Monday, December 22, 2014

"Cyberspace Intelligence Needs to be Militarized" - Ami Rojkes-Dombe

by Ami Rojkes-Dombe


Cyberspace intelligence specialists claim that the business and financial sector should adopt the military intelligence-oriented approach


Much has been said recently about the necessity and advantages of collecting intelligence in cyberspace, but a round of interviews and meetings with Israeli specialists in this field, including a former senior official of the Prime Minister’s Office, has uncovered a different truth. Apparently, the real situation in Israel is that clients do not want to spend money on the acquisition of intelligence and even those who acquire intelligence do not always utilize it. The solution, so it seems, is to be found in militarizing cyberspace defense in the business and financial sector.

“In the concepts of the commercial world we are talking about two activities: collection from open sources and collection from demilitarized zones (DMZ) or perimeter networks. In the physical world, you erect a fence and install sensors and remote surveillance resources to monitor it. It is the same in cyber warfare. You can derive certain indications from these activities,” says Amit Meltzer, a former senior official of the Prime Minister’s Office.

“Intelligence is intended to serve strategic goals. One goal is to stop an attack through foreknowledge. The other goal – to find out at the earliest possible stage about an evolving offensive incident, so as to have the ability to contain it and minimize the damage. Every intelligence move is made up of three elements: charting the objectives, accessing the objectives and the processing and analysis of the materials obtained. In cyber warfare there are several types of sources. There are hundreds of sources in the realm of technical intelligence. All major security companies concentrate such data, academic institutions research this information, and there are other sites where quality information may be obtained. This can provide you with effective early warning if you do things right.”

Along with the intelligence collection capabilities that are based on technological tools, cyber warfare, just like the physical world, also has HumInt – Human Intelligence. Unlike technological intelligence collection (for example, SigInt – Signals Intelligence), HumInt is highly focused. With SigInt, there are problems associated with access to the information and the volume of the information. Meltzer explains that in cyberspace, SigInt does not allow you to reach all of the intelligence available in order to obtain early warning. “In order to reach the hardcore circles of cyberspace, you need HumInt capabilities like those intelligence agencies possess. You need to actually send out agents. Most commercial cyberspace intelligence services do not have access to the attackers’ inner circles,” he says.

“Another aspect of intelligence collection involves internal threats. Equipment is maintained, people are handled, contractors – almost every organization has two things to which attention should be paid in terms of the severity of the threat: interaction between people and systems and relations with contractors. The challenge is coping with multi-stage advanced persistent threats, which constitute weaknesses,” explains Meltzer. “Today, the attacks focus on an individual or an organization, and should be addressed through HumInt.”

One of the companies established in Israel around cyberspace HumInt is Terrogence. The Company was established during the operations in Iraq and Afghanistan. Various countries, including Israel, needed focused intelligence regarding the terrorist organizations’ use of explosives. When those organizations turned to the Internet as a platform for conveying messages, an element capable of providing a solution to the new phenomenon became necessary.

“We use fake identities (Avatars), build a cover story for our character and insert it into the appropriate forums,” explain the people at Terrogence. “That is how we gain the trust and reputation that enable us to enter the circles of the knowledge specialists. Some of those places are immune to automatic scanning mechanisms or to the use of automatic bots. The methodology is based on an understanding of the language and familiarity with the content world of the terrorist organizations.”

Never be the Second Match

In the case of a new and unfamiliar attack, Meltzer explains that the first organization being attacked will always be damaged. The investment in cyberspace intelligence and protection is intended to help users avoid being the “second match”. “If you are the first, all of your defenses will be useless,” explains Meltzer. “After that, an alert and signature are issued, so if you have good intelligence you will not be the second victim. From the second match on, it is a matter of intelligence and performance.

“Zero Day attacks work on the time gap until the defenses are finalized. One dimension is the time it takes to develop a defense and another dimension is the time it takes to update the systems. This time gap ranges from a few hours to a few months. The attackers employ fast programmers, and within that time interval, they can attack several hundred or several thousand companies. The objective of cyberspace intelligence is to become aware of a published weakness at the earliest possible stage, but in many organizations, update management is not carried out properly.”

Meltzer, who is thoroughly familiar with this issue, says that the majority of the business sector is at risk of being attacked by state-sponsored and criminal elements. At the same time, he says that the cyber threat issue has been taken out of proportion. “Cyberspace has entered the world through the encouragement of the various media channels, which amplify the severity of the threat. The number of stories and articles about cyber threats is higher than the number of stories regarding any other threat. This has gone so far as to evolve into a threat which is addressed at budget discussions, in Israel and abroad. That’s a little out of proportion. The discussion has evolved into a budget-oriented rather than a professional discussion. The ‘noise’ around the danger of cyber is greater than anything that has actually happened thus far and the potential damage of cyber warfare attacks.”

Meltzer says that even at the state level, de facto deterrence exists between states that possess advanced capabilities. “It is not difficult to generate a scenario of a cyber warfare attack in which several thousand civilians will be killed. You can derail trains carrying hazardous materials, contaminate water sources and create power outages. A state can also decide to burn all of the routers in the communication network of an enemy state, leaving it with just a satellite and limited bandwidth. But then you will enter a mutual deterrence equation of total destruction. Fortunately, the states that possess such cyber warfare capabilities understand this. It is similar to deterrence in the realm of chemical warfare. Everyone has it – but no one uses it.”

One of the questions that arise in the context of cyberspace intelligence is the extent to which the state should be responsible for this activity. In Israel, the intelligence agencies do not share information with the business sector. The National Cyber Bureau is not an intelligence gathering agency, and that is not one of its duties. The solution may be found in the national CERT, a trial configuration of which commenced operations last August, or in the national cyber network that will be developed in the future. In any case, this calls for an intelligence gathering infrastructure, and if such an infrastructure were to be established, it would take a long time to become operational.

“Why wouldn’t the state provide intelligence to the business sector? Israel currently does not have an organization capable of providing cyber defense to the business sector,” claims Meltzer. “The Israel Police is far behind the western world as far as cyberspace intelligence capabilities are concerned. The ISA’s National Information Security Authority does not provide intelligence to the business sector either. There is an initiative that calls for the establishment of a monitoring and intelligence center for the financial sector, but it is not yet operational. In the USA there is an element known as FS-ISAC (Financial Services – Information Sharing and Analysis Center). In the UK, the BBA (British Bankers’ Association) has recently established a cyberspace early warning system for the financial sector.

“This applies to all business categories – not just to banks. Public companies cannot rely on a government agency for protection. The National Information Security Authority is only a supervisory body, so those companies rely on their own resources. The state does not provide cyberspace intelligence to the business sector. Over time, the law may be revised, and in twenty years’ time cyber warfare damage may entitle the damaged parties to compensations just like in the case of regular hostilities. The state is not eager to expand its own authority regarding this issue.”

The intelligence gathering difficulties notwithstanding, Meltzer puts his finger, of all things, on the failure to assimilate the intelligence obtained in the organizational systems. “In systems designed for operations, like those of the security services, the process of assimilating intelligence runs like clockwork. In the business sector, the information security and IT people are not familiar with it. In order to succeed, they need to switch to an intelligence-oriented operational model. The operations center should be similar to a routine security center. In routine security operations, you do not deploy all of your forces at the border. You deploy a dynamic force and build obstacles to obtain intelligence. You need to be able to concentrate forces quickly in order to contain the incident. In cyber warfare, you do not have the resources to protect each server – it is too costly.

“In the world of cyberspace intelligence, everything is still unripe. To organizations that do not possess the ability to collect external and internal intelligence and implement it in their systems, I suggest not to buy intelligence. If you do not know how to receive intelligence, process it, understand it, implement it in your systems and create an operational process that would protect you more effectively, you will have nothing to do with that intelligence. Either you can do it yourself and you are prepared for it, or you should buy it through outsourcing. To a company that approaches you and wants to sell you a product, you should say that you do not want a solution that performs statistical analyses. Ask for a protective service that includes a monitoring center and a structured process of converting the intelligence into operative actions.”


Source: http://israeldefense.com/?CategoryID=483&ArticleID=3272

Copyright - Original materials copyright (c) by the authors.