Home inFocus America's Global Reach (Summer 2013) Personal Privacy: Rest in Peace

Personal Privacy: Rest in Peace

Edward Masso Summer 2013

The recent daily deluge of news reports has shattered American’s confidence in the privacy of intensely personal information. The nation’s computers have been hacked by the Chinese, the United States government has been eavesdropping on private cell phone conversations, and many educational and industrial establishment computer networks have been hacked by unknown assailants. In short, it appears that every keystroke, screen, or document generated on personal and government computers is captured somewhere by someone, friend or foe, and there is nothing that can be done about it at this point. Welcome to the world of cyber-security and/or cyber warfare.

Assume that all personal, corporate, and military proprietary information has already been compromised in the cyber domain. Everything dear and personal is already available to those who have captured the information and hold it in repositories in the cloud, for use at any time the owner of the data deems it useful to advance their nefarious purposes.

Some of the risks of having private data compromised include: identity thieves who want to steal money or misrepresent identities for other purposes, insurance companies that want to assess the risk of injury or death based on lifestyle profiling, companies that want to predict buying habits, and others who just want to invade people’s privacy. Some clever hackers want to simulate that their network penetration attack came from a source such as another country, or network IP address, just to stir things up diplomatically or to mask their original identity.

Almost from the beginning of the matriculation of computers into the mainstream of American life, there have been those who want to invade people’s privacy through hacking. Viruses, Trojan horses, and other malicious software (malware) have corrupted computers. The symptoms could be denial of service, embarrassing attachments to personal emails from hacked accounts, or seriously degraded computer performance. The billion-dollar computer software security businesses have done little to protect consumers from many of these threats, as they find them only after a virus has been detected. Then their team of software engineers creates a workaround scheme and eventual download of a means to block what has already infected scores of computers. Tracking software such as “cookies”—which are placed into computers with the permission of the user as a condition to download free software applications—have developed into highly sophisticated profiling tools to monitor and record every keystroke of the user’s online activity. These entities then sell personal data to other entities that profile personal habits and buying preferences without anyone’s personal consent.

Companies that sell network and anti-virus protection promise ironclad defenses against all threats, but in fact, are hamstrung first by always being behind a threat, and second because consumers allow interlopers access to their private transactions, virtually by inviting them in with permission. The challenge of discovering and prosecuting these data pirates is daunting, as sophisticated hackers mask their IP address of origin through IP spoofing techniques that make tracking their identity and location nearly impossible. When hacking activity is discovered, little is done by authorities to conduct the police work one would expect from law enforcement in the cyber-crime domain. The norm is to blame users for not securing their data more responsibly.

From recent news reports, it is abundantly clear that the cyber “problem” is at crisis proportion. The three-letter code agencies and military services have coined terms such as Information Dominance—defined as “the ability to use information systems and capabilities to achieve an operational advantage in a conflict, or to control the situation in operations other than war, while denying those capabilities to an adversary. It is the combination of communications, intelligence, information operations, decision support and control of forces. It is the organizational vision of these agencies and services to ensure our warfighters are properly equipped to enable this dominance.”

In 2009, the U.S. Navy transformed itself and performed three actions to address the cyber threat. It aligned its intelligence and information technology functions into a single organization (OPNAV N2/N6), stood up the Fleet Cyber Command/United States 10th Fleet, and created the professional career path of the Information Dominance Corps. These alignments placed intelligence, surveillance, and reconnaissance functions, electronic warfare, information warfare, cyber, maritime domain awareness, networks, command, control, communications, and computers, space, unmanned capabilities and the oceanographer of the Navy into a single center of excellence for budgeting, resource sponsorship, and for manning, equipping, and training the corps of information dominance professionals. Their timing was propitious.

Operation Olympic Games

2010 was a banner year for the introduction of cyber warfare. Terms such as malware (malicious software), Stuxnet (computer worm), Flame (embedded mapping and monitoring computer network to gain intelligence), worms, and trojan horses rolled off the tongue of Americans as contemporary slang, thanks in part to the joint Israeli-United States Operation “Olympic Games,” where the Iranian Natanz nuclear centrifuge facility was effectively destroyed by cyber-attack. “Olympic Games” became the first known and widespread use of cyber-attack by one nation against another. It is worth exploring in greater detail. Note that the commentary below was all obtained from a careful analysis of open source and reliable news reporting data.

Since 2005, Iran has misrepresented to the International Atomic Energy Agency (IAEA) its nuclear intentions, constructing a plant in Natanz where it created a centrifuge facility. A centrifuge is equipment driven by electric motors that puts an object into rotation around a fixed axis applying a force perpendicular to the axis. In a nuclear application centrifuges separate isotopes. The heavier isotope of uranium 238 in the uranium hexafluoride gas concentrates at the walls of the centrifuge as it spins. The desired uranium 235 is extracted inside the centrifuge for the purpose of producing nuclear weapons. In May 2010, Iran reported to the IAEA that it had already produced 2.5 metric tons of low-enriched uranium, enough to produce two weapons. The Iranians showed little evidence that their intentions were consistent with using this low-enriched uranium for power-generation purposes.

The U.S.-Israel strategy was to destroy the centrifuges by means of cyber-attack. Using a combination of means including inserting malware, Flame, and Stuxnet viruses, the centrifuges issued commands to the hardware controlling the spin rate causing them to break apart. The indicating gauges showed either no change in rate of speed, or reduction in rate of speed, causing operators to increase the rate when in fact they should have reduced the speed or shut them down completely. By opening and closing valves that fed hydrogen hexafluoride gas into centrifuges, increasing rotating speeds, and by manipulating operator commands, the centrifuges self-destructed much the same as precision-guided missile strike, or air attack, would have accomplished. The Natanz nuclear plant suffered catastrophic damage via the joint effort of Israel and the United States, and “Olympic Games,” became a game-changer for everyone in terms of cyber warfare. It created the atmosphere of one-upmanship and more aggressive attempts at invading computer networks in the United States and throughout the world.

The Risk at Home

At risk to Americans at home in the cyber domain are attacks against critical infrastructure such as banking institutions, power grids, water supplies, FAA radar systems and commercial aviation, bridges and tunnels and roadways, public/official communication systems, and medical treatment facilities. In fact, the next 9/11-like event could be a cyber-9/11 event affecting the aforementioned critical infrastructures and disrupting life in ways previously unconsidered.

There would be widespread panic if the Federal Aviation Administration (FAA) radar systems went down or were rendered unreliable. The net effect to commerce and personal or business travel would be catastrophic. Banking transaction service interruption would create havoc in the U.S. economy and outrage in the public. Changes to cell phone communication behavior, text messaging, even the inability of modern automobile computers to operate would severely and negatively affect everyone. It’s not only a strong possibility; if things don’t change soon, it is very likely.

Trademark or patent infringement is another consequence of network hacking. The Chinese have publicly stated with great arrogance that they have the blueprints and system architectures of some of America’s most trusted industrial secrets in submarine technology, AEGIS combat systems, and even war plans and warfighter deployment processes and protocols. If they are to be believed, as many experts do, the U.S. government must reinvent the way in which it communicates between elements of the military-industrial complex, and even how civilians operate their computers at home will be affected.

Practicing Computer Security

The obvious measures at home include the basic rules of good computer security, which are too often disregarded as too cumbersome or time consuming:

  • Password protection should combine letters, symbols and numbers with large and small case letters and should be changed frequently.
  • Wifi, computer log-in, and anything that allows for the insertion of a password, such as cell phones, tablets, or other devices should be password protected.
  • Nothing should be downloaded from unreliable or unknown sources. E-mail should be treated like a phone—most people don’t answer a phone call from an unidentified source; if the source is unknown and the message contains an attachment, it should be deleted.
  • Anti-spam/network security software should be updated, scanned, and monitored bi-weekly or monthly at the latest. They cannot be effective if they are not current with the security company’s behind-the-scenes work.
  • Online financial business should only be transacted with reliable and known companies or agencies.
  • Personal or password information should never be given to anyone, ever; trustworthy companies wouldn’t ask.

For companies in the industrial base, it is important to treat network security as if it was protecting the most precious family assets. Rigorously vet IT leadership and only hire individuals who really know the business. This doesn’t necessarily mean a Doctorate in Computer Science. Consider finding the prodigy who knows every aspect of the applications of the computer’s functions rather than someone who looks good on paper; someone to address the future, not mired in the faulty past. Consider network protection systems that are end-point to end-point secure within the network infrastructure that only host those functions that are pertinent to your business and security requirements. Seek consultation with three-letter agency professionals and find out the extent to which they’ll discuss what they consider secure.

Issues with America’s Cyber Policies and Practices

While Americans can be very proud of the collaboration between the United States and Israel in operation “Olympic Games”, there exist many concerns in America’s cyber policies and practices.

  • Agency collaboration. Skeptics believe America’s cyber security professionals are not sharing with each other everything they know about threats, network protection, or the vast array of unique activities that are penetrating computer firewalls.

  • Banking networks are ripe for hacking, and the RSA ID compromise of 2011 reveals just how vulnerable banking networks have become. This area continues to be high risk for consumers as well as corporations.

  • The military services Information Dominance Corps. The services have behaved with this corps as if these specialists were traditional infantrymen, artillerymen, or unrestricted line officers. The successful career model does not apply to this career path. The true cyber, or computer expert should be hired for the domain knowledge and expertise needed by today’s military, not by the archaic model that applies to 99% of military service career paths.

  • Sovereignty and prosecution. If a cyber-attack is made from a hotel room in Tallinn, Estonia by three 18 year-old hackers who are smart enough to penetrate a computer system’s firewalls, how would the U.S. government really know who the sponsor is? It doesn’t. Were the hackers being mischievous, or did a nation state sponsor their work? What is the government doing to make this distinction?

  • Computer scientists who change allegiance to the U.S. and compromise data or national secrets with the press, other countries, or Wiki-leaks. This trend is widespread and increasing. The person who relayed the story about the NSA eavesdropping on private citizens through their cellphones fits into this category. Is he a whistle-blower, or traitor?

  • Treaties that govern our relations with NATO, with their Cold War-centric doctrine of “an attack against one country in NATO is an attack against us all,” are cumbersome in the cyber domain. Have there been sufficient and satisfactory cyber-protection mandates that make NATO (or other coalition partnership) nations nominally equal in network security? Will the U.S. government prosecute a hacker for another country’s failure to sufficiently protect itself? Are the standards satisfactory? Have there been minimum standards delineated for coalition partner network security?

  • Cyber-Offense/Cyber Attack. If a person violates the security fence around a military base or other guarded private property there will be swift and decisive consequences. When the aforementioned 18 year-olds in Tallinn, Estonia hacked into the wrong U.S. government computer system, there should have been cyber consequences—such as attacking them back. As Jim Malone told his protégé, Elliott Ness in The Untouchables, “If they send one of us to the hospital, we send one of theirs to the morgue.” In the absence of visible consequences against hackers, the environment continues to be ripe for more malicious activity.

Confidence in network protection and security by the public is low and Americans should demand more of critical infrastructure partners—such the banking and finance industry—and the government in protecting the country’s national secrets and personal privacy.

These are very volatile and disruptive times. Given the sad state of the world economy, the endless proliferation of hackers from countries including China and Russia, and organizations such as al-Qaeda and the Taliban, along with simple nuisance hackers, private information is no longer an entitlement of being an American. Who will demand that the U.S. be better at network and cyber security than it is today? If no one steps up, cyber security’s metaphoric epitaph will read, “Personal Privacy—Rest in Peace.”

Edward Masso is a retired Navy Rear Admiral and Senior Fellow in Cyber Security at the Potomac Institute for Policy Studies. He presently serves as the Chief Operating Officer for the State of North Carolina’s Department of Public Safety. His consulting firm is Flagship Connection.