Platt Perspective on Business and Technology

From stuxnet to heartbleed – the operational side of national cybersecurity and its issues 2

Posted in business and convergent technologies, in the News by Timothy Platt on August 27, 2014

This is my 17th installment in an occasional series on international cyber-security and the changing nature of threats faced and responses offered to them (see Ubiquitous Computing and Communications, postings 58 and loosely following for Parts 1-15 and Ubiquitous Computing and Communications – everywhere all the time 2, posting 296 for Part 16.) And this posting is also a direct continuation of Part 16, where I began to focus on the operational side to cyber-security in the United States’ War on Terror (see my series: Learnable Lessons from Manning, Snowden and Inevitable Others, as can be found at Ubiquitous Computing and Communications – everywhere all the time 2, postings 227 and following for its Parts 1-27.)

I restarted this series after a lengthy pause with Part 16, as a shift in focus and orientation from what I had been presenting in my Learnable Lessons series, which takes a more strategic approach to this complex of topics and issues. And in the course of writing that posting, I offered a partial list of some of the issues that I plan on addressing here, in this series and beginning with this posting, which I reorganize a bit here as:

• I am going to discuss the issues of sources and methods, and why it is so important to safeguard them.
• And then I will discuss the use of zero-day attack vulnerabilities as closely held national intelligence secrets.
• And in that, I will discuss both stuxnet, with the four until-then publicly unknown zero-day vulnerabilities it exploited, and heartbleed, as a newly publicized zero-day vulnerability.
• And in this collective context, I will explicitly discuss the impact that the public disclosure of the surveillance programs outed by Edward Snowden has had on telecommunications companies and on online businesses in general.

I begin here with the first of those four bullet points, but with what might be considered a somewhat ironic digression: a brief acknowledgment and discussion of two articles that came out together, in the Monday, July 7, 2014 issue of the New York Times:

• The first of them that I would mention was an obituary for David Truong, a Vietnamese antiwar protester. He was arrested and charged with committing espionage in the United States, and was convicted of that on the basis of wiretaps carried out without court order or warrant. My intent here is not to delve into the details of what he did or how or why he did it, simply to note that much of the key evidence used against him by the prosecution at his trial was obtained without court order, and in direct violation of the law as then written and of the case law that determines how statute is interpreted in practice. Alarms raised by the US government’s use of warrantless surveillance in this and similar cases led directly to the drafting and passage of the US Foreign Intelligence Surveillance Act of 1978 (FISA). This very explicitly made wiretaps, and by extension other similarly directed surveillance, illegal without an explicit warrant from a court of law, and rendered any evidence so obtained tainted and inadmissible in court. This appeared in the July 7, 2014 issue of the Times on page B-6.
• The second of these two articles is titled: Officials Defend N.S.A. After New Privacy Details. The thrust of this article is that the Obama Administration and its national security leadership are actively defending open-ended telephonic and online surveillance of members of the general public, without probable cause with regard to the people individually tracked and monitored, as an acceptable and necessary cost of national security. The court that oversees these open-ended surveillance programs, the Foreign Intelligence Surveillance Court, operates essentially entirely in secret and without the standard appellate oversight that would apply to an ordinary federal court. So the Obama administration and its spokespersons can cite a foundation of letter-of-the-law compliance with FISA by taking recourse to a special court that was set up, in implementing FISA in the first place, to address its surveillance restrictions. But this is still indiscriminate, open-ended surveillance without probable cause with regard to essentially anyone who is caught up in these surveillance sweeps.

My point here is that what can be done, and even what in fact is being done can be a matter of interpretation, and I add of intense debate. And this brings me specifically and directly to the issues of methods and sources and to what has to be considered the fundamental rule for national intelligence gathering and use:

• Always protect your sources and methods. Always protect who you gain sensitive information from; do not burn your sources. And always strive to keep secret how you communicate with your sources where human intelligence (HUMINT) is involved, and what tools, methods and approaches you use throughout the intelligence gathering process, regardless of the type of source. If you lose control here, the governments and organizations that you seek to and need to gather information about will change their systems and processes to ensure that those methods no longer work and that those sources are no longer available.

And this brings me to one of the central paradoxes of intelligence gathering:

• The more sensitive and the more secretly held the information that you gather (and consequently, the more timely and valuable it potentially could be for you), the less likely it is that you can use it, and any use that you do make will require elaborate misdirection so as to safeguard your sources and methods.

As an only slightly made-up example, if an intelligence agency develops a model of troop strength and deployment by assembling data on the sales levels of toothpaste and other grooming items that soldiers purchase at base stores, that can offer real strategic and operational insight. But this is a type of information that could be assembled through any of a very wide range of sources and routes, and in many different ways. So if you assemble an intelligence estimate based on this type of data and word of that fact gets out, no particular potential source is likely to be singled out by that foreign government for punitive action, and they are unlikely to find a ready fix that closes the gap and stops you from doing this again.

If, on the other hand, you have an informant with direct access to their senior leadership’s internal deliberations (e.g., as an entirely made-up example, if a senior staff person for a member of that government’s senior leadership were to pass meeting minutes on to your government), that information could only be used with the utmost care, if at all, even when it is immediately and critically important. Otherwise that critically placed informant will no longer be available and this inside-view channel will be lost.

That is the line of reasoning that the Obama administration and the US Justice Department use in pursuing a leaker like Edward Snowden. They claim that their response has been as severe and as relentless as it has been because he divulged and compromised sources and methods. And at 1,100+ words into this posting, this observation brings me to the core points that I would offer here.

• This line of argument applies very strongly, and with real, robust validity, when this striving for and protection of secrecy means maintaining necessary sources of national intelligence information and insight, with a goal of securing ongoing critical information availability while protecting sources at genuine risk.
• But it becomes more problematic when sources and methods protection is carried out more to forestall and prevent government embarrassment. In the case of open-ended surveillance programs such as PRISM and XKeyscore, and a growing host of others, by far most of those sources are completely innocent and uninvolved members of the general public. If any true terrorists get caught up in surveillance programs of this type, they are added into the vast data pools so accumulated as proverbial needles in a vast haystack, and most probably as unidentified individuals whose records are simply mixed in with the terabytes of data flowing through already bloated systems.
• And this brings me back to those two news stories that were reported in the Times on July 7, and particularly to the method of those warrantless wiretaps. If a method is organized and used in such a way that it is either already expressly illegal, or so marginally acceptable and so questionable that if word of it were to get out there would be a groundswell of public pressure to have it rendered illegal, by passage of new legislation, by new case law determination of the meaning of already existing law, or both, then what is actually being protected here?

I am going to conclude this posting with that question. I will turn to consider the second bullet point at the top of this posting in the next series installment, where I will directly address the point raised in the title of Part 16 of this series, and repeated in the title of this installment too: stuxnet and heartbleed and

• The use of zero-day attack vulnerabilities as closely held national intelligence secrets.

Meanwhile, you can find this posting and related at Ubiquitous Computing and Communications – everywhere all the time and at its Page 2 continuation.
