CWFI Presentation Version 1


Published on

Presentation on cyber warfare, recent examples, current capabilities of the major players, and issues relating to the advancement of cyber warfare and cyber security in the United States. The Cyber War Forum Initiative is promoted for its role in solving many elements of the issues facing the US.

Published in: Technology, Business
1 Comment
1 Like
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

CWFI Presentation Version 1

  1. 1. The Cyber Warfare Initiative the Good, the Bad, and the Ugly LiveSquare Security
  2. 2. Overview <ul><li>Cyber Warfare – hype?
  3. 3. Cyber what?
  4. 4. A recent example
  5. 5. The Players
  6. 6. Why Now? </li></ul><ul><li>The Good
  7. 7. The Bad
  8. 8. The Ugly
  9. 9. What next?
  10. 10. Resources </li></ul>
  11. 11. Cyber Warfare - Hype? <ul><li>” Moonlight Maze” - 1999 – attributed to Russia
  12. 12. ” Titan Rain” - started 2003 Titan Rain hackers gained access to many U.S. computer networks, including those at Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA. China.
  13. 13. Estonia – March 2007, Ukrain – November 2007
  14. 14. Lithuania – June 2008, Georgia – November 2008, Kyrgistan 2008
  15. 15. ” GhostNet” – 2008 to present – China, KyLin OS (BSD or ???)
  16. 16. DOD, White House, Congress, Lockheed Martin (F35 fighter)
  17. 17. Dali Lama, Germany, France, India, Australia
  18. 18. Iran
  19. 19. The battle is fought every day. </li><ul><li>If you run a network, and do not think you are being attacked... </li></ul></ul>
  20. 20. Cyber What? <ul><li>Cyber Warfare </li><ul><li>Structured seeking / intercepting / manipulating / destroying of industrial, military, economic, and social data and information systems.
  21. 21. ” Everyone is attacking everyone.”
  22. 22. Country vs. Country, Entity vs. Country, Entity vs. Entitiy, Entity vs. Individual </li></ul><li>Why? </li><ul><li>Money – western and eastern countries have publically admitted that data gathered of industrial value is passed to domestic industries. Acceleration. R & D efficiency, etc. - also a neat way to fund attackers and their toys. Money laundering.
  23. 23. Political / Military – strategic asset identification. Intelligence, Target optimization. Economic pressure and articulation. Revenge. Combined kinetic and info attack to paralyze enemy, disinform, weaken, force them to expend resources.
  24. 24. Social – why are you targeted? Why did/does Isreal socially map US phone calls? If you own a business, are in IT, or especially if you operate a security consulting practice why does your web site get visited daily by folks in China? Why is Identity Theft so huge? Do you facilitate money laundering? </li></ul></ul>
  25. 25. Cyber war: What to do <ul><li>Disrupt communications – military, business, personal
  26. 26. Disrupt and mix up commercial / financial transactions </li><ul><li>Steal money – move it away, delete it </li></ul><li>Use combination of internal and external propaganda sources to confuse / scare population and disorient ”response” entities, limit international response
  27. 27. Cause enemy to expend resources and time on futile tasks
  28. 28. Create crisis of confidence in enemy's currency, leadership, perceived stability, etc
  29. 29. Modify / Destroy information sources, infrastructure, systems – change reality / history </li></ul>
  30. 30. A Recent Example: Iran <ul><li>” hacktivisim” </li><ul><li>Austin Heap – IT guy in SF giving people instructions on how to set-up proxies to defeat state based censorship, then gave how-to do that, then how-to attack Iran's government servers. 87 countries offer proxies. Thousands of proxies. Most blocked. Iran fights back and dDOS' his servers.
  31. 31. Twitter – stopped regular maintenance to aid coordination of dissent in Iran. Aided by State Dept. and a few others.
  32. 32. Hundreds of folks around the world trying to make new ”pathways” out from Iran to send news, online video, social networking sites, and Twitter. </li></ul><li>Response </li><ul><li>Iran shuts down and shifts its Internet connections, they are back up... Values domestic intelligence gathering over PR losses?
  33. 33. The monitoring capability was provided, at least in part, by a joint venture of Siemens AG, the German conglomerate, and Nokia Corp., the Finnish cellphone company, in the second half of 2008, Ben Roome, a spokesman for the joint venture, confirmed. Source WSJ
  34. 34. Iran uses kinetic attack to stop university students from communicating to the outside world. Students killed.
  35. 35. Iran plays whack-a-mole with phones, sat phones, ”rogue” Internet connections
  36. 36. Bans all foreign media, blocks farsi news sites outside Iran, etc.
  37. 37. Iran declares an ”official end” to freedom of expression, people reject this...
  38. 38. Using a phone, if you mention the wrong keyword, your line goes dead
  39. 39. Pro-iran regime “hacktivists” breach the U of Oregon and leave a message... </li></ul></ul>
  40. 40. Lessons Learned <ul><li>Governments cannot control the Internet in their country </li><ul><li>China is failing continually, Iran has failed
  41. 41. ” Turning off the Internet” does as much damage as good
  42. 42. Choking resources does not work </li><ul><li>Proxies, non-terrestrial communications, radio relay </li></ul></ul><li>dDOS of resources can be stopped </li><ul><li>Just block / blackhole the IP space of the aggressors </li></ul><li>The flow and the information / content is as valuable as kinetic capability </li><ul><li>Truth and perception thereof is based on who can still talk. </li></ul></ul>
  43. 43. Cyber War - The Players <ul><li>More than 120 countries have or are developing cyber warfare capability.
  44. 44. China – National network configuration enhancing cyber defense, KyLin, ”green dam”, email trojans – known to have penetrated 103 countries, especially email systems. - military value
  45. 45. RBN – email malware, identity theft, BOTnets
  46. 46. The Brits, Israel (info and kinetic e.g. Gaza), Palestinians, Islamic Jihad, Al Qaeda, Russia to Uzbekistan relating to American Base.
  47. 47. Anyone who wants to play </li></ul>
  48. 48. Cyber War - The Players <ul><li>The West </li><ul><li>Estonia Cyber Defense Center of Excellence (CCD COE) - an academic cyber think tank that deals quite a bit with technical analysis of cyber events and discussion of international cyber policy to include the legal aspects of cyber warfare. (NATO) Does no monitoring, only analysis.
  49. 49. The Cyber Warfare Forum Initiative – US and allies
  50. 50. A big mess of agencies and players with many unresolved issues. </li></ul><li>The East </li><ul><li>Hundreds of cyber warfare groups funded by China, Russia, North Korea
  51. 51. Formal and excellent training in hacking / cracking systems
  52. 52. Financial funding and rewards for success to anyone
  53. 53. Russian Business Network and other organized crime
  54. 54. The East has a plan is is doing well </li></ul></ul>
  55. 55. The Players in Depth - China <ul><li>Track record of success on a large scale </li><ul><li>w/ Plausible deniability, RBN via China?, Trojan hardware </li></ul><li>Significant funding </li><ul><li>Committed to advancing offensive and defensive capabilities
  56. 56. Rewarding those who advance / prove their capabilities </li></ul><li>Hainan is a center of cyber attack activity and research. </li><ul><li>Also center of military research, major sub base, center of conflict with US ships
  57. 57. Military outpost since 110 BC! </li></ul><li>Imported software must be certified, under tax scheme
  58. 58. Building secure microprocessors with a secure operating system that runs on those chips
  59. 59. National connectivity is designed to move through ”gateways” </li></ul>
  60. 60. The Players in Depth - Russia <ul><li>Well known to use cyber warfare </li><ul><li>For war, for pressure on foreign governments </li></ul><li>Uses RBN and other groups as contractors </li><ul><li>Plausible deniability (law) </li></ul><li>Precedes kinetic war with cyber war </li><ul><li>Suggests highly tuned military strategy </li></ul><li>dDOS, malware, communications interference, propaganda </li></ul>
  61. 61. The Players in Depth - USA <ul><li>Many different players on the board </li><ul><li>Capabilities and authority in government spread thin </li></ul><li>Started seeking offensive capability in 2008 </li><ul><li>Current strategy: BOTnets, malware, interference </li></ul><li>Heavily constrained by US law, and adherence to International law
  62. 62. National communications infrastructure a disadvantage – nearly 100% privately owned
  63. 63. Capabilities largely from large US security firms that will not cooperate well
  64. 64. Successes: Trojan hardware, communications intercept </li></ul>
  65. 65. Why now? <ul><li>White House indicated and prioritized national cyber security which is based on our ability to execute and defend against cyber war. This was driven by a long series of public penetrations and a serious penetration of the Obama campaign. High visibility to the top.
  66. 66. The security industry in general sees an opportunity to resolve long standing issues.
  67. 67. Members of the security industry got together to form a ”community” driven effort to cross contaminate and share information to induce improvements and knowledge sharing. </li></ul>
  68. 68. Why now? <ul><li>WH - appoints cyber czar, national CIO, and several other IT advisory positions
  69. 69. Debate rages on who should be the top dog: person, agency, budget authority: lots of dialogue and posturing
  70. 70. Security vendors see wash of funds and line up with their suits on
  71. 71. The security community suddenly sees the need to help people to understand where we are and what is going on. </li></ul>
  72. 72. Why now? <ul><li>Although the quotes from our officials say that there is a three way tie between the US, Russia, and China... </li><ul><li>we are clearly poorly organized
  73. 73. we may have ”the capabilities” we need, but can we mobilize and utilize them? In time?
  74. 74. it should be ”self-evident” that we both need and want to improve our footings
  75. 75. The US faces a more difficult task in cyber defense than others due to network design, laws, and other issues. </li></ul></ul>
  76. 76. So? <ul><li>If China and Russia are the big competitors, and we need to ”get better”... </li><ul><li>Where are we really?
  77. 77. Who does what?
  78. 78. Is this a simple, or complex set of problems? </li></ul><li>Do the problems get solved by government, private industry, or both? </li><ul><li>Who does what?
  79. 79. Can we define the problems? </li></ul></ul>
  80. 80. CWFI – Cyber Warfare Forum Initiative <ul>Founder - Paul V de Souza, Chief Security Engineer AT&T Our mission is to promote Cyber Warfare awareness within the U.S Military, U.S Government, U.S private companies and U.S Citizens. Such mission is to be extended to all U.S allies all over the world with the intent of guarding our cyber freedoms and protecting our way of life. The Cyber Warfare Forum Initiative (CWFI) promotes innovation, unity and collaboration of various cyber security communities of interest all over the world. Our mission will be accomplished by active engagement of our team members in the fields of education (conferences and training), information sharing (forums, reports and news) and partnerships with the military, government and private sector. We invite all to join us in the fight for a safer cyberspace where confidentiality, integrity and availability rest assured. Under one umbrella of collaboration and knowledge, we can make a difference. We have a very unique group of professionals. </ul>
  81. 81. Questions <ul><li>Government is asking questions like... </li><ul><li>At what point does cyber security need, override US law?
  82. 82. When can the military ”shut down” domestic ISPs?
  83. 83. Does the Constitution allow for the government to ”take control” of the cyber security issue for everyone or just itself?
  84. 84. Is it possible to solve this problem in the private sector? </li></ul><li>Business groups / owners are asking... </li><ul><li>Can we even really defend ourselves?
  85. 85. Is this really a government / countrywide problem or should the private sector be in charge of its own house? If so, how is it a cyber defense (national)? </li></ul><li>People are asking... </li><ul><li>Why am I not safe now?
  86. 86. When will I be safe? </li></ul></ul>
  87. 87. What a mess! <ul><li>Where are we? </li></ul>
  88. 88. The Good <ul><li>CWFI on LinkedIn – debate --> policy makers (direct)
  89. 89. OWASP - Open Web Application Security Project
  90. 90. /
  91. 91.
  92. 92. OpenDNS for small business and consumers
  93. 93. Numerous web sites with links to resources... the pieces of the puzzle are out there
  94. 94. We are the most innovative people on the planet... </li></ul>
  95. 95. The Bad - Government <ul><li>NATO does not define cyber attack as an attack. Therefore, NATO countries have no defense under Article 5.
  96. 96. Investigating entities will not pursue breaches resulting in less than 700k in damages. </li><ul><li>Prosecuting external aggressors is nearly impossible </li></ul><li>China has prioritized recruiting hacking / cracking talent and is funding them as part of a national security effort. The US has a problem with hiring hackers /crackers and has done very little. This creates an asset shift to China in capabilities and R&D.
  97. 97. China's new wall has limited ex-filtration from the country and therefore, sources of attacks cannot easily be determined as they are aliased. Infiltration is shut down by shutting down the gateways. A comprehensive strategy exists in China. The US, not so much.
  98. 98. US law and constitutional issues should prevent the ”solution” from being a government owned and operated entity. However, all seem to be looking to the government for ”the solution”.
  99. 99. If the business community / private sector is the solution... </li></ul>
  100. 100. The Bad – Private Industry <ul><li>Culture problems in the security world </li><ul><li>The big squish the small - take all oxygen
  101. 101. The big security companies actively suppress the smaller companies via a multitude of means. This harms innovation. They are also not buying innovation from the smaller companies so they are simply shutting the other guys out.
  102. 102. Not Invented Here (NIH) - Anybody else's products are crap.
  103. 103. Turtle Complex - all issues within an organization must be concealed to prevent embarrassment or worse... questions.
  104. 104. Hollywood Simplex I - if you are a security vendor at a client, you are the only one doing anything of value. The others are there to try to steal your spotlight.
  105. 105. The Kids Clubhouse - if you are not a part of the *con speakers and/or attendees club then obviously you know nothing about security. Only people that attend or speak at conferences know anything worth while.
  106. 106. Power User Macho - even if you really have little understanding about what is going on: be aggressive. Ignorance is best concealed behind a good offense.
  107. 107. Megalomania - with this security product / concept / method - I shall rule the world. All others shall bow to me. Ah ha ha ha ha ha.
  108. 108. Monopoly mindset - it's better to stay on top and regularly fail than to let some punk small company show us up. </li></ul><li>Many in the information security business believe that accurate ”attribution” of cyber attacks is impossible. Therefore, no cyber warfare defense can be effectively created.
  109. 109. Little collaboration combined with the stiffling of innovation = bad day for US. </li></ul>
  110. 110. The Bad – Security Consumer <ul><li>I can't have someone embarrass me by changing &quot;my strategy&quot;. Therefore, the vendor needs to fit into my world concept
  111. 111. If people find out our problems I might lose my job... &quot;So we are fine.&quot;
  112. 112. We don't do anything with jet fighters, therefore our problems are much smaller and very different.
  113. 113. We can't solve every problem, so we will focus on responding to the stuff that hits us. We will react to issues as they come up.
  114. 114. We don't want to work with other companies. We want attackers to leave us alone and attack them. Our strategy is displacement.
  115. 115. Alphabet-soup - even though the letters and credentials have no track record of success. It is still mandatory. Letters are cool.
  116. 116. Job-dutious-abandoness - the more security stuff I/we do, the more likely it is to catch someone's eye and embarrass me/us. Wait for something bad, jump in and be a hero. Leaders are often shot in the back. </li></ul>
  117. 117. The Ugly <ul><li>Culture problems in the security industry prohibit real dialogue and solutions.
  118. 118. Most programmers do not know how to secure code.
  119. 119. Most companies don't allocate resources to security testing
  120. 120. Most ”outsourced and off-shored” projects are never reviewed for security. That ends up biting us in the... e.g. FBI, RNC
  121. 121. Controversial Assertion by me: ”Trusted Computing” is a fallacy
  122. 122. Public Key / Private Key: PKI failed and has multiple defeats (SHA1)
  123. 123. The proliferation of super computers </li><ul><li>Peer-to-Peer supercomputing – bigger than government can buy </li></ul><li>Attack sophistication is improving exponentially
  124. 124. Our enemies are more patient than we are </li></ul>
  125. 125. The Ugly <ul><li>Most ”hands on” techies leave the hands on world within 5 years. Our plans and designs are based on limited knowledge.
  126. 126. Our business' can see only one year at a time. This limits real or focused results.
  127. 127. Cloud computing companies offer outstanding local attack centers.
  128. 128. No such thing as an objective measurement or standard.
  129. 129. Folks in government ”have to spend to much time and money” to test any new technology. Slows adoption or even sensible change.
  130. 130. Breaches are so frequent, coupled with the very real problem of lingering infections from prior breaches, that quantifying and eradication of threats is nearly impossible.
  131. 131. The sophistication of the attackers vs. our ability to defend is definitely a knife to a gunfight scenario. </li></ul>
  132. 132. What next? <ul><li>US legal and Constitutional issues
  133. 133. Political football
  134. 134. More of the same
  135. 135. US becomes a distant third, 4th?
  136. 136. - or - </li></ul><ul><li>Dreamland... </li><ul><li>A move to a merit based system – everyone can play
  137. 137. Better co-operation in the security industry
  138. 138. Large coalitions of collaborators (geocentric?)
  139. 139. A ”caustic cauldron” for security testing (community based) </li></ul></ul>
  140. 140. We can see the future... <ul><li>The solution is in the private sector
  141. 141. Government shall need to protect its systems </li><ul><li>Can facilitate when necessary
  142. 142. Needs to be able to order ISP shutdowns, blocking of aggressors, and real time intelligent identification of aggressors in times of emergency / crisis
  143. 143. May regulate by sector
  144. 144. Cyber Minuteman defense? </li></ul><li>“ Attacks” must be viewed, measured, and responded to intelligently </li><ul><li>Likely a multi-stage process </li><ul><li>Not 2 stage </li></ul></ul></ul>
  145. 145. What Next? Action! <ul><li>Newbies – go and learn, read and follow, ponder and invent, educate your peers
  146. 146. Small players – collaborate, continue your innovation, evangelize
  147. 147. Big players – innovate or buy, stop the stifle, sub-contract
  148. 148. Government – national testing labs (caustic cauldron) , don't go to the dark side, open up the gene pool </li></ul>
  149. 149. Resources <ul><li>CWFI -
  150. 150. White House Cyberspace Policy Review -
  151. 151. Cyber Attacks Against Georgia: Legal Lessons Identified -
  152. 152. OWASP -
  153. 153. Dark Reading -
  154. 154. Packet Storm -
  155. 155. Security Lists -
  156. 156. Sickurity -
  157. 157. SANS TOP 25 Most Dangerous Programming Errors - </li></ul>
  158. 158. Resources <ul><li>The Evolution of Cyberwar -
  159. 159. 2001 – Report to Congress on Cyber warfare -
  160. 160. Estonia Cyber Defense Center of Excellence -
  161. 161. Searchable NIST Common Vulnerability Enumeration Database - - FREE
  162. 162. Common Attack Pattern Enumeration and Classification - - FREE
  163. 163. LiveSquare's Daily Security Bulletin - – FREE to you! </li></ul>
  164. 164. Thank you! <ul><li>Thank you Barry Wade!
  165. 165. Thank you Arizona Security Practitioners Forum
  166. 166. Thank you for coming!
  167. 167. I thank those of you who have decided to participate moving forward and look forward to your contributions. </li></ul>