Writings of Pukhraj Singh

Gluing cybersecurity with geopolitics

Posted on 27th January 2019 (updated 18th March 2019) by Pukhraj Singh

What does a ‘national cyber shield’ look like?

“In IT security, offensive problems are technical – but most defensive problems are political and organisational.” — Halvar Flake AKA Thomas Dullien

“We do not have a cybersecurity problem. We have a nation state problem.” — Dmitry Alperovitch

“Our choice is no longer between government regulation and no government regulation, but between smart government regulation and ill-advised government regulation.” — Bruce Schneier

The first rule of a national cyber shield is that there’s no cyber shield. There are no borders, fortresses or moats to be breached. It actually works a bit like the immune system. National cyber shields are situational awareness platforms operating at scale, but with an explicit political mandate.

This is how I got reminded to write this post:

Don't see a correlation. Sure, to quote @thegrugq: the perimeter is not the boundary of your network but the boundary of your telemetry. He calls it the Shadow Internet. But that only means that we may need a political data sharing architecture. How would AI/ML augment that? 🤔

— Pukhraj Singh (@RungRage) January 23, 2019

National cyber shields have a political architecture. Let’s evaluate what some of the nation states are doing.

The US has had a well-established Active Defence strategy — re-purposing offence for defence — under the NSA programmes like Turbulence (Turmoil, QFire and QuantumTheory) and DefiantWarrior. The British GCHQ and other Five Eyes sisters, too, piggybacked on them.

But this outward-facing approach left domestic cyberspace completely defenceless. So, since the 2000s, US-CERT and the DHS have built an intrusion-detection-system-on-steroids called Einstein. Running over the .gov space, its third iteration is actually a situational awareness platform. Such platforms work on the following principle, laid out by Dan Geer:

Before In-Q-Tel, I worked for a data protection company. Our product was, and I believe still is, the most thorough on the market. By “thorough” I mean the dictionary definition, “careful about doing something in an accurate and exact way.” To this end, installing our product instrumented every system call on the target machine. Data did not and could not move in any sense of the word “move” without detection. Every data operation was caught and monitored. It was total surveillance data protection. What made this product stick out was that very thoroughness, but here is the point: Unless you fully instrument your data handling, it is not possible for you to say what did not happen. With total surveillance, and total surveillance alone, it is possible to treat the absence of evidence as the evidence of absence. Only when you know everything that did happen with your data can you say what did not happen with your data.

After the damning OPM breach, Obama also hastened the passing of the Cybersecurity Information Sharing Act and the Executive Order 13691 in 2015. These initiatives aimed to create a standard taxonomy for vendor-agnostic, machine-to-machine and cross-organisational sharing of cyber threat instrumentation metadata across critical sectors.

The government of a radically free-market economy stepping in to create a data sharing regime was a pretty big deal, but that may be the only way to carve out a ‘homeland cyberspace.’

At the taxonomic level, these efforts translated into languages like STIX-TAXII, a structured threat intelligence sharing protocol, and OpenC2, an autonomic, interoperable cyber response orchestration protocol proposed by the NSA. Naturally, the openness of such frameworks (at least in theory) faced a lot of resistance from the cybersecurity industry — which tells you that the siloed, commercial-grade enterprise security architecture and national cyber defence are in conflict with each other.

Let’s look at the initiatives of other governments.

Israel could afford to run a cyber shield due to its tiny national footprint. Till recently, it was most likely a Deep Packet Inspection platform. Yigal Unna, Israel’s cyberczar, hinted at a major upgrade to its shield in 2018, which may transform it into a public-private metadata orchestration regime. Former cyberczar David Primor also gave a nice overview of Israel’s 20-minute detection-to-response strategy at Borderless Cyber 2017.

In 2016, France’s former head of technical intelligence Bernard Barbier got too excited while visiting his alma mater, spilling the beans on its cyber defence programme. He boasted:

In 2012, we had more resources and technical capacity to work on metadata. I came to the conclusion that this could only be the United States.

Instrumentation metadata is at play here again:

With the help of a new metadata capability the French obtained in 2012 and Edward Snowden’s revelation of the NSA’s QUANTUM capability in 2013, Barbier’s staff concluded that the attack on the Élysée was the work of the United States.

Germany, too, dropped a hint about its .gov-scale instrumentation layer once, which I avidly took note of. On April 28, 2017, Wikileaks started uploading stolen documents related to the CIA’s cyber offence directorate. As some of the technical indicators related to the CIA’s toolchain got exposed, Germany’s domestic intelligence agency BfV swung into action. In just a matter of weeks, it was able to map the command-and-control of the CIA’s implants that had compromised Germany’s networks, and list it in a public dossier. Now, that requires a solid instrumentation capability working across time and scale (despite the GDPR being in place).

The UK, too, has recently built a mechanism to declassify top-secret cyber intelligence and convert it into actionable defence downstream under the NCSC’s Active Cyber Defence project. Its single, anycast ‘public sector DNS’ server handling all the queries from the .gov.uk space (lovingly called Turing) went operational last year. Dr Ian Levy, the head of the NCSC, commented:

That is a game changer. That’s how you start to use top-secret intelligence to protect a country.

Turing is orchestrated via Threat-O-Matic: an all-in-one threat intelligence fusion and orchestration framework.
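As an added illustration (not code from this post, from the NCSC or from any of the programmes named above), here is a toy of the pipeline the US and UK sections describe: structured threat intelligence in STIX 2.1 indicator form feeding a protective resolver that sinkholes flagged queries from a .gov-style estate and records which indicator fired. The indicator feed, the sinkhole address and the upstream resolver stub are constructed; only the single-comparison domain-name subset of STIX patterning is parsed, and expired or not-yet-valid indicators are deliberately ignored.

```python
import re
from datetime import datetime, timezone

# Constructed STIX 2.1-style indicator objects (a toy feed, not real intelligence).
INDICATORS = [
    {"id": "indicator--0001", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'c2.bad.example']",
     "valid_from": "2019-01-01T00:00:00Z", "valid_until": "2030-01-01T00:00:00Z"},
    {"id": "indicator--0002", "pattern_type": "stix",  # expired: must not block
     "pattern": "[domain-name:value = 'stale.example']",
     "valid_from": "2018-01-01T00:00:00Z", "valid_until": "2018-06-01T00:00:00Z"},
    {"id": "indicator--0003", "pattern_type": "stix",  # not a domain: skipped here
     "pattern": "[ipv4-addr:value = '198.51.100.7']", "valid_from": "2019-01-01T00:00:00Z"},
]
# Only the single-comparison domain-name subset of STIX patterning is parsed.
DOMAIN_PATTERN = re.compile(r"^\[domain-name:value\s*=\s*'([^']+)'\]$")
SINKHOLE = "0.0.0.0"  # constructed sinkhole answer returned for blocked names

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_blocklist(indicators, now):
    """Map domain -> indicator id for the domain indicators that are valid at `now`."""
    block = {}
    for ind in indicators:
        m = DOMAIN_PATTERN.match(ind.get("pattern", ""))
        if ind.get("pattern_type") != "stix" or not m:
            continue
        if parse_ts(ind["valid_from"]) > now:
            continue
        if "valid_until" in ind and parse_ts(ind["valid_until"]) <= now:
            continue
        block[m.group(1).lower().rstrip(".")] = ind["id"]
    return block

def match_domain(qname, block):
    """Suffix match: an indicator on c2.bad.example also covers www.c2.bad.example."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in block:
            return cand, block[cand]
    return None

def resolve(qname, block, upstream=lambda q: "203.0.113.10"):
    """Sinkhole a blocked name, tagged with the indicator that fired; else forward upstream (stubbed)."""
    hit = match_domain(qname, block)
    if hit:
        return {"qname": qname, "answer": SINKHOLE, "blocked": True, "indicator": hit[1]}
    return {"qname": qname, "answer": upstream(qname), "blocked": False, "indicator": None}
```

The `blocked` records are the downstream "actionable defence" the post talks about: each one names the client query and the intelligence object that justified the block, which is what a fusion layer like Threat-O-Matic would aggregate.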

Russia’s nationwide SORM takes Geer’s maxim “evidence of absence” all too seriously. I am not going to talk about China’s Great Firewall and the Great Cannon, because they’re not even on the internet but on a fully balkanised cyberspace.

With the appointment of its first cyberczar under the current government, India also planned to embark on such an ambitious mission. The National Cyber Coordination Centre was earlier deemed as a SOC-of-SOCs but was later re-branded as a situational awareness platform. As the former deputy national security advisor Dr Arvind Gupta himself pointed out, the effort has produced zero results and is to be marked as a failure.

PS: Japan and South Korea’s cyber shields are detailed in the following tweets:

Repeating this since 2015: 3 steps for India’s cyber shield

INSTITUTIONALISE sectoral metadata sharing

FORMALISE structured standards like STIX-TAXII & OpenC2

ACTUALISE the interfaces for National Response Network

🇮🇱 https://t.co/5e4ph4rMmo

🇬🇧 https://t.co/1ZoB0TPF1K https://t.co/bc10ZraxFH

— Pukhraj Singh (@RungRage) March 8, 2019

Japan’s own version of STIX-TAXII-like machine-to-machine threat intel protocol https://t.co/TKtzq9G4Vk

Here’s the South Korean national adaptive response system https://t.co/mZbxjTsUET

And Israel’s 20-minute detection-to-response strategy https://t.co/5e4ph4JnKY

— Pukhraj Singh (@RungRage) March 9, 2019

Update: China’s first cyber threat intelligence sharing platform expected to further upgrade nation’s cyber defense, http://en.people.cn/n3/2019/0118/c90000-9539303.html.

Update 2: India is launching its own public sector DNS: https://www.thehindu.com/business/india-to-have-own-dns-for-safe-browsing/article26344226.ece.

Categories: cyber. Tags: cyber shield, gulshan rai, instrumentation, machine-to-machine, metadata, national cyber coordination centre, openc2, situational awareness, stix, stix-taxii, taxii

Pukhraj Singh is a cyber threat intelligence analyst with 14 years of experience. He has worked with the Indian government and security response teams of global companies.

Cyber geo-strategy does not exist as a formal discipline in India. This blog takes a shot at it.

It also curates Pukhraj's publications on cybersecurity spanning a decade.

His writings have been published by the US Military Academy, Indian Army, The Indian Express, Hindustan Times, The Tribune, Infosecurity Mag, SC Magazine, Outlook, Deccan Herald, The Print, Huffington Post, BW BusinessWorld, The Quint, Jindal Journal of International Affairs and Seminar.

Pukhraj has guest lectured senior commanders at the College of Air Warfare, Indian National Defense University and the Headquarters of the Integrated Defence Staff. He has also spoken at international security conferences.

Pukhraj is a member of the Australian Institute of Professional Intelligence Officers.

He was also recognised as a social activist while running Abroo, a now defunct lobbying initiative for the welfare of Dalits of Punjab.