Tara Maller: Enhancing the Cyberdiplomacy Arsenal

Tara Maller is a research fellow in the National Security Studies Program at the New America Foundation. Her current areas of focus include sanctions, diplomacy, intelligence, cybersecurity, terrorism and women in security. Previously, she worked at BrightWire Inc., a NY-based startup, where she served as the managing editor and managing director of Operations, Americas. In 2011, she received her Ph.D. in political science at MIT, where her dissertation focused on information collection, diplomacy and sanctions. During this time, she was an affiliate of MIT’s Security Studies Program and she served as research fellow in the International Security Program at the Belfer Center for Science & International Affairs at Harvard’s Kennedy School of Government. Previously, Maller worked as a military analyst at the Central Intelligence Agency, focusing on the Iraq insurgency. She has published articles in The Washington Quarterly, Studies in Conflict and Terrorism and PS: Political Science and Politics. She has also written for foreignpolicy.com, CNN.com and The Huffington Post and has appeared on CNN’s Erin Burnett OutFront and Bloomberg’s Bottom Line. She graduated with a B.A. in government from Dartmouth College and received a M.A. in international relations from the University of Chicago. You can follow her on Twitter at @TaraMaller

This working paper was written for the conference on “China-US Cooperation & Disagreement Management with a Vision of a New Type of Relations.” The conference was hosted by the China Institute of International Studies and took place August 18-25, 2013 in Changchun and Beijing. The paper was presented as part of a panel on cybersecurity.

A few months ago, the Syrian Electronic Army hacked an AP Twitter account and posted a tweet that read, “Breaking: Two Explosions in the White House and Barack Obama is injured.” It was quickly remedied with the AP locking down the site and individuals indicating this was not true, but the tweet had a short-term impact on the market with the Dow dropping more than 140 points in response to the initial tweet (and then rebounding). Early this month, the same group took over the blog account of a British journalist with a message stating, “Nuclear strikes on Syria: the genie is already out of the bottle.” While these attacks did not cause physical damage to infrastructure or loss of life, these examples illustrate how easily the cyber realm allows non-state actors and individuals to employ an asymmetric tactic to pose potential economic or military harm to larger countries like both the United States and China. This can be done through various types of attacks including ones that put out false information, steal information or deny and disrupt services. While both the US and China have bilateral grievances and legitimate disagreements with each other in the cyber domain, cybersecurity is an issue that goes beyond the US and China. Both countries ought to be able to work together to recognize that they share a mutual interest in cooperating on cybersecurity because a variety of actors in the international system can pose a threat to the prosperity and well-being of both countries over the longer-term.

The purpose of this conference working paper is to emphasize the importance of diplomacy in the realm of cybersecurity, point out some of the obstacles to diplomatic progress and suggest some ways to start moving forward on the cyberdiplomacy agenda.

While we’ve seen cybersecurity rise to the top of the United States’ foreign policy agenda, we haven’t yet seen the full-fledged diplomatic effort that is needed to address associated issues; nor have we seen concrete results. Nevertheless, we can identify promising signs that both the US and China are ramping up efforts to engage in dialogue on these issues. Just this week, Christopher Painter, the US State Department Coordinator for Cyber Issues, acknowledged the depth of cooperation on the issue by saying, “I know I’ve been to China more than any other country since I’ve taken this job.” In June, China’s Ministry of Foreign Affairs announced it had set up a cyber affairs office “to coordinate deal diplomatic activities related to cyber affairs.”

To date, we’ve seen some incremental steps that are promising, but more can be done to overcome barriers to cyberdiplomacy and enhance the cyberdiplomacy arsenal. Both the US and China play critical roles in ensuring that a diplomatic strategy lies at the core of joint US-Sino efforts to resolve cybersecurity issues. Both countries must work together to establish concrete frameworks, mechanisms and communication channels for working through these difficult and complex cyber issues.

While we have not yet seen a cyber attack lead to a military conflict, nor have we seen a cyber attack carried out as an act of war or in the form of a deadly terrorist attack, these remain serious and real threats to both countries. In the interconnected and globally interdependent world we live in, a large-scale cyber attack on either the United States or China – whether it be economic or kinetic in nature – would have ripple effects felt beyond the borders of both countries. The US and China share incentives to cooperate to secure cyberspace even if they have bilateral disagreements about the norms governing their own cyber activities. Having said that, the divergent viewpoints between the United States and China on matters related to economic espionage and intellectual property need to be directly addressed on a continual basis and need to be taken seriously, or they have the potential to heighten tensions between the two nations and undermine progress and cooperation in other foreign policy areas. However, patience is definitely needed by both sides, as diplomacy should not be expected to resolve all differences between the United States and China overnight.

My doctoral dissertation focused on the role of US diplomacy in the context of US sanctions episodes, so I come to this discussion as someone who has studied the value of diplomacy in the context of a wide range of difficult and complex issues. Many of these lessons from my work can be taken and applied to the challenges of cybersecurity. In this paper, I’ll set forth some of the challenges to cyberdiplomacy and suggest some mechanisms for overcoming these challenges. I’ll also address some concrete measures the US and China could take going forward in the realm of cyberdiplomacy.

Prioritizing the Cybersecurity Threat

Clearly, cybersecurity has become one of the primary areas of focus on the US national security agenda. In the March 2013 Intelligence Community’s Worldwide Threat Assessment, the Director of National Intelligence, James Clapper, named the cyber threat as the number one threat to the United States. In a speech this fall, then U.S. Secretary of Defense Leon Panetta warned of the potential for a “cyber Pearl Harbor.” The possibility of a large-scale cyberattack on American soil with physical ramifications and loss of American lives is a real one. According to U.S. military officials, cyberattacks on critical U.S. infrastructure increased 17-fold from 2007 to 2009. In 2011 alone, cyberattacks increased 40%. In the 2013 defense budget, cybersecurity is one of the few areas of defense spending projected to increase. The United States is concerned about cyber threats from a broad landscape of international actors – both state and non-state. According to a July 2013 report by the Congressional Research Service (CRS), “National Security Advisor Tom Donilon said in a speech on March 11 that concerns about cyber threats, not ordinary cyber crime or hacking, moved to the forefront of the agenda with China (up to the level of the President)…” The CRS report also notes that President Obama raised the issue of cyber threats as a “shared challenge” with President Xi Jinping in a call on March 14, 2013.

In response to the growing concerns over the cyber threat, the U.S. Department of Homeland Security (DHS) and other Washington, D.C. professional organizations and universities have ramped up recruiting and hiring for cybersecurity jobs and educational programs. The Cyber Command at the Pentagon has also fortified its workforce and resources. Earlier this year, the Washington Post cited the dramatic growth of the US Cyber Command from 900 to 4,000 personnel. However, we have not seen the same degree of proliferation of offices and roles dealing with cyber at the State Department. There is the Office of the Coordinator for Cyber Issues and others who deal with internet-related topics at the State Department. In his Foreign Policy piece on this issue, Tim Maurer notes that, “the number of diplomats clearly pales in comparison to the number of warriors at Cybercom and other arms of the Pentagon, to say nothing of the cybersecurity elements at the Department of Homeland Security.” In June, China’s Ministry of Foreign Affairs announced it has set up a cyber affairs office “to coordinate deal diplomatic activities related to cyber affairs.” Globally, other countries also need to start ramping up the attention and focus on cyber-related issues. In an interview just last week, Christopher Painter, the US State Department’s Coordinator for Cyber Issues, noted that, “There are probably now 10 counterparts to me around the world, which is a good thing because that elevates the discussion and policy issue, and grounds it in the reality that it’s not just this technical issue, it’s a policy area.” While these are all steps in the right direction, more needs to be done in the realm of cyberdiplomacy.

Obstacles to Diplomatic Progress on the Cyber Front

There are a number of challenges and obstacles to cyberdiplomacy – some of which are specific to cyber issues and others which generally plague diplomatic efforts on complex areas of disagreement.

The many components of cybersecurity: When we speak of cybersecurity, one of the problems is that it encompasses a diverse set of areas that probably ought to be broken out into four categories, as they require different types of discussions, norms and solutions: 1) cyberwarfare, 2) economic espionage, 3) cybercrime and 4) cyber terrorism. The US and China have a vested interest in addressing the cyber landscape across all of these dimensions – in terms of bilateral relations and in dealing with the threat posed to both states from non-state actors (such as terrorist organizations and criminal groups).

The scope of the problem in terms of areas of vulnerability and perpetrators: Cybersecurity issues truly permeate through all aspects of our societies. From the individual user’s computer to electrical infrastructure to nuclear facilities, the vulnerable targets are vast, as are the potential perpetrators. Different areas of the cyber realm may require different solutions. Whether dealing with infrastructure targets or business computers or nuclear facilities, there may need to be different solutions to making sure these targets remain safe and that the international community understands the norms and penalties associated with different types of attacks on different types of targets. In addition, both state and non-state actors can carry out cyber attacks, so diplomatic efforts must address both of these areas.

The confusion over applying security paradigms: When dealing with cyber in the state to state realm, do traditional security paradigms and structures apply to the realm of cyber or is it something new in the context of international conflict? There seems to be confusion as to what international law applies with regard to concepts like deterrence or laws of war. The field is not nearly as mature as other areas of conflict, so diplomatic efforts are taking place outside an existing governing structure.

Mutual suspicions and tensions taint diplomatic processes: In addition, political leaders may face more general barriers to strong diplomatic outreach with regard to complex areas where tensions may be high or there may be areas of disagreement – China/US cybersecurity is no exception. Unfortunately, when mutual suspicions and hostilities are present, leaders tend to resist diplomatic outreach and it makes cooperation more difficult. It might also be more difficult to find In the United States, historically, we’ve seen US leaders criticized for wanting to adopt policies predicated on strong diplomatic engagement with adversaries or states with which we have disagreements. In Anatomy of Mistrust, Deborah Larson argues that mutual mistrust may actually create self-fulfilling prophecies between states and failures in cooperation. She argues that officials who fear and distrust one another are likely to take actions which essentially fuel more fear and distrust, which works to perpetuate a cycle by worsening the dynamic that already existed at the outset.

Political pressures and challenges to diplomacy: In general, political leaders may also worry about appearing weak to domestic or international audiences if they make diplomatic overtures or express a willingness to negotiate with certain actors or states. These concerns can be even more salient if they are thinking about reversing their position. In other words, leaders may worry that their previous strategies will be perceived as failures if they modify their positions and they may also fear losing credibility.

Diplomacy Matters

Diplomacy is not just symbolic. It provides a window into both sides’ decision-making processes and motivations – and increases trust between the parties involved. Increased diplomatic interaction also helps clarify the nature of the demands and resolve ambiguity or misperceptions that exist. All of this is necessary in the context of cybersecurity disagreements between the United States and China.

The United States and China both have legitimate concerns and grievances. However, these issues can only be resolved by maintaining open lines of communication and making a strong and concerted effort to cooperate on this very difficult issue and work to institutionalize this cooperation both bilaterally and multilaterally.

My dissertation research focused on the value of diplomatic engagement – not cybersecurity – but many of the overarching lessons regarding the concrete value of diplomacy can be applied to the cyber realm. In fact, my research looked specifically at diplomacy in the context of US sanctions across a wide range of difficult issue areas. So, these were all cases with their own sets of tensions as punitive policies were in place. In my research, I looked at more than 100 episodes in which the US imposed sanctions on other countries. When controlling for other variables, simply increasing the economic costs imposed on the target state did not lead to desired outcomes.

Diplomacy was critical to progress, and diplomatic disengagement hindered efforts to attain desired outcomes. For example, in the most extreme cases, when the US completely disengaged with a targeted country and closed its embassy there, the rate of failure in attaining desired outcomes rose to 73 percent from 42 percent.

The Atlantic Council’s expert on cybersecurity, Jason Healey, writes in a recent article, “The cyber age has barely begun. But already cyberspace is so dangerous, and with so few norms, it has been called the new Wild West. Its future is still a jump ball, however, and there is no way of knowing how sensitive that future could be to the wrong decisions today.”

Both the US and China need to work to attain mutually agreed upon norms and rules governing the cyber realm. As with the traditional realm of war – without a set of international norms and structure in place, misperception may become increasingly likely, with unintended escalation and negative outcomes for both sides. We can see the classic security dilemma at work in the realm of cyber – particularly since offensive and defensive measures can at times be indistinguishable from one another.

However, if the US and China don’t take strong diplomatic measures now to sort out disagreements and cooperate, we risk cybersecurity conflict becoming more and more entrenched over time – making it increasingly difficult to engage in diplomacy or engage one another to resolve differences, establish norms and work together. In addition, we run the risk of cyber attacks or cybersecurity disagreements polluting US-Sino relations in other areas or, in a worst-case scenario, unintentionally catalyzing conflict.

General Recommendations for Overcoming Diplomatic Barriers

In light of the previous barriers discussed, there are a number of recommendations that may help ameliorate barriers to diplomacy and help leaders opt for diplomatic engagement.

Emphasize that diplomacy does not mean equal concessions, but is a process of communication, learning and even expressing disapproval: Diplomacy is a mechanism of communication between states. It does not need to convey an attitude of acceptance or approval of another state’s behavior. In fact, diplomacy can be used to convey harsh messages of condemnation and criticism, and even to articulate threats to another state. Opponents of diplomacy often frame diplomatic endeavors as signals of acceptance of the other side, so framing diplomatic engagement as a way to apply positive and negative pressures can help overcome this limited view of diplomacy.

Engage in both public and private diplomacy: Concerns about reputation or credibility can be ameliorated by starting talks in private. While public displays of diplomacy, like the recent summit in California, are critical, behind-the-scenes talks allow diplomatic foundations to be put in place. The US and China should be engaging in both forms of diplomacy on cybersecurity.

Highlight the many advantages of diplomacy beyond just attaining political outcomes: Diplomacy can yield a number of advantages beyond the immediate attainment of desired outcomes. Diplomatic negotiations can work to transform the nature of relationships between parties, build trust and lead to personal relationships between leaders in both states. There can be spillover effects into other areas and on other issues beyond cybersecurity.

Emphasize that diplomatic progress in one area, such as cybersecurity, can impact positive outcomes in other realms of foreign policy for both countries: Diplomacy can serve as a way to link a broad set of issues together and negotiate differences across these issue areas. Working to resolve differences in cybersecurity can also assist US-China relations and help with progress in other areas that serve both states’ interests.

Breaking down the cyber issues: Given that the areas of agreement and disagreement in the cyber realm span different types of activities, it makes sense to try to work on these areas separately and establish frameworks, norms and international law treating these areas separately. In other words, breaking down the cyber issue into the dimensions mentioned earlier (cyber-terrorism, cybercrime, economic espionage, cyberwar) and dealing with these as separate issues might make it easier to make progress faster on areas of agreement.

Start with small victories: Related to the point above, start with areas of cyber that the US and China agree on and then address some of the more difficult areas of disagreement. Sometimes small mutual victories can help foster cooperation in later negotiations.

Moving Forward on Cyberdiplomacy

Both the US and China ought to embrace a strong push for cyberdiplomacy and work together to create a comprehensive international framework or treaty. A parallel effort should include the ongoing diplomatic meetings that have started – and continued high-level meetings on this issue.

While ideally an official agreement or framework will be put in place over time, the US and China ought to work on confidence-building measures and communicating redlines. The Strategic and Economic Dialogue meetings and the new Cyber Working Group, which first met on July 8, will be key to these efforts. In July, both sides agreed to talk more about the norms governing cyber activities, and Defense Secretary Hagel emphasized the importance of US-Chinese cooperation.

Ramp up on cyber diplomats: The US should devote more resources to the diplomatic side of the cyber equation, namely at the State Department. The China-US Strategic Security Dialogue, State’s Cyber Coordinator and the newly announced Chinese cyber affairs office are all positive steps in the right direction. Both President Obama and Secretary Kerry ought to be having frequent meetings with Chinese leadership on cyber issues and other areas of importance to US-Sino relations. In his Foreign Policy piece, Maurer suggests, “Let’s start by growing our cyber diplomatic effort by at least a factor of five.”

Increase high-level cyber summits: Diplomatic summits and high-level meetings between leaders, like the recent meeting between both countries’ leaders at the Sunnylands Estate in California, are critical and should be continued. Personal relationships are important. Larger summits, conferences and exchanges, such as this conference, are important for promoting a shared vision and for understanding the zones of disagreement.

Increase track two cyberdiplomacy efforts: In addition, track two diplomacy efforts like this conference are critical. Academics, journalists and researchers conversing and brainstorming about ways to find areas of agreement in the cyber domain are helpful in trying to find new and innovative paths that may not be on policymakers’ agendas. For example, the Center for Strategic and International Studies has been helping to organize bilateral talks with key Chinese leaders.

Create cyber milestones: The US and China should work to develop cyber milestones. This could take the form of symbolic goals or a timeline for certain small steps to be accomplished. Look historically to how norms developed around chemical, biological and nuclear weapons and determine if shared norms could create pillars for a new cyber weapons convention or cybercrime convention.

Define which current laws are applicable to the cyber realm and define areas where international cooperation may be required to create new frameworks: In the Chris Painter interview mentioned earlier, he notes that the UN Group of Government Experts (which includes both the US and China) is issuing a final report stating that existing international law included in frameworks like the UN Charter and the Law of Armed Conflict applies to the cyberspace domain. However, while existing frameworks may be applicable in some areas, there is definitely a need for additional new frameworks to govern cyberspace.

Establish a cyber hotline: The US and China should establish a cyber hotline like the one that was recently established between the US and Russia in June. This type of communication channel is valuable particularly in the event of any sort of cyber crisis between states.

Joint study on impact of attacks: In a 2012 paper by Greg Austin and Franz-Stefan Gady, published by the East West Institute, the authors propose that a joint study be carried out by the United States and China. The study would examine the “interdependence of their respective critical information infrastructure in terms of likely economic effects of criminal attacks with strategic impacts.” Joint studies looking at the impact of various types of cyber attacks are useful in highlighting the shared consequences and also help foster greater communication, cooperation and transparency between the US and China.

Make red lines clear: Both the US and China need to make red lines clear by clearly articulating their responses if certain lines are crossed and the types of penalties being considered in response to certain types of attacks, with regard to both non-state actors and states.

Devote significant time and resources to working through disagreements relating to intellectual property/economic espionage: Disagreements over intellectual property/economic espionage are at the heart of US-China differences of opinion in the realm of cyberspace. While hopefully both sides can be brought closer together in terms of their position on these issues, this will undoubtedly take time. This will most likely be the most difficult issue area on the cyberdiplomacy agenda. The East West Institute report suggests establishing a legal foundation to allow both countries to share information and work on joint assessments pertaining to intellectual property-related cases. It may also be worthwhile to try to separate this particular issue out from the other cybersecurity issues on the cyberdiplomacy agenda through separate working groups or officials specifically dedicated to bilateral discussions on these types of attacks. This may help prevent the issues of deepest disagreement from undermining progress being made on other aspects of cybersecurity.
While this paper emphasizes the important role of diplomacy in the realm of cybersecurity, the progress made via diplomacy must be carefully tracked and gauged over time. It is in the best interest of both China and the United States to find areas of agreement on these complex issues or the interests of both nations will be undermined in the long run. If the US, China and other countries can’t work together to govern cyberspace, we are going to see private companies start taking matters into their own hands by attacking back while individual countries start adopting punitive policies like sanctions to address such attacks. We will also see a rapid deterioration in relations between countries due to these attacks and spillover effects into other foreign policy areas of cooperation. This is not in the best interest of either the United States or China – and so both countries should devote significant time and resources to enhancing the cyberdiplomacy arsenal. Back in 2011, Henry Kissinger and Jon Huntsman called for a US-China cyber détente and that is exactly what both countries need to work on attaining right now.

Interview: Ali-Reza Anghaie and Scot Terban on InfoSec, Hackers, China, and Cyber Hype


Ali-Reza Anghaie (Right) is a Consulting Security Engineer and Senior Analyst with Wikistrat. His varied work in engineering and security has taken him to numerous universities and Fortune 500 companies in the Defense, Energy, Entertainment, and Medical fields. You can follow Ali-Reza on Twitter and Quora. Scot Terban (Left), AKA the gonzo INFOSEC blogger Krypt3ia, blogs at http://krypt3ia.wordpress.com. You can also find him on Twitter. Both host the weekly Cloak & Swagger: Security Unhinged podcast.

John Little: Let’s start off with a Skyfall-esque word association game. Ready? “Cyber Pearl Harbor”

Ali-Reza Anghaie: Geraldo. (Yes, that’s my answer. Say `Cyber Pearl Harbor` in his voice and you’ll want to strangle yourself too.)

Scot Terban: Expletive.

John Little: Alright, so what is it about “Cyber Pearl Harbor” that sets you two, and many other infosec professionals, off? What are Panetta, Lieberman, and other Beltway types getting wrong about the legitimate threats we face in the digital domain?

Ali-Reza Anghaie: Let’s clarify “getting wrong” – as professionals we encounter `wrong` all the time. ~Intentionally~ exaggerating and obfuscating threats is what has been happening in DC. However, it’s also politics – you never hear a politician talk about any issue in a way that satisfies the wider professional community of that issue. That’s quite intentional – as the people who really know are absolutely the people that politicians need to play ~against~ to centralize and pull power toward their own spheres of influence.

And that’s really the part that burns me – the echo chamber they’ve built is designed to accommodate just those that will work within the confines of the existing DC dynamic. And so much energy is exhausted in just that posturing that by the time you get to actual technical working groups – you’re already on the tail end of resource availability. So, if you’re lucky, you’ll get through one or two iterations of actual policy driven work before the next manufactured crisis hoovers priority elsewhere.

Since this is the inevitable cycle, I suggest we move straight to the end – private industry needs to step to the plate as a competitive matter because Government, as Government always does, will punish you using whatever laws do or don’t exist as soon as it’s politically tenable. And won’t provide any solutions along the way. Why not just get it over with?

You know – I’d probably be less cynical and in a better mood if you stopped saying “Cyber Pearl Harbor”..

Scot Terban: It’s jingoism at its best. It is propaganda and a tool to get people to react in a knee jerk way.

What are Panetta, Lieberman, and other Beltway types getting wrong about the legitimate threats we face in the digital domain? Everything. They do not comprehend the technologies involved nor the complexities of what they are advocating as the end of the world. They need to let the professionals who deal with this technology and space give the answers. It’s akin to telling a five year old to go on to Meet The Press and explain quantum mechanics.

John Little: There are countless layers to this problem and many of them are not “technical”. There are human factors and physical security issues for example. In most cases there are no paths to 100% security. So where, from a national security perspective, should we focus or efforts and dollars? What would get us the most bang for the buck?

Scot Terban: Well, contrary to what a Dave Aitel or lately Schneier might posit, more security awareness for the general populace to start I think. This is more so for companies that are within the sights of an APT adversary but also look at what goes on with crimeware to start right? How much of this could be stopped just with making sure people understand the technology that they own and should be managing? We are all supposed to have training to drive a car and a license so why not at least have a better grasp on the PC and how things work right?

*waits for Ali’s head to explode*

But really, knowledge is power and unfortunately I don’t think this will happen either really. The money will all go into offensive campaigns within the CyberComm and we will lag behind on defense. Look at the EO and how the corps responded to it. “hey yeah, we would like to do less” I know Ali thinks that is all about letting the gubment take over and that is what they want but I disagree here. I think they do not want the government dictating to them nor do they want to be responsible for the security of their environments at the level of mandate because they would be held to it by assessment.

I think in the end your question is moot because nothing will be done that will help us.

Ali-Reza Anghaie: The pounding of the `do the basics` drums needs to be louder than the `sexy` drums..

However, I think the biggest things we can do at a national security level are:

1) Admit defeat at the Government level. Make it clear – CLEAR – that if you’re waiting for Government to combat your hacking problem, you’re going to die.

2) You. Must. Compete. There is a concept called “Intellectual Property Obesity” that has ravaged the American innovators for some time. They spent too much time on Copyright, Patent, and IP theft and not enough on risk analysis, business development, existing means of competition.. concentrate on ~everything else~ that has made America less competitive on a global scale.

In the end, if we’re to suffer a `death by a thousand cuts`, it’s not because of cyber espionage from the Chinese or anyone else. That’s but a small part of the bigger picture.

Now – that speaks to national security at the economic level, which I think is most important – but some conflate this as all purely defense/military in nature. The solutions to that problem set are a bit different and, in part, require actually letting people fail. Not retroactively but put a pretty solid post in the ground that says: `Hey, if you get hacked and all the IP is stolen. Your program funding is going to take a BIG hit. We don’t want to tell you how to fix it – we (Government) don’t know how. Likewise, if the data gets stolen while with us (again, Government), you’re going to get a bit of automatic business helping us or influencing our direct means of securing it`.. something along those lines without the tin-foil gaps.

John Little: Although I know and respect many security professionals, the ones that I encounter professionally seem to be bureaucrats rather than technical professionals. They are just lords of a massive fixed documentation process that must be completed whether I’m building a simple web page with public data or a massive mission critical enterprise system. The problem is that I can answer 500 questions about my application and get it approved but at the end of the day there’s nothing about the process that really enhances security. What are your thoughts about how the private sector utilizes InfoSec professionals?

Ali-Reza Anghaie: Firstly – I’m sorry. Really really sorry. You’ll have to file a RC269B exception to ask me this question. It’ll be rejected of course because everyone knows of the `Great RC268T Debacle` of 2012. I have my big red stamp ready to reject your request because email isn’t secure enough and the ColdFusion workflow app we had developed in Bangalore was, of course, developed by non-US Citizens so we can’t really use it. I have spoken.

There is this inherent fear of InfoSec that comes with the noise around incidents right now – similar to how auditors were perceived just after SOX went into effect. Nobody knows what to do with InfoSec except to not piss InfoSec off. Along with that come a lot of non-technical professionals or entry-level professionals enabled with copious amounts of authority and confidence over – well – nothing in particular. So, much like politics, you do exactly what you can get away with without punishment.

This is a cynical view – as my answers have trended so far – but it’s quite normal and recent trends leave me very optimistic.

We’re at the tail end of this trend and, as an industry, we’re going through it a fair bit quicker than many of our predecessors. Somewhat due to economic constraints but I sincerely believe the best of the best in InfoSec have taken more responsibility recently for knocking down their own echo chambers. They’ve seen the charlatans flourish and they know “we” created room for them with ambiguity and hand-waving. “We” want our industry back..

So – to answer your question – I think a huge majority of the private sector is very confused in how to apply InfoSec. And it’s our fault…for now.

Scot Terban: I think we need to differentiate between the INFOSEC folks like an archaeological dig here to start. First off, not all INFOSEC’ers are built the same. I come from the pentesting side AND the policy as well. I performed many assessments that had a combination of both and understand them both well enough to see where the rubber meets the road, so to speak. Unfortunately not everyone has the skill sets to see both sides of the coin and to work efficiently in the space. So we have people who get into INFOSEC primarily from a “legislative or paper” side of the issue. They understand that security is necessary and there are rules that need to be in place and that is about it. They follow their checklists and once they have checked the boxes they are good. This is bad but all too often the real aegis of many folks in corporations who perform audit from SOX to other government audit standpoints.

Then there are the people who perform just pentest, many of whom think that rules are just useless. Why? Because the hackers/adversary does not follow the rules and all too often rules get mired in minutiae that doesn’t matter to their attacks. I have heard way too many times, and rightly so, that SOX and other check box security measures are useless. I too have felt the same thing but, too often the pentest crowd is just dismissive of it because they are broken and not workable in their present state much of the time. So you can develop an app as you say, the “Bob’s” can come in with their checklists but in the end they have not made the product more secure because they lack the dimension of the attacker perspective.

So we have two camps.. Both out to secure things and neither really can because of a third camp.. Let’s call this camp the “Corporation”. The corp all too often is motivated not by an innate desire to protect their data, their clients etc.. Their driver is to make as much money as possible and in doing so security spend is even today, not what it should be because it is a cost center. When looking at the options and the legal drivers we can see how it is so easy for a company to go for the check box security approach mainly because that is what the government and the laws are mandating. It is the “due diligence” mentality and in that, the only due diligence we have primarily is to have the boxes checked to ensure that they can say that once they get sued or after an incident. THIS is to minimize the legal remunerations that they may incur to law suits and that’s the extent of it. Rarely have I seen a company throughout my career that was proactive about their security enough to engage true red teaming and effective policies, procedures, and audit to ensure a modicum of security.

It’s mostly set and forget as well as get drones who check SOX boxes every year. Aye, there’s the rub huh? This is where you have the paper CISSPs and others who really do not have a grasp of adversarial INFOSEC that needs to be in place to protect yourselves and this is where the engine of popularity and money have made a glut of people who don’t really have the chops to be in the business doing business. So yeah, you could create an application and the SOX types come along and ask questions but they really aren’t coders nor understand application code security right? They do their bit but they don’t see the whole picture and you, you could totally hoodwink them that your application is up to standard because this is the only appsec that they are carrying out.. Asking questions and not validating code?

To me, that says that the system is broken. What we need is a middle road where true application security people are involved in your case. In other cases I would like to see people who have a good grasp of security (defense as well as offense) in the roles of audit. Will this happen? Probably not and that is because as was lamented recently “Defense isn’t sexy”; add to that the corps aren’t looking to do anything but be “risk averse” and you have a broken system.

John Little: So we have a system that is broken and seems bound to stay that way. With the increasing complexity and distributed nature of data and applications, the vast number of application users (a good portion of the planet now), the rapid advancement of technology, and the challenges involved in building and maintaining an even barely adequate cadre of INFOSEC professionals how will the future not become even more of a hacker’s playground?

Ali-Reza Anghaie: The problem space is going to continue to grow at an accelerating pace. We will drown in more data and we won’t ever have enough bodies to throw at the problem. Government “regulation” will likely further exacerbate the staffing problems. Generally we’ve shown ourselves incapable of effective security automation. Woe is me?

There is a difference between a hacker’s playground and an unmanageable risk. Like any other type of crime, society will compensate in some areas and not in others. Some regions will do better with the same `door locks` and other regions will need `burglar bars` on all windows. So the question isn’t if the attack surface will continue to outpace us – it certainly will – the question is how will we compensate, as an industry and society, elsewhere?

This goes to the very root of competition – and we’re stuck with this idea that InfoSec is absolute. You’re either not using computers or you’re pwned. In no other aspect of life or society do we so readily say that to customers, through Governments, and in our daily routines.

So I would say that hackers will hack and that’s OK. If you aren’t viable and complete even under hacker fire – I’d say you were never actually viable or complete.

Scot Terban: It shall be just as it is now. The only answer is to become a new age Luddite and live in a bunker awaiting the end…

John Little: A significant portion of the cyber-chatter inside the Beltway and in the media is focused on China. How would you characterize the threat Chinese hackers (official or not) pose to the U.S. and how should we be talking about it?

Ali-Reza Anghaie: Let’s be clear – the Chinese threat is real and it’s aggressive. It is also entirely irrelevant.

We’re at such an early stage of secure architecture and software that concentrating on a given foe is foolish for all but a small core of defense and intelligence agencies. Along those lines, Government emphasizing a given nation-state threat also leaves people with the false impression that these threats ~require~ a nation-state to execute. And…. wait for it… a nation-state level response.

About now big red spinning alarms should be going off in your head. THAT is the problem with “the Chinese threat” – it’s become a political football that has turned into a lobby interest that has turned into a disadvantage to an already painfully broken field. It creates whole classes of C-levels looking at the wrong problems, wrong solutions, and wrong people to deliver those solutions.

Scot Terban: How would I characterize the Chinese threat… Well, they are a threat because they are just persistent and mostly sneaky. Not all of the teams are uber ninjas like portrayed in the news media or in a Mandiant self propaganda piece but they are pretty good (some of them). What the question really should be though is how would I characterize the attacked.. Not the attacker. We are on the whole not prepared to deal with attacks either in the MIL space or the private whatsoever. Companies are reticent to fix their infrastructures because it would cause loss of productivity, they hold on to old technologies like XP and IE6 for way too long, and they generally are not as a whole, security savvy.

So.. How hard is it for the average Chinese hacker to get someone to click on a link, pwn a machine, enter a poorly managed network, and steal them blind? Furthermore, how hard is it then to keep persistence?
John Little: You both raise a very important point. While the debates over terminology, doctrine, and threats rage on, the assets are going unprotected. We hear case after case of hackers having an easy time with their targets because of laziness, ignorance, and irresponsibility on the behalf of individual users, software developers, and network owners. It seems like we could eliminate most threats by shifting the focus away from “external” threats and back to our own behavior and business practices.

Ali-Reza Anghaie: Some years ago various groups started referring to de-perimeterisation as an inherent system design goal – that is to say that every system’s functions should act like it’s facing the “outside” world. From the outset I thought that should be the data protection goal as well – trust no one, period. Everything should have a forensic trail, least-privilege model, etc. Insiders can become your outsiders – prepare as such.

Now, that was naive of me – cost applies. So I think it comes down to appropriate risk assessments in the complete context of your business, legal, and technical resources – which is non-trivial for multinationals and small business alike.

So – the “right” answer to your question is – we still have an accountability problem period. Internally or externally the risk assessments, valuations, and models just aren’t being done appropriately on a reliable basis for most organizations. The good news is that the body of work on these topics is increasingly reliable – we can fix the overall scheme of things. Where fixing doesn’t always mean absolute security as the goal.

I’d like to thank Blogs of War for taking the time to put together this interview. It’s been great and I really enjoy your various feeds.

Scot Terban: The answer is “yes” but I would also hasten to say that it’s not just accountability but a more encompassing problem of OPSEC altogether. The point being that many people today lack understanding of the need never mind the practice of OPSEC. So we have all these private and public entities that really have no concept of the security landscape in the first place and why it is important to protect their data so how do you expect them to be aware of internal or external threats? While in the military and government space they have an idea they too suffer from lackadaisical attitudes and lack of comprehension of the technologies that they are using to manipulate, store, and use data. I tend to think of it as a human nature issue in general that we need to tackle just to bring people to the security table in the first place before we can make them aware enough to think about and secure their assets. Once people are on the same page with the technologies (not just the tech folks we all work with but the end users) then we will have a discussion over the internal versus the external threats posed.

Blurring the Lines Between Hacktivism and Terrorism

Dr. Clint Arizmendi is a Research & Analysis Officer at the Land Warfare Studies Centre. The views expressed are his own and do not reflect those of the Australian Department of Defence or the Australian Government.

As the IDF and Hamas conflict unfolded, observers witnessed more than the world’s first ‘Twitter war’; they witnessed the widening of the conflict to include the participation of unsanctioned non-state cyber actors (UNCAs), who not only aided, but also interfered with – and obstructed – Israeli and Hamas operations in the name of hacktivism. Are such hacktivists performing a public service, committing a crime, or have they crossed a cyber line into terrorism?

Aside from the traditional method of using kinetic force to shape the battlespace by way of precision strikes, the IDF also used a variety of social media platforms to simultaneously deter Hamas and reassure the global audience that terrorists were the only target. Techniques used range from live video of the killing of a high-ranking Hamas official to realtime tweeting of events as they unfolded. Likewise, Hamas disseminated video of a downed Israeli drone and evidence of their Iranian-made long-range rockets reaching Tel Aviv, thus highlighting the importance and significance of establishing – and sustaining – a ‘positive’ social presence.

The use of social media as a key element of information operations (IO) is not new – the US-run Sabahi website in the Horn of Africa and the now controversial attempt by the US embassy in Cairo to de-escalate tension via Twitter during the attack in Libya serve as prime examples. For the IDF, presumably, the use of social media was a calculated strategy to prevent a repeat of the negative global press after their 2006 campaign.

As the conflict in Gaza shifted back-and-forth from the conventional and information realm to the cyber realm, the opportunity for UNCAs to influence the digital battlespace increased significantly, making it a particularly risky venture for both Israelis and Hamas. Here, UNCAs had a realtime effect on conflict, notably with regard to hacktivists such as The J35st3r and Anonymous – the former supporting Israel by disrupting Hamas websites and the latter supporting the Palestinians, having declared cyber-war on Israel.

While Israeli officials claim that only one of the 44 million cyber attacks on its government websites was successful during Operation Pillar of Defense against Hamas, Anonymous claimed more than 600 successful cyber attacks against both public and private Israeli websites. As an unintended consequence of its attempt to use social media to shape the battlespace, Israel’s campaign against terrorism became more complex; they were simultaneously fighting a physical and IO war against Hamas and a cyber war against Anonymous.

Although Anonymous – as an UNCA collective – chose to support Hamas as an expression of humanitarian concern, Hamas is considered a terrorist organisation by not only Israel, but also the EU, the USA, Canada, Japan and Jordan. Australia considers the military wing as such. The question now is whether Anonymous is also a terrorist organisation – or a supporter of a terrorist organisation – by association.

If Anonymous members who engaged in the ‘war’ against Israel reside in one of the countries listed above, then there is domestic terrorism legislation that can be brought to bear to regulate such behaviour. If, however, they reside in a country such as Turkey, Norway or Russia, none of whom classify Hamas as a terrorist organisation, then – at best – they are engaging in cyber crime.

The status of hacktivists engaging in such attacks can be considered analogous to the legal confusion surrounding the ‘combatant’ status of many Guantanamo Bay detainees. Are the Anonymous collective hacktivists, cyber combatants or criminals? Arguably, it depends from where they conduct their activities (assuming, of course, that this information can be determined).

Further complicating the matter is the potential for these ostensibly unsanctioned non-state cyber actors to be sponsored by the party that benefits from their activities. It is by no means beyond the realms of possibility for elements operating within the Anonymous collective to have received financial or technical support from Hamas or its supporters. Likewise, is it too much of a stretch that The J35st3r might be this century’s answer to the state-sponsored, deniable ‘black’ operatives of the Cold War?

Anonymous has formally recognised the Gaza ceasefire and declared mission success in Operation Israel, while Hamas has declared a national holiday of victory. Whether there is a way to actually measure the effect that Anonymous and The J35st3r had upon the conflict remains to be seen; however, one thing is for certain: the use of social media and the cyber realm for war represents the risk of direct external influence – if not obstruction – from UNCAs as they blur the lines between hacktivism and terrorism.

Update from Blogs of War
@th3j35t3r, who describes himself as a “Hacktivist for good. Obstructing the lines of communication for terrorists, sympathizers, fixers, facilitators, oppressive regimes and other general bad guys” contacted Blogs of War on Twitter after this post was published. I am posting screenshots of his private feedback with his permission:

[Screenshots of @th3j35t3r’s feedback on “Blurring the Lines Between Hacktivism and Terrorism”]

You can learn more on his blog.