Henry Dalziel | Hacker Hotshots, Latest InfoSec News, Resources and Tutorials | October 18, 2013
We had a brilliant Web Show today (Friday October 18th 2013) with two of the world’s leading InfoSec Cyber War Experts: Winn Schwartau and Matt G Devost.
The title was “Infowar 1994 vs. 2014. Has our national defense improved or faltered?”
Keep reading for the Q&A or follow this link to watch the video.
The questions were: (answers transcribed to the best of our ability!)
Winn Schwartau: No! I mean, let’s go back again, what InfoWarCon was framed for – the concept was to get disparate groups together that had conventionally never talked. We actually put some of the first Five Star Generals next to hackers and got them into intellectual discussions over drinks; it had never been done before. Also, it was done internationally and we had frameworks for discussions on a United Nations Cyber Arms treaty. We proposed this back in the early 1990’s and people now are beginning to say that ‘we should think about it’, so no – this is an International issue, there are no conventional borders which is why Sweden, Lebanon, England, Germany and France, etc., are in this together one way or another. There are good guys in some places and bad guys in other places but it’s not unilateral.
Bypassing traditional concepts of borders is absolutely essential because the interest of the nation state could be different from the perspective of an NGO located within the traditional borders of that nation state. The rules are completely different and we have lost twenty years of opportunity to really frame it on a global basis and now the Russians are proposing it and making us look like jerks.
Matthew G. Devost: Sweden is a perfect example. How many people that spoke at InfoWarCon went on to speak in Sweden and influence their approaches to how they were dealing with these issues. It has definitely been an international community engagement from the start.
Winn Schwartau: I want to pull Obamacare out of the discussion because this was back in the early 1990’s and was framed very early. ‘Should we criminalize bad engineering’ is really the question here. Is it the company’s fault for misconfiguration, or is it the vendor’s fault for having a flaw built into it that the company should not be expected to find. How do you lay blame on technology when the only difference between an attack and bad coding is intent? I like to keep everything out of Congress if I can for a while. Every time they touch anything technologically orientated they screw it up, they turn it into a binary function and we are living on a spectrum; a big spectrum that is not defined, and for us to lock ourselves into a ‘yes or no’ answer is really going to restrict our present and future capabilities and ‘political will’ in terms of defending ourselves.
Matthew G. Devost: We do criminalize bad engineering and we sign indemnifications that say that we won’t hold them [the organization with the bad code/application, etc.] liable. So, you are never going to solve it through legislation. I have been a firm believer, even though we haven’t seen it yet, that the courts will resolve this – not from a regulation perspective but from a due diligence, negligence, shareholder and lawsuit perspective. I think we will reach a point in time when we are going to have standards of care that are dictated on liability to shareholders and customers that emerge.
We saw hints of that at the Department of Interior where a Federal Judge ordered them to disconnect from the Internet because they could not secure the information that was entrusted to them, i.e. the individual’s information. I think that as we start to see the catastrophic attacks where a company loses the entirety of their IP that impacts their stock price, you’ll start seeing that standard for care and due diligence emerge because the lawyers will get involved.
Winn Schwartau: You know where I think it will come first? In SCADA and ICS (Industrial Control Systems). There is a connect effect that touches the physical world that pure cyber stuff doesn’t.
Matthew G. Devost: Absolutely, I am sure you will see some of that. If a power grid goes down for 15 days because someone didn’t appropriately maintain or manage their SCADA network or didn’t ‘air gap it’ and somebody got in there, there will be some significant liability.
Matthew G. Devost: Not in the context that I am talking about. The Silk Road was a billion dollars of transactions that went through [the site]. A majority of them [the users] focused around drugs that are legalized in some entities so that is a law enforcement type action that is taking place to pursue national policy associated with counter-drug policies. We throw in assassinations and the hacking and all that stuff because it is sexy when we talk about Silk Road but let’s be honest, it was facilitating relationships between consenting adults to purchase drugs. You can do the same thing on Craigslist.
That’s not what I am talking about; you are going to continue seeing these political actions going after things in Cyber Space. Really what I am talking about, from a ‘strike-back’ perspective, is [for example] there is a major Command and Control Node that gets noticed against a Fortune 1,000 company, and there is a new piece of malware that exploits a zero day that goes across the wire and you see that it is reporting in. Before that bot net [can spread malware] somebody from the US government says, ‘where is that command and control node’ let’s verify the fact that we are not getting misled and go in and take it over. You stem the whole cascading process of what happens with that bot net.
What’s a better corollary is the activity that Microsoft has been involved with in dismantling some of these bot nets by sending commands to their terminals to uninstall the malware. The problem is that it takes Microsoft and the legal system three to five years to go through the process to actually get those bot nets down. I want to do it in three to five hours or three to five minutes. That should be the metric, not something which is a historical attack against the bot net but that it is a pro-active attack to take them down.
Winn Schwartau: Two comments, one: time-based security, absolutely correct and hopefully I’m going to be able to re-introduce some of this at InfoWarCon as well because warfare has always been about time-based security. The thing that is really important and what Matt is talking about is, if I walk down the streets of New York, and Matt tries to mug me with a knife, I can remove his weapon system and if he keeps coming at me I can stab him in self-defense legally. In Cyber space it is illegal for me to remove my adversary’s weapon system, and that is what needs to be changed. If the lawyers can figure out a way to say ‘no’ they can also figure out a way to say ‘yes’ to have proportional response to at least remove my adversary’s weapons so then I can take appropriate other actions.
Winn Schwartau: I am glad that question came up. This is one of my pet peeves and how I accidentally got involved with this whole thing 25 years ago. I was a security guy, just a low-level guy doing security stuff and I had this idea about turning things offensive. I started making crap up just out of my head, ‘what if I did this and did this’ and what we are doing now is ignoring every bit of the past. Before I wrote my first book I studied a tremendous amount of history. I knew nothing about military history and I read 50 books, stuff I liked and stuff I didn’t to get a flavor to what warfare was about and realized that Cyber Conflict in the early 1990’s was effectively warfare just kind of turned on its head a little bit. What we are neglecting today is to teach history. I have met guys coming out of CS’s with 4.0’s, and I run by them simple concepts of reference monitor – kinds of interrupts that were traditional backbones of security. They don’t know any of this, we are not teaching them history and we are not teaching context and how conflict is waged or the psychological aspects of it.
Our educational system is absolutely horrendous when it comes to preparing for Cyber Warriors, whether it is going to be on the government side or the corporate side and we are our own worst enemy with this.
Matthew G. Devost: I would agree, with the exception of my class at Georgetown! The problem is that I only impact 25 students per semester and they go on to do great things. I’ll put a plug in there for Jason Healey here, who is also going to be speaking at InfoWarCon. I would make required reading his latest book that he did at the Atlantic Council, ‘A Fierce Domain’ that talks about how we have had these Cyber Conflicts in all sorts of variations going back to the Cuckoo’s Egg so that you have some sense of history. One of my greatest frustrations is, and I rant about this on Facebook, that you have these emerging security solutions and things being proposed, and saying that they ‘are new.’ They are not new and some of them have been around for ten or twenty years. Your approach to the topic will be so much stronger if you can use as a base everything that has happened in the last ten to fifteen years and then advance the bar.
So that is a key issue, saying ‘let’s stop re-inventing the past and quit having wake-up calls’. Bob Orley has a great presentation he gives about how many times we have had a High US Official in the military look at something and say ‘that was a wake-up call’. It is not a wake-up call or hitting the snooze button, what we really need to do is get out of bed and put one foot in front of the other and advance the bar in some of these issues. Want to talk about ‘Active Defense?’ Then build on everything that has been talked about for the past twenty years and then how do we move it forward for the next ten years. Don’t recreate what we created fifteen years ago. That is one of the greatest frustrations: getting people that sense of history and moving the dialogue forward.
We can get a discount coupon for people that are attending this. [The URL] events.cyberfed.com is where you can find out all the information. There are contact details there and if you are listening to this show prior to registering send us a note or email to the email address and tell us that you were listening and we will mail you back a discount code.
Matthew G. Devost: I would argue with that. I would say that Cyber Space does have borders. If we look at what happens in China and Syria and some of these other places. We have borders, they are called: ‘rules on routers’ and egress and ingress points. But that is changing and I think that is one of the things that we need to talk about at InfoWarCon which is, ‘how does our concept of managing traffic in Cyber Space change in a world where you are going to have everything connected and everything capable of building its own mesh network!’
Winn Schwartau: I think the answer to that is that we need to route all the traffic through Fort Meade and let them parse it out!
Matthew G. Devost: Anybody ordering a pepperoni pizza should have to go through the Schwartau house!
What are your thoughts regarding Cyber Warfare? Do you agree with the above? Are we in a worse situation than we were in 1994 or a better one?