuned.

Australia v China

My blog readers are quick. No sooner do I ask about Australia than I get a link to China 'hacked Australian government computers':

China has allegedly tried to hack into highly classified government computer networks in Australia and New Zealand as part of a broader international operation to glean military secrets from Western nations.

The Howard Government yesterday would neither confirm nor deny that its agencies, including the Defence Department, had been subject to cyber attack from China, but government sources acknowledge that thwarting such assaults is a continuous challenge.

"It's a serious problem, it's ongoing and it's real," one senior government source said...

Australian Attorney-General Philip Ruddock is sufficiently concerned about cyber attacks to be spending more than $70 million to improve the e-security of government and private computer networks.

Air Force Cyber Command Provisionally at Barksdale

What a busy night. I just read Wynne taps Barksdale to host Cyber Command:

The Air Force Cyber Command will be headquartered, at least on an interim basis, at Barksdale Air Force Base, La., Secretary of the Air Force Michael Wynne announced Wednesday while visiting Barksdale and the base’s surrounding communities.

Wynne is expected to offer more details about Cyber Command on Tuesday as the part of the Air Force’s Pentagon celebration of its 60th anniversary.

The command will likely be led by a two-star general, officials said. While four-star generals traditionally head Air Force major commands, commands with fewer members, such as Air Force Special Operations Command, have two- or three-star generals in charge.

Like the other major commands, Cyber Command will answer directly to the secretary and the chief of staff.

There had been some consideration that Cyber Command would come under Air Combat Command’s 8th Air Force, headquartered at Barksdale. The 8th oversees much of the service’s computer network defense and information warfare capabilities. The commander of the 8th, Lt. Gen. Robert Elder, has been the service’s point man for mapping out Cyber Command’s structure and requirements for training members and acquiring equipment.


Barksdale won on an interim basis because the Air Force Network Operations Center is there, although this AFNOC Fact Sheet mentions that the AFNOC Network Security Division is at Lackland Air Force Base, Texas, and the AFNOC Network Operations Division is at Gunter Annex, Alabama.

I think Air Force Cyber Command will be permanently based in San Antonio (to leverage AFISR Agency) or potentially a base near DC, to facilitate coordination with Ft Meade.

I am really looking forward to attending Victory in Cyberspace, hosted by the Air Force Association:

The Eaker Institute will release a report “Victory in Cyberspace” and host a panel discussion about the Cyberspace domain at 1 p.m., Tuesday, Oct. 9, at the National Press Club...

This Eaker Institute Panel will discuss how cyberspace should become equal with air and space in the Air Force’s mission set and how that affects the airman’s profession and the nation’s security priorities. Participants include Lt. Gen. Elder, who commands the Air Force headquarters for cyberspace, global strike and network operations, including establishing a new Cyber Command; Gen. Jumper (ret.), former Chief of Staff of the Air Force; and Lt. Gen. Baker (ret.), former Vice Commander, Air Mobility Command [and one of my AIA commanders].


I expect to hear more about Air Force Cyber Command on the Air Force 60th Birthday on 18 September.

China as Victim

China has pointed the finger back at the West, according to China says suffers "massive" Internet spy damage:

China has suffered "massive" losses of state secrets through the Internet, a senior official said, as China faces reports that it has raided the computer networks of Western powers.

Vice Minister of Information Industry Lou Qinjian said his country was the target of a campaign of computer infiltration and subversion...

"The Internet has become the main technological channel for external espionage activities against our core, vital departments," he wrote in Chinese Cadres Tribune, a magazine.

"In recent years Party, government and military organs and national defense scientific research units have had many major cases of loss, theft and leakage of secrets, and the damage to national interests has been massive and shocking..."

China's computer networks were riddled with security holes that made a mockery of the ruling Communist Party's censorship and exposed valuable secrets to spies, Lou said.

The United States and other "hostile" powers were exploiting those weaknesses and their dominance of technology to use the Internet for "political infiltration", he said.

"In the Internet technology products exported by the United States there are 'back doors' planted to engage in technological infiltration and theft of secrets," Lou said.


The story Chinese Official Accuses Nations of Hacking has more details:

Lou said the electronic espionage against China has met with success. It therefore needs to be addressed by President Hu Jintao's government, he added, with additional investment in computer security and perhaps formation of a unified information security bureau.

"In recent years, party, government and military organs and national defense scientific research units have had many major cases of loss, theft and leakage of secrets," he said, "and the damage to national interests has been massive and shocking."
(emphasis added)

Imagine the Chinese are considering a "unified information security bureau." What do we have? Check the next post for thoughts on that.

Canada v China

Just as I posted my last story on New Zealand, I noticed the following in Editorial: The spy business is alive and well:

SIS head Warren Tucker said government computer systems had been hacked into by foreign states. Information had been stolen and hard-to-detect software installed that could be used to take control of computer systems, he said.

Mr Tucker would not name the culprits. But he did refer to recent comments by Canada's security service about Chinese spying. Canada's spy-meister, Jim Judd, has said that almost half his security intelligence efforts were focused on that country's spies.


Canada, eh? Next I found China is top espionage risk to Canada: CSIS:

Almost half the effort the country's spy-watchers put into monitoring suspicious foreign activity in Canada is devoted to Chinese operatives... Jim Judd, director of the Canadian Security Intelligence Service, said... 15 countries account for most of the concern when it comes to foreign intelligence-gathering or interference in Canadian affairs.

He wouldn't identify all those countries, but did tell senators that China tops the list...

Prime Minister Stephen Harper, when he was still Opposition leader, claimed there were up to 1,000 Chinese agents in Canada.

He quoted a CSIS official as saying that Chinese spies stole $1 billion worth of technological secrets every month.

Last year, Foreign Affairs Minister Peter MacKay said he wanted a crackdown on Chinese espionage. MacKay is currently on a China visit.

In a 2004 report, CSIS said Chinese economic espionage targeted information including contract details, supplier lists, planning documents, research and development data, technical drawings and computer databases.

Foreign students and scientists, business delegations and immigrants were among those recruited as informants, the spy agency said.


Only Australia needs to be mentioned now.