Hired Guns: What's in the name CyberPMC or CyberPSC?cyberwarfare has become pretty hot. Comments through the social network about our two recent stories reverberated with several themes I thought best to address in a post today. (One Twitter hash used for the first time: #CyberPMC)
One question was whether cybersecurity firms fit under PSC or PMC. PMC means private military company and PSC is private security contractor. That's exactly the point I thought we should debate and discuss, my perspective as one who has personal friends who have worked at Blackwater, is that as far as the cyber realm goes, those terms are interchangeable.
With the adoption (albeit resistant to the end) of cyberwarfare from conceptual to actual in 2010, much has changed. So let's look at what's at risk.
Threatscape: Cyber attacks and vectors
When we look at the current threatscape of cyberwarfare, which such experts as Winn Schwartau and Gary Miliefsky have been immersed within for the past 20 years, there is a cold realization that the public sector cannot immediately address all the threats with their current personnel and technology.
Based on my research, 2011 is going to be both an explosive year – both in cybercrime and cyberwar. It's going to get very ugly. Network security professionals will be in great demand and have their jobs cut out for them next year," said Gary S. Miliefsky, founder & CTO, NetClarity.
Knowing that most of this SCADA equipment has been moving to (i.e., upgrading to) internet-based protocols for device access and control, these TCP/IP based interfaces with managed switches, firewalls and routers were barely designed to pass FCC guidance – they will most likely be the first to fail, causing a critical 'intranet' outage that would in turn cause problems in managing or controlling the power grid infrastructure and may result in a brown-out.
Cyberwar is real. Each major government has launched teams for offensive and defensive countermeasures. Many terrorist cells have learned that the internet is a powerful vehicle for launching terror attacks.
Imagine a terrorist wishes to take down a power grid – they could EMP or HERF pulse the equipment, shorting out all the electronics at the headquarters.
Three of 10 cybercrime and cyberwar predictions for 2011: Gary Miliefsky
Some of these should sound familiar: We've discussed EMP, HILFs and custom malware (Stuxnet) at length in SC Magazine. HILFs, coined by NERC, are specific combinations of natural or intentional phenomena which would disrupt the power grid.
Exponential growth of more intelligent zero-day malware both for cybercrime and cyberwar
More creative social engineering for cyber Crime projects will take place. [Cybersecurity Mythbusting]
Source: Gary S. Miliefsky, Hakin9 Magazine (http://www.hakin9.org), January, 2011
When we look back over what the Cybercrime Corner has covered in the first six months, there are considerable articles to choose from.
Let's dive deeper into some of the attack types, which include cyber attacks.
From Gary Miliefsky's press release, with our Cybercrime Corner research hyperlinked:
They may begin to deploy the following methods more intensely:
- Using energy to disrupt electronics
- Electromagnetic pulse (EMP)
- High energy radio frequency (HERF)
- Eavesdropping on networks [counterintelligence]
- Cracking W-Fi (Kismet, Wepcrack, Back-track, etc) [cyber threat intelligence]
- Man-in-the-middle attacks
- Compromising electronic emanations (CEE) [industrial espionage]
- Custom malware (Stuxnet worm which allegedly targeted Iran's nuclear facilities was just the beginning) [Stuxnet]
Clearly, these attacks aren't all meant to hit dotgov resources. The dotcom world is increasingly under attack. Remember recently when Iran blocked Twitter?
Vectors of cyber attacks: Social media
Social media has become the command and control nexus in 2011 as well, as the Operation Payback has shown this past month. Here's one viewpoint which talks about social media and cyber attacks:
"Attacks will follow the people. As social media and mobile computing continue to play a larger role in our networked environment, problems seen in these areas will continue to rise.
We should expect to see more vulnerabilities in both areas, and we should expect to see hackers take advantage of those vulnerabilities. We will see dedicated attacks making their way across social media, including unpleasant software, and improper "click-throughs."
We will see more fake people, fake profiles and falsified ratings, but probably not enough to shake faith in the trust of social media."
– Jon-Louis Heimerl, director of strategic security for Solutionary
With these invisible methods of cyber attack available, the hard questions start piling up. The first one is, how do we wrangle all of this information warfare? Recently we talked about one Navy veteran, Shawn Carpenter, and his winning the struggle with Sandia in New Mexico. Shawn's extracurricular activities could be deemed counter-intelligence, a critical component of any warfare, but in this instance directly related to cyberwarfare.
The open debate on whether software can be classified as a weapon, or weaponized, is one that still rages. Personally, I think that until legal challenges have made precedence, we're all in a bit of a grey area. Like Shawn Carpenter, we'll have to use our consciences to determine the best route through the darkness.
Recommendation for CIOs: Tread carefully and retain a legal advisory team with military law background as this battlefield develops.
Accountability for cyberwarfare by PMC/PSCs
In the military, the Uniform Code of Military Justice rules the enlisted and officer ranks. Federal law regulates civilians who are accused of crimes overseas. The Statute of Forces agreements are different in each country, so rendition of a suspect are negotiated differently as well.
The civilian and security contractor doesn't necessarily have the backing of the federal government to the same extent a soldier, airman or Marine might. You don't have a long chain of command reaching ultimately back to President Obama like every servicemember does. Therefore, what rules apply to misconduct?
Taking a solid look at the defensive cyberwarfare duties may also include existing cyber-consultants or contractors for the military. This means that if cyberwarfare is now a reality, the category of PMC or PSC logically should apply to those responsible for both physical and cybersecurity in the first decade of the 21st century.
The #cyberpmc twitter tag I mentioned earlier, referred to a very detailed article written by David Isenberg: Narrowing PMC Legal Ambiguity, where he quotes a paper about accountability called "War Contexts: The Criminal Responsibility of Private Security Personnel."
I'll quote David quoting the paper:
The propriety of the current national and international regulation applying to the criminal responsibility of PSC personnel can be questioned from the viewpoint of both equity and completeness.
In theory, it affords multiple means for trying PSC personnel responsible for war crimes or direct participation in hostilities.
In practice, the unwillingness or incapacity of States to prosecute proves a major obstacle for the efficiency of the system. By overcoming the frame of State sovereignty, the ICC [International Criminal Court] provides appropriate mechanisms for implementing the existing rules, but its jurisdiction is limited by the founding Treaty.
In other words, since physical security companies (PMC or PSC) have free reign, it might be worth watching the Watchmen when it comes to cyberPMCs. For lack of a better terminology, I'm using PMC interchangeably with PSC – at least until I get schooled by those who know better – all of you who care, post in the comments your preference. :)