Thursday, February 21, 2013

This is How China Hacks America: Inside the Mandiant Report

An unusually detailed 60-page study, just released by Mandiant, an American computer security firm, tracks for the first time individual members of the most sophisticated of the Chinese hacking groups — known to many of its victims in the United States as “Comment Crew” or “Shanghai Group” — to the doorstep of the military unit’s headquarters.

Get it here: Mandiant APT Report

Mandiant has also released an automated assessment tool that can tell if you've been infected. Contact IDP for more information.

Monday, February 11, 2013

America's embarrassingly redundant and entangled cyber security complex

Thank goodness no serious observer of electronic warfare considers a cyber-9/11 possible, let alone imminent
 

The cyber security capabilities of the United States have come under scrutiny in light of recent high-profile Chinese penetrations of American corporate networks. In many ways, cyber has become the handwavium of warfare — step two in a three-step process, sandwiched between "Meet the enemy in battle" and "Victory!"

Before the relatively new interest in cyber security, the fastest way for public agencies to increase their share of a budget was to build a special operations capability. That's why such noted demilitarized zones as Bloomington, Minn., have their own special operations forces, and every Mayberry police department in post-9/11 America wants federal funds to buy drones, periscopes, and assault rifles.

But ersatz commandos are so Bush-era. These days, if you want in on the best federal grants, you're going to need a place on the virtual battlefield. Forget the National Guard; if you want to avoid the next draft, join the Ohio Cyber Security Council. Every government agency with a computer and copy of DOS for Dummies is singing "goodbye my sweetheart, hello cyber war." And in a sickening display of naked ambition by the military-industrial complex, defense contractors are buying up every cyber research firm on the market.
It's hard to take warnings of an "imminent" cyber-9/11 seriously, in part because no serious observer of electronic warfare considers it possible, let alone imminent. (Cylons rank higher on my list of imminent threats.) In his confirmation hearings, Secretary of State John Kerry actually called cyber security our "greatest threat" and a "21st century nuclear weapons equivalent." This is shameless, first-rate scare-mongering, the likes of which the world hasn't seen since — well, ever. At least nuclear weapons have the virtue of actually being able to do what we fear they can do. Detonate a minuscule one-megaton nuclear bomb in Times Square and then launch the most catastrophic cyber attack in human history against Los Angeles and see which one is worse. Infect the people of Dayton, Ohio, with smallpox and then have the nerve to suggest, "Well, at least it's not a direct-denial-of-service cyber attack!"

In 1951, General Walter Bedell Smith, the father of the modern Central Intelligence Agency, took measure of the Armed Forces Security Agency and decided to scrap the whole thing. Signals intelligence was too important to entrust to the "divided authorities and multiple responsibilities" of the branches of the armed forces. He wanted a "consistent, firmly administered security program," removed from the institutional stupidity of the Joint Chiefs of Staff, and persuaded Harry Truman to sign a memorandum creating the National Security Agency.

Today, the NSA is a massive, effective, well-run organization. And its establishment should have been the model for the nation's cyber security efforts. But instead of one centralized, effective body largely removed from the petty grievances and rivalries of government, the military-industrial complex created a many-headed hydra of cyber agencies, each of which pumps billions of dollars into Booz Allen, General Dynamics, and Lockheed Martin.
Here's how the nation's extraordinarily entangled cybersecurity organization looks:
The director of the National Security Agency, who is always a four-star general, reports directly to the undersecretary of defense for intelligence, and through the commander of U.S. Strategic Command, to the secretary of defense. The NSA director is also in charge of U.S. Cyber Command (CYBERCOM), and is responsible for protecting the federal government's computer networks from "cyber terrorism." CYBERCOM, meanwhile, is in charge of securing military computer networks and for planning cyber offensives on the battlefield — same leader, same job, and two different top-level-domains — dot-gov and dot-mil.

CYBERCOM itself splits into four service components. Yes: The Army, Navy, Air Force, and Marine Corps each need their own cyber warfare capability, in spite of a 40-year effort to bring joint capabilities to the battlefield. The U.S. Air Force 67th Network Warfare Wing, for example, is charged with "carrying out information operations to augment war fighting commands and national decision makers." That sounds an awful lot like Second Army's mission to "conduct cyberspace operations in support of full spectrum operations to ensure U.S. and allied freedom of action in cyberspace, and to deny the same to adversaries." It's not so different from the Marine Corps Forces Cyberspace Command, whose job it is to "conduct activities to direct the operations and defense of specified Department of Defense information networks and prepare to — and when directed — conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure U.S./Allied freedom of action in cyberspace and deny the same to our adversaries." What of the Navy's Fleet Cyber Command vision? You probably already know: To "conduct full-spectrum operations in and through cyberspace to ensure Navy and Joint/Coalition Freedom of Action while denying same to our adversaries."

Four branches, each with robust and almost-entirely overlapping missions, reporting to a command that belongs to the director of the National Security Agency, an agency that has largely the same mission on a different top-level-domain. This is alongside the Defense Information Systems Agency, which "provides, operates, and assures command and control, information sharing capabilities, and a globally accessible enterprise information infrastructure in direct support to joint warfighters, National level leaders, and other mission and coalition partners across the full spectrum of operations." (Even if you don't speak propeller-head, that's not too far from the defensive cyber missions listed above.)
Meanwhile, over at the hapless Department of Homeland Security, which has thus far been run by one feckless government functionary after another, there is the National Cyber Security Division (NCSD), whose mission is to maintain a cyberspace response system, and to devise and issue programs for the protection of critical infrastructure. The NCSD has under its charge a dozen divisions, programs, and offices that do various things that the NSA and CYBERCOM also do.

In many ways, this is but a fleeting glimpse of the government's cyber security missions from 30,000 feet. But it should be clear, at least in the abstract, that when you've got a hundred thousand people from a couple of dozen agencies, organizations, and offices, each with massively overlapping areas of responsibility, you're completely undermining the cyber-9/11 fear-mongering on which your expanded federal appropriations rest. In fact, you're practically begging for a cyber-9/11 — there's no way such a lumbering beast could ever react nimbly to a truly catastrophic attack. Which is why it's reassuring, on some level, that no such attacks exist even in theory.

A massive, ineffective apparatus to fight a threat that doesn't actually exist? This is the war our sorry government was elected to fight. I'm just looking forward to hearing what word Lee Greenwood rhymes with "cyber."


D.B. Grady is co-author of The Command: Deep Inside the President's Secret Army. He is a correspondent for The Atlantic, and lives in Baton Rouge, La. See more of his work at DBGrady.com.