4. “Cyberspace is [a] continuously contested territory in which we can control memory & operating capabilities some of the time but cannot be assured of complete control all of the time or even of any control at any particular time”
-- Richard Danzig, adviser to President Obama
A Contested Territory
5. “Possession, ownership & control [of data & assets in cyberspace] do not overlap”
-- Thomas Dullien, Google Security
6. “[Cyber] offence & defence is the wrong dichotomy: it should be control & non-control”
-- Dave Aitel, former NSA cyber operative
7. “Think about it for a moment - we share the same network with our adversaries”
-- George Tenet, former CIA director (exactly 20 years ago)
8. This anxiety around the paradox of control, or the lack of it, in cyberspace has not waned even a bit
9. “NSA’s aim: mass compromise & expansion of compromise boundaries”
-- Morgan Marquis-Boire, former writer with The Intercept
(Possibly inspired by Dullien’s work)
Try replacing “boundaries” with “territories”…
10. “If we were to score cyber the way we score soccer, the tally would be 462-456 twenty minutes into the game, i.e., all offence”
-- Chris Inglis, former deputy director with the NSA
Structural Dominance of Offence via Politics
12. Cyber offensive A-teams rely more on political subterfuge than on technical means
• NSA’s TAO, SCS, etc., are hybrid & interdisciplinary teams
• “Insert vulnerabilities into commercial encryption systems, IT systems, networks, & endpoint communications devices used by targets” -- 2012 budget document of the NSA
• Traditional cryptanalysis & hacking gave way to clandestine intelligence activities or black-bag jobs of TAO via the CIA, DIA, FBI, State Dept., NSF & NIST
• “[S]ecret efforts by the U.S. intelligence community to interdict the shipment of advanced encryption technology to America's enemies around the world & insert ‘back doors’ into commercially available computer, communications, and encryption technologies” -- Matthew Aid, Foreign Policy
13. Cyber offensive A-teams rely more on political subterfuge than on technical means
“[T]he NSA reviewed National Science Foundation grant…the agency appeared to use this process to exercise control over nongovernmental cryptography research”
“[T]he NSA reviewed & approved an NSF grant application from Ron Rivest…An internal NSA history suggests that the agency would have tried to derail Rivest's grant application if the reviewers had understood what Rivest would do with the money”
-- Henry Corrigan-Gibbs, Stanford Magazine
14. Cyber offensive A-teams rely more on political subterfuge than on technical means
“The [EuroCrypt’92] conference again offered an interesting view into the thought processes of the world’s leading ‘cryptologists.’ It is indeed remarkable how far the Agency has strayed from the True Path”
-- An anonymous NSA cryptologist writing for CryptoLog, an agency newsletter declassified in 2014
15. But why political?
“Investment in a high end "Man on the Side" technology stack can run you into the billions. You'd better hope the meta doesn't change until your investment pays off. And what are the strategic differences between TAO-style organizations and the Russian/Chinese way? It's possible to LOSE if you don't understand & adapt to the current up-to-date Meta of the domain you are in, no matter what your other advantages are”
-- Dave Aitel
To rewrite the physics of the domain at will
16. Cyber Meta has a political architecture
• TURMOIL/QUANTUM: “Relies on its secret partnerships with US telecoms companies”
• BULLRUN: “There will be NO 'need to know’”
17. Cyber offensive A-teams rely more on political subterfuge than on technical means
Dave Aitel
• The SuperMicro story, even if partially true, follows the same political template of A-team operations
• Were the Chinese using political leverage to tackle attribution?
18. Political bureaucracy as the technical signature of a cyber operation
Lineage & Mathematics
• Nazi rocket scientists:
  Wernher von Braun et al. > US space programme
  Helmut Gröttrup et al. > Soviet space programme
• CV Raman > Homi Bhabha > Vikram Sarabhai > Indian space programme
19. Political bureaucracy as the technical signature of a cyber operation
• “Your adversary has a boss and a budget” -- The Grugq
• It defines operational tooling, tactics & tempo of the offensive team
• Is code reuse a technical thing or an expression of political semantics?
• Exploitation is a technology tree & targeting is limited by policy restrictions -- Aitel
• Did Metasploit originate in the public from the exploitation Meta of pre-2004 TAO toolchains?
20. Political bureaucracy as the technical signature of a cyber operation
Code Reuse: Opcodes & Ontology
• 2006: Thomas Dullien ran a “phylogenetic clustering algorithm” on a genus of malware, finding that “although we have ~200 samples, we only have two large families, three small families, two pairs of siblings, & a few isolated samples”
• 2011: Google acquires Zynamics
• 2012: Google acquires VirusTotal
• 2017:
21. Political bureaucracy as the technical signature of a cyber operation
Code Reuse: Opcodes & Ontology
• 2018:
22. Political bureaucracy as the technical signature of a cyber operation
Code Reuse: Opcodes & Ontology
• Exploitation is a technology tree
• Operation Aurora -> Barium/Winnti/APT17/Axiom
• Winnti >>> Hashing subroutine <<< ShadowPad/NetSarang
• Winnti >>> base64 <<< CCleaner Stage 1
• Winnti >>> String obfuscation <<< CCleaner Stage 2
(Sources: Costin Raiu, Kaspersky & Intezer)
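Both Dullien's family clustering and the Winnti lineage links above rest on the same defender-side analysis: comparing samples by the subroutines they share. The following is an added example, not code from the talk or from any vendor cited; the sample names and subroutine fingerprints are constructed, and in a real pipeline they would be hashes of operand-masked disassembly rather than hand-written labels.

```python
from collections import defaultdict

# CONSTRUCTED sample set: each sample maps to the fingerprints of the
# subroutines it contains. A real pipeline would derive these from hashed,
# operand-masked disassembly; the labels here are hand-written stand-ins.
SAMPLES = {
    "winnti_a": {"str_hash_v1", "b64_custom", "strobf_xor", "c2_loop"},
    "winnti_b": {"str_hash_v1", "b64_custom", "strobf_xor", "c2_loop", "keylog"},
    "shadowpad": {"str_hash_v1", "plugin_ldr", "dns_tunnel"},
    "ccleaner_s1": {"b64_custom", "dropper_init", "pe_inject"},
    "ccleaner_s2": {"strobf_xor", "pe_inject", "c2_loop2"},
    "unrelated": {"rc4_stock", "http_beacon"},
}

def jaccard(a, b):
    """Share of subroutines two samples have in common: |A & B| / |A | B|."""
    return len(a & b) / len(a | b) if a | b else 0.0

def cluster_families(samples, threshold=0.5):
    """Group samples into families: any pair at or above the similarity
    threshold is linked, and linked samples form one family (union-find)."""
    names = list(samples)
    parent = {n: n for n in names}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if jaccard(samples[a], samples[b]) >= threshold:
                parent[find(a)] = find(b)
    groups = defaultdict(set)
    for n in names:
        groups[find(n)].add(n)
    # Largest families first, then alphabetical, so output is deterministic.
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

def trace_subroutine(samples, fingerprint):
    """List every sample carrying one subroutine, however dissimilar the rest
    of the code is: the lineage signal behind a shared hashing routine."""
    return sorted(n for n, subs in samples.items() if fingerprint in subs)

if __name__ == "__main__":
    for fam in cluster_families(SAMPLES):
        print("family:", fam)
    print("str_hash_v1 seen in:", trace_subroutine(SAMPLES, "str_hash_v1"))
```

At the default threshold only the two Winnti builds form a family and the rest are isolates, while lowering it to 0.15 merges ShadowPad and both CCleaner stages into the Winnti tree through single shared subroutines; which picture an analyst publishes is a threshold choice, which is the sense in which the slide asks whether code reuse is technical or political.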
23. Politics influences industry choices & dynamics
• The ciphers you use
• The processors, routers & antivirus you run
• The defensive “innovations” in the security industry
• The unjustifiable persistence of centralized architectures like DNS, SSL & BGP, etc.
• Bug classes like Spectre & Meltdown
• What hackers say, or do not say
24. The political choice for markets like India is whether to choose Kaspersky or FireEye
• Cybersecurity vendors become foot soldiers
• Malware used by the U.S. in offensive cyber-operations plays “nice”…“We see guardrails on malware from nations like the U.S.” -- Kevin Mandia, CEO, FireEye
• CyberScoop recently reported that FireEye had drawn a red line around exposing certain activities by so-called “friendlies”
25. Politics severely degrades the defensive architecture
Imagine this for commercial-grade enterprise security?
26. Cybersecurity as A Function of Power
“[C]ybersecurity is all about power & only power”
-- Dan Geer, CISO, In-Q-Tel
27. Cybersecurity as A Function of Power
“Cyberweapons are power projection tools”
-- Gen. Michael Hayden, former director of the CIA & NSA
28. Cybersecurity as A Function of Power
The Declaratory Model: 1995-2014
Aitel labelled Stuxnet as the “announcement of a team” more than anything else, which could take out any factory, any time
The current structures of offence are biased towards declaratory dominance
29. Cybersecurity as A Function of Power
The Escalatory Puzzle
“Look, we’re moving into a new era here where a number of countries have significant capacities…But our goal is not to suddenly, in the cyber arena, duplicate a cycle of escalation that we saw when it comes to other arms races in the past, but rather to start instituting some norms so everybody’s acting responsibly”
-- Barack Obama, 2016