Politics & Power in Cybersecurity
Pukhraj Singh
@RungRage
[Figure: Power & Conflict in Meatspace*. Labels: Territoriality, Causality, Proportionality, Legality; War, Crime, Espionage, Defence]
* This graph is a rough generalisation
[Figure: Power & Conflict in Cyberspace. Labels: Territoriality, Causality, Proportionality, Legality; War, Crime, Espionage, Defence]
“Cyberspace is [a] continuously contested territory in which we can control memory &
operating capabilities some of the time but cannot be assured of complete control all
of the time or even of any control at any particular time”
-- Richard Danzig, adviser to President Obama
A Contested Territory
“Possession, ownership & control [of data & assets in cyberspace] do not overlap”
-- Thomas Dullien, Google Security
A Contested Territory
“[Cyber] offence & defence is the wrong dichotomy: it should be control & non-control”
-- Dave Aitel, former NSA cyber operative
A Contested Territory
“Think about it for a moment - we share the same network with our adversaries”
-- George Tenet, former CIA director (exactly 20 years ago)
A Contested Territory
This anxiety around the paradox of control, or the lack of it, in cyberspace has not waned
even a bit
A Contested Territory
“NSA’s aim: mass compromise & expansion of compromise boundaries”
-- Morgan Marquis-Boire, former writer with The Intercept
(Possibly inspired by Dullien’s work)
Try replacing “boundaries” with “territories”…
A Contested Territory
“If we were to score cyber the way we score soccer, the tally would be 462-456 twenty
minutes into the game, i.e., all offence”
-- Chris Inglis, former deputy director with the NSA
Structural Dominance of Offence via Politics
Cyber offensive A-teams rely more on political subterfuge than technical
• NSA’s TAO, SCS, etc., are hybrid & interdisciplinary teams
• “Insert vulnerabilities into commercial encryption systems, IT systems, networks, & endpoint
communications devices used by targets” – 2012 budget document of the NSA
• Traditional cryptanalysis & hacking gave way to clandestine intelligence activities or black-bag
jobs of TAO via the CIA, DIA, FBI, State Dept., NSF & NIST
• “[S]ecret efforts by the U.S. intelligence community to interdict the shipment of advanced
encryption technology to America's enemies around the world & insert ‘back doors’ into
commercially available computer, communications, and encryption technologies” – Matthew
Aid, Foreign Policy
Structural Dominance of Offence via Politics
Cyber offensive A-teams rely more on political subterfuge than technical
“[T]he NSA reviewed National Science Foundation grant…the agency appeared to use this
process to exercise control over nongovernmental cryptography research”
“[T]he NSA reviewed & approved an NSF grant application from Ron Rivest…An internal
NSA history suggests that the agency would have tried to derail Rivest's grant
application if the reviewers had understood what Rivest would do with the money”
-- Henry Corrigan-Gibbs, Stanford Magazine
Structural Dominance of Offence via Politics
Cyber offensive A-teams rely more on political subterfuge than technical
“The [EuroCrypt’92] conference again offered an interesting view into the thought
processes of the world’s leading ‘cryptologists.’ It is indeed remarkable how far the
Agency has strayed from the True Path”
-- An anonymous NSA cryptologist writing for CryptoLog, an agency newsletter
declassified in 2014
Structural Dominance of Offence via Politics
But why political?
“Investment in a high end "Man on the Side" technology stack can run you into the
billions. You'd better hope the meta doesn't change until your investment pays off. And
what are the strategic differences between TAO-style organizations and the
Russian/Chinese way? It's possible to LOSE if you don't understand & adapt to the
current up-to-date Meta of the domain you are in, no matter what your other
advantages are”
-- Dave Aitel
To rewrite the physics of the domain at will
Structural Dominance of Offence via Politics
Cyber Meta has a political architecture
• TURMOIL/QUANTUM: “Relies on its secret partnerships with US telecoms companies”
• BULLRUN: “There will be NO 'need to know’”
Structural Dominance of Offence via Politics
Cyber offensive A-teams rely more on political subterfuge than technical
Structural Dominance of Offence via Politics
Dave Aitel
• The SuperMicro story, even if partially true, follows
the same political template of A-team operations
• Were the Chinese using political leverage to tackle
attribution?
Political bureaucracy as the technical signature of a cyber operation
Lineage & Mathematics
• Nazi rocket scientists
  Wernher von Braun et al. > US space programme
  Helmut Gröttrup et al. > Soviet space programme
• CV Raman > Homi Bhabha > Vikram Sarabhai > Indian space programme
Structural Dominance of Offence via Politics
Political bureaucracy as the technical signature of a cyber operation
• “Your adversary has a boss and a budget” – The Grugq
• It defines operational tooling, tactics & tempo of the offensive team
• Is code reuse a technical thing or an expression of political semantics?
• Exploitation is a technology tree & targeting is limited by policy restrictions -- Aitel
• Did Metasploit originate in the public from the exploitation Meta of pre-2004 TAO toolchains?
Structural Dominance of Offence via Politics
Political bureaucracy as the technical signature of a cyber operation
Code Reuse: Opcodes & Ontology
• 2006: Thomas Dullien ran a “phylogenetic clustering algorithm” on a genus of
malware, finding that “although we have ~200 samples, we only have two large
families, three small families, two pairs of siblings, & a few isolated samples”
• 2011: Google acquires Zynamics
• 2012: Google acquires VirusTotal
• 2017:
Structural Dominance of Offence via Politics
Political bureaucracy as the technical signature of a cyber operation
Code Reuse: Opcodes & Ontology
• 2018:
Structural Dominance of Offence via Politics
Political bureaucracy as the technical signature of a cyber operation
Code Reuse: Opcodes & Ontology
• Exploitation is a technology tree
• Operation Aurora -> Barium/Winnti/APT17/Axiom
• Winnti >>> Hashing subroutine <<< ShadowPad/NetSarang
• Winnti >>> base64 <<< CCleaner Stage 1
• Winnti >>> String obfuscation <<< CCleaner Stage 2
(Sources: Costin Raiu, Kaspersky & Intezer)
Structural Dominance of Offence via Politics
Politics influences industry choices & dynamics
• The ciphers you use
• The processors, routers & antivirus you run
• The defensive “innovations” in the security industry
• The unjustifiable persistence of centralized architectures like DNS, SSL & BGP, etc.
• Bug classes like Spectre & Meltdown
• What hackers say, or do not say
Structural Dominance of Offence via Politics
The political choice for markets like India is whether to choose Kaspersky or FireEye
• Cybersecurity vendors become foot soldiers
• Malware used by the U.S. in offensive cyber-operations plays “nice”… “We see guardrails on
malware from nations like the U.S.” -- Kevin Mandia, CEO, FireEye
• CyberScoop recently reported that FireEye had drawn a red line around exposing certain
activities by so-called “friendlies”
Structural Dominance of Offence via Politics
Politics severely degrades the defensive architecture
Structural Dominance of Offence via Politics
Imagine this for commercial-grade enterprise security?
Cybersecurity as A Function of Power
“[C]ybersecurity is all about power & only power”
-- Dan Geer, CISO, In-Q-Tel
Cybersecurity as A Function of Power
“Cyberweapons are power projection tools”
-- Gen. Michael Hayden, former director of the CIA & NSA
Cybersecurity as A Function of Power
The Declaratory Model: 1995-2014
Aitel labelled Stuxnet as the “announcement of a team” more than anything else, which
could take out any factory, any time
The current structures of offence are biased towards declaratory dominance
Cybersecurity as A Function of Power
The Escalatory Puzzle
“Look, we’re moving into a new era here where a number of countries have significant
capacities…But our goal is not to suddenly, in the cyber arena, duplicate a cycle of
escalation that we saw when it comes to other arms races in the past, but rather to
start instituting some norms so everybody’s acting responsibly”
-- Barack Obama, 2016

BSides Delhi-2018 Keynote by Pukhraj Singh (Politics & Power in Cybersecurity)

  • 1. Politics & Power in Cybersecurity Pukhraj Singh @RungRage
  • 4. A Contested Territory: “Cyberspace is [a] continuously contested territory in which we can control memory & operating capabilities some of the time but cannot be assured of complete control all of the time or even of any control at any particular time” -- Richard Danzig, adviser to President Obama
  • 5. A Contested Territory: “Possession, ownership & control [of data & assets in cyberspace] do not overlap” -- Thomas Dullien, Google Security
  • 6. A Contested Territory: “[Cyber] offence & defence is the wrong dichotomy: it should be control & non-control” -- Dave Aitel, former NSA cyber operative
  • 7. A Contested Territory: “Think about it for a moment - we share the same network with our adversaries” -- George Tenet, former CIA director (exactly 20 years ago)
  • 8. A Contested Territory: This anxiety around the paradox of control, or the lack of it, in cyberspace has not waned even a bit
  • 9. A Contested Territory: “NSA’s aim: mass compromise & expansion of compromise boundaries” -- Morgan Marquis-Boire, former writer with The Intercept (Possibly inspired by Dullien’s work). Try replacing “boundaries” with “territories”…
  • 10. Structural Dominance of Offence via Politics: “If we were to score cyber the way we score soccer, the tally would be 462-456 twenty minutes into the game, i.e., all offence” -- Chris Inglis, former deputy director with the NSA
  • 11. Structural Dominance of Offence via Politics: “If we were to score cyber the way we score soccer, the tally would be 462-456 twenty minutes into the game, i.e., all offence” -- Chris Inglis, former deputy director with the NSA
  • 12. Structural Dominance of Offence via Politics: Cyber offensive A-teams rely more on political subterfuge than technical
      • NSA’s TAO, SCS, etc., are hybrid & interdisciplinary teams
      • “Insert vulnerabilities into commercial encryption systems, IT systems, networks, & endpoint communications devices used by targets” – 2012 budget document of the NSA
      • Traditional cryptanalysis & hacking gave way to clandestine intelligence activities or black-bag jobs of TAO via the CIA, DIA, FBI, State Deptt., NSF & NIST
      • “[S]ecret efforts by the U.S. intelligence community to interdict the shipment of advanced encryption technology to America's enemies around the world & insert ‘back doors’ into commercially available computer, communications, and encryption technologies” – Matthew Aid, Foreign Policy
  • 13. Structural Dominance of Offence via Politics: Cyber offensive A-teams rely more on political subterfuge than technical
      • “[T]he NSA reviewed National Science Foundation grant…the agency appeared to use this process to exercise control over nongovernmental cryptography research”
      • “[T]he NSA reviewed & approved an NSF grant application from Ron Rivest…An internal NSA history suggests that the agency would have tried to derail Rivest's grant application if the reviewers had understood what Rivest would do with the money” -- Henry Corrigan-Gibbs, Stanford Magazine
  • 14. Structural Dominance of Offence via Politics: Cyber offensive A-teams rely more on political subterfuge than technical
      • “The [EuroCrypt’92] conference again offered an interesting view into the thought processes of the world’s leading ‘cryptologists.’ It is indeed remarkable how far the Agency has strayed from the True Path” -- An anonymous NSA cryptologist writing for CryptoLog, an agency newsletter declassified in 2014
  • 15. Structural Dominance of Offence via Politics: But why political?
      • “Investment in a high end "Man on the Side" technology stack can run you into the billions. You'd better hope the meta doesn't change until your investment pays off. And what are the strategic differences between TAO-style organizations and the Russian/Chinese way? It's possible to LOSE if you don't understand & adapt to the current up-to-date Meta of the domain you are in, no matter what your other advantages are” -- Dave Aitel
      • To rewrite the physics of the domain at will
  • 16. Structural Dominance of Offence via Politics: Cyber Meta has a political architecture
      • TURMOIL/QUANTUM: “Relies on its secret partnerships with US telecoms companies”
      • BULLRUN: “There will be NO 'need to know’”
  • 17. Structural Dominance of Offence via Politics: Cyber offensive A-teams rely more on political subterfuge than technical
      • Dave Aitel
      • The SuperMicro story, even if partially true, follows the same political template of A-team operations
      • Were the Chinese using political leverage to tackle attribution?
  • 18. Structural Dominance of Offence via Politics: Political bureaucracy as the technical signature of a cyber operation. Lineage & Mathematics
      • Wernher von Braun et al. > US space programme
      • Nazi rocket scientists Helmut Gröttrup et al. > Soviet space programme
      • CV Raman > Homi Bhabha > Vikram Sarabhai > Indian space programme
  • 19. Structural Dominance of Offence via Politics: Political bureaucracy as the technical signature of a cyber operation
      • “Your adversary has a boss and a budget” – The Grugq
      • It defines operational tooling, tactics & tempo of the offensive team
      • Is code reuse a technical thing or an expression of political semantics?
      • Exploitation is a technology tree & targeting is limited by policy restrictions -- Aitel
      • Did Metasploit originate in the public from the exploitation Meta of pre-2004 TAO toolchains?
  • 20. Structural Dominance of Offence via Politics: Political bureaucracy as the technical signature of a cyber operation. Code Reuse: Opcodes & Ontology
      • 2006: Thomas Dullien ran a “phylogenetic clustering algorithm” on a genus of malware, finding that “although we have ~200 samples, we only have two large families, three small families, two pairs of siblings, & a few isolated samples”
      • 2011: Google acquires Zynamics
      • 2012: Google acquires VirusTotal
      • 2017:
  • 21. Structural Dominance of Offence via Politics: Political bureaucracy as the technical signature of a cyber operation. Code Reuse: Opcodes & Ontology
      • 2018:
  • 22. Structural Dominance of Offence via Politics: Political bureaucracy as the technical signature of a cyber operation. Code Reuse: Opcodes & Ontology
      • Exploitation is a technology tree
      • Operation Aurora -> Barium/Winnti/APT17/Axiom
      • Winnti >>> Hashing subroutine <<< ShadowPad/NetSarang
      • Winnti >>> base64 <<< CCleaner Stage 1
      • Winnti >>> String obfuscation <<< CCleaner Stage 2 (Sources: Costin Raiu, Kaspersky & Intezer)
  • 23. Structural Dominance of Offence via Politics: Politics influences industry choices & dynamics
      • The ciphers you use
      • The processors, routers & antivirus you run
      • The defensive “innovations” in the security industry
      • The unjustifiable persistence of centralized architectures like DNS, SSL & BGP, etc.
      • Bug classes like Spectre & Meltdown
      • What hackers say, or do not say
  • 24. Structural Dominance of Offence via Politics: The political choice for markets like India is whether to choose Kaspersky or FireEye
      • Cybersecurity vendors become foot soldiers
      • Malware used by the U.S. in offensive cyber-operations plays “nice”…“We see guardrails on malware from nations like the U.S.” -- Kevin Mandia, CEO, FireEye
      • CyberScoop recently reported that FireEye had drawn a red line around exposing certain activities by so-called “friendlies”
  • 25. Structural Dominance of Offence via Politics: Politics severely degrades the defensive architecture. Imagine this for commercial-grade enterprise security?
  • 26. Cybersecurity as A Function of Power: “[C]ybersecurity is all about power & only power” -- Dan Geer, CISO, In-Q-Tel
  • 27. Cybersecurity as A Function of Power: “Cyberweapons are power projection tools” -- Gen. Michael Hayden, former director of the CIA & NSA
  • 28. Cybersecurity as A Function of Power: The Declaratory Model: 1995-2014
      • Aitel labelled Stuxnet as the “announcement of a team” more than anything else, which could take out any factory, any time
      • The current structures of offence are biased towards declaratory dominance
  • 29. Cybersecurity as A Function of Power: The Escalatory Puzzle
      • “Look, we’re moving into a new era here where a number of countries have significant capacities…But our goal is not to suddenly, in the cyber arena, duplicate a cycle of escalation that we saw when it comes to other arms races in the past, but rather to start instituting some norms so everybody’s acting responsibly” -- Barack Obama, 2016