Monday, March 26, 2012

Air Force Electronic Attack and Cyber

Good article on Aviation Space and Week a few days ago I had to share. Not surprisingly, it was written by David Fulghum, who wrote several other articles in the past I've referenced in the IW area. He does a great job finding interesting, unclassified stuff to write about in the DoD and IO/IW/EW community activities, although it is not always easy to substantiate.

The article quotes several senior AF executives describing aircraft-oriented attack technologies by the USAF and other countries (namely China and Russia). I'll quote them below:
The Air Force is pursuing “cyber-methods to defeat aircraft,” Gen. Norton Schwartz, the service’s chief of staff, told attendees at the 2012 Credit Suisse and McAleese Associates Defense Programs conference in Washington March 8. But Lt. Gen. Herbert Carlisle, the deputy chief of staff for operations, says the same threat to U.S. aircraft already is “out there.”
Ashton Carter, deputy secretary of defense, is pushing both offensive and defensive network-attack skills and technology. “I’m not remotely satisfied” with the Pentagon’s cyber-capabilities, Carter says.
“The Russians and the Chinese have designed specific electronic warfare platforms to go after all our high-value assets,” Carlisle says. “Electronic attack can be the method of penetrating a system to implant viruses. You’ve got to find a way into the workings of that [target] system, and generally that’s through some sort of emitted signal.”
The Chinese have electronic attack means — both ground-based and aircraft-mounted — specifically designed to attack E-3 AWACS, E-8 Joint Stars and P-8 maritime patrol aircraft, he says.
Interesting comments. First, if they are really interested in "cyber methods to defeat aircraft". Second, that he would think stating that goal at the Credit Suisse and co. conference was a good idea. Third, that Ash Carter's not "remotely satisfied" with our cyber capabilities. And fourth, that Herbert Carlisle claims the Russians and Chinese have already designed platforms to attack "all our high value assets".

The article goes on to rehash earlier claims regarding USAF airborne attack capabilities. Wikipedia summarizes those using the three previously mentioned articles from Aviation Space and Week, and two others here. There are two even more detailed articles on the topic, mostly expanding the events in Syria in Air Force Technology that I'd not seen before. You can find part one here and two here.  

While reading Fulghum's article I also read a couple of new ones he wrote on NGJ, including a focus on autonomous platforms and info on weapons/AESA radars. I updated my Navy Airborne Electronic Attack post accordingly.

It all reminds me of that saying, "May you live in interesting times." I'd say that's accurate and only accelerating!

Thursday, March 15, 2012

Army Cyberwarfare R&D

Just ran across this interesting article from August of 2011 with Georgio Bertoli, the Army's I2WD Offensive Information Operations Branch Chief. Some highlights:
There are few specifics Bertoli can provide about his work because so much of it is classified. But the primary goal of cyber warfare, he explains, is to provide warfighters with a non-kinetic means of striking enemies without permanently destroying infrastructure. The second goal is to disrupt, deny and degrade enemy operations and prevent them from strategizing and communicating.
His team, which consists of 20 government engineers and support contractors, uses software-defined radio, electronic warfare, signals intelligence and other technologies to help build what the Army refers to as its future force.
"Just like a handgun versus a Howitzer," he says, "there's a whole spectrum of tools."
 To give an example of some of those approaches, here's a good presentation he gave at the C4ISR conference that's worth a review. In it, he highlights the differences between CNO (Computer Network Operations) and EW (Electronic Warfare) and the pros and cons of each.

Some other comments from the article:
Unlike kinetic warfare, in which one weapon potentially can thwart multiple enemies — "a bullet is a bullet," Bertoli notes — cyber-warfare typically requires a family of tools. For instance, what works on one particular waveform or network may not work on another.
"So now you have this huge toolbox. How do you manage that? How do you train somebody to be proficient in them?" Bertoli asks. It would be akin to teaching soldiers to use a different gun for each enemy. His team at CERDEC is working to create a common look and feel for cyber tools so they're easy to learn, and to develop a common framework so developers don't have to start from scratch with each weapon.
That reminded me of a solicitation hit the Internet that his group put out that solicited technologies from industry back in 2009. I went online to see what they were asking industry to provide for ideas and found as of Feb 2012 it's the same BAA from 2009. The document is available on the Army site here, and has lots of fun stuff for all the hackers out there. I won't include all of it for brevity, but here's what is listed under Computer Network Operations:
CNE and CNA support shall include but not be limited to:
    • Network discovery and mapping tools capable of operating in a relatively low bandwidth tactical environment and avoid or circumvent network/host-based IDS 
    • Destroy, disrupt, deny, deceive, degrade, delay, target, neutralize, or influence threat information system networks and their components, and Threat C4-ISR systems and nodes and other battlefield communications and non-communications systems
    • Understand various types of tactics, technologies, and tools used to perform CNO.
    • Vulnerability identifications and testing of both wired and wireless networks 
    • Techniques that can be used to find and route communications data through predefined path (accessible route) or to a particular location (cooperative nodes)
    • Methods for performing both distributed and coordinated CNO missions
    • Non-Access dependent CNO technique R&D 
    • Identification, capture and manipulation techniques for data in transit. 
    • Stealthy, real time, precise (within one meter) geographic location and mapping of Threat/adversary logical networks and their components. This includes, but is not limited to the following:
    Ø Individual work stations, terminals, and/or PCs, either networked or stand alone
    Ø Computer networks of any scale (both wired and wireless)
    Ø Virtual Private Networks (VPNs) (both wired and wireless)
    Ø Computer network components (local and/or backbone)
    Ø Displays
    Ø PCS and other commercially available wireless device types
    Ø Government owned or managed private communications networks (military or non-military)
    Ø Trunked Mobile systems or other networked commercially available communications systems
    Ø Telecommunications equipment (e.g., Private Branch Exchange (PBXs), corded and cordless phones)
    Ø Cryptographic components
    Ø Other peripheral components
    • Stealthy, non-cooperative access to logical networks and their components, that overcome threat/adversary best attempts to protect such networks and components. Proposals submitted under this sub-topic shall specify both hardware and software protection measures forming the basis of the target network environment
    • Stealthy, non-cooperative access to RF devices, communications networks and their network components, non-communications networks and their components, and other RF-centric networks and their components, to develop revolutionary TTPs that overcome threat/ adversary best attempts to protect such networks and components. Proposals submitted under this sub-topic shall specify both the hardware and software protection measures forming the basis of the target network environment
    • Stealthy, non-cooperative network discovery software tools, countermeasure capabilities and TTPs that overcome threat/adversary best information assurance/protect measures. Proposals submitted under this sub-topic shall specify both hardware and software protection measures forming the basis of the target network environment
    • Stealthy, non-cooperative network characterization tools and TTPs that overcome threat/adversary best information assurance and protection measures. Proposals submitted under this sub-topic shall specify both hardware, software, and protocol or transmission protection measures forming the basis of the target network environment
    • Stealthy logical network exploitation and/or countermeasure software schemes and TTPs capable of surgically inserting intelligent software agents into threat/ adversary logical networks, regardless of protocols in use or available
    • Stealthy intelligent software agents and TTPs for exploitation and countermeasures of threat/adversary logical networks, and other network-centric networks and their components, and/or Command and Control networks and their components.
    • Stealthy component mapping of logical networks and location data correlation and deconfliction with other all-source intelligence data 
                TTP is Tactics, Techniques, and Procedures for the uninitiated. They also have sections talking about their interest in a CNO framework, software agents,  and EW/IW techniques.

                If anyone has ideas in those areas they have submission information on their acquisition page. Not anywhere near as user-friendly as DARPA's Cyber Fast Track (CFT), and I'm confident they won't be as quick either. It's not been as well advertised though, so I'm sure they'd love to hear from some innovative people out there interested in building cyber tools. Sounds like fun!

                Thursday, February 16, 2012

                0-days and cowboys

                (I post most of the stuff I see on Twitter now, it's such a seamless way to share information. But I just wrote a long post and thought this article was funny/worth mentioning)

                In February 2012, Chris Soghoian called for "reining in" the 0-day researchers and adding regulations or other mechanisms to prevent people from buying/selling "weaponized exploits". He also calls people cowboys and a "ticking bomb" which I think is a bit FUD-oriented. His basic theme that there's a large, opaque market that could go wrong some day is generally a legitimate point (I was surprised how fast/loose people could be there) but I'm not sure how on earth legal restrictions would be constructed to do that effectively. The biggest problem out there now is the lack of transparency and trust between buyers and sellers... if it was brought to light buyers like Google and Facebook could continue to improve their products, commercial vendors can get what they are looking for and researchers could be paid for their work. Hard to picture some senator effectively putting that into legislation or some regulation...

                Some questions that come to mind:
                • Who would define what an exploit is? Does it matter if it's "weaponized" or not? What, exactly, is he proposing to ban/regulate?
                • Who defines what is legitimate or not? If the FBI wanted to buy one to compromise some mafia machine, is that OK with him? Or it was a government? 
                • Is Metasploit/Rapid7 bad? Isn't that what Metasploit is, a "weaponized exploit" framework? What about Canvas and all the other penetration testing tools?
                • If Congress can't even figure out how to regulate copyright violations without breaking the Internet, who on earth would even dream of suggesting they wade into a domain that's significantly more complex? 
                • His concern that Anonymous was going to hack some organization that bought an exploit, and use it is just a little silly. If they are able to hack into the organization that's buying "weaponized exploits" in the first place, it's pretty likely they don't need much help to wreck havoc. 
                Can't spend too much time on silly suggestions or poorly thought out ideas in our community as you'd have a new full time job, but some deserve to be called out! Doesn't mean thoughtful dialog on how to improve the situation isn't useful (one could argue, necessary!) but adding FUD to the mix isn't helpful.

                [Sep 2016 Update] Sounds like the US State Department and the Wassenaar Agreement folks agreed with his argument and proposed some disastrous rules making penetration testing and research tools export controlled. (So if you go to Blackhat and present on some new vulnerability with a POC and foreigners are in the audience you could be fined or go to jail!) Rapid7 has a politically correct writeup about some of the issues.  And of course Dave Aitel was writing about it non stop through the process on his mailing list and cyber security policy blog.  Fortunately the Wassenaar rules died, although I'm sure it will return again in some other form, just like Internet regulations have.

                Starting a defense-focused cyber technology company


                My posting frequency seems to have declined precipitously, both due to busyness and the usefulness of Twitter to share interesting technical news/articles. (If you're not already on you should be!)


                Thought I'd write an article about what I've learned while starting Siege Technologies. I started the company in 2009 with my friend Sam Corbitt who I'd known since I was a rookie engineer. 2011 was another successful year and we continue to grow at a great pace. That growth has been exciting but definitely limits my ability to write up interesting stuff as much as I'd like but the experience might be interesting to read about for those contemplating a similar move (you know who you are!), or who  started down the path recently (Hello Digital Operatives, Apogee Research, Exception Technologies, and Trail of Bits!)


                One of the principals behind the company was to implement what Jim Collins calls the Hedgehog Concept. That is, to figure out what you are passionate about, what can you be the best at, and is there a market for that skill? Find the intersection of those factors and focus exclusively on that. So many times when I was at DARPA I would be approached by business development types from companies (who I will leave nameless to protect the guilty!) and I would ask them that question, "What are you the best at?", or "When I think of x, I should think of you guys." Far too frequently they either couldn't answer or would smile coyly and say "We're good at whatever you want us to be good at!"

                At the same time, I saw (mostly small) companies that focus on excellence getting snapped up. SI Government Solutions got bought by Raytheon. Crucial Security was snapped up by Harris. I'd already watched Ravenwing bought by Boeing and saw first hand Alphatech acquired by BAE SYSTEMS. And there were many others. Most of the big companies wanted more "cyber" in their lives and often didn't really know how to build it from a technical perspective (or, what to do when you had it on your hands!) Some tried hiring people with "cyber" on their resume or buying any company that had computer & security somewhere in their capabilities description. (Raytheon dominated the acquisition field though, going from practically no real capability to owning SI Govs, Pikewerks, BBN, Tek Associates all in a couple of years, an impressive run! Unfortunately they scattered them across competing business units, a problem that big firms encountered - not unique to them!)


                Simultaneously, these and other companies were bought and integrated while new, innovative firms were birthed and the natural corporate life cycle continued. Siege was formed to concentrate on innovative technology development to solve cyber/CNO/computer security problems. We would aspire to be the best in the country at low level computer security technologies. To build those, we'd integrate hacker type software engineers/researchers with PhD-style researchers who can still implement technical solutions. Our team would focus on supporting government and commercial customers looking for advanced technical solutions.


                To be the best, we had to have some unique advantage or combination of advantages that were unique. I decided to combine a focus on talent (and provide a corporate culture to enable recruitment and retention of said talent) with a focus on idea generation/innovation, customer support and corporate flexibility. We were originally going to be in two places, Boston (actually the nice and much less crowded suburb of Manchester, NH!) and DC but also opened up an office in Rome, NY because of a really talented guy I really respected who wanted to join but didn't want to move.

                We put a lot of stuff in place (benefits, bonuses, recruitment avenues, etc.) to support bringing in great engineers and scientists. We turned down lots of work that wasn't centered around R&D (IT security, software development, etc.) to maintain our focus on innovation and high end talent. We turned down work that was R&D, but out of our "swim lane" to maintain our focus on cyber security. We really encourage new idea creation, both as a culture and as a business and have dozens of ideas we've generated. That allows us to pursue only the ones that have impact or capture a partners attention and treat ideas as commodities to be utilized and explored, rather than a few precious gems to hide from the world lest it be stolen or compromised in some way.


                Another approach that has been key has been building relationships through the process. I asked CEOs of companies I admired to serve as advisors and whenever they were permitted they agreed to do so. Also, we built informal relationships with people who provided great advice. One of the best pieces of advice came from Chris Ramming, who advised us to focus on bringing in work first and not getting lost in the details of starting the firm/infrastructure. Build the base first, and the rest will get figured out later... but there will be nothing without customers.

                We built strong relationships at bigger firms (including Boeing, Lockheed Martin, Northrop Grumman, Raytheon, and others) that looked to cultivate small, innovative firms in a mutually beneficial arrangement and had some great partnerships with other small/medium sized firms as well. And we interacted with the larger business/support community, receiving help from the ABI Innovation Center, to our local bank and even Senator Shaheen early in our development to resolve a major government paperwork mix-up that threatened to sink the firm. We tried using the SBA, the SBDC, and various other small business/entrepreneurial support groups to no avail (although the SBDC gave a little feedback on an early business plan and has a nice filter to find government opportunities off the terrible FBO site.)


                Doing all of that, while maintaining my priority (my family) and maintaining healthy growth was not easy but it's actually gone pretty well.  The credit goes to the people outside of Siege who've helped us along the way and especially the people who decided to join Siege, build the tech and make it the company it is now. And most all, the graciousness of God, who allowed market trends/career movements/people to coincide perfectly and made it all come together. I'm just along for the ride, my job is to try to make sure I don't screw up a good thing while it's going!

                I'll probably include some more stories in the future with the normal cyber stuff. Would like to highlight some of the cool people/organizations that've been part of the process.