Scenes from the 2010 Cyberwar between the US and China
Marcus J. Ranum, CSO, Tenable Network Security, Inc.

Joking Aside
• There is a tremendous amount about the “cyberwar” rhetoric that utterly puzzles me
  – I’d like to share my puzzlement with you

The Run Up
• Some historians date the beginning of the cyberwar to May 19, 1998
  – Peiter Zatko (AKA “Mudge”) testimony to Congress claiming “I could take down the entire Internet in 30 minutes”
  – Based on:
    • publication of books like “Hacking Exposed”
    • organizations like SANS training thousands in penetration testing
    • annual DEFCON attendance

The Run Up (cont)
  – People’s Liberation Army commanders determine that they have a “hacker gap” and begin a cyberwar catch-up program
    • First step: recruit and train 180,000 cyberwarriors

Joking Aside #1
• It’s extremely weird that the US is complaining so much about hostile “cyberwar” preparations considering that we’re the most open about:
  – proliferating “cyberwar” technologies (think: Core Impact, Metasploit)
  – training and promoting hacking techniques (think: Hacking Exposed, SANS, DEFCON, pwn2own)

Joking Aside #1 (cont)
  – DARPA is constantly funding research in security technologies (Mudge is now a program manager there)
  – We “own” the search engines (think: what value would there be to knowing what the whole world’s searches look like?)
  – We publish more articles on hacking technique than anyone else

Accusations of Targeting Dissidents
• The Chinese Government is accused of targeting dissidents’ accounts on Gmail
  – Additionally, researchers working on analyzing botnets discover huge botnets with an apparent focus on collecting information on dissident activities

Joking Aside #2
• Meanwhile, it is revealed that every major carrier in the US sells wiretaps
  – What? It’s a profit center

Accusations of Censorship
• China, of course, practices censorship
• Thursday Jan 10 2010:
  – “Hillary Clinton today called on Beijing to hold a thorough and open investigation into the hacking of human rights activists' email accounts”

Joking Aside #3
• Every ISP in the US is required to retain a variety of transactional data in case the US Government wants it
  – I.e.: the FBI doesn’t need to hack, it just asks
  – At least we were smart enough to require the ISPs to retain the information at their own expense

Joking Aside #3 (cont)
• I wonder whose capabilities are more advanced, the US’ or China’s?
  – Either way: it sucks being a “dissident” or a “terrorist” or “online sexual predator” or whatever excuse du jour works to justify government snooping

Joking Aside #4
• I probably shouldn’t even mention USC18:2257
  – Intended to protect children’s eyes from crippling pr0nzography
    • It has been repeatedly found to be unconstitutional, but a mix of administrations’ Justice Departments keep re-tuning it and trying to put it back in place
  – At an enormous cost to taxpayers
• At least we can see online video of Tiananmen Square, though, thank goodness!

Suppressing Dissidents
• March 2008: The US DOD considers hacking WikiLeaks in order to shut it down
  – Chinese Government spokesperson calls US Secretary of State Hillary Clinton “a big fat hypocrite” (OK, that didn’t happen)

The US Fires Back (albeit in a different direction)
• US officials encourage Twitter to stay online in Iran to support organizers of anti-government protests that are using Twitter to coordinate operations
  – The Iranian government is not amused
  – June 2006: Congress targets social networking sites for data retention
    • Presumably the FBI could get access to those tweets, but nyah nyah, you Iranian secret police can’t have ‘em!

Joking Aside #5
• March 2010: Iran arrests 30 in US-inspired “cyberwar”
  – Twenty-nine websites hacked to prevent further espionage; the Iranian government says, among other things, they were distributing US-made anti-censorship software
    • I wonder if it was TOR, or what?

180,000 Script Kiddies
• Classified FBI report on Chinese cyberwar capabilities is shown to a reporter
• Note: Yes, the FBI is in the business of leaking its own classified materials
  – Report alleges 180,000 Chinese cyberwarriors
  – Report alleges these spies launched 90,000 attacks last year

Joking Aside #6
• That’s 1/2 attack per cyberwarrior!
• Thought:
  – they should download Metasploit
• This is unbelievably lame! Are they going to do a human wave attack?

Charges of Cyber Economic Espionage
• Too many instances to cite; tremendous concern voiced in Washington by the FBI and others regarding Chinese cyberespionage aimed at economic information

Joking Aside #6
• Duh?

But, Seriously…

Case Study
• 3Com founded in 1979
• 3Com’s initial partnership with Huawei formed the Chinese subsidiary H3C in 2003
• Manufacturing and R&D done in China
  – Build LAN switches, routers, firewalls, etc.
• Then Huawei starts competing with US router manufacturers like Cisco
  – Lawsuits start, etc.

Case Study (cont)
• How to steal intellectual property from capitalists:
• Offer them a new tax-free home in a place where manufacturing is cheap
• This is nothing new! It has been going on since before the industrial revolution … and it’s a lot easier than stealing it over the Internet

More Cybereconomic Espionage
• 2003: In order to secure access to the Chinese market, Microsoft “opens source code” to the Chinese Government
  – The Chinese are concerned about trapdoors and want to look at it
  – The Government also wants to know how to write better spyware for watching its citizens

Joking Aside #7
• How do you steal economic secrets from a capitalist?
  A) Ask nicely
  B) Threaten them with Linux
  C) Dangle an opportunity to penetrate a new market
  D) Make protectionist rumbles
  E) All of the above

Back To the FBI Report
• FBI report contains the spine-chilling claim: “WMD-like destruction capabilities”
  – If hearing about branches of the US Government’s intelligence apparatus talk about WMD doesn’t make you run for cover, you must have been sleeping under a rock the last decade

“We are fighting and losing….”
• Defense contractor Booz Allen Hamilton runs a “training exercise” for the US Congress called “Cyber Shockwave”
• The scenario is, <sarcasm>“credible”</sarcasm>
  – A worm in smart phones
  – Data networks collapse under DOS
  – Which takes down Wall St
  – Air travel is disrupted

“We are fighting and losing….” (cont)
  – We all know that having “air travel disrupted” results in massive economic damage, civil unrest, and cannibalism
    • Like the way Europe fell into chaos following the Icelandic volcano’s ash cloud
    • Joking aside, the BBC did report that some retailers in Hong Kong ran out of sales stock of Belgian chocolates
  – OMG! Teh horrorz! Teh horrorz!

“We are fighting and losing….” (cont)
  – and then the US collapses into chaos when people’s iPads break
  – But the real icing on the Cyber Shockwave cake happens when “IEDs are used to destroy part of the power grid”
    • What?!

Joking Aside #8
• Scenarios like that make me wonder if the guys who are writing the scenarios understand networking or how networks collapse under load
  – It sure takes down your inline command and control
  – If it takes actual acts of physical war to make “cyberwar” work, what’s so “cyber” about it?
    • Compare/contrast with “commando operations”

Economic Collateral Damage
• CIA and FBI say that the US “Smart Grid” power systems are broadly compromised by state-sponsored hackers

Joking Aside #9
• US power companies bid on a $3 billion+ program to help China build its own “Smart Grid” for future power
  – Sheer marketing genius!
  – “Buy our technology! After all, it’s so user friendly even a 15 year old living in his mom’s basement can control it!”

Some Serious Thoughts for a Moment
• If I may

What’s Really Going On?
• There is a revolving door between spooks in the intelligence community and beltway bandits
  – The guys hyping this stuff are mostly former NSA/CIA types
• It’s the China Cyberwar Economic Stimulus package
• They’re greedy bastards whose lust for a quick buck is probably a bigger threat to our security than anyone hostile to us

“Specialize in - diseases of the rich…” -Tom Lehrer

Marx May Have Been Right
• How do you defeat a capitalist?
  – Load it down with enough parasites that it dies of blood loss
• One of the quotes that sticks in my mind from researching this:
  – “Chinese hackers even managed to penetrate DHS’ $1.5 billion network…”
    • WTF are they using to build networks these days, platinum Cat-5? Louis Vuitton routers?

Cybercriminal
• Agenda:
  – Diffuse and profit-driven
  – Tactical: short-term
• The threat:
  – Profitable “hit and run”
  – Cannot eradicate: more will take their place
  – Creative
  – Rapidly shift to where the money is

Cyber Spy
• Agenda:
  – Surreptitiously gather secrets
  – Suborn and manage trusted agents in critical positions
  – Strategic: long-term
• The threat:
  – The cyber-era simplifies some technical aspects of espionage a bit while complicating others a bit

Cyberterrorist
• Agenda:
  – Ideological maximum-damage, maximum-profile, highly visible attacks with no restraint
  – Tactical: “hit and run” to cause fear
• The threat:
  – Targets will be civilian infrastructure where an attack results in explosions, destruction and death
    • Power, water, oil, shipping, vehicle control

Cyberwarrior
• Agenda:
  – Be prepared to attack/degrade/penetrate enemy command and control systems as an adjunct to physical military operations
  – Strategic: long-term covert warfare
• The threat:
  – Targets will be high-value, high-cost, and will have varying “hardness” against attack

Agenda Mis-Alignment
(rows: actor; columns: that actor’s effect on the Cybercriminal, Cyberspy, Cyberterrorist and Cyberwarrior, in that order)
• Cybercriminal: Compete | Provide cover / Interfere with ops | Provide cover / May provide tech | Provide cover / Interfere with ops
• Cyberspy: No effect | No effect | May detect | Counterintelligence / May compromise ops
• Cyberterrorist: No effect | No effect | No effect | No effect
• Cyberwarrior: No effect | May interfere with ops during a conflict | No effect | Direct engagement during a conflict

Defense Strategies
(response, by target: Government | Private Sector)
• Cybercriminal: “typical computer security” (firewalls, antivirus, patch management, IDS, system log analysis) | “typical computer security”
• Cyberspy: Counterintelligence + “typical computer security” | Expect the government to deal with it
• Cyberterrorist: “typical computer security” | “typical computer security”
• Cyberwarrior: Counterintelligence + “typical computer security” | Expect the government to deal with it for anything beyond “typical computer security”

And There is the Rub
• There’s nothing more than “typical internet security” or counterintelligence
  – There are no secret government-only doodads to add atop “typical internet security” because if there were, they’d already be commercialized (thanks, capitalism!) and everyone would have them
  – Counterintelligence is too expensive
    • Except for the free-lance counterintelligence effort we call “the honeynet project”

What Scares Me Most
• “We” are about to be browbeaten into giving $billions to the same idiots who built the government’s current networks, in the name of improving them to be more secure
  – Give more money to the person who caused a disaster and what you’ll get is a bigger, better disaster
    • Think $1.5 billion for the DHS network; what will the ‘secure version’ cost?

The Cyberwar of 2010
• Didn’t happen, of course
  – What did happen is that the money-valve has been jammed permanently into the “ON” position
  – Security will get no better