Thursday, July 26, 2012

Internet Monitoring, Attribution, and Governance in the age of Global Digital Convergence and Persistent Connectivity

This is a controversial topic; I expect disagreement but ask that you think about these issues as objectively as possible. Conversations about government monitoring of public communications and governance of the Internet bring about very strong if not volatile reactions, but these questions need to be raised and discussed as rationally as possible. It is my position that some manner of monitoring, attribution, and governance is inevitable, arguably essential. It is extremely dangerous for a society to put so much of its critical infrastructure connected to a technology and not develop the mechanisms to protect it. Whether we should have moved so rapidly into adopting Internet-based technologies in these areas of society is another discussion but for the purposes here doesn't matter - it is. This leaves the important questions: how much is enough, or too much, and what do we require of our government as far as protection? The answers to these questions cannot be static for a society but need to evolve as the society evolves. I personally find myself in an awkward position, as I would normally support strong personal privacy and civil liberty constraints in physical space but find myself thinking about the ideas of digital privacy and digital civil liberty very differently. The source of this lies in the concept of privacy within publicly controlled and available spaces and the capabilities of the technology to affect the greater commons' public safety. I believe it is precisely the conflict between these two concepts that is changing the direction of governments' interpretations around what should and should not be monitored or governed and shaping the reaction of individual citizens to the governments' changes in policy.


In today's more advanced digital societies, more and more of public communications and information are moving to platforms being run by commercial companies that are not just looking to provide a service to their users and primarily concerned with how beneficial the service is to those users. Within social media platforms the users are not just the consumers but are also the product; product for the advertising and marketing firms that are looking to harvest user activities for information that will allow them to better target advertisements. Internet companies, especially social media companies, are working feverishly to own the consumption chain, from eyeballs to register. This requires having access to enormous repositories of information on the personal details of their consumers to be effective. This isn’t a malicious objective per se; it’s a matter of efficiency as they see it. Objectively, the better companies can discern consumption preferences and boundaries, the better they will be at marketing products to consumers. In consumption-based societies to consider this not a good thing seems a bit psychotic. This of course requires some deeper knowledge of the consumer’s habits, associations, etc. At a high level this is just inevitable efficiency built into an evolving system. But an environment is being created that encourages all of us to share, connect, participate online and through this activity many benefits will be bestowed upon us. Unfortunately, problems that arise from this level of connectivity, not just for individuals but also for organizations, for nations, are significant. These problems are significant enough, they create enough opportunity for malicious activity, that some governance and monitoring seems required. Like police patrolling the streets, shouldn’t laws and governance adapt to patrol the digital streets of cyberspace to keep the commons safe? If the answer is no then why is it tolerable that police patrol our neighborhoods? If the answer is no then those that use the Internet should not have any sense of entitled security when they use the Internet. This said, the opportunities for overreach are also significant. Access to this data with the right set of tools can be extremely powerful for any organization to use, and abuse.

This is by no means a simple conclusion. The issues are complex and after much analysis I have determined are unresolvable. Take one example, but one of the most controversial: the efforts of US Intelligence agencies, whose responsibilities are to monitor information sources for intelligence on foreign threats. Now there are long-standing laws that stipulate their authorities stop with domestic activities, which fall under the responsibility of the FBI and now DHS and other domestic federal agencies. Intelligence disciplines have been developed in signals intelligence, imagery intelligence, emitter intelligence, etc. to monitor foreign electronic emissions for intelligence that helps to defend US interests. The rise of the Internet and more specifically social media globally for communications, even amongst groups the US would consider foreign threats, really complicates intelligence missions. After all, how do you tell the difference between a US person and an Iranian person on Facebook? How can you discern whether or not the Anwar al-Awlaki profile on Twitter belongs to the real person or is a fake? Maybe we should require 100% online accountability; then at least if a crime is committed it will be easier to identify the culprits. This of course has its own challenges as the Internet is not a geographically bounded technology and is used frequently by people around the world to communicate freely about civil rights and other social abuses by oppressive governments and other organizations. Blanket attribution would put many people at risk.

All of this activity is occurring on services mostly operated by US commercial companies. It is well documented that organizations that pose a threat to national security or US interests abroad use social media for distributed communications and collaboration, even recruiting. But there isn’t a middle of the road here. US Intelligence organizations either develop capabilities and initiatives to monitor social media, which requires that they monitor all of it and then separate out data based on their authorities on the back end, or they turn away from it, which means the US will have a growing blind spot in its ability to identify threat activity that falls under their mission requirements. Now US social media companies such as Facebook and Twitter with an international consumer base are not going to police this themselves, nor will they just let the US intelligence apparatus in; it would destroy their international market. The US telcos and ISPs seem to be the next likely point of entry to gain access to these communications as most of them have a much more geographically defined client base. But there seems to be no rational public dialogue about the activities of law enforcement or the US intelligence agencies in these matters. The public response seems only to be stay out, way out. Yet at the same time, when disasters strike the first place people will point to is the government. This seems evident with the recent tragedy in Colorado where James Holmes was able to buy significant amounts of weaponry and personal armor online to stage a lethal assault against US citizens in a movie theater. Comments seemed to come almost immediately questioning why he was able to acquire so much ammo. Why was this activity not flagged?

Now the other issue surrounds what is and what is not private. Prior to social media, prior to consolidated purchasing records, travel databases, value club cards, etc. this was not an issue. There were no centralized places to harvest such detailed personal information. Not that we are being forced to use these conveniences; we use them voluntarily. Now that these databases exist there is a great temptation to plug in to them and develop complex rule sets to look for anomalies that can provide early indications of future threats. But what of this data should or should not be accessible? Should public posts made on public platforms such as Twitter be monitored? How about publicly accessible data from Facebook pages? Isn’t the use of either one of these platforms' public capabilities just like talking in the town square? Do we have a right to privacy to these communications? What about purchasing history collected by credit card companies? Buying 6000 rounds of ammunition before Internet shopping required the individual to at least show up in a store somewhere. Now that same person can sit in his basement and order 100 rounds from 60 different shops. The same person can communicate from a private location with a group of individuals and organize every detail of an offensive operation. As a society are we ok with firmly stating that no one should monitor or protect against growing online capabilities? If we are not, if we think someone should, then who? The ease and accessibility of these services creates new societal vulnerabilities. How to protect the commons given these new vulnerabilities requires a tough conversation, but unfortunately like most things today seems to only be covered when highly opposed politicized organizations want to assert their righteous positions.


How do we have a rational dialogue about an issue that carries with it such negative connotations and visceral reactions? I am a skeptic; I don't think we will. I think this will continue to be a majorly divisive issue made more complicated by society's distrust of and simultaneous reliance on its government for basic necessities.

Monday, February 27, 2012

WIKILEAKS AND THE STRATFOR DEBACLE

I am amazed, although I shouldn't be, at the level to which Wikileaks is stooping to make hay from the theft and release of Stratfor internal emails. So far none of the emails exhibit any wrongdoing but only a well plugged in company with competent analysts doing the job of open source analysis. In the process of open source analysis you get information where it is available. Sometimes that means reading local newspapers and watching local television programs, sometimes that might be taking polls or using poll data, and sometimes it might mean paying people for information. As long as you are paying for information that doesn't break any confidentiality agreements or classification issues (and even then that's on the source, not Stratfor) there are no issues. It seems laughable to me that Wikileaks, of all organizations, has an issue with this. It is not a crime to make money. There is nothing illegal or immoral surrounding a company that has developed a business model around collecting, compiling, and selling insights to information. If Wikileaks wants their information they just have to subscribe like everyone else.

The idea there is something nefarious with Stratfor looking to develop an investment capability based on the information it collects is ludicrous. Any decent investment institution does the exact same thing but they probably don't have as robust information sources. You don't make investments without conducting analysis on the products, companies and environment in which you are going to make the investment. Since Stratfor had what appears to be ZERO insider trading connections but a host of people and connections that had a strong pulse on the political, social, and economic climates globally, I can see absolutely nothing wrong with this endeavor.

I will post more thoughts here on this release and the emails and analysis to follow but so far I am very disappointed and I will be even more disappointed if the discerning public and MSM buy into this sensationalism to the point they will dispense with rational thought and feed the biggest troll on the Internet - Wikileaks.

As for the relationship now solidified between Anonymous and Wikileaks, it was always there, now just public. I think this partnership illustrates an organization taxed by legal battles, lack of funding, and lack of continued relevancy. It's a Hail Mary, the dying breaths of an organization that has lost its way and given in to the ego of a grade-A narcissist.

Saturday, February 25, 2012

ANONYMOUS DECONSTRUCTED

There is much debate on what is and what is not Anonymous. Are they freedom fighters holding a sword to the tyranny of governments and corporations who desire to control and wield the Internet for their own power and profit? Are they terrorists, striking fear into individuals and organizations through the use of violent digital attacks and intimidation tactics? Are they a loose band of leaderless, faceless individuals fighting for a set of common ideals of freedom and equality for everyone? Are they anarchists that seek to use the movement to force the system into a violent conflict that in the end will destroy the system itself? Are they just mobs of youth with axes to grind, way too much free time, and a fundamental lack of understanding and respect for authority or even their fellow man? The answer to all of these questions - yes. I am not writing to add my words to the effort to dissect the group. I have my opinions and likely some or all of them will come out in later pieces. My intent here is to write about the actions of the organization and their effects in the context of current events.

Let me make one thing perfectly clear: I am not particularly enamored with Anonymous activities as a whole. I hold this view not because I am in favor of the current system and those that manage it; I am not. Whether you are discussing the state of IT security today or the current economic and political systems - I believe we are broken and I do not believe it is in the interest of those that maintain the current system to fix it. I also don't believe it's in the interest of the masses to fix it, because that will require real effort and sacrifice, something as a society we seem to have in short supply. So someone or some group has to shake some things up, get people out of their comfort zones and think and act for the betterment of society and our communities rather than for themselves. This requires real cooperative activism and positive reinforcement of a more productive and healthy path for everyone rather than the collective whining and polarity coming from all of the current popular activist groups. In the end I believe the actions of Anonymous will do more harm than good. As a whole their actions leave a pile of reasons why the system needs more control and oversight, not less. What they fail to realize is while they may be legion within their circle they represent a small, albeit very vocal, percentage of society and the fact that they can destroy something doesn't at all demonstrate power, only carelessness. Anyone can destroy, few can create. What they also fail to realize is while freedom is a right, it takes responsibility, accountability, and cooperation to maintain a free society. These are qualities the Anonymous movement distinctly lacks.


But there is no doubt their actions have altered the state of things. They have been successful at bringing attention to causes of their interest through DDoS, defacement, and disclosure of sensitive information obtained through theft. These same actions have been shown to be crippling to some brick and mortar organizations that have no real effective means of response to these types of targeted and very public attacks. This doesn't imply guilt or weakness on the part of these organizations, only that they have equities and responsibilities that are of first consideration. We can be sure their success in garnering attention with these tactics is being watched carefully by others and will be incorporated into other groups' future operational planning. A good piece was written on this by Scot Terban, The Shifting Digital Sands of Online Jihad.


Speaking of Islamic extremists, one controversial label has been discussed in regard to Anonymous - terrorism. Can some of the actions of Anonymous be considered acts of terrorism? I believe the answer is yes. Not the strap a bomb to your chest and blow yourself up in a crowded marketplace type of terrorism but psychological terrorism created by extreme uses of threats and intimidation for the purpose of instilling fear. When a group is using non-kinetic violence sustained against a system or set of organizations to achieve some level of coercion in those organizations I believe that can be considered an act of terror. Unfortunately the word terrorism has been hijacked over the last decade and means something much more specific to most people. The Wikipedia definition is, "The systematic use of terror, especially as a means of coercion". There is also a definition for Paper Terrorism which describes a non-physically violent means of coercion and intimidation. So when I say parts of Anonymous have used terrorism tactics against governments, agencies, and other organizations I am using these definitions to come to that conclusion. There are some good points that are made in a recent post on Infosec Island by Robin Jackson that address some of these issues, also examples here, here, and here.


Can and is Anonymous being used or being considered as a possible conduit by other organizations, including Al Qaeda, Foreign Intelligence Services, or other criminal organizations to hide/mask operations? The simple answer is why the hell would they not. Given the structure of Anonymous it would not be difficult to conduct a cyber exploitation or attack operation under the umbrella of Anonymous, which in turn would complicate a formal investigation or response given the current climate. It wouldn't even be that difficult to get some of the more influential members co-opted for certain operations if the right arguments and incentives were made for the cause. There have been a few references to this made by some Islamic extremist groups such as the Indonesian Islamic extremist group ar Rahmah which openly approved of the Anonymous operations against Israel. Also numerous posts in support of Anonymous on Islamic extremist forums such as the continual posting of Anonymous exploits on the Islamic ansar1.info forum, here.

The most recent controversy surrounding Anonymous is a briefing by Gen. Keith Alexander, currently Director of NSA and Commander of US Cyber Command, given at the White House where he expressed concern that Anonymous may eventually obtain and possibly use the capability to disrupt the power grid. Some of the more influential members of Anonymous came back swiftly in criticism of his comments and defending their actions. I have heard many discussions within the security community that also are of the impression that the idea of Anonymous taking down the power grid is going a bit too far. I disagree. It is a highly collaborative decentralized group that has demonstrated there is little they won't do digitally when compelled by the right offenses to their ideology. We have also witnessed Anonymous members that have gained access to SCADA systems as was written about here. I believe all it will take to bring about this type of an attack is the right set of circumstances, and given things are going to get a lot more combative before they get better, I don't think it is wise from a planning perspective to discount this possibility entirely. What I believe Gen. Alexander was saying was given the state of SCADA security, the history of the group and the likely future conflicts to come, it is possible that someone in the organization will acquire and use the capability to down a SCADA system.


So I will end this first piece with an attempt to say something positive. And that is a reflection on the question is there anything positive that is coming from the actions of Anonymous. There is a great piece written by Josh Corman and Jericho on whether or not it is possible to build a better Anonymous that is worth the read. The short answer to both of these questions is no. But I think there are many within the group that believe they are doing good (that's the positive). There seem to be two main thrusts of activity within the movement. One is to expose poor security practices and charlatan security companies, the other is to expose and oppose government and corporate corruption and oppression of citizens. I think Anonymous as a group has a poor understanding of the complexities of these issues and how we are all complicit in their existence. We all seem to work in a frenzy to adopt new technologies into our lives without much regard to the problems they create. Those of us that work in the IT industry or have grown up with these technologies all around us also fail to recognize there are much larger portions of the population that interface with technology with discomfort and anxiety. One such issue that gets a lot of attention is weak and rampantly re-used passwords. This unfortunately is not an easily solved problem as some might believe. It is easy and humorous to poke fun at the person(s) that uses the password 123456 on all their most frequented websites, but it's not constructive in dealing with the issue that passwords are a failed mechanism for security. Anonymous would like everyone to think they are doing us a favor by exposing the poor security practices within all these companies, yet they don't address at all how complicit they are in adding to the #1 reason why most systems are compromised, which is some crafty person puts together an email that compels the user to click a link or open an attachment. By exposing mass amounts of email addresses and passwords Anonymous is making it easier for phishing attacks to be effective.


To the last issue of the opposition to governments and corporations I am not in complete opposition. There are a lot of nasty regimes and government practices that need to be opposed and I believe we need an increase in scrutiny and pressure on government organizations to do more to make continued oppressive practices difficult. That said, Anonymous and other groups fail in many cases to understand or recognize the complexity of foreign diplomacy and cultural tensions. It is a reality that sometimes the devil you know is better than the devil you don't. We will likely see cases of this as we watch the outcomes of the Arab Spring: removing agreeably ruthless leaders such as Khadafi and Mubarak in the short term is a success, but if not followed through by committed and organized democratic movements they will likely be replaced by the likes of the Muslim Brotherhood or worse groups that will likely instill a rule of law that will set back personal freedoms, especially for women, by decades. It's easy to stand in opposition to something; it's far more difficult to work cooperatively to build a better tomorrow.