On Friday, 25 January 2013, the hacktivist group Anonymous hacked and defaced the website of the United States Sentencing Commission (USSC), the
agency responsible for articulating the sentencing guidelines for the US
federal courts. According to Anonymous,
the attack was a response to the 11 January 2013 suicide of activist Aaron
Swartz, which some allege to have been motivated by Swartz’s prosecution by the
US Department of Justice. The hack
replaced the homepage with a video condemning the prosecution, claiming to have
distributed encrypted government files and threatening to release the
encryption keys if the government failed to reform cybercrime legislation.
Two days later, on 27 January 2013, Anonymous hacked the USSC website again, turning it into a playable
version of the classic video game “Asteroids,” and tweeted that the game could
be played on a “backup” site – the website for the federal probation office in
Michigan. Once the player erases the USSC website while playing the game,
Anonymous’ trademark Guy Fawkes mask is revealed. The mask is made of white text on a black
background reading “We do not forgive.
We do not forget.” As of 1 February
2013, the USSC website is listed as “under construction.”
At the same time (27 January 2013) the US Department of Defense (DoD) announced that
the American cybersecurity force, US Cyber Command, would be dramatically expanded over approximately three years, growing from 900 to about 4,900
personnel. The expansion’s goal? To transform an agency that has been focused
on security and defense into a 21st century force capable of
offensive, defensive and effects based operations. The objective Cyber Command will consist of
national mission forces, whose mission will be to defend critical national
infrastructure; combat mission forces, who will integrate and work with deployed
combat forces to add a cyber weapon to a combatant commander’s arsenal; and
cyber protection forces charged with defending the DoD’s networks.
Coincidental timing? Maybe. It’s more likely that the DoD is finally
waking up to 21st century reality.
In 2010, DoD systems were probed six million times a day. In 2013, it's estimated that DoD systems will be probed by unauthorized users over eight million times a
day. That’s in excess of 300,000 probes
an hour. This, however, is only the tip
of the iceberg. The hostility of the international
cyber-environment makes Io’s (one of Jupiter’s moons) volcanic surface, sulfur dioxide atmosphere and continuous exposure to lethal ionizing radiation seem warm and inviting by comparison.
Secondary, and, increasingly, primary schools in both Russia and China feature
state sponsored hacking clubs. These
aren’t just modern alternatives to chess and math clubs. They’re state sponsored militias that combine
a powerful offensive cyber capability with plausible deniability.
The might of these quasi-state organizations was demonstrated in 2008
when Russia and Georgia went to war.
Within hours of the commencement of hostilities, the Georgian internet infrastructure was paralyzed. Who was
behind the attacks? A shadowy, and
mostly illegal, organization known as the Russian Business Network (RBN) and a
collection of hacktivists focused on the stopgeorgia.ru
website. (Interestingly, the stopgeorgia.ru website was hosted on
servers located in Texas.) The fact that
the cyber attacks coincided neatly with attacks by Russian air and ground
forces was lost on nobody. Russian
protestations that the attacks were the work of overzealous nationalists were
at best unconvincing.
The Chinese have taken the concept of a “people’s cyber war” a step
further by creating “cyber warfare militias.”
Cyber militias are People’s Liberation Army (PLA) civilian units composed of workers with high tech day jobs.
Militia members channel their professional expertise into PLA efforts on
military communications, electronic warfare and network operations. At the same time, the Chinese are investing
heavily in augmenting the regular PLA’s ability to manage and exploit cyber
technology as well as advanced weapon systems.
And so, the DoD is making a very timely decision. More importantly, the
decision is supported by official DoD policy.
The DoD Information Enterprise Architecture (IEA) version 2.0 calls out
very specific rules and principles with respect to system and information security,
including:
- Authoritative data assets, services, and applications shall be accessible to all authorized users in the Department of Defense, including Joint, interagency, inter-governmental, and multinational partners, and accessible except where limited by law, policy, security classification, or operational necessity;
- The globalization of information technology, particularly the international nature of hardware and software (including supply chain) development and the rise of global providers of Information Technology (IT) and communications services presents a very new and unique security challenge. Global Information Grid (GIG) resources must be designed, managed, protected, and defended to meet this challenge;
- All DoD information services and applications must uniquely and persistently digitally identify and authenticate users and devices. These services, applications, and networks shall enforce authorized access to information and other services or devices according to specified access control rules and quality of protection requirements for all individuals, organizations, COIs, automated services, and devices;
- A comprehensive security policy will be developed that addresses all aspects of Identity Management and Authentication (Id&A) and provides for realistic opportunities to enforce the greater Information Assurance (IA) policy requirements;
- Design and implement a single authentication mechanism that is usable across the IE regardless of Service affiliation, role, and/or deployment status; and
- Implement a digital attribute based approach for granting access to information integrated with an overall IA policy and single authentication mechanism approach.
The decision (as well as its rationale and execution methodologies) to
improve the DoD’s defensive and offensive cyber capabilities is well understood
and has commitments from the highest levels, including the DoD Chief
Information Officer’s (CIO) office, the office of the Director of the Defense
Information Systems Agency (DISA) and the secretaries’ offices for the service
components. Unfortunately, this decision
has yet to be widely reflected in the systems currently fielded by the DoD and
the intelligence community (IC).
Many of these systems rely on a security perimeter guaranteed by ever-changing
passwords, trusted digital certificates or both, coupled with role-based access
control (RBAC) mechanisms.
Unfortunately, the administrative overhead associated with managing
large numbers of RBAC roles results in very few being implemented in
practice. A typical fielded
instantiation will have only two or three roles such as user, supervisor and
system administrator. This means that
once an attacker (either an external hacker belonging to a cyber-warfare
militia, or worse, a disgruntled insider) is past the perimeter security, there
is virtually no system resource that is safe.
Attribute-based access control (ABAC) mechanisms reduce this
vulnerability by compartmentalizing system resources. Each resource request is evaluated against stored
user characteristics and access control policies for the requested
resource. If the user characteristics don’t
match the policy, access is denied. When
using advanced interface definition languages such as Apache Thrift to support
ABAC transactions, the additional system overhead incurred by the increased
security is surprisingly small.
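To make the contrast concrete, here is an added example (not code from the original post or from any of the products it mentions): a minimal attribute-based decision point, loosely modelled on XACML’s subject/resource/action attributes and its Permit/Deny/NotApplicable decisions, placed beside the coarse three-role RBAC check the post describes. All users, resources, policies and attribute names are constructed sample data.

```python
# Added example, not from the original post: a minimal attribute-based
# access control (ABAC) decision point, loosely modelled on XACML's
# subject / resource / action attributes and Permit / Deny / NotApplicable
# decisions, beside the coarse three-role RBAC check the post describes.
# All users, resources and policies below are constructed sample data.

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
CLEARANCE_RANK = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}

# Coarse RBAC as typically fielded: past the perimeter, any "user" can read anything.
RBAC_PERMS = {"user": {"read"}, "supervisor": {"read", "approve"},
              "sysadmin": {"read", "approve", "configure"}}

def rbac_decide(subject, resource, action):
    return PERMIT if action in RBAC_PERMS.get(subject["role"], set()) else DENY

# ABAC policies: (name, effect, predicate over subject, resource, action).
# A policy is applicable when its predicate holds; combining is deny-overrides.
ABAC_POLICIES = [
    ("read-if-cleared", PERMIT, lambda s, r, a:
        a == "read" and CLEARANCE_RANK[s["clearance"]] >= CLEARANCE_RANK[r["classification"]]),
    ("coi-need-to-know", DENY, lambda s, r, a:
        r.get("coi") is not None and r["coi"] not in s["coi"]),
    ("no-config-while-deployed", DENY, lambda s, r, a:
        a == "configure" and s["deployed"]),
]

def abac_decide(subject, resource, action, policies=ABAC_POLICIES):
    """Evaluate every policy: any Deny wins, else Permit, else NotApplicable
    (which the enforcement point must treat as a denial)."""
    effects = {eff for _, eff, pred in policies if pred(subject, resource, action)}
    if DENY in effects:
        return DENY
    if PERMIT in effects:
        return PERMIT
    return NOT_APPLICABLE

# Constructed sample principal and resources.
ANALYST = {"role": "user", "clearance": "CONFIDENTIAL", "coi": {"LOGISTICS"}, "deployed": False}
SUPPLY_REPORT = {"classification": "CONFIDENTIAL", "coi": "LOGISTICS"}
TF_PLAN = {"classification": "SECRET", "coi": "TASKFORCE-A"}

if __name__ == "__main__":
    # RBAC permits the analyst to read both; ABAC compartmentalizes the task-force plan.
    for res in (SUPPLY_REPORT, TF_PLAN):
        print(res["coi"], "RBAC:", rbac_decide(ANALYST, res, "read"),
              "ABAC:", abac_decide(ANALYST, res, "read"))
```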
It isn’t that the advantages of single sign on (SSO) and ABAC aren’t understood
by the acquisitions community.
Modernization and sustainment are bread-and-butter activities. The problem is that until comparatively
recently, open-standards based tools to implement ABAC-enhanced security were
either unavailable or prohibitively expensive.
(A good idea stops being a good idea if it costs more than living with a
bad idea!) Fortunately this is no longer
the case and there are a number of off the shelf toolkits that can improve the
security posture of existing systems in a manner consistent with industry best
practices and guidance such as the IEA.
Examples of these security frameworks include:
Product | Vendor | License Type
--- | --- | ---
WSO2 Identity Server | WSO2, Inc. | Open Source; Apache
Oracle Identity Manager | Oracle Corporation | Proprietary
OpenAM | ForgeRock | Open Source; CDDL
It’s worth a quick look at what capabilities these types of products
provide. The WSO2 Identity Server, for
example, is a comprehensive identity and access
management (IdAM) solution. It
provides support for system and user identity management, access and
entitlement management for both RBAC and ABAC, access control policy management
in both versions 2.0 and 3.0 of the eXtensible Access Control Markup Language
(XACML), and management and monitoring activities. It is designed to offer maximum
implementation flexibility: program and system architects can specify as much
or as little of the tool’s functionality for implementation as desired.
So how do these tools fit into a defense or IC programmatic
roadmap? For starters, support for
flexible implementation is critical.
Defense and intelligence programs have neither the fiscal nor the scheduling
luxury of completely re-engineering a system over a single version change. As a result, any improvements at an
architectural level have to be implemented incrementally. Tools that offer an all-or-nothing approach
simply aren’t suitable. This is where
the current generation of IdAM solutions shines.
They allow for a one-for-one replacement of existing solutions while maintaining
legacy security mechanisms and supporting the migration path to an objective
access control capability. Also, software
licensing costs are no longer a dispositive factor. There is little, if any, capability that proprietary
IdAM packages offer that is not matched or exceeded by open source
offerings. Open source IdAM packages in
general, and quite a few of the proprietary offerings, are based on open
standards, helping to avoid vendor lock-in.
In sum, the modern cyber environment is hostile and dangerous. This fact is not lost on visionaries and
policy makers at the highest levels of the defense and intelligence
communities, who have not only promulgated doctrine and guidance on the matter,
but have also worked to expand boots-on-the-ground cyber-defense capabilities
significantly. Just as importantly, the
acquisitions community now has options and a technical approach for markedly
improving the security of existing defense and intelligence systems.
Those hacks were not that surprising. There will always come a time when someone more intelligent can do that thing, they have such motivation too. It'll be exciting to see how the government will respond to this one.