Threats of Cyber Attacks Against Russia: Rationale on Discussing Operations and the Precedent Set

November 6, 2016

Reports that the U.S. government has military hackers ready to carry out attacks on Russian critical infrastructure have elicited a wide range of responses on social media. After I tweeted the NBC article a number of people responded with how stupid the U.S. was for releasing this information, or what poor OPSEC it was to discuss these operations, and even how this constitutes an act of war. I want to use this blog to put forth some thoughts of mine on those specific claims. However, I want to note in advance this is entirely my opinion. I wouldn’t consider this quality analysis or even insightful commentary but instead just my thoughts on the matter that I felt compelled to share since I work in critical infrastructure cyber security and was at one point a “military hacker.”

The Claim

The claim stems from an NBC article and notes that a senior U.S. intelligence official shared top-secret documents with NBC News. These top-secret documents apparently indicated that the U.S. has “penetrated Russia’s electric grid, telecommunications networks and the Kremlin’s command systems, making them vulnerable to attack by secret American cyber weapons should the U.S. deem it necessary.” I’m going to make the assumption that this was a controlled leak given the way that it was presented. Additionally, I make this assumption because of the senior officials that were interviewed for the wider story including former NATO commander (ret) ADM James G. Stavridis and former CYBERCOM Judge Advocate (ret) COL Gary Brown who likely would not have touched a true “leak” driven story without some sort of blessing to do so. I.e. before anyone adds that this is some sort of mistake this was very likely authorized by the President at the request of senior officials or advisers such as the Director of National Intelligence or the National Security Council. The President is the highest authority for deeming material classified or not and if he decided to release this information it’s an authorized leak. Going off of this assumption let’s consider three claims that I’ve seen recently.

The U.S. is Stupid for Releasing This Information

It is very difficult to know the rationale behind actions we observe. This is especially true in cyber intrusions and attacks. If an adversary happens to deny access to a server, did they intend to or was it accidentally brought down while performing other actions? Did the adversary intend to leave behind references to file paths and identifying information or was it a mistake? These debates around intent and observations are a challenge for many analysts that must be carefully overcome. In this case it is no different.

Given the assumption that this is a controlled leak it was obviously done with the intention of one or more outcomes. In other words, the U.S. government wanted the information out and their rationale is likely as varied as the members involved. While discussing a “government” it’s important to remember that the decision was ultimately in the hands of individuals, likely two dozen at the most. Their recommendations, biases, views on the world, insight, experience, etc. all contribute to what they expect the output of this leak to manifest as. This makes it even more difficult to assess why a government would do something since it’s more important to know the key members in the Administration, the military, and the Intelligence Community and their motivations rather than the historical understanding of government operations and similar decisions. Considering the decision was likely not ‘stupid’ and more for some intended purpose let’s explore what two of those purposes might be:

Deterrence

I’m usually not the biggest fan of deterrence in the digital domain as it has since not been very effective and the qualities to have a proper deterrent (credible threat and an understood threshold) are often lacking. Various governments lament about red lines and actions they might do if those red lines are crossed but what exactly those red lines are and what the response action will be if they are crossed is usually never explored. Here however, the U.S. government has stated a credible threat: the disruption of critical infrastructure in Russia (the U.S. has shown before that they are capable of doing this). They have combined this with a clear threshold of what they do not want their potential adversary to do: do not disrupt the elections. For these reasons my normal skepticism around deterrence is lessened. However, in my own personal opinion this is potentially a side effect and not the primary purpose especially given the form of communication that was chosen.

Voter Confidence

Relations between Russia and the U.S. this election have been tense. Posturing and messaging between the two states has taken a variety of forms both direct and indirect. This release to NBC though is interesting as it would be indirect messaging if positioned to the Russian government but it would be direct messaging if intended for the U.S. voters. My personal opinion (read: speculation) is that it is much more intended for the voters. At one point in the article NBC notes that Administration officials revealed to them that they delivered a “back channel warning to Russia against any attempt to influence next week’s vote”. There’s no reason to reiterate a back channel message in a public article unless the intended audience (in this case the voters) weren’t aware of the back channel warning. The article reads as an effort by the Administration to tell the voters: “don’t worry and go vote, we’ve warned them that any effort to disrupt the elections will be met with tangible attacks instead of strongly worded letters.”

It’s really interesting that this type of messaging to the American public is needed. Cyber security has never been such a mainstream topic before especially not during an election. This may seem odd to those in the information security community who live with these discussions on a day to day basis anyway. But coverage of cyber security has never before been mainstream media worthy for consistent periods of time. CNN, Fox, MSNBC, and the BBC have all been discussing cyber security throughout the recent election season ranging from the DNC hacks to Hillary’s emails. That coverage has gotten fairly dark though with CNN, NBC, Newsweek, and New York Times articles like this one and prime time segments telling voters that the election could be manipulated by Russian spies.

This CNN piece directly calls out the Kremlin for potentially manipulating the elections in a way that combines it with Trump’s claims that the election is rigged. This is a powerful combination. There is a significant portion of Trump’s supporters who will believe his claim of a rigged election and in conjunction with the belief that Russia is messing with the election it’s easy to see how a voter could become disillusioned with the election. Neither the Democrats nor Republicans want fewer voters to turn out and (almost) all of those on both sides want the peaceful transition of power after the election as has always occurred before. Strong messaging from the Administration and others into mainstream news media is important to restore confidence to voters both in the election itself as well as the manner to which people vote.

Unfortunately, it seems that this desire is being accidentally countered by some in the security community. In very odd timing, Cylance decided to release a press release on vulnerabilities in voting machines on the same day, unbeknownst to them, as the NBC article. The press release stated that the intent of the release was to encourage mitigation of the vulnerabilities but with 4 days until the election, as of the article’s release, that simply will not be possible. The move is likely very well intended but unlikely to give voters much confidence in the manner to which they vote. I’ll avoid a tangent here but it’s worth mentioning the impact security companies can play on larger political discussions.

The Leak is Bad OPSEC

I will not spend as much time on this claim as I did the previous but it is worth noting the reaction that releasing this type of information is bad operational security. Operational security is often very important to ensure that government operations can be coordinated effectively without the adversary having the advance warning required to defend against the operation. However, in this case the intention of the leak is likely much more around deterrence or voter confidence and therefore the operation itself is not the point. Keeping the operation secret would not have helped either potential goal. More importantly, compromising information systems is not something that has ever been seen as insurmountably difficult. For the U.S. government to reveal that it has compromised Russian systems does not magically make them more secure now. Russian defense personnel do not have anything more to go off of than before in terms of searching for the compromise, they likely already assumed they were compromised, and looking for a threat and cleaning it up across multiple critical infrastructure industries and networks would take more than 4 days even if they had robust technical indicators of compromise and insight (which the leak did not give them). The interesting part of the disclosure is not the OPSEC but in the precedent it sets which I’ll discuss in the next section.

The Compromises are an Act of War

Acts of war are governed under United Nations’ Article 2(4) where it discusses armed conflict. The unofficial rules regarding war in cyberspace are contained in the Tallinn Manual. In neither of these documents is the positioning of capabilities to do future damage considered an act of war. More importantly, in the NBC article it notes that the “cyber weapons” have not been deployed yet: “The cyber weapons would only be deployed in the unlikely event the U.S. was attacked in a significant way, officials say.” Therefore, what is being discussed is cyber operations that have gained access to Russian critical infrastructure networks but not positioned “weapons” to do damage yet. Intrusions into networks have never been seen as an act of war by any of the countries involved in such operations. So what’s interesting about this?  The claim by officials that the U.S. had compromised Russian critical infrastructure networks including the electric grid years ago.

For years U.S. intelligence officials have positioned that Russian, Chinese, Iranian, and at times North Korean government operators have been “probing” U.S. critical infrastructure such as the power grid. The pre-positioning of malware in the power grid has long been rumored and has been a key concern of senior officials. The acknowledgment in a possibly intended leak that the U.S. has been doing the same for years now is significant. It should come as no surprise to anyone in the information security community but as messaging from senior officials it does set a precedent internationally (albeit small given that this is a leak and not a direct statement from the government). Now, if capabilities or intrusions were found in the power grid by the U.S. government in a way that was made public the offending countries could claim they were only doing the same as the U.S. government. In my personal experience, there is credibility to claims that other countries have been compromising the power grid for years so I would argue against the “U.S. started it” claim that is sure to follow.  The assumption is that governments try to compromise the power grid ahead of time so that when needed they can damage it for military or political purposes. But the specific compromises that have occurred have not been communicated publicly by senior officials nor have they been done with attribution towards Russia or China. The only time a similar specific case was discussed with attribution was against Iran for compromising a small dam in New York and the action was heavily criticized by officials and met with a Department of Justice indictment.  Senior officials’ acknowledgment of U.S. cyber operations compromising foreign power grids for the purpose of carrying out attacks if needed is unique and a message likely heard loudly even if later denied. 
It would be difficult to state that the leak will embolden adversaries to do this type of activity if they weren’t already but it does in some ways make the operations more legitimate. Claiming responsibility for such compromises while indicting countries for doing the same definitely makes the U.S. look hypocritical regardless of how it’s rationalized.

Parting Thoughts

My overall thought is that this information was a controlled leak designed to help voters feel more confident in terms of both going to cast their ballots and in the overall outcome. Some level of deterrence was likely a side effect that the Administration sought. But no, this was not simply a stupid move nor was it bad OPSEC or an act of war. I also doubt it is simply a bluff. However, there is some precedent set and pre-positioning access to critical infrastructures around the world just became a little more legitimate.

One thing that struck me as new in the article though was the claim that the U.S. military used cyber attacks to turn out the lights temporarily in Baghdad during the 2003 Iraq invasion. When considering the officials interviewed for the story and the nature of the (again, possibly) controlled leak that is a new claim from senior government officials. There was an old rumor that Bush had that option on the table when invading Iraq but the rumor was the attack was cancelled for fear of the collateral damage of taking down a power grid. One can never be sure how long “temporary” might be when damaging such infrastructure. The claim in the article that the attack actually went forward would make that the first cyber attack on a power grid that led to outages – not the Ukrainian attack of 2015 (claims of a Brazilian outage years earlier were never proven and seem false from available information). However, the claim is counter to reports at the time that power outages did not occur during the initial hours of the invasion. Power outages were reported in Iraq but after the ending of active combat operations and looters were blamed. If a cyber attack in Iraq ever made sense militarily it would not have made as much sense after the initial invasion.

I’ve emailed the reporter of the story asking what the source of that claim was and I will update the blog if I get an answer. It is possible the officials stated this to the reporters but misspoke. In my time in the government it was not a rare event for senior officials to confuse details of operations or hear myths outside of the workplace and assume them to be true. Hopefully, I can find out more as that is a historically significant claim. Based on what is known currently I am skeptical that outages following the initial Iraq invasion in 2003 were due to a cyber attack.

Reflecting on the Leadership I Saw in the Air Force

August 1, 2015

Today is the first day in my adult life as a civilian. I loved the people in the Air Force but there were numerous reasons it was time for me to leave. I will continue to work with my peers in the AF to write and try to influence positive change but I will keep my reasons for leaving to myself. It seems to be particularly common nowadays to complain publicly on the way out – maybe as a way to hope for change but also to cope with leaving. It’s common enough that the DuffelBlog (a joke news site) posted a mock opinion piece by the “greatest officer ever” leaving the military. I personally far more enjoyed the mock reply from the “Joint Chiefs” to that article. This is not to say that those in uniform do not deserve to publicly ask for change – those public statements can be a highly debated thing to do but serve as a catalyst for discussion that is, in my experience, vastly positive. It is the right of the service member to do as long as it’s from a place of hope and not cynicism or done while exiting. I took that luxury multiple times while in the Air Force.

Instead of talking about the negatives though I want to use this blog to talk about the positives: the leadership I saw in the Air Force. I often get asked what went right for me. People see my skills or accolades and wonder what the Air Force did for me or what occurred to make me more successful than I was when I entered. I would argue that the Air Force itself didn’t do anything. As one of my commanders once told me “Big Air Force doesn’t know who you are, but your squadron does, and we always take care of our own.” What helped me was passion and working hard – but it was the leadership within the Air Force that enabled and empowered that far more than I could have achieved on my own. There were many leaders I met in my career. Civilians, contractors, other services, allied countries’ members, and chiefly my enlisted troops. But a few leaders stuck out the most to me and had the most influence on me. I have extracted a few lessons below about the leaders I met and the personal stories about my journey to accompany the lessons. What they did for me through their leadership was develop who I am today. Hopefully, this will serve as a good piece to other leaders looking to inspire and lead in the Air Force cyber community.

Lesson 1: Tailor Rewards to Your Troops

There is a dangerous myth in the community today that more money is what is needed to encourage retention in the Air Force cyber community. The troops did not sign up for the paycheck. What people signed up for is contributing to an exciting and fulfilling mission. In the Air Force cyber community many of the young troops want personal growth and to learn new skills that they can apply. When they are not grown or allowed to flex their talents though stagnation occurs and they will eventually leave. Sometimes leaders try to reward their folks with things such as Quarterly or Annual awards. For many though those awards, while nice, are not true rewards.

While serving in the intelligence community I had an Air Force commander who understood this – and understood me. While he and his commanders rewarded me with awards and stratifications he understood me and that these things, while good for my career, were not what interested me. What interested me was leading troops and personal growth. My mother and father are retired Senior Master Sergeants (the second highest enlisted rank). I admire them. I grew up around enlisted and my dreams of being an officer were largely based around being able to serve the enlisted as a leader. But I also really enjoyed intel and cyber and wanted to remain technical. So what my commander did was tailor the rewards he wanted to give me for good work to who I was and to continually use those to grow me. He made me a Flight Commander ahead of when I normally should have been one which gave me troops to directly lead. He understood though that I wanted to remain technical so he allowed me to keep the role of an analyst and to take the position of a technical lead in the agency we supported. He understood me. He didn’t shy away from “over-tasking” me because he understood the duality of my jobs balanced my duties. And he knew he could leverage what I valued to reward me and keep me in line. And I would have served with him anywhere for it.

Lesson 2: Truly Lead by Example

We often hear the phrase “lead by example.” Sometimes folks believe that means running fastest in physical training. Or having a really sharp looking uniform. And while those things help it meant more to me when I saw my commanders lead by doing the mission better than I thought was possible given their responsibilities as commanders. My squadron commander in my intelligence squadron and the two group commanders I had led by example. My commanders were experts in their fields even while doing diverse intelligence work and sticking to the Air Force’s passion for “more with less” (i.e. under resourced but more missions). My squadron commander as an example made sure that instead of just letting his Flight Commanders do technical missions while also being AF leaders he would do the same. The responsibilities and time commitments of a commander are far more than 8 hours a day even without doing the mission. But this AF leader led the squadron and picked up a position to take part in the mission directly. He spoke multiple languages, knew the ins and outs of every operation, and challenged all of his subordinates as we tried to keep up with him.

As a small example, I one time had to analyze a threat to critical systems that drew the attention of senior Air Force leaders. The only tangible thing I had was a packet capture that I analyzed in Wireshark. My squadron commander wanted to make sure he knew what was going on so that he could support me as I had to brief the senior leaders on this threat and why it was such a big deal. He took an interest and asked about Wireshark. I jokingly told my squadron commander, who was an intelligence officer and never had done anything ‘cyber’, that if he wanted to learn he could start with Laura Chappell’s Wireshark Network Analysis – an 800 page book. So he did. He went home and over a week read the entire book, downloaded samples and analyzed them, and by the time I had to brief the senior leaders again had come to the exact conclusion I had about the threat. I was shocked. He led by example.

The stories are too many to recount here. My group commanders were the same. Both of them were experts in their fields and leveraged that to directly support the mission instead of “just” being a group commander. They knew everything that was going on, did all the normal morale work, the normal paperwork drills and exercises, and still found time to stay technical and further themselves. One of my group commanders as an example continually published articles challenging Air Force mindsets on weapon systems and tactics. This was right when I was aspiring to become an academic and he kept challenging me in this right. Any time I published an article or had some accolade that would have expanded my ego – he had already done it or was doing it again. He kept me in check. I could have become a pompous young officer – he made sure I was guided in my growth and forced humility on me. Through example and not words he reminded me that I was better than no one but was simply contributing to the work so many others were also doing. It was leadership by example when I needed it most.

Lesson 3: Top Cover Actually Means Something

Top cover in the military means that if senior leaders get angry or want to punish one of your subordinates – you cover them. You take the heat. I don’t know how many times I have heard AF officers claim to provide this but I found it rare that many truly meant it. My commanders did though and my group commander embraced it. At the time I had just written my “Failure of Air Force Cyber” article that quickly caught the attention of junior and senior ranks around the Air Force. Enlisted and junior officers emailed me daily with support and thanking me for the article – but daily I also received threats from senior officers. I don’t know how many times I was threatened with Article 15s or career lasting impacts from folks I had never heard of before. When my squadron commander found out he tried to ensure that everyone that wanted to threaten me came through him first. My group commander and he started fielding those emails and phone calls. That is an uncomfortable position when the person upset is a three star general.

I remember vividly my group commander pulling me into his office over the article and some of the other pieces I had written. I thought I was dead. Instead of yelling at me or counseling me he mentored me. He showed his support of what I had written and echoed his own experiences writing unpopular but needed articles. He related to me. He gave me guidance on how to come off “less blunt” and how to try to more appropriately get my points across. He then also made sure that I knew there were senior leaders out there that supported what I had said. He printed off an email from a senior AF leader and handed it to me to read – it was the general offering support to me and what I had written. The letter encouraged me not to let the “REMFs” (an acronym that I learned then and love to this day) get me down and to keep pushing forward. I know it was my group commander that prompted that letter from the general and more importantly he didn’t just forward me the email. You see, he not only provided top cover for me and support when I needed it the most – but he protected the senior leader as well. By handing me a printed copy of the email and then taking it back he ensured that I wasn’t going to be overexcited and start forwarding around the email that was definitely meant to be private. It was an extremely classy move by someone who truly understood what top cover meant.

Lesson 4: Leadership Requires Risk

I was truly lucky with the leaders I had while I was in the intelligence community. My commanders up to the highest level all were on the same page and pushed the mission forward together. It showed in the morale of the organization. I did not have favorites amongst my commanders – they were all who I needed them to be at the right time. But the one who changed my life the most and served as my closest mentor was my first group commander. His motto to the group and his squadrons was to take risks. He encouraged people to make mistakes. This is exactly when the AF culture was discouraging that very attitude. Taking risks in the Air Force could quickly lead to officers being forced to leave. There was a zero tolerance type atmosphere even in innovation towards the mission. He built a culture opposite of that.

When I arrived at my first squadron I did not fit in. I was this young “cyber officer” and “cyber” had just become a thing in the Air Force – previously it was all “comm” and “communications officers.” While I valued the mission, the captain who was my boss let me know that he both hated me because I was a “cyber” officer and because I had gone to the Air Force Academy. I had heard there were some rivalries in the Air Force depending on where you received your commission – but I thought that it was far too petty to be realistic. He attempted to make my life hell and it was only through the leadership of amazing enlisted members that I found it worthwhile to come in to work each morning. I sought outside fulfillment and had begun publishing papers and giving presentations at conferences about “cyber” since I couldn’t mutter the word at work. This caught the attention of my group commander.

My group commander called me into his office and talked with me about my papers and presentations. To my surprise he had not only read everything I had written but had his own experiences and thoughts to contribute. It was quickly evident that while I was calling this thing “cyber” he had been doing it for years as “intel” in its various forms. He confided in me stories and experiences that made me understand more about the history of where we had been as a community and where we were going. But he also believed in taking risks. He began heavily investing in our intelligence community partners’ missions and efforts. He used Air Force troops to bolster the joint fight and worked heavily with his Army and civilian peers to ensure that we were doing our best to serve the American people – not our own efforts. For context, it is unheard of for leaders to give up people. You often hear in the Air Force how people protect their “rice bowls” to mean funding and personnel. Both are hard to come by. This group commander would give up both in a heartbeat if he thought it would help the mission.

He ended up asking me one day in a Matrix styled “red or blue pill” type choice if I wanted to go deeper into the Intelligence Community. It would require me to move to some place I had never heard of before and do a mission I was unfamiliar with. He assured me I was a perfect fit – so I agreed. It set me on the path for everything I have today. Without that move I wouldn’t have met Dr. Thomas Rid and started my PhD, I wouldn’t have needed to work after hours to develop the skills I have today, and I would never have met my beautiful fiancée. The problem with all of this though – is I’m fairly confident the move and assignment weren’t allowed. I hadn’t served my allocated time at the Air Force base I was at, the Air Force wouldn’t support me moving or give me the funds to do so, there was technically no position there for me to fill, and I’m certain a significant amount of rules were broken to get me to that new team. But my group commander understood what I needed for my personal growth, he understood the importance of that mission and the team out there, he believed I had the right skills to help, and he embraced risk instead of shying away from it. It may not seem like much to the average reader but he literally risked his career and his command not just in my case but in many others to ensure that the mission succeeded – not just that it looked good on paper for policy and reports.

Conclusion

There are two things that stick out in writing this that I feel are worth noting. The first is a common theme amongst these four lessons. Each leader I admired and that helped me grow did what they said. It wasn’t a slide in a PowerPoint presentation, a quote in a signature block in an email, or just words over beer in a bar. Whether it was in taking risks, providing top cover, leading by example, or rewarding troops – whatever they said they would do they did. They did it so well that it was at times shocking that they kept to their word when any reasonable person would understand there should be exceptions granted (like not providing top cover to a young officer who decided to publish his thoughts Air Force wide).

The second is that none of my best leaders in the Air Force cyber community were cyber officers. That is not meant as a slight – I know firsthand that there are amazing cyber officers leading day in and day out as well – it’s just by the nature that most of my career as a “Cyber Warfare Operations Officer” was in the Intelligence Community – sampling bias at its best. Usually, I was the only “cyber” guy amongst all intelligence member teams. I make this point though because in the Air Force there is a serious problem with “rice bowls” and “tribes.” It can oftentimes hamper the mission. But the people that took care of me the most, who grew me the most, weren’t in my “tribe” as far as career fields are concerned. They just led me because it was the right thing to do. They led me because they believed in me and wanted to empower me. They led me even when it wasn’t beneficial to them but because it was beneficial to the bigger Air Force and its mission. That’s leadership.

As I leave the Air Force, this piece is my therapeutic writing – but not in the normal complaint driven article that I mentioned as common at the start of this piece. Instead, my exit thoughts are only of pride and gratitude. The Air Force cyber community needs help. But it has amazing people and will succeed despite adversity. And I feel I have new adventures in front of me and limitless opportunities because of those experiences. I will miss it dearly. I am forever grateful. I owe everything to the leaders I met while I had the privilege of serving.