FBI Warns How to Keep Hackers From Causing Chaos at the Gas Pumps

The Federal Bureau of Investigation seems to be trying to get ahead of the so-called cyber attack business, and has issued some warnings about how to keep hackers from causing chaos at the gas pump and other similar tips:

The Defense Advanced Research Projects Agency in 2011 launched a program to help make “the code behind the physical control systems of an airplane or self-driving car,” for instance, “become mathematically, provably unhackable,” Carter said at a future technology forum hosted by the agency.

“DARPA’s already made some of that source code openly available online – it can give the Internet of Things a critical foundation of cybersecurity, which it’s going to need,” he said.

By 2020 there will be 250 million Internet-connected vehicles on the road, according to Gartner. A Wired journalist a few months ago had private researchers remotely kill the transmission of a Jeep on a St. Louis highway — while he was sitting in the driver’s seat.

Intel Establishes Automotive Security Review Board Possibly in Response to Recent Jeep Attack

Intel is attempting to take the industry lead in Internet of Things (IoT) cyber security, and as part of that effort has established a new automotive security review board:

The ASRB researchers will perform ongoing security tests and audits intended to codify best practices and design recommendations for advanced cyber-security solutions and products to benefit the automobile industry and drivers.

Gartner predicts there will be 150 billion connected vehicles on the road by 2020. The transition to a more connected world is exciting and requires that cyber security be addressed.

“Just like with any connected system, there’s no perfect security. But we can raise the bar against cyber-attacks in automobiles,” said Chris Young, senior vice president and general manager of Intel Security. “With the help of the ASRB, Intel can establish security best practices and encourage that cyber-security is an essential ingredient in the design of every connected car. Together we can manage the complexity more quickly and deliver solid cyber-security solutions.”

Disclosure: I work for Intel Security.

OPM Response to Massive Breach Is Being Challenged by the Inspector General

The Office of Personnel Management’s response to its recent massive breach is once again being challenged by the Inspector General, who warns that OPM is not taking enough corrective action to prevent future

It said that as a result, the process to identify existing systems, evaluate their technical specifications, determine requirements, and estimate costs of moving the data into a more secure environment still has not been completed. Nor is there support for OPM’s belief that some of the cost of moving the data can be funded through discontinuing obsolete software, it said, calling OPM’s plan to find the rest of the funding from other accounts “inadequate and inappropriate.”

“Without this rigorous effort, we continue to believe that there is a high risk of project failure,” it said.

OPM also had rejected the IG’s recommendation to adopt industry best practices for planning such a project, saying it was following its own policies based on government standards. But the IG said that “based on documentation we have reviewed, we have determined that OPM is not in compliance with either best practices or its own policy.”

It noted that since the first report, former OPM director Katherine Archuleta had resigned under pressure and a Senate committee rejected a bid to add funding for the project even while backing extending the services to the victims. “In such a turbulent environment, there is an even greater need for a disciplined project management approach to promote the best possibility of a successful outcome,” it said.

Knowing how the government responds in these types of situations, I cannot say I am surprised. This sounds like business as usual.

DNI Suggests Conducting Cyber Attacks Leads to Little to No Penalties for the Perpetrators

US Director of National Intelligence James Clapper suggests that the current global norms around conducting cyber attacks lead to little to no penalties for the perpetrators:

James Clapper, the nation’s top intelligence official, told the House intelligence committee that a muted response to most cyberattacks has created a permissive environment in which hacking can be used as a tool short of war to benefit adversaries and inflict damage on the United States.

“Until such time as we do create both the substance and the mindset of deterrence, this sort of thing is going to continue,” Clapper said, speaking specifically about the recently revealed hack of federal personnel information linked to China in which personal data on some 22 million current and former U.S. government employees, contractors, job applicants and relatives was stolen. “We will continue to see this until we create both the substance and the psychology of deterrence.”

The administration has yet to act in response to the OPM hack.

Last May, the Justice Department issued criminal indictments against five Chinese military hackers it accused of cyberespionage against U.S. corporations for economic advantage. FBI director James Comey said at the time the spying was to benefit Chinese companies, but he neither named the companies nor took formal action against them.

Sounds like more deterrence talk, which, as I discussed, is really pointless in cyber.

Likelihood of Cyber Norms Making a Difference During a Cyber Conflict Is Infinitesimal

Even though the United States hopes to make a case for them, the likelihood of cyber norms making a difference during a cyber conflict is infinitesimal (emphasis added):

As a general rule, states develop norms to promote their interests and a norm will only spread if other states perceive it to be in their interest to abide by it. Historical examples of this are plentiful. In the late 19th century, Russia pursued constraining norms against the possession and use of chemical and biological weapons as well as strategic bombing at the First Hague Conference. Russia had failed to master these new weapons and wanted to constrain potential adversaries. Britain, on the other hand, opposed a norm restricting strategic bombing because it saw bombing as a tool to offset the relatively small size of its ground forces. As a result, the conference agreed to prohibit the “discharge of projectiles and explosives from balloons or by other new analogous methods” for a temporary period of five years while prohibiting chemical and biological weapons indefinitely. These bans lasted until the powers of the day determined it was not in their self-interest to maintain them. Britain and Germany both used chemical weapons in World War I and strategic bombing was used throughout World War II by all parties.

The requirement that states perceive a norm to be in their self-interest means that norms containing offensive cyber activity are unlikely to work. Unlike other forms of weaponry, cyber weapons are stealthy, making it difficult for planners to determine whether cyber weapons will be useful in the future. Furthermore, some states rely more on cyberspace than others, making states that are less dependent on the Internet less vulnerable to an attack. These relatively immune states will struggle to determine if constraining norms are in their interest as many states did with strategic bombing and will want to keep their options open.

It is the same thing with cyber deterrence – it just does not work. There is no way to project cyber power in cyberspace in the same capacity as can be done with conventional kinetic warfare in the other war-fighting domains. Surely the threat of a kinetic response to a cyber attack can be a deterrent, but I am talking specifically about deterrence via cyber capabilities. The possibilities exist but do not have the same effect.

US and China Doing a Lot of Cyber Attack Political Posturing

The US and China sure are doing a lot of political posturing over cyber attacks lately, especially within the US, where there is a call for sanctions in retaliation for the OPM breach (emphasis added):

The idea that the U.S. would unleash sanctions on top Chinese officials or companies in the lead-up to a presidential summit was always a long shot, despite scattered administration leaks that the sanctions were under consideration. The advance meetings suggest the U.S. is still pushing for a diplomatic resolution to Chinese hacking, but the White House was tight-lipped in its statement about whether the advance meeting yielded any tangible results — a key indication of whether diplomacy may be working or if both sides have hit another brick wall. Publicly, President Barack Obama was still talking tough on cyber as the meetings went on.

State Department Cyber Coordinator Chris Painter rushed out of an international cyber cooperation conference in New York, hosted by the East West Institute, shortly after a panel he was speaking on concluded Sept. 9 — possibly to attend meetings with Meng. He also seemed to downplay the likelihood of cyber sanctions before departing, noting during his panel that “despite what you may read in the press, the sanctions have not been used.” He also noted the sanctions will be “used in the future to address significant cyber conduct … [when] other tools really just aren’t adequate.”

The consensus among other attendees at the East West conference? Sanctions are unlikely in advance of the Obama-Xi summit at the end of this month, a dozen or so experts opined to Joe, but that doesn’t mean they’re off the table.

There will be no sanctions against China. Doing so is like the pot calling the kettle black.

US Health Insurer Excellus BlueCross BlueShield Has Been Breached and 10 Million Records Exposed to Malicious Actors

Another week, another hack. This time US health insurer Excellus BlueCross BlueShield has been breached and 10 million records exposed to malicious actors:

The initial attack occurred in December 2013, but the company did not learn about it until Aug. 5. Since then it has been working with the FBI and cybersecurity firm Mandiant to investigate the breach.

The hackers may have had access to customer records which include names, addresses, telephone numbers, dates of birth, Social Security numbers, member identification numbers, financial accounts and medical claims information.

Records may contain all or just some of that information, depending on the customer’s relationship with the company. The breach doesn’t affect just Excellus members, but also members of other Blue Cross Blue Shield plans who sought medical treatment in the upstate New York area serviced by the company.

The information was encrypted, but the attackers gained administrative privileges to the IT systems, allowing them to potentially access it, the company said on a website that was set up to provide information about the incident.

No evidence has been found yet that the data was copied or misused by the attackers.

Excellus will send breach notification letters via mail to all affected persons throughout the month and is offering free credit monitoring and identity protection services for two years through a partner.

Admiral Mike Rogers Believes the Cyber Security Danger Is Continuing to Grow and Will Only Get Worse

Director of the National Security Agency Admiral Mike Rogers believes the cyber security danger is continuing to grow and will only get worse before we start to see things begin to subside:

“Our nation is being challenged as never before to defend its interests and values in cyberspace,” Adm. Rogers said in a report made public this week. “Adversaries increasingly seek to magnify their impact and extend their reach through cyber exploitation, disruption and destruction.”

The four-star admiral is intent on moving quickly “to build our military capabilities” as the key element of “the nation’s war fighting arm in cyberspace,” according to the report, “Beyond the Build: Delivering Outcomes through Cyberspace.”

The Fort Meade, Maryland-based command, co-located with the National Security Agency that Adm. Rogers also directs, is integrating cyberwarfare capabilities into other war-fighting commands for use “when significant cyber attacks against the nation require DoD support,” Adm. Rogers stated in an introduction to the report.

The report says the United States is losing its technology edge to adversaries and competitors in cyberspace. Defense Secretary Ashton Carter confirmed the problem in a speech in St. Louis Wednesday.

“Nations like Russia and China are modernizing their militaries to try to close the technology gap and erode our superiority in every domain — air, land, sea, space and cyberspace,” Mr. Carter said in a speech. “And at the same time, our reliance on things like satellites and the Internet has led to real vulnerabilities that our adversaries are eager to exploit.”

Are we really supposed to believe the US is falling behind technologically? Surely this is propaganda designed to scare Congress into increasing NSA and USCC budgets?

US Department of Energy Successfully Compromised Over 150 Times Between 2010-2014

The US Department of Energy, the agency overseeing the US power grid, nuclear arsenal, and national science labs, was successfully compromised over 150 times between October 2010 and October 2014:

USA Today reports that 53 of the successful attacks were root compromises, meaning the attackers had administrator privileges on compromised DOE computer systems.

Of the 159 successful intrusions, 90 compromised the DOE Office of Science, which conducts energy research, and another 19 attacks compromised the National Nuclear Security Administration – the agency in charge of securing the nation’s stockpile of nuclear weapons.

The DOE disclosed a breach in July 2013 that compromised personal records of 104,000 past and current federal workers, contractors and their dependents.

But the DOE isn’t saying what data or systems may have been compromised in the other 158 breaches – that information has been redacted from the records.

A DOE spokesperson told USA Today that the agency can’t comment on investigations into the compromises or who might have been behind them.

But it’s quite possible that other nation states could be the culprits, as the US’s top cybersecurity official alluded to in a speech in Washington, DC this week.

US & Chinese Officials Meet to Discuss Cyber Security Issues

The US and China are playing cyber security politics in an attempt to solve the cyber attack issues currently plaguing both countries:

U.S. national security adviser Susan Rice had a “frank and open exchange about cyber issues” in her meeting this week with Meng Jianzhu, secretary of the Central Political and Legal Affairs Commission of the Chinese Communist Party, the White House said in a statement.

The Chinese delegation also had meetings with Federal Bureau of Investigation Director James Comey and representatives from the Justice, State and Treasury departments and the intelligence community, the statement said.

President Barack Obama said last month he would raise concerns about China’s cyber security behavior when he meets with Xi in Washington.

The Obama administration is considering targeted sanctions against Chinese individuals and companies for cyber attacks against U.S. commercial targets, several U.S. officials have said.