DHS and deterrence: "complacency is being replaced by consequences."
US Secretary of Homeland Security (DHS) Kirstjen Nielsen addressed the RSA Conference and flashed some steel on behalf of the Administration. She called for international norms that might govern conduct in cyberspace and ameliorate the damage that full-scale warfare in that domain might bring about. Such norms remain to be developed. International cyber accords lag related areas of international law like the law of armed conflict and the law of the sea.
Most of her presentation focused on DHS and its mission to protect critical infrastructure. She called for increased cooperation among companies and Government agencies to meet the challenges of both cyber crime and international cyber conflict (Security Now).
Her talk, however, was by no means entirely diplomatic or even defensive. She warned foreign bad actors (and it was clear from context and current events that Russia is the bad actor principally on the US Government's mind) that they shouldn't believe they can strike at the US and its allies with impunity in cyberspace. "The United States possesses a full spectrum of response options—both seen and unseen—and we will use them to call out malign behavior, punish it, and deter future cyber hostility," she said (Department of Homeland Security).
Thus her presentation put down a clear marker: the US reserved the right to conduct offensive cyber operations in response to cyber attacks (CNET). These would be considered alongside other options: sanctions, prosecution, naming-and-shaming, and in certain circumstances kinetic operations.
It's worth noting that the US is neither alone nor first in putting down this marker. Sorely provoked by the Salisbury nerve agent attacks and evidence of battlespace preparation in its power grid, Britain had already warned Russia directly that Britain reserves the right to retaliate with cyberattacks (Geo TV).
Private-sector norms of cyber conflict.
Microsoft's President Brad Smith announced an industry undertaking to refuse to conduct offensive cyber operations on behalf of any government. Thirty-four companies have signed the Cybersecurity Tech Accord. The companies' concern is commendably peaceable, but one notes that the signatories are unlikely to have offensive cyber capabilities as part of their offerings. Some of the companies on board with Redmond are Facebook, Cisco, Avast, Nokia, Dell, RSA, FireEye, LinkedIn, Symantec, and Juniper Networks.
The companies who signed committed themselves to four undertakings:
"Stronger defense. The companies will mount a stronger defense against cyberattacks. As part of this, recognizing that everyone deserves protection, the companies pledged to protect all customers globally regardless of the motivation for attacks online.
"No offense. The companies will not help governments launch cyberattacks against innocent citizens and enterprises, and will protect against tampering or exploitation of their products and services through every stage of technology development, design and distribution.
"Capacity building. The companies will do more to empower developers and the people and businesses that use their technology, helping them improve their capacity for protecting themselves. This may include joint work on new security practices and new features the companies can deploy in their individual products and services.
"Collective action. The companies will build on existing relationships and together establish new formal and informal partnerships with industry, civil society and security researchers to improve technical collaboration, coordinate vulnerability disclosures, share threats and minimize the potential for malicious code to be introduced into cyberspace."
Marketing ploy or serious call for restraint?
Microsoft has long pushed for adoption of a "cyber Geneva Convention." The Accord represents a private sector move in that direction (Search Security). The "No offense" clause is interesting in that it actually does seem to approach a Geneva Conventions-like determination to establish protected classes of noncombatants who would be placed outside the set of legitimate targets. It's noteworthy that the signatories promise not to assist cyberattacks "against innocent civilians and enterprises." Many have read the accord as approaching a kind of pacifism (E&E News), but it does seem to leave the door open to assisting with cyberattacks against legitimate military targets. (Fancy Bear, are your patches up-to-date? Energetic Bear? Lazarus Group?)
Microsoft didn't immediately respond to questions about how the accord would affect its business. Nor did it respond to obvious questions like, has Microsoft engaged in supporting state-directed offensive operations in the past (Reuters)?
Not everyone agrees this is a fully thought-through idea (CRN). Some observers think that concepts like "offense" and "innocent civilians and enterprises" require further clarification. And some suggest it's as much a marketing move as a principled stand (SecurityWeek). That may be unfair to the signatories. Marketing or not, the accord isn't obviously any emptier than the Geneva Conventions themselves have been. We'll watch with interest.
The signatories are all from North America, Western Europe, and the parts of East Asia aligned with the West. There are no Russian, Chinese, Iranian, or North Korean firms on board. Conspicuously absent as well from the thirty-four parties were Google, Apple, and Amazon, who didn't immediately comment on why they weren't involved (Guardian).
Reflections on cyber warfare: a domain, but not an isolated one.
Recorded Future organized an interesting off-site, after-hours panel on cyber conflict. Three well-informed panelists, Matt Tait, Robert M. Lee, and Juan Andrés Guerrero-Saade, discussed cyber warfare in a session moderated by Recorded Future CEO Christopher Ahlberg. The panel agreed that cyber warfare was undoubtedly real, but also thought it made little sense to talk in terms of a "cyberwar" as a mode of conflict that could be confined and contained within that single, fifth operational domain. This doesn't reflect reality any more than "space war" or "sea war" do. Instead, nations use cyberattack tools in the course of larger conflicts.
We are, the panel thought, effectively in a state of continuing cyber conflict, which is to say, simply in a state of continuing conflict. This is a sharper version of Clausewitz's famous dictum that war is the continuation of policy by other means. Consider, panelist Lee said, speaking more-or-less hypothetically, a hellfire strike against an ISIS cyber operator in the Levant. That sort of (clearly kinetic, and lethal) action might itself be understood in the context of cyber warfare: ISIS operators could not be placed on notice more forcefully that their activities, even if conducted from a keyboard, makes them combatants. This observation clearly has implications for considerations of cyber deterrence.
The panel's other considerations included thoughts on recognized false-flag operations (Russia's Olympic Destroyer that presented itself as a DPRK operation was the first such false flag recognized and unmasked), on officialdom's unrealistic squeamishness about attribution (Russia's two attacks on Ukraine's power grid were not only obvious, but were intended by the Russians to be seen and interpreted as their work), and a need for clarity when drawing red lines (if NATO intends to invoke Article 5 in response to a cyberattack, the Alliance might in the interest of deterrence say where an attack would rise to the level of an act of war). And there was much skepticism expressed concerning the effect of US indictments of foreign individuals carrying out attacks on behalf of their governments.
Cyber tensions between Russia and the West remain high.
Strikes against Syrian chemical weapons facilities last weekend have influenced Western countries' calculations of the likelihood of Russian cyber retaliation (Evening Standard). The coordinated strikes, carried out by US, British, and French forces operating in the region, were an attempt to cripple the Syrian government's chemical warfare capabilities and punish the regime for its recent use of them against Syrian civilians in the city of Douma. The strikes were also a warning to Russia, which is the Assad regime's principal international prop.
The first Russian responses to the strikes have been information operations, both online and published sympathetic media outlets following government lines in Syria, Russia, and Iran. The US Department of Defense Saturday reported a large increase in Russian trolling, quoting a figure of 2000% (USA Today). This should probably be read as "a big increase in information operations" dressed up in some snazzy but informal quantification ("2000% compared to what?" as Sputnik asked).
Other Russian information operations involve allegations, which Moscow intends to bring up to the United Nations, that apparent victims of a Sarin nerve agent in Syria were bribed to falsely report the attack (Times).
British authorities have warned that a Russian attack on that country's critical infrastructure could prompt cyber retaliation. It's likely, however, that Russian reprisals for strikes in Syria will at least initially take a different form. Prime Minister May has been briefed on the likelihood that leading British public figures, including members of the Cabinet and other Members of Parliament, will be attacked through release of scurrilous material, "kompromat" (Times).
Germany's Foreign Minister this weekend reiterated his government's attribution of cyberattacks on German networks to Russia (Reuters).
The US, UK, Australia, and New Zealand have all warned that they're seeing what can be construed as Russian battlespace preparation against infrastructure (Fortune, West Australian, Secure Brief). US-CERT's second warning, issued early this week, is longer and more explicit than the first one it released. The "staging" consists (at least in part) of exploitation of vulnerabilities in the Smart Install tool found in widely used Cisco routers. The FBI's preliminary assessment of the risk focuses on the likelihood of espionage as the initial stage of any Russian operation, with the possibility of other offensive operations to follow (Bloomberg). Cisco's Talos research unit estimates that some 168,000 systems could be affected.
Gold Galleon afflicts the maritime sector.
Secureworks has described a Nigerian criminal operation, "Gold Galleon," that concentrates on stealing from maritime shipping firms and their customers. Their customary approach is business email compromise, a well-known form of social engineering in which a criminal impersonating an executive sends an email to an employee directing them to transfer funds to the criminal's account (SecurityWeek). (No mentions of princes, their widows, or any such phishbait Nigerian gangs are known for.)
Google Play ejects a RAT.
Researchers at Lookout have found a remote access Trojan, mAPT ViperRAT, circulating in Google Play. Google has ejected afflicted apps from the store (Lookout).
The difficulty of recovering from ransomware.
The US city of Atlanta continues its slow recovery from a crippling attack that hit municipal systems with SamSam ransomware on March 22nd. Police files in particular are proving difficult to recover. Direct costs of remediation are said to have amounted to $2.7 million (AL.com). Some observers have pointed out that the ransom is believed to have amounted to only $51 thousand, but that's still not a good reason to pay the extortionists. There's no particular reason, any more, to think the criminals are likely to make good on their promise to restore your files, and there's also the general principle that one should avoid encouraging crooks.
RSA's Innovation Sandbox, 2018 edition.
The annual Innovation Sandbox at the RSA Conference has for a number of years identified impressive rising talent among cybersecurity startups. This year's ten finalists didn't disappoint. They included: Alcavio (deception technology), Awake (security investigation platform that scales high-level expertise), BigID (advanced personal data discovery), BlueVector (machine learning and speculative code execution engines), cyberGRX (third-party cyber risk management), Fortanix (self-defending key management service), Hysolate (user freedom within air-gap security), ReFirm Labs (enterprise IoT firmware verification and validation), ShieldX (multi-cloud security platform), and StackRox (security for containerized and cloud-native applications).
Two finalists were selected from the field. One was Fortanix, whose runtime encryption protects data in use, and thus offers cloud users a trusted enclave. Applications run inside a secure envelope that travels with the app wherever it moves. The other finalist was BigID, which offers a solution to a range of privacy challenges by identifying personal data, correlating it with persons, and placing those data in context.
The judges finally selected BigID as the winner. The topicality of the challenges the company addresses, and those challenges' attendant market needs, carried the day. Privacy rights are in the forefront of most enterprises' concerns, especially with full implementation of the European Union's General Data Protection Regulation (GDPR) just a month away. As BigID pointed out in their presentation, rights adhere to persons, and if you can't associate the data with the people, you can't really protect their rights to those data.
It's worth bearing in mind that simply making it to the Sandbox is a significant accomplishment. All ten companies will bear watching over the next few years.
Patching notes.
Cisco has patched a vulnerability (CVE-2018-0112) in its WebEx videoconferencing software. The bug is a serious one, but it appears to have been caught and fixed before it could be exploited in the wild (Help Net Security).
Oracle released it quarterly set of patches this week, addressing some two-hundred-fifty-four issues (Security Boulevard).
Chrome 66 is out, released into the stable channel. The upgrade is described as focusing on improved security (Bleeping Computer).
Industry news.
ZTE and Huawei have both been hit hard by US sanctions, and the two Chinese companies face a basilisk's glare from most of the other Five Eyes (Nikkei Asian Review). The US has sanctioned ZTE for circumventing sanctions, particularly those in place against North Korean, Sudan, Cuba, and Iran. The company has protested that it's being unfairly singled out, but the US seems unlikely to soften its stance. Consumer advocates show why this is going to be particularly tough on ZTE: they're advising people against buying the companies devices until it becomes clear that ZTE will be able to provide updates (Reuters). Huawei for its part seems to have decided to exit the US market altogether, where concerns about security have effectively blocked its products. The company hopes to make good the loss of the US by doubling down on Europe (Android Central).
Polaris Alpha continues to build its cyber capabilities through acquisition, picking up Fourth Dimension Engineering (Jane's 360). Terms (indeed specifics) weren't immediately available.
Polyverse, specialist in Linux security products, has raised an additional $7 million in venture funding (GeekWire).
Carbon Black's coming IPO gets some early attention from financial analysts and investors (Seeking Alpha). Onapsis is another privately held company looking towards a possible IPO in the next three to four years. Along the way the ERP security shop has picked up a $31 million funding round led by LLR Partners (BostInno).
DCInno has a list of the ten best funded cybersecurity companies in DC, Maryland, and Northern Virginia. They are Tenable ($300 million and considering an IPO with its well-known monitoring solutions), IoT security firm Alarm.com ($163 million), Cyren (now listed on the Nasdaq, but with venture investments DCInno reckons at $124.2 million), LookingGlass Cyber ($108.7 million, known for its ScoutVision product), Endgame (endpoint security specialists who've attracted $92.6 million), Lockheed Martin spinout and Office of Naval Research SBIR success story Savi Technologies ($82.5 million; they're known for their RF ID work), polymorphic malware killer AppGuard ($80 million), Sonatype (automated policy-driven component security, $74.7 million), cloud operations and security shop Fugue ($73.7 million), and Mandiant ($70 million before its exit through acquisition by FireEye).