“In IT security, offensive problems are technical – but most defensive problems are political and organisational.” — Halvar Flake AKA Thomas Dullien
“We do not have a cybersecurity problem. We have a nation state problem.” — Dmitry Alperovitch
“Our choice is no longer between government regulation and no government regulation, but between smart government regulation and ill-advised government regulation.” — Bruce Schneier
The first rule of a national cyber shield is that there’s no cyber shield. There are no borders, fortresses or moats to be breached. It actually works a bit like the immune system. National cyber shields are situational awareness platforms operating at scale, but with an explicit political mandate.
This is the tweet that reminded me to write this post:
Don't see a correlation. Sure, to quote @thegrugq: the perimeter is not the boundary of your network but the boundary of your telemetry. He calls it the Shadow Internet. But that only means that we may need a political data sharing architecture. How would AI/ML augment that? 🤔— Pukhraj Singh (@RungRage) January 23, 2019
National cyber shields have a political architecture. Let’s evaluate what some of the nation states are doing.
The US has had a well-established Active Defence strategy — re-purposing offence for defence — under the NSA programmes like Turbulence (Turmoil, QFire and QuantumTheory) and DefiantWarrior. The British GCHQ and other Five Eyes sisters, too, piggybacked on them.
But this outward-facing approach left domestic cyberspace completely defenceless. So, since the 2000s, US-CERT and the DHS have built an intrusion-detection-system-on-steroids called Einstein. Running over the .gov space, its third iteration is actually a situational awareness platform. Such platforms work on the following principle, expounded by Dan Geer:
Before In-Q-Tel, I worked for a data protection company. Our product was, and I believe still is, the most thorough on the market. By “thorough” I mean the dictionary definition, “careful about doing something in an accurate and exact way.” To this end, installing our product instrumented every system call on the target machine. Data did not and could not move in any sense of the word “move” without detection. Every data operation was caught and monitored. It was total surveillance data protection. What made this product stick out was that very thoroughness, but here is the point: Unless you fully instrument your data handling, it is not possible for you to say what did not happen. With total surveillance, and total surveillance alone, it is possible to treat the absence of evidence as the evidence of absence. Only when you know everything that did happen with your data can you say what did not happen with your data.
After the damning OPM breach, Obama also hastened the passing of the Cybersecurity Information Sharing Act and the Executive Order 13691 in 2015. These initiatives aimed to create a standard taxonomy for vendor-agnostic, machine-to-machine and cross-organisational sharing of cyber threat instrumentation metadata across critical sectors.
The government of a radically free-market economy imposing a data sharing regime on industry was a pretty big deal, but that may be the only way to carve out a ‘homeland cyberspace.’
At the taxonomic level, these efforts translated into languages like STIX-TAXII, a structured threat intelligence sharing protocol, and OpenC2, an autonomic, interoperable cyber response orchestration protocol proposed by the NSA. Naturally, the openness of such frameworks (at least in theory) faced a lot of resistance from the cybersecurity industry — which tells you that the siloed, commercial-grade enterprise security architecture and national cyber defence are in conflict with each other.
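As an added example (not from the original post, nor code from the OASIS STIX, TAXII or OpenC2 projects), here is the hand-off between the two protocols described above: a constructed STIX 2.1 indicator bundle, of the kind TAXII would distribute to a sector, is converted into OpenC2 `deny` commands that an orchestrator could push to network actuators. The bundle ids and addresses are placeholders; the converter deliberately handles only single-comparison patterns and reports anything more complex for an analyst rather than guessing.

```python
import json
import re

# Constructed STIX 2.1 bundle standing in for what a national platform would push
# over TAXII; the ids, 203.0.113.0/24 address and example.net domain are
# documentation values, not real indicators.
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2019-03-08T00:00:00.000Z", "modified": "2019-03-08T00:00:00.000Z",
         "pattern": "[ipv4-addr:value = '203.0.113.5']", "pattern_type": "stix",
         "valid_from": "2019-03-08T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2019-03-08T00:00:00.000Z", "modified": "2019-03-08T00:00:00.000Z",
         "pattern": "[domain-name:value = 'c2.example.net']", "pattern_type": "stix",
         "valid_from": "2019-03-08T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "created": "2019-03-08T00:00:00.000Z", "modified": "2019-03-08T00:00:00.000Z",
         "pattern": "[file:hashes.'SHA-256' = 'constructed-sha256-placeholder']",
         "pattern_type": "stix", "valid_from": "2019-03-08T00:00:00Z"},
    ]})

# STIX Cyber Observable types that map directly onto OpenC2 v1.0 target types.
TARGET_MAP = {"ipv4-addr": "ipv4_net", "domain-name": "domain_name"}
# Only a single equality comparison on the observable's 'value' property.
PATTERN_RE = re.compile(r"^\[(?P<obj>[a-z0-9-]+):value\s*=\s*'(?P<val>[^']+)'\]$")

def stix_to_openc2(bundle_json):
    """Return (openc2_commands, skipped_indicator_ids) for a STIX bundle.
    Patterns richer than one equality test (hashes, AND/OR, observation
    expressions) cannot be blocked at a network actuator, so they are reported
    instead of being silently dropped or mistranslated."""
    commands, skipped = [], []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.match(obj["pattern"])
        if not m or m["obj"] not in TARGET_MAP:
            skipped.append(obj["id"])
            continue
        commands.append({"action": "deny",
                         "target": {TARGET_MAP[m["obj"]]: m["val"]},
                         "args": {"response_requested": "ack"}})
    return commands, skipped
```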
Let’s look at the initiatives of other governments.
Israel could afford to run a cyber shield due to its tiny national footprint. Until recently, it was most likely a Deep Packet Inspection platform. Yigal Unna, Israel’s cyberczar, hinted at a major upgrade to its shield in 2018, which may transform it into a public-private metadata orchestration regime. Former cyberczar David Primor also gave a nice overview of Israel’s 20-minute detection-to-response strategy at Borderless Cyber 2017.
In 2016, France’s former head of technical intelligence Bernard Barbier got too excited while visiting his alma mater, spilling the beans on its cyber defence programme. He boasted:
In 2012, we had more resources and technical capacity to work on metadata. I came to the conclusion that this could only be the United States.
Instrumentation metadata is at play here again:
With the help of a new metadata capability the French obtained in 2012 and Edward Snowden’s revelation of the NSA’s QUANTUM capability in 2013, Barbier’s staff concluded that the attack on the Élysée was the work of the United States.
Germany, too, once dropped a hint about its .gov-scale instrumentation layer, which I avidly took note of. On April 28, 2017, Wikileaks started uploading stolen documents related to the CIA’s cyber offence directorate. As some of the technical indicators related to the CIA’s toolchain got exposed, Germany’s domestic intelligence agency BfV swung into action. In just a matter of weeks, it was able to map the command-and-control of the CIA’s implants that had compromised Germany’s networks, and list them in a public dossier. Now, that requires a solid instrumentation capability working across time and scale (despite the GDPR being in place).
The UK, too, has recently built a mechanism to declassify top-secret cyber intelligence and convert it into actionable defence downstream under the NCSC’s Active Cyber Defence project. Its single, anycast ‘public sector DNS’ server handling all the queries from the .gov.uk space (lovingly called Turing) went operational last year. Dr Ian Levy, the head of the NCSC, commented:
That is a game changer. That’s how you start to use top-secret intelligence to protect a country.
Turing is orchestrated via Threat-O-Matic: an all-in-one threat intelligence fusion and orchestration framework.
Russia’s nationwide SORM takes Geer’s maxim “evidence of absence” all too seriously. I am not going to talk about China’s Great Firewall and the Great Cannon, because they’re not even on the internet but on a fully balkanised cyberspace.
With the appointment of its first cyberczar under the current government, India also planned to embark on such an ambitious mission. The National Cyber Coordination Centre was initially conceived as a SOC-of-SOCs but was later re-branded as a situational awareness platform. As the former deputy national security advisor Dr Arvind Gupta himself pointed out, the effort has produced zero results and is to be marked as a failure.
PS: Japan and South Korea’s cyber shields are detailed in the following tweets:
Repeating this since 2015: 3 steps for India’s cyber shield
INSTITUTIONALISE sectoral metadata sharing
FORMALISE structured standards like STIX-TAXII & OpenC2
ACTUALISE the interfaces for National Response Network
— Pukhraj Singh (@RungRage) March 8, 2019
Japan’s own version of STIX-TAXII-like machine-to-machine threat intel protocol https://t.co/TKtzq9G4Vk
Here’s the South Korean national adaptive response system https://t.co/mZbxjTsUET
And Israel’s 20-minute detection-to-response strategy https://t.co/5e4ph4JnKY
— Pukhraj Singh (@RungRage) March 9, 2019
Update: China’s first cyber threat intelligence sharing platform expected to further upgrade nation’s cyber defense, http://en.people.cn/n3/2019/0118/c90000-9539303.html.
Update 2: India is launching its own public sector DNS: https://www.thehindu.com/business/india-to-have-own-dns-for-safe-browsing/article26344226.ece.