
CSFI_article_Spring2015

Defense in the Age of Cyber-Warfare: the Cyber Security Forum Initiative

Amanda Fortner | Editor, United States Cybersecurity Magazine

Paul de Souza was the Chief Security Engineer for AT&T when he started noticing that the cyber-attacks he saw out in the field were changing, transitioning from what we think of as “traditional” cybercrime – done for money, information, or just “the lulz” – to something far more potent: attacks that were political in nature, and sometimes even sponsored by domestic or foreign governments. Intrigued, de Souza went looking for more information, and found very little. The lack of available information on the topic, and the dearth of communication between the experts in the field, inspired him to start a public forum on LinkedIn – what would eventually become the Cyber Security Forum Initiative (CSFI), with nearly 50,000 members from more than 150 countries.

United States Cybersecurity Magazine | www.uscybersecurity.net

CSFI came about in a particularly interesting time for cybersecurity and hacking: the age of Stuxnet. Discovered in June 2010, the Stuxnet worm attacked and badly damaged the PLCs (programmable logic controllers) of many of Iran’s nuclear centrifuges, setting the country’s nuclear development program back heavily. Due to the Iranian government’s reticence, the extent of the damage has not been fully defined, but some estimates put the worm as having ruined nearly one fifth of the country’s centrifuges.[1] Cybersecurity experts from dozens of countries worked together to figure out the worm’s provenance. While it has not been definitively proven, many concluded that the sophistication and scope of the attack, as well as its particularly targeted nature, pointed to the work of one or more governments, as few believed an independent hacker or group could have had the time, resources, skill, and motivation to create a worm that behaved as Stuxnet did.[2]

Experts like de Souza had been interested in the concept of state-sponsored hacking for some time, but the public nature and scope of the attack brought the issue forcefully into the public eye. Suddenly, hacking was not just something that lived on the Internet, a crime on the level of vandalism committed by “some high school or college-aged kid living in his mom’s basement who could deface the main webpage of the local community college,” as de Souza said. It had even gone beyond “more sophisticated threats to society like identity theft or financial fraud via insecure websites.” In forming CSFI, de Souza realized that “cyberspace had quickly become a war-fighting domain, just like land, air, space, and sea.”

The concept that hacking and cyber-attacks can have effects not just on computers and the Internet, but on physical spaces and infrastructure, has made cyber-warfare a hot topic among not only cybersecurity professionals, but anyone who uses electricity, running water, and Bluetooth – which is to say, pretty much everyone. De Souza cautions that it’s more important than ever to focus on this topic, as “the way cyber can be used to cause real effect in the physical domain as a precise weapon system that can be acquired by any nation on earth at a very low investment” means we have, in effect, entered a new arms race: nations scramble to pick up exploits and zero-day vulnerabilities that can be held in reserve for strategic use – or retaliation. Given that attacks like Stuxnet can be used to affect industrial and public infrastructure, such as the power grid or manufacturing equipment, cyber-warfare can have far-reaching real-world consequences for even private citizens of the nations waging silent war in cyberspace.

The issue is not going away anytime soon: as de Souza cautions, “Asymmetric warfare will not stop growing; it is here to stay.” The growth and prevalence of the Internet of Things, and its increasing permeation into every aspect of our lives, means that attacks have the potential for more and more real-world consequences. In 2013, white-hat hackers Charlie Miller and Chris Valasek were able to control the speed and braking functions of a car using a computer connected to its On-Board Diagnostic System.[3] Nearly two years later, many cars are so much more connected that Senator Edward Markey warned in a report to the Senate Commerce Committee in February that it was theoretically possible for not just speed and braking, but also steering and other critical functions to be remotely hijacked.[4] It’s not hard to imagine the serious damage that could be done by determined, directed bad actors who can control the critical functions of millions of cars.

The shift from money- or achievement-motivated hacking to targeted, government-sponsored attacks is a real point of concern for de Souza and for his forum members, who come from a wide variety of backgrounds: CSFI draws its members from the public and private sector, military and businesses large and small. Eventually the foundation grew so large that it was divided, at the request of some of its partners, into two divisions: CSFI-CWD (Cyber Warfare Division) and CSFI-LPD (Law and Policy Division). The divisions allowed members to focus on the projects and issues most important to them, sharing information, advice, and solutions among those in their own fields. Because both divisions are still under the umbrella of CSFI, however, the channels of communication stay open.

The concept that cyber-attacks can affect real-world spaces as well as the Internet has made cyber-warfare a hot topic among not just cybersecurity professionals, but pretty much everyone.

Communication in the age of cyber-warfare is another focus of CSFI's. Many cybersecurity professionals have decried the siloing of information that could prevent attacks from becoming massive affairs like the Sony and Target hacks, or keep them from happening at all. One of the pillars upon which CSFI stands is collaboration, the exchange of pertinent information between the public and private sector, and agencies and businesses within those sectors that have much to gain through that exchange. “Our collaboration efforts have helped to break down stovepipes and ‘closed networks’ that exist inside government and industry to enable greater information sharing and increased capabilities,” de Souza said. “We practice what we preach and have developed a capability to collaborate on special projects involving specialists and volunteers to break down, decompose, and better understand threats and security-related issues.” These efforts manifest themselves in the form of white papers and “the development of countermeasures for unique and sophisticated cyber-attacks, and the identification of not only problems, but solutions,” de Souza explained.

CSFI’s ability to provide a platform on which its members can share ideas, intelligence, and warnings across over 150 countries is something its founder sees as being invaluable to the continued protection of the global cyber domain. “I am a firm believer in crowdsourcing and reaching out to the cyber community when looking for answers,” de Souza said. CSFI also enables its members to engage with other cybersecurity professionals through social media, conferences, workshops, and training.

One area on which de Souza is keen to focus his members’ minds is tabletop exercises, defined by Ready.Gov as “discussion-based scenarios where team members meet…to discuss their roles during an emergency and their responses to a particular emergency situation. A facilitator guides participants through a discussion of one or more scenarios.”[5] One commenter characterized tabletop exercises as something like Dungeons and Dragons for disaster preparedness. Tabletop exercises are a common tool for businesses and government agencies in developing emergency plans, and CSFI has been working to popularize the use of the TTX in cybersecurity situations – after all, a serious data breach is its own form of emergency. In using the tabletop exercise, cybersecurity professionals and warfighters can develop plans to handle both previously-encountered scenarios and zero-day attacks: hacks exploiting vulnerabilities that have never been seen before in the wild. Having such plans already in place before attacks occur enables experts to be ready for whatever the new cyber-warfare domain can throw at them, and to minimize the damage that may occur.

Education is another of CSFI’s priorities. One of de Souza’s main concerns about today’s cybersecurity climate is the professionals in the field “who lack basic understanding of full-spectrum cyberspace operations and the complexities of the cyberspace environment, as well as planning, organizing, and integrating cyberspace operations.” To that end, CSFI has launched several educational initiatives, aimed at various elements of the public and private sectors. These efforts draw inspiration from the words of Major General Daniel O’Donohue, Commanding General for the U.S. Marine Corps Force Cyberspace (MARFORCYBER): “We believe the solutions to our shared problems in cyberspace revolve around our people, and not systems. However, we must provide our workforce the training, tools, and resources they need to defend our nation.”[6]

CSFI has also partnered with Capitol Technology University to increase professional awareness, proficiency, and certification. “There is a global demand for more qualified cyber security professionals,” said Dr. Michael T. Wood, President of the University. “To address this need, Capitol and the CSFI will work to educate and train individuals and award them credits towards certifications and masters and doctoral degrees in information assurance at Capitol.”[7] Professionals and students can undertake ICWOD and DCOE training, providing them with transfer credits towards masters and doctoral-level courses in Information Assurance at the University.

CSFI develops its training efforts collaboratively with qualified members of the Initiative who possess relevant skills, education, and experience, both from the public and private sectors. In terms of cyber warfare, some of the training initiatives have included “cyberspace operations methodologies, the integration of cyberspace capabilities, the role of Information Assurance in cyberspace operations, training and developing the cyber workforce, and designing cyber-related organizations,” de Souza said. Each of these topics could be its own foundation; CSFI’s global reach and scope enables it to tackle these concepts, and others, and provide relevant information and training to all of its members and more.

From his experience both as a cybersecurity industry professional and as CSFI’s founder, de Souza has taken the pulse of the cybersecurity landscape, a vision that he shares with his members and with anyone in the general public for whom cybersecurity is a necessity – which is to say, in today’s connected age, everyone. “Minimize the threat surface,” de Souza advises. “You cannot completely eliminate the threat, but you can minimize the risk. Be creative! Understand the environment, shape it to your advantage, and stay operational. Stay current, and never stop learning.” De Souza encourages sharing important information and collaborating with others in order to catch vulnerabilities before they become large-scale breaches, but he urges caution when doing so: “When sharing vulnerabilities, please make sure to also share the countermeasure or workaround. There are many ways of sharing information, from open-source to classified means, but no matter the medium, always be aware that no system is 100 percent secure. Practice good security standards for transmitting information and also maintaining data at rest.” A little bit of incaution from cybersecurity professionals, even with good intentions, can become a big problem for everyone from end users to entire governments.

From Stuxnet to Heartbleed, Target to Home Depot, the world is gradually waking up to the concept that cybersecurity is important for everyone. Organizations like CSFI work to enable the transfer of information in a trickle-down fashion: the more industrial sysadmins, white-hat hackers under government auspices, private security researchers, and others can communicate important information and collaborate on research and development, the more cybersecurity will become incorporated into our daily lives. The increased visibility and impact of cybersecurity incidents mean that private individuals are starting to realize that cybersecurity should be a priority for them too: poor net hygiene or a successful phishing attempt can lead to public embarrassment, as in the case of the iCloud breach that led to the exposure of thousands of private celebrity photos, and financial ruin, as anyone who’s ever had their credit card information stolen can tell you. As we live more and more of our lives digitally, it becomes more important than ever to listen to what cybersecurity researchers have to say, and demand more information on how to protect ourselves in the future.

De Souza sees maintaining security as “a journey and not a destination. One of the main issues I see in the cyber domain is the illusion of many that cyber can offer people a quick shortcut to wealth and fame. There is a price to pay, and many want the cyber title but are not willing to do the work it takes to really make a difference in this operational domain we call cyber. We are our own main obstacle.” CSFI tackles this obstacle through collaboration, knowledge-sharing, training, and education. In a world where cybersecurity is more important than ever, CSFI is a leading light in guiding the global domain of cyberspace towards a place of greater safety and cooperation.

Sources

[1] Kelly, Michael B: “The Stuxnet Attack On Iran’s Nuclear Plant Was ‘Far More Dangerous’ Than Previously Thought.” BusinessInsider.com, November 2013. <http://www.businessinsider.com/stuxnet-was-far-more-dangerous-than-previous-thought-2013-11>

[2] Gross, Michael Joseph: “A Declaration of Cyber-War.” VanityFair.com, April 2011. <www.vanityfair.com/news/2011/04/stuxnet-201104>

[3] Goodin, Dan: “Tampering with a car’s brakes and speed by hacking its computers: A new how-to.” ArsTechnica.com, July 2013. <arstechnica.com/security/2013/07/disabling-a-cars-brakes-and-speed-by-hacking-its-computers-a-new-how-to>

[4] Goodin, Dan: “Senator: Car hacks that control steering or steal driver data way too easy.” ArsTechnica.com, February 2015. <arstechnica.com/security/2015/02/senator-car-hacks-that-control-steering-or-steal-driver-data-way-too-easy>

[5] Ready.Gov: “Exercises.” <www.ready.gov/business/testing/exercises>

[6] Major General Daniel O’Donohue: “Cyber Operations: Improving the Military Cyber Security Posture in an Uncertain Threat Environment.” Congressional Hearing Rayburn HOB-2118, March 2015. <www.csfi.us/?page=training>

[7] Capitol Technology University: “Capitol Technology University Partners with the Cyber Security Forum Initiative (CSFI).” CapTech.edu, October 2014. <http://captechu.edu/news-events/news-headlines/1925>

About Paul de Souza

Paul de Souza is the Founder and President of CSFI (Cyber Security Forum Initiative) and its Cyber Warfare and Law and Policy Divisions. Mr. de Souza has over 15 years of cyber security experience and has worked as the Chief Security Engineer for AT&T, where he designed and approved secure networks for MSS (Managed Security Services).

He serves as an advisor for the MCPA (Military Cyber Professionals Association), Federal Director of Training and Education for Norman Data Defense Systems, and as a CENTRIC (Centre of Excellence in Terrorism, Resilience, Intelligence & Organized Crime Research) Visiting Researcher at Sheffield Hallam University in the UK. Mr. de Souza is a recipient of the Order of Thor Medal and is a Visiting Research Fellow at the National Security Studies, Tel Aviv University, Israel (INSS) - Cyber Security and Military & Strategic Affairs Programs. He also teaches Cyber Defense Strategies at George Washington University. Mr. de Souza has consulted for several governments, military organizations, and private institutions on best network security practices. He is a co-author of the book Strategic Intelligence Management (National Cyber Defense Strategy).

Learn more about CSFI and how you can support their mission at www.csfi.us.
