In my last column, we looked at cyberterror and puzzled aloud about "if it's so horrible, why isn't it happening?" In this episode, we're going to tackle the most straightforward aspect of cyber-badness: espionage. While it's straightforward, it scares me more than any of the other cyber-badness.
This series of columns is based on a set of talks I gave as the keynote for IDC's CEMA Security Roadshow in 2008, with additional material and commentary. As always, I welcome constructive feedback at [email protected].
Perhaps the salient point about espionage - all espionage - is that destroying or damaging the target is self-defeating. The effective spy is a parasite; they embed themselves somewhere they can see, hear and collect data unobtrusively. Espionage is a strategic activity, not a tactical one: you want to have your spies in place in deep cover for a long time, so that they can provide strategy-building information during peacetime and carefully selected tactical information during wartime. We're all probably familiar with the famous story of ULTRA during WWII - Churchill had to allow a convoy to fall prey to a U-boat wolf pack because if the convoy changed course the German Naval command might have realized their codes had been compromised. Converting strategic espionage assets into tactical assets almost always increases the chance they will be compromised or the enemy will change their procedures.
Imagine, if you will, a planning meeting between cyberwarriors and cyberspies. It would not go well. The cyberwarrior thumps his fist on the table and announces, "At 2:15am tomorrow, we launch the attack and collapse the enemy's command/control network!" The cyberspy, horrified, rejoins, "If you do that, you'll completely blind half our assets at the most critical moment in the battle. Thanks, you big idiot!"
Historically, armed forces have tactical intelligence-gathering capabilities, as well as strategic intelligence capabilities directed toward likely foes. In the US, the Pentagon has the Defense Intelligence Agency (DIA) which is separate from the former strategic intelligence agency, the Central Intelligence Agency (CIA).(1) This compartmentalization is useful for preventing exactly the kind of problems I'm describing - parallel organizations working at cross-purposes may not be as efficient but it gives security. So, how does cyberespionage fit in? Simple: it's just another form of "espionage as usual." Competent spies will adopt The Internet as a convenient replacement for dead drops and will find it's a lot easier to copy data onto a thumb-drive than to photograph it with a miniature camera - but that's nothing new.
Aldrich Ames, the KGB's mole in the CIA, carried Top Secret data home on floppy disks and CDROMs; does that make him a cyberspy? I don't think that's a worthwhile distinction.
The CyberEspionage Kerfluffle
Recently there has been a great deal of news-play about supposed Chinese cyberespionage "attacks" against US Government agencies and defense-related firms. The entire situation puzzles me greatly, because none of the players involved are acting the way I would expect them to act if they were performing competently. Both the FBI and CIA have had spokespeople make public comments about penetration attempts originating from China - but no credible evidence (other than "the IP address came from over there!") has been presented.
Since the FBI's charter, as a law-enforcement organization and part of The Department of Justice, is to build cases and collect evidence, you'd expect something better than "we could tell you, but then we'd have to kill you" smoke-blowing. Anyone who has worked the computer security field for more than a couple of years knows that claims from federal agencies that are backed by "...but we can't talk about it" are 99.9% likely to be false. If someone actually knows something they "can't talk about" they won't say anything on the topic at all; that's just introductory-level tradecraft. And if someone from law enforcement throws around public accusations without presenting evidence, they're skating on very thin ice, indeed.(2) Worse, in this case, it represents a potential incident between superpowers armed with nuclear weapons - throwing around unsubstantiated accusations amounts to posturing while lives are at stake.
Meanwhile The Chinese do not appear to be acting competently, either, if they are actually involved in what's going on. Surely, the Chinese cyberespionage agency (if one exists) is competent enough to launder their connections through someplace else. In fact, I would think that laundering connections would be the first thing you'd learn in introductory cyberspy school. Since cyberspies aimed at the US would need to read American English fluently, I'd expect their internal chatting would be carried out in the target language, as well. None of this matches the rumors we hear of "Chinese chatter in hacker chat rooms" or "connections from universities in China." Do you really expect that professional cyberspies would use hacker chat rooms or a university connection? It's plausible, but only if you're willing to assume that the Chinese are stupid. I'm not.
Whenever I make these observations publicly, I invariably get Emails from people saying, "yeah, but - if you knew what I know..." And, invariably, they're touting myths that I've heard before.
Just to give you an example: one fairly well-known security practitioner who has fallen for the whole "China cyberspy" story started quoting an anonymous government source to me about how they were uncovering "Blacknet." You've got to laugh - Blacknet(3) was a fictional concept-piece written to illustrate how anonymous remailers and e-currency could be used to build a covert information exchange economy. The Blacknet document was written in the early 1990s and I actually ran across it being taken seriously at a meeting at The White House, when it was handed to me by a highly placed member of US law enforcement that was investigating it. When I explained it was a USENET posting he asked me "What is USENET?" For all I know, the government has a Blacknet task force out there, somewhere, wasting taxpayers' dollars chasing a fiction. Jumping at shadows is what you do when you're dangerously ignorant.
Considering how utterly terrible our federal agencies are with anything to do with computer security, I wouldn't believe anything they said unless it was backed with hard evidence. Right now cyberwarfare/cybersecurity/cyberespionage remains a coveted hot potato in federal circles. A coveted hot potato is one that everybody wants but can't hold. How many federal agencies, today, are vying for the position of coordinating cybersecurity? Everyone wants the budget and the prestige but they are all just empty shells made out of PowerPoint decks and staffed by contractors.
Now, Let's Think
Imagine that we were setting up a cyberespionage capability for a rival superpower. How would we do it if we were professionals? Well, first off, we would recognize that cyberespionage was just a sub-discipline (or a footnote, really) of regular espionage, so we'd simply create a core team of technically savvy operators that existed to facilitate computer-related activity within our espionage agency. In other words, they'd be primarily just another data source that would feed into our analysts. They'd develop bits of custom code as well as useful technologies for our normal field operators. The field operators would be "plain old spies" and they'd target the outsourcing agencies that manage the US Government's IT infrastructure. Since we're talking about a strategic intelligence capability, it would be built over a long period of time, quietly and carefully. The last thing we'd ever do is an amateurish "smash and grab" attempt at some government agency's firewall. Why would we do something that silly, when the firewall administrator works for a contractor and we've got one of our people in the contractor's NOC? Why would we bother wasting the bandwidth to suck files out through the firewall, when the guy who makes the backups works for us? The last thing we'd want to do is rock the boat by having our victim think they were being penetrated by professionals!
I suppose it might be fun to watch the target waste its money and efforts trying to figure out what hijinks the hacker kids are getting up to. Simply by choosing to prosecute severely any hackers going against our government systems (in China, hackers have been sentenced to death) we would be implicitly encouraging them to target their efforts someplace else. Let an army of "useful idiots" keep the target busy and, perhaps they might turn up something useful. The ultimate form of asymmetric warfare is when you have something that costs you nothing but costs your opponents millions and millions of dollars while making them look stupid and feel outclassed.
See what I'm getting at? The public scenarios of cyberespionage are mostly laughable movie scripts. The reality could be much more sobering.
Next, we'll look at cyberwarfare. Of all the threats we're looking at, it's the only one that's just flat-out silly.
(1) I choose my wording very carefully here. The CIA's failures as a strategic intelligence-gathering force are manifest. If the US had a real strategic intelligence capability, we would not have been conned into believing there was a "missile gap" or surprised by the introduction of Soviet missiles into Cuba. Nor would the collapse of the Soviet Union have been a surprise. Instead of a strategic intelligence capability, the CIA evolved into "the foreign department of dirty tricks" Readers with further interest in this topic should read Mark Reibling's
and Tim Weiner's "Legacy of Ashes"
(2) The FBI has a long history of smearing its own face with egg by doing this. Wen Ho Lee, Richard Jewell, and Stephen Hatfill, could all tell you. The FBI's announcing Hatfill as a "person of interest" resulted in the taxpayers paying Hatfill $5.8 million in damages. Jewell recovered millions from The FBI and CNN, and Wen Ho Lee's lawsuits will cost the news media and taxpayers millions by the time it's all over.