Whitehouse – Hacked, OPM – Hacked, Pentagon – Hacked. We’re in a CyberWar. As I predicted in my 2015 Year of RAT Threat Report, see: http://www.snoopwall.com/reports/ all of these and many other news-making breaches start as follows:
Reconnaissance to learn how email on public-facing networks is sent and received. In this process they probe, look for vulnerabilities, quietly exploit those holes and then start observing email communications between target employees. For example, let’s say they eavesdrop on the mail server and see that [email protected] owes [email protected] an Excel spreadsheet. Then they strike: they send a forged email from Jane Doe with a fake spreadsheet attachment that is actually a Remote Access Trojan, a RAT. These RATs are getting more and more sophisticated. In the case of the July 25, 2015 breach of the Pentagon’s public-facing email accounts, with roughly 4,000 accounts victimized, we’re seeing this malware RAT become more ‘self-aware’ and automated. It can send and receive information to/from command and control (C&C) channels disguised as dynamically generated TWITTER, FACEBOOK and GITHUB accounts. It can upload stolen files to a ‘cloud-based’ storage location (probably a GOOGLE DRIVE). Why does this keep happening to the most powerful government in the world?
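The attack chain above has a handful of indicators a mail gateway can check before the message ever reaches Jane Doe’s colleague: a display name that matches an internal employee on an address from an outside domain, a Reply-To that points somewhere other than the sender, a “spreadsheet” whose file name ends in an executable extension, and an attachment whose bytes start with a Windows PE header rather than a spreadsheet container. The following triage script is an added example, not code from the original post or from SnoopWall; the domain `example.gov`, the `DIRECTORY` of internal names, and the three sample messages are all constructed for illustration.

```python
"""Spear-phishing triage for inbound mail (added example, standard library only).

Assumptions: INTERNAL_DOMAIN is our own mail domain and DIRECTORY is a small
export of the internal address book. The sample messages are constructed here
so the script runs offline.
"""
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.gov"  # assumption: the agency's own mail domain
DIRECTORY = {                    # assumption: lower-cased display name -> mailbox
    "jane doe": "jane.doe@example.gov",
    "john smith": "john.smith@example.gov",
}

EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "jar", "msi"}
SPREADSHEET_EXT = {"xls", "xlsx", "xlsm", "csv"}
MAGIC = {
    b"MZ": "pe-executable",               # Windows PE/EXE header
    b"PK\x03\x04": "zip-container",       # .xlsx/.docx are zip containers
    b"\xd0\xcf\x11\xe0": "ole-compound",  # legacy .xls/.doc
}


def sniff(first_bytes):
    """Classify an attachment by its leading bytes, ignoring the file name."""
    for magic, label in MAGIC.items():
        if first_bytes.startswith(magic):
            return label
    return "unknown"


def check_attachment(filename, payload):
    """Return indicator names for one attachment (empty list if nothing is odd)."""
    findings = []
    exts = filename.lower().split(".")[1:]
    if exts and exts[-1] in EXECUTABLE_EXT:
        findings.append("executable-attachment")
        if len(exts) > 1 and exts[-2] in SPREADSHEET_EXT:
            findings.append("double-extension-disguise")   # e.g. budget.xlsx.exe
    if exts and exts[-1] in SPREADSHEET_EXT and sniff(payload[:4]) == "pe-executable":
        findings.append("content-type-mismatch")           # .xlsx name, EXE bytes
    if exts and exts[-1] == "xlsm":
        findings.append("macro-enabled-spreadsheet")
    return findings


def check_message(raw):
    """Return all indicators for a raw RFC 5322 message."""
    msg = message_from_bytes(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if name.strip().lower() in DIRECTORY and domain != INTERNAL_DOMAIN:
        findings.append("display-name-impersonation")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("reply-to-mismatch")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            findings.extend(check_attachment(filename, part.get_payload(decode=True) or b""))
    return findings


def build_sample(from_hdr, filename, payload, reply_to=None):
    """Construct a sample message with one attachment (test data, not a real capture)."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "john.smith@example.gov"
    m["Subject"] = "Spreadsheet you asked for"
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("Attached as promised.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


SAMPLES = {
    "legit": build_sample("Jane Doe <jane.doe@example.gov>", "q3_budget.xlsx",
                          b"PK\x03\x04" + b"\x00" * 32),
    "rat_double_ext": build_sample("Jane Doe <jane.doe@mail-example.com>", "q3_budget.xlsx.exe",
                                   b"MZ" + b"\x00" * 62),
    "rat_mismatch": build_sample("Jane Doe <jdoe@freemail.example>", "q3_budget.xlsx",
                                 b"MZ" + b"\x00" * 62, reply_to="collector@external.example"),
}


def triage(samples=SAMPLES):
    """Map each sample name to its list of indicators."""
    return {name: check_message(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name}: {hits or 'clean'}")
```

The content sniff is the check that matters most: a RAT renamed to `.xlsx` passes every file-name rule, but its first two bytes are still `MZ`, while a genuine `.xlsx` is a zip container starting with `PK`. In production the same checks feed a quarantine decision and an alert that names the impersonated employee, which is exactly the fact the recipient needs in order to recognise the forged thread.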
We have to look back to understand how we got here in the first place. In less than a century, the United States has grown into the World’s #1 superpower – in particular, over Russia. There is a well written article about this subject in the Washington Post by Mike McConnell, where he wrote, way back in 2010, that looking back, during the Cold War, we see that the US operated with a deterrence strategy based on four key elements:
- Attribution – who attacked us;
- Location – where did the strike come from;
- Response – being able to respond if attacked first;
- Transparency – The enemy’s knowledge of our capability and intent to counter, massively.
As we focus this discussion on Russia, remember that we did much to gain intelligence behind the “Iron Curtain” with eavesdropping techniques, early-warning radar systems, underwater listening posts and field operatives. We invested heavily in our ability to respond to any form of attack through intercontinental ballistic missiles, nuclear weapons development, submarines, long-range bombers, high speed spy planes and so much more. We were ready for anything and President Reagan played his part well, wielding the might of this technology and a well-trained human force – our soldiers, ready to fight back if the Soviets wanted to go to War. Meanwhile the song from Sting rang in our ears “I hope the Russians love their children too…” Looking back, this was a very scary time to be growing up in America, thinking that either side could literally blow up the entire planet. Talk about a deterrent. It seems we were lucky.
Another model I like to describe, which is used by the US Military, is the 4D’s. Simply put, it’s:
- Detect – any threat to our great Nation.
- Deter – the enemy from gaining the advantage.
- Defend – our Constitution and great Nation against all enemies, whether foreign or domestic.
- Defeat – any and all threats to America.
While diplomacy should always win the day, it is only a piece of the bigger picture when we enter the Fog of War. At this moment in time, with the proliferation of billions of computers, and hundreds of millions of web sites, routers, servers and other networked devices including, foolishly, critical infrastructure, where SCADA and TCP/IP should never have met, here we stand, not yet on the brink of mass destruction, but a few stepping stones away, as Cyber War rages on, quietly. Just look at http://map.ipviking.com and you’ll see this is happening every single second of every single day.
How can we apply deterrence in an age of cybercrime, cyber espionage, cyber terrorism and cyber warfare? What can we do when there is no Geneva Convention for the blurred lines of internet attacks? What can we do to make “Cyber Peace” and is it ever going to be possible? It seems we are in the days of the fifth dimension of War – no longer simply land, sea, air and space – this new dimension is information technology based and it starts with computers, routers, massive amounts of data and vulnerabilities to be exploited.
Now is the time for the United States to build a cyber-army like no other and bring the 4D’s into the information age. Shame on us for letting North Korea’s cyber army exceed our capacity when they have only 600 public IP addresses and we have potentially billions of public IP addresses…or for letting the Chinese continue to hack us, infect our smartphones, break into our business networks to steal proprietary trade secrets…or for letting Russian cyber gangs steal our identities and sell them on the black market while the Russian government hacks into the Pentagon at the same time. We’re at a point where the United States must take a creative, innovative, proactive and very different approach to solving this problem.
We’re up against complex independent and nation-state actors. We’re understaffed and outgunned. What do Americans do when this happens? Now is the time to push for tremendous Cyber defense funding and mandatory social engineering 101 training for all US Government personnel. If government employees in the White House or Office of Personnel Management or the Pentagon can’t tell the difference between a trustworthy email with an attachment and a rogue email with malware, then we will continue to leak information beyond repair. In addition, if our critical infrastructure is not hardened against cyber exploitation, we will see this spill into civilian population risks – loss of electricity and loss of life will result.
One of the biggest challenges, however, is to understand the dynamics of the forces in motion. We cannot simply throw money at the problem. We need to create a plan that actually works. I once helped the White House on a Plan to Secure Cyberspace and upon its release, well timed, many years ago, the Office of Management and Budget (http://www.whitehouse.gov/omb) was auditing different departments not only on their financial management but also on their network security. Most had failing grades. Today, many years later, it’s the same old story.
This Guy Could Probably Hack DPRK for Breakfast but would the US Gov Hire Him?
Unlike North Korea, where the DPRK will mandate your entire life for you, setting you up for your math and computer science degree and then sitting you down at a computer to be part of their cyber army and possibly shooting you in the head if you fail your duties, we must rely on an American strategy of innovation. We need to bend the rules on how the US Government background checks and drug screens personnel. Some of the best coders are probably looking at the clock at 4:20pm and smoking a joint. Hours later they are back at the keyboard until midnight or later, drinking Red Bull or Coke and solving complex problems about encryption, bitcoins, Tor and other challenging INFOSEC problems. Meanwhile, they are currently un-hirable by the current US Government standards. In addition, if recruited, they probably wouldn’t accept the job if given the opportunity. This must change.
US Cyber Command – Smart, Talented and completely UNDERSTAFFED
The United States government needs to create a cyber-defense and cyber warrior team, the likes of which the world has never seen. We invented the internet. We need to be able to manage and protect it, without, of course, taking away the rights of citizens to the freedoms and privacies they don’t just deserve, they don’t just earn, but have by nature, as sovereign human beings. Our founders would be proud of us for the advances we’ve made here in America, from walking on the moon to sending a rover to the planet Mars. It’s time to take back that amazing ingenuity and re-invigorate not a 4th dimension of War “space program” but a fifth dimension of War “Information technology program”. The Fog of CyberWar has arrived. Let’s understand what’s at stake and take the defense of our intellectual property, our personal identities, our critical infrastructure and our government networks much, much, much more seriously before it is too late.
Until then, I implore you to follow my tips about Spear Phishing and RAT attacks, here:
and here:
If you do so, being ever so vigilant, you will NOT be the next victim.
About the Author
Gary S. Miliefsky is CEO of SnoopWall and the inventor of SnoopWall spyware-blocking technology. His company produces AppCrusher, which gives companies a detailed analysis of any vulnerabilities or risks in their mobile apps. Miliefsky is a founding member of the U.S. Department of Homeland Security and serves on the advisory board of MITRE on the CVE Program, and is a founding board member of the National Information Security Group (see: https://en.wikipedia.org/wiki/Gary_S._Miliefsky). He’s also the original inventor of the NetBeat NAC product line which was recently acquired by SnoopWall to protect networks from the inside and against bring your own device (BYOD) mobile threats. Reach him online at http://www.snoopwall.com and at [email protected].