October 24, 2012 CYBER'S EMERGING ROLE IN COMPETITION, CONFLICT AND WAR - Social Engineering and Human Hacking

Speaker: Thomas Quiggin, Canadian Cyber Security Specialist

Wednesday, October 24, 2012

6:00-7:30 pm

Battelle Atrium

American University



Speaker's Biography:

Tom Quiggin has spent the last two and a half years designing and building a security and operational risk management section for a major financial organization that has four trillion dollars under management and handles hundreds of billions of dollars a day in transactions. He has spent most of his 35-year career providing intelligence and information advice to decision makers in military, government, legal, enforcement and private sector circles. He is a court-appointed expert in three different levels of court, including the area of determining the “reliability of intelligence as evidence in court.” He has lived and worked in Canada, the USA, Singapore, the UK and the Netherlands in addition to wartime service as a uniformed intelligence officer in the former Yugoslavia.

Summary: CYBER'S EMERGING ROLE IN COMPETITION, CONFLICT AND WAR - Social Engineering and Human Hacking

Computer Network Exploitations (CNE) occur when a group or foreign state penetrates a network to extract potentially valuable commercial, defense or political information. Such events occur daily. Once a network is penetrated, an exploitation event can last for minutes or as much as 18 months! Large organizations such as finance ministries and private corporations have had all their IT-based information removed by groups or foreign states.

Computer Network Attacks (CNA), in which the intent of the attacker is to damage or disrupt network operations, remain quite rare by comparison to CNEs. Nonetheless, they can be catastrophic and destroy a business organization overnight. With respect to CNAs, the most serious emerging threat may be attacks that cause a loss of confidence in the data being produced. For financial organizations or critical systems such as aircraft controls, a loss-of-confidence attack would be more difficult to address than destructive or disruptive attacks.

Throughout history, competition and conflicts that have evolved into warfare have been kinetic (employing energy and mass) and occurred in three primary domains - air, land, and sea. Outer space became a fourth domain in the last half of the 20th Century. Cyber attacks have now moved competition, conflict and warfare into a fifth, non-kinetic domain: cyberspace. The most critical factor here is that many leaders in government and the private sector have not understood that their organizations may be on the front line of a new form of competition, conflict and warfare.

For the advanced Western democracies, the greatest vulnerabilities lie in the financial and economic sectors. The most critical infrastructure of all is the "payments and settlements" systems that allow our debit, credit and bank cards to function, along with ATMs. Without these hyper-connected systems, food and fuel would become unobtainable in 24 to 48 hours and social unrest would produce blood in the streets. China has already demonstrated both an interest and a capability to use an attack against these hyper-connected and interdependent systems. While there are no indications that China has an intent to use such a capability, a situation that moves from competition and conflict on to warfare would suggest the use of such a capability.

Recent cyber exploitations and attacks have demonstrated the vulnerabilities of major companies, including those thought to be leaders in computer security. RSA, a major provider of computer security devices and software, was hacked in 2011. It was not an advanced persistent threat style attack, but rather a single socially engineered email with a PDF attachment containing malware. The information gained from this attack, most likely carried out by China, allowed the attacker to immediately access files at Lockheed. A number of successful attacks have been confirmed at a variety of globally recognized institutions including the finance ministries of Canada and France, the Prime Minister's Office of Australia, Oak Ridge Labs, Los Alamos Labs and Sony. In many of these cases, social engineering played a major role. In general terms, IT operators should consider themselves on their own should they become the victim of an IT attack. The governments of the advanced Western democracies are incapable of defending private sector critical IT infrastructure against group or foreign attacks and will provide no useful assistance after an attack. The concepts of deterrence, escalation and retaliation are not well developed in cyberspace.

Social engineering attacks attempt to manipulate individuals into taking actions or violating security procedures by exploiting personal vulnerabilities or needs. The required information can be gathered in a variety of ways, such as personal contact with the individual or through social media sites. Given the spread of social media sites, potential attackers will have a seemingly endless supply of opportunities. The future of cyber activity in competition, conflict and warfare will also feature the concept of human hacking. Already in practice, the concept involves using computers to hack into the human mind and exploit the buffer zone and pattern-based decision making of the human mind. The next battleground may be the sixth domain of warfare: cyber attacks on the human mind itself.