William J. Lynn III was asked a question by Wired writers about an alleged foreign intelligence connection to a run-of-the-mill Windows exploit that got loose on Department of Defense networks in 2008:
But what spy service would launch such a lame attack?
His response did not address the question:
“It isn’t the most capable threat, I agree with that,” Lynn replies. “But that kind of makes the point. If you had something of the kind of capability you described and we suffered a compromise as the result of it, it clearly means that we need to have a new strategic approach…”
Mr. Lynn’s answer is not about spy services, spy service motivations, spy service capabilities or anything else related to spy services. It’s about DOD strategic approach going forward. DOD strategic approach going forward might be fascinating, but to me, the original question is quite as interesting and merits a better answer: “What spy service would launch such a lame attack?”
Here are two theoretical approaches to an answer:
#1. A lame spy service, or lame non-state entity, would launch a lame attack. In this category would be Somalia, North Korea, feudal realms that show on the map as being part of Pakistan, Iraqi factions, etc. The idea here is that if it was an unsophisticated attack, it must be an unsophisticated attacker. The attacker was doing his best, but his best was lame.
But what if the attacker wasn’t doing his best? What if the “lameness” was calculated? If the attack were too sophisticated, DOD might not have noticed it, but if the attacker wanted DOD to notice that wouldn’t be so good.
#2. So, another possibility: It wasn’t a real “attack” at all; it was a probe, a sophisticated adversary’s investigation into readiness of the U.S. military, a way of getting some information about how the military might react to a real attack.
In the context of traditional combat a commander may send a small body of troops forward to probe the enemy. The objective isn’t to break through enemy lines or win a battle, but rather to get enough of a skirmish going to see what the strength of an opponent is, to learn something about the disposition of opposing forces and their agility in response.
Could Agent.btz have been a probe?
Personally, I doubt the worm had anything at all to do with an intelligence service, but setting aside that skepticism, if its source was a foreign spy service, and it was a probe, what did adversaries learn about DOD readiness?
1. DOD was unprepared for an exploit which was already familiar.
Windows autorun has been a known vector for worms since the 1990s. This suggests that DOD’s approach to network security is reactive rather than proactive. DOD is not looking around, is not surveying the landscape as it were; DOD isn’t analyzing known exploits with its own deployed software (and hardware) in mind.
2. DOD’s reaction was disproportionate and off target:
The Defense Department’s geeks are spooked by a rapidly spreading worm crawling across their networks. So they’ve suspended the use of so-called thumb drives, CDs, flash media cards, and all other removable data storage devices from their nets, to try to keep the worm from multiplying any further. [Wired Nov. 2008]
The Pentagon actually launched an “operation” to deal with the worm: Operation Buckshot Yankee.
But remember, this was just a Windows autorun worm. Why not turn off autorun on Windows boxes, then require that removable storage devices be checked before use? How to check a device? Turn off autorun on a Windows machine and that machine can then safely inspect a thumb drive for Agent.btz. If you see it, delete AUTORUN.INF and the executables that go with it (better: copy the files somewhere first; the more specimens the better).
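As an added example (not code from the original post), here is the check described above in Python: with autorun already switched off on the inspecting machine (a Windows policy setting, not part of this script), it parses a drive's AUTORUN.INF, copies that file and the executables it launches into a quarantine folder, and only then deletes them from the drive. The autorun.inf contents, file names and the temp-dir stand-in for the drive are constructed samples, not a real specimen.

```python
import configparser, os, shutil, tempfile
# Constructed sample autorun.inf (not a real specimen): launch lines name files on the drive.
SAMPLE_AUTORUN = """[autorun]
open=rundll32.exe .\\helper\\loader.dll,Install
shellexecute=setup.exe
shell\\explore\\command=setup.exe /q
icon=setup.exe
"""
SUSPECT_EXT = (".exe", ".dll", ".com", ".bat", ".cmd", ".scr", ".vbs")
def referenced_files(autorun_text):
    """Drive-relative paths named by the launch entries (open=, shellexecute=, shell\\*\\command=)."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True, delimiters=("=",))
    cp.read_string(autorun_text)           # option names are lower-cased, like INF keys
    found = []
    for key, value in (cp.items("autorun") if cp.has_section("autorun") else []):
        if value and (key in ("open", "shellexecute") or key.endswith("\\command")):
            for tok in value.replace("\\", "/").split():
                tok = tok.strip('"').split(",")[0]       # rundll32 "x.dll,Entry" -> x.dll
                if tok.lower().endswith(SUSPECT_EXT):
                    found.append(os.path.normpath(tok))
    return list(dict.fromkeys(found))      # de-duplicate, keep order

def quarantine_drive(drive_root, quarantine_dir):
    """Copy AUTORUN.INF and the files it launches to quarantine_dir, then delete them from the drive."""
    names = {n.lower(): n for n in os.listdir(drive_root)}   # FAT names vary in case
    inf = names.get("autorun.inf")
    if inf is None:
        return []
    with open(os.path.join(drive_root, inf), encoding="utf-8", errors="replace") as f:
        targets = [inf] + referenced_files(f.read())
    handled = []
    for rel in targets:
        src = os.path.join(drive_root, rel)
        if os.path.isfile(src):           # rundll32.exe lives in System32, not on the drive
            dst = os.path.join(quarantine_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)        # keep the specimen first ...
            os.remove(src)                # ... then take it off the drive
            handled.append(rel)
    return handled

def build_sample_drive():
    """Constructed stand-in for a thumb drive: a temp dir holding the sample files."""
    root = tempfile.mkdtemp(prefix="drive_")
    os.makedirs(os.path.join(root, "helper"))
    for rel, data in (("autorun.inf", SAMPLE_AUTORUN), ("setup.exe", "MZ-stub"),
                      (os.path.join("helper", "loader.dll"), "MZ-stub")):
        with open(os.path.join(root, rel), "w") as f:
            f.write(data)
    return root
```

Running quarantine_drive a second time on the same drive returns an empty list, which is the check that AUTORUN.INF really is gone.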
3. DOD strategists went off on a snipe hunt.
This incident was “an important wake-up call,” according to Mr. Lynn. Two years later, his essay in Foreign Affairs suggests that after DOD woke up it invited a bunch of Hollywood script writers to start attending meetings with defense contractors and network security illiterate bureaucrats — to devise an expansive strategy that would include everyone and do everything.
First accomplishment of this team: slap a new label — “Cyber” — on everything that for more than a decade we’ve called “network security”. And jack up the price. Then, instead of doing things to improve existing network security operations, add on top of real network security work a thick layer of talkers, report writers, PowerPoint presenters and strategic thinkers. CyberExperts. Network security expertise: Not Required.
How would an adversary use knowledge gained by an Agent.btz probe? One thought:
If the Pentagon, and the U.S. Government in general, is prone to over-react to network intrusion events, an intrusion doesn’t need to be effective in itself; it might be as lame as Agent.btz, with most of its impact dependent on U.S. over-reaction.
Here’s what I see: People who should approach real network security problems with balanced, thoughtful analysis, instead defer to sci-fi obsessed story tellers — who can be depended on to propose super-cool, super-scary cyber-problems, even cyber-catastrophes, like financial system collapse and power grid failures.
Is all the wacky talk of cyber-this and cyber-that preparing our military, and more broadly, the U.S. Government, to react with hysterical frenzy to network security incidents?
Take a picture of this:
A geeky attacker wearing a funny hat but without a weapon jumps out from around a corner and shouts, “Boo!” The American soldier is startled, and seconds later he blows himself up fumbling with radio, gas mask, rifle, bayonet and grenade pins all at once…
In the wake of Agent.btz and the introduction of DOD’s extravagantly off-target cyberdefense strategy, an adversary may be thinking…
“They over-react… hmm… very interesting.”