NATO mulls ‘offensive defense’ with cyber warfare rules

By Robin Emmott

TARTU, Estonia (Reuters) – A group of NATO allies is considering a more muscular response to state-sponsored computer hackers that could involve using cyber attacks to bring down enemy networks, officials said.

The United States, Britain, Germany, Norway, Spain, Denmark and the Netherlands are drawing up cyber warfare principles to guide their militaries on what justifies deploying cyber attack weapons more broadly, aiming for agreement by early 2019.

The doctrine could shift NATO’s approach from being defensive to confronting hackers that officials say Russia, China and North Korea use to try to undermine Western governments and steal technology.

“There’s a change in the (NATO) mindset to accept that computers, just like aircraft and ships, have an offensive capability,” said U.S. Navy Commander Michael Widmann at the NATO Cooperative Cyber Defence Centre of Excellence, a research center affiliated to NATO that is coordinating doctrine writing.

Washington already has cyber weapons, such as computer code to take down websites or shut down IT systems, and in 2011 declared that it would respond to hostile cyber acts.

The United States, and possibly Israel, are widely believed to have been behind “Stuxnet”, a computer worm that destroyed nuclear centrifuges in Iran in 2010. Neither has confirmed it.

Some NATO allies believe shutting down an enemy power plant through a cyber attack could be more effective than air strikes.

“I need to do a certain mission and I have an air asset, I also have a cyber asset. What fits best for me to get the effect I want?” Widmann said.

The 29-nation NATO alliance recognized cyber as a domain of warfare, along with land, air and sea, in 2014, but has not outlined in detail what that entails.

In Europe, the issue of deploying malware is sensitive because democratic governments do not want to be seen to be using the same tactics as an authoritarian regime. Commanders and experts have focused on defending their networks and blocking attempts at malicious manipulation of data.

Senior Baltic and British security officials say they have intelligence showing persistent Russian cyber hacks to try to bring down European energy and telecommunications networks, coupled with Internet disinformation campaigns.

They believe Russia is trying to break Western unity over economic sanctions imposed over Moscow’s 2014 annexation of Crimea and its support for separatists in eastern Ukraine.

“They (Russia) are seeking to attack the cohesion of NATO,” said a senior British security official, who said the balance between war and peace was becoming blurred in the virtual world. “It looks quite strategic.”

Moscow has repeatedly denied any such cyber attacks.

ESTONIAN ‘CYBER COMMAND’

The United States, Britain, the Netherlands, Germany and France have “cyber commands” — special headquarters to combat cyber espionage and hacks of critical infrastructure.

Estonia, which was hit by one of the world’s first large-scale cyber attacks a decade ago, aims to open a cyber command next year and make it fully operational by 2020, with offensive cyber weapons.

“You cannot only defend in cyberspace,” said Erki Kodar, Estonia’s undersecretary for legal and administrative affairs who oversees cyber policy at the defense ministry.

Across the globe this year computer hackers have disrupted multinational firms, ports and public services on an unprecedented scale, raising awareness of the issue.

NATO held its biggest ever cyber exercise this week at a military base in southern Estonia, testing 25 NATO allies against a fictional state-sponsored hacker group seeking to infiltrate NATO air defense and communication networks.

“The fictional scenarios are based on real threats,” said Estonian army Lieutenant-Colonel Anders Kuusk, who ran the exercise.

NATO’s commanders will not develop cyber weapons themselves, but allied defense ministers agreed last month that NATO commanders may request that nations allow them to use national cyber weapons when needed.

(Reporting by Robin Emmott; Editing by Peter Graff)

Exclusive: U.S. Homeland Security found SEC had ‘critical’ cyber weaknesses in January

By Sarah N. Lynch

WASHINGTON (Reuters) – The U.S. Department of Homeland Security detected five “critical” cyber security weaknesses on the Securities and Exchange Commission’s computers as of January 23, 2017, according to a confidential weekly report reviewed by Reuters.

The report’s findings raise fresh questions about a 2016 cyber breach into the U.S. market regulator’s corporate filing system known as “EDGAR.” SEC Chairman Jay Clayton disclosed late Wednesday that the agency learned in August 2017 that hackers may have exploited the 2016 incident for illegal insider-trading.

The January DHS report, which shows its weekly findings after scanning computers for cyber weaknesses across most of the federal civilian government agencies, revealed that the SEC at the time had the fourth most “critical” vulnerabilities.

It was not clear if the vulnerabilities detected by DHS are directly related to the cyber breach disclosed by the SEC. But the report shows that even after the SEC says it “promptly” patched the software vulnerability behind the 2016 hack, critical vulnerabilities still plagued the regulator’s systems.

The SEC’s disclosure, coming two weeks after credit-reporting company Equifax <EFX.N> said hackers had stolen data on more than 143 million U.S. customers, has sent shockwaves through the U.S. financial sector.

An SEC spokesman did not have any comment on the report’s findings.

It is unclear if any of those critical vulnerabilities, detected after a scan of 114 SEC computers and devices, still pose a threat.

During the Obama administration, such scans were done on a weekly basis.

“I absolutely think any critical vulnerability like that should be acted on immediately,” said Tony Scott, the former federal chief information officer during the Obama administration who now runs his own cybersecurity consulting firm.

“This is what was at the root of the Equifax hack. There was a critical vulnerability that went unpatched for some long period of time. And if you’re a hacker, you are going to … try to see if you can exploit it in some fashion or another. So there is a race against the clock.”

For the past several years, the Department of Homeland Security has been producing a report known as the “Federal Cyber Exposure Scorecard.” It provides a weekly snapshot to more than 80 civilian government agencies about potential outstanding cyber weaknesses and how long they have persisted without being patched.

A directive by Homeland Security requires agencies to address critical vulnerabilities within 30 days, though sometimes that deadline can be difficult to meet if it might disrupt a government system.

The January snapshot shows improvements have been made across the government since May 2015, when there were a total of 363 critical vulnerabilities on devices across all of the civilian agencies, according to the report.

As of January 23, by contrast, there were a total of 40 critical vulnerabilities across the agencies reviewed by DHS and another 280 weaknesses categorized as “active high,” the second most severe category.

The top four agencies with the most “critical” vulnerabilities as of January 23 included the Environmental Protection Agency, the Department of Health and Human Services, the General Services Administration and the SEC.

However, more vulnerabilities do not necessarily mean one agency is worse than another because things depend on how many computers or devices known as “hosts” were scanned and what kinds of information could potentially be exposed.

“All it takes is one,” Scott said. “You can have one host and one vulnerability and your risk might be 10 times as high as someone who has 10 hosts and ten vulnerabilities.”
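As an added illustration of how a weekly exposure snapshot of the kind described above is assembled (this is example code written for this page, not DHS’s scorecard or anything from the article), the following computes per-agency counts by severity, how long each finding has been outstanding against a remediation deadline, and criticals per scanned host, which is the normalization Scott’s “one host, one vulnerability” point is about. The 30-day window for “critical” is the directive cited in the article; the 90-day window for “high”, the agency named “Agency X”, the host names, plugin IDs and first-seen dates are all constructed sample data. The SEC row uses the article’s figures (five criticals, 114 hosts scanned) with invented dates.

```python
"""Added example for this page, not DHS's scorecard: vulnerability aging and
per-host density from constructed scan findings."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Remediation deadlines in days by severity. 30 days for "critical" is the DHS
# directive cited in the article; 90 days for "high" is an assumed value.
SLA_DAYS = {"critical": 30, "high": 90}


@dataclass(frozen=True)
class Finding:
    agency: str
    host: str          # scanned device ("host")
    plugin: str        # scanner check that fired (constructed identifier)
    severity: str      # "critical" or "high"
    first_seen: date   # date the finding first appeared in a weekly scan


def days_open(f: Finding, as_of: date) -> int:
    """Days the finding has persisted without being patched, as of the snapshot."""
    return (as_of - f.first_seen).days


def overdue(f: Finding, as_of: date) -> bool:
    """True once the finding has outlived its severity's remediation window."""
    return days_open(f, as_of) > SLA_DAYS[f.severity]


def scorecard(findings, hosts_scanned, as_of):
    """Per-agency snapshot: counts by severity, overdue count, age of the oldest
    open finding, and criticals per scanned host."""
    by_agency = defaultdict(list)
    for f in findings:
        by_agency[f.agency].append(f)
    rows = {}
    for agency, fs in by_agency.items():
        crit = [f for f in fs if f.severity == "critical"]
        high = [f for f in fs if f.severity == "high"]
        rows[agency] = {
            "critical": len(crit),
            "high": len(high),
            "overdue": sum(overdue(f, as_of) for f in fs),
            "oldest_days": max(days_open(f, as_of) for f in fs),
            "critical_per_host": len(crit) / hosts_scanned[agency],
        }
    return rows


def rank_by_critical(rows):
    """Agencies ordered by raw critical count, the ordering the article reports."""
    return sorted(rows, key=lambda a: (-rows[a]["critical"], a))


def rank_by_density(rows):
    """Agencies ordered by criticals per host, the normalization Scott argues for."""
    return sorted(rows, key=lambda a: (-rows[a]["critical_per_host"], a))


# Constructed sample data. Counts for the SEC follow the article; every date,
# host name, plugin ID and the second agency are invented.
AS_OF = date(2017, 1, 23)
HOSTS_SCANNED = {"SEC": 114, "Agency X": 1000}
SAMPLE_FINDINGS = [
    Finding("SEC", "sec-web-01", "plug-101", "critical", date(2016, 12, 1)),
    Finding("SEC", "sec-web-02", "plug-101", "critical", date(2016, 12, 20)),
    Finding("SEC", "sec-app-03", "plug-205", "critical", date(2017, 1, 5)),
    Finding("SEC", "sec-app-04", "plug-205", "critical", date(2017, 1, 10)),
    Finding("SEC", "sec-db-05", "plug-310", "critical", date(2017, 1, 17)),
    Finding("SEC", "sec-mail-06", "plug-412", "high", date(2016, 10, 1)),
    Finding("SEC", "sec-vpn-07", "plug-413", "high", date(2017, 1, 2)),
] + [
    Finding("Agency X", f"x-host-{i:02d}", "plug-101", "critical", date(2017, 1, 20))
    for i in range(10)
]

if __name__ == "__main__":
    rows = scorecard(SAMPLE_FINDINGS, HOSTS_SCANNED, AS_OF)
    for agency in rank_by_critical(rows):
        print(agency, rows[agency])
    print("by density:", rank_by_density(rows))
```

Run as a script, it lists Agency X ahead of the SEC by raw critical count (10 versus 5) but the SEC ahead by density, and flags three SEC findings as past their window: two criticals older than 30 days and one high older than 90. That is the distinction the article draws between counting vulnerabilities and weighing them against how many hosts were scanned.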

(Reporting by Sarah N. Lynch; Editing by Nick Zieminski)

Trump lifts Cyber Command status to boost cyber defense

WASHINGTON (Reuters) – President Donald Trump said on Friday he was elevating the status of the Pentagon’s U.S. Cyber Command to help spur development of cyber weapons to deter attacks and punish intruders.

In a statement, Trump said the unit would be ranked at the level of Unified Combatant Command focused on cyberspace operations.

Cyber Command’s elevation reflects a push to strengthen U.S. capabilities to interfere with the military programs of adversaries such as North Korea’s nuclear and missile development and Islamic State’s ability to recruit, inspire and direct attacks, three U.S. intelligence officials said this month, speaking on the condition of anonymity.

Cyber Command had been subordinate to the U.S. Strategic Command, which is also responsible for military space operations, nuclear weapons and missile defense.

Once elevated, Cyber Command would have the same status as U.S. Strategic Command and eight other unified commands that control U.S. military forces and are composed of personnel from multiple branches of the armed services.

The Pentagon did not specify how long the elevation process would take.

Current and former officials said a leading candidate to head U.S. Cyber Command was Army Lt. Gen. William Mayville, currently director of the Pentagon’s Joint Staff.

Trump also said the defense secretary was considering separating U.S. Cyber Command from the National Security Agency (NSA). Cyber Command’s mission is to shut down and, when ordered, counter cyber attacks. The NSA’s role is to gather intelligence, and it generally favors monitoring enemies’ cyber activities.

Republican Senators John McCain and Lindsey Graham, both strong voices on security matters, praised the move and said it would boost the command’s abilities.

Still, McCain, chairman of the Senate Armed Services Committee, said more steps were needed to meet the nation’s cyber security challenges.

“We must develop a clear policy and strategy for deterring and responding to cyber threats. We must also develop an integrated, whole-of-government approach to protect and defend the United States from cyberattacks,” he said in a statement.

The new combatant command will improve U.S. capabilities to punish foreign cyberattacks and discourage attempts to disrupt critical U.S. infrastructure such as financial networks, electric grids and medical systems. It will establish a cyber version of the nuclear doctrine of “mutual assured destruction” that held between the United States and the former Soviet Union, the three U.S. officials said.

The U.S. is more vulnerable to cyber intrusions than its most capable adversaries, including China, Russia, and North Korea, because its economy is more dependent on the internet, two of the officials said. As other nations improve their communications networks, their vulnerability will grow, they added.

(Reporting by Makini Brice and Susan Heavey. Additional reporting by Idrees Ali, John Walcott and Warren Strobel.; Editing by Franklin Paul and Andrew Hay)

China draft cyber law mandates security assessment for outbound data

BEIJING (Reuters) – China’s top cyber authority on Tuesday released a draft law that would require firms exporting data to undergo an annual security assessment, in the latest of several recent safeguards against threats such as hacking and terrorism.

Any business transferring data of over 1000 gigabytes or affecting over 500,000 users will be assessed on its security measures and on the potential of the data to harm national interests, showed the draft from the Cyberspace Administration of China (CAC).

The law would ban the export of any economic, technological or scientific data whose transfer would pose a threat to security or public interests. It would also require firms to obtain the consent of users before transmitting data abroad.

The proposed law, which focuses on personal information security, comes just a day after state media reported government rewards of $1,500 to $73,000 for citizens who report suspected spies.

It is also an extension of legislation passed in November formalizing a range of controls over firms that handle data in industries the government deems critical to national interests.

Business groups have criticized the November law, which is effective from June, calling rules “vague” and claiming they unfairly target foreign companies with stringent requirements.

Chinese officials denied that the November law targets foreign firms.

Under the rules released on Tuesday, sensitive geographic data such as information on marine environments would also be subject to scrutiny. Destination countries and the likelihood of overseas tampering would also be factored into any assessments.

The draft is open for public comment until May 11.

(Reporting by Cate Cadell; Editing by Christopher Cushing)

German military to unveil new cyber command as threats grow

BERLIN (Reuters) – Germany’s military will launch a cyber command next week as part of an effort to beef up online defenses at a time when German spy agencies are warning of increasing cyber attacks by Russia.

The German military remains a high-value target for hackers, with some 284,000 complex and professional would-be attacks registered in the first nine weeks of 2017, a ministry spokesman said. No damage had been reported thus far, he added.

Cyber attacks on militaries are rising worldwide, with many now creating separate commands to tackle the issue.

NATO, which says it has seen a five-fold increase in suspicious events on its networks in the past three years, agreed last June to designate cyber as an official operational domain of warfare, along with air, land and sea.

The new German command will be based in Bonn with an initial staff of 260, growing to around 13,500 in July when the military’s current strategic reconnaissance command and centers for operational communication and geo-information are folded in.

By 2021, the command is due to have a total of 14,500 positions, including 1,500 civilian jobs.

“The expansion of cyber capabilities is an essential contribution to the government’s overall security posture, and offers additional opportunities for preventing conflicts and dealing with crises to include hybrid threats,” the ministry spokesman said.

Defence Minister Ursula von der Leyen will name Lieutenant General Ludwig Leinhos to head the new Cyber and Information Space Command – the sixth major wing of the military in addition to the navy, army, air force, medical service and joint forces.

Chancellor Angela Merkel this month said protecting German infrastructure from potential cyber attacks was a top priority.

In December, Germany’s domestic and foreign intelligence agencies cited increasing Russian cyber attacks against political parties, as well as propaganda and disinformation campaigns aimed at destabilizing German society.

Russia denies engaging in such attacks.

(Reporting by Andrea Shalal; editing by Mark Heinrich)

A scramble at Cisco exposes uncomfortable truths about U.S. cyber defense

The logo of Cisco is seen at Mobile World Congress in Barcelona, Spain, February 27, 2017. REUTERS/Eric Gaillard

By Joseph Menn

SAN FRANCISCO (Reuters) – When WikiLeaks founder Julian Assange disclosed earlier this month that his anti-secrecy group had obtained CIA tools for hacking into technology products made by U.S. companies, security engineers at Cisco Systems <CSCO.O> swung into action.

The Wikileaks documents described how the Central Intelligence Agency had learned more than a year ago how to exploit flaws in Cisco’s widely used Internet switches, which direct electronic traffic, to enable eavesdropping.

Senior Cisco managers immediately reassigned staff from other projects to figure out how the CIA hacking tricks worked, so they could help customers patch their systems and prevent criminal hackers or spies from using the same methods, three employees told Reuters on condition of anonymity.

The Cisco engineers worked around the clock for days to analyze the means of attack, create fixes, and craft a stopgap warning about a security risk affecting more than 300 different products, said the employees, who had direct knowledge of the effort.

That a major U.S. company had to rely on WikiLeaks to learn about security problems well-known to U.S. intelligence agencies underscores concerns expressed by dozens of current and former U.S. intelligence and security officials about the government’s approach to cybersecurity.

That policy overwhelmingly emphasizes offensive cyber-security capabilities over defensive measures, these people told Reuters, even as an increasing number of U.S. organizations have been hit by hacks attributed to foreign governments.

Larry Pfeiffer, a former senior director of the White House Situation Room in the Obama administration, said now that others were catching up to the United States in their cyber capabilities, “maybe it is time to take a pause and fully consider the ramifications of what we’re doing.”

U.S. intelligence agencies blamed Russia for the hack of the Democratic National Committee during the 2016 election. Nation-states are also believed to be behind the 2014 hack of Sony Pictures Entertainment and the 2015 breach of the U.S. Government’s Office of Personnel Management.

CIA spokeswoman Heather Fritz Horniak declined to comment on the Cisco case, but said it was the agency’s “job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad.”

The Office of the Director of National Intelligence, which oversees the CIA and NSA, referred questions to the White House, which declined to comment.

Across the federal government, about 90 percent of all spending on cyber programs is dedicated to offensive efforts, including penetrating the computer systems of adversaries, listening to communications and developing the means to disable or degrade infrastructure, senior intelligence officials told Reuters.

President Donald Trump’s budget proposal would put about $1.5 billion into cyber-security defense at the Department of Homeland Security (DHS). Private industry and the military also spend money to protect themselves.

But the secret part of the U.S. intelligence budget alone totaled about $50 billion annually as of 2013, documents leaked by NSA contractor Edward Snowden show. Just 8 percent of that figure went toward “enhanced cyber security,” while 72 percent was dedicated to collecting strategic intelligence and fighting violent extremism.

Departing NSA Deputy Director Rick Ledgett confirmed in an interview that 90 percent of government cyber spending was on offensive efforts and agreed it was lopsided.

“It’s actually something we’re trying to address” with more appropriations in the military budget, Ledgett said. “As the cyber threat rises, the need for more and better cyber defense and information assurance is increasing as well.”

The long-standing emphasis on offense stems in part from the mission of the NSA, which has the most advanced cyber capabilities of any U.S. agency.

It is responsible for the collection of intelligence overseas and also for helping defend government systems. It mainly aids U.S. companies indirectly, by assisting other agencies.

“I absolutely think we should be placing significantly more effort on the defense, particularly in light of where we are with exponential growth in threats and capabilities and intentions,” said Debora Plunkett, who headed the NSA’s defensive mission from 2010 to 2014.

GOVERNMENT ROLE

How big a role the government should play in defending the private sector remains a matter of debate.

Former military and intelligence leaders such as ex-NSA Director Keith Alexander and former Secretary of Defense Ashton Carter say that U.S. companies and other institutions cannot be solely responsible for defending themselves against the likes of Russia, China, North Korea and Iran.

For tech companies, the government’s approach is frustrating, executives and engineers say.

Sophisticated hacking campaigns typically rely on flaws in computer products. When the NSA or CIA find such flaws, under current policies they often choose to keep them for offensive attacks, rather than tell the companies.

In the case of Cisco, the company said the CIA did not inform the company after the agency learned late last year that information about the hacking tools had been leaked.

“Cisco remains steadfast in the position that we should be notified of all vulnerabilities if they are found, so we can fix them and notify customers,” said company spokeswoman Yvonne Malmgren.

SIDE BY SIDE

A recent reorganization at the NSA, known as NSA21, eliminated the branch that was explicitly responsible for defense, the Information Assurance Directorate (IAD), the largest cyber-defense workforce in the government. Its mission has now been combined with the dominant force in the agency, signals intelligence, in a broad operations division.

Top NSA officials, including director Mike Rogers, argue that it is better to have offensive and defensive specialists working side by side. Other NSA and White House veterans contend that perfect defense is impossible and therefore more resources should be poured into penetrating enemy networks – both to head off attacks and to determine their origin.

Curtis Dukes, the last head of IAD, said in an interview after retiring last month that he feared defense would get even less attention in a structure where it does not have a leader with a direct line to the NSA director.

“It’s incumbent on the NSA to say, ‘This is an important mission’,” Dukes said. “That has not occurred.”

(Reporting by Joseph Menn in San Francisco. Additional reporting by Warren Strobel in Washington.; Editing by Jonathan Weber and Ross Colvin)

NATO to spend 3 billion euros on satellite, cyber defenses

FILE PHOTO - A NATO flag flies at the Alliance's headquarters in Brussels, March 2, 2014. REUTERS/Yves Herman/File Photo

By Robin Emmott

BRUSSELS (Reuters) – NATO plans to spend 3 billion euros ($3.24 billion) to upgrade its satellite and computer technology over the next three years as the Western military alliance adapts to new threats, a senior official said.

Seeking to deter hackers, and other threats including Iranian missiles, the investments underscore NATO’s recognition that conflicts are increasingly fought on computer networks as well as in the air, on land and at sea.

A senior official at the NATO Communications and Information Agency said the plans include a 1.7-billion-euro investment in satellite communications to better support troops and ships deployed across the alliance, as well as aiding the use of Unmanned Aerial Vehicles (UAVs) or drones.

It was not immediately clear if NATO allies would fund a new military communications satellite to be launched into space or if an increase in broadband capacity could be gained from existing U.S. and other allied satellites.

Non-NATO member Japan launched its first military communications satellite in January.

The proposals, for which some funding must still be approved by NATO governments, also envisage spending about 800 million euros on the computer systems that help command air and missile defenses, said the official, who declined to be named.

Seventy-one million euros will go to improving the protection of NATO’s 32 main locations from cyber attacks.

NATO says it has seen a five-fold increase in suspicious events on its networks in the past three years, while Russian group APT28 is blamed by Western intelligence for the hacking of the U.S. Democratic Party during last year’s U.S. election.

NATO officials have told Reuters they suspect Russia sponsors attacks against their networks before major summits.

Another 180 million euros are to be spent to provide more secure mobile communications for alliance soldiers in the field.

NATO will present its needs in detail at a conference in Ottawa in April and then begin launching the bidding process.

It is likely to attract major Western defense contractors including Airbus Group, Raytheon and Lockheed Martin Corp, the official said, in part because “there cannot be content that does not come from NATO nations.”

NATO rules prohibit Russian or Chinese suppliers unless there is a specific need that allied companies cannot provide.

(Reporting by Robin Emmott; Editing by Janet Lawrence)

Homeland Security employees locked out of computer networks: sources

A U.S. Customs and Border Protection agent applauds President Donald Trump's remarks at Homeland Security headquarters in Washington, U.S. January 25, 2017. REUTERS/Jonathan Ernst

By Dustin Volz

WASHINGTON (Reuters) – U.S. Department of Homeland Security employees in the Washington area were unable to access some agency computer networks on Tuesday, according to three sources familiar with the matter.

It was not immediately clear how widespread the issue was or how significantly it affected daily functions at DHS, a large government agency whose responsibilities include immigration services, border security and cyber defense.

Employees began experiencing problems logging into networks at 5 a.m. ET on Tuesday due to a problem related to the personal identity verification (PIV) cards used by federal workers and contractors to access certain information systems, one source said. At least four DHS buildings were affected, the source said, including locations used by U.S. Citizenship and Immigration Services.

Another source said the cards did not appear to be responsible. DHS did not immediately respond to requests for comment.

President Donald Trump vowed to make cyber security a priority during his administration, following an election marred by hacks of Democratic Party emails that U.S. intelligence agencies concluded were carried out by Russia in order to help Trump, a Republican, win. At a White House event last month he said he would “hold my Cabinet secretaries and agency heads accountable, totally accountable, for the cyber security of their organizations.”

Trump had planned to sign a cyber security executive order last month but it was put on hold to allow more time for review.

(Reporting by Dustin Volz; Editing by Jonathan Oatis)