• The cloud provider is not responsible for securing its customers’ data.
• Attacking a cloud-based service provides an economy of scale to the attacker.
• Mining the cloud provides a treasure trove of information for domestic and foreign intelligence services.

No security provisions

A Ponemon Institute study (pdf) on cloud security revealed that 69% of cloud users surveyed said that the providers are responsible, and the providers seemed to agree. However, when you review the terms of service for the world’s largest cloud providers, responsibility for a breach of customer data lies exclusively with the customer.

For example:

• From Amazon: “Amazon has no liability for …. (D) any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of your content or other data.”
• From Google: “Customer will indemnify, defend, and hold harmless Google from and against all liabilities, damages, and costs (including settlement costs and reasonable attorneys’ fees) arising out of a third-party claim: (i) regarding Customer Data…”
• From Microsoft: “Microsoft will not be liable for any loss that you may incur as a result of someone else using your password or account, either with or without your knowledge. However, you could be held liable for losses incurred by Microsoft or another party due to someone else using your account or password.”

Not only do none of the three top cloud providers assume any responsibility for data security, Microsoft goes one step further and places a legal burden upon its customers that it refuses to accept for itself.

An economy of scale

NASDAQ’s Directors Desk is an electronic boardroom cloud service that stores critical information for more than 10,000 board members of several hundred Fortune 500 corporations. In February 2011, an un-named federal official revealed to the Wall Street Journal’s Devlin Barrett that the system had been breached for more than a year. It’s unknown how much information was compromised as well as how or when it will be used.

From an adversary’s perspective, this type of breach offers an economy of scale that has never been seen before. In the past, several hundred Fortune 500 companies would have to be attacked, one company at a time, which costs the adversary time and money — not to mention risk. Now, one attack can yield the same amount of valuable data with a significant reduction in resources expended as well as risk of exposure.

An intelligence goldmine

China’s national champion firm Huawei is moving from selling telecommunications network equipment toward developing Infrastructure-as-a-Service software (IaaS) needed to provide a highly scalable public cloud like Microsoft’s Azure or Amazon’s EC2. If it sells IaaS with the same strategy that it uses in selling routers and switches, Amazon, Google, and Microsoft can expect to begin losing a lot of enterprise business to Huawei, which will cut pricing by 15% or more against its nearest competitor. Cloud customers can expect their data to reside in giant state-of-the-art server farms located in Beijing’s “Cloud Valley” — a dedicated 7,800-square-meter industrial area that is home to 10 companies focusing on various aspects of cloud technology, such as distributed data centers, cloud servers, thin terminals, cloud storage, cloud operating systems, intelligent knowledge bases, data mining systems, and cloud system integration.

Cloud computing has been designated a strategic technology by the People’s Republic of China’s State Council in its 12th Five-Year Plan and placed under the control of the Ministry of Industry and Information Technology (MIIT). MIIT will be funding research and development for SaaS (Software as a Service), PaaS (Platform as a Service), and IaaS (Infrastructure as a Service) models as well as virtualization technology, distributed storage technology, massive data management technology, and other unidentified core technologies. Orient Securities LLC has predicted that by 2015, cloud computing in China will be a 1 trillion yuan market.

According to the U.S.-China Council website, MIIT was created in 2008 and absorbed some functions from other departments, including the Commission of Science, Technology, and Industry for National Defense (COSTIND):

From COSTIND, MIIT will inherit functions relating to the management of the defense industry, with a scope that covers the national defense department, the China National Space Administration, and certain administrative responsibilities of other major defense-oriented state companies, such as the China North Industries Co. and China State Shipbuilding Corp. MIIT will also control weapons research and production in both military establishments and dual-role corporations as well as R&D and production relating to “defense conversion” — the conversion of military facilities to non-military use.

Clearly, the PRC has made a serious commitment to cloud computing for the long term. This doesn’t portend well for today’s private cloud service providers like NetApp or public cloud providers like Amazon, Google, and Microsoft — especially if buying decisions are based on price.

What to consider

The move to the cloud is both inevitable and filled with risk for high-value government employees, corporate executives, and companies engaged in key market sectors like energy, banking, defense, nanotechnology, advanced aircraft design, and mobile wireless communications, among others.

To make matters more complicated, cloud providers may move data to different server farms around the world rather than keep it in the same country as the corporation or individual that owns it. That could potentially put the customer’s data at risk for being legally compromised under foreign laws that would apply to the host company doing business there. For example, Microsoft UK’s managing director Gordon Frazier was recently asked at the Office 365 launch, “Can Microsoft guarantee that EU-stored data, held in EU-based datacenters, will not leave the European Economic Area under any circumstances — even under a request by the Patriot Act?” Frazier replied, “Microsoft cannot provide those guarantees. Neither can any other company.”

The best advice for individuals and companies at this time is to insist that cloud providers build a measurably secure infrastructure while providing legal guarantees and without the use of foreign data farms. Until that occurs, and it’s highly unlikely to happen without strong consumer pressure, there are significant and escalating risks in hosting valuable data with any cloud provider.

Inside Cyber Warfare, 2nd Edition — Jeffrey Carr’s second edition of “Inside Cyber Warfare” goes beyond the headlines of attention-grabbing DDoS attacks and takes a deep look inside recent cyber-conflicts, including the use of Stuxnet.

Associated photo on home and category pages: Dark Cloud, Blue Sky 2 by shouldbecleaning, on Flickr.

Related:

• 5 cloud computing conundrums
• Trend to watch: Formal relationships between governments and hackers
• Cyber warfare: don’t inflate it, don’t underestimate it
• How to prepare for a cyber attack

Here’s an updated version of an old Trickster tale that I
think is particularly relevant to the topic of this post–the national security
risks associated with a more open Government in general and social software in
particular.

Loki, the Norse God of mischief and mayhem, had taken to the
mountains for refuge after angering the other Gods with his latest antics. The
first thing he did was build a house with four doors; one on every side so that
he could see in all directions. With his Intrusion Detection System in place,
Loki spent the rest of his time playing in the water as a salmon, leaping
waterfalls and negotiating mountain streams.

One morning, Loki sat by a fire and considered how the gods
might capture him. Since he spent much of his time as a fish, Loki grabbed some
linen string and fashioned a fishing net of a size and weight sufficient to
snare him. Unfortunately, just as he finished, the other Gods rushed in. Loki
threw the net into the fire, transformed into a salmon, and swam away. Acting
quickly, the Gods extracted the ashes of the net from the fire and, from the
remnants, rebuilt Loki’s net, eventually ensnaring him in it.

Like Loki, we construct through our Twitter posts, Facebook
Wall entries and LinkedIn profiles our own unique “net” that sets us up for a
social engineering exploit, a financial crime, or an act of espionage.

The Trickster archetype aptly frames this discussion about
the risks and benefits of bringing Government into a Web 2.0 world because the
classic Trickster is neither good nor bad, but encompasses elements of both.
Too often, the debate surrounding Gov 2.0 becomes polarizing. Critics are
frequently grouped together as Gov 1.0 thinkers struggling against a 2.0 world,
while advocates sometimes embrace Gov 2.0 as a holy quest, refusing to
acknowledge any significant risks whatsoever.

I cannot emphasize enough that the surest way to slow our
progress toward a more technologically open Government is to try to craft this
debate in dualistic terms. Indigenous Trickster tales teach us that a more
valuable approach is to substitute utility for morality. Loki and Coyote (a
famous Trickster in Native American lore) both understand how to trap a fish
because they have swum as fish. Hyde writes in his book <a href="http://www.lewishyde.com/publications.html"Trickster Makes This
World that “nothing counters cunning like more cunning. Coyote’s wits are sharp
precisely because he has met other wits.”

There are serious and significant risks associated with
Government 2.0 and the use of Social Software from a national security
perspective that need to be talked about and addressed. It is a topic that is
both complex and far-ranging and deserves much more coverage than I can provide
in this post, although I hope to at least start the conversation at a new and
edgier level. To give some perspective to the problem, there are 22,000,000
employed by the U.S. government, not counting government contractors. That fact
alone makes Gov 2.0 a very significant technological evolution.

There is ample evidence that state and non-state actors are
engaged in finding ways to exploit vulnerabilities in the U.S.’s critical
infrastructure as well as the Department of Defense’s secure (SIPRNET) and
non-secure (NIPRNET) networks. Many of these attacks have been well-documented
by Inspectors General (IG) and Government Accountability Office (GAO)
investigations as well as through Congressional committee testimony by experts.
One of the easiest ways for an attacker to gain access to those protected
networks is not through the firewall, but through the user. In any secure
system, the human element is always the weakest link. As Tim Thomas wrote in
his excellent "Cyber-Skepticism" article
for IO Sphere, the mind has no firewall but skepticism. The attack vector that best takes advantage of that vulnerability is known as social engineering.

Do you recall how Matthew Broderick’s character cracked the
password for the DOD computer Joshua in the 1983 movie “War Games?" He
studied details about the life of its creator. That’s the same strategy that
David Kernell used when he allegedly hacked into Governor Palin’s Yahoo
account, except he had the benefit of a Web 2.0 invention known as Wikipedia.

How did the individuals behind the GhostNet espionage ring
manage to entice so many people (1300 computers in 103 countries) to open an
infected document which loaded a Chinese trojan named ghostRAT onto their
system? They crafted an enticing email and document that was tailor-made for
their audience — supporters and/or employees of the Office of His Holiness the
Dalai Lama. It was such an effective social engineering campaign that 30% of
the infected computers were in sensitive government offices. And to make
matters worse, most anti-virus programs failed to identify the Trojan.

In Cyber Warfare terms, these types of hacks are a part of
Computer Network Operations (CNO) known as Computer Network Exploitation (CNE).
Today, over 130 countries are developing a cyber warfare capability with CNE as
one component.

Social media like Twitter, Facebook, MySpace, LinkedIn,
GovLoop, and many others are very attractive venues for CNE by our adversaries
because they are easily accessible, target-rich environments that can be
exploited with little to no risk under cover of anonymity.

According to a recent study conducted for one of the U.S.
Armed Services, 60% of the service members involved in the study have posted
enough information on MySpace to make themselves vulnerable to adversary
targeting. And these weren’t only young recruits making bad Operations Security
(OPSEC) decisions. The 60% group included officers and enlisted troops from Intelligence and Security postings as well as other sensitive positions posting such things as units they have deployed with, new duty stations, personal medical data, job duties, information about training, and pictures of
themselves at deployed locations.

In their paper “Social Software and National Security,"
Mark Drapeau and Linton Wells discuss the use of Twitter by Colleen Graffy, formerly Deputy Assistant Secretary of State for
Public Diplomacy, to “impress her
personality and message on foreign media prior to arriving in their countries,
and after leaving.” As the authors point
out, there are positives and negatives to Graffy’s method of using Twitter. One
of the negatives that they do not address is that Graffy’s Twitter usage can
become a vector for a non-state hacker to exploit with a @colleen_graffy tweet
containing a malicious link disguised as a tiny URL. All of a sudden, Graffy‘s
public diplomacy 2.0 effort could result in a State Department computer
becoming a zombie.

The Open APIs on Twitter and Facebook provide a virtually
unlimited resource for building target profiles on employees of sensitive
government agencies like the Departments of Defense, State, Justice, Energy,
Transportation, and Homeland Security. The Twitter stream, for example, adds a
timeline for tracking when you’re at work, where you’re going after work, and
what you are doing right now.

Another risk category is disinformation. Twitter received a
lot of coverage during the Mumbai terror attacks of November, 2008 for its role
in covering the events in real time. Part of what emerged was the potential for
terrorists to use Twitter to propagate disinformation about their whereabouts;
i.e., to announce a new attack occurring at a wrong address, thus adding chaos
and confusion to an already chaotic situation.

Finally, there is the phenomenon of online trust. If you
work in a targeted industry, you will be approached, sooner or later, by
someone who isn’t who she claims to be for the purpose of gaining and
exploiting your trust to further her own nation’s intelligence mission. One of
the quickest ways to establish trust online is by finding things you both hold
in common. Both Twitter and Facebook postings excel at that discovery effort.

How do you mitigate the risks while enjoying the benefits of
Gov 2.0 and the social web? You do it by thinking like your opponent; or like
the Trickster. Read your post twice before you hit send; once as you and once
as your adversary who is looking to exploit you. If you work for the DOD or a
government contractor, start by re-reading your employer’s OPSEC guidelines and
edit your profile and your posts accordingly. If your office hasn’t created any
OPSEC guidelines for social media yet, please let me know. My company GreyLogic is
creating training for precisely that purpose. In the meantime, here are five
things that you can do right now to reduce your risk profile:

1. Involve your family members. They should understand that
by virtue of your employment with a department, agency, or service, their posts
are prime fodder for CNE. You can start by having them read this article.

2. Make OPSEC fun by making a game of it. For example, trade
Twitter or Facebook aliases among your coworkers and see how much information
you can learn about each other by using publicly available search tools. Then
draft two or three email topics that would entice that person to take your bait
if you were an adversary running a Spear Phishing operation. I promise that
you’ll be amazed at the results. In fact, you should do this same exercise with
your family members.

3. Be more skeptical about anyone who contacts you as a
result of your posting on a social network. See if you can find their Internet
footprint by searching on their name and email address. An alias with no
Internet history should immediately raise a red flag.

4. Anyone can start a DOJ, DHS, DOE or other government
agency community on Ning, LiveJournal, Facebook, etc. Don’t affiliate yourself
with any community that you don’t know for sure is an officially sponsored and
sanctioned one. Talk about shooting fish in a barrel.

5. Facebook recently reported that 70% of its traffic comes
from overseas. Become more cautious about who you friend and who is privy to
reading your posts.

In myth, like in life, the Trickster relies on the instincts
and appetites of his prey to spring his trap. For those of us in Government or
affiliated with Government, we would do well to remember that as we engage with
Gov 2.0 on the social web.

About three weeks before the start of the Russia-Georgia war last August, the Office of the Director of National Intelligence issued a directive entitled “Analytic Outreach”. In it, DNI McConnell authorized members of the 16 agencies that comprise the U.S. Intelligence Community (IC) to reach out to people outside the IC, “to explore ideas and alternate perspectives, gain new insights, generate new knowledge, or obtain new information.”

As someone who writes about Intelligence and National Security matters, particularly in the area of Cyber Warfare, this Directive was pretty inspiring to me. I had long held the opinion that Web technologists and researchers had an important role to play in Government. Unfortunately, I had no way of communicating that vision to anyone who mattered so I just decided to act on my own and launched an Open Source Intelligence gathering effort called Project Grey Goose, which brought together an eclectic mix of hackers, spooks, and techies from inside and outside the Intelligence Community.

Imagine how happy I was six months later to hear about a formalized and much easier way to bring outside expertise into the IC thanks to the dedicated efforts of a few intelligence professionals and the Deputy Director of National Intelligence for Analysis. Appropriately enough, this project is named BRIDGE.

According to its creator, Dan Doney, BRIDGE hopes to do for Public-Private collaboration what the iPhone Apps Store has done for the iPhone and its customers–produce a mind-boggling explosion of innovative applications for use by the Intelligence Community. We aren’t at the mind-boggling stage yet because BRIDGE is still in its infancy, but there are some pretty cool apps which I’ll describe in a moment.

In addition to being a development sandbox, BRIDGE also allows intelligence analysts to interact with outside experts whether they be in industry, academia, or other government agencies at the Federal, State, Local or Tribal level. Alternative analysis has long been a recommended approach to avoid myopic thinking by specialists. BRIDGE provides a platform for debating alternative viewpoints and comparing evidence across agencies, specialties, and borders of all kinds.

Since BRIDGE is Dan’s brainchild, I’ve asked him to convey its purpose and function:

BRIDGE is designed to enable crowd-sourcing of intelligence applications–following the iPhone AppStore model–by providing a low barrier-to-entry platform to stimulate innovation and enable analysts to discover next generation capabilities that have value to their mission.

BRIDGE takes the Wiki model which enabled end users to easily contribute textual content en masse, and extends it to technology providers, enabling them to contribute technologies that enhance the intelligence mission in a matter of days. It is important to emphasize BRIDGE is not a Web2.0 tool, it is a low barrier to entry environment where promising Web2.0 tools can be placed – and analysts can use them to uncover their value prior to acquisition.

Since BRIDGE exposes key web services that emulate the mission environment, promising tools can be plucked from BRIDGE and quickly integrated into classified environments. This enables providers to develop against these endpoints in an unclassified setting, get feedback from users enabling shorter development spirals, mash-up new combinations of services, and dramatically reduce the time it takes to transition software to the mission setting. BRIDGE uses a “perpetual beta” model giving users an EARLY look at technologies–and a chance to provide feedback while they are still maturing.

Another unique characteristic of BRIDGE is that it provides an environment for Analytic Outreach–a place where IC analysts can reach out to expertise elsewhere in federal, state, and local government, in academia, and industry. New communities of interest can form quickly in BRIDGE through the “web of trust” access control model–access to minds outside the intelligence community creates an analytic force multiplier.

Here are three of the six applications currently in use on BRIDGE. Dan tells me that dozens more are on the way.

Collaborative Analysis of Competing Hypotheses

• Web-based Analysis of Competing Hypotheses enables analysts to gather evidence collaboratively and think more critically about the plausible scenarios, mitigating bias
• Collaborative views enable analysts to hone in on differences, making debate more constructive and encouraging deeper reasoning

Hot Grinds

• HotGrinds serves as an evidence-based structured discourse forum at the crossroads of a wiki, a collaboration platform and social network
• Semantic search, expertise identification, and management overviews of debate provide greater collective awareness and enhanced collaboration

Visually Structured Analytic Software

• Organize ideas from many sources and many analysts into 2D conversation maps, significantly improving efficiency and situational awareness.
• Identify the strongest evidence on all sides of an issue by tracking individual user credibility and the wisdom of the crowd

One of the new applications coming up will be a Web-based version of Palantir Technologies‘ Analytic Platform, loaded with real data collected by myself and some Grey Goose colleagues during the Russia-Georgia cyber war.

If you’re interested in joining BRIDGE, the process is pretty simple.

1. Register at the BRIDGE portal.
2. Send Dan an email with a short description of your interest in BRIDGE.
3. Your request will be reviewed and if it’s deemed that there’s a match between your project or expertise and BRIDGE’s mission, you’ll be sponsored as a new member.