At the SecureAsia@Manila convention held at the Makati Shangri-La Hotel last September, W. Hord Tipton, Executive Director of the International Information Systems Security Certification Consortium, or (ISC)2, figured in several talks debating whether we are in a state of cyber war.
“My position is: you need to wake up,” says Tipton. “When I see nations—[and] the U.S. is a leader in this—actually do auctions of discovered vulnerabilities, paying the highest dollar to gather vulnerabilities … I don’t know how anyone could read this and other supporting documents they have … and not actually say that this is war.” Tipton was referring to the July New York Times story “Nations Buying as Hackers Sell Flaws in Computer Code”, which reports that nation states are the biggest buyers of so-called zero-day exploits, which can be turned into cyber weapons.
New Super Weapons
An exploit is code, or a technique, that takes advantage of a vulnerability in software, anywhere from the operating system up to the application layer. Think of exploits as wedges driven into cracks in the code: they make the vulnerability visible and prove that it can be used, and an attacker can build on that proof both for the delivery method and for the actual payload of an attack.
Zero-days are so named because the software publisher has had zero days to fix the vulnerability: it is being exploited before the publisher has discovered it, let alone issued a patch. The name optimistically implies eventual discovery and a fix, but only after the exploit is already in use. The New York Times cites an average of 312 days before a zero-day attack is discovered, and there have been intrusions, such as the Red October espionage campaign, that were discovered only after lurking for as long as half a decade.
This trend of nation states buying up exploits blurs the distinction between organized crime and state-sponsored threats. Exploits can be developed by criminal groups for their own use or for sale to the highest bidder, and the highest bidders are the superpowers: the U.S. National Security Agency (NSA) is reported to be one of the biggest buyers.
Cold War Parallels
“You hear a lot of fussing about China, and even Russia, being dangerous characters in the world of espionage. China has a super cyber weapon? They probably do, we do too,” Tipton says, referring to weapons for bringing down critical infrastructure such as power-grids, communication lines, and air traffic control systems. “It’s like nuclear war … there’s that deterrent thing. If I launch this there’s going to be retaliation.”
Tipton has intimate knowledge of what retaliation could have looked like during the Cold War. When he worked for Union Carbide, the contractor that operated the Oak Ridge National Laboratory to produce weapons-grade nuclear material, Tipton worked on the warhead for the 3,000 nuclear-tipped cruise missiles that Ronald Reagan would eventually brandish to put a whole new dimension on the Cold War arms race. After witnessing a test detonation of the compact but powerful 150-kiloton warhead (about ten times the destructive power of the bomb dropped on Hiroshima in World War II), Tipton had what he describes as a crisis of conscience, and left Union Carbide in 1980.
Asked to comment on Edward Snowden, the former employee of NSA contractor Booz Allen Hamilton who leaked national secrets and evaded prosecution by the U.S. government, Tipton says that Snowden is neither whistleblower nor hacker. Snowden can’t claim to have blown the whistle on the NSA since he didn’t come out and say that the agency’s activities are illegal, only that they are “inappropriate”. And Snowden acquired the secrets not by skillfully defeating safeguards but rather by exploiting lapses in security at Booz Allen Hamilton and the NSA—he was given access, he didn’t have to hack it. No, Tipton says, at the end of the day Snowden is just a guy who broke his oath of secrecy and did not stand his ground to face the consequences of his actions.
Tipton doesn’t say it, but Snowden’s circumstances call to mind another term from Cold War jargon. Snowden, with his trove of secrets harvested with NSA cyber tools, has found sanctuary in Russia, a state whose interests do not necessarily oppose, but at the very least compete with, those of his native U.S. The one word that would have described Snowden back in the 1980s is defector.
The Arms Race
Tipton says that weaponized cyber threats in nations’ arsenals are not what concern him. What does bother him is “when these tools, serious cyber tools that can launch at the touch of a button, get into the hands of an unstable state, you don’t really have the comfort level that they would use these prudently.”
Now the U.S., China, and Russia, opponents in the Cold War who for decades maintained a standoff of mutually assured destruction, are compelled to keep bidding up the prices of zero-day exploits. If not for their own use, then at least to keep them out of the hands of traditional and emerging adversaries.
Case in point: on August 27, a month after the report on nations buying software flaws, the website of The New York Times was attacked and taken offline by people presenting themselves as the Syrian Electronic Army (S.E.A.). The S.E.A. emerged in 2011 during the first uprisings in Syria, in support of President Bashar al-Assad, and this attack came as tension over the alleged use of chemical weapons in Syria rose again.
The attack was relatively unsophisticated, and it was not a denial of service in the sense of flooding servers with traffic: the newspaper’s domain name (DNS) records were altered so that its name resolved to an entirely different site, leaving the real site unreachable. But the incident showed that the motives and opportunities for attack, if not the costly and sophisticated cyber weapons needed to inflict more damage, are rife online.
Snowden’s leak on the NSA’s PRISM program, under which the agency collected users’ data from major U.S. internet companies, underscores the ubiquity of threats. Security professionals have to defend against threats not only from hostile organizations and states but also from their own country’s government.
Information security, or more correctly the information assurance system that protects the knowledge assets of an organization, requires disciplines and resources that go far beyond the technologies that both enable and threaten modern enterprise. Structures both hard and soft need to be built, managed, and actively enforced to defend against threats, and to mitigate the damage when some of these eventually make it across the threshold.
Information security demands blended executives with firm technical as well as business foundations, and with the savvy for intelligence gathering and even counter-intelligence tactics. In the 2013 (ISC)2 Global Information Security Workforce Study (GISWS), prepared by Frost & Sullivan in partnership with Booz Allen Hamilton, survey respondents from across industries and sectors identified the following nine skills as critical for security practitioners:
- Broad understanding of the security field
- Communication skills
- Technical knowledge
- Awareness and understanding of the latest security threats
- Security policy formulation and application
- Leadership skills
- Business management skills
- Project management skills
- Legal knowledge
All these qualities map onto what the information security profession has traditionally described as Governance, Risk Management, and Compliance. But the reality is simpler. Given the unpredictability of threats and their instigators, security professionals share a credo of suspecting everything outside their virtual borders, while actively seeking alliances with practitioners in other, non-rival organizations to widen their intelligence net and better detect threats, triangulate their location, and predict their trajectory. What Chief Information Security Officers (CISOs) and their teams must now do, in a word, is govern.
With rapidly changing threats from all sides, there is now a widening gap in the ranks of security personnel. Tipton says, “I do not believe that we will ever produce what we would consider an adequate security profile without addressing the people problem. We have noted that we are 300,000 short for security people—professionals, technicians, people who have a role in security.”
Pay scales for security professionals reflect their value. Salaries surveyed for the 2013 (ISC)2 GISWS report show them earning an average of US$92,835 annually, with those working security in government or defence earning an average of US$101,246.
But advancement in a valued security role is not enough to counter the draw of astronomical pay-offs for less work in cyber attacks; pay alone will not attract talent to the defenders’ side. “Our job becomes more difficult because of the high rate of return on criminal activity,” Tipton admits. “You’re not going to win them over by giving them a pocketful of money because the bad guys can double that.”
In the middle of all this, (ISC)2 is looking to promote, and to harness, a recruit’s inclination to stay on the right side of the law. Tipton uses simpler terms: “To put ethics in them, that’s the cornerstone.”
(ISC)2 represents the interests of the defenders. Individuals who have earned (ISC)2 certification also gain membership in the consortium’s community of certified professionals, and those members now number over 90,000 worldwide—12,000 of whom are from the Asia-Pacific region. And all those members have vested interest both in increasing their numbers and keeping talent away from the opposition.
“I call them our … ambassadors, and these are people who can write for us, develop our exams,” says Tipton. “Having 90,000 volunteers at our disposal—all fully trained and pretty darned expert in a number of things—is a very valuable asset. So we’re giving back. We’re giving their talents back so we also formed our foundation.”
The organization has evolved from a certification consortium to an active education proponent. The (ISC)2 Foundation has partnered with schools in Asia, Europe and North America from college down to elementary levels “to go as low down as we can in order to reach them,” says Tipton.
Drawing on the organization’s Common Body of Knowledge (CBK) on information security for material, (ISC)2 has been giving: (1) seminars to college students based on its standard Certified Information Systems Security Professional (CISSP) curriculum, (2) lectures for college and high school students based on its entry-level Systems Security Certified Practitioner (SSCP) certification, and (3) talks on basic online security and safety for all levels, including grade-schoolers and their teachers. Over and above warnings about the dangers of the Internet, Tipton says these programs communicate how fulfilling, and lucrative, a career in information security can be.
And to veterans who, by their military service, have demonstrated both the inclination and the aptitude for careers in security, (ISC)2 is looking to offer full scholarships for earning their all-important certifications. “We’ve been trying to bring veterans around the world—not just the U.S. now—to this program,” says Tipton. “But the U.S., particularly because they start a lot of wars, have a lot of veterans coming back now and the jobless rate in the U.S. is still over 7% … the vets are having a difficult time getting jobs coming back.”
This year, the (ISC)2 Foundation has partnered with Booz Allen Hamilton to present the U.S.A. Cyber Warrior Scholarship Program. “U.S. military veterans who are returning to the civilian workforce provide a viable pool of motivated, intelligent professionals with a solid work ethic,” the program’s literature explains. “However, this talent pool needs training and placement assistance to ease their transition into the civilian workforce.”
Tipton himself explains, “the veterans are just another component of [us] trying to show social responsibility in giving back from something that’s been good to us as an organization. We struggled a lot of years to grow the membership and to sustain ourselves as a non-profit.”
But despite this emphasis on other, more altruistic motives, recruiting military veterans for security work remains extremely practical in the threat landscape of cyber war, and downplaying that aspect may be in deference to the private, non-profit nature of (ISC)2. After all, the organization is neutral and non-partisan, with 143 chapters in the Americas, Europe, and the Asia-Pacific region, including an official chapter in Hong Kong and petitioned chapters in mainland China.
Nevertheless, on the face of it, it still makes eminent sense to prepare for a cyber war by raising armies filled with veterans from another, more conventional war.