Defending a new domain 2

William J. Lynn III, in his Foreign Affairs essay (Defending a New Domain), says that this “previously classified incident was the most significant breach of U.S. military computers ever.”

Given the rather primitive exploit Mr. Lynn is writing about, a better way of saying that would be “…the most significant breach of U.S. military computers yet detected.”

In 2008, DOD was hammered by a variant of a Windows-only worm, Agent.btz, which uses Microsoft’s autorun functionality to spread. It’s a variant of Silly.FDC, which at the time was familiar, globally, to those interested in, or responsible for, network security. The concept of exploiting autorun goes back into the 90s. There was nothing new about the exploit and as far as I can tell from reports, the worm was not remarkably clever.

Agent.btz would be just another pedestrian Windows exploit if it hadn’t landed, probably by chance, in a very large and important network, perfectly suited to its simplistic technique for spreading itself.

Because Agent.btz spreads using Windows autorun, and because the military was disoriented and reeling in late 2008, DOD banned the use of thumb drives (a ban since moderated). The worm first got onto a DOD computer from a thumb drive, according to Mr. Lynn. But in a Windows-heavy network where sysadmins give autorun a blank check, mapped drives are far and away the primary vector for this kind of worm. One thumb drive infects one computer; one network share mapped by 1000 computers infects 1000 computers.

Although it didn’t spread on the network other than through drive mappings, Agent.btz did, apparently, attempt to download binaries from certain domains on the Internet, including a .cx domain (Christmas Island), and it’s possible those binaries had network-aware capabilities. About that, I don’t know. If the DOD security guys didn’t isolate and study a few instances of the worm, they also don’t know.

Mr. Lynn refers to this as a “significant compromise”. Let’s carefully parse out exactly what was significant:

1. The worm itself was NOT significant, but
2. DOD’s vulnerability to a garden variety Windows exploit was significant, and
3. DOD’s hysterical response was significant.

Mr. Lynn credits this “significant compromise” to the work of a foreign intelligence service, which on its face is unlikely. But in fairness to Mr. Lynn, we can assume that he himself honestly believes the statement he made. Perhaps he was shown evidence he found convincing.

If the chaps who gathered that evidence were the same Apple Dumpling Gang responsible for security on DOD networks at the time, the particulars of their evidence would warrant close inspection. The assertion that a foreign intelligence service was responsible is an interesting theory, but in the absence of evidence for or against that theory, I’m skeptical, albeit without a settled opinion. Mr. Lynn does believe the theory.

He was asked a pointed question about this foreign intelligence service connection by writers at Wired:

But what spy service would launch such a lame attack?

“It isn’t the most capable threat, I agree with that,” Lynn replies. “But that kind of makes the point. If you had something of the kind of capability you described and we suffered a compromise as the result of it, it clearly means that we need to have a new strategic approach and that’s what started a couple years ago. I’ve tried to lay out where we’re going going forward.” [Danger Room]

If you boil down the first paragraphs of his essay to the essence, Mr. Lynn is telling us that DOD got womped by a lame attack. It follows that DOD readiness and/or competence in the area of network security is the one issue needing attention.

Is DOD readiness and/or competence the focus of Mr. Lynn’s essay?

Unfortunately, not. Instead he wanders far and wide, across a landscape that becomes increasingly surreal: “the scale of cyberwarfare’s threat to U.S. National Security,” etc, “cyberwarfare is asymmetric,” so forth and so on, Cold War deterrence models don’t apply in cyberspace, “sophisticated intrusions into the networks that control critical civilian infrastructure…”, “…computer induced failures of U.S. power grids…”


Did he forget to take his meds?

I don’t think it’s that. It’s a style of thinking, and it’s a style of thinking not uncommon in government. To understand it, you have realize it has nothing to do with solving real-world problems. Any given “problem” is more analogous to a card drawn from the deck in a game of charades: You want your team to guess the word or phrase. What the phrase *is* doesn’t matter. Put a lamp shade over your head, hold your nose and hop on one foot, jump on a table and strike a muscle man pose… whatever you need to do. The idea is to inspire the right guess.

In government the idea is to get the right soundbites, get attention from the White House or from a key Senator, get funding for a project, get invitations to speak in the coolest venues, etc. The thing you start with is whatever was written on the card you drew. The thing on the card might, in fact, be a problem worth solving, but solving the problem and making headway in the game are two completely different and unrelated things.

Mr. Lynn’s Foreign Affairs essay is all about playing the game. If you read it expecting ideas for solving a problem worth solving — DOD’s backwardness in the area of network security — all you’ll see is a fantastic caricature of the Department of Defense.

But you need to know that the man spinning around on his back, kicking his feet in the air and flailing his arms, simply wants his team to shout out, “Beetle on its back!” He’s not trying to help all beetles or any particular beetle get to its feet. So, with that in mind, you can excuse Mr. Lynn for laying out “a new strategic approach” devoid of any strategy related to a real-world problem.


About pmbarry

One of these days a man's gonna walk up to you with a shoe on one foot and a boot on the other, and he's gonna tell you 'bout things you ain't never heard of.
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s