Wednesday, March 13, 2013

A Light Look at Cyberwar Capabilities

There has been lots of news for several months about military-grade offensive security capabilities. Within the past couple of weeks this focus has ratcheted up. The tipping point, in my mind, was when Mandiant[1] released a report on Chinese hackers that they were tracking. The report claimed a lot of things, among them that the individuals mentioned in the report were carrying out offensive attacks for the Chinese military against the US military, military contractors and other companies. That's pretty scary stuff! But keep in mind that this report was heavily hyped and coincided with one of the biggest security conferences, so maybe pure altruism wasn't at the heart of the report; maybe it was also in large part driven by PR value.

So now there are lots of people at high levels in the government talking more openly about cybersecurity threats. Generals are testifying in front of congress, the president is meeting with CEOs (I guess they're security experts?), everybody in the government seems to be saying the US is under attack and needs to defend itself. The rhetoric is building to a fever pitch and I'm a bit concerned about what this means for the future. But for now let's look at what the current situation is like.

What a lot of the talk comes down to is one thing: we're being spied on. Well hey, that's no surprise, is it? Isn't that what the whole Cold War was about? "But," we hear, "spying is a lot easier with computers because..." and then they go off and spout a lot of nonsense that comes down to "...we got caught off guard and didn't protect ourselves early enough." OK, well, that's too bad and we need to fix that problem, so let's go do that.

But then if it's so easy for other people to spy on us, isn't it easy for us to spy on them too? Aren't we already doing that? That's a side of the conversation that not a lot of mainstream media talks about, but that a lot of people in the security industry are laughing about. Just within the last couple of years there have been reports of Iranian nuclear facilities being targeted by sophisticated malicious software, and most of the evidence points to the US or US contractors as having created it. Ironically, about a year before it was officially-unofficially reported that the Iranian cyberattacks were authorized by the President, he declared that cyberattacks against the US would be considered acts of war. Whoops.

So let's look at what we know about the US cyberwar capabilities. The first thing I'll do is to look at where these US capabilities come from. There are several different angles, so I'll take a shot at enumerating them for discussion, but I'm sure I haven't gotten them all called out, so leave comments if you know of others.
  • US Civilian Government Cybersecurity groups like those run in the NSA.
  • US Military Cyberwarriors.
  • US Government contractors.
  • US allies like Israel, which supposedly has a pretty potent force.
Alright, so let's see if we can take a guess about what resources we have to bring to bear.

  • US Civilian Government Cybersecurity - I mentioned the NSA. The CIA probably also has some people. Maybe the FBI. Maybe some others. I haven't run across much information here, but if you know where some of that could come from I'd love to look at it. The White House wants a lot more of these people and I'm sure Congress is going to fund that. Now it's an interesting thought experiment to ask whether CIA analysts and traditional spies are actually cyberspies. They probably use computers as well as other techniques to carry out their jobs, but does that put them in the cyber arena?
  • US Military Cyberwarriors - There's a great article over at Foreign Policy magazine that came up with 53,000-58,000 cyber troops. Those are the ones you can count, and I've got to suspect that there are more. It's also important to note that these are just troops with an offensive mission, not a defensive one. Now to put that into perspective, this is about 4% of the 1.5M active duty troops and is more than all of the CIA (20K according to Wikipedia) and FBI (36K according to their site) agents combined! Hardly a small number. And that's just the obvious ones. No word on what they're spending, but probably a good deal of money here.
  • US Government Cyber security contractors - This is probably one of the largest parts of the cyberwarrior force. There are a lot of reasons that the government would use private companies for this, including the fact that these companies can do things that are illegal if done by the government. Also there's a lot less red tape and oversight, so you can hide a lot of money and effort this way and get them out fast. Most people suspect this is who largely developed the malicious software that targeted Iran over the better part of the last decade. We also know that companies like HB Gary have been supplying cyberweapons to the government for a while, and companies like VUPEN sell attacks as well. I think it's safe to assume that if this is true, it is a pretty mature part of the capabilities.
  • US allies - The US allies can provide a lot of things to the US, probably mostly access and information. I don't have a lot of knowledge about this, so I won't go into it too much, but if you know something, share.
That's a lot of force that the US has to bring to the cyber fight without spinning up a bunch of hype and rhetoric. So why are politicians and others talking so much about this stuff? Why not just go out and do what you want? I can't really say. I think it either comes down to distraction from other problems they would rather not address (healthcare, finances, economy, drones), or they need popular support for some new thing that they want to do and they know you wouldn't support it unless you were scared of hackers.

"What does this mean for your weekend?" or "So what?" Well for starters I think it's important to understand that there's more than one side to every story. The reality is that the US has been engaging in cyberwarfare already. Definitely against Iran and most likely against

A lot more people, a lot smarter than me, have written good stuff about this too. Here are some:
Cyberwar: You Lack Imagination by Erratasec
APT1: The Good, The Bad and The Ugly by Krypt3ia
Comments on Comment Crew by Kyle Maxwell
Mandiant APT1 Report has Critical Flaws by Jeffrey Carr
Chinese Hackers and Security Theater - a three-part series by Cyber Nonsense
Cyberwar: The Pentagon Cyberstrategy - a multi-part series by the excellent Marcus Ranum from a few years ago

[1] Mandiant seems to have gotten the lion's share of the attention (and rightly so, the report and the video they released are compelling to look at) but they're far from the only ones selling Fear, Uncertainty and Doubt (FUD). I'm not singling them out for that, just for the fact that their report and all the hype that followed in its wake seemed to make for a tipping point.