With the escalating threat environment, how do corporations and smaller countries defend against foreign nation states that may be super powers with many offensive weapons? For that matter, how does a super power like the U.S. defend itself when it is so vulnerable and its defenses are so porous? No one is doing a great job, and with current technology there is no defender advantage. There is a level of defensive capability that delivers defender advantage, and that’s trustworthy computing. There’s not much doubt that it’s needed.
First, There Was APT
In the past a smaller country like Canada might face difficulty when a foreign nation state that happens to be a large super power has been detected hacking government or private networks. For some time, government officials and companies with glints of Chinese contracts in their eyes had been tone-deaf to many warnings from security professionals regarding the Chinese appetite for data. Canada eventually woke up and realized that Chinese dragons and others have possibly been hoovering up all kinds of government and corporate intelligence for years, just as we know they did at Nortel over a decade ago.
At the time, Ben Makuch wrote here that former Canadian CSIS intelligence officer and Asia-Pacific Chief for Canadian spooks Michel Juneau-Katsuya told him that,
“Canada was in an open economic and cyber espionage conflict with the Chinese”
This isn’t the playground; it’s high stakes, and a difficult problem. David Mulroney, Canada’s ambassador to China from 2009 to 2012, summarizes the whole political balancing act here.
“This is unacceptable, but here’s the hard part: we can expect more of the same. A rising but insecure China will not shrink from clandestine and downright unfriendly tactics to advance its interests.
“So let’s start by banishing the rhetoric. China is not our best friend, any more than it is the sum of all fears. We do need to acknowledge and address the real threat China poses to our security.”
When the attacker is known to be a super power holding most of the cards, and who doesn’t really care what you think, what can one do? Not a whole lot, realistically.
Enter the Bear!
We next heard accounts of Russian groups attacking western business interests. Articles such as “Russian Hackers Said to Loot Gigabytes of Big Bank Data” framed the question of whether private enterprise could withstand cyber attacks by either foreign nation states or criminal groups sanctioned by them. Some things that were speculated at the time are taken more at face value now. It pays to know what adversaries are capable of, so you might take note of the following article. At the time, “Why Russian hackers are beating us” raised some eyebrows.
From it, Tom Kellerman tells us,
“They’re complete geniuses because of how they operate with their very chess-like perspective on IT and cyber security”
Was he right? Maybe one should think of Russian groups as APT with mathematical rigor?
On the Precipice?
The OPM hack attributed to China signaled the start of very visible hacking that threatened national security. In the last week, the world has seen White House measures supposedly in retaliation for alleged Russian interference in the US Presidential election in November. There are links below to fill you in on the cyber war implications of these current events, but the essay by Molly K. McKew, “Putin’s Real Long Game”, is informative on their brand of information warfare. Some important points from it are,
“What both administrations fail to realize is that the West is already at war, whether it wants to be or not. It may not be a war we recognize, but it is a war. This war seeks, at home and abroad, to erode our values, our democracy, and our institutional strength; to dilute our ability to sort fact from fiction, or moral right from wrong; and to convince us to make decisions against our own best interests.”
“ … it’s all one war machine. Military, technological, information, diplomatic, economic, cultural, criminal, and other tools are all controlled by the state and deployed toward one set of strategic objectives. This is the Gerasimov doctrine, penned by Valery Gerasimov”
“ … information warfare is not about creating an alternate truth, but eroding our basic ability to distinguish truth at all. It is not “propaganda” as we’ve come to think of it, but the less obvious techniques known in Russia as “active measures” and “reflexive control”. Both are designed to make us, the targets, act against our own best interests.”
Attribution is problematic. Even when it doesn’t fail (one can accurately identify the attack source), rhetoric or political posturing may not be an effective response, depending on the adversary involved. Punitive measures against North Korea may be one thing, but any real response against China or Russia may result in some form of retaliation and risk escalation. This is one of the questions raised when people discuss deterrence. But it’s also a concern when folks such as Sen. Roger Wicker (R-MS) say this:
“It concerns me that we really don’t know what the deterrence ought to be”
There is still much debate about how much Cold War thinking is transferable to the cyberwar arena. The question is, at what point could cyber retaliation lead to a kinetic escalation, especially between super powers? This is still new ground.
The Best Defense is a Good Defense
In his great essay here, Marcus Ranum explains to us that,
“If your defenses are really, really good, you don’t have to worry about deterring attack, or disrupting an attacker’s operations: you can just grin and bear it…Since there are infinite enemies, some of which are unknown, a good defense can cost those enemies an infinite amount of frustration and expense.”
“ … the cyberspace equivalent would be to be able to deflect an infinite number of attackers, equally effectively, simultaneously and long-term. A great defense is the gift that keeps on giving.”
James Lewis of CSIS concurs and writes, “Cybersecurity: America needs a better defense”. Unfortunately, in terms of defensive capabilities, too many governments and private enterprises are operating at the equivalent of a casual game of checkers at the cottage picnic table. Where’s the urgency, if national security is at stake? If elite Russian hacking groups are operating with the “nudge-nudge, wink-wink” approval of their government, who’s showing leadership to stop them?
The best way to stand up to any adversary, especially a super power foreign nation state, is to beat them at the “data protection” game.
It’s time for governments and enterprises to realize that their best option is to get better at defending. Big time.
What if an adversary, or multiple adversaries …
… can’t hack into your networks?
What are they going to do, complain? An added bonus would be that whenever networks can be successfully defended against adversaries, the political games and posturing over cyber issues become less necessary. The question is how to ramp up capabilities in this direction.
In this post, Philip Lieberman talks about defending against Russian adversaries in an interview.
“… the lesson to be learned is that the financial services sector needs to up its cyber security game to move up from commercial security to military level security.”
While military level security means many things to many people, let’s assume he’s referring to a level of protection and assurance that is much better than the current infosec model (unless you’re as smart as Marcus Ranum). To stay the current course is to continue to use insecure, low-assurance COTS systems and hope that network speed bumps, shared threat intelligence and breach information can compensate. But these things don’t address the root cause of system insecurity, do they?
Trustworthy Computing for Defender Advantage
Recently, though, NIST has called for improvements in system security engineering and design for trustworthy computing with NIST SP 800-160. Trustworthy computing comes out of the military paradigm, and it delivers the highest level of defensive security posture available.
“The National Security Agency (NSA) defines a trusted system or component as one “whose failure can break the security policy”, and a trustworthy system or component as one “that will not fail“.”
Based on this definition, we should modify the statement about the best defense to the following:
“The best defense is a defense based on trustworthy computing.”
Few people are familiar with trustworthy computing; it comes from the military security paradigm, and traditional implementations were too complex, costly and impractical for everyday use. However, trustworthy computing does ramp up defensive capability and raise the bar for attackers. It delivers defender advantage against hackers, dragons and bears alike, and it can provide a better means to protect national security interests than the status quo.
KSE Trustworthy Computing
The barrier to using trustworthy computing has been finding a way to make it usable and affordable for widespread use. That is where KSE, or Kernel Security Enforcer by Trustifier, comes in. The administrative overhead for KSE is about 1% of that of a traditional implementation such as SELinux or Trusted Solaris.
KSE by Trustifier is a security sub-system that delivers a user-friendly, yet mathematically verifiable implementation of trustworthy computing for COTS systems. KSE enables trustworthy computing as called for by NIST 800-160. In other words, it provides the components to reproduce trustworthy systems and devices where you need them. KSE can be dropped on existing systems or embedded into an OS prior to development and then activated for QA testing, say for embedded devices.
KSE reduces complexity, overhead and cost of ownership, and facilitates security management. TUX AI by Trustifier now orchestrates and automates the use of KSE and other Trustifier solutions in security operations as well. You can learn more about KSE here, or on the Trustifier web site.