
US Cyber Command: An Assiduous Actor, Not a Warmongering Bully

Jason Healey recently posted an interesting piece on The Cipher Brief, US Cyber Command: “When faced with a bully…hit him harder.” Healey writes: “Cyber Command’s new strategy demands that, ‘We must not cede cyberspace superiority.’ The goal is ‘superiority’ through ‘persistent, integrated operations [to] demonstrate our resolve’ even at ‘below the threshold of armed conflict.’ … Despite being the right move, however, it is also an incredibly risky one.”

I largely agree with Healey’s account of the first U.S. Cyber Command Symposium. As the United States is moving away from a strategy of deterrence to a strategy of persistence, it has to be careful that it is not creating the opposite effect of what it intends to do.

Indeed, one concern that could be raised is that this new strategy might be dangerously escalatory. The statement was made that, “It might get worse, before it gets better.” When do we reach the tipping point, if there is one? And how can we know? Cyber Command’s view is that it has learned over time through observation, and believes that their strategy will lead to stabilization. This needs to be scrutinized and studied.

Yet my takeaway from the U.S. Cyber Command symposium also differs from Healey’s in several important ways: I didn’t sense the same level of emotion and warmongering from the speakers and panelists as Healey does.

U.S. Cyber Command does not ask for “looser rules of engagement,” as Healey claims; it asks for ‘closer organizational integration’ and a better understanding of the ‘box’ in which it is allowed to operate. Healey suggests that “The gold medal will go to the nation prepared to be the most ruthless and audacious.” U.S. Cyber Command rather argued that advantage lies in the initiative. (Indeed, as someone noted at the event, “In cyberspace, it is not the big that eat the small; it is the fast that eat the slow.”)

“Seizing the initiative” – a phrase frequently used at the conference – is not about “hitting back harder,” as Healey writes. Instead, it is as much about prevention and control as it is about post-action. And I didn’t hear them talking about “lethality” or about “revenge.”

As Henry Kissinger observed in World Order: “Internet technology has outstripped strategy or doctrine – at least for the time being. In the new era, capabilities exist for which there is as yet no common interpretation – or even understanding. Few if any limits exist among those wielding them to define either explicit or tacit restraints.” For any country, it requires significant efforts to articulate a strategy, align interests and coordinate around these new capabilities.

A more positive account of the U.S. Cyber Command is that the organization is continuing to explore new approaches to ‘maneuver’ in this new ‘domain of warfare.’ In doing so, it is willing to also open up to a broader community – as this inaugural annual symposium indicates – and talk about how to interpret and understand the explicit and tacit restraints of wielding these capabilities.

Another way to describe the Command’s new efforts is that it intends to be assiduous in this new domain of warfare: In an environment of constant contact, it aims to constantly (or ‘persistently’ as conference speakers would say) engage with the adversary – both defensively and offensively, if these can be separated in this domain – whilst doing so in a planned, diligent manner.

Finally, there were several other interesting takeaways from this event which deserve attention.

First, more insight was provided on the current progress within the organization. The goal of Cyber Command is to have 133 operational units. Officials revealed that they currently have 128.

Second, ‘agile’ was indeed a widely used buzzword, almost seen as a panacea against all organizational problems. For example, it was said by one of the speakers, “We need to combine maintenance and maneuver. Agile is the solution.” Yet, its meaning in this context remains vague.

Third, while former U.S. Secretary of Defense Ash Carter recently expressed his disappointment at the U.S. military’s failure to integrate cyberattacks into its war-fighting against ISIS, U.S. Cyber Command provided, unsurprisingly, a more positive account at the conference. This was repeated in the Senate testimony of Adm. Mike Rogers, head of both the NSA and Cyber Command: “Today, ISIS’s so-called ‘Caliphate’ is crumbling….Cyberspace operations played an important role in this campaign, with USCYBERCOM supporting the successful offensive by U.S. Central Command, U.S. Special Operations Command, and our Coalition partners.”

This article was first published by The Cipher Brief

Dutch Hacking: The Rise of a New Cyber Power?

The world opened its eyes to a new cyber power. Last month, Dutch reporters from Nieuwsuur and de Volkskrant revealed that in mid-2014 the Dutch Joint Sigint Cyber Unit (JSCU) infiltrated the computer networks of the infamous Russian hacker group “Cozy Bear.”

By sharing information with their U.S. counterparts, JSCU helped oust the Russian government-linked group thought to be responsible for the Democratic National Committee breach during the 2016 U.S. presidential campaign.

Hacking by its very nature is a secretive business. Although numerous states reportedly are interested in the development of offensive cyber-capabilities, we typically hear about only a small set of state actors conducting operations. The public disclosure of Dutch intelligence success — based on leaked information — has important signaling effects, both internationally and domestically. And it bumps the Netherlands high in the world pecking order of offensive cyber-capability.

There’s a paradox about signaling offensive cyber-capability

It is difficult for an actor to prove its offensive cyber-capability without playing its hand — and losing this advantage. This is in part because cyber-capabilities are difficult to showcase — other than waving your hand with a USB stick containing malicious code. As strategic studies scholar Thomas Rid notes, “You can’t parade a code on the streets of Moscow.”

My research on the transitory nature of cyberweapons also explains that once a country’s cyber-capability is exposed, the adversary can often relatively easily adapt its systems to avert intrusion. Revelations about a country’s cyber-capability after the fact are therefore essential to gauge an actor’s ability to conduct cyber-operations.

These factors create a number of paradoxical dynamics. The release of classified NSA documents by Edward Snowden was perhaps the most embarrassing episode in the history of the intelligence agency. Yet the Snowden disclosures also exposed the U.S. government’s impressive arsenal, including at least 231 offensive cyber-operations in 2011. As RAND Corporation scholars David Gompert and Martin Libicki point out, the leaks ironically “broadcast how deeply the NSA can supposedly burrow into the systems of others.”

After Kaspersky Lab, a Russian anti-virus company, reported in 2014 on the espionage platform “Animal Farm,” many analysts believed the French government to be behind the sophisticated intel capabilities embedded in the malware. The French government initially denied any role.

During a lecture in mid-2016, however, Bernard Barbier, the former technical head of France’s external intelligence agency, admitted his agency had developed the malware. Security blogger Bruce Schneier points out Barbier “talked about a lot of things he probably shouldn’t have.” But for France, this post-hoc confirmation of capabilities likely enhanced the government’s reputation in this new area of conflict.

A well-placed leak — or just lucky timing?

It remains unclear whether the signaling was intentional in the Dutch case. Access to the computer networks of Cozy Bear was already lost — perhaps because the Russians were alerted after earlier Washington Post revelations. And the Dutch government may see a diplomatic backlash from the Trump administration as the intelligence helps the FBI investigation — similar to what some say happened to Australia after officials passed information about Trump’s possible campaign links to Moscow, triggering the initial Russia inquiry.

There were certainly gains at home from this type of signaling. Last Friday, Dutch Prime Minister Mark Rutte didn’t go into any detail about the case but told members of the media he was “immensely proud” of the intelligence unit’s success. And Rutte used the occasion to stress the importance of a controversial Dutch intelligence law from June 2017 that would allow the government to conduct large-scale, untargeted tapping of Internet traffic. Even though it is certain the law will come into effect on May 1, critics were able to force a national “advisory referendum” on the issue this March. With the government under pressure, the achievement of the Dutch intelligence apparatus is a very welcome PR success.

What’s next for the Netherlands?

As of now, Dutch cyber-capability has yet to produce a major military activity. It remains to be seen just how the JSCU, a relatively small unit, is organized within the General Intelligence and Security Service and the Military Intelligence and Security Service.

The two Dutch reporters who broke the case mistakenly wrote that JSCU has the authority to conduct computer network attacks. This is not the case; the JSCU cannot “disrupt, deny, degrade, or destroy.” It can, however, conduct computer network exploitation — that is, espionage.

Of course, network exploitation and network attacks can be quite similar. As former NSA and CIA director Michael Hayden states in his book, “Playing the Edge”: “Reconnaissance should come first in the cyber-domain. … How else would you know what to hit, how, when — without collateral damage?”

At the moment, it remains unclear to what degree the JSCU capabilities support the maturation of the Dutch military cyber-command — which does have full authority to attack computer networks. Although organizational integration and coordination between network espionage and network attacks may be beneficial — increasing the opportunity for knowledge transfer and more efficient allocation of resources — my research on organizational integration indicates it is not a given within any government.

In the U.S. government, for instance, NSA and U.S. Cyber Command have numerous coordination problems. Not least among them is the fact that the NSA is not always willing to share capabilities with the military as it increases the risk that its espionage efforts — exploiting the same vulnerabilities and following similar coding procedures — also are exposed. Dutch cyber-capabilities historically reside in the intelligence community, as well. It would be hardly surprising if the Dutch government is dealing with similar organizational problems.

Finally, (cyber) power comes with a price. Russian hackers — and other actors — may now see the Dutch intelligence services as a more interesting target. Russia may retaliate accordingly — and publicly — against the Dutch to signal mutual vulnerability. At least the Dutch government seems to have taken precautions, choosing to tabulate election results by hand earlier this year.

This article is an edited version of my op-ed published by the Washington Post, The Monkey Cage

Contesting “Cyber”

Here are the links to all the New America blog posts:

Part I: Cyber: not just a confused but also a contested concept.

Part II: The Connotations of “Cyberspace” Shift From Opportunity to Threat

Part III: Substantive vs. implied definitions: Mundane stuff or the Wild West?

Part IV: “Cyber Exceptionalism”

Part V: ARPANET; Where did it all start again?

Part VI: Exit, Voice, and Cyberspace

Contesting “Cyber” – Introduction and Part I

By Max Smeets and James Shires. More info about the series here

Introduction

Over the last few decades there has been a proliferation of the term “cyber”, and commensurate levels of inconsistency. This series argues that the inconsistent application of the prefix “cyber” stems not only from confusion, as some scholars and policymakers have proposed, but also from contest. Our goal in this series is not to resolve conceptual disputes, but instead to understand how and why contests occur, and whether, once the lines along which contests occur are identified, resolution is possible.

As the prefix “cyber” has rarely been used alone, we place the concept of cyberspace at the centre of analysis, for two reasons. First, it is considered to be the “elemental” concept in the field, and demarcates the boundaries of relevant technical and social activity through an intuitive geographical metaphor. Second, selecting the concept “cyberspace” for analysis can be considered a least-likely (or least-obvious) study of contest. The attachment of the prefix “cyber” to various nouns has left cyber-related concepts with a variety of underlying normative connotations. On the one side, some concepts describe a clear activity or state of affairs, which are prima facie undesirable, like “cyber warfare” or “cyber threat”. On the other side, various concepts reflect a more positive degree of attractiveness—“cyber democracy” is a good example of this. The obvious normative aspects of these terms to which the cyber prefix is attached make these likely sites for contest, whereas “cyberspace” is seemingly more neutral. We suggest instead that it is the ominous calm at the heart of the storm, providing an excellent case in which to study the tension regarding the prefix more broadly.

Over the next six days, we will publish a series of blog posts that show that cyberspace is contested in a number of ways: through its change in connotations from opportunity to threat; through the existence of substantive and implied definitions, with different rhetorical functions; and through competing understandings of the key historical exemplar for cyberspace: that of ARPANET. We therefore note that the prospects for agreement regarding cyberspace are low. Overall, this presents the choice of what we term, following Hirschman, an ‘exit’ rather than ‘voice’ strategy: to use other concepts instead. An initial post in this series was published last Friday at Slate’s Future Tense and can be found here.

PART 1. Cyber: not just a confused but also a contested concept.

Since the early 1990s the prefix “cyber” has become widespread. As often noted, its use stretches back to Norbert Wiener’s coinage of “cybernetics” from its Greek equivalent in the 1940s. It is similarly canonical to cite novelist William Gibson as creating the “ur” metaphor for this prefix in the early 1980s by combining it with “space”. Almost three decades later in an interview with The A.V. Club, Gibson argued that “‘cyberspace’ as a term is sort of over. It’s over in the way that after a certain time, people stopped using the prefix ‘-electro’ to make things cool, because everything was electrical. ‘Electro’ was all over the early twentieth century, and now it’s gone. I think ‘cyber’ is sort of the same way”.

In contrast to Gibson’s prediction, a simple automated content analysis using Google Trends indicates that the popularity of the prefix “cyber” has remained stable (with a spike in November each year for “cyber Monday”). There are ever more applications of this prefix, to words such as crime, law, cafe, hate, bullying, attack, war, vandalism, politics, dating, security, and power. Today, more people enter the search term “cyber” into Google than the term “democracy” or “terrorist”. Needless to say, the term “cyber” has also gained in prominence in academia and policymaking.

The proliferation of this prefix has, inevitably, led to substantial inconsistencies in its use. On one level, these contradictions may stem from simple confusion. As Michael Hayden, former director of the CIA and NSA, remarked: “rarely has something been so important and so talked about with less clarity and apparent understanding than this phenomenon.” Scholars and policy-makers, among others, are not always consistent in their own usage of cyber-related concepts, and they sometimes reinterpret the definitions employed by others, especially when given a liberal dose of cross-disciplinary fertilization.

Many hold that such disagreement is primarily caused by the apparently abstruse and multifaceted nature of the phenomenon. For example, in a Foreign Policy article, Stephen Walt notes that “the whole issue is highly esoteric—you really need to know a great deal about computer networks, software, encryption, etc., to know how serious the danger might be,” concluding that “there are lots of different problems being lumped under a single banner, whether the label is ‘cyber-terror’ or ‘cyber-war’.” If this is the case, more research can iron out the lack of clarity surrounding this relatively young concept, and then we can get to the one and only “meaning of the cyber revolution,” as Lucas Kello emphasizes in his recent book (and earlier article). However, in this article series we argue that the inconsistent application of the prefix “cyber” stems not only from confusion, but also from contestation.

In other words, the roots of disagreement are deeper than a mere struggle to absorb the collective knowledge of another discipline, but stem from underlying normative disagreements.

Understanding the nature and extent of this contestation of “cyber” is important for both policy-making and academic research. For policy-makers, the promise of what Joseph Nye Jr. calls “rules of the road” in cyberspace is much diminished if the very domain itself remains in question (also see the UK government strategy). Constructing effective international cyber-governance becomes more difficult—although not impossible—if the scope of what is to be governed is fundamentally disputed.

For academics, if the roots of disagreement are deeper, then faith in a unified understanding of the cyber-issue is utopian; and further investigation of why and how broader political disputes are translated into problems with this proliferating prefix is urgently required.

Here we will explore what it means when we talk about cyber, and address the nature of contestation from various angles.

This article was originally posted @NewAmerica

When Naming Cyber Threat Actors Does More Harm Than Good

Cybersecurity firms, despite their increasing prominence in light of greater media attention to Russian and Chinese cyber operations, are often criticized for their biases when identifying advanced persistent threat (APT) actors. Two critiques are most often heard. Security researcher Carr put his finger on one of the sore spots:

“How is it that our largest infosec companies fail to discover APT threat groups from Western nations (w/ @kaspersky as the exception)” (Twitter)

A second issue frequently mentioned is that threat intelligence firms have an incentive to exaggerate the cyber threat. If a firm is able to discover a highly advanced threat, it must mean that it has advanced detection capabilities and you should buy their product.

There is a third and potentially more damning charge that can be levelled against cybersecurity firms. Like palaeontologists or astronomers, cybersecurity firms like to name their new discoveries. But unlike in other sciences, the liberal naming of threat actors and incidents causes a host of problems: it confuses accurate data collection and makes it harder to determine whether a threat group still constitutes a threat.

First, giving different names to the same cyber threat is unnecessarily confusing. Cloud Atlas is also named Inception. Saffron Rose also goes by the name Flying Kitten and Ajax Team. DarkHotel is also called Tapaoux, Luder or Nemim. DynCalc is APT12 or Numbered Panda. Hangover is Viceroy Tiger. Mirage is Vixen Panda. Carbanak is Anunak. Sofacy is also called APT28, OP Pawn Storm or Fancy Bear. The list goes on. Can you still keep them separate?

Granted, attribution is more difficult in cyberspace. Unlike palaeontologists, cyber threat intelligence firms can’t use carbon dating to identify the origins or age of their discoveries. But that makes it all the more important that firms are cautious with their labelling.

Cybersecurity firms mostly rely on circumstantial evidence, and different firms rely on different data, techniques and resources to extract this information. New pieces of evidence can increase the plausibility of a given attributive theory or raise doubts about it, but are not decisive by themselves. This means security researchers constantly need to link (new) pieces of evidence to update their beliefs about a threat actor. By giving the same threat different names, they might miss out on knitting the pieces of evidence together.

Perhaps some in the information security community have fewer difficulties understanding the diverse threat landscape. However, the confusing labelling creates a barrier for others, particularly policymakers and journalists who do not have the time or knowledge to cross-reference the alphabet soup of labels. When the information security community claims that ‘others’ don’t get it, the accusation might sometimes be a fair one. However, the liberal labelling behavior is more likely to widen than narrow the gap.

The constant urge to (re)name makes it also more likely that cybersecurity firms refer to old threats as new ones. The same actor may have simply acquired new skills. A hacker group on a given day might have analyzed the code of another cyberattack and realized they could include a certain part in their platform as well. Being too quick in naming new threat actors, firms are more likely to lose sight of how actors might have evolved. They are more likely to exaggerate network learning effects (i.e. that one threat actor learned from another actor) and underestimate a single threat actor’s ability to learn (i.e. that the same actor acquired new skills).

There are a few steps that cybersecurity firms could take to remedy the naming problem. First, if a competitor has already discovered a threat actor, the threat actor shouldn’t be renamed to fit another company’s branding. Even though renaming is in a firm’s interest to promote its brand, it sows confusion across the cybersecurity community and frustrates efforts to obtain accurate data on incidents and threat actors.
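The practical cost of the alias soup listed earlier falls on whoever has to merge reports from several vendors. The following is an added example (not code from the original post or from any vendor) of the kind of alias registry a threat intelligence team can keep so that every vendor label resolves to one tracked actor; the alias groupings are taken only from the post’s own list, and the class, function and variable names are this example’s assumptions. Union-find is used so that a report linking two previously separate labels merges both clusters, which is exactly the “knitting the evidence together” step the post says renaming tends to break.

```python
# Added example: resolve vendor aliases for threat actors to one canonical name.
# Alias pairs below are taken from the blog post's list; the grouping is the
# post's claim, not an independently verified attribution.
ALIAS_STATEMENTS = [
    ("Cloud Atlas", "Inception"),
    ("Saffron Rose", "Flying Kitten"),
    ("Saffron Rose", "Ajax Team"),
    ("DarkHotel", "Tapaoux"),
    ("DarkHotel", "Luder"),
    ("DarkHotel", "Nemim"),
    ("DynCalc", "APT12"),
    ("DynCalc", "Numbered Panda"),
    ("Hangover", "Viceroy Tiger"),
    ("Mirage", "Vixen Panda"),
    ("Carbanak", "Anunak"),
    ("Sofacy", "APT28"),
    ("Sofacy", "OP Pawn Storm"),
    ("Sofacy", "Fancy Bear"),
]


def normalize(name):
    """Case- and punctuation-insensitive key so 'Dark Hotel' and 'DarkHotel' match."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


class AliasRegistry:
    """Union-find over threat-actor labels; each disjoint set is one tracked actor.

    The first spelling seen for a cluster's root is used as its display name,
    which implements the post's advice that the earliest name should stick.
    """

    def __init__(self):
        self.parent = {}   # normalized key -> parent key (root points to itself)
        self.display = {}  # normalized key -> first spelling seen for that key

    def _find(self, key):
        # Path halving keeps lookups near-constant time for large alias sets.
        while self.parent[key] != key:
            self.parent[key] = self.parent[self.parent[key]]
            key = self.parent[key]
        return key

    def _ensure(self, name):
        key = normalize(name)
        self.parent.setdefault(key, key)
        self.display.setdefault(key, name)
        return key

    def add_alias(self, known, alias):
        """Record that `known` and `alias` refer to the same actor."""
        ra = self._find(self._ensure(known))
        rb = self._find(self._ensure(alias))
        if ra != rb:
            self.parent[rb] = ra  # the earlier-registered cluster keeps its root

    def canonical(self, name):
        """Return the tracked actor's display name, or None if the label is unknown."""
        key = normalize(name)
        if key not in self.parent:
            return None
        return self.display[self._find(key)]

    def same_actor(self, a, b):
        ca, cb = self.canonical(a), self.canonical(b)
        return ca is not None and ca == cb

    def clusters(self):
        """Map each canonical name to the sorted list of all labels in its cluster."""
        out = {}
        for key in self.parent:
            out.setdefault(self.display[self._find(key)], []).append(self.display[key])
        return {root: sorted(names) for root, names in out.items()}


def build_registry(statements=ALIAS_STATEMENTS):
    reg = AliasRegistry()
    for known, alias in statements:
        reg.add_alias(known, alias)
    return reg


if __name__ == "__main__":
    registry = build_registry()
    for root, names in sorted(registry.clusters().items()):
        print(f"{root}: {', '.join(names)}")
    print("fancy bear ->", registry.canonical("fancy bear"))
```

Running the script prints one line per tracked actor with every label the post associates with it. The useful property for day-to-day work is `same_actor`: a new report that mentions “OP Pawn Storm” can be checked against existing records on “APT28” before anyone decides a new group has appeared.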

Second, when a firm decides to name a new cyber threat, it should also publish a public threat report about it. Dmitri Alperovitch, co-founder of CrowdStrike, presented a paper in 2014 listing various adversaries. However, CrowdStrike hasn’t published any technical reports on many of these APTs—like Foxy Panda and Cutting Kitten. Additionally, when naming a cyber threat, cybersecurity firms need to be clearer about whether the name refers to a campaign (e.g. a series of activities carried out by a specific actor), the type of malware, the incident or a specific actor.

Third, the cybersecurity industry should create a set of common criteria to determine when an APT should be classified as such. Currently, it is unclear which criteria companies use before publicizing and categorizing the discovery of a new threat. For example, Stuxnet is often referred to as a single cyber weapon despite the fact that it is two separate entities, each with different targets. One focused on closing the isolation valves of the Natanz uranium enrichment facility and the other aimed to change the speeds of the rotors in the centrifuges. The second one was also heavily equipped with four zero-day exploits and used various propagation techniques, whereas the first one did not. Finally, some have hypothesized that Stuxnet changed hands a few times before it was deployed. If the target, technique, and threat actor are not the same, why do so many still refer to Stuxnet as one APT?

If cybersecurity firms were a bit more careful with labelling, they would help themselves and others in the field find out which APTs are new and which ones are extinct.

This article was first published on the Net Politics Blog of the Council on Foreign Relations.