Suits, Spooks and Cyber Space – CNN Security Clearance
By Suzanne Kelly, CNN
There's a war going on in cyberspace. Its vast, complicated, and the foot soldiers are not exactly your usual suspects.
To understand just one of the ways in which this war is waged, consider the far-ranging impact of social media, and a story recently put forward by a government employee who works for a U.S. defense agency.
The story was about a Special Forces raid in 2009 that involved U.S. troops freeing a hostage in what was deemed a "successful" rescue operation at an undisclosed location overseas. The problem, said the program manager, who can't be named because of the sensitivity of his work, came after the troops left.
Within about 45 minutes, the "bad guys" moved in, rearranged the bodies of the hostage-takers that had been killed, took photographs, wrote a press release and posted it on a social media website.
It took the United States three days to respond.
"The damage had been done," said the manager.
Whether its information manipulation, or information theft, understanding the battlefield in cyberspace is key to safeguarding information, whether its the personal information kind, or the broader national security kind, or the kind that has government employees nervous about protecting critical infrastructure, from water filtration systems to air traffic control systems that operate via computers.
The program manager's message when it comes to winning the social media warfare is simple, and a philosophy that spans the cyber-battlefield: something needs to be done.
"When it comes to these issues, everybody's basically full of s-," he vented. "Our psy-ops guys (psychological operations), 80% of the coursework they get is learning what they can't legally do," he said, implying that the rules governing what U.S. agencies can do in cyberspace are way too strict.
"While we have our hands tied, our adversaries have completely free hands, while we at the U.S. government sit with our hands up our a–."
Its tough to get more blunt than that, but such raw honesty and frustration was almost expected at a recent gathering called "Suits & Spooks" in Arlington, Virginia. It billed itself as "the Anti-Conference."
"I start off with the premise that everybody recognizes is true, which is that we are not secure," said conference organizer Jeffrey Carr, who is also author of the book, "Inside Cyber Warfare."
"The security framework is completely broken."
To pull the conference together, Carr reached out to everyone he knows, and it turns out he knows some rather interesting and diverse people.
The guest list included a 25-year-old hacker who prefers the title "Independent Security Researcher," an actress who plays on a popular vampire drama and is interested in actors protecting their image online; a former intelligence officer who teaches international law at Georgetown University; and an online entrepreneur who started an online payment company and was included in Forbes magazine's "30 Under 30."
One of the conference's corporate sponsors was a company that takes its name, Palantir, from the movie "Lord of the Rings." Getting the picture yet?
"It's completely broken," said Carr.
"How do we fix it? What I hope is that progress will be made and many of the people here are from either a government agency a large corporation, so if they can take this back and start to plug in some of what they're learning from today's work, that will begin the ball rolling towards reshaping a revolution in security affairs, which is the point of the event."
Hacking Into the Problem
Twenty-five-year-old hacker Travis Goodspeed is easy to spot. His hair sprawls down his back. He says it's because his father, who had read a book by L. Ron Hubbard, told him when he was just a kid, that the barber would cut his ears off, just to see if he would believe it. He knows better now, but it proves that sometimes, even the absurd things stick with you. He now makes a living by consulting for companies that might prefer for their clients to believe they are doing business safely in cyberspace, but they know the real risks, which is why they hire people like Goodspeed.
"A couple of the smart grid companies have hired me to show them how I would cheat on my electric bill, so that they can fix it before people do cheat on their electric bills in that way," says Goodspeed, who admits he's "on the circuit," traveling the world attending hacking conferences and offering detailed explanations on his successes.
"My specialty is attacking small computers or building strange things out of them. There's a pink children's toy and I write new software into it which allows it to do all sorts of weird things. You can make a spectrum analyzer out of it, you can attack a smart meter with it, you can record what other sorts of radios are transmitting."
It was using similar self-adapted technology that he says helped him on a project he was recently hired to hack that involved penetrating the security measures around a radio communication system. The system was being considered by the government to address communications issues that could arise among first-responders after a terror attack or other catastrophic incident.
Goodspeed's skills are slightly different from another conference speaker, Ben Milne. As an online entrepreneur and CEO of online payment company Dwolla, Milne was happy to come and share an explitive-filled lecture to the audience that numbered in the dozens, many of them wearing suits.
"It's extremely unique," Milne said of the conference, adding that the reason he comes is because of the shared concerns between national security and online business.
"You all kind of want to be able to recognize the bad person. Everything from identity theft to identity protection to data protection to anybody who deals in critical data has to deal with all of those problems and then they have to figure out how they analyze it, respond to it and report on it. So there's a pretty complex flow but everybody who handles every point of that flow is obviously in the room."
Throughout the day, a computer engineer sat in the back row, listening to the speakers, fingers flying on the keyboard as a screen at the front of the room shared what he was seeing on computer screen. As the speakers mentioned projects, or weaknesses in security structures, or even the names of groups that had known involvement in security breaches, Scott Stevson, a forward-deployed engineer with government contractor Palantir, began creating links.
It soon became obvious that what this man could do with a search engine was downright scary.
"In this case I'm actually using Google as my primary search interface because this instance of Palantir that I'm using isn't tied into what we would call an enterprise data set, meaning I don't have a feed of data that a customer has provided. I'm actually going out and using Google and using the help of an interface that we built that allows me to call a url and import into Palantir to create a document on the fly," said Stevson.
"You see me highlight people, relationships between them, and then I'm constantly publishing those results so if I was working with a team of other analysts, they could pull up that information as well."
The message at the end of the day was just how interconnected we all are on the Internet, and just how vulnerable anyone or anything is to cyber-bad guys. Most of the smart people tackling this issue agree on one thing however: there are no easy answers to keeping systems fully secure.
There are currently dozens of bits of cyber-legislation making their way through the process, prompting some to say we need to look at the problem differently if we are to find a viable and effective solution.
Jeffrey Carr is looking at the problem differently. He's just hoping someone is listening.
