Cyber Fisticuffs

You can read a transcript of Secretary of Defense Leon Panetta’s remarks: Defense.gov: News Transcript: 11 October 2012: Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security, New York City. I will be quoting from that document in this post.

I know that when people think of cybersecurity today, they worry about hackers and criminals who prowl the Internet, steal people’s identities, steal sensitive business information, steal even national security secrets. Those threats are real and they exist today.

Right. But we aren’t securing against them. When the SSN (Social Security Number), used as an authenticator, became easy to steal, the fix was to have organizations that used it as a mere identifier stop doing so. But it’s still used for both authentication and authorization! It’s ludicrous. They haven’t fixed the problem; instead, we have a new “identity protection” industry that tries to paper over the cracks in security.
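The identifier/authenticator confusion above is a design error, so it is easiest to see in code. The following toy account store is an added example, not code from the original post: the account names and the “SSN” values are constructed, and the hardened half uses a separate per-user secret (PBKDF2 with a salt, constant-time compare) to show what it looks like when the SSN merely selects a record and something else proves who the caller is.

```python
"""Identifier vs. authenticator: a toy account store (added example).

The SSN values and account holders below are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample accounts, keyed by SSN. The SSN is widely shared with
# employers, banks and landlords, so it is a lookup key, never a secret.
ACCOUNTS = {
    "123-45-6789": {"name": "Alice"},
    "987-65-4321": {"name": "Bob"},
}


def authenticate_weak(ssn: str):
    """The flawed design: the SSN both identifies and authenticates.

    Whoever has learned the SSN is treated as the account holder; there is
    nothing to steal beyond a number that was never designed to be private.
    Returns the holder's name, or None.
    """
    record = ACCOUNTS.get(ssn)
    return record["name"] if record else None


# --- hardened design: SSN selects the record, a separate secret proves identity ---

def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the secret itself is never stored.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def enroll(ssn: str, secret: str) -> None:
    """Attach a per-user authenticator to the account identified by ssn."""
    salt = secrets.token_bytes(16)
    ACCOUNTS[ssn]["salt"] = salt
    ACCOUNTS[ssn]["secret_hash"] = _hash_secret(secret, salt)


def authenticate_hardened(ssn: str, secret: str):
    """Look the record up by SSN, then verify the separate secret.

    Knowing the SSN alone gets the caller nothing. Returns the holder's
    name on success, None otherwise.
    """
    record = ACCOUNTS.get(ssn)
    if record is None or "secret_hash" not in record:
        return None
    candidate = _hash_secret(secret, record["salt"])
    # Constant-time comparison so a timing difference does not leak prefix matches.
    if hmac.compare_digest(candidate, record["secret_hash"]):
        return record["name"]
    return None
```

The point of the contrast is that rotating or "protecting" the SSN cannot repair the weak design; only moving authentication onto a credential that is actually secret (and revocable) does.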

There was a recent story (Slashdot: 9 September, 2012: It’s Easy to Steal Identities (Of Corporations)) showing the same sort of problem for business identities.

I can’t even instantly authenticate the remarks of the Secretary of Defense (sure, I could pull up video footage and see if it matches the transcript, but that’s time consuming). Forget about getting cryptographic proof that the police car pulling you over isn’t someone driving a replica, wearing a Halloween costume.

And the convenience of classified documents drastically undercuts both transparency and security. We, the public, should have a bulk of the currently classified documents in our hands, with only the properly compartmentalized information anonymized. That’s a basic tenet of governance by the people: that we have oversight to the extent that is technologically feasible.

The clearances rely upon anecdotal evidence and proven-invalid nerve-o-meters (“lie detectors”).

In recent weeks, as many of you know, some large U.S. financial institutions were hit by so-called Distributed Denial of Service attacks. These attacks delayed or disrupted services on customer websites. While this kind of tactic isn’t new, the scale and speed with which it happened was unprecedented.

DDoS attacks are a general problem, which can be grossly undermined through service federation. That is, just as the military does not have one giant installation, a service can be fragmented so that a DDoS attack becomes much less feasible. It would require attacking many services simultaneously, which requires far more attack bandwidth.

This is an example of a case where businesses that are interested in monopolizing in various ways (usually with an eye toward exclusive access to customer data, for resale and/or mining) are fundamentally at odds with best security practices and with consumer interests.

But even more alarming is an attack that happened two months ago when a very sophisticated virus called Shamoon infected computers in the Saudi Arabian State Oil Company Aramco. Shamoon included a routine called a ‘wiper’, coded to self-execute. This routine replaced crucial systems files with an image of a burning U.S. flag. But it also put additional garbage data that overwrote all the real data on the machine. More than 30,000 computers that it infected were rendered useless and had to be replaced. It virtually destroyed 30,000 computers.

Without knowing the specific vector this attack used, it’s hard to speculate on the best remedy. It probably involves the use of thin clients (or possibly a hybrid where the thin client is run atop virtualization using a copy of the data saved to a separate drive in a revision control system) and proper backups. But that’s without looking at the specific vector, which might be easier to fix than changing infrastructure over.
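Whatever the vector, the "proper backups" part of the remedy is only as good as your ability to tell a trustworthy snapshot from a wiped one. The script below is an added example, not from the original post or from any analysis of Shamoon: it builds a constructed directory tree, records a SHA-256 manifest (the baseline one would keep off-host next to the backups), simulates an overwrite of every file with junk, and reports the fraction of baselined files that were modified or removed. Ordinary operation changes a handful of files between snapshots; a wiper changes nearly all of them at once, which is the signal this check surfaces.

```python
"""Baseline-and-diff integrity check for wiper-style mass overwrites (added example).

The directory contents and the simulated overwrite are constructed for illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = str(path.relative_to(root))
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Classify every baselined file as unchanged, modified or missing; list new files."""
    report = {"unchanged": [], "modified": [], "missing": [], "new": []}
    for rel, digest in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
        else:
            report["unchanged"].append(rel)
    report["new"] = [rel for rel in current if rel not in baseline]
    return report


def mass_overwrite_ratio(report: dict) -> float:
    """Fraction of baselined files that were modified or removed.

    A ratio near 1.0 between two close snapshots is the wiper signature;
    a few percent is normal churn.
    """
    total = len(report["unchanged"]) + len(report["modified"]) + len(report["missing"])
    if total == 0:
        return 0.0
    return (len(report["modified"]) + len(report["missing"])) / total


def demo() -> float:
    """Constructed scenario: take a baseline, then overwrite every file with garbage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_text("quarterly figures")
        (root / "config.ini").write_text("[db]\nhost=localhost\n")
        (root / "notes.txt").write_text("call supplier")
        baseline = build_manifest(root)  # in practice stored off-host with the backups

        # Simulate the wiper: replace every file's contents with random bytes, drop one file.
        for path in root.rglob("*"):
            if path.is_file():
                path.write_bytes(os.urandom(64))
        (root / "notes.txt").unlink()

        report = compare(baseline, build_manifest(root))
        return mass_overwrite_ratio(report)


if __name__ == "__main__":
    print(f"fraction of baselined files destroyed: {demo():.2f}")
```

Run against a restore target before promoting a backup, the same comparison tells you whether the snapshot predates the overwrite; run continuously on live hosts with a sensible threshold, it is a cheap early warning that does not depend on recognizing the particular malware.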

One thing seems likely: insider knowledge was used in such an attack, which goes back to compartmentalization of sensitive data.

They are targeting the computer control systems that operate chemical, electricity and water plants and those that guide transportation throughout this country.

And if those facilities are properly secured, the most attackers should get is data that is already public knowledge, and nothing more. We’re talking about a man who has spent his entire professional career knowing the security measures surrounding nuclear weapons. Yet suddenly it’s like he can’t remember that a hardened protocol is feasible. That, or the nuclear security is far weaker than it should be, or relies far more on snake oil (like the aforementioned stress detectors) than it ought.

You get to a point where you recognize that true cyber security relies on a hell of a lot more than letting a few smart folks at NSA or DoD play WarGames against other nations and shadowy groups of organized criminals. It relies much more on rewiring our outlook on the Internet, to one where things like federated services are the norm, because of the security federation affords.

It relies on having distributed digital payment systems that aren’t reliant on a few choke points, and on the ability to escrow small amounts for the new service models that today’s fees make impossible.

It relies on distributed login/credential systems, which mean that Facebook and Google don’t own you, and that you can sign up for the latest service or manage your account without a headache. But they also mean the attackers’ job just got harder, as they can’t exploit one hole in one monolith to topple a large swath of business.

I am not at all confident in our capacities to guard against cyber attacks if we are unwilling to look at the whole system and recognize that we may have to dismantle some monopolies and disarm some business models. The notion of winning fights one-handed is not how free nations operate.

Threat elimination does not only mean murdering the threat. More often it means rendering the vector itself innocuous.