Advanced Threats

2/17/2015 09:30 AM
Mike Walls
Commentary
Why The USA Hacks

The U.S. government views cyberspace as just another theater of war akin to air, land and sea, and it operates in the domain for one basic reason: national defense.

Last in a six-part series on the motivations that compel nation-states to hack.

The United States operates in the cyber domain as a national entity for a simple reason -- to protect its citizens. Like traditional notions of national defense, cyber operations extend across political, economic and military pillars of national power. But cyber operations are, in a sense, more complex, because they affect the pillars of power more profoundly, due to the speed at which they occur.

Consider how quickly the Allied Forces moved across Europe during World War II following the D-Day invasion on June 6, 1944. Within about a year, the allies coordinated a multi-pronged campaign attacking the German military on the ground, the economy from aerial bombardment of German industry, and politically by strengthening the Allies while simultaneously dismantling the Axis forces. Now consider the speed at which a modern aggressor nation could attack another nation’s military, economy and political establishment through cyber warfare. With the right planning, a well-coordinated cyber campaign could be executed with an immediate impact and with the same devastating effects.

In spite of the insight into NSA operations provided to us by Edward Snowden, I am steadfast in my belief that U.S. cyber operations are focused solely on national defense and that those operations do not include the exploitation of information for economic or financial gain. Moreover, the U.S. government imposes strict limits on cyber espionage through statutes and regulations, and holds agencies accountable for violations of those statutes and regulations through comprehensive political oversight.

Flag Map by Lokal_Profil via Wikimedia Commons

This is not to say that there isn’t potential for abuse of power of agencies in the cyber national defense community and the political establishment. That potential certainly exists and could manifest itself, should the wrong people ascend to leadership roles in government at the wrong time. For skeptical readers, I can only emphasize that my assessment is based upon personal observations made during my recent tenure in the Department of Defense cyber community. For this discussion, I’ll focus on the three organizations that contribute to the national security effort by confronting threats from aggressor nations: CIA, NSA, and United States Cyber Command.

CIA Mission Statement
Preempt threats and further US national security objectives by collecting intelligence that matters, producing objective all-source analysis, conducting effective covert action as directed by the President, and safeguarding the secrets that help keep our nation safe.

Cyber operations in a nation-state context map directly to every aspect of the CIA mission statement. By collecting intelligence and producing analytical reports, the CIA plays an important role in building the threat picture for the intelligence community. But CIA cyber operations are bounded by the guidelines of Executive Order 12333 and Title 50 of the U.S. Code. EO 12333 restricts CIA operations involving U.S. citizens in the United States, and Title 50 refers to intelligence agencies, intelligence activities, and covert operations. Because CIA operations are clandestine, there isn’t a broad body of knowledge available to the public that demonstrates how the agency operates in the cyber domain. But most recently, we did learn that the CIA was allegedly involved in Operation Olympic Games, a cyber campaign directed at denying Iran nuclear weapons capability.

NSA Mission Statement
The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both Signals Intelligence (SIGINT) and Information Assurance (IA) products and services, and enables Computer Network Operations (CNO) in order to gain a decision advantage for the Nation and our allies under all circumstances.

Although the reputation of the NSA, courtesy of Snowden, has been tarnished both inside and outside of the U.S., it's important to realize that this agency has a long and storied history of protecting the United States from the full spectrum of adversaries by leveraging superior technology throughout the electromagnetic spectrum. Prior to the age of cyber, NSA operated in the spectrum to collect and analyze signals intelligence across the globe. Although information about NSA operations is limited for security reasons, many operations still find their way into the media, and the resulting stories are often based more on speculation than on hard facts.

Clearly written in the NSA mission statement is the task of enabling computer network operations, implying both offensive and defensive capability. From a practical standpoint, the NSA is the functional leader of U.S. computer network ops across government, including the Department of Defense. There is a deep symbiotic relationship between NSA and the uniformed services, particularly the Navy. That link was formalized through CSS, the component of NSA responsible for providing cryptologic support to the Armed Services.


Like the CIA, NSA operations are highly classified, and when aspects of an operation end up in the public forum, they are typically subjected to a tremendous amount of speculation. The end result is usually an interesting story loosely based upon opinion. But some accounts of NSA operations are compelling and simply make sense. Ronald Reagan's decision to launch air strikes against Libya (Operation Eldorado Canyon) following the 1986 German disco bombing which, unfortunately, took the lives of at least two U.S. servicemen, was believed to be based upon critical signals intelligence provided by NSA.

United States Cyber Command (USCC) Mission Statement
USCYBERCOM plans, coordinates, integrates, synchronizes, and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.

In the information age, military operations are completely dependent upon information systems for myriad reasons, ranging from command and control of operational forces in the battle space, to weapons systems, to everyday business of running the Navy, Army, Air Force, and Marine Corps. That dependence was the motivation behind the establishment of the United States Cyber Command in 2009.

As Director of NSA, General Keith Alexander was the driving force behind the creation of an organization dedicated to supporting U.S. combatant commanders in the field. General Alexander knew that the U.S. military needed a unified force of cyber operators, which could operate with the warfighters in the uniformed services, as well as with agencies like NSA. The connection already existed from an administrative standpoint, but there was no operational link with NSA. The distinction between operations and administration is significant because the U.S. government, particularly DoD, correctly views cyberspace as another warfighting domain, akin to air, land, and sea. The bond between NSA and USCC was solidified with the dual responsibility of the Director of NSA and Commander of USCC.

The cyber army that General Alexander envisioned is taking the form of a Cyber National Mission Force of roughly 6,000 military personnel. The force, which will be distributed across 133 teams and is on track to be fully functional by 2016, will focus on three areas: providing support to combatant commanders across the globe, defense of the DoD information network, and protection of the nation's critical infrastructure and key resources.

Why we hack
When we look at all of the nations which we have discussed in this series, it isn’t surprising that the common answer to the question of “Why They Hack” is national defense. But to assume that national defense has the same meaning to different governments is overly simplistic. While we understand, intuitively, what a literal defense of a nation commonly means, the behavior of some nations in the name of national defense is difficult to explain.

We see China and Russia engaging in exploitation of intellectual property for economic and financial gain. We see Iran and China conducting cyber operations in an effort to expand their spheres of influence. We see North Korea lashing out in an effort to demonstrate its relevance in the geo-political community. Finally we see Israel and the United States conducting cyber operations to protect their national security.

Does this mean that the United States and Israel maintain higher ethical standards of cyber conduct? I believe the United States does, but I admit that the point is arguable. We know that the United States has made mistakes; the Snowden data suggests that it did. But in the end, US cyber operations are bounded by laws, regulations, and accountability, and that’s the only way to maintain order in an environment rooted in disorder.

Mike Walls is the Managing Director of Security Operations at EdgeWave. During his time as a captain with the US Navy, he was commander of Task Force 1030 and was directly responsible for the cyberreadiness of more than 300 ships, 4,000 aircraft, and 400,000 Navy personnel.

Comments
Marilyn Cohodas,
User Rank: Strategist
2/19/2015 | 9:56:53 AM
Re: We are far better off with these organizations
"who's overseeing the people who are charged with oversight."

That would be both our elected and unelected leaders, including the press (the Fourth Estate) and even whistleblowers like Edward Snowden, whether you believe him to be a hero or a traitor. Democracy is messy, but transparency is key to making our leaders and decision-makers accountable.
mwallsedgewave,
User Rank: Author
2/18/2015 | 12:34:12 PM
Re: We are far better off with these organizations
Excellent points. So the key is the right amount of oversight, at the right time. Historically we see Congressional committees or commissions investigating overreach after something egregious ends up in the media. We need to stay ahead of potential problems through proactive Congressional involvement. But there's a catch: what happens if the oversight committees in Congress allow an overreach... who's overseeing the people who are charged with oversight.
BertrandW414,
User Rank: Strategist
2/18/2015 | 10:55:54 AM
We are far better off with these organizations
We are far better off with these organizations doing what they do, and I believe that the vast majority of their work is honorable, but as they say, power corrupts, and we run into problems when they overreach and justify their actions in the name of National Security - I don't need to produce for you a list of S. American, Central American, and African leaders who were assassinated by the CIA (or those working on behalf of the CIA) to make you wonder if the CIA has ever overreached. Yes, foreign policy can be terribly complex and we now also have the great advantage of hindsight, and the Americans involved in these projects surely believed that what they were doing was what was best for our country.

As for the CIA not collecting information about U.S. citizens, here is something from a CIA website... "Take, for instance, CIA's Operation CHAOS. The CIA collected substantial amounts of information on domestic dissidents from 1967 to 1973. The Rockefeller Commission deemed the program a violation of the CIA statutory charter."
www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/vol20no2/html/v20i2a01p_0001.htm
GonzSTL,
User Rank: Ninja
2/17/2015 | 2:44:06 PM
Re: Distrust
@Whoopty: Excellent points, especially in the trust/distrust area. It is very disconcerting to citizens when the government takes on the Big Brother role, specifically with respect to information gathering. The potential for misuse and abuse is simply too great, as we have seen in many not so distant events. Human nature dictates that there will always be people who abuse the information gathered, or the powers bestowed upon them by whatever authority the organization has, with respect to their activities. I would argue that no model is perfect, but in spite of the absence of perfection, we simply cannot do without this operation in place. If one were to apply simple metrics to gauge the effectiveness of this operation, then surely the publicized results will appear to show it as ineffective, as you have pointed out. However, one should also ponder the possibility that positive results may, by their very nature, lend themselves to secrecy, in cases where the perceived threats do not yet realize that they have been already exposed to the operation, thereby rendering the simple metric test relatively invalid. As with any intelligence operation, this particular one evolves with the situation. One can only hope that the evolution is in the right direction, and (ironically) place trust in the administration to lay that proper course.
mwallsedgewave,
User Rank: Author
2/17/2015 | 12:58:33 PM
Re: Distrust
Your points are well taken, Whoopty.

You touched on bad behavior by some of the employees of Government agencies and I agree with the inference that there isn't enough oversight and accountability, particularly with regard to the cases you identified at NSA (I include Mr. Snowden in the badly behaving employee category). Oversight is especially important in organizations that can potentially abuse the public trust.

To your point about the success of NSA programs, the value of these operations conducted is greater than the specific wins identified by DRNSA. Presumably, these programs provide enough aggregated data for the US Government to maintain the highest levels of situational awareness across the global cyber environment. So while the numbers on the scoreboard may not be compelling today, information gathered yesterday may be helping to build a picture that will help stop an event that is planned for tomorrow.

Finally, I completely agree that trust and distrust swing both ways, and the US Government is beginning to understand that concept given the allegations of spying on allies.

Thanks again for the great thoughts!
Whoopty,
User Rank: Ninja
2/17/2015 | 12:32:34 PM
Distrust
I don't think anyone in the public is bothered with the NSA, CIA and other organisations taking part in national defence or even hacking other countries (though it's debatable whether many would agree with hacking allies, like Angela Merkel's phone); the problem comes from the catch-all nature of many of the intelligence agencies' schemes and their seeming disinterest in how ineffective it is.

Despite collecting all of the metadata and in many cases the content of conversations, emails and text interactions, the head of the NSA claimed maybe 1-2 terrorist plots had been stopped and even then, that was when combined with traditional policing. 

Surely then this is an ineffective way to combat it? 

On top of that, there are proven instances of it being abused and NSA staffers looking up information on lovers and ex-partners.

Heck, Edward Snowden, a contractor, was able to steal all of this information. How secure can the information the NSA collects on everyone, really be? 

Treating everyone as if they're the enemy engenders distrust and that now swings both ways, because people don't trust their government not to spy on them. 
swreynolds92,
User Rank: Strategist
2/17/2015 | 12:22:51 PM
Equation Group & the NSA
Given the current revelation of possible ties between the "Equation Group" and the NSA, does your view of why the US hacks change at all?