This week I am attending the RSA Conference, a global convention bringing together government and business approaches to securing the digital channels people depend on every day. To catch up on what has been buzzing in the public presentations and private corridors of this year’s RSA Conference, check out my previous dispatches from Day 1, Day 2, and Day 3.
This year’s RSA Conference has covered a lot of ground. Discussion at this annual global event ranged from technological approaches to privacy, to future expectations in cyber policy, international law enforcement cooperation against global cybercrime, cyber warfare, and the varying tradecraft of espionage groups.
As RSA draws to a close, it’s clear that while private industry and government have made significant strides in securing the networks people depend on every day, many challenges remain. Some of these challenges may have technical solutions, but many stem from broader issues of geopolitical relationships: digital technology is simply an extension of our long-standing problems in society.
Yesterday, Cipher Brief expert Matt Olsen, the president of business development at IronNet Cybersecurity and former director of the National Counterterrorism Center, spoke on the evolution of cyber activities among terrorist groups. Olsen pointed out that terrorist cyber attacks could evolve from disruption to actual destruction, with groups using cyberspace to sabotage the operations of major institutions in the way the 2012 Shamoon wiper attack on Saudi Aramco and the 2014 breach of Sony Pictures did, both of which destroyed data on machines rather than merely knocking services offline.
At this time, however, terrorist groups largely use the Internet to disseminate recruitment messaging and how-to manuals such as the ISIS publication Dabiq. ISIS has also incorporated encrypted communications into its command and control when conducting terrorist operations on European soil.
Olsen noted that the evolution of ISIS offensive cyber capabilities began in 2014, when a group calling itself the CyberCaliphate commandeered the Twitter accounts of U.S. Central Command and Newsweek magazine. Junaid Hussain, the British hacker linked to the group, had earlier served six months in prison in the U.K.; after his release he fled to Syria, where he established the Islamic State Hacking Division.
While most incidents involve rudimentary hacking to deface websites with provocative messaging, the tie between the virtual and physical space is exemplified by the case of Ardit Ferizi. After breaching the network of a contracting company, Ferizi accessed the personally identifiable information of 1,300 U.S. government personnel, including their names and addresses. The information was then released as a “hit list,” encouraging others to commit acts of violence against these people and their families. While Ferizi is currently serving 20 years in a U.S. prison, ISIS maintains that “the electronic war has not yet begun” and has consolidated its cyber operations under the name United Cyber Caliphate. Olsen warns that while the cyber operations of terrorist groups today have been relatively unsophisticated, there is will on their part to conduct destructive operations in cyberspace, possibly with physical consequences, by targeting critical infrastructure such as water treatment plants, dams, and power stations.
Next, I met with Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, to talk about the role of trust in machine-to-machine communications. Bocek described trust as central to relationships among people, yet rarely treated as such in the way machines speak to each other.
Much of the Internet’s traffic travels over TLS, an encrypted tunnel that cannot be looked inside without the session keys. Whether a client is even talking to the right machine rests on a digital certificate: a document that binds a server’s public key to its name and is signed by a certificate authority (CA) that browsers and operating systems are configured to trust. But who manages that trust? Bocek used the example of the 2011 breach of DigiNotar, a Dutch CA whose certificates told machines which Internet infrastructure to trust. Once DigiNotar was compromised, the attackers used its signing capability to issue fraudulent certificates for domains they did not control, including a wildcard certificate for google.com. Because every browser trusted DigiNotar, those certificates let the attackers impersonate the real sites and sit in the middle of traffic that clients believed was protected, hiding their activity under a veneer of legitimacy.
The DigiNotar certificates appear to have been used for domestic surveillance in Iran, where the fraudulent Google certificate was used to intercept users’ Gmail sessions. Nor was this unusual: abusing stolen signing keys and certificates appears to be fairly common among intelligence agencies conducting cyber espionage, and it was a central component of the infamous Stuxnet worm, allegedly deployed by the United States to sabotage Iran’s nuclear program, whose drivers were signed with certificates stolen from legitimate hardware vendors so that Windows would load them without complaint.
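To make the DigiNotar lesson concrete, the following Go program is an added example written for this page, not code from Venafi or from the author. It builds two self-signed roots under hypothetical names (standing in for a legitimate CA and a compromised one), puts both in the client’s trust store, lets the rogue root issue a certificate for a constructed host name, and shows that ordinary chain validation accepts the forgery while a public-key pin on the expected CA rejects it. The CA names, the host name and the pin are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; a failed key generation has no sensible recovery in a demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ca pairs a CA certificate with the private key that signs on its behalf.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA creates a self-signed root under a hypothetical name.
func newCA(name string) *ca {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))
	return &ca{cert: must(x509.ParseCertificate(der)), key: key}
}

// issueLeaf signs a server certificate for host. Any trusted CA can do this for any
// name, which is exactly what DigiNotar's attackers exploited.
func (c *ca) issueLeaf(host string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, t, c.cert, &key.PublicKey, c.key))
	return must(x509.ParseCertificate(der))
}

// spkiPin hashes the SubjectPublicKeyInfo, the value public-key pinning compares against.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// verifyChain is the default browser check: any chain that ends at a trusted root passes.
func verifyChain(leaf *x509.Certificate, roots *x509.CertPool, host string) ([][]*x509.Certificate, error) {
	return leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
}

// pinned reports whether any certificate in any validated chain carries a pinned key.
func pinned(chains [][]*x509.Certificate, pins map[string]bool) bool {
	for _, chain := range chains {
		for _, cert := range chain {
			if pins[spkiPin(cert)] {
				return true
			}
		}
	}
	return false
}

// result holds each check's verdict on the legitimate and on the forged certificate.
type result struct{ LegitChainOK, LegitPinOK, RogueChainOK, RoguePinOK bool }

// scenario trusts two roots, lets the rogue one issue a certificate for the site, and
// runs both checks on both certificates.
func scenario() result {
	const host = "mail.example.com" // constructed host name
	good, rogue := newCA("Legitimate Root CA"), newCA("Compromised Root CA")
	roots := x509.NewCertPool()
	roots.AddCert(good.cert)
	roots.AddCert(rogue.cert) // both sit in the client's trust store, as DigiNotar did
	pins := map[string]bool{spkiPin(good.cert): true} // the site operator pins its own CA's key
	legitChains, legitErr := verifyChain(good.issueLeaf(host), roots, host)
	rogueChains, rogueErr := verifyChain(rogue.issueLeaf(host), roots, host)
	return result{
		LegitChainOK: legitErr == nil, LegitPinOK: legitErr == nil && pinned(legitChains, pins),
		RogueChainOK: rogueErr == nil, RoguePinOK: rogueErr == nil && pinned(rogueChains, pins),
	}
}
func main() { fmt.Printf("%+v\n", scenario()) }
```

Run it with `go run`: chain validation passes for both certificates because the client trusts the rogue root, exactly as browsers trusted DigiNotar, and only the pin check rejects the forgery. Hard-coded pins have their own failure mode (a pin that outlives its key locks users out), so in practice the same "is this the CA I expect?" question is usually answered by Certificate Transparency monitoring and CAA records rather than pins baked into clients.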
I then spoke with Omri Illuz, CEO of PerimeterX, who commented on the threat emanating from bots, or machines impersonating people online. Illuz described the problem as one of scale: if a million bots on social media post articles and like each other’s posts, a message can gain a lot of traction. This is the tactic seen in Russian interference in European and U.S. elections, where bots amplified the reach of information campaigns. Another malicious use of bots is to enhance the disruptive effect of distributed denial of service attacks, using Mirai-based malware to infect a host of everyday Internet-connected devices such as routers and webcams and flood targets with junk traffic. Attribution in cyberspace is already difficult, and the scale and dispersed nature of bot traffic make it harder still, which often leaves separating bot traffic from human traffic through behavioral analysis as the only mitigation strategy an organization has.
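As an added illustration of the behavioral-analysis point (example code written for this page, not PerimeterX’s product or the author’s), the Go program below parses a constructed access log, groups requests per client, and scores each client on two signals a script tends to leave: metronomic inter-request timing and page views that never fetch the CSS and images a browser would load. The log lines, IP addresses, paths and thresholds are all constructed for the example; the log is assumed to be in chronological order, as a log file normally is.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
	"time"
)

// sampleLog is constructed: common log format plus the user agent. 203.0.113.5 browses
// like a person; 198.51.100.7 "likes" one article after another on a fixed timer.
const sampleLog = `203.0.113.5 - - [13/Feb/2017:12:00:00 +0000] "GET / HTTP/1.1" 200 5120 "Mozilla/5.0 (Windows NT 10.0) Firefox/51.0"
203.0.113.5 - - [13/Feb/2017:12:00:01 +0000] "GET /static/app.css HTTP/1.1" 200 812 "Mozilla/5.0 (Windows NT 10.0) Firefox/51.0"
203.0.113.5 - - [13/Feb/2017:12:00:01 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 "Mozilla/5.0 (Windows NT 10.0) Firefox/51.0"
203.0.113.5 - - [13/Feb/2017:12:00:09 +0000] "POST /article/42/like HTTP/1.1" 204 0 "Mozilla/5.0 (Windows NT 10.0) Firefox/51.0"
198.51.100.7 - - [13/Feb/2017:12:00:00 +0000] "POST /article/1/like HTTP/1.1" 204 0 "python-requests/2.18.1"
198.51.100.7 - - [13/Feb/2017:12:00:02 +0000] "POST /article/2/like HTTP/1.1" 204 0 "python-requests/2.18.1"
198.51.100.7 - - [13/Feb/2017:12:00:04 +0000] "POST /article/3/like HTTP/1.1" 204 0 "python-requests/2.18.1"
198.51.100.7 - - [13/Feb/2017:12:00:06 +0000] "POST /article/4/like HTTP/1.1" 204 0 "python-requests/2.18.1"`

// request is one parsed log line.
type request struct {
	ip, path string
	at       time.Time
}

var lineRE = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*"$`)

// parseLog turns log text into requests, silently skipping lines it cannot parse.
func parseLog(text string) []request {
	var out []request
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		m := lineRE.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if at, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[2]); err == nil {
			out = append(out, request{ip: m[1], path: m[3], at: at})
		}
	}
	return out
}

// profile summarises one client's behaviour; Score counts independent bot signals.
type profile struct {
	Requests   int
	TimingCV   float64 // std dev / mean of inter-request gaps; near 0 means metronomic
	AssetRatio float64 // share of requests for CSS, images and scripts a browser would load
	Score      int
	Bot        bool
}

var assetRE = regexp.MustCompile(`^/static/|\.(css|js|png|jpg|gif|ico|woff2?)$`)

// analyze groups requests by client and scores each client on timing and page-load shape.
func analyze(reqs []request) map[string]profile {
	byIP := map[string][]request{}
	for _, r := range reqs {
		byIP[r.ip] = append(byIP[r.ip], r)
	}
	out := map[string]profile{}
	for ip, rs := range byIP {
		p := profile{Requests: len(rs)}
		var gaps []float64
		for i, r := range rs {
			if i > 0 {
				gaps = append(gaps, r.at.Sub(rs[i-1].at).Seconds())
			}
			if assetRE.MatchString(r.path) {
				p.AssetRatio += 1 / float64(len(rs))
			}
		}
		p.TimingCV = cv(gaps)
		// Each signal needs a few requests to mean anything; a client is flagged only when both agree.
		for _, hit := range []bool{len(rs) >= 4 && p.TimingCV < 0.2, len(rs) >= 4 && p.AssetRatio == 0} {
			if hit {
				p.Score++
			}
		}
		p.Bot = p.Score >= 2
		out[ip] = p
	}
	return out
}

// cv is the coefficient of variation of xs; 1 (inconclusive) for too few or all-zero gaps.
func cv(xs []float64) float64 {
	var sum, sq float64
	for _, x := range xs {
		sum, sq = sum+x, sq+x*x
	}
	if len(xs) < 2 || sum == 0 {
		return 1
	}
	mean := sum / float64(len(xs))
	return math.Sqrt(math.Max(sq/float64(len(xs))-mean*mean, 0)) / mean
}
func main() { fmt.Printf("%+v\n", analyze(parseLog(sampleLog))) }
```

The two signals are deliberately independent and a client is flagged only when they agree, so one odd gap or a cached stylesheet does not flag a person. Real deployments add many more features (mouse and touch telemetry, TLS and HTTP fingerprinting, IP reputation) and, because a user-agent string is trivially spoofed, never rely on it alone.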
Stay tuned for a recap of my week at the 2017 RSA Conference, covering the major challenges and trends discussed front and center, and in the corridors, of the cybersecurity industry.
Levi Maxey is the cyber and technology producer at The Cipher Brief. Follow him on Twitter @lemax13.