Delayed Thoughts From the Dept of Justice Cyber Security Conference

Last week I was able to attend the 2-day cyber security conference.  I have to say that it was more interesting than I thought it would be.  There was certainly the risk that there would be long boring talks about how inflexible, unforgiving and painful FISMA compliance is.  Or worse yet, a mentality that FISMA compliance = security.  This was not the message at the conference at all.

I'll be honest, I've worked on a lot of interesting security projects for a variety of clients, both in the public and private sector.  However, even the most interesting problems I've helped people tackle have never had a law enforcement focus.  For the clients I've worked for the focus is always on "we need to protect this asset because it's key to the service we deliver to a client."  At DoJ the focus is much more "we need to protect this asset because it is a national security issue, or we need to assist a portion of the private sector by investigating and responding to a computer-based attack."  So this was sort of a new perspective for me.

The other day . . actually, on the second day of the conference, Richard Bejtlich wrote about the national security briefing by Director of National Intelligence, Dennis Blair.  A good portion of the briefing called out the danger that cyber attacks posed to our national security.  This was something we heard a lot about at the conference.  There were presentations on cyber crime rings infiltrating banks, the main groups behind botnets, DDoS attacks (largely unsuccessful) against DoJ web sites, and other similar topics.  The main points that I'd like to make relate back to what Dennis Blair talked about, and what Richard has been writing about regarding China v. Google.  

Just eight years ago I think you'd find that the motive behind most virus or worm outbreaks was non-financial.  Nowadays though, organized criminals have been incredibly successful at monetizing these sorts of attacks.  Spam, worms, and viruses can all be used to build botnets which criminals are renting out for attacks. In addition to these organized crime elements, terrorists understand that there is a real potential to do noticeable, lasting damage to our financial system using cyber attacks.  Best off for them, these attacks are a lot lower risk and have a higher potential for success than ones where they're attempting to sneak bombs onto planes.

So when you read all these stories about a virus outbreak, a botnet, etc you have to consider that this is a very serious risk to national security.  Destabilization of our financial system would actually have much more significant impacts than the types of violent attacks we're used to out of terrorist groups.  So if you don't think they are active in this area right now- if Dennis Blair's testimony went unnoticed- think again.

DoJ is one of the organizations on the front lines defending and responding to this sort of criminal activity.  Given this perspective it was interesting to hear some of the response activities they've undertaken, and to learn how many talented security folks are actually in the organization.  Obviously there is a big focus on forensics and malware analysis.  The purpose of their forensics and malware analysis efforts is to identify the sources of attacks.  No one cares whether there was a bot on Grandma's computer.  What they want to do is crack open the malware to try to figure out who created the bot.  That is the enemy DoJ is going after, and they are doing it in an active manner.  Top forensics people are necessary to ensure that any prosecutions that become possible are supported by evidence that's been gathered in the right way and is admissible in court.

The most important issues, in my mind, for our national success in defending and combating these threats are:

  • The ability to integrate related efforts at different organizations within the government.  Just off the top of my head I know that DoJ is obviously doing this sort of work, and you need to remember that this is not a single organization.  It is a collection of organizations like the FBI, the National Security Division, DEA, the Executive Office for US Attorneys, and many others.  We also have the NSA, ODNI, and elements of DHS which are working on protecting, detecting, and responding to attacks to our national infrastructure.  There is a lot of information sharing and coordination that needs to take place in order to make sure these efforts are as effective and efficient as possible.
  • For most of this work, the human brain is our most potent weapon.  Having a "bigger stick" deterrent to these attacks means we have the minds that are able to understand cyber security issues and advance the field forward.  If the brightest minds are in China, then China is the superpower in this area.  I know that at the conference there was one speaker who mentioned that this is a concern for them, and they would like to see the US address this issue.  At a most basic level this means improving our educational system.
  • Our mentality regarding national self-defense needs to be focused on protecting our computer infrastructure.  I think that the people who are in the field understand this, but I doubt that the public really does.  The problem there is that public perception does have a real impact on where the government spends money.  As a result, I worry that we're more likely to spend billions on an advanced missile defense system to protect against nuclear holocaust than we are to spend the money necessary to bolster our computing infrastructure.
  • We need to be able to cross national borders in order to go after attackers based out of other countries.  Even though the other issues can be very challenging, this may be the long pole in the tent.  This is the largely unknown impact of diplomacy. Is a country where an attacker or group of attackers going to allow the FBI to work with their police forces to develop cyber crime capabilities and crack down on the perpetrators?  At this point it is hard to imagine China or Iran supporting this sort of cooperation.

In any case, there was a lot of good stuff to hear at the conference.  I'm hoping to post a few thoughts on topics that came up in presentations there in the coming days.  If you are in the government though, you are invited to this conference and I strongly recommend attending next year.

More from Our Cybersecurity Experts