As the Libyan war came to a close, the computer networking blogosphere was chock-a-block with speculation that the U.S. government chose not to employ cyber attacks against Gaddafi’s air defense network on the principle that it would not be the first country to do so.
Perhaps it did. According to Henry Bar-Levav*, head of ace cyber security firm Recursion Ventures and a pioneer of the commercial Internet, “War is deceit. Forensics depends on attribution. Falsification is trivial these days.”
Speaking with JINSA Policy Director James Colbert, Bar-Levav was asked whether he thought that, like Israel’s assumed nuclear arsenal, America’s cyber warfare capabilities were purposefully being kept opaque. He replied, “Can you imagine a country ‘declaring’ cyber warfare?
Smoking guns are often wishful thinking… Geography is largely irrelevant. One group can ‘mass their “cyber” troops’ with almost no possibility of detection or attribution.”
Cyber Warfare and Opacity
Continuing on this theme, Bar-Levav declared that, “Cyber warfare will remain opaque because it is fundamentally asymmetric, deniable, and, strangely, because any group can claim attribution to scare others and to increase the group’s morale.”
Implying a more aggressive approach to America’s cyber warfare plans, U.S. Deputy Defense Secretary Bill Lynn recently said that “a fortress mentality will not work in [the] cyber [realm].” Asked what he thought this meant, Bar-Levav replied that, “there are three basic security strategies: security by obscurity (passwords, crypto), security by correctness (education, following secure procedures), and security by isolation (air gapping, the fortress mentality). Defense in depth requires all of these approaches working in harmony.”
After all, he explained, “a firewall might get you 80% of the way there, but you need to realize that all aspects of security are converging, and you have to take all of them into account, and realize you can be compromised anyway, say by a rogue CFO. So, we must develop and practice emergency preparedness including incident response, public relations, disaster recovery, etc.”
“What I hope Secretary Lynn meant,” he continued, “is that ‘A fortress mentality alone will not work…’ The silver lining of 9-11 should be the lessening of the complacent belief in Fortress America, both physical, and virtual.”
National Cyber Defense Stymied
Asked whether he believes the U.S. government’s growing array of cyber security agencies and military cyber warfare centers will be adequate to defend not only government networks but private industry, Bar-Levav responded with an emphatic, “No.”
“Hackers can’t really be trained – at least not the best ones – and attacking and defending are pure meritocracies,” Bar-Levav noted. “If you win, you win. It’s a way of thinking, not a set of procedures. These are people who ‘repurpose’, and they’re not going to go to work for the U.S. government.”
In fact, Bar-Levav declared that the U.S. government’s hidebound practices with regard to security clearances and corporate contracts hurt its ability to attract the best talent. “The enemy doesn’t have top secret clearances, why should our defenders? Right now, the government has little chance, because the first question they ask after ascertaining that they want your help is ‘do you have a contract vehicle?’ This has nothing to do with security.”
But what about so-called public-private cyber defense partnerships: can they work? “Sure. Microsoft successfully shut down botnets in concert with the FBI and a bunch of warrants. But, to make this strategy sustainable, the U.S. government needs to allow what we call an ‘unregulated well-armed militia’ of security experts with ‘letters of marque’ to be able to point out and solve security problems in a risk-neutral, indemnified environment.”
Bar-Levav did allow that, “There is some interesting work going on in certain agencies, but our experience is that it’s being done by isolated brave individuals who are bucking the system, and we’ll see how well their careers develop.” The biggest challenge in this realm, he said, is that, “the bad guys don’t have to follow any rules, and we do.” We are hamstrung by “risk-averseness.”
Stuxnet-type Threats to National Infrastructure
Asked to assess the degree of vulnerability of American industrial facilities and utilities to Stuxnet-style attacks on vital control systems, Bar-Levav said that, “It’s a serious threat, made worse because the motivations are much more political and ideological than economic.”
Told that the cyber security firm Symantec had announced that some 60 percent of the 100,000 Stuxnet-infected computers worldwide were in Iran, leaving some 40,000 computers infected elsewhere in the world, Bar-Levav said, “Stuxnet had one aspect that was novel, the specificity of the target. In this case it was the Siemens SCADA systems at the Iranian enrichment facility at Natanz.
It’s a good bet to assume that Stuxnet looked for characteristics like a Farsi language pack and Siemens software and would be quite harmless to any other system. Don’t worry about Stuxnet harming anyone but who it was meant to harm.”
Regarding rampant speculation about the provenance of Duqu, the Trojan horse with strong similarities to Stuxnet, Bar-Levav asked, “Who had the motive? Even if it wasn’t Israel, it doesn’t hurt them for everyone to believe it was.
The fact is, malware researchers all pay attention to the cyber arms race, and it’s not at all surprising if we found out that Duqu’s creators were inspired by the techniques used by the creators of Stuxnet. Technologically and financially, a private group could have created both of these attacks. These aren’t at the level of the Manhattan Project.”
A New Breed of Security Required
“Even if they brilliantly secure their networks, the greatest threat that organizations face is that they are still vulnerable if their minimum wage security guards are disgruntled or their physical access control systems can be easily bypassed,” Bar-Levav explained.
“Today, security must be holistic. It must include securing information, hardware, physical access and business processes. An attacker will find and exploit any vulnerability, not just the vulnerabilities the organization has self-identified. Security is no longer the domain exclusively of the IT department or of the security guards. Attacks come opportunistically,” he warned.
* On November 7, 2011, Bar-Levav addressed JINSA’s Board of Directors at their Fall Meeting
Cross-posted from The Sentry