Category Archives: Publications

One of Cyber’s Greats – Dr. John Arquilla

Here is a write-up for one of cyber security’s most important contributors, Dr. John Arquilla.

Dr. John Arquilla is professor of defense analysis at the U.S. Naval Postgraduate School, author of Insurgents, Raiders, and Bandits: How Masters of Irregular Warfare Have Shaped Our World, and co-editor of Afghan Endgames: Strategy and Policy Choices for America’s Longest War. 

Dr. Arquilla’s work focuses primarily on the implications of the information revolution for military organization and doctrine. At the organizational level, his research identifies the network as the form most empowered by advances in information technology and explores the potential for redesigning hierarchies along more networked lines.

The policy relevance of this work can be seen in the growing emphasis on “network-centric” operations over the past decade, and in the emergence of two NETWARCOM entities, one within the Navy, the other a part of STRATCOM. At the doctrinal level, Arquilla’s research has identified the possibility of moving from more traditional forms of frontal and/or flanking attacks to omnidirectional assaults — i.e., “swarming.” A network comprised of many small cells and nodes is seen as being ideally suited to this doctrine — thus the connection between doctrinal innovation along these lines and organizational redesign.

Far from being limited to theory, swarming has been appearing in practice as a dominant doctrine in many conflicts over the past fifteen years — e.g., from the insurgent uses of swarms in the Russo-Chechen War of 1994-1996 to Iraq (especially in the 2004-2006 period), and in commando-style terrorist assaults like the one in Mumbai in the fall of 2008 and the more recent swarming attacks mounted in Kabul by Taliban teams.

Needless to say, both networks and swarming tactics have emerged in the virtual world as well, being on particular display in Estonia in 2007 and Georgia in 2008 — both cases apparently showcasing growing Russian expertise in cyberspace-based operations. In sum, Arquilla’s research invites and encourages careful reflection on the potential of “swarm networks” to become ever more salient in military and security affairs.

Selected list of Dr. Arquilla’s published articles:

You can follow Dr. Arquilla’s Foreign Policy “Voice” on FP online.

Chronology of Major Works:

- by Ben Volcsko, Research Assistant

Highlands Group Recommended Reading List

Just in time for your holiday shopping, we are pleased to announce the Highlands Group 2013 Reading List.

Each year the Highlands Group presents a list of books that we would like to call to your attention as being noteworthy. We hope that you will find a book on this list to enjoy and spend time with over the holidays or when you are on travel. This year we have a robust stocking full of twenty-one books, including two works of fiction, covering a wide range of topics.

Our panel of distinguished guest reviewers for 2013 includes Lawrence Wright, Pulitzer Prize-winning author for his book, The Looming Tower; Peter Ho, the former Singaporean Secretary of Defence and Secretary of Foreign Affairs; Melanie Greenberg, CEO of the Alliance for Peacebuilding; George Dyson, author and historian of technology; Richard Bookstaber, economist and author; Bob Belden, Grammy-winning jazz composer, arranger and musician; and Ann Pendleton-Jullian, author, architect, and designer.

Understanding How the Feds Handle Incident Response

Ever wondered how DHS, CYBERCOM and other federal cyber security agencies handle specific incident response? Well, you are in luck. Jason Healey, author of Above My Pay Grade – Incident Response at the National Level, explains the challenges and successes in tackling cyber incidents from the federal government’s perspective. Healey, director of the Cyber Statecraft Initiative of the Atlantic Council and creator of the first Computer Emergency Response Team that coordinated the response to incidents affecting the finance sector, provides an outstanding written account of the obstacles for today’s incident response handlers.

- by Ben Volcsko, Research Assistant

Cyber Threats to the Global Oil Supply Chain

The Federation of American Scientists has published a paper detailing threats to the global oil supply chain. Rounding out a list of major regional and geopolitical threats to the global oil infrastructure, the risks of SCADA and other attacks on pipelines, tanker ships, and refineries do seem substantial. The author is a little off base in suggesting that STUXNET-type weapons could be used to attack oil systems: the sophistication of oil systems is much less than that seen in the Iranian nuclear enrichment program, and as such a STUXNET-level weapon would probably be overkill. Even so, despite the significant exposure of these often unprotected systems to the internet and other avenues of attack, major SCADA attacks have not yet become prevalent. The author is also somewhat mistaken in assessing that groups such as the Syrian Electronic Army could have the capabilities to conduct major SCADA infrastructure attacks. SEA capabilities are simply not on that level; they have concentrated primarily on hacking email accounts by abusing password resets and other social engineering methods, rather than developing the technical expertise that would be necessary to deploy custom attack tools against SCADA. These technical quibbles aside, the author is entirely correct in his assessment that the complexity of the logistics operations involved in global oil systems provides a major avenue of attack, and I must agree that these sorts of attacks are waiting over the horizon.

Dan Gifford – MCySec Media Manager


The Sunshop Digital Quartermaster – a State Cyber-Espionage Armory?

Cyber-security research firm FireEye has published a new report alleging that there may be a single actor providing important code development resources to as many as 11 separate APT campaigns. All of the tools have been written using a Chinese-language character set, pointing to the likely national origin of this tool provider. FireEye alleges that this “Quartermaster” may be something of a digital arms dealer, enabling various APT teams to construct attack tools using point-and-click interfaces rather than advanced coding skills.

FireEye first discovered the digital breadcrumbs leading to their conclusion while examining the Sunshop watering-hole attack, which took over legitimate websites and used them to redirect browsers to malware sites. The 11 APT groups that they connected through their investigation were found to share resources in various combinations, among them: portable executable resources, pilfered digital certificates, API import tables, compile times, and C2 (command and control) infrastructure. FireEye’s highest-confidence assessment is that a “Sunshop Digital Quartermaster” (SDQ) exists which supports a variety of separate APT campaigns as part of a “formal offensive apparatus”. While some of the APT campaigns are also using malware obtained from the digital black market, most of them are heavily reliant on tools which are not available on the criminal internet underground and almost certainly originated with a single source, this “SDQ”. FireEye does acknowledge that it is still possible that the APT groups simply share these programs informally, but there is substantial evidence of a single originating source of the tools within the code examples they have analyzed in the report.
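The overlap analysis described above can be illustrated with a small clustering routine. This is an added example, not FireEye’s method or data: the sample records and artifact values are constructed, and samples that share any of the listed artifact types (signing certificate, C2 host, PE resource, compile timestamp) are linked transitively into one cluster, with the artifact that joined each pair recorded so an analyst can review the basis for the link.

```python
from collections import defaultdict

# Constructed sample metadata (illustrative, not from the FireEye report): each
# record carries the artifact types the post lists as shared between campaigns.
SAMPLES = {
    "s1": {"cert": "cert-A", "c2": "c2-one",   "res": "res-1", "compiled": "2013-03-01T08:00"},
    "s2": {"cert": "cert-A", "c2": "c2-two",   "res": "res-2", "compiled": "2013-03-09T11:30"},
    "s3": {"cert": "cert-B", "c2": "c2-two",   "res": "res-3", "compiled": "2013-04-02T09:15"},
    "s4": {"cert": "cert-C", "c2": "c2-three", "res": "res-4", "compiled": "2013-05-20T14:00"},
    "s5": {"cert": "cert-D", "c2": "c2-four",  "res": "res-4", "compiled": "2013-05-20T14:00"},
    "s6": {"cert": "cert-E", "c2": "c2-five",  "res": "res-6", "compiled": "2013-06-11T16:45"},
}
FIELDS = ("cert", "c2", "res", "compiled")


def link_samples(samples, fields=FIELDS):
    """Group samples that share any artifact value (transitively) via union-find.

    Returns (clusters, links): clusters as a sorted list of sorted sample-name
    lists, links as (sample, sample, field) triples explaining each join."""
    parent = {s: s for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving keeps lookups short
            x = parent[x]
        return x

    by_value = defaultdict(list)            # (field, value) -> samples carrying it
    for name, meta in samples.items():
        for f in fields:
            by_value[(f, meta[f])].append(name)

    links = []
    for (f, _), members in by_value.items():
        for other in members[1:]:           # every later holder joins the first
            parent[find(other)] = find(members[0])
            links.append((members[0], other, f))

    groups = defaultdict(list)
    for name in samples:
        groups[find(name)].append(name)
    clusters = sorted(sorted(g) for g in groups.values())
    return clusters, links


if __name__ == "__main__":
    clusters, links = link_samples(SAMPLES)
    for c in clusters:
        print("cluster:", ", ".join(c))
    for a, b, f in links:
        print(f"{a} <-> {b} via shared {f}")
```

With the constructed data, s1 and s3 end up in one cluster although they share nothing directly, because s2 bridges them through a certificate and a C2 host; a single shared compile timestamp alone is a weak link, which is why the explaining triples matter.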

Dan Gifford – MCySec Media Manager

Troubles with TOR

The Onion Router has long been thought to be one of the best methods for maintaining anonymity of internet traffic, and has even been assailed by the NSA as a hard problem, leading them to use workarounds to circumvent the network and attack specific users. However, new research presented by a team from the US Naval Research Lab and Georgetown University has found that, with specific methods they designed:

“Tor faces even greater risks from traffic correlation than previous studies suggested. An adversary that provides no more bandwidth than some volunteers do today can deanonymize any given user within three months of regular Tor use with over 50% probability and within six months with over 80% probability.”

Traffic correlation and nodes controlled by malicious actors have both been considered a major risk to TOR for a significant amount of time. This new research quantifies the problem and the danger to users of the service, and with any luck may lead to changes in the system to mitigate those risks.

Admiral Stavridis Advocates for a Leadership Separation of the NSA and Cyber Command

Admiral (USN ret.) Stavridis has written an article in Foreign Affairs assailing the current leadership structure for US Cyber Command. Under the current regime, General Keith Alexander is the head of both the NSA and the DoD’s Cyber Command. Stavridis argues that in the coming months, after General Alexander’s planned retirement, it would be good for both organizations if there were separate leadership. Given the substantial operational overlap between the two groups, and their shared location at Ft. Meade, the decision was made to have both of them headed by the same individual. However, given the rising importance of cyber issues in government national security policy-making, it may well be a good idea to head off bureaucratic problems by bringing in separate leadership.


Dan Gifford – MCySec Media Manager

Taiwan’s Citizen Smart Card Plan Compromised by Bad RNGs

In a recent paper compiling a few years of ongoing research, an international team has described the methods they used to find the cryptographic keys of 184 out of 2 million smart card certificates issued to the Taiwanese public by their government. More than a hundred of the keys shared prime numbers used in their generation with at least one other key. While this may seem like a trivial number of failures for a program of this size, the algorithm used to generate the keys, 1024-bit RSA, can randomly choose between more than 2^502 different prime numbers when building a key. Even in a sample size as large as 2 million, any prime sharing indicates deep-seated failure in the employment of the cryptographic system. The researchers used regular desktop computers to find the keys, in operations that should have taken millions of years of processing time had the cryptosystems been implemented correctly.
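The reason shared primes are fatal is that two RSA moduli with a common factor reveal that factor through a plain GCD, after which the private exponent follows from Euler’s totient. The following added example (not the researchers’ code; it uses constructed 10-bit primes in place of real 512-bit ones, with a faulty generator reusing the prime 1009 for two cards) runs a pairwise GCD audit over a small batch of moduli and recovers a working private key for each affected card.

```python
from math import gcd
from itertools import combinations

E = 65537  # common public exponent

# Constructed key batch: small primes stand in for the 512-bit primes of
# 1024-bit RSA. card-B and card-C were "generated" by a bad RNG that reused
# p = 1009; card-A and card-D are healthy.
KEYS = {
    "card-A": 1013 * 1019,
    "card-B": 1009 * 1021,
    "card-C": 1009 * 1031,
    "card-D": 1033 * 1039,
}


def find_shared_primes(keys):
    """Pairwise GCD over every modulus pair. A GCD other than 1 is a prime
    factor common to both keys; returns {card_name: shared_prime}."""
    hits = {}
    for (a, n_a), (b, n_b) in combinations(keys.items(), 2):
        g = gcd(n_a, n_b)
        if g != 1:
            hits.setdefault(a, g)
            hits.setdefault(b, g)
    return hits


def recover_private_exponent(n, p, e=E):
    """Given one factor p of n, derive q, phi(n) and d = e^-1 mod phi(n)."""
    q = n // p
    assert p * q == n, "p does not divide n"
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def key_roundtrips(n, e, d, m):
    """Check the recovered exponent really inverts the public operation."""
    return pow(pow(m, e, n), d, n) == m


if __name__ == "__main__":
    for card, p in sorted(find_shared_primes(KEYS).items()):
        n = KEYS[card]
        d = recover_private_exponent(n, p)
        print(f"{card}: shared prime {p}, recovered d={d}, "
              f"roundtrip ok={key_roundtrips(n, E, d, 12345)}")
```

At 1024-bit key sizes the same audit is done with a batch-GCD product tree rather than all-pairs GCD, but the signal is identical: any non-trivial GCD means the card’s key is lost.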

The cards were issued by the Taiwanese government to enable citizens to authenticate themselves to the government when using online services, such as paying taxes. The vulnerable cards were all using RSA 1024, while most of the cards issued now use RSA 2048. The government has also attempted to reach out to the citizens whose cards are cryptographically compromised in order to replace them.

Problematically, the system and the smart cards had been certified as cryptographically safe by a number of agencies. This failure will certainly raise more doubt about the current effectiveness of certification agencies for cryptography. In the wake of the remaining questions regarding the DUAL_EC_DRBG fiasco at the US’s NIST (National Institute of Science and Technology), the old question of “Quis custodiet ipsos custodes?” or “Who watches the watchmen?” still stands.

Dan Gifford – MCySec Media Manager 

Adm. Stavridis Advocates for US Cyber Force

Former Commander of NATO (and current Dean of the Fletcher School) Admiral (USN Ret.) James Stavridis has published an Op-Ed in the Boston Globe advocating for the creation of a US Military “Cyber Force” in parallel to the Army, Navy, Air Force and Coast Guard. He makes a potent analogy to the evolving state of US Government policy towards the commercial and military use of air power, and pointedly claims that the policy community on cyber is still on the level that the FAA was at Kitty Hawk.

Now, given that computing technology has had a good fifty years to develop, I would object somewhat to the Kitty Hawk analogy; we are much further along than that. However, the use of “cyber” as a budget padding measure by each armed service and government agency has certainly resulted in a system that could hardly be described as functional. Without any guiding vision or overarching command structure, military cyber operations will continue to be disjointed and poorly articulated. I would counter with an analogy of my own, the position of Billy Mitchell after the First World War in attempting to get the established military command structure to respond to the changes that were bearing down on them. Let us hope there is not a Pearl Harbor event to vindicate our views.

Dan Gifford – MCySec Media Manager