Last week, I attended MIRcon, Mandiant’s conference on Advanced Persistent Threats. One of the keynote addresses was given by Keith Alexander, the former head of the NSA. I enjoyed his talk; it was a good one.
What Others Are Saying
Here is Kelly Jackson Higgins’ take on his talk, from an article on DarkReading. Everything in the article is accurate:
* Former NSA Director reflects on Snowden Leaks
http://www.darkreading.com/analytics/threat-intelligence/former-nsa-director-reflects-on-snowden-leaks/d/d-id/1316466
Higgins’ main talking point is that Alexander and the NSA were trying to bring to the public’s attention the fact that, although the United States is under constant attack from advanced persistent threats, the Snowden leaks ended up overshadowing any of the good work that the NSA was doing. The NSA is a professional organization, and third-party auditing showed that what they did:
- Was authorized by Congress
- Was within the law
- Was 100% audited
- Even though they were audited afterwards, no violations ever came up that were not already self-reported
- The NSA is highly professional
That’s all I have to say about that, go ahead and check out the article.
My Impression of Others’ Impressions of the NSA
While I was in Washington, D.C., I noticed that there was more of a “pro-America” feel, that is (and I am badly paraphrasing) a “we understand that the NSA had to do what they did” perspective, compared to where I live. Whereas on the left coast Microsoft’s own top lawyer identified the American government as an advanced persistent threat [1], and you can read other technical blogs that are very critical of the US government’s actions (Google, Yahoo and Apple are all moving to encrypt their data in response to this), I didn’t find any of that anti-government sentiment at MIRcon.
I see this as either the attendees at MIRcon genuinely understand that what the NSA did is more nuanced, and a position of “The government should not collect any data” is too narrow a viewpoint; OR, representatives from these companies work with government and therefore their perspective is skewed; OR, I didn’t sample enough people to get a broader perspective.
In any case, that’s what I experienced.
My Raw Notes of Keith Alexander’s Keynote
I don’t have time to type this up into a more nuanced blog post, but here are my raw notes from the session.
---------------
2014.10.07 - Keynote Keith Alexander
- Keith Alexander - cyber security people are underpaid (he's a funny guy)
- CyberCommand was created based upon intrusion into DoD in 2008 (later believed to be the Russians), wake up call
- Now Target, eBay, Home Depot, JPM; attributed to eastern Europe/Russia
- Did you know 2014 (website, talks about rapid change in technology)
- Top 10 in-demand jobs in 2013 did not exist in 2004. Half of college newbs’ tech knowledge will be out of date by the time they get to junior year. People are being trained for jobs that don't exist today.
- Talked about how using Watson, they can get cancer treatments figured out in 9 minutes rather than 30 days (important because that 30-days results in cancers metastasizing)
- Within a decade, some diseases will be solved thanks to advances in technology
- We created the Internet, we can secure it.
- But what we have created, today, isn't secure.
- Pre-2007, Internet was used as a way of going out and exploiting (everyone was doing it)
- Then in 2007 changed from exploitation to disruption (Estonia attacks), had to disconnect from Internet
- Aug 2008 Georgia was hit with cyberattacks (coincided with attacks by Russia govt ground offensive), DDOS attacks
- Tells of issue on DOD networks one Friday afternoon in 2008, some people found 1500 pieces of malware on classified network
- Built a system to mitigate the problem at network speed.
- NSA built the system in 22 hours (!!!)
- In 2011, NSA took a look at DOD networks, 15,000 in all, discovered they have an indefensible architecture (opened up that bag... of fertilizer... can we give this back to the DOD? Nope.)
- Created Cyber Command as a result. Our defense must be as good as their offense
- Fast forward, actions in 2012 were timed to problems in the middle east
- August: Attack on Saudi Aramco (DDOS coupled with a virus - destroyed data on 30k systems)
- Over 350 DDOS attacks on Wall Street in the intervening year. 2013: attacks on South Korea
- Goes from stealing data to using the networks as an element of national power.
- People attack cyberspace because that's where the money and IP and secrets are
- Cyber command
- Joint taskforce to defend the DOD networks but when it came over decided to defend everything within the nation
1. Need a defensible architecture - Too difficult to draw a picture of network without any situational awareness
2. Training - Need to train at a classified threat, offense and defense need to be the same
3. Command and control - How do we work together with govt and industry? There's more industry by orders of magnitude, and the exploitation surface is hundreds of times larger. Nothing prevents industry from working with govt for a common cause
4. Cyber legislation - Didn't really discuss this
5. Signature based AV systems good for certain things but not for where we want to go. Need to have real time consumable threat intelligence; detect mitigate report at network speed; within and among networks. These are not technical challenges, it is culture and competitiveness. Just think if we were to work together. It will take several companies and a consortium to figure it out.
- Q&A's - Are we in a cyber war? When did it start? --> No, not yet but because of his definition
- 22 cryptologists were killed in Iraq and Afghanistan (doing some cyber stuff to change intelligence collection)
Someone asked a question - what does the NSA collect on me? Metadata goes into business data FISA program - gave example (2009) of stopping an Al Qaeda operative in the Pakistan area who was talking to someone in the Colorado area (by email, gave phone number in email to FBI). FBI can take that and get the phone number from the phone and email provider. Talked about bouncing around from Colorado to New York and North Carolina, who were also in contact with other known terrorists outside (?) the US.
- Q&A’s (Did Angela Merkel have anything interesting to say?)
- If you talk to known high risk contacts, there is a good chance you will be flagged. But otherwise you are probably not going to be looked at. These programs help connect the dots. Everything in the program is audited 100%. Not one person was found doing anything wrong that hadn't already been reported before.
- ACLU did a review of the NSA (Jeff Stone), found NSA helped to thwart plots, operates with a high degree of integrity and a deep commitment to the rule of law
- People who touch special data have to go through 400 hours of training (more than pilots)
Those are all of my notes.
[1] “Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures – and in our view, legal processes and protections – in order to surreptitiously collect private customer data.
…
If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an “advanced persistent threat,” alongside sophisticated malware and cyber attacks.”
Brad Smith on the Official Microsoft blog
http://blogs.microsoft.com/blog/2013/12/04/protecting-customer-data-from-government-snooping/