We've been hearing about "cyber war" for some time now. It has been held out as an existential threat by some people, been the topic of scores of books, and led to the establishment of military organizations in several countries, including the U.S. Cybercommand, China's Blue Army, in the UK, and more. The definition of "cyberwar" has been somewhat imprecise, in part because some people trying to define it don't necessarily understand the full range of whatever "cyber" actually encompasses. It is also the case that definitions that include some current activities might imply that we're at war, and that has political ramifications that might be unpleasant to confront. The range of activities often discussed — including snooping, theft, espionage, and DDOS — don't really seem on the same level as a tank blitz or nuclear attack. After all, would an inability to shop online for a week really be a form of battle damage?
Of course, our whole definition of "war" is itself a little muddled. We have the World Wars, certainly. But from a strictly U.S. perspective, consider the Korean and Vietnam conflicts — were those wars? Or the Gulf War, Bosnia and Herzegovina, Iraq, Afghanistan — was the U.S. at war? And is that what is going on with Libya? In one sense, yes, because in each we employed military forces against a defined enemy. But how many of those had a formal declaration of war? And none were really existential threats that required the entire U.S. to be involved. War, historically, has usually been an issue of whether a state continued to exist under its current rule or not, and sometimes whether a significant percentage of the current population continued to live or not; some wars resulted in all the adult males being killed or enslaved, or whole populations slaughtered.
Then there is the War on Drugs, the War on Poverty, and most recently, our War on Terror (among others). In these conflicts we don't actually have a nation-state as an enemy, but we do have some defined objective requiring concerted, forceful action. (Of course we also have silly, demeaning uses of the term, such as the inane "War on Christmas.")
This can all lead to a certain confusion of definitions and roles. Prior to 9/11/2001, terrorists on U.S. soil were criminals. Whether it was Timothy McVeigh, Ramzi Yousef, Eric Rudolph, Ali Abu Kamal, or the ELF, civilian law enforcement, civilian courts, and civilian prisons were the mechanisms involved. Since 9/11, we have a strong contingent claiming that terrorism is now solely a military matter, that military courts must be used, and civilian prisons are somehow insufficient (although supermax prisons have held worse mass murderers and gang members for years). Why? Because we are in a "war on terror." Further, administrative rules and laws were passed to classify a particular class of terrorists as belonging under military jurisdiction as enemy combatants, and heated political debate occurs around any aspect of how to deal with these individuals.
This essay is not an attempt to sort out all those issues: I'm going after something else, but I needed to illustrate these few points, first. Above, I noted that "war" is a somewhat fuzzy term, as are the definitions of who might wage it. Next, let's consider how we have been preparing to react to cyber incidents.
With the fuzziness about defining "war," and the shifting boundaries of whether it is something confronted by law enforcement or the military, it is not surprising that "cyber war" has not really been well-defined. What has happened over the last decade is that stories of potential "Cyber Pearl Harbors" have been presented to legislators, coupled with demonstrations of vulnerabilities, to justify a massive investment in the military cyber arena — but not so much our civilian law enforcement. It is simple to scare policy makers with tales that the country might be destroyed by evil hackers working for another country's military; cyber crime does not make for as compelling a picture. The result has been massive buildup in offensive military tools, intelligence support, and personnel training to support military missions.
But that buildup does little to help civilian companies under attack within U.S. borders by unknown parties. So, we now have civilian companies turning to DHS for help rather than the FBI or another law enforcement agency. But the responsibility of DHS is to secure the .gov systems, so they are now turning to the military (NSA) because they don't have the infrastructure or expertise they need for even that. We are thus well down a path to turn over the bulk of our law enforcement in cyber to the military, with the specter of terrorists and cyber war held out by those who benefit from this situation continuing to push us in that direction. Soon we will have so much infrastructure built up we will not be able to afford to go back. The Posse Comitatus Act of 1878 was intended to keep the military from becoming a national police force, but this will further erode what is left of that law. Many people reading this will say "So what?" because we're now safer against a cyberwar attack as a result of this buildup — aren't we?
But here comes the problem, and the main point of this essay. We have a history of our military and leaders preparing to fight the last war. They are preparing for an offense that is unlikely to come at us the way they have portrayed. They are building a Maginot Line for a frontal attack that any intelligent adversary will never attempt.
In fact, we're under attack NOW. And we're losing. We're losing billions of $$ worth of intellectual property per year to foreign intelligence services, foreign competitors, and criminals, and we have been for years. U.S. companies and taxpayers are effectively paying for the R&D that is supporting huge amounts of foreign development. And we are also seeing billions of $$ of value being bled from the economy in credit card fraud, bank fraud and other kinds of fraud, including counterfeit pharma and counterfeit electronics sales, with all that money going to buy houses, cars, and consumer goods for people in Eastern Europe, China, Russia, and so on — in non-US economies. (And not only victims in the U.S., but Canada, the UK and a number of other countries.) It is a war of economic attrition and it is one that the DOD is never going to be in a position to fight because it has no kinetic component, no uniformed foe, no base of operations, and no centralized command. Once again, we have been preparing for the last war, so we are losing the current one. Most of our leaders don't even seem to recognize that we are in one. If we fall, it will not be by the swift stroke of the sword, but by the death of a thousand cuts.
If we are to have any hope of surviving, we have to completely change the way we look at this situation. Every intrusion, theft, or fraud should be reported, investigated and prosecuted (when possible). It should be tallied and brought to public attention, at least in aggregate so we understand the magnitude of what is going on. Right now, too much is hushed up or written off because each incident is too small to follow up, but the combined weight is staggering; for years I've been calling it "being pecked to death by ducks" because no single duck is lethal, but millions are. By letting so many incidents go, we encourage more and fund the development of yet new crime. We need to refocus ourselves with a massive law enforcement effort, with a weighting towards local response, filtering up to Federal, not a Federal response directing local response. All those billions being dumped into the Federal contractors for cyber weapons should be directed to cyber law enforcement and investigation, to development of forensic tools, and to raising awareness at the local level. Your average business and consumer is going to be much more likely to install patches to protect against criminal behavior if encouraged by local authorities than told by someone in DC to install patches against some robotic threat from overseas. And we should adopt a get-tough policy at the diplomatic level to start demanding that countries that harbor criminals see some pushback from us; the new Federal international strategy on cyberspace is a good start on this.
I have described it to some people this way: our traditional DOD is structured to protect our borders and keep enemies from crossing those borders, or even getting near them. They are very, very good at that. In fact, they're so good, they may even stop an enemy from crossing their own borders to get here! However, the enemy we're engaged with is already here — is installed on millions of our computers and has thus subverted millions of citizens throughout the country without their knowing it....including some of the military. It is like the movie "The Puppet Masters." This can't be fought by the DOD — they aren't equipped to train their weapons inward. It requires an entirely different approach, but unfortunately, our leadership doesn't understand this, and the loudest voices right now are those of the lobbyists and members of the military who stand to benefit most in the short term by continuing the status quo, and by those who don't understand the magnitude of the situation.
Concomitant with this, within the next decade I fear that we will start seeing more of our best and brightest students from the US going to universities in India, China and other countries the way those countries' students have been coming to the US for years; I'm not the only one predicting this. Why? In the US we are shuttering university programs, decreasing funding, and shrinking campuses across the country, and politicians are vilifying K-12 teachers as if they are somehow part of the problem instead of being part of the cure. Meanwhile, in India, Russia, China, Korea, Taiwan and the Middle East they are opening major new universities and hiring away faculty from the US, Australia, the UK and elsewhere to staff their research labs, paying them extraordinary salaries and benefits and giving them access to modern resources. Major corporations have already located labs near those places because of cheap labor and are helping to subsidize the growth of the universities as are the national governments so as to obtain trained help. Our national policy of booting new PhDs & MS graduates who aren't citizens, and restricting so many high-tech jobs to US nationals only means that we train the world's best, then send them back to their own countries...to compete with us. The Rising Above the Gathering Storm and Rising Above the Gathering Storm, Revisited: Rapidly Approaching Category 5 reports nailed this, but were largely ignored by policymakers and certainly by the general public. Not only are we indirectly funding other countries' ascendency via their largely unhindered theft of our intellectual property and fraud, we are accelerating it by strangling our own intellectual capital and increasing theirs.
Everyone in IT and beyond should understand — fundamentally — that this is a new form of competition, of warfare (if we are to use that term). It is competition of the mind. It is information warfare in a much more fundamental sense than using information in support of kinetic weapons. It is employing information resources in a vast strategic way, across industries and generations to shape the future of nations. We do not have enough people who are able to think strategically, with that long a view and an understanding of the issues to see the threats, to see the trends, and to see the hard choices necessary to take a safer path. We, as a people, do not have the patience. Unfortunately, some of our enemies do.
What inspired the above, in part, is that this is Memorial Day Weekend. Many people will celebrate it as a holiday with picnics or trips, watch the Indy 500, and break out the summer clothes.
But Monday is a special day in the U.S. to remember the many men and women who sacrificed their lives in the service of the country, while serving in uniform. Whether in declared war or standing guard, whether grizzled veteran or new recruit, whether defending the bridge at Concord in 1775, or on patrol in Kandahar in 2011, those who did not return home deserve special thought from those who are here to enjoy this weekend. They had husbands, wives, children, siblings, parents and friends who treasured them. On Memorial Day, we should all treasure their memories as well.
And perhaps that is the one good thing about "Cyber War" — by nature, it is unlikely to add to the list of those we should remember on Memorial Day who are not here with us.
One of the best ways to honor their memory is to remain vigilant, and that is why I wrote the above.
As a researcher and educator, I regularly follow many newsletters, blogs and newsfeeds on a near daily basis. Some items I bookmark for my classes and research, but most I simply read, note, and discard. I read many dozen such items per day -- sometimes as many as 100 when there is a lot happening and I have a backlog.
After news of the Sony incident broke on April 20th, I saw items about how some people knew about vulnerabilities in parts of the Sony network, and servers running old versions of the Apache webservers. Those postings had material similar to what was published in Wired on April 28th. To the best of my memory, at least one of those postings mentioned that some of these vulnerabilities were exposed to Sony in a mailing list or blog prior to the compromise. It may be that the reference was to the PSN webserver vulnerabilities, it may have been about the earlier flaw with the PS3 connecting to the PSN, or it may have been some other vulnerabilities...but I am pretty certain it was about the webservers. There was no discussion about how the breach occurred or whether the old software played a part in those breaches.
After reading these stories, I moved on to other issues. I was not a customer of Sony or the Playstation Network (PSN), and they have never had a relationship with our research group, so I had no reason to pay close attention to the story. Furthermore, we were approaching the end of the semester, I was teaching a graduate class and also preparing for two trips to workshops. Thus, I had several other things to occupy my time and attention, and this story was definitely not one of them.
On May 1st, in my capacity as chair of USACM, I received an invitation to appear at a House subcommittee meeting on the morning of May 4 on the issue of data breaches and privacy. This is a topic that has been one of USACM's main thrust areas, and is in my main areas of interest, so even though it was extremely short notice, I said yes. I spent the next 48 hours frantically trying to rearrange my teaching and administrative schedule at the university while also producing a formal written testimony to deliver to Congressional offices by a Tuesday noon deadline. This occurred, but with very little sleep over that two day period. Tuesday afternoon I had to drive to Indianapolis to fly to Washington for the Wednesday morning hearing.
Wednesday morning at 9:30am, the House Subcommittee on Commerce, Manufacturing and Trade of the House Energy and Commerce Committee held its hearing on “The Threat Of Data Theft To American Consumers.” I was the 4th witness in the panel (our written statements are available online). Three days of little sleep and too much coffee, plus the TV lights, combined to give me quite a headache, but that may not be evident if you watch the C-SPAN recording of the hearing.
In my written testimony I indicated that "...some news reports indicate that Sony was running software that was badly out of date, and had been warned about that risk." During questioning, I stated that I had read this on security lists that I normally read.
The fun begins
My comment that I had seen accounts about the server software being out of date and no firewalls was reported accurately by a few media outlets. However, a few others widely misquoted me as stating, authoritatively, that Sony was running outdated, unpatched software and implied that this was somehow the cause of the breach. Other news sources, blogs, and aggregators then picked up this version of the story and repeated it as their own, often with some other embellishment.
In only a few cases did a responsible journalist contact me to fact-check the story and determine what I had actually said, and what I actually knew.
I tried to correct one or two of the incorrect reports, but most occurred in places where there was no contact address for corrections, and they soon were spreading faster than I could possibly respond. I gave up.
Soon after the stories started circulating, I received email from Eugene Alvarado (he has given me permission to name him), who indicated that in early February he reported to Sony that there was widespread hacking of the network going on that was interfering with use of the network. He never got a response. So, at least one other person observed problems and reported them to Sony in advance of the breach in April. If the problem was significant, there may well have been others.
More recently, at least one "commentator" who "thinks" he is "clever" because he can put quotes around words like "security expert" to imply something meaningful about my expertise has posted a critique pointing out that some of Sony's servers were, in fact, up-to-date. However, at least one follow-up by someone else observes that other Sony servers (with interesting names such as "Login" and "Auth") were running software dated 2008. Thus, it may well be the case that some of the systems were current and some not. As we well know, it only takes one system out of rev or with a missing patch to serve as an entry point to a whole network.
To this day, I have never heard from nor spoken with anyone at Sony. I have never bothered to probe or investigate their systems, because frankly, I don't care. Those issues are for others to determine and settle. What I think were the bigger issues to the story at the hearing were about having standard breach notifications and the 24 USACM privacy principles that were in my testimony. There are hundreds of other breaches occurring every year in the U.S. resulting in fraud, identity theft, and other crimes. Those are smaller than this incident with the PSN, but the victims are no less damaged. We need for the FTC and law enforcement to have more resources to help fight these problems, and we could definitely use some appropriate Federal legislation on minimum privacy protections and breach notifications. Read the 4 written testimonies from the hearing to get a sense of what is involved.
As to the spurious story, I tried to be clear in my testimony (written and oral) that I was simply repeating what I had read in some online newsgroups. I am really quite appalled at the number of places that have twisted that into a claim that Sony was somehow, definitely, running substandard software or systems. It is possible they were, but it is also possible they were running very well-maintained systems that fell prey to a clever attacker. That has happened to other high profile victims.
I certainly bear the good folks at Sony no ill will, and I hope they resolve the situation with the Playstation Network soon.
In the meantime, perhaps this can serve as an object lesson about dealing with the media and bloggers — some of them want a sensational story, whether the facts support it or not, and you had better not get in the way!
A recent article contains information indicating there was obvious evidence in Sony's logs of scanning activity starting March 3rd that should have been noticed.
Another recent article provides more information about the scanning activity preceding the breach, and suggests that it occurred from more than one source.
Here is a very nice timeline and summary of Sony security incidents that seem to keep on coming.