First – some background and character development here leading to the big reveal at the end…
Two years ago, this month, I was interviewing for a direct commission officer as a second lieutenant in US Cybercom for the Army Reserve as a 25 alpha. This is not a typo.
I was one of 11 interviewed after 500 applied, and sadly was not chosen. At the same time, I was also interviewing for an IP officer in the Navy Reserve as an Ensign, which seemed a better fit for my skillset. I’m 45 now, and began those processes when I was 41/42. I had stopped trying at the age of 29 as I had been too big and all they seemed to be looking for 16 years ago was infantry – that’s all I knew.
Now, they had changed the laws so those who were older could join in the realm of IT and Cyber? Sign me up!
I had just completed my first sprint triathlon and was in the best shape of my life. Had 2 masters degrees (cyber security and an MBA) with a bachelor’s in IT. 11 IT certifications. Led a team of 80 at the time in IT. It had been a dream of mine to serve in the military my whole life, but unfortunately my love for carbohydrates, coupled with carbohydrates love of me, that kept me out of service. Both of my grandfathers served in World War 2, with one of them being in the Navy as part of the island hopping campaign in the Pacific.
I was applying to these programs through recent changes in legislation which allowed older civilians to apply for these positions. What they don’t tell you is:
- That everyone in the service more or less hates DC, and you get a lot of push back from anyone who did active service as you are not a real person, but a caricature. Little did they realize I wanted to do it my whole life but had a waistline issue I could not solve to do this at 18 or 22. Doesn’t matter. If you didn’t do OCS in your 20s, you are thought less of, by a lot. This is something you needed to have a thick skin over and realize why you were doing it and give zero @#%$% what people think of you. You absolutely need to give zero @#%@#% about what people think. Really. Check.
- Your civilian friends think you’re an idiot and want to discourage you at all costs. You might get hurt. No shit? You don’t say? What about deployments? That’s too hard. Then I think of my grandfather sleeping in muddy ditches with a rifle in Guam prepared to shoot anything that walks over years of hell island hopping. I might get hurt. Check.
- The same program that says it is open to civilians is kind of bullshit, in that they have questions specifically geared towards those who were previous active duty that I could not possibly have prepared for. Imagine someone who did a 4 year enlistment at 18, went to college on the GI program, graduated with a bachelors at 26, then had a stellar cyber career and at 40 wanted to apply for this. That’s who they are looking for. They don’t want me either. Check.
- The docs say O-1 through O-5, but the reality is there’s zero chance you get anything other than an outside shot at an O-1 unless you are a cyber company CEO that is former military. Try discussing this concept with the recruiters and you literally get laughed at, despite what the web page says. So the program is there to recruit me, but they don’t want me. Check.
Still, being the contrarian, you push ahead. It’s worth it to try. A few weeks later, my wife was pregnant, a few months after that my mother died, and a few months after that COVID and the COVID 40 hit me.
Time to turn the page. My ideas of how to help protect the nation will have to stay in my blog then!
It was not destined to be, although I might give it one last shot next year until they laugh me out of the room again. My kid will be over 2, I’ll have the COVID 40 off, and perhaps they might be needing me then? Remember what I said about giving zero !#$!@@#$$@#$? Follow your dreams. I just saw a video of a 59 year old going through Army Basic. He’s a former marine, so it’s not like he was unskilled. Just….age is a number. If you have the background and determination, you might have a shot.
I bring up all of that because if you look at my linkedin profile, you might get an understanding of my day job and why I may be suited to comment on the idea. My day job never comes in to these pages, as it should be. However, I can speak in generalities about things. Items I learned in graduated school (and wrote about) and security principles that are industry standard – and keep it extremely high level.
All of the above also speaks to some of my background in the idea I came up with at the bottom when I was in grad school.
“Immunize the internet”
What I did for a lot of years is something called SCCM (System Center Configuration Manager), which is a fancy tool to build/deliver operating systems, software, and updates to software and operating systems. I also worked with something called Group Policy – long story short, I worked on the defensive side of cyber security. This is the team that tries to button down the hatches and “reduce attack vectors” and “attack surface”. Meaning, I have a lot of experience in cyber defense – but what many don’t understand is that there’s a LOT of different types of job in cyber. Mine was just one area of the entire spectrum.
Specifically, I believe Mr. Schwab is referring to “immunizing” the internet sort of like you would immunize a patient. Provide a vaccine of sorts. The concept is interesting, but it’s the wrong way to address this. IMHO.
Computer viruses act in the same way traditional viruses work. They inject code into the host and replicate. In a sense. In order to replicate, it must traverse a space, then attach to a host who is vulnerable to the attack. There are a few ways in IT you can address this:
- Harden systems from attack (kind of what I did)
- Deny code from traversing and replicating. Think network segmentation and firewalls.
The issue with the first bullet there is that code that is written is written quickly to get out to meet deadlines, then updates come later. If you were to try and harden code 100%, you’d probably never get to 100% and it would be cost prohibitive and you’d miss all deadlines. This is why updating software and operating systems as a home owner is so important, but many of you try and turn this off or ignore. Anti-virus software is out there, but you cannot identify all items out there with definitions of sort, so you also have tools like heuristics which look at how items work to identify if something is behaving outside of normal behavior.
The second part can be denial of transmission – where you perhaps segment your networks out, place firewalls everywhere, and build rules to allow certain types of traffic and deny others. You then may have NIDs/NIPs – network intrusion detection/prevention like a SNORT to do packet inspection, but the problem more recently is that when things are encrypted, you cannot inspect the contents of the packet.
So – what Mr. Schwab is referring to isn’t really possible, more than what is being done today. What is potentially interesting is that maybe IF you can identify a virus, perhaps AI can re-write the code to make it inert – but it’s easier to flag and delete something, honestly. Some of these viruses and malware, when they replicate, unpack encrypted code and re-write themselves.
“Let’s just do counter-viruses!”
I heard this one and I think much of this has to do with people not understanding the game that is afoot. When people talk about botnets, these are not warehouses of computers that are attacking things at the behest of a villain. This is your grandmother’s Windows 7 (or Vista) machine she never upgraded that is 10 years old that she uses to see pictures of cats. It is compromised because MS no longer patches for it, and with that, every 12 year old on the planet has downloaded kits of how to compromise it. Your grandmom’s machine probably is compromised 800 ways from Saturday. It won’t really show up in anti-virus stuff, as coders got pretty good ay avoiding that stuff.
Your grandmom’s machine then perhaps is a “zombie” that reports back to a machine somewhere. Maybe this machine is some other grandmom’s machine. You then have these “botnet armies” of “zombie” machines that can do bidding of someone malicious. You can even rent these botnet armies to do bad things, like perhaps you are a nature lover and hate big oil – you can do a denial of service on Exxon’s website. Or far worse.
I did this drawing a bunch of years ago to show how you are actually attacked with botnets…it was based off of what I saw in books, so my Visio drawing should be similar to what was in them.
So to do a “counter virus”, you are essentially identifying grandma’s machine as infected, then attacking a civilian’s machine with a virus. This is a no-no. Furthermore, where is that machine? The U.S.? OK, maybe the NSA can get a warrant to do that, but is the NSA then attacking machines in 200 countries? That might not go over so well.
Likewise, these botnets can be millions of machines. You getting a warrant for each machine? Good luck with that.
So we cannot do counter-viruses.
Even IF you can identify grandma’s machine, she has no idea she’s compromised. How do you get in touch with her? How do you direct her to fix it? Your bigger problem is identifying the source machines of the issues, which perhaps are controlled by machines with spoofed IPs or connected through an onion network or VPN (virtual private network).
Even if you then DO identify a machine in an internet cafe in Ukraine, it could be weeks or months to determine that was the root machine – as many countries don’t have treaties with the US to provide such information. So maybe Ukraine gives is the internet cafe, but Russia tells us to pound sand under the same request. Once we identify that cafe, they may have no record of the person sitting at that computer weeks ago, no video, and no record of payment. Even so, what if that was a Chinese national who is now in China? Even if you somehow identified that person, then you cannot compel extradition.
So now you are faced with not being able to force grandma’s machines worldwide to update, and even if you do somehow find the bad actor, somehow, you may not be able to do anything about it.
This has forced our country to do what they can – protect their own machines. But you might be really interested to know how much of an island you are on.
Umbrella of protection?
My first real experience with cyber security was being at a place for a few weeks in 2004 ish, and they had hired a PEN tester (white hat hacker) to run all kinds of tests on the network to find issues. Most people don’t realize that the good guys and the bad guys more or less have the same tools – it’s what you do with them that matters. For example, as a “white hat”, I’d scan a network with a Nessus or the like to find vulnerabilities. I’d then use SCCM to patch them (I’d actually be doing this proactively, but you get the point). As a black hat, I’d scan a network to find those same vulnerabilities but then use toolkits or exploits from something like metasploit to take control of the machines.
I watched our Exchange server light up with thousands of issues. We had a bunch of NT 4.0 machines, and our firewall had to be rebooted 5 times a day (some old raptor firewall) that would be hacked – it was so out of date that known exploits were hitting it all the time. The PEN tester had all of these machines up displaying these issues, and he’s like, “I’m done here”. I’m like, “aren’t you going to fix it?”. And he’s like, “that’s your job”.
What you then find out the hard way is that no one is protecting you. When you work for a government agency, the DHS got your back. When you work in the DoD, the DoD has your back. When you are running Pete and Nick’s ice cream shop, no one has your back. Literally, no one. So…good luck with that.
In 2011 or so, I wrote a lot about Operation Shady RAT, which demonstrated how a Remote Access Trojan, or RAT, had been put in place all over the place potentially by a nation-state I won’t list here. All of these companies and even county, town, and state governments were compromised. This country was then getting all kinds of secrets. You have a secret formula for your product? Nope. Not anymore.
Two issues you run into with a lot of these organizations are:
- Lack of funding provides you an incomplete picture on your cyber posture
With the above, if you work for a medium sized company that manufactures a new petroleum technology, perhaps you don’t have the budget for 5 people in cyber. You hire Steve who is fresh out of a 2 year IT school. Steve is sharp. He knows about all of the latest tools. He is smart.
As an example, Steve is now trying to defend against 700 Chinese nationals working for the military who are trying to crack this company’s security. Many of these were educated at the finest schools and grad schools in the world. Steve stands no chance. In a matter of weeks, China now has the latest tech. Don’t take my word for it, this unit was detailed in Richard A. Clarke’s book “Cyber War” from 2009. He was our cyber czar under 2 admins and he detailed how each country has elite outfits that are incredible. His book outlines a lot of the dangers out there, but also talks why countries just don’t attack each other in broad daylight using Cyber – the concept is MAD – or mutually assured destruction. At the moment, Biden is attempting to tell Putin to cut it out, but in Clarke’s book he mentions how a lot of this is Russian gangs – sort of semi-approved to operate under Putin, but report to powerful bosses that may have influence. So this is not a nation state doing this, technically.
Most nations have elite units who can do damage, if provoked. But with the MAD concept, there’s mostly cloak and dagger stuff going on. One of the first cyber attacks rumored had to do with the US messing with a computer that regulated an oil pipeline in 1984, which led to a pipeline explosion. Unclear how true that is, but you can see how a nation-state can affect another country.
The same isn’t to be said about businesses. You can have a nation-state extract what they want from a lot of businesses without them even knowing.
Steve has no idea it was even taken.
Anyway – 3 years later, the company files bankruptcy. It seemed a Chinese-owned tech company beat them to the market with this tech and underbid them by 63%. 2,000 people then become unemployed.
This is ultimately the dangers of cybersecurity on a nation-state level. Many want to see the pipeline issue resolved or perhaps the power grid secured, but there’s a lot of problems that can be seen over the next 10-20 years, especially with proprietary information. You have a pharm company that spends billions on research and needs to charge $1,000 a dose for a drug. The Chinese elite unit steals the information, gives it to a state-owned company, then sells it to the rest of the world for $5 a dose because they didn’t have to research it. No other country buys our product, and our country has to enable laws that prevent our people from buying life saving drugs from other countries. Not because they are horrible, but probably because it’s a knock off that stole from the company that created it. If we allow our people to buy the $5 drug, in the short term it makes our people happy, but in the long term it collapses the research of our pharm industry.
IF that pharm company detects an issue, they can call the FBI. Problem is, by the time they detect a breach in their logs, the damage was probably done days or weeks ago. Not real time. Probably done after hours when the admin was asleep. The extraction happened, and the files were sent to a computer in South Africa. That machine in South Africa goes back to someone’s grandmom. That then points to potentially an onion network and no one really knows who compromised the machine. Again, problems with attribution.
The point is, many companies might think our military is protecting their data somehow. No. Not at all. You need to hire more than Steve, it turns out. But do you know how many you have to hire? How expensive it might be?
I like to talk about securing a baseball glove. How do you protect it? Well, it was worth $60 when I bought it. It’s 20 years old. It has some sentimental value. Maybe I throw it in a closet and lock my front door at night. OK. Maybe I insure it for $60 in case it is stolen.
But what if this was Mickey Mantle’s glove worth $20,000? Maybe I have a big safe to have a layer of protection. Maybe I also pay to insure it, and that premium is more expensive. What if it turns out that it is one of a kind, and it could go for $50 million at an auction? Wow…now you have to really think about vaulting it for thousands a year. The vaults would also have insurance.
The more valuable the resource, the more you need to pay to protect mitigate or transfer (insurance) the risk.
Here is the same idea for protection – what are you trying to protect? Steve and Nick’s ice cream shop may only need to protect POS transactions, so they buy a system that is fully encrypted which they don’t have to mess with. No one cares about how many scoops of chocolate or vanilla they scoop. But what if it was Ben and Jerry’s and their secret recipe is on their servers? If the world knew the recipe, could it put them out of business?
With cyber, you are looking for the triad – Confidentiality, Integrity, and Availability. Typically, you then secure this stuff with a risk-based approach (the value of your glove) using ATM – Avoid, Transfer, or Mitigate. You may mitigate things using a concept called GGG – Gates, Guns, and Guards. Imagine a giant warehouse filled with your company’s products. You have gates around the perimeter, cameras, guards, and guns to protect the goods. Now, how do you secure your company’s intellectual property?
That’s the crash course.
Now, what about securing this thing?
The internet was built for sharing. There was no security in mind in the design. We are trying to retrofit security into this. I had an idea in one of my grad school papers. Essentially, in concept, it was like a toll road you see today in the United States. To get on to this toll road, you needed an EZ Pass and a licensed vehicle. This road is a secured internet. You can drive a LOT of places without the toll road, but maybe there’s only places you can visit once on this toll road.
How this works is you have an ISP, like a Comcast. You are issued a digital identity to sign in to this internet. When you go to sign in, your system is scanned for compliance to patching using something called a System Health Validator. This is used in 802.1x port authentication. If you are compliant, you are allowed to use the toll road. If you are not compliant, you are put on a “service road” which allows you only to get to patching tools to update your system for compliance, or to run tools from this provider to clean your system. Once you are clean, you are permitted on the toll road.
Your car traverses this road with a digital identity. Every packet sent has your identity put into it, and hashing algorithms are used for communications. Meaning, you sign into the provider, they issue you a clean bill of health, and encapsulate the traffic. Your digital ID is all over your encrypted traffic.
In theory, your websites could then only allow traffic from their secured ISP. Everything else is tossed. So only traffic from verified identities can even get to your website.
At first, this would take awhile to adopt, but companies could announce when they would cut over. Perhaps first might be military and government services, then infrastructure and financial. Maybe later sites like Amazon come into it.
You might also choose to not go through the toll road to websites so you can be anonymous. You may have certain sites you want to visit but not have your license plate tracked while going there. This is the flaw with the toll road system. Lots of people love their anonymity. That is absolutely fine to do! Then, you want to go to your banking website or sign in to your credit card company to pay a bill, you need to have your machine then go on to the toll road. Your machine is scanned, then you are allowed in.
Meaning, if you want to clean up the internet, you need to ensure that:
- You need a more secure super highway with identity verification for access to sites that want more protection. This is essentially locking them in a secure vault to get access to.
- Attribution needs to be tied to user/machine behavior for accountability
- Those traversing the highway are clean machines and given a clean bill of health. Grandma’s machine will not be allowed on to this super highway as the system health validator will kick it off to the service road.
- Malware attempts made would have attribution at the ISP provider level. You could black hole the ISP if they do not black hole that user’s credentials.
- Law enforcement would have all the information they needed for action as your identity is tied to an address from your ISP.
- A US-based company could have their ISP black hole all non-ISP verified information or all non-US based traffic. Meaning, these ISPs would need to trust each other, perhaps by country. My local water company would not need traffic from South Africa hitting it. The only people they need are potential customers and those trying to pay their bills. To expose their outward facing websites to the entire internet is silly and invites all kinds of probes and attacks.
The applications of this higher level of security for an internet help out a LOT of companies secure their data behind a vault wall.
This can be done in parallel to the existing internet, and doesn’t need you to tear down what is already there. A company like a Comcast had the resources to stand this up next year and offer it to all kinds of US-based companies. Other ISPs could then operate in tandem with Comcast to provide the trust relationships needed.
How does it work? You buy a smart card from Comcast, and get a keyboard or laptop that can use a smart card. Install middleware, and you’re done. If you need to get on a website that requires this level of authentication, you activate the VPN to your ISP, and you get signed in. While you are signed in there, you cannot get to non-verified items. Essentially, most people might use this when paying bills or accessing items on their cloud. They can unplug the secure connection and then peruse wherever they want that is not secured.
So – Mr. Schwab is correct that actions need to be taken, but right now it is more of a design issue than anything. They need to stand up a more secure layer that ties attribution to a person and machine, licensed by an ISP. Only they can you reduce these types of attacks. The only reason most of this happens is due to anonymity. Remove that, and voila!