Friday, November 14, 2008
The general in charge of the U.S. Air Force's cyberwarfare effort says plans for his unit have been scaled back because staff who would have been used to set up a cybercommand will be allocated to the service's new nuclear command instead.
Air Force Cyber Command was to be established last month as a major command alongside the service's space, air-combat and other commands. However, those plans were suspended over the summer after Defense Secretary Robert M. Gates fired the Air Force's civilian and military leaders because of lapses in the security of the nation's nuclear arsenal.
Last month, plans for a full-fledged major command for cyberwarfare were scrapped.
Maj. Gen. William T. Lord, commander of Air Force Cyber Command, says better training is needed to respond to cyberwarfare.
The Pentagon's Armed Forces News Service reported on Oct. 8 that a gathering of the service's leadership in Colorado was told that cyberoperations would be a numbered Air Force component -- one step down from a major command in organizational terms.
Maj. Gen. William T. Lord, commander of Air Force Cyber Command, told United Press International that the change helped solve the organizational challenge of creating a new nuclear command "with the manpower that was going to be allocated to make cybercommand a major air command allocated instead to fix the more pressing problem... [of] making sure that people are comfortable that we in fact have our eye on the ball of our nuclear enterprise."
Gen. Lord said the headquarters billets that were going to be allocated to cybercommand were used to create the Air Force's Global Strike Command.
The new command brings together all the Air Force's nuclear weaponry under one leadership and is one of a series of measures taken to restore confidence in the service's stewardship of the nation's atomic arsenal after some high-profile missteps.
An internal report released in early June was sharply critical of the Air Force, focusing on a mistaken shipment to Taiwan of four Air Force electrical fuses for ballistic missile warheads. In August 2007, a B-52 bomber was mistakenly armed with six nuclear warheads and flown across the nation without anyone realizing it.
As a numbered Air Force component, the cybercommand will be a force provider to the U.S. military, organized within Air Force Space Command - much as a bomber wing forms part of Air Combat Command, which provides air power to the joint combatant commands.
Gen. Lord said the new arrangement is "a good marriage between the expertise capabilities inside Air Force Space Command and the capabilities we're trying to bring on in the cyberbusiness."
Space Command is already the repository of the technical and engineering expertise required, he said. He dismissed suggestions that the Air Force was rebuffed after an overreaching power grab -- which is how some critics of the service saw its plans for a major cybercommand.
Amit Yoran, former National Cyber Security Division director within the Department of Homeland Security, said that whatever the reason behind the decision, it showed Air Force leaders were "still being open-minded to evolve their strategy based on feedback and input they got" from the civilian leadership and cybersecurity experts.
Dave Aland, a senior analyst for El Segundo, Calif.-based Wyle Laboratories Inc., which supports the Department of Defense and other clients, declined to comment directly about the Air Force decision but said that, in general, the military needs to address the issue of cyberwarfare "considerably more collaboratively."
He said that applies to interservice cooperation as well as relations between the military and other federal entities and allies.
"The spillover is very broad-based," he said of potential collateral damage from cyberattacks.
Mr. Aland said the nature of cyberconflict made it practically impossible to distinguish warfare from crime or terrorism.
"The only real difference is in the target set, which bleeds over dramatically from one [category] to the next - and the intent of the actors," which is all but impossible to determine, he said.
"It becomes impractical to work out who the actors are... and apply the relevant legal framework," Mr. Aland said, adding that there needs to be a "wholly new approach."
Gen. Lord agreed.
"When does a cyberattack on a bank change from being just a cybercriminal to being someone attacking the nation's banking system?" he asked.
"Some would argue it doesn't matter," he said, "and it may not matter if you are inside the bank, but it matters if you are following U.S. law in determining what action, what activity, you can take against -- if you can figure out who the attacker is."
He also said the laws that govern traditional conflicts apply to U.S. cyberwarfare efforts, much the same way targeting decisions for U.S. air power are bound by the restrictions of the Geneva Conventions.
"You still have to look at reciprocity, at collateral damage," he said. "We do consider cyber as a war-fighting domain, but one in which places like the Internet exist, and you have to de-conflict all that."
Those decisions lie with the combatant commanders and, specifically, with the commander of U.S. Strategic Command, which is also setting the requirements for the Air Force's cyberforces.
Gen. Lord said the top-priority requirement right now is training, "all the way down from the Air [Force] Institute of Technology to basic military training." He likened the basic training to "equipping airmen with cybersidearms... officers, enlisted and maybe even contractors, so that they know their responsibilities for behavior on the network today."
Gen. Lord said the numbered Air Force cybercomponent will also support U.S. Northern Command, which controls all U.S. military forces within the continental United States, whether it is needed in response to a cyberattack or as a result of a more conventional disaster, such as a hurricane.
"It's not just the attack-and-defense piece; there's consequence management, too," he said, "where military personnel and equipment could get broken networks up and running for the civilian population."
If you thought UF's problems with technology began and ended with the unreliable ISIS system and the always-crashing UF WebMail, you thought wrong.
Apparently UF’s computer servers play defense about as well as the Gators’ last five opponents. That’s right, we’ve been breached again.
To clear up any possible misunderstanding before it begins, the Editorial Board would like to emphasize that we aren’t budding computer engineers. We e–mail, we Facebook and we solitaire (sometimes spider) — we might not have the clearest understanding of the UF network.
It seems to us, though, that having three security breaches within the past six months, in tandem with the faulty WebMail system, paints a picture that says UF has a lot of information technology kinks to work out.
UF’s College of Dentistry was targeted this time. The college’s server contained personal information on more than 344,000 patients. In accordance with the law regarding these kinds of problems, the college contacted everyone who may have been put at risk by the security breach.
If you think you're at risk, check your e-mail. An empty inbox should relieve your fears.
The fact that UF is attacked via computer with success so often worries us a bit. We like our identities, and we don’t want anyone taking them.
OK, the last breach was a personal error, not the result of a hacker’s illegal intrusion. Still, that leaves two security breaches in the past six months, which doesn’t sit well with us.
We don’t have the answers for these perceived IT problems, but we hope someone around here does.
Well, I (Steve here) finally succumbed to my temptation and saw the blockbuster hit Eagle Eye. (http://www.eagleeyemovie.com/ and http://www.fandango.com/eagleeye_110111/movieoverview). I’ll do my best not to ruin this movie in the event that you have not yet seen it while trying to make the key point of this blog.
Eagle Eye is based on the premise that someone, well in actuality, something (okay, I'll stop with the hints) has extensively hacked into the power grid. While watching the movie, you'll witness remote control of public transportation systems, cranes, demolition equipment, electricity transmission lines, etc. While the extent of exposure conveyed in the movie is quite far-fetched, it does bring up a very important consideration: What are you doing with regard to your event monitoring operations?
In Eagle Eye, several severe breaches transpired before anyone responsible for the affected critical infrastructures became aware that such breaches had occurred. Further, a considerable amount of time elapsed after the breaches became known before their root cause was identified. Following on from that consideration, it is critical to understand the security implications of SCADA and process control systems.
Unlike several professions, many aspects of critical infrastructure operations and other business operations involving SCADA and process control systems can be life threatening if a security breach occurs. For example, what could happen to a patient receiving radiation therapy from a device that is accessible from within a hospital’s wireless network? What could happen to passengers in a subway if the operations of the rail system were somehow overtaken by malicious parties? Similar questions are numerous.
While it is not possible to achieve 100% security; that is, to be impenetrable to malicious attack or inadvertent human error, it is possible to achieve robust and sufficient monitoring capabilities. However, what continues to plague this aspect of companies’ business operations is the perception that it is too costly and impractical to implement and execute sufficient 24x7 event monitoring and notification capabilities. The question is, “Is it really impractical to implement and execute sufficient 24x7 event monitoring and notification capabilities?” Matt, take it from here…
Steve, you bring up a very significant and valid point. The answer is, “No, it is not impractical as long as the organization understands what their critical business operations and their underlying support systems are.” And, Eagle Eye does depict some things entirely far-fetched, such as the transmission line over voltage scenario. What was that? For some reason I hear power engineers scoffing.
Nonetheless, a lack of clarity commonly exists between traditional business operations, information technology, and industrial control. The challenge is to understand the business's role and then map it onto the technology appropriately.
For instance, what does a failed access attempt mean to business operations?
1. Someone is attempting to log into an email account
2. Someone is attempting to log into the corporate VPN
3. Someone has attempted to open a door
4. Someone is attempting to log into the operator HMI
5. A new system is attempting to interact with the historian
6. A new remote host is polling via ICCP
7. …
All of these situations have varying corporate responses that may differ with association and event context. For instance, whose email account? Log into the corporate VPN with what laptop or from what IP address? Open the door at what time? Log into the operator HMI before or after opening a door? Another directly related example would be your home. Would you respond differently to someone knocking on your front door versus your backdoor? Absolutely!
Context is very important to detecting events of interest. It is also very important to understand a system’s normal behavior. Specifically, how it operates normally - what processes are running, how much memory and CPU are utilized and to what does it normally communicate. Identifying system normalcy provides a valuable baseline to analyze against and, luckily, our process control systems are very deterministic in nature in one of two operating states - normal and emergency conditions.
We recommend starting with very specific monitoring criteria for control systems. Typically the focus is on access attempts and on what a system communicates with; exactly how to architect this depends on the control system, network, and vendor. We have recommended on many occasions using a modified network IDS that only tracks conversations and generates system event logs, then sending these events to a correlation and log engine for real-time monitoring and event archival. It is recommended to start simple with the following event monitoring:
1. System logging of authentication system events directly from the HMI, FEP, and Historians; and
2. Generating netflow communications data between nodes to monitor approved and therefore unapproved system to system communications.
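The two starting points above, plus the "context" point about failed access attempts (whose account, from where, before or after a door opened), can be put into a small correlation rule set. This is an added example, not code from the post or its authors; the event records, the fifteen-minute badge window and the approved-flow allowlist are all constructed to illustrate the idea.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the post). Door badge reads give
# physical context for HMI log-in failures.
BADGE_EVENTS = [
    {"ts": "2008-11-14T08:02:00", "door": "control-room", "user": "operator1"},
]
AUTH_EVENTS = [
    {"ts": "2008-11-14T08:05:00", "system": "hmi-01", "user": "operator1", "result": "fail"},
    {"ts": "2008-11-14T02:30:00", "system": "hmi-01", "user": "operator1", "result": "fail"},
    {"ts": "2008-11-14T02:31:00", "system": "vpn", "user": "operator1",
     "src": "203.0.113.7", "result": "fail"},
    {"ts": "2008-11-14T09:00:00", "system": "mail", "user": "operator1", "result": "fail"},
]
# Hypothetical allowlist of (src, dst, port) conversations learned from the
# system's normal-behaviour baseline. Anything else is unapproved by definition.
APPROVED_FLOWS = {
    ("hmi-01", "historian", 1433),
    ("fep-01", "historian", 1433),
    ("rtu-07", "fep-01", 20000),
}
NETFLOW = [
    ("hmi-01", "historian", 1433),
    ("rtu-07", "fep-01", 20000),
    ("eng-laptop-3", "historian", 1433),  # new system talking to the historian
    ("203.0.113.9", "iccp-gw", 102),      # new remote host polling via ICCP
]

def badged_in(user, ts, window=timedelta(minutes=15)):
    """True if the user badged through a door within `window` before `ts`."""
    t = datetime.fromisoformat(ts)
    for b in BADGE_EVENTS:
        bt = datetime.fromisoformat(b["ts"])
        if b["user"] == user and timedelta(0) <= t - bt <= window:
            return True
    return False

def score_auth_failure(ev):
    """Return (severity, reason) for one failed access attempt, using context."""
    if ev["result"] != "fail":
        return ("none", "successful access")
    if ev["system"].startswith("hmi"):
        if badged_in(ev["user"], ev["ts"]):
            return ("low", "HMI failure shortly after badge-in: probably a typo")
        return ("high", "HMI failure with no badge-in: credentials used from outside the control room")
    if ev["system"] == "vpn":
        return ("medium", "VPN failure from %s" % ev.get("src"))
    return ("low", "business-system failure")

def unapproved_flows(flows, approved):
    """Conversations not present in the approved baseline."""
    return [f for f in flows if f not in approved]

if __name__ == "__main__":
    for ev in AUTH_EVENTS:
        print(ev["ts"], ev["system"], score_auth_failure(ev))
    print("unapproved:", unapproved_flows(NETFLOW, APPROVED_FLOWS))
```

The same HMI log-in failure scores differently depending on whether a badge read preceded it, which is exactly the "front door versus back door" distinction the post makes.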
Some of our peers recommend using IDS signatures that are unique to control networks; however, our experience shows that this is not necessarily the best solution. Traditional signature based IDSs have proven repeatedly to fail in their implementations. Many vendors exist for monitoring traditional IT systems – and you can use this same environment for control systems. Make sure to ask your control system vendor about what they will support; you do not want to void your support agreement by modifying the system or network and you do not want the extent of such an investment to collect dust as ‘shelf ware’.
The best option is to reference the Department of Homeland Security's "Cyber Security Procurement Language for Control Systems". Of course, this is most helpful when you are in the initial procurement stages of a system or support agreement; however, it can also be used to identify appropriate security controls for your specific environment. Note that Rita Wells of Idaho National Laboratory has repeatedly urged caution: use the procurement language as a tool for the process, but do not simply staple it to a vendor order. The language is provided as a reference for selecting security options, and if added wholesale to a vendor contract it will include many conflicting alternatives.
Attorneys for the University of Tennessee student accused of breaking into Alaska Governor Sarah Palin's email account have filed a small forest's worth of court documents in defense of the high-profile suspect. Among them is a motion to prohibit prosecutors from referring to their client as a hacker.
The terms "hacker" and "hacking" have no basis under the statute Kernell is accused of violating, a motion filed in US District Court in Knoxville argues. It goes on to seek an order forbidding prosecutors and their witnesses from using those words when referring to the case.
"Because of the negative connotations evoked by these terms, there is a significant danger of unfair prejudice, confusion of the issues, and misleading the jury," the motion states. "Hackers are commonly portrayed as dangerous criminals who are involved in malicious conduct such as credit card fraud, stealing, intentional disruption of legitimate activities and causing economic damages."
According to accounts provided in court documents and a narrative taken from the 4chan website, Kernell accessed Palin's Yahoo email account by correctly guessing three password-reset questions using information that was readily available online.
"'Hacking,' which implies the use of sophisticated means or specialized computer skills, is not applicable to the alleged conduct," attorneys for Kernell wrote.
They aren't the first people to quibble with use of such terms in describing the acts Kernell allegedly carried out. Some seasoned security experts have also taken issue with use of the word "hack" to be synonymous with "electronic intrusion."
"It doesn't constitute what we would label as advanced hacking," Rob Graham, CEO of consultancy firm Errata Security, said of the acts alleged in the indictment. "It's something that a teen can figure out, rather than an advanced professional."
The document is one of three defense motions filed since Kernell was indicted in early October for intentionally accessing a protected computer without authorization. The barrage suggests attorneys for Kernell, the son of a Democratic Tennessee state lawmaker, intend to mount a defense that is considerably more vigorous than many in computer crime cases.
One motion argues that prosecutors improperly charged Kernell with a felony instead of a misdemeanor, as the statute in the case calls for. Under the law, the unauthorized access of a protected computer should be classified as a misdemeanor except when it is used to further a separate crime. In Kernell's indictment, that other crime is the unauthorized access of Palin's email account.
The indictment "is very strangely pled and circular," said Jennifer Granick, a staff attorney for the Electronic Frontier Foundation. "It's not surprising given the nature of the charges and given the quality of the indictment that the defendant would see a real opportunity here to make some points in favor of the defendant."
A separate motion jointly filed by the prosecution and defense seeks to delay the trial date, which is currently set for December 16. The judge in the case has yet to rule on any of the motions. Don't expect this case to be settled anytime soon.
A telecoms company owned by Russian billionaire Mikhail Fridman claims to be the victim of espionage and black propaganda and has urged a rival company to investigate any possible involvement.
Altimo, whose advisory board includes a former head of Britain's GCHQ listening station and a former deputy chief executive of Vodafone, said it has received evidence of wide-ranging attempts to discredit the company.
Altimo alleges the interception of emails and tapping of telephone calls, surveillance of executives and shareholders, and payments to journalists to write damaging articles.
The claims come in the wake of Altimo's long-running dispute with Oslo-based Telenor, the Nordic region's largest phone company. The two companies are locked in a dispute over the expansion of a joint venture, VimpelCom, Russia's second-largest mobile phone business. Altimo is part of Alfa Group, run by Mr Fridman, one of four Russian businessmen involved in a bitter dispute with oil giant BP earlier this year.
Yesterday, Andrei Kosogov, Altimo's chairman, wrote an open letter to Telenor's chairman, Harald Norvik, asking him to explain what Telenor's role has been and "what activity your agents have directed at Altimo". He said that he was "reluctant to believe" that Mr Norvik or his colleagues would have sanctioned any of the activities complained of.
Evidence of an alleged campaign was contained in documents sent to each member of Altimo's advisory board some time before October. The board is chaired by ex-GCHQ director Sir Francis Richards, and includes Lord Hurd, a former UK Foreign Secretary, and Sir Julian Horn-Smith, a founder of Vodafone.
Mr Kosogov said he first wrote to Telenor in October asking if the company knew of the alleged campaign, but received no reply. In yesterday's letter to Mr Norvik, Mr Kosogov writes: "We would welcome your reassurance that Telenor's future dealings with Altimo will be conducted within a legal and ethical framework."
A Telenor spokesman said yesterday that "the documents either have nothing to do with Telenor or have been clearly altered or forged." One Telenor adviser said that an email alleged to have been sent by him was mis-dated and clearly fabricated. "They are welcome to check my computer," he said.
Mr Horn-Smith told The Daily Telegraph that the dossier he received was "very serious", but he added: "I would counsel a calm and wise head on both sides."