Proactive Cyber Defence
© 2008 FrontLine Security (Vol 3, No 1)

Proactive Cyber Defence doctrine compels an enterprise to act in self-defence, pre-emptively interdicting and disrupting an attack against its computer infrastructure.

The Perfect Storm is developing in cyberspace. The maelstrom has already hit landfall on the outermost reaches of the critical information infrastructures. The Canadian national information infrastructure is now decisively engaged in a cyber-war; the telecommunications and financial sectors are fighting on the front lines against trans-national crime and state-sponsored campaigns. The only effective national defence strategy is a proactive one.

Let’s talk about numbers: the national proactive cyber defensive matrix interdicts and disrupts over one-trillion inbound attacks per year in a pre-emptive fashion. That is 125 million attacks per hour inbound at 1 billion km/hr! Cyberspace is so toxic at its outer limits that any computer placed at the source would be instantaneously possessed and rendered useless or a threat.

Anonymously they lurk, interconnected by virtual networks; spying, compromising and exploiting. They can attack and withdraw back into the darkness at the speed of light. “They” are the hackers and crackers, telecommunications phreakers, precocious script kiddies, corporate espionage programs, cyber-terrorists, spies, competing nations and sophisticated trans-national organized criminal syndicates engaged in multibillion dollar heists.

Public and private sector executives in Canada are being targeted by organized crime and hostile intelligence agencies using spear phishing tactics, and consumers are being robbed of their identities. Then, just when you think you have identified the threat agent and understand the tradecraft, your organization is blind-sided by the actions of an insider with access to your most sensitive computer files, and a penchant for trouble. No system or organization is safe. If a chartered bank or a nuclear weapons lab can be hacked, where does that leave you?

People attribute sluggish computer networks or outages to chance, when the cause is almost always deliberate.

In this age, the mouse has proved mightier than the missile in its ability to deliver multiple nuclear payloads, launched from Russia and China, incarnated by robot networks (botnets). The strikes rain onto Canada relentlessly, inflicting 1.5 million casualties daily and laying waste to portions of our infrastructures. Decontaminating the fall-out from one of these cyber bombs that hit your organization is a costly affair. The annual cost of foreign-launched cyber-attacks against Canada currently rivals our entire defence budget.

What if the current proactive defence matrix crashed? Simulations and models were run based on real threats and the prognosis is not good. The modeling predicts that a cyber maelstrom, beyond most organizations’ comprehension, released in the morning, would cascade through critical infrastructures, along risk conductors and interdependency vectors. Those most reliant on telecommunications would be affected first, and they would propagate ruinous effects to other sectors. The catastrophic impacts would ricochet throughout the fabric of the economy at velocities faster than a human’s ability to intercede. The government would fail in the first few minutes, financial markets and energy grids would collapse by noon and the remainder of sectors would see the end of business by early afternoon. Look no further than Estonia for a poignant recent example.

Ironically, most organizations have invested heavily in treating the symptoms and not the cause. Words like ‘react’, ‘respond’, ‘recover’, and ‘restore’ are expensive and ineffective alone. Recall that “an ounce of prevention is worth a pound of cure.”

Predicting and interdicting an attack before it occurs provides far more and better options, at lower cost, than detecting and reacting to an impact. Prior to every major cyber security incident in Canada there have been early warning signs and opportunities to act, yet those incidents have ended up costing Canadians billions in subsequent measurable impacts.

“Preventing a threat event before it happens” is much more difficult. Scenes from the movie Minority Report come to mind, where the ‘precogs’ foresee incidents and events with enough lead-time for authorities to intervene. The disturbing ramification is that people are punished for crimes that they have not yet committed. Similarly, the ubiquitous surveillance in George Orwell’s 1984 is unnerving in this day and age, when it is technically possible to intercept all communications all the time and install cameras everywhere to watch everyone.

No one is suggesting that we employ such intrusive surveillance – nor are we advocating, you will be happy to know, pre-cognitive enforcement and punishment.

What is promoted is intelligence-led proactive defence that interdicts, disrupts, pre-empts and thus prevents emerging threat intent. Not only is this possible, but it is necessary today.

So how do we begin to act, rather than react, to emerging threats?

First we must acquire accurate intelligence upon which scarce resources can be deployed most efficiently against developing threat-vectors. Such situational awareness is developed from sciences, technological forecasting, social trending, environmental scanning, threat analysis and modeling. We need to take a serious look at the evolving world in which we live, and understand that the threat agent is subjected to the same trends as we are.

Deliberate threat agents adopt new technologies early. Consider the early and rapid spread of cell-phones and pager use among the youth. This was a strong indicator of the resulting illicit activities by that demographic.

The common trend is that criminals will own a technology legitimately, then use it to facilitate crime, and finally exploit the technology itself. By understanding the effect of introducing disruptive technologies into society, and envisioning their criminalization, one can effectively predict the early development of a threat. Such accurate strategic forecasting buys police time and precision.

But how does one establish means, motives and marks in a target-rich and threat-heavy situation? Risk assessments that integrate the source and means of the threat (“threat-from”) and the recipient target of this threat (“threat-to”) play a crucial role in ‘precognition.’ “Threat-vectors” can then be established from source to recipient with greater degrees of certainty.

When John Dillinger was asked why he robbed banks, he answered “that is where the money is.” Often authorities are too busy chasing the bad guys, when guarding the cyber-gold could save a lot of time and money. This seemingly trivial analogy nevertheless clearly underlines the merit of a “threat to” risk analysis.

The “threats-to” approach begins by identifying the potential targets of the threat, the intrinsic vulnerabilities of the asset, and its potential exposure to these threats. It is complementary to a “threats-from” analysis and has the advantage of being a more selective examination of threats based upon a given target system.

The disadvantage of a “threats-to” approach is that it is reactionary and provides little warning of threat activities, intentions or trends. Nonetheless, if John Dillinger were robbing today, he would exploit cyberspace, because that is where the money is. Today, all money crime has a direct or indirect connection to cyberspace. Illicit micro-banking transactions are more likely to occur in a virtual gaming environment than on a street corner. Authorities need to be just as street-smart in cyberspace as they are on the traditional beat.

Threat events and agents can be examined without immediately linking them to an incident or victim. It is common practice for security and intelligence services to gather information on groups that have demonstrated the potential to precipitate an attack. This analysis is useful from a security preparedness point of view, and to focus investigative efforts to head off an incident. The analysis involves examining the motives, means and methods of a threat agent surrounding a potential threat event. A “threats-from” analysis is performed from within the threat milieu as a proactive step to mitigate the risk by addressing the threat directly. The disadvantage of a “threats-from” approach is its focus on traditional threat agents and events at the expense of emerging threats and new trends in targets.

A vector is a measurement of direction and magnitude. Direction requires both a start and end point. There is often a gap in the intelligence coverage linking “threats-to” and “threats-from” evidence – but a good investigator needs to connect the dots to deduce a threat vector.

Understanding the world of threat-agents is also important when forming a predictive analysis. A “risk-to” or “vulnerability weighted” perspective to threat analysis suggests static protective safeguards to mitigate perceived exposures. “Threats from” has a more significant bearing on the “predictive” risk analysis in contrast to the “historical or empirical testing.” It is a better indicator of what detection and response mechanisms should be added.

Risk assessments that do not examine threat agents and their victims cannot be predictive or proactive. They present but a snapshot in time. Without accurate threat agent information, an assessment cannot determine the magnitude of exposures particularly in this dynamic threat environment.
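One way to make the “threats-from” / “threats-to” join described above concrete, as an added illustration that is not the author’s or any agency’s method: agent-side evidence and asset-side evidence are modelled separately, paired into threat vectors with a start, an end and a magnitude, and the pairs where one side has no evidence are reported as intelligence coverage gaps. The field names, the multiplicative weighting and the sample evidence are all assumptions constructed for this example.

```python
# Added illustrative model (not the author's method): join agent-side
# "threats-from" evidence with asset-side "threats-to" evidence into ranked
# threat vectors and report where intelligence coverage has a gap.
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class ThreatFrom:  # agent side: motive (intent), means and method (capability)
    agent: str
    targets: frozenset  # asset classes the agent is known to pursue
    capability: float   # 0..1
    intent: float       # 0..1

@dataclass(frozen=True)
class ThreatTo:  # target side: the asset, its weakness and its exposure
    asset: str
    asset_class: str
    vulnerability: float  # 0..1 intrinsic weakness
    exposure: float       # 0..1 reachability from the threat milieu
    value: float          # relative worth, the "cyber-gold"

def threat_vectors(froms, tos):
    """A vector needs a start (agent) and an end (asset).
    Magnitude = capability * intent * vulnerability * exposure * value
    (the multiplicative weighting is an assumption). Assets with no known
    agent and agents with no identified target are returned as gaps."""
    vectors = []
    for f, t in product(froms, tos):
        if t.asset_class in f.targets:
            mag = f.capability * f.intent * t.vulnerability * t.exposure * t.value
            vectors.append((f.agent, t.asset, mag))
    vectors.sort(key=lambda v: v[2], reverse=True)
    seen_agents = {v[0] for v in vectors}
    seen_assets = {v[1] for v in vectors}
    gaps = [("no known agent", t.asset) for t in tos if t.asset not in seen_assets]
    gaps += [(f.agent, "no identified target") for f in froms if f.agent not in seen_agents]
    return vectors, gaps

# Constructed sample evidence; none of it comes from the article.
FROMS = [
    ThreatFrom("crime syndicate (botnet)", frozenset({"bank", "retail"}), 0.9, 0.9),
    ThreatFrom("state-sponsored", frozenset({"telecom", "government"}), 0.8, 0.6),
    ThreatFrom("script kiddie", frozenset({"gaming"}), 0.3, 0.5),
]
TOS = [
    ThreatTo("online banking portal", "bank", 0.6, 0.9, 1.0),
    ThreatTo("core telecom switch", "telecom", 0.4, 0.5, 0.8),
    ThreatTo("power grid SCADA", "energy", 0.7, 0.3, 0.9),
]
```

Calling `threat_vectors(FROMS, TOS)` on the sample evidence ranks the syndicate-to-banking vector first and flags the SCADA asset (no known agent) and the script kiddie (no identified target) as the gaps an investigator would still need to connect.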

There is interdependency between a threat and its victim. Two entities are known to be interdependent when they exchange or share goods, services, communications or geographic proximity. The interesting prospect is that all these metrics are measurable, and, if we can model it, then we can predict it. You have heard the aphorism “follow the money”; consider that, these days, the phenomenon of convergence converts paper cash into electronic funds transfers and places it on the Internet alongside communications. Monetary, communications and geospatial metrics lend themselves well to surveillance technologies. This allows authorities to regain the advantage over evolving cyber threats.

It is impractical to uniformly implement security safeguards and exercise all scenarios across large and complex systems at the highest levels. This is particularly pertinent when countering trans-national criminal organizations or state-sponsored information warfare. This would raise the business risk associated with the programme to unacceptable levels.

But these sciences are still reactive, albeit faster, to the threat’s intentions, and do little to shape a threat’s behaviour. What can authorities do to interdict, disrupt and pre-empt widespread identity theft, banking fraud, espionage and attacks against critical infrastructures when they are perpetrated by networks of robot-armies controlled by organized crime syndicates operating abroad with the duplicity of foreign states?

Home-grown terrorism, domestic extremism and radicalization of our youth manifest themselves over time on the Internet in manipulative relationships with undesirables. The only message that is being heard is that of the militants. Authorities are often called upon when things have gone dangerously wrong and the only option left is arrest. Early detection of burgeoning threat activities is required. The authorities must first understand the Internet-based landscape. Secondly, a strong communications and marketing plan can be used to counteract the toxic messaging to the victims. Thirdly, influence operations should be considered to shape the behaviour of the threat and the target.

We must be willing to conduct proactive, pre-emptive operations (P2O) in Cyberspace to shape behaviours and avert the development of malicious intent. Enforcement, when required as a final solution, will need to be global and coordinated across critical sectors and boundaries.

If one enters the proactive defence game, one should understand that it has a rich narrative upon which one’s enterprise can capitalize. From 500 BC, proactive defence developed as a strategy, coming into the cyber hype-cycle peak of enlightenment in 1994 and reaching a highly mature cyber capability by 2005. Yet there still exists great disparity in Canada between sectors that possess an indigenous capability of mature proactive cyber defence programmes and those that do not.

Establishing a common operating picture is central to the matter of discussing and deciding upon a proactive cyber defence strategy across Canadian critical infrastructures.

Neither technology nor costs have been the principal impediments to successful proactive cyber defence programmes thus far. The major challenges to a proactive national defence strategy appear to have been: a lack of an organizational behaviour model; mission ambiguity; legal and privacy speculation; and, perceived information sharing concerns.

The roll-out of commercial proactive defence capabilities, products, services and intelligence by the private sector has been further delayed by: intellectual property protection; cost recovery; and a nascent market demand.

A model enterprise proactive cyber defence strategy would likely include: level setting on the proactive cyber defence spectrum; establishing a governance structure that recognizes the autonomy of sectors while promoting collaboration; clarifying mandates, resolving legal and privacy issues in the context of proactive defence; promulgating explicit standards and technical guidelines; promoting existing programs; building proactive cyber defence into existing shared environments; and forming information sharing mechanisms within the larger community.

Meanwhile, proactive cyber defence initiatives will be taken unilaterally or through multiple exchanges where organizational missions and interests intersect. These programs may eventually reach a critical mass which would dominate and dictate the conduct of proactive cyber operations in the future. Ergo, join early.

David McMahon is a computer engineer from the Royal Military College of Canada. He spent 25 years with the military intelligence and security community in the public and private sectors. David was a founding member of the interdepartmental committee on Information Warfare. He is a published author on the subject of the Cyberthreat, the Olympic threat risk assessment, critical infrastructure protection and proactive cyber defence. A former National Biathlon champion, Dave is currently the National Security Advisor for Bell Canada.