Presentation on cyber warfare, recent examples, current capabilities of the major players, and issues relating to the advancement of cyber warfare and cyber security in the United States. The Cyber War Forum Initiative is promoted for its role in solving many elements of the issues facing the US.

1. The Cyber Warfare Initiative the Good, the Bad, and the Ugly LiveSquare Security www.LiveSquare.com

3. Cyber what?

4. A recent example

5. The Players

7. The Bad

8. The Ugly

9. What next?

10. Resources

12. ” Titan Rain” - started 2003 Titan Rain hackers gained access to many U.S. computer networks, including those at Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA. China.

13. Estonia – March 2007, Ukrain – November 2007

14. Lithuania – June 2008, Georgia – November 2008, Kyrgistan 2008

15. ” GhostNet” – 2008 to present – China, KyLin OS (BSD or ???)

16. DOD, White House, Congress, Lockheed Martin (F35 fighter)

17. Dali Lama, Germany, France, India, Australia

18. Iran

21. ” Everyone is attacking everyone.”

23. Political / Military – strategic asset identification. Intelligence, Target optimization. Economic pressure and articulation. Revenge. Combined kinetic and info attack to paralyze enemy, disinform, weaken, force them to expend resources.

24. Social – why are you targeted? Why did/does Isreal socially map US phone calls? If you own a business, are in IT, or especially if you operate a security consulting practice why does your web site get visited daily by folks in China? Why is Identity Theft so huge? Do you facilitate money laundering?

27. Cause enemy to expend resources and time on futile tasks

28. Create crisis of confidence in enemy's currency, leadership, perceived stability, etc

29. Modify / Destroy information sources, infrastructure, systems – change reality / history

31. Twitter – stopped regular maintenance to aid coordination of dissent in Iran. Aided by State Dept. and a few others.

33. The monitoring capability was provided, at least in part, by a joint venture of Siemens AG, the German conglomerate, and Nokia Corp., the Finnish cellphone company, in the second half of 2008, Ben Roome, a spokesman for the joint venture, confirmed. Source WSJ

34. Iran uses kinetic attack to stop university students from communicating to the outside world. Students killed.

35. Iran plays whack-a-mole with phones, sat phones, ”rogue” Internet connections

36. Bans all foreign media, blocks farsi news sites outside Iran, etc.

37. Iran declares an ”official end” to freedom of expression, people reject this...

38. Using a phone, if you mention the wrong keyword, your line goes dead

39. Pro-iran regime “hacktivists” breach the U of Oregon and leave a message...

41. ” Turning off the Internet” does as much damage as good

44. China – National network configuration enhancing cyber defense, KyLin, ”green dam”, email trojans – known to have penetrated 103 countries, especially email systems. - military value

45. RBN – email malware, identity theft, BOTnets

46. The Brits, Israel (info and kinetic e.g. Gaza), Palestinians, Islamic Jihad, Al Qaeda, Russia to Uzbekistan relating to American Base.

47. Anyone who wants to play

49. The Cyber Warfare Forum Initiative – US and allies

51. Formal and excellent training in hacking / cracking systems

52. Financial funding and rewards for success to anyone

53. Russian Business Network and other organized crime

54. The East has a plan is is doing well

58. Building secure microprocessors with a secure operating system that runs on those chips

59. National connectivity is designed to move through ”gateways”

62. National communications infrastructure a disadvantage – nearly 100% privately owned

63. Capabilities largely from large US security firms that will not cooperate well

64. Successes: Trojan hardware, communications intercept

66. The security industry in general sees an opportunity to resolve long standing issues.

67. Members of the security industry got together to form a ”community” driven effort to cross contaminate and share information to induce improvements and knowledge sharing.

69. Debate rages on who should be the top dog: person, agency, budget authority: lots of dialogue and posturing

70. Security vendors see wash of funds and line up with their suits on

71. The security community suddenly sees the need to help people to understand where we are and what is going on.

73. we may have ”the capabilities” we need, but can we mobilize and utilize them? In time?

74. it should be ”self-evident” that we both need and want to improve our footings

75. The US faces a more difficult task in cyber defense than others due to network design, laws, and other issues.

77. Who does what?

79. Can we define the problems?

82. When can the military ”shut down” domestic ISPs?

83. Does the Constitution allow for the government to ”take control” of the cyber security issue for everyone or just itself?

86. When will I be safe?

89. OWASP - Open Web Application Security Project

90. NIST.gov / Mitre.org

91. iBlocklist.com

92. OpenDNS for small business and consumers

93. Numerous web sites with links to resources... the pieces of the puzzle are out there

94. We are the most innovative people on the planet...

97. China's new wall has limited ex-filtration from the country and therefore, sources of attacks cannot easily be determined as they are aliased. Infiltration is shut down by shutting down the gateways. A comprehensive strategy exists in China. The US, not so much.

98. US law and constitutional issues should prevent the ”solution” from being a government owned and operated entity. However, all seem to be looking to the government for ”the solution”.

99. If the business community / private sector is the solution...

101. The big security companies actively suppress the smaller companies via a multitude of means. This harms innovation. They are also not buying innovation from the smaller companies so they are simply shutting the other guys out.

102. Not Invented Here (NIH) - Anybody else's products are crap.

103. Turtle Complex - all issues within an organization must be concealed to prevent embarrassment or worse... questions.

104. Hollywood Simplex I - if you are a security vendor at a client, you are the only one doing anything of value. The others are there to try to steal your spotlight.

105. The Kids Clubhouse - if you are not a part of the *con speakers and/or attendees club then obviously you know nothing about security. Only people that attend or speak at conferences know anything worth while.

106. Power User Macho - even if you really have little understanding about what is going on: be aggressive. Ignorance is best concealed behind a good offense.

107. Megalomania - with this security product / concept / method - I shall rule the world. All others shall bow to me. Ah ha ha ha ha ha.

109. Little collaboration combined with the stiffling of innovation = bad day for US.

111. If people find out our problems I might lose my job... "So we are fine."

112. We don't do anything with jet fighters, therefore our problems are much smaller and very different.

113. We can't solve every problem, so we will focus on responding to the stuff that hits us. We will react to issues as they come up.

114. We don't want to work with other companies. We want attackers to leave us alone and attack them. Our strategy is displacement.

115. Alphabet-soup - even though the letters and credentials have no track record of success. It is still mandatory. Letters are cool.

116. Job-dutious-abandoness - the more security stuff I/we do, the more likely it is to catch someone's eye and embarrass me/us. Wait for something bad, jump in and be a hero. Leaders are often shot in the back.

118. Most programmers do not know how to secure code.

119. Most companies don't allocate resources to security testing

120. Most ”outsourced and off-shored” projects are never reviewed for security. That ends up biting us in the... e.g. FBI, RNC

121. Controversial Assertion by me: ”Trusted Computing” is a fallacy

122. Public Key / Private Key: PKI failed and has multiple defeats (SHA1)

124. Our enemies are more patient than we are

126. Our business' can see only one year at a time. This limits real or focused results.

127. Cloud computing companies offer outstanding local attack centers.

128. No such thing as an objective measurement or standard.

129. Folks in government ”have to spend to much time and money” to test any new technology. Slows adoption or even sensible change.

130. Breaches are so frequent, coupled with the very real problem of lingering infections from prior breaches, that quantifying and eradication of threats is nearly impossible.

131. The sophistication of the attackers vs. our ability to defend is definitely a knife to a gunfight scenario.

133. Political football

134. More of the same

135. US becomes a distant third, 4th?

137. Better co-operation in the security industry

138. Large coalitions of collaborators (geocentric?)

139. A ”caustic cauldron” for security testing (community based)

142. Needs to be able to order ISP shutdowns, blocking of aggressors, and real time intelligent identification of aggressors in times of emergency / crisis

143. May regulate by sector

146. Small players – collaborate, continue your innovation, evangelize

147. Big players – innovate or buy, stop the stifle, sub-contract

148. Government – national testing labs (caustic cauldron) , don't go to the dark side, open up the gene pool

150. White House Cyberspace Policy Review - http://www.cwfi.us/index.php?option=com_docman&task=doc_download&gid=2&Itemid=92

151. Cyber Attacks Against Georgia: Legal Lessons Identified - http://www.carlisle.army.mil/DIME/documents/Georgia%201%200.pdf

152. OWASP - http://www.owasp.org

153. Dark Reading - http://www.darkreading.com

154. Packet Storm - http://packetstormsecurity.org/

155. Security Lists - http://www.seclists.org

156. Sickurity - http://www.sickurity.com/

157. SANS TOP 25 Most Dangerous Programming Errors - http://www.sans.org/top25errors/

159. 2001 – Report to Congress on Cyber warfare - http://www.fas.org/irp/crs/RL30735.pdf

160. Estonia Cyber Defense Center of Excellence - http://www.ccdcoe.org

161. Searchable NIST Common Vulnerability Enumeration Database - http://www.livesquare.com/portal/cve.asp - FREE

162. Common Attack Pattern Enumeration and Classification - http://capec.mitre.org - FREE

163. LiveSquare's Daily Security Bulletin - http://www.livesquare.com/portal/dsb.asp – FREE to you!

165. Thank you Arizona Security Practitioners Forum

166. Thank you for coming!

167. I thank those of you who have decided to participate moving forward and look forward to your contributions.