Tuesday, September 14, 2010

buckshot yankee: cowboys and indians in cyberspace

if you've been following security news in the past month or so you've probably heard about the DoD revealing that an autorun worm managed to get onto classified systems. maybe you were even curious when they attributed it to an unspecified (and possibly unknown) foreign intelligence agency. maybe you were even surprised to learn that this was the genesis of the US cyber command.
my first reaction to hearing these things was something along the lines of:
holy crap, the origins of the US cyber command are a farce!
now, don't get me wrong, i think the idea of the US cyber command is probably a good one. but the idea that it was formed because of a run-of-the-mill autorun worm, a profound skills/knowledge deficit (disabling autorun was a security best practice even then, and there was a similar incident with NASA earlier that same year, so what were their infosec people thinking?), and a hammer-and-nail mentality (when all you have is a hammer everything looks like a nail; when all you have is military training everything looks like the work of enemy agents) is actually kind of scary.

not only is it scary because of how badly they can blow banal malware incidents out of proportion, but also because in all the investigation and subsequent reorganization to form the cyber command they never seem to have overcome that skills deficit enough to realize their error and get that realization to the top-level decision makers. so we're going to have a military body enforcing its will in cyberspace, developing new and interesting ways of exercising its authority, but still unable to distinguish an attack with direct human intent from the actions of an autonomous software agent.

they don't call them viruses just because it sounds cool, folks. these things spread by themselves like a disease. they don't need to be aimed, they don't need someone intentionally helping them along by setting up websites or sending commands or any of that junk. heck, earlier that same year another autorun worm managed to spread to computers on the international space station. you think viruses in space was an intended goal? if it were then it wouldn't have had code to steal online gaming passwords. it boggles my mind how after over 25 years, more than a quarter century, people (even security folks) don't get that computer viruses spread by themselves like a disease without the need for intentional assistance. that's why it's called self-replication.
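as an added illustration (example code, not part of the original post): the entire "aiming" such a worm needs is a plain-text autorun.inf on the drive, which Windows of that era parsed and acted on by itself. the triage below parses a constructed sample the lenient way Windows does and flags the entries that would actually run code, versus the harmless icon/label entries a vendor disc uses; file names and sample contents are made up.

```python
import re

# Keys in [AutoRun] that make Windows execute something when the drive is mounted
# (or, via shell\<verb>\command, when the user double-clicks the drive icon).
# icon=, label= and action= only decorate the AutoPlay prompt.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
RISKY_EXT = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs|vbe|js|jse|wsf|hta)\b", re.I)
SPOOF_TEXT = re.compile(r"open folder to view files", re.I)

def parse_autorun(text):
    """Lenient INI parse: Windows skips junk lines, so the parser must too."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def triage_autorun(text):
    """Return ('suspicious' | 'benign', reasons). Suspicious means the file,
    if honoured by Windows, would run a program rather than just show an icon."""
    reasons, launches = [], False
    for key, value in parse_autorun(text).get("autorun", {}).items():
        if LAUNCH_KEY.match(key):
            launches = True
            reasons.append(f"{key}= would run {value}")
            if RISKY_EXT.search(value):
                reasons.append(f"{key}= target has an executable extension")
            if "recycler" in value.lower():  # a folder Explorer hides by default
                reasons.append(f"{key}= target sits in a normally hidden folder")
        elif key in ("action", "label") and SPOOF_TEXT.search(value):
            reasons.append(f"{key}= mimics the built-in 'open folder' AutoPlay entry")
    return ("suspicious" if launches else "benign"), reasons

# Constructed samples (not real-world files): a worm-style autorun.inf that poses
# as the normal "open folder" choice, and a harmless vendor-disc one.
WORM_SAMPLE = r"""[AutoRun]
open=RECYCLER\update.exe
shell\open\command=RECYCLER\update.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
padding junk that a strict INI parser would choke on
"""
BENIGN_SAMPLE = r"""[AutoRun]
icon=setup.exe,0
label=Vendor install disc
"""
```

the same lenient parsing is why a strict INI library (or a signature that expects a clean file) is the wrong tool for this check.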

as such, without clear evidence of intent (and i've yet to hear about any such evidence nearly a month later), occam's razor dictates that we have to assume it wasn't an intentional act by a foreign intelligence agent ($deity help us if the military of the most powerful country in the world sees fit to ignore occam's razor). the supposed foreign agent is most likely imaginary and the military has spent the past 2 years engaging in make-believe. all that time, effort, and money that went into buckshot yankee and the development of the cyber command would have been better spent on overcoming their skills deficit and the institutional issues that allowed that deficit to persist.

that is of course unless the department of defense is actually telling us a partial fiction and the cyber command arose out of early speculation that a foreign power might be involved. i imagine, however, that they'd have a much harder time selling the new budgetary requirements for such a development on speculation alone, so an imaginary foe would have been required, and a virus infecting classified systems would have provided excellent context for selling that story.


Brad said...

Since when is Occam's Razor a universal law for choosing between explanations? Has a philosopher proved it and I missed it? I don't care which explanation is simplest; I want the one that's correctest.

The common interpretation of the Razor (which is different from the Razor itself) is, at best, a handy heuristic for guiding investigation into multiple possibilities. At worst, it's an excuse people use to be lazy.

kurt wismer said...

seriously? ok fine, occam's razor is garbage, there was a foreign intelligence agency at work. it was the martians who did it.

occam's razor isn't a hypothesis or theorem that you prove. it's a maxim, much like shannon's maxim.

yes it's an imperfect guide to finding the right explanation for things, but in spite of being imperfect it is still very good at its job. it eliminates explanations that invoke assumptions for which there is no basis and usually only steers us wrong when there are facts that are not yet known or accounted for.

and since i started that paragraph with a caveat for the razor's use, i stand by that usage WITH that caveat.

Charles Jeter said...

Hi Kurt,

Great perspective, however there is no hard and fast Occam's Razor solution to intelligence / counter-intelligence. The beautiful part about weaponizing the web is that attribution is super difficult. Even if you get it back to a person, proving they're involved up to their eyeballs with an actual nation state, terrorist cell, or cybercrime organization takes a trip right back into the physical realm. So you have to have super net detective work combined with real world intelligence, and the sad part is most of one half or the other is classified by one agency or the other.

Just like the days prior to 9/11, the right people often can't or don't talk to the other right people.

There's another side which often fits investigation: when you've exhausted all the leads except for the wild ones, the wild ones may indeed be true, no matter how oddball they may be.

And finally, to discount the existence of a real intelligence threat via the web is flying in the face of virtually every dotgov and dotmil person who has the clearance to put the attributions together. San Diego's US Attorneys prosecute the most computer intrusion cases out of 94 districts in the US and two years ago they and the FBI had some pretty hard facts to disclose. We have some of that panel discussion on tape over at youtube/securingourecity - look for the nine minute long video.

Additionally, in April I covered a lot of the challenges in my blog post 'From Megatons to Megapings' over at ESET's Threat Blog:

Key Analysis: Continued Confusion
Expect some legislature to be proposed (and to most likely die horribly) to give the FCC authority to regulate the ISPs. Expect the tinfoil hat crowd to always speculate that any cyberwarfare attempt is really a ‘false flag operation’.

Regarding attribution of attacks, expect controversy whenever anything occurs and mass confusion to rule in case there are megapings. I recommend watching PBS Frontline’s Cyberwar or at least reading the transcript.

Disclaimer: I write this on my own, etc. etc. nobody else is responsible, etc. etc. from my company. My intent is to get a true dialogue going and Kurt seems like a hell of a guy to do it with.

kurt wismer said...

@charles jeter:
just to be clear, i don't discount the existence of a real intelligence threat in cyberspace - i should hope my posts on cyberwar and cyberwarfare make that abundantly clear.

my problem is with the particulars of this specific case. the malware in question was a run of the mill member of a fairly large malware family, and it happens to be a type of malware that spreads quite successfully all on its own without intentional assistance. a foreign intelligence agency wasn't required in order for the reported outcome to be realized - it could very easily have been the result of the malware's own natural spreading capability.

if they caught the guy responsible, or even if they just got his computer and found evidence on it that he intentionally prepared an infected USB drive, then fine, i'll accept the explanation that a foreign agency was involved. but i haven't seen anything reported that would even hint at the involvement of someone acting with intent.

that lack of reporting, combined with the military's obvious inability to handle basic malware threats in the first place makes me think they have read far too much into the compromise of their systems.

Charles Jeter said...

Hi Kurt,

Thanks for your reply. At the point of trust with the reporting agencies, this falls into two categories, one of which each of us falls into:

Those that believe the government tells the truth.

Those that don't.

Without forensic analysis results actually being posted, there's no way to actually tell exactly when the USB drive was inserted.

Without physical security access logs from the site in question, or the sworn testimony of those involved (PC owner if it were a laptop, etc.) there's no way to tell exactly when the physical security exposure took place.

Without an actual confession from a foreign agent provocateur, there's no way to tie the whole thing up without doubt.

What we're left with at the end of the day is whether we believe those who've passed on the knowledge, in this case the Assistant Secretary of Defense, or we don't believe them.

I, for one, believe in as much transparency as permitted, but the caveat to the intelligence game is in protecting the resources (HUMINT) or methods (SIGINT) used to get the conclusions. "Need to know" reigns supreme or the counter-intelligence workers have a much much harder job tomorrow.

Great dialogue! Thanks for the opportunity.


kurt wismer said...

@charles jeter:
while it's true that you can delineate people on the basis of whether or not they think the government tells the truth, i put forward the possibility of falsified reporting in the last paragraph of my post only as an alternative explanation for those who didn't care for the picture i was painting throughout the majority of the post.

i like to give people the benefit of the doubt when it comes to the issue of deceptive behaviour - 'never attribute to underhandedness what can be adequately explained by incompetence'

while i offered the possibility that the government was telling a half-truth, the main thrust is that i believe they don't know what the heck they're talking about and are chasing fairytales. they didn't understand the malware threat at the beginning of the incident (otherwise they would have already disabled autorun as a result of viruses in space) and i suspect that ignorance remained throughout. perceptual biases endemic to that environment pointed them towards the wrong conclusion, and their lack of understanding of the malware threat meant they lacked the checks and balances that would have otherwise corrected their course.

Anonymous said...

I was a bit surprised to see reactions here. Given what little has been disclosed about the incident, and given some technical knowledge on how such USB-borne malware works, I'd also default to an opinion that no foreign intelligence master plan was in action. I don't see how that is a hard conclusion to see. Maybe I don't watch enough James Bond or crime thrillers or 24...

...fine. I can see how we might need to entertain the idea of some more complex series of events being the cause. I mean, it's a *safer* approach, right? That bump at the window during a windy storm was probably a branch, but did you *know* it was?

At that point, I guess it all depends on how much you want to invest in that investigation...me not being a part of a government or organization with national secrets ties probably has less tolerance (in money, time, and risk) to investigate such things very deeply. :)

But still, it was silly to start equating that USB-malware episode to be the birth or even just a catalyst to the Cyber Command. It trivializes the whole thing and makes them out to be rather unintelligent. Careful, sure, but careful would have been anticipating this many years ago. Many.


kurt wismer said...

i think you and i are on the same page. i agree that the possibility of foreign agency involvement needs to be investigated, but if you're going to report to your superiors and the american people that one was involved you really need to provide some justification for that claim.

as for them being careful - mere months earlier a similar piece of malware was spreading on the international space station and it was big news - careful would have been having defenses in place beforehand, thanks to the demonstration by another government agency of how virulent such a threat can be. it's almost like they were living in their own little world and weren't paying attention to what was going on around them.
