The Worst Possible Day: US Telecommunications and Huawei


Thomas Donahue is a Cipher Brief expert and former Senior Director for Cyber Operations on the U.S. National Security Council Staff. His article was originally published by National Defense University Press in PRISM.

In case you missed it, you can read The Worst Possible Day: US Telecommunication and Huawei – Pt. 1 here 

Pt. 2

Options for the Nation

Given the shortfalls of a “just say no” policy, the United States will need to compete in the telecommunications equipment integration sector, both in terms of products and trade strategy. The U.S. Government typically seeks to use procurement for federal networks and research and development investment as the primary levers for influencing high technology. U.S. industry already leads in component and subsystem technologies (notably in optics); however, that advantage has not overcome the boom and bust cycles of the equipment integration market. Thus, a new element will be required that will involve some combination of direct investment, subsidies, loans, and tax incentives as has been done for other industries, either for national security purposes or to preserve national economic or industrial capabilities. In addition, the USG could include preferred telecommunications equipment manufacturers (no matter where they are from) in U.S. trade, defense, and foreign policy packages that the United States seeks to implement with other nations that are upgrading their telecommunications infrastructure.

Similar ideas have been raised before, including by this author and by James Lewis of the Center for Strategic and International Studies. Lewis cited three options: build networks from insecure components, build a national champion, or subsidize European producers. According to Lewis, the Obama Administration considered funding a national champion using the Defense Production Act, “but it could at most allocate 1 percent of what China spent. The discussion of how to respond to the telecom problem made it as far as a Deputies Committee meeting, but none of the major information technology companies wanted to reenter this field. Though a few medium-size companies could have been candidates for investment, the administration ultimately decided to rely on Google and Silicon Valley to innovate our way out of the problem without the need for the government to spend anything.”

The U.S. Defense Science Board’s June 2019 report on “Defense Applications of 5G Network Technology” notes that “the lack of a U.S. integrator and Radio Access Network vendor industrial base” creates challenges. The report recommends that the Department of Defense “should provide seed funding for western industrial base alternatives of key system components, e.g., Radio Access Networks.”

The scale of investment required—as can be seen from the size of the European companies—would require the U.S. Congress to appropriate additional funds, even if implemented under existing authorities such as Title III of the Defense Production Act (annual appropriations typically range only in the tens to hundreds of millions of dollars). Ericsson and Nokia each employ about 100,000 or more workers (although not just for telecommunications integrated equipment manufacturing), and each as of 2018 had net equities in the range of $10–20 billion and net assets in the range of $25–45 billion. Nokia spent $16.6 billion acquiring Alcatel–Lucent in 2016.

Maintaining leadership requires huge research investments. Huawei is participating comprehensively in the international standards process and makes large investments in research and development, now increasing to $15–20 billion per year from levels of $13–15 billion in 2017–18. European firms lag significantly. Nokia has increased investment in research and development to about 20 percent of its revenue, or roughly $5 billion per year, after a significant decline during 2013–15. In addition, the European Investment Bank in August 2018 provided a $583 million five-year loan to Nokia, and Canada in January 2019 provided Nokia with a $40 million research grant. Ericsson in 2017 increased investments to at least 15 percent of its revenue—a bit more than $4 billion per year—despite concurrent net income losses.

The major U.S. telecommunications service providers with operations in the United States and abroad would need to be included at least in the planning process for such an investment policy, given that they would be the ultimate customers for most of the equipment, have expertise on the markets and systems and, most likely, would serve as the final systems integrators and operators during implementation and deployment. Indeed, the service providers could be offered incentives to participate directly in the investment strategy; however, they are also burdened with high levels of debt from capital expenditures. Other operators of critical infrastructure (financial systems, electric power, oil and gas distribution, transportation, etc.) also might benefit by participating in the planning and investments.

The following three options are not mutually exclusive. 

Option 1: Champion the European and South Korean Companies

U.S. telecommunications infrastructure already depends on Ericsson and Nokia (and to a much lesser degree on Samsung), each of which has a significant economic presence through its U.S. subsidiaries. As noted previously, these companies include some of the residual capabilities that once belonged to now-defunct U.S. integrated telecommunications equipment companies. The USG, perhaps working primarily through the U.S. subsidiaries, might be able to support these companies with stock investments, tax policies, debt guarantees, loans, and procurements, particularly to stabilize their finances and to boost their research and development investments, which lag significantly behind those of Huawei. Both companies have undergone significant adjustments in management and business portfolios to stabilize their financial situation while investing for future growth. Both companies expect global demand to grow as most countries seek to take advantage of the benefits of 5G. In the unlikely event that the two Nordic companies merged to gain economies of scale relative to Huawei (despite potential EU, Chinese, and U.S. anti-monopoly concerns and challenges merging product lines), the USG could support the new merged entity in the same way.

As a sign of Samsung’s commitment to diversifying its product line, press reports in July 2019 indicated that Samsung plans to invest more than $100 billion over the next 10 years to gain prominence in global chip processors. Samsung, however, in November 2019 announced the closure of its US-based research lab for mobile phone chips after failing to win external customers away from Qualcomm.

Option 2: U.S. Entities Acquire Either or Both European Companies

If the United States needs to have a home-based champion for 5G and beyond, the fastest approach might involve working with the private sector to acquire a controlling interest in parts of one of the existing European companies, possibly using authorities under the Defense Production Act Title III or else with a separate Congressional authorization. Nokia Networks would be the primary division of interest from Nokia along with Bell Labs, and Business Area Networks would be the key division within Ericsson. Samsung’s 5G segment may not be a good target for acquisition because it has much less market share and is part of a growth strategy for the otherwise very large vertically integrated South Korean conglomerate.

  • The USG could use past models of loan guarantees, tax incentives, and direct investment. Either of these companies would benefit from significant U.S.-based investment and more innovative and agile management to help them stabilize their finances and close the gap in research and development that these companies have with Huawei.
  • Both companies have significant presence in the United States and recently have sought to expand their U.S. research and production. For example, Ericsson plans to open a fully automated factory for advanced antenna systems in the United States by 2020 and previously set up a design center in Texas for 5G-related application specific integrated circuits (ASICs). Nokia is expanding its operations in Texas and operates the original Bell Labs facilities in New Jersey.
  • These companies, however, are major contributors to the economies of their home countries, suggesting a major acquisition might be resisted by those governments and the European Union.
  • For example, Nokia owns Alcatel Submarine (undersea cables) that competes with the U.S. company now known as Subcom, as well as the optical networking capabilities of Alcatel–Lucent, and is likely to be seen by the Europeans (particularly Paris) as an asset that needs to remain European. Meanwhile, Ericsson is not a major player in optical networks and depends more on microwave for backhaul communications.
  • In addition, these companies have facets unrelated to integrated telecommunications equipment manufacturing that are, in part, artifacts of prior mergers and acquisitions. Culling out the equipment manufacturing alone, however, might leave behind unsustainable business organizations. Also, as Lucent experienced, the equipment manufacturing by itself may not be sustainable through demand cycles. These companies also have existing business arrangements and obligations, in some cases with China, that may create complications for U.S. trade policy.

Option 3: Create a U.S.-Based Consortium

The USG could seek to create business conditions, through a combination of procurement, investment, and financing, that bring together under an integrated corporate management the robust and diverse capabilities and patent rights of the existing U.S. private sector on which foreign integrated telecommunications equipment manufacturers already depend. Private equity could supplement USG funds, leading over time to an eventual reduction in the share of government investment while maintaining U.S. financial guarantees and trade support in the background.

Over time, this “consortium” could be led by a “prime” company comparable to the big integration companies that dominate U.S. defense contracting. Such an entity could add or even subtract “sub-prime” capabilities as needed in accordance with changes in technology, fluctuating demand, and maturation of national infrastructures. Again, the USG could use combinations of past strategies to drive the formation of this consortium, with the ultimate goal of leaving the private sector in control.

  • Rather than be treated as direct competitors, Nokia and Ericsson could contribute subsystems (particularly for radio access networks)—as might other companies from trusted international partners, notably the Five Eyes, Germany, France, Japan, and South Korea.
  • Such an approach could in effect create a single, trusted U.S.-based, international consortium with the financial backing of the USG for use by U.S. allies and any nation that would trust such an alliance more than Chinese providers.
  • Success would depend on a competitive pricing strategy in combination with U.S. and allied incentives to participate. Such a consortium also would benefit from strong relationships with the U.S. and allied defense departments and ministries.

A Bottom Line Comparison of Options

Each option involves positive and negative tradeoffs. All of them face potential resistance from overseas, including the Nordic countries, the EU (especially France), and possibly China. The resistance could be regulatory or through the WTO.

  • Support to an existing foreign firm would involve the least commitment from either the USG or private sector; however, this option offers the least influence or certainty of a useful result.
  • Buying one of the two Nordic firms would be easier than creating a new corporate entity and the fastest way back into the telecommunications equipment integration business but would require greater investment than simply supporting a firm with its current ownership. The United States would not have as much leverage on the outcome as would occur with the purchase of both firms.
  • Creating a new consortium would be the hardest to implement in terms of creating product lines, gaining market share, and licensing patents but would offer the greatest control of the outcome and thus the best opportunity to invest for longer-term technologies. As a result, this option potentially would require the greatest investment but also has the potential for the greatest return in terms of U.S. jobs and stimulating the U.S. high-technology sector.

Economic success of the strategy would depend on international trust of the equipment provider. In some parts of the world, U.S. ownership would provide comfort; however, in other parts of the world even some friendly countries might prefer “neutral” European products, a potentially useful outcome if the U.S. policy goals include not undermining a viable European competitor. In any case, western entities will need to persuade potential customers that the reliability and quality of products, combined with transparent security policies, are an attractive feature in comparison to what is offered by Chinese alternatives.

The final implementation of 5G will represent more than an upgrade to 4G technology components; the new systems over many years will evolve to a fundamentally different architecture and drive massive changes in the infrastructures and businesses that will benefit from 5G. With this longer perspective in mind, the best U.S. strategy might involve a combination of the options. In the near-term, the United States needs to “get in the game,” perhaps through options 1 or 2, to avoid surrendering future incumbent advantages to China and to gain experience in working with the new systems. For the long run, however, the United States as a second step might need to focus on the broader U.S. high-technology industry with Option 3 to drive innovation and to be in the best position for future generations.

The deployment of 5G technology across all of the infrastructure will take at least 10 years; however, discussion of 6G technology has already begun. In November 2018 a Chinese official claimed that the Ministry of Information and Industry Technology had already begun work on 6G with a view toward initial commercial deployments as early as 2030. The University of Oulu’s 6Genesis Project in Finland seeks to develop communication networks with bandwidths over 1 terabit per second with a grant of more than $250 million. As the Finnish researchers note, 6G will build on 5G infrastructure and applications, and thus any investment in 6G will need to build on a prior investment in 5G.

Find a USG Champion

Justification for the amount of resources needed to reboot the nation’s supply chain for integrated telecommunications systems would need to be framed in terms of ongoing U.S. strategies for resilient global command and control systems for national security and for maintaining control of critical infrastructure functions under the most stressful circumstances of a war with a peer adversary, such as Russia or China. This level of demand is a unique national-level governmental requirement and thus must be met at least in part by the USG. The measure of success would be determined by whether U.S. defense and critical infrastructure planners could demonstrate greater resilience against the full spectrum of threats. The U.S. military already is seeking to improve the resilience of critical systems, including for nuclear command, control and communications (NC3).

The biggest player within the USG, and the most likely center point for a successful effort, would have to be DOD. This is the only department with the global reach and mission requirements, technical depth, procurement and large-scale integration experience, budgetary capacity, and existing authorities to handle such a large project. The Office of the Secretary of Defense would need to work with the Joint Chiefs of Staff to incorporate military strategic requirements and with the Department of Homeland Security and other government agencies that work with private sector critical infrastructure.

Conclusion: Resiliency Strategy Must Determine Way Forward

As noted by West Point authors Borghard and Lonergan, the United States needs to examine its policies toward the next generation of telecommunications in the context of strategic requirements for resilient global command and control of U.S. military forces and other U.S. interests, to include how the U.S. military depends on commercial communications. This discussion must consider the worst possible day, not the routine day. The challenge is primarily one of availability on that worst day, not espionage. These requirements abroad and for critical infrastructure at home are uniquely the purview of government, and thus the government must step up and make the strategic investment in what is essentially the central nervous system of the nation. An effort of this magnitude will require a unified approach across the Executive Branch and broad bipartisan support from the U.S. Congress.

Trade policy alone, particularly one given to broader compromise, will not allow the United States to define how other nations choose to implement infrastructure that U.S. national security communications may need to pass through. The United States needs a unified vision of how to compete in terms of technology and closing deals for U.S. advantage. As with the defense industrial base, the USG in the long run should seek to have the private sector operate any new manufacturing capability and thus would need to work in partnership with the industries that best understand the technology and customer needs. The USG would need to stand behind industry efforts to gain deals with other nations—just as it has for other vital industries with national security implications, notably aviation.

The USG, as it has with most national security efforts abroad, would need assistance from traditional national security allies and from countries located at what already are or should be key communications junctures. For example, new pathways might be needed that are less vulnerable to disruption than the ones that now pass through areas exposed to adversary disruption, through areas of dense commercial activity, or through regions of longstanding conflict. As has been done for some military systems, the United States would need to work with trusted nations that can provide useful technology and manufacturing capacity, in part to gain their support for a new player in the integrated telecommunications marketplace.

It will not be enough for the private sector with government support just to create a company to manufacture and integrate telecommunications systems. The USG, in partnership with the private sector, will need to consider how it will remain competitive over the long term.

  • This may require financial support to help industry get through demand lulls, including if demand lags expectations, as occurred from 2000 to 2010, because of slower than expected implementation of applications elsewhere in U.S. infrastructure and businesses.
  • In addition, a long-term strategy would require reinvigoration of investment in the hardware elements all across the U.S. high-technology sector that have either moved to Asia or been too long dependent on investments made years ago. A telecommunications equipment integrator based in the United States would provide an anchor for investment in all of the component technologies and their associated supply chains, including future generations of semiconductors. The success of innovation in the U.S. high technology sector will depend on preserving homeland-based manufacturing and supply chain ecosystems.

Key challenges going forward include mobilizing the USG to act and then drawing in the right elements of the private sector as investors or participants in product development. Then the real work would begin with developing a product line that can compete in terms of the best combination of technology, pricing, and financing. Additional incentives from U.S. and allied governments might be needed to overcome incumbent advantages or to walk back some past infrastructure decisions in key, strategic locations.

This will be a “long march” (as China’s President Xi would say). But better to start now than repeat this conversation in 10 years.


PRISM is the flagship professional journal published as a public educational service by National Defense University. In its 10th year of publication PRISM has a quarterly print run of 11,000 with recipients in 83 countries.


Tom Bossert’s Plan to Hijack the Hack


Tom Bossert spends a lot of time thinking about hacking. The former Homeland Security Advisor to President Trump, who also served as the country’s Chief Risk Officer and Senior Advisor on cyber, left his White House position in 2018.

It happened just after Bossert spoke at The Cipher Brief’s Annual Threat Conference. He returned to Washington to find that under then-incoming National Security Advisor John Bolton, Bossert’s services were no longer needed. So, he went private.

Over the past year plus, Bossert collaborated with other cyber experts, many of them with government experience who had also entered the private sector. They wondered whether the cyber community’s primary focus on end points alone as security targets made sense. They speculated about how the cyber threat landscape would change if they could focus on a relatively small number of capable hackers as well. How much of a difference would it make if they could disrupt the efforts of those hackers?

The Cipher Brief’s Cyber Initiatives Group recently caught up with Bossert to talk about lessons learned from both his time in government and in the private sector and about his new plan to hijack the hack. 

Our conversation, which includes questions posed by Cyber Initiatives Group members, has been slightly edited for length and clarity.

The Cipher Brief:  Welcome, Mr. Bossert.

Bossert:  Thank you. Since my last time talking to you formally was my last official public speaking opportunity while I was in my White House job, I am glad that my first public speaking opportunity now in my new startup is with you so, thank you for having me back.

The Cipher Brief: We are very excited to have you. Let’s talk about lessons learned both from your time in government and in the private sector. Since leaving government, what are some of the developments in cyber that concern you the most?

Bossert:  In the cyber security realm, I am struck by something in the existing cyber security strategy that came out shortly after I left, and that is a very small but very powerful sentence that suggests we still need to do work to determine the various roles and responsibilities – not only among and between different federal agencies – but among and between private actors, private sector and public sector, if you will.

For us to now be 15 or 20 years into this experiment and still not have a general sense for who should be held accountable for various forms of security in this space, really strikes me as a profound concession. I think at the technical level, most of your readers have a pretty deep understanding of what’s achievable, given the laws of physics and so forth, but the responsibilities for various investments and security standards at this stage are so spread and there are so many different opinions on them, that I am almost struck by a sense of impossible consensus building.  In my new private role, I’ve come across customers that range in their views in such a dramatic way that some value security and some take active steps and measures to make it almost impossible.

The Cipher Brief:  What about the more ‘aggressive’ approach that the U.S. government has taken when it comes to nation state threats in cyber? Will it make a difference?

Bossert:  I’m not sure what I’m being asked to support. If there’s a criticism in that answer it’s not meant to be direct or stinging. I’m not trying to make news, but I suspect that the questions that would have to be answered before I could tell you that I fully support or don’t support all of those assertions in that strategy would end up taking most of our time today. Let me explain what I mean.

A lot of attention has been brought to this increased muscular language of offensive, almost ‘first strike’ type of cyber effects operations that it seems to imply. I’m not entirely certain that’s what this strategy is meant to imply. Perhaps it is suggesting that we should be unapologetic about taking steps to defend ourselves. If that’s the case, I support it wholeheartedly.

If perhaps it’s a little bit of rhetoric to indicate to our adversaries that we won’t be tolerant, if that’s the case I support it wholeheartedly. But if it’s instead meant to suggest that the United States is going to change its value set or scheme in such a way that it would justify our first act or our first move or use of cyber capabilities to cause physical effects in foreign countries for the purpose of achieving some larger geopolitical objectives, then I’ve got deep reservations.

It’s not within the standard value set of America to disrupt the power grid or bring down the operations of some foreign government unless they deserve it and there’s a pretty well keeled set of discussions that go into use of force, justification, proportionality, and so forth. What I don’t know entirely, and I think there’s some legitimacy in not knowing, is how much strategic latitude or ambiguity was intended by our current strategy. As a result, what will be interesting to see – but I’m respectful of its classification levels – will be what they’ve replaced the Obama era policy with. We know that they’ve replaced some of those classified directives, we just don’t know what those replacements say.

The Cipher Brief:  What is your assessment of today’s cyber threat posed by China, and what will it take to manage that threat more effectively?

Bossert: Vulnerabilities remain, and they abound. Various companies have various capabilities and they’re all in some ways incapable of keeping up with a determined Chinese intelligence collection operation. What we’ve seen with the Chinese was something that still consumes a lot of the intelligence community in their debate.

The first thing we saw was what seemed to be a reduction in their state sponsored cyber operation against the United States, in particular in the commercial realm, after the Obama–Xi Head of State agreement that garnered so much bipartisan support. I think a lot of people were tempted, including myself, to believe that there was a causality there. There was a linkage between that agreement post-OPM and the Chinese reduction, not their termination of, but their reduction in their cyber operations. Subsequently though, we’ve seen that they used that time frame, whether by design or by opportunity, to re-organize, to improve their capabilities, and to streamline the approval process in the authority scheme inside their own government to make their current use of cyber effects operations more effective.

There’s some beauty in the effectiveness of even the bad things that they do to us in some perverse way. As a result, we’ve also seen the uptick of their bad behavior. So, the question now remains, is it motive or was that their design all along? If it’s motive, is it because we’re now in some trade war?

I’ve often reminded people that cyber security is just an issue surrounding a tool and it’s not the entirety of the entire geopolitical risk management spectrum. I think the Chinese are using this tool again against us because they’re frustrated. I think they’re using it against us in the commercial sense because they perceive themselves to be in a commercially motivated trade war.

I think President Trump, at times chooses to reinforce that belief and at other times chooses to frame his trade speak with them in different terminology. And because he’s inconsistent, I think they’ve taken that as a green light to hit us harder on the commercial gains side, meanwhile paradoxically they’re increasing their IP protections within their own country for things that they don’t care as much about that are not in their 2020 and 2030 outlook strategies.

What do we do about it? I think that takes me to the first question you asked me. I am pretty comfortable increasing our gray space, people use different colors here, but using our current offensive discussion more aggressively. I just want to stop short of cyber effects operations that make us as bad as the bad guys that we’re criticizing.

The Cipher Brief:  You mentioned something about this recently at the World Economic Forum in Davos when you told the crowd that you wanted to introduce policies that would let the U.S. government get its hands around the necks of enemy hackers who cost the U.S. billions of dollars every year. What does that mean exactly, when it comes to hackers?

Bossert: The vast percentage of really high-end intrusions – the code, the programming and the payloads that are used against U.S. companies and U.S. interests – are developed by a smaller set of highly advanced code writers, call them hackers in this case. But there is a larger group of people than that who use those capabilities even within our own scheme of governance. The U.S. Cyber Command is made up of a large number of people that will use tools and elegant, exquisite capabilities developed by a smaller subset of essentially, weapons designers in this analogous world. What you have to do is figure out who are those people that really develop the cool and new capabilities against us, the exploitations that run against the vulnerabilities that we are constantly discovering? Then figure a way to either discourage them or to remove them from the game space.

I was perhaps, too lax in my terminology there and what I stated in Davos drew some criticism. What I was trying to do was explain that there is a lot of money being spent by the representatives and their companies in attendance at that royal economic event and that all that money was being spent in a defensive manner and that the government had a slightly different role and a larger remit and that the government could spend some of its authorities and money and resources on trying to actually get to the root of preventing or reducing some of these operations. I said colloquially, “We might be able to get our hands around the necks or the wallets of the smaller subset of these hackers.”

What I meant was the really smart ones that are developing the exploits as opposed to the larger pool of people that were using those exploits. Afterwards, the criticism was thoughtful. It came largely from the U.S. community and British community who said to me, “Are you suggesting that, akin to the nuclear arms race, we’re going to start seeing hackers killed in foreign use of force operations the way we’ve seen nuclear physicists killed in the Middle East?” I suggested that that was not my intent and that I didn’t want to have all of our NSA Advanced Acquisitions hackers targeted for physical violence so, I had to pull that back a little bit.

My point was that the government could go after the root cause a little bit more easily and that private industry right now is left in a very costly defensive posture.

The Cipher Brief:  That’s exactly how a lot of private sector companies are feeling. Let’s explore that just a bit further. You have said publicly that you do not support hacking back, why not and what are the risks as you see them?

Bossert:  The hack back debate has been retread several times. Of course, the short answer to that is vigilantism never really pans out. You’ve got all the things that go into it. You’ve got potential miscalculations on attribution and then obviously our adversaries are fairly savvy and they look to obfuscate themselves and maybe even draw attention to third parties that they would enjoy putting the blame on, so our companies would get into an increasingly costly, increasingly risky, and increasingly disruptive practice of global or international vigilantism. I just don’t think it is a productive thing to engage in.

Every country is going to operate with their own set of rules and there are going to be mistakes made and tensions and escalations in the process. There are capabilities in the commercial sense, and I’ve joined a team of people that have found one of them, to improve the odds for the defenders in this case. For the companies that can’t hack the hacker and do something that would put them into this vigilante posture, they nevertheless need something that’s more effective, proactive, and that can allow them to increase the work factor on these bad guys, not increase the physical threat to the bad guys.

The Cipher Brief:  You now serve as Chief Strategy Officer for a company called Trinity Cyber. To the best of my understanding, you are trying to hack the hack itself, not necessarily the hacker, by implementing a number of strategies to do that. What are those strategies?

Bossert:  I can explain it this way – if you take the enormity of the problem, the increasingly large number of end points, users, and the complexity that goes into all of those things that make the internet easier for all of us to use – for example, when is the last time any of your readers has ever had to think about setting up a printer? That used to be a very complex task and we always valued our IT guy in the office who could do that.

Nowadays all of the complexity is obscured from the user. The number of end points is growing, the number of connectivity points are becoming different to manage, and of course, the Cloud has grown to consume not just data but all the compute power that goes into the online world in which we live and the enormity of that problem seems difficult.

What we did was ask a different question. What would it take for us to focus on that relatively small number of capable hackers that I alluded to earlier? What would it take for us to make their job, their mission, difficult? As opposed to focusing, not that we dismiss or don’t focus at all on the end points and the various applications and operating systems and so forth, but let’s not look at that.

Let’s make the math work in our favor and look at the relatively small group of advanced hackers, their tradecraft, and how we might disrupt it in a way that would induce into them, not a pain point, because that suggests some kind of hack back threat, but introduce some type of increased failure rate, work factor and frustration level for them?

Because remember, they’re bad guys to us because they’re good guys to the other foreign nations that pay their bills and they’re really just operating in a work environment where they have time and money like every other human being.  As Chris Inglis used to say, “Human beings are the coin of the realm, not really budget.”

The human beings on the other end of this problem are smaller in number, smaller in volume, and their tradecraft and their methodology for hiding each new exploit is really not that different than it was two, three, five, or even 10 years ago. The team of people that we’ve amassed here, I joke on our website but it’s true, are actual geniuses. They’ve all passed their aptitude tests, have really big brains and have developed the capability to literally interrupt, and the key to this is in ways that should remain invisible, adversarial tradecraft in transit.

The Cipher Brief:  We have a question from one of our members, who says ‘We hear a lot about business to government, government to business information sharing. We don’t hear as much about cooperation on offensive operations. Can you comment on what you see as the proper role for the private sector to interact with the government?’

Bossert:  The premise of that is offensive, which could get me in trouble. If the private sector were to start providing a list of targets to the government, which is often the first response you get when you get into the vigilante question, they say, “Well if I’m not allowed to go and take matters into my own hands with the bad guy, I’m going to give you the name and number of the bad guy and you go take care of them.” If that’s the question, then I think the answer I will give might frustrate the questioner.

I think that it’s going to be a very difficult inflection point. I don’t think the U.S. government, at least at this stage, will entertain hacking back on behalf of the victims, they’ll first prefer to use other means and tools available to them from law enforcement, to information, intelligence, and diplomacy before they get into imposing a direct tit for tat consequence. Now that’s not to say though that they won’t take other – what I’ll call technical measures and steps – to try to interfere or influence or make harder the life of that bad guy that the private sector has identified.

I want to encourage the continuation of a reporting loop and I’d like to, and again I’m not being critical, but I’d like to motivate the current administration to develop means and methods of sharing that information without putting it behind the law enforcement cloud. A lot of companies, and I understand exactly where they’re coming from, have no interest whatsoever in calling a law enforcement entity because they’ve had some negative experiences in the past but they’d be more than happy to call a technical cyber security entity and report to them what they’ve experienced. The difference becomes what they will and won’t expose in their own networks to various authorities that might have some other law enforcement remit that could get them in trouble. The answer is we (USG) could do a much better job on the receiving end of this reporting cycle. That goes for not only reporting threat information or sharing it back out, but also for reporting those larger tradecraft issues. If your questioner was asking about the, “Here’s the bad guy, well go do something about it,” I think the government can do more, in that it should find a better way of intake. I’m not knocking the FBI here, but I do know that there are limitations to how they receive information.

The Cipher Brief:  What about commenting on what you see as the proper role for the private sector to interact with the government? Is there a proper acceptable level of information sharing between the two that we should have achieved by now or we may be able to achieve in the foreseeable future?

Bossert:  Information sharing is almost an old cliché. It’s frustrating for those of us that have followed this for so long. Information sharing was encouraged, and it still should be, for the purpose of enabling a better collective defense if you will. Let’s think about how this works in the cyber world.

There are various ways companies subscribe to these different threat reporting services. Some of them come in through government services depending what sector your company might be in, and they take that information and they use it to essentially create a ticket that they put into their system that they then close. That’s a very simple way of saying that it’s a highly reactive response and remediation cycle that we’re in and we call that cyber security when it’s really a responsive form of resilience.

What we’re not doing is achieving that philosophical objective of sharing information so quickly that patient zero never becomes patient one or patient two. I’m not entirely sure we ever will. The better your system, the better your people are at ticket management, then the more advanced the technicians are that can look at the vulnerability and think through patches and solutions, then maybe the faster we’ll solve that problem. But there’s still the requirement that you have a person taking a ticket, managing it to some fruition, and then maybe putting a patch on.

I think that the information sharing game is important. It should continue, but I think that we need to start upping our game in a different way and that’s a little bit of what I was alluding to with the Trinity Cyber approach.

Looking at the methodology for hiding the new vulnerability instead of looking at that new vulnerability itself and then trying to take action on it in transit is a proactive approach, but it’s also a different methodology for detection. It’s to not focus on the algorithmic streaming, packing identification that might be bad, that might have a high false positive rate, and/or relying on this better, perfect, efficiency point of information sharing under the notion of threat reduction. I think there’s a better way.

There are always efficiencies that can be gained if the government would intervene to help where information is concerned, but I also think we have to redefine what we mean by sharing and I’m glad that the reader asked about it in the context of offense. So, in other words, some of these high end SOC stats that we see, are really fun to work with in the position I’m in now. When I was in government, they were very different to work with. They would only provide that which they absolutely had to with their guard up. Now in this private solution space, we’re a vendor but we have a little bit of a different relationship with our customers.

The Cipher Brief:  You started off this conversation talking about sorting out roles and responsibilities between the government and the private sector and the new cyber security strategy. Are there other countries you could point to that are further along in this process than the U.S. or are all states equally struggling with this division of labor?

Bossert:  That’s a great question. All of these have been very good questions. I think the answer to that unfortunately is, I’d like to be full of bravado and say The United States of America is par excellence, number one, but in this case the British were out in front of us on the willingness to take gray space action, as long as it was sub-provocative I’ll call it, so that doesn’t constitute the level of annoyance that might start a war, but I think they were also ahead of us in their organizational concepts. Now they’ve got some different authorities there, they’re not quite suffering from the same federalism concerns that we are and there are pros and cons of course on a bigger analysis but, the British are probably just a little bit out in front of us in terms of how they’re staffed, organized, and resourced.

The Cipher Brief:  Give us an actionable item we can walk away with. When you’re sitting with your family at Thanksgiving dinner in a couple of weeks, what advice do you give them about their own personal cyber security?

Bossert:  My first advice is to not talk about cyber security at the Thanksgiving table.

My second advice, honestly, maybe I’ll take the first half of that question. The mistake being made by some pretty senior policy makers in this country is to complete this belief that we’re moving towards, and I believe we are, the return of what we call a major power conflict with a belief that cyber security is somehow an unrelated symmetric tool only used by small players. In fact, the cyber security vulnerability and the cyber security threat is increasing for the very purpose and for the very reason that the people that are most adept at using it are the people that are resourced within these major powers that are engaged in this conflict. The major power conflict that we’re returning to is a Cold War era struggle in which almost every other country is smaller and less capable than The United States and therefore motivated to use these asymmetric tools like cyber security to disrupt us.

I’ll give an anecdotal example of what I mean. The Iranians used to come after us with low level, not very sophisticated, denial of service type attacks, maybe in the 2010 to 2013 time frame. They went after some U.S. banks, notably, because they were very upset with our foreign policy and they thought they could influence change in it by doing so, but they were really, really unsophisticated. They then, post the JCPOA, the Iran Nuclear Deal, decided that they would change their behavior. They stopped coming after our U.S. companies, but they took their time like the Chinese did, to regroup and to increase their capabilities and their sophistication. They had that increased capability and sophistication and they didn’t use it against us during that relatively short period of time at the end of the Obama administration. Now they’re frustrated, rightly or wrongly.

I’m not defending the Iranians. I think they are a very destructive force. I think the President was right to call them out in a lot of regards, but post the JCPOA or this president’s decision on it, they had decided to take their capabilities, their highly advanced ones, and start coming back after us for saboteur purposes instead of the theft of intellectual property or some financial gain.

What terrifies me now is that their geopolitical motivations and their increased cyber capabilities are going to turn them loose on us in a way maybe just shy of an act of war but highly disruptive and costly. We’re starting to see them stuffing certificate requests and DNS requests and things that allow them to key harvest. That is a harbinger for bad things, and I am very hopeful that our U.S. capabilities are focused on it.

The Cipher Brief’s conversation with Tom Bossert included questions from members of The Cyber Initiatives Group.  Find out more about joining this public-private group of cyber professionals focused on sharing ideas, information and techniques to make cyber safer for everyone.