Loose (Data) Sinks Ships — OpSec for the Information Age

More than a year ago I attended an on-line seminar for businesses that do business with federal agencies.  The speaker, in a refrain now heard quite often, said:  “There are two types of businesses; those who have been hacked by the Chinese and those that don’t know they have been hacked by the Chinese.”  While there is a bit of hyperbole in that statement, it does make a valid point: all data with which we work in this new interconnected age of the internet and social media is vulnerable to exposure to those who do not have a need to know, unless we institute the right countermeasures.

And the issue isn’t just related to Chinese ambitions, though their efforts are significant.  For example, the semi-autonomous Red Hacker Alliance consists of a hacking army of at least 300,000 members.  Plus there are other state actors, terrorist organizations, and other equally dangerous threats among the run-of-the-mill identity and information theft hacking community.

Exhibit one along these lines has been floating in the news for a few weeks now and is the hacking of the servers at the Democratic National Committee by Russia.  Exhibit two is the hacking of election databases in Illinois and Arizona by the same hackers.

The infrastructure built around the cult of personality of Vladimir Putin in disrupting the political and international institutions that he views as a threat to his rule and international ambitions is both well documented and expansive.  For some time now Russia has been clandestinely funding extreme parties in Europe as part of its project to undermine faith in self-government and democracy there.  It is now clear that he has also set his sights on the United States electoral process.

With assistance from Fifth Columnists like alleged rapist Julian Assange of Wikileaks, who is still hiding out from Swedish due process in the Ecuadorian Embassy awaiting the statute of limitations to run out, Russian hackers have been selectively releasing e-mails, most mundane (John Podesta’s risotto recipe anyone?), but some embarrassing when removed from context, over the course of the current presidential campaign.

But this is headline news.  For those of us in the information management and software industry, what we should know is that just about anything is fair game to hackers beyond the sport of manipulating democracy, due process, and the free world, including privileged, proprietary, competition sensitive, and classified information.  Any system without a robust physical firewall or strategic areas that have an air gap from the network is vulnerable to hacking.  The infamous Chinese hack of the Office of Personnel Management (OPM) demonstrates this clearly, even for what ostensibly appear to be the most secure data repositories.

So what does this tell us?

First, that data streams and data lakes must be reduced so that, aside from the economic benefits, data and information found in those repositories can be traced, categorized, and properly compartmentalized.  This suggestion does not preclude redundant backup systems to eliminate the danger of destruction, but it does keep bits of intelligence from being collected from different, ostensibly unrelated, sources.

Second, that the golden age of putting everything in the Cloud was a bad idea from the start.  I would go so far as to say that most hosted applications, but especially HTML-based ones, at this point have so many security vulnerabilities, regardless of the assurances of software publishers and companies, that industry and government consumers should avoid them for their most sensitive data.  The criterion for the type of data this entails is that a breach of it would render the system or project completely compromised and represent an existential threat to the organization, or to the national security of the United States, or to its allies.

Third, computer hardware devices should have the same restrictions that we apply to access of data by individuals.  If the device does not support a need to know, then that device should be restricted from certain data.  Data networks should employ encryption, and using a VPN when accessing the internet or working remotely will help to provide a secure connection.

Fourth, where interfaces with the internet are integral to business operations, such as e-mail and data sharing, a minimum of 256-bit encryption should be deployed in transit and storage of communications and data.  Furthermore, two-step login authentication, user login salting and hashing, and other measures will also reduce the value of any hack if it occurs.  For example, the data from the 2012 Dropbox hack, which only became completely known last month, was auctioned on the Dark Web for only two bitcoins because these very measures, instituted by the company, had rendered the user information almost valueless.
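To make the salting and hashing point concrete, the following is an added example, not code from the original post or from Dropbox. It compares an unsalted fast hash with a per-user salted scrypt hash; the scrypt cost parameters, function names, and sample accounts are assumptions constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Assumed scrypt cost parameters for illustration; tune for your hardware.
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1, "dklen": 32}


def hash_unsalted(password: str) -> str:
    """Weak scheme: one fast, unsalted SHA-256 per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Stronger scheme: random per-user salt plus a slow, memory-hard KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_salted(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_salted(password, salt)
    return hmac.compare_digest(digest, expected)


def exposed_by_lookup(stored: dict[str, str], common: list[str]) -> set[str]:
    """Audit helper: accounts in an unsalted store that match a precomputed table."""
    table = {hash_unsalted(p) for p in common}
    return {user for user, h in stored.items() if h in table}


# Constructed sample data: two users who happen to share a password.
USERS = {"alice": "Summer2016!", "bob": "Summer2016!", "carol": "x9$Lq0-vT2#mRw"}
COMMON = ["password", "123456", "Summer2016!"]

unsalted_store = {u: hash_unsalted(p) for u, p in USERS.items()}
salted_store = {u: hash_salted(p) for u, p in USERS.items()}

if __name__ == "__main__":
    print("unsalted, matched by one table:", sorted(exposed_by_lookup(unsalted_store, COMMON)))
    print("unsalted, alice == bob:", unsalted_store["alice"] == unsalted_store["bob"])
    print("salted, alice == bob:", salted_store["alice"][1] == salted_store["bob"][1])
    print("salted, login still works:", verify_salted("Summer2016!", *salted_store["alice"]))
```

With unsalted hashes, one precomputed table covers every account at once and shared passwords are visible as identical records; with a per-user salt and a slow KDF, each record has to be worked on separately, which is what lowers the value of a leaked table.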

I would consider these four measures the bare minimum.  Note, however, that if a state-sanctioned actor is involved, the chances are that they are going to employ several methods to obtain your data.  The most reasonable approach to take is to invoke the approach from the Second World War that “Loose Lips Sink Ships”.  Simply don’t volunteer operational information regarding your company, organization, or agency to those without a need to know.

Upper Volta with Missiles — Overreach, Putin, and the Russian Crash

Starting out the new year with some additional notes on international affairs.

The reference in the title is from a comment by former German Chancellor Helmut Schmidt, once made in referring to the Soviet Union.  Of course, as Tony Judt noted in his magisterial book Postwar: A History of Europe Since 1945, there are those missiles.  Thus, this is a topic of concern to everyone, particularly in regard to the events surrounding Crimea and Ukraine.  This past April I noted the threat implicit in Putin’s actions and the need for European solidarity in opposing his actions to maintain the peace and stability of the region.  When combined with Russian violations of nuclear arms treaties this is cause for concern.

Since April much has happened, including measured sanctions by the European Union and the United States, to prevent the Russian Federation from leveraging its economic power to gain an advantage over Ukrainian sovereignty.  In addition, the depressed state of the world economy, among other factors, has created an oil glut that has also reduced Russia’s ability to leverage its oil reserves against any countries that would oppose it.  As a result, the ruble has taken a hit and Russia has made all of the wrong moves to bolster its currency.

On the middle point, certain notable voices here in the United States have pointed to an increase in oil production as the main cause but the numbers do not support this contention.  Instead, a combination of factors: alternative energy production, more efficient fuel consumption, and a drop in consumer demand have all conspired to, well, act as a market is supposed to behave.  Combine this with the refusal of major producers to reduce output to manipulate the market in order to prop up the price and you have what commodities do most often–rise and fall on the whims of the demand of the moment.  I have no doubt that eventually the world economy will recover, but keep in mind that the very real threat of Global Warming will continue to drive societies to find alternatives to fossil fuel.  That is, given that they continue to recognize the existential threat that it poses to humanity (aside from the dysfunctional geopolitics that fossil fuels seem to drive).  In the meantime, seeing the handwriting on the wall, net exporters like Saudi Arabia have little incentive to reduce production when they can sell as much as possible and gain a larger share of the market against their competitors.

For the uninitiated like Fifth Column blogger Patrick Smith at Salon.com, who apparently only sees conspiracies and control of a kind that–well–actually exists in Putin’s Russia, this is known as market competition.  Nary a peep from Mr. Smith has emanated lately (or from our own right wing plutocrats) about the Russian oligarch being a statesman running rings around our democratically-elected U.S. president or his decorated former U.S. Navy officer (and later antiwar activist) Secretary of State.  Were it only possible for the state controlled Russian press to have the freedom to make such alternative observations of its own leadership in their country.  Okay–enough sarcasm for today, but I think I made my point: mendacity and irrationality make for strange bedfellows.

Along these lines some interesting insights about Putin’s Russia have come out in the book entitled Putin’s Kleptocracy: Who Owns Russia? by Karen Dawisha.  This is a brave undertaking given that a lot of critical writing about Russia, apart from the abolition of a free press there, has been taken down from websites.  This is not because of some mysterious ability on the part of Putin and his cronies but because of their immense international (until recently) financial power and the expensive lawyers that such money can buy.  Cambridge University Press, for example, because of the U.K.’s lax libel laws, declined to publish the book.  Thus, a U.S. publisher had to be found.  In addition, Russia has bought off columnists and politicians around the world to muddy the waters about the reality of the regime.  A very enlightening review of the book and the history surrounding it appears in The New York Review of Books by Washington Post and Slate columnist Anne Applebaum.

In summary, Dawisha’s book demonstrates that during the period when Gorbachev was desperately attempting to reform a crumbling and inefficient system that had plodded along under the Brezhnev doldrums, KGB agents like Putin were moving Russian currency assets abroad in Europe with the intent of eventually using their economic leverage to retake the country when all of the hullaballoo blew over.  Thus, rather than a failing attempt at liberalization and democracy, what we see is the reinstitution of authoritarian rule after a brief respite.  The same old corrupt elites that had run the old Soviet Union under central planning are now simply wearing capitalist oligarch clothing.  This probably explains why the Russian central bank is moving to bolster the ruble through higher interest rates, which will only exacerbate the economic collapse.  But the general welfare is not their concern.  It’s all about the value of Russian reserves and the economic leverage that such value and power lends to control.

Globalization has made this a small world, but one still fraught with dangers.  For companies in my industry and policymakers here in the United States, I would recommend that a wall of separation be established from companies–particularly those technology companies in information systems–with ties to Russian oil and its oligarchs.