Nine Things That Are Poised To Impact Cybersecurity

One important step every business should take to protect its sensitive customer data is to invest in the latest security solutions. This means staying educated and up to date on what technology is available and what it does to keep you safe.

According to members of Forbes Technology Council, here are the next big trends in encryption and cybersecurity that businesses should pay attention to.

1. Biometrics

Biometrics will become a critical part of cybersecurity and encryption going forward because it’s nearly impossible to replicate. – Chalmers Brown, Due

2. IoT Device Security

The next wave of cybersecurity attacks will come from the internet-of-things (IoT) devices like appliances, lights and cameras. These types of devices are cheap, easy to hack, can be found in large numbers and are geographically distributed, making them ideal targets for a hacker to commandeer and launch a distributed-denial-of-service (DDoS) attack on an unsuspecting enterprise. – Mark Benson, Exosite

3. Multi-Factor Authentication And SSO Technologies

Utilize multi-factor authentication and SSO technologies to get a handle on authentication. Integrating this with Hashicorp Vault or an HSM solution can bring about encryption key management, encryption key rotation and administration of all your data. For sensitive information within databases, consider field-level encryption so that even with the breach, any data that is leaked is encrypted. – Venkat Rangan, Clari

4. Decentralization Of Data

Decentralizing data used for authentication is here and doing it for more PII is next. Firms are abandoning storage of biometrics, PINs, and passwords and now secure them on endpoints like mobile devices. Users authenticate on-device and swap public keys with their service provider. This reduces the attack surface, lowers IT costs and gives firms more control than legacy centralized systems. – Bojan Simic, HYPR Corp.

5. Increased Monitoring And Visibility

Highly publicized cyberattacks of the past few years have all had a common thread — no one noticed the issue until it was far too late. From private files left in public cloud storage to intrusions into legacy systems, lack of visibility has been a killer. Attacks are unavoidable, but detailed monitoring and proactive exfiltration scanning can prevent an unnoticed breach from making the news. – Jason Gill, The HOTH

6. Multi-Layered Approaches To Encryption 

In many cases, encryption may be augmented with blockchain technology, which is harder to compromise. The model of distributed data storage, cryptographic security and synchronized validation provides multiple layers of protection that are more secure than simple encryption. Data and storage architectures will need to be re-architected to provide the same levels of usability we have today. – Brian NeSmith, Arctic Wolf

7. Automated Breach Detection

Right now, many companies do penetration testing on their own, and they have logs and may have internal tools to detect breaches. That said, given the frequency of breaches occurring and the amount of time and energy it requires to be on top of them, it’s likely that there are many vendors that will enter this space to offer automated solutions for companies to get help both in finding and preventing breaches. – David Murray,

8. Simplified And Integrated Security Models

Layering reactive, signature-based tools still leaves security gaps. Encryption helps, but it does not solve this problem. First, a new, simplified, integrated model is needed and should focus on internal network, communications and endpoint monitoring. Second, defenders need to move away from the known signatures and IOCs to focus on the core network behaviors that all adversaries engage in. – Joseph Polverari, Versive

9. Blockchain And Mesh Networking

With the rise in popularity of blockchain and decentralized networking, security concerns need to be rethought. It’s true that these technologies decrease centralized attacks, like DDoS. They also essentially eliminate data tampering. That said, the next big security task is protecting data in decentralized environments. The enterprise will no longer own the hardware layer. – Tom Roberto, Core Technology Solutions



APAC is becoming a hotspot for DDoS attacks

The region’s largest and most-connected economies are most vulnerable to distributed denial-of-service attacks, according to CenturyLink.

Some of Asia’s largest and most connected economies are fast becoming hotspots for botnets that have been used to launch distributed denial-of-service (DDoS) attacks across the region in 2017.

According to CenturyLink’s latest cyber threat report, China, South Korea, Japan, India and Hong Kong were the top economies in the region that hosted the most command and control (C2) servers used to amass and control botnets.

The botnets were then used to launch attacks in those places, as well as others such as United States, Germany, Russia and the United Kingdom.

CenturyLink, which tracked an average of 195,000 threats per day impacting an average of 104 million unique targets due to the work of botnets, said geographies with strong or rapidly growing IT networks and infrastructure continue to be the primary source of cyber criminal activity.

“Botnets are one of the foundational tools bad actors rely on to steal sensitive data and launch DDoS attacks,” said Mike Benjamin, head of CenturyLink’s Threat Research Labs. “By analysing global botnet attack trends and methods, we’re better able to anticipate and respond to emerging threats in defence of our own network and those of our customers.”

In April 2017, a cyber crime operation led by Interpol uncovered nearly 9,000 C2 servers in Southeast Asia that were used to compromise some 270 websites, including several government portals that could contain citizens’ personal data. The websites were infected with malware that exploited a vulnerability in web design applications.

“Today, almost every type of online service is at risk for cyber attacks,” said Steve Miller-Jones, senior director of product management at Limelight Networks. “At best, a DDoS attack will cause inconvenience – at worst it can bring down an entire business.”

Low and slow tactics

According to A10 Networks, DDoS tactics are moving beyond request floods designed to bombard and overwhelm infrastructure to include low-bandwidth attacks that target the network or application layer of service providers’ services and their subscribers.

These “low and slow” tactics are generally not detected until well into the attack progression and often enable threat actors to successfully disrupt the targeted service, it added.
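The A10 description above says what makes these attacks hard to see but not how to look for them. The following is an added example, not A10’s or CenturyLink’s code: a per-source heuristic over a snapshot of open connections, as a reverse proxy or load balancer could export it, that flags a client holding many long-lived connections that never finish sending a request. The snapshot, the thresholds and the Conn record layout are constructed assumptions.

```python
"""Flag 'low and slow' HTTP clients from a snapshot of open connections.

Added example (not A10's or CenturyLink's code). Each Conn record is what a
reverse proxy or load balancer could report about one open client connection
at a single instant; the snapshot below is constructed, not captured.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    src_ip: str
    age_s: float             # seconds since the TCP connection was accepted
    bytes_in: int            # request bytes received from the client so far
    headers_complete: bool   # client has sent the blank line that ends the headers


def is_slow_conn(c, min_age_s=30.0, max_bytes_per_s=50.0):
    """A connection is suspect when it has been open for a while, still has not
    delivered a complete request, and trickles bytes far below a real client's rate."""
    return (not c.headers_complete
            and c.age_s >= min_age_s
            and c.bytes_in / c.age_s <= max_bytes_per_s)


def flag_low_and_slow(conns, per_ip_threshold=20, **thresholds):
    """Return {src_ip: count} for sources holding at least per_ip_threshold slow
    connections. The per-IP count separates an attacker from one genuinely slow
    client; a flow-based volumetric detector never sees these, because the
    aggregate bandwidth is tiny."""
    per_ip = defaultdict(int)
    for c in conns:
        if is_slow_conn(c, **thresholds):
            per_ip[c.src_ip] += 1
    return {ip: n for ip, n in per_ip.items() if n >= per_ip_threshold}


def bandwidth_bps_by_ip(conns):
    """Average inbound request bandwidth (bytes/s) per source across the snapshot,
    to show how little traffic the attacking host actually generates."""
    per_ip = defaultdict(float)
    for c in conns:
        per_ip[c.src_ip] += c.bytes_in / c.age_s
    return dict(per_ip)


def sample_snapshot():
    """Constructed snapshot: one attacker holding 40 stalled connections, fifty
    normal short-lived requests, and one slow but legitimate mobile client."""
    conns = []
    for i in range(40):                                   # attacker: ~1 byte/s, headers never finish
        conns.append(Conn("203.0.113.7", 90.0 + i, 100 + i, False))
    for i in range(50):                                   # ordinary clients: fast, complete
        conns.append(Conn(f"198.51.100.{i % 10}", 0.5, 600, True))
    conns.append(Conn("192.0.2.9", 45.0, 200, False))     # slow client, only 2 stalled conns
    conns.append(Conn("192.0.2.9", 50.0, 150, False))
    return conns


if __name__ == "__main__":
    snap = sample_snapshot()
    print("flagged:", flag_low_and_slow(snap))
    print("attacker bandwidth (B/s):", round(bandwidth_bps_by_ip(snap)["203.0.113.7"]))
```

The signal here is connection age and incompleteness, not volume: the attacking host in the sample contributes well under 100 bytes per second, so a detector watching only flow volume will never alert on it. Mobile clients on poor links also stall, which is why the per-IP threshold matters and why the thresholds should be tuned against a baseline of the legitimate client population before alerting.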

A recent Verisign report estimated that 82% of DDoS attacks in the fourth quarter of 2017 were multi-vector rather than using a single vector of attack. At the same time, volumetric attacks are becoming larger, with peaks exceeding 1.7 terabits per second.

“The DDoS landscape has changed and continues to evolve in potency and sophistication,” said Jonathan Tan, A10 Networks’ regional vice president for ASEAN and Pakistan, adding that enterprises must move beyond just flow detection to be able to detect and defend against all types of attacks.



DDoS attacks costing UK firms £35,000 per attack

New research highlights the financial and reputational cost of DDoS attacks.

New research has revealed that DDoS attacks can cost enterprises £35,000 per attack, though lost revenue is only the fourth most damaging consequence of falling victim to this kind of cyber attack.

Corero Network Security surveyed over 300 security professionals across a range of industries such as financial services, cloud, government and more to shed light on the damage that DDoS attacks are causing to organisations worldwide.

Of those surveyed, 91 per cent said that a single DDoS attack can cost their organisation up to $50,000 in terms of lost business, productivity and the cost of mitigating an attack. Additionally, 69 per cent noted that their organisation experiences anywhere from 20 to 50 DDoS attack attempts per month, which is equivalent to roughly one attack per day.

Despite the high cost of dealing with an attack, a vast majority of respondents (78%) cited loss of customer trust and confidence as the single most damaging effect on businesses that have suffered a DDoS attack. The second highest threat was the risk of intellectual property theft, followed by the threat of malware infection associated with a DDoS attack, making lost revenue the fourth most damaging consequence.

Corero Network Security’s CEO, Ashley Stephenson offered further insight on the research, saying:

“DDoS attacks can have an immediate and damaging impact on a company’s bottom line, both in terms of lost revenue and the costs incurred in terms of manpower required to mitigate attacks. Not all DDoS attacks will cost an organisation $50,000, but having your website taken offline can damage customer trust and confidence. It will also impact the ability of sales teams to acquire new customers in increasingly competitive markets. These attacks cause lasting damage to a company’s reputation and could have negative consequences for customer loyalty, churn and corporate profits.”

The organisation’s research also pointed out that cybercriminals have begun to use DDoS attacks as a distraction for more serious network incursions, with 85 per cent of those surveyed believing that DDoS attacks are often used by attackers as a precursor to data breach activity.



Botnets present 195,000 security threats every day

Botnets, networks of infected machines that cybercriminals everywhere use to do their sinister bidding, are still a huge threat, and everyone should be paying much more attention to them.

The latest research from the CenturyLink Threat Research Lab says that last year there were roughly 195,000 threats every day, impacting more than 100 million unique targets.

The US, Russia, China, Brazil and Ukraine are the countries most mentioned in the report, from different perspectives. These are countries with strong or rapidly growing IT networks and infrastructure, which makes them both the source and the target of most cybercriminal activity: most victims are located in these countries, as are most command and control servers.

The report also says that the Mirai botnet was unfairly being treated in the media as the most dangerous one – it’s actually Gafgyt that affected more victims and had “noticeably” longer attack durations.

“Botnets are one of the foundational tools bad actors rely on to steal sensitive data and launch DDoS attacks,” said Mike Benjamin, head of CenturyLink’s Threat Research Labs. “By analysing global botnet attack trends and methods, we’re better able to anticipate and respond to emerging threats in defence of our own network and those of our customers.”



What Security Risks Should MSPs Expect in 2018

As IT operations are becoming more complex and require both advanced infrastructure and security expertise to increase the overall security posture of the organization, the managed service provider (MSP) industry is gaining more traction and popularity.

Estimated to grow from USD $152.45 billion in 2017 to USD $257.84 billion by 2022, at a CAGR of 11.1%, the MSP industry offers greater scalability and agility to organizations that have budget constraints and opt for a cloud-based IT deployment model.

“The cloud-based technology is the fastest-growing deployment type in the managed services market and is expected to grow at the highest CAGR during the forecast period from 2017 to 2022,” according to ResearchandMarkets. “IT budget constraints for installation and implementation of required hardware and software, limited IT support to manage and support managed services, and need for greater scalability are major factors that are likely to drive the adoption of cloud managed services in the coming years. The cloud-based deployment model offers higher agility than the on-premises deployment model.”

However, MSPs are expected to also become more targeted by threat actors than in the past. Supply chain attacks are becoming a common practice, as large organizations have stronger perimeter defenses that increase the cost of attack, turning MSPs into “low-hanging fruit” that could provide access into infrastructures belonging to more than one victim. In other words, MSPs hold the keys to the kingdom.

Since MSPs are expected to provide around-the-clock security monitoring, evaluation and response to security alerts, they also need to triage those alerts and escalate scarce resources only for advanced threats.

1. Wormable military-grade cyber weapons

Leveraging leaked exploits for zero-day or unpatched vulnerabilities in either operating systems or commonly deployed applications, threat actors could make WannaCry-style incidents a common occurrence. As similarly behaving threats spread across infrastructures and Internet-connected endpoints, both physical and virtual, MSPs need to react quickly with adequate countermeasures to defend organizations.
While MSPs may not be directly targeted, their role in protecting organizations will become far more important as they’ll need to reduce reaction time to new critical threats to a bare minimum, on an ongoing basis. Consequently, network security and threat mitigation will become commonplace services for MSPs.

2. Next-Level Ransomware

The rise of polymorphism-as-a-service (PaaS) will trigger a new wave of ransomware samples that are even more difficult for security solutions to detect. Coupled with new encryption techniques, such as leveraging GPU power to speed up file encryption, ransomware will continue to plague organizations everywhere. Backup management and incident response that provide full data redundancy need to be at the core of MSP offerings when dealing with these new ransomware variants.

While traditional ransomware will cause serious incidents, threat actors might also hold companies at gunpoint by threatening to disrupt services with massive distributed-denial-of-service (DDoS) attacks performed by huge armies of IoT botnets.

3. OSX Malware

The popular belief that Apple’s operating system is immune to malware was recently put to the test by incidents such as the ransomware-laced Transmission app and advanced remote access Trojans (RATs) that had been spying on victims for years. With Apple devices making their way into corporate infrastructures and onto C-level executives’ desks, managing and securing them is no longer optional, but mandatory.

Security experts have started finding more advanced threats gunning for organizations that have specific MacOS components, meaning that during 2018 threat actors will continue down this path. Regardless of company size, vertical or infrastructure, MSPs need to factor in MacOS malware proliferation and prepare adequate security measures.

4. Virtualization-Aware Threats

Advanced malware has been endowed with virtualization-aware capabilities, making it not just difficult for traditional endpoint security solutions to identify, but also highly effective at lateral movement in virtual infrastructures. MSPs need to identify and plan to deploy key security technologies that are designed from the ground up to defend virtual infrastructures, are hypervisor-agnostic, offer complete visibility across infrastructures and detect zero-day exploits.

Focusing on proactive security technologies for protecting virtual workloads against sophisticated attacks will help MSPs offer unique value to their services.

5. Supply Chain Attacks

MSPs could also become the direct target of threat actors, which is why deploying strong perimeter defenses of their own should also be a top priority. Having access to, and managing security for, remote infrastructures makes MSPs likely candidates for advanced attacks. Whether attackers target their infrastructure directly or “poison” commonly deployed tools, MSPs should treat the security of their own infrastructure with the utmost scrutiny.



Website security firm Sucuri hit by large scale volumetric DDoS attacks

Another day, another series of DDoS attacks – This time Sucuri and its customers have been hit by a series of attacks worldwide.

The California-based website security provider Sucuri has suffered a series of massive distributed denial-of-service (DDoS) attacks, causing service outages in Western Europe, South America and parts of the eastern United States.

The attacks began on April 12th, 2018 at approximately 11 pm (PST), when Sucuri’s network came under non-stop DDoS attack. The company then worked with Tier 1 providers to mitigate the attacks.

In an email to HackRead, Sucuri spokesperson said that “The attack was big enough that caused some of our ports to be pretty close to capacity, causing very high latency and packet loss. In some other regions, it caused temporary latency and packet loss.”

The company’s Status page also kept the customers updated revealing that Sucuri “worked with its upstream providers, our NOC and partners to help mitigate the attack and re-route the affected regions. Unfortunately, due to the size of the attack, it took a lot longer than expected to get it fully handled.”


The exact size of the DDoS attacks is still unknown, as are the culprits and their motives; however, there has lately been a surge in large-scale DDoS attacks. Last month, malicious hackers abused exposed Memcached servers as amplifiers to carry out the world’s largest DDoS attacks to date: 1.7 Tbps against an American firm and 1.35 Tbps against GitHub.

The same technique was also used to hit Amazon, Google, the NRA, PlayStation and several other high-profile targets.

As for Sucuri, the good news is that the attacks have been successfully mitigated and at the time of publishing this article Sucuri services and customer websites were back online.



Is Blockchain Causing More Cybersecurity Attacks in the Financial Industry?

There’s a lot of misunderstanding about blockchain. A recent study by HSBC, for example, found that 59 percent of customers around the world had never heard of it. Yet, while that alone is quite telling, it’s probably more alarming to consider the fact that the very same poll revealed that 80 percent of people who had heard of blockchain did not understand what it is.

This level of confusion isn’t confined to the general population either. Politicians in charge of setting the law around this sort of technology and some traders who are perfectly at home with currency futures are equally in the dark about what this technology is and what it means for the financial industry.

There are some who fear that this technology – a digital transaction ledger in which each block is protected by cryptography – poses a security risk. That hasn’t been helped, it has to be said, by a number of scams in this market which have caused some to associate blockchain with risk.

CoinDesk, for example, demonstrates seven key incidents that attracted attention in 2017 alone. The incidents it highlights — including wallet hacks, ICO fraud and software bugs — cost investors nearly $490 million.

But, while it’s understandable that these sorts of incidents cause alarm, the general fear around blockchain is misplaced, probably not helped by the fact that this technology is proving ‘disruptive’ to the old order, promising drastic change to the speed and ease of money transfers.

Far from being the cause of problems for the financial industry, this technology might well offer a solution to make the industry safer.

Medium writer Redactor demonstrates four key ways in which blockchain technology is improving cybersecurity. These are:

  • Mitigating attacks such as DDoS with a decentralized structure and by not having a single point of failure
  • Protection for IoT devices, which can communicate with enterprise-defined ledgers based on blockchain
  • Providing transparency with permanent records that cannot be altered without creating a data trail (in order for transactions to be finalized they need to be approved by more than half of the systems in a network and, when this occurs, the block is given a time stamp and is immutable)
  • Allowing for digital identities, greater encryption and more robust authentication

It’s fair to say that blockchain is here to stay. It isn’t ‘just’ the technology that underpins Bitcoin and other cryptocurrencies — although this is probably what it’s best known for — but a form of technology that has much wider potential for use in the finance sector and beyond.

Rather than ignore it — or treat it as a security threat — the industry needs to identify the potential of blockchain and set to work to use this as a way to add security. This, increasingly, is the case, with banks and big tech firms working on ways to harness blockchain to shelter the data of financial firms and customers alike.

Clearly scams shouldn’t be ignored — and work needs to be done to crack down on these — but nor should the positive potential of blockchain as a force for security.



How To Secure The Internet Of Things

We’re all connected. That’s not just some warm and fuzzy expression of sentiment, it’s the reality of the digital world we inhabit. That connection provides great benefits, but can also leave us vulnerable to those who would prey on any exposed weakness. Hackers and other bad actors are targeting unprotected networks to attack and hijack our personal devices for use in criminal activity.

Consider that experts are saying that attacks using the Internet of Things (IoT) jumped by 280%, as hackers become ever-savvier. The problem has become pervasive enough that the U.S. Department of Commerce has moved to set standards for security.

Do you know how to protect your safety and security online when you’re connected to smart devices? First, recognize that our personal and professional environments include the use of technology in nearly every area, and we have entered an era in which all of those devices are designed to connect to the internet. By now, most of us are aware of the risks in connecting online and have taken precautions to secure our computers and mobile devices. That’s an important step, but it’s only the beginning.

Many continue to overlook the risks of using other internet connected devices without taking proper security measures. If you think that this doesn’t necessarily apply to you yet, consider that you likely already have smart devices designed to connect to the internet throughout your home.

There are dozens of different IoT devices, and owners may not even be aware that they have them. These devices include digital media players — such as internet-enabled television sets and Blu-ray players — gaming consoles, home security monitoring devices, smart baby monitors, internet-enabled appliances and temperature control systems.

What are the risks of having these devices? When unsecured, hackers and other bad actors can exploit vulnerabilities to attack individual devices. These attacks can be designed to install ransomware, invade your privacy or take control of the device and enrol it in a botnet that launches secondary attacks on organizations, such as distributed denial-of-service (DDoS) attacks directed from the attacker’s command-and-control servers.

So, what can you do to protect yourself when using smart devices? Here are some strategies to consider.

Protecting Yourself From Cyberattacks Launched Through The Internet Of Things

1. Secure your devices, when possible. Keep your software updated, use proper filters and firewalls, practice good internet habits, avoid phishing scams and watch out for spoof sites. Change each device’s default password and turn on two-factor authentication where the device or its app supports it.

2. Choose reputable vendors when buying smart devices. If you’re buying a digital media player or baby monitor, purchase the device from a vendor that has an established reputation. That corporation is more likely to have the latest security in place. The price might be a little bit higher to purchase from a name brand corporation, but you’ll save in security and peace of mind.

3. Upgrade the security of your home network. Make sure your network is configured so that devices cannot send data out, or accept connections in, without your permission: change the router’s default administrator password, turn off remote management and UPnP unless you need them, and keep your passwords protected rather than giving them out.

4. Consider whether you’ll be using the public or private cloud, and get educated about the risks of each. Do you want your baby monitor video going to the cloud? Consider what level of privacy you need when making decisions about which devices to use.

5. To prevent attacks that penetrate your network, make sure your router’s firewall drops unsolicited incoming connections, so that outsiders cannot reach devices on your network directly. A virtual private network (VPN) encrypts your traffic in transit and can hide your home address from the sites you visit, but it is not a firewall and does not filter incoming traffic on its own.

Whatever you do, you must not ignore the risk. As we move into an increasingly connected world, we must all take the responsibility to protect ourselves and our networks from attacks.



Over 65,000 Home Routers Are Proxying Bad Traffic for Botnets, APTs

Botnet operators and cyber-espionage groups (APTs) are abusing the Universal Plug and Play (UPnP) protocol that ships with most modern routers to proxy bad traffic and hide their real location from investigators.

In a report published on Monday, Akamai revealed that it detected bad actors abusing at least 65,000 routers to create proxy networks for various types of secret or illegal activities.

Bad actors are abusing UPnP

According to Akamai, attackers are abusing the UPnP protocol, a feature that makes it easier to interconnect local WiFi-enabled devices and forward ports and services to the Internet.

UPnP is a crucial service for most of today’s routers, but the protocol has been proven to be insecure more than a decade ago, and malware authors have abused various UPnP flaws ever since.

Akamai says it detected a new way through which bad actors have been recently abusing UPnP. Experts say that bad actors have discovered that some routers expose UPnP services meant for inter-device discovery via their WAN (external Internet) interface.

Attackers leverage UPnP for NAT injections

Hackers have been abusing these misconfigured UPnP services to inject malicious entries into the router’s NAT (Network Address Translation) table, the set of port-forwarding rules that controls how IPs and ports on the router’s internal network are mapped to the network above it (usually the Internet).

These custom NAT rules allow an attacker to connect to the router’s public IP on a specific port, but get redirected automatically to another IP:port combination.

In other words, this flaw allows attackers to use routers with misconfigured UPnP services as proxy servers for their operations —hence the reason Akamai codenamed this issue UPnProxy.

Hackers can exploit UPnProxy to bypass firewalls and access internal IP addresses, or use the router to redirect the request to an entirely new IP address or domain name.

Figure: UPnProxy flaw used to relay traffic into internal networks

Figure: UPnProxy flaw used to bounce traffic to an external IP

UPnProxy is a serious flaw because it allows an attacker to access the login panel of routers that do not usually expose their backend on the Internet. UPnProxy would redirect a request for [public_IP]:[custom_port] to the router’s backend panel hosted on an internal, restricted IP address.

Such routers, despite having weak credentials, weren’t previously susceptible to brute-force attacks because their admin panel is harder (and sometimes impossible) to reach by an Internet attacker. UPnProxy now lets attackers carry out brute-force attacks against the backend panels of any device on an internal network.

UPnProxy abused by at least one APT

In addition, because UPnProxy can be abused to bounce traffic to any other IP address, the flaw can be used to create an entwined network of proxies that redirect traffic through tens or hundreds of IPs before reaching a final destination.

Such a feature can be abused to mask the origin of spam campaigns, phishing pages, advertising click fraud and DDoS attacks, which makes UPnProxy useful not only to botnet operators and other cybercriminals but to cyber-espionage groups as well.

In a separate report, Symantec reported seeing a nation-state-backed actor codenamed “Inception Framework” utilizing the UPnProxy technique to hide their real location behind a cloud of proxies.

Figure: APT using UPnProxy flaw to disguise its location

Over 4.8 million routers potentially vulnerable

Akamai says it detected over 4.8 million routers that expose various UPnP services via the WAN interface. Of these, Akamai experts say they’ve identified active NAT injections on over 65,000 of these devices, meaning these routers have already been compromised and are actively being used to reroute traffic without the device owner’s consent or knowledge.

Identifying compromised or vulnerable routers is not a trivial operation unless the device owner can find and audit the router’s NAT tables, a task that’s out of the reach of almost 99.99% of all SOHO router owners.

To help users, Akamai has compiled a list of 400 router models from 73 vendors that they identified as exposing UPnP services via the WAN interface, and which they suspect may be vulnerable to UPnProxy attacks.

Mitigating UPnProxy attacks would require a massive effort from all affected vendors. This would imply releasing firmware updates that correct UPnP configs to stop exposing UPnP services via WAN interfaces. In the meantime, the only advice Akamai was able to provide was that users replace existing router models with one not found on their list.

In addition, the company also provided a Bash script that can identify vulnerable or actively exploited routers, although the script is of little use unless users know how to connect to their router’s terminal via SSH and run and interpret the results of a Bash script.
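Akamai’s own script is not reproduced here. As an added example, not Akamai’s code, the block below shows what such a check does in principle: it builds the SOAP request that walks the WANIPConnection port-mapping table one entry at a time, parses each reply, and classifies the mapping as a normal LAN forward, an exposure of the router’s own admin interface, or a bounce to an outside address, which is the UPnProxy signature described above. The three replies are constructed sample data, and the LAN range 192.168.1.0/24 and gateway address 192.168.1.1 are assumptions; against a real device the requests would be POSTed to the control URL found in the device description XML, which the example deliberately does not do.

```python
"""Audit a router's UPnP port-mapping (NAT) table for UPnProxy-style injections.

Added example, not Akamai's Bash script. It builds the SOAP request a client
sends to the WANIPConnection service to read entry N of the table, parses the
reply, and classifies each mapping. The replies below are constructed, not
captured from a real device; the LAN range and gateway address are assumptions.
"""
import ipaddress
import xml.etree.ElementTree as ET

WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"


def build_get_mapping_request(index):
    """SOAP body for GetGenericPortMappingEntry(index). Walking index 0, 1, 2, ...
    until the device answers with a SpecifiedArrayIndexInvalid fault dumps the
    table; when the service answers this on the WAN side, outsiders can read it too."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP_SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
    )


def parse_mapping_response(xml_text):
    """Return the New* fields of a GetGenericPortMappingEntryResponse as a dict,
    ignoring namespace prefixes because vendors differ."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.tag.split("}")[-1] == "GetGenericPortMappingEntryResponse":
            return {child.tag.split("}")[-1]: (child.text or "").strip() for child in elem}
    raise ValueError("no GetGenericPortMappingEntryResponse in body")


def classify_mapping(m, lan_net, gateway_ip):
    """admin_exposure: WAN port forwarded to the router itself (its web UI or SSH).
    external_bounce: target is outside the LAN, so the router relays to the Internet.
    lan_forward: ordinary forward to a LAN host; still confirm the owner created it."""
    client = ipaddress.ip_address(m["NewInternalClient"])
    if client == ipaddress.ip_address(gateway_ip):
        return "admin_exposure"
    if client not in ipaddress.ip_network(lan_net):
        return "external_bounce"
    return "lan_forward"


def audit(responses, lan_net="192.168.1.0/24", gateway_ip="192.168.1.1"):
    """Classify every reply; returns (ext_port, internal_client, int_port, verdict)."""
    out = []
    for r in responses:
        m = parse_mapping_response(r)
        out.append((int(m["NewExternalPort"]), m["NewInternalClient"],
                    int(m["NewInternalPort"]), classify_mapping(m, lan_net, gateway_ip)))
    return out


def _response(ext_port, proto, int_port, client, desc):
    """Build a constructed GetGenericPortMappingEntryResponse (sample data only)."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_SERVICE}">'
        f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>'
        f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
    )


SAMPLE_RESPONSES = [
    _response(3074, "UDP", 3074, "192.168.1.20", "game console"),   # legitimate LAN forward
    _response(8080, "TCP", 80, "192.168.1.1", "sys"),               # router admin UI on WAN
    _response(48000, "TCP", 25, "198.51.100.45", "sys"),            # bounce to an outside host
]

if __name__ == "__main__":
    for ext, client, port, verdict in audit(SAMPLE_RESPONSES):
        print(f"wan:{ext} -> {client}:{port}  {verdict}")
```

An entry whose internal client is outside the LAN can only have been written by something other than a LAN host asking for a forward, so external_bounce is the clearest indicator; admin_exposure is what turns a router with weak credentials into a brute-forceable target. Plain lan_forward entries are not automatically benign, since an injected rule can also point at an internal host, so the owner should recognise every one of them.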



Command and control: A fight for the future of government hacking

Following years of effort and billions of dollars’ worth of research and planning, the nation finally has a fully operational force of cyberwarriors at U.S. Cyber Command. Yet, as those troops confront adversaries around the world, there’s uncertainty across government about how to best make use of them.

While lawmakers push the Trump administration to exact revenge for years of cyberattacks on U.S. targets, a quiet but constant tug of war is raging between the intelligence community and the military over the future of government-backed hacking operations.

Congress, the White House and the nation’s spy agencies all have something at stake, but the tension is perhaps most intensely felt at the National Security Agency, which serves as a partner agency to U.S. Cyber Command. The NSA is not the only intel agency challenged by the warfare unit’s increasingly influential role: The CIA, the FBI and the Pentagon’s other intelligence agencies are also trying to shape Cyber Command’s future. Each agency understands offensive hacking in its own way, and that dissonance only intensifies the debate, according to current and former U.S. officials.

CyberScoop spoke with 13 current and former U.S. intelligence officials, three lawmakers and dozens of congressional aides for this story. Some chose to speak only on condition of anonymity to discuss the opinions circulating in government about who should be managing covert offensive cyber-operations that cross the line of everyday digital espionage.

The chief question is: If the U.S. is going to strike back at foreign targets in cyberspace, when should the soldiers or the spies lead the charge? Things may now finally be leaning in favor of the military after the intelligence community dominated for more than a decade, sources say. The U.S. has engaged in cyber-espionage since at least the 1990s, and there are historic cases of allied intelligence agencies launching offensive, destructive-style cyberattacks dating back to at least 2011.

Since then, both the Obama and Trump administrations have made decisions allowing Cyber Command to escape NSA’s shadow. And yet at the same time, the government appears to be desperately avoiding an all-out cyber conflict with Russia or any other entity aside from ISIS.

An analyst for the U.S. government described the changing dynamic by saying: “NSA went into this thinking that they were going to be the top dog. Now they are paranoid that they may have eaten a massive tapeworm instead.”

Pressure to use Cyber Command’s full capabilities only increases as more stories surface of interference in U.S. networks by Russian, Chinese and other foreign hacking groups. Any decision to expand the military’s use of cyberwarriors will be a pivotal point in the relationship between the nation’s spies and the Pentagon, further drawing the bureaucratic boundary that separates stealthy digital espionage activities from more overt cyberwarfare operations.

The rise of the ‘gray zone’

Founded in 2009, the Fort Meade, Maryland-based Cyber Command was created through the leadership of then-NSA Director Gen. Keith Alexander. Some of its architects believe it was supposed to be a collaborative extension of NSA, but it has gained stature and influence far beyond what Alexander might have intended, insiders say.

Alexander, through a spokesperson, declined to comment for this story.

Today, U.S. Cyber Command is in the process of becoming a unified combatant command on par with the likes of Strategic Command (STRATCOM), which handles the nuclear program, or Special Operations Command (SOCOM), which handles high-profile combat operations. In less than a year, Cyber Command could also gain additional power through a separation from NSA that would call for a new and separate leadership structure, ending the current “dual hat” arrangement for the NSA director.

The elevation process and potential formal split from NSA could eventually give Cyber Command more leeway to plan and recommend cyberattacks, with a direct line to the White House. Launching these types of cyberattacks usually requires direct presidential approval, and the authority flows through NSA leadership. But that may too change.

In a congressional hearing Feb. 27, the current head of NSA and Cyber Command, Adm. Mike Rogers, acknowledged that there’s an ongoing “policy discussion” about giving Cyber Command more authority. Lawmakers needled him over the Trump administration’s lackluster response to Russian meddling in the 2016 presidential election. His responses were cagey, but he had a reason.

Cyber Command is quite limited in what operations it can pursue because, among other reasons, it is designated as a combat force that operates under Title 10 of the U.S. Code. That law dictates that such a unit can only operate within the confines of a declared war zone — a statute complicated by the internet’s global reach. The intelligence community, including the NSA and CIA, operates under Title 50, which permits it to conduct espionage in nearly any foreign country, a condition that’s especially advantageous when exploiting computers spread around the world.

How exactly Title 10 applies to cyberspace remains an open-ended question, former U.S. intelligence officials say. Some academics have described the current situation, in which military-backed cyberattacks occur, as a sort of legal “gray zone.” That description is driven by the fact that the international rules of engagement for cyberwarfare remain largely undefined.

Even so, Secretary of Defense James Mattis has become a leading voice lobbying the White House to at least give Cyber Command more flexibility.

“[Mattis] has been very aggressive in articulating this concerns him, that there’s an ongoing discussion at the moment, that I hope is going to come to a way ahead in the near term,” Rogers recently told lawmakers.

It’s unclear exactly which additional authorities Mattis is seeking.

Cyber Command was recently granted the ability to forward deploy its forces to combatant commands across the world, sources told CyberScoop. Previously, so-called Cyber Mission Force teams would only be assigned to U.S. bases, like Fort Meade. Now they can be located within other combatant commands like U.S. Central Command, integrating with the military on physical front lines. This follows the SOCOM model, which allows elite military personnel to be quickly grouped and deployed to accomplish very specific objectives.

That decision could open the door for new opportunities to hack enemy networks, but it does not necessarily provide Cyber Command with any additional license to independently launch attacks.

When military leaders push to do more with hackers, they usually meet some form of resistance from Pentagon lawyers.

A recent operation underscores the complexities surrounding Cyber Command’s ability to run offensive operations in the gray zone.

According to prior reporting by the Washington Post, the Obama administration angered the German government when Cyber Command hacked into a server hosting ISIS propaganda that was located in Germany. Though the terrorist group is most active in the Middle East, the group’s digital content is sometimes hosted by shared systems located inside allied countries and not war zones. The Pentagon reportedly notified its German counterparts of the counterterrorism mission to remove ISIS material, but the hacking still upset a wary ally.

The debate about what checks and balances should exist to control the use of offensive cyber operations is especially important due to the fragile nature of the internet. With militaries looking to disrupt each other through the world wide web, innocent users will inevitably be caught up in the chaos.

In 2016, a single distributed denial of service (DDoS) attack against Dyn, an internet gateway company, knocked out dozens of major internet retailers, leading to millions of dollars in lost revenue. That attack was later attributed to several American university students, a group obviously far less equipped than a conventional army.

New spin on an old fight

While ambiguity may surround the legal framework for military-led cyberattacks, how these missions affect the intelligence community’s own computer spying efforts poses another difficult proposition.

It’s not one that’s been easily handled in the past.

“This tug of war is not a new one,” described Rhea Siers, a 30-year NSA veteran who during her time at the agency worked in multiple administrative roles. “Collecting intelligence versus taking out the target has been a key tactical and strategic discussion between the military and intelligence agencies for decades — first about SIGINT [Signal Intelligence], now about cyber-operations as well.”

With Cyber Command in the spotlight, some military leaders have pushed for permission to “engage the enemy” online more often, a U.S. official told CyberScoop. But there are U.S. intelligence officials who still worry about what Cyber Command’s rise will mean for espionage missions.

In short, spies fear that their more covert digital intrusions will be negatively impacted by a spike in “louder,” purposefully disruptive cyberattacks from military operators, who are usually more interested in immediate outcomes. The concern stems from the issue of parallel discovery — where both a spy agency and military unit are hiding in the same compromised network, allowing the detection of one attacker to expose the other.

“There is an inherent conflict between military-like cyber operations and clandestine espionage operations,” explained Jason Kichen, a former intelligence officer who was focused on computer hacking strategy. “Sometimes the military’s needs to gain their own access can put the already present espionage-focused access at risk.”

Historically, NSA’s relationship to Cyber Command has generally been collaborative. The partnership is complicated because each organization is responsible for a unique mission that’s sometimes drastically different yet requires nearly identical tools and talent — both of which are finite.

The clashes can be over which hacking tools are used, who should be handling them and whom they should be used against.

At the moment, the NSA is the government’s primary collector of information about software vulnerabilities that can be exploited by hackers. That title is held closely and with pride.

“A lot of what we ran into during the Obama administration involved the IC bucking at plans strung up by Cyber Command because they worried about intel gain-loss,” said Eric Rosenbach, former Pentagon chief of staff to Defense Secretary Ashton Carter. “The missions of Cyber Command and NSA should be complementary, but too often they are competitive and collide with one another.”

Nearly everyone who spoke to CyberScoop said that the unified combatant command’s rise under the Trump administration will inevitably challenge the NSA’s franchise on software vulnerabilities and other hacking tools. Until recently, the intelligence community has usually taken the lead in helping decide whether to deploy some of the government’s elite hacking capabilities, according to two former senior U.S. defense officials.

But that hegemony is now increasingly challenged by a younger, military-minded Cyber Command that’s pushing for changes to the status quo.

“NSA has had a major role in this space since at least 1997, when [then-Secretary of Defense William] Cohen assigned them the mission to develop offensive techniques,” said Jason Healey, a former director for Cyber Infrastructure Protection at the White House from 2003 to 2005. “Twenty years on, they’re used to ruling the roost, especially since they’ve been not just developing but using offensive capabilities since 2005. Losing [some] of those responsibilities was always going to sting and meet bureaucratic resistance.”

Untangling the policy knot

Empowering Cyber Command appears to have bipartisan support. Multiple current and former defense officials are pushing for a win after years of apparent stagnation. And multiple former officials who worked in past administrations told CyberScoop, in general terms, that they welcomed changes that could help Cyber Command contribute to national security.

Creating the tools and policies that give Cyber Command independence from other U.S. intelligence or defense agencies has helped solve some bureaucratic issues. But not all of them.

In recent months, aides for the House Armed Services Committee and Senate Armed Services Committee have been meeting with government “working groups” to stop the military and intelligence community from butting heads. With people in the room representing both sides’ interests, lawmakers hope to quell any problems that have come with impending changes to the hierarchy.

Several aides told CyberScoop that the people representing Cyber Command have grown increasingly frustrated in these recent meetings. The representatives told the committees that the unit’s growth has been curbed by a reluctant bureaucracy that’s continuing to voice skepticism about scaling up hacking operations beyond the intelligence community.

In mid-February, Rogers’ Combined Action Group (CAG) held a meeting with congressional staffers, military academics and other officials from Fort Meade to discuss some of the issues. The gathering’s purpose was not necessarily to come up with immediate solutions, but to flesh out each side’s concerns that have come with Cyber Command’s maturation. Insights from the nearly eight-hour-long meeting were later provided to Rogers, who used them to prepare for a congressional hearing.

In that Capitol Hill appearance, Rogers maintained that Cyber Command should eventually be split from NSA, which would give it more autonomy.

The peacemaker?

President Donald Trump recently nominated Army Cyber Commander Gen. Paul Nakasone to be the combined leader of NSA and Cyber Command. Nakasone is a well-respected military leader with a history of working in cybersecurity-focused positions. However, he is not a career intelligence official.

Nakasone has been heralded for his time in service by former superiors, including Rosenbach and Alexander. He is widely considered one of the most experienced generals in managing military-led hacking operations.

The congressman with perhaps the most experience dealing with NSA told CyberScoop that managing some of the conflicting equities between the two brotherly organizations will almost entirely fall on Nakasone.

“It’s really going to be up to leadership, they’re responsible for making sure it goes right,” said Rep. Dutch Ruppersberger, D-Md. “You need to have the right leader to negotiate these things, to listen to both sides and figure it out … If we don’t have good leadership for this position then it can be bad.”

Managing the tug of war in government represents just one of many challenges for the NSA director.

“That’s a very, very tough job,” he continued. “With everything that’s gone on recently, maybe one of the most difficult [jobs] in government.”

Michael Sulmeyer, a former cybersecurity policy adviser in the Office of the Secretary of Defense, said he believed Nakasone would make it a “fair fight.” Sulmeyer told CyberScoop that Cyber Command’s development may have been stunted by the dual-hat leadership arrangement, which he contends had benefited the intelligence community more.

“In the past, the IC would usually win these internal arguments … the resolution process requires consulting with the leaders of each organization. So it was a really circular, you could efficient way of dealing with it. But certainly slanted,” Rosenbach explained.

Nakasone recently told lawmakers that he planned to provide a recommendation within 90 days of being confirmed to Mattis about whether or not to split Cyber Command from NSA. Rogers, his predecessor, has said a split is inevitable. CyberScoop previously reported that Director of National Intelligence Dan Coats preferred keeping the dual hat in place for the immediate future.

In a brief interview with CyberScoop following a public speaking appearance in D.C., current White House Cybersecurity Coordinator Rob Joyce said he believed Cyber Command should be separated from NSA as it becomes more capable. He provided no timeline, but said that some predictable “friction” would likely follow a split as the two organizations readjust to a new relationship. “That’s only normal,” Joyce said.

Fighting into the future

Lawmakers are generally unsure of how Cyber Command’s evolution will pan out. But several expect a bumpy road forward.

“There’s always going to be that rub between the operators and the intel collectors. I think that’s very true right now just because probably NSA is much more mature organization and certainly CIA also weighs in as well and they want to err towards protecting their capabilities,” said Congressman Jim Langevin, D-R.I. “I certainly get that. But sometimes they can be over-protective and it slows things down. Maybe we’re missing out on opportunities to make a [cyberwarfare] operation more effective.”

Sen. Mike Rounds, R-S.D., the chairman of the Senate Armed Services cybersecurity subcommittee, told CyberScoop that he has also been involved in helping to ensure that Cyber Command’s elevation to a unified combatant command happens quickly and in a well-managed fashion.

“After listening to a lot of discussion internally, I think we’re moving in the right direction by separating the hats,” Rounds said in an interview with CyberScoop following a congressional hearing. “Those folks operating under Title 50 really want to be deep in and not be discovered. At the same time, under Title 10 and what we would want in terms of persistence, you have to be able to show ourselves every once in a while and that we are actually doing things in cyber to deter those who are causing the problems. It may easier to do using two hats rather than a dual hat.”

Whether the current system disproportionately handicaps Cyber Command remains a tough question to answer.

“The benefit of having a dual-hat between NSA and U.S. Cyber Command is clear — you have one person who can make a fully informed decision about the tradeoffs between the potential capability loss associated with using an intelligence asset to conduct an offensive cyber-operation,” explained Jamil Jaffer, former senior counsel to the House Intelligence Committee.

With Nakasone set to take the helm of both Cyber Command and NSA later this month following his expected confirmation, the debate will be immediately in front of him.

“Many have raised concerns that such an arrangement is a one-way ratchet and doesn’t fully account for all equities,” Jaffer said. “What can be said for certain is that if you split the current dual-hat arrangement, you’re going to be teeing up a lot more debates for the National Security Council to have on individual operations and that is likely to be its own can of worms. After all, fighting a war by committee is hardly a good way to go.”
