Wednesday, October 21, 2015

How “Hat-tribution” on China Has Harmed U.S. National Policymaking

Back in the early 2000s, cybersecurity researchers blamed every financial services attack on Russian or Eastern European hackers and every non-financial services attack on China. Every attack literally fell into one of those two buckets. U.S. Air Force officers in the 90s were convinced that only the Chinese government was interested in stealing non-financial data like intellectual property. They were so positive that they gave China a code name — Advanced Persistent Threat (APT). Some of those Air Force officers later founded Mandiant and commercialized the name APT in a white paper that they released in 2010. In those years, APT was a “who”, not a “what”.

After the Office of the National Counterintelligence Executive issued its 2011 report naming at least four nations responsible for intellectual property theft (China, Russia, France, and Israel), Mandiant began losing the battle to keep APT as a code name for China, and the term quickly evolved into a generic description of how hackers attack a network.

Mandiant made a fortune from its long-standing policy of blaming every network breach on Chinese hackers, a fact that didn’t go unnoticed by almost every other cybersecurity company. Between 2010 and 2015, any report that named China as the culprit caught the attention of corporate CEOs as well as major news outlets. In 2013, Mandiant issued its APT1 report. By the end of the year, it was acquired by FireEye for $1B.

In 2014, Crowdstrike issued its own PLA report which identified by name an alleged PLA hacker based in large part upon a photo that showed a PLA officer’s hat. CrowdStrike executives called it “hat-tribution” and the PLA hacker group was named “Putter Panda”.

That CrowdStrike considered a hat in a photo as evidence is a commentary on how badly private companies have handled intelligence collection and analysis. That, and a 10+ year history of mis-attributing every intellectual property attack that ever happened to the government of China, has brought us to the inevitable end result — putting the White House in an uncomfortable diplomatic position with the Chinese government, who may very well be keeping its word. Ironically, it’s CrowdStrike executive and co-founder Dmitri Alperovitch whose blog post brought this controversy about:
    The very first intrusion conducted by China-affiliated actors after the joint Xi-Obama announcement at the White House took place the very next day — Saturday September 26th. We detected and stopped the actors, so no exfiltration of customer data actually took place, but the very fact that these attempts occurred highlights the need to remain vigilant despite the newly minted Cyber agreement.

    We are releasing below the timeline of intrusions into these commercial entities that we detected over the course of the last 30 days. It is important to note that this is not an exhaustive list of all the intrusions from Chinese-government affiliated actors we have detected during this time period; it is limited only to commercial entities that fit squarely within the hacking prohibitions covered under the Cyber agreement. The intrusion attempts are continuing to this day, with many of the China-affiliated actors persistently attempting to regain access to victim networks even in the face of repeated failures.

    We assess with a high degree of confidence that these intrusions were undertaken by a variety of different Chinese actors, including DEEP PANDA, which CrowdStrike has tracked for many years breaking into national-security targets of strategic importance to China, as well as commercial industries such as Agriculture, Chemical, Financial, Healthcare, Insurance, Legal, Technology and many others.

This company blog post combined CrowdStrike’s threat intelligence with a marketing pitch for its Falcon platform. The post speaks for itself, blaming China for ongoing cyber attacks after the Xi-Obama agreement. However, after AP, CBS, and the Washington Post picked up the story, Alperovitch attempted to walk back his post’s claims by saying “We are not stating anywhere that the Chinese are violating the agreement. It is not up to us to draw that conclusion.”

A White House spokesman who spoke with Foreign Policy wouldn’t comment on the Crowdstrike blog post except to say “As a general matter, malicious cyber actors from a variety of nations find U.S. networks and companies attractive targets, and seek access to sensitive or proprietary information for a variety of purposes.”

How many of those “malicious cyber actors from a variety of nations” use China to launch their attacks from?

How many independent, non-state-affiliated Chinese hackers launch their own attacks for fun and profit?

And how does Crowdstrike, Mandiant or any other company differentiate between those and actual Chinese government attacks?

I’ve been challenging security intelligence companies to answer that question for years and have yet to hear a responsible answer from any of them.

Tuesday, October 13, 2015

Win A Free Trip To Suits and Spooks Paris!

UPDATE: As of this morning (Oct 16th), we have only 2 tickets remaining for this promotion. Act fast to secure your chance to win a free trip to Paris Suits and Spooks.

UPDATE: As of the 15th, we have only 5 tickets remaining. This promotion will end at close of business tomorrow, Friday Oct 16th.

For the next 48 hours, we will make ten tickets for Suits and Spooks DC (Feb 11-12, 2016) available for purchase at a huge discount: only $324. Our normal rate for October is $399 and effective Nov 1 it will go up to $499.

Even better, by taking advantage of this promotion, you'll enter our drawing to win roundtrip airfare (economy class from JFK or IAD) and one night hotel accommodations to our very first Paris Suits and Spooks event next March!

Your admission to Suits and Spooks DC is 100% refundable prior to December 31, 2015. It includes:

  • Our Aerospace block which will feature panels from two of the world's largest aerospace and defense companies,
  • Our Future Warfare block which will feature a panel of experts debating international law as it relates to cyber warfare,
  • Our Critical Infrastructure block that will explore vulnerabilities in transportation, communication, and utilities,
  • Our Financial Services block that will look into international investments in cyber security as well as challenges to global bankers.
We'll pick the winner in a blind drawing on New Years Day. Airfare and hotel will be prepaid and may not be substituted for cash. If you have already registered for Suits and Spooks DC, your name will automatically be entered for the Paris drawing, but please share this email with any of your peers who you think would be interested.

Register now and save $75 on our already low rate, and earn a chance to win a trip to Paris Suits and Spooks in March 2016.

Good luck everyone!

Friday, September 4, 2015

What Will The Cost of Chinese Sanctions Be For U.S. Companies?

According to major media outlets, the U.S. government will soon announce economic sanctions against the Chinese government for its acts of economic espionage; especially cyber espionage that benefits Chinese companies. This tactic clearly has political appeal but it will fail to stop the Chinese government (as well as any other government who had similar sanctions taken against it) from continuing its long-standing program of technology acquisition by any means available. It will also put U.S. businesses who do business in China in harm's way if the Chinese government chooses to retaliate.

Here's why it will fail to stem the tide of IP theft by China:
1. The Chinese government uses a wide variety of legal means to acquire foreign technology. Sanctions will have no effect on that.
2. China's Internet space is used by a wide variety of foreign hackers to launch attacks from against U.S. companies. China is the perfect patsy for every false flag operation in the world. Sanctions will have no effect on that.
3. At least one Chinese hacker group (written about in the FBI's indictment against Chinese businessman Su Bin) never launches its attacks from within China or receives electronic files within China. It only runs its operations from countries outside of China. Isn't that the minimum tradecraft that we would expect from the Ministry of State Security, the PLA, and every other foreign intelligence service that ever existed - EVER - in the history of the f__king world?

Now that you know why sanctions will fail to accomplish their stated goal of stemming China's acts of economic espionage, what will the cost of sanctions be to U.S. businesses?

In 1998, the U.S. International Trade Commission studied the effect of unilateral U.S. economic sanctions on U.S. businesses. At that time, the only countries the U.S. government had sanctioned were tiny or economically insignificant, with the exception of India and Pakistan in 1998. But even then, the U.S. energy sector was adversely affected. Imagine how it will fare when the target of sanctions is China, a huge global energy consumer.

The questions that the report authors posed for U.S. companies 17 years ago are still relevant today and include:
  1. the business losses experienced, compared to the returns expected if sanctions had not been in place;
  2. the effects of delayed entrance into a market because of sanctions;
  3. the business losses incurred because sanctions may cause U.S. firms to be perceived as unreliable suppliers, due to the threat of future U.S. unilateral economic sanctions.
Most of the Fortune 1000 are either doing business in China or want to do business in China. The larger they are, the more this applies. Each one of those companies should contact the White House and find out what the President is planning, then determine how it will affect them, because one thing is for sure - they won't see any upside. It's only going to bring them pain.

Tuesday, September 1, 2015

The Legal Rationale For Killing An Enemy Hacker (or Could You Be The Next Junaid Hussain)?

The Pentagon has confirmed [1] that a British hacker named Junaid Hussain was targeted and killed in a military air strike on August 24, 2015. Pentagon spokesman Air Force Col. Pat Ryder (USCENTCOM) gave the following rationale for targeting Hussain:
  • He was involved in actively recruiting ISIL sympathizers in the West to carry out lone wolf attacks
  • He was responsible for releasing personally identifying information of approximately 1,300 U.S. military government employees
  • He specifically sought to direct violence against U.S. service members and government employees
According to the Wall Street Journal [2], he was a chief in the Islamic State's electronic army. The U.S. government has been conducting military operations against the Islamic State (ISIL), a group responsible for atrocious war crimes and human rights abuses.

Legal Status (Combatant or Civilian)

When looking at the rationale for the lethal targeting of a hacker, it might help to picture a decision tree. Assuming that there is an armed conflict underway at the time (a requirement for the targeting of a civilian to occur), the first question to ask pertains to the target's legal status. According to Rule 34 of the Tallinn Manual (TM) [3], the following persons may be lawful objects of attack:
  1. members of the armed forces
  2. members of organized armed groups
  3. civilians taking a direct part in hostilities, and
  4. in an international armed conflict, participants in a levée en masse (a military draft or conscription)
In the case of Hussain, his affiliation with ISIL makes him a member of an organized armed group, which makes him a legitimate target regardless of what types of cyber attacks he engaged in. But what if his legal status wasn't so clear cut?

Civilian Status: DPH or IPH

If the target is not a member of the armed forces or of an organized armed group, then the next step is to ascertain whether he was a Direct Participant in Hostilities (DPH) or an Indirect Participant in Hostilities (IPH). Only the former may be attacked.

According to the International Council of the Red Cross (ICRC) [4]:
    Persons participate directly in hostilities when they carry out acts, which aim to support one party to the conflict by directly causing harm to another party, either directly inflicting death, injury or destruction, or by directly harming the enemy's military operations or capacity. If and for as long as civilians carry out such acts, they are directly participating in hostilities and lose their protection against attack.
When it comes to cyber attacks, the definition of "causing harm" becomes more fuzzy, which could be problematic for civilian hackers who engage in cyber attacks for reasons of their own. The ICRC specifically calls out interfering with military computer networks and transmitting tactical targeting intelligence for specific attacks as examples of DPH. Hussain took credit for hacking the Twitter account of U.S. Central Command and publishing personally identifiable information for 1,300 government military employees along with inciting personal attacks against those employees from his Twitter account.

Taken in isolation, hacking a social media account is child's play when two-factor authentication hasn't been activated (which it hadn't been in CENTCOM's case). The only result emanating from that hack and others like it is temporary embarrassment of the victim. However, in the Hussain case, it's being used as part of the justification of the attack by the Pentagon [5]. As mentioned above, it isn't the primary justification - that would be Hussain's membership status with an organized armed group (ISIL).

Rule 30 of the TM defines what a cyber attack is for purposes of warfare:
    "A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects."
Rule 35 of the TM explicitly states that "civilians enjoy protection against attack unless and for such time as they directly participate in hostilities". The supporting text goes on to state that this rule's application is limited to individuals who engage in hostilities and are not affiliated with a militia, or who are affiliated with an "ad hoc group" that lacks the requisite degree of organization.

Three Conditions Must Be Met

The ICRC has set three conditions that must be met for a civilian to be classified as a DPH [6]:
  1. Threshold of Harm. The act must have the intended or actual effect of negatively affecting the adversary's military operations or capabilities, or inflicting death, physical harm, or material destruction on persons or objects protected against direct attack (threshold of harm).
  2. Causal Link. A direct causal link between the act in question and the harm intended or inflicted must exist.
  3. Belligerent Nexus. The act must be directly related to the hostilities.
If any one of these isn't met, the person cannot be targeted.

What would it take for a hacker to land on the Pentagon's Disposition Matrix [7] like Junaid Hussain did? If you're a hacker who is conducting any kind of network attack against foreign government entities, especially the United States or its key allies, here are three important tips to keep in mind:
  1. Be careful about who you affiliate with. If you align yourself with a group that the U.S. government eventually considers an organized armed group, you may lose the protection of your civilian status and become a target by virtue of your affiliation alone. The fact that you also have mad hacker skills will just be the icing on the Pentagon's cake.
  2. Don't think that low-level, unsophisticated network and social media attacks will make you less of a target than attacks that actually cause harm to an object or person. Hussain hacked a Twitter feed and posted names and email addresses for government employees, among other things.
  3. If you decide to support another nation's or group's activities that are deemed hostile to a foreign government, such as a color revolution or something equivalent to the Arab Spring, that government may deem you a legitimate target under these same legal principles.
Remember that your online activities, no matter how minor you believe them to be, may under the right combination of circumstances, result in a lethal outcome. The Hussain killing should be taken seriously by everyone in information security who's involved in hacking as a profession or a hobby.

[3] Tallinn Manual on the International Law Applicable to Cyber Warfare, Cambridge University Press, 2013
[6] The Tallinn Manual, p. 119, footnote 63

Sunday, August 16, 2015

DSS Reports Foreign Governments Increasing Espionage Activities Against U.S. Defense Industrial Base Companies

The Defense Security Service just issued its 2014 report "Targeting U.S. Technologies: Trend Analysis of Cleared Industry Reporting" (.pdf). DSS's mission is, in part, to secure the nation's technological base against acts of industrial espionage. These annual reports highlight specific technologies that have been targeted by foreign actors as reported to DSS. In FY13, the agency received and reviewed over 30,000 reports.

Each year DSS highlights a technological sector. In 2014, it was "Inertial Navigation Systems" used in commercial and military aircraft, spacecraft, and naval vessels.

Based on information received from cleared defense sector companies, DSS analysts were able to identify five distinct methods of operation when targeting INS technologies:
  1. an attempt to purchase (usually by finding a corrupt company in an allied State to act as the middleman)
  2. academic solicitation
  3. solicitation or marketing services
  4. sending a Request For Information (RFI)
  5. foreign visit (such as attending a conference in a foreign State)
DSS analysts also break down collector affiliations into five categories: commercial, government, government-affiliated, individual, and unknown.

This is easier to do with tangible collection activities as described above than with cyber attacks, which DSS (to its credit) acknowledges in the conclusion of its report (p.71). With an RFI or an invitation to attend a conference, you know who sent the invitation. With a cyber intrusion, or what DSS calls "Suspicious Network Activity" (SNA), it could be anyone.

However, cyber espionage is simply a new way to conduct industrial espionage so it's reasonable to assume that governments and corporations who are attempting to acquire a specific technology in any of the five ways detailed by DSS will also use a network attack if it will produce a successful end result. See our white paper on espionage-as-a-service, for example.

What the DSS Report Won't Tell You

The Defense Security Service produces one of the very best analytic reports available today, both in terms of sound intelligence collection and analysis methodologies (missing from 90% of cyber intelligence reports) as well as actionable content. However, it doesn't tell you who is doing the collecting. It also doesn't provide the entirety of any nation's technology acquisition interests. If your company doesn't produce any of the INS-related technologies mentioned in this report, does that mean that you're safe from foreign collection efforts? Absolutely not.

That's why we built the Redact™ knowledge base and the OverWatch™ intelligence feed. Used in conjunction with the DSS report, you can identify which Chinese and Russian government institutes, universities, state key labs, and state-owned enterprises have received funding for high priority technology R&D projects, and which of those have been reconnoitering your company's website for product information. We are also mining South Korean and French institutes and will be adding more nations over the next few months.

Compatible with Maltego and other Threat Intelligence Platforms

Our OverWatch™ intelligence feed is written in Common Event Format (.CEF) and is compatible with many SIEM products including ArcSight ESM, Splunk, and ThreatStream. We are also about to launch our Maltego transform.

OverWatch™ will alert in real time when one of the foreign government research institutes that we track is visiting your website, while Redact™ will provide you with the details on their government-funded R&D projects. We are currently scheduling demos for new corporate customers as well as federal agencies who are approaching the end of the federal fiscal year.

Redact™ is the only commercial database of its kind outside of a classified environment. Read our current product brief and contact us today for an online demonstration.

NOTE: This is cross-posted from the original article at the Taia Global website's blog.

Thursday, August 6, 2015

Why Retaliation Against China for the OPM Hack is a Bad Idea

I've written an OpEd on why the White House needs to look at deterrence in cyberspace differently based upon their announcement via David Sanger at the New York Times that they're looking at taking action against China for the OPM hack.

You can read it at the Christian Science Monitor or at The Diplomat. Comments are always welcome.

Thursday, July 16, 2015

Suits and Spooks at the Wingtip Club - Oct 6th - By Invitation Only

The Wingtip Club in San Francisco is a renovated 13,000 square foot duplex penthouse decorated in the old Gold Coast style atop the historic 1908 Bank of Italy building in downtown San Francisco. On Oct 6, 2015 it will be the venue for the most unique and luxurious Suits and Spooks event that we've ever held.

Taia Global and our event sponsors including Norse Corporation are picking up the tab for this full day of security talks and networking with intelligence veterans and executives from entertainment, banking, security, and technology companies.

Our speakers include:
  • David Fichtner: David Fichtner served 27 years at the CIA working on Soviet Military Forces, Nuclear Weapons Security, Proliferation issues, and information operations. While at CIA, Mr. Fichtner was selected for the Congressional Fellows Program serving on Senator John McCain’s staff. He is also a graduate of the Navy Fighter Weapons School (Topgun) and a designated Air Combat Tactics Instructor. Since retiring, Mr. Fichtner has worked as a consultant on Russian Intelligence services IO for Taia Global.
  • Christopher Burgess: Served 30+ years with the Central Intelligence Agency, serving in South Asia, Southeast Asia, the Middle East, Central Europe and Latin America. Currently the co-founder, President and CEO of Prevendra
  • Anna Vassilieva: Expert in contemporary Russian politics; Professor of Russian Studies at Monterey Institute of International Studies.
  • Simon Baker: Formerly Bloomberg's Head of Information Security and CISO in New York. Currently advises a number of early security startups as well as the World Economic Forum.
  • Niloofar Razi Howe: Currently Chief Strategy Officer at Endgame and an Operating Partner at Paladin Capital Group.
  • Kurt Stammberger: Founder of the RSA Conference, expert in cryptography, threat intelligence, and security business strategy. Currently Senior VP of Marketing at Norse Corporation.
  • Jeffrey Carr: Founder, Taia Global and the Suits and Spooks conference; author and consultant to U.S. and foreign multinational corporations and government agencies.

Speakers and attendees will enjoy the Wingtip's new "Wine Cave" as their venue for this all-day event starting with a continental breakfast at 9am, lunch at 1pm, and a Whiskey tasting at 5pm.

Unlike other Suits and Spooks events, this will be limited to 30 invited attendees at the Director-level or above from industries including technology, aerospace, entertainment, banking, and biomedicine.

If you'd like to receive an invitation or discuss sponsorship options, please contact Taia Global. Both the number of sponsors and the number of attendees are limited so act soon.