Results of the Cyber Storm Exercise

The Cyber Storm exercise conducted in January "simulated a sophisticated cyber attack campaign through a series of scenarios directed at several critical infrastructure sectors. The intent of these scenarios was to highlight the interconnectedness of cyber systems with physical infrastructure and to exercise coordination and communication between the public and private sectors. Each scenario was developed with the assistance of industry experts and was executed in a closed and secure environment. Cyber Storm scenarios had three major adversarial objectives:

- To disrupt specifically targeted critical infrastructure through cyber attacks
- To hinder the governments' ability to respond to the cyber attacks
- To undermine public confidence in the governments' ability to provide and protect services"

Seems like the results from the exercise are already available and among the major findings are related to :

- Interagency Coordination
- Contingency Planning, Risk Assessment, and Roles and Responsibilities
- Correlation of Multiple Incidents between Public and Private Sectors
- Training and Exercise Program
- Coordination Between Entities of Cyber Incidents
- Common Framework for Response and Information Access
- Strategic Communications and Public Relations Plan
- Improvement of Processes, Tools and Technology

Frontal attacks could rarely occur, as cyberterrorism by itself wouldn't need to interact with the critical infrastructure, it would abuse it, use it as platform. However, building confidence within the departments involved is as important as making them actually communicate with each other.

Go through a previous post on the Biggest Military Hacks of All Time in case you're interested in knowing more on specific cases related to both, direct and indirect attacks.

Examining Internet Privacy Policies

Accountability, public commitment, or copywriters charging per word, privacy policies are often taken for fully enforced ones, whereas the truth is that actually no one is reading, bothering to assess them. And why would you, as by the time you've finished you'll again have no other choice but to accept them in order to use the service in question -- too much personal and sensitive identifying information is what I hear ticking. That's of course the privacy conscious perspective, and to me security is a matter of viewpoint, the way you perceive it going beyond the basics, the very same way you're going to implement it -- Identity 2.0 as a single sign on Web is slowly emerging as the real beast. The marketing perspective, offers unprecedented and fresh data whose value may be the next big project, balance is the key.

Here's an interesting research on "Examining Internet Privacy Policies Within the Context of Use Privacy Values" :

"In this paper, we present research bridging the gap between management and software requirements engineering. We address three research questions. 1) What are the most stringently regulated organizations (health care related organizations including health insurance, pharmaceutical, and drugstores) saying in their privacy policy statements? 2) What do consumers value regarding information privacy? 3) Do the privacy policy statements provide the information that consumers want to know?

Results from this study can help managers determine the kinds of policies needed to both satisfy user values and ensure privacyaware website development efforts. This paper is organized as follows. First, we discuss relevant research on privacy, policy analysis, and software requirements engineering. Next, we cover the research methodologies of content analysis and survey development, and then the survey results. Finally, we discuss the results and implications of this work for privacy managers and software project managers."

The only time privacy policies get read is whenever a leak like AOL's one happens, and mostly for historical purposes, where's the real value, not the perceived one? Don't responsibly generate privacy policies, consider preemptively appointing chief privacy officers, thus commiting yourself to valuing your users's privacy and having a strategy in mind.

Related resources:
Privacy
Snooping on Historical Click Streams
A Comparison of US and European Privacy Practices

Cyber Intelligence - CYBERINT

HUMINT, SIGINT, TECHINT, all concepts for gathering intelligence and supporting decision makers on emerging trends are invaluable by their own definitions, yet useless if not coordinated for achieving the ultimate objective. Cyberspace is so much more than a social phenomenon or the playground of countless pseudo personalities. Info-warriors and analysts are realizing that Cyberspace is becoming so disperse and versatile, that a seperate practice of Cyber Intelligence is necessary to proactively respond -- and always be a step ahead of developing new capabilities -- of emerging players, threats, and tactics. Virtual situational awareness is as important to intelligence analysts, as it is important to security professionals wanting to remain competitive.

What's Cyber Intelligence, or Intelligence analysis for Internet security, can we model it, how long would the model survive before what used to static turns into a sneaky variable knowing its practices has been exposed? What would the ultimate goal of CYBERINT be? To map the bad neighborhoods and keep an eye on them, to profile the think-tanks and assess their capabilities, background motivations for possible recruitment? Or to secure Cyberspace, no matter how megalomanic it may sound, or to basically acquire know-how to be used in future real-life or cyber conflicts?

Intelligence Analysis for Internet Security proposes an intelligence model for the development of an overall systems security model, here's an excerpt :

"Obtaining prior knowledge of both threats and vulnerabilities – as well as sensitivity to possible opportunities to exploit the vulnerabilities - is essential. Intelligence analysis, of course, operates at different levels, ranging from the specific to the general, and from short-term incidents and operations to long term patterns and challenges. Each form or level of analysis is crucial, and complements and supplements the others. Nevertheless, it is important to distinguish them from one another and to be clear at which level the activities are taking place. It is also important to recognize that the most critical insights will be obtained from fusion efforts that combine these different levels. The several complementary levels of intelligence analysis are strategic analysis, tactical analysis and operational analysis. In practice, these categories shade into each other and are not always sharply differentiated, and differing definitions for these terms exist in the intelligence community. Nevertheless, they offer a useful framework within which intelligence tasks and requirements can initially be delineated."

A very informative and relevant research emphasizing on strategic intelligence analysis, tactical intelligence analysis, operational intelligenec analysis, and how cyber intelligence intersects with traditional approaches.

What's the core of CYBERINT?

- the maturing concept of cyberterrorism, propaganda and communications online, thus huge amounts of data to be aggregated and analyzed
- an early warning system for new attack tools, their easy of use, availability, ability to be tracked down, and level of sophistication
- offensive CYBERINT is perhaps the most interesting and aggresive approach I consider fully realistic nowadays. Operational initiatives such as nation-wide pen testing, OS and IP space mapping for instant exploitation, segmented economic espionage attacks -- ip theft worms achieving efficiency -- passive google hacking and reconnaissance, tensions engineering, zero day vulnerabilities arms race

Outsourcing to objective providers of intelligence and threats data should also be considered, but then again it's just a tiny portion of what can actually be achieved if a cross-functional team is acting upon a common goal - to be a step ahead of tomorrow's events, and pleasently going through threat analysis conducted year ago predicting and responding to them.

If you don't have enemies, it means you're living in a world of idleness, the more they are, the more important is what you're up to.

Related resources and posts:
Information Warfare
Cyberterrorism
Intelligence
Benefits of Open Source Intelligence - OSINT

Leaked Unmanned Aerial Vehicle Photo of Taliban Militants

Missed shot from a predator drone due to moral concerns, remarkable move and one visionary enought not to provoke another media fiasco of killed civilians for the sake of killing alleged militants. "U.S. Military Investigates Leaked Photo"

"The grainy black and white photo shows what NBC says are some 190 Taliban militants standing in several rows near a vehicle in an open area of land. Gunsight-like brackets were positioned over the group in the photo. NBC quoted one Army officer who was involved with the spy mission as saying "we were so excited" that the group had been spotted and was in the sights of a U.S. drone. But the network quoted the officer, who was not identified, as saying that frustration soon set in after the officers realized they couldn't bomb the funeral under the military's rules of engagement."

Hezbollah are also known to be able of operating drones, as well as their "window-shopping" purchasing capabilities for night vision gear but how come? Politically independent parties whose revenues get generated by their ability to be totally neutral and, of course, tactics for bypassing gear embargoes.

However, it would be naive to assume everyone is as rational as you are, as it's a rather common practice for various military forces to build up their foundations near highly populated areas, schools and hospitals. Insider leaks like these show certain weaknesses, namely operatives with access to information whose significance slightly devaluated, so why not generate some buzz on the findings.

Naturally, the Pentagon is taking measures to limit the potential of yet another media fiasco, taking into consideration the growing use of gadgets in the military. Moreover, successfully realizing the power of OSINT, an information security/web site alert was issued during August on what can't be posted at .mil sites.

Predator UAV image of Serbian fighters surrendering in Kosovo, courtesy of Military Intelligence Satellites.

Internet PSYOPS - Psychological Operations

Psychological operations or PSYOPS is an indirect use of information warfare methods to deceive, shape and influence the behavior and attitude of the targeted audience -- military marketers with greater access to resources and know-how. The Internet acting as a global-reaching, cost-effective platform for dissemination of a message, rumor, lie, inside information is directly influencing the evolution of the concept.

You may find this research conducted back in 2001, still relevant on the basics of psychological operations and propaganda online. A brief summary of The Internet and Psychological Operations :

"As an information medium and vehicle of influence, the Internet is a powerful tool, in both open societies as well as in those whose only glimpse of the outside world is increasingly viewed and shaped through webpages, E-mail, and electronic chat rooms. Moreover, the sword cuts both ways, as unconstrained (legally, socially, politically) adversaries find the Internet an effective vehicle for influencing popular support for their cause or inciting the opposite against the U.S. or its interests. Consequently, the realm of military psychological operations (PSYOP) must be expanded to include the Internet. Just as obvious is the need for action to remove or update current policy and legal constraints on the use of the Internet by military PSYOP forces, allowing them to embrace the full range of media, so that the U.S. will not be placed at a disadvantage. Although current international law restricts many aspects of PSYOP either through ambiguity or noncurrency, there is ample legal room for both the U.S. and others to conduct PSYOP using modern technology and media such as the Internet. Existing policy and legal restrictions, however, must be changed, allowing military PSYOP forces to both defend and counter adversarial disinformation and propaganda attacks which impact on the achievement of military objectives. By examining this issue, I hope to highlight the importance of the Internet for PSYOP and foment further discussion."

Undoubtedly, Abu Ghraib's fiasco is among the most relevant cases of unintentional PSYOPS in reverse, where the leak's echo effect would continue to spell sskepticism towards what democracy really is. And while there're indeed legal issues to consider when using such operations, what is legal and illegal in times of war is questionable.

Some basic examples:
- your web sites spread messages of your enemies
- sms messages and your voice mail say you're about to lose the war
- your fancy military email account is inaccessible due to info-warriors utilizing the power of the masses, thus script kiddies to distract the attention
- you gain participation, thus support
- you feel like Johnny Mnemonic taking the elevator to pick up the 320 GB of R&D data when a guerilla info-warrior appears on the screen and wakes you up on your current stage of brainwashing
- starting from the basics that the only way to ruin a socialist type of government is to introduce its citizens to the joys of capitalism -- it always works
- hacktivism - traffic acquisition plus undermining confidence
- propaganda - North Korea is quite experienced
- self-serving news items, commissioned ones
- achieving Internet echo as a primary objective
- introducing biased exclusiveness
- stating primary objectives as facts that have already happened
- impersonation

The evolution of online PSYOPS is on its way and is actively utilized by both adversaries, and everyone in between, it's entirely up to you to be either objective, or painfully subjective.

Prosecuting Defectors and Appointing Insiders

In the year 2006, those who control Russia's energy reserves control a huge portion of the world's energy market -- renewable energy is the future. And as you can imagine they're for sure not controlled by some newly born Russian millionaires -- a great benchmark for how vibrant a country's economy or level of corruption really is. Seems like the long-term effects of a planned economy are still a political doctrine, and the invisible hand of the market is still short enough to feel the Russian energy sector as Russian intelligence chief's son has been named adviser to oil company chairman :

"A son of the head of Russia's main intelligence agency has been named an adviser to the chairman of state oil company OAO Rosneft, the daily newspaper Kommersant reported Wednesday, citing an unidentified source on Rosneft's board of directors. Andrei Patrushev, the 25-year-old son of Federal Security Service (FSB) director Nikolai Patrushev, had previously been an FSB official himself, working in the department that keeps tabs on the Russian oil industry, according to Kommersant."

The courage to rise above shown by Mikhail Khodorkovsky has its own butterfly effect, and it's so easily predictable one. Here's a Google bomb for you -- it means enemy of the people. Here's another. Враг народа or a vivid protectionist?