Wednesday, March 26, 2014

Today's Cybercrime - The Market is "Growing Up"

I've been a student of cybercrime since my full-time entry into cybersecurity in 2001.  When I had some time on my hands recovering from an accident I actually spent a month reading every document I could find on the Internet covering the subject.

Well, I wouldn't recommend that you spend a month recuperating in front of the Internet, but you will find a report from RAND Corporation on today's cybercrime market fascinating and disturbing. It will give you a sense of the maturity of the cybercrime market and its "workers and leaders."

The RAND report (pictured above) is 83 pages of discussion about today's black market for such things as credit cards, passwords, identities, etc.  To quote the preface of the report...

This report describes the fundamental characteristics of these markets and how they have grown into their current state in order to give insight into how their existence can harm the information security environment. Understanding the current and predicted landscape for these markets lays the groundwork for follow-on exploration of options that could minimize the potentially harmful influence these markets impart. This report assumes the reader has a basic understanding of the cyber, criminal, and economic domains, but includes a glossary to supplement any gaps.

The final take-away to offer is another quotable quote from the report:

In certain respects, the black market can be more profitable than the illegal drug trade; the links to end-users are more direct, and because worldwide distribution is accomplished electronically, the requirements are negligible.

Action:  To my fellow security professionals, take a moment to give this to your boss and maybe the CEO and Board of Directors.  They need to see that the threat is real and the opportunities for the miscreants are increasing.  Hence, you need more resources - money, qualified staff, tools, techniques -- to do your job.


Thursday, March 6, 2014

New Policy Approaches to Address Cyber Threats Impacting the Electric Grid

In February the Bipartisan Policy Center released a report focused on cybersecurity and the North American electric grid.  At first I was worried that this report would be another collection of the same ol' ideas of leaning on the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards as the panacea -- fortunately, this report is very good and really has some excellent ideas to help protect the electric grid from and during a cyber attack.

Simply put, I'd strongly suggest you skim this report if you are in any way/shape/form involved with electric grid cybersecurity defense, policy, funding or response.

The key areas of discussion in the report include:

  • The Existing Landscape for Electric Grid Cybersecurity Governance
  • Standards and Best Practices for Cybersecurity
  • Information Sharing
  • Responding to a Cyber Attack on the North American Electric Grid
  • Paying for Electric Grid Cybersecurity

The report is very refreshing and offers some new ideas on ways to defend the grid and respond to cyberattacks.

One idea that has some merit is the concept of implementing an "Institute" similar to the Institute of Nuclear Power Operations (INPO) that would focus on continuous improvement of cybersecurity of the electric grid.  I sent the following email to one of the Advisory Board members supporting this idea.  In my email I observed:

The Institute of Nuclear Power Operations (INPO) was used as a model agency for oversight of the security of the grid.  I worked at INPO from 1986 to 1992 and when I left I was the Secretary of the Corporation and an evaluation Team Manager.  

Of note, the recently published Cybersecurity Framework (CSF) has an approach very similar to INPO's.  That is, the CSF is "performance-based" rather than "compliance-based" which is an approach that INPO pursued.  INPO published a document entitled Performance Objectives and Criteria for Operating and Near-Term Operating Nuclear Plants that really focused on what would be viewed as optimal performance in particular areas (e.g., management, administration, operations, maintenance, etc.) with a collection of criteria that supported the performance objectives (similar to the CSF).  However, the process was not focused on compliance to the performance objectives but instead to how the plant truly performed.

An example to demonstrate this approach would be relative to CIP-008, incident response.  The NERC approach to reviewing CIP-008 is to actually sight the utility's incident response procedure; however, they do not check to see that it actually is a workable, accurate document (i.e., are the phone numbers/email addresses accurate, can it truly be used as written, is it practiced, etc.).  On the other hand the INPO approach would be to view the document but with emphasis on watching the utility perform the incident response process and observe strengths, weaknesses, etc. and highlight areas needing improvement.

In other words the assessment was based on the true performance of the utility; not a simple view of its paperwork -- a serious flaw with the NERC approach (in my opinion).

I am very pleased with the tone, content and ideas put forth in this report and I look forward to the "new" dialogue that surfaces in this domain different from the old, stale ideas that really don't solve the problem for the entire electric grid from generator to transmission line to distribution system to the toaster in your home.

Again, compliments to the authors and advisory group on this report!


Monday, March 3, 2014

Funding Terrorism via Poaching and Organized Crime

In early January 2014 Mr. Johan Bergenas of the Stimson Center prepared a report called Killing Animals, Buying Arms.  This brief 17-page report woke me up to the concerns of rhino and elephant poaching in East Africa and its eventual financial support for local and global terrorists.  It is a disconcerting state of affairs.

Some disturbing facts that are not well publicized include:

  • Wildlife has become the 4th largest illicitly traded product in the world.  It is a $19B USD industry.  Illegal wildlife trade is larger than illicit trafficking of small arms, diamonds, gold and oil.
  • Transnational criminals and terrorist organizations such as Al-Shabaab and the Lord's Resistance Army make hundreds of thousands of dollars every month by partaking directly or indirectly in the killing and sale of animal parts.  Part of their proceeds go towards buying guns and bombs, paying their members, and planning and executing terrorist attacks.
  • The Elephant Action League -- an independent organization fighting elephant exploitation and poaching -- asserts that Al-Shabaab exports poached ivory via southern Somalia ports.  The tusks are cut into blocks and hidden in crates of charcoal.  Their income is reported to be $200,000 to $600,000 USD per month.  The ivory sells for $3,000 per 2.2 pounds (kilogram) in China.
  • A rhino horn is worth $50,000 USD per pound on the black market -- more than gold or platinum.  A rhino is killed by a poacher every 11 hours.

The United Nations Office on Drugs and Crime (UNODC) has published several studies on organized crime and its global and regional impact.  In its seminal report issued in 2010, the UNODC depicted the geographic challenges with ivory export as shown below:

In its 2013 regional report on organized crime in Eastern Africa (UNODC) the theme of money being made from ivory continued.  In the report they note "It is estimated that between 5,600 and 15,400 elephants are poached in Eastern Africa annually, producing between 56 and 154 metric tons of illicit ivory, of which two-thirds (37 tons) is destined for Asia, worth around US$30 million in 2011."  But the area is also a concentration of illegal -- and profitable -- activities such as human trafficking, heroin transportation, and piracy -- besides ivory and rhino horn poaching.

At a US Senate hearing in May 2012, Mr. Tom Cardamone of Global Financial Integrity observed in his written testimony that, since the terrorist attacks of 9/11, actions taken by Congress/Administration to target terrorist financing have nearly eliminated shell banks and decapitated Al Qaeda's central command.  As such the terrorists are cash-starved and looking for new sources of funding.  Hence, illicit trafficking of wildlife is one way the Al Qaeda affiliates have chosen to raise money.  As an example, two Bangladesh-based Islamic terrorist groups affiliated with Al Qaeda are raising funds for their operations via illegal poaching of ivory, tiger pelts and rhino horns in the jungles of northeastern India.  And, during its years of war with Northern Sudan, the Sudan People’s Liberation Army is alleged to have poached “...elephants with grenades and rocket‐propelled guns.”

And...when it comes to Al-Shabaab, the same 2013 report notes,  "Members of Al-Shabaab have been linked to ivory poaching in Kenya and to a Tanzanian Islamist group reportedly linked to heroin trafficking. They have also allegedly taxed pirates working from the ports they control..."

The Elephant Action League says it best, "If you buy ivory, you kill people."  But all three of the reports cited above say that the task at hand is difficult and requires money and resources to even slow the poaching and subsequently the flow of money to the terrorists.  Border security needs to be stronger and needs to be enforced, and the markets for the ivory and illicit items need to be closed.  Also, oversight of cash transfers needs to be tightly regulated in the more "suspicious" parts of the world.

Sadly, this sounds daunting and challenging.  I hope this blog raises awareness and guides some action.