Cybersecurity

Federal cybersecurity initiatives timeline - Draft 1.b

An amended first cut at a list of Federal cybersecurity initiatives.  I intentionally left out some of the purely ornamental functions (White House CTOs and CIOs, NSTIC, etc.) and Departmental initiatives.  There are some recurring themes (military operations, critical infrastructure protection), a lot of organizational and governance efforts, and a few dead spots.  Rough count: Clinton: 4; Bush: 6; Obama: 17.  We'll continue to refine this.

 

Timeline: Federal Cybersecurity Efforts

Clinton

1998       PDD-63 - critical infrastructure (http://goo.gl/omfH05)

               Creation of CIAO/NIPC 

               Federal Computer Incident Response Center (http://goo.gl/481aiA)

1999       Encryption decontrol (https://goo.gl/aEb9iM)

 

Bush

2002       NSPD-16 - offensive cyber operations

2003       DHS (https://goo.gl/sJNZ3P)

               US-CERT (https://goo.gl/Gly3M0)

               HSPD-7 - critical infrastructure (http://goo.gl/DZyl84)

2004       NSPD-38 - National strategy (https://goo.gl/OX7L7V)

2008       NSPD-54 - Cybersecurity policy (CNCI) (http://goo.gl/7T7nYN)

 

Obama

2009       60 Day review (https://goo.gl/b5vK7Y)

               White House coordinator (https://goo.gl/cmbr9N)

               DHS Deputy Undersecretary for cyber (https://goo.gl/63ihOH)

               NCCIC (https://goo.gl/KEQ8tb)

               Cyber Command (http://goo.gl/XnRylS)

2010       National Cyber Incident Response Plan (http://goo.gl/PL53dG)

2011       International Strategy (https://goo.gl/vauxL1)

              Coordinator for International Cyber Issues (http://goo.gl/K075wE)

               DOD Strategy (http://goo.gl/8xIK3W)

2012       PPD-20 - military cyber operations

2013       EO 13636 - critical infrastructure (https://goo.gl/A2ePX2)

2014       NIST Framework (http://goo.gl/83loue)

2015       EO Information Sharing (https://goo.gl/saV4WM)

               EO Cyber Sanction (https://goo.gl/bLUsOX)

               DOD Cyber strategy update (http://goo.gl/v8ld6p)

               Creation of CTIIC (https://goo.gl/XM5HKm)

2016       EO CNAP (https://goo.gl/EHfGUq)

 

Congress

2002      Homeland Security Act (https://goo.gl/xOJp8b)

              Federal Information Security Management Act (FISMA) (http://goo.gl/B4VH2Z)

2014      Federal Information Security Modernization Act (https://goo.gl/eG4nuc)

2015      Cybersecurity Information Sharing Act (http://goo.gl/C9G3Dr)

Indictments, Countermeasures, and Deterrence

“What counts are the political and military consequences of a violation…since these alone will determine whether or not the violator stands to gain in the end.”
Fred Ikle, “After Detection, What?” 1961

The announcement of the indictment of seven Iranian hackers is part of a larger effort to reshape adversary thinking about the costs of attacking the United States. There has been a sequence of linked events - the PLA indictments, the response to Sony, the threat of sanctions before the Xi-Obama summit, and now these indictments. The effect is to push back against foreign-state hackers. These actions create consequences for malicious actions in cyberspace (as recommended in a 2013 CSIS report). When there is no consequence or penalty, there is no incentive to stop, and cyberspace has been largely penalty-free until recently. The indictments signal to our opponents that attacking the United States can have consequences.

Iran rapidly developed its cyber-attack capabilities after its “Green Revolution,” when political opponents of the regime used the internet to organize protests and dissent. These attack capabilities let the regime manage and then eliminate the political threat created by the internet. In developing these capabilities, Iran was helped by Russia, or at least by Russian hackers acting with the approval of the Russian state. There are no freelance hackers in Iran - the attackers are funded and controlled by the Iranian Revolutionary Guard. Iran routinely probes American critical infrastructure networks to locate vulnerabilities, has launched massive denial of service attacks against leading U.S. banks (apparently to protest sanctions), and disrupted networks and data at the Sands Casino in an effort to intimidate and punish its owner. What Iran did to Aramco in 2012 shows the kind of damage it could do in the United States if it thought it could get away with it.

The United States has been aware of Iranian activities for several years but was hesitant to say so. When the Department of Homeland Security (DHS) briefed critical infrastructure companies on how their networks were being probed, it was denied permission by the Intelligence Community, for reasons best known to itself, even to say the word “Iran” in the briefing, although Iranian involvement was an open secret. Actions like this (the DHS briefing was reported in the press) inspire more ridicule than caution in opponents. The likely cause of the self-imposed restraint was a desire not to put the nuclear talks at risk. This may explain why Sony received presidential attention while Sands did not.

This is not name-and-shame. Iran’s leaders do not burst into tears when they are named. Naming must be accompanied by consequences or the threat of consequences if it is to have effect. The Department of Justice’s approach has been to develop the case as if it were really going to court, and it does a lot of work on evidence. We will probably never see these people stand trial (as with the PLA indictments), but Justice prepares as if this were a possibility. This slows any response - as does the need to find companies willing to go public about being the victim of hacking - but the wealth of evidence in an indictment is compelling, perhaps even frightening, to opponents.

The latest indictments send a powerful message. The responses to China, North Korea and now Iran say two things: attackers are no longer invisible and there will be consequences for their actions. This message reshapes opponent thinking about the risk and potential costs of cyber actions against the United States. The effect of this is not always clear to American commentators - diplomacy and espionage are colored in half tones, not the black-and-white, clear distinction of popular culture. The most obvious evidence of change is that the PLA indictments, widely questioned when they were announced, contributed significantly to the Chinese decision to agree to refrain from commercial cyber-spying.

The United States faces four major opponents in cyberspace and the name missing from this list is Russia. Russian hackers, presumably acting with the permission of the Russian state, are the most energetic and skilled in committing financial crimes against Wall Street and other financial centers. There have been indictments against Russian hackers and some, foolish enough to travel outside of Russia, have been arrested, but these have not stopped cybercrime, suggesting that Russia has a higher tolerance for risk and a greater willingness (or desire) to flout the United States. This has implications for future actions - the United States cannot rest on its laurels and stop with these actions against China, North Korea and Iran, but must continue to create consequences for hacking incidents.

We can draw lessons from these incidents about what should be the nature of any future action. Signaling to opponents that U.S. attribution capabilities have improved markedly is a first step - the President’s 2015 State of the Union Address briefly revealed how and why they have improved when he said “we're making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism.” This means the ability to blend cyber espionage, signals intelligence and human sources gives the United States an unparalleled advantage in identifying hackers.

The second step involves countermeasures. The United States has held a long, painful discussion of cyber-deterrence that has been handicapped by approaching deterrence as a military problem, as if we were still in the Cold War. Complications arise from trying to identify how military force can be used in a “proportional response” to hacking and cybercrime, where no incident to date would justify a military response. The most effective actions so far in causing state attackers to recalculate risk have not depended on the Department of Defense or Cyber Command, but on attribution, indictments and the threat of sanctions. Looking for a military solution to cyber deterrence has tied us in knots. The better response lies in countermeasures that fall below the level of the use of force. Indictments and sanctions can make opponents wary. This will wear off if not refreshed, but the latest indictments are something we should have done a long time ago to construct the rule of law in cyberspace. Indictments make clear that the Wild West days of cyberspace are (slowly) coming to an end.

Cybersecurity Report 2016: Are We Ready in Latin America and the Caribbean?

On March 14, 2016 CSIS hosted a discussion on the state of cybersecurity in Latin America and a roll-out of the Cybersecurity 2016 report. This event was jointly sponsored by the Center for Strategic and International Studies, the Inter-American Development Bank, and the Organization of American States.

The report is available for download in both English and Spanish HERE.

Posturing and Politics for Encryption

The encryption debate has been largely unencumbered by facts. That deserves a separate discussion, but for now, let us consider Apple’s stout refusal to cooperate with the FBI in gaining access to data stored on the phone of one of the San Bernardino murderers.

Apple’s motives are clear, if not clearly expressed. The Snowden revelations damaged the brand of all American technology products. To assuage their customers, some companies offer “end-to-end” or unrecoverable encryption. It is the growth of these commercial encryption services offering unrecoverable encryption to a mass market that is of the greatest concern to law enforcement and intelligence agencies. To reassure a global market, these companies announce they will not cooperate with American authorities. This is a reasonable response to rebuild credibility, but it is not sustainable.

Managing Risk for the Internet of Things

New CSIS Report - Managing Risk for the Internet of Things: Executive Summary https://csis.org/publication/managing-risk-internet-things.

The majority of Internet “users” are machines, not people.  The devices that make up “the Internet of Things” (IoT) connect to the internet, take action, and create immense amounts of data. These devices will perform progressively more functions, creating new risks for safety and security, but we need more than anecdotes to assess risk and devise useful policies.  An initial conclusion about security and the Internet of Things is that popular portrayal significantly exaggerates and misrepresents risk. 

Actually, it's peut-être: "Cryptographic backdoors? France says, 'Non!'"

So emphatic, but still open to question.  Maybe this is intended to influence the UK parliamentary debate, but it's confusing.   

It’s not the French government, but the Minister for Digital Stuff.  French intelligence programs are still kept very close hold, with only a few political types in the national security realm being informed.   Maybe this Minister knows, maybe they don't. 

France has extensive surveillance authorities.  Renouncing "backdoors" does not mean endorsement of unrecoverable encryption. 

Moving Forward with the Obama-Xi Cybersecurity Agreement

China’s leaders often talk about the need for a “new model of great power relations.” The agreement on cybersecurity between President Xi and Obama is a first step in defining it. The agreement does not mean we are done with cybersecurity. It is the start of a long journey to define both cyberspace and the larger relationship.

Serious discussions on how to respond to China’s cyber espionage began several years ago. A strategy that combined pressure and accommodation seemed the best alternative to passivity, and U.S. concerns were raised many times, including in a December 2013 non-paper given to Chinese officials that discussed sanctions, indictments and other measures if matters did not improve. At the time, there were objections that this approach wouldn't work because Chinese culture and attitudes worked against reaching any agreement and that we could not influence their decision-making. These criticisms were wrong. If there are grounds for criticism, they would be that it was wrong to let so many months pass between the indictments (which, contrary to much of the public discourse, had a powerful effect) and any follow-on action.

Measuring Cybersecurity Success at the Summit

If press reports are accurate, it is a welcome development that the United States and China (in response to the threat of sanctions) have begun negotiations on cyber security in preparation for the upcoming summit. The Obama administration has a unique moment of leverage on cyber security with China and must be careful not to squander it. We cannot expect the summit to “fix” the problem – this will be a long process if it is serious – but we can look for certain outcomes that can demonstrate whether these presidential talks point to progress or are just another gesture.

Friends Don't Let Friends...

Recent leaks reporting that the United States might sanction China reflect growing - but not universal - agreement in Washington that the United States needs to respond forcefully to rampant Chinese cyber espionage and that the authorities established by April’s Executive Order on cyber sanctions are the best option. There are several reasons for this. First, nothing has worked when it comes to economic espionage. According to data collected by the FBI and NSA, China is responsible for more economic espionage directed at U.S. companies than any other country - perhaps more than all other countries combined. This has been true for years.

The amount of economic espionage is troubling, but even more troubling is China’s decision to ignore hints, suggestions and direct requests from the United States. This indicates a certain disrespect and is a disturbing indicator for the bilateral relationship. Cyber espionage has been raised at senior levels repeatedly since 2009. President Obama made it agenda item number one at the Sunnylands Summit. The Chinese ignored all this. The only U.S. action that got their attention was the indictment of five PLA officers in 2014. Some Americans greeted the indictments with misgiving (and others with confusion), but the indictments remain the most effective public action the United States has taken to date. The chief criticism of the indictments is that the United States has been slow to follow up. If any sanctions are a “one-off,” not followed with concrete proposals for reducing tensions, we will not gain much at all.

Some Observations about Enforcement Standards from 2,000 Pages of FTC Documents

Earlier this year I filed a FOIA case against the FTC for its failure to produce any documents in response to my request for the standards it uses in deciding whether to open an unfair trade practice investigation, or bring an unfair trade practice legal action, regarding cybersecurity under section 5 of the Federal Trade Commission Act.  On Christmas Eve last year, the FTC denied my request, saying, “We have located responsive records, all of which are exempt from the FOIA’s disclosure requirements[.]”  The FTC produced no documents, not even in redacted form.  After I filed an administrative appeal, which was denied, I filed suit in order to better inform the public about what standards are used by the FTC when deciding whether to bring a case.  On July 21, 2015, in the course of the litigation, the FTC produced over 2,000 pages of documents, consisting almost exclusively of presentations, testimony, and other public communications.  Here are some observations from these documents.  You can find a more detailed analysis, with citations, here.

UN publishes latest Report of the Group of Government Experts

Seventieth session

Item 94 of the provisional agenda*

Developments in the field of information and telecommunications in the context of international security

 Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security

 

Note by the Secretary-General

The Secretary-General has the honour to transmit herewith the report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security. 

Russian Newspaper Kommersant Interviews Special Representative Krutskikh on UN GGE Cyber Arrangements

What follows is a rough translation of an interview Russian daily Kommersant conducted with Andrei Krutskikh, special representative of the Russian President for international cooperation in the field of information security and envoy of the Russian Foreign Ministry. He speaks about recent successes in the UN Group of Government Experts (GGE) regarding agreement on "the conditions of confrontation and sanctions" and potential areas for cooperation in cyberspace between the U.S. and Russia. The interview provides a rare window into the Russian perspective on principles for conduct in cyberspace.  

LOT Airlines IT System Error Caused Flight Cancellations but Cause Unknown

On June 2, the Polish airline LOT canceled 10 flights because of an IT system failure initially believed to have been caused by hackers attacking the ground computer systems. Another 12 flights were delayed. The systems taken down were those used to issue flight plans and were down for about 5 hours.

New White House Cyber Fact Sheet

Yesterday, the White House released a fact sheet comprehensively detailing all the efforts under the current Administration to bolster cyber defenses, organize internally more effectively, enhance public-private collaboration, and engage internationally.

The timing of the fact sheet's release is meaningful, of course, but the document contains some initiatives that may be less familiar to the wider public. These include the FTC's identitytheft.gov website launched earlier this year, the Federal CIO's new dedicated "E-Gov Cyber" team, the planned deployment of EINSTEIN 3A across all federal civilian agencies by the end of 2015, new federal cyber workforce efforts, and proposals to update the Racketeer Influenced and Corrupt Organizations Act (RICO) to include provisions relating to cybercrime. 

For these alone, it's worth a read. The same document can be found on the White House website.

FBI Director James Comey Testifies on "Going Dark"

FBI Director James Comey testified before the Senate Judiciary Committee (SJC) and the Senate Select Committee on Intelligence (SSCI) today on “Going Dark” and the balance between public safety and privacy. Director Comey didn't say much that was new in his testimony, but there are a few things we picked up on.

Coast Guard Commandant Addresses Cybersecurity Vulnerabilities on Offshore Oil Rigs

At a CSIS event on the Coast Guard’s new cybersecurity strategy this past Tuesday, Commandant of the Coast Guard, Admiral Zukunft, highlighted a case in which workers on a mobile offshore drilling unit (MODU) in the Gulf of Mexico had inadvertently introduced malware to the rig’s computer system. Once inside the system, the malware disabled the signals to the dynamic positioning thrusters, which caused the floating unit to drift off of the well site. As a result, the well was temporarily shut down. It turns out that the MODU’s navigational control system is the same system that workers use to plug in smartphones and other personal computer devices. Unsuspecting individuals had downloaded infected files from online music and pornography sites, which then crossed over to the rig’s computer systems when the devices were plugged in.

An Abbreviated History of Recent Foreign Intelligence Disasters

This is not the other side collecting military, political, or economic intelligence on us.  This is the other side collecting intelligence on how we collect intelligence.  More later.

2015 - Sequence of hacks of health care companies, background investigators, culminating (so far) in OPM.  Chinese obtain security clearance background information on millions of Feds.

2015 - State Department and unclassified White House networks penetrated again, probably by Russians.

2014 - State Department and unclassified White House networks penetrated.

On the record....

I was at an event with Lisa Monaco and two other speakers last night.  It was on the record, so nothing of interest was said.  Earlier in the day I'd talked with a group of Fortune 500 CFOs and I think their questions to her would have been:

Why is the White House so keen on information sharing?  We won't share information until we have guarantees that you won't turn around and use what we share to punish us.  

Speaking of punishment, why aren't federal agencies liable for their screw-ups?  Who will be held accountable at OPM?

 

 

OPM Hack - causes not symptoms

Listening to NPR this morning reminded me how much of the cyber security discussion is like classic crime reporting, focused very much on symptoms rather than causes.  Let's take a step back and ask what the OPM hack tells us:

1.  This kind of hack is what people do to those they regard as opponents.  The PLA, the security services and the Party leadership regard the US as their primary opponent.   Some of this is vestigial Maoism - you can't have thirty years of bellowing about hegemony without it leaving some trace.  Some of this is an immature approach to great power politics tinged with Lenin's theory of imperialism.  If China at large is ambivalent about peaceful rise, the military and security services are not.  They believe that the US is their opponent and seeks to defeat them.  The US doesn't help with its various half-hearted efforts (like internet freedom) that the Chinese leadership sees as intended to undermine the regime.  The internet is a mortal threat to the Party's rule, and they justify their actions by saying that what the US seeks is regime change.  We also spy like crazy on them, which they knew and resented even before Snowden.

Hunting for Hackers, N.S.A. Secretly Expands Internet Spying at U.S. Border

An excerpt from a November 2009 discussion paper:

An alternative would be to allow the U.S. to exercise broad warning and control functions and undertake to defend cyberspace at traffic aggregation points.  Aggregation points exist in the “backbone” services of large telecommunications and internet service providers.  More than 90% of internet traffic in the U.S. passes through these service providers.  An ability to monitor traffic for malicious code and neutralize that code before it reaches its intended targets, by combining broad communications surveillance with an ability to exploit foreign intelligence to identify and defeat cybersecurity threats, would significantly improve our cyber defense.

This kind of monitoring requires “looking” at all traffic.  Congress wrote the laws regulating such monitoring for an era when it was technically impossible to review traffic for malicious code without also “reading” it - gaining an understanding of its content.  Technology can now scan traffic for malicious code without “reading” the content – like giving a person a letter written in a language they do not understand and telling them to look for a certain pattern of symbols.  They “read” the letter and look for patterns without understanding its content.  Using this to secure national networks would require broad communications surveillance combined with an ability to exploit foreign intelligence to identify and defeat cybersecurity threats.
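The "pattern of symbols" matching described above, as an added example that is not part of the discussion paper or the post: a signature scanner that operates on raw bytes at an aggregation point, never decodes or interprets the payload, and reports only which signature matched and at what stream offset. It also handles the case a real backbone sensor hits constantly, a signature split across two packets or TCP segments. The signature names, byte patterns and sample segments are constructed for illustration and are not real indicators.

```python
"""Content-agnostic byte-signature scanning over segmented traffic (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed signatures for this example: names and byte patterns are hypothetical.
SIGNATURES: Dict[str, bytes] = {
    "sig-001-pe-header": b"MZ\x90\x00",        # start of a DOS/PE executable stub
    "sig-002-unused": b"\xde\xad\xbe\xef\x13\x37",  # present to show non-matches cost nothing
    "sig-003-shell-meta": b"/bin/sh\x00",     # NUL-terminated shell path in a payload
}


@dataclass(frozen=True)
class Hit:
    """A detection: only the signature id and the absolute stream offset leave the scanner."""
    signature: str
    offset: int


class SignatureScanner:
    """Scans a stream delivered in chunks (packets, segments) for fixed byte patterns.

    The scanner keeps the last (longest pattern - 1) bytes of each chunk so that a
    pattern straddling a chunk boundary is still found, and it suppresses matches
    that lie entirely inside that carried-over tail (those were already reported).
    """

    def __init__(self, signatures: Dict[str, bytes]) -> None:
        if not signatures or any(len(p) == 0 for p in signatures.values()):
            raise ValueError("signatures must be non-empty byte patterns")
        self.signatures = dict(signatures)
        self._tail_len = max(len(p) for p in self.signatures.values()) - 1

    def scan_stream(self, chunks: Iterable[bytes]) -> List[Hit]:
        hits: List[Hit] = []
        carry = b""   # tail of the previous chunk, already scanned once
        base = 0      # absolute stream offset of carry[0] (or of the chunk when carry is empty)
        for chunk in chunks:
            buf = carry + chunk
            scanned = len(carry)
            for name, pattern in self.signatures.items():
                i = buf.find(pattern)
                while i >= 0:
                    # A match ending inside the carried tail was reported on the previous chunk.
                    if i + len(pattern) > scanned:
                        hits.append(Hit(name, base + i))
                    i = buf.find(pattern, i + 1)
            keep = min(self._tail_len, len(buf))
            base += len(buf) - keep
            carry = buf[len(buf) - keep:]
        return sorted(hits, key=lambda h: (h.offset, h.signature))


# Constructed sample traffic: three segments, with sig-003 split across segments 2 and 3.
SAMPLE_SEGMENTS: List[bytes] = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"\x00\x01MZ\x90\x00PE\x00\x00 ... payload ... /bin",
    b"/sh\x00 trailing bytes",
]


def demo() -> List[Hit]:
    """Scan the constructed segments; expected: sig-001 and the boundary-spanning sig-003."""
    return SignatureScanner(SIGNATURES).scan_stream(SAMPLE_SEGMENTS)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit.signature} at offset {hit.offset}")
```

The scanner's output is deliberately limited to the `Hit` records: no matched bytes, no surrounding context, so the component that looks at traffic hands nothing readable downstream. Reassembly across segments is the part that matters operationally; a sensor that scans each packet in isolation can be evaded simply by fragmenting the payload at the right byte.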