Offensive Dimensions of Cyber Security: Col Matteo G. Martemucci, USAF
Col Matteo G. Martemucci, USAF, 318th Cyberspace Operations Group, Joint Base San Antonio-Lackland, TX
Offensive Dimensions of Cyber Security: Strategy and Policy Challenges
August 2014
Stanley Baldwin: “The bomber will always get through”
“The Hacker will always get through” …will he?
Nature of the Threat
• WHAT is an attack?
• WHO is attacking (or may attack)?
• WHY are they attacking (or why would they)?
Methodology:
• Historical understanding (based on writings AND actions)
• Threat = capability + intent
What is a Cyber Attack?
• The four “D’s” in the US Military definition (and now 4DM)
• The grey areas: difference between an attack and an exploit
• Cyber Attack vs. Cyber Espionage
1. Information attacks – spectrum from Strategic Comms to Psyops/Tactical Deception
2. Physical Infrastructure attacks – SCADA/ICS on water, power, sewage, refineries, etc.
3. Economic Infrastructure attacks – stock exchange, banking, credit card infrastructures – American businesses & intellectual property
From Where Could [Do] Attacks Come?
• Over the Internet (if you have an IP address, you are vulnerable)
• Supply Chain (even if you have great firewall/perimeter defenses, you are vulnerable)
• Insiders (even if you are “air gapped,” you are vulnerable)
“Smart Grid” = “Vulnerable Grid”
Cyberwar as a Distinct Element of Power: Cyber Attacks on Estonia 2007
• Significant DDOS attacks crippled the country for days
• Regardless of attribution, the perception was that “Russia” sent a strong message
• What if Estonia had invoked Article 5 of the NATO charter?
Sources: “Estonia accuses Russia of 'cyberattack,’” Christian Science Monitor, May 17, 2007 & “Newly nasty,” Economist, May 24, 2007
Cyberwar as a Complement to Kinetic War: Russia-Georgia Conflict 2008
Sources: Jeffrey Carr, Inside Cyber Warfare, O’Reilly 2012; Siobhan Gorman, “Georgia States Computers Hit By Cyberattack,” Wall Street Journal, 12 Aug 2008; and John Markoff, “Before the Gunfire, Cyberattacks,” New York Times, 12 Aug 2008
National Strategy for Cyber Operations
US Military Cyber Mission Forces
• 13 National Mission Teams (NMTs) with 8 National Support Teams (NSTs)
• 27 Combat Mission Teams (CMTs) with 17 Combat Support Teams (CSTs)
• 18 National Cyber Protection Teams (CPTs)
• 24 Service CPTs
• 26 Combatant Command and DOD Information Network CPTs
Source: 2014 Quadrennial Defense Review and Secretary of Defense Hagel, speech at Ft. Meade, 28 March 2014.
Total Cyber Mission Force will total 6,000 personnel by 2016
Full-Spectrum Cyberspace Operations
[Figure: spectrum diagram running from Benign/Passive to Aggressive/Active, spanning Defensive Cyberspace Operations (DCO), DCO-RA (Response Actions) and Offensive Cyberspace Operations (OCO). Labels on the slide: blocking; reactive defense (signature-based IDS/IPS); proactive defense (heuristic-based defense); honey pot/net; “hunt” on your own networks; hunt outside your own network (“hack back”); watering hole; phishing / active spear phishing; whaling; beaconing implants; MITM; supply chain interdiction; management of botnets; propagating (network enumerating) agents; Computer Network Exploitation; Computer Network Defense/Attack; deny, degrade, disrupt, destroy, manipulate; kinetic & non-kinetic.]
Full-Spectrum Cyberspace Operations
[Figure: the same Benign-to-Aggressive spectrum with a neighborhood crime analogy. Basic network defense (build a fence, deadbolt door, bars on windows); defense in depth (close garage door); active defense (electrify fence, get a dog); deterrence in cyberspace (demonstrate willingness/ability to respond: issue declaratory policy; demonstrate intent – conduct military exercises, conduct military operations).]
Full-Spectrum Cyberspace Operations
[Figure: Benign-to-Aggressive spectrum: Passive Defense (DCO); Active Defense (Response Actions) – pre-approved actions, automated responses, hunting beyond defended enclaves; Offensive Cyber Operations (OCO).]
The Necessity of Attribution
Challenges for the Defense Department
• Authorities/Laws/Oversight
– Full-spectrum ops authorized by EXORDs, which are few
– Review/approval process for full-spectrum action is not fast
• Attribution, misattribution and escalation
– Attribution to an adversary is critical for full-spectrum response
– Burden of proof is on defender – risk of misattribution hinders defense
– Risk of escalation due to unintended effects drives current resistance to move right along the spectrum of cyber operations
• Risk of involving non-combatants in this dual-use domain
• Capacity
Legal Implications of Cyber Conflict
• Jus Ad Bellum – just cause, competent authority, last resort, etc. – What if it is not war?
• Jus in Bello – Geneva Convention & Law of Armed Conflict (LOAC):
– Military necessity, distinction, & proportionality
– Who are combatants?
– What are protected sites?
– No weapon that is malum in se (evil or wrong in itself)
Source: J. Pictet (ed.), Commentary on the Geneva Convention for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field, ICRC, Geneva, 1952, p. 32
Who’s in Charge of U.S. Cyber Security?
• .mil = Dept of Defense
• .gov = Dept of Homeland Security (+ finding attribution = FBI)
• .com, .net, .edu, etc… = ???
• Role of US Gov’t vs. private sector in an overlapping domain
• Pending Cybersecurity legislation – competing interests
“We have to deconflict these issues and instead we remain foggy and keep punting”
– Sen. Barbara Mikulski (D-Md)
Col Matteo Martemucci, USAF, 318th Cyberspace Operations Group, Joint Base San Antonio-Lackland, TX
Questions/Discussion
Backup/Discussion Slides
Who Are the Actors?
• Nation-States – The “usual suspects” – …and others…
• Non-Governmental Orgs – Transnational terrorist organizations – International criminal organizations – Home-grown organizations
• Individual Actors – “Hacktivists”
Cyberspace as a Virtual Conflict Zone: The Sri Lankan Example
Source: Harinda Vidanage, “Rivalry in Cyberspace and Virtual Contours of a New Conflict Zone”, in Cyber Conflicts and Global Politics, edited by Athina Karatzogianni, Routledge, 2009
“We rose through the internet, if cyberspace was not there we could not be in politics”
– LTTE dissident leader
Three Challenges to an Effective Nat’l Security Strategy in Cyberspace:
1. The Threat Perception Problem: no duck & cover drills for a “Cyber Armageddon”
2. The Attribution Problem: real challenge or an excuse for inactivity?
3. Interagency Bureaucracy: authorities, civil liberties, perceptions & politics, public-private responsibilities
Who’s in Charge of U.S. Cyber Security?
• .mil = Dept of Defense
• .gov = Dept of Homeland Security (+ finding attribution = FBI)
• .com, .org, .net, .edu, etc. = ???
• Role of US Gov’t vs. private sector in an overlapping domain
• Pending cyber security legislation – competing interests
“We have to deconflict these issues and instead we remain foggy and keep punting”
– Sen. Barbara Mikulski (D-MD)
Authorities to Operate in Cyberspace
• Public Law – Titles of US Code
• Title 10: Military [combat] operations
• Title 50: Intelligence operations
• Title 18: Law enforcement operations
• Title 32: National Guard operations
Some Promises
• This talk will raise more questions than answers
• All concrete examples are pulled from open source materials & all hypothetical scenarios discussed are just that – hypothetical.
• Designed to get you thinking about the role of the Military, Gov’t, Industry, and the Individual as they relate to cyberspace and National Security
Purpose of the Talk
The Ubiquity of Cyber Weapons: Available to All
• Type “hacking tools” into Google – result: About 8,130,000 results (0.14 seconds)
• “Script kiddie” tools are becoming increasingly lethal
• Stuxnet source code now available on the internet
Cyberspace as a Vehicle for Economic Espionage:
• Intrusions into – Google, Oil & energy companies, Fortune 500 manufacturing company, Lockheed Martin, US Chamber of Commerce, etc.
• Of the seven cases adjudicated under the Economic Espionage Act in 2010, six involved a link to China
• Economic loss estimates range from 2 to 400 Billion dollars per year – Reflects the scarcity of data and disparity in measurement – NSF estimates that the US spends $398B on R&D (2.8% of GDP)
• There is no current “disincentive” for cyber espionage
Source: Office of the Counterintelligence Executive, Report to Congress: Foreign Spies Stealing US Economic Secrets in Cyberspace, Oct 2010
Does Economic Espionage = Cyberwar?
How Much is our Economy Tied to National (or International) Security?
A Proposal to Consider:
• The greatest threat to US National security (and international relations) is an economic one.
• The most dangerous (and most likely) long-term struggle in cyberspace will be an economic one
• Cyberspace makes it easier to cheat and steal, and in the game of economic espionage, the US has the most to lose
“Asymmetric Warfare” and the New Playing Field of Cyberspace
• Asymmetric warfare made easier in this increasingly networked world (across the D.I.M.E.)
– Easier to conduct Information warfare (PM, SC)
– Easier to conduct Military operations against a tech-dependent adversary AND a non-technical adversary
– Easier to conduct Economic warfare
– Diplomacy made difficult due to challenges of attribution, red lines, and the dependencies brought about by cyberspace & globalization
The Intelligence Agency’s Dilemma
• Do you share what you know is really happening in order to 1. foster informed debate leading to sound public policy and 2. motivate people (public, pundits, policy makers) into action?
– or –
• Do you keep what you know close-hold in order to protect your information advantage over the adversary (i.e. don’t let him know that you know)?
• IGL calculus
The Business’s Dilemma
• When your brand is based on customers’ perception of security & stability, what is your obligation to disclose your vulnerability?
• Recent SEC guidance about disclosure of cyber risk
How Much is our Economy Tied to National (or International) Security?
• If the answer is anything more than “a little bit,” then we must add this to the discussion
• We must explore the grey areas (gaps and seams) between law enforcement, homeland defense, and military action – Title 10, Title 32, and Title 50 of US Code
Does Economic Espionage = Cyberwar?
• Traditional espionage is understood to be politically or militarily motivated
• Other countries have the most to gain and the US has the most to lose in economic espionage
• Traditional espionage has been considered “fair game” with its own sets of rules (everyone does it, we all know it, we’re civil about exchanges of spies, etc.)
• Economic espionage seems to be different (how?)
Measuring “Cyber War Strength”
• It’s a question of relativity – Who has more strength, but who has more to lose?
• In terms of economic espionage, the incentive to spy is far greater for a country like China than it is for the US (include stats about # of patents & location of Fortune 500 companies)
• In a US vs. N. Korea conflict, for example, how much does cyberspace access factor into each side’s calculus?
Source: Richard Clarke & Robert Knake, Cyber War, Harper Collins, 2010
A Review of USG Strategy Documents
• 2011 International Strategy for Cyberspace
• 2011 National Strategy for Trusted Identities in Cyberspace
• 2010 National Security Strategy
• 2009 Comprehensive National Cybersecurity Initiative (CNCI)
• 2009 National Infrastructure Protection Plan
• 2008 (Jan) NSPD 54/HSPD 23 “Cybersecurity Policy”
• 2006 Quadrennial Defense Review (QDR)
• 2006 National Military Strategy for Cyberspace Operations
• 2003 National Strategy to Secure Cyberspace
The Efficacy of a Declaratory Policy for Cyberspace
• Example 1: Universal Declaration of Human Rights – Spawned numerous follow-on treaties
• Example 2: Cyberspace “Monroe Doctrine” – Both reflective of and contributing to the furthering of overall National (or international) Security
• Lukasik’s 4 criteria for effective declaratory policy: – Verifiable – Reciprocal – Robust under Change (toughest for cyberspace) – Consistent with Prior Agreements
Business vs. Gov’t approaches to Risk Management
• Risk is a function of Threat, Vulnerability, and Consequences
• Business model: Profit motive, risk = reward
• Gov’t model: minimize risk at expense of efficiency.
Trust no one…But I have to!
• Reliability/Integrity – Can I trust that the system will be there when I need it?
• Validity/Veracity – Can I trust that the data on the system are accurate?
• GPS accuracy (military applications are obvious, but what about commercial airlines, truck fleets, smart phones & personal GPS?)
• Strategic-level: Perception management through media manipulation – examples from the extreme to the benign. – nK propaganda vs. Reagan during the Summit talks w/ Gorbachev (get photo – “Photo narration” – M. Darnell p.77)
Legal challenges to Cyber War
• What does International Law say about cyber weapons?
• Existing Treaty obligations
• New international agreements that will necessarily arise – Increasing work in UN building up trend toward increasing cyber norms (Maurer paper, Harvard)
– LOAC and Jus in Bello – Necessity, Proportionality, immediacy