Counterintelligence and Cyber Security
06/21/15 Category: Thoughts
Cyber security could borrow some tricks from the counterintelligence techniques used against terrorism.
I recently read a book by Blake Mobley titled "Terrorism and Counterintelligence: How Terrorist Groups Elude Detection (Columbia Studies in Terrorism and Irregular Warfare)", available from Amazon.
What struck me as interesting was how little of what has been learned from fighting terrorism is being applied to threats in the cyber security field. In the book Blake introduces concepts like:
- Controlled territory
- The adversary's counterterrorism capabilities
- The common practice of compartmentation (segmentation in the digital networking world)
- Covert manipulation
- The impact of popular support
Blake defines counterintelligence as the process or constellation of activities, analysis and decision-making that a group engages in to prevent adversaries from acquiring accurate information about its actions, personnel and plans. Counterintelligence has three subprocesses: basic denial, adaptive denial and covert manipulation.
Basic denial consists of activities that prevent information from passing, intentionally or unintentionally, from the group to the adversary. Adaptive denial includes the investigation and interrogation of suspected spies. Covert manipulation consists of activities that feed an adversary false information.
Rather than relying on the government to do all of these tasks, we should divide the work and take on some of that responsibility in industry.
Let's start with what appears to be the easiest one: controlled territory. Let me begin with the appalling job we've done within corporate networks on this simple task. Almost every breach is the result of failing to control territory in terms of cyber defense and cyber detection. Today that control consists of hard edges (perimeter firewalls) and almost nothing within the borders. The NSA seems to be taking a flawed approach by using metadata to track communication, and it wants to extend its controlled territory into private corporate networks. I think not! We need to control our own private networks. The technology exists to know, within our logical networks, exactly which devices and which people (as defined by logins) are at each location, yet few companies can answer the most basic questions:
- How many devices are on your network right now?
- What devices are they?
- Where are they?
- Who is using them?
- How secure (compliant) is each one?
- What programs is each device running?
- What IP addresses are they communicating with?
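The questions above are answerable by joining sources most networks already have: DHCP leases (which device, where), authentication events (who), endpoint-agent reports (compliance, running programs) and flow records (what it talks to). The following is an added example, not code from the post or from Blake Mobley's book; the four sources, their field layouts, the hostnames, MACs and addresses are all constructed for the illustration and match no vendor format. It builds one inventory record per device and then lists the devices that fail a basic control check (no agent report, non-compliant, no known user, or talking to addresses outside the assumed internal range).

```python
"""Build a device inventory by joining constructed log sources.

Added example: every source below (DHCP leases, authentication events,
endpoint-agent reports, flow records) is constructed inline and its field
layout is an assumption for this illustration, not any product's format.
"""
import ipaddress

# Constructed sample data: who holds a lease, who logged in, what the agent saw.
DHCP_LEASES = [
    # (mac, ip, hostname, switch port / physical location)
    ("aa:bb:cc:00:00:01", "10.1.10.21", "ws-finance-01", "bldg-a/floor-2/sw01:gi1/0/3"),
    ("aa:bb:cc:00:00:02", "10.1.10.22", "ws-finance-02", "bldg-a/floor-2/sw01:gi1/0/4"),
    ("aa:bb:cc:00:00:03", "10.1.20.40", "unknown-device", "bldg-b/floor-1/sw03:gi1/0/12"),
]
AUTH_EVENTS = [
    # (user, hostname the user logged in to)
    ("alice", "ws-finance-01"),
    ("bob", "ws-finance-02"),
]
AGENT_REPORTS = [
    # (hostname, compliant with policy, running programs)
    ("ws-finance-01", True, ["outlook.exe", "excel.exe"]),
    ("ws-finance-02", False, ["outlook.exe", "teamviewer.exe"]),
]
FLOW_RECORDS = [
    # (source ip, destination ip)
    ("10.1.10.21", "10.1.5.5"),
    ("10.1.10.22", "203.0.113.7"),
    ("10.1.20.40", "198.51.100.9"),
]
# Assumed internal address space for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_inventory(leases, auth, agents, flows):
    """Return {hostname: record}; the record answers the seven questions."""
    inv = {}
    for mac, ip, host, location in leases:
        inv[host] = {"mac": mac, "ip": ip, "location": location,
                     "users": set(), "compliant": None, "processes": [],
                     "peers": set(), "external_peers": set()}
    for user, host in auth:
        if host in inv:
            inv[host]["users"].add(user)
    for host, compliant, procs in agents:
        if host in inv:
            inv[host]["compliant"] = compliant
            inv[host]["processes"] = list(procs)
    by_ip = {rec["ip"]: host for host, rec in inv.items()}
    for src, dst in flows:
        host = by_ip.get(src)
        if host is None:
            continue  # traffic from an address we hold no lease for
        inv[host]["peers"].add(dst)
        if not is_internal(dst):
            inv[host]["external_peers"].add(dst)
    return inv


def find_gaps(inv):
    """Devices that fail the basic control questions, with the reasons."""
    gaps = {}
    for host, rec in inv.items():
        reasons = []
        if rec["compliant"] is None:
            reasons.append("no endpoint agent report")
        elif not rec["compliant"]:
            reasons.append("non-compliant")
        if not rec["users"]:
            reasons.append("no known user")
        if rec["external_peers"]:
            reasons.append(f"talks to external {sorted(rec['external_peers'])}")
        if reasons:
            gaps[host] = reasons
    return gaps


if __name__ == "__main__":
    inventory = build_inventory(DHCP_LEASES, AUTH_EVENTS, AGENT_REPORTS, FLOW_RECORDS)
    print("devices on network:", len(inventory))
    for host, reasons in find_gaps(inventory).items():
        print(host, "->", "; ".join(reasons))
```

With the constructed data, ws-finance-01 passes every check, ws-finance-02 is flagged as non-compliant and talking to an external address, and unknown-device is flagged on three counts at once, which is exactly the device an intruder would have brought in. The join key here is the hostname from the lease; in practice the MAC or the agent's device identifier is a more reliable key, since hostnames are self-reported.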
Blake mentions that controlling territory is the most important item, and I have to agree. If we know all of the above, we have a great head start. The other important item is our ability to detect and respond quickly. That alone is reason enough not to make the government the first line of defense. Being fast, nimble, responsive, effective and persistent is not what government is ideally suited for. We can and ought to do that within our industries. We have the technology, but we have to make controlling territory a top priority. It is also simple for us to use compartmentation, but we need to understand the importance of more granular compartmentation than just a trusted inside and an untrusted outside.
In reality, we haven't controlled territory within company networks, and the government's emphasis on metadata collection has led to a lack of popular support for it. This in turn leaves our cyber enemies with superior communications security, physical security and counterintelligence vetting.
Furthermore, within industry we need to focus on basic denial: keeping information about our networks, people and plans from leaking to the adversary in the first place.
Our government should focus its resources on adaptive denial activities. It's unfortunate, really, that the NSA has chosen to rely so heavily on passive tapping techniques rather than good old spycraft and instilling mistrust and paranoia in our adversaries. Because of invasive data collection, we are losing popular support, not to mention hampering US businesses that try to provide trusted solutions to the rest of the world. It's the age-old lesson of relying on technology instead of human assets and spycraft.
I believe government and industry both need to tackle covert manipulation, including activities that cost our adversaries time and make them reveal their presence. We can do that quite well within corporate networks, somewhat like a reverse social engineering approach, and government could play a role on the larger networks together with the service providers.
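Inside a corporate network, the cheapest form of covert manipulation is the decoy: a credential, share or hostname planted where an intruder rummaging through the network will find it, that no legitimate user ever touches. Any use of it is a signal, and even a failed attempt counts. The following is an added example, not code from the post or from Blake Mobley's book; the decoy names, the syslog-like line format and the sample log lines are all constructed for the illustration. It parses the constructed lines and reports every touch of a decoy, grouped by the source address so one probing host surfaces once.

```python
"""Detect use of planted decoy (canary) identities in constructed auth logs.

Added example: the decoy names, the log line format and the sample lines are
constructed for this illustration and match no particular product.
"""
import re

# Decoys planted where an intruder would find them: a "service account" left in
# a readable config file, and a hostname mentioned in an old README that nothing
# in production ever resolves.
CANARY_ACCOUNTS = {"svc_backup_legacy", "sql_admin_old"}
CANARY_HOSTS = {"fileserver-archive.corp.example"}

# Constructed syslog-style lines (format assumed for this example).
SAMPLE_LOG = """\
2015-06-20T22:14:03Z auth sshd: Accepted password for alice from 10.1.10.21 port 51234
2015-06-20T22:15:11Z auth sshd: Failed password for svc_backup_legacy from 10.1.20.40 port 40022
2015-06-20T22:15:13Z auth sshd: Failed password for svc_backup_legacy from 10.1.20.40 port 40023
2015-06-20T22:16:40Z dns resolver: query A fileserver-archive.corp.example from 10.1.20.40
2015-06-20T22:17:02Z auth sshd: Accepted password for bob from 10.1.10.22 port 51300
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<src>\S+)")
DNS_RE = re.compile(
    r"^(?P<ts>\S+) dns resolver: query \S+ (?P<name>\S+) from (?P<src>\S+)")


def parse_line(line):
    """Turn one constructed log line into an event dict, or None if unrecognised."""
    m = AUTH_RE.match(line)
    if m:
        return {"ts": m["ts"], "kind": "auth", "user": m["user"],
                "src": m["src"], "result": m["result"]}
    m = DNS_RE.match(line)
    if m:
        return {"ts": m["ts"], "kind": "dns", "name": m["name"], "src": m["src"]}
    return None


def find_canary_hits(log_text, accounts=CANARY_ACCOUNTS, hosts=CANARY_HOSTS):
    """Every touch of a decoy is a hit: decoys have no legitimate user, so a
    failed login is as interesting as a successful one."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "auth" and ev["user"] in accounts:
            hits.append((ev["ts"], ev["src"],
                         f"decoy account {ev['user']} ({ev['result'].lower()})"))
        elif ev["kind"] == "dns" and ev["name"] in hosts:
            hits.append((ev["ts"], ev["src"], f"decoy host {ev['name']} looked up"))
    return hits


def suspicious_sources(hits):
    """Group hits by source address so one host probing several decoys surfaces once."""
    by_src = {}
    for ts, src, what in hits:
        by_src.setdefault(src, []).append((ts, what))
    return by_src


if __name__ == "__main__":
    for src, events in suspicious_sources(find_canary_hits(SAMPLE_LOG)).items():
        print(f"{src}: {len(events)} decoy touches")
        for ts, what in events:
            print("  ", ts, what)
```

On the constructed lines, alice and bob produce nothing, while 10.1.20.40 is reported three times: two failed logins as the planted service account and one lookup of the decoy hostname. The value of the technique is the near-zero false-positive rate; the cost to the adversary is the time spent chasing credentials and hosts that lead nowhere, which is the "cost them time and make them show themselves" point above.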
I look forward to the day when we use good old spycraft rather than sheer technological prowess to combat our digital enemies.