Max, Concise Courses:
It's 12 p.m. eastern standard time. We are very lucky to have G. Mark Hardy with us this afternoon. G. Mark is the president of the National Security Corporation and the presentation today is "Hacking As An Act Of War". So usual ground rules, if anyone has questions, please use the chat box and hold your questions back until the end of the presentation. Without further ado, G. Mark, thank you for joining us.
G Mark Hardy:
You're most welcome. I'm happy to talk today about Hacking As An Act of War. Now, it's interesting because if we think about it, militaries don't change because they win wars or battles, it's because they lose them. So we have to make sure that as we find that when we're comfortable, there's really an opportunity to gain some insight because we keep doing what we've been doing because we are successful.
Now what really is war? If we look at General Carl von Clausewitz who wrote that, "War is the continuation of politics by other means" we find out that for the most part you call the defense department, only after the state department has failed to complete the mission. And the reason being, is diplomacy is usually more efficient and it's cheaper and less costly. But there are some times when diplomacy just doesn't work and then often the government is going to resort to military force.
Now, we're talking about cyber war, which is an interesting concept because if we take a look at the militarization of cyber space. Over the last couple of years, we've seen some rapid advancements in that area. For example, the Israeli defense force has been "engaged in cyber activity consistently and relentlessly." That's their quote, by the way, from their web site.
The 30,000 Saudi Aramco systems that got wiped out a few weeks ago by the Shamoon virus, which was indicated as the most destructive ever to hit a non-military target. Even Taiwan is stepping up to cyber capabilities to counter the perceived PRC threat. So it looks like everybody is arming up in the cyber warfare space. But what does that mean for the rest of us?
If you look at the United States, the Cyber Security Act of 2012, which was proposed back in February, I've got a sole source that says it was voted down yesterday [November 13th 2012] 52 to 46. I wasn't able to confirm that, but I'll report that because that was the likely prospect of this particular piece of legislation.
Interestingly enough [November 13th 2012] President Obama last month signed a classified document called Presidential Policy Directive 20 that dealt with cyber security, and perhaps it does address some of the issues that were not going to be addressed by the voted down Cyber Security Act, but without a security clearance and without a secure forum to discuss it, those exact details really can't be made public.
The U.S. Cyber Command, which is a military 4 Star Command, stood up the last couple of years to be able to take care of the cyber threat. General Alexander, dual head of the National Security Agency; there's now a proposal to make that a combatant command, which is as high as you can go in the U.S. Military, because you are given a theatre of an area of operation where you are actually controlling the operating forces.
But perhaps the biggest cyber war issue that we're witnessing is a huge theft of intellectual property. The giant sucking sound of the south that we heard about in the presidential debates back in 1992 with Ross Perot, is now being replaced with a giant sucking sound going into the Far East of [is] intellectual property.
It's estimated that the entire volume of the U.S. Library of Congress (equivalent information) is being stolen every year. Which requires, of course, a lot of people to be able to sift through all that data. The most likely culprits may have all that capability because as we look at what the potential threat is out there, we're concerned about Anonymous because they represent a very credible, viable attack force to be able to go after people that they don't particularly like. But the reality is that from a cyber warfare perspective, it's often this is our concern: we're worried about other nations incorporating cyber warfare as part of their national policy in training their own military forces to be able to operate in that domain.
So we look at who's out there. Who do you point to? Is it China? It seems like China is the whipping boy for a lot of this cyber stuff. We hear bad things about them. We blame them. They get in the press. There's a lot of negative publicity.
But the reality is that one of the most difficult things to do in cyber is attribution. How do you prove who done it? And the answer is you usually can't. So there is often a plausible deniability that surrounds an attacker's identity. And as we remember from our friend Bart [Simpson], "Nobody saw me. You can't prove anything. I didn't do it." So this becomes deniable from both a publicity perspective as well as a human technology perspective. And, yes, you can trace it down to an IP address, but that IP address might be of a system that got on by something else. And furthermore, you're never going to see a judge that's going to order a computer's clock speed to be stepped down 50 percent and have the memory chips removed for 30 days as punishment. We tend to go after the carbon elements of the network, not the silicon.
So it's deniable but if we take a look at some of the capabilities, there is a reporter that claimed that he had seen a leaked FBI report which said that the Red Army has at least 180,000 trained professionals doing cyber work - that's an alarming number! If you look at the size of the United States Marine Corps in its entirety and you compare it to this number, you find out that they have very much the same number of magnitude. So what are we up against and what do we need to worry about?
If we go back and we look at the Chinese general from about 24 centuries ago, Sun Tzu, he prefaces The Art Of War on chapter one, page one, line one, as "All warfare is based on deception." And that represents a fundamental tenet of cyber warfare in that you tend not to come directly into the front door.
"It's an intruder."
"I'm here to take all of your intellectual property."
"Okay. Come on in."
It's always through some form of deception, some way of tricking or deceiving systems or people or both to be able to complete the attack. Professor Liotta at the Naval War College said that, "All warfare tends toward asymmetry." Asymmetry means a small amount of effort creates a large output. Think of something like the 9/11 attacks or even back in World War II, the V2 Rockets, which were fairly inexpensive to build, and yet they caused massive amounts of damage on the other end of the delivery.
And if you go back to the Prince and you read Machiavelli, he says, "There is no avoiding war. It can only be postponed to the advantage of others." So for those who are questioning whether we are in a cyber war or not, some would say, yes, we are. We've seen the shots fired. Others are saying, no, the worst is yet to come. The reason it's probably not full blown cyber war right now is because it's being postponed to the advantage of others.
Now, what can happen with a cyber warfare attack? If we take a look back in May of 2007, we find that the nation of Estonia was targeted after they had relocated a statue of a Russian soldier from one of the downtown squares to another location. Reportedly, it was actually going to a nicer place, a place of higher honor, but that was not the perception that came out.
So what happened was that there were a number of cyber attacks that took place, going after the banking and government organizations, etc. It's significant that it was Estonia, because Estonia was the most wired country on the planet at that time, so they were most likely to suffer victims from cyber attacks, but also the most likely to recover.
In Georgia, in August of 2008, just about the same time that the Olympics were opening in China in August of 2008, Russian tanks rolled into the provinces of South Ossetia and Abkhazia to go ahead and combine with cyber attacks, which essentially blinded and took the government offline. The strategic communications were disrupted. Now the interesting thing was, the reports were that the president of the nation of Georgia and the president of the company of Atlanta Georgia who does web hosting in the conversation it was said, "Hey, we're under attack. We can't run our hosting." He said, "Hey, I will host your systems for you." So that creates an interesting issue. Does that then make a company in Atlanta, Georgia a participant to a combatant effort of war back in Georgia and Russia?
If we look at the NATO Article 5 for mutual defense, the North Atlantic Treaty organization was formed back in 1949, as sort of a cooperative defense against Russia. If Russia or the Soviet Union came rolling through then everybody said, "We'll all come to each other's defense."
Since 1949 that mutual defense has only been invoked once, and that was right after 9/11. It's also the potential reason why many of the eastern European nations want to be in NATO, and it's also perhaps one of the reasons why Western Europe does not want them in NATO. So if you look at things like Belarus and the Ukraine and you wonder, well, they definitely have a concern about Russia. Politically and perhaps militarily they do, because we've already seen the attacks on Georgia.
But this is untested in cyber. And would America risk the lives of our sons and daughters and our brothers and sisters, to go fight a kinetic war, if the enemies' attacks were purely cyber and it was against another country?
Another trivia question: When was the last time the United States formally declared war? We kind of declared war on 9/11. We didn't quite declare war in Korea. And some people say maybe it's Japan or Germany. Actually, it's Bulgaria, Hungary, and Romania in June of 1942, so that means it's been 70 years since the U.S. Congress, who under the Constitution can declare war, has not declared war. Everything we've done has been either a police action or some other type of operation, but we avoided that exact label.
Now, United Nations does have an Article 51, that permits an individual to self defense if armed attacks occur against somebody. It was actually invoked in 1950, when the Soviet delegate walked out of the United Nations over protests or something and the Americans said, "Hey, let's move to the top of the agenda - we should go ahead and vote for Chapter 7 forces in Korea", and with the Soviet Union not there to cast the vote that could have vetoed it, it went through and thus we got the Korean conflict.
But we see it again and again. Somalia, Rwanda, even Afghanistan. And the Soviet Union did challenge the legality of NATO under this article saying, "Hey, we need self defense! These guys are ganging up on us." But because of the way politics went back then, they said, no, not quite, it's not a military threat, per se.
Let's roll back to Estonia. The capital of Estonia is Tallinn; turns out that after that attack back in 2007, NATO set up its center for Cyber Security of Excellence there. And over the last three years they've been working with an international group of experts to create a report in terms of "how international law apply to cyber warfare" - because there are no laws on cyber warfare today, but there's plenty of laws on the books that have been agreed to internationally, etc. about regular warfare. So they put together a 215 page report. It's going to be published early next year. If you want to preview it you can go to [do so here,] it gives you an opportunity to see how you map real world war, legislation, or laws, or the legal system into the cyber world.
So it looks [the report] at international law governing cyber warfare. How does it do about justice or law with regard to before war and then while war is actually going on? If it's below the use of force, it's not really considered war; therefore, they're not addressing it here. And it's not a manual on cyber security or cyber crime. They also want to point out that although it was sponsored by this NATO group, it's not meant to reflect NATO doctrine.
Now, this particular document has come up with 95 Rules of Cyber Warfare. I guess they're going to nail those things to the door or everybody out there, and say "Here's what we're going to try to lay the foundation of what it means for cyber war."
Of the 95 rules, I just picked four to take a quick look at. Rule 9 says, an injured state may resort to proportionate countermeasures, including cyber. Well, proportionate means that of course if somebody shoots a rifle across your border, you don't roll a thousand tanks back. You're supposed to shoot a rifle back or maybe two, but keep it proportionate. Well, now the thing is basically saying that there's justification for defending yourself and counterattacking in cyber.
And rule 11 says that it goes to the rule of force, when it's actually equivalent to something they had physically destroyed. So if we think about something like Stuxnet that results in physical destruction of the centrifuges that were connected to the Siemens controllers, under Rule 11, it's proposed that would technically represent a use of force in a cyber operation.
I thought Rule 26 was rather interesting because it points out the combatant status under the Geneva Convention. It basically says that if you are a uniformed combatant in a conflict, and you're fighting the war according to the quote/unquote the rules, you are not a criminal.
So if your grandfather, who had been in World War II, goes over to visit Germany and they're going to arrest him in 2012 and when you were 19 years old then, no, that's not considered something that happened under those circumstances. But if you were a civilian, as a mass murderer killing people, you could still be held guilty.
Now, what's interesting is that militia and volunteer corps that are organized and have be considered to be a particular category. But if the organization does not have a specific commander, then you get no protection under the Geneva Convention, you're not considered an unlawful combatant, and you have no immunity.
And I point that out because it's interesting that Anonymous past structure has chosen a structure, probably not in view of this particular definition, but under international treaties their actions would be outside the law. And if this were to be an international treaty, you would say that you can't really justify that. I'm not here to say it's good or bad, I'm just here to say the way it is.
If you look at Dr. Thomas Adams, who wrote the army war column in 2001, 2002, that warfare has begun to leave human space. What that means is that the time and the complexity are too great for a human to go ahead and decide in the time required. It's going to be a war fought by computers. And we will only pretend to be in complete control.
As we depart from the ability to control our systems, we wonder who's going to be actually operating it? And are we really going to be victims of a computer war? Or are we going to be able to insert a human into the loop to potentially disconnect it from going ahead and going off the deep end?
It's unlawful in my opinion to take down the Internet because if that's the platform that you attack with - it's also the platform to defend with. It's also going to be a key component of your ability to regain your confidence from the government. But then again, people do blow themselves up. So you can't be certain they might just take everything with them.
The attacks are going to get faster. They're going to be more precise. They're going to have greater effects. But the concern I have is, are we preparing for the worst? So the bottom line, and I certainly hope not, is that we might have to get stir punched before we recognize the emergence of a new threat.
I made a statement on September 11 2001, when I was speaking in Washington D.C. The next day I started work at Ernst & Young in Manhattan. Eight in the morning, of course, 46 minutes later the whole world changed. If you want to look for my name on YouTube, you can get more information on that. But it wasn't that I knew something that nobody else knew. I could see what everybody else could see. And as a result, this looks like something that was a particular issue.
So Hacking an Act of War as a financial problem; we have to make sure that we're thinking about it, that we have ways of defending it. We've seen some legislative action. We're seeing some presidential action. We're seeing some military action. And let's just hope that we're getting enough action in the right amount of time.
Max, Concise Courses:
Amazing. Very, very well put together. A lot of information there. G. Mark, what is the U.S. government after? I know they're actually trying to recruit professionals who can help with their cyber strategy, but what skills - do you have a handle on the skills the government is looking for in particular? [For those interested in this question - look at our Hacker Hotshot with Winn Schwartau]
G Mark Hardy:
They're going to probably look for a number of skills, obviously, computer network defense, computer network attacks, someone who can go ahead and run those things; but also just general network knowledge and the ability to build effective systems the way they should be.
The concern is an awful lot of attacks are successful because of misconfigurations, unpatched software and vulnerabilities that could have been avoided and things had been done correctly. So there's a combination of a preemptive way of how do we make this right, as well as, we need people who could potentially engage in the cyber back and forth.
So I would say, go look at some of the recruiting. A lot of contractors that support some of the three letter agencies will have job openings. The best way to find out the skill sets you're looking for is to go look at a help wanted list.
Max, Concise Courses:
Does the U.S. government use any non U.S. software to protect their assets? In other words, is there a risk? Would you suggest that people only use U.S. manufactured solutions?
G Mark Hardy:
Yes this is the open source versus proprietary debate.
Max, Concise Courses:
Or more the non U.S. versus U.S. developed solutions.
G Mark Hardy:
If you have access to the source code and the ability to review it, it doesn't matter who wrote it - you just have to review the code.
Max, Concise Courses:
What are your predictions? Where are the future threats that really need to be focused on?
G Mark Hardy:
Big threats? Targets continue to be data systems - they continue to be attacked. Critical infrastructure that can be used to disable or disrupt target nations. Obviously, if you can blind the control networks then proceed to roll the tanks in as we saw in 2008, that's going to be one particular factor.
So there's constantly going to be this low level, if you will, spying as well as the extraction of information from one company, or one country to another due to lack of cyber security.
And again the problem is if we spend a tremendous amount of money developing a particular product or capability, and then somebody else can build exactly the same for zero R&D costs then you're at a disadvantage right off the bat.
Max, Concise Courses:
Just one last question. Are you satisfied with the recruitment efforts that the U.S. government is making right now or do you think they need to ramp it up?
G Mark Hardy:
We don't have enough qualified people. I've been a director of Cyber Watch for the last seven years. It's a consortium of colleges, universities, government agencies and what we try to provide is a pathway for students to get a 2 year associates degree, transfer 100 percent of the credits on to the university, perhaps even get a 2 year full scholarship under the government scholarship for service. In exchange, [the student would] agree to a 2 year tour with government as a civilian.
It's a great honor for people who want to do this, but might not have the financial resources to do so. I think that many people that take advantage of that opportunity are going to find that a government career may be exactly what they want. And it gives us the opportunity to get the people in there. But right now the hard part is that the supply is less than the demand.
Max, Concise Courses:
G. Mark, that was terrific. Thank you very much. Hopefully, we can do a follow up with you in the next couple of months and maybe there's a Cyber Security Act that's being signed for when we next get online. Thank you very much, sir. I really appreciate your time. Have a great rest of your day.
G Mark Hardy:
Sounds good, thanks and good bye.