By Stuart Herrington

Best Defense guest columnist

Unless he was an asset of the Chinese or some other foreign intelligence service prior to "coming out" as he did, I don't think it's likely any foreign intel service is going to latch onto Edward Snowden.

If he were already a recruited asset, one would think that his case officers would have given him a better exfil plan than "fly to Hong Kong and hold a press interview." In fact, were he already on some service's payroll, the counsel would have been "stay right where you are, you can do us the most good in your current Booz Allen position." He is a "property," but don't think it likely that he would be picked up in such a short time by any country's service, China included.

To use jargon, Snowden is "blown" -- that is, he is a hot potato, with many downsides politically and from almost any perspective. My guess is that he realized after his flight to HK and going public that this was not a very swift move, and that he was in danger of being picked up by the authorities, acting on behalf of the local U.S. mission there (or, in his paranoid mind's eye, snatched and rendered by the hated CIA) -- and he was relentlessly besieged by media -- so he disappeared himself for the moment, which won't last in Hong Kong, a very well-organized society with a super security force. In short, any service that might like to contact him for a debriefing or other relationship would right now be appealing to its highers (the very top) with arguments as to just why they would wish to touch this guy at this time.

Based on what we know now, which could change in a flash, I would vote that no service, Chinese or otherwise, will touch this fellow; and, if they do, it would be a quiet interview, just to sniff out what, if anything, he might have that would merit undertaking political risks to touch him.

Stuart Herrington is a former commander of the U.S. Army Foreign Intelligence Command, INSCOM. He also is the author of several books about intelligence, including Traitors Among Us: Inside the Spy Catcher's World.   

In discussing my cranky comments about Twitter the other day, the always insightful Jim Gourley summarized how we have embraced the internet: "we decided to use that vast network as a giant repository of pornography and cat videos."

By John Scott

Best Defense guest columnist

It's Wednesday, and that means another story about the looming threat of cyberattack, how vulnerable the United States and its infrastructure is, how bad the Chinese are, how to retaliate, etc. But what seems to be left out of the discussion is what can practically be done about it (beyond scolding bad people). 

The first thing that should be done is to shrink surface area for attack. What does this mean? Right now the U.S. government and industry runs a pretty homogenous set of operating systems and applications that have shown to be a big part of the problem; specifically, Microsoft and Adobe are two companies whose wares have become amazing attack vectors. Why? For a few reasons: 1) if you want to create a virus/exploit weapon you tailor one for largest adoption, 2) attack large morphing code bases that give rise to known-unknown software vulnerabilities, and 3) updates don't always filter out in time once new vulnerabilities are detected and patched.

A great example is how Stuxnet is reported to have entered the Iranian nuclear program: 

The main (and initial) infection vector is the transmission of the Stuxnet malware via USB devices: if an infected USB device is inserted into a clean PC and later accessed with the Windows Explorer, then the infection of that PC is triggered. This is due to either a malicious ‘Autorun.inf' file present on the USB device (for the oldest variants of Stuxnet) or to the usage of the ‘LNK' Windows vulnerability (MS10-046,CERT-IST/AV-2010.313 advisory) for the variants found in June 2010.

The Iranians were probably running older versions of Microsoft operating system software that wasn't updated (and was probably pirated to boot). Further, the Iranians were a victim of Microsoft's business model of stitching together source code to lock-in users and conversely lock-out other software, which allowed the virus carte blanche access to anything. 

So what should we, the government, or private companies for that matter, do? First thing, we've got to get our own house in order to limit our vulnerabilities (or "know thyself," to paraphrase Sun Tzu).

• First, get rid of software for which we have to continually make excuses. Just as the U.S. military doesn't promote smugglers (Han Solo) and farm boys (Luke Skywalker) to general, stop deploying software that requires additional fixes and comes stitched together. Microsoft and Adobe might be less expensive software, but if it leaves a backdoor open, is it really "cheaper"?

• Second, only install operating systems and applications where the source code is available for widespread public inspection. Keeping source code secret increases its widespread vulnerability to exploitation when a defect is detected.

• Third, increase heterogeneity of operating systems and applications to create gaps so that a virus/exploit can't transverse between different systems.

• Fourth, fund research into more secure operating systems and make the fruits of that investment public: A rising tide lifts all (security) boats. A small investment in maturing source code can have a large impact. 

John Scott is a senior system engineer for Radiant Blue Technologies and was a co-author of Open Technology Development: Lessons Learned and Best Practices for Military Software (Department of Defense, 2011). He occasionally blogs at Powdermonkey.

By Irving Lachow

Best Defense cyberwar correspondent

Last week, a front page story in the Washington Post began: "Syria's civil war went offline Thursday as millions of people tracking the conflict over YouTube, Facebook and other high-tech services found themselves struggling against an unnerving national shutdown of the Internet." Despite denials from the Syrian government, there is strong evidence that they were in fact responsible for this attempt at isolating the country from the global information commons. This was most likely accomplished by the state-run Syrian Internet service provider called Telecommunications Establishment, which appeared to have altered its routing tables to prevent both incoming and outgoing traffic from reaching its desired destinations. Although the timing of this action may have been sudden, the fact that the Syrian government would attempt to control rebel access to the Internet is not surprising. Egypt and Libya took similar actions during recent conflicts and Syria has been controlling access to the Internet on and off for many months.

Much like traditional warfare, the kind of cyberwarfare being promulgated by Syria is being driven by attempts to dominate the information sphere. For example, one of the first actions taken by the United States in its wars with Iraq was to dismantle their command and control systems. This provided the United States with freedom of action and reduced the ability of Iraqi forces to obtain accurate and timely situation awareness of the battlefield. Syria is trying to accomplish similar objectives. Limiting the rebels' access to the Internet and mobile communications is akin to blinding their command and control systems. By forcing rebels to rely on local Internet services provided by Syrian companies, the Syrian government can closely monitor rebel communications to obtain intelligence and situation awareness. In addition, the Syrian government can use the Internet to plant false information and undermine trust within the ranks of rebel leadership -- a classic psychological operations tactic for creating fear, uncertainty, and distrust within enemy ranks.

In response to the Syrian government's actions, the Syrian rebels have been using satellite phones -- equipment supplied to them by supporters that include the United States -- to maintain their lines of communication and connectivity to the Internet. The rebels may also be able to tap into the wireless networks of neighboring countries when they operate close to the border -- a fact which shows how difficult it is to implement a full Internet blackout in a country, even one as small and centrally-controlled as Syria. They are also continuing their efforts to influence outside parties by using videos, pictures, and other social media tools to tell their side of the story. As in many conflicts, the battle here is not just over territory but over who controls the narrative.

Events in Syria, Libya, and Egypt have demonstrated that the Internet has become a critical tool for combatants engaged in civil wars and uprisings. It provides command and control, surveillance and reconnaissance, and serves as a means of influencing supporters, opponents, and neutral third parties alike. At the same time, the fact that the Syrian government reestablished Internet connectivity just a few days after implementing a nation-wide blackout makes it clear that national leaders cannot simply shut off access to the Internet without repercussions. The Internet has become a tool of influence and warfare, but it is also a driver of commerce and social connectivity. Internet service providers can function as businesses that enable economic and personal freedom and they can chose (or be forced to) repress free speech, monitor "enemies of the state," and disconnect an entire country from the global communications grid. The Internet may be the ultimate dual-use technology. We will be dealing with that fact for decades to come.

Dr. Irving Lachow is a senior fellow and director of the Program on Technology and National Security at the Center for a New American Security.

While Tom Ricks is away from his blog, he has selected a few of his favorite posts to re-run. We will be posting a few every day until he returns. This originally ran on September 19, 2011.

That might be the question a year from now, as Third World dictators arrest those identified in diplomatic cables as talking to representatives of the U.S. government. See Joshua Keating's summary of the state of play. He notes that two Zimbabwean generals and an Ethiopian journalist already are in the hot seat.

So yeah, I think Wikileaks has been wildly irresponsible. And people who helped it should probably be ashamed of themselves. Maybe tithe 10 percent of your income to Amnesty International as penance.  

Something, it looks like, but we are not going to be told about it, if a U.S. Court of Appeals ruling issued last Friday stands.

I wonder if Google and NSA will merge one day. 

On the other hand, something that discourages intelligence operatives in China from hacking into our e-mails is probably a good thing. Hmm -- maybe I am learning how to love Big Brother?

Quote of the day, from a very good article by Richard Falkenrath in the Financial Times:

Google, by gaining the consent of its users in the form of a quick tick, has secured the power to build an electronic surveillance apparatus that far exceeds anything the Bush administration tried to do.… The potential is vast. For instance, Gmail has a contact-tracking feature, which integrates with Picasa, its free product for managing digital photographs. Picasa has a tagging feature that can tell Google where and when photographs were taken, and an advanced facial recognition feature that allows Google to identify individuals it has seen in one photo in any photo in the user's digital library. Integrating just these three services with Google's core search function could allow Google to locate individuals in virtually any digital photograph on the internet, and so derive where each user has been, when, with whom and doing what. Add YouTube to the mix, or Android smartphones, or whatever other database Google develops or buys -- the implications are breathtaking.

To remedy this problem, Falkenrath advocates adding a new "right to be forgotten" to laws protecting privacy. He predicts that companies such as Facebook and Google that profit by monetizing data on people would fight this fiercely. Unfortunately, given their financial strength, plus the power of the California congressional delegation, I think they would succeed in putting down any such legislation.

That might be the question a year from now, as Third World dictators arrest those identified in diplomatic cables as talking to representatives of the U.S. government. See Joshua Keating's summary of the state of play. He notes that two Zimbabwean generals and an Ethiopian journalist already are in the hot seat.

So yeah, I think Wikileaks has been wildly irresponsible. And people who helped it should probably be ashamed of themselves. Maybe tithe 10 percent of your income to Amnesty International as penance.  

This here is one of the best studies I've ever read on the subject. I learned a lot. Also, I think, a model of what a think tank study should do.

Meanwhile, here is Monsieur Bruni's take. Personally, I think the French should stick to regulating champagne or impressionism. "French internet regulation" is a phrase that just don't work for me, kinda like "French rock music."  

I asked Jay Holcomb what he made of the big article about Stuxnet that ran in Sunday's New York Times. Here is his response.

By Jay Holcomb
Best Defense infowar article critic

I enjoyed reading the New York Times article, "Israeli Test on Worm Called Crucial in Iran Nuclear Delay" published Jan. 16. Everyone seems to agree that this was by far the most complex cyber event ever seen in the wild. By complex I'm referring to the number of technical features, such as zero-day exploits, industrial control system expertise, intelligence on target configurations, number of cyber exploits used on the target, such as root kits, botnet-type command and control, user view manipulation, etc.

I believe that the more media exposure we can generate from complex cyber events like this one, the better. However, I still believe we are missing the bigger picture with regard to these types of complex events. While I realize many folks really want to know where the Stuxnet package originated, I propose that we should be spending as much (or more) time looking around at what these events mean today, and in the near future, with regard to our cyber exposure -- federal/state/local government resources, critical infrastructure, civilian industries, and even our own personal exposure.

I agree with Mr. Langner's quote in the article, referring to the Stuxnet package, that, "It's like a playbook.... Anyone who looks at it carefully can build something like it." Langner makes an important statement that I have not seen many people outside the industrial control system and cybersecurity industries mention or highlight. We can assume it is not only nation-states that are looking at events like these; terrorists and common criminals are most likely very busy right now looking at this too!

Many of the items highlighted in the article potentially read like a fortuneteller's glass ball: "The vulnerability of the controller to cyberattack was an open secret. In July 2008, the Idaho lab and Siemens teamed up on a PowerPoint presentation on the controller's vulnerabilities that was made to a conference in Chicago at Navy Pier, a top tourist attraction." This is not unusual, as significant vulnerabilities in software will often be publicly known. The vulnerabilities often are not addressed until (what seems like) enough public pressure is applied for a fix/patch to be produced and/or applied. While I have no specific information on "Smart Meters," recent articles which point out potential security concerns related to the deployment of "Smart Meters" make me wonder whether we're not looking into a fortuneteller's glass ball. I'll include some reference links about this at the bottom of this note.

One final thought: While the Stuxnet event and associated reports have generated some public media exposure on complex cyber events, I find myself looking back on a report released by the U.S.-China Economic and Security Review Commission, dated Oct. 9, 2009, which does a great job explaining a very complex cyber intrusion -- I wonder if that was a cyber building block to our current Stuxnet discussion?

Read on

Tom R.: For a long time I thought "infowar" or "cyberwar" was nonsense, mainly a gambit to make money in the defense consulting complex. But expert comments like this one on Stuxnet have me reconsidering. 

By Jay Holcomb
Best Defense infowar columnist 

I believe this event should be looked at from a much wider view … the Stuxnet worm (threat vector) certainly should be considered a "game changer" … the folks who are conducting the forensics analysis have been somewhat successful in gaining high level public/government attention to this issue.

While most folks seem to unofficially agree this worm likely targeted Iranian facilities -- if we look wider -- this "attack" … or perhaps a better classification "sabotage" … contains so many complex cyber elements combined into one package that it is absolutely fascinating. I do not believe it is hyperbole to say the Stuxnet worm is "revolutionary" in terms of what we should be expecting to see in future high quality cyber threat vectors.

For example, a few of the well publicized items used by the Stuxnet worm include:

• At least four zero-day vulnerabilities were used. Remember, these were classified as "zero-days" once we found out about them back in June/July -- which means the folks that discovered the vulnerabilities could have been using them/testing them for 12-24 months(?) before we even knew they existed. Discovering a single previously unknown vulnerability and using it successfully against a target is impressive!
Read on

We had a formatting problem yesterday that inadvertently made it impossible to post comments on two items. I apologize for this. The problem has been fixed.

Here's a promising new blog on "lawfare" by three smart guys. All you LOAC freaks will love it, but the rest of you need to pay attention, even if it does get boring sometimes. ("The R-O-E/ Helps you and me.") I think these guys need a new graphics/photo editor, though -- I've seen livelier graphic presentation in constitutional law textbooks.

At any rate: Wittes, Goldsmith & Chesney -- don't go to war without them.

Ethan Guttman has a fascinating piece in World Affairs Journal about China's efforts to track and quash dissidents through computer surveillance. The centerpiece of the article is an interview with Hao Fengjun, a former Chinese government surveillance expert from the secret "6-10 Office" who defected and now lives in Australia.

When he joined that security office in 2000, Hao was surprised to find extensive files on Falun Gong members. "Every person's specific details -- including family member information, everything of everything, how many practitioners in each district, how many coordinators, et cetera... These things are not something that can be done and collected in just one or two years."

Following the 1999 official crackdown on Falun Gong, Guttman writes, its members

were isolated, fragmented, and searching for a way to organize and change government policy, they jumped online, employing code words, avoiding specifics, communicating in short bursts. But like a cat listening to mice squeak in a pitch-black house, the ‘Internet Spying' section of the 6-10 Office could find their exact location, having developed the ability to search and spy as a result of what Hao describes as a joint venture between the Shandong Province public security bureau and Cisco Systems.

The defector also tells Guttman that the "6-10 Office" also sent out false refugees to track overseas activity and undermine dissident organizations. These phonies were

young, trained to mimic Falun Gong behavior, and holding paperwork confirming time spent in laogai, China's penal system. ‘No matter how clever the Australian or the American government is,' Hao told me, ‘they have no way to distinguish the real [Falun Gong refugees] and the police officers.'

If you are going to read one magazine article today, let it be this one.

Meanwhile, the State Department is giving $1.5 million to an internet freedom group with ties to Falun Gong.