I guess I am in like a book posting series for now but since I had to do a book review to earn CPE credits for my CISSP certification I thought it would get a cheap blog entry this month with it.
This book was a great follow up to Fatal Systems Error for me. Joel Brenner, the author, is a former Inspector General of the National Security Agency, NSA, and was also the head of U.S. Counterintelligence for the director of National Intelligence. This book explores both Cybercrime and Cyberwarfare with more emphasis in the latter. The author does give the reader a primer on Cybersecurity and how some attacks such as DDoS for example take place. However, because of Brenner’s insight into the US national intelligence system, the book focuses on what State-sponsored Cyberthreats represents to the international community, especially so to The US without going into much detail into how attacks happen. It describes how Cybercrime has evolved as a potential lethal weapon to a nation’s critical infrastructure (e.g. power, financial, communications, and military industries) by using the internet to disturb communications and information flow during warfare and references to how Serbians manipulated these tools during the Kosovo War; most recently you could probably relate to the Egypt Revolution and the critical role that communications and Social Media played there, and continues threats by the Iranian government to shut down communications in their country as a way to control and intimidate their opponents. When The People´s Republic of China, PRC, realized that they were too far behind from The US economics and military forces they identified an opportunity to explore other ways to build their technology and industries by exploiting the weaknesses of our current industries and military forces to steal classified information and intellectual property that they have used to catch up with the our technology and use it against us. Both government and the private sector are at fault here by not implementing the necessary security control and most importantly by failing to educate and create security awareness within their organizations.
The moment of truth for me during this read was when I came acrros the excerpt below. The reason being that I work in a mid-size law firm and I couldn’t agree more with this statement which actually comes from a lawyer and partner in one of the largest 100 law firms in the US.
"The Chinese have other even subtler methods of stealing our know-how. Several years ago, while serving as the national counterintelligence executive, I sat with colleagues discussing how we would plan an espionage attack against an American business. And then a lightbulb went on: the law firms! Of course: A company’s outside intellectual property lawyers have its technical secrets, and their corporate law colleagues are privy to strategic business plans. And lawyers don’t like taking instructions from anybody, particularly their less well paid underlings who are responsible for network security. They’re impatient. In some firms the rainmakers have nixed even simple steps, like requiring a password on mobile devices that connect with the firm’s servers. They couldn't be bothered. Privileged with secrets, highly paid, often arrogant and usually impatient, lawyers are the perfect targets. I cannot disclose what I know because it's classified, but I can disclose that I know that my surmise was soon justified. U.S. law firms have been penetrated both here and abroad. Firms with offices in China and Russia are particularly vulnerable, because the foreign security services are likely to own the people who handle the firms' physical and electronic security. These services are not interested in stealing brilliant legal briefs; they want information about the firm's clients. Every law firm with offices in several continents holds privileged and sensitive electronic documents worth millions of dollars to a foreign service, ranging from investment plans to negotiating and business strategies, and much more." Think I got hooked up here? No kidding! This is what I am dealing with every day and is such a great challenge and opportunity for me as a professional. If you are in legal and have kept up with the news then you now know what Brenner knew. There are plenty of articles out there on how Chinese are attacking firms, security in law firms, or recent incidents such as Anonymous attacking law firms. Dear lawyers, this is a real issue for us and you guys need to pay attention.
Brenner also does a great job on identifying one of the most important problems that governments face: finding balance between transparency and privacy. While transparency says “Open Up”, privacy says “We are watching you and you are very restricted to what we want you to do.” Both transparency and privacy are about information which he refers to as being liquid. I love that analogy because information as liquid can take any form and be anywhere. The problem is that once liquid leaks, it is hard to figure out how, when and where it happened, not to mention that it is nearly impossible to recover it all. During this segment the author also references how organizations such as WikiLeaks operate by “turning the hose on” to let the precious liquid out. The appearance of WikiLeaks was a critical milestone to the proliferation of Hactivist groups such as Anonymous which supported them by launching DDoS to organizations such as PayPal and MasterCard that froze WikiLeaks funds in an attempt to stop their operations. It is important to note that WikiLeaks has a more organized structure governed by their decision maker Julian Assange, while hactivist groups do not have any type of hierarchy or governing entity and function as a group of people that support the same “values or ideas”.
In chapter 7, the author presents a hypothetical scenario where he illustrates how China could potentially create serious damage and pretty much “own” The US on the verge of war using techniques such as shutting down entire power grids in the US, sending off undetectable submarines to face The US Navy crafts and disturbing the financial markets. He actually mentioned that while his scenario is fictional, some of the penetrations and techniques used by the PRC have actually already happened.
Finally, Brenner presents what he believes are good practices to get both the public and private sectors together. Many of them are widely known, yet not practiced much. Here they are in a nutshell:
- Stronger trade regulations and contracting. Requiring higher security standards from its vendors.
- Make Service Providers accountable. For example require ISP to notify customers whose machines are infected by a botnet.
- Stronger Energy Standards. Limit connectivity to a public network.
- Tax code. Use tax incentives to encourage investment in cybersecurity
- Encourage and found research.
- Securities regulations
- International relations. International community needs to come together in all of these efforts.
- Clean up your act! Assume that you have been attacked so monitor and mitigate.
- Control WHAT is in your system.
- Control WHO is in your system.
- Protect what is valuable.
- Patch, patch, patch.
- Train, train, train.
- Audit for operational effect.
- Manage overseas travel behavior.