Wednesday, January 17, 2018

The role of the shotcaller

In Overwatch and many online games, one player is often designated the "shotcaller" on your team. This person has a view of the whole battlefield (i.e. is a backline player), and while they are not responsible for the overall strategy (i.e. team composition, initial setup positioning), they do make "Calls".

  • Use Ultimates/Don't use (we've already won/lost)
  • Fight (We have a chance to win!) or Run/Die on Purpose (We have lost, time to regroup)
  • Status of enemy cooldowns, location of important enemies (such as snipers)
  • Target focus (Roadhog is alone!)/Healing focus (Our Reinhardt needs heals!) 

This has direct analogies to cyber operations. I know right now military people are nodding about the OODA loop, but people always focus on the "Act" portion of the OODA loop, whereas in cyber you gain your advantage from speeding up the analysis portion.

To give you an example, let's say you ssh into a box with a stolen key, and then you notice the admin is on the box poking around. You have a set of choices. Do you immediately log out, and hope the admin doesn't notice the logs you have left by logging in? Do you root the box with an 0day, then clean up the logs, then leave immediately? Do you just continue on your mission as if they were not there, since you are probably in and out before they can figure out what's going on?
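The "logs you have left by logging in" are concrete: on a Linux box, sshd writes an "Accepted publickey for ... ssh2: <keytype> <fingerprint>" line to the auth log for every key-based login, so a stolen key shows up as a known fingerprint arriving from a source that has never used it. The following is an added example (not code from this post) of the check a defender would run over those lines; the hostnames, addresses, fingerprints and log lines are constructed for the example.

```python
"""Spot stolen-key use in sshd 'Accepted publickey' lines (added example).

Baseline: which source addresses each (user, key fingerprint) pair normally
logs in from. Then flag logins where a known key arrives from a new source,
or a never-seen key is accepted for a user.
"""
import re
from collections import defaultdict

# OpenSSH logs key-based logins as:
#   Accepted publickey for <user> from <src> port <n> ssh2: <keytype> SHA256:<fp>
ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"(?P<keytype>\S+) (?P<fp>SHA256:\S+)"
)

# Constructed sample log lines (not real hosts, addresses or fingerprints).
BASELINE_LOG = [
    "Jan 10 09:12:01 web1 sshd[1203]: Accepted publickey for alice from 10.0.0.5 port 52314 ssh2: ED25519 SHA256:aaaa",
    "Jan 11 09:15:44 web1 sshd[1250]: Accepted publickey for alice from 10.0.0.5 port 52399 ssh2: ED25519 SHA256:aaaa",
    "Jan 11 10:02:10 web1 sshd[1301]: Accepted publickey for bob from 10.0.0.7 port 40211 ssh2: RSA SHA256:bbbb",
]
NEW_LOG = [
    # alice's key, but from an address that has never used it: the stolen-key case
    "Jan 17 03:41:09 web1 sshd[2210]: Accepted publickey for alice from 203.0.113.44 port 61022 ssh2: ED25519 SHA256:aaaa",
    # bob from his usual address: benign
    "Jan 17 03:42:00 web1 sshd[2211]: Accepted publickey for bob from 10.0.0.7 port 40300 ssh2: RSA SHA256:bbbb",
    # password login: a different line format, ignored by this check
    "Jan 17 03:45:30 web1 sshd[2215]: Accepted password for bob from 10.0.0.7 port 40301 ssh2",
    # a key nobody has seen before, accepted for root
    "Jan 17 03:50:12 web1 sshd[2220]: Accepted publickey for root from 203.0.113.44 port 61030 ssh2: RSA SHA256:cccc",
]


def parse_accepted(line):
    """Return the user/src/keytype/fp fields of an accepted-publickey line, else None."""
    m = ACCEPTED_RE.search(line)
    return m.groupdict() if m else None


def build_baseline(lines):
    """Map each (user, fingerprint) to the set of source addresses seen using it."""
    baseline = defaultdict(set)
    for line in lines:
        rec = parse_accepted(line)
        if rec:
            baseline[(rec["user"], rec["fp"])].add(rec["src"])
    return baseline


def find_anomalies(baseline, lines):
    """Return (kind, user, fingerprint, src) tuples for suspicious logins."""
    findings = []
    for line in lines:
        rec = parse_accepted(line)
        if not rec:
            continue
        key = (rec["user"], rec["fp"])
        if key not in baseline:
            findings.append(("unknown-key", rec["user"], rec["fp"], rec["src"]))
        elif rec["src"] not in baseline[key]:
            findings.append(("known-key-new-source", rec["user"], rec["fp"], rec["src"]))
    return findings


def run_demo():
    """Build the baseline from BASELINE_LOG and check NEW_LOG against it."""
    return find_anomalies(build_baseline(BASELINE_LOG), NEW_LOG)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The baseline is deliberately keyed on the fingerprint rather than the username, which is what makes a stolen key distinguishable from a legitimate user logging in from a new laptop with a new key. In practice the baseline window should be long enough to cover normal roaming, and a "known-key-new-source" hit is the cue to look at what that session did next.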

Ana (who is usually the shotcaller)'s seated pose is from Carlos Norman Hathcock's pic...

A lot of people will say "This is what the operator does" but the decisions you make here affect your global scope. If you try your 0day on boxes where you are likely to get caught, that 0day can easily be burned. But if you log off immediately, your stolen key will likely be burned. If you root the box to clean up, but don't finish your mission, then they may patch or secure the box before you can get back in. A good shotcaller is NOT TOO PARANOID because the question of "Have we been found?" is a very hard one to get right and extremely high consequence.

In other words, the decisions of a shotcaller in a cyber operation (or a penetration test) are the same as in Overwatch. When to go in, when to get out, when to use which tools, where to be persistent and where to leave alone. This is different from your operational planner, who is going to be more tightly connected to your development arm and decide which tools to build and how to tie them together to get an operational capability.

Since this blog is for policy people I want to also point out the policy implications of the Persistence part of APT. Persistence induces many additional risks, especially when done in the face of an active attempt to remove you from a network. There are opsec risks, of course, but what I want to focus on are the risks to the target network.

In order to remove a persistent threat, the target is going to have to rip up large portions of their network, and the attacker is going to have to use techniques that have a chance of causing permanent damage to hardware or causing downtime. If, say, the Chinese QWERTY PANDA group's policy is to stay resident on the DNC's network even after being found, that introduces an escalatory problem first for the DNC, and then for the US.

Most governments have a default policy of "If you get caught, get out" for opsec reasons only. I would argue that it makes sense as a norm for other reasons.

Thursday, January 11, 2018

Rethinking Rethinking Security

It's worth reading Jim Lewis's paper from this week on the CSIS website. That said, I can also summarize it polemically by paraphrasing it as "Westphalian states remain the only players that really matter, and cyberwar won't change how they interact that much."

Needless to say, I think he's very very wrong in ways that are important enough to write a blog post about.

We haven't seen a cyber 9/11 only if you refuse to recognize a cyber 9/11 when it is the headline of every politico article for the past two years!

He thinks that if we define "attack" to be equivalent to "coercion against a state to achieve political effect" then it has not happened, while all any of us can do is look around and see it happening in real time! Likewise, his claims of states being robust organizations that shake cyber operations off are totally true, except that really Westphalian states are giant balloons made of reputation and shared mythos, and cyber seems like a bullet created to pop exactly that sort of thing!

My S4 talk, which is what I'm supposed to be working on right now, is the exact opposite of this position. But it's that way not because I feel like aggrandizing cyber operations, but because I have seen a different history and I honestly believe it is impossible to analyze the strategic impact of Mendez's little creation without having that whole picture. Jim says in his paper that the Internet is a creation of Millennial ideals, but the 90's hackers have had a massively larger impact on it. What does he think w00w00 is doing right now?

Where is Dug Song when you need him?

To me, not understanding click-scripts and why they are used and still doing strategic analysis is the same as not understanding the longbow but still trying to understand the battle of Agincourt. This, of course, is the kind of opinion that gets you not invited to write Lawfare pieces. :)

I'm not saying states are powerless, but if he had been hanging around inside the NSA while cyber started, and then watched it grow, he'd probably believe the river of talent and technology was mostly running the opposite way: that non-nation-states may have capabilities that rival or eclipse EVEN THE MOST ADVANCED NATION STATES. To think otherwise is to continue to develop the same cyber policy that has led to us wandering the cyber desert for forty years, and I for one think it's time to hire a cartographer or two!

I mean, if he thinks nation states are so resilient as an institution, then why exactly? Has he noticed that his barber and taxi driver are both pretty invested in bitcoin right now? Does he know a state with an unvarnished reputation for truthfulness that could withstand all forms of cyber coercion right now? Did he just watch the US govt come out with an attribution of Wannacry that was several months after Google's and backed up with basically the same stuff?

As far as I can tell the argument is this:

  • Cyber operations have had limited impact on states
  • What impact they HAVE had is beyond reach of non-state players
  • Conclusion: Don't Panic

I just think those things are so obviously false that to me the whole concept of the conclusion falls into wishful thinking. It's not just him, of course, I think there's a massive element of cognitive dissonance in a lot of people who do cyber policy. Partially because, unlike other areas of policy, a lot of people (NOT EVERYONE) just don't want to read the source material, which in this case, is often source code.

Coming back to S4, which is a conference mostly about ICS: you get the feeling from reading Jim's paper that he thinks non-nation-state hackers cannot really do the complicated modeling and physical-cyber coordination to cause physical effects. Look, the real reason is that they don't feel like it.


Tuesday, January 2, 2018

What hasn't happened

When turning around a ship of this size, there's going to be a long moment where you make neither forward nor backward progress...

I wanted to provide a counter-tale to the Paul Rosenzweig piece in Lawfare last week. We can sum it up with this quote:
Trump’s efforts in cybersecurity have not been terribly impressive. He has made some modest policy improvements and begun putting together a good team—but not much more.
But in fact I think it is a mistake to say that doing nothing is not progress, and all the areas where I have been directly involved have seen massive improvements on that front. In particular:

The VEP process was a bad idea that was about to be codified into law. Instead, it has been shaped by a team that understands the real equities and supply chain issues involved, to try to make it work strategically as opposed to being driven by an unrealistic ideology. The message previously was "We don't understand why we even need this line of the modern SIGINT business." That leads to massive brain drain and strategic failure. Now: exactly the opposite message, even though the policy has not changed a lot, as Paul mentions in his article.

A similar thing is true for the export control area. The idea that you have to cut two regulations to add any one regulation is a silly one. But it works. Previously there literally was no concept of reducing the regulatory burden from things like export control, one of the most spaghetti-like codes on our lawbooks, and one that applies equally to all American businesses, big and small. If we had a Democratic administration I have no doubt that we would have implemented the Wassenaar Arrangement's broken cyber-tools controls without even bothering to change them, or more importantly, without examining WHY they were broken in the first place.

Needless to say, the fact that the EU and the US are going in very different directions on cyber regulations is not something we can just paper over, but without some of the sillier rules in place, and a savvy and business friendly appointment at Commerce, we wouldn't have situational awareness of our policy gaps going into the near future (AI, Quantum, etc.).

To sum up: America's cyber policy overall has been moving towards something more data-based and realistic, as opposed to something purely aspirational. While yes, as Paul and many people have noted, we don't have a Universal Theory or a detailed national strategy for dealing with many of our currently known systemic threats, we are at least demonstrating that we can change our policy based on evidence, which is a good first step.

P.S. I also think the Kaspersky thing is a sign of progress, but hard to detangle that argument here. :)

Thursday, December 28, 2017

A Permanent Revolution

I wanted to end the year on a positive note, by highlighting people, some of whom you won't know, who I think represent a new wave of technical cyber policy experts doing great work on the various subjects needed in this area.

I'm not saying that this team agrees with each other on every issue, but as a whole, the community is changing to be more technical and more reality focused, and that's a good thing, and a lot of progress was made there this year. The vectors are trending up, and the enemy's gate is always down. :)

Wednesday, December 27, 2017

A slow acceptance

It's worth putting the latest Foreign Affairs piece by Susan Hennessey into context.

I'm still curious what line the OPM hack in theory crossed?
It's been obvious to many of the readers that part of the reason this blog even exists is because a lot of the members of the offensive community found it perplexing that our strategic policy centers were so off base. Last year I had a whiskey-and-policy meeting with a former govt official in the space and when he asked why I was so worked up over VEP and Wassenaar I said "Because I'm sick of getting our asses handed to us by Wikileaks and a dozen other bit players because we can't figure out where first base is let alone hit a home run once in a while!"

I see Susan Hennessey's piece as a way to try to begin to acclimatize the policy world that drastic changes need to take place. Her piece is on deterrence, but every part of the cyber policy community is heavily linked and in weird ways. You don't get deterrence without making some sort of grand bargain on crypto backdoors, in other words.

The last line is telling. It is exactly worth pointing out that not only did the last policy fail, but that it failed in predictable ways for predictable reasons.

For fifteen years we've had people at the top of the cyber policy food chain who only gave nominal support to the positions their technical community cared deeply about. Not only did the State Dept cyber team or the Obama White House cyber team not see, or not care about, the obvious ensuing chaos while it was signing the Wassenaar Arrangement; they didn't know who to call to ask about it even if they did care. It's essentially a sign of hostility to the technical community that they would ban penetration testing software without so much as sending a Facebook message to any of the companies in the States who sell penetration testing software. That hostility is the root cause of why we can't have deterrence, or other nice things.

But this has changed. There is hope, as General Leia would say. But that hope comes at the cost of acknowledging not just failure, but why we failed.

Sunday, December 24, 2017

Book Review: On Cyber: Towards An Operational Art for Cyber Conflict

Authors: Greg Conti and David Raymond

Annoyingly and ironically this book is only available in paperback, and not in electronic format.
I spent Christmas Eve on the beach re-reading this book. Moments later these same seagulls issued a flank attack that stole my apple pastry from me. :(
So I went through this book carefully looking for serious flaws. I came up with a few minor issues instead. But this and Matt Monte's book are the books that should be getting read by teams looking to get up to speed from a military angle. Maybe I would add Relentless Strike as well.

The reason this book works is that resume matters. You don't see tons of quotes from the authors stolen from the traditional canon of B.S. policy papers or Wired magazine articles. Nothing in this book is quoting a NY Times article that everyone in the know already has discounted as a disinformation effort via targeted leaks. 

I'm not saying this to be harsh - but it's a fact that almost all the books in this space suffer from a lack of experience in the area. These authors know what they're talking about in both of the domains this book straddles and it would be clear even if you didn't know who they were. The book quotes Dual Core and Dan Geer as easily as Clausewitz. 

If there are gaps in the book, they are in a failure to go the extra mile philosophically, so as to avoid ruffling feathers in the policy world. What does it mean that cyber operations can engage in N-dimensional flanking operations? They often point to contentious issues with regard to how traditional thought runs without directly naming and shaming. Tell me again how the US copyright regime is in some way different technologically from the Chinese effort against Falun Gong?

When it comes to predictions, the book fails to predict the worm revolution we're in now and is heavily focused on AI and scale, since the US military is so focused on C2-based operations, but that's a myopia that can only be corrected after operational planners have mastered the basics of maneuver in cyber. It's a US focused book, but what else would you expect?

The book also could use more direct examples than it has - if for no other reason than because they push the concepts better than raw text does. They get close to adopting the offensive community's definition of a cyber weapon, but fail to mention Wikileaks, for example. What is a click-script? Why do they exist? I want to ask this book just to have it written down in a way that future operators need to see. There are real gaps here and I'm not sure if they're intentional efforts at abstraction.

A good cyber operations class for future officers, in the US military and beyond, would do well to expand upon this book's chapters with direct examples from their own experience. But even if all they do is assign this book as required reading, they'll have done pretty well.

Saturday, December 23, 2017

Innocent until Covertly Proven Guilty

Tom Bossert made some interesting publicized comments on the Wannacry worm a few days ago. Some of the media questions were leading and predictable. There was the usual blame-the-NSA VEP nonsense which he pushed back on strongly and (imho) correctly. Likewise, there was the International Law crowd trying to claw back relevance.

Mostly what we learned from press conference is that Tom Bossert is smart and knows what he's talking about. Likewise, he realistically pointed out that DPRK has done pretty much everything wrong a State can do, and hence we've essentially emptied our policy toolbox over their heads already.

But, of course, he also made a comment on the MalwareTechBlog/Marcus Hutchins's case, essentially saying that we got lucky that he registered the Wannacry killswitch domain. Sam Varghese over at ITWire immediately wrote an article claiming I had egg on my face for positing that MalwareTechBlog in fact had prior knowledge of Wannacry, and was not being honest about his efforts. In fact, I had bet @riotnymia some INFILTRATE tickets that this would go the other way. Looks like she should book a trip! :)

A more balanced approach was taken by TechBeacon, taking into account Brian Krebs's article.

Marcus himself has been busy calling me stupid on the Internet, which I find amusing in so much as I've been around a lot of people in legal trouble over the years, from various members of the TJMaxx hacking incident, to a bunch I won't mention currently going through legal issues with computer hacking, to, even more oddly, a romantic relationship with someone whose family got accused of murder (and who also hooked up famed 4th Amendment lawyer Orin Kerr with his wife, fwiw, because the legal world is positively tiny).

Here's what I know about all people in those positions: They are essentially driven insane, like portraits shattered by a hammer. Orin, surprisingly, will argue against all evidence that we treat cyber criminals the same in the States as overseas. But we don't. We resolutely torture people and companies accused of hacking based on essentially tea-leaf reading from law enforcement (on one hand) or our intelligence organizations (in the case of nation state attribution).

Kaspersky, of course, is one of those. And it's interesting how the stories change from the newspaper leaks (was involved in an FSB op) to the standing statements on the podium from government officials across the world, which state only that Kaspersky presents "an unnecessary risk when placed in areas of high trust". What we've learned is that the UK and Lithuania have both also essentially banned Kaspersky.

In other words: We live in a world where nothing is as it seems, except when it is.