Incident Response as "Hand-to-Hand Combat"

NSA Deputy Director Richard Ledgett described a 2014 Russian cyberattack against the US State Department as “hand-to-hand” combat:

“It was hand-to-hand combat,” said NSA Deputy Director Richard Ledgett, who described the incident at a recent cyber forum, but did not name the nation behind it. The culprit was identified by other current and former officials. Ledgett said the attackers’ thrust-and-parry moves inside the network while defenders were trying to kick them out amounted to “a new level of interaction between a cyber attacker and a defender.”

[…]

Fortunately, Ledgett said, the NSA, whose hackers penetrate foreign adversaries’ systems to glean intelligence, was able to spy on the attackers’ tools and tactics. “So we were able to see them teeing up new things to do,” Ledgett said. “That’s a really useful capability to have.”

I think this is the first public admission that we spy on foreign governments’ cyberwarriors for defensive purposes. He’s right: being able to watch the attackers’ own networks and see what they’re preparing before they do it is a very useful capability. The Snowden documents first exposed that the NSA spies on adversary networks for defensive purposes; this is the first time an official has said so on the record.

Also interesting: another country discovered the intrusion first, and it too has offensive capabilities inside Russia’s cyberattack units:

The NSA was alerted to the compromises by a Western intelligence agency. The ally had managed to hack not only the Russians’ computers, but also the surveillance cameras inside their workspace, according to the former officials. They monitored the hackers as they maneuvered inside the U.S. systems and as they walked in and out of the workspace, and were able to see faces, the officials said.

There’s a myth that it’s hard for the US to attribute these sorts of cyberattacks. It used to be, but for the US, and for other countries with this kind of intelligence-gathering capability, attribution is not hard. It’s not fast, which is its own problem, and of course it’s not perfect; but it’s not hard.

Posted on April 7, 2017 at 8:06 AM · 44 Comments

Comments

Rob1 April 7, 2017 9:12 AM

“I think this is the first public admission that we spy on foreign governments’ cyber warriors for defensive purposes.”

Actually former NSA director Michael Hayden had already described this defensive use of offensive spying in his book, Playing to the Edge : “If it hadn’t been at NSA, the NTOC [NSA Threat Operations Center] would have been just another CIRT … But NTOC was at NSA, so it was hot-wired into a vast global SIGINT system that could send digital scouts out beyond the perimeter to identify activity and threats long before they hit the local firewall.”

Gustin April 7, 2017 9:27 AM

“There’s a myth that it’s hard for the US to attribute these sorts of cyberattacks. It used to be, but for the US — and other countries with this kind of intelligence gathering capabilities — attribution is not hard. It’s not fast, which is its own problem, but it’s not hard.”

This is dangerous. Even if attribution may no longer be a problem for those privy to the intelligence, proving attribution to the public remains basically impossible unless one is willing to burn one’s methods and sources.

Sooner or later a crippling cyberattack will hit civilian or military infrastructure in some country. Think big, something with a real hit to the population. An aggressor will be named. Would people accept to go to war over the claim by their government (or the government of an allied country) that Country X was responsible?

False flag actions have always happened; ‘we have intelligence showing Saddam has weapons of mass destruction’ is history, but at least those have a chance of being debunked after the fact. The attribution of cyberattacks is purely ‘trust us’.

Thom April 7, 2017 9:35 AM

“Is GOD usually awake at this time of night?” – quote from the hackers movie.

Brilliant film tbh.

Jarrod Frates April 7, 2017 10:03 AM

I wonder how often we’ve watched attacks unfold in other nations’ networks that we’ve infiltrated (Germany, Spain, China, Russia, etc.) and did nothing but see how it happens.

vas pup April 7, 2017 10:08 AM

@Gustin: “proving attribution to the public remains basically impossible unless one is willing to burn one’s methods and sources.” And it is very possible that sources are just moles (HUMINT sources) within a foreign country’s IC/government/cyber attack units. I have a weird feeling that all those strong claims of interference with the recent POTUS election were based on a strong HUMINT source, not technical attribution, which could NOT be disclosed for sure.
Recent disclosure of CIA technical tools to divert/hide attribution of an attack makes the final word for the HUMINT source.

You may have had different attitudes towards Mr. Obama, but he has a cool head and logically based actions, and as soon as he applied sanctions toward the RF, the US IC provided him with strong evidence (see above).

Duane Ramsdell Clarridge April 7, 2017 10:32 AM

Willing Part of the Deep State

Is it a shock that Schneier is a cheerleader for the NSA, that they always get attribution correct? He’s more than happy to mug for the camera with drone strike war criminals like Mike Rogers:

https://twitter.com/ArmyCyberInst/status/598904040655826944

Oh, and the NSA would never fabricate an attack and present it as justification for military action.

The entire establishment, Schneier included, goes into a tailspin about alleged Russian hacking while the United States has been overthrowing entire countries for decades. Hello? “ASSAD MUST GO” Does that sound familiar?

Of course, Schneier doesn’t touch these facts. He’s a cheerleader.

Elliot April 7, 2017 10:59 AM

Gustin: All knowledge of everything, not just hacking attribution, is predicated on trusting the source.

Bruce Schneier April 7, 2017 11:02 AM

“Sooner or later a crippling cyberattack will hit civilian or military infrastructure in some country. Think big, something with a real hit to the population. An aggressor will be named. Would people accept to go to war over the claim by their government (or the government of an allied country) that Country X was responsible?”

This is important. There is a big difference between being able to attribute a cyberattack and being able to publicly attribute a cyberattack. Again and again, attribution is based on secret evidence. How do you convince the public of an attribution when you can’t present the evidence?

Bruce Schneier April 7, 2017 11:03 AM

“I wonder how often we’ve watched attacks unfold in other nations’ networks that we’ve infiltrated (Germany, Spain, China, Russia, etc.) and did nothing but see how it happens.”

It’s an interesting question. My guess is that we regularly alert friendly countries, and watch and learn otherwise.

Bruce Schneier April 7, 2017 11:06 AM

“Bruce often posts anti-TLA agency stuff.”

I assure you that it’s particularly bizarre to be called “a cheerleader for the NSA.” Best to ignore the posts, though, since they’re from people who haven’t read my stuff. I’ll delete them if they get offensive.

albert April 7, 2017 12:00 PM

Beating the Attribution Drum again, eh?

Stuxnet was a serious infrastructure attack on a sovereign nation. If the tables were turned, Iran would be a smoldering wasteland by now.

Where was the criticism of Sony? Their ‘cyber-security’ wasn’t even worthy of the name. Why has the US avoided -any- attempts at mitigation of threats to private organizations? Or even governmental ones?

We’re witnessing an artificial buildup of perceived expertise in the TLAs capabilities. As long as the attacks keep coming, the attribution system gets stronger.

Political decisions have always been based on wants and needs (mostly economic), but soon military decisions will be made on the basis of alleged ‘attributions’. Then the s–t will hit the fan.

Computer security begins at home. If the US is serious about computer security, they have a funny way of showing it.

Right now, it looks like a tool in the politicians toolbox.

@Bruce,
“…How to[do] you convince the public of an attribution when you can’t present the evidence?…”

A better question might be, “Why convince the public of an attribution?”

What purpose does it serve?

. .. . .. — ….

Curious April 7, 2017 12:16 PM

@Bruce writes, “This is important. There is a big difference between being able to attribute a cyberattack and being able to publicly attribute a cyberattack. Again and again, attribution is based on secret evidence. How do you convince the public of an attribution when you can’t present the evidence?”

It is an important distinction in theory, but I don’t know that it is an important distinction in practice. Two words: yellow cake. The justification for going to war with Iraq wasn’t based on secret evidence; it was based upon publicly presented evidence that was either (a) mistaken or (b) knowingly false (depending on whether one thinks of Colin Powell as gullible or evil). In other words, I don’t think that information which is publicly disclosed is inherently more trustworthy in the public’s mind than information which is kept secret. In both cases it boils down not to whether something is said but whether one trusts the source. To be sure, public information has a better chance of being vetted for accuracy than information which is secret, but that vetting is rarely done by neutral parties, and even when it is done by neutral parties, their voice is a tiny, unpersuasive one.

So the way one convinces the public of an attribution is the same way it has always been done: lie, dissemble, make up unverifiable claims, label a stranger as an enemy, and call anyone who questions that label a troublemaker engaged in sedition.

vas pup April 7, 2017 12:22 PM

@Albert:
“A better question might be, “Why convince the public of an attribution?”

What purpose does it serve?”
I guess to justify retaliation-type actions, for the image needed for the next election (inside the country) and outside the country: you are not the aggressor, just the defender.

ab praeceptis April 7, 2017 12:29 PM

Frankly, as far as the united states of a part of a part or America (aka “usa”) is concerned that whole discussion is moot.

Simple reason: This discussion is based on a false premise, namely on assuming that correct attribution was necessary for a punitive response.

That is not the case. That may be true for law-abiding states but not for washington.

And we have proof. Just today the us-american war machine attacked Syria based on utter lies – well noted, lies that were already proven (it was proven that the Assad government did not use poisonous gas; even more it was proven that there was no gas attack at all and that the “attack” was staged – and with highly probable support by cia).

As for the rest, the whole problem is a non-problem insofar as both the protocols (particularly UDP) and the infrastructure have been designed in a way that allows spoofing.

John Galt April 7, 2017 12:29 PM

@ Schneier

I think this is the first public admission that we spy on foreign governments’ cyberwarriors for defensive purposes. He’s right: being able to spy on the attackers’ networks and see what they’re doing before they do it is a very useful capability. It’s something that was first exposed by the Snowden documents: that the NSA spies on enemy networks for defensive purposes.

Gee… I wonder who sends all those Viagra spam emails????

(Symbolism of “viagra” is “phallus”… a classic taunt in ancient warcraft. Remember the movie Braveheart when everyone raised their kilts?)

Reinstate the Posse Comitatus Act.

They are practicing on us!! That’s treason (including state governments). If they are attacking YOU (not the state)… technically, I guess it’s not treason. It’s treachery.

Maybe we should just disband the CIA and NSA. Let them go back to looking like Inspector Clouseau … a form of spying that will actually result in better intel.)

Today, they rob banks… Arm police with tanks and flamethrowers… and grant licenses to TSA perverts to fondle your phallus at the airport.

Dirk Praet April 7, 2017 1:01 PM

@ Bruce

How do you convince the public of an attribution when you can’t present the evidence?

You may wish to revisit some of the past exchanges about attribution @Clive and myself had with @Skeptical and some other people. Like @Gustin said above: “The (public) attribution of cyberattacks is purely ‘trust us'”.

@Clive and myself maintain that attribution can be manipulated – and for which there is ample proof – and that we have simply no reason to believe known liars who in the past already have led nations to war based on false evidence. For better or for worse, the credibility of the US IC and its paymasters on today’s international stage is zero.

While @Skeptical makes a valid point that private companies like Crowdstrike and Fireeye have little reason to stake their reputations on false attributions, they are known for their ties to government and IC, and neither are they infallible.

To cut a long story short: nobody in his right mind expects governments to burn sources and methods by going public with attribution evidence. The only acceptable compromise from where I’m sitting is to take any evidence to a UN or similar international body, present it behind closed doors, and then I’ll consider going with their informed opinion.

John Galt April 7, 2017 3:38 PM

@ Dirk

While @Skeptical makes a valid point that private companies like Crowdstrike and Fireeye have little reason to stake their reputations on false attributions, they are known for their ties to government and IC, and neither are they infallible.

The intel community is full of born liars. And, then, they get training.

C-strike and F-eye aren’t worried about their reputations.

Why?

They get paid whatever the market will bear when someone needs them to lie.

SOLD!

My Info April 7, 2017 3:59 PM

“Hand-to-hand” combat …

… as opposed to just another automated attack converting the target’s system into a drone for a Bitcoin-mining botnet.

John Galt April 7, 2017 5:22 PM

@ My info

[[[ “Hand-to-hand” combat …
… as opposed to just another automated attack converting the target’s system into a drone for a Bitcoin-mining botnet.]]]

“Hand to Hand combat….”

NSA statements remind me of Hannity and others regurgitating the line that the NSA and CIA “risk their lives to keep our country safe.”

LOL

The rogue hackers featured on Wikileaks have never fired a weapon and sit in front of computer screens and keyboards all day. The other half of them play video games while sending drones after anything that moves on the ground.

gordo April 7, 2017 7:13 PM

In the “Hand-to-Hand” article cited/linked-to above:

Ledgett said he is concerned that the private sector will not be able to defend itself without greater intelligence being shared from places like the NSA. “We need to figure out, how do we leverage the private sector in a way that equips them with information that we have to make that a fair fight between them and the attacker?” he said.

Mr. Ledgett seems to be describing a VEP for TTPs. I think the better question, as with the VEP, is not necessarily how, but when.

Then again, … https://www.schneier.com/blog/archives/2017/03/security_orches.html

David Henderson April 7, 2017 9:17 PM

@ab praeceptis
“it was proven that there was no gas attack at all ”

The proof is the photo of responders handling the dead children (sarin victims?) with their bare hands.

Whoever published these photos as “proof” did not use much expertise. Sarin will penetrate bare skin.

ab praeceptis April 7, 2017 10:21 PM

David Henderson

Indeed. And one of the “dead” children, a girl, even opened her eyes again.

Miracles all over the place …

Bf skinner April 8, 2017 9:10 AM

So…ALLIES are good to have and an US first screw everyone else policy makes us weaker.

XCX April 8, 2017 10:54 AM

ab praeceptis:

“..even more it was proven that there was no gas attack at all and that the ‘attack’ was staged – and with highly probable support by cia).”

At least in respect to the Ghouta attack, there are serious doubts about the responsibility of the Syrian government. The skeptics include Pulitzer Prize-winning journalist Seymour Hersh.

“In 2014, investigative journalist Seymour Hersh reported on opposition forces’ ability to use chemical weapons. In an article for the ‘London Review of Books,’ Hersh obtained documents from the Defense Intelligence Agency (DIA), the Pentagon’s own spy organization. They suggested that the Nusra Front, a Syrian offshoot of al Qaeda, had access to the sarin nerve agent. A chemical weapons attack on the Damascus suburb of Ghouta in August 2013, which was blamed on Assad, was carried out by rebels, according to Hersh’s article. They wanted Washington to presume Assad had crossed Obama’s ‘red line’ and draw the US into a war. […]
Obama’s Director of National Intelligence at the time, James Clapper, was able to dissuade Obama from ordering a cruise missile strike, according to a newly-published book by Mideast expert Michael Lüders. Presumably, a deciding factor was an analysis of the chemical weapons used in Ghouta, conducted by a British military lab, which found the gas to be of a different composition than the Syrian army possessed.”
http://www.dw.com/en/is-assad-to-blame-for-the-chemical-weapons-attack-in-syria/a-38330217

I don’t know if that’s true, but it seems to be possible at least. And if it is actually true, it implies that western governments are lying again in order to legitimize another war.

ab praeceptis April 8, 2017 1:14 PM

XCX

That’s not even the question. After all, it is not the accused who has to prove innocence but it is the accuser who has to prove guilt.

Of course, since the powell show at the un, anything and everything any politician in washington utters has to be assumed being a lie.

The decisive point is simple: Can the US prove the alleged gas attack, as well as Assad’s troops being the guilty party?

No, they did not and they cannot.

Ergo the attack on Syria is simply an illegal criminal act of war (i.e. yet another point in a series of crimes).

XCX April 8, 2017 4:50 PM

“He is however a Google cheerleader…Bruce will never criticize Google because that will be the end of his Google invites.”

Are you sure you’re doing full justice to Bruce?

I remember that he has posted, quoted and linked several rather critical articles about Google. For example, have a look here:

https://www.schneier.com/blog/archives/2014/05/fearing_google.html
https://www.schneier.com/blog/archives/2016/11/google_linking_.html
https://www.schneier.com/blog/archives/2014/04/is_google_too_b.html
https://www.schneier.com/blog/archives/2014/05/correspondence_.html

“Now, for those of us who are digital privacy minded, does it really matter whether it is Google retaining our most private information -even if you don’t have a Google account- or the NSA doing the same?”

I guess it’s easier to hide from Google than from NSA. You can do this:

  • Always use a dynamic IP or change your IP very often (if you can).
  • Delete all your browsing cookies routinely, or even better: always browse in private mode.
  • Have a tracking blocker.
  • Use a VPN or, for very sensitive information, Tor (or a combination).
  • If you mistrust Google deeply, use an anonymous search engine like Ixquick or DuckDuckGo (to my knowledge, they are based on Google search, but respect your privacy).

If you do all that (and it’s not too hard to do), Google will probably have a hard time tracking you down. Personally, I’m clearly more concerned about governments than about Google.

Moderator April 8, 2017 5:07 PM

@What about Google’s cheerleader? Please leave and don’t come back, under this handle or any other.

Dave April 9, 2017 11:23 AM

Just a few observations from this aged brain:
There is a marked inflation of trust in parallel with inflation of money.
I think that we are in serious hyperinflation of trust.
The panopticon model being foisted on us everywhere assumes the absence of trust, except in the overseer to higher-ups, whereupon the panopticon breaks, presumably. A hierarchy of panopticons would be ridiculously unstable, and a federation of them equally so.
Trust, after all, is security.
The blind leading the blind make better rulers than the untrustable leading the untrusted.

-. .- …-. .

Mark April 9, 2017 6:06 PM

“hand-to-hand” combat. What a joke. Does anyone take anything seriously that comes out of the US government?

The NSA nerds? Yeah, right.

Nick P April 9, 2017 9:03 PM

@ Mark

Yeah, it’s more like chess, poker, or an RTS game. Nothing like hand-to-hand, where your mind and body go through pain and take damage with each event that can shut it down. They probably don’t do kickboxing or Krav lol…

My Info April 9, 2017 9:51 PM

@Mark

“hand-to-hand” combat. What a joke. Does anyone take anything seriously that comes out of the US government?

The NSA nerds? Yeah, right.

Oh, please don’t pick on the government nerds and affirmative action quota queens 😉

Just wait till you find the guy who hacked your wife’s smartphone for LOVEINT.

TM April 10, 2017 4:21 AM

I find both the post and the comment section troubling. “Hand to hand combat”, really? Isn’t it obvious this is just self-congratulatory propaganda? Or to put it differently, what actual information content is in that article? I’d say practically none. Btw even the date of the alleged incident seems to be in dispute – Ledgett says it was in 2015 but it was “clarified” to have been in 2014.

John Kelsey April 10, 2017 3:04 PM

Assuming the claims are correct, describing how NSA got attribution on this attack completely burned their methods of doing it next time. That’s the sort of thing they can’t afford to do very often. And even so, there’s no way for me or any other outsider to know for sure that they’re telling the truth, or what information is being omitted that might change the picture.

There’s probably no other way for this to work w.r.t. the public. Lying is a pretty fundamental part of spying, just like it is for diplomacy, war, and politics.

mostly harmful April 11, 2017 5:51 AM

@Dirk Praet

To cut a long story short: nobody in his right mind expects governments to burn sources and methods by going public with attribution evidence.

This assertion of yours has rankled in me for a few days. What sort of accounting method are you endorsing, which requires that such assets must never be spent?

Can you explain why it is that you feel so strongly that such an accounting method is one that “nobody in his right mind” could question?

As a counterpoint, I think Yasha Levine’s thoughts on the matter in this interview are as well-expressed as any: Russian Hacking: Is The Cyber-Attribution Industry A Racket? With Yasha Levine (interviewed by Michael Tracey) [1 hour 15 minutes] https://www.youtube.com/watch?v=Ry5y1AVMpXI

[Transcribed below, the portion from 1:10:48 to 1:15:00]

YASHA LEVINE: […]If we’re going to accuse Russia or any other country of hacking American elections and throwing an election in favor of some candidate… I mean this is a really serious allegation; it basically undermines the entire democratic system on which America is built.

I mean, this is an extraordinary accusation that requires extraordinary openness of evidence, right? And [it calls for] a public airing of everything–of all the evidence that our law enforcement agencies and intelligence agencies have, and it needs to be public, it needs to be discussed in an open manner, with the people of America, with Americans.

You can’t just, it can’t be decided by a couple of private cybersecurity firms and it can’t be—

MICHAEL TRACEY: They essentially privatised the evidence right? because it’s not even clear that Crowdstrike turned over the forensic evidence to the FBI, so if they’re in sole possession of it, it’s not available to be examined in an open forum.

YL: Clapper said that he cannot provide more evidence because it will endanger lives. And the thing is, well you know what? if it endangers lives, then it’s gotta endanger lives. Because lives are endangered every day, right? And they’re taken every day.

Now, but the claim here is that another country interfered in the electoral process of America, and basically changed the course of an election to benefit its own interests. So the president, the sitting president, is an illegitimate president. It’s basically a coup, a soft coup, is what they’re saying Russia pulled off.

And if a soft coup is not enough of a reason to endanger some lives—because you might have some sources that are well-placed in Russian intelligence, or wherever, that are well placed and that are feeding you information, and if you expose them, expose the information [they provided you with], they’ll probably be killed or whatever,…

I mean…

MT: What *would* be the grounds for doing that, you know?

YL: There are no grounds, then. It means you can never endanger lives. I mean only, I guess, maybe if there’s an alien attack on Earth and we’re all at risk of being polarised by some kind of alien weapon then maybe we can disclose our sources. I mean, it’s insane, and so this makes me think that it’s all bullshit.

I started out actually giving these claims the benefit of the doubt, six months ago, when some of this stuff started surfacing. And with every day that passes, I believe it less and less and less, to the point where now I don’t believe it at all.

Because there has not been a shred of evidence that I have seen that shows Russia interfered and hacked anything. In fact, all the evidence that has been shown has been very… It’s not hard evidence.

It only convinces people who want to be convinced, and aren’t really reading deeply into the actual evidence, who aren’t looking closely at what is actually being offered to support these claims.

MT: So you’re at a point now where you view the entire narrative as bullshit. You don’t believe in the prevailing theory.

But we have now in the US, politicians just by rote, it seems, just state now as if its uncontested truth, that Russia hacked the election. It’s being presented as if there is no longer any doubt, and to harbor doubt is [itself] discrediting.

YL: Well, yeah. To harbor doubt is to be a useful idiot, to be essentially an unwitting Kremlin dupe, and an agent. […]

Levine then goes on to discuss Thomas Rid’s recent US Senate testimony, which he characterises as featuring the brazen assertion that journalists who do their jobs faithfully, and inform the public about documents on Wikileaks, are “Kremlin dupes”.

Dirk Praet April 11, 2017 9:46 AM

@ mostly harmful

Can you explain why it is that you feel so strongly that such an accounting method is one that “nobody in his right mind” could question?

Because it is a method that would inevitably compromise assets and resources that may also have quite legitimate purposes, and in the case of human operatives may put people (and their families) in harm’s way. Quite frankly, I do not think of IC operatives or military personnel as disposable assets you just throw away when for some political reason it is convenient. That’s not what they signed up for, however questionable sometimes the motives of their paymasters or the actions they participated in. The average field operator is a person who is genuinely convinced he or she is serving his/her country, and as such deserves a high level of protection.

Such practices would be the exact opposite of the “just take our word for it” method we are getting today from known liars, directly implicated folks or entities with known ties to implicated parties. Neither works. Which is why my personal preference goes to a middle way in which any evidence can be investigated indoors by a trusted commission of politicians and independent subject matter experts. If it is no longer possible to set up such a commission that has broad popular trust and support, then you no longer have a functional democracy, and a much bigger problem to deal with.

mostly harmful April 11, 2017 5:44 PM

@Dirk Praet

Thank you for the lucid explanation of your position.

Quite frankly, I do not think of IC operatives or military personnel as disposable assets you just throw away when for some political reason it is convenient.

Of course you don’t. Neither do I.

But, for one thing, I notice that you talk about whether it is good to “throw away” assets. This sidesteps a question I meant to direct attention towards: whether it might not be worth spending valuable assets to (re)gain something else, perhaps something of even greater value which is manifestly in short supply. Namely, public trust.

Also, I expect you will agree that a certain degree of public trust in governing institutions is not merely a “convenience”, but rather a necessity. Which reminds me of something I read once:

It is wisdom to recognize necessity, when all other courses have been weighed, though as folly it may appear to those who cling to false hope.

Anyways, you continue:

[Laying out the evidence on the table in the open] would be the exact opposite of the “just take our word for it” method we are getting today from known liars, directly implicated folks or entities with known ties to implicated parties. Neither works.

Speaking of things that don’t work, you forgot to mention torturers, and advocates for torture. Hence, war criminals. (I’m looking directly at you, John O. Brennan.)

But yeah, we both agree that “just take our word for it” does not work.

Transparency, on the other hand… Why do you assert transparency doesn’t “work”? It is not free of cost, but saying it doesn’t “work” is so odd and seemingly unsupportable, I wonder if I have here severely misunderstood you somehow.

Which is why my personal preference goes to a middle way in which any evidence can be investigated indoors by a trusted commission of politicians and independent subject matter experts. If it is no longer possible to set up such a commission that has broad popular trust and support, then you no longer have a functional democracy, and a much bigger problem to deal with.

Indeed. Good thing the US has a functioning democracy.

Whoa, hold on a minute. This just in:

http://www.spiegel.de/politik/ausland/nsa-affaere-jimmy-carter-kritisiert-usa-a-911589.html

Former US President Jimmy Carter has sharply criticized the American political system in the wake of the NSA surveillance scandal. “America currently has no functioning democracy,” Carter said on Tuesday at an event of the “Atlantik-Brücke” in Atlanta.

My German is terrible. But that doesn’t sound good. If I’m not mistaken, it quotes former-president-of-the-US Jimmy Carter as saying “America has no functioning democracy nowadays.”

But, you know, that’s just, like, his opinion, man.

Testing Theories of American Politics: Elites, Interest Groups, and Average Citizens | Perspectives on Politics | Cambridge Core https://www.cambridge.org/core/journals/perspectives-on-politics/article/testing-theories-of-american-politics-elites-interest-groups-and-average-citizens/62327F513959D0A304D4893B382B992B

What do our findings say about democracy in America? They certainly constitute troubling news for advocates of “populistic” democracy, who want governments to respond primarily or exclusively to the policy preferences of their citizens. In the United States, our findings indicate, the majority does not rule—at least not in the causal sense of actually determining policy outcomes. When a majority of citizens disagrees with economic elites or with organized interests, they generally lose. Moreover, because of the strong status quo bias built into the U.S. political system, even when fairly large majorities of Americans favor policy change, they generally do not get it.

Clive Robinson April 11, 2017 9:57 PM

@ mostly harmful,

… whether it might not be worth spending valuable assets to (re)gain something else, perhaps something of even greater value which is manifestly in short supply.

How do you value what an asset is worth?

For instance, let’s say you “burn” an asset for what most would regard as “political posturing” (think the second “underpants bomber”, who was a UK asset the US burnt for exactly that reason). What, as an asset handling officer in the IC, do you say to your other existing assets, and how do you expect to get future assets?

The US has, since the time of Ike and for mainly political reasons, not fostered human assets / agents / boots on the ground, instead preferring to go down the technical intelligence route via satellites and the likes of “Rivet Joint” and Signals Intelligence ships.

There is a price to be paid for this, in that “technical” solutions have a number of limitations: your targets of interest need to be visible from space, or have a discernible electronic footprint. One problem with the latter is Hellfire missiles as uninvited guests at weddings etc. causing target-unrelated death, destruction and carnage, which end up as “recruiting tools” to swell the ranks of the target or those of similar disposition.

It has also been indicated that one of the reasons Osama Bin Laden stayed at large for so long is that after an opponent to Russia had a retuned anti-radar missile fly “down the beam” of the satellite phone they were using Osama rapidly ditched his electronic footprint.

Human intelligence, however, gives a lot that technical intelligence gathering methods cannot. This became clear with the capture of Saddam Hussein, who likewise had adopted a reduced/no electronic footprint after the invasion of Iraq.

To run human assets needs boots on the ground, which involves political risk not just abroad but at home as well. There are still quite a few politicos that lived through the late 60’s and 70’s, when the nightly news footage from Vietnam caused so many issues, which made the problems of the downing of a U2 seem almost negligible.

Clive Robinson April 11, 2017 11:34 PM

@ Bruce,

… being able to spy on the attackers’ networks and see what they’re doing before they do it is a very useful capability.

This is not a “defensive” but “offensive” capability.

You have to take a good look at the elephant in the room, of how they identified those networks and got into them prior to the attacks happening.

Whilst it was GCHQ, not the NSA, that were “looking in” originally, you have to bear in mind the principle of “the fruit of the poisoned vine”. If more than one SigInt agency was already in, you have to ask yourself were there any others, and how can you be certain?

Put simply you “Can not prove a negative” but it’s a little less esoteric. It’s been said for some time now that in the real world only three numbers have meaning and they are zero, one and infinity.

In this case that is for any network there can be zero intruders, just one intruder or any number of intruders.

Thus if you know of one intruder, then from an evidentiary point of view you have to assume there is always at least another one you have to account for, and this is a game of “turtles all the way down”.

Another problem is that with the way the Internet and lower (layer 0) protocols work, you have no way of knowing if what you are seeing is what is actually happening, because of the “next node” issue, which is yet again a game of “turtles all the way down”.

Further is the issue of “ducks and geese”, “just because something looks like a duck, waddles like a duck and quacks like a duck, it is not wise to assume it’s a duck and not a goose”. The fact you think you are in a computer of type XXX belonging to YYY is a case of quacking and waddling, not DNA level verification.

And this is the main point people either don’t know, or forget or don’t wish to acknowledge about the difference between tangible physical objects and intangible information objects. With physical things you can with sufficient testing verify something is unique thus suitable for consideration as evidence, you can in no way show information is unique, even though it may be impressed/modulated onto a physical object.

Whilst information is the target for espionage, and can be used for the producing of intelligence reports, it’s never treated as evidence in the judicial sense of “beyond reasonable doubt” because of the duplication and verification issues. At best information is a “balance of probability”, but would still fail on the “hearsay” principle, again due to the issues of duplication and verification.

Currently the law turns a blind eye to the information issue in a couple of ways. Firstly, by showing that a suspect had the information on a physical object that is now held as evidence. Secondly, by the sworn statement of a person present at the location when the audio/video/etc. information was recorded and who had first-hand knowledge. Part of this is the demonstration that the suspect or the witness, not a third party, was responsible for the information under consideration.

None of the supposed evidence of the hacking above passes any of the requirements, because there is no physical object which was in the alleged suspect’s possession, nor was a witness present at the location to testify to its veracity, nor is there any way to show that a third party was not producing the information.

These are fundamental problems with information, as it is contextless and intangible, thus completely unsuitable as evidence as we currently understand it.

Further, we now know from the recent WikiLeaks dumps of information that someone presumed to be working for a US IC has at some point in the past developed tools to obfuscate or fabricate misleading or false information for the purposes of misleading others who might treat the information as evidence. Which raises two questions: firstly, when did they start making such tools, and more importantly, what are their capabilities at generating false evidence currently?

I know people say “attribution is hard”, but that is in itself a false statement, because at any evidentiary level currently “attribution is impossible”.

I know this is not what most people want to hear as they are in “golden goose egg” thinking mode. But unless people start facing up to the reality of the situation things will potentially go from saber rattling to full on kinetic. Which as we have seen with information in the form of “meta data” and resulting drone strikes is going to get a lot of innocent people hurt or dead, which will have blowback.

Dirk Praet April 12, 2017 2:38 AM

@ mostly harmful

Transparency, on the other hand… Why do you assert transparency doesn’t “work”?

I do believe in transparency, just not the extreme kind you end up shooting yourself or others in the foot with. It’s not any different than in responsible disclosure of software vulnerabilities, or Wikileaks and other parties redacting and anonymizing large parts of leaked documents. Or keeping the door to the bathroom and the bedroom closed while everybody actually knows what you’re doing there.

Which is not to say that sometimes it might become necessary when trust has been eroded to the point that no one is believing you anymore. I’m quite aware of Carter’s statements on the state of US democracy. The question is to which point a decisive part of the American people have recently voted for folks who are willing and able to change that.

Sancho_P April 12, 2017 5:51 PM

@Clive Robinson, re @Bruce’s ”attribution is not hard”

Thank you!
(although I’m afraid it’s lost, for whatever reason)

He probably wanted to say: To blame someone isn’t hard 😉

gordo April 21, 2017 7:55 PM

From the “hand-to-hand” quote that started off this thread:

Ledgett said the attackers’ thrust-and-parry moves inside the network while defenders were trying to kick them out amounted to “a new level of interaction between a cyber attacker and a defender.”

NSA wants to hire hackers
NSA Director Keith Alexander came to hacker gathering DefCon for the first time to recruit from the show’s ranks.
By Stacy Cowley | CNN Money | July 29, 2012

The NSA is especially keen to draw in people like those holed up in a conference room just 20 feet away from Alexander’s presentation, hunched over laptops and takeout cartons. They’re competitors in Defcon’s “Capture the Flag” battle, a kind of geek Olympics.

http://money.cnn.com/2012/07/27/technology/defcon-nsa/index.htm

Speaking of offense, the following seems a reasonable description:

[T]he nature of the cyber domain is that attackers have shaky positions on constantly changing networks. So in order to “persist” in any given cyber system, they have to penetrate it quite deeply and in many diverse ways. In a sense, they must create “offense in depth” in order to stay in position, because getting that first foothold is the most expensive and difficult part. The result is that no team worth its salt ever wants to get kicked out because they were too tentative with where they placed their implants. – Dave Aitel

https://www.lawfareblog.com/decreasing-systemic-risk

That may explain Mr. Ledgett describing “a new level of interaction” he recollected as having occurred in 2015:

https://www.theregister.co.uk/2015/02/20/state_department_hackers_still_inside_after_three_months_report/
