Recently I have been getting dropped into conversations on cyber security. It is an interesting conundrum that is only going to get thornier as Agencies begin to embrace and implement the web 2.0, new media, and transparency agenda of the new administration.
As the notion of cyber war has gained traction, people have been looking to the conventional DoD conflict spectrum. Some issues fall into the domain of conventional state-to-state conflicts; the PLA and Russian capabilities are well covered in the public sphere. Others are approached through the lens of counterinsurgency for dealing with non-state and nominally affiliated groups (which Russia in particular has made huge use of). Both of these assume the USG cyber community is a single state actor. But what if we are the insurgents?
While US offensive cyber operations are coordinated, from a defensive perspective I don't think anyone can really look at the current state of things and call us a coordinated actor on the civilian side. There is a growing body of high-level policy aimed at installing some basic safeguards, but operational control in most Departments remains at the Agency and even sub-component level. And, like most transnational terrorist networks, the preferred method of increasing community-wide effectiveness has been the boom of informal technical and policy working groups that aim to build best practices and communities of practice but ultimately operate on trust, not hard enforcement.
Wired's Danger Room has an interesting post today about dealing with terrorist-affiliated web sites. They make a great suggestion of setting honeypots (fake sites that masquerade as legitimate and utilize social engineering techniques for intelligence gathering on visitors) as a more effective strategy for leveraging compromised web assets. This is particularly effective because there is no consolidated identity, security, and content management across the jihadist community: someone just shot you a link and it had the word jihad in the name, so you figured "hey, I should check it out."
And guess what: it is exactly what people are doing against USG assets (for instance the USAJobs hack). More importantly, it is something that I suspect will be on the rise as the amount of USG content outside the .gov domain increases and people become more used to accessing interactive official content from sites with .com or .org addresses.
I also think a great area for some cyber research would be looking at the successes of online insurgents, seeing if there is anything we can learn from them for application in our cyber environment, and identifying systemic gaps that require OMB/NIST direction.