Thursday, April 24, 2014
It addresses thorny questions regarding China as President Obama visits South Korea, Japan, Malaysia, and the Philippines.
I wanted to share five quick thoughts on the article, fully appreciating I don't have all the answers to this complex strategic problem.
1. "Many in China see the U.S. rebalance as ill-disguised containment, while many in the United States see Chinese military modernization and territorial assertiveness as strong indications that Beijing seeks to undermine Washington's alliances and drive the United States from the Western Pacific."
I agree with these statements as being perceptions by both sides, but I also think they are closer to the truth than what the authors believe. I recommend Dr Ashley Tellis' monograph Balancing Without Containment: An American Strategy for Managing China as the best strategy I've seen for handling this aspect of the problem.
2. "Compounding this challenge, the long-term intentions of both sides are inherently unknowable. The inclination in the face of such uncertainty is to prepare for the worst -- which all too frequently becomes a self-fulfilling prophecy."
I disagree that long-term intentions are inherently unknowable. Building on the first point, the Chinese want to project regional power without US interference, and the US wants to maintain the ability to protect power globally. That means the two sides will be in conflict in the South China Sea and other regional Chinese waters.
3. "That does not mean Washington must immediately unsheathe the sword if tensions escalate over China's actions near the Senkakus or disputed islands in the South China Sea, but it must make clear that it is prepared to impose significant costs if red lines are crossed -- which is why the response to Russia's actions in Ukraine is so salient to the situation in East Asia."
I believe many commentators and policymakers cringe at the term "red lines" when applied to the current administration. The President's use of the term with respect to Syrian weapons of mass destruction has weakened his position. Perhaps more importantly, just what are the "red lines" in the South China Sea? The authors recommend meeting alliance commitments, but what does that mean?
4. "U.S. allies in Asia worry that China's ability to impose economic costs against the United States might deter Washington from acting -- a concern exacerbated by U.S. and European caution in imposing costs on Russia. The late March expansion of sanctions against Russia should help reassure U.S. allies of Washington's willingness to accept the risks of economic retaliation in order to impose costs on those who cross red lines."
There are few similarities between the US-Russia and US-China economic relationships. The risks of economic retaliation from Russia are far smaller than those that could be applied by China. US allies should worry about China's ability to impose economic costs against the US, but that is tempered somewhat by the effects those sanctions could have against China itself.
5. "The United States and its allies also have an interest in reassuring China that if Beijing acts responsibly, they will not seek to thwart its future prosperity and security... These might include "Open Skies" reconnaissance agreements, where both sides allow territorial overflights to reduce concerns about concealment...
Just as important as formal agreements is the willingness of both sides to exercise restraint in defensive actions that might appear threatening; to enhance transparency to dispel misunderstandings; and to reciprocate positive actions to stimulate a virtuous circle of enhanced confidence. This might mean Chinese willingness to slow the rate of its military buildup rather than race for parity." (emphasis added)
What does "act responsibly" mean? In US eyes, it probably means the Chinese allow the US to project power globally, including in the South China Sea. As I mentioned above, the Chinese don't want this to be the case in the medium and long term.
"Open skies" agreements and "enhanced transparency" are non-starters for China, just as they were non-starters for the Soviet Union in the 1950s. Strategic theory explains why. China is militarily weaker than the United States. They fear that the more the US learns about Chinese capabilities, the more accurately and effectively the US will be able to target and neutralize those capabilities. The Chinese follow this approach with nuclear weapons and cyber weapons, as we saw with the latter recently (see Adam Segal's What Briefing Chinese Officials On Cyber Really Accomplishes.)
I see few situations where China would slow its military buildup, with the exception of nuclear weapons. With nuclear weapons, the important feature is a first-strike-survivable retaliation capability. The Chinese don't need to match the US warhead-for-warhead if the US knows we can't get away with a first strike against China. (To learn more about this dynamic, see Strategic Stability: Contending Interpretations.)
On the conventional side, the Chinese are more likely to try to outbuild the US, because they still lack a qualitative advantage compared to US forces. Given declining US budgets, the Chinese should be able to out-spend and out-build the US Navy and Air Force, the two most critical services for a future US-China conflict.
Overall, this is a very tough problem, but I recommend reading the piece by Dr Tellis for the best answer I've read concerning strategic approaches to the US-China issue in the South China Sea.
Thursday, March 20, 2014
Fifteen countries were involved in producing this document: Argentina, Australia, Belarus, Canada, China, Egypt, Estonia, France, Germany, India, Indonesia, Japan, the Russian Federation, the United Kingdom of Great Britain and Northern Ireland and the United States of America.
Within the section titled "Recommendations on norms, rules and principles of responsible behaviour by States," I found the following noteworthy:
19. International law, and in particular the Charter of the United Nations, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment...
23. States must meet their international obligations regarding internationally wrongful acts attributable to them. States must not use proxies to commit internationally wrongful acts. States should seek to ensure that their territories are not used by non-State actors for unlawful use of ICTs.
The first statement is important because it "imports" a large body of external law and agreements into the cyber field, for good or ill.
The second statement is important because, if States obey these principles, it has interesting effects upon malicious activity leaving State networks. Collectively these sentences imply that States are responsible for their networks. States can't claim that they are only innocent intrusion victims, and that any malicious activity leaving their State isn't their fault or problem.
Whether States try to meet these obligations, and whether others call them out for not meeting them, is another matter.
Sunday, March 16, 2014
I wanted to share five thoughts based on excerpts from the VADM Rogers' answers to written questions posed by the Senate Armed Services Committee.
1. The Committee asked: Can deterrence be an effective strategy in the absence of reliable attribution?
VADM Rogers responded: Yes, I believe there can be effective levels of deterrence despite the challenges of attribution. Attribution has improved, but is still not timely in many circumstances...
Cyber presence, being forward deployed in cyberspace, and garnering the indications and warnings of our most likely adversaries can help (as we do with our forces dedicated to Defend the Nation). (emphasis added)
I wonder if "cyber presence" and "being forward deployed in cyberspace" means having access to adversary systems? There's little doubt as to the source of an attack if you are resident on the system launching the attack.
2. The Committee asked: Is it advisable to develop cyberspace officers as we do other combat arms or line officers? Why or why not?
VADM Rogers responded: ...We must find a way to simultaneously ensure combat arms and line officers are better prepared to contribute, and cyberspace officers are able to enjoy a long, meaningful career with upward mobility. A meaningful career should allow them to fully develop as specialized experts, mentor those around them, and truly influence how we ought to train and fight in this mission space.
I am especially interested in the merit of how a visible commitment to valuing cyberspace officers in our ranks will affect recruitment and retention. I believe that many of today’s youth who are uniquely prepared to contribute (e.g. formally educated or self-developed technical expertise) do not feel there is a place for them in our uniformed services.
We must find a way to strengthen the message of opportunity and I believe part of the answer is to do our part to ensure cyberspace officers are viewed as equals in the eyes of line and combat arms officers; not enablers, but equals. Equals with capabilities no less valued than those delivered by professional aviators, special operators, infantry, or surface warfare. (emphasis added)
In my opinion, the best way to meet these goals is to create a separate Cyber Force. Please read the article Time for a US Cyber Force by Admiral James Stavridis (ret) and David Weinstein.
3. The Committee asked: The Unified Command Plan (UCP) establishes U.S. Cyber Command as a subunified command reporting to U.S. Strategic Command. We understand that the Administration considered modifying the UCP to establish U.S. Cyber Command as a full combatant command.
What are the best arguments for and against taking such action now?
VADM Rogers responded: ...The argument for full Unified Command status is probably best stated in terms of the threat. Cyber attacks may occur with little warning, and more than likely will allow only minutes to seconds to mount a defensive action seeking to prevent or deflect potentially significant harm to U.S critical infrastructure.
Existing department processes and procedures for seeking authorities to act in response to such emergency actions are limited to Unified Combatant Commanders. If confirmed, as the Commander of U.S. CYBERCOM, as a Sub-unified Combatant Commander I would be required to coordinate and communicate through Commander, U.S. Strategic Command to seek Secretary of Defense or even Presidential approval to defend the nation in cyberspace.
In a response cycle of seconds to minutes, this could come with a severe cost and could even obviate any meaningful action. As required in the current Standing Rules of Engagement, as a Combatant Commander, I would have the requisite authorities to directly engage with SECDEF or POTUS as necessary to defend the nation. (emphasis added)
I'm dismayed but not surprised by this argument. I'm dismayed because it sounds like the most important reason to establish a unified cyber command is the perception that "cyber attacks...allow only minutes to seconds to mount a defensive action." This is just not true for any strategically significant attack.
If you only have "minutes to seconds" left for defense, you are way too far down the kill chain. You need to be intercepting the adversary in the reconnaissance phase, or at least no earlier than the stage whereby the threat explores the target searching for critical elements. I fear the "minutes to seconds" camp is a legacy of the bad old days of Internet worms from 10 years ago.
4. The Committee asked: How could the Internet be redesigned to provide greater inherent security?
VADM Rogers responded: Advancements in technology continually change the architecture of the Internet. Cloud computing, for instance, is a significant change in how industry and individuals use Internet services...
Several major providers of Internet services are already implementing increased security in email and purchasing services by using encryption for all transmissions from the client to the server. It is possible that the service providers could be given more responsibility to protect end clients connected directly to their infrastructures.
They are in a position to stop attacks targeted at consumers and recognize when consumer devices on their networks have been subverted. The inability of end users to verify the originator of an email and for hackers to forge email addresses have resulted in serious compromises of end user systems... (emphasis added)
So, we see reference to cloud computing, encrypting client-to-server communications, ISPs protecting end users, and email verification. Think of all the tactical and technology options that were not mentioned here. Also notice the lack of discussion of better operations/campaigns and strategies. Finally, notice the Committee asked about redesigning the Internet, an engineering-focused approach.
5. I am glad to live in a country where a candidate to lead important military and intelligence agencies can be questioned in then open for public benefit. However, I am disappointed that the Unified Command Plan (UCP), referenced several times in the Q&A, remains a classified document.
The best we seem to have is The Unified Command Plan and Combatant Commands: Background and Issues for Congress, (pdf) a 2013 Congressional Research Service document hosted by FAS, and History of the Unified Command Plan (pdf), hosted by dtic.mil. The 2012 CRS report is posted on a state.gov Web site. It would be helpful to read an unclassified version of the next UCP, which is due anytime it seems.
PHOTO CREDIT: Gary Cameron, Reuters.
Saturday, March 08, 2014
This class is the perfect jumpstart for anyone who wants to begin a network security monitoring program at their organization. You may enter with no NSM knowledge, but when you leave you'll be able to understand, deploy, and use NSM to detect and respond to intruders, using open source software and repurposed hardware.
The first discounted registration deadline is 11:59 pm EDT June 2nd. The second discounted registration deadline (more expensive than the first but cheaper than later) ends 11:59 pm EDT July 26th. You can register here.
Please note: I have no plans to teach this class again in the United States.
Since starting my current Black Hat teaching run in 2007, I've completely replaced each course every other year. In 2007-2008 I taught TCP/IP Weapons School version 1. In 2009-2010 I taught TCP/IP Weapons School version 2. In 2011-2012 I taught TCP/IP Weapons School version 3. In 2013-2014 I taught Network Security Monitoring 101. This fall I would need to design a brand new course to continue this trend.
I have no plans to design a new course for 2015 and beyond. If you want to see me teach Network Security Monitoring and related subjects, Black Hat USA is your best option.
Please sign up soon, for two reasons. First, if not enough people sign up early, Black Hat might cancel the class. Second, if many people sign up, you risk losing a seat. With so many classes taught in Las Vegas, the conference lacks the large rooms necessary to support big classes.
Several students asked for a more complete class outline. So, in addition to the outline posted currently by Black Hat, I present the following that shows what sort of material I cover in my new class.
Saturday, February 22, 2014
I had three reactions to this post.
First, I recognized that it's written by someone who is not responsible for defending any network of scale or significance. Network defense is more than tools and tactics. It's more often about people and processes. My initial response is unsatisfying and simplistic, however, even though I agree broadly with his critiques of anti-virus, firewalls, WAFs, and some traditional security technology.
Second, staying within the realm of tools and tactics, Dave is just wrong on several counts:
- He emphasizes the role of encryption to defeat many defensive tools, but ignores that security and information technology architects regularly make deployment decisions to provide visibility in the presence of encryption.
- He ignores or is ignorant of technology to defeat obfuscation and encryption used by intruders.
- He says "archiving large amounts of traffic is insanely expensive and requires massive analytics to process," which is wrong on both counts. On a shoestring budget my team deployed hundreds of open source NSM sensors across my previous employer to capture data on gateways of up to multi-Gbps bandwidth. Had we used commercial packet capture platforms we would have needed a much bigger budget, but open source software like Security Onion has put NSM in everyone's hands, cheaply. Regarding "massive analytics," it's easier all the time to get what you need for solid log technology. You can even buy awesome commercial technology to get the job done in ways you never imagined.
Third, and this is really my biggest issue with Dave's post, is that he demonstrates the all-too-common tendency for security professionals to constrain their thinking to the levels of tactics and tools. What do I mean? Consider this diagram from my O'Reilly Webinar on my newest book:
Here is an example of one strategic security approach to minimize loss due to intrusions, using a strategy of rapid detection, response, and containment, and NSM-inspired operations/campaigns, tactics, and tools.
Now I don't want to seem too harsh, because tool- and tactics-centric thinking is not just endemic to the digital security world. I read how it played out during the planning and execution of the air campaign during the first Gulf War.
John Warden and the Renaissance of American Air Power and learned how the US Air Force at the time suffered the same problems. The Air Force was very tactics- and technology-focused. They cared about how to defeat other aircraft in aerial combat and sought to keep the Army happy by making close air support their main contribution to the "joint" fight. The Air Force managed to quickly deploy planes to Saudi Arabia but had little idea how to use those forces in a campaign, let alone to achieve strategic or policy goals. It took visionaries like John Warden and David Deptula to make the air campaign a reality, and forever change the nature of air warfare.
I was a cadet when this all happened and remember my instructors exhibiting the contemporary obsession with tactics and tech we've seen in the security world for decades. Only later in my Air Force career did I see the strategic viewpoint gain acceptance.
Expect to hear more from me about the need for strategic thinking in digital security. I intend to apply to a PhD program this spring and begin research in the fall. I want to apply strategic thinking to private sector digital defense, because that is where a lot of the action is and where the need is greatest.
For now, I talked about the need for strategy in my O'Reilly Webinar.
Thursday, February 06, 2014
1. Unknown parties, probably Russian SIGINT operators, intercept and record a phone call between US Assistant Secretary of State Victoria Nuland and US Ambassador to Ukraine, Geoffrey Pyatt. In the phone call, the parties use language which could be considered inflammatory or insulting to EU politicians.
2. The interceptors pass the phone call recording to a private third party.
3. Either that third party, or some recipient down the line, posts the audio and a video overlay on Youtube.
4. The third party Tweets about the video.
5. Russian-sponsored television begins broadcasting stories about the video.
6. Reputable news media begin broadcasting stories about the video.
7. The rift between American and European leaders widens (possibly).
I find several aspects of this story fascinating.
First, I am surprised that whomever intercepted the phone call decided it was worthwhile to probably burn an intelligence source. It's possible the Americans were using consumer cell phones, subject to monitoring by foreign intelligence services. If true, the Americans were not very OPSEC-aware. If the Americans were using a line which they thought was secure, then the interceptors just revealed they know how to access it.
Second, the use of third parties is characteristic of Russian activities. We are all familiar with the role of patriotic hackers, youth groups, etc. when doing normal "cyber" activities. This sort of propaganda activity, with direct ties to a probable SIGINT operation, is interesting.
Third, I wonder about the cost of this operation. In some ways it is very cheap -- Youtube, Twitter, etc. In other ways, it may be expensive -- interception and probable manual auditing of the audio to identify divisive and "offensive" content.
I don't pretend to be a Russian SIGINT expert, but I wanted to document this case in my blog. Constructive commentary is welcome but subject to moderation due to spam countermeasures. Incidentally, if I got the origin or order of any of these events wrong, I'm open to that too. I didn't ask my Russian-speaking friends to comment -- I'm just noting this story for future reference.
Update: I noticed that sources like Kyiv Post say:
Among the first to tweet the audio recording was an aide to Russian Deputy Prime Minister Dmitry Rogozin, named Dmitry Loskutov, who also wrote: "Sort of controversial judgment from Assistant Secretary of State Victoria Nuland speaking about the EU."
However, the timestamp on this Russian aide Tweet is "11:35 PM - 5 Feb 2014" whereas the private Tweet I mentioned earlier shows "9:36 pm - 4 Feb 2014" -- a day earlier.
Sunday, January 26, 2014
Let me set the stage. First, Internet governance.
Too often the Internet governance debate is reduced to the following. One side is characterized as "multi-stakeholder," consisting of various nongovernmental parties with overlapping agendas, like ICANN, IANA, IETF, etc. This side is often referred to as "the West" (thanks to the US, Canada, Europe, etc. being on this side), and is considered a proponent of an "open" Internet. The other side aligns with state governments and made its presence felt at the monumental December 2012 ITU World Conference on International Telecommunications (WCIT) meeting. This side is often referred to as "the East" (thanks to Russia, China, the Middle East, etc.), and is considered a proponent of a "closed" or "controlled" Internet.
Continuing to set the stage, let me now mention theft of secret documents.
One of the critiques of Edward Snowden involves the following. He stole documents on his own accord, claiming he had the right to do so by the "egregious" nature of what he found (or was sent to find). Critics reply that "no one elected Edward Snowden," but that the programs he exposed were authorized by all three branches of the US government. Because that government is elected by the people, one could say the government is speaking on behalf of the people, while Snowden is acting only on his behalf.
Here's the problem.
If you believe that elected governments are the proper forum for expressing the wishes of their people, you should have a difficult time defending a "multi-stakeholder" model that puts groups like ICANN, IANA, IETF, etc. on equal footing (or even above) representatives of elected governments. If you believe in the primacy of the democratic system, you should also believe forums of elected representatives are the proper place to debate and decide Internet governance.
That chain of logic means Western democracies who support representative government should view government-centric bodies like the ITU in more favorable light than they do presently. After all, who created the UN? Where is the organizations headquarters? Who pays its bills?
You probably detect the "escape hatch" for the multi-stakeholder proponents: my use of the term "elected governments." If a regime was not properly elected by its people, it should not have the right to speak for them. This applies to governments such as those in the People's Republic of China. Depending on your view of the legitimacy of the Russian election process, it may or may not apply to Russia. You can extend the argument as necessary to other countries.
The bottom line is this: be careful promoting multi-stakeholder Internet governance at the expense of representation by elected governments, if you also feel that Edward Snowden has no right to contravene the decision of a properly elected American government.
PS: If you want to know more about WCIT, try reading Summary Report of the ITU-T World Conference on International Telecommunications by Robert Pepper and Chip Sharp.