BIRMINGHAM – Wired’s Danger Room is reporting that General Keith Alexander is throwing in the towel. In an address to the FBI sponsored International Conference on Cyber Security he is quoted: “15,000 enclaves: You can’t see ’em all. You cannot defend them all,” Alexander told an FBI-sponsored gathering of law enforcement and cybersecurity professionals at New York’s Fordham University. “You’ve got to have an infrastructure that is defensible.”
It is a reality that you cannot achieve a defensible network with the typical process for fixing problems that the military and most government agencies use: a high-level officer or “Czar” is assigned. That person convenes a group to study the problem and make recommendations. By the time they are ready to report, the top person is ready to move on, his or her term has expired, or the situation has changed. So the process starts over. Look at the multiple infrastructure security reviews that the office of the President has instituted. There have been five Cyber Czars since 2001 (I add Amit Yoran to this list on Wikipedia), and each has called for top-level reviews. Even the GOP candidates are calling for security reviews in the unlikely event one of them takes office in 2013.
In the meantime threat actors have no such review process. They continue to develop advanced tools and methodologies and engage in more and more serious attacks.
In 2003 I had a chance to view the Pentagon’s networks first hand. There were 20 of them inside one building, each with its own administrators, often from different branches of the military, and often with conflicting purposes. Classic controls like limiting insecure protocols (Telnet for one) were not even considered possible to enforce. When suggested, even today, the response is “oh you just try to shut down port 23. You tell the Two Star that you broke his application.”
General Alexander (a Four Star) is indeed faced with an impossible task. You cannot, from the top, dictate granular policy. Even the NSA and CyberCom do not have the personnel to audit and enforce those policies across 15,000 networks and a million nodes.
Change has to come from the bottom up. How do you do that? By assigning responsibility *and* real consequences for failure.
Take for instance the simplest and direst dictate to all military personnel from the inception of military commands: a soldier may never fall asleep while on guard duty. Does the battalion leader personally patrol the checkpoints to ensure that this dictate is maintained? No. The soldiers have this rule pounded into them from the day they are recruited, and they have all heard of the dire consequences of sleeping on the job. It is their own responsibility and they know it.
Today’s military has tens of thousands of people who never see a battlefield. They maintain IT systems. They must be impressed with the responsibility to maintain the security of those systems. A successful hack of the systems they are responsible for should come with dire consequences: demotion, berating, even court martial. Of course they must be supplied with the tools to monitor, configure, and protect their IT assets. They must be trained, and proper shifts must be provided since, indeed, security is a 24×7 responsibility. Duty rosters cannot be 9-5.
If there are 15,000 separate digital enclaves simply designate 15,000 people with primary responsibility for doing their jobs: protecting their territory.
No, General Alexander, you do not need to perform a top-down review or build a “defensible infrastructure”; you need to ban Telnet from all government networks. Do that and another hundred best practices today and you will have fewer intrusions this week.
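A ban is only as good as the ability of each enclave owner to see whether it is being honored. The following is an added example, not code from the original post: it audits a few constructed flow records for cleartext remote-access sessions and reports violations per enclave, so that the person responsible for each network gets their own list. Telnet (TCP/23) is the protocol the post names; FTP control and rlogin are included here as further well-known cleartext services, an assumption on my part. The log format, enclave names and addresses are all constructed for illustration.

```python
"""Audit constructed flow records for cleartext remote-access protocols.

Added example; not from the original post. The key=value log format, the
enclave names and the addresses are constructed for illustration.
"""
from collections import Counter

# Destination ports a Telnet-style ban would target. TCP/23 is the one the post
# names; FTP control (21) and rlogin (513) are added as an assumption.
CLEARTEXT_PORTS = {23: "telnet", 21: "ftp", 513: "rlogin"}

# Constructed flow records: timestamp followed by key=value fields.
SAMPLE_FLOWS = """\
2012-01-10T03:14:00Z enclave=bldgA-net1 src=10.1.2.3 dst=10.1.9.8 proto=tcp dport=23
2012-01-10T03:14:05Z enclave=bldgA-net1 src=10.1.2.4 dst=10.1.9.8 proto=tcp dport=22
2012-01-10T03:15:10Z enclave=bldgA-net7 src=10.7.0.5 dst=10.7.0.9 proto=tcp dport=23
2012-01-10T03:16:00Z enclave=bldgA-net7 src=10.7.0.5 dst=10.7.0.9 proto=tcp dport=21
2012-01-10T03:17:42Z enclave=bldgA-net3 src=10.3.1.1 dst=10.3.1.2 proto=udp dport=23
2012-01-10T03:18:00Z enclave=bldgA-net3 src=10.3.1.1 dst=10.3.1.2 proto=tcp dport=443
"""


def parse_flow(line):
    """Turn one 'ts k=v k=v ...' line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"ts": parts[0]}
    for token in parts[1:]:
        if "=" not in token:
            return None
        key, _, value = token.partition("=")
        rec[key] = value
    try:
        rec["dport"] = int(rec["dport"])
    except (KeyError, ValueError):
        return None
    return rec


def find_cleartext_sessions(text):
    """Return (enclave, src, dst, protocol_name) for every TCP flow to a cleartext port.

    UDP traffic to the same port numbers is ignored: the ban is about the TCP
    services, and matching on port alone would produce false positives.
    """
    hits = []
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec is None or rec.get("proto") != "tcp":
            continue
        name = CLEARTEXT_PORTS.get(rec["dport"])
        if name:
            hits.append((rec["enclave"], rec["src"], rec["dst"], name))
    return hits


def violations_per_enclave(text):
    """Count cleartext sessions by enclave, one number per responsible owner."""
    return Counter(hit[0] for hit in find_cleartext_sessions(text))


if __name__ == "__main__":
    for enclave, count in sorted(violations_per_enclave(SAMPLE_FLOWS).items()):
        print(f"{enclave}: {count} cleartext session(s)")
```

Run against real flow exports, the per-enclave counter is the artifact that turns a blanket policy into an individual responsibility: an enclave with a non-zero count has a named owner who can be asked why.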
For a glimpse into the world of cyber attacks and hacktivists, buy CyberStyletto, a new cyber crime novella that looks at the world of hacking. Richard Stiennon of IT-Harvest is the technical advisor.
BIRMINGHAM – After each major breach security pundits are quick to pile on the victim. The Stratfor breach by Anonymous seems to have raised more than the usual amount of ire. Bloggers are criticizing the blatant lack of security controls, which included unprotected servers, simple hashes for passwords, and no encryption for credit card data. Perhaps it is because so many security pundits had their own data leaked, often with easily crackable passwords.
Is Stratfor doomed? Is it going to go out of business? No, of course not. This week, Stratfor came back online after a three week absence. They have moved their hosting provider to Cloudflare, a load balanced CDN for websites. Stratfor founder George Friedman has posted a sincere apology to his clients and readers. It is well worth reading for those who may have to face a similar situation one day.
In what is turning into a PR coup, Stratfor is making their content available for free. The trove of great analysis of world geo-political hotspots is serving to drown the critical Twitter posts. A search for “Stratfor” on Twitter reveals more links to their content than to articles about the breach.
Stratfor will survive this episode. I predict they will even thrive.
Meanwhile, Anonymous seems remarkably quiet on the threatened leak of over 5 million emails stolen from Stratfor. If and when they are published there will be a flurry of news stories and allegations of subterfuge. But the real value is going to be for foreign intelligence services who will mine the emails for identities, connections, and correlations.