Friday, December 29, 2006

Hard Rain Journal (12-29-06): Stalking Cyber Terrorists in Sofia, Secrets Stolen/Fortunes Lost, Ten Years in the Wilderness -- An Existential View

Image: Statue of St. Sofia in Sveta Nedelja Square, Sofia, Bulgaria

[NOTE: I do not write much about my cyber security work on this blog. But for the last two years, my friends and colleagues at Peltier Associates have asked me to contribute to their Year in Review publication. Here is an expanded version of the piece I wrote for this year's edition.]

By Richard Power

There I was, standing in the dark of night, on a deserted street in Sofia, with Romania to the North, the Black Sea to the East, Greece and Turkey to the South, Macedonia and Serbia to the West.

I felt the whole of it pulsating underneath me – strata below strata spiraling backward -- eight thousand years of the human struggle to live, to live free and to savor this life, eight thousand years: a strange swastika made of frog legs carved into the stone by some unknown ancient culture, its name lost long ago, then the Thracians, who gave us the Orphic Mysteries, and after them wave after wave of conquest, migration and melting pot -- the Roman Empire, the Bulgar tribes, Ottoman Empire, the Nazis, the Soviet Red Army and now the Economic Hit Men of the West.

Eight thousand years swirling in a single breath.

The richness and potency of this incredible saga is embodied in the statue of the voluptuous goddess Sophia (a.k.a. “Saint Sofia”); she carries a bird of prey on her right arm and an olive branch in her left hand, and stands on a high pedestal overlooking downtown Sofia.

Not far away there is a cathedral with seven bells. The bells were forged from the bullets fired in the great battle for independence from the Ottoman Empire. When those bells were tolled for the first time they shattered all the windows in the vicinity of the cathedral.

Why was I in Sofia?

I was there to speak at the NATO Advanced Research Workshop on Cyber Terrorism as a New Security Threat.

The two-day event was hosted by Bulgaria’s Center for Law of the Information and Communications Technologies (CLICT), in collaboration with the Computer Crime Research Center (CCRC), which is based in the Ukraine. The workshop provided a forum for researchers and practitioners from NATO and Partners for Peace countries, particularly new NATO member states (e.g., Bulgaria) and potential NATO member states (e.g., Ukraine).

Participants exchanged ideas, established personal contacts and explored avenues for future cooperation.

Stalking Cyber Terrorists

[NOTE: Here is an excerpt from "Stalking Cyber Terrorists in Sofia," co-authored by my friend and colleague Dario Forte (who also spoke at the NATO workshop) and me for our monthly column, War and Peace in Cyberspace, in Elsevier’s Computer Fraud and Security Journal. The piece is based on our presentations in Sofia.]

We cannot afford to assume “Cyber Terrorism” won’t occur because it hasn’t (or perhaps merely because it hasn’t been acknowledged to already have happened).

In regard to the Who and Why of Cyber Terrorism, my intelligence analysis offers a rather different perspective and prioritization for the list of usual (and unusual) suspects:

• Jihadists bent on delivering crushing economic and psychological blows
• Nation States, i.e., hegemons and rogues, bent on distracting and debilitating the adversary
• Cults and loners bent on hastening the apocalypse, or tearing down the social order
• Criminal elements bent on extortion or reprisal
• Corporate enemies bent on foiling competitors
• Political enemies bent on subverting democratic institutions

Although most conventional wisdom focuses on cyber terrorism related to Jihadists or Nation States, in our view, it is quite likely that the world will experience acts of Cyber Terrorism perpetrated by cults and loners in furtherance of their bizarre world-views.

The Aum Shinrikyo (Supreme Truth) cult, which was responsible for the 1995 Sarin gas attack on the Tokyo subway system, and Theodore Kaczynski (aka the Unabomber), who was responsible for sixteen letter bomb attacks over a span of years from 1978 until 1995, exemplify these threats.

Perhaps the most extraordinary twist in the Aum Cult story is that it didn’t end with the capture of Shoko Asahara and other cult leaders. In 2000, the BBC reported: “Japan’s Defense Agency delayed deployment of a new computer system after discovering that it used software developed by members of the Aum Shinri Kyo cult. The Defense Agency was only one of 90 government organizations and private companies that unknowingly ordered software produced by the cult.” (BBC, 3-1-00)

As recently as September 2006, the cult was still a source of concern: “Japanese security officers today raided 25 offices of the doomsday cult behind the 1995 Tokyo subway nerve gas attacks, after its founder lost a last appeal against his death sentence. ‘Since his death sentence was finalized, we are afraid that his followers may possibly plan something illegal,’ said a Public Security Intelligence Agency spokesman....” (The Australian, 9-16-06)

Just as the story of Aum Shinrikyo provides a stunning example of what a cult bent on wreaking havoc and mayhem could do, using Cyber Terrorism as a tool, the remarkable tale of Ted Kaczynski, the Unabomber, illustrates what one profoundly disturbed individual can carry out on his own. Working without accomplices, living in seclusion in a shack in the mountains of Montana, without a telephone or a car or electricity or running water, Kaczynski eluded a nationwide FBI manhunt for many years.

All the while, he never betrayed himself, even as he crafted meticulous letter bombs and delivered them, undetected, to commit numerous acts of murder and attempted murder -- until he sent his “Unabomber Manifesto” to the newspapers for publication, and in reading it David Kaczynski thought the ideas and writing style bore a striking resemblance to his brother’s.

Imagine what a Cyber Unabomber could do using Cyber Terrorism to target critical infrastructure. Imagine how long he could elude identification and capture.

Just as plausibly, I also suggested we could see acts of Cyber Terrorism come from elements of organized crime -- either in pursuit of profit or in an effort to intimidate governments and societies.

Consider this excerpt from a recent news story:

Cyberscams are increasingly being committed by organized crime syndicates out to profit from sophisticated ruses rather than hackers keen to make an online name for themselves, according to a top U.S. official….Christopher Painter, deputy chief of the computer crimes and intellectual property section at the Department of Justice....The FBI estimates all types of computer crime in the U.S. costs industry about $400 billion while in Britain the Department of Trade and Industry said computer crime had risen by 50 percent over the last two years....A growing worry is that cybercrooks could target emergency services for extortion purposes or that terrorists may be tempted to attack critical utility networks like water and electricity. Painter said there was a recent case in the U.S. where two young hackers inadvertently switched off all the lights at the local airport. (Reuters, 9-15-06)

Secrets Stolen, Fortunes Lost

The NATO event was one of the highlights of a seven-venue speaking tour, which also included keynoting the Santa Fe Institute’s Adaptable and Resilient Computing Conference (ARCS), moderating an expert panel on incident response and crisis management at Emerging Trends in Information Security & the Law: “Plausible Deniability is Dead,” sponsored by Georgetown University Law Center and the Information Systems Security Association (ISSA), and playing the role of the Chairman of the Joint Chiefs of Staff for The Day After: 2010 (an updated version of RAND’s historic war game) that the Pentagon’s Jim Christy conducted for his graduate students at George Washington University.

I also keynoted at Secure Computing Magazine’s SC Forum in Silverado, California along with another collaborator, Christopher Burgess, who recently retired after a distinguished thirty-year career in the Central Intelligence Agency, which included service as Chief of Station and Senior Operations Officer.

Our SC Forum presentation was based on our shared interest and exploration of the issues of economic espionage and intellectual property theft.

In March 2006, we published a four-part series, Secrets Stolen, Fortunes Lost: How Economic Espionage & Intellectual Property Theft Destroy Businesses & Endanger the Global Economy, for CSO Magazine:

Economic espionage is as real a threat as terrorism or global warming. But it is subtle, insidious and stealthy. Even if the United States finds the will to come to grips with the many threats it faces, this silent, invisible hemorrhaging of intellectual know-how and trade secrets could deliver the death blow to our pre-eminent place in the global economic world before we even wake up to the magnitude of the danger....USA could win the war on terrorism, overcome the challenges of global warming, balance the federal budget, strengthen the United Nations, end global armed conflict and restore our edge in science and engineering, and still end up behind China, India, Japan, Russia or Brazil in several vital sectors of the economy, and at a serious, if not fatal, disadvantage within the global marketplace.

In Secrets Stolen, Fortunes Lost, Burgess and I articulated two misconceptions we found prevalent among corporate executives and security professionals:

Misconception #1: The threat of economic espionage or trade secret theft is a limited concern, i.e., that it is only an issue if you are holding on to something like the formula for Coca-Cola or the design of the next Intel microprocessor. The case studies included in Secrets Stolen, Fortunes Lost illustrate the fallacy of thinking that this threat is someone else’s problem.

Misconception #2: Another great misconception, held by many of those business leaders who do acknowledge the danger to their trade secrets and other intellectual property, is that the nature of this threat is sufficiently understood and adequately addressed. Often, on closer inspection, the information protection programs these business leaders rely on are mired in Industrial Age thinking, i.e., they have not been adapted to the dynamic and dangerous new environment forged by Globalization and the rise of the Information Age.

One Step Forward, Two Steps Back or Two Steps Forward One Step Back?

It was poignant for me to conclude my 2006 tour at Eugene Spafford’s Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University in West Lafayette, Indiana.

At CERIAS, I delivered One Step Forward, Two Steps Back or Two Steps Forward One Step Back? A Ten-Year Retrospective on Cyber Crime & Cyber Security 1996-2006. The presentation, the same one I delivered at the Santa Fe Institute, explores the ground gained and the ground lost in the battle for cyberspace since those historic US Senate hearings on “Security In Cyberspace,” chaired by Sen. Sam Nunn (D-GA) and held over a decade ago.

At the Nunn hearings, I testified on the nature of the threat and on the importance of awareness and education:

Human beings are building systems, deploying them and breaking into them. So it is human beings that we have to reach in terms of training, awareness, and understanding their responsibility, not only to their corporations, or to their own job security, but to their country, and to the world.

I also invoked the names of some heroes, most notably Eugene Spafford, who were, with dedication, integrity and clarity of mind, making a profound difference on the side of the Good.

Well, here it is, over a decade later, and awareness and education are still under-funded, under-tasked, under-utilized, largely misrepresented, misused and misunderstood; and Eugene Spafford is still out there fighting the Good Fight.

For a ten-year retrospective roundtable Dario and I conducted for Computer Fraud and Security Journal, I asked Spaf three big questions:

#1: Where are attacks and countermeasures today vis-à-vis ten years ago, or even five years ago? What are you seeing out there today that surprises you?

SPAFFORD: “What is surprising is that the countermeasures we are using are basically the same as a decade ago. We have not advanced much in that regard -- the technology has simply become more widespread, and a little more robust. The threats have gone from proof of concept and "hobbyist" to very wide-scale, organized criminal activity. Instead of bragging rights, the goal is now widespread, major fraud. What also surprises me is how we have seen business and government standardize on what may be the most vulnerable products and configurations rather than promoting research, diversity, and investing in safer products.”

#2: What kind of evolutionary or revolutionary spirals can be expected in attacks for the next two to three to five years?

SPAFFORD: “I expect to see continued development of software that is highly stealthy and incredibly difficult to remove once present. The criminal activities we are seeing now will escalate as world population increases. Furthermore, I think we'll see some competition and maybe even consolidation of the criminal groups behind all this. The online population will grow, provide more fertile ground for crime -- and for growing criminals. I think we'll see more cases of extortion of one kind or another, perhaps including threats against other kinds of businesses (it is primarily against financial institutions right now). We will see growing international issues, both for countries that are threatened, and for those that harbor cyber criminals.”

#3: In general, in terms of cyber security and cyber crime, would you say "one step forward two steps back" or "two steps forward one step back"? Or would you characterize it some other way?

SPAFFORD: “It's almost like we are making no steps. We have kept adding new technologies that are dangerous, seen our decision-makers choosing the path of least cost but significant danger, and they have consistently applied band-aids for the most current threat but failed to heed long-term advice, or provide investment for research to really break out of the rut they have gotten into.
Overall, I'm not very optimistic about the future.”

Yes, it was a poignant moment, just as poignant as standing on that dark street in Sofia and feeling eight thousand years swirling under the earth beneath me.

Although I still write and consult extensively on cyber security, my work has expanded to other dimensions of the risk and threat matrix; I now also write and consult on crisis management, counter-terrorism, the security implications of global warming, sustainability and other environmental issues.

But it all started for me in the wilds of cyberspace.

Stephanie Salter was an Op-Ed page columnist for the San Francisco Examiner, back before it decided it didn't want to be a real newspaper anymore. Now she is home in Indiana, where she writes for Terre Haute's Tribune Star (that's where most of the real journalism is now, at the local and regional level).

Salter covered my talk at CERIAS, and here are a few excerpts from her piece:

When people ask Richard Power what cyber security concerns we should have, he usually asks them questions. A favorite set of queries is this:

“What if the last thing you heard and saw was the second plane going into the World Trade Center? Then your TV screen went blank and your land line and cell phone wouldn’t work? What if the FAA hadn’t been able to communicate to land all those planes that were in the air?”

Such total chaos is unthinkable for most of us. Power says it is entirely possible — with no new technology necessary.

“Using all known methods available, those things can happen now, today,” he said. “And it doesn’t have to be some trans-national, high-financed terror institution. A cyber Unabomber or Timothy McVeigh, working with a couple of people, could do this.”

The really scary news: To Power and many other information security wonks, cyberspace is only a sliver of the big glass ball of vulnerability we call contemporary life.

Just ask them about global warming.

I have known Power since the mid-1980s when he was among many PC software pioneers who made the San Francisco Bay Area a magnet for cyber creativity. About 15 years ago, he turned his attention to information security....

His short conclusion: From first-responder systems to computerized vote tabulators, the world has not spent a very productive decade trying to close its windows of cyber vulnerability. Money? That’s a different story. Billions have been spent with little to show but a new wealthy class of information security consultants and product marketers selling mostly “hokey” solutions....

The lack of progress since 1996 is not due to a skill shortfall in cyber space, he said. Rather than juvenile or show-off “martial arts” hackers, disgruntled former employees or even terrorists, the worst enemy of public and private information security forces lurks within business and government structures.

High within.

“It’s leadership failure on every level. Corporate and government failure of leadership is our most dangerous adversary,” Power said.

The failure is evident in the particular: the cyber security czar was downgraded from a White House position to just one of the crowd at Homeland Security. And it is evident in the general: multi-billion-dollar corporations tend to apply a return-on-investment approach to information security.

“I ask them, ‘Do you consider return on investment with your sprinkler systems? With fire escapes?’ Of course they don’t,” Power said. “You think this is different?”

...After the Purdue event, I asked Spafford how many information security experts share his and Power’s general view.

“No more than 50 in the United States have this big-picture view and perspective of history,” he said.

Generally not among that group are folks with the purse strings, corporate and government officials who fund research — or don’t. Less money than ever is going for genuine cyber security research.

Stephanie Salter, “What if we don’t fix cyber,” Terre Haute Tribune Star, 12-2-06

Richard Power writes and consults on Security, Sustainability and Spirit. For more information, go to Power blogs at With Dario Forte, Power co-authors a monthly column for Computer Fraud and Security Journal (Elsevier). Power also contributes a monthly column on crisis management, travel security and personnel security issues for the Research and Technology Protection (RTP) program on the FBI InfraGard site.
