Stories‎ > ‎

Healey Untweeted

posted May 14, 2016, 4:42 AM by Michael Lenart   [ updated May 21, 2016, 7:36 PM ]

Introduction by Cyber Editor-in-Chief, Michael Lenart

Jason Healey, a world-renowned cyber expert, is a member of the Military Cyber Professionals Association’s Board of Advisors and is the President of the Cyber Conflict Studies Association. He’s a Senior Research Scholar at Columbia University's School of International and Public Affairs and is also a Nonresident Senior Fellow at the Atlantic Council. He is the editor of A Fierce Domain: Conflict in Cyberspace, 1986 to 2012, the first-ever history of cyber conflict. He has published over a hundred articles and essays in various publications. These accomplishments only begin to capture his full body of work and experience.  Perhaps most importantly for readers of this magazine, in 1998 he became a plankholder of the first joint cyber command, the Joint Task Force-Computer Network Defense.

Mr. Healey has agreed to an interview of sorts for Cyber magazine. But in tribute to the magazine’s cherished domain, rather than using a standard Q&A format, the “interviewer” will serve up recent tweets from Jason, and ask him to elaborate beyond 140 characters what he had in mind when he posted each tweet.


Without further ado…


 

@Jason_Healey tweets:

“Ukraine power attack: goo.gl/ucTpRI (1/2)

1) Phishing drops BlackEnergy3

2) 6 months recce

3) Log into ICS w/ stolen VPN creds”

and 

“Ukraine power attack: (2/2)

4) Pull breakers from HMI

5) Disconnect UPS & DDoS phones to slow restoration

6) KillDisk to wipe traces”


One of the great military cyber professionals, Rob Lee (@RobertMLee), was extensively quoted in this article at Dark Reading. [1]  What really struck me about the explanation in the piece was how clearly it walked the reader through the exact steps the attackers used to take down the Ukrainian power grid late in 2015.  We rarely get the details of such an attack described in enough detail.  The piece was written so well, I guessed that if I could compress those six steps into a tweet or two it’d be a hit.



@Jason_Healey tweets:

“US indicting state-backed Iranians for accessing, not disrupting, infrastructure. Puts TAO & IOC operators at risk for similar indictments?”

Generally, I’ve been a fan of sanctions and indictments which have actually had far more effect than we’d have guessed beforehand.  Indicted entities will likely never see the inside of a US courtroom, but that isn’t the only reason to use them as a national security lever. They do seem to influence behavior of nations, organizations and individuals.  Certainly not enough to lead to victory on their own, but also certainly more than expected.  Indictments and sanctions against those involved in commercial espionage against the United States or disrupting critical infrastructure makes good sense and align with the norms proposed by Secretary of State Kerry. 

The United States went too far, though, when they indicted Iranians not just for conducting DDoS attacks on US banks, but also for intruding into the Bowman dam in New York.  The indictment does not even allege that the Iranian operator tried to cause any damage, just that he gained illegal access to the dam.  

This is not against any norms, and is in fact what US cyber operators conduct all the time under names like “operational preparation of the environment” or “intelligence preparation of the battlespace.”  This is how you conduct reconnaissance, construct a target folder, gain prolonged access, and be sure the target is at risk.  The United States should not have criminalized what is essentially intelligence or military activity.  

We have so far been lucky that, after the indictment of PLA cyber officers, no pioneering European judge issued an indictment against General Keith Alexander or other senior intelligence official.  If it becomes normal for criminal cases to be built against cyber operators for simply gaining access to a target, then all military cyber professionals have reasons to be nervous.

 

@Jason_Healey tweets:

"Diplomacy is analog not digital. US still wins in cyber deal if China commercial espionage is 'less but not zero'" [2]

Chest-pound and complain all you want, but the espionage deal between President Xi and President Obama is a win-win.  If it reduces Chinese espionage by only 5% it will be probably the single most effective countermeasure we’ve ever taken.  It cost us almost literally nothing compared to the tens of billions of dollars we dropped as part of the Comprehensive National Cybersecurity Initiative and other measures with not too many successes to show for that money. 

If Xi doesn’t live up to the deal at all- that is, no drop or even an increase in digital espionage- the United States can still win.  We now have the public and personal assurance from Xi (made not just to Obama but also Prime Minister Cameron, Chancellor Merkel, and all the other heads of the G-20 nations) to forego commercial spying.  Already leaders and citizens around the world are increasingly horrified by Chinese military operations in the South China Sea, mercantile and arrogant commercial deals, and bullying diplomats.  Even if we as cyber defenders get little reprieve, US diplomats can use Xi’s lies and distortions, if that’s what they indeed were, to continue to improve America’s overall diplomatic and national security ties with these countries. 

All the US administration agreed to do was to hold off on sanctions.  That ammo is still in the magazine and can readily be re-chambered if need be.  This deal was a smart one for the United States – if we live up to its potential.


@Jason_Healey tweets:

"In Cold War, we knew US capabilities better than adversary's. Reversed in cyber. W/ private sector intel, you & I know them better than US"

First, a comment on tweeting and the creative process.  This was a bit tougher than a normal tweet and it took me awhile to get it to this form, which I’m still not sure of yet.  Twitter is a great way to write as concisely as possible to see if your idea is actually worthy enough to stand behind.  The discipline of taking the time to craft non-ranting tweets, to refine and communicate your ideas is a great practice, especially if you’d like to get something published. 

The idea for this tweet struck me as I was unpacking and shelving some old books, including my old “Soviet Military Power” books from the 1980s.  These were an influential set of annual publications with about all the information you could really get on the Soviet military. By contrast the Pentagon was more than happy to tout their new B-1 bombers, M-X missiles, and other then-new kit, through concepts like AirLand Battle.  At the Air Force Academy in those days it was mandatory to read Red Storm Rising by Tom Clancy to understand how this all was supposed to come together. 

In some ways we’re in the reverse situation now in cyber.  Because of the threat intelligence companies, we know an extensive amount about Chinese, Russian, and Iranian cyber operations and capabilities.  Take a look at, for example, the reporting from Crowdstrike or Mandiant and learn about countless different cyber operations groups: their skills, toolsets, modus operandi, target sets, and even photos of the operators. 

True, we do know a fair amount about broad US organizations (Cyber Command, 10th Fleet and such) but we hardly know a thing of how these organizations train or equip, how they operate today or might in wartime, their past or current operations. There is far more secrecy about us than about them! 

One particular reason why this is true is implied in another tweet: 


@Jason_Healey tweets:

"Too often, when US takes inbound cyber attacks, govt testifies on horror & escalation. Then classify & dissemble our own, outbound attacks"

How well could we understand the Cuban missile crisis if we’d never learned that the United States had put medium-range missiles in Turkey, which helped spark the incident? Knowing the full set of facts allows us to not just see a dangerous Soviet move, but understand the dynamics of escalation early on in the nuclear age.

Unfortunately this is extremely difficult in an age of cyber competition between the big powers.  Any time you hear senior officials or officers talk about how our country is under constant cyber attack, remember they are leaving out what we’re doing to our adversaries.  They almost always scream about how horrid are the attacks we face but whisper, at best, that we’re giving just as much as we’re getting.  Possibly they just don’t know, because of classification; possibly they are trying to make us angry or afraid, seeking higher budgets, or decreased thresholds for shooting back. 

Have no doubt, the United States has often thrown the first punch in cyber conflict and has been every bit as active in cyber espionage as other nations.  Don’t believe me?  Just look at the contortions trying to talk about Stuxnet.  CYBERCOM Commander Admiral Michael Rogers had to sidestep a question about Stuxnet as the game-changer it clearly was, to emphasize the horror of the Iranians launching Shamoon.  He did not mention, because US officials never do, that the Iranians had suffered a nearly identical Wiper attack (probably from Israel) on their own energy industry just weeks before.  Shamoon, rather than a game-changing and escalatory attack, seems to have been a relatively proportional response to an earlier escalatory affront to their own systems.

Until we analyze both our actions and our adversaries – just as we had to in the nuclear age – we will not get our arms around cyber escalation, deterrence, and other key dynamics.


[1] "Lessons From The Ukraine Electric Grid Hack," K.J. Higgins, darkreading.com
[2] “Even if flawed, cybertheft deal with China a win for Obama,” J. Healey, CSM Passcode



On behalf of Cyber magazine, I'd like to thank Mr. Healey for taking time out of his extremely busy schedule to share his thoughts with us. His expertise, candor, and inimitable style do much to advance an informed dialogue that benefits all cyber professionals.
M. Lenart
Editor-in-Chief