From traditional hackers to PacCERT

I thought that I would post this piece that formed part of my half-day workshop on information security at PacINET 2008 in the Cook Islands. My slides were almost the same set that I used last year in Honiara.

Historically speaking, information security is not new. There is evidence of people protecting and of course attacking information in all cultures as far back as there is a historical record. If we take early missionary accounts in Fiji, for example, as containing at least a kernel of truth, we find that access to spiritual information was a closely protected monopoly of a priestly class. The confidentiality, integrity, and availability of information from the world beyond – which was extremely valuable information about the weather, the future, the correct course of action, and many other things – was strictly limited to established priests who seem to have been kept under close control by the chiefs.

However, even pre-European contact Fiji had its hackers. Living at the fringes of Vitian society were (and still are in remote areas) medicine men and witches who could also tap into spiritual information. Their status as relative social outsiders made them either an enemy or a counter-balance to the priestly information monopoly. Some witches and medicine men could even hack (I mean, influence) the spiritual world and alter the confidentiality, integrity, or availability of information to priests.

Even the technology focused information security that jumps to mind when we hear terms like infosec, has very old and mostly military roots going back in Europe to before the time of Christ. One perspective that is used in military, governmental, and business circles today is that information security forms the defensive aspect of information warfare – that is the part of information warfare that is concerned with protecting information assets. For example, information security was something that the USA knew that Iraq was lacking in the first Gulf War in 1991 when they disabled Iraqi air defense computers with a virus smuggled in on dot matrix printers (see Dorothy Denning, Information Warfare and Security, 1991).

Of course, with the rise of the personal computer and the Internet in recent history, information security has become much more than a military concern. With the growth of the so-called information economy has come an equal and predicable growth of information crime, leading to some staggering statistics including a 2005 estimate that the cost of computer crime in the USA exceeded the size of the combined economies of all the nations in the South Pacific.

I have been quoted in the past as saying that despite all of the fascinating mathematics and technology that underly modern infosec, information security is fundamentally a very human discipline. Certainly, no one likes to have money stolen from them, but increasingly information security is focusing on our privacy, our public personae, our collective identity, our fundamental rights, and even our legal identity.

Fiji's anti-government bloggers, who are only able to voice their (all too often slanderous) opinions due to technology which assures their anonymity, are playing a role in shaping the future of Fiji and the region. Only time will tell how significant that role is. However, anonymous political activists everywhere should be wary of the behavior of America's Internet giants in repressive regimes, as they are not always on your side. The most striking example is the case of the activist Shi Tao who was essentially handed over to Chinese authorities by US-based Yahoo. Yahoo, and other international firms, have agreed to work with Chinese authorities in order to gain access to the immense Chinese market.

Information security even has a role in protecting the function of entire nations. Take the case of Estonia, a small former Soviet republic on the coast of the Baltic Sea with a population of around 1.3 million people. In May this year, Estonia moved a certain Russian war memorial to a location more desirable to Estonians but less desirable to Russian nationals living both in and out of Estonia. Soon, various blogs were posting instructions on how to wage a denial of service attack against Estonian institutions, and a little while later, this attack was in full swing bringing down government and financial sector systems across the tiny maritime nation. Should this story concern other, perhaps more tropical, small maritime nations who are rushing to get their institutions online? The answer is a resounding, "Yes".

Still, one of the largest challenges facing information security today is the heady combination of social engineering and user ignorance. Many computer criminals have discovered that hacking just does not pay off as well as simply fooling people into giving up either their money (to help move funds out of Nigeria to help a poor window, for example) or enough information to get to their money. To give a somewhat trivial example, I have never received so many chain emails from people I know since I came to Fiji – and I was part of the first wave of Internet users in Canada. It goes without saying that nations with large populations of new Internet users are more at risk.

Technology policy makers in the South Pacific should indeed be worried by all of this. By joining the global information economy, the region is embarking on an enterprise that is as fraught with danger and as ripe with rewards as the great Melanesian and Polynesian migrations of days past. Fortunately, it is not necessary to sail the seas blind – technology policy navigators need only to look across the ocean to the experiences of other nations to see what problems to expect and which solutions are effective.

ICT, information warfare, and the RFMF

Note to RFMF readers: I would be very interested in hearing your comments on this post.

The Royal Fiji Military Force (RFMF) recently posted a document entitled Commander's Intent 2008 on the their website. This statement of intent forms sort of a strategic plan for the RFMF for 2008 and beyond. It is broken up into three main sections:

• One section dealing with "Good Governance in the RFMF", including issues such as policy and legal compliance, formal planning, and budgetary restraint;
  
• One section that is a kind of environmental scan of the current internal and external situation in Fiji, including social and economic pressures, race relations, regional security, and a survey of the RFMF's "competition" within Fiji, "there had been a move to replace the RFMF with a reinvigorated and robust police force," and in the region including Commonwealth forces recruiting soldiers away from the RFMF; and
• A large section outlining the Commander's strategic ideas for the coming year.

I was curious to see what this document would say, if anything, about ICT in general and information warfare in particular. In the environmental scan section the document makes the following optimistic statement about Fiji's ICT potential, "Technologically, Fiji can be the Singapore of the region." Only to burst that bubble in the very next sentence, "Unfortunately we continue to lag behind badly and this has affected our ability to grow like Singapore." No additional information is provided about who we are lagging behind, what is the cause of the lag, nor how said lag can be overcome.

ICT is referred to explicitly three additional times in the list of actions that the RFMF is considering in 2008.

• "Improve logistic support system,"
• "Develop a modern reliable and secure communications system," and
• "Develop a computerization and IT system for the RFMF."

While these seem valuable strategic activities, it should be understood that these three are nearly lost in a lengthy list of 50 actions that are under consideration for the 2008 budget. Clearly, ICT is not high on the military priority list. Let's examine each of these in turn.

LSS
While I do know a thing or two about electronic procurement, I am the first to admit that I know nothing about logistics support systems (LSS); and I am not familiar with what the RFMF currently has deployed. Certainly they will need to equip their logistics personnel with computers, wireless equipment, and assorted electronic inventory management apparatus - not to mention training - in order to take full advantage of a modern LSS.

Secure Communications
My informal survey of civilians who have had email contact with RFMF officers revealed two facts. First, RFMF officers use free email accounts from US vendors (i.e. Hotmail, Yahoo, etc.), at least to communicate with civvies. Using these American services makes spying on RFMF communication quite simple for US intelligence services, not to mention the risk due to the notorious insecurity of these services. Still, these are not a problems as long as these free accounts are limited to use for unclassified communications only. There is a mail exchanger (MX) registered for RFMF email addresses pointing to a server operated by Connect. Could this be the military's current/future secure mail server?

Second, my survey revealed that RFMF officers do not have Internet access in RFMF facilities and that officers must leave their bases in order to access the net. However, this cannot be entirely true. For one thing, there is a webmaster's Unwired email address posted at the bottom of the RFMF home page. This indicates that there is at least one wireless modem in RFMF facilities around the country. For another, according to an issue of the RFMF newsletter, there is an Internet Cafe located at QEB.

Our soldiers are so fortunate to be given this opportunity especially the Other Ranks and they will no longer go to town because we now have our own, and I would urge them to make good use of it," said the Commander Land Forces.
[Internet cafe to boost troops' interoperability, Mataivalu News, Feb. 2007, p13]

The newsletter states that soldiers can purchase Internet access cards in $5, $10, and $15 denominations.

Of course, there is a lot more to digital military communications than email, but one must walk before one can run.

IT
In terms of establishing a state of the art military ICT infrastructure, the RFMF clearly has some challenges to overcome and room to grow. It will be difficult to establish such an infrastructure when the organization seems much more focused on the purely physical side of soldering. While the Commander's intent does mention the "changing nature of warfare", a phrase that evokes the increasing importance of information warfare and asymmetric conflict, the bulk of the 50 potential action items listed in this document involve enhancing the RFMF's physical operational capabilities. Of course, military forces often conceal their information warfare capabilities in terms of signals intelligence, cryptology, and system and network attack and defense - could there be more beneath the surface?

Absent?
In terms of ICT, what is missing from the Commanders statement of intent? There is no mention of plans to develop the RFMF's capacity to wage offensive or defensive information warfare. There is no mention of how the RFMF plans to compensate for the high-tech support and training that they used to receive from the Australian and New Zealand forces. There is no mention of plans to use private contractors to shore up RFMF's high-tech expertise, such as the Indian hackers rumored to have been employed last year or the consultations with FINTEL experts over anti-government bloggers. There is no mention of investing in media and public affairs training for officers.

As I have written about before, Fiji's current crisis is not a traditional military conflict, but rather a battle for the supremacy of ideas - the new ideas of the interim regime vs. the old ideas of the Qarase government. Fiji's current crisis is a 4th generation warfare (4GWF) conflict, where the focus is not on physically outmaneuvering one's opponent, but rather on winning the battle for public opinion. To quote Kim Taipale,

4GWF is political war -- superior political will, when properly employed, can defeat greater economic and military power... In 4GWF conflicts, nonmilitary instruments of power (information) trump military solutions (warfare, technology, and firepower). Information constrains the exercise of kinetic power but kinetic power cannot constrain information power.
[Seeking Symmetry in Fourth Generation Warfare: Information Operations in the War of Ideas. March 2006]

The possibility that political will could overcome the RFMF's monopoly on military power in Fiji should be a concern. Yet most of the activities under consideration, other than winning "the hearts and minds of the local population through professionalism," are purely 3GWF considerations - that is focused on informed, flexible, and rapid physical deployment of military force.

To be successful with its cleanup campaign, the RFMF needs to win a conflict where the battlespace is bounded by communications technologies (including Fiji's ineffable but very effective coconut wireless) and the content of the stories that these technologies communicate. To be successful, it is in this battlespace, the informationspace, that the RFMF needs to increase its operational capacity. [Note: This morning's Fiji Times reports that the interim government is reviving the National Security Council and the Fiji Intelligence Services. Does this signal a change in focus or are these purely civilian initiatives?]

By way of conclusion I offer two quotations - one from a Russian Major-General and one from the most wanted man in the world - both of whom understand 4GWF better than anyone in the Pacific.

We are approaching a stage of development when no one is a soldier anymore but everyone is a participant in combat action. The task now is not to inflict losses in men and material but to thwart an enemy's plans, demoralize it, undermine its worldview, and destroy its intrinsic values."
[Maj. Gen. G.A. Berezkin, Deputy Head of the Russian Federation Defense Ministry Center of Military-Technical Information Studies, in Lessons from the war in Iraq, Military Thought (May 1, 2003). Quoted in Taipale.]

It is obvious that the media war in this century is one of the strongest methods; in fact, its ratio may reach 90% of the total preparation for the battles.
[Osama bin Laden, 2002. Quoted in Taipale.

Photos by: soldiersmediacenter

Security and Pacific technology policy

The following is derived from my workshop on Information Security at PacINET 2007. My slides are available on SlideShare.

Historically speaking, information security is not new. There is evidence of people protecting and, of course, attacking information, information systems, and the flow of information in all cultures as far back as there is a written record. If we take early missionary accounts in Fiji, for example, we find that access to spiritual information was a closely protected monopoly of a priestly class. The confidentiality, integrity, and availability of information from the world beyond – which included extremely valuable information about the weather, the future, the correct course of action, the afterlife, and many other things – was strictly limited to established priests who held a close relationship with the local chief.

However, even pre-European-contact Fiji had its hackers. Living at the fringes of Vitian society were (and still are in remote areas) medicine men and witches who could also tap into spiritual information. Their status as relative social outsiders made them either an enemy or a counter-balance to the priestly information monopoly. Some witches and medicine men could even hack (I mean, influence) the spiritual world and alter the confidentiality, integrity, or availability of information available to priests by counteracting the priestly influence on the divine or by uttering counter-prophecies.

In European culture, information security has a solidly military origin dating back, at least, to Julius Caesar's encrypted military communications. What is commonly termed information security today is really the defensive aspect of information warfare – that is, the part of information warfare that is concerned with protecting information assets.

Of course, with the rise of the personal computer and the Internet in more recent history, information security has become much more than a military concern. With the growth of the so-called information economy has come an equal and predicable growth of information crime, leading to some staggering statistics including a 2005 estimate that the cost of computer crime in the USA exceeded the size of the combined economies of all the nations in the South Pacific.

I have been quoted in the past as saying that despite all of the fascinating mathematics and technology that underly modern infosec, information security is fundamentally about people. Certainly no one likes to have money stolen from them, but increasingly information security is about our privacy, our public personae, our collective identities, and even our fundamental rights. Fiji's anti-government bloggers are only able to voice their opinions due to the security mechanisms provided by their blog hosts which assure their anonymity. Whatever you think of their opinions, they are one of the few voices of opposition to Fiji's interim regime and are undoubtedly playing a role in shaping the future of Fiji and the region. Only time will tell how large or small that role is.

Still, anonymous political activists everywhere should carefully follow the recent behavior of America's Internet giants, as they are not always on your side. The most striking example is the case of the activist Shi Tao who was essentially handed over to Chinese authorities by US-based Yahoo. Yahoo, and many other international firms, have agreed to cooperate with Chinese authorities – even at the expense of their individual customers – in order to gain access to the immense Chinese market.

Information security even has a role in protecting the function of entire nations. Take the case of Estonia, a small former Soviet republic on the coast of the Baltic Sea with a population of around 1.3 million people. In May this year, Estonia moved a certain Russian war memorial to a location more desirable to Estonians, which enraged many Russian nationals living both in and out of Estonia. Soon, blogs were posting instructions on how to wage a denial of service attack against Estonian institutions, and a little while later, this attack was in full swing. Numerous government and financial sector systems across the tiny maritime nation were brought to a stand still and international experts had to be flown in to curb what some described as an Internet riot. Should this story concern other, perhaps more tropical, small maritime nations who are rushing to get their citizens and institutions online? The answer is absolutely “yes”.

Still, one of the largest challenges facing information security today is the heady combination of social engineering and user ignorance. Many computer criminals have discovered that hacking just does not pay off as well as simply fooling people into giving up either their money (to help move funds out of Nigeria to help a poor window, for example) or enough information to get to their money. Wide spread user naiveté is widespread in the South Pacific. I have never received so many chain emails from friends and acquaintances since I came to Fiji – and I was part of the first wave of naive Internet users in Canada!

Technology policy makers in the South Pacific should indeed be worried by all of this. By joining the global information economy, the region is embarking on an enterprise that is as fraught with danger and as ripe with rewards as the great Pacific migrations of days past. Fortunately, it is not necessary to sail the seas blind – technology policy navigators need only look across the ocean to the experiences of other more wired nations to see what problems to expect and which solutions will be effective.

Photo by: bhikku