Saturday, April 12, 2014

Red Sky Weekly: What will the cyber of my grandchildren look like?

We started a project last summer, where we track the growth of government sponsored
offensive operations around the world. It's a work in progress. When we started, our first cut at our "GEOPOL Matrix" reported six countries with officially sponsored offensive cyber organizations. Our last cut? 22.
22 countries at the beginning of February sport the triad of Surveillance, Defense and Offensive cyber capabilities.  So, I suggest... If the growth chart of cyber as a means of influence were a hockey stick, I'd say we're starting to hit the curve. Cyber complexity is going to grow exponentially, and with it a proportional number of places it can be exploited. 

In 1999, I spoke on cyber espionage at a SANS conference. I'll never forget it. In one of the reviews someone said I was selling FUD (fear, uncertainty, and doubt). Another called my presentation snake oil. How did I know that cyber would become the principle location for future intelligence operations? Because I was, at the time, farming open source data on a daily basis looking for clues to subjects I'd been tasked with researching... nothing covert. Everything was in the open, but even back then I was amazed at the huge amount of data that companies and countries were putting on the internet --and what a massive advantage that gave me. The seeds were being planted in that garden -with such amazing dark soil, plenty of water, and the patch that EVERYBODY planted their best stuff. Now, 15 years later, cyber is probably the most exploited patch of dark land, that the corn is waist high and looking good. 

Also now 15 years later, on nearly a daily basis, someone looses a million credit cards, and intellectual property is lost. And to the credit cards? Who cares, right? The banks make it right. And the intellectual property? Well, this stuff doesn't make it into the news as often as millions of credit cards lost, and when it does, you'd think we'd be shocked, but frankly, it's the new normal. And Heartbleed? It's bad.. really bad.. but who cares. It's just another thing. 

So what about 15 years from now? Beyond the idea of data loss and beyond the espionage.. both will always be there --they have been forever, in and out of cyber space. 15 years from now, many governments (and companies) will have their own cyber programs --warfare, attack, surveillance and defense. Think about it. In every case, when a country prepares for conflict, there's a timeline that's followed. And even today, kinetic options include dropping bombs on communications nodes, power generation, and other targets critical to operations. So is a power plant an arm of the military? What about the telecom provider that runs the cell or satellite services? Of course not. But those stockholder owned private companies ARE military targets during conflict. And do you think the stockholders aren't going to demand that the companies fight back? My bet is they will. Disintermediation is real. Militaries can and do attack civilian targets. And I don't think it's going to be just militaries.. In the future, cyber is going to make is so very easy, that others will jump into the fight.. civilian on civilian, military on civilian, and civilian on military. Heck, we see it today. There are plenty of example so government sponsored cyber, and on the non-government side? The SEA, Anonymous, and others form behind causes taking patriotic and hactivism to the realm of cyber action.

If cyber could be used to effect change in behavior of an adversary (change in behavior is always the goal), and it could be accomplished without using kinetic options (dropping bombs, shooting at people, etc.), and the risk of human loss is minimized on both the attacker and defender side --if one could take power, food, water, transportation, command and control/communications, or whatever someone chooses to take down, simply by hacking a computer and turning it off --even if only for an hour or two... would it work? You bet.  

It's going to become really easy to do. How many times have you been asked to answer a 'security question'.."What is your mothers maiden name?" "What was your first car?" "What is your favorite movie?" Add to that, your car, the airplane you fly, the train you take to work, heck, your refrigerator and toaster all have things the communicate with the internet. The amount of intelligence that is stored by companies asking these questions, intelligence that can be collected, based only on personal questions, added to the devices and data in your everyday life, geo location services of GPS turned on in nearly every device, and the ability to target very specific people or things to effect change? Wow. The bits of information out there --even today, that will enable massive opportunities for cyber exploitation --and very personalized cyber exploitation. 

And now it appears countries are turning off their Internet gateways when the Internet is threatened. The risk of an espionage attack, or DDoS, or the likelihood of loss of integrity has overshadowed open communications across borders, and the ability to hear directly from journalists, citizens, the persecuted and the attackers during crisis is being slowly turned off. Isn't this where we came from? Let's not go back. 

What will the cyber of my grandchildren look like? 

I don't have an answer. 

BT BT

In the last few weeks I've been making the rounds, talking with Red Sky members face-to-face. We've grown a lot in the last two years, and in many cases, in areas we never thought we would. I'm looking for feedback from our customers as we head into normalization phase of moving from a bootstrapped, cash-flow company to small enterprise. We didn't take venture money when we started this two years ago. We built this ourselves with the idea that we could work with our membership and shape the offering to them.. and I believe we have. 

We're reshaping our message, and looking at how we currently deliver analysis. Some love the portal. In fact, many log in first thing in the morning and stay on all day. Others check it once a month or so. Some get a digest. Our bottom line? Wapack Labs looks for things to provide our members. We're looking for ways to innovate. And for our members who love the Red Sky portal, we'll continue to push information into it, participate in conversations, and rub antennas with the techies. For those members who need information delivered in other ways, and in other forms? We want to know that too. 

So I'm looking forward to seeing you all as I make the rounds. And I'm hoping to see many of you at our Threat Day in Tampa in June. 


For non members.. we're going to host an offsite following the Threat Day. Come meet the team! Have a cocktail on us. I'll post the time and place as we get closer.

Ok. It's a sunny day, and I've got work to get done.
Until next time,
Have a great weekend!
Jeff





No comments: