<div dir="ltr">Just want to chime in with this bit from politico this morning:<div><br></div><div><a href="http://www.politico.com/tipsheets/morning-cybersecurity">http://www.politico.com/tipsheets/morning-cybersecurity</a></div><div><br><div><p style="margin:0px;font-family:proxima-nova,"helvetica neue",helvetica,arial,sans-serif;font-size:16px;line-height:normal"><b style="box-sizing: border-box;">DEFINING DIGITAL ACTS OF WAR</b><span class="inbox-inbox-Apple-converted-space"> </span><b style="box-sizing: border-box;">—<span class="inbox-inbox-Apple-converted-space"> </span></b>Rep. Will Hurd fears ambiguity on international norms for acts of war in cyberspace could fuel escalation and deeper economic losses for the United States. So his House Oversight Information Technology Subcommittee is<span class="inbox-inbox-Apple-converted-space"> </span><a href="https://oversight.house.gov/hearing/digital-acts-of-war-evolving-the-cybersecurity-conversation/" target="_blank" style="text-decoration:none;color:rgb(10,124,196)"><u style="box-sizing: border-box;">holding</u></a><span class="inbox-inbox-Apple-converted-space"> </span>a hearing today with leading cybersecurity officials at the State Department, Defense Department and the Office of the Director of National Intelligence to figure out what to do about it.</p><p class="inbox-inbox-story-continued" style="margin:0px;font-family:proxima-nova,"helvetica neue",helvetica,arial,sans-serif;font-size:16px;line-height:normal">Story Continued Below</p><div class="inbox-inbox-story-interrupt inbox-inbox-format-s inbox-inbox-pos-alpha inbox-inbox-predetermined inbox-inbox-fixed-story-third-paragraph" style="clear:left;margin-bottom:1em;width:688.328px;float:left;margin-right:59px;font-family:proxima-nova,"helvetica neue",helvetica,arial,sans-serif;font-size:16px;line-height:normal"><div class="inbox-inbox-interrupt-item inbox-inbox-ad" style="box-sizing: border-box; z-index: 2;"></div></div><p style="margin:0px;font-family:proxima-nova,"helvetica neue",helvetica,arial,sans-serif;font-size:16px;line-height:normal"><b style="box-sizing: border-box;">“Historically — during the Cold War, for instance — we knew</b><span class="inbox-inbox-Apple-converted-space"> </span>and the Soviets knew that if you engaged in ‘X’ activity, then you were going to get ‘Y’ response,” Hurd is expected to say in his prepared opening statement. “We do not have similar clarity and understanding — formal or informal — when it comes to cyberspace.”</p><p style="margin:0px;font-family:proxima-nova,"helvetica neue",helvetica,arial,sans-serif;font-size:16px;line-height:normal"><b style="box-sizing: border-box;">But Hurd could get some contrary opinions from the administration<span class="inbox-inbox-Apple-converted-space"> </span></b>about that parallel. Christopher Painter, cybersecurity coordinator at State, will tell the panel: “It is worth emphasizing that a determination whether specific events constitute an actual or imminent armed attack sufficient to trigger a state’s inherent right of self-defense is necessarily a case-by-case, fact-specific inquiry,” according to written testimony. “This is the case whether the events occur in cyberspace or elsewhere. As a general matter, states have not sought to define precisely (or state conclusively) what situations would constitute armed attacks in other domains, and there is no reason cyberspace should be different.”</p><p style="margin:0px;font-family:proxima-nova,"helvetica neue",helvetica,arial,sans-serif;font-size:16px;line-height:normal"><br></p><p style="margin:0px;font-family:proxima-nova,"helvetica neue",helvetica,arial,sans-serif;font-size:16px;line-height:normal"><b style="box-sizing: border-box;">Sean Kanuck, the ODNI’s national intelligence officer for cyber issues,</b><span class="inbox-inbox-Apple-converted-space"> </span>will also offer that “fixation on defining the precise threshold for a digital act of war (beyond the de facto effects-based analysis to be applied in any actual scenario) distracts from the important question of how cyber operations are actually being used today.” The panel is also scheduled to hear additional testimony from Aaron Hughes, deputy assistant secretary for cyber policy at the Defense Department; former NSA chief Keith Alexander; and Peter Singer, a strategist at New America.</p><span style="font-family:proxima-nova,"helvetica neue",helvetica,arial,sans-serif;font-size:16px;line-height:normal"><br style="box-sizing: border-box;"></span>-dave</div></div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, Jul 13, 2016 at 2:21 PM Mara Tam <<a href="mailto:marasawr@gmail.com">marasawr@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">1. ‘Critical infrastructure’ is contextually dependent. It encompasses the physical and non-physical systems and services whose damage, interruption, or destruction would deleteriously impact national or economic security, public health, or public safety. Because these systems and services are defined as critical by the consequences of their absence, one can expect a degree of variation from one society to another. That does not make the concept itself ridiculous.<div><br></div><div>2. The problems Dave identifies as unique to cyber are not. Real (i.e. binding / non-rhetorical) red lines are rare, and they are rare because they require extraordinary consensus and commitment to standards of behaviour which can be (more-or-less) objectively specified. This was difficult in the 19th century, it was difficult in the 20th century, and it is still difficult now. Avoiding, preventing the escalation of, and ending conflict are all hard; we are not a special snowflake this time.</div><div><br></div><div>3. Nuclear deterrence comparisons are thankfully on the decline,[1] but just because cyber is not analogous to nuclear does not mean it is without implications for nuclear. Topic for another day.</div><div><br></div><div>-Mara</div><div>_____</div><div>[1] If you’ve not, ready this excellent piece from the Bulletin of the Atomic Scientists on why cyber needs to get off nuclear's lawn. <a href="http://thebulletin.org/flawed-analogy-between-nuclear-and-cyber-deterrence9179" target="_blank">http://thebulletin.org/flawed-analogy-between-nuclear-and-cyber-deterrence9179</a></div></div><div style="word-wrap:break-word"><div><br></div><div><div><blockquote type="cite"><div>On 12 Jul 2016, at 17:24, Dave Aitel <<a href="mailto:dave.aitel@gmail.com" target="_blank">dave.aitel@gmail.com</a>> wrote:</div><br><div><div dir="ltr"><div><span style="line-height:1.5">I wrote a slightly longer piece on this today here: <a href="http://cybersecpolitics.blogspot.com/2016/07/when-is-cyber-attack-act-of-war.html" target="_blank">http://cybersecpolitics.blogspot.com/2016/07/when-is-cyber-attack-act-of-war.html</a></span><br></div><div><span style="line-height:1.5"><br></span></div><div><span style="line-height:1.5">But to address the CERT question directly, I will pose a few distinct arguments as to how Cyber is a special snowflake and CERTS are clearly legitimate targets.</span></div><div><span style="line-height:1.5"><br></span></div><div><span style="line-height:1.5">First, the things I've read coming out of the UN/Tallinn have made few inroads into defining the difference between CNE and CNA. From an espionage standpoint, CERTS are clear high priority targets because they collect information on your attacks, but also on other nation states who have been caught, which can be fed directly into your national intrusion response. </span></div><div><span style="line-height:1.5"><br></span></div><div><span style="line-height:1.5">Likewise, while it is annoying to have your CERT non-functional, a CNA attack on a CERT is not life-ending or otherwise special in any way - I'm not privy to whatever discussion at the UN/Tallinn drove them to the conclusion that a CERT was something special in the response fabric - one could as well label "Amazon AWS" as off limits. As much as I love the people on our CERTs, we have </span>duplicate<span style="line-height:1.5"> response effort in many different agencies (in particular, DHS/NSA/FBI/CIA/DOD). No sane country is going to take CNE against CERTs off the plate.</span></div><div><span style="line-height:1.5"><br></span></div><div><span style="line-height:1.5">If what you're saying is: There are some places you should not attack, I would point out that the translation into cyber world is "There are some effects on systems you should try not to have". For example: "Trojan anything you want, but don't actually damage the dam system near NY because we will respond to that as it could cause massive loss of life and clean water".</span></div><div><span style="line-height:1.5"><br></span></div><div><span style="line-height:1.5">The thing that makes Cyber special here is that there is no end to the thread when you pull on it - there is no red line you can draw around a hospital or dam system. </span></div><div><span style="line-height:1.5"><br></span></div><div><span style="line-height:1.5">-dave </span></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Jul 12, 2016 at 3:04 PM Alex Grigsby <<a href="mailto:AGrigsby@cfr.org" target="_blank">AGrigsby@cfr.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I agree with most of the points you raise (esp. with respect to the vagueness of "critical infrastructure") but I'll push back a bit on your CERT point.<br>
<br>
You're right that a CERT would likely be a prime target during a conflict, but just because a country would want to pwn a CERT doesn't necessarily mean that it should. Over the last 100+ years, countries have agreed to not deliberately target certain installations in wartime even if it's in their strategic interest to do so. For example, the laws of war prohibit the targeting hospitals or anything with a red cross/red crescent (<a href="https://en.wikipedia.org/wiki/Protective_sign" rel="noreferrer" target="_blank">https://en.wikipedia.org/wiki/Protective_sign</a>) even if it would be militarily advantageous for a country to do so (i.e. less enemies on the battlefield). Same thing goes for restrictions on certain weapons (e.g. chemical weapons in the case of the Geneva protocol or booby traps in the case of the Conventional Weapons convention).<br>
<br>
Countries have agreed to these restrictions largely on the basis of reciprocity--we won't do it to you if you don't do it to us. It doesn't necessarily mean that all states will comply, but they create a strong norm in favor of their adherence.<br>
<br>
Based on the history of the laws of war, it doesn't seem completely ridiculous that countries could eventually come to some sort of understanding that CERTs are off limits.<br>
<br>
Alex<br>
<br>
-----Original Message-----<br>
From: <a href="mailto:dailydave-bounces@lists.immunityinc.com" target="_blank">dailydave-bounces@lists.immunityinc.com</a> [mailto:<a href="mailto:dailydave-bounces@lists.immunityinc.com" target="_blank">dailydave-bounces@lists.immunityinc.com</a>] On Behalf Of <a href="mailto:dailydave-request@lists.immunityinc.com" target="_blank">dailydave-request@lists.immunityinc.com</a><br>
Sent: Tuesday, July 12, 2016 12:00 PM<br>
To: <a href="mailto:dailydave@lists.immunityinc.com" target="_blank">dailydave@lists.immunityinc.com</a><br>
Subject: Dailydave Digest, Vol 56, Issue 1<br>
<br>
Send Dailydave mailing list submissions to<br>
<a href="mailto:dailydave@lists.immunityinc.com" target="_blank">dailydave@lists.immunityinc.com</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:dailydave-request@lists.immunityinc.com" target="_blank">dailydave-request@lists.immunityinc.com</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:dailydave-owner@lists.immunityinc.com" target="_blank">dailydave-owner@lists.immunityinc.com</a><br>
<br>
When replying, please edit your Subject line so it is more specific than "Re: Contents of Dailydave digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. "I hunt Sys-Admins" (dave aitel)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Mon, 11 Jul 2016 15:15:12 -0400<br>
From: dave aitel <<a href="mailto:dave@immunityinc.com" target="_blank">dave@immunityinc.com</a>><br>
To: "<a href="mailto:dailydave@lists.immunityinc.com" target="_blank">dailydave@lists.immunityinc.com</a>"<br>
<<a href="mailto:dailydave@lists.immunityinc.com" target="_blank">dailydave@lists.immunityinc.com</a>><br>
Subject: [Dailydave] "I hunt Sys-Admins"<br>
Message-ID: <<a href="mailto:5fc94935-e035-6b70-5d55-7f16d7f25992@immunityinc.com" target="_blank">5fc94935-e035-6b70-5d55-7f16d7f25992@immunityinc.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Occasionally I like to reflect, as you all do, on the various things that have mis-shaped our understanding of cyber war.<br>
<br>
For example, take this Intercept article based on the Snowden leaks:<br>
<a href="https://theintercept.com/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/" rel="noreferrer" target="_blank">https://theintercept.com/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/</a><br>
<br>
Viewed in hindsight, this article points very closely at something I'm going to support in depth in an article coming out shortly, which is that *the term "Critical Infrastructure" does not apply in cyber the way defense strategists think it does*. I mention this, which may seem obvious to the readership of this list, because if you read policy papers they go on an on about how nations should avoid "attacking" each others "critical infrastructure" as a "norm". They don't, of course, consider defining a lot of terms in any specificity, but they do mention that under no circumstances should CERTs be attacked. Which clearly is ridiculous because in cyberwar the CERT is something you will have penetrated first so you know when you've been caught everywhere else.<br>
Likewise, CERTs are usually very easy to attack. Likewise, top on your list is <a href="mailto:secure@microsoft.com" target="_blank">secure@microsoft.com</a>, and every other security contact. And in order to claim those things as "off limits" we have to declare huge swaths of infrastructure (often unknown ahead of time) as off limits.<br>
<br>
Also visible in retrospect is that people love to focus on the catchy phrases. "I hunt sys-admins". Sure you do! But that means your strategic offensive efforts have already failed at least twice. In order to get to the point where "I hunt sys-admins" team is involved, you have to get through "I hunt developers", "I hunt other hackers", and "I hunt system integrators". And even above them is "I hunt standards developers and cryptographers" (aka, NIST :) ).<br>
<br>
-dave<br>
<br>
<br>
<br>
<br>
<br>
<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="https://lists.immunityinc.com/pipermail/dailydave/attachments/20160711/97fa7226/attachment-0001.html" rel="noreferrer" target="_blank">https://lists.immunityinc.com/pipermail/dailydave/attachments/20160711/97fa7226/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com" target="_blank">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
<br>
<br>
End of Dailydave Digest, Vol 56, Issue 1<br>
****************************************<br>
<br>
_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com" target="_blank">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
</blockquote></div>
_______________________________________________<br>Dailydave mailing list<br><a href="mailto:Dailydave@lists.immunityinc.com" target="_blank">Dailydave@lists.immunityinc.com</a><br><a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br></div></blockquote></div><br></div></div></blockquote></div>