Cyber Cease-Fire: US v. China

100615-640x400

As published on Norse on October 6th, 2015

Interesting times indeed, now that the outcome of Chinese president Xi Jinping’s two-day visit to the White House last week has been made public. According to the White House press release, this is what was agreed:

  • The United States and China agree that timely responses should be provided to requests for information and assistance concerning malicious cyber activities.  Further, both sides agree to cooperate, in a manner consistent with their respective national laws and relevant international obligations, with requests to investigate cybercrimes, collect electronic evidence, and mitigate malicious cyber activity emanating from their territory.  Both sides also agree to provide updates on the status and results of those investigation to the other side, as appropriate.
  • The United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.
  • Both sides are committed to making common effort to further identify and promote appropriate norms of state behavior in cyberspace within the international community.  The United States and China welcome the July 2015 report of the UN Group of Governmental Experts in the Field of Information and Telecommunications in the Context of International security, which addresses norms of behavior and other crucial issues for international security in cyberspace.  The two sides also agree to create a senior experts group for further discussions on this topic.
  • The United States and China agree to establish a high-level joint dialogue mechanism on fighting cybercrime and related issues.  China will designate an official at the ministerial level to be the lead and the Ministry of Public Security, Ministry of State Security, Ministry of Justice, and the State Internet and Information Office will participate in the dialogue.  The U.S. Secretary of Homeland Security and the U.S. Attorney General will co-chair the dialogue, with participation from representatives from the Federal Bureau of Investigation, the U.S. Intelligence Community and other agencies, for the United States.  This mechanism will be used to review the timeliness and quality of responses to requests for information and assistance with respect to malicious cyber activity of concern identified by either side.  As part of this mechanism, both sides agree to establish a hotline for the escalation of issues that may arise in the course of responding to such requests.  Finally, both sides agree that the first meeting of this dialogue will be held by the end of 2015, and will occur twice per year thereafter.

 

Second-guessing

At first glance this sounds wonderful, but it didn’t take long before the second-guessing started. With Barack Obama making statements such as “What I’ve said to President Xi, and what I say to the American people, [is] the question now is: ‘Are words followed by actions?’”.

It’s important to look at this meeting in the context in which it was held. As most people are aware, the US has been experiencing cyber-attacks almost non-stop for years now, on multiple fronts. The US criticizes China for attacking not only US government infrastructure, but commercial enterprises are suffering massive theft of intellectual property in almost every industry as well. The widely publicized OPM hackwas only the most recent event that made the American cup ‘runneth over’.

But the US is hardly the innocent victim that it portraits itself to be. Well-known whistleblower Edward Snowden revealed that the US has actively been attacking Chinese infrastructure as well, in order to ‘prepare the battlefield’ for any potential physical conflict. They have admitted doing so, but claim that no intelligence from the large cyber intelligence gathering ‘driftnet’ known mostly by its moniker PRISM is fed to American enterprises for their commercial benefit. Whether that is true, of course, remains to be seen. After all, accusations of unfair commercial advantages through government espionage have been shown to contain some substance in the past.

 

Limiting cyber-attacks

In this regard, it is not surprising that it is the US calling for an agreement on limiting the cyber-attacks between the two nations. When taking the theft of intellectual property into account, the US simply has more to lose. It should also not be forgotten that not long ago China signed a treaty with Russia that, among other things, contained a pledge that they would not hack each other. This same treaty also further solidified their efforts to influence global internet governance, about which I commented in an earlier article, giving the US all the more reason to try to calm the waters with China.

 

So what does this treaty mean?

Of the four points covered under Cybersecurity, only the first two are points with some meat to it. As also mentioned in my previous article, the Chinese are very unlikely to sign any treaty on internet norms of behavior that include a reference to the UN’s definition on human rights. The entire bullet point might as well not have been there. It is window dressing and was probably only agreed upon because it shows a willingness to ‘get along’, whether real or imagined. The last point about the ‘cyber hotline’ doesn’t actually say a whole lot at all, so let’s move on to the more salient points.

It should be noted that the US is trying to stop the attacks against American businesses while trying to keep the option of ‘battlefield preparation’ on the table. This isn’t guesswork, its public record; just look atwhat American politicians are saying on the subject. In other words, both countries now seemingly agree that attacks on government networks are more-or-less allowed, but commercial enterprises are considered off-limits. In the unlikely event that both parties actually honor the agreement, this would be a clear win for the US.

 

An unlikely agreement

And that the agreement will be honored does seem very unlikely. For one, the Chinese government has never acknowledged that it has any involvement in cyber-attacks against commercial enterprises, and it is highly unlikely that they ever will. If those attacks would now suddenly cease, it would be a tacit admission that it had such control in the first place and put the lie to every official statement the Chinese government has ever issued on this topic. Another important factor is the simple question of “Cui Bono?”. Who benefits? The Chinese would lose a very effective method for national advancement in many areas, and the only cost thus far has been (relatively light) international criticism. They would gain nothing, whereas the US would gain a stopgap in the massive IP drain.

In short: The agreement seems a bit one-sided and that does not bode well. It may well be that China agreed only to stave off the sanctions that the US has been casually dropping to the press recently. Whether China takes these sanctions seriously is debatable, because China still remains the greatest holder of US debt, which means it can give a considerable pushback. Then again, China not honoring the agreement is probably expected. Despite what some critics may say, the people involved in drafting this treaty are not fools. With this agreement on the table it makes the American case much stronger if Chinadoes violate it, as Jason Healey points out.

As always, time will tell.

 

PRISM: Tip of the Cyber Intel Iceberg

PRISM Slide 1When Edward Snowden published information on PRISM – a rather drastic intelligence gathering program in which several (assume All) government agencies such as the FBI and the NSA draw intelligence from major tech companies such as Microsoft, Skype and Facebook – he was immediately revered and reviled by the general populace. Especially within the US armed forces community, the general sentiment seems to be that he’s a traitor and someone needs to go fetch a rope. But really, how much of this is new or even unexpected?

Right after the 2nd World War in March of 1946, a multilateral agreement between the UK, the US, Canada, Australia and New Zealand was signed in which they agreed to cooperate and share intelligence. This was originally intended to be mostly Signals intelligence, but has long since been extended to include much more. This intelligence alliance between those five nations has become known as Five Eyes. It was a secret treaty (allegedly even kept from the Australian PM’s until ’73) but has been exposed for quite some time now. In fact, Canadian Brigadier-General James S. Cox (RET) wrote a rather salacious paper on this treaty, and to illustrate just how well this treaty is working out can be gleaned from the following paragraph in the executive summary of said paper (emphasis mine):

 “The Five Eyes intelligence community grew out of twentieth-century British-American intelligence cooperation. While not monolithic; the group is more cohesive than generally known. Rather than being centrally choreographed, the Five Eyes group is more of a cooperative, complex network of linked autonomous intelligence agencies, interacting with an affinity strengthened by a profound sense of confidence in each other and a degree of professional trust so strong as to be unique in the world.” – “Canada and the Five Eyes Intelligence Community” by Brig-Gen James S. Cox (RET).

This profound sense of confidence in each other likely stems from the fact that they’ve been doing this for over 60 years, and I would hazard that this partnership has had its strength tested a few times. Successfully, from the looks of it. Either way, I think it is a safe assumption that the UK, Canada, New Zealand and Australia are as much to blame for PRISM as the Americans. Funny how none of them have mentioned their unfettered access to this raw data, hmm?

What boggles my mind is how little people seem to care. Maybe the name ECHELON rings a bell? This was an expansion on collection and analysis in the 60’s to this same Five Eyes program. I should stress that the actual gathered (and shared) intelligence included much more than just signals intelligence. We’re talking raw internet data. Raw, meaning absolutely everything that passed through, without any kind of filter. If you said it through any kind of internet-connected medium, through any American provider, service or product, you have definitely been logged there. And even not using any of said American providers, services or products, your traffic could still have been routed through PRISM, depending on where you are, where the servers are that you connected with, or how traffic was routed. And that’s just assuming that this traffic was really only collected in the US, which may not be the case now that we’ve established that at least 4 other countries were actively in on this program.

Now that we’ve firmly established the “who” part of this whodunit –or at least establish who benefits-, its time to look a little closer at what happened.

So what happened with PRISM?
Simply put, since somewhere as early as 2007 the various US intelligence and Law Enforcement agencies used the law to gain access to information harvested by tech giants such as Microsoft, Google, Apple, Yahoo, Facebook, Skype and Youtube. This means that they had access to a multitude of heavily used social media sites such as Facebook, Skype, Twitter and Youtube, but also cloud services such as iCloud, Google Drive and Dropbox. This was all done legally under US laws. Their alleged goal was to monitor foreign communications that take place on US servers, but of course it couldn’t hurt that what they collected included everything under the virtual sun – including stuff on American citizens and US allies.

Edward Snowden brought to light just exactly what is going on, and how it’s done. For those of us who have an IT-technical background, it doesn’t take much imagination. It can be done easily, and not to my surprise, this is what they did. Snowden published a PowerPoint presentation containing 41 slides on this, but interestingly only 5 of those slides were published. The remaining slides are, apparently, so “hot” that nobody wants to burn themselves by publishing it. Both the Guardian’s Glenn Greenwald and the Post’s Barton Gellman have made it clear that the rest of the PowerPoint is dynamite stuff which we’re not going to be seeing any time soon. “If you saw all the slides you wouldn’t publish them,” wrote Gellman on Twitter, adding in a second tweet: “I know a few absolutists, but most people would want to defer judgment if they didn’t know the full contents.”. I think that I speak for most Europeans when I say that I disagree strongly with Gellman, and would very much like to see the remaining slides.

Although the slides that have been published can be easily found without my help, I would be remiss in not adding them here for your enjoyment. Much of the international outrage can be explained by these pictures. And by outrage, I mean by the people, not the other governments. Any outrage on their behalf is geopolitical theatre, because every government in the world is either doing this, or would very much like to. You only have to look at the recently unveiled DGSE (French secret service) surveillance program which operates in exactly the same vein as PRISM.

Without further ado, here are the slides that were published from Snowden’s originally 41 slides:

PRISM Slide 1

 

PRISM Slide 2

 

PRISM Slide 3

 

PRISM Slide 4

 

PRISM Slide 5

 

UPDATE
My apologies. Apparently I had missed the release of 4 more slides by Washington Post around July 1st. Unfortunately these slides don’t really do much but add to the confusion. Nevertheless I would like to share these with you too.

prism slide 6

 

 

prism slide 7

 

prism slide 8

 

prism slide 9

The Chilling State of Cyber Affairs

CWWith all the attention pointed towards PRISM, another interesting publication was virtually overlooked. Earlier last month, a taskforce belonging to the US DoD’s Defense Science Board (DSB) released a final report titled “Resilient Military Systems and the Advanced Cyber Threat” [PDF], that reports on the findings of an 18-month research project. The DSB is a committee of civilian experts that is to advise the US DoD on scientific and technical matters. I just threw that line in here to point out that this committee is staffed by individual civilians and not representatives of the industrial military complex. This is worth mentioning, because a good portion of the report is absolutely riveting in its description of how bad they think the situation is, and this is automatically bound to become a target for those people who still don’t believe in Cyber Warfare. The report starts off with a sentiment many of us will find reasonable, and applying to cyber security as a whole (as opposed to cyber warfare specifically):

Cyber is a complicated domain. There is no silver bullet that will eliminate the threats inherent to leveraging cyber as a force multiplier, and it is impossible to completely defend against the most sophisticated cyber attacks. However, solving this problem is analogous to complex national security and military strategy challenges of the past, such as the counter U-boat strategy in WWII and nuclear deterrence in the Cold War. The risks involved with these challenges were never driven to zero, but through broad systems engineering of a spectrum of techniques, the challenges were successfully contained and managed.”Mr. James R. Gosler & Mr. Lewis Von Thaer – Resilient Military Systems and the Advanced Cyber Threat.

In this same opening letter, some fairly damning statements are made. One of the most significant observations was that DoD Red Teams were defeating defending teams in exercises ‘with relative ease’ by hammering them with exploits and tools found on the internet. It also mentions that the DoD networks and systems have a weak cyber hygiene position, and even the Classified networks have experienced “staggering losses” in compromised data due to successful breaches (full quote to follow).

As an aside it is mentioned that in general, security practices have not kept up with adversarial tactics and capabilities. This statement is significant because of the context it is placed in. You see, the DoD security practices are fairly solid and, in general, followed quite well. These are the same (though possibly more stringent) security practices they teach infosec practitioners in certifications such as CISSP and apparently they don’t work anymore.

The report has a long list of very interesting little factoids, but the following list of bulletpoints is a direct quote from the report:

  • “The cyber threat is serious, with potential consequences similar in some ways to the nuclear threat of the Cold War
  • The cyber threat is also insidious, enabling adversaries to access vast new channels of intelligence about critical U.S. enablers (operational and technical; military and industrial) that can threaten our national and economic security
  • Current DoD actions, though numerous, are fragmented. Thus, DoD is not prepared to defend against this threat
  • DoD red teams, using cyber attack tools which can be downloaded from the Internet, are very successful at defeating our systems
  • U.S. networks are built on inherently insecure architectures with increasing use of foreign-built components
  • U.S. intelligence against peer threats targeting DoD systems is inadequate
  • With present capabilities and technology it is not possible to defend with confidence against the most sophisticated cyber attacks
  • It will take years for the Department to build an effective response to the cyber threat to include elements of deterrence, mission assurance and offensive cyber capabilities.” – Resilient Military Systems and the Advanced Cyber Threat.

One has to wonder how much of these observations are grounded in actual fact, and what is part of the disinformation operation that is almost certainly running in the background somewhere. Regardless, there has been sharp criticism about this level of public disclosure. Should the US be publishing this information so openly? Why and to what end? Truth be told, it is hard to argue that the experience of publication is merely a positive one. You can be certain that every other nation on the planet is carefully pouring over every word, analyzing if weaknesses can be discovered. If the following quote is to believed, the US found plenty on their own:

 The DoD, and its contractor base are high priority targets that have sustained staggering losses of system design information incorporating years of combat knowledge and experience. <…> Perhaps even more significant, they gained insight to operational concepts and system use (e.g., which processes are automated and which are person controlled) developed from decades of U.S. operational and developmental experience—the type of information that cannot simply be recreated in a laboratory or factory environment. Such information provides tremendous benefit to an adversary, shortening time for development of countermeasures by years.Resilient Military Systems and the Advanced Cyber Threat.

And of course, the US faces challenges in the Cyber arena that few other players will ever encounter because of the high costs associated with it. I am speaking, of course, of Supply Chain Security – also known as Hardware Hacking. In 2010, the 2nd International Conference on Information Engineering and Computer Science (ICIECS), published an article titled “Towards Hardware Trojan: Problem Analysis and Trojan Simulation” authored by members of the Zhengzhou Institute of Information Science and Technology in China, which outlined the technical approach elements for developing covertly modified hardware.

A successful corruption in an enemy’s supply chain which manages to insert malicious chips onto say, a desktop or server, would evade all security measures installed on said device. Only a particularly well tuned (and carefully looked at) network monitor would have a chance at picking up the phone-home signal or, in case of a successful intrusion, the data exfiltration itself. Given the costs associated with supply chain corruption, it would be a very safe bet that the utmost effort is done to hide any outbound traffic or to make it seem innocuous enough that you miss it when investigating. You would need a really excellent understanding of your network traffic to spot traffic that wants to stay hidden.

The entire DSB report contains so much interesting information that I couldn’t possibly put all of it in one article. One last tidbit that I would like to include here, is a quote that contains some of the ideas I wrote about in my very first article on Cyber Warfare (emphasis below is mine).

The benefits to an attacker using cyber exploits are potentially spectacular. Should the United States find itself in a full-scale conflict with a peer adversary, attacks would be expected to include denial of service, data corruption, supply chain corruption, traitorous insiders, kinetic and related non-kinetic attacks at all altitudes from underwater to space. U.S. guns, missiles, and bombs may not fire, or may be directed against our own troops. Resupply, including food, water, ammunition, and fuel may not arrive when or where needed. Military Commanders may rapidly lose trust in the information and ability to control U.S. systems and forces. Once lost, that trust is very difficult to regain.” 

The impact of a destructive cyber attack on the civilian population would be even greater with no electricity, money, communications, TV, radio, or fuel (electrically pumped). In a short time, food and medicine distribution systems would be ineffective; transportation would fail or become so chaotic as to be useless. Law enforcement, medical staff, and emergency personnel capabilities could be expected to be barely functional in the short term and dysfunctional over sustained periods. If the attack’s effects were reversible, damage could be limited to an impact equivalent to a power outage lasting a few days. If an attack’s effects cause physical damage to control systems, pumps, engines, generators, controllers, etc., the unavailability of parts and manufacturing capacity could mean months to years are required to rebuild and reestablish basic infrastructure operation“. – Resilient Military Systems and the Advanced Cyber Threat.

There really isn’t more I could add to this. I have no doubt that development on offensive cyber capabilities will continue and the next decade will bring about possibilities we can only dream of now. With this build-up of virtual arms between the worlds’ largest nations, a comparison with the Cold War is hard to avoid. Lets just hope cooler heads will prevail again.

The Dutch, the Yanks, the Cloud and YOU

Recently a research project by the Amsterdam University [PDF Alert] revealed that US law allows for the US government to access information stored in the Cloud, by (ab)using the PATRIOT act. Multiple Dutch politicians have started asking questions from state secretary Teeven of the Justice department as to whether he knew about this before the research project, and whether he did anything to prevent this or to warn Dutch citizens about this potential breach of privacy. He has since sent in an official answer. Unsurprisingly, he confirms that the issue is real, but does not answer the question about whether he knew about this beforehand. He goes on to saying that it is up to each individual to be careful with any information they publish online, be it to a cloud-based service or anywhere else.

What surprises me, is that people still don’t seem to understand what the Cloud is, what it does and how it works. The effects of the PATRIOT act have long been known, and its effects have been hotly debated for years. How is this any surprise to anyone?

Please follow this logic:

The Cloud is the Internet. It really is that simple. Cloud Services are simply applications that run on clustered computer systems. Maybe on two, ten, a hundred or a thousand systems at a time, it doesn’t matter. Users –and data- are replicated to every system in this cloud regardless of where they are. There could be ten in your own country, twenty in the US and another fifty in Russia. This is (most often) invisible to the end user, and very often special effort is made to keep this invisible to the end user, and to make it one big system regardless of what server you are connecting to, or from where. To be on the safe side, you should assume that regardless of where you are located when you upload data, it is uploaded to the entire grid – not just the part in your country.

And it matters where these systems are located geographically, because that is the only factor in the question as to what country’s laws this system –and more importantly the data on that system- is subject to. For example: Google has servers dedicated to Google Docs in a lot of countries such as the Netherlands, Germany, Britain, the US and probably several countries in Asia. You upload a document to Google Docs while in the Netherlands. As soon as you do, it is replicated to either all the systems all over the globe, or replicated between central data storages all over the globe. It is generally safe to assume that your data will be everywhere, regardless of where you are. ANY country that has Google servers for Google Docs within its borders can in theory –this depends on what laws exist in said country- demand access to this data. The US is almost certainly not the only government that can do this, but even if no other country has such laws, you can rest assured that if the need ever arises (from a national security standpoint) to access your data, things tend to get very ‘flexible’ on very short notice in most countries. Therefore you should assume that you can not trust any online service with your data, regardless of its classification or nature.

As has always been the case, in the end you –and only you- remain the only person responsible for what happens to your data. If you absolutely do not want it leaked, don’t put it on the internet.

Correlating and Escalating Cyber

On September 20th, CNet reported on a new wave of malware called ´Mirage´, embedded in PDF´s that were distributed through spear-phishing attacks against a multitude of targets, such as a Philippine oil company, a Taiwanese military organization and a Canadian energy firm. The attackers´ target set also included firms in Brazil, Israel, Egypt and Nigeria. Their report was based on the findings of Silas Cutler, a security researcher at Dell CTU. The researchers declined to comment on the origins of this new malware, but as we´ve seen before the characteristics of this digital crimewave are a dead match to the likes we´ve encountered during Night Dragon, Operation Aurora and pretty much everything we´ve seen coming out of China the last decade. Call me old-fashioned, but when I read attack characteristics such as these, I feel confident that a talk with the PRC is warranted:

  • Widespread – broad targeting of an entire industry, aiming for commercially sensitive data;
  • Not extremely sophisticated, just adequate to get in;
  • Supporting command and control network is highly active;
  • Attacks seem well-prepared and highly organized;
  • Some of the malware is made by the Honker Union (a well-known Chinese hacker group);
  • Command and control IP address belonging to China, as did three others that have been used in the Sin Digoo affair earlier;

Looking at this pretty much confirms that those talks US Secretary of Defense Leon Panetta had with the Chinese recently about exactly these kinds of cyber-attacks, had little effect. Considering how much American debt is held by the Chinese, you would have to ask yourself just how hard a line the US can draw against such practices, but other countries would probably do well to start talking more sternly through the diplomatic channel with China. Make no mistake: the economic damages of these attacks are so high that involvement is definitely required at the state level.

Getting out of Dodge first
So here we have a rather clear-cut case of attacker correlation which, as ever, is done pretty much after the fact by an international firm who investigated the malware. My question is: How do you deal with this as a nation, as it happens?

This one question breaks down into a number of smaller issues. First off, you´d have to establish at least somewhat formally who defends what network. And let’s be fair: if you´re a democracy, it’s unlikely to be just one entity. The second issue you have to tackle is detecting the actual attack as it happens. Some network administrators will be able to, others won´t. To be of any use on a national level, defenses on all networks should probably be somewhat similar. At least quality-wise, you´d need them to be similar otherwise you wouldn´t be able to determine the whole scope of each outbreak, even after the fact.  This begs the question as to how wise or desirable it would be to regulate information security measures in some way. In many companies, information security is still seen only as an expense and not as a requirement, even though we can cite countless examples of companies being severely damaged by successful cyber-attacks.

So let’s assume we know who defends every network, and assuming they can all detect a new wave of malware as they happen. Then what? This information is usually kept a secret (or ignored, but that’s another matter entirely) and no signals are exiting these defending parties. When is the last time you called your government after a major cyber-attack hit your company? If you can answer that question, you´re really in a minority and most likely operating in a heavily regulated industry such as Finance or Healthcare. The rest is pretty much left to fend for itself. Attacked entities need a local place to send information about these attacks. I would argue that for governments to be able to correlate various cyber-attacks, it must first have a central authority to which each entity can report attacks on their networks and systems. I haven´t heard of any country having this, but a while back a couple of my friends here in the Netherlands started talking about the lack of such an authority. This was thought up during a brainstorming session at the Dutch MoD and initially dubbed a Security Operation Center (SOC). Even though I feel this name is somewhat ambiguous, let’s keep it for now. Given its national scope, we should probably stick to the CERT naming convention and call it GOVSOC.

Alright, then what?
At the risk of becoming repetitive, let’s assume for now that such a GOVSOC is formed and operational. You´d then need to devise thresholds and escalation paths, along with policies to deal with all eventualities. You´d also need some pretty good agreements with law enforcement, the military and civil government. All three of these parties need some kind of mandate to be able to act on information. It would also need to be covered how each of these parties will act on given information. In case of an actual cyber-attack wave being detected, it would first need to be established on whether there is nation-state involvement or if it´s cybercrime. In case of nation-state involvement, what would you want your government to do? Even when you´re certain who did what, what are thresholds to acting on it? How big must the damage be before diplomatic relations deteriorate? Is this affected by how much you engage in these activities yourself?

Maybe I’m wrong, and I sure hope I am, but I haven´t heard of any country getting to this point yet. Many have been debating these and similar questions, but how about some action? For instance, in the Netherlands the National Cyber Security Center (NCSC) seems like a great candidate to embed that GOVSOC function in. Its government, but it’s a public-private collaboration. If you know of any such developments in your country, please share it with me.