Day 3: Dispatch from RSA Conference

Photo: The Cipher Brief/Levi Maxey

This week I am attending the RSA Conference, a global convention bringing together government and business approaches to secure the digital channels people depend on every day. To catch up on what has been buzzing in the public presentations and private corridors of this year’s RSA Conference, check out my previous dispatches from Day 1 and Day 2 of the conference.

Yesterday kicked off at the crack of dawn with a heavy dose of cyber warfare and weapons beyond the infamous Stuxnet worm that was found crippling Iran’s nuclear program in 2010. Gary Brown, a cybersecurity professor at Marine Corps University and former legal counsel for U.S. Cyber Command, began with the terms “warfare” and “weapons,” suggesting that to be described by such language, a cyber capability must damage or destroy property, or directly cause death.  Most cyber attacks, he suggested, would be more accurately described as espionage.

So how have offensive cyber tools evolved since Stuxnet? Oren Falkowitz, CEO and co-founder of Area 1 Security and a former member of the National Security Agency’s Tailored Access Operations (TAO) hacking team, argues that the real advantage for attackers is not the evolution of their technical skill, but rather having the imagination and creativity to open up previously unimagined doors, adding that what makes attacks sophisticated is for them to be full-spectrum; what matters is not the hack itself but rather what is done with it. Falkowitz cited the increase of information operations following breaches to exemplify how the technical hack itself is merely a small aspect of a larger effort.

Next, Dmitri Alperovitch, the co-founder and Chief Technology Officer of Crowdstrike, hosted a mock Academy Awards show for the best hacking groups by contrasting the tradecraft between Russian and Chinese hacking groups. After comparing Chinese, or “Panda,” hacking groups to Hollywood actors who have reached the pinnacle of their careers and are now on their way down, Alperovitch described Russian hackers as deploying the most sophisticated infection methods, primacy in privilege escalation once inside networks, the longest persistence time within those networks, and the most advanced exfiltration techniques.

I then met with Steve McGregory at Ixia to discuss the record-breaking distributed denial of service attacks that flooded the servers of Dyn last year, taking large swaths of the East Coast’s Internet services offline for hours at a time. McGregory points to Mirai-based botnets of infected Internet-connected devices like webcams and routers as the amplifying source of these attacks, suggesting that now that the Mirai source code is available online, hackers are adapting it to fit their own disruptive goals.

John Lynch, the section chief of the U.S. Department of Justice’s Criminal Division for computer crime, cited the main areas of cooperation during a panel on international law enforcement cooperation to address cybercrime’s global scope. The first, and most common such area is traditional information sharing among police departments, sometimes followed by mutual legal assistance agreements for handling evidence and court proceedings. While this kind of cooperation has been preserved in the Convention on Cybercrime, also known as the Budapest Convention, many barriers to international cooperation remain. For example, criminal safe havens in countries that do not have extradition or mutual judicial treaties make fugitive apprehension difficult. Without physical consequences for cybercriminals operating beyond law enforcement’s reach of their target countries, there is little hope for any level of criminal deterrence. However, Steve Wilson, the head of business at the European Cybercrime Centre, notes that one area where international law enforcement has made significant strides—even with countries otherwise uncooperative—is in dealing with criminals who engage in child sexual exploitation.

To close out the day, I had a candid discussion with Cris Thomas, a strategist at Tenable, on the much-needed modernization of government IT systems. Thomas argues that such efforts should be a constantly evolving process dependent on flexible and efficient acquisition, rather than just a one-time revamp. The modernization process must also be comprehensive, as antiquated systems that remain will provide a weak point that hackers could breach and then move laterally across federal networks. This modernization should be accompanied by other efforts, most importantly an infusion of technical capabilities into the government workforce. Although the modernization ought to be undertaken as soon as possible, it should be done deliberatively and with caution taken with the incorporation of globally sourced hardware and software—which entails risks of built-in vulnerabilities that could be exploited by foreign states and criminals.

Tomorrow, you can expect in-depth analysis on terrorism in the cyber domain from The Cipher Brief’s Matt Olsen, president of consulting at IronNet Cybersecurity and former director of the National Counterterrorism Center. Tune in for more from the leading thinkers at RSA on all things cybersecurity.

Levi Maxey is the cyber and technology producer at The Cipher Brief. Follow him on Twitter @lemax13.