return to ICG Spaces home    ICG Risk Blog    discussions    newsletters    login    

A greased pig race: US cybersecurity architecture and organization

  #

 

The nature of modern cyberwarfare makes a mockery of present legal boundaries that have heretofore usefully served the US and its citizens.

 

The similarities between asymmetric and cyberwarfare are striking, so much so that it is increasingly useful to interchange titles of one when reading materials about the other. It is already clear that cyberwar cannot be won with the equivalent of 'conventional forces':

  • State and nonstate actors coexist and cooperate, with nonstate actors offering useful plausible denial.
  • Attacks, botnets included, have both foreign and domestic computer and network components, many of which are unwitting accomplices.
  • Attacks are increasingly a swarm of blended attacks combining probing, intelligence gathering, phishing (including spear phishing), DDoS, interruption/disruption, spoofing/sensor overload and/or tampering, penetration.
  • Hostile C2 (command and control) nodes may rotate, either for security or operational needs.
  • Attacks can share cyber and electrical grid components, with attacks on one compromising the capacity of the other.
  • Only certain parts of the attack may be visible at any one time - and those visible parts viewed in isolation without confirming intelligence - may have severe jurisdictional and statute roadblocks.

Generally speaking, the ability of states - at least the OECD states - and their militaries to adapt to these asymmetrical challenges seems perpetually in doubt; bureaucratic and doctrinaire issues alone make established bureaucracies and armies vulnerable. We know that, "Systems fail at their boundaries, and that includes boundaries between components and clusters of components that act as subsystems." See: Structured IT risk remediation: Integrating security metrics and Design Basis Threat to overcome scenario spinning and fear mongering, 5/17/2007.

 

It is painful to watch someone so attentive to cyber issues as Defense Tech's Kevin Coleman as he attempts to parse cyber threat ownership in such a fluid, borderless environment. Without a wholistic analysis capacity of all active and passive threats, regardless of the jurisdiction of first observance, subtle signals of surveillance and attack patterns will be missed until it is too late.

 

Time to zero exploit is narrowing. Writing in 2004, Delta between worst-case and realistic cyberattacks narrow:

[cyberattacks come in] three categories: data, analysis of data, and control. Data is often of modest value, especially when data volumes are large and/or frequently changing, and time is short. Actionable information comes from the speedy analysis of data. Poor design, design driven by cost cutting, and design taking immediate advantage of newer technologies without thinking of security intrusion have conspired to create conditions in which data, analysis and control increasingly merge...

 

I submit that increasing systems interconnectivity and interdependence is narrowing the gap between loss of data and loss of life. Pursuing the analysis of data as opposed to raw data allows perps to obtain insight that allows them to attack a target either directly or gain an understanding of the means to attack its control systems. If the default shutdown conditions of a control system are poorly designed, interrupting the control system is tantamount to overtaking the system... If the perps can spot an asymmetrical weakness they will take that path of least resistance, least cost, and least exposure.

Quaint idea: The Forward Edge of the Battle Area

 

Neither cyberwars or contemporary battlefields have a well defined FEBA (Forward Edge of the Battle Area). In many instances they share little of conventional battle structure:

Substitute cyber warriors for asymmetricals in this item from a conference on complex systems, of which homeland security was one of over forty topics:

For insurgents to exploit their asymmetries, they must also negate the asymmetries that favour the conventional force. In particular, they must avoid direct, large scale confrontation against the better equipped, trained and synchronized conventional force. This can be understood using a multi-scale perspective: by generating and exploiting fine scale complexity, insurgents prevent the conventional force from acting at the scale they are organised for: large scale but limited complexity environments.

 

By dispersing into largely independent cells, insurgents can limit the amount of damage any single attack from the conventional force can inflict. This significantly reduces the threat of retaliation from acting as a deterrent, since the insurgents have negligible physical resources exposed to retaliatory attack. Insurgents that do not wear uniforms and blend into a civilian population cannot be readily identified or targeted until they attack, in a situation of their choice. There is no longer a forward edge of the battle line, meaning softer support units are vulnerable. The number of possible locations, times and direction of attack increases significantly compared to attrition warfare, increasing fine scale complexity. The heightened potential for collateral damage from mixing with civilian populations dramatically increases the task complexity for a conventional force that must minimise the deaths of innocent civilians for any hope of strategic victory.

US cyberdefense cannot be a perpetual 'greased pig race'

 

Having long struggled for an appropriate analogy to our dysfunctional cyber jurisdictional divisions between DHS, DoD, NSA, CIA and the FBI, I first chose baseball’s Pennant Race, then NASCAR’s Race to the Chase. But both pretend too much structure; I finally settled for old fashioned pig wresting or greased pig chases. It should be noted that the pig is a juvenile, merely evasive, not hostile. Were the pig an adult sow or boar, its pursuers would be greatly the worse for wear.

 

In yet another failed run at the pig, a recent director of the National Cyber Security Center (NCSC), Rod Beckström, resigned "over what he said is the National Security Agency's (NSA) domination of the nation's cybersecurity efforts" and that "allowing the NSA to control national cybersecurity efforts is a "bad strategy on multiple grounds."

 

My observations:

  • "Homeland security" starts far beyond US borders; waiting till it arrives onshore to be discovered by DHS is too late.
  • DHS may be the traditional protector of civilian networks but they have done an miserable, execrable job of it, washing through one cyber-czar after another. (When even Dick Clarke departs, you know the situation is untennable, and there has been no effective improvement.)
  • Anyone who thought that a tiny appendage within DHS such as Rod Beckstom's National Cyber Security Center (NCSC) could perform a task that Clarke could not has no clue of how the federal bureaucracy functions, but then Beckstrom was the infinite outsider.
  • Only a group with the prestige, capability, scope and bureaucratic muscle of an NSA can mandate a Pax Cyberica.
  • NSA has the rigor and resources to work out standards of reasonably scalable response protection whereas no one in the commercial sector can come near.
  • Protecting civilian networks is herding cats UNLESS changes/upgrades are mandated to all parties lest one player think that another player is gaining a competitive advantage by skipping infrastructure upgrades. (This is exactly the same problem that is inhibiting protective improvements in the commercial power grid).
  • Yes, NSA has, in my opinion, made missteps but I extend the benefit of the doubt in saying that NSA was forward leaning in a very permissive, even cheerleading, environment coming on the heels of 11 September. Better to hold judgment until operation is reviewed under Obama’s rules.
  • I suggest that the "Beckstrom function" needs to exist, if nothing else, to deliver external news, needs and opinion back to NSA, but to do that it needs to be a group attached more to DCI and not DHS.

In a similar vein, an earlier head of DHS’s National Cyber Security Division, Amit Yoran, stated that while DHS had been demonstrably inept (demonstrated "inefficiency and leadership failure"), ceding the function to the one group that could reasonably work the problem, the intel community and NSA in particular, placed the nation in "grave peril." I submit the greater peril is to continuing to chase pigs while expecting different results.

 

The following snippets from Yoran carry my observations following COMMENT:

The government's national cybersecurity efforts would be in "grave peril" if they were dominated by the intelligence community

COMMENT: Possibly, by no means an absolutism. 

"One of the hard lessons learned from the Terrorist Surveillance Program is that such a limited review can lead to ineffective legal vetting of a program," Yoran said. "The cyber mission cannot be plagued by the same flaws as the TSP."

COMMENT: Agreed. TSP was dimly architected, archaic in responsiveness. In short, all manner of silliness that should not be repeated in any application.

Yoran said the intelligence community's mission -- to collect information on adversaries -- is at odds with the mission to secure networks. Faced with a network compromise, the intelligence community's focus would be on counterintelligence activities targeted at the offender rather than working with the public and private sector to secure the network. "Simply put, the intelligence community has always and will always prioritize its own collection efforts over the defensive and protection mission of our government's and nation's digital systems,"

COMMENT: The reflex is in that direction, but a charter can be established to achieve the mission, including all the standard career tracking for those involved so that it does not become a black hole. Also, staff must be selected, not subject to the "each dept give x people" as those people will be the most expendable.

"High levels of classification prevent the sharing of information necessary to adequately defend our systems... It also creates insurmountable hurdles when working with a broad range of government IT staffs that do not have appropriate clearances, let alone when trying to work with, communicate and partner with the private sector. Classification cannot be used effectively as a cyber-defensive technique, only one for avoiding responsibility and accountability."

COMMENT: Can be, but if standards are going to be mandated, they must be discussed for impact and rolled out to all. There can be no effective standards proliferation without sharing, negotiating, and defining both process and firmware changes.

Charney said that there was no question that the NSA was the government's center of technical expertise, but that to get the public "to trust that the networks are being secured well in a transparent fashion, the mission cannot reside in NSA."

COMMENT: The mantle of the new administration can wipe away much of that 'trust' issue. As to mechanics, see answer immediately above.

Instead, he recommended that the DHS retain its lead operational role over cybersecurity but work with the NSA in a way that utilizes the agency's technical expertise.

COMMENT: DHS has been copeless at worse, not architected to deliver or enforce at best. DHS is categorically not the center of excellence in IT hardening skills. Only NSA fullfills that role whereas DHS is seen, with good reason, as feckless.

Yoran said DHS had demonstrated "inefficiency and leadership failure" in its cyber efforts and that "administrative incompetence and political infighting" had squandered its efforts to secure the nation's infrastructure for years.

COMMENT: Correct, and if you believe this, you cannot possibly park the cyber effort within DHS.

 

The forgotten asset

 

It was widely recognized among the military collection assets, Army Security Agency (disbanded, assets rolled into INSCOM), Naval Security Group (now NIOC), and the Air Force Security Services (now Air Force Intelligence, Surveillance and Reconnaissance Agency (IRS), that they were regarded by NSA as "cheap hired help" in field collection and analysis.

 

Conversely, conventional force commanders of all services rarely understood what these three security services did and how conventional forces could reduce their electronic vulnerability. Career intelligence soldiers that did not command an infantry or armored unit, vessel or aircraft did not ascend the promotion ladder, often being transferred into non-technical billets.

 

It appears that matters are now worse as the need is ever more critical. Writing in Spring 2009 issue of the Information Assurance Technology Analysis Center (IATAC) newsletter, two serving officers, Conti and Surdu, state:

The Army, Navy, and Air Force all maintain cyberwarfare components, but these organizations exist as ill-fitting appendages that attempt to operate in inhospitable cultures where technical expertise is not recognized, cultivated, or completely understood. The services have developed effective systems to build traditional leadership and management skills. They are quite good at creating the best infantrymen, pilots, ship captains, tank commanders, and artillerymen, but they do little to recognize and develop technical expertise. As a result, the Army, Navy, and Air Force hemorrhage technical talent, leaving the Nation’s military forces and our country under-prepared for both the ongoing cyber cold war and the likelihood of major cyberwarfare in the future. One need only review the latest computer security report card, which gave the Federal Government an overall grade of C, and the Departments of Agriculture, Commerce, Defense, Interior, Treasury, Transportation, and Veterans Affairs a grade of D or lower, to understand our nation’s vulnerability.

Richard Bejtlich summarizes the issues and provides corroborating personal observations. The implications for a sustaining military cybersecurity asset are ugly and not easily resolved.

 

 

Microsoft Executive Tapped For Top DHS Cyber Post

By Brian Krebs

Security Fix

Posted at 6:53 PM ET on Mar 11, 2009

 

A Ship Without a Captain

Kevin Coleman

Defense Tech

March 10, 2009 07:49 AM

 

NSA Dominance of Cybersecurity Would Lead to 'Grave Peril', Ex-Cyber Chief Tells Congress

By Kim Zetter

Wired

March 10, 2009 | 6:24:42 PM

  

A Struggle Over U.S. Cybersecurity

By Brian Krebs

Washington Post

March 10, 2009

 

10 IT agenda items for the first U.S. CIO

Obama's appointment of Vivek Kundra marks an important first step for rectifying the nation's concerns about IT

By Paul Venezia

InfoWeek
March 09, 2009

 

Federal cybersecurity director quits, complains of NSA role

Rod Beckstrom resigns from NSCS after less than a year, citing concerns over what he said is the NSA's domination of the nation's cybersecurity efforts

By Jaikumar Vijayan

InfoWorld

March 09, 2009

 

Cybersecurity chief Beckstrom resigns

Reuters

Sat Mar 7, 2009 6:19am EST

 

Cybersecurity Chief Resigns

By SIOBHAN GORMAN

WSJ

MARCH 7, 2009

 

Cyber-Security Czar Quits Amid Fears of NSA Takeover

By Noah Shachtman

Wired

March 06, 2009 | 11:52:14 AM

 

New Cyber COCOM Likely

By Colin Clark Friday,

DoD BUZZ

March 6, 2009 6:44 pm

 

NSA gains support for cyber security role

HS Daily Wire

Published 4 March 2009

 

NSA should beef up civil cybersecurity

Ian Grant

Computer Weekly

Posted: 17:39 26 Feb 2009

 

ANNUAL THREAT ASSESSMENT

HEARING OF THE HOUSE PERMANENT SELECT COMMITTEE ON INTELLIGENCE

WITNESS: MR. DENNIS C. BLAIR, DIRECTOR OF NATIONAL INTELLIGENCE

CHAIRED BY: REPRESENTATIVE SILVESTRE REYES (D-TX)

LOCATION: 334 CANNON HOUSE OFFICE BUILDING, WASHINGTON, D.C.

TIME: 9:00 A.M. ET

DATE: WEDNESDAY, FEBRUARY 25, 2009

 

Statement for the Record

Annual Threat Assessment of the Intelligence Community for the House Permanent Select Committee on Intelligence

Dennis C. Blair

Director of National Intelligence

25 February 2009

Buck Surdu and Greg Conti Ask "Is It Time for a Cyberwarfare Branch?"

Posted by Richard Bejtlich

TaoSecurity

February 24, 2009

 

Army, Navy, Air Force, and Cyber—Is it Time for a Cyberwarfare Branch of Military?

by LTC Gregory Conti and COL John "Buck" Surdu

IA Newsletter (IATAC)

Volume 12 Number 1, pp 14-18, Spring 2009

 

Outsider to Run Cyber-Security Initiative

By SIOBHAN GORMAN

WSJ

MARCH 20, 2008

About the bears and the bees: Adaptive responses to asymmetric warfare

Alex Ryan, DSTO, Australia

Proceedings of the Sixth International Conference on Complex Systems

Editors Ali Minai, Dan Braha, Yaneer Bar-Yam

June 25-30, 2006, Boston, MA

 

U.S. cybersecurity chief resigns

By Robert Lemos

Staff Writer, CNET News

October 1, 2004 2:52 PM PDT

 

Where is the Battle-line for Supply Contractors?

By Susan A. Davidson, Maj, U.S. Army
AU/ACSC/038/1999-04

April 1999

Reprinted: Air Force Journal of Logistics, Vol 23, No 2, pp 12-19

Summer 1999

Published by DIANE Publishing

ISBN 1428990941, 9781428990944

 

FM 101-5-1/MCRP 5-2A

Operational Terms and Graphics

Headquarters, Department of the Army/U.S. Marine Corps

30 September 1997

 

Gordon Housworth



Cybersecurity Public  InfoT Public  Infrastructure Defense Public  Intellectual Property Theft Public  Risk Containment and Pricing Public  Strategic Risk Public  
 
In order to post a message, you must be logged in
Login
message date / author


There are no comments available.

In order to post a message, you must be logged in
Login