Cyber Security: No Pain, No Gain

July 15, 2015

By Hans Holmer

Senior Cyber Strategist, Technical Counterintelligence Center

INTELLIGENT DECISIONS

Leaders of companies frequently find themselves at a loss for how to lead in the cyber arena. Typically, from the C-Suite point of view, “cyber” appears to be a technology problem rather than a people problem, and the technology moves far too quickly for ordinary mortals to keep up. Too often the “people aspect” of cyber security is overlooked, yet it is one of the areas where leaders can do their company and their employees the most good. In fact, cyber security is like exercise: no pain, no gain.

Take the traveling executive: a senior leader who travels the world carrying electronic devices that hold crucial company intellectual property and proprietary data. He or she is also too busy to deal with painful security requirements that interfere with work, and that computer holds exactly the sort of data that is of critical value to the business… and to competitors or even foreign governments. It doesn’t take a genius to know that a number of countries are gaining access to US intellectual property and patented information by cyber means. As of mid-2014, Bloomberg reported an estimate that cybercrime costs the global economy more than $445 billion a year. (http://www.bloomberg.com/news/articles/2014-06-09/cybercrime-remains-growth-industry-with-445-billion-lost )

So how can companies protect their traveling executives and lead their business in cyber security? By demonstrating that cyber security is business resiliency: that data protection is important enough to put above the pain of “not doing things the way you’ve always done them,” and that leadership is willing to accept that pain to secure company data when traveling. Changing our behavior is the key to stopping breaches, hacks, and data loss.

  • Take the time to install every security update and patch. The great majority of intrusions exploit software vulnerabilities for which a patch has already been issued but not installed. Laptops that move between the corporate network and outside networks are particularly at risk, because users are rarely willing to let the update process interrupt work, so the most exposed machines go unpatched the longest. If traveling senior executives demonstrate that protecting their computer is critical to the business and insist that their own machines be fully patched before they leave, that alone would be a major step forward in corporate cyber leadership.
  • Use a designated computer for foreign travel. A travel machine that carries only the data needed for the trip reduces the intellectual property exposed if it is lost, searched, or compromised, and it can be wiped and re-imaged on return, so it is far less likely to introduce malware back into the corporate network. Give it its own limited credentials rather than the executive’s normal corporate log-in, so that anything captured overseas cannot be replayed against the corporate network.
  • Keep computers, phones, and other devices in your sight at all times. Sure, it can be painful. But not nearly as painful as the loss of intellectual property, competitive advantage, and business.

When corporate leadership demonstrates that cyber security is important and that useful countermeasures are worth the pain, it sets the priorities for the rest of the organization. By taking the lead in secure technology use while traveling abroad, senior leadership sets the tone for the entire corporation and raises its security practices. In the process of learning to use technology securely, everybody benefits. It’s a win for leadership and for cyber security. Not only does it demonstrate that mitigating risks while traveling is important, but also that protecting company data on the corporate network is important. The same countermeasures that secure a travel computer (current patches, minimal data, limited credentials, physical control) secure a corporate network. Doing one but not the other is a waste of time. Cyber security is very much an all-or-nothing kind of problem; it’s “data ecology.” The entire network, and all the employees, need to actively participate. And it starts at the top.

 

Hans Holmer works in the Technical Counterintelligence Center of Intelligent Decisions. He can be reached at hholmer@intelligent.net or 703.599.4735.

Hans is a retired CIA officer with about 20 years in cyber, 26 years in intelligence and over 40 years in computers and similar technologies.


Cyber: Lightning or potholes?

May 8, 2015

By Hans Holmer

When you read about big breaches of corporate data, the breaches are generally described as the computer equivalent of “lightning”: something so fearsome and unstoppable that only the government and draconian laws could prevent them.

To the cyber practitioner, the more apt analogy for breaches is potholes. Like potholes, vulnerabilities in software and hardware are ubiquitous, not that hard to fix individually, and new ones are discovered all the time. The sheer number of devices that need to be patched and the number of patches and updates that need to be deployed is daunting, but the actual installation of a patch is not complex. This matters because almost all breaches depend on unpatched computers to succeed. The lightning strikes, more properly called 0-days, in which an attacker exploits a vulnerability before the vendor has issued a patch for it, are extremely rare.

The key to keeping a street pothole-free is first to know which streets you are responsible for and what kind of road surface each uses. The same is true of computer networks. You need to know every device and every piece of software on your network: PCs, printers, servers, routers, scanners, and so on. Any device or software that you do not own and cannot manage presents a threat unless it is moved to a separate network. Only when you know your network can you patch it, all of it.

Once you know which roads you are responsible for, you can determine whether the road surfaces are appropriate for the traffic that uses them. You’ve noticed that highways have different surfaces than neighborhood roads. In IT network terms, you need to ensure that users and processes have credentials appropriate to the work they do, so that no user or process has more access than it needs. Only a small percentage of users should have administrative privileges, those privileges should be granted for particular purposes, and the accounts that hold them should not be the ones used for everyday e-mail and web browsing.

When it comes to detecting potholes, system administrators have an easier time than city managers: most modern operating systems are on a monthly patch cycle, so the vendor tells you where the holes are. If you have computers that no longer receive patches at all, such as the 13-year-old Windows XP, it is time to repave that road. It is no surprise that breaches are ubiquitous when 17% of computers still run Windows XP a year after Microsoft stopped issuing patches for it, and it is hard to blame those vulnerabilities on hackers. By the way, the most common Windows operating system, with 58% of the total market, is Windows 7, released in 2009 and now on “extended support” until January 2020. There is a strong argument for re-paving that road before it becomes one giant pothole.

You already know that most urban streets have more potholes than are good for your car. In a nutshell, this is because inadequate resources are devoted to maintaining the streets and nobody wants to block a street while it is repaved. The same is true of computer networks. The damage done to vehicles is not borne by the city, and the cost of a network breach is similarly diffuse and unpredictable, unlike the well-known cost of securing the network. In both cases a known cost today wins out over an uncertain future cost, even though that future cost is almost certainly orders of magnitude higher.

If you had to track pothole repair, you would track the percentage of streets that are completely patched. You can do the same for networks. The percentage of PCs that are fully patched, alongside the percentage of every other kind of device (servers, printers, routers) that is fully patched, is a serviceable indicator of the security of a network. Two caveats: “fully patched” has to include the firmware on the printers and routers, not just the operating system on the PCs, and a device whose platform no longer receives patches must count as unpatched, because nothing new will ever be released for it. Given that the vast majority of breaches exploit these fundamental vulnerabilities, the metric is an adequate proxy for the security of the network.
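As an added example (not part of the original article), the following Python script builds the kind of inventory described above and computes the patch-coverage indicator this section proposes, per device class and overall. It also folds in two checks a practitioner would want: a device on a platform that no longer receives patches is never counted as fully patched, and a day-to-day account that also holds administrative rights is flagged, the over-privileging discussed earlier. The hostnames, patch identifiers and account names are constructed sample data; the only real-world facts are Microsoft’s published end-of-support dates (Windows XP: 8 April 2014; Windows 7 extended support: 14 January 2020), and the article’s publication date stands in for “today.”

```python
"""Patch coverage as a network-security indicator.

Added example, not code from the original article. Inventory rows are
constructed sample data; end-of-support dates are Microsoft's published ones.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List

# Vendor end-of-support dates for the two OSes the article names.
# After this date no patches are issued, so "fully patched" means nothing.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}


@dataclass(frozen=True)
class Device:
    name: str
    kind: str                  # pc, server, printer, router, ...
    os: str                    # operating-system or firmware family
    released: FrozenSet[str]   # patch/firmware IDs the vendor has published for it
    installed: FrozenSet[str]  # patch/firmware IDs actually present
    accounts: FrozenSet[str]   # accounts used for day-to-day work
    admins: FrozenSet[str]     # accounts holding administrative rights


def is_supported(d: Device, today: date) -> bool:
    """True while the vendor still issues patches for this platform."""
    eol = END_OF_SUPPORT.get(d.os)
    return eol is None or today < eol


def fully_patched(d: Device, today: date) -> bool:
    """Every released patch is installed AND the platform is still supported.
    Without the second test an end-of-life box looks perfect, because nothing
    new is ever released for it."""
    return is_supported(d, today) and d.released <= d.installed


def coverage_by_kind(devices: Iterable[Device], today: date) -> Dict[str, float]:
    """Percent fully patched per device class. Reporting per class stops a few
    unpatched printers or routers from hiding behind hundreds of patched PCs."""
    total, ok = defaultdict(int), defaultdict(int)
    for d in devices:
        total[d.kind] += 1
        ok[d.kind] += int(fully_patched(d, today))
    return {k: round(100.0 * ok[k] / total[k], 1) for k in total}


def overall_coverage(devices: Iterable[Device], today: date) -> float:
    """The single-number indicator the article proposes: percent of all
    devices that are fully patched."""
    devices = list(devices)
    patched = sum(fully_patched(d, today) for d in devices)
    return round(100.0 * patched / len(devices), 1)


def needs_repaving(devices: Iterable[Device], today: date) -> List[str]:
    """Devices that must be replaced or upgraded, not patched."""
    return sorted(d.name for d in devices if not is_supported(d, today))


def over_privileged(devices: Iterable[Device]) -> List[str]:
    """Devices where an everyday account is also an administrator."""
    return sorted(d.name for d in devices if d.accounts & d.admins)


def fs(*items: str) -> FrozenSet[str]:
    return frozenset(items)


# Constructed sample inventory; hostnames, patch IDs and accounts are hypothetical.
INVENTORY = [
    Device("pc-01", "pc", "Windows 7", fs("KB-A", "KB-B", "KB-C"), fs("KB-A", "KB-B", "KB-C"),
           fs("alice"), fs("Administrator")),
    Device("pc-02", "pc", "Windows 7", fs("KB-A", "KB-B", "KB-C"), fs("KB-A"),
           fs("bob"), fs("bob", "Administrator")),        # unpatched, and bob is admin
    Device("pc-03", "pc", "Windows XP", fs("KB-X1", "KB-X2"), fs("KB-X1", "KB-X2"),
           fs("carol"), fs("Administrator")),             # looks complete, but end-of-life
    Device("srv-01", "server", "Linux", fs("openssl-fix", "bash-fix"), fs("openssl-fix", "bash-fix"),
           fs(), fs("root")),
    Device("prn-01", "printer", "printer-firmware", fs("fw-2.1"), fs("fw-2.0"),
           fs(), fs("admin")),                            # firmware one release behind
    Device("rtr-01", "router", "router-firmware", fs("fw-15.2"), fs("fw-15.2"),
           fs(), fs("admin")),
]
TODAY = date(2015, 5, 8)  # the article's publication date stands in for "today"

if __name__ == "__main__":
    print("coverage by class:", coverage_by_kind(INVENTORY, TODAY))
    print("overall coverage:", overall_coverage(INVENTORY, TODAY))
    print("needs repaving:", needs_repaving(INVENTORY, TODAY))
    print("over-privileged:", over_privileged(INVENTORY))
```

On this sample the PC class scores 33.3% even though two of the three PCs have every available patch installed, because the Windows XP machine is counted as unpatched: that is the point of the end-of-support check, and it is what turns the metric into an argument for repaving rather than a false sense of completeness.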

Once you have reached a state where your baseline security is predictably high, it is time to bring in experts who can help you defeat the lightning strikes. An attacker who spends a 0-day spends it on your most valuable assets, in whatever form they take, be it intellectual property, customer data, or money. By implementing expert countermeasures focused on protecting your critical data and processes, you can reach that rare state of having neither potholes nor lightning in your network.

 



Federal Allies Institute Interview: Kevin D. Freeman, New York Times Best-Selling Author on Economic Warfare and Cyber

March 17, 2014

Federal Allies  Recently, the Russian invasion of the Crimean peninsula utilized both conventional and cyber attacks.  In your latest book Game Plan, you outline the potential threats against the U.S. economy and how Americans can be prepared to protect their savings and investments.  In other words, what Americans see as the marketplace, our enemies now view as the battle space, to include cyber economic attacks for a global economic war.  You have written several books on the subject.  Can you enlighten us on your federal agency meetings and what has been their response to the potential for economic warfare and cyber attacks?

Freeman  It is important to understand that the critical issue is economic warfare and cyber is a powerful way to conduct that war. Without understanding that the war is economic, cyber becomes a catch-up battle with malware, viruses, and hacking—something for which you might install some good defensive software but not create a threat doctrine.

Most of my meetings have been with Defense and Intelligence agencies. Initially, the meetings were based on curiosity as the concept of economic warfare and financial terrorism was viewed as outside the mainstream of discussion. In one case, a group was convened to determine how offensive weapons could be deployed using financial strategies.

In most cases, after the meeting, there was a general acknowledgment of the threat but little willingness to address it. “It’s not in our lane,” was a common response. In other cases, there seemed to be a denial of the entire concept. “No one would be able to do that,” and “why would anyone harm our economy when they would be hurt in the process,” were typical responses. Since 2008, I have met with a dozen or so different Pentagon-related offices, top leadership (past or present) from three different intelligence agencies, various appropriators, Federally-funded research labs, and others.

Over time, with further revelations, however, the idea of economic attacks, especially those cyber in nature, has gained critical acceptance. I recall a meeting at the FBI, for example, where the whole idea of attacking our financial system was ridiculed. A couple of weeks later, the NASDAQ was hacked and it was acknowledged that the resources behind the breach leaned more to nation state than criminal organization. And there have been directed threats by Putin against our markets and currency, the flash crashes, and other incidents that support my general thesis that the next war is economic with cyber weaponry. Then there were the revelations from Juan Zarate in his book, Treasury’s War, that acknowledged not only that we had developed economic weaponry to use against terrorists but also that we were vulnerable to a host of financial attacks.

Unfortunately, the problem remains that the broad issue of economic warfare and financial terrorism, despite its serious nature, doesn’t “belong” in any one location and may not reside anywhere. We are looking at cyber, but unless we see it in the context of economic warfare we won’t address it properly. Outgoing head of the NSA, General Keith Alexander acknowledged our vulnerability in a 60 Minutes interview (as excerpted from Forbes December 15, 2013):

“On the CBS program 60 Minutes tonight, National Security Agency (NSA) director Gen. Keith Alexander admitted that ‘a foreign national could impact and destroy a major portion of our financial system’ by placing a virus in our computer systems ‘and literally take down the U.S. economy’ if the virus was spread around … While mentioning known attacks by China, Deborah Plunkett, another NSA official spokesperson, told CBS: ‘Don’t be fooled. There are absolutely nation states who have the capability and the intention to do just that,’ i.e. ‘literally take down the U.S. economy.’”

Federal Allies  How big of an issue is cyber in comparison to all other concerns?

Freeman  Our potential enemies have cyber as the #1 means of future warfare.  That says something. It is likely that all future conflicts will have at least a cyber component. The risk is, with cyber or EMP or other attacks that Pearl Harbor and Hiroshima could be combined into a single event. There are sovereignty ending risks if the electric grid is wiped out, or the financial system completely collapses. Consider this from Wired Magazine in 2010:

“Cyberspace has become the fifth domain of warfare, after land, sea, air and space. Some scenarios imagine the almost instantaneous failure of the systems that keep the modern world turning. As computer networks collapse, factories and chemical plants explode, satellites spin out of control and the financial and power grids fail.”

The Russians used cyber attacks both in Georgia and more recently the Ukraine. China, Iran, and North Korea, and multiple terror groups/international criminal organizations have all developed sophisticated cyber units as a primary means of war fighting. They are testing and probing our systems daily.

Federal Allies  The Defense Department named cyberspace a new domain of warfare in 2011. Today, U.S. Cyber Command, the services, and U.S. partners and allies are working together to make that inherently collaborative, adaptable environment a suitable place for military command and control.  Which federal agencies are leaders on cyber?

Freeman  DoD through Cyber Command and NSA and Homeland Security are key leaders, with significant cyber efforts at FBI and throughout the Intelligence Community. I am concerned, however, that the effort isn’t fully integrated as would be required to develop an economic war footing. It’s a little like pre-9/11 when anti-terrorism was split across a variety of efforts with little coordination or cooperation.

Federal Allies  Which published government reports would you recommend to bolster our readers?

Freeman  All of my work has been through existing contractors. I recommend my DoD reports, my books, and blogs with info at http://secretweapon.org.

Federal Allies  As you look across the agencies, who is leading the most important initiatives underway?

Freeman  From my limited vantage point, DoD has shown the most interest which is appropriate as this is an economic war with a cyber dimension.

Federal Allies  What would you like to leave our readership thinking about?

Freeman  I believe we are potentially facing a third World War fought primarily through economic means. Most prospective enemies of the United States would prefer not to match our kinetic weapon systems. But, they view our underlying strength coming from our economy and our economy appearing vulnerable. Unfortunately, our nation tends to prepare for the next war based on the weapons from the last war. This is a mistake. It is critical that we develop a complete economic warfare doctrine and build integration for key cyber efforts to that doctrine.

Federal Allies  Thank you.

 

Read Federal Allies News March 2014 edition: Economic Warfare and the Use of Cyber. An in-depth interview of New York Times Best-Selling Author Kevin D. Freeman. www.FederalAllies.org  Interview conducted at CPAC and online.
