<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Threat Analysis, Intelligence, and Attribution</title>
	<atom:link href="http://greylogic.us/feed/" rel="self" type="application/rss+xml" />
	<link>http://greylogic.us</link>
	<description>Threat Analysis, Intelligence, and Attribution</description>
	<lastBuildDate>Mon, 30 Aug 2010 10:42:48 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Posting Changes Effective 01 September 2010</title>
		<link>http://greylogic.us/2010/08/30/posting-changes-effective-01-september-2010/</link>
		<comments>http://greylogic.us/2010/08/30/posting-changes-effective-01-september-2010/#comments</comments>
		<pubDate>Mon, 30 Aug 2010 10:42:48 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://greylogic.us/?p=476</guid>
		<description><![CDATA[Effective Wednesday, 01 September 2010, my blog posts will only appear at Forbes Firewall. In addition, GreyLogic, Inc. will be shuttered so that I may focus full-time on launching Taia Global, Inc. This will have no bearing on services provided to GreyLogic clients, which will be transferred to the new company and continue uninterrupted. If [...]]]></description>
			<content:encoded><![CDATA[<p>Effective Wednesday, 01 September 2010, my blog posts will only appear at <a href="http://blogs.forbes.com/firewall/author/jcarr/">Forbes Firewall</a>. In addition, GreyLogic, Inc. will be shuttered so that I may focus full-time on launching <a href="https://taiaglobal.com">Taia Global, Inc</a>. This will have no bearing on services provided to GreyLogic clients, which will be transferred to the new company and continue uninterrupted. If you&#8217;re a subscriber to this blog, please <a href="http://blogs.forbes.com/firewall/feed/">subscribe</a> to my articles at Forbes Firewall instead.</p>
]]></content:encoded>
			<wfw:commentRss>http://greylogic.us/2010/08/30/posting-changes-effective-01-september-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A New Paradigm For Protecting Critical Assets In The Enterprise</title>
		<link>http://greylogic.us/2010/08/24/a-new-paradigm-for-protecting-critical-assets-in-the-enterprise/</link>
		<comments>http://greylogic.us/2010/08/24/a-new-paradigm-for-protecting-critical-assets-in-the-enterprise/#comments</comments>
		<pubDate>Tue, 24 Aug 2010 14:18:08 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[cyber espionage]]></category>
		<category><![CDATA[Cyber security]]></category>

		<guid isPermaLink="false">http://greylogic.us/?p=392</guid>
		<description><![CDATA[Here is how we protect high value individuals: Figure 1: Secret Service agent warns off a vehicle following too closely Now imagine if we protected these critically important individuals the way that we protect our most critical data: Figure 2: vehicle parked alongside high traffic roadway SECRET SERVICE AGENT: &#8220;Don&#8217;t worry, Mr. President. You&#8217;re off [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;">Here is how we protect high value individuals:</p>
<p style="text-align: center;"><a href="http://greylogic.us/wp-content/uploads/2010/07/secretservice_motorcade.png"><img class="aligncenter size-medium wp-image-393" title="secretservice_motorcade" src="http://greylogic.us/wp-content/uploads/2010/07/secretservice_motorcade-300x189.png" alt="" width="300" height="189" /></a><em>Figure 1: Secret Service agent warns off a vehicle following too closely</em></p>
<p style="text-align: left;">Now imagine if we protected these critically important individuals the way that we protect our most critical data:</p>
<p style="text-align: center;"><em><a href="http://greylogic.us/wp-content/uploads/2010/08/car_parked_on_side_of_road.png"><img class="size-medium wp-image-469 aligncenter" title="car_parked_on_side_of_road" src="http://greylogic.us/wp-content/uploads/2010/08/car_parked_on_side_of_road-300x194.png" alt="" width="300" height="194" /></a>Figure 2: vehicle parked alongside high traffic roadway</em></p>
<p style="text-align: left;">SECRET SERVICE AGENT: &#8220;Don&#8217;t worry, Mr. President. You&#8217;re off the freeway in a parked vehicle surrounded by metal and windows with safety glass. No one will even know you&#8217;re here.&#8221;</p>
<p style="text-align: left;">Then when this happens:</p>
<p style="text-align: center;"><a href="http://greylogic.us/wp-content/uploads/2010/08/car_smashed_by_boulder.png"><img class="aligncenter size-medium wp-image-470" title="car_smashed_by_boulder" src="http://greylogic.us/wp-content/uploads/2010/08/car_smashed_by_boulder-300x200.png" alt="" width="300" height="200" /></a><em>Figure 3: car gets crushed by falling boulder</em></p>
<p style="text-align: left;">We wonder what the hell went wrong. We had security through obscurity, our antivirus was up to date, and our firewall could do everything but cook us dinner.</p>
<p style="text-align: left;">There needs to be a new paradigm for protecting critical assets. The Capitol Police in Washington DC use entirely different tactics to protect a large building than the Secret Service does to protect an individual. Likewise, a corporation must protect its critical data differently from how it protects its enterprise network, which is why we are launching a new company to do just that &#8211; <a href="https://taiaglobal.com">Taia Global</a> &#8211; the world&#8217;s first personal cyber security company. Contact us for more information about our unique approach to safeguarding your most critical assets.</p>
<p style="text-align: center;"><a href="http://greylogic.us/wp-content/uploads/2010/08/logo-red.png"><img class="aligncenter size-full wp-image-472" title="logo-red" src="http://greylogic.us/wp-content/uploads/2010/08/logo-red.png" alt="" width="110" height="180" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://greylogic.us/2010/08/24/a-new-paradigm-for-protecting-critical-assets-in-the-enterprise/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Intel&#8217;s Purchase of McAfee: A National Security Nightmare</title>
		<link>http://greylogic.us/2010/08/20/intels-purchase-of-mcafee-a-national-security-nightmare/</link>
		<comments>http://greylogic.us/2010/08/20/intels-purchase-of-mcafee-a-national-security-nightmare/#comments</comments>
		<pubDate>Fri, 20 Aug 2010 16:36:48 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Information Warfare]]></category>
		<category><![CDATA[Russian Federation]]></category>
		<category><![CDATA[cyber espionage]]></category>
		<category><![CDATA[FSB]]></category>
		<category><![CDATA[Intel]]></category>
		<category><![CDATA[McAfee]]></category>

		<guid isPermaLink="false">http://greylogic.us/?p=461</guid>
		<description><![CDATA[When I read the news of this acquistion, I was stunned by its national security implications. Intel has had a cozy relationship with the Russian government and its Federal Security Service (FSB) since 2002 with its sponsorship of a laboratory on wireless technology at Nizhny Novgorod State University (NNGU). The laboratory, located in the Department of Radiophysics, [...]]]></description>
			<content:encoded><![CDATA[<div>
<p>When I read the news of this acquisition, I was stunned by its national security implications. Intel has had a cozy relationship with the Russian government and its Federal Security Service (FSB) since 2002 with its sponsorship of a laboratory on wireless technology at Nizhny Novgorod State University (NNGU). The laboratory, located in the Department of Radiophysics, benefits from NNGU’s decades-long experience with Russia’s defense industry, especially the radar and air defense sector. According to a 9 August 2004 <a href="http://www.businessweek.com/magazine/content/04_32/b3895103_mz018.htm">Businessweek</a> article, the lab was working on security software for high-speed wireless applications.</p>
<p>The laboratory’s activity is overseen by a guidance board that includes Leonid Yurevich Rotkov, the head of the Center for Security of Information Systems and Telecommunications Facilities also located in NNGU’s Department of Radiophysics. Leonid Rotkov is a noted expert on IT security. Conference agendas show he works as a security consultant for the Federal Security Service (FSB).</p>
<p>Until around 2008, the Center’s website stated that it was sponsored by the Federal Security Service (FSB). This statement has since been removed. However, the faculty listing for the Center includes one individual who is also an employee of the Nizhny Novgorod Branch of Scientific Technical Center (STC) Atlas. STC Atlas was previously directly subordinate to the FSB; however, it is now a Federal State Unitary Enterprise (government-owned) research institute that still works on IT security. The Nizhny Novgorod branch is one of four major STC Atlas research facilities. STC Atlas is currently certified by the FSB for work on security issues including cryptology and “special studies.”</p>
<p>Intel&#8217;s Chairman and CEO at that time was Craig Barrett, who is now one of the founders of the <a href="http://csis.org/blog/whos-who-skolkovo-part-2">Skolkovo Fund</a>, which will be financing the construction of the Skolkovo Innovation Center outside of Moscow. The interesting thing about this center is that its focus is to bring foreign high tech companies into Russia for R&amp;D work on technologies that President Medvedev has identified as critical: nanoelectronics, semiconductors, photonics, robotics, cloud services, and ICT related to health care and governance. This strategy has worked incredibly well for the People&#8217;s Republic of China (PRC). They have over 1200 foreign R&amp;D labs operating in and around Shanghai, and the PRC&#8217;s economic growth (at least 10% each year) combined with its increase in patent filings (up 500% in the last 5 years) is very impressive.</p>
<p>Unfortunately, what&#8217;s good for Russia and China is not necessarily good for the U.S., particularly when part of that technology transfer occurs through acts of cyber espionage and insider theft. That&#8217;s the ugly truth that no one wants to speak about but everyone knows is happening &#8211; especially the leadership of Intel, who seem to have no problem with the security lapses occurring at their Nizhny Novgorod lab even when told about them by U.S. government officials. In fact, Intel frequently hires highly trained Russian engineers for positions in their security department, at least one of whom simultaneously taught an InfoSec course for the FSB.</p>
<p>Intel CEO Paul Otellini had this to say at a recent <a href="http://www.theregister.co.uk/2010/08/19/intel_and_macafee_wtf/">press conference</a> on the McAfee acquisition:</p>
<blockquote><p>&#8220;We have concluded that security has now become the third pillar of computing,&#8221; he told his listeners, &#8220;joining energy-efficient performance and Internet conductivity in importance.&#8221;</p>
<p>And that third pillar, Otellini believes, will be best implemented in silicon, not software. &#8220;We believe that security will be most effective when enabled in hardware,&#8221; he said. &#8220;Joining the assets of McAfee with Intel will accelerate and enhance the combination of hardware and software solutions.&#8221;</p></blockquote>
<p>At a time when cyber espionage by Russia and China is one of the greatest threats to U.S. national security today, Intel is helping build a billion-dollar honey trap (aka Skolkovo) for U.S. companies in Russia. Now it owns one of the largest software security companies in the world. So I have to wonder, when Otellini talks about the importance of security &#8211; security against whom exactly?</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://greylogic.us/2010/08/20/intels-purchase-of-mcafee-a-national-security-nightmare/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>FSB Receives Decrypted Blackberry Messages From Mobile TeleSystems</title>
		<link>http://greylogic.us/2010/08/15/fsb-receives-decrypted-blackberry-messages-from-mobile-telesystems/</link>
		<comments>http://greylogic.us/2010/08/15/fsb-receives-decrypted-blackberry-messages-from-mobile-telesystems/#comments</comments>
		<pubDate>Sun, 15 Aug 2010 16:11:50 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Russian Federation]]></category>
		<category><![CDATA[mobile threats]]></category>
		<category><![CDATA[Blackberry]]></category>
		<category><![CDATA[RIM]]></category>
		<category><![CDATA[Russia]]></category>

		<guid isPermaLink="false">http://greylogic.us/?p=456</guid>
		<description><![CDATA[On January 16, 2008 the Ministry of Information Technology and Telecommunications of the Russian Federation amended paragraph 2 of Article 64 of State law regulating the requirements of telecommunications networks for operational and search activities. It requires that intercepted communications which have additional encryption be turned over in decoded form. This includes Research In Motion and [...]]]></description>
			<content:encoded><![CDATA[<p>On January 16, 2008 the Ministry of Information Technology and Telecommunications of the Russian Federation amended <a href="http://www.minsvyaz.ru/ministry/documents/1548/3225.shtml">paragraph 2 of Article 64 of State law</a> regulating the requirements of telecommunications networks for operational and search activities. It requires that intercepted communications which have additional encryption be turned over in decoded form. This includes Research In Motion and all other foreign-owned companies who sell services in the RF through a Russian vendor which, in RIM&#8217;s case, is Mobile TeleSystems.</p>
<p>Since MTS trades on the New York Stock Exchange (<a href="http://www.mtsgsm.com/about/">MBT</a>), it has to file with the SEC. That filing contains the following information under &#8220;Equipment Certification&#8221;:</p>
<blockquote><p><em>&#8220;a Presidential decree requires that licenses and equipment certifications be obtained from the Federal Security Service to design, produce, sell, use or import encryption devices. Some commonly used digital cellular telephones are designed with encryption capabilities and must be certified by the Federal Security Service.&#8221;</em></p></blockquote>
<p>MTS&#8217; Vice President of Corporate Security is <a href="http://people.forbes.com/profile/pavel-d-belik/54450">Pavel D. Belik</a>, whose prior employer was the <em>Federal&#8217;naya sluzhba bezopasnosti Rossiyskoy Federatsii</em> (Federal Security Service of the Russian Federation), popularly known as the FSB. Hence, there is little doubt that MTS complies with Russian law, which requires that encrypted messages be decoded. The law also requires remote access from a console installed in FSB headquarters which reports the names of the sender and receiver of the targeted phone call, e-mail, or SMS message, the message itself, and the geo-location of the sender, as well as access to the customer database and billing records.</p>
<h2>Operation Roadside</h2>
<p>Operation Roadside was a 2006 espionage case in Moscow that involved MI6 agents and their Russian assets who used an electronic dead drop disguised as a rock. The “rock” was actually a sophisticated receiver and transmitter contained within a rock-like casing. It would receive and transmit information protected by encryption without the person having to stop and physically place or remove anything. When the FSB rounded up the individuals involved and examined the rock, they discovered that it was powered by a Blackberry (Moscow NTV Mir in Russian 1735 GMT 29 Jan 06 &#8211; “Emergency Incident: Investigation” television program). Considering that this happened in 2006, the same year that Research In Motion was struggling to gain entrance to the Russian market, I would rate the possibility that RIM received a pass from the FSB to abide by its monitoring requirements at about 0%.</p>
<p>These are just some of the facts regarding RIM and its dealings with the Russian government in order to sell its products and services to Russian consumers. Rather than issuing public statements like this <a href="http://www.securityweek.com/rim-statement-india-demands-access-messaging-services-no-ability-provide-its-customers%E2%80%99-encryption-k">one</a>, RIM should simply acknowledge that it is no different from any other telecommunications provider as regards complying with the monitoring laws of the countries in which it sells services, and that its corporate customers in those countries <strong>do not</strong> enjoy secure communications across the board. A little honesty and transparency would be a refreshing change from RIM&#8217;s current strategy of employing corporate doublespeak in communications to its customers and the general public while secretly engaging in negotiations with governments that belie its public announcements.</p>
]]></content:encoded>
			<wfw:commentRss>http://greylogic.us/2010/08/15/fsb-receives-decrypted-blackberry-messages-from-mobile-telesystems/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>How To Deduce The Truth About Government Monitoring Of Blackberries</title>
		<link>http://greylogic.us/2010/08/10/how-to-deduce-the-truth-about-government-monitoring-of-blackberries/</link>
		<comments>http://greylogic.us/2010/08/10/how-to-deduce-the-truth-about-government-monitoring-of-blackberries/#comments</comments>
		<pubDate>Tue, 10 Aug 2010 18:32:50 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[mobile threats]]></category>
		<category><![CDATA[Blackberry]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[India]]></category>
		<category><![CDATA[RIM]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[Saudi Arabia]]></category>
		<category><![CDATA[UAE]]></category>

		<guid isPermaLink="false">http://greylogic.us/?p=438</guid>
		<description><![CDATA[If you want to get to the truth about government monitoring of Blackberry consumer and enterprise customers by foreign governments, here&#8217;s a simple way that doesn&#8217;t require you to be an expert in encryption, a network architect or even a technologist. Just follow the numbers: 1. The government of (________) mandates that all communications services [...]]]></description>
			<content:encoded><![CDATA[<p>If you want to get to the truth about government monitoring of Blackberry consumer and enterprise customers by foreign governments, here&#8217;s a simple way that doesn&#8217;t require you to be an expert in encryption, a network architect or even a technologist. Just follow the numbers:</p>
<p>1. The government of (________) mandates that all communications services be monitored and supervised.</p>
<p>2. Research In Motion sells communications services in (__________).</p>
<p>3. Therefore, Research In Motion&#8217;s customers in (________) are subject to supervision and monitoring.</p>
<p>You may fill in the blank with the state of your choice. Deductive reasoning stipulates that if the premises of an argument are true (1 and 2), then the conclusion must also be true (3). Everything else is a moot point (BES encryption hacks, the existence of back doors, compromised third party applications, etc.).</p>
<p>So when the executives at Research In Motion send a <a href="http://www.computerworld.com/s/article/9180145/BlackBerry_maker_to_UAE_Saudis_No_3rd_party_can_access_encrypted_data_not_even_us">statement</a> like this one to their customers (<em>&#8220;RIM respects both the regulatory requirements of government and the security and privacy needs of corporations and consumers&#8221;</em>), you can call it for what it is &#8211; a logical impossibility.</p>
]]></content:encoded>
			<wfw:commentRss>http://greylogic.us/2010/08/10/how-to-deduce-the-truth-about-government-monitoring-of-blackberries/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>New Project Grey Goose task: Identify governments with RIM encryption keys</title>
		<link>http://greylogic.us/2010/08/03/new-project-grey-goose-task-identify-governments-with-rim-encryption-keys/</link>
		<comments>http://greylogic.us/2010/08/03/new-project-grey-goose-task-identify-governments-with-rim-encryption-keys/#comments</comments>
		<pubDate>Tue, 03 Aug 2010 23:10:41 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[mobile threats]]></category>
		<category><![CDATA[Blackberry]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[India]]></category>
		<category><![CDATA[Project Grey Goose]]></category>
		<category><![CDATA[Research In Motion]]></category>
		<category><![CDATA[RIM]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[Saudi Arabia]]></category>
		<category><![CDATA[UAE]]></category>

		<guid isPermaLink="false">http://greylogic.us/?p=429</guid>
		<description><![CDATA[I recently wrote a post for Forbes.com on how Research In Motion has quietly been making deals to provide encryption keys to the Russian and Chinese governments, with India in the queue for a set as well, while the UAE and Saudi Arabia are threatening to kick RIM out of their respective countries unless they [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://greylogic.us/wp-content/uploads/2010/08/RIM_logo.png"><img class="alignleft size-full wp-image-433" title="RIM_logo" src="http://greylogic.us/wp-content/uploads/2010/08/RIM_logo.png" alt="" width="118" height="64" /></a>I recently wrote a post for<a href="http://blogs.forbes.com/firewall/2010/08/02/rim-helps-russia-china-monitor-blackberry-users-emails/"> Forbes.com</a> on how Research In Motion has quietly been making deals to provide encryption keys to the Russian and Chinese governments, with India in the queue for a set as well, while the UAE and Saudi Arabia are threatening to kick RIM out of their respective countries unless they get the same access.</p>
<p>My issue with this is not that RIM is abiding by the laws of the nation within whose borders they want to conduct business. That&#8217;s what companies do &#8211; Google&#8217;s dealings with China being the latest example. The issue that has prompted this Project Grey Goose investigation is RIM&#8217;s lack of transparency regarding which governments have the ability to monitor their customers&#8217; message traffic and which do not. That is a critical bit of data for enterprise Blackberry users, who, by virtue of their place of employment, are high value targets for cyber attacks including espionage by state or state-sponsored actors.</p>
<p>Research In Motion executives are invited to provide an accurate accounting at any time. In the meantime, if you&#8217;d like to participate in discovering which other countries have the ability to decrypt your Blackberry&#8217;s email or other encrypted messages, please let me know via the Contact button on this website.</p>
]]></content:encoded>
			<wfw:commentRss>http://greylogic.us/2010/08/03/new-project-grey-goose-task-identify-governments-with-rim-encryption-keys/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Zero Day Attack Targets SCADA Systems</title>
		<link>http://greylogic.us/2010/07/20/zero-day-attack-targets-scada-systems/</link>
		<comments>http://greylogic.us/2010/07/20/zero-day-attack-targets-scada-systems/#comments</comments>
		<pubDate>Tue, 20 Jul 2010 18:08:21 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[IFT Abstract]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[RealTek]]></category>
		<category><![CDATA[Siemens]]></category>
		<category><![CDATA[Stuxnet]]></category>

		<guid isPermaLink="false">http://greylogic.us/?p=411</guid>
		<description><![CDATA[On June 17, 2010, researchers at VirusBlokAda, an anti-virus software company in Belarus, published a report (.pdf) on a trojan which was specifically designed to target process control server software (commonly referred to as SCADA software) used in critical infrastructure. Further work by Frank Boldewin uncovered a snippet of code (figure 2) which specifically calls [...]]]></description>
			<content:encoded><![CDATA[<p>On June 17, 2010, researchers at VirusBlokAda, an anti-virus software company in Belarus, published a report (.pdf) on a trojan which was specifically designed to target process control server software (commonly referred to as SCADA software) used in critical infrastructure. Further work by Frank Boldewin uncovered a snippet of code (figure 2) which specifically calls the Siemens WinCC SCADA system (figure 1).</p>
<div id="attachment_413" class="wp-caption aligncenter" style="width: 310px"><a href="http://greylogic.us/wp-content/uploads/2010/07/siemens_wincc.png"><img class="size-medium wp-image-413" title="siemens_wincc" src="http://greylogic.us/wp-content/uploads/2010/07/siemens_wincc-300x117.png" alt="" width="300" height="117" /></a><p class="wp-caption-text">Figure 1: Siemens software targeted in this attack</p></div>
<div id="attachment_414" class="wp-caption aligncenter" style="width: 310px"><a href="http://greylogic.us/wp-content/uploads/2010/07/WinCC_Code_Snippet___Frank_Boldewin.png"><img class="size-medium wp-image-414" title="WinCC_Code_Snippet___Frank_Boldewin" src="http://greylogic.us/wp-content/uploads/2010/07/WinCC_Code_Snippet___Frank_Boldewin-300x138.png" alt="" width="300" height="138" /></a><p class="wp-caption-text">Figure 2: WinCC Code Snippet</p></div>
<p>This malware is delivered via a USB flash drive which exploits a newly discovered vulnerability (known as a Zero day or 0day) affecting all versions of Windows.</p>
<p><strong>NOTE:</strong> If your operating system is Windows XP Service Pack 2 or older, Microsoft no longer supports it and a patch will not be issued.</p>
<div>
<div>A technical description of the malware can be found at the following sources:</div>
<div>US CERT: http://www.kb.cert.org/vuls/id/940193</div>
<div>VirusBlokAda: http://anti-virus.by/en/tempo.shtml</div>
<div>F-Secure: http://www.f-secure.com/weblog/archives/00001987.html</div>
<div><strong><span style="font-weight: normal;">&#8212;&#8211;</span></strong></div>
<div><strong><span style="font-weight: normal;">This is an abstract of this week&#8217;s IntelFusion FLASH Traffic weekly brief. The full article includes the following data:</span></strong></div>
<div>
<ul>
<li>Global coverage broken out by country</li>
<li>Siemens business dealings with the RF and PRC</li>
<li>GreyLogic&#8217;s threat analysis identifies 3 key characteristics of this APT attack</li>
</ul>
<p>Subscription information is available by request.</p></div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://greylogic.us/2010/07/20/zero-day-attack-targets-scada-systems/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Your ICQ Identity Now Belongs To The FSB</title>
		<link>http://greylogic.us/2010/07/13/your-icq-identity-now-belongs-to-the-fsb/</link>
		<comments>http://greylogic.us/2010/07/13/your-icq-identity-now-belongs-to-the-fsb/#comments</comments>
		<pubDate>Tue, 13 Jul 2010 14:08:40 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Information Warfare]]></category>
		<category><![CDATA[Russian Federation]]></category>

		<guid isPermaLink="false">http://greylogic.us/?p=376</guid>
		<description><![CDATA[According to Russian international news agency RIA Novosti, Digital Sky Technologies (DST) has closed the deal with AOL to buy instant messaging service ICQ for US$187.5 million, but that&#8217;s not the interesting part. What&#8217;s interesting is that one of the deal points was for ICQ&#8217;s servers to be moved from Israel (their present location) to [...]]]></description>
			<content:encoded><![CDATA[<p>According to Russian international news agency <a href="http://en.rian.ru/business/20100713/159777787.html">RIA Novosti</a>, Digital Sky Technologies (DST) has closed the deal with AOL to buy instant messaging service ICQ for US$187.5 million, but that&#8217;s not the interesting part.</p>
<p>What&#8217;s interesting is that one of the deal points was for ICQ&#8217;s servers to be moved from Israel (their present location) to Russia. By law, Russian companies must comply with orders from the Federal Security Service to reveal their user data when asked if it impacts Russia&#8217;s national security. GreyLogic published a private report earlier this year on the ramifications of FSB law to both Russian and foreign-owned companies operating inside the RF. Under Article 15, the FSB may:</p>
<ul>
<li>require both private and public enterprises to assist the FSB whenever asked.</li>
<li>make changes in hardware and/or software as requested if it will assist the FSB in fulfilling its mission.</li>
<li>hire FSB officers to work in their offices.</li>
</ul>
<p>So if you&#8217;re on ICQ, and you work for an employer who may be of interest to the FSB, now would be a really good time to close your account.</p>
]]></content:encoded>
			<wfw:commentRss>http://greylogic.us/2010/07/13/your-icq-identity-now-belongs-to-the-fsb/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>The War That We Don&#8217;t Recognize Is The War We Lose</title>
		<link>http://greylogic.us/2010/07/12/the-war-that-we-dont-recognize-is-the-war-we-lose/</link>
		<comments>http://greylogic.us/2010/07/12/the-war-that-we-dont-recognize-is-the-war-we-lose/#comments</comments>
		<pubDate>Mon, 12 Jul 2010 18:34:35 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Information Warfare]]></category>
		<category><![CDATA[Peoples Republic of China]]></category>
		<category><![CDATA[Russian Federation]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[asymmetric warfare]]></category>
		<category><![CDATA[cyber warfare]]></category>
		<category><![CDATA[cyberwar]]></category>

		<guid isPermaLink="false">http://greylogic.us/?p=371</guid>
		<description><![CDATA[This article defines how and why we can be in a state of war without recognizing it as such. It is an introduction to Ultra-Low Intensity Asymmetric Warfare.]]></description>
			<content:encoded><![CDATA[<p>Unlike the United States, the European Union and other Western nations, Russian and Chinese military writers generally do not use the term “Cyber Warfare”, preferring “Information Warfare” or “Informatized Warfare” instead. This is a significant difference; understanding it may better inform those who are still struggling to fit the round peg of Cyber Warfare into the square hole of the Western way of war.</p>
<p>The People&#8217;s Republic of China considers the United States a technologically superior adversary, and is simultaneously dependent upon U.S. consumers and the support of U.S.-based multi-national corporations. What is the appropriate military strategy for a nation that finds itself in such a position?</p>
<blockquote><p>“Therefore the skillful leader subdues the enemy&#8217;s troops without any fighting; he captures their cities without laying siege to them; he overthrows their kingdom without lengthy operations in the field.” (Sun Tzu, 500 BC)</p></blockquote>
<p>It shouldn&#8217;t be surprising that a nation which can trace its history back thousands of years is still influenced by the writings of an ancient Chinese general. Today, the PRC is engaged in a subtle dual strategy of network penetration and data exploitation. The early penetration of U.S. critical infrastructure provides it with a preemptive strike option should it believe that a U.S. attack is imminent, while the exfiltration of intellectual property provides its many excellent engineers and scientists with a way to accelerate its technological growth beyond anything that we&#8217;ve seen before. For example, in the past 5 years alone, patent filings from the PRC have increased five-fold compared with the previous 5 year period.</p>
<p>China, like all major powers, does have its share of vulnerabilities. The drafting of the Twelfth Five Year Plan (2011-2015) is currently underway, with a presumed emphasis on increasing domestic consumption (which has dropped in recent years) and urbanization of its populace (which will serve to drive domestic consumption). China&#8217;s two major vulnerabilities are a reliance on foreign consumption of its goods (particularly by the U.S.) and a shortage of the energy resources needed to power its growth. Unfortunately, there are too many policy makers in the U.S. who have failed to grasp this and who still believe that an attack by China against the power grid could happen at any time. Only an irrational State or terrorist group would conduct an attack that would result in its own demise, which is precisely what would happen to China should a catastrophic cyber-based event occur against U.S. critical infrastructure. It is currently in the PRC&#8217;s interest to keep the U.S. economy healthy while simultaneously encouraging major U.S. corporations to open manufacturing facilities and R&amp;D labs on Chinese soil. As of 2007, the PRC reported 1,160 foreign R&amp;D labs in China. In 2000, that number was a mere 112 – a roughly tenfold increase in only 7 years.</p>
<p>The overt advantage to China in hosting so many facilities is the technology transfer that occurs when Multi-National Corporations (MNC) hire Chinese employees to work in their labs, particularly when they are scientists or highly skilled engineers. These individuals must be trained in the particular technology that they have been hired to innovate upon. Their acquired knowledge and/or skills, in turn, become assets of the State. Their loyalty, after all, lies with their country, not their foreign employer.</p>
<p>China&#8217;s covert advantage lies in its legal ability to monitor all communications traffic originating from inside its borders, including those from foreign-owned labs. For example, Article 15 of China&#8217;s Telecommunications law states, “International communications businesses based inside the People’s Republic of China shall carry out their operations via international communications gateways set up by approval of the competent telecommunications authorities.” Article 23 requires those “competent telecommunications authorities” to establish supervision and monitoring systems, while Article 27 specifies the scope of monitoring to include “wireless frequencies, satellite orbits, telecommunications network numbering, Internet protocol addresses and Internet domains used to realize telecommunications functions”. In other words, if your company has an office in China, you are transmitting across their network. By law, those transmissions are monitored.</p>
<p>In addition to its official supervision and monitoring policies, the PRC also engages with non-state actors to surreptitiously penetrate corporate and government networks in the U.S., Australia, the U.K., India, many of the developing countries in Africa, and even Vietnam, and to exfiltrate valuable information that serves to advance China&#8217;s current strategic priorities. These include:</p>
<ul>
<li>high end microprocessors</li>
<li>next generation wireless mobile communications</li>
<li>large scale oil, gas, and coal mining</li>
<li>pharmaceuticals</li>
<li>advanced aircraft design</li>
</ul>
<p>While there is ample historical evidence that Chinese hackers rush to their country&#8217;s defense in the case of an affront or an attack (the 1999 bombing of the Chinese embassy, the 2001 EP-3 collision with a Chinese aircraft, the January 2010 DNS hijacking of Baidu, etc.), this is more of a patriotic expression of support than a carefully orchestrated act of State cyber power. State-sponsored attacks, whether they emanate from the PRC or the Russian Federation (RF), are well-funded, carefully planned, patiently executed and more often than not go undetected. Since these operations are expensive to pull off, assets are not wasted on noisy DDoS attacks. They are reserved for engagements which align with their strategic priorities.</p>
<p>The Russian Federation&#8217;s approach to Information Warfare is similar to the PRC&#8217;s, but has noteworthy differences as well. They have legislative authority to monitor all traffic flowing through Russia&#8217;s pipes, including the communications of foreign corporations operating on its soil. They, too, align their network exploitation activities against foreign corporations and government networks with their current strategic objectives:</p>
<ul>
<li>Nanoelectronics</li>
<li>Robotics</li>
<li>Cloud services</li>
<li>Information and Communications Technology (ICT) for Medicine and Governance</li>
<li>Semiconductors</li>
<li>Photonics</li>
</ul>
<p>However, the RF is much more aggressive than the PRC in its use of non-state actors to conduct computer network attacks against internal political opponents as well as problematic States in the North Caucasus and former Soviet republics such as Estonia, Georgia, Kyrgyzstan, Ukraine, and Lithuania.</p>
<p>There are two key components to Russia&#8217;s IW strategy:</p>
<ul>
<li>The use of the Nashi as an intermediary between the Russian government and its hacker population. The Nashi leadership are either former or current members of the State Duma, and a portion of its funding comes from the State Committee for Youth as well as Gazprom Investment Holdings, whose Chairman is Russian Oligarch Alisher Usmanov.</li>
<li>The acquisition of, or investment in, social network platforms around the world under the auspices of the Russian investment firm Digital Sky Technologies (DST) which, like the Nashi, was formed in 2005 and has also benefited from significant investment by Alisher Usmanov.</li>
</ul>
<p>Social networks are used by hundreds of millions of people on a daily basis, which makes them an Open Source Intelligence gold mine for every Nation State&#8217;s intelligence apparatus, the FSB (Russia&#8217;s Federal Security Service) included. Today, Yuri Milner, Alisher Usmanov and their DST partners have become the favorites of Silicon Valley start-ups. Armed with one billion dollars to invest, they make it easy for the companies that they&#8217;re targeting to say yes. U.S. venture capital firms are beginning to feel the effects of DST&#8217;s success and are adjusting their term sheets to become more competitive. In the meantime, a Facebook algorithm has found its way onto the Russian Internet in the service of the Ministry of the Interior – compliments of Milner, Usmanov, et al. Not only do Russia&#8217;s security services have insider access to the world&#8217;s largest social networks, they are turning a profit as well.</p>
<p>Plausible deniability, self-funding intelligence operations, and technology transfer from foreign R&amp;D labs characterize the three key strategies of what I&#8217;ve termed Ultra Low Intensity Asymmetric Warfare. It&#8217;s “Asymmetric” because it meets Kenneth MacKenzie&#8217;s definition of “leveraging inferior tactical or operational strength against the vulnerabilities of a superior opponent to achieve disproportionate effect with the aim of undermining the opponent&#8217;s will in order to achieve the asymmetric actor&#8217;s strategic objectives”. I refer to it as “Ultra Low Intensity” because it does not meet the definition of “Low intensity warfare” as defined in the US Army Field Manual (FM) 100-20: “Low intensity conflict is a political-military confrontation between contending states or groups below conventional war and above the routine, peaceful competition among states.” Instead, an “Ultra Low Intensity” state of conflict is one in which the superior adversary is not aware that it is in a war at all. In fact, just the opposite. The superior State engages the weaker  State in trade, technology transfer, joint ventures, and other peacetime activities while oblivious to the subtle but powerful strategies being pursued against it by the weaker State or States, a few examples of which I described above.</p>
<p>The onus is now on the U.S. and its allies to recognize this new state of warfare and to devise and implement the appropriate countermeasures. What those countermeasures should be is a topic for a different paper.</p>
<p>-END-</p>
<p>© Jeffrey Carr 2010 All Rights Reserved</p>
]]></content:encoded>
			<wfw:commentRss>http://greylogic.us/2010/07/12/the-war-that-we-dont-recognize-is-the-war-we-lose/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Throwing the Sun Tzu Baby out with the InfoSec bathwater</title>
		<link>http://greylogic.us/2010/07/05/throwing-the-sun-tzu-baby-out-with-the-infosec-bathwater/</link>
		<comments>http://greylogic.us/2010/07/05/throwing-the-sun-tzu-baby-out-with-the-infosec-bathwater/#comments</comments>
		<pubDate>Mon, 05 Jul 2010 16:00:30 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[Information Warfare]]></category>
		<category><![CDATA[Peoples Republic of China]]></category>
		<category><![CDATA[Russian Federation]]></category>
		<category><![CDATA[attrition.org]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Dan Geer]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[sun tzu]]></category>

		<guid isPermaLink="false">http://greylogic.us/?p=366</guid>
		<description><![CDATA[Steve Tornio and Brian Martin just published a 5,000 word rant against anyone who dares utter the name Sun Tzu in connection with information security. According to Tornio and Martin, Sun Tzu &#8211; the principal strategic authority whose seminal work has served to guide China&#8217;s military and civilian leadership for 2500 years, is &#8220;not relevant [...]]]></description>
			<content:encoded><![CDATA[<p>Steve Tornio and Brian Martin just published a <a href="http://attrition.org/security/rants/fsck_sun_tzu/">5,000 word rant</a> against anyone who dares utter the name Sun Tzu in connection with information security. According to Tornio and Martin, Sun Tzu &#8211; the principal strategic authority whose seminal work has served to guide China&#8217;s military and civilian leadership for 2500 years &#8211; is &#8220;<em>not relevant to modern day InfoSec</em>&#8221; because <em>&#8220;information security is not warfare (leaving aside actual warfare, of course)&#8221;</em>.<br />
<span id="more-366"></span><br />
That&#8217;s a pretty huge stipulation considering that the Peoples Republic of China has been heavily invested in information technology R&amp;D to revolutionize both its Armed Forces and its civilian infrastructure simultaneously for the past 20 years or so. The same is true for the Russian Federation (sans Sun Tzu, of course). I&#8217;d love to hear either of these two gentlemen discuss where they make the distinction between InfoSec for the enterprise versus InfoSec as an &#8220;expression of warfare by other means&#8221; (to paraphrase Clausewitz), or their thoughts on the implications of China&#8217;s recent reorganization of its defense and civilian funding for priority IT research through one agency, thus making it easier to sustain the illusion of plausible deniability while further blurring the line between civilian and military technology.</p>
<p>Then we come to your assessment of Sun Tzu&#8217;s advice regarding knowing your enemy:</p>
<blockquote><p><em>You can take the time to try to know all the different kinds of attackers hitting your networks, but you can never claim victory. If we board up our windows against a hurricane, we don&#8217;t &#8220;win&#8221; if our homes and windows survive the storm. It would make more sense for InfoSec practitioners to learn from hurricane or flood preparedness than Sun Tzu. For most of us, attacks on our networks are more like the constant and varied attacks from weather, and rather than try to wrap ourselves up in the glorious wisdom of Chinese philosophy and the excitement of some amorphous global &#8220;cyberwar&#8221;, we should probably focus on the mundane, boring details of maintaining and monitoring our networks.</em></p></blockquote>
<p>The reason why you don&#8217;t know how to assign or even begin to think about attribution is because you are too consumed by the minutiae of your profession. Frankly speaking, the high tech company executive who accepts what you advocate from his own InfoSec people has put his company squarely in the 10 ring of the target that an adversary state like China or Russia is shooting at. Instead, that executive would better serve his corporation&#8217;s interests if he took the advice of someone like <a href="http://www.networkworld.com/news/tech/2010/041210-tech-update.html?page=1">Dan Geer</a>:</p>
<blockquote><p><em>When you are losing a game that you cannot afford to lose, change the rules. The central rule today has been to have a shield for every arrow. But you can&#8217;t carry enough shields and you can run faster with fewer anyhow.</em></p>
<p><em>The advanced persistent threat, which is to say the offense that enjoys a permanent advantage and is already funding its R&amp;D out of revenue, will win as long as you try to block what he does. You have to change the rules. You have to block his success from even being possible, not exchange volleys of ever better tools designed in response to his. You have to concentrate on outcomes, you have to pre-empt, you have to be your own intelligence agency, you have to instrument your enterprise, you have to instrument your data.</em></p></blockquote>
<p>Dan Geer, in my opinion, is one of this country&#8217;s best minds in the field of Information Security partly because he approaches this problem in the same way that successful Generals have assessed battlefield strategy from the time of King Leonidas and Sun Tzu to the present &#8211; at the 10,000 foot level. Once you understand that the scope of this problem extends far beyond the firewall logs, you&#8217;ll be in a better position to organize a solution for attribution by categorizing actors at the State and State-sponsored level and then working your way down to the technical forensics of the attack. The only reason why some (OK, many) InfoSec engineers haven&#8217;t put 2+2 together is that their entire industry has been built around providing automated solutions at the microcosmic level. When that&#8217;s all you&#8217;ve got, you&#8217;re right &#8211; you&#8217;ll never be able to claim victory.</p>
<p>Fortunately, the tide is beginning to turn away from that position and towards one that I and Project Grey Goose researchers have been advocating since 2008 &#8211; an all-source approach that combines server-level data with actor data eventually allowing decision makers (whether in the boardroom or the White House) to at least &#8220;know their enemy&#8221;, even if they still don&#8217;t adequately &#8220;know themselves&#8221; &#8211; but that&#8217;s an article for a different day.</p>
]]></content:encoded>
			<wfw:commentRss>http://greylogic.us/2010/07/05/throwing-the-sun-tzu-baby-out-with-the-infosec-bathwater/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>
