Edited by Christian Lowe

Two Against One


We're following the story that AP released today on a recent cyber attack on U.S. power grids by Russian and Chinese cyber attackers. Several months ago, acts of cyber aggression against the United States morphed and took on strange new characteristics when looked at from a high level.

More and more, the investigation and analysis of these aggressive cyber attacks are becoming laser-focused on "how they did it" and less and less on an equally important segment of examination that I refer to as Strategic Intent (SI). Strategic Intent is the process of understanding a derivative of Digital DNA components. The objective of SI is to gain insight into the motivations and strategic intentions of those behind the acts of cyber aggression. This must be done at a level that places each individual act in context with all the other acts launched by a single cyber adversary.

Back in 1989, an article by Gary Hamel and C.K. Prahalad called "Strategic Intent" was published in the Harvard Business Review. Hamel and Prahalad argued that in order to achieve success, an organization must align its end result to its means through the process of Strategic Intent. We have taken this fundamental construct and modified it for direct application to the analysis of acts of cyber aggression. This approach was designed to provide insight and foresight into an adversary's strategic architecture (a high-level blueprint for the deployment of new cyber warfare capabilities), the acquisition of new cyber warfare competencies and the migration of existing competencies to the cyber warfare domain.

The following represent the top three attributes of strategic intent:

  1. Direction

  2. Discovery

  3. Destiny

Applying strategic intent to acts of cyber aggression results in a particular point of view about the long-term intent that a cyber adversary hopes to build toward over the near term. It is a view of the future that conveys a unified sense of direction. In addition, it implies what a cyber adversary perceives as inherently worthwhile. Our approach and methodology reverse-engineer that intent through scenario-based intelligence analysis (SBIA) and trans-disciplinary intelligence engineering (TIE). Using these two techniques, we construct the plan that an adversary might establish to realize their strategic objectives.

Using this approach, we examined a microcosm of cyber events that have taken place in the past twenty-four months. Going down this path, we came face to face with a very concerning scenario that seems to be supported by several disparate acts of cyber aggression and general events. Could China and Russia be collaborating on acts of cyber aggression against the United States?

A more troubling version around the same theme was Russia and China teaming up to create a systematic action plan of cyber reconnaissance, cyber intelligence collection and ultimately acts of cyber aggression. If this is indeed reality, the resulting risks would be severe.

As far back as 2005, China and Russia embarked on an unprecedented military collaboration. Nothing creates a bond between two organizations like a common adversary. In fact, a joint military exercise took place that had analysts sounding an alarm. It appeared that the exercises were directed toward a specific third party: the United States.

So tell us what you think. Are Russia and China working together and launching or supporting acts of cyber aggression against the United States? Are the cyber infiltrations on the power grid a real-time example of a collaborative effort between China and Russia?

-- Kevin Coleman

Proposed Cyber Security Legislation


Amid calls for a comprehensive national strategy on cyber security, as well as stronger government leadership to ensure that security initiatives are implemented effectively, Sen. John D. Rockefeller IV and Sen. Olympia Snowe proposed a sweeping piece of legislation to address this significant and growing threat to the United States. This legislation comes in the wake of attacks on the Pentagon late last year and in the shadow of recent news of massive cyber espionage efforts spanning over 100 countries.

The following represent the major provisions of the proposed legislation at this time. Everyone should expect changes to be made as it works its way through the legislative process.

  1. Legislation proposed by Senator John D. Rockefeller IV and Senator Olympia Snowe calls for the establishment of an Office of the National Cyber Security Advisor that would take the lead on Internet security matters and coordinate with the Defense Department, intelligence community and the private sector.

  2. The proposed legislation calls for the creation of a Cyber Security Advisory Panel that is composed of outside experts from industry, academia, and nonprofit groups that would advise the president on related matters.

  3. The proposed legislation calls for the creation of a public/private clearinghouse for sharing cyber threat and vulnerability information, and for the establishment of measurable and auditable cyber security standards by the National Institute of Standards and Technology.

  4. The proposed legislation would also require that cyber security professionals be licensed and certified. It would further require that the Cyber Security Adviser conduct a review of the U.S. cyber security program every four years and require officials to complete a number of reviews and reports.

  5. The proposed legislation calls for the creation of state and regional cyber security centers to help small and midsize businesses adopt security measures.

  6. The proposed legislation would establish a Secure Products and Services Acquisitions Board that would review and approve the security and integrity of products purchased by the federal government.

  7. The proposed legislation would require government and private sector networks that control the critical infrastructure to comply with a set of cyber security standards established by the National Institute of Standards and Technology (NIST).

This legislation is past due! Report after report has highlighted the increased complexity and frequency of cyber attacks on business, government and our critical infrastructure. Delays in pushing this legislation through could have serious consequences. So time is of the essence in preparing for the passage and enactment of this legislation.

I offer the following recommendations for consideration in order to strengthen the proposed legislation. The legislation as it stands does not address mandatory reporting requirements for cyber security breaches, data and information theft and other cyber security related incidents. If we are to track our progress, learn from these events and rapidly identify new cyber threats, mandatory reporting within 24 hours of discovery is critical. Another area of concern is training. While the proposed legislation touches on training, it does not specifically address continuing education. Cyber attack techniques and criminal scams are highly dynamic and rapidly evolving.

These factors combine to make continuing education necessary to stay aware of the latest developments in cyber security. A third concern rests in the area of testing, validation and verification of hardware and software. While this is not specifically addressed, it may be bundled into support and funding for research and development of the new validation and verification capabilities that are needed to mitigate this threat. The visibility of this issue has risen significantly since Alex Allan, Chairman of the British Joint Intelligence Committee, expressed his growing concern that government departments, the intelligence services and the military were all exposed to threats from computer and network hardware that came from foreign suppliers (citing the new BT network).

Finally, I was disappointed that the legislation did not address an appointee to coordinate and push for an international accord that establishes open cooperation during investigations of cyber attacks and crime and also works to stem the development of strategic cyber weapons.

While the devil is in the details, I think the proposed legislation modified to include the four areas identified above is a huge step in securing our nation against cyber threats. And while the proposed legislation is mainly reactive, proactive measures can go a long way to reducing risks.

-- Kevin Coleman

The Dragon in the Phone Line


Back in January of this year Alex Allan, Chairman of the British Joint Intelligence Committee, briefed a ministerial committee on the rapidly growing threat of cyber attacks and espionage from China. In that briefing, Allan expressed his growing concern because government departments, the intelligence services and the military were all exposed to the threat from computer and network hardware that came from foreign suppliers -- he specifically mentioned China.

British Telecom's new communications network has been installed by Chinese telecom giant Huawei, which is allegedly funded by Beijing and has links to the People's Liberation Army. The ministerial committee on national security was told that Huawei components that form key parts of BT's new 10 billion pound network might be constructed with compromised hardware that contains malicious elements waiting to be activated by China. The Times Online quoted intelligence officials as saying, "In case of a war-like situation, China could use BT to halt critical services such as communications, power, and water supplies." Security experts supported the intelligence chiefs' concerns and warning. They said that if an adversary were able to gain control of the communications equipment, the network's mode of operation could be altered. This would give them the ability to basically turn the network off!

Another real possibility is that traffic could be rerouted to network nodes that are controlled by the attacker. While British Telecom has taken preventive security measures to reduce this risk, the government is said to believe that the enhanced security measures would not be effective against a deliberate attack by China. It is widely believed that China is already equipped to make "covert network modifications" or to "compromise equipment in ways that are very hard to detect" and that might later "remotely disrupt or even permanently disable the network." It is unknown whether British security experts have hard evidence of network hardware espionage or are just being cautious.

These words of warning came on the heels of multiple reports of the discovery of a vast cyber espionage network (GhostNet), controlled from China, which has infiltrated 1,295 government and private computers in 103 countries.

INTEL: The British intelligence services and their military all use the new British Telecom network.

INTEL: Huawei's head executive is Ren Zhengfei, a former director of an arm of the three million-strong People's Liberation Army that was responsible for telecommunications research.

-- Kevin Coleman

Chicom Cyber Bomb Thrown at Capitol Hill


Chinese hackers attacked the office computers of Senator Bill Nelson recently, sparking a push at recent hearings for more to be done about cyber intrusions, our friend Josh Rogin reports at Congressional Quarterly.

The enterprising reporter heard a seemingly throwaway line in a hearing last week and dove into the story, uncovering a focused push by hackers with IP addresses originating in China to penetrate the Senator's computers.

In three separate attacks, two in March and one in February, cyberhackers targeted the work stations of Nelson’s foreign policy aide, his deputy legislative director, and “a former Nelson NASA adviser,” Nelson’s office said in a statement.

The hackers did not steal any classified information, which is not stored on office computers, the statement said.

A Nelson aide said the attacks were traced to China through Internet Protocol (IP) information, which could have been masked. The Office of Senate Security and the Senate Sergeant at Arms Information Technology Security Branch responded to the attacks, the aide said, by wiping clean malicious code from the affected systems.

Nelson first disclosed the attacks March 19 at an Armed Services Committee hearing that featured testimony by senior military officials with domain over cyberwarfare.

“I have had my office computers invaded three times in the last month, and one of them we think is very serious,” Nelson said at the hearing.

At another hearing the same day, this time held by the Commerce, Science and Transportation Committee, Nelson said his computer seemed to be “talking to a computer in some international arena.”

We've been writing for months here at DT that the cyber warfare battlefield should be taken more seriously. A lot of our readers feel like this is the Internet equivalent of a North Korean nuke -- a glorified firecracker that will sputter to a halt in boost phase over Pyongyang, raining radiation from derelict X-Ray machines all over the three cars driving past the world's largest Kim Jong Il statue.

But our own Kevin Coleman warns in private conversations with me that the cyber threat is very real and is being taken seriously by more and more government officials -- the DoD, intel community, White House and Congress. There's movement afoot to create a cabinet level cyber warfare Czar which would clearly elevate the issue to the highest levels.

Pooh-pooh it all you want, but as the Nelson cyber attack from Chinese IPs points out, there's some serious probing going on here. And as you know, once the reactionary sleeping giant of Capitol Hill is awakened to the threat, it's only a matter of time before resources are thrown at the problem.

-- Christian

Building a New Cyber Warfare Infrastructure

Recently, I prepared a presentation on the concepts and technology needed in a Cyber Warfare Infrastructure (CWI). While researching and developing the content, it became clear this was what Defense Tech had been addressing for some time. The numerous comments and suggestions that readers of this blog have provided via comment postings and emails over the last fifteen months provided additional insight that was reflected in the document. In addition, the recent poll about who should head up America's cyber security was incorporated in an updated version of the document. Since the blog contributed, I thought it would be appropriate to at least provide a summary posting. The following is a high-level summary (with sensitive information removed) of that whitepaper:

The United States' reliance on computers and networks significantly increases the risks associated with cyber-based attacks. This makes the role the Department of Homeland Security has in defending our information assets and infrastructure critical; however, DHS is just one of more than two dozen key stakeholders for the CWI. The cyber warfare infrastructure must create a Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance (C4ISR) and Information Operations support infrastructure. This would be a first-of-its-kind cyber system that would require integrated collaboration with the other C4ISR systems supporting traditional warfare.

Numerous technologies must come together to deliver the offensive/defensive as well as the intelligence/counter-intelligence capabilities. Also required are significant advances in three specific areas of technology. A high level definition of the three core technologies required to create a highly effective cyber warfare infrastructure is provided below:

  1. Intelligence Fusion and Collaboration (IFC) Technology -- IFC uses techniques that combine intelligence from multiple sources in order to achieve inferences, which will be more efficient and potentially more accurate than if decisions were based on a single source. Integrated into the intelligence repository is geospatial (GIS) information about the cyber aggressions discovered and analyzed.

  2. Adaptive Cyber Countermeasure (AC2M) Technology -- A countermeasure is a military system specifically designed to prevent cyber weapons from disrupting or destroying a target computer system. The CWI would have the capability to counter-attack an incoming threat, destroying or altering its capability in such a way that its intended effect on the target is largely impeded.

  3. Cyber Surveillance and Target Acquisition (CSTA) Technology -- When one government agency reported that the frequency of successful cyber attacks (uncovered after the fact) was up nearly 40% in 2008, the need for advances in this area became clear. New techniques and methods were identified that provide an exponential gain in the ability to detect system compromise and assist in determining who was behind the attack. Both of these capabilities have been the greatest challenge in designing and delivering advanced systems to the Defense and Intelligence communities.

The integrated cyber weapons system inherent in the CWI stands to alter the "defense focused" initiatives currently used to guard against cyber aggression. With multiple offensive and intelligence capabilities, the United States would be well positioned to defend against and respond to the millions of cyber attacks we see annually. A distributed cyber warfare infrastructure will create the ability to allocate specific cyber mission components across the various branches of the Department of Defense (DoD: Army, Navy, Air Force and Marines) as well as the Office of the Director of National Intelligence (ODNI) and the entire U.S. intelligence community.

A data warehouse and dashboard would focus on affecting the perceptions and behaviors of military and government leaders, as well as decisions about responding to acts of cyber aggression. The insight and capabilities provided by the cyber warfare infrastructure will surely influence operations, employ new capabilities to affect behaviors, protect our forces and the nation, and rapidly communicate acts of cyber aggression to commanders, with the intent of projecting accurate, quantified information to achieve desired effects across the cyberspace domain. Only after this infrastructure is in place will the United States be mission-ready to defend against cyber aggression.

While some may say that developing this CWI could be seen as an aggressive action, it is important to remember that we have been in a cyber arms race since 2004, and we should apply the lessons learned from the last arms race (the Cold War).

-- Kevin Coleman

The Neck and Neck Cyber Arms Race


A "dead heat" is a race, campaign or other contest that is so close that it is impossible to predict the winner.

That's what it looks like when it comes to the continuing race for cyber warfare supremacy, and experts agree this will be the case for the foreseeable future. Evoking images of the Cold War and its associated arms race, as cyber warfare, cyber espionage, cyber attacks and cyber terrorism continue to evolve, the top three leaders (the US, Russia and China) are jockeying for position.

Leading economists have warned that the growing education gap between the U.S. and other industrialized countries will threaten our economic status and growth. I would add that this gap has a direct link to our national security. President Obama's economic stimulus plan has billions of dollars for schools that adopt new plans to boost teacher quality, hike test scores and come up with innovative ideas. If successful, this will help in about 15 years, but by then we may be ranked second, third or fourth in the global scientific and technical research and development space that drives our offensive and defensive military capabilities -- particularly cyber security. This would have catastrophic consequences with respect to our national security.

In any contest there is an outside chance a long-shot could come from behind and win. The race for cyber warfare dominance is no different. In the recently updated "Cyber Warfare Capabilities Estimate" (2009 version) those who could break out of the pack and come from behind and take a leadership position for cyber dominance are listed below.

1. Iran
2. India
3. North Korea

The development of cyber capabilities is directly dependent on two factors. The first factor is determination and the second is smart people. While testifying before the U.S. Congress I was asked how many people in the world could do what I did -- referring to a hacking demonstration I had just performed. My answer remains the same: tens of thousands if not hundreds of thousands. The bad news is that this number is growing as countries, extremist groups and terrorists support people developing skills in this area.

This is an arms race that we cannot afford to lose. That is the feeling of all three of the current leaders in the contest to dominate the cyber warfare domain. One thing we all must remember is that in this arms race, science and technology advances will continue to push the finish line further out so we will not get there any time soon.

It is important to remember: this is Cyber Warfare 1.0. The next iterative release is on the whiteboards of think-tanks right now.

-- Kevin Coleman

A Ship Without a Captain


We have been covering cyber now for several months and my work in cyber defense and security has been going on for over a decade. In that period of time the U.S. government has failed to establish the command authority needed to protect the nation. Critical questions have gone unanswered for months or even years. One of those questions deals with where the cyber command operation headquarters will be located. The physical location for cyber command is not yet decided. This has been a hot topic now for the last ten months and multiple states are jockeying for position.

If that is not bad enough, the government has failed to establish a command and control structure and authorities for offensive cyber capabilities, defensive cyber capabilities and cyber intelligence. With billions of dollars of budget at stake, the amount of political posturing and verbal warfare has risen to heights not seen before. The level of infighting became intolerable for Rod Beckström, Director of the National Cyber Security Center (NCSC) at the Department of Homeland Security. This past weekend he resigned. So what should we do?

I have given this much thought over the past decade and occasionally been asked by those looking into this what I would do. So here it is...


1. Department of Defense (DoD) Secretary Robert Gates owns the offensive capabilities to fight a cyber war and defenses against cyber attack that originate outside the United States.

2. Homeland Security (DHS) Secretary Janet Napolitano owns offensive and defensive cyber capabilities for activities within the United States. (Remember, a significant number of compromised computers within the U.S. were used in the DDoS attacks against Estonia and Georgia, and the uniformed military cannot be used against its own citizens!) U.S. Strategic Command would include cyber in its unified command structure. In addition, DoD must appoint a liaison/coordinator to NATO given NATO's role in cyber peacekeeping and response to cyber attacks.

3. The National Security Agency (NSA) Director LTG Keith B. Alexander owns cyber intelligence and espionage activities both inside and outside the United States. The NSA continues to collect, analyze and disseminate cyber intelligence, as well as conducting any and all counter cyber intelligence activities.

4. A National Cyber Security Executive is added to the Presidential Staff and coordinates all the efforts of DoD, DHS and NSA. Given the civilian, government, business, education interrelationship that cyber has, this matrixed organizational structure is necessary to fully protect and defend our nation (internally and externally).

5. A National Cyber Attaché would be appointed by President Obama and serve as special liaison to the United Nations and other countries in pursuit of international cyber relations.

Until the leadership is established and these and other questions are answered, cyber defense is like a ship without a captain! That is the current situation when it comes to cyber defense in the United States. As long as these questions linger without answers, our nation remains at great risk!

-- Kevin Coleman

Counter Cyber Intelligence


Professional spies in the service of nation states, businesses, organized crime and terrorist organizations target and steal secret information from the public and private sectors to use and sell. Traditional foreign espionage efforts attack the heart of national security and any country's well-being. Non-traditional espionage efforts attack the competitiveness and prosperity of our businesses. When you add the recent increases in cyber intelligence collection efforts, the threat has risen to unprecedented levels and triggered numerous warnings from experts around the globe. To put this threat in perspective, in the 2008 Top Ten Cyber Security Menaces by the SANS Institute, cyber espionage ranked number three. In order to counter this threat, you need to understand counter intelligence and counter cyber intelligence.

Counter Intelligence (CI) is defined as the efforts made by intelligence organizations to prevent adversaries or enemy intelligence organizations from gathering and collecting sensitive information or intelligence about them. Many governments create counter intelligence organizations separate and distinct from their intelligence collection counterparts.

Counter Cyber Intelligence (CCI) is defined as all efforts made by one intelligence organization to prevent adversaries, enemy intelligence organizations or criminal organizations from gathering and collecting sensitive digital information or intelligence about them via computers, networks and associated equipment. CCI comprises measures to identify, penetrate, or neutralize computer operations that use cyber weapons as a means and mechanism to collect information.

Tracking, analyzing, and countering cyber intelligence collection efforts are increasingly difficult challenges, as the growth of state-sponsored cyber espionage, terrorist groups and criminal empires in the increasingly global marketplace combine to compound and obscure these growing threats to the United States and our allies. Washington is coming to grips with the challenge of cyber intelligence and counter cyber intelligence. Within the Office of the Director of National Intelligence you will find the Office of the National Counterintelligence Executive (ONCIX). ONCIX is headed by Dr. Brenner, the National Counterintelligence Executive, and staffed by senior counterintelligence (CI) and other specialists from across the national intelligence and security communities. Dr. Brenner has said that there is growing acceptance that we face a cyber counterintelligence problem, not a security problem. He has also stated that about 140 foreign intelligence surveillance organizations currently target the United States. As you may recall, we reported earlier that Spy-Ops has estimated that there are currently 140 countries with active cyber warfare programs in place.

Successful cyber espionage attacks are impacting our politics, military and economy. The nature of the cyber threat is both complex and constantly changing. With recent congressional testimony putting information espionage and data theft at $1 trillion worldwide, the magnitude of this threat needs much more attention than it is getting. In a conversation with a Federal CI/CCI Investigator, he stated that most of the time, when they talk to corporate executives and security professionals, their eyes just glaze over.

This is a reaction I have personally experienced as well. With the uptick in the frequency of attacks, coupled with recent adversarial cyber activity that includes network reconnaissance, scanning and outright assaults along all of the thirty-two cyber attack vectors, the demand for counter cyber intelligence is clear. The United States remains the prime target for foreign economic collection and cyber espionage efforts by virtue of its global technological leadership, innovation and heavy reliance on computer systems. Foreign collection efforts continue to target a wide variety of sensitive security and competitive information and technologies in virtually every sector around the world.

INTEL: The Bundesamt für Verfassungsschutz (BfV), the German equivalent of the CIA in the U.S. and MI5 in the UK, is taking the role of coordinating corporate and industrial espionage and fighting cyber attacks from foreign secret services.

INTEL: Nearly 1 million computers belonging to German companies are believed to be infected with malicious software that covertly steals and forwards sensitive information to foreign-controlled computers -- including machines belonging to competitors. Several reports have surfaced stating that computers in the German Chancellor's office have been infected.

INTEL: According to the latest research by Intelomics, cyber espionage efforts funded by criminal organizations, as well as both government-backed and private efforts, are expected to accelerate significantly during the next decade.

INTEL: One of the most common cyber espionage scenarios involves the use of hackers to break into a competitor's IT systems and gather competitive information in order to gain a sales advantage and as a benefit at the bargaining table.

INTEL: The global intelligence community refers to cyber espionage as the "Unrelenting Threat."

-- Kevin Coleman

Confronting UnRestricted Warfare


When you examine UnRestricted Warfare (URW), a work published by Qiao Liang and Wang Xiangsui of the People's Liberation Army, you will find that there are multiple modalities that can be used in this type of conflict. We have examined this concept and identified 15 modalities of UnRestricted Warfare. Examining the URW construct, we found that cyber warfare is directly related to three of the fifteen modalities -- information & media warfare, telecommunications & network warfare and technology warfare -- and is supportive of every other modality.

The concept of URW brings to light alternative methods of attack that can be launched by a small group of individuals on anyone from anywhere in the world against a stronger and more powerful nation. There are no declarations of war; no uniforms -- just inflicted damage on an adversary. The blind, sucker-punch attacks are not designed to control areas but rather to influence public opinion, political policies and the opinions of the mass population. When contemplating URW, it is important not to fall victim to singularity. It is uncommon for only one modality to be used in an assault or an attack. Multi-modal attacks will become the modus operandi of URW warriors.

The nature and characteristics of the threat that UnRestricted Warfare poses continue to raise concerns for military leaders, law enforcement and security experts around the world. The angst has grown to the point where subject matter experts will assemble on March 24-25 at the Johns Hopkins University Applied Physics Laboratory (JHU/APL) to discuss the strategic imperatives and identify integrated strategy, analysis, and technology options that enhance interagency cooperation to respond to four distinct modalities of attack: cyber, resource, economic and financial, and terrorist threats.

UnRestricted Warfare represents the tactics of choice in the age of globalization. In the URW domain there are no rules, no limits and nothing is forbidden. We can expect our adversaries to employ these modalities to wage integrated URW attacks that exploit their targets' diverse areas of vulnerability. Nations must rapidly retool, retrain and reevaluate their defenses against each of these fifteen modalities.

-- Kevin Coleman

International Cyber Policy


The FBI announced recently that it considers cyber attacks to be the third greatest threat to the security of the United States. The only two preceding it are nuclear war and weapons of mass destruction (WMD). This was recently stated by Shawn Henry, assistant director of the FBI's cyber division. A cyber attack is typically inexpensive and can be easily developed in clandestine operations. The creation of a cyber weapon requires only a few things. The first is a means, a vulnerability, and there are plenty of those. The rest are software developers, development tools, the intent and a way to get the weapon to an adversary's computer system or network.

Since they talked about cyber alongside WMD attacks, I thought it would be interesting to look at spending on the two. This comparison is in no way meant to minimize or overlook the catastrophic loss of life that is sure to occur in a nuclear war or use of WMD. It is just to look at the threat and the attention and dollars being given to each. The United States spent a reported $52 billion plus on nuclear weapons and related programs in fiscal year 2008. Based on our research, the classified Presidential Directives signed in 2008 combined with other programs are estimated at around $40 billion in total. That is close -- so one might draw the conclusion that the government feels this threat is very real and the implications of such an attack warrant the significant spending. However, there is more to managing the risk of cyber attack than research, hardware, software and services! The policy side of cyber attacks and cyber weapons is perhaps more important.

Recommended Policies:
In government speak, a policy is the basic principle by which a government is guided. These policies also declare the objectives which a government seeks to achieve and preserve in its self interest. At the first of this year I sent a document to the United Nations and the Security Council outlining the threat, the trends, and recommendations to address this critical risk to world peace. In February 2009, while speaking at the United Nations in New York, I called upon the UN to take a much more pragmatic and prominent role in protecting against the imminent threat of cyber attacks, cyber terrorism and cyber warfare. I went on to state that without immediate action it is just a matter of time before the world experiences a new global threat -- the threat of a massive cyber attack or war! What I was talking about is the development of policies surrounding the cyber attack issue.

On February 18th, 2009, UN Secretary-General Ban Ki-moon stated that this year the Board will be considering cyber warfare and its impact on international security, as well as the equally critical issue of verification. His words were part of a discussion about the need for the international community to advance beyond the stalemate that continues to hinder our work for disarmament and nuclear proliferation. Below are what I think the first steps should be.

First Five Steps:

1. The United Nations needs to define what constitutes a cyber attack, what constitutes an act of cyber war and what constitutes an act of cyber terrorism, as well as a uniformly accepted definition of a cyber weapon.

2. The United Nations must create an accord that addresses the threat of cyber attacks and sets forth corrective measures that will be taken against those who choose to violate the terms and conditions it sets forth. The agreement must also require the cooperation of all member countries with the investigation and prosecution of attackers.

3. Require all countries to report in a uniform fashion all acts and events that meet the criteria set for cyber attacks, cyber war, and cyber terrorism on a quarterly basis.

4. The United Nations must submit a classified, independently audited, annual accounting of all cyber related activities including programs, defenses, spending and acts or events of cyber attacks, cyber war, and cyber terrorism to the Secretary of the UN and the UN Security Council.

5. Develop better cyber intelligence collection and measures to explain the current and potential threat environment to member nations. In addition this intelligence will be used to monitor and take action against those who violate the accord.

We live in dangerous times and it appears many areas of the world are becoming more and more unstable. The global nature of the Internet demands that the United Nations take a lead role and a proactive approach to dealing with the cyber threats that appear to be escalating at an accelerating pace. Failure by the United Nations to accelerate its efforts could further intensify friction caused by these cyber skirmishes and increase international tensions.

-- Kevin Coleman

Intelligence Community Raises Concern Over Cyber Threats


Early in February, the Intelligence Community released its "Annual Threat Assessment of the Director of National Intelligence" for the Senate Select Committee on Intelligence. In it, the IC stated that our nation's information infrastructure -- which includes the internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries -- is increasingly being targeted for exploitation and potentially for disruption or destruction by a growing array of state and non-state adversaries.

That should be no surprise to anyone who has read this blog. The report also stated that "Over the past year, cyber exploitation activity has grown more sophisticated, more targeted, and more serious" and that the Intelligence Community expects these trends to continue in the coming year. In addition they discussed the cyber threat assessment they conducted, and that Russia and China have the technical capabilities to target and disrupt elements of the US information infrastructure and to use it for intelligence collection (spying).

They also acknowledged that al-Qaida, HAMAS, and Hezbollah have all expressed their desires to use cyber means to target the United States. If that is not a bleak enough picture they went on to describe criminal elements that continue to show growing sophistication in technical capability and targeting, and today operate a pervasive, mature on-line service economy in illicit cyber attack and exploitation capabilities and services available to anyone willing to pay.

In addition they asserted that "we must take proactive measures to detect and prevent intrusions from whatever source, as they happen, and before they can do significant damage."

High tech is a critical driver of the U.S. economy. That raises the question of why the stimulus package had so little money directed at cyber defense research and development efforts, as well as at hardening our critical information infrastructure. That would have given twice the bang for the buck!

-- Kevin Coleman

Melissa Hathaway Challenged by Cyber Security


As part of President Obama's cyber security plan, the White House is planning on announcing that Melissa Hathaway, the current top cyber security adviser, will oversee a 60-day review of federal cyber security efforts. Insiders have stated that after this assignment, she will likely be offered the position of cyber czar. Hathaway serves as the cyber coordination executive at the office of the Director of National Intelligence (DNI) and was senior adviser to former Director of National Intelligence Mike McConnell. She also chairs the National Cyber Study Group, a senior-level interagency body that played a lead role in the development of President Bush's Comprehensive National Cyber security Initiative.

Hathaway has her work cut out for her. Researchers recently concluded that the average number of unique newly infected sites grew from 100,000-200,000 a day to 200,000-300,000 a day, and this trend is expected to continue for the foreseeable future. In addition, the world recently witnessed the third cyber attack against a country (Kyrgyzstan). Many cyber security experts have stated that the threat of attack by traditional artillery and nuclear warfare has been replaced by cyber attacks aimed at Internet targets for gathering intelligence and disrupting communications. "We are in a new age of warfare," stated one cyber intelligence analyst I talked with on the subject. She went on to say that "cyber attacks are likely to precede any conventional attack, or at least be done in coordination with a conventional or nuclear attack."

Can the United States defend our networks against cyber-attack? That was just one of the many questions President Obama's pick for CIA Director, Leon Panetta, was asked in his confirmation hearings. It is clear Hathaway will have her hands full. The United States is by far the most reliant on computer technology and the internet, and as such it faces many challenges in securing cyberspace and defending and protecting the country against cyber attacks. Hathaway is a firm believer that government and the private sector must join together to address this national security threat. She is well aware that threats to government systems stem both from technology and from the policies, practices and procedures that govern how people use that technology.

-- Kevin Coleman

Russia Now 3 and 0 in Cyber Warfare


In January of 2009 the world witnessed the third successful cyber attack against a country. The target was the small country of Kyrgyzstan. The country is only about 77,000 square miles in size with a population of just over 5 million. The attackers focused on three of the four Internet service providers. They launched a distributed denial of service attack whose traffic quickly overwhelmed the three, disrupting all Internet communications. The IP traffic was traced back to Russian-based servers primarily known for cyber crime activity. Multiple sources have blamed the cyber attack on the Russian cyber militia and/or the Russian Business Network (RBN). RBN is thought to control the world's largest botnet, with between 150 and 180 million nodes. These reports go on to say that Russian officials hired the technically capable group to do this. It is widely believed that this group also played a substantial role in the Estonia attack in 2007 and the attack on Georgia in 2008. The mechanism of attack was a fairly large botnet with nodes distributed in countries around the world. (DefenseTech: Enemy among Us) One significant difference in the Kyrgyzstan attack is that most of the DDoS traffic was generated in Russia.

INTEL: One source reports that this attack was commercial -- insinuating the civilian organization (attackers) may have been paid to carry this out.

ANALYSIS: The commercial sourcing of the cyber attack is believed to have been done to keep the Russian government at arm's length from the hostile act.

The attack seems to be politically motivated and is the latest example of geopolitical disputes being fought with cyber weapons. Cyber intelligence analysts stated that the attacks were launched to disrupt demands that leaders halt plans to prohibit access to an airbase used by the US military in its war in Afghanistan. The analysts went on to say that Russian officials want nothing more than the base closed as soon as possible. (This is said to be one of the terms of a $2 billion investment deal that Russia is trying to negotiate with Kyrgyzstan.)

-- Kevin Coleman

UK Cyber Attack Reported


The UK Ministry of Defense (MoD), the DoD equivalent in Britain, has begun to investigate what has been called its most significant cyber security breach after information and evidence surfaced that all emails sent from multiple Royal Air Force stations were being sent to IP addresses traced back to Russia.

A hybrid computer virus/worm was able to penetrate MoD system security nearly two weeks ago. An MoD spokesman reportedly said that "action was immediately taken to isolate the infected systems and commence virus-cleansing procedures to protect from re-infection."

This security event resulted in the need to bring down systems and halt email communication across most, if not all, of the military. These reports were just confirmed by British media. Reports that the Royal Air Force had some of its systems impacted as well remain unconfirmed at this point.

Allegations have been made that the MoD has failed to take the necessary steps to secure its systems and to respond to the growing threat of cyber attacks. Digital DNA analysis of the sophisticated virus suggests that it originated somewhere in the former eastern bloc. The impact of the computer virus attack was significant. The MoD stated that the performance of its IT systems had been affected by the computer attack but would not elaborate further.

Other reports suggest that systems at over 24 RAF bases and on 75% of Royal Navy ships -- including the aircraft carrier Ark Royal -- were infected or impacted. Unconfirmed reports implied that the stations attacked by the worm were ones that would be used to scramble aircraft for Russian bomber intercepts. Sources inside the MoD have stated they are investigating the computer virus/worm. However, they firmly denied any knowledge of any e-mails being sent to Russia.

This attack came on the heels of a similar attack on the Pentagon in the United States. Could this be the same bug? Cyber security experts say they appear to be similar but are not willing to say they were identical. The computer virus caused the Pentagon to ban the use of USB memory sticks or flash drives.

Although the US Department of Defense has not provided any official comment on the attack on their UK ally, one thing is clear, cyber attacks have accelerated and many believe we are on the verge of an all-out cyber war.

-- Kevin Coleman

Israel's Looking for a Few Good Cybermen



A fairly active cyber militia within Israel wants you! These cyber activists (Help Israel Win) are actively recruiting pro-Israeli computer users to aid in their cyber attacks against Hamas websites. These efforts appear to date back to the very early days of the latest conflict in Gaza. The militia developed and is distributing a cyber weapon called "Patriot" that, once installed, allows the volunteer's computer to be remotely controlled and used in a Distributed Denial of Service (DDoS) attack against targeted Hamas websites.

As of late last week, the cyber militia said there were about 8,000 downloads of the cyber weapon. This is not just a hack package. The software includes the ability to remotely update the cyber weapon as well as an uninstaller that will remove the program once the conflict has ended.

This is just one aspect of the growing cyber war. The DDoS coupled with a significant propaganda (PSYOPS) offensive has continued to intensify in the Israel/Gaza conflict. PSYOPS is commonly used to induce and/or reinforce attitudes and behaviors favorable to the desired objectives of those launching the psychological operations. There have been reports that the Israeli military is also using the good old phone system in their PSYOPS initiatives. There have been multiple reports that Palestinians have been receiving phone calls from the Israeli army warning them against dealing with or assisting Hamas. Numerous reports of web site defacement have echoed throughout the online world for weeks now. In fact, the Israeli military launched its own PSYOPS and became the first national army to set up an official YouTube channel featuring its own military videos.

This is just the latest indicator of the new hybrid conflict engagement that combines bombs and bullets with bits and bytes. One thing is sure; the cyber war is heating up with multiple other countries getting involved.

A cautionary note. Can someone else use the installed Patriot program? Yes - potentially. That being said, millions of computers that are part of botnets have the same issue, and their owners are totally unaware of that fact. Anyone who grants any type of remote access, whether for maintenance, this type of activism or who knows what, is placing themselves at risk.

-- Kevin Coleman

Peeking into Private Data


Cyber espionage is a relatively new type of intelligence gathering capability with various strategies, tactics and tools. Cyber espionage is defined as the intentional use of computers or digital communications activities in an effort to gain access to sensitive information about an adversary or competitor for the purpose of gaining an advantage or selling the sensitive information for monetary reward. This widely accepted definition was originally crafted by Spy-Ops in their cyber warfare analysis program back in 2004.

Cyber espionage blasted onto the scene in the mid 90s and has grown at a steady pace alongside the adoption and use of the internet by business, government and industry. Even though cyber espionage is relatively new, countries like China have already invested a lot into building large and well trained cyber-espionage forces. By the first of 2009, Spy-Ops estimates about 140 countries and over 50 terrorist and criminal/extremist groups will be developing cyber weapons and espionage capabilities.

In conventional espionage you rely on deep cover covert operatives to conduct espionage and gain intelligence. In cyber espionage you use computer systems and data coupled with conventional techniques to gain intelligence and sensitive information. Events like the ones at ClearanceJobs and Oak Ridge National Labs seem to indicate that the U.S. science and engineering community is being targeted. Let's look at these two incidents a bit closer.

Incident #1: ClearanceJobs is an online jobs board that specifically addresses the needs of individuals with security clearances and those who hire them. They only focus on active or current security clearances. As such, those who apply to job postings on the ClearanceJobs site are ready to work on sensitive/classified projects. ClearanceJobs sent out an email to all those who registered at the web site on Monday, November 19th, disclosing a security and systems breach. The hackers did not obtain resume information; however, they did gain access to names, emails and contact information, according to the company. The company currently has approximately 3,700 job postings that attract a significant number of candidates seeking new positions. To illustrate the sensitive nature of many of these posted opportunities, a search on Top Secret SCI returned 2,660 listings with that as a requirement. Top Secret is applied to information or materials the unauthorized disclosure of which would be expected to cause exceptionally grave damage to the national security. SCI is the abbreviation for Sensitive Compartmented Information, the term given to a method for handling specific types of classified information that relates to national security topics or programs whose existence is not publicly acknowledged.

The cyber attack used a SQL injection to gain access to information. This attack is thought to have originated in Russia.
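The incident write-up names SQL injection as the entry point but does not show what the defect looks like. The following is an added example, not code from the original post or from ClearanceJobs, that puts a vulnerable registration lookup beside its hardened form over a constructed in-memory SQLite table. The table, the three rows and the `users` schema are assumptions made for the example; the point it demonstrates is that building SQL by string concatenation lets an input change the query's meaning, while a parameterized query treats the same input purely as a value to compare.

```python
import sqlite3

# Constructed sample rows standing in for a jobs-board registration table.
# Nothing here comes from the ClearanceJobs incident itself.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "555-0100"),
    ("bob", "bob@example.com", "555-0101"),
    ("carol", "carol@example.com", "555-0102"),
]


def make_db():
    """In-memory SQLite database holding the constructed registration rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string concatenation. The caller's input
    becomes part of the SQL text, so a quote character in the input ends the
    literal and whatever follows is parsed as SQL."""
    sql = "SELECT name, email, phone FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Parameterized statement. The SQL text is fixed and the value is bound
    separately by the driver, so the input is only ever compared as data."""
    sql = "SELECT name, email, phone FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Compare both lookups on a normal username and on the textbook
    tautology input, which closes the quoted literal and appends an
    always-true condition."""
    conn = make_db()
    payload = "x' OR '1'='1"
    return {
        "normal_rows_vulnerable": len(lookup_vulnerable(conn, "alice")),
        "normal_rows_hardened": len(lookup_hardened(conn, "alice")),
        "payload_rows_vulnerable": len(lookup_vulnerable(conn, payload)),
        "payload_rows_hardened": len(lookup_hardened(conn, payload)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the constructed table the normal lookup returns one row either way, while the tautology input returns every registered user's name, email and contact details from the concatenated query and no rows from the parameterized one, which is exactly the data class the company reported as exposed. The same discipline applies to every field that reaches a query, not only usernames.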

Incident #2: Oak Ridge National Labs

Oak Ridge National Laboratory (ORNL) is a multi-program science and technology laboratory operated by the U.S. Department of Energy. Scientists and engineers at ORNL conduct basic and applied research and development to create scientific knowledge and technological solutions that strengthen the nation's leadership in key areas of science; increase the availability of clean, abundant energy; restore and protect the environment; and contribute to national security.

A cyber attack targeted the lab by using phishing emails which opened the door for hackers to glean the sensitive information of up to 12,000 visitors to the facility. This was just one part of a cyber battle plan that attempted to gain access to computer networks at numerous laboratories and other institutions across the country. A spokesperson for the lab publicly stated that it is possible the hackers may have gained access to a database of names, birth dates, and social security numbers of every lab visitor between 1990 and 2004. It is unknown how many of these individuals held security clearances and worked on classified programs. While ORNL's management doesn't believe that the attackers managed to get access to classified data on their system, there may be an ulterior motive for accessing this data.

It should be noted that Oak Ridge was just one of multiple national labs that were targeted by this coordinated phishing attack, thought to originate in China. Additional reports state that the 10 most prominent U.S. defense contractors, including Raytheon, Lockheed Martin, Boeing and Northrop Grumman, have been the victims of the same sort of cyber espionage.

Scenario-Based Intelligence Analysis (SBIA)

SBIA is a technique pioneered by Technolytics, Intelomics and Spy-Ops. It creates a framework that allows scenarios to be examined and attempts to answer the "so what does this mean" with respect to events under analysis. Using this technique we looked at both of these events. The following was the result.

Specified target: Information about persons who have access to sensitive or proprietary information.

So how could this information be used? Think about this scenario. The foreign intelligence service contacts these individuals using the information they obtained. Armed with that data, they present a great job opportunity to a specific individual and set up a bogus phone interview for the made-up position. The potential target is wooed by the position, salary, benefits or other enticements. During the upfront interview process, the individual becomes comfortable and less guarded when discussing the details of the work they are doing or have previously done. Answering these seemingly harmless questions about strategies, plans, programs, practices, people or even technologies can lead to derivative intelligence. Derivative Intelligence (DI) is synthesized out of the lower level data, facts, timelines and events that may be disclosed during a casual conversation or on a professional's resume. The information collected using this technique could compromise national security by unintentionally disclosing classified programs, projects or systems.

One recruiting professional, who asked not to be identified, said this tactic has been and still is used in Silicon Valley where the competitive environment is extremely intense among technology companies. One interesting fact is that the Defense Security Services did not identify this method in their latest Technology Collection Trends 2005 report.

An internet search turned up multiple resumes of individuals with Top Secret/SCI clearance that listed their home addresses and past and current projects for major defense contractors. One resume listed projects at Ft. Meade, home of the National Security Agency. While the information contained on the resume may or may not provide any useful intelligence, it at least creates a security risk for the individuals who provided their home address and a potential for recruitment by adversaries or worse.

Espionage is the act of obtaining non-public or secret information from rivals or enemies for military, political, or economic advantage. Espionage activities such as these, which are thought to be related to the theft of government secrets, are a real threat to national security. Covert operations and espionage are often precursor events to conventional or, in this case, cyber conflicts. You would want to believe individuals who have security clearances and work in sensitive areas would not be duped by common hacker practices. The reality is we are all susceptible to lapses in our security awareness. This is not just a problem for the security and defense industry; it can also be directed against corporations as well. Currently, corporate espionage alone is estimated at costing companies over $1.5 trillion annually.

A security strategy must include an ongoing effort to educate users and developers about these common exploits and to achieve a high level of awareness. P. Cordaro, a security training specialist at Spy-Ops, said, "The dynamics of cyber warfare and system security are such that we all need a continuous update of our skills and knowledge." With nearly 6,500 cyber attacks being reported in the last minute, we cannot afford to let down our guard for one second.

-- Kevin Coleman

The Rule of Thumbs


No one would dispute how convenient thumb drives are, or how they've made the transfer of files from one machine to another so easy. These drives offer numerous advantages over other portable storage devices. They are more compact, and operate much faster. The new thumb drives using USB 2.0 operate faster than an optical disc drive, while storing a larger amount of data in a much smaller space.

They also have no moving parts, making them more robust than mechanical hard drives. These types of drives use the USB mass storage standard, supported by modern operating systems such as Windows, Mac OS X, Linux, and other Unix-like systems. However, that convenience comes with risk.

FACT: The flash-memory market was until recently one of the fastest-growing segments of the global semiconductor industry. The total worldwide revenue of the market in 2008 is estimated to be about $12 billion.

The recent news of this significant cyber incident at the Pentagon has called into question the use of thumb drives. According to one report, senior military leaders said the malware infection incident affected the U.S. Central Command networks. This incident included systems both in the headquarters and in the combat zones. Thumb drives are reportedly banned within the U.S. Department of Defense. The ban comes after they were identified as the most likely point of compromise that transferred what has been termed a “global virus” according to Pentagon spokesman Bryan Whitman. Inside sources leaked a message distributed to employees saying that all flash drives, whether purchased or provided by the Department of Defense, would be confiscated.

This is a problem not just for DoD, but for all computer users, so tell us about your use of thumb drives.

-- Kevin Coleman

Cyber Product Liability


Recently, I was consulting on the development of cyber strategies that would lead the way in developing guidance on this rapidly emerging threat.

The objective of this work was to articulate new cyber concepts, doctrine, strategies and technology solutions. While using scenario-based intelligence analysis and trans-disciplinary intelligence engineering to advance the current corpus of knowledge toward the development of cyber attack strategies that manage this emerging risk, several interesting observations were made. A review of intelligence surrounding the cyber attackers' modus operandi (MO) led to an interesting question.

The question was: What liability should hardware and software vendors bear for vulnerabilities in their products?

Our discussions brought up the legal aspect of this issue in the context of product liability. Product liability is the area of law in which manufacturers, distributors, suppliers, retailers and others who make products available to the public are held responsible for the harm those products cause.

The claims most commonly associated with product liability are those of negligence, strict liability and breach of warranty. A product liability claim is usually based on one or more of the following causes of action.

  • Design Defects

  • Manufacturing Defects

  • Failure to Warn

A software vulnerability would clearly fall under the product defect cause of action.

The mid-year report by IBM X-Force stated that the overall number of vulnerabilities continued to rise, as did the overall percentage of high risk vulnerabilities. Approximately 3,500 software vulnerabilities were announced in the first six months of 2008, on track to exceed the total number reported in 2007.

Given our critical infrastructure, our national security and our economy is dependent on generally available hardware and software.

Take the poll below to tell us what you think: Should hardware and software vendors be held accountable for flaws in their products that are exploited and used to gain access to and exploit the system?

[EDITOR: First answer should read software AND hardware...]

-- Kevin Coleman

Mumbai terrorist attacks-C4I


C4I stands for Command, Control, Communications, Computers and Intelligence. The ability to have full C4I integration is unarguably the singular element needed to significantly improve tactical, operational and strategic effectiveness. History has proven C4I to be a critical aspect of military and law enforcement actions.

But these lessons have been studied by terrorists who have now integrated C4I into their operational plans. This has become even more evident since Indian authorities announced they discovered five BlackBerry cell phones that forensic experts determined were used during the two day siege.

Experts tell us that integrated command, control, communications, computers and intelligence capabilities within the multiple terrorist groups that launched the Mumbai operation significantly enhanced their abilities and allowed the terrorists to coordinate their sinister efforts. The terrorists used the live TV streams and news broadcasts from Indian and foreign media to their advantage during the two day siege. By monitoring these broadcasts, they were able to have near real time surveillance of what was going on to thwart their attacks. According to Brian at Spy-Ops, "The terrorists had information superiority and that was achieved by simply using a commercial off-the-shelf product, including BlackBerry smart phones."

The terrorists also had access to satellite imagery during the preparatory stages of the attack. Evidence shows that satellite imagery from Google Earth was downloaded and used in the attack. This is yet another case of COTS products being used to aid in the planning and execution of the attacks. If that's not bad enough, investigators learned that the terrorists also relied on satellite phones and GPS -- two more COTS products -- to navigate their way to their targets and coordinate timing.

We live in a high-tech society, with capabilities previously available only to the military now in the hands of the general public. This group of terrorists was technologically sophisticated. One thing is a given: law enforcement and military leaders are rethinking their policies surrounding media access to ongoing events. One sure bet is that the media perimeter will be pushed out and away from direct line-of-sight visual access to the scene of the event. It is also possible that cell phone jammers will be used to disrupt communications among the actors at similar events. The availability of high-tech COTS products creates an enhanced challenge to counter-terrorist efforts around the world. Counter-terrorist units must be equipped with the latest technology in order to combat the actions of terrorists.

There are over 154 known terrorist groups in 56 countries throughout the world.

International and domestic terrorist events totaled 14,499 in 2007.

INTEL: The average dollars required to fund a terrorist attack are in the hundreds or low thousands, not hundreds of thousands.

INTEL: Indian investigators suspect the terrorists that carried out the Mumbai attacks may have British links after examining BlackBerry phones they used to monitor news reports.

INTEL: The captured terrorist, Azam Amir Kasab, told police that he was shown video footage of the targets and Google Earth images before the attacks.

INTEL: Robot drones, mine detectors and sensing devices are now common on battlefields abroad and at the scene of terrorist attacks.

INTEL: The Indian security forces, including the elite special-forces unit known as "Black Cats," had little access to high-tech equipment such as night-vision goggles or thermal-imaging capability.

-- Kevin Coleman

Cyber Attacks & Warfare - Rules of Engagement


The rapid advancement of cyber attacks and the emergence of cyber warfare have caught government and military leaders around the world off guard. Decision making in times that require defensive measures, or in a military crisis, is guided by doctrine and rules of engagement, but for cyber attacks and cyber warfare no such doctrine or rules currently exist. The complexities and unique characteristics of cyber warfare mandate establishing Cyber Attack and Warfare Rules of Engagement (CAWRoE).

Cyber warfare is different from conventional war in many ways. It is this difference that will challenge the minds of experts around the world when they attempt to create cyber warfare doctrine and ROE. To frame this discussion, below you will find two definitions that put this challenge in context.

Definition - Cyber Warfare & Terrorism - "The premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives. Or to intimidate any person in furtherance of such objectives." Source: This definition was published in the U.S. Army Cyber Operations and Cyber Terrorism Handbook 1.02. This definition was written by Kevin Coleman back in 2004 for an online article.

Definition - Rules of Engagement - Rules of engagement date at least to the Middle Ages in Europe. In military terms this refers to a directive issued by a military authority controlling the use and degree of force, especially specifying circumstances and limitations for engaging in combat. The directive delineates the limitations and circumstances under which forces will initiate and prosecute combat engagement with other forces encountered. Source: This definition is based on multiple authoritative sources, combined to clearly articulate ROE.

NOTE-- After months of research, we will soon publish a paper that addresses the question: "What constitutes an act of cyber war?"

History has shown that ROE are often over-controlled and over-regulated by politicians and military leaders. It is anticipated that this will also be the case as it relates to cyber attacks and warfare. In addition, commanders and government leaders at all levels must understand the situation, complexities and uncertainty they face.

The increased complexity, the technical aspects and the difficulty of tracing cyber attacks back to the aggressor will combine to make creating cyber ROE harder. Careful crafting of cyber ROE is required to diminish ambiguities that could cause delays in action when the use of force is required, delays that would surely carry increased implications for the United States.

Cyber attack and warfare rules of engagement will undoubtedly require hundreds of pages to establish a decision framework. That being said, there are a few critical areas that will pose the most significant challenge to policy makers. One of these areas will be the level of confidence in the identification of the entity behind an attack on a nation. Tracing and tracking cyber attacks back to those responsible is not an easy task. Usually this takes months or years, not minutes or hours. Current intelligence and surveillance capabilities will provide only minimal assistance in this effort. Although promising research on tracking and tracing cyber attacks is currently underway and advances are occurring on a regular basis, we are far from being able to rapidly identify the party or parties behind an attack with the high degree of confidence and hard evidence necessary to launch an offensive cyber response. At the present time, the newness of cyber attacks and weapons, coupled with their potential but unproven power and the uncertainty about how they might be used, has pushed the decision on how to respond to cyber attacks all the way to the top, into the hands of the President of the United States.

Over 140 countries around the world have cyber weapons development efforts underway but lack a comprehensive doctrine and legal framework for responding to cyber attacks as well as using offensive cyber weapons against attackers and adversaries. President-elect Barack Obama's national security team will have to rapidly establish the rules of engagement as they relate to cyber attacks and all out cyber warfare. His national security team is said to include: Sarah Sewall, Tom Donilon, Wendy R. Sherman, Michèle A. Flournoy, John P. White, Robert R. Beers, Clark Kent Ervin, Gayle E. Smith, Aaron Williams, John O. Brennan and Judith A. ("Jami") Miscik.

While the United States military has an expansive arsenal of sophisticated cyber weapons at its disposal, policy makers have yet to define the rules of engagement that govern when and how to use them. In a briefing earlier this year I said: "This is totally uncharted territory for policy makers. The characteristics of cyber attacks coupled with the operational aspects of cyber weapons make this a unique challenge."

This remains the case and time is growing short before the next significant cyber attack is launched. Cyber warfare requires new rules of engagement.

-- Kevin Coleman

Pentagon Slammed by Cyber Attack


The Pentagon has suffered a direct hit from a cyber attack. The weapon used is said to be a hybrid computer worm/virus. Insiders say the hybrid rapidly spread through the thousands of interconnected defense computer networks. A computer worm is different from a computer virus. A worm is thought to be more dangerous because it can run itself, whereas a virus needs a host program to run. The DoD responded quickly and has taken steps to slow the advancement of the worm/virus by quarantining networks and systems until the worm/virus can be removed.

Cyber investigators have not pinpointed the entry point for the worm/virus, but insider sources point to removable storage devices as the most likely point of infection. This seems to be supported by the fact that U.S. Strategic Command has banned the use of removable media (thumb drives, CDRs/DVDRs, floppy disks) on all DoD networks and computers effective immediately. This incident has been deemed so severe that unprecedented defensive measures have been instituted to protect the military systems.

Oddly enough, all Internet users are being warned to stay vigilant by security experts who believe that Monday, Nov. 24 is poised to be the worst day of the year for computer attacks.

Security experts at Spy-Ops I spoke with said, "If this can happen to the Department of Defense it can happen to any organization." They went on to say that the cost of this attack could easily reach into the billions of dollars if the worm/virus destroys data. If that's not bad enough, one expert went on to say that the nightmare scenario is if the malicious code alters data rather than deleting it -- a much more difficult problem to resolve.

News of the cyber attack came on the heels of today's release of the "Global Trends 2025: A Transformed World" document by the Office of the Director of National Intelligence. The document stated that non-military means of warfare, such as cyber, economic, resource, psychological and information-based forms of conflict will become more prevalent in conflicts over the next two decades.

While the source of the attack remains classified, the usual cast of characters comes to mind. At the head of the list are of course China and the RBN -- Russian Business Network. If the attack is found to be sponsored by another country, could this be considered an act of cyber war?

-- Kevin Coleman

Legal Risk of Cyber Outage


New analysis indicates that critical infrastructure operators are ill prepared to deal with cyber attacks. That reinforces the Government Accountability Office (GAO) report earlier this year that found the Tennessee Valley Authority, the nation's largest public power company serving over 8.7 million people, is vulnerable to cyber attacks. One just-released study asked respondents to indicate the state of readiness to defend against IT threats in eight different industries. The results showed that 50 percent of respondents said that the utilities, oil and gas, transportation, telecommunications, chemical, emergency services and postal/shipping industries were not prepared. The energy sector emerged as the most vulnerable target. So it is no wonder the Department of Homeland Security (DHS) is once again moving to address the threat to our nation's critical infrastructure.

DHS is looking for public input as it prepares for next year's release of a revised version of the National Infrastructure Protection Plan (NIPP), thus updating the 2006 version of the plan. The federal government has sought to actively engage the private sector in a number of industries to address the threat of cyber attacks. Originally, the federal government identified seventeen critical infrastructure areas and designated federal agencies to be in charge of creating plans as well as overseeing collaborative efforts to protect those areas. It should be noted that earlier this year DHS announced that it also had designated critical manufacturing as an additional sector.

One industry insider speaking to me on the promise of anonymity said: "Utility executives are not going to spend money on defending their systems against cyber attacks. When they do, they decrease the financial performance of the company and that subtracts from the executives' bonuses." So is this yet another group of businesses that are going to the Federal Government looking for a handout?

Cyber attacks against utilities are not just theoretical, they are real. Earlier this year there were dozens of reports that stated CIA senior analyst Tom Donohue told a gathering of 300 US, UK, Swedish and Dutch government officials, engineers and security managers from electric, water, oil & gas and other critical industry asset owners that "Cyber Attack Caused Multi-City Power Outage." Cyber attacks against utilities are now a foreseeable risk.

Foreseeable Risk and Threats - (a legal term) - A danger which a reasonable person should anticipate. Foreseeable risk is a common affirmative complaint put up in lawsuits for negligence (a tort).

We sought out a legal opinion and got one.

"The significant media attention being given to the threat of cyber attacks, as well as the fact that a number of high ranking government officials have warned about this threat, suggest that corporations have a duty to assess their exposure to this risk and create a cyber risk mitigation strategy. Failure to do so could constitute negligence due to the fact that in this day and age, cyber attacks are reasonably foreseeable," said Attorney Fred Rice specializing in corporate legal issues.

FACT: Tort litigation costs have reached nearly $300 billion annually.

But how far could the legal action go? I posed the following scenario to Edward Maggio, professor of criminal justice at the New York Institute of Technology. Scenario: A cyber attack directed against an electrical utility causes a power spike and outage. The spike and outages damage a piece of life support equipment resulting in the death of a patient relying on the device.

Given the above scenario, if the electrical utility did not take appropriate action to protect against such attacks, could the utility be held accountable?

"While culpability for the impact resulting from cyber attacks is a somewhat uncharted area of law, legal action against a power utility will be based on negligence. It is likely that hackers who engage in successful cyber attack against a power utility have likely made previous attempts against a chosen target. Such previous attempts would serve as evidence that a power utility had a duty to mitigate and protect itself from cyber attacks," Maggio said.

It is clear that any utility that fails to appropriately plan for or respond to the increased threat of cyber attacks is failing in its duty to protect the general public. Anyone harmed as a result of a cyber attack against a utility may have a cause of action (a lawsuit) when they were harmed due to the power utility's failure to increase its cyber security, he went on to explain.

Will it take a major cyber attack with litigation before the necessary steps are taken to protect our critical infrastructure? It sure looks that way.

-- Kevin Coleman

China Hacks White House Email?


Multiple sources are reporting that hackers have penetrated the email system of the White House.

People described as "US government cyber experts" are said to suspect the cyber raids were sponsored by the Chinese government. These sophisticated, targeted attacks repeatedly penetrated the unclassified network's defenses. The breaches seem to closely follow the "Grain of Sands" technique used by Chinese intelligence agencies.

The "Grain of Sands" is a methodology used to derive intelligence from disparate pieces of data no matter how seemingly trivial, as each data point might just be the final little piece that completes the puzzle. It is important to note that inside sources tell us that the classified network and system was NOT compromised.

This comes just days after Newsweek reported that both the Obama and McCain campaigns had their security breached by overseas hackers. Reportedly a significant amount of data had been exfiltrated. Intelligence analysts at Spy-Ops believe that the hacks and data transfers were a concerted effort to track the candidates' policy positions, which could aid in future negotiations with the United States. The FBI and U.S. Secret Service had notified both campaigns of the security breach in late August.

At first, the campaign security thought it was just another "phishing" attack, using common methods. One source said the FBI told them: "You have a problem way bigger than what you understand. You have been compromised, and a serious amount of files have been loaded off your system." Unofficial sources tell us that the attacks were traced back to Russia, China and an un-named third country.

This is at least cyber espionage, but is it an act of cyber war? Are we at Cyber DEFCON 1? A clear-cut cyber warfare doctrine is needed to answer these questions.

-- Kevin Coleman

[EDITOR: Please be sure to take a look at the transcript of last week's interview with Kevin on the DT Live Q&A]

Live With Cyber Security Expert Kevin Coleman

Don't Forget Today's Cyber Security Q&A

Please be sure to join Kevin Coleman for a live online Q&A this afternoon.

-- Christian

The Enemy Among Us


In the past few months, organization after organization and expert after expert have come out and warned of the imminent threat posed by cyber attacks. There can be little doubt left about the increasing threat of cyber attacks on businesses, government and critical infrastructure. At this point cyber attacks pose an unprecedented threat to the computer systems and networks that have become so integral to virtually every aspect of our lives. The top two questions on many people's minds are: where are these attacks coming from, and how are these attacks done? To answer these two questions we must first examine one of the most common types of attack and the components that make up the cyber weapon used in the attack.


A zombie is any computer that has been compromised and has malicious code installed that puts it under the control of hackers without the knowledge of the computer's owner. Zombies are widely used as the weapon of choice for launching DoS attacks.

INTEL: Research has indicated that an improperly protected computer connected to the internet is compromised and turned into a zombie in about one minute.


Criminal elements and rogue nation states have created more active zombie networks in the last month than ever before. At any given moment there are approximately 1,000 active botnets. In total, experts estimate that there are nearly 300,000 botnets in place today. The largest botnet is thought to control between 150 and 180 million computers and is operated by the Russian Business Network (RBN). Detecting and disrupting botnets is a particularly difficult challenge. An already bad situation is getting worse!

A study using Scenario-Based Intelligence Analysis (SBIA), a strategic threat modeling methodology by Technolytics, determined that we can expect to see hackers attempting to inject malware into cell phones to turn them into remote-controlled bots as well. These Cellbots can then be used much in the same way as computers. This includes their use in launching distributed denial-of-service attacks that can cripple cell phone networks in addition to computer networks and systems that they target.

INTEL: Tools are already available for crafting exploits for multiple smart phones.


Denial-of-service attacks aim to bring a site down by bombarding it with fake requests for a web page or image. A denial-of-service (DoS) attack is a technique in which a multitude of compromised computers attack a single target by flooding it with incoming traffic until the target is forced to shut down, thereby denying access to the system for legitimate users. Botnets are the primary cyber weapon used to carry out such attacks.

INTEL: Experts have estimated that on any given day there are about 1,300 Denial of Service attacks.

On the 27th of August at approximately 16:18, a DoS attack against Georgian websites was launched. The main target was the Georgian Ministry of Foreign Affairs. The attacks peaked at approximately 0.5 million network packets per second, and up to 200-250 Mbits per second. So who was the enemy, and where did all this attack traffic originate? The startling fact is that the enemy lives among us! Multiple reports point to the U.S. as the largest source of this malicious traffic. An estimated 17% to around 30% of the DoS traffic that targeted Estonia and the Republic of Georgia came from compromised computers within the borders of the United States. In a separate study it was determined that 20.6 million attempted attacks originated from computers within the U.S., while only 7.7 million attempted attacks emanated from computers within China's borders (a distant second).
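As an added example of the defender's side of the flood described above (not code from the original post): a rate-based check over constructed one-second flow summaries that separates a distributed, many-source flood from a single-source one and reports what share of the flood packets came from each origin. The thresholds, the origin prefix map and every address in it are assumptions for illustration.

```python
"""Rate-based detection of a packet flood over constructed flow records.

Each record is a one-second summary: "<epoch_second> <src_ip> <dst_ip> <packets> <bytes>".
Thresholds are assumptions loosely scaled from the figures quoted above.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed per-destination alert thresholds for a single one-second window.
PPS_THRESHOLD = 100_000       # packets per second
MBPS_THRESHOLD = 100.0        # megabits per second
MIN_DISTINCT_SOURCES = 50     # fewer sources than this is a single-source flood, not a botnet

# Constructed origin map (hypothetical prefixes, not real attribution data).
ORIGIN_PREFIXES = {
    "US-hypothetical": ip_network("10.0.0.0/8"),
    "CN-hypothetical": ip_network("172.16.0.0/12"),
    "OTHER-hypothetical": ip_network("192.168.0.0/16"),
}


def origin_of(ip: str) -> str:
    """Map a source address to its (hypothetical) origin label."""
    addr = ip_address(ip)
    for label, net in ORIGIN_PREFIXES.items():
        if addr in net:
            return label
    return "unmapped"


@dataclass
class Window:
    """Traffic seen for one (second, destination) pair."""
    packets: int = 0
    octets: int = 0
    sources: set = field(default_factory=set)
    by_origin: dict = field(default_factory=lambda: defaultdict(int))


def aggregate(records):
    """Sum packets and bytes per (second, dst) and collect the distinct sources."""
    windows = defaultdict(Window)
    for line in records:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, pkts, octs = line.split()
        w = windows[(int(ts), dst)]
        w.packets += int(pkts)
        w.octets += int(octs)
        w.sources.add(src)
        w.by_origin[origin_of(src)] += int(pkts)
    return windows


def classify(w: Window) -> str:
    """Normal traffic, a single-source flood, or a distributed (botnet) flood."""
    mbps = w.octets * 8 / 1_000_000
    if w.packets < PPS_THRESHOLD and mbps < MBPS_THRESHOLD:
        return "normal"
    return "distributed-flood" if len(w.sources) >= MIN_DISTINCT_SOURCES else "single-source-flood"


def detect(records):
    """Return one alert per flooded window, with the share of packets per origin."""
    alerts = []
    for (ts, dst), w in sorted(aggregate(records).items()):
        verdict = classify(w)
        if verdict == "normal":
            continue
        shares = {k: round(100 * v / w.packets, 1) for k, v in sorted(w.by_origin.items())}
        alerts.append({"second": ts, "target": dst, "verdict": verdict, "pps": w.packets,
                       "mbps": round(w.octets * 8 / 1_000_000, 1),
                       "sources": len(w.sources), "origin_share_pct": shares})
    return alerts


def build_sample_records():
    """Constructed sample: one botnet second, one single-source second, one quiet second."""
    target = "203.0.113.10"  # documentation address standing in for the targeted site
    bots = ([f"10.1.{i}.1" for i in range(40)] + [f"172.16.{i}.1" for i in range(15)]
            + [f"192.168.{i}.1" for i in range(5)])
    recs = [f"1000 {src} {target} 2000 200000" for src in bots]   # 60 bots x 2,000 pkts of 100 B
    recs.append(f"1001 10.9.9.9 {target} 150000 9000000")           # one host, 150,000 pkts of 60 B
    recs += [f"1002 198.51.100.{i + 1} {target} 500 250000" for i in range(3)]  # ordinary load
    return recs


if __name__ == "__main__":
    for alert in detect(build_sample_records()):
        print(alert)
```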

The threat that botnets pose to businesses and national security has never been higher. The U.S. government and American businesses have yet to take the steps necessary to secure their networks and systems. Should the escalation in cyber attacks continue, targeted attacks against the private sector (commercial entities) will rapidly become more prevalent. Therefore, organizations need to create a response plan now.

Any computer connected to the Net can be compromised and turned into a cyber weapon. Are your computers part of the problem? Could they be? Chances are they are! Could you be held liable? Chances are you can! Carol Baroudi, research director of security at the Aberdeen Group has stated she thinks regulations are coming.

"Ultimately I think there's going to be some liability there," she said, likening the situation to merchants being held culpable for data loss. "Why wouldn't the organization with infected machines be held accountable for DoS attacks?" This problem is growing and the impact of attacks is increasing. One report by the Congressional Research Service suggests that cyber attacks cost businesses some $226 billion annually.

-- Kevin Coleman

The Cyber Attack Danger


Many nations are under constant cyber attack. The United States seems to be ground zero for the vast majority of the cyber attacks launched by its digital enemies around the world. A former CIA official provided the following statistics. In 2007 there were 37,000 reported breaches of government and private systems. In addition, there were nearly 13,000 direct assaults on federal agencies and 80,000 attempted computer network attacks on Defense Department systems.

In addition, who could forget the U.S. Air Force commercial that showed a picture of the Pentagon and said this building gets 6 million cyber attacks a day?

Cyber attacks are now expected to cause maximum damage because of the professional tools being used by the attackers. According to the cyber threat report released by Intelomics, the following list identifies the cyber attack techniques that have seen a significant increase in their level of sophistication.

  • Internet social engineering attacks

  • Wireless and wired network sniffers

  • Packet spoofing

  • Hijacking sessions

  • Automated probes and scans

  • GUI intruder tools

  • Automated widespread attacks

  • Widespread denial-of-service attacks

  • Executable code attacks (against browsers)

  • Techniques to analyze code to identify vulnerabilities

  • Widespread attacks on DNS infrastructure

  • Widespread attacks using NNTP to distribute attack

  • "Stealth" and other advanced scanning techniques

  • Windows-based remote controllable Trojans (Back Orifice)

  • Email propagation of malicious code

  • Wide-scale Trojan distribution

  • Distributed attack tools

  • Distributed denial of service attacks

  • BotNets and Zombies

  • Anti-forensic techniques

  • Wide-scale use of worms

  • Man-in-the-Middle plus Man-in-the-Browser exploitation

Cyber threats are now demanding immediate attention because of the increased dangers they pose to commercial and government entities and national security. The Congressional Research Service study found the economic impact of cyber attacks on businesses has grown to over $226 billion annually. Despite the significant impact, there is no clear framework for business executives to assess the financial impact of their cyber risks. According to two new surveys, the threat to corporate computer systems from cyber attacks is getting worse, despite stronger corporate defenses. Some cyber security measures might include more restrictive hiring practices, restricting remote working arrangements, increasing monitoring of flexible work hours and telecommuting as well as restriction on access by trading partners, vendors and consultants. In addition, organizations must also increase computer security awareness training for information technology workers as well as the general systems/computer user community.

A cyber attack special investigator at Intelomics said, "the reports of attacks, breaches and system compromises that make the news are only the tip of the iceberg. The vast majority of these attacks go undisclosed and thus are not covered by the media."

Most nations do not have adequate IT security to protect against targeted cyber attacks. Technolytics has warned before that these cyber attackers are well financed and have an arsenal of highly sophisticated weapons that not only circumvent current security controls but leverage anti-forensic techniques that remove evidence of their attacks. The United States, European Union, United Nations and NATO must act, and act now. In view of the current situation I would like to suggest they seriously consider the following actions and move immediately to adopt and implement these measures.
1. Establish a cyber threat operating committee under the United Nations Security Council.
a. This cyber threat operating committee must be closely linked in a collaborative relationship with the Counter-Terrorism Committee.
2. Create a framework to determine what constitutes an act of cyber war and create a legal framework that addresses international criminal cyber acts.
3. Proactively create a framework of actions that can quickly be levied against cyber aggressors.
a. These actions must include both economic and military sanctions as well as suspension of connectivity to the Internet backbone by both physical communications cables and via satellite.
4. Create a cyber peacekeeping force that is a rapid response asset to assist in repelling any offensive cyber-based aggression.

In the interest of global peace, economic integrity and stability, I believe that the United States, European Union, United Nations and NATO must proactively send a stern warning to those who choose to use cyber weapons against other nations, that there will be severe consequences of such actions.

-- Kevin Coleman

A Cyber Attack on the Poor's Wallet


Last week's blog posting "Offshore and Cyber Security" rang true as the cyber security and financial security worlds were rudely awakened by word of what was being dubbed the largest security breach in history. This incident began over a year ago, but federal authorities and bank officials were able to keep it under wraps until Thursday, October 9th. The data breach at the World Bank (WB) was discovered in mid-2007. After receiving a tip from the FBI, the World Bank moved quickly to investigate. This investigation continues today and, like the vast majority of cyber events I have been involved with, it is highly dynamic and there is a great deal of contradictory information.

Here is what we know at this point. There were cyber security events at the World Bank. I discussed the event with Carl Hanlon of the World Bank and he stated that many of the news stories are fraught with errors, and called some of the reporting outright irresponsible. Our discussion went on and he said, "Like other public and private institutions, the World Bank has repeatedly experienced cyber attacks." He emphatically stated that "At no point have we uncovered evidence the cyber attackers accessed sensitive information in the World Bank's Treasury, procurement, anti-corruption or human resources departments."

World Bank issued the following statement:
"The Fox News story is wrong and is riddled with falsehoods and errors. The story cites misinformation from unattributed sources and leaked emails that are taken out of context."

In my conversation with Mr. Hanlon, a point made at a U.S. StratCom meeting I attended just this past week was repeated.

"We do not have the context framework necessary to intelligently discuss cyber attacks. We do not have a standard definition of what actually constitutes a breach, a cyber attack or an act of cyber war."

I have called for such a cyber attack framework and cyber warfare doctrine for some time now, and this is clearly evidence that we need it now.

I also contacted Satyam (a company alleged to be involved with the attack) and this is what they sent me via email:

"There have been reports in a section of the press allegedly linking Satyam to possible security breaches at the World Bank (WB). These accounts are based on a single speculative story that appeared on Friday evening IST, in the US. Satyam is unaware of any facts that substantiate this allegation. ... Satyam takes this matter very seriously. We hold ourselves to the highest standards in the industry, and we take extraordinary care to develop secure networks and IT infrastructure for all our clients."

I posed the following question to Satyam: Was anyone associated with Satyam fired, asked to resign or put on leave pending an investigation of the security events that did occur at World Bank? Here is what I got as a reply: "As a matter of policy, Satyam does not comment on individual client contracts."

Like every other security breach, it takes a long time to determine what the implications are and what the true impact is for a cyber event like this. A piece by Fox News includes a quote stating "They had the keys to every room at the bank. And we can't say whether they still do or don't until we fully and openly address what's happening here."

While the email seems to support that statement, it is still not known how much information was compromised or stolen.

Satyam is a global business and information technology company that provides consulting, systems integration, and outsourcing solutions to clients in over 20 industries. Satyam Computer is publicly traded under the symbol SAY on the ADR and NYSE, their site says. As such, they need to formally address the allegations of information espionage because it could have a material impact on the company's performance and stock price. While they have stated that "the story has no validity," they seem to be just quoting and referring over and over to the World Bank's statement.

Were any of their employees or contractors involved or not, and if so, to what extent? Oddly enough, a five-year contract between the World Bank and Satyam lapsed in September. Failure to get in front of these allegations with full disclosure could expose the company to shareholder litigation and possible investigation by other authorities, including the Securities and Exchange Commission. Note: After being up 1.29% at the market close on Friday, the stock dropped 6.45% after hours, to 11.50.

The only thing that is certain is that we will not know the extent of the information espionage, if any, or who was behind it. While I would have loved to point to the articles and say "see, I told you so," it would be totally irresponsible of me. Digital forensics and cyber attack DNA analysis are very complex undertakings and take years, not hours, days or months. Could new evidence be uncovered in the future that causes both of these organizations to change their current statements? Yes.

What bothers me is this. During these investigations, it is critical that all information that is going to be made public be vetted by all the authorities involved, and approved by them, so as not to compromise the investigation. An ill-timed leak can compromise an investigation and derail the efforts to bring the cyber attackers to justice. There are at least two lessons to be learned from all of this. The first is that communication, internally and externally, must be carefully controlled and prudently crafted before release. So, free advice to everyone who may experience a data breach: here is what to say if the media calls you about a breach:

We are aware of the claims of a security breach and take them very seriously. We are actively investigating and the situation is quite fluid. At this point we will neither confirm nor deny anything in regards to this matter. We are working with authorities, and as facts are uncovered and cleared for release to the public, so that they do not compromise the ongoing investigation, we will provide that information to you.

The second lesson is that handling a security breach, or any event involving information espionage, requires a significant amount of coordination and security intelligence. Organizations would be well advised to plan for this coordination and obtain sources for security intelligence.

On a more philosophical note: how despicable this act was -- attacking an organization like the World Bank that does nothing but good. This comes close to rivaling the nasty hacking of web sites that contained information about photosensitive epilepsy and implanting swirling, flashing images in an effort to trigger epileptic seizures. Clearly nothing is beyond the reach of cyber attackers, and they will attack whomever and wherever they like. It is past time for industry to stand up to this threat. Now governments around the world, as well as the United Nations (UN), must address the global threat of cyber terrorism, cyber crime and cyber warfare.

-- Kevin Coleman

Offshore and Cyber Security


The 'offshore' IT services market has grown extraordinarily fast in the global market in the past few years. Since the 1980s, offshore outsourcing has become a major facet of the business world. An increasing number of organizations have turned to offshore outsourcing of application development and maintenance as a means to reduce the cost of information technology.

Definition: Offshore IT outsourcing is the practice of sub-contracting to a third-party company the performance of certain application development, maintenance and support functions in a country other than the one where the primary organization resides.

In a report issued by Datamonitor, the current market is estimated at more than $10 billion USD annually. Some industry analysts estimate worldwide spending on IT services delivered by offshore companies will exceed $75 billion USD within three to five years.

According to Gartner, the leading offshore outsourcing countries by region are listed below.

Americas: Argentina, Brazil, Canada, Chile, Costa Rica, Mexico and Uruguay

Asia/Pacific: Australia, China, India, Malaysia, New Zealand, Pakistan, the Philippines, Singapore, Sri Lanka and Vietnam

Europe, the Middle East and Africa: The Czech Republic, Hungary, Ireland, Israel, Northern Ireland, Poland, Romania, Russia, Slovakia, South Africa, Spain, Turkey and Ukraine

Large organizations see this as a huge opportunity for cost savings. Many experts view IT offshore outsourcing as a potential threat to the domestic technical job market and have asked the government for protective measures, or at least closer scrutiny of existing trade practices. There is another threat that IT offshore outsourcing poses: the threat of covert espionage, backdoors and remotely accessible exploits.

Security and privacy concerns are now the biggest issue for companies considering outsourcing their IT projects to companies offshore. These concerns include, but are not limited to, fraud, backdoors, data theft, extortion and espionage; they are the major components of offshore security risk and are now a major area of concern for outsourcers and our national security alike. Moreover, the unauthorized use of proprietary technology is another facet of the security concern. Most clients and outsourcers come together to integrate safeguards into their systems. New laws are being enacted regularly with regard to IT security and data theft. These laws have given some degree of protection to outsourced software development, and many organizations find comfort now that they have been enacted. That being said, security loopholes exist and are addressed only when they are identified. Not only that, but in the world of cyber conflict, terrorists, extremist groups, hackers in general and rogue nation states do not make a habit of following the law.

In a random survey of technology professionals with a combined 250+ years of experience, the following insight was gleaned.

1. The current approach to code reviews, walk-throughs, testing, validation and acceptance reviews of outsourced software development would be extremely unlikely to detect the existence of back doors, trap doors or any other type of exploit.

2. The detailed testing, code review and walk-throughs required for a high degree of confidence that no malicious code has been embedded within the application

Below are the major influencing factors that came up during the data collection discussion.

1. Organizations that outsource application development have little if any control or oversight of the personnel assigned to and working on the software development.

2. The size and complexity of current applications do not allow code reviews and analysis to a granular level that would ensure there are no back-doors or exploits.

3. The current state of automated testing and validation tools has very limited capabilities for detecting back-doors or exploits.

Below are some interesting facts and figures that were discovered during this analysis.

Fact: The software and services revenues of India are expected to hit $50 billion USD by the end of 2008.

Fact: The three most common offshore outsourcing functions are software development, software maintenance and help desk support.

Given the current cyber threat environment, extra security measures must be taken to protect the information infrastructure of the nation, our government and our corporations. Failure to take such measures and address this threat results in a huge risk and liability. According to Ed Maggio, Professor of Criminal Justice at the New York Institute of Technology and an Advisor to Spy-Ops, "Organizations can outsource the work, but they cannot outsource their liability to ensure the integrity of the software produced." Even with the added security testing and validation, you cannot be 100% sure the delivered software contains no malicious code.

So the only question that remains is: given the added cost of security testing and validation, coupled with the remaining risk of undetected malicious code, do you really save anything by using offshore outsourcing for software development? Finally, for the skeptics out there, to think that our enemies have not thought of, and may not have actually placed, covert assets in major development centers around the globe is short-sighted and endangers our national security and the economic health and prosperity of our country and businesses.

-- Kevin Coleman

Find the Cyberweapons Complex


Many countries have now assessed their vulnerability and overall risk of being the target of a cyber attack. Inside sources have leaked information to the media stating the heightened state of concern they now have after being briefed on the results of the vulnerability and risk assessments. These results have put pressure on the military and intelligence leaders to address the growing threat. Military and intelligence leaders around the world are struggling with the new reality of cyber warfare. While there are a few hot spots where conventional conflict might erupt, there is growing concern among this group about the new reality of cyber war.

One foreign intelligence analyst told me that "we face only a remote chance of a major conventional military threat involving his country through 2025." She went on to say, "Asymmetric capabilities like cyber warfare might threaten the security we have gained over the past two decades."

The cyber intelligence challenge for intelligence agencies manifests itself in the fundamental characteristics of cyber weapons. A cruise missile costs between $1 and $2 million and requires a large manufacturing facility and a substantial amount of infrastructure. A cyber weapon, on the other hand, costs anywhere from a few hundred dollars to $50,000 and requires next to no infrastructure. The only infrastructure is a computer and an Internet connection. A cyber weapons manufacturing facility can be located in a single-family home.

The challenge for the intelligence community is significant, perhaps even the greatest challenge in its history. While cyber intelligence is rather new, there are some information sources in this area that are actively being used to collect information about attacks that have taken or are taking place, as well as those that are planned. Intelligence agencies are often unable to share information they have about planned or current cyber attacks against companies. This is primarily due to the very real possibility that the disclosure would or could jeopardize the source of the intelligence. Many argue: what good is the intelligence if we do not use it? This is a very sticky situation that must be evaluated on a case-by-case basis.

Cyber weapons proliferation requires all countries to rethink intelligence collection from the ground up. New sources of intelligence and data are required along with augmentation of our human intelligence sources if we are to reduce the risk of cyber attacks as well as a cyber war.

-- Kevin Coleman

Bring in the CPP


Multiple countries are now discussing the need to establish a comprehensive cyber protection program given the continued increase in the threat of cyber attacks and cyber warfare. The attack on Estonia and the more recent attack on Georgia are being viewed as the harbinger of what is to come. I was recently asked what might a comprehensive Cyber Protection Program (CPP) look like. So I thought I would put down my top ten areas that I think would be critical to include in a CPP.

1. Mandatory requirement to have up-to-date protection software on any device connecting to the Internet that includes:

  • a. Anti-Virus

  • b. Anti-Spyware

  • c. Anti-Malware

  • d. Anti-Adware

This software will automatically upload attack data to a central reporting center.

2. Mandatory isolating capability on every system with high processing capabilities and a firewall on every device connecting to the Internet with the following functionality.

  • a. Cannot be disabled other than for a few seconds

  • b. Has pre-configuration for mandatory protection

  • c. Automatically uploads attack data to a central reporting center

  • d. Automatic disconnection when massive outbound DDoS traffic from compromised computer systems is detected

3. Legislation mandating that software vendors comply with the following:

  • a. Report software vulnerabilities to the authorities within 24 hours of discovery

  • b. Minimum security testing requirements that must be met prior to release of any software program

4. Criminal laws specifically addressing the unique characteristics of cyber attacks, malicious code and system compromise, including language that addresses the threat of DDoS attacks.

5. Criminal laws specifically addressing the development and sale of cyber weapons.

6. Criminal and civil laws that address organizations that fail to immediately report cyber attacks or data breaches, including those that destroy evidence of cyber attacks, system compromise and data theft.

7. Establishment of a quasi government/business entity that coordinates defensive and protective capabilities of the information infrastructure. This would also include a cyber attack and threat alerting system.

8. Establishing an Intelligence Center that is charged with cyber intelligence collection, analysis, trend reporting as well as collaboration across the other intelligence agencies.

9. A federal cyber attack investigation unit that is the center of excellence and develops tools and techniques as well as works with all other agencies and law enforcement to dissect cyber attacks and malicious code and assist with investigations.

10. Implement within the federal cyber attack investigation unit a division that provides sufficient audit and control measures to ensure the laws are being followed. The private sector has already proven self governance is unreliable to ensure adherence to the protection necessary for cyber defense.

Now I know there will be many comments about "big brother" and "big government," but given what has taken place thus far, I am not sure we have any other choice. It is deeply concerning that 85 percent of organizations have admitted they have had systems and data breaches. A significantly smaller number have actually reported them in accordance with the 40 data breach notification laws that are currently in place.

An improperly protected computer or other device connected to the Internet is a cyber weapon waiting to be loaded and used.

-- Kevin Coleman

Iranian Cyber Warfare Threat Assessment


The Iranian military consists of the Army, Air Force, Navy, and a Revolutionary Guard force. Iran's total active duty armed forces number 513,000, while reserves add another 350,000. The army is divided into 3 army headquarters with 4 armored divisions and 7 infantry divisions, 1 airborne brigade, 1 Special Forces division and now 1 cyber division. Their budget equates to between $95 and $100 per capita. This figure is lower than that of other Persian Gulf nations, and lower as a percentage of gross national product than all other Gulf States except the United Arab Emirates.

Education is considered a top priority in the development plans of the country, and the authorities have endeavored to increase the primary education enrolment rate. In 2008 Iran had over 3.5 million students enrolled in universities. In the past two decades the education system and curricula have been reformed multiple times. The application of modern educational equipment and technologies, such as information and communication technologies, is developing considerably. The increased attention to higher education is producing the computer scientists and technology engineers necessary to have an advanced cyber weapons program.

Iran's Software Capability

Iran has the capacity to meet the large domestic demand for software and at the same time to become internationally competitive. The software sector itself, although strong in some areas, is not internationally competitive. The Iranian High Council of Informatics has categorized 543 informatics companies, and the software sector output is around $50 million although, once again, statistics are educated guesses rather than based on hard statistical evidence.

Iran's Asymmetric Capabilities

Iran has significant asymmetric warfare capabilities and poses an additional threat of proliferation. Iran's economic growth last year surpassed 7%. The expansion of their economy is funding research, development and acquisition of strategic military capabilities. They are intensely focused on developing their other means of military and asymmetrical weapons and tactics. Iran's military buildup poses direct threats to U.S. interests. It is believed that Iran has fairly advanced cyber-warfare weapons and offensive plans that include cyber attacks against specific government web sites and infrastructure. Iran's cyber ambitions are far-reaching and troubling. The following section represents an estimation of Iran's cyber warfare capabilities.

Estimated Cyber Capabilities

Iran Islamic Revolution Guards Corps (IRGC)

  • Military Budget: $11.5 Billion USD

  • Global Rating in Cyber Capabilities: Top 5

  • Cyber Warfare Budget: $76 Million USD

  • Offensive Cyber Capabilities: 4.0 (1 = Low, 3 = Moderate and 5 = Significant)

Cyber Weapons Arsenal (In Order of Threat)

  1. Electromagnetic pulse weapons (non-nuclear)

  2. Compromised counterfeit computer software

  3. Wireless data communications jammers

  4. Computer viruses and worms

  5. Cyber data collection exploits

  6. Computer and networks reconnaissance tools

  7. Embedded Trojan time bombs (suspected)

Cyber Weapons Capabilities Rating: Moderate to Advanced

Cyber Force Size: 2,400

  • Reserves and Militia: Reserves estimated at 1,200

  • Broadband Connections: Less than 100,000

  • Hacker Community: Hackers have demonstrated their capabilities by successfully attacking numerous Israeli Web sites and others. Cyber activists are common in Iran and very active.

Many world leaders, U.S. President Bush among them, have publicly vowed never to "tolerate" a nuclear Iran. The question now is: what about a cyber Iran?

-- Kevin Coleman

Where will you be when the lights go out?


Nearly eight months ago the Defense Tech contributors from Technolytics and Spy-Ops covered a CIA presentation that disclosed to 300 U.S. and foreign government officials, engineers and security managers from the critical infrastructure sectors (gas, oil and electricity asset owners) that the agency had intelligence, from multiple regions outside the United States, of cyber intrusions into utilities followed by extortion demands.

On the heels of this announcement, the Federal Energy Regulatory Commission (FERC) approved a final set of security standards designed to protect the United States electric grid against a cyber attack.

The eight security standards include:

1. Critical cyber asset identification
2. Security management controls
3. Personnel and training
4. Electronic security perimeters
5. Physical security of critical cyber assets
6. System security management
7. Incident reporting and response planning
8. Recovery plans for critical cyber assets

Back in May the Government Accountability Office's assessment and report found that the Tennessee Valley Authority is vulnerable to cyber attacks that could sabotage critical systems. TVA is the nation's largest public power company, providing electricity to 159 local distributors that serve 8.8 million people and 650,000 businesses and industries in a seven-state area. The 62-page report cited as one reason for concern that TVA had not consistently implemented significant elements of its information security program. The report was requested by a House Homeland Security panel on cyber security.

The potential for cyber security attacks on our nation's electric power grid has spurred politicians to consider legislation to broaden federal authority over electric companies. The steadily increasing risks have caused Congress to consult with federal agencies and industry associations on how to craft such legislation. Just recently, legislators sought further input at a hearing before the House Energy and Commerce's subcommittee on energy and air quality.

It has been eight months since this risk was openly disclosed to the public, along with evidence that cyber attacks caused power outages in at least three countries. One would think that something as critical as the security and integrity of the power grid would receive much more expedient attention. It is only a matter of time until a successful cyber attack on our infrastructure occurs, and time is running out. With every tick of the clock we get that much closer to a significant cyber attack incident.

-- Kevin Coleman

Cyber Soldier of Fortune


Private organizations and for that matter individuals that provide military-style security have been in existence for thousands of years. Their origins can be traced back to the medieval times. Many refer to the individuals who make up these groups as Soldiers of Fortune. A Soldier of Fortune is a person hired to fight for a cause in a country other than their own. Many times they are referred to as mercenaries, but that term carries negative connotations. These professional soldiers go where conflicts break out and where their skills are needed. Now Cyber Soldiers of Fortune are beginning to appear as are cyber arms dealers.

We have entered a new age of conflict. The new era of conflict is one that does not operate in the physical world and is not defined by physical boundaries. Cyber warfare, conflicts and attacks are now a reality, and a reality that every nation in the world must address. Given that this type of warfare is relatively new, there is a severe shortage of resources. The three hottest emerging positions are cyber conflict resolution specialists (CCRS), cyber operational support technicians (COST) and cyber espionage operatives (CEO). CCRS create cyber attack strategies and plans and direct offensive strategies against specific targets. The COST provides the hands-on development, customization and deployment of cyber weapons as directed by the commanding CCRS. The third hot resource, the CEO, is the spy.

More and more attention is being given to cyber attacks. They have become an all too frequent topic in the media today. Metrics collected by Spy-Ops clearly indicate the rapid growth in coverage of these incidents. The chart to the right tracks cyber threat awareness. As the number and significance of incidents increase, media coverage and threat awareness increase. The spike that occurred in April is sure to increase the demand for these resources. Patty Luther, a security recruiting specialist, said, “There is an ever increasing demand for highly skilled cyber security resources. When you add the demand for Cyber Soldiers of Fortune, resources are in short supply.” It's no secret that there are fewer students majoring in computer science today. The Computing Research Association's statistics show that the number of freshmen who list computer science as a probable major has fallen by 70 percent since 2000.

New national data shows that what has been a traumatic decade for computer science departments is finally starting to turn around. For the first time since 2000, the number of newly declared undergraduate majors at doctoral-granting computer science departments is now on the increase.

As the cyber warfare threat environment continues to evolve, new opportunities will be created. This threat is in its infancy and will continue to grow for the foreseeable future. While Cyber Soldiers of Fortune are a new entity now, they will soon become old news and commonplace. In the past two months I have received emails and phone messages asking if I would be interested in joining or leading a cyber militia. This is a very dangerous proposition. It is difficult to determine who really is in control of these organizations and how the cyber capabilities of the militia would be used. I would urge any of our readers here to resist the temptation to join or support such groups.

-- Kevin Coleman

Protecting the Information Infrastructure of the United States


The security of the United States depends on secure, reliable and resilient information systems. In light of this need the national security community came together to address traditional and emerging information security issues. Increasing security in cyber space is a very complex undertaking. Cyber security cuts across so many lines in the executive branch of government it creates a maze that is difficult to navigate. When you look at responding to and investigating cyber attacks, the Department of Homeland Security oversees protection of government networks.

What we need is a holistic approach that focuses on securing the physical and information infrastructure that is critical for our nation to function. In order for this to happen the government must form a tighter relationship with the private sector. This is primarily due to the fact that most of the Internet's infrastructure is owned and operated by private business. This is not a new issue. For nearly a decade now, the government has called for greater cooperation between the public and private sectors on this issue. So far the response from the private sector has been a cold shoulder. Increasing security around our information infrastructure to the level now required, given the threats of cyber war and organized criminal activity, requires a huge and ambitious initiative. Cyber security has to become a top issue for the 44th president of the United States. Both candidates have had very little to say about cyber security thus far. This month, the McCain campaign released a document that outlines his technology policy vision. A review of the document yielded very little insight into the issue of cyber security. In fact, it was barely mentioned. Obama's position is not much different. That being said, Obama has stated his intention to create a new White House position of Federal Chief Technology Officer.

It is clear that the next president must focus on achieving our strategic security policy and doctrine as they relate to the issue of cyber crime, attacks and cyber warfare. Real-time security management, threat response and situational awareness activities coupled with fortification of the information infrastructure are critical capabilities to ensure that our information communications capabilities are not disrupted and continue to function under a seemingly endless variety of adverse conditions. The threats against our information assets in the public and private sectors have risen to a level that the risks now demand the immediate attention by the White House.

-- Kevin Coleman

NORTHCOM's Comments on Cyber Threats Analyzed


On April 17, 2002, DoD executives established U.S. Northern Command (NORTHCOM) as part of the changes brought about by the Unified Command Plan. NORTHCOM is responsible for homeland defense, and its commander also heads the North American Aerospace Defense Command (NORAD), a U.S.-Canada command. Last week I heard NORTHCOM's Commander -- General Victor Renuart's -- address at the Atlantic Council meeting. In his remarks and in the questions that followed he addressed the threat of cyber attacks.

The most important point of his remarks came when he stated that the United States must move in "anticipation of the threat" rather than reacting to cyber attacks as we are today. Secondly, he acknowledged how difficult it is to determine whether an attack on a nation's cyber infrastructure is an act of war. He went on to say: "We have not yet defined what that [an act of cyber war] is," and he noted, "That's a policy decision that has to be made."

This clearly articulated the need to develop a "Cyber Warfare Doctrine" that is used beyond the United States and agreed upon by the United Nations and NATO. Earlier this year I authored such a doctrine and was able to publish a redacted summary version in issue #56 of International Intelligence Magazine. An extended summary with sensitive security information can be viewed here.

As efforts continue to pull together all the pieces of President Bush's classified cyber security program, (now estimated at $30 billion) the greatest challenges may be the multi-nation approach and the fact that the U.S. government and the high tech industry have to work together to address this growing threat. The tenets for cyber warfare must be developed and integrated into a flexible framework for decision making about this new method of warfare that military leaders have called the most significant threat of the 21st century.

-- Kevin Coleman

Defining the Cyber Battlespace


The physical world battle-space is well known and the parameters defined. Similarly an act of aggression or act of war in the physical sense is just as well defined and accepted. That is not the case when it comes to the cyber battlespace. Federal officials, military leaders, policy scholars and security experts are all looking at this issue and struggling to answer the question -- what constitutes an act of cyber war?

Back in 1994 I was asked to define cyber warfare and cyber terrorism. My response happened to end up in the U.S. Army Cyber Operations and Cyber Terrorism Handbook 1.02. Here is what I wrote.

Cyber Warfare & Terrorism is defined as the premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives, or to intimidate any person in furtherance of such objectives.

With that in mind we used real world events from the recent Georgian conflict to frame this issue and get your opinion.

The Georgian government relocated their President's website to a server on U.S. soil (in Atlanta, Georgia) connected to the U.S. Internet backbone. Would an attack on the Georgian President's web site (hosted within the U.S.) be considered an act of aggression against the United States and ultimately an act of cyber war?

Yes -- one point of view, supported by the fact that the attack is against components of the Internet infrastructure owned by a U.S. company and located on U.S. soil.

No -- the other point of view, supported by the fact that the attack is against a web site that represents an individual leader of a foreign government.

This is a great opportunity for you the reader to voice your opinion and possibly even influence policy makers in Washington. I would encourage the full review of openly available information that may help you formulate your answer.

-- Kevin Coleman

Inside the Cyber Command Turf Battle


The Associated Press, which obtained a memo on the subject, reported this week that the Pentagon has delayed and may even kill the Air Force's planned Cyberspace Command. Why exactly is up for speculation, but according to one insider who absolutely did not want to be identified, "It's a dollar grab."

The insider went on to say that "with an estimated $30 billion being spent on cyber capabilities, who can blame them?"

As I tally it, the Army, Air Force, CIA, NSA, DIA, DHS, StratCom and two unidentified black-ops units have already begun developing cyber warfare capabilities. Anyone with an ounce of sense would not want to get in the middle of that group! The Pentagon has to be thinking it would be better to have one unified cyber command rather than all these disparate efforts.

Cyber warfare is a highly desirable command area -- it is new, it's exciting, it's a real threat and arguably the hottest topic in military circles. Multiple security experts, including myself, have warned that significant and very special resources and expertise are required to execute the core elements of the Bush administration's cyber security plan.

Earlier this year I wrote an article titled "The Department of Cyber Defense" that was published by International Intelligence Magazine. It looked at this exact issue. The article was based on rumors back then that the Executive Branch was considering establishing a new department and cabinet level appointment responsible for our country's cyber offensive and defensive capabilities. By establishing a new department and cabinet level position, one entity can focus on developing cyber warfare technologies needed to support both defense and civilian agencies.

Remember we even created a new patch for the organization.

Richard Clarke has warned how significant a threat cyber attacks pose to the United States and our allies. Turf battles and infighting are slowing the United States' efforts to mitigate this threat and develop the necessary offensive cyber warfare capabilities. We cannot and should not tolerate the inaction and lack of progress this squabbling is causing.

-- Kevin Coleman

Cyber War 2.0 -- Russia v. Georgia


The second real cyber war has broken out. On August 8th, Russian troops crossed into South Ossetia vowing to defend what they called "Russian compatriots". As this was taking place, a multi-faceted cyber attack began against the Georgian infrastructure and key government web sites. The attack modalities included: defacing of web sites (hacktivism), web-based psychological operations (Psy-Ops), a fierce propaganda campaign and, of course, Distributed Denial of Service attacks (DDoS).

Shortly after noon east coast time in the United States, CNN's Wolf Blitzer attempted to interview Georgian President Mikhail Saakashvili by phone on his live news program. The first attempt was unsuccessful; the second attempt, about ten minutes later, connected successfully to President Saakashvili. President Saakashvili immediately apologized for the missed connection earlier, blaming the problem on a "cyber attack" against the Georgian VoIP phone system. Another casualty of the cyber attack was the Georgian Ministry of Foreign Affairs (MFA) website. At one point in time the MFA's web site had an image of Adolf Hitler beside the image of President Saakashvili.

At one point, multiple government websites were down or inaccessible for hours. This led the Georgian Government to make perhaps the most strategic move to date in cyber warfare: it relocated President Mikhail Saakashvili's web site to a web site hosting service in Atlanta, Georgia in the United States. The strategic thinking surrounding this move was twofold. First, the Russian cyber attackers would surely think twice about attacking a web site hosted on servers located in the United States. Secondly, if the Russian cyber attackers were to go after the President's web site hosted on U.S. soil, that action might bring the United States into the conflict.
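The post describes the DDoS component of the attack only by its effect (sites down for hours). As an added example, not from the post and not from any Georgian or Estonian source, the detector below shows how a defender would recognise that pattern in web server logs: it slides a time window over constructed access-log lines (the addresses and timestamps are made up; no real traffic was used) and raises one alert per flood episode, labelling it "distributed" when the requests come from many addresses and "single-source" when one address alone is responsible, since the two call for different mitigations (upstream filtering versus rate-limiting one client). The window size, request threshold and source threshold are assumed values, not anything the post states.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined"-style access-log line: source IP, timestamp, request.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def detect_floods(lines, window_seconds=10, rate_threshold=50, min_sources=20):
    """Slide a time window over the log and raise one alert per flood episode.

    An episode starts when the window holds at least `rate_threshold` requests.
    It is labelled "distributed" when those requests come from at least
    `min_sources` addresses (the DDoS pattern) and "single-source" otherwise
    (a burst that rate-limiting one client would handle). Thresholds are
    assumed example values, not tuned for any real site.
    """
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[1])
    window = deque()          # (ip, ts) pairs inside the current window
    per_source = Counter()    # request count per ip inside the window
    alerts = []
    in_flood = False
    for ip, ts, _ in events:
        window.append((ip, ts))
        per_source[ip] += 1
        cutoff = ts - timedelta(seconds=window_seconds)
        while window and window[0][1] < cutoff:   # age out old requests
            old_ip, _ = window.popleft()
            per_source[old_ip] -= 1
            if per_source[old_ip] == 0:
                del per_source[old_ip]
        flooding = len(window) >= rate_threshold
        if flooding and not in_flood:             # alert once per episode
            alerts.append({
                "at": ts,
                "requests": len(window),
                "sources": len(per_source),
                "kind": "distributed" if len(per_source) >= min_sources else "single-source",
            })
        in_flood = flooding
    return alerts


def make_sample_log():
    """Constructed sample (not captured data): 60 s of quiet traffic from three
    addresses, a 5 s flood from 40 addresses, then a burst from one address."""
    t0 = datetime(2008, 8, 9, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, ts):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512'

    quiet = [line(f"192.0.2.{1 + i % 3}", t0 + timedelta(seconds=2 * i))
             for i in range(30)]
    flood = [line(f"203.0.113.{1 + i % 40}", t0 + timedelta(seconds=60, milliseconds=25 * i))
             for i in range(200)]
    burst = [line("198.51.100.7", t0 + timedelta(seconds=120, milliseconds=50 * i))
             for i in range(80)]
    return quiet + flood + burst


if __name__ == "__main__":
    for a in detect_floods(make_sample_log()):
        print(f'{a["at"].isoformat()} {a["kind"]}: '
              f'{a["requests"]} requests from {a["sources"]} sources')
```

Run against the constructed log it reports two episodes: the 40-address flood as "distributed" and the later single-address burst as "single-source". On real logs the thresholds must be set from the site's own baseline, and the source count is only a hint, since forged or proxied addresses can inflate it.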

I was told by a Georgian insider that "We were not prepared for the use of computer weapons against our communications infrastructure." Other sources in the Estonian military also told me that they had offered their assistance to the Georgian Government early on in the cyber attack. One of those sources said that they (Estonia) had gained valuable knowledge from the forensic analysis of the cyber artifacts left behind after they were attacked in April/May of 2007.

I used SBIA and TIE techniques to analyze the cyber attack against Georgia. Based on all open source intelligence, the analysis of the cyber attack on Georgia produced the following ratings [on a scale of 1-5 with 5 being high].

Scale of the attack = 3.3
Complexity of the attack = 3.1
Impact of the attack = 3.5

No longer can we ignore cyber weapons. This is the second minor cyber war that has broken out in the last two years. "Security experts and military leaders have been warning of the potential use of cyber weapons against government and civilian targets both as a stand-alone threat and coordinated military tactical modality," said Brian from Spy-Ops. Cyber attacks and warfare have entered the arsenal of modern warfare. Where and when the next attack will be launched is anyone's guess. The only thing for sure is there will be more.

-- Kevin Coleman

Russia takes the fight to cyberspace

Hack attack --

The Georgian embassy in the U.K. has accused forces within Russia of launching a coordinated cyberattack against Georgian Web sites, to coincide with military operations in the breakaway region of South Ossetia.

Speaking to ZDNet UK on Monday, a Georgian embassy spokesperson said that Web sites had been unavailable over the weekend, claiming this was due to Russian denial-of-service attacks.

"All Georgian Web sites have been blocked," said the spokesperson. "Georgia is working on redirecting Web traffic."

Looks like Google's blogspot is picking up the slack.

Georgia's military isn't exactly net-centric, so it's looking like these attacks are more public-relations related than military. Both Georgia and Russia have been furiously conducting PR ops, spinning the conflict to make it seem like the other guy's fault. World opinion tends to gravitate towards the underdog, so neutralizing Georgia's most convenient and easily accessible communications medium might be Ivan's way of evening the playing field.

Then again, it might be a couple of Russian teenagers trying to do their part...



--John Noonan

The Importance of Cyber Fusion Centers


Fusion Centers have been fairly successful since their inception back in the 1980s. The FC is a critical node in the collection and processing of intelligence from various sources. The actual operations of these centers are somewhat cloaked in secrecy. For that reason, fusion centers are somewhat controversial and mysterious. A fusion center is a physical location for interagency collaboration and intelligence synthesis based on disparate pieces of information obtained by one of the numerous agencies participating in the center.

Naturally, technology is a critical component, but the human assets from the various agencies, departments, industries and businesses are the critical linchpin. The cyber threat fusion center will require all 15 members of the U.S. intelligence community plus many others. In total, about 25 entities from the government and representatives from six industries, as well as part-time contributions from up to 100 specifically identified businesses, would make up the participants in the cyber threat fusion center.

Feeding the center with the latest cyber threat analysis is a critical aspect of pulling together a big picture of the threat environment. All Source Intelligence (ASI) is defined as a collection of intelligence products and/or organizations and/or activities that incorporate all sources of information, including, most frequently, human intelligence, imagery intelligence, measurement and signature intelligence, signals intelligence, and open source data, in the production of finished intelligence. This is the organized collection and linking of intel from multiple sources in multiple forms about a specific subject matter under analysis. This is not an easy task. "Too much information can be just as big a problem as too little," says Spy-Ops. "We use scenario-based intelligence analysis (SBIA) coupled with trans-disciplinary intelligence engineering (TIE) to fuse the all source intelligence. By combining these two techniques we are able to capture the context with which the intelligence was collected and that directly impacts the resulting knowledge we extrapolate."

Over the past few years, the experience and results gained from using these techniques warrant creating a fusion center to specifically address cyber threats. The Cyber Threat Fusion Center (CTFC) would bring together the various entities within the defense department, groups within Homeland Security and industry expertise, as well as facilitate bi-directional threat intelligence sharing with the business community.

While I have only participated twice in FC operations, both were an eye opening experience and the results were significant. Could the same results have been achieved without the use of a fusion center -- yes. However, the question is how much more time would have been required to come to the same conclusion. The difficulty will be getting all the parties to openly share the information they have. All too often the parties needed to participate in the fusion center see themselves in competition with each other. Given the severity of the threat against our nation's information infrastructure, establishing this center is time critical. When the massive intelligence community from the government is tightly coupled to and collaborates with the front line defense intelligence from the business community, and both are supported by the high tech industry, the output of this center will surely provide valuable insight into defending against the growing threat of cyber attacks.

-- Kevin Coleman

What do you Think...?

Over the past several months, this blog has carried a number of posts on the efforts of the United States to prepare for and defend against a cyber attack or war. In addition, we have posted profiles of other nations and groups who are adversaries of the U.S. and are building cyber attack capabilities. In May, U.S. Strategic Command referenced one of our posts in its testimony before Congress. The hearing was about the security and economic situation as it relates to China.

All this is based on open source intelligence coupled with input from contacts throughout the global security and intelligence communities. Given the vast readership this blog has seen, we thought it prudent to assess your feelings on the state of readiness of the United States for a cyber conflict. You will be able to view the results as you vote.

-- Kevin Coleman

Where's That SECRET Laptop?


Has anyone seen our 747 laptops? That is the question the Ministry of Defense (MoD) is asking. On Friday July 18th, 2008 the British Defense Ministry acknowledged that since 2004 they have had 658 computers stolen. If that is not bad enough, MoD revealed that 89 laptops were lost since 2004.

What is worse is that previously only 347 laptops were thought to be gone since then. If you expand the timeframe to five years, the number grows to more than 830 laptops lost or stolen. Nine of those contained information classified as top secret or secret. To date, only 32 of the 747 laptops lost or stolen in the past four years have been recovered.

Has anyone seen my desktop? This is not a joke. Where is building security when people are walking out the door with desktop computers? It is not like they fit in your pocket! In the past ten years, 23 desktops had been stolen. It even gets better.

Has anyone seen my 121 USB memory sticks? That's right, 121 portable USB memory sticks (thumb drives) were lost or stolen in that same period of time. Of those, 26 were lost in 2008. But the picture gets a bit worse - three of the lost USB drives contained information said to be "secret" with 19 additional ones containing information said to be "restricted."

Has anyone seen my file folders? Did you know that top secret intelligence documents were recently left on a London train by a staff member of the Cabinet Office? In one instance a 46 page file that was "restricted" was taken from a car parked in a supermarket parking lot. This file outlined the army's procedures for responding to a terror attack. One report stated that it contained a list of the military's most important figures and their phone numbers as well as details of how SAS troops would be deployed.

Authorities are concerned that Britain's security may have been compromised. May have???? Duuuh - of course security was compromised. Security experts have stated that 90 per cent of stolen laptops are probably accessible within 10 minutes, and many of those with more sophisticated levels of encryption can still be accessed within three hours.

While encryption of all sensitive data was ordered back in January 2007, at least one computer was lost/stolen that contained personal information about 600,000 individuals that was not encrypted. Couple that to the loss of physical documents and one would have to ask who is responsible and take immediate action against those individuals. I wonder how big this problem is in the United States?

-- Kevin Coleman

China Threatens Olympic Cyber Attacks


Multiple sources have confirmed that China has openly threatened anyone who reuses or rebroadcasts the Beijing Olympics. Chinese officials publicly stated they will “punish” Internet Web sites, Re-broadcasters and other “new media” that replay the 2008 Olympic Games and related events without the authorization of state-run China Central Television.

Xu Chao, deputy director of the Copyright Management Division in the State Copyright Bureau said “during the Olympic Games, many unauthorized broadcasts will flood into the market. We should initiate an “attack” against broadcast piracy.” Xu went on to discuss some of their anti-piracy measures including a public hotline for reporting illegal broadcasting through the State Copyright Bureau website or by dialing the "12390" anti-piracy hotline to collaborate with the government. People involved will be rewarded for the reports once the report is found to be true.

The International Olympic Committee granted CCTV the new media broadcast rights for the summer games exclusively. We were unable to obtain their exact definition of “new media broadcast.” However, in a statement by the State Administration of Radio, Film and Television, the National Copyright Administration and the Ministry of Industry and Information Technology, they said Web sites and mobile platforms using Olympic broadcast signals without getting permission from the CCTV will be punished.

They went on to say that “Web sites may be shut down if they carry the events illegally.” Olympics coverage is big business. The 2008 Summer Games in Beijing will mark the arrival of streaming content as a viable alternative to the Olympics’ television broadcast. Online video streaming is attracting an increasing share of ad spending and many believe is the future of advertising. will offer 4,400 hours of on-demand streaming content plus 2,200 hours of live programming, making the Beijing Olympics the largest streaming media project to date. There is little doubt that carbon copies of the streamed media will be available from numerous sources on the web and in the physical world. So it appears China has a big challenge ahead.

Are they really threatening cyber attacks on public companies, private industry and individuals? That is the way one Cyber Security Expert we spoke to interpreted it. Only time will tell. What if a company in the United States, or any other country, is attacked? How will the government respond? One thing for sure, this is a sign of things to come.


The Olympics have become a very, very big business. Worldwide media rights to the 2008 Summer Olympics in Beijing sold for $1.7 billion, with NBC Universal paying $894 million for the U.S. media rights alone.

China Central Television (CCTV) said that “Web sites may be “shut down” if they carry the events illegally.” In addition, a Chinese Government spokesperson said “Any individual without authorization who uploads recorded Olympic events or pirated Olympics video broadcasting websites will face up to 100,000 RMB in penalties.”
The statement in its entirety can be found here.

-- Kevin Coleman

IC Sees Major Hole in Cyber Security


In the 2008 Annual Threat Assessment of the Intelligence Community for the Senate Armed Services Committee, the threat of cyber attacks was addressed for the first time. (This is the first time in the report available to the public.)

The intelligence community listed "the vulnerabilities of the US information infrastructure to increasing cyber attacks by foreign governments, nonstate actors and criminal elements" as the fourth major bullet of the fourth page of the opening in the forty-five page report. The report goes on to state that due to the significance of computer and telecommunications to our country's security defense and economy, threats to our IT infrastructure are an important focus of the Intelligence Community. Also stated were the trends seen over the past year, which included cyber exploitation activity that grew more sophisticated, more targeted, and more serious. Finally, DNI stated that the Intelligence Community expects these trends to continue in the coming year.

Most concerning was the following statement excerpted from the report.

"We assess that nations, including Russia and China, have the technical capabilities to target and disrupt elements of the US information infrastructure and for intelligence collection." Nation states and criminals target our government and private sector information networks to gain competitive advantage in the commercial sector. The report went on to state that terrorist groups, including al-Qaeda, HAMAS, and Hezbollah have expressed the desire to use cyber means to target the United States.

The information contained in the report represents the cumulative views of highly skilled professionals working on this critical issue. All the warning signs are there.

You may not have caught this, but the Intelligence Operations Center of Spy-Ops reported on June 18th that the Palestinian Islamist movement Islamic Jihad said it has a new division of its armed Al-Quds Brigades: a cyber war unit that claims it has hacked into the websites of several Israeli media outlets. I am not sure how I missed it, but when did terrorist organizations start making press releases?

It seems like everyone is beginning to get into cyber war capabilities. This now includes cyber arms dealers and organizations that lease attack capacity on their BotNets. Not to be left out, criminal elements continue to show growing sophistication in technical capability and targeting, and today operate a pervasive, mature, online service economy in illicit cyber capabilities and services available to anyone willing to pay. Cyber weapons can be purchased for as little as $300 and some have been reported to sell for $50,000.

-- Kevin Coleman

Covering Up Cyber Assaults


Cyber attacks from individuals, organized crime, extremist groups, terrorists as well as nation states pose a significant threat to the national security of the United States. While many believe that this is a government issue, closer analysis of the problem suggests otherwise. Any computer that is not properly protected can be compromised and used as a weapon against the system owner, businesses and our economy, the nation's infrastructure or in some rare cases our defenses. Personal, business and government systems are constantly under attack and the frequency and sophistication of the attacks is rapidly increasing.

The number of new computer system threats skyrocketed nearly 570 percent from those identified in 2006. According to one 2007 computer security study, the average annual loss reported by U.S. companies increased by nearly 210 percent to $350,424 (per occurrence) in 2007. The top three primary sources of loss were financial fraud, losses due to computer viruses and system penetration by outsiders. About 20 percent of the companies reporting security incidents said they have fallen victim to targeted malware attacks. Nearly 1.2 million different pieces of malware have been identified and reside in the malware repository. Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. The term is a combination of the words malicious and software. The expression is a general term used by computer professionals to mean a variety of forms of hostile, destructive, intrusive, or annoying software. The bad news is malware is just one of the many threats to computers, systems and networks.

A reader of the blog asked me "Why with all the U.S. technological expertise are we so vulnerable to these threats?" That is a great question. Considering a recent report suggested that around 90 percent of breaches could have been prevented, why are our computer systems so at risk?

After giving this a fair amount of thought I came to the following realization. It is our attitude! For some reason there is an abundance of "I know more than they do" types in information security. If that is not bad enough, the second most prominent attitude is "It can't happen here" followed closely by "I will address it when it happens to me."

Example 1 - A $13 billion publicly traded corporation has five full time staff assigned to information security. When I asked the Director how he spent his time, he said by far most of it was spent in the Human Resources Department and with corporate lawyers.

Example 2 - A systems design and development organization that services part of our nation's infrastructure was briefed on the issues and threats of cyber attack. Numerous examples were provided to that organization that showed their industry had already experienced cyber attacks. In addition, a high level overview of their operational procedures resulted in the identification of two critical vulnerabilities that exposed the systems to compromise. The organization addressed one of those issues and decided to take a wait and see approach to addressing the other.

Example 3 - A security consulting firm contacted me as an advisor. They were brought in to review security and recommend changes at a publicly traded company. During their work they discovered the company had been breached. They had found a "bot" attached to an Oracle database. The "bot" collected information about the manufacturing cost of the company's products. They approached the CIO with the facts and the Sarbanes-Oxley issues; he refused to communicate the issue to the senior executives and then cancelled their contract.

Well, we don't know more than all the hackers do. This is a highly dynamic threat environment that even the top security professionals say is "challenging." The "it can't happen here" attitude is insane. One veteran US Special Agent in cybercrime investigation publicly stated how companies do their best to cover up corporate espionage and insider theft. He went on to say he had seen entire corporate networks of over 100,000 systems completely compromised and hundreds of thousands of files exfiltrated and not disclosed. The fact is, if all system breaches were reported the security metrics would be much worse than the ones reported earlier here. So it not only can happen here, it probably already did and got covered up.

-- Kevin Coleman

Identifying the Cyber Attacker


Computers and networks have blurred the boundaries when you look at cyber warfare, cyber crime, and cyber terrorism. There is no doubt that future conflicts will involve cyber warfare between nations. Distinguishing between military, criminal and civilian attacks is tough and could create a dangerous problem in determining who is behind a cyber attack. It's very difficult to trace cyber attacks back to the responsible parties. It is rarely the case that the computer forensic analysis conducted as a result of a cyber attack yields enough hard evidence to meet the "beyond a reasonable doubt" standard we apply in criminal court actions.

There are millions of pieces of malicious code available today, along with a significant number of vulnerabilities that can be exploited by cyber soldiers, hackers and others who wish to compromise computers and networks. Websites now provide both novice and expert level computer attackers with the latest, up-to-date programs and support needed to plan, design, develop and initiate cyber attacks. In fact, these websites provide services to parties that are interested in hacking computer systems and networks.

When you use the Internet, you leave the equivalent of digital footprints, and attacks leave digital fingerprints as well as digital DNA. Every message a computer sends to a different computer travels in a series of hops from one router or server to another, leaving behind logs and addresses of the route. Even after the message is received, the record of its path of travel remains behind. There are also a number of ways attackers obscure their location and identity. Intelligence around cyber weapons development and cyber attacks is very limited. Of our vast intelligence gathering capabilities, only electronic intercepts and human intelligence can provide the primary sources for the intelligence that helps defend our nation against cyber attacks. The tools and technologies available to law enforcement and the Defense Department are not keeping pace with the rapid advances being made in the cyber weapons used by attackers. The current state of the practice and the available tools for tracking and tracing cyber attacks remain very primitive. The sophistication of advanced cyber attacks makes it close to impossible to trace them to their true source and to have hard evidence that would pass the court of public opinion. In addition, the technical nature of the investigation would make it difficult to effectively communicate to those serving on a jury. Advanced tools for tracing complex attacks are among the research topics currently under development by multiple organizations and agencies, but we need them now.

We have seen the harbingers of cyber warfare, and the image they present instills fear in our military and technical professionals. Dozens of nation states currently have highly sophisticated cyber attack capabilities and many others are in the process of developing cyber weapons of mass disruption. Advances are needed now to defend our systems against such attacks. Likewise, advanced tools, techniques and trained staff are needed now to conduct the investigations into the rash of cyber attacks we are experiencing. Finally, international laws and doctrine must rapidly be developed and implemented as part of our overall cyber defense activities.

-- Kevin Coleman

What Constitutes an Act of Cyber War?


Throughout history wars have been triggered by events. Being at war is a state or condition. To be legal, a war must be declared by a branch of the government entrusted by the Constitution with this power. In the Constitution of the United States, Article I provides Congress the power to declare war. War is defined as a contention by force; or the art of paralyzing the forces of an enemy. An act of war is typically defined as an aggressive act that constitutes a serious challenge or threat to national security; armed conflict, whether or not war has been declared, between two or more nations; or armed conflict between military forces of any origin. This frames the discussions around traditional war. In the physical sense it is easy to define such infractions: enemy troops crossing another country's border, military strikes by missiles or bombs; basically you know it when you see it. What constitutes a serious challenge and a threat to our national security in cyber space? That is much more difficult to define.

In the U.S. Army's Cyber Operations and Cyber Terrorism Handbook 1.02 I found the following reference to the definition of Cyber Warfare & Terrorism: "the premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or to further social, ideological, religious, political or similar objectives or to intimidate any person in furtherance of such objectives." This was an excerpt from an article I wrote back in 2003 when the issue of cyber war was in its infancy. While this frames acts of cyber war, in retrospect it does not address a measure of the disruptive acts or provide guidance to assess whether individual acts, or a collection of acts, rise to the level of an act of cyber war.

If a foreign government hacks a sensitive system of another government and accesses security and defense information, is that an act of cyber war? If so, that has already occurred. If a foreign government hacks a sensitive system of another government and places software on the system that collects data and sends it back, is that an act of war? If military personnel from a foreign government infiltrate another nation's networks or systems through the use of counterfeit hardware and monitor communications, is that an act of cyber war? All of these are certainly acts of espionage and have already taken place. The factor that will determine whether an act or acts of cyber attack rise to the level of an act of war rests in the magnitude of disruption that accompanies the acts. Adding to the complexity is the fact that much of the critical infrastructure that is a prime target for cyber attacks is owned or operated by the private sector, not the government. This infrastructure in some cases carries military communications and supports civilian emergency services as well as business and consumer services. An attack on the infrastructure impacts multiple segments. The question of what constitutes an act of cyber war remains unanswered.

Given that we are in relatively new territory, each individual attack must be examined and the forensic evidence weighed to determine the source of attack. Little physical evidence will ever exist that you can hold up and point to or take a picture of and say "they did this." Much debate is currently taking place over the legality of cyber warfare tactics and their use. Is a cyber attack on our networks and systems an act of war? Are acts of cyber espionage a violation of international law? It is better we investigate and answer these questions now rather than reacting to cyber events in the heat of the moment when they occur.

-- Kevin Coleman

A Big Pot of Money


Recently much attention is being given to the topic of cyber warfare, and rightfully so. Our computers and networks are under continuous attack from all over the world. The level of sophistication of these attacks and the quality of the code written to perform them have both risen significantly in the past year. Experts agree we have entered a new era of warfare and are transitioning from bombs and bullets to bits and bytes.

In January two classified presidential directives were signed related to defending the country against cyber attacks. At that time the price tag was estimated at $6 billion. In mid May the price tag was revised and believed to be $17 billion. Now, the price has risen again to be $30 billion. That is a big pot of money by anyone's standards. So the question is, where will this money be spent? Increasing cyber defense will require investment in Research and Development as well as in existing technology and services. The first and most critical activity will be to fortify current systems against known cyber threats.

Spending Allocation:

  • Hardware 18% $5.4 Billion USD

  • Software 25% $7.5 Billion USD

  • Consulting 29% $8.7 Billion USD

  • Services 24% $7.2 Billion USD

  • R&D 4% $1.2 Billion USD

The R&D efforts will focus on near term delivery of advanced defensive capabilities (like behavioral modeling) of software processes and transactions to evaluate if they pose a threat to the system. Additionally, advanced modeling capabilities are required for evolving defenses and investigative activities. Advanced modeling will be used to certify and authenticate chips, hardware and software as authentic and free of malicious code. One of the most promising capabilities centers on the development of a "Digital DNA" database repository. The ultimate goal of this work is the same as with current DNA forensics - to identify the perpetrators of the assault. Most cyber attacks leave behind forensic evidence that can be used to assess the capabilities of the attacker, understand the implications of the attack and create defensive measures to guard against this type of attack in the future. With all the attacks that have taken place, there is significant intelligence out there about the techniques, cyber weapons, and strategies that have been used in these cyber assaults. Analysis of this evidence can create Digital DNA, which could also help to identify the source of the malicious code and potentially lead to the attacker.

ASDF represents the four Digital DNA characteristic sets.
A = attributes, abilities, abstraction, architecture, assembly, adaptation
S = style, signatures, syntax, structure, source, specification, scope
D = demographics, delivery, development, discipline, data, design
F = functions, features, faults, formidability, fields, forms, factors

There are currently over a million pieces of malware. On average there are approximately 200 new computer viruses released monthly, so the raw cyber DNA materials are not in short supply. The potential use and value of the Digital DNA repository will increase with every single entry and the analysis of attacks. According to a source close to the Digital DNA project, the repository is currently in its infancy; it continues to grow and mature with the knowledge gained from each cyber attack. John Foley, CEO of Defcomm1 and former CEO of Vigilant Minds, a leading managed security services provider, said, "Much like the human genome project, Digital DNA will basically fingerprint the technical and human factors behind the malicious software and attacks." Security experts believe that Digital DNA type data is a critical component and required to fight cyber attacks and defend systems.

-- Kevin Coleman

How Do You Take Your COFEE?


A powerful set of tools specifically designed to circumvent security on computers running the Microsoft Windows operating systems was released by Microsoft to law enforcement and military intelligence staff in the U.S. and other countries in the summer of 2007.

The USB device was dubbed COFEE, which stands for Computer Online Forensic Evidence Extractor. COFEE is said to contain over 100 software programs that allow the holder to quickly discover passwords, decrypt files and folders, view recent Internet activity and a great deal more. One piece of functionality allows evidence to be gathered while the computer is still connected to the Internet or other network. All you have to do is plug COFEE into a USB port of a running computer and the data extraction begins with the click of a mouse. Some security professionals and privacy advocates are concerned that Microsoft has created a secret back door within Windows. This is a concern that Microsoft has denied.

Nearly 400 people from more than 80 agencies in 35 countries attended the conference where Microsoft provided training on this tool. COFEE seems to be an easy-to-use, automated computer forensic tool that can be used by investigators in the field. However, one has to wonder how fast one of these devices will find its way to the dark side and into the hands of criminals. I would bet that within hours of the initial distribution of this device, a bounty was established payable to the first person to deliver COFEE into the hands of the bad guys.

The attendees were shown how to use the device and other technologies that can help them fight cybercrime as well as help them investigate traditional crime with an online component. They were also instructed on topics that covered how to collect evidence from PDAs running Windows CE and how to gather evidence from Microsoft's online services and products like Hotmail and Windows.

Distribution: More than 2,000 law enforcement and intelligence officers in 15 countries, including Poland, the Philippines, Germany, New Zealand and the United States have received the device.

Development: COFEE is said to have been developed by a former Hong Kong police officer who now works for Microsoft.

Professional hackers and cyber weapons designers are smarter than you think. They have their own versions of COFEE and in all likelihood they are much better than the Microsoft tool. In fact, one professional hacker said, "If it works as good as other Microsoft applications - no one has anything to worry about." I bet they get the old "Blue Screen of Death" as well.

The risk of tools like this being used by criminals and our enemies is very real. So is the potential misuse of these capabilities and the threat it poses to privacy. That being said, given the current state of cyber crime, the threat of cyber terrorism and the looming risk of cyber war, the military, intelligence organizations and law enforcement need all the help they can get. As I have said many times before, one person's tool is another's weapon.

-- Kevin Coleman

Computer Hack Could Lead to JDAM Strike


It's just like blowing up a building, or is it?

Type up some nefarious code, hack into a government system and "boom" you bring down the whole network without even firing a shot, right?

Well that's not how the Air Force's cyber warriors see it. To them, dropping a "logic bomb" into a computer network is the same as launching a 2,000-pound JDAM from a B-2 bomber at 20,000 feet -- you've done the same kind of damage but with different means.

So take cover from incoming.

You can use standard combat terminology in cyber warfare as you can with traditional warfare, said Col. Tony Buntyn, vice commander of Air Force Cyber Command, during a June 3 interview with military bloggers.

"You can find, fix, target, and engage an enemy," he said. "A target could be a [computer] network ... or it could be physical, with a [geographical] location. But we need the capabilities, just like we have in kinetic warfare, to engage targets when necessary."

Cyber warfare -- the use of computers and digital code to penetrate information systems and damage or infiltrate a foreign network -- is becoming an increasingly critical capability to the U.S. military. Because of the ease of access to powerful hardware and the ubiquity of hacker software, more countries and non-state actors are getting into the game, Pentagon and government officials say.

Countries like China, Russia and North Korea have quietly entered the cyber-warfare arena, already scoring significant hits against U.S. and other government computer and communications networks.

To computer warriors like Buntyn and his fellow Airmen, sometimes your defense is only as good as your offense.

"It could be either a kinetic or non-kinetic effect you want to achieve. And we need the ability to provide either," Buntyn said.

But when and how to use either method is based on the kind of conflict you're in.

"It depends on our target; it depends on our rules of engagement -- are we conducting open warfare with an adversary?" Buntyn explained. "If that's the case, then we don't really need to be discreet about it. When we drop a JDAM and leave a big smoking hole, that's not very discreet."

"If I can [locate] it and I can take it out with a kinetic attack ... and it meets the rules of engagement, then that might be the preferred method."

That works if you're targeting terrorist nodes and communication relays during an open conflict. But what about malicious network infiltration originating from a country with whom the U.S. is not at war?

"If it's an [Internet]-based target that's accessible to us and we can take it out electronically, reliably, then that may be the preferred method," Buntyn added.

Though China has become "cyber-enemy-number-one" recently, with stories of DoD network hacking attacks and millions spent by the PLA on its computer warfare capabilities, the Air Force isn't looking too hard over its shoulder at the rising cyber power in the Pacific -- despite Pentagon warnings.

"In the past year, numerous computer networks around the world, including those owned by the U.S. Government, were subject to intrusions that appear to have originated within the PRC. These intrusions require many of the skills and capabilities that would also be required for computer network attack," according to this year's Pentagon report on Chinese military power. "Although it is unclear if these intrusions were conducted by or with the endorsement of the PLA or other elements of the PRC government, developing capabilities for cyber warfare is consistent with authoritative PLA writings on this subject."

But to Buntyn, the threat is more diffuse, accessible to all and is proliferating more than on a simple state-to-state basis.

"The entry into this warfighting domain is very cheap. A 12 year old with a laptop can spend a couple hours on the Internet and achieve a pretty good capability," he said. "It's not limited to nation states. There are plenty of criminal organizations that are out there just trying to make a buck and they're using the same offensive tools that a nation-state would use."

-- Christian

Hezbollah's Cyber Warfare Program


Last week, Homeland Security Secretary Michael Chertoff warned that the Hezbollah resistance movement is the greatest threat to US national security. Hezbollah is known or suspected to have been involved in numerous terror attacks against the U.S., Israel or other Western targets, including the 1983 suicide truck bombings in Beirut that killed 241 U.S. Marines at their barracks and 58 at the French military barracks. Intelligence officials in the U.S. and Britain believe Hezbollah cells may use their computer expertise and capabilities to launch cyber attacks.

A 2002 CIA report warned that a number of terrorist groups were beginning to plan attacks on western computer networks. The report went on to say that al-Qaeda and Hezbollah were becoming more adept at using the internet and computer technologies. More recent reports name Sunni extremists, Hezbollah and Aleph as groups believed to be developing cyber terrorism plans. For terrorist groups, cyber weapons are cheap, easy to acquire and difficult to detect or track, and they are quickly becoming a common weapon in their arsenal.

While Hezbollah's capabilities to launch such an attack are questionable, the intelligence communities in the U.S., Britain and Israel are taking the threat seriously. Why? Because Hezbollah showed its increasing technological sophistication and capabilities during its war with Israel back in 2006. Once Israel began bombing Hezbollah targets, intelligence sources say, the fighting spilled into cyber space. While intelligence analysts are convinced conventional terror remains Hezbollah's main strategy and weapon, some believe that it could activate sleeper cells in order to open a second front in cyber space. Intelligence sources know that terrorist groups including Hezbollah, the Abu Nidal Organization, and UBL's Al-Qaeda Organization are using computerized files, email, and encryption to support their operations.

Hezbollah Profile (AKA Hizbollah, Hizbu'llah)
Established: In the 1980s
Home Base: Lebanon, but it also has cells in North/South America, Asia, Europe and Africa.
Support: Iran and Syria provide substantial organizational, training and financing.
Orientation: Hezbollah is a radical Iranian-backed Lebanese Islamic Shiite group.
Funding: estimated at $60 million annually
Size: Hezbollah's core consists of several thousand militants and activists
Equipment: Hezbollah possesses up-to-date information technologies - broadband wireless networks and computers.
Cyber Capabilities: Global Rating in Cyber Capabilities -- Tied at Number 37

Hezbollah has been able to engage in fiber optic cable tapping, enabling data interception and the hijacking of Internet and communication connections.
Cyber Warfare Budget: $935,000 USD
Offensive Cyber Capabilities: 3.1 (1 = Low, 3 = Moderate and 5 = Significant)
Cyber Weapons Rating: Basic -- but developing intermediate capabilities
Ties: Hezbollah has close ties with Iran. Many believe that Hezbollah is a surrogate for the Iranian army
Fact: Hezbollah leader Hassan Nasrallah declared May 8, 2008 that the Shiite militant group's communications network is its most important weapon, and that the government's decision to target the network was tantamount to a declaration of war. In Hezbollah's view, its communications technology is just as essential for the group's survival as its missiles.

Hezbollah is on the U.S. State Department's list of terrorist organizations. The FBI says it now considers Hezbollah operatives more capable and robust than even Al Qaeda terrorists. With Hezbollah's interest in developing advanced cyber weapons, their capabilities will continue to increase. As we have seen, the proliferation of cyber weapons is rapidly expanding and is no longer limited to nation states and organized criminal groups. The cyber arms club now includes terrorist groups. Using new hacking techniques, taking advantage of security vulnerabilities and using simple, proven cyber attack methods, terrorists have the capability to attack us in ways not seen before. Key infrastructure systems that include utilities, banking, media/TV systems, telecommunications and air traffic control systems have already been compromised. No one knows if cyber terrorists created trap doors and left logic bombs allowing them to easily bypass security systems and disrupt our critical infrastructure in coordination with traditional-style attacks.

-- Kevin Coleman

Russia's Cyber Forces


Russia is well known for its military mentality. Remember the cold war? It has taken nearly a decade for the world to realize the true threat of cyber war. Today, the world is dependent on computers and networks much more than we were eight years ago when we experienced the NATO-Serbia cyber war. Russia opened the eyes of the world to the looming threat of cyber warfare after the Estonia incident. Just last week Russia's State Sponsored cyber forces opened up a new front in cyber war.

Reports indicate that Russian Cyber Forces unleashed a large-scale cyber attack on Radio Free Europe. In addition, there is some evidence of the use of BotNets in politically motivated distributed denial-of-service (DDoS) attacks. With all this demonstrated ability, should we be concerned? What are Russia's true cyber warfare ambitions? Russia's Cyber Warfare Doctrine is designed to be a force multiplier along with more traditional military actions, including WMD attacks. A "force multiplier" is a military term that describes a weapon or tactic that, when added to and employed along with other combat forces, significantly increases the combat potential of that force.

Like all offensive cyber strategies, it includes the capability to disrupt the information infrastructure of their enemies. This doctrine includes strategies that would disrupt financial markets, military and civilian communications capabilities as well as other parts of the enemy's critical infrastructure prior to the initiation of traditional military operations. It also addresses weakening the economy of their adversary to further decrease their ability to respond to the combined threat. Offensive cyber weapons receive great attention in the Russian Cyber Warfare Doctrine. This, coupled with advanced R&D, puts them on the leader board in cyber warfare.

Cyber attacks and cyber weapons are strategic arms and in effect are real offensive weapons. Cyber-attacks can harm or even paralyze a country and therefore have equivalent implications as that of physical military attacks. Most cyber attacks leave behind forensic evidence that can be used to assess the capabilities of the attacker. With all the attacks attributed to Russia, there has to be significant intelligence out there about techniques, cyber weapons, and strategies that have been used in these cyber assaults. An interesting point is that NATO's Defensive Treaty drawn up in 1949 does not deal with cyber weapons as the Internet did not yet exist and there were very few computers at the time.

Once again, warfare capabilities have outpaced our legal and political systems. Former Russian President Vladimir Putin has blasted the US for its militaristic approach to foreign policy, saying its actions were "nourishing an arms race." Need some more evidence? In 1998, Russia's defense budget was less than $3 billion. Since that time, the Russian defense budget has been soaring, funded by substantial increases in their petroleum income; the budget jumped 23 percent in 2007 to $32.4 billion.

An interesting point to keep in mind is that Moscow does the arms business with over 70 countries, including China, Iran, and Venezuela, and in 2006 exported $6 billion worth of arms. Russian intelligence services have a history of employing hackers against the United States. In 1985 the KGB hired Markus Hess, an East German hacker, to attack U.S. defense agencies in the infamous case of the “Cuckoo's Egg”.

The following is an estimate of Russia's cyber capabilities.
Russia's 5th-Dimension Cyber Army:
Military Budget: $40 Billion USD
Global Rating in Cyber Capabilities: Tied at Number 4
Cyber Warfare Budget: $127 Million USD
Offensive Cyber Capabilities: 4.1 (1 = Low, 3 = Moderate and 5 = Significant)
Cyber Weapons Arsenal in Order of Threat:

  • Large, advanced BotNet for DDoS and espionage

  • Electromagnetic pulse weapons (non-nuclear)

  • Compromised counterfeit computer software

  • Advanced dynamic exploitation capabilities

  • Wireless data communications jammers

  • Cyber logic bombs

  • Computer viruses and worms

  • Cyber data collection exploits

  • Computer and network reconnaissance tools

  • Embedded Trojan time bombs (suspected)

Cyber Weapons Capabilities Rating: Advanced
Cyber Force Size: 7,300 +
Reserves and Militia: None
Broadband Connections: 23.8 Million +

Close ties with the Russian Business Network (RBN), which is thought to own and operate the second largest BotNet in the world. Intelligence suggests there are organized groups of hackers tied to the Federal Security Bureau (FSB).

The FSB is the internal counter intelligence agency of the Russian Federation and successor to the Soviet KGB. Russia is often overlooked as a significant player in the global software industry. Russia produces 200,000 scientific and technology graduates each year. This is as many as India, which has five times the population. This is hard to believe since their software industry can be traced back to the 1950s.

A study by the World Bank stated that more than one million people are involved in software research and development. Russia has the potential to become one of the largest IT markets in Europe. The Russian hacker attack on Estonia in 2007 rang the alarm bell. Nations around the world can no longer ignore the advanced threat that Russia's cyber warfare capabilities have today and the ones they aspire to have in the near future.

From this information, one can only conclude that Russia has advanced capabilities and the intent and technological capabilities necessary to carry out a cyber attack anywhere in the world at any time.

-- Kevin Coleman

Better late than never to the cyber arms race


The U.S. Air Force announced it plans to construct a large botnet. The term Botnet is jargon for a collection of software robots, referred to as bots, that take over and run autonomously or by remote control on infected computers. These bots present a serious security threat to the computer owner. Cyber militaries and hackers leverage the combined power of hundreds of thousands or even hundreds of millions of computers that have been compromised to pump out spam e-mail or disable targeted servers by overwhelming them with Internet traffic.

There are over 100 million computers that have been compromised and are now part of botnets. The largest botnet is thought to be owned and operated by the RBN -- Russian Business Network. They lease capacity of their botnet for spamming and other, more sinister purposes. The second largest botnet is owned and operated by the Chinese military. The estimated size of their botnet is put at 85 million and growing fast.

Military Applications

Espionage - collecting information from the network of computers that have been infected with the malicious code. Collecting keystroke information that contains log-ins, IDs and sensitive information or actually capturing screen shots of what the user is doing.

DDoS - the network of computers can be remotely commanded to start flooding a target system with transactions, overwhelming it until it shuts down.
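To make the DDoS mechanism above concrete from the defender's side, here is an added example (not from the original post) that runs a simple flood detector over constructed web-server log lines; the Apache common-log format is real, while the IP addresses, timestamps and thresholds are constructed assumptions. It shows why a per-source rate limit catches a single abusive client but not a botnet, whose load is spread so thinly across bots that only an aggregate view reveals it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "common log format" line, e.g.
#   203.0.113.7 - - [10/May/2008:12:00:03 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, unix_seconds), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), int(ts.timestamp())


def analyze(lines, window=10, per_source_limit=50, aggregate_limit=300, min_sources=20):
    """Bucket requests into fixed windows (seconds) and flag two flood patterns.

    The thresholds are illustrative assumptions; tune them to the site's baseline.
    """
    per_window = defaultdict(lambda: defaultdict(int))  # window_start -> ip -> hits
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the detector
        ip, t = parsed
        per_window[t - t % window][ip] += 1

    findings = []
    for start in sorted(per_window):
        hits = per_window[start]
        total = sum(hits.values())
        # Pattern 1: one abusive client. A per-IP rate limit is enough here.
        for ip, n in hits.items():
            if n > per_source_limit:
                findings.append({"window": start, "kind": "single-source",
                                 "ip": ip, "requests": n})
        # Pattern 2: botnet-style flood. Every bot stays under the per-IP
        # limit, so only aggregate volume plus source diversity reveals it.
        if (total > aggregate_limit and len(hits) >= min_sources
                and max(hits.values()) <= per_source_limit):
            findings.append({"window": start, "kind": "distributed",
                             "sources": len(hits), "requests": total})
    return findings


def make_sample_log():
    """Constructed traffic: quiet baseline, then one noisy client, then a botnet flood."""
    base = datetime(2008, 5, 10, 12, 0, 0, tzinfo=timezone.utc)
    lines = []

    def emit(ip, offset):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512')

    for i in range(5):                 # seconds 0-9: five clients, two hits each
        for k in range(2):
            emit(f"198.51.100.{i + 1}", k)
    for k in range(120):               # seconds 10-19: one client, 120 hits
        emit("203.0.113.9", 10 + k % 10)
    for bot in range(200):             # seconds 20-29: 200 bots, three hits each
        for k in range(3):
            emit(f"192.0.2.{bot + 1}", 20 + 3 * k)
    return lines


if __name__ == "__main__":
    for finding in analyze(make_sample_log()):
        print(finding)
```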

A bit late to the game, the U.S. Air Force has to rapidly construct its botnet. In the May edition of the Armed Forces Journal, Col. Charles Williamson III outlined the cyber warfare strategy being hashed out by the U.S. military. There are reports that the plan calls for using the public's computers to create this offensive cyber weapon. There is no question in the minds of many who are working in the cyber warfare field that the U.S. must create cyber weapons and that a botnet is just one of the many that need to be in our arsenal. But the devil is in the details!

-- Kevin Coleman

China's Cyber Forces


China is well known for its global cyber espionage efforts. And while the United States has received most of the media attention given to cyber attacks, we are not the only ones dealing with this issue. India is now pointing the finger at China, claiming they have systematically launched a series of attacks on sensitive information systems and networks of Indian agencies. India rapidly responded and now has cyber-security forces down to the division-level to guard against cyber wars. But is that really enough given China's stated ambitions?

China's Cyber Warfare Doctrine is designed to achieve global "electronic dominance" by 2050 which would include the capability of disruption of the information infrastructure of their enemies. This doctrine includes strategies that would disrupt financial markets, military and civilian communications capabilities as well as other parts of the enemy's critical infrastructure prior to the initiation of traditional military operations. With all the attacks that have been attributed to China, there has to be significant intelligence out there about techniques, cyber weapons and strategies that have been used in these cyber assaults. The proliferation of China's cyber capabilities will be the topic of a Congressional hearing in DC on May 20th. This hearing will examine "China's Proliferation Practices and the Development of its Cyber and Space Warfare Capabilities."
Military and intelligence sources have known that Chinese cyber forces have developed these detailed plans for cyber attacks against the United States and others. It is believed that the plans for such an attack were drawn under the direction of the People's Liberation Army (PLA).

China has a significant cyber weapons and intelligence infrastructure in place today. What is alarming is that not only do they have the intent, but they have the money. Beijing has the world's second or third largest defense budget, depending on where you look for the numbers. Their military budget has been on the rise at 10 percent or more a year for over a decade. This, as well as the attacks, is evidenced by their cyber operational ability to scan and acquire nodes for their growing botnet, as well as the continued sophisticated assaults on defense information systems in the US, Germany, UK and India. In addition, in April 2007, Sami Saydjari, who has worked on cyber defense systems for the Pentagon since the 1980s, told Congress: "The situation is grave, with nation-states such as China developing serious offensive capabilities."

Recent attacks on the United States and India have brought this threat to the forefront. While diplomatic efforts to address these attacks have been initiated, virtually no progress has been made, according to individuals close to the issue. The following information has been provided by Spy-Ops and represents their assessment of China's current cyber capabilities.

China People's Liberation Army (PLA)
Military Budget: $62 Billion USD
Global Rating in Cyber Capabilities: Number Two
Cyber Warfare Budget: $55 Million USD
Offensive Cyber Capabilities: 4.2 (1 = Low, 3 = Moderate and 5 = Significant)
Cyber Weapons Arsenal in Order of Threat:

  • Large, advanced BotNet for DDoS and espionage

  • Electromagnetic pulse weapons (non-nuclear)

  • Compromised counterfeit computer hardware

  • Compromised computer peripheral devices

  • Compromised counterfeit computer software

  • Zero-day exploitation development framework

  • Advanced dynamic exploitation capabilities

  • Wireless data communications jammers

  • Computer viruses and worms

  • Cyber data collection exploits

  • Computer and network reconnaissance tools

  • Embedded Trojan time bombs (suspected)

  • Compromised microprocessors & other chips (suspected)

Cyber Weapons Capabilities Rating: Advanced
Cyber Force Size: 10,000 +
Broadband Connections: More than 55 million
China's Hacker Community: Honker Union, Red Hackers Alliance (The 5th largest hacking organization in the world.)
China's Software Industry: In Q1 2007, the software industry reached RMB 96.7 billion, a year-on-year increase of 26.9%.
In Q1 2008, China recorded RMB 144.36 billion in software industry sales revenue, up sharply year-on-year.

From all this information one can only conclude that China has the intent and technological capabilities necessary to carry out a cyber attack anywhere in the world at any time. Nations around the world can no longer ignore the advanced threat that China's cyber warfare capabilities may have today and the ones they aspire to have in the near future. Just recently Belgian justice minister, Jo Vandeurzen, claimed that attacks against the Belgian Federal Government originated from China and are most likely sanctioned by Beijing. The Belgian minister of foreign affairs, Karel De Gucht, told their parliament that his ministry is the subject of cyber-espionage by Chinese cyber agents. This is just the tip of the iceberg. Spy-Ops believes that an estimated 140 countries will be working on their cyber weapons by the end of 2008 and that in the next five years we will see countries and extremist groups jockeying for cyber supremacy.

-- Kevin Coleman

Professional Cyber Arms Dealers


Software used for years by hackers and criminals has now become mainstream and, as we have mentioned before, hacking and cyber crime have been professionalized. As such, tool kits that enable these activities have been packaged for sale and wide dispersion across the Internet. These cyber attack tool kits make it possible to automate hacking, espionage, fraud, and much more. These top hacking tools are now being sold for prices ranging from less than $100 up to $50,000.

And you won’t believe this: The most advanced packages come with customer service/support. In at least one case the package includes 12 months of technical support and updates to ensure the kits stay up to date on the latest web vulnerabilities.

Arguably the most advanced hacker tool kit is MPack. According to Intelomics, MPack is a PHP-based malware kit with high-quality key-logging capabilities that sells for between $500 and $1,000 USD; the first version was released in December of 2006. It is believed to have been produced by RBN, a multi-faceted cybercrime organization, and appears to come with support and monthly updates.

RBN and their support units provide scripts and executables to make MPack undetectable by antivirus software. Every time MPack is generated it looks different to the anti-virus engines and it often goes undetected. The modularization of delivery platform and malicious instructions is a growing design in cyber weapons. MPack is very popular and powerful. In June 2007, it was used by a single person to attack and compromise over 10,000 websites in a single assault.

FACT: In 2007 a new piece of malware was identified every 45 seconds.

These tools have become commonplace and are quite affordable. Paul Henry, VP at Secure Computing, estimates there are currently about 68,000 cyber attack tools available for download and the number is growing fast. In some cases these tool kits are sold under the heading of "Penetration Testing Products," a legitimate and useful product category.

However, the automation that enables multi-site scanning and intrusion would have very little applicability in the real security testing world. Experts have estimated that the underground market for cyber attack tools is in the hundreds of millions of dollars worldwide.

Note: MPack should not be confused with mpack, which is a harmless command-line utility.

Common Cyber Weapons and Attack Tools: MPack, SQLNinja, Shark 2, WFuzz, Nuclear, ProxyStrike, WebAttacker, Wireshark, IcePack, httpRecon, John the Ripper, Exploit-Me, USB thief, Burp, Kismet, Metasploit


-- Kevin Coleman

Cyber-Holes in Your Software


New software vulnerabilities are announced all the time. In fact, according to the NIST database, last year a new software vulnerability was announced every 57 minutes.

A software vulnerability is defined as a flaw in a software program which may allow a third party or program to gain unauthorized access. Some experts say that over 70% of the nearly 7,000 vulnerabilities discovered last year were exploitable remotely. This remote capability makes them valuable assets for cyber attackers.

The ability to rapidly respond to and mitigate the risks posed by these vulnerabilities is one of the most important parts of computer and network security. Vendors rapidly respond to the reports of newly discovered vulnerabilities in their products. But wouldn't we all be better off if the vulnerabilities did not exist in the first place?

I consulted a 25-year veteran of the software industry who hails from one of the icons of the industry and posed the following question to him: Based on your experience, how often do software vendors investigate the root cause of reported vulnerabilities? He said, "They Don't -- they jump in and try to create a patch."

I followed up and asked: so you are saying they do not look to see if the vulnerability was purposefully programmed? After a significant pause he said, "We never considered that possibility, we only worked to respond to the vulnerability."

If that's not bad enough, think about the amount of software being developed offshore. Product liability exists in virtually every category except software. How would you react if every 57 minutes your car dealer called you and said there was a problem with your car? We have been conditioned to accept software products with these problems and have allowed organizations to protect themselves by hiding behind the armor of the "Software License."

If software vendors, whose products run our critical infrastructure, do not investigate if these vulnerabilities are actually acts of espionage, that would seem to be a critical flaw in our efforts to protect ourselves against cyber attack.

-- Kevin Coleman

Cover Your Computer Mics and WebCams


The NSA is not the only agency with advanced eavesdropping capabilities.

Cyber espionage is getting renewed attention as fresh evidence emerges of computer spying against corporations and government agencies here and abroad. Late last year MI5 warned British companies of Chinese espionage activities. Computer Security Professionals have stated there is growing evidence of attacks from China and other countries. Zhao Shangse, an official from the Chinese embassy in London, has denied the allegations. This is not new. Way back in 2001 when we were preparing for my congressional testimony and demonstration we considered hacking the computer and using the webcam and built-in PC microphone to look and listen in. We had to scrap that plan when we found out that we had to use a dial up modem to connect in the hearing room.

Now many more people have caught on to our tricks. Numerous news stories report the use of Trojans and Worms using webcams to spy on users. In one case it was college students spying on female students.

Other stories report that similar malicious code is in use by corporate and government spies alike. With the growth of VoIP this takes on a new and more significant risk. In November of 2007, Cisco Systems confirmed it is possible to eavesdrop on remote conversations using Cisco VoIP phones.

Multiple computer manufacturers have admitted that microphones attached to their workstations can be used to eavesdrop on conversations near the computer. I discussed cyber spying with the experts at Spy-Ops and they strongly recommended that microphones on systems in sensitive areas be either physically switched off or totally disconnected from the system. In addition, they told me that last year the global cost of industrial espionage topped $1.5 trillion.

-- Kevin Coleman

Your Credit Card Could be Funding Terrorism


It is hard to pick up a tech publication without finding a story about another security breach that has compromised credit card information. According to Identity Theft Resource Center there were 167 data breaches in the first three months of this year. At least 8.3 million records containing sensitive information were potentially compromised in the same time period.

One Recent Event: Data from 4 Million credit cards stolen. Recently, Hannaford announced what security experts call a sophisticated attack on their computer network that resulted in the theft of credit and debit card account information.

When we think of credit card data theft and fraud, we don't think about terrorism, but the two are indeed linked. Al Qaeda is a skilled practitioner at using the Internet for a multitude of reasons. According to FBI Director Robert Mueller, "The Internet has been used by the likes of Al Qaeda to recruit, to train, to communicate." The arrest of Al Qaeda's top cyber terrorist provided hard evidence of their use of stolen credit card data for funding. In one case, terrorist groups used the stolen credit card information to purchase $3 million of materials to carry out terrorist attacks. Al Qaeda's top cyber terrorist, 23-year-old Younes Tsouli (online name Irhaby007), recently admitted conspiring to defraud banks, credit card companies and charge card companies.

For additional information about terrorist cyber attack capabilities you may want to download this CRS Report to Congress titled: Terrorist Capabilities for Cyber Attack.

Overview and Policy Issues:

The game has changed! Information security as it relates to sensitive data, like credit card information, has now risen in importance because of the link to terrorist financing. Imagine the psychological impact if you were to find your credit card was used to finance a terrorist attack that resulted in the death of innocent civilians. Imagine the damage to a corporation's brand and the possible backlash from its customers. Significant improvement in all aspects of security is needed to cut off this funding source.

-- Kevin Coleman

Cyber-Sabotage in Counterfeit Hardware


Recent events have raised concerns about hidden backdoors and malicious code inside counterfeit hardware, all the way down to the integrated circuit level.

A 2005 report by the Pentagon's Defense Science Board addressed this issue. That report assessed the problem; recent events have now raised the anxiety over cyber sabotage in bogus hardware, and many consider compromised counterfeit hardware a strategic tactic in cyber warfare.

In January of 2008 a joint task force seized $78 million of counterfeit Cisco networking hardware. This international effort resulted in over 400 seizures of counterfeit networking hardware shipped between China, Canada and the United States. The cooperation between the Federal Bureau of Investigation (FBI), U.S. Immigration and Customs Enforcement (ICE), U.S. Customs and Border Protection (CBP) and the Royal Canadian Mounted Police (RCMP), supported by other agencies within the Department of Homeland Security (DHS), clearly shows the scale of the criminal efforts underway.

The investigation has been underway for the last two years and has produced significant results.

The Numbers:

  • 36 search warrants

  • 115 seizures by ICE

  • 373 seizures by RCMP

  • 74,000 total counterfeit components confiscated

While there has been no public disclosure of counterfeit-hardware sabotage or espionage against America by foreign countries or rogue groups, the threat is there. Supply-chain threats have moved into the spotlight, and many organizations are moving to address the risk of purchasing counterfeit computer equipment. Sources at Spy-Ops told me that they estimate counterfeit computer hardware will exceed $1.25 billion in 2008, and that current security measures such as holographic labels on integrated circuits and printed circuit boards are no longer adequate for identifying authentic equipment.

Michelle Kalnas, a supply-chain subject matter expert working with me on this issue, pointed out that refurbished computer equipment poses the same threat and is more difficult to control. She went on to say, "Close coordination between the security department and purchasing with external critical equipment vendors is necessary to resolve this issue. But at this time it is the exception, not the rule."

-- Kevin Coleman

DCD Logo


Our boy Kevin Coleman had some fun designing the seal of the new Department of Cyber Defense...

Have a happy and hacker free Easter!

-- Christian

Inside the Cyber Defense Group


The rumor is that there will be two or three new presidential directives that will put structure around cyber defense this month. These directives will become the fundamental constructs to operate the interagency group.

A presidential directive is a form of executive order issued by the President of the United States with the advice and consent (buy-in) of the National Security Council. When issued, a presidential directive has the full force and effect of law. One of the most notable families of directives is the Homeland Security Presidential Directives (HSPDs). HSPD-1 followed Executive Order 13228 and established the Homeland Security Council; the Department of Homeland Security (DHS) itself was created by the Homeland Security Act of 2002. There is little doubt that the new directives will be classified.

That being said, I thought I would post what I believe will be representative of the directives that should be put in place this week.

Directive #1: This directive will establish the entity charged with cyber defense. It is believed this order will define the make-up of the organization and establish eleven functional areas of operation (listing withheld for security reasons). It is believed that the organization will have defensive and intelligence-gathering responsibilities as they relate to cyber defense. Additionally, oversight and reporting requirements will be defined.

Directive #2: This directive will concentrate on offensive cyber capabilities. It is believed that the military will have responsibility for offensive cyber warfare and will be charged with extending current military doctrine covering information warfare, and with aligning and integrating these operations with the new organization.

Directive #3: This directive will concentrate on the private sector's responsibility for cyber security. It is widely accepted that unless businesses, particularly those that are part of our critical infrastructure, enhance their security in light of the growing threat of cyber attacks and cyber terrorism, the country will not be adequately protected. This directive will establish the coordination and integration of the private sector into the operational modalities of the new entity charged with cyber defense. It is also thought to include the establishment of minimum security standards for private sector organizations.

A large amount of funding is being budgeted for this effort. Inside sources believe the budget for the current year is $6 billion. You can be sure the competition for these funds is significant and there is a lot at stake. Hopefully everyone has learned from the establishment of the Department of Homeland Security and this will go much more smoothly.

-- Kevin Coleman

More Gov Agencies to Defend Cyberspace


We've sort of debated this a bit over the last few months, but I thought I'd forward you all a breaking news item that indicates the formation of a joint cyberdefense initiative for the U.S.

From today's Washington Post:

New Interagency Group to Oversee Cyberattack Defense -- By Brian Krebs

The Bush administration is planning to tap a Silicon Valley entrepreneur to head a new interagency group that will coordinate the government's efforts to protect its computer networks from organized cyberattacks.

Sources in the government contracting community said the White House is expected to announce as early as today the selection of Rod A. Beckstrom as a top-level adviser to be based in the Department of Homeland Security. Beckstrom is an author and entrepreneur best known for starting a company that provides collaboration software for businesses.

The new interagency group, which will coordinate information sharing about cyberattacks aimed at government networks, is being created as part of a government-wide "cyber initiative" spelled out in a national security directive that President Bush signed in January, according to the sources, who spoke on the condition of anonymity because they did not have permission to discuss the information.

The presidential directive expanded the intelligence community's role in monitoring Internet traffic to protect against a rising number of attacks on federal agencies' computer systems. According to the sources, the new group will gather information about cyberattacks and vulnerabilities from a wide range of federal agencies, including the FBI, the National Security Agency and the Defense Department. Beckstrom will report directly to Homeland Security Secretary Michael Chertoff.

-- Christian

Cyber Weapons and e-Bombs


Recently NATO's chief of cyber defense stated that cyber terrorism and cyber attack pose as great a threat to national security as a missile attack. Strong words for sure.

Most people do not equate cyber war with explosives, but that is short-sighted. Ever heard of TEDs or EPFCs? If you haven't, you are not alone. In a recent briefing of 85 people responsible for business continuity in a major U.S. city, no one had heard of either term.

TEDs and EPFCs are two weapons that create an EMP, an electromagnetic pulse similar to that of a nuclear explosion but less powerful, which destroys electronic circuitry. Both devices use conventional explosives to drive an armature through an electromagnetic field.

The resulting pulse from a van-sized device could destroy electronics in an area of up to a couple of city blocks.

  • TEDs – Transient electromagnetic devices

  • EPFCs – Explosively pumped flux compressors

  • Development Assessment Cost = Low, between $500 and $1,000

  • Design = Multiple websites carry fairly detailed design plans

  • Skill Set = Moderate: basic wiring and mechanical skills (high school shop class)

  • Detection = Low, because few special materials are needed to build a device; the only special material required is conventional explosives

  • Defense = Building data centers underground, metal shielding and utility isolation would be required to defend against such an attack. EMP weapons attack our computer and communications infrastructure. The development of TEDs and EPFCs makes an EMP attack much more likely, and these weapons pose a unique threat to our electronic society, national security and economy.

Can you imagine the stock market's reaction if one such device were detonated on Wall Street?

-- Kevin Coleman

Cyber Command Strategic Vision Released


Air Force Cyber Command's Strategic Vision spells out the command's operational scope and posture. Controlling cyberspace is key to national security; this was clearly articulated in the 2008 Annual Threat Assessment delivered by the Director of National Intelligence to the Senate Armed Services Committee last week. Major General William T. Lord heads the command, which is provisionally located at Barksdale Air Force Base. The command is slated to begin operations this fall and become fully operational in 2009.

Supremacy in cyberspace is critical across all strategic and operational domains. The new command is in the process of acquiring a suite of capabilities that will create flexible options for military and governmental decision makers. The capabilities sought by Cyber Command include, but are not limited to, the following:

The ability to deter adversaries
The ability to deny access and operations to adversaries
The ability to disrupt adversaries
The ability to deceive adversaries
The ability to dissuade adversaries
The ability to defeat adversaries

This will be accomplished through a variety of offensive and defensive, destructive and non-destructive, and lethal and non-lethal capabilities being developed and deployed within Cyber Command.

The cyber threat environment faced by the U.S. and our allies represents a new challenge. Cyber command has chosen a holistic approach to meeting this challenge that includes science and technology, research and development, systems acquisition, operations, education, training, and a new operational doctrine. The challenges of standing up a new command are daunting. When you compound those challenges with addressing the complexities of cyber warfare, they multiply and become huge.

The battle being fought by the Air Force is not limited to cyberspace. You may have seen the slick new commercials airing on television. This is an offensive move by the Air Force to try to secure the lead position in cyber warfare and defense. The Army and the National Security Agency are also vying for the top spot.

One insider believes that the NSA has already been given the nod. Well, at least unofficially. However, this battle rages on.

This is a critical time for the United States. Our nation, our society, our economy and our businesses are all heavily dependent on Internet connectivity. Failure is not an option, and the White House and Congress know it. We must address the threats coming from cyberspace. Earlier this year I wrote an article for Eye Spy magazine titled "The Department of Cyber Defense." I believe the best way to address this new threat is to create a new organization and staff it with a cross-functional team from NSA, DoD and DHS as well as the Army, Navy and Air Force. Using this approach, the country gets the best and brightest assembled from all these organizations and stands up a new entity without the baggage inherent in existing ones.

Completely new, a new hybrid, or assign the responsibility to an existing entity: what is your opinion?

-- Kevin Coleman

Intel Community Recognizes Cyber Threat


In the 2008 Annual Threat Assessment of the Intelligence Community for the Senate Armed Services Committee, the threat of cyber attacks was addressed for the first time (well, the first time in the version of the report available to the public). [EDITOR: The threat assessment was delivered by Director of National Intelligence Mike McConnell and Defense Intelligence Agency chief, Army Lt. Gen. Michael Maples, in testimony before the Senate Armed Services Committee Feb. 27]

The intelligence community listed "the vulnerabilities of the US information infrastructure to increasing cyber attacks by foreign governments, non-state actors and criminal elements" as the fourth major bullet on the fourth page of the forty-five-page testimony delivered to the Senate by DNI McConnell. The testimony goes on to state that because of the significance of computers and telecommunications to our country's security, defense and economy, threats to our IT infrastructure are an important focus of the Intelligence Community.

Also stated were the trends seen over the past year: cyber exploitation activity grew more sophisticated, more targeted and more serious. Finally, McConnell stated that the Intelligence Community expects these trends to continue in the coming year. Most concerning was the following statement, excerpted from the report:

"We assess that nations, including Russia and China, have the technical capabilities to target and disrupt elements of the US information infrastructure and for intelligence collection. Nation states and criminals target our government and private sector information networks to gain competitive advantage in the commercial sector." The report went on to state that terrorist groups, including al-Qaeda, HAMAS, and Hezbollah have expressed the desire to use cyber means to target the United States.

Criminal elements continue to show growing sophistication in technical capability and targeting, and today operate a pervasive, mature online service economy in illicit cyber capabilities and services available to anyone willing to pay.

The information contained in the testimony represents the cumulative views of highly skilled professionals working on this critical issue. All the warning signs are there.

The intelligence community has confirmed our fears. The "Cyber Arms Race" has begun.

-- Kevin Coleman

Analyzing the Threat of Cyber Attack


Did you know that the Bush administration is pushing to spend $6 billion on cyber security in 2008? (Wall Street Journal)

Would you like to know why? If so read the facts below.

Did you know that AL QAEDA'S top cyber terrorist used phishing schemes and other cyber attacks to steal credit card accounts and buy $3 million worth of terrorist equipment? (FBI)

Did you realize that in the past minute over 5,000 significant incidents were reported to (

Did you realize that the financial impact of computer viruses in 2005 was over $14 billion and continues to grow? (Computer Economics)

Did you know the busiest day of the week for vulnerability disclosures continued to be Tuesday with 1,361 new vulnerabilities disclosed on this day of the week in 2007? (IBM)

Did you know that nearly 90 percent of all the 2007 vulnerabilities could be remotely exploited? (IBM)

Did you know there was a new software vulnerability reported every 82 minutes? (CERT)

Did you know that Symantec recorded an average of 5,213 denial of service (DoS) attacks per day in the second half of 2006? (Symantec)

Did you know that in 2006, among the individuals who reported hard-dollar losses, the largest median losses were from Nigerian letter fraud ($5,100), followed by check fraud ($3,744) and other investment fraud ($2,695)? (Internet Crime Complaint Center)

Did you know that only about 1% of users follow corporate data and computer security policies? (Absolute Software Research Survey)

Did you know that 27% believe their company has experienced a data security breach? (Absolute Software Research Survey)

Did you know that so far this year there have been 44 reported corporate and governmental data breaches? That was about one per day when I collected this data. (Privacy Rights Clearinghouse)

Did you know that all three branches of the military have cyber warfare/information warfare units? Navy: Network Warfare Command; Air Force: Air Force Cyber Command; Army: TRADOC G2.

Did you know that in a two week period five cables were severed in various parts of the Mediterranean Sea, leading to large scale disruption of the Internet and telecom services in the Middle East and parts of Southeast Asia. Two of the five cables were cut in two different places. (Reuters)

Did you know that organized crime has used the Internet for criminal activity for some time? In the last two years there has been a huge increase in the sophistication of mob-based attacks, which has moved organized crime on the Internet from an irritation to a serious problem. (IT Security)

After reading the above, how could anyone dismiss the threats we face in cyberspace? Yet some do, and some here think I am overstating the threat. It has been my experience that one of the biggest security threats to an organization is the attitude of its Chief Security Officer. Most of the individuals I work with wake up every morning and ask themselves three questions.

1. What has happened that I don’t know about?
2. What do I need to know that I don’t?
3. Who are my new adversaries today?

The "I know everything" attitude of many of these individuals increases the risk of a successful attack significantly. I was in one such meeting in the DC area where the CSO actually stated, "I have it all under control," yet they had lost three laptops in about a year, none of the hard drives were encrypted, and they contained sensitive data.

Consider this point: if the information provided here is publicly available, what do you think the threat looks like to those of us with security clearances who work in the area of international cyber warfare and attacks? You can be sure it is not better looking.

-- Kevin Coleman

Cyber Attack: Online Bank Heist


If someone walks into a bank and hands the teller a note demanding money, it makes the evening news. If someone does the same thing at five banks, it makes the national news. If someone does it to 400 banks online, not a word. This is not a hypothesis; it is a fact.

The cyber weapon used in these 400 bank robberies is called SilentBanker. Security professionals are concerned over the discovery of this banking Trojan, which steals user data and affects customers of more than 400 banks worldwide. The information SilentBanker collects lets the attackers reroute money to an account they own or control, without the user's knowledge until the bank statement arrives.

Trojan (short for Trojan horse): a piece of malicious software that appears to perform one action but in fact performs another. Trojan horses are also notorious for installing backdoor programs.

This appears to be just the beginning. The Trojan first appeared in December 2007, continues to spread around the world, and is more powerful than originally thought. If the malware is missing information it needs to complete a fraudulent transaction, it injects extra fields into the bank's authorization page as that page is rendered in the victim's browser, asking the user for the missing data. Because the user is still on the bank's own site, the request looks legitimate. The rapid increase in the sophistication and complexity of the latest attack tools is a clear trend that challenges the security industry to stay ahead of criminals and terrorists.
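The injection described above shows up as form fields that the bank's genuine page never served. The following is an added example, not code from the original post or from any vendor, of the check a bank's fraud team (or a user-side tool) could run: compare the field names in a page as rendered on a client against a baseline captured from a clean machine. Both HTML snippets are constructed for the example; the field names `card_number` and `atm_pin` are illustrative assumptions, not fields any real SilentBanker variant is documented to use.

```python
"""Detect form fields grafted onto a bank login page.

Added example, not from the original post. BASELINE_HTML and INJECTED_HTML
are constructed samples: the bank's genuine login form, and the same form
as a man-in-the-browser Trojan might render it with extra fields added.
"""
from html.parser import HTMLParser

# Constructed sample: the bank's genuine login form as served.
BASELINE_HTML = """
<form id="login" action="/auth" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="abc">
  <input type="submit" value="Log in">
</form>
"""

# Constructed sample: the same form after an in-browser inject (assumed field names).
INJECTED_HTML = """
<form id="login" action="/auth" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="card_number">
  <input type="password" name="atm_pin">
  <input type="hidden" name="csrf_token" value="abc">
  <input type="submit" value="Log in">
</form>
"""


class FormFieldCollector(HTMLParser):
    """Collect the name attribute of every <input>, <select> and <textarea>."""

    def __init__(self):
        super().__init__()
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            name = dict(attrs).get("name")
            if name:
                self.fields.add(name)


def form_fields(html):
    """Return the set of named form fields in an HTML document."""
    parser = FormFieldCollector()
    parser.feed(html)
    return parser.fields


def injected_fields(baseline_html, observed_html):
    """Field names present in the observed page but absent from the baseline."""
    return form_fields(observed_html) - form_fields(baseline_html)


# Substrings a login page should never ask for; an injected field matching
# one of these is a strong signal rather than a harmless page redesign.
SENSITIVE_HINTS = ("pin", "card", "cvv", "cvc", "ssn")


def suspicious_fields(baseline_html, observed_html):
    """Injected fields whose names suggest card or identity data harvesting."""
    extra = injected_fields(baseline_html, observed_html)
    return {f for f in extra if any(h in f.lower() for h in SENSITIVE_HINTS)}


if __name__ == "__main__":
    print("injected:", sorted(injected_fields(BASELINE_HTML, INJECTED_HTML)))
    print("suspicious:", sorted(suspicious_fields(BASELINE_HTML, INJECTED_HTML)))
```

The baseline must come from the server side or a known-clean host; fetching it from the infected machine would just reproduce the injected page. A legitimate redesign also produces new fields, which is why the check distinguishes "new" from "new and sensitive".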

No one knows who is collecting the money or how they intend to use it. Could it be for drugs, terrorist attacks or weapons purchases, or is this just a very sophisticated bank robbery? One thing is for sure: this is just another example of our vulnerability.

PROTECTION: Make sure your anti-virus software is updated and running. Vigilance is also a powerful defense: check your bank statements and balances regularly, be suspicious of any login or authorization page that suddenly asks for data it never asked for before (a card PIN, a full card number), and report any suspicious activity to your bank immediately.

-- Kevin Coleman

Resilience Engineering


If a cyber attack occurred tomorrow, could your organization continue to function? Odds are the answer is no.

In a Spy-Ops survey, less than 1% of organizations had planned for a cyber attack. Even more shocking, less than 1% have business continuity plans that address the threat of a terrorist attack. Both are now foreseeable threats and so require organizations to create strategies to minimize the risk. Failure to prepare for these events could bring charges of negligence from those who are harmed.

“For companies in America, the issue of liability for cyber-attacks is a significant risk,” said Edward Maggio of Spy-Ops.

Many business organizations are waiting for specific regulations to require action before they implement procedures and safeguards against a cyber attack. The reality is that with so many publications like this one, and other sources such as news articles, academic journals and conference material, available to the public, an organization is now on notice that a cyber attack is foreseeable.

“Since cyber-attacks are now foreseeable acts that can cripple a business organization, the failure to mitigate an attack can rise to the level of negligence in U.S. civil courts,” Maggio stated. He then went on to say: “The ‘we didn't know’ defense is no longer working in the realm of liability for cyber-attacks.”

Resilience engineering is a relatively recent term for a collection of activities designed to give organizations the ability to continue operating under extremely adverse conditions such as a cyber attack. These activities are rapidly evolving into what is sure to become industry "best practice," and some security experts believe it will soon become a regulatory requirement.

Technolytics estimates that a one-day interruption of e-business could easily exceed $35 billion. A cyber attack now or in the near future would surely send the already shaky economy into a tailspin. This is economic warfare, one of the fifteen modalities of Unrestricted Warfare (URW).

Business, government and industry need to build resiliency into their systems and operations if we are to be secure.

-- Kevin Coleman

Cyber Sabotage


Cyber sabotage is yet another wrinkle in the emerging threats from cyberspace. Whether delivered over the Internet or purposely installed during manufacturing, contaminated hardware or software is now a concern. Sabotage is defined as a deliberate and malicious act that disrupts normal processes and functions, or destroys or damages equipment or information.

The Department of Defense operates an estimated 3.5 million PCs and 100,000 local-area networks at 1,500 sites in 65 countries. In one study, a common piece of network equipment sold by a U.S. company was found to have nearly 70 percent of its components produced by foreign suppliers. This equipment is critical to our security as well as our economy. If we cannot trust computer equipment out of the box, where are we? At this point it would be impractical to validate each and every computer before placing it into operation.

In the commercial sector, cyber sabotage could be used to attack competitors and steal market share. In 2007 an estimated 269 million PCs were shipped worldwide. Just imagine the backlash if a saboteur were able to contaminate the master software image used to build every computer produced by a manufacturer the size of HP. The millions of computers it ships each month could pose a significant threat to business customers and consumers, and could even pose a national security threat. If that is not bad enough, imagine the impact on HP's stock if such an event were ever to happen. It should be noted that computer manufacturers all have security controls in place to guard against such malicious acts. But then again, I am sure Seagate and Insignia would have said the same thing.
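A contaminated master image, or a shipped drive or device that picked up malware in the factory, is detectable only if someone recorded what the clean content looked like. The block below is an added example, not code from the original post or from any manufacturer, of the simplest such control: a manifest of SHA-256 digests for every file in the image, recorded at sign-off and checked again before imaging or shipping. The image directory and its files are constructed inside a temporary directory; the file names `bin/setup.exe` and `bin/autorun.inf` are assumptions for the demonstration.

```python
"""Verify a software image against a manifest recorded at sign-off.

Added example, not from the original post or any vendor. build_manifest()
hashes every file under a directory; verify_image() compares the directory
against a saved manifest and reports added, removed and modified files.
demo() constructs a tiny image in a temporary directory, records its
manifest, tampers with it the way a saboteur might, and re-verifies.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 hex digest of a file, read in chunks so large images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_image(root, manifest):
    """Compare root against manifest; return sorted lists of discrepancies."""
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(manifest)),
        "removed": sorted(set(manifest) - set(current)),
        "modified": sorted(
            p for p in manifest if p in current and current[p] != manifest[p]
        ),
    }


def demo():
    """Return (result on clean image, result after constructed tampering)."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed image contents (assumed names, not a real product image).
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "setup.exe"), "wb") as f:
            f.write(b"installer bytes")
        with open(os.path.join(root, "README.txt"), "w") as f:
            f.write("golden image v1\n")

        manifest = build_manifest(root)          # recorded at sign-off
        clean = verify_image(root, manifest)     # expect no discrepancies

        # Simulate sabotage: patch the installer, drop an extra file, delete one.
        with open(os.path.join(root, "bin", "setup.exe"), "ab") as f:
            f.write(b"\x90\x90")
        with open(os.path.join(root, "bin", "autorun.inf"), "w") as f:
            f.write("[autorun]\n")
        os.remove(os.path.join(root, "README.txt"))

        tampered = verify_image(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean image:", before)
    print("tampered image:", after)
```

The manifest is only as trustworthy as where it is kept: it must be stored, and ideally signed, somewhere the build pipeline cannot write to, otherwise the same insider who alters the image simply regenerates the manifest. A check like this also does nothing for firmware or components the image never touches, which is the counterfeit-hardware problem above.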

Offshore manufacturing diminishes our ability to control and monitor the manufacturing process for computers and related equipment. But these malicious acts can occur even when all manufacturing is done in the United States: insiders are thought to be involved in nearly 80 percent of the security breaches that occur each year, and who knows what share of the $1.5 trillion a year in corporate espionage. No matter what you do, what technology you use and how careful you are, you cannot be 100 percent sure you have managed every risk.

Here are a couple of recent examples:

January 2008 — Digital picture frames were one of the hot items this holiday season, but some of them came with an unexpected surprise. Insignia NS-DPF10A digital picture frames connect to computers over a standard USB port, and according to a notice posted on the company's website, some frames were contaminated with a computer virus during manufacturing.

November 2007 — Seagate Maxtor Basics Personal Storage 3200 hard drives were found to be infected with a Trojan horse. The drive was temporarily pulled from shelves and is no longer available for purchase. Intelligence reports indicated that the Trojan was designed to copy information from the computer and send it to web sites in Beijing without the user's knowledge.

July 2007 — A space program worker deliberately damaged a computer that was supposed to fly aboard the shuttle Endeavour less than two weeks later. This act of sabotage was caught before the equipment was loaded onto the spacecraft.

-- Kevin Coleman

Cyber Assassination


"Cyber assassination" is when an individual is unaware that he or she is the subject of a cyber attack designed to discredit them and call their credibility or loyalty into question.

Here's a possible scenario: a senior person in the CIA is working a case, disrupting the enemy's activities and getting closer to uncovering covert enemy operatives. A smart enemy might attack that leader, or others involved in the investigation, to slow down or derail the effort to expose them. They may choose to hack the individual's laptop and plant damaging emails alluding to a pay-off on the hard drive. Then all that is required is a subtle leak that gets back to the CIA, and you can imagine the rest.

A second example: a politician is pushing for sanctions against a country, and that country's agents hack the politician's computer and put pornography on the hard drive. A covert leak results in an investigation and public disclosure of what was found. The politician's ability to gain or maintain support for the sanctions would undoubtedly be damaged.

You can prove that a computer has been compromised (hacked). It is virtually impossible, however, to say definitively that a computer has not been hacked. Our ability to defend individuals in the political, academic, business or industrial spotlight against this type of assault is very limited. For whatever reason, people believe the worst, and explaining how compromising material got onto your hard drive without your knowledge would be almost impossible. Who knows, many of these individuals may already have been set up, their computers hacked and the damaging evidence planted. Now the enemy patiently waits for the moment they need to leak it to further their cause. Who will be their target next?
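Part of why the planted-file scenario is so hard to refute is that the timestamp on a file proves almost nothing: anyone who can write the file can also set its modification time. The block below is an added example, not from the original post, showing that with a constructed file in a temporary directory, and the one clock a plain `os.utime` call does not move: `st_ctime`, which is the inode change time on Unix and the creation time on Windows. A file whose content supposedly dates from two years ago but whose ctime is seconds old is the inconsistency a forensic examiner looks for first. The file name `payoff.eml` is an assumption for the demonstration.

```python
"""Why 'the email on his disk is dated last year' proves little.

Added example, not from the original post. plant_and_backdate() writes a
constructed file and sets its access/modification times into the past, as a
saboteur planting evidence could. timestamp_gap() then reports how far the
change time (st_ctime), which os.utime cannot set, runs ahead of the
backdated modification time.
"""
import os
import tempfile
import time

ONE_YEAR = 365 * 24 * 3600  # seconds


def plant_and_backdate(directory, name, content, years_ago):
    """Write `content` to directory/name and push atime/mtime back `years_ago` years."""
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(content)
    fake_time = time.time() - years_ago * ONE_YEAR
    # Any user who owns the file can do this; no special privilege is needed.
    os.utime(path, (fake_time, fake_time))
    return path


def timestamp_gap(path):
    """Seconds by which st_ctime is newer than st_mtime.

    For an ordinary file written once, the two are within seconds of each
    other. A gap of months or years means the mtime was set by hand after
    the file was last changed.
    """
    st = os.stat(path)
    return st.st_ctime - st.st_mtime


def demo():
    """Plant a constructed file backdated two years; return (mtime, ctime gap)."""
    with tempfile.TemporaryDirectory() as d:
        path = plant_and_backdate(d, "payoff.eml", b"constructed planted message", 2)
        return os.stat(path).st_mtime, timestamp_gap(path)


if __name__ == "__main__":
    mtime, gap = demo()
    print("mtime:", time.ctime(mtime))
    print("ctime is newer than mtime by about %.1f years" % (gap / ONE_YEAR))
```

The caveat cuts both ways, which is the author's point: an attacker with root can reset the system clock or write the inode directly, so a consistent ctime is evidence of nothing, and an inconsistent one only shows that something touched the timestamps. Neither outcome lets the victim prove the file was planted.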

-- Kevin Coleman

al Qaeda's Top Cyber Terrorist


The Internet has long been a critical domain for terrorist and extremist groups around the world. Perhaps the most notorious cyber terrorist was an individual known as "Irhabi 007." He was later identified as Younes Tsouli, the 23-year-old son of a Moroccan diplomat.

For nearly two years, Younes Tsouli was sought by intelligence services around the world. The online terrorist communities Tsouli created trained the terrorists who congregated in them; the training included hacking, programming, executing online attacks and mastering digital and media design. He suddenly went underground in September 2007 after Scotland Yard arrested a 23-year-old West Londoner believed to be tied to him.

Scotland Yard believed that Tsouli had participated in a bomb plot they were investigating. British counter-terror agents and investigators stormed Tsouli's top-floor flat and discovered stolen credit card information believed to have funded much of his activity. They also found that the cards had been used to pay American Internet providers on whose servers he had posted jihadi propaganda.

In addition, Tsouli used countless other web sites as free hosts for material the jihadists needed to upload and share. The true extent of his distribution network is still not known. He is credited with the large-scale distribution of a film produced by Zarqawi called "All Is for Allah's Religion."

His arrest struck a significant blow to al Qaeda’s cyber terrorism weaponry.

Because cyber weaponry requires only widely available knowledge and skills, and the only equipment needed is a computer that can be purchased anywhere, cyber weapons proliferation cannot be controlled. These facts, coupled with the recent cyber attacks on utilities that blacked out cities and regions, show this is a serious threat.

Spy-Ops profile on Irhabi 007:

Younes Tsouli is a 23-year-old male who studied computers at a London college. Tsouli is a computer nerd from Shepherd's Bush, West London. He is the son of a Moroccan diplomat and arrived in London in 2001. He was recruited by al Qaeda in 2002, when he began his cyber campaign of propaganda and terrorist training. His online legend (cover name) was "Irhabi 007," derived by combining the James Bond reference with the Arabic word for terrorist. He published a manual on computer hacking on one of al Qaeda's many web sites. He joined the closed message forum known as Muntada al-Ansar al-Islami, which provided military instruction, propaganda and recruitment.

He became the webmaster of al-Ansat, a forum used by 4,500 extremists to communicate, rose to become the top cyber jihadi expert and directed all Internet-related activities. He also posted a 20-page website hacking manual called "Seminar on Hacking Websites" on the Ekhlas forum.

Tsouli used information from 37,000 stolen credit cards to pay American Internet providers on whose servers he had posted jihadi propaganda. He was apprehended while building and deploying a new website called "YouBombIt."

Captured in his London top-floor flat was a PowerPoint-style presentation on how to build a car bomb. His capture led to the arrest of several Islamic terrorists around the world, including 17 men in Canada and two in the US.

His hacking skills are categorized as moderate to advanced by today's standards. In December 2007 his sentence was increased from 10 to 16 years in prison.

-- Kevin Coleman

More Cyber War Gouge


Cyber attacks on critical infrastructure targets. On Wednesday the Central Intelligence Agency (CIA) told an international gathering of government officials, engineers and security managers from electric, water, oil and gas and other critical-industry asset owners that it has information that cyber intrusions into utilities were responsible for at least three blackouts, followed by extortion demands.

The CIA went on to say it suspects, but cannot confirm, that some of the attackers had the benefit of inside knowledge. The very next day the Federal Energy Regulatory Commission (FERC) approved eight mandatory cyber security standards (the NERC CIP standards) that extend to all entities connected to the nation's power grid. The following are the eight areas addressed by these standards:

1. Critical cyber asset identification
2. Security management controls
3. Personnel and training
4. Electronic security perimeters
5. Physical security of critical cyber assets
6. System security management
7. Incident reporting and response planning
8. Recovery plans for critical cyber assets

These eight standards were created to increase the security of our critical infrastructure protection (CIP) and reduce the risk of a successful attack. Disruption of a country's critical infrastructure would cause significant direct and indirect damages. Most of these damages would be psychological, economic and financial. Analysis of a cyber attack on critical infrastructure targets resulted in the following data:

Target value: High
Impact analysis: Elevated
Required skills: Moderate
Attack costs: Low
Current defenses: Moderate (elevated for nuclear sites)


- Utilities across the world are being hit by an estimated 500 to 1,000 attacks from hackers and malicious code every year.
- Technolytics analysis found insider threats now account for over 80 percent of security breaches.
- The Spy-Ops Cyber Warfare CIP training program stated that the two areas of greatest critical infrastructure cyber threat are equipment, hardware and software vendor management and human resource management.
- Technolytics analysis found physical and information security responsibilities must merge to improve security.
- Critical infrastructure targets are among the top targets for terrorists and military cyber warfare units.


-- Kevin Coleman

The Impact of a Cyber War


The nation's top spy, Michael McConnell, Director of National Intelligence, thinks the threat of cyberarmageddon! is so great that the U.S. government should have unfettered and warrantless access to U.S. citizens' Google search histories, private e-mails and file transfers, in order to spot the cyberterrorists in our midst.

Like the DNI, many believe we are either in the early stages of a cyber arms race or in a global cyber war. Given the number of attacks we have seen this year, it would be difficult to argue with either statement. If indeed we are headed into a global cyber conflict, what would be the implications for the United States?

A cyber conflict differs greatly from what we typically associate with a war. There are no bombs bursting or gunfire. It is a silent conflict that is hard to notice until you try an electronic transaction. When we evaluate the progress of a war today we measure death and physical destruction. While there can be minor physical destruction in a cyber war, the political, economic and financial implications are the primary measures of success.

The political fallout of a cyber attack will certainly be high, but this will pale in comparison to the financial and economic implications. The results of research on this topic conducted by Spy-Ops are listed below.

Physical Impact: 1.2 (Very Limited)
Social Impact: 4.3 (Very High)
Political Impact: 4.0 (High)
Financial Impact: 4.3 (Very High)

The financial and economic impact of a one day cyber war that disrupts U.S. credit and debit card transactions is estimated at being about $35 billion USD.

The United States is one of, if not the, country most dependent on computers. Computers control our financial system and the traffic on streets, rail and in the air, and they have become an integral part of our everyday lives. In an all-out cyber assault against the United States, the financial, economic, social and political implications could be greater than those felt from the 9/11 terrorist attacks.

-- Kevin Coleman

Hacking the Dreamliner?


Along with the standard spiels about exit rows and seat belts, flight attendants of the future might add this to their repertoires: "The captain has requested that all passengers close their browsers until he regains control of the aircraft."

Recently the AP reported on a possible unintended consequence of offering Internet access to all passengers on Boeing's 787 Dreamliner. Here's an excerpt:

Before Boeing Co.'s new 787 jetliner gets the green light to fly passengers, the aircraft maker will have to prove that offering Internet access in the cabin won't leave the flight controls vulnerable to hackers and hijackers.

Boeing claims it has engineered safeguards to shut out unauthorized users, but some security analysts worry navigation and communications systems could be vulnerable.

"The odds of this being perfect are zero," said Bruce Schneier, chief technology officer at the security services firm BT Counterpane. "It's possible Boeing can make their connection to the Internet secure. If they do, it will be the first time in mankind anyone's done that."

But Boeing spokeswoman Lori Gunter said 787's aviation electronics "are not connected in any way to the Internet."

Boeing has designed the 787 to allow airlines to offer passengers more in-flight entertainment and Internet options than previous planes have allowed.

Those new features and other aspects of 787's computer network go beyond the scope of existing regulations, so the Federal Aviation Administration is requiring Boeing to show the new technology won't pose a safety threat.

In a "special condition" the FAA has ordered Boeing to satisfy, the agency notes that the 787 "allows new kinds of passenger connectivity to previously isolated data networks connected to systems that perform functions required for the safe operation of the airplane.

"Because of this new passenger connectivity, the proposed data network design and integration may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane."

Read the entire AP report here.

-- Ward

The New Cyber General


During a media conference on November 2, 2007, Secretary of the Air Force Michael W. Wynne said the 8th Air Force would become the new Air Force Cyber Command. Now this statement has become reality. A three-star general, Lt. Gen. Robert Elder Jr., is the commander and will lead the Air Force Cyber Command (AFCYBER). AFCYBER will have over 20,000 personnel, and the Air Force is recruiting officers and airmen from all over for careers in cyber war. Thousands of existing Air Force electronic warfare specialists will be assigned, or offered, jobs in AFCYBER. This will include units operating in the full spectrum of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures.

Its complement of high-tech equipment includes the following:
- U-2 strategic reconnaissance aircraft
- EC-135 electronic-eavesdropping aircraft
- EC-130E Commando Solo radio/TV broadcasting aircraft
- EC-130H Compass Call radio-jamming aircraft

A cyber attack can be launched from anywhere and at any time. A cyber weapon attack requires neither physical access (by land or air) to the target or targets nor significant skill. Basic cyber weapons are openly shared via the Internet today. Technolytics conducted an analysis of the evolution of cyber weapons and determined that we are currently moving from basic weapons like vulnerability exploits and traditional viruses to more advanced classes of weapons such as self-morphing malicious code.

The U.S. Air Force is currently training 40,000 Cyber Warriors that make up this unique force. The cyber war training program will take from six to 15 months to complete. The first Undergraduate Network Warfare Training class graduated Dec. 7, 2007. They represent the Air Force's expansion into the lead role in cyberspace threat management. It is estimated that it will take over seven years to get the full complement of staff trained. The training, coupled with experience, will give them what they need to perform their critical mission. Not all of the people trained as Cyber Warriors will be in the 8th Air Force. Many will be assigned throughout the Air Force to take care of the cyber war needs of their units. We are developing a new breed of soldier: cyber soldiers are ones who engage in cyber conflicts, wars, or espionage. They are armed with hackers' skill and knowledge and newly developed cyber weapons, and they stand ready to defend our nation against cyber threats.

Construction of a Cyber Innovation Center (CIC), which would serve as the civilian counterpart to AFCYBER, began in the fourth quarter of 2007. The CIC will be built on a 58-acre site near Barksdale Air Force Base. Bossier City, LA has allotted $50 million USD for the construction, while the state of Louisiana has matched the financing and approved another $50 million. While many believe that Barksdale Air Force Base will be the HQ for AFCYBER, others are not so sure.

Officials from six states are competing over the headquarters location of the Air Force's Cyberspace Command, which promises thousands of jobs and millions in revenue. Lobbying efforts have turned into an all-out war between several Air Force towns in recent weeks. This is coupled with rumors that Capitol Hill is discussing establishing a new department or agency to deal with cyber threats. The final decision about the location of AFCYBER should be made by the end of February 2008. The new command is expected to reach initial operational capability late in 2008 and become fully operational by October 2009.

While the location and reporting responsibility seem a bit uncertain, what is certain is that the threat we face from the build-up of cyber weapons by more than 120 countries is very real.

-- Kevin Coleman

Inside DPRK's Unit 121


Military planners and security experts have intensified their shouts of concern about the development of cyber weapons and the distinct possibility of a cyber war. Cyber warfare is not new. It has been in modern military doctrine for the past decade, not to mention the number of terrorist groups who have threatened the use of cyber weapons against the West. However, what has changed is the number of countries that possess these capabilities today.

The North Korean military created a new unit that focuses solely on cyber warfare. The unit, dubbed Unit 121, was first created in 1998 and has steadily grown in size and capability since then. Interest in establishing cyber war forces shouldn't come as a surprise to anyone, but North Korea’s intense effort stands out among the top ten nations developing cyber weapons.

Unit 121 Capabilities Assessment:

Force Size: Originally 1,000 - Current Estimate: 17,000
Budget: Total military budget $6 billion USD. Cyber Budget $70+ million. North Korea’s military budget is estimated to be the 25th largest in the world.
Goal: To increase their military standing by advancing their asymmetric and cyber warfare.
Ambition: To dominate their enemy’s information infrastructure, create social unrest and inflict monetary damage.
Strategy: Integrate their cyber forces into an overall battle strategy as part of a combined arms campaign. Additionally they wish to use cyber weapons as a limited non-war time method to project their power and influence.
Experience: Hacked into South Korean systems and caused substantial damage; hacked into U.S. Defense Department systems.
Threat Rating: North Korea is ranked 8th on the Spy-Ops cyber capabilities threat matrix developed in August of 2007.

Cyber Intelligence/Espionage: Basic to moderately advanced weapons with significant ongoing development into cyber intelligence.
Offensive Cyber Weapons: Moderately advanced distributed denial of service (DDoS) capabilities with moderate virus and malicious code capabilities.

North Korea now has the technical capability to construct and deploy an array of cyber weapons as well as battery-driven EMP (electromagnetic pulse) devices that could disrupt electronics and computers at a limited range.

In the late spring of 2007, North Korea conducted another test of one of the cyber weapons in their current arsenal. In October, the North Koreans tested their first logic bomb. A logic bomb is a computer program that contains a piece of malicious code designed to execute, or be triggered, should certain events occur or at a predetermined point in time. Once triggered, the logic bomb can take the computer down, delete data or trigger a denial of service attack by generating bogus transactions.

For example, a programmer might write some software for his employer that includes a logic bomb to disable the software if his contract is terminated.

The North Korean test led to a UN Security Council resolution banning sales of mainframe computers and laptop PCs to the East Asian nation. The action of the United Nations has had little impact and has not deterred the North Korean military from continuing their cyber weapons development program.

Keeping dangerous cyber weapons out of the hands of terrorists or outlaw regimes is next to impossible. As far back as 2002, White House technology adviser Richard Clarke told a congressional panel that North Korea, Iraq and Iran were training people for Internet warfare. Most information security experts believe that it is just a matter of time before the world sees a significant cyber attack targeted at one specific country. Many suggest the danger posed by cyber weapons ranks alongside that of nuclear weapons, but without the physical damage. The signs are there. We need to take action and prepare for the impact of a cyber war.

-- Kevin Coleman

Cyber Threat Matrix


With 120 countries now in the cyber arms race, intelligence agencies around the world are working to assess their offensive and defensive cyber capabilities. Developing cyber weapons does not require the massive infrastructure usually associated with conventional arms. A couple of PCs and a couple of smart programmers and you have all you need to create a cyber weapon.

Advanced Data Weapons have unique capabilities that make their detection and elimination much more difficult than conventional viruses and trojans.

- Self-morphing malicious code applications
- Electronic circuitry destruction capabilities
- Self-encrypting / decrypting malicious code
- External disruption capacity against wireless networks
- Exploitation of unreported vulnerabilities in common commercial software

Working with Intelomics and Spy-Ops, two international cyber security companies, we were able to collect enough data to construct the high level cyber threat matrix featured above.

As with the conventional arms race, countries with significant defense spending have taken the lead in the cyber arms race. But that trend is rapidly changing. In the past few years malicious code with advanced features has been created for under $3,500 USD. We are beginning to see the emergence of cyber arms dealers. The cost of cyber weapons is within the range of poor and developing countries.

Question: who is more dangerous in the cyber weapons race, nation states or a single rogue hacker?

-- Kevin Coleman

Inside a Cyber Attack


The global military community witnessed the first cyber war earlier this year.

While many consider the three week attack on Estonia a non-event, others point to it as a sign of things to come.

One of the most common cyber attack strategies is the network effect of the weakest-link theory. The strategy requires the aggressor to identify and attack the weakest link on the network, and then use it as cover to give the appearance of legitimacy and rapidly propagate the malicious code throughout the rest of the network.

The weakest link could be a system missing one of its security patches or an ill-configured firewall. DoD networks withstood an estimated 80,000 attacks in 2007, so they are fairly well hardened and fortified.

That is not the case with many private sector systems. Cyber defense requires a much tighter cooperative relationship between defense organizations and the private sector. At this time there are NO minimum security requirements for computer systems. In the private sector, system protection ranges from next to nothing to as hardened as DoD systems. Addressing the weakest link will be the greatest challenge and threat to protecting our nation's information infrastructure.

-- Kevin Coleman

[Editor's Note: DT contributor Kevin Coleman is a strategic advisor and certified management consultant with Technolytics and the former Chief Strategist of Netscape.]

Chinese Cyberwar Alert!


The Air Force has been tracking aggressive cyber incursions by computer technicians in China, primarily focused toward gathering information on military network infrastructure and American trade secrets, the Air Force's cyber warfare commander said this week.

"China has put a lot of resources into this business," said Lt. Gen. Robert Elder, commander of Air Force Cyberspace Command. "China, at this point, is not interested so much in attack as they are in using the Internet to pull [industrial] data."

"They're interested in doing this in a way that they can be dominant without even having a fight," he added.

A recently-released Pentagon report on Chinese military development said Beijing is crafting an aggressive computer network operations strategy that the People's Liberation Army "sees as critical to achieving 'electromagnetic dominance' early in a conflict."

While his newly established command is focused primarily on defending military information networks, communications nodes and command and control systems against "peer competitors" such as China, Russia and Iran, Elder told reporters during a June 13 breakfast meeting in Washington that his cyber warriors don't see much of a threat from terrorist-initiated attacks.

"If you have a terrorist operating on their own they're going to have less capability than if they had nation-state sponsorship," Elder explained. "To seriously disrupt us, you're not going to be able to do this with a 'teenage hacker' capability."

Aside from the defense of Air Force cyberspace from would-be attackers, Elder said his command is focused on developing tactics to render adversaries' computer systems inoperable, dropping cyber bombs on enemy sensors, databases and battle management systems.

"Everything I talk about we're trying to do to an adversary we're trying to defend for ourselves," Elder said.

"We want to go in and knock them out in the first round," he added.

The Air Force formally established Cyberspace Command in November after the Pentagon-crafted Quadrennial Defense Review designated cyberspace as an emerging battlefield where American forces increasingly will have to fight in the future.

The vulnerability of networks and the disruption computer hackers can cause to a country's infrastructure was demonstrated in early May after cyber attacks on a wide range of civilian and government networks in Estonia crippled state-run banks, telecommunications companies and news organizations for weeks.

Estonian government officials allege the attacks were launched from state-owned networks in Russia, though the Kremlin denies they had anything to do with the computer assault. But the accusation raises questions about how Elder's command should respond to similar attacks against Air Force cyber infrastructure.

The service is working to develop doctrine on how to defend - and counter-attack - cyber adversaries who can potentially shield their identities or seek cover in networks that have no knowledge of the attack.

"We are looking to provide very precise effects - you want to minimize collateral damage," Elder said. "Would a civilian target be a legitimate target? Generally ... you don't go after civilian targets."

The Air Force has instituted security procedures to ensure individual workstations can't serve as gateways for an adversary into military networks, an effort Elder hopes will prompt Airmen to "recognize that this is not a safe neighborhood."

The Cyberspace Command has already begun to build its cadre of cyber warriors, drawing upon the nearly 45,000 Airmen already tasked with information technology-related duties in the service.

Air Force instructors will keep an eye out during initial training for potential cyber warriors to fill out the ranks, and Elder intends to establish a viable career path for his Airmen in hopes of keeping Cyberspace Command strong in the future.

"We're trying to get someone trained who can work on a production line who's an expert on doing their part, and over time you expand that," Elder said. "It's going to be really critical for us to be able to retain these people into continuing in the force."

-- Christian