With all the attention pointed towards PRISM, another interesting publication was virtually overlooked. Earlier last month, a taskforce belonging to the US DoD’s Defense Science Board (DSB) released a final report titled “Resilient Military Systems and the Advanced Cyber Threat” [PDF], that reports on the findings of an 18-month research project. The DSB is a committee of civilian experts that is to advise the US DoD on scientific and technical matters. I just threw that line in here to point out that this committee is staffed by individual civilians and not representatives of the industrial military complex. This is worth mentioning, because a good portion of the report is absolutely riveting in its description of how bad they think the situation is, and this is automatically bound to become a target for those people who still don’t believe in Cyber Warfare. The report starts off with a sentiment many of us will find reasonable, and applying to cyber security as a whole (as opposed to cyber warfare specifically):
“Cyber is a complicated domain. There is no silver bullet that will eliminate the threats inherent to leveraging cyber as a force multiplier, and it is impossible to completely defend against the most sophisticated cyber attacks. However, solving this problem is analogous to complex national security and military strategy challenges of the past, such as the counter U-boat strategy in WWII and nuclear deterrence in the Cold War. The risks involved with these challenges were never driven to zero, but through broad systems engineering of a spectrum of techniques, the challenges were successfully contained and managed.” – Mr. James R. Gosler & Mr. Lewis Von Thaer – Resilient Military Systems and the Advanced Cyber Threat.
In this same opening letter, some fairly damning statements are made. One of the most significant observations was that DoD Red Teams were defeating defending teams in exercises ‘with relative ease’ by hammering them with exploits and tools found on the internet. It also mentions that the DoD networks and systems have a weak cyber hygiene position, and even the Classified networks have experienced “staggering losses” in compromised data due to successful breaches (full quote to follow).
As an aside it is mentioned that in general, security practices have not kept up with adversarial tactics and capabilities. This statement is significant because of the context it is placed in. You see, the DoD security practices are fairly solid and, in general, followed quite well. These are the same (though possibly more stringent) security practices they teach infosec practitioners in certifications such as CISSP and apparently they don’t work anymore.
The report has a long list of very interesting little factoids, but the following list of bulletpoints is a direct quote from the report:
- “The cyber threat is serious, with potential consequences similar in some ways to the nuclear threat of the Cold War
- The cyber threat is also insidious, enabling adversaries to access vast new channels of intelligence about critical U.S. enablers (operational and technical; military and industrial) that can threaten our national and economic security
- Current DoD actions, though numerous, are fragmented. Thus, DoD is not prepared to defend against this threat
- DoD red teams, using cyber attack tools which can be downloaded from the Internet, are very successful at defeating our systems
- U.S. networks are built on inherently insecure architectures with increasing use of foreign-built components
- U.S. intelligence against peer threats targeting DoD systems is inadequate
- With present capabilities and technology it is not possible to defend with confidence against the most sophisticated cyber attacks
- It will take years for the Department to build an effective response to the cyber threat to include elements of deterrence, mission assurance and offensive cyber capabilities.” – Resilient Military Systems and the Advanced Cyber Threat.
One has to wonder how much of these observations are grounded in actual fact, and what is part of the disinformation operation that is almost certainly running in the background somewhere. Regardless, there has been sharp criticism about this level of public disclosure. Should the US be publishing this information so openly? Why and to what end? Truth be told, it is hard to argue that the experience of publication is merely a positive one. You can be certain that every other nation on the planet is carefully pouring over every word, analyzing if weaknesses can be discovered. If the following quote is to believed, the US found plenty on their own:
“The DoD, and its contractor base are high priority targets that have sustained staggering losses of system design information incorporating years of combat knowledge and experience. <…> Perhaps even more significant, they gained insight to operational concepts and system use (e.g., which processes are automated and which are person controlled) developed from decades of U.S. operational and developmental experience—the type of information that cannot simply be recreated in a laboratory or factory environment. Such information provides tremendous benefit to an adversary, shortening time for development of countermeasures by years.“ – Resilient Military Systems and the Advanced Cyber Threat.
And of course, the US faces challenges in the Cyber arena that few other players will ever encounter because of the high costs associated with it. I am speaking, of course, of Supply Chain Security – also known as Hardware Hacking. In 2010, the 2nd International Conference on Information Engineering and Computer Science (ICIECS), published an article titled “Towards Hardware Trojan: Problem Analysis and Trojan Simulation” authored by members of the Zhengzhou Institute of Information Science and Technology in China, which outlined the technical approach elements for developing covertly modified hardware.
A successful corruption in an enemy’s supply chain which manages to insert malicious chips onto say, a desktop or server, would evade all security measures installed on said device. Only a particularly well tuned (and carefully looked at) network monitor would have a chance at picking up the phone-home signal or, in case of a successful intrusion, the data exfiltration itself. Given the costs associated with supply chain corruption, it would be a very safe bet that the utmost effort is done to hide any outbound traffic or to make it seem innocuous enough that you miss it when investigating. You would need a really excellent understanding of your network traffic to spot traffic that wants to stay hidden.
The entire DSB report contains so much interesting information that I couldn’t possibly put all of it in one article. One last tidbit that I would like to include here, is a quote that contains some of the ideas I wrote about in my very first article on Cyber Warfare (emphasis below is mine).
“The benefits to an attacker using cyber exploits are potentially spectacular. Should the United States find itself in a full-scale conflict with a peer adversary, attacks would be expected to include denial of service, data corruption, supply chain corruption, traitorous insiders, kinetic and related non-kinetic attacks at all altitudes from underwater to space. U.S. guns, missiles, and bombs may not fire, or may be directed against our own troops. Resupply, including food, water, ammunition, and fuel may not arrive when or where needed. Military Commanders may rapidly lose trust in the information and ability to control U.S. systems and forces. Once lost, that trust is very difficult to regain.“
“The impact of a destructive cyber attack on the civilian population would be even greater with no electricity, money, communications, TV, radio, or fuel (electrically pumped). In a short time, food and medicine distribution systems would be ineffective; transportation would fail or become so chaotic as to be useless. Law enforcement, medical staff, and emergency personnel capabilities could be expected to be barely functional in the short term and dysfunctional over sustained periods. If the attack’s effects were reversible, damage could be limited to an impact equivalent to a power outage lasting a few days. If an attack’s effects cause physical damage to control systems, pumps, engines, generators, controllers, etc., the unavailability of parts and manufacturing capacity could mean months to years are required to rebuild and reestablish basic infrastructure operation“. - Resilient Military Systems and the Advanced Cyber Threat.
There really isn’t more I could add to this. I have no doubt that development on offensive cyber capabilities will continue and the next decade will bring about possibilities we can only dream of now. With this build-up of virtual arms between the worlds’ largest nations, a comparison with the Cold War is hard to avoid. Lets just hope cooler heads will prevail again.