Tuesday, February 5, 2013

Cybersecurity Cause and Effect: Motivations, Vision and Options



On Friday, 25 January 2013, the hacktivist group Anonymous hacked and defaced the website of the United States Sentencing Commission (USSC), the agency responsible for articulating the sentencing guidelines for the US federal courts.  According to Anonymous, the attack was a response to the 11 January 2013 suicide of activist Aaron Swartz, which some allege to have been motivated by Swartz’s prosecution by the US Department of Justice.  The hack replaced the homepage with a video condemning the prosecution, claiming to have distributed encrypted government files and threatening to release the encryption keys if the government failed to reform cybercrime legislation.

Two days later, on 27 January 2013, Anonymous hacked the USSC website again, turning it into a playable version of the classic video game “Asteroids,” and tweeted that the game could be played on a “backup” site – the website for the federal probation office in Michigan.  Once the player erases the USSC website while playing the game, Anonymous’ trademark Guy Fawkes mask is revealed.  The mask is made of white text on a black background reading “We do not forgive.  We do not forget.”  As of 1 February 2013, the USSC website is listed as “under construction.”

At the same time (27 January 2013) the US Department of Defense (DoD) announced that the American cybersecurity force, US Cyber Command, would be dramatically expanded over approximately three years, growing from 900 to about 4,900 personnel.  The expansion’s goal?  To transform an agency that has been focused on security and defense into a 21st century force capable of offensive, defensive and effects-based operations.  The objective Cyber Command will consist of national mission forces, whose mission will be to defend critical national infrastructure; combat mission forces, who will integrate and work with deployed combat forces to add a cyber weapon to a combatant commander’s arsenal; and cyber protection forces charged with defending the DoD’s networks.

Coincidental timing?  Maybe.  It’s more likely that the DoD is finally waking up to 21st century reality.  In 2010, DoD systems were probed six million times a day.  In 2013, it is estimated that DoD systems will be probed by unauthorized users over eight million times a day.  That’s in excess of 300,000 probes an hour.  This, however, is only the tip of the iceberg.  The hostility of the international cyber-environment makes Io’s (one of Jupiter’s moons) volcanic surface, sulfur dioxide atmosphere and continuous exposure to lethal ionizing radiation seem warm and inviting by comparison.  Secondary, and, increasingly, primary schools in both Russia and China feature state sponsored hacking clubs.  These aren’t just modern alternatives to chess and math clubs.  They’re state sponsored militias that combine a powerful offensive cyber capability with plausible deniability.

The might of these quasi-state organizations was demonstrated in 2008 when Russia and Georgia went to war.  Within hours of the commencement of hostilities, the Georgian internet infrastructure was paralyzed.  Who was behind the attacks?  A shadowy, and mostly illegal, organization known as the Russian Business Network (RBN) and a collection of hacktivists focused on the stopgeorgia.ru website.  (Interestingly, the stopgeorgia.ru website was hosted on servers located in Texas.)  The fact that the cyber attacks coincided neatly with attacks by Russian air and ground forces was lost on nobody.  Russian protestations that the attacks were the work of overzealous nationalists were at best unconvincing.

The Chinese have taken the concept of a “people’s cyber war” a step further by creating “cyber warfare militias.”  Cyber militias are People’s Liberation Army (PLA) civilian units composed of workers with high tech day jobs.  Militia members channel their professional expertise into PLA efforts on military communications, electronic warfare and network operations.  At the same time, the Chinese are investing heavily in augmenting the regular PLA’s ability to manage and exploit cyber technology as well as advanced weapon systems.

And so, the DoD is making a very timely decision. More importantly, the decision is supported by official DoD policy.  The DoD Information Enterprise Architecture (IEA) version 2.0 calls out very specific rules and principles with respect to system and information security, including:

  •  Authoritative data assets, services, and applications shall be accessible to all authorized users in the Department of Defense, including Joint, interagency, inter-governmental, and multinational partners, and accessible except where limited by law, policy, security classification, or operational necessity;
  •  The globalization of information technology, particularly the international nature of hardware and software (including supply chain) development and the rise of global providers of Information Technology (IT) and communications services presents a very new and unique security challenge. Global Information Grid (GIG) resources must be designed, managed, protected, and defended to meet this challenge;
  •  All DoD information services and applications must uniquely and persistently digitally identify and authenticate users and devices. These services, applications, and networks shall enforce authorized access to information and other services or devices according to specified access control rules and quality of protection requirements for all individuals, organizations, COIs, automated services, and devices;
  •  A comprehensive security policy will be developed that addresses all aspects of Identity Management and Authentication (Id&A) and provides for realistic opportunities to enforce the greater Information Assurance (IA) policy requirements;
  •  Design and implement a single authentication mechanism that is usable across the IE regardless of Service affiliation, role, and/or deployment status; and
  •  Implement a digital attribute based approach for granting access to information integrated with an overall IA policy and single authentication mechanism approach.

The decision (as well as its rationale and execution methodologies) to improve the DoD’s defensive and offensive cyber capabilities is well understood and has commitments from the highest levels, including the DoD Chief Information Officer’s (CIO) office, the office of the Director of the Defense Information Systems Agency (DISA) and the secretaries’ offices for the service components.  Unfortunately, this decision has yet to be widely reflected in the systems currently fielded by the DoD and the intelligence community (IC). 

Many of these systems rely on a security perimeter guaranteed by ever-changing passwords, trusted digital certificates or both, coupled with role-based access control (RBAC) mechanisms.  Unfortunately, the administrative overhead associated with managing large numbers of RBAC roles results in very few being implemented in practice.  A typical fielded instantiation will have only two or three roles such as user, supervisor and system administrator.  This means that once an attacker (either an external hacker belonging to a cyber-warfare militia, or worse, a disgruntled insider) is past the perimeter security, there is virtually no system resource that is safe: any authenticated “user” can read almost anything.  Attribute-based access control (ABAC) mechanisms reduce this vulnerability by compartmentalizing system resources.  Each resource request is evaluated, at the time it is made, against stored characteristics of the requesting user (clearance, organization, need-to-know tags and the like), the attributes of the requested resource and the access control policy that applies to it.  If the user characteristics don’t satisfy the policy, access is denied; the default is deny, not allow.  When using advanced interface definition languages such as Apache Thrift to carry ABAC transactions between the application and the policy decision point, the additional system overhead incurred by the increased security is surprisingly small.
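To make the RBAC-versus-ABAC point concrete, the following is an added example, written for this post and not taken from any product or DoD system.  It models the coarse three-role RBAC deployment described above next to a minimal ABAC policy decision point that checks clearance, need-to-know compartments, session authentication strength and organizational ownership.  The clearance ladder, the compartment tags, the “password” versus “pki” session attribute and every subject and resource are constructed for illustration; none of them describe a real system.

```python
"""
Added example: a coarse three-role RBAC check beside a minimal ABAC policy
decision point.  All attribute names, sample subjects and sample resources
are constructed for illustration (assumptions, not a real deployment).
"""
from dataclasses import dataclass

# Assumed clearance ladder; higher number dominates lower.
CLEARANCE = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Subject:
    user_id: str
    role: str              # the coarse RBAC role: user / supervisor / sysadmin
    clearance: str
    compartments: frozenset  # need-to-know tags the subject has been read on to
    org: str


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str
    compartments: frozenset  # tags a subject must hold to touch this resource
    owner_org: str


@dataclass(frozen=True)
class Environment:
    network: str           # assumed network label, e.g. "NIPR" / "SIPR"
    auth_strength: str     # "password" or "pki" (assumed session attribute)


def rbac_decide(subject, resource, action):
    """Typical fielded RBAC: three roles, and any 'user' may read anything.

    The resource is ignored entirely; that is exactly the weakness the post
    describes once an attacker is past the perimeter."""
    if action == "read":
        return subject.role in {"user", "supervisor", "sysadmin"}
    if action == "write":
        return subject.role in {"supervisor", "sysadmin"}
    return subject.role == "sysadmin"


def abac_decide(subject, resource, action, env):
    """Evaluate one request against subject, resource and environment attributes.

    Returns (permit, reasons).  Every rule that fails adds a reason, so the
    caller can log why a request was denied; default is deny."""
    reasons = []
    if CLEARANCE[subject.clearance] < CLEARANCE[resource.classification]:
        reasons.append("clearance below classification")
    missing = resource.compartments - subject.compartments
    if missing:
        reasons.append("missing compartment(s): " + ", ".join(sorted(missing)))
    # Assumed rule: SECRET or above is never served to a password-only session.
    if (CLEARANCE[resource.classification] >= CLEARANCE["SECRET"]
            and env.auth_strength != "pki"):
        reasons.append("password-only session cannot access SECRET or above")
    # Assumed rule: only the owning organization may modify a resource.
    if action == "write" and subject.org != resource.owner_org:
        reasons.append("write restricted to owning organization")
    return (not reasons), reasons


# Constructed sample data (not real users, organizations or documents).
ANALYST = Subject("analyst1", "user", "SECRET", frozenset({"OPLAN"}), "J3")
CLERK = Subject("clerk7", "user", "CONFIDENTIAL", frozenset(), "J4")
PLANS = Resource("ops-plan-2013.docx", "SECRET", frozenset({"OPLAN"}), "J3")
FUEL_STATUS = Resource("fuel-status.csv", "CONFIDENTIAL", frozenset(), "J4")
ENV_PKI = Environment("SIPR", "pki")
ENV_PASSWORD = Environment("NIPR", "password")


if __name__ == "__main__":
    # A compromised low-clearance 'user' account, already inside the perimeter.
    print("RBAC: clerk reads SECRET plans ->", rbac_decide(CLERK, PLANS, "read"))
    print("ABAC: clerk reads SECRET plans ->", abac_decide(CLERK, PLANS, "read", ENV_PKI))
    print("ABAC: analyst reads plans (pki) ->", abac_decide(ANALYST, PLANS, "read", ENV_PKI))
    print("ABAC: analyst reads plans (password) ->", abac_decide(ANALYST, PLANS, "read", ENV_PASSWORD))
    print("ABAC: clerk reads fuel status ->", abac_decide(CLERK, FUEL_STATUS, "read", ENV_PASSWORD))
```

The contrast to notice is the first two lines of output: the RBAC check permits a compromised “user” account to read a compartmented SECRET document, while the ABAC decision denies it and records both failed attributes.  The reasons list is what a real policy decision point would hand to the audit log, which is what makes an ABAC denial investigable rather than silent.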

It isn’t that the advantages of single sign on (SSO) and ABAC aren’t understood by the acquisitions community.  Modernization and sustainment are bread and butter activities.  The problem is that until comparatively recently, open-standards based tools to implement ABAC-enhanced security were either unavailable or prohibitively expensive.  (A good idea stops being a good idea if it costs more than living with a bad idea!)  Fortunately this is no longer the case and there are a number of off the shelf toolkits that can improve the security posture of existing systems in a manner consistent with industry best practices and guidance such as the IEA.

Examples of these security frameworks include:

Product                   Vendor               License Type
WSO2 Identity Server      WSO2, Inc.           Open Source; Apache
Oracle Identity Manager   Oracle Corporation   Proprietary
OpenAM                    ForgeRock            Open Source; CDDL

It’s worth a quick look at what capabilities these types of products provide.  The WSO2 Identity Server, for example, is a comprehensive identity and access management (IdAM) solution.  It provides support for system and user identity management, access and entitlement management for both RBAC and ABAC, access control policy management in both versions 2.0 and 3.0 of the eXtensible Access Control Markup Language (XACML), and management and monitoring activities.  It is designed to offer the maximum of implementation flexibility; program and system architects can specify as much or as little of the tool’s functionality for implementation as desired.

So how do these tools fit into a defense or IC programmatic roadmap?  For starters, support for flexible implementation is critical.  Defense and intelligence programs have neither the fiscal nor scheduling luxury of completely re-engineering a system over a single version change.  As a result, any improvements at an architectural level have to be implemented incrementally.  Tools that offer an all or nothing approach simply aren’t suitable.  This is where the current generation of IdAM solutions shine.  They allow for a one for one replacement of existing solutions while maintaining legacy security mechanisms and supporting the migration path to an objective access control capability.  Also, software licensing costs are no longer a dispositive factor.  There is little, if any, capability that proprietary IdAM packages offer that is not matched or exceeded by open source offerings.  Open source IdAM packages in general, and quite a few of the proprietary offerings, are based on open standards, helping to avoid vendor lock-in.

In sum, the modern cyber environment is hostile and dangerous.  This fact is not lost on visionaries and policy makers at the highest levels of the defense and intelligence communities, who have not only promulgated doctrine and guidance on the matter, but have also worked to expand boots-on-the-ground cyber-defense capabilities significantly.  Just as importantly, the acquisitions community now has options and a technical approach for markedly improving the security of existing defense and intelligence systems.

1 comment:

  1. Those hacks were not that surprising. There will always come a time when someone more intelligent can do that thing, they have such motivation too. It'll be exciting to see how the government will respond to this one.