Episode 79: Cyber-crime Vs. Cyber-warfare Vs. Cyber-espionage
Amrit Williams, BigFix CTO, discusses the differences between cyber-crime, cyber-warfare, and cyber-espionage with Will Gragido and John Pirc of Cassandra Security.
FULL TRANSCRIPT
Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and I am back with Will Gragido and John Pirc. Guys, thanks for joining me back.
I want to switch gears a little bit. Since both of you guys have a background in DOD and Intel, one of the things I have been struggling with a lot is how we communicate inside of the security industry and then how that’s adopted by the media. I think it has been troubling me lately.
And the trouble that I am having is this concept of cyber warfare versus cyber crime versus cyber espionage. The first thing that I would suggest is that, really, there is nothing new going on here, the only thing that’s new is that there is a new medium that’s being used to basically execute some of these things.
So criminal activity isn’t new, organized crime isn’t new, sophisticated organized crime is not new at all, it’s just, here is a new medium that they are using to basically further their gains.
Espionage is not new. Espionage has been going on for a long time. And John, if you spent some time in the CIA, I am sure that you may have heard of what we were doing in Nepal and India during the Cold War, because China and India are pretty close to each other, and I know the U.S. government was very concerned about that in the 50s and 60s, but we will never hear about it. So there is definitely a lot of espionage that occurs, there is just a new medium that’s being used here.
Warfare, obviously, is not new. It’s been around since the beginning of time. But it really is the distinction between these things that I think the media is having a very difficult time grappling.
I also think the U.S. government and probably every other government is struggling with these two. We have already segmented and created agencies to deal with each of these things independently. If you are talking about criminal activity, well, we have the Department of Justice, they deal with those activities. If you are talking about warfare, well, we have the DOD, whose charter is to support the war fighter. And if you are talking about espionage or intelligence, well, we have got several intelligence agencies that deal with those things specifically.
But what I see happening right now is a convergence of all these terms into one thing, and then you have very scary responses from people in the U.S. government, Congressmen and Senators, that say things like, we have just had a DDoS attack from North Korea, it deserves a kinetic response. And you look at this and you go, are you ridiculous, are you kidding me? I mean, this hasn’t even reached the level of cyber espionage, this is like kid stuff.
So I want to get you guys’ take, since you have that background, on how we help folks better understand the differences here, because when we start saying things like China attacked the U.S., this Google thing, you get very close to having people in the DOD say things like, then we need to respond kinetically to that. And that is a very, very inappropriate response for what we just saw.
Will Gragido: Yeah. I think — you bring up a good point, right, points of confluence within — and largely because of the economy or the Internet, it’s an interesting time we live in.
John and I spend a lot of time researching this obviously, and we also have our collective backgrounds to pull from, which suggests that there have been fundamental changes. The world, as Thomas Friedman said years ago, has become flat, either the flattening from a global vision perspective and the rapid adoption of technology, it’s a foregone conclusion that more people, good and bad, will have access to more advanced technology.
You touched on a very interesting point from the segregation of what is traditionally considered criminal activity versus — that was just considered the realm of warfare, which is — and then of course what is considered to be the realm of intelligence. In traditional terminology, those are nothing new, and I think anyone with any kind of experience on pedigree, pulling from background such as our own and environment such as our own, would say that, yeah, those have been ongoing, and they continue to be ongoing, and that it’s just a natural progression that we are seeing today.
I think where the difference becomes is really the rapid fire adoption, and certain historical events that triggered the economic ecosystem developments, which saw the rapid fire arms race, if you will, or the creation of the cyber arms dealer, coming to fruition.
And I think that, to your point about response, it’s an educational process. There is a lot of fear, uncertainty, and doubt, and it is inappropriate to suggest that one should retaliate against something when we don’t have all the facts.
In 2007, for example, to your point about organized crimes, here in the United States, three members of the Lucchese crime family in New York were indicted by the Department of Justice for SEC violations, and trying to manipulate via cyber criminology and manipulate the markets, so that’s an example of cyber crime, and in a very sophisticated format.
Why are people doing that? Why do we see an evolution of organized criminals as well as less organized criminals? Because the risk to reward proposition is greater and it’s in their favor. It’s a lot less risky to, from their perception, to become involved in cyber criminal activity as it is to say traffic invoices, which is a traditional area in which those organizations grew from and derived profitability from in the past.
The same can be said of organizations in Central and South America and in Asia and in Europe, right?
(00:05:09)
Amrit Williams: Absolutely.
Will Gragido: I think that we are seeing a lot of this going on, and it is becoming a bit of a — we are throwing the baby out with the bathwater in some senses, and that needs to change.
John Pirc: Yeah Amrit, I mean, to expand on what Will said and to your point, I mean, distributed denial-of-service attacks, do they require a response because they knocked a website offline? I mean, I think that’s ridiculous from my point of view.
I think when you start looking at the severity of the attack. So for instance, let’s just say, someone took over our power grid and shut that down. I mean, something that is more catastrophic, where there could be human loss based upon a certain technology that they are shutting down or taking advantage of, I would say in maybe some instances those would — because there is some sort of retaliation back.
But the whole notion of DDoS attacks that we are seeing, shutting down social media websites for a little time, I mean, that’s more of a nuisance, and to your point before, it’s child play. I mean, those type of tools are easy, readily available. I mean, I have a 12-year-old daughter who could probably run those tools.
But when you get into things that do cause catastrophic damage, I think that’s when we need to start worrying or start doing the retaliation. But furthermore, this is where we really start — where we really need to start showing up our defenses and critical infrastructure so we don’t see anything like that.
Amrit Williams: I agree with you completely. I would just say that we have to be careful if we are only looking at the measure of an attack as an indicator of how we should respond, because in many cases a criminal organization could use what appears to be a state-sponsored national attack to create an economic windfall for themselves, depending on what type of investments they were making.
And if you think about it, and the best way to deal with criminal activity is to change the risk/reward equation. So the best answer to deal with cyber criminals is to look at the economic situation. The best way to deter a war is with deterrence. And it has been proven in the Cold War, for example.
So it’s not an economic situation necessarily, but it is one of deterrence, and we need to look at that in terms of cyber warfare, if it’s state-sponsored.
And in terms of cyber espionage, well, the best deterrent for that is misdirection, it’s propaganda. And the intelligence communities know how to do that quite well in the physical world.
But I always get a little bit nervous when you look at just — if you only look at the attack type, because it is really, as you guys know, extremely difficult to prove that somebody, state-sponsored, was behind anything.
And quite honestly, I would bet you anything, and I know the Chinese government says this, but whether it’s true or not who knows, I bet the Chinese government is under much more attack than the U.S. government, because their infrastructure is far less technologically advanced than ours. They are using, in many cases, U.S. made infrastructure and U.S. made computing devices and U.S. made software, so I would guess, if you had the U.S. and China sitting at a table talking about cyber security, China would be far more fearful of what could happen than the U.S. would, with one small caveat, which is obviously the U.S. is far more reliant on critical infrastructure in terms of digital assets than they are. But that is changing.
Will Gragido: Yeah, I would agree with you Amrit. I think the burden of proof is ultimately speaking more important than any type of analysis activity. And understanding the psychological motivations behind any given instance or event of interest is equally as important. And it is irresponsible to suggest that an event of interest mandates or requires a response without having done the due diligence to unequivocally ascertain that party A is responsible for events D and E, right? So it’s really — and I think the media, being the media, has a tendency to gravitate towards the sensational, and that doesn’t help anyone.
Amrit Williams: On the one side — I mean, you are absolutely right, and I wasn’t suggesting that you guys were suggesting that either. But warfare has changed as well. And I remember right after 9/11, you guys read ‘The Onion’, fake news?
Will Gragido: Oh yeah.
Amrit Williams: I thought — and as — it was very difficult to find humor and just get back to day-to-day life after 9/11. But ‘The Onion’ ran an article which basically said, U.S. government, wishing it had somebody to bomb. And it just sort of speaks to what’s going on in global dynamics anyway, which is, it is no longer large armies facing off with each other, we are talking about very small coordinated guerrilla warfare. That’s in the physical world today, and that’s definitely being transpired and being executed in the cyber realm, so it becomes very difficult to find borders, to find nation states to face off with.
(00:10:00)
And it could very well be that a small guerrilla organization inside of China, or inside of the United States, does not represent the feelings of the state that they are in, and then they spark off something pretty devastating, and that’s really scary.
John Pirc: Asymmetric warfare. I mean, you bring up a good point. I mean, the technology and tools that are available today, like you said, I mean, it’s kind of like finding a needle in the haystack. I mean, you can find out the points of origin, where some of the attacks are coming from sometimes, but those can be hidden as well. But I think that’s quite possible for a small group to entice a lot of activity hoping for some countermeasures to come back on the other side.
I mean, to your point earlier, I mean do we go back and hurry up and bomb whatever country that’s — or retaliate via electronic news to the other country, you just have to have that data, and like we all know on the phone, that’s very hard to pull together.
Will Gragido: Right. I would say that there has been quite a large body of knowledge and data put together over the last ten years. A great example of that is ‘Black Ice’ by Dan Verton, which was released in 2003. Dan Verton was a former United States Marine Corps intelligence officer and he is a journalist. You are probably familiar with him. He wrote the book ‘Black Ice’, specifically as it related to exercises that were conducted by the Department of Energy out of the Idaho National Laboratory and Pacific Northwest Power conglomeracy to test infrastructural capabilities in the event of a cataclysmic failure or event, whether they were naturally caused or whether it was unnaturally caused, in order to test and see what the potential ramifications would be in the event in which it occurred, and an unknown variable such as cyber warfare or cyber activity was introduced.
‘Black Ice’ led you to ‘Blue Cascade’ three years later, which was interesting, because the exercises yielded that over the span of time between the two individualized exercises that nothing had changed fundamentally from a posture perspective.
Verton hit on some very, very good points, and he took that data and extrapolated the information that he gleaned, and pulling off of his own background and talking to folks like Robert Clark and other folks that the probability of cyber-based attacks, and he was focusing specifically on subnational attacks, specifically al-Qaeda being a primary focus, because at the time that was a very hot ticket item, and we know that in early 2001, prior to 9/11, al-Qaeda had been operating pretty heavily, from a cyber perspective, hopping from Pakistan to Saudi Arabia and into the United States, doing things like enumeration and network mapping and things of this nature.
So the reality is that — again, just like we talked earlier, these are not new activities or occurrences, but the burden of proof is required, and in order to curtail unnecessary levels of alarm and fear, we need to have that. We need to be — we need to exercise discipline, and we need to exercise due diligence in order to really ascertain what is occurring and who is responsible.
Amrit Williams: I completely agree. You said something very important that I want to make sure doesn’t get missed in those who are listening, when you said, whether it was from a cataclysmic or a cyber event, at the end of the day organizations should be very, very focused on how they return their infrastructure to homeostasis regardless of the method of attack or exploitation, whether it is malicious, intentional or unintentional, whether it’s created through a digital asset or whether it’s just an operational failure of the infrastructure that happens all the time.
I think people forget that, because of what’s going on, they lose sight of, at the end of the day it’s about availability and survivability for a lot of organizations. It becomes extremely critical for returning services back, regardless of the method that puts them down. So I thought that was a nice observation.
Guys, I really appreciate you joining me today. I want to make sure that the folks listening have an opportunity to reach out to you guys, so if you could, Will, if you could state how they get to Cassandra, and then if you could both sort of state how folks can find you on the Net and reach out and talk with you if they would like to get more information?
Will Gragido: Sure. Well, we are available at www.cassandrasecurity.com, and they can reach me directly at will@cassandrasecurity.com.
John Pirc: This is John. You can reach me at john@cassandrasecurity.com. You can follow me on Twitter as well, so just search for jopirc, and you can follow me. Again, thank you so much for having us today.
Amrit Williams: Oh, you guys were great, so I am really glad that you guys were on. Thanks very much. I will have you back on again, hopefully you guys will join.
Announcer: You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.
Thanks for listening.
