JHU/APL Rethinking Seminar Series
Rethinking Global Security Constructs, Threats and Potential Responses
www.jhuapl.edu/rethinking

18 February 2016
Colonel Michael Brown (USMC, ret), Johns Hopkins University Applied Physics Laboratory
Rethinking Cyber Warfare

Notes:
1. The opinions expressed by the speaker are solely his own and do not necessarily represent the opinions of the Johns Hopkins University Applied Physics Laboratory.
2. Below are informal notes taken by a JHU/APL staff member at the Seminar.
3. Links to the video, audio, bulletized notes, and any presentation files for this and past seminars can be found on www.jhuapl.edu/rethinking and the JHU/APL YouTube Playlist.

Introduction

Colonel Brown began his discussion of the growing convergence of cyber espionage, cyber crime, and cyber warfare by noting how much cyber has become part of our lives. iPhones weighing only ounces and costing a couple hundred dollars can now be used for running GPS applications, tracking stocks, providing various forms of communication including email, and much more. Only 46 years ago Apollo 11 took to the moon a 75-pound computer that cost about $3.5M and had about 1300% less computing power than today's average iPhone. Given that we can expect major technological leaps forward every 18 months, cyber problems are likely to increase.

Cyber Case Studies

The Maroochy Shire Incident (Australia, 2000)
- A computer expert, Vitek Boden, who was turned down for a government job near Brisbane, decided to take revenge using only a notebook PC and a radio transmitter
- Boden had been working for a company that installed SCADA (supervisory control and data acquisition) systems for a local wastewater facility
- In a 2-month time frame Boden was able to take control of the wastewater facility 46 times and spilled over 250,000 gallons of liquid human waste into a nearby river, causing $1M in damage

Stuxnet – The Gold Standard in Cyber Attacks (Iran, 2010)
- What made Stuxnet so effective and so dangerous was that it was designed like nesting dolls, with several key components having probably been introduced from a thumb drive
- Basically, a worm that was capable of propagating itself entered the SCADA system which controlled about 19,000 centrifuges involved in uranium enrichment
- Two rootkits were also installed – one to hide the malicious code which was put into the operating system and one so that operators could not see what was happening with the centrifuges
  o Operators believed that the equipment was working correctly, but the centrifuges were made to spin at a much higher rate than normal
- As a result, thousands of centrifuges were ruined

Saudi Aramco (Saudi Arabia, 2012)
- Believed by some to be Iran's response to Stuxnet
- The oil conglomerate's computer network was struck by a self-replicating virus that infected and ruined up to 30,000 of its 50,000 computers
- A month later Wall Street firms started seeing similar denial of service attacks
  o The situation got so bad that the US military offered to help
  o Little came out publicly since the firms didn't want to scare investors and depress the market

Other Threats
- Edward Snowden in 2013 took vast amounts of NSA material to Hong Kong, provided it publicly, and is now living in Russia to avoid his indictment under the 1917 Espionage Act
- Russia has apparently launched cyber attacks against Ukraine and other foreign entities
- A young hacker used social engineering to get into the private email accounts of CIA Director John Brennan
- Bottom line: This is the new norm and will be getting worse as our world and our electronic devices become more interconnected, giving adversaries more opportunities

Cyber History
- 1930s: Alan Turing proposed concepts that would lead to computers and the internet
- 1946: The US Ballistics Research Lab built the first operational computer to help with artillery calculations
- 1960s: ARPA, UCLA, and Stanford found a way for early computers to talk to each other
- 1970s: Personal computer modems, the Apple II with a color interface, and a keyboard and mouse were introduced
- 1979: NORAD accidentally loaded exercise tapes into their computers, making it appear to operators as if thousands of Soviet missiles were on the way
- 1983: The movie WarGames came out
  o Then: no one knew what a hacker was, and the lead actor in WarGames was told his character was to be bright but unmotivated
  o Now: We must deal with hackers who are extremely bright and extremely motivated
- 1984: Tim Berners-Lee invented the world wide web
- 1991: First web page was written – now there are over 30 billion webpages
- 2000: Internet had 360 million users, with the number growing to 2 billion by 2010
- 2008: Malicious worms appeared, but the game changer was the 2010 Stuxnet – a weapon that no one has yet claimed, showing that we can no longer be sure who the adversary is because all was happening in code
- 2009: US Cyber Command was established
- 2013: Joint Staff agreed to a Cyber Mission Force of about 6,300 cyber warriors, probably in response to the Saudi Aramco and Wall Street cyber attacks—at a time when the overall forces are being drawn down

Cyber Adversaries
- Most sophisticated: Russia
  o Big problem is that those attacked may not even know the Russians are in their systems
  o Russian hackers have created a variety of problems in Estonia, Ukraine, Georgia, etc.
  o Putin just added $500M to the military budget to increase cyber capabilities
  o Russian hackers are using these denial of service attack attempts to test what they could do against the West
- China has the next best capabilities but has been concentrating on stealing intellectual property
  o Best example is the very close resemblance between China's newest fighter jet, the J-31, and the US Joint Strike Fighter
- Iran has carried out attacks mostly in the financial and utilities sectors
- North Korea is best known for the attack against Sony Pictures and has recently added 6,000 more people to its cyber attack efforts
- Lesser tier
  o Syrian Electronic Army since 2013 has attacked the Associated Press, the White House, Facebook, and others
  o Non-state hacktivists have caused a growing number of problems, especially the group Anonymous
- Lowest tier
  o Problem: Distinctions between hacktivists and state-sponsored actors have been blurring
    * Russia in particular has used hacktivists as cut-outs for its actions
    * Likely to see more of this
  o ISIS was effectively using Facebook and Instagram for comms and C2 of operations
    * Then moved to PlayStation once they knew they were targeted on Facebook
    * Their success in drawing young people to their views is aided by the fact that young people are so completely tied into using these social media systems

The Operating Environment: Crime vs. Espionage vs. War – Blurred Lines and Motivations
- The Obama Administration defined cyber warfare as activities that would have a significant consequence
  o However, the attack on Sony Pictures, allegedly by N. Korea, was not considered war even though it did cause significant consequences to a large multi-national organization
    * Complicated by the difficulty of proving that the culprits were N. Korean
  o For retaliation, we normally use proportionality and discrimination – a concept that works in the laws of war but can't really be used in the cyber domain
  o Adversaries may also use cut-outs, which may be operating across the globe from where the attack was perpetrated
- US response capabilities
  o The first slide below identifies government entities and their roles in the cyber domain
  o The second slide details DOD entities in the cyber domain and their relationship to one another
  [Slide 1: government entities and their roles in the cyber domain – image not reproduced in these notes]
  [Slide 2: DOD entities in the cyber domain and their relationship to one another – image not reproduced in these notes]
  o FBI has world-class cyber capability for cyber forensics when conducting criminal investigations, especially in its NCIJTF and the cyber unit of the New York Field Office
  o Department of Homeland Security is also doing good work and has been given permission to establish 48 cyber protection teams under the new Cyber Security National Action Plan
    * Expect to see DHS take a more proactive role in cyber
    * Principal role is to protect the .gov entities and work with .com and other public and private partners
  o DoD established Cyber Command, and its commander is also the Director of the National Security Agency
    * Also moving cyber efforts from the Title 50 domain to the Title 10 domain
    * National Mission Forces work under Cyber Command
    * Each of the services' cyber components has Cyber Mission Teams (CMT) for offensive operations and Cyber Protection Teams (CPT) for defensive operations
    * Already have 133 cyber teams – including some in the Coast Guard
    * For their 15,000 networks the Services already had Computer Network Defense Service Providers (CNDSP)
    * Now the CPTs are permitted to do interior patrolling and to take actions to find and root out adversaries within networks – game changer
    * CPTs now will also support cyber requirements of the Combatant Commanders
- Protecting the Combatant Commanders (COCOMs) involves combining cyber with all of the traditional domains (air, sea, land, SOF, etc.)
  o Concept has only been exercised once
  o Exercises once involved specific locations (latitudes and longitudes) to identify areas of concern
    * Now must worry about areas of interest and influence, which could be worldwide and cross COCOM boundaries
    * Will often find the source server far from where the action is taking place
  o Exercise Cyber Flag 2014 was designed to build new ways of working jointly to face cyber threats

The Way Ahead – What DoD Needs
- DoD needs a permanent cyber exercise environment
  o DoD has specific exercise areas for the various domains (land, sea, air) but has nothing similar for cyber
  o Cyber Flag 2014 established a network to work cyber problems, but it was disestablished once the exercise was over
    * Although a decision to establish such a training environment was made in 2014, it has not yet been implemented
    * Portsmouth, VA, appears to be the most likely location
- In the cyber fight the US lacks operational level art and design
  o At the strategic level there are already established policies, guidelines, and most of the needed authorities
  o At the tactical level DoD already has very good cyber operatives, especially on the defensive side
  o US lacks that middle operational art level and so needs:
    * A better understanding of adversaries' command and control: would allow the Combatant Commander to fight against the adversary's forces more directly
    * Must figure out how to make the own-force connections that are necessary
    * Better planning: determine how to bring cyber into the joint operating planning process
    * Effects based operations was at one time a central concept and then discarded, but now must consider what effects cyber actions can create
    * Sometimes it is too difficult to explain to non-technical leaders what will be done with some binary code, so need to look at the effects
      - Instead must describe the tactical effect, such as degrading the adversary's systems in certain ways
    * Must avoid getting too bogged down in technical jargon
- DoD must fight as it trains – learn to be resilient
  o Need to be able to fight in a degraded electronic environment
    * Too often take perfect comms capabilities for granted
    * In wartime should expect to lose GPS and have limited C2
    * Need again to train to use old HF nets, paper and pen, celestial navigation, etc.
  o Expect the adversary to attack cyber elements because they are the source of US strength
- DoD needs to step up its recruiting and training of cyber warriors
  o Type of recruits the military usually gets is not what they need for cyber duties
  o Will need cyber warriors who are nefarious – not the type to make it through normal military screening for morality and behavior
    * Need defenders who first can think as attackers do
    * Must figure out how to get such hackers out of their basements
  o DoD must be willing to pay cyber warriors what industry would pay for the same qualifications
  o Must train all recruits to think critically – not just go by the traditional checklists
    * Need critical thinkers at the E-4/E-5 level; can't wait for them to mature
    * Now don't get much critical thinking training until field grade
    * The younger these recruits are, the better it will be for DoD
- Bottom line: Need improved cyber C2, planning, resiliency, recruiting and training
  o DoD is making progress but not enough

Way Ahead Nationally – Protecting the US Center of Gravity, the Economy
- Attacks against systems supporting the economy went up by 1700% between 2011 and 2013
  o Adversaries know where they can attack the US, so need to shore up the weak spots
- Laws needed to expand functions have been sitting in Congress since 2013 waiting for passage, while adversaries are not waiting to exploit US systems
- Improved integration is needed between DoD, Homeland Defense and the FBI
  o Apple's refusal to crack into the San Bernardino terrorist's phone had more to do with stockholders' concerns than the government's or civil liberties
    * Problem: How can the government work with industry without sacrificing individual civil liberties?
- JHU/APL held a 4-day tabletop exercise to help integrate DoD, FBI, and DHS so that they could work better together
  o Such exercises need to be held more often than once a year
  o Industry players must also be invited in as partners

Protection of Civil Liberties
- Situations and capabilities are moving very quickly
  o Example: A high school senior with a cell phone app to disrupt Bluetooth devices repeatedly shut down the projector in a class he found boring until the unaware teacher ended the class
- Given the tremendous growth of cyber capabilities, how much license will the American people give to the government to take action?
  o Big debate has already been raging at NSA for years
  o The current FBI/Apple issue may be the catalyst for the necessary discussion

QUESTION & ANSWER SESSION

Re: FBI & Apple Dispute over Opening a Terrorist iPhone
- FBI sees the situation as a criminal matter
- Phone was owned by the terrorist's government employer, making the situation more complicated
- Generally would side with Apple since opening the phone would make everyone more vulnerable
  o It's a good thing that iPhones provide individual users another level of security
  o The FBI should find other ways to crack the case

Re: Using Cyber Means in War
- In cyber warfare don't need to go computer versus computer
  o Need to identify the adversary's center of gravity and go against whatever supports it in the best way possible
  o Best way may be the SCADA system, but young cyber operators may not be that familiar with such systems
    * Need to go to very nuanced and skilled training to get that understanding
    * SCADA understanding should be in cyber operators' immediate vernacular
- Example: Should not go after N. Korea's missile launch systems but against the SCADA and other systems which support the missile systems
  o Missile would then be useless
  o Need to determine how to train cyber operators to work in this area
- Example of a potential asymmetric use of cyber: In 2003 a powerline in Ohio caused a problem that cut power for two days because of a SCADA glitch
  o Had an impact on 8 states and part of Canada, costing the region $6B in lost revenue
  o A carefully designed cyber attack could have an immense asymmetric impact
  o Most people aren't prepared to be without power even for a few days after storms
  o Long term degraded utilities could cause anarchy
- Massive transformers are the backbone of the power system and hard to replace
  o 75% of these devices are now made overseas, mostly in China, and take 6 months to build
  o May take 22 days to transport across the Pacific and then would need special rail cars to carry a new transformer that could weigh 400,000 to 600,000 pounds – very slowly
  o What would the environment look like while waiting so long for a new transformer?
- Former SecDef and former CIA Director Leon Panetta warned that it might take a cyber Pearl Harbor to push the US to do more to be prepared

Re: Hybrid Warfare
- Russia appears to be writing the blueprints on how to carry out this type of war
- Goes beyond denial of service attacks and social media exploitation to very sophisticated cyber capabilities
- Russians are better at Operational Art
- The US is hindered because it follows international rules of law and its own laws, while Putin doesn't need to follow any

Re: Identifying Cyber Crime vs. Espionage vs. Warfare
- Experience has shown that we generally start out considering cyber incidents as a criminal activity unless it can be traced to a specific adversary, probably determined by FBI forensics operators
- Edward Snowden's activity began as a crime that moved into espionage
- Could use the same way of thinking that the Supreme Court did in 1984 on obscenity: I can't define it, but I can recognize it when I see it
- Need to identify the motivation behind cyber incidents to determine which entity will handle the response – FBI if crime; NSA or DoD if determined to be a cyber attack
- What the Administration chooses to consider an incident will have significant consequences
  o Loss of life would be considered significant
  o Could use monetary consequences as a method to decide when to shift from one to another, but what would the threshold be?
  o The attack on Sony was more about a loss of intellectual property

Re: Need for a Cyber Force
- A separate cyber service is not necessary since it is important that each of the services brings its own culture and way of thinking to the cyber domain
- The concept of Space Command becoming a service was talked about a great deal, but nothing happened there, although some talk still lingers
  o Something similar may happen in cyber
- More important is inculcating cyber training throughout the services from the entry level
  o The Marine Corps is now only talking a little about cyber at the O-3/O-4 level
  o Need to begin teaching cyber understanding starting with recruits
- Cyber Security National Action Plan was just released and contains a call to arms for the country to get more involved in cyber, including building interfaces between government and industry
  o Includes incentives for college students to get more involved in cyber security, even funding opportunities for those getting degrees
  o Actually need to begin building an understanding of cyber issues in grade school – make them sexy enough for well-qualified high school students to take an interest in security

Re: Foreign Nationals at Universities and Individual State Threat Intel Fusion Centers
- Foreign nationals pay a great deal more than US students to attend college, so we will have to expect to continue seeing foreign nationals in American universities
- More importantly, there should be greater efforts put into the state-supported threat intel fusion centers that all states were to build after 9/11
- Not all have, but Kansas has the best so far
  o Run by the National Guard, it even has SCIF capabilities
  o The FBI also is involved, as are entities of the state and local governments
  o Representatives of the private sector have been invited in
  o On occasion, the center has identified foreign national students who were doing nefarious things, and the universities involved were notified
  o Center could also better protect the Kansas corn and livestock from bio-weapons
  o Kansas should be a model for all the other states
- States may not have enough money to build such capabilities, but they must get started
  o The federal government can't do everything
  o However, if an incident causes catastrophic problems, the states will be the ones to react

Re: Big Data Analysis
- Big Data and the analytic schemes to support Big Data are the future
- APL and other research organizations are working on efforts
- The future is already here, as is cloud computing and what DoD is trying to do with the Joint Information Environment

Re: Cyber Culture vs. Military Culture
- The military is trained to follow all the rules, but that does not work well in the cyber domain
- Cyber warriors need to be trained first as attackers so that they can understand how to defend
  o Currently, DoD is training defenders to be defenders, not to think as attackers would
    * Now giving them toolkits and rules that say use this tool against that malware
    * Instead they should stand back to determine what is the right tool in each case
  o Not giving them the critical thinking training to help identify what the adversary's intent was behind the attack
  o In reconstructing a cyber attack, often find that the adversary has us looking in one direction when the real damage was being done elsewhere
    * Too much emphasis on patching problems when the real damage is being done with less noticeable backdoors
  o May find that there is an operational gain/loss that we don't want
  o May even be best to let an incident play out a little further while watching everywhere for a different incursion

Re: Social Media
- The services are already looking at social media as an element of all-source intelligence gathering
- Example #1: Mass shooting at a mall caused great confusion for hours after the shooter was dead
  o Tweets and texts were coming from all over the mall from people remaining in voluntary lockdown
  o Responders did not know the shooter was dead for some time even though their command center was swamped with tweets and texts
  o APL afterwards came up with a way to gather and sort these info sources as intel and provide information back to those inside the mall by asking people in the mall:
    * Exactly where they were in the mall and what they could see
    * To send pictures from their phones
- Example #2: The 2013 Super Typhoon in the Philippines
  o Great damage everywhere, but phones still worked
  o A US Joint Task Force arrived to provide triage for relief needs
  o Would have been useful to send images of the damage to get a better idea of what supplies were needed and what needed to be done
  o Targeting needs would help cut down the amount of time it would take to get relief where it was needed
- Bottom line: Social media can be used as part of an all-source intel capability
  o Some policy elements need to be worked out to figure out what the military can do using Facebook and other similar systems
    * Likely to be sorted out so that responders can take advantage of existing capabilities
  o Must also look at the way that ISIS is using Facebook, Instagram, Twitter, etc. to run command and control as well as for its fund raising and recruiting
    * Need to know how to get into that system to influence those involved

Re: Recruiting Cyber Warriors with the Proper Ethics and Morality
- May fear that cyber recruits who can think in a nefarious manner about cyber will also be ethically challenged, but strong non-commissioned officers could keep them straight