Can National Security Be Outsourced ?

_{Pic courtesy: Wikimedia.org}

As a taxpayer shouldn’t we pay the entire defence budget to the USA or Russia to defend our borders? Now that should save the national exchequer all the financial woes of OROP and in one fell swoop do away with corruption in arms sales. Can national security be outsourced ? Now this is a fundamental question which the western world learned decisively when the Roman empire collapsed. The Romans who had reached the zenith of human civilisation for that time became too indolent and started outsourcing the hard work of soldiering to the slaves. The result was a spectacular failure of an empire at its zenith which had taken centuries to buildup as the slaves took over.

The West had learned its lessons. All western countries are basically security states where all actions are dictated by supreme national interests. China too was a country built by a military genius Mao Zedong and all these countries pursue policies and take actions where their security is paramount. All policy initiatives are subservient to the security interests of the nation. India on the other hand had an elite who inherited freedom and truly believed in its initial years that it was a moral triumph of the freedom struggle wherein the British was forced to with draw. For those still believing in ‘Moral Triumph’, one need to look no further than the Apartheid regime in South Africa which was backed by the West till the early 90’s a good 4 and half decades after our Independence.

All actions of nations are dictated by their supreme national interests, and the Indian nation has slowly and painfully learned a lot of lessons and continue to learn the hard facts of the world that nuclear weapons and a 40 billion USD budget are not able to guarantee the security of its citizenry. Now I leave it to wiser minds and greyer hair than mine to evaluate the options in the physical world. The cyber domain is a field that needs younger minds and fresher ideas. I say this because other than being reactive and getting driven into a fait accompli our boffins have not done justice to this nation and its potential. I am pasting a para from the Wikipedia on safe harbour to elaborate:-

Safe Harbour
In 1980, the OECD issued recommendations for protection of personal data in the form of 7 principles. These were non-binding and in 1995, the European Union (EU) enacted a law to protect personal data privacy in form of the Data Protection Directive.

According to the Data Protection Directive, companies operating in the European Union are not permitted to send personal data to “third countries” outside the European Economic Area, unless they guarantee adequate levels of protection, “the data subject himself agrees to the transfer” or “if Binding corporate rules or Standard Contractual Clauses have been authorised.” The latter means that privacy protection can be at an organizational level, where a multinational organization produces and documents its internal controls on personal data or they can be at the level of a country if its laws are considered to offer protection equal to the EU.

The Safe Harbour Privacy Principles were developed between 1998-2000. They were designed to prevent private organizations within the European Union or United States which store customer data from accidentally disclosing or losing personal information. US companies could opt into a program and be certified if they adhered to seven principles and 15 frequently asked questions and answers per the Directive. In July 2000, the European Commission (EC) decided that US companies complying with the principles and registering their certification that they met the EU requirements, the so-called “safe harbour scheme”, were allowed to transfer data from the EU to the US. This is referred to as the Safe Harbour Decision.

On 6 October 2015, the European Court of Justice invalidated the EC’s Safe Harbour Decision, because “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life”

Our cyber laws and lack of privacy laws, have they come about keeping national security and national interests in mind? With the present government determined and going full hog to ensure that we take advantage of Info Tech to deliver good governance and economic growth, where are our legislative and policy initiatives to secure our national interests. Stories like the one below I have appended are basically psychological operations of the pre eminent cyber power who controls cyber space by its MNC’s and alliance with other nations to fool the rest.

Cyber space can be defended only by indigenous technology the expertise for which lie in the private industry, all training, patches, updates have no meaning if the legal writ of the nation with the necessary military heft to back it up does not run in the domain. If all constitutional posts, armed forces and civil servants which make the nation run are not Indian citizens with absolute loyalty and interests in the nation these cannot be trusted and will undermine you, this is the precise reason the Constitution mandates these. The Snowden revelations are the proof. Confusing these by bringing in specious arguments like technology, competence, our outsourcing industry etc are missing the wood for the trees.

Frame the policies and the legislative initiatives now or be prepared for history to condemn you as having slept on your watch is the only message I can convey with due humility and respect to our political and security elite. The industry bodies whose commercial interests are aligned with American interests will kick and scream, lots of uninformed well intentioned citizens will protest, but can we write off the security and economic interests of this nation for such small discomforts ? The citizens of Syria who are now refugees in Europe would have never dreamt 10 years back that their women would be sold as slaves in the 21st century in a globalised world. Syria as a nation was much moreindustrialised in comparison to India.

To those that still don’t see any national security issues in present status quo, I can only quote another man Muhammed Shah Rangeela in another time who said ‘ Hanooz dilli door ast’..

NSA’s top hacking boss explains how to protect your network from his attack squads

Rare public appearance from Tailored Access Operations leader

28 Jan 2016 at 04:06, Iain Thomson
Usenix Enigma The United States National Security Agency (NSA) is a notoriously secretive organization, but the head of its elite Tailored Access Operations (TAO) hacking team has appeared at Usenix’s Enigma conference to tell the assembled security experts how to make his life difficult.

Rob Joyce has spent over a quarter of a century at No Such Agency and in 2013 he became head of TAO, with responsibility for breaking into non-US computer networks run by overseas companies and governments. Joyce’s presentation on network security at the event boiled down to one piece of advice.

“If you really want to protect your network you have to know your network, including all the devices and technology in it,” he said. “In many cases we know networks better than the people who designed and run them.”

NSA tiger teams follow a six-stage process when attempting to crack a target, he explained. These are reconnaissance, initial exploitation, establish persistence, install tools, move laterally, and then collect, exfiltrate and exploit the data.

During the reconnaissance phase agents examine a network electronically and, in some cases, physically. They work out who the key personnel are, what email accounts matter, how far the network extends, and maintain constant surveillance until they can find a way in.

“We need that first crack and we’ll look and look to find it,” he said. “There’s a reason its called and advanced persistent threat; we’ll poke and poke and wait and wait until we get in.”

The goal is to find weak points, whether they be within the network architecture, or in staff who maybe work from home or bring in unauthorized devices. There’s also areas where the target network interconnects with other computer systems, like heating and ventilation controllers, which can be useful for an attack.

Companies need to pay particular attention to cloud providers, he said. Once you use a cloud company you are essentially handing your data over to them and relying on their security, so he warned due diligence is even more important than usual.

For the initial exploitation phase the key attack vectors are malware attachments in email, injection attacks from websites, and removable media – the latter being particularly useful for penetrating air-gapped systems that aren’t even on the network; Iran found that out the hard way with Stuxnet.

Another common attack vector is common vulnerabilities and exposures (CVEs) that haven’t been patched, he said. Companies need to make automatic patching the norm to protect themselves against nation-state hackers he warned. As for zero-day flaws, he said they are overrated.

“A lot of people think that nation states are running their operations on zero days, but it’s not that common,” he said. “For big corporate networks persistence and focus will get you in without a zero day; there are so many more vectors that are easier, less risky, and more productive.”

As for the NSA’s own collection of zero-day exploits, Joyce said that in fact the agency had very few and each new one was discovered was evaluated by an outside committee to see when software manufacturers should be informed to build a patch. The NSA doesn’t have the final decision on this, he claimed.

To protect against this admins need to lock things down as far as possible; whitelisting apps, locking down permissions, and patching as soon as possible, and use reputation management. If a seemingly legitimate user is displaying abnormal behavior, like accessing network data for the first time, chances are they have been compromised, he said.

Reputation-based tools are particularly useful against malware, Joyce explained. Signature-based antivirus won’t protect you against a unique piece of attack code, but when used in conjunction with reputation databases it can be effective – if code or a domain hasn’t been seen before there’s a high chance it’s dodgy.

It’s amazing how often simple issues come up and allow access to target networks, he explained. Things like administrator credentials being left embedded in scripts, how many networks are unsegmented, and how often suspicious activity reported in network logs got missed.

He cited cases where NSA hackers have performed penetration testing, issued a report on vulnerabilities, and then when they go back two years later to test again found the same problems had not been fixed. When the NSA hacking squad comes back, he said, the first thing they do is investigate previously reported flaws and it’s amazing how many remain un-patched even after the earlier warning.

Once inside a network, the next stage is to establish persistence, primarily by establishing software run lines or subverting other applications. Application whitelisting is key to locking down this phase of an attack he said.

Next step: harvesting your data and sneaking it out of the building

Next the attacker needs to install tools to exploit the network and harvest its data. The first software in the attacker’s toolkit are beacon code that calls out for more hardcore tools. IT managers need to watch out for these in server logs and carefully scrutinise domains being visited and network traffic for warning signs.

With access and the tools to do the job the next stage is to move laterally within the network to get the target information. Admins can protect against this by locking down portions of the network holding sensitive data and by carefully managing who has access.

This includes not just making sure that individuals can’t get into certain network areas, but also considering where they are and what device they are using. A heavily protected network is useless if you’re allowing an employee to bring their insecure home laptop into work – bring-your-own-device firms need to beware he warned.

Finally a nation-state hacker needs to collect, exfiltrate and exploit the data without being spotted. Network segmentation is key here, as is constant monitoring and checking of network logs, to make sure an attacker can’t get anything out of a network without the loss being noticed, and hopefully blocked.

So too are off-site backups – Saudi Arabia’s Aramco and Sony found this out the hard way he said. Destruction of data is now something nation states are doing and regular backups should be considered a priority he said.

At the end of the day it all boils down to knowing your network, he said, and it’s vital that IT administrators pick up their game and get paranoid about attacks. Joyce’s previous job at the NSA was at the Information Assurance Directorate (IAD), protecting the US national infrastructure against attack and he admitted that thoughts of SCADA vulnerabilities kept him up at night.

+Comment

OK, I know what you’re thinking. This guy is the NSA’s chief hacker and so why should we believe what he’s saying? The agency hasn’t exactly covered itself in glory in the wake of the Snowden disclosures.

But Joyce deserves credit where it’s due: he came to a conference that’s full of people who aren’t exactly fans of the NSA, gave good advice, and stayed on to face sometimes hostile questions from the audience. Some of his talk may be self serving and missing crucial details but almost all of it was useful.

He even had the self awareness to take the piss out of himself. At the end of the presentation he displayed a QR code for attendees to scan for more information, joking that who’d really trust something like that from the NSA.

El Reg asked Joyce about the encryption backdoor question and he came out strongly against borking strong security by the police. It’s clear this guy really does care about security, at least as far as the US is concerned.

Coming to Enigma was a brave move, and his presentation thankfully lacked the bland hand of PR that has marred other NSA speakers at events at Black Hat, RSA, and DEFCON. Take it with a pinch of salt by all means, but there is useful information here, and Joyce comes across as someone who really does know what he’s talking about. ®