The former head of the Department of Homeland Security’s Cyber Security Division warns that the U.S. military’s preoccupation with secrecy could hamper efforts to get the upper hand in cyber security.
An article last week by the U.S. Deputy Secretary of Defense put the U.S. military’s cybersecurity plans in the spotlight. Writing for the magazine Foreign Affairs, William J. Lynn III confirmed that a 2008 security breach resulted in a malicious code infection that touched both classified and unclassified intelligence networks and prompted a ground-up rethinking of the Pentagon’s approach to cyber security.
Lynn painted a mostly optimistic picture of the military’s about-face on cybersecurity, which culminated in the creation of a Cyber Command, under the direction of a four-star general and with a direct line of communication to the Secretary of Defense and Commander in Chief. Lynn also declared a new era in the arena of computer intrusions and defense, with cyber a new theater of warfare in need of a tried and true approach: Cold War style alliances with allies and the private sector to spot and thwart emerging threats.
What does it all mean? To get a better understanding of what’s really changed, Threatpost.com sat down with Amit Yoran, CEO of Netwitness and a former head of the Department of Homeland Security’s Cyber Security Division to talk about cybersecurity, federal policy and what the country really needs to do to secure its critical infrastructure.
ThreatPost (TP): Deputy Secretary of Defense Lynn’s article generated a lot of press coverage, but how much of what he revealed was really news?
Amit Yoran (AY): The way I looked at this is that Deputy Secretary of Defense Lynn said classified networks were compromised as part of an infestation. If that’s the story that’s out there, then that’s pretty significant. It’s not that there haven’t been incidents involving unclassified information and networks. We know about thousands of incidents involving military and Pentagon networks and elsewhere. But there haven’t been disclosures about incidents on classified networks. So that’s a pretty significant precedent, by the mere fact that information that travels on classified networks has the potential to have grave consequences for national security if it’s disclosed. So that’s newsworthy and, as we work through our cyberstrategy, a significant data point.
The other issue is that the Deputy Secretary of Defense made the point that this was a nation-state sponsored attack. Now you can question the quality of analysis, and it’s not that mistakes don’t happen. But with an issue like this that is so highly visible, for the Deputy Secretary of Defense to write that a foreign intelligence service is behind the incident, we should assume that a fair bit of analysis has been done to come to that conclusion.
TP: Do you find it at all surprising that a pretty typical virus infection, circa 2008 (Agent.btz), was attributed with delivering the ‘wake-up call’ to the Pentagon? Doesn’t that strike you as a bit late in the day for a wake-up call?
AY: I think it shows you that not everything has to be an original exploit to bypass signature-based platforms. Attackers can modify known pieces of malware so that they are not detectable by traditional AV products. That’s something that’s not as well known in the market. We hear a lot about “advanced persistent threats,” but it’s not really “advanced”; it’s, maybe, “reasonably advanced.”
TP: Deputy Secretary Lynn’s piece is fairly optimistic. He talks a lot about the changes that were made in the way the military addresses cyber threats – notably: the creation of a unified Cyber Command. Do you feel like advances have been made?
AY: I think it would be difficult to claim victory at this point. I think the reorganization has been successful and Cyber Command is off and running. So “yes,” there has been progress. There’s more awareness. But if you ask “Is the response sufficient or adequate to address the threat or commensurate with the need?” I’m not convinced that the answer is “Yes.” I think it’s too early to tell.
Looking at it from the outside, I think we continue to fall further behind in the cyber domain. A lot of activity is still occurring at the classified level and that’s unfortunate for many reasons. Our reliance on classified information is problematic from a public policy, privacy and legal perspective. That doesn’t mean that the classified program is illegal, but the legal analysis of it is classified, too. If you don’t have even the legal analysis done in the open, you’re really operating on very thin ice. You don’t have the best legal minds and scholars. You don’t have an appropriate, critical eye. You end up with a terror screening program and the legal challenges that occurred with that. I think what we’ve got is very reminiscent of Bush-era intelligence activities. There’s a public policy dialog that’s crippled by the classified nature of these programs.
The other issue, when we discuss the level of conversation, is that we get into scenarios where few people know what’s going on. When you have information that’s tightly controlled, you don’t have the type of information sharing broadly among different operators. So the intelligence community isn’t sharing information with the folks who run systems or with the private sector, and people are at a loss – they don’t understand the threat environment and what they need to do to protect themselves. They’re uninformed about risk management practices. The result is that they get compromised and leak intellectual property. So, at a policy level, that’s difficult. At an operational level, you have IP addresses and information about exploits that are classified and can’t be uploaded to unclassified systems for analysis. That’s a very sensitive issue that hasn’t been significantly changed since the Bush era.
The question that’s unanswered here really is “What is the role of government in detecting, preventing and responding to attacks against private industry in the U.S.?” “Who has authority to monitor all communications and, if they’re monitoring, do they have the right to defend and protect those communications? Are they accountable if they do it? What if they alter packets that have financial impact to a trading firm?” There’s a lot of very complex legal and policy issues and operational issues that need to be discussed openly, but they aren’t because of the nature of these programs and the classification issues.
TP: One of the suggestions in Deputy Secretary of Defense Lynn’s article is an expanded role for the NSA that might include more domestic monitoring…
AY: That’s a reason why we need transparent public debate about the proposal. Clearly, the NSA is one of the most significant resources the government has and it has some of the most powerful capabilities and assets in the cyber domain. As a national policy, do we want to see them evolving beyond signals intelligence and deeper into cyber? That makes a lot of sense. Cyber is pervasive around the world, so having NSA maintain superiority in that domain is critical to our national interests.
But when you get to questions like what the role of the NSA will be and how involved it will be in monitoring, or what the organizational structure will be for different missions, those are questions that need tremendous and healthy public policy debate. In any attack scenario you have questions about collateral damage to organizations that are not targeted but that have been compromised. Perhaps you have data that’s valid, but that includes some encapsulated malware or payload or other issue. Is the NSA going to block it or delay it or screen that traffic? Is the NSA going to make that determination for American businesses? These are not trivial legal and policy issues; they require a significant public debate, or we could find ourselves with a very different culture and different set of challenges facing the nation ten or 20 years from now.
TP: Deputy Secretary of Defense Lynn uses the analogy of the Cold War to describe the U.S.’s new approach to fighting the cyber threat, by which he means that the U.S. will leverage its allies and strategic partnerships to try to contain the cyber threat and anticipate new threats. What do you think of that analogy?
AY: When you’re in a broad domain like cyber, it can be difficult to come up with an appropriate analogy. As for the cyberwar – Cold War analogy, I think there’s some validity to it, but some gaps as well. For one, (cyber war) is clearly not a matter of traditional warfare in the sense of government versus government and military versus military. It’s more of a matter of economic advantage, and attacks are frequently done by non-state actors. So if you don’t take into account the international nature of business today, its reliance on information flows, whose assets are what and how they’re intertwined, then there are a lot of flaws to the warfare analogy. It’s not that it’s not applicable, but it has limitations.
TP: One of the significant challenges Deputy Secretary Lynn points out is in the arena of human resources – keeping parity with other developing nations in areas like engineering. You served as head of the Department of Homeland Security’s Cyber Security Division during part of the Bush Administration. What are your thoughts on what the country needs to do to succeed in the cyber arena?
AY: I think the American character is what makes us successful elsewhere and is our greatest asset in the cyber domain, as well. American entrepreneurship, ingenuity and creativity. If you think about how cyber is done, engineering disciplines are important and I would certainly say we need to support programs that encourage the development of those skills. But in and of themselves, they’re not the only factors for success. You’re going to have a healthy amount of creativity and entrepreneurship to address gaps in the market where people aren’t able to accurately defend themselves. One thing you need is transparency: a clear articulation of the threat so people can analyze it and address and better mitigate the risks they have. As I’ve said, I worry that this is being crippled by the reliance on classification, so until we have more transparency I worry that we’ll continue to fall short in areas like product requirements and functionality that allow people to better protect themselves. If we continue to rely on the NSA and the classified intelligence community, we’ll continue to have businesses that suffer from the gross inability to defend themselves. Like it says in the Bible, you’ve got to teach people how to fish. The government has a responsibility to create transparency around the threat, and we won’t be broadly successful as a nation until they do so.