By taking us inside the U.S. intelligence and national security apparatus at the start of his second cyber-thriller, Trojan Horse, distinguished Microsoft Fellow and acclaimed sci-fi writer Mark Russinovich lights a fuse that inches ever closer to the explosive reality of cyber-warfare, not as science fiction but as science fact, right here and right now, and in frighteningly accurate technical detail.
INTERNAL DISTRIBUTION ONLY
SECRETMEMORANDUM
FROM: Rhonda MacMillan-Jones
Deputy Director, Cyber Security
National Security AgencyTO: Admiral Braxton L.R. Compton
Chairman Joint Chiefs of Staff
PentagonRE: Confirmation
This is a follow-up to our conversation earlier today in which I confirmed the discovery of extraneous software embedded within the U.S. Pacific Fleet Command computer structure. This malware has access to the database that manages fleet deployments. At this time, we do not know how it penetrated COMPACFLT computer defenses, how long it has been embedded, or the extent of the infection. It constitutes the most serious penetration to date by malignant software embedded from an unknown source within a highly classified U.S. military command computer system.
Though we cannot know its origin with certainty, the level of sophistication and the nature of the disruption indicates a nation-state with national security interests toward the United States.
cc: CoS, POTUS NSA, White House
INTERNAL DISTRIBUTION ONLY
SECRET—————————————————-
The backdrop of cyberspace is a native habitat for Russinovich, who leads the Windows Azure Cloud Computing Platform initiative for Microsoft in Redmond. Like a cyber storm chaser, Mark is also no stranger to the atmospheric pressures that infiltrate the Net where cyber-attacks can be seeded by exploiting a vulnerable network “port” or by “weaponizing” a treacherous Botnet army with malware.
To spin a great Web story, you have to think like a spider. Before he was 15, Mark was able to reverse engineer the ROM of an Apple II and write programs for it. In 1996, he discovered how to change the values in a Windows Registry to install software licensed to an entirely different breed of server. One keyhole after another was spotted on Mark’s radar in the “rootkits” of software from Sony and Semantic, the latter a security software company. As a co-founder of Winternals Software and the popular Sysinternals Website, Mark was swept up into Microsoft management when they acquired his company.
Like the central figure of his novels, cyber-security analyst Jeff Aiken, Russinovich has sounded the alarm for the United States to harden its defenses against cyber threats. His admonition comes at a critical point in time. U.S. legislation to prevent a potentially devastating attack on American military, transportation, energy, water supply and other life supporting assets, was killed in the current session of Congress and can now only be revived and implemented by an Executive Order of the president of the United States.
We began our conversation by recognizing some of the “self-inflicted wounds” of corporate Web hosting that can leave critical data exposed to even benign events like foul weather or power disruptions, such as those that caused Amazon Web Services’ datacenters in Virginia to fail at least twice in recent months, knocking out Pinterest, Instagram and Netflix, among others.
Seattle24x7: Mark, as head of the Microsoft division architecting the future of Cloud Computing, we have to ask you about the security attributed to this form of network architecture. We always felt the benefits and safety of Cloud-based systems were intrinsic to its distributed architecture, like the Internet itself. We drank the Kool-aid that the Cloud’s grid-like structure made it invulnerable at any single or central point. And yet we read of repeated Amazon-hosted outages that were brought down as a result of wind storms and other inclement weather. Is the Cloud as vulnerable as a single datacenter in bad weather?
Russinovich: Fundamentally, Cloud applications have to live on a physical resource. But if you want to be able to tolerate failure of a specific data center, you need multiple data centers that operate independently of certain types of correlated failures, and to be able to have your application capable or running in two places. If one fails, the application stays available on the other one. Now Amazon has a concept called “Availability Zones.” The intent was to design them to be independent of correlated failures, like power strikes, because they each have their own set of generators. So you can go to Amazon and place your application in different Availability Zones. If localized disasters in the data center occur, one or the other of them will survive.
Seattle24x7: So if that is the theory, why are we are seeing whole servers knocked out by conditions like high winds or electrical storms? [Ed. note: We do not mean hurricanes like “Sandy” that ravaged the east coast this week, but these would also apply. – Ed.] If we are this vulnerable to weather conditions, how do we remain vigilant against deliberate acts of cyber terrorism?
Russinovich: There are two problems that interfere in this context. One, it’s more expensive, and it’s more difficult to write an application that’s truly distributed, an application that remains consistent and maintains high performance. A lot of customers choose to believe that the availability they’re going to get, even facing a data failure, isn’t enough to warrant the additional cost. So we’ve seen Zone situations that affect a lot of customers, where the servers didn’t have redundancy, and were completely taken down. Also, Amazon has had bugs in the implementation of the Availability Zones that have surfaced in a couple of these incidents. A single failure can cascade into affecting several of these Zones, something that violates the promise or principle of Availability Zones. So when more than one becomes affected, even those customers who are distributed and redundant can have their applications completely taken down.
Seattle24x7: How does the Microsoft Cloud architecture deal with this type of exposure in Azure?
Russinovich: Our current structural definition is that of “sub-regions.” Currently, we have four of them in the U.S. So, for example, you deploy your application to a sub-region. We do not foster a concept of data center redundancy that’s exposed to customers, certainly not within the same geographic diameter that Amazon’s Availability Zones are situated. For example, you could place a server in the Central U.S. and one in the Western U.S. If there’s a problem with one or the other, then your application will remain operating. Were working hard right now on designing data center strategy that will support this kind of independence of correlated failures as well as frameworks we can make available to application developers, so that they can more easily write an application that enjoys these benefits without having to be rocket scientists.
Seattle24x7: Shifting to the world of international, cyber-based offensive and defensive measures, let’s consider the Stuxnet infiltration for a moment which is alleged to have occurred in an effort to curtail Iran’s nuclear program (although the actual infiltrators have never been named.) How was it that it took a completely independent, offline effort to deliver such a payload, apart from any form of Internet penetration?
Russinovich: I don’t know the details, but the fact that Stuxnet got in on a USB key means they implemented an Air Gap model. That means that Stuxnet operated on its own, cut off from the Internet. When you operate that way, it’s not possible to jump from an Internet position into the target network. You would have to somehow go in physically. Let’s understand that the most critical infrastructure systems, such as nuclear systems, are “air gapped.”
But we also need to understand that it can be onerous to be air gapped, to say that the network is completely cut off. It means that there is no data you’d ever want to move from the secure network to the insecure network. Practically speaking, that’s almost never the case. If you adopt a pure air gap strategy, that means you are copying things from USB keys or CDs, and then walking from machine to machine. “Sneaker netting” stuff in. This works for some kinds of limited scenarios, but what if you want to analyze the data coming out of the critical infrastructure system?
What if you want to analyze the electric grid power usage? Do you want to do that analysis in the secure network or do you want to do it outside the security? Because the bigger your secure network is the more insecure it ultimately becomes. So you’ve got this trade off where you draw the boundaries and decide how data will cross that boundary. A lot of these critical systems have these points of entry. They’re not completely air gapped. There are points of entry called “Jump Boxes,” where they are very tightly controlled with rigid polices, limiting the types of systems and users that can connect with them. There’s also control over what data is allowed to move through that Jump Box. So that’s a very common technique used to address this scenario, where simply air gapping isn’t feasible.
Seattle24x7: The U.S. Secretary of Defense recently made headlines when he announced that the U.S. was being bombarded by cyber-attacks to the degree of 50,000 attacks per day. How do you assess that estimate?
Russinovich: The DOD claims that tens of thousands of times a day they are probed. Whatever the number is, there are a lot of different “attackers” attacking in different ways, at lots of different times. All of that nuance is lost in those kind of statements. You’re seeing all types of activities from people that are just blindly scanning the Internet trying to run malware, or looking for insecure ports, which is the vast majority of this activity, that these automated scanners are running all the time. And then, there’s also people that are committed to finding any port that’s open, not simply concerned about whether some off-the-shelf tool can break in, but trying to break in themselves. These counts would include “phishing” emails that are sent to people inside of corporations. That would also count as “probing.”
Seattle24x7: When making these assertions about attacks on U.S. assets, the U.S. Defense Secretary has promulgated that the United States would retaliate for any cyber-attacks waged against American corporate or financial interests as if it were an attack on the government. That seems straight out of the Cold War era of symmetrical deterrence. For instance, the classic nuclear war game is that any aggression will be countered with an attack of equally assured destruction. And yet, cyber-attacks are asymmetrical in nature and seemingly counter-intuitive to Cold War games?
Russinovich: I totally agree. The first novel that I wrote, Zero Day, is all about the asymmetry of cyber war. With cyber war, first you encounter the anonymity problem. How do we even know that it was Iran that was doing this? My bet is if we actually knew Iran had something to do with it, the information would come not from tracing network packets, but from the “intel” side of Iran. The problem, of course, is that there are Botnets that are infected random computers from around the world. You can’t say whose operating these things. Even when they do find a Botnet and they can identify command and control servers, it’s extremely difficult to figure out who is operating them. The attackers are logging in and sending commands through multiple hops to machines that are in countries that aren’t very sophisticated, and that don’t have very good cyber laws.
Seattle24x7: So let’s get down to it. What would your protagonist, cyber analyst Jeff Aiken, recommend we do to preempt or intercept these threats? What do you, as the mastermind behind your heroic character, believe we should do?
Russinovich: In some sense, my books are my message. I do have strong beliefs on what we should be doing about it, and they’re echoed by Panneta and by Lieberman and Reed, in the Cyber Security Act that they’re trying to push through, that people like Richard Clarke have been supporting and asking for for a long time. That is the fact that much of our nation’s critical infrastructure is operated by private industry. The electrical grid is one example, water supply systems are another, food transportation, another one. My beliefs say that if the free market will decide what level of cyber security they should implement, they’re only going to implement enough to protect their own value. The risk that they see is to their own business, not the risk to the nation at large.
In other words, I don’t think free market forces are sufficient to drive the right behavior in these areas. If you look at the way we handle the financial system, we don ‘t let the free market run rampant because we know it will lead to undesirable outcomes. The free markets are motivated by their own needs and their own wants, not the greater good. So there needs to be regulation in place to balance that. If you look at the way we regulate food quality, health in medicine, if you look at the way that we regulate any number of other things including regulating the nuclear industry, cyber security has been largely ignored. Large sections of these threats, like our water supply system and other critical pieces of infrastructure, have no regulation at this point. Some of these companies, for their own self-interest, do have reasonable cyber security. Buy you see lots of varying levels of quality.
Seattle24x7: So without a set of regulations that set standards for cyber-security, the defensive measures are wildly inconsistent?
Russinovich: We know from isolated incidents that the quality ranges from reasonable to pretty pathetic. For example, last year, Penetration Tester, was hired by the county of Los Angeles to see if they could run a test and get into their control system through the Internet,. Within 24 hours they were able to control the mix of chemicals going into the water supply. That’s a metropolitan area that’s wealthier than most, more sophisticated than most, because they’re operating on such a large scale. So you’re probably looking at the better end of cyber security measures, when compared to the water supplies in other places. And still.
Seattle24x7: What kind of regulations would you recommend?
Russinovich: The regulations I would suggest are several: Having air gaps in place. Making sure that there’s regular anti-virus scans and patching, and that you’re not using the same passwords everywhere. Using multi-factor authentication for people who have access to the critical systems. Lock-down of people who have access to those critical systems through white listing technologies. Any software that you deploy through those systems has to have gone through some kind of security development life cycle process so that it’s not full of vulnerabilities. Making sure that your firewalls are in place. Making sure that you’ve got continuous monitoring. Making sure you have auditing of operations in that system, and you’re looking at those audit logs and looking for anomalies. So if you see someone logging in from a certain country it will raise an alarm. It’s these kind of practices which are really just Cyber Security Best Practices 101,” that I believe we need regulations for.
Seattle24x7: How is that we’ve let things get this far without taking the precautions that could prevent a real tragedy?
Russinovich: The Cyber Security bill had been under discussion for about a year when one version finally made it to the floor of the House and another version to the Senate. The two versions ended up being very different. The Republicans ended up just killing it, a lobby of Republicans, including John McCain, who was one of the lead forces in shutting it down completely. There was very clear anti-regulatory sentiment that lead to them saying, No, let’s let the free market deal with it.
Granted, there were parts of the original Cyber Security Act that I considered unproductive. There was, in one form of the bill last year, a call for an Internet Kill Switch. They were basing it on a vague holistic notion of national security, not really looking at the critical infrastructure systems and analyzing what we could do to defend those. So the Internet Kill Switch did not have much value and had enormous negative potential too. In comparison, the Cyber Security Bill that made it to the Senate was fairly reasonable. There were still a lot of details that had to be worked out. But the Republicans basically said it was much too rigid and created too much government control, and, by the way, they claimed it was never actually debated, and they killed it. The truth was something different. The bill was bi-partisan and there were Republicans that were supportive of it. Basically McCain came in and stomped on it. So it died. Since it died, there have been calls by Democrats, and others who were supporting the bill to the Obama administration to issue an Executive Order.
Seattle24x7: Trojan Horse is a very intelligent thriller that we would love to see turned into a movie. Will you be bringing out an Audio edition?
Russinovich: There is an audible version for Zero Day and Trojan Horse will be coming out soon from Audible. The publisher asked if I would be willing to do some special content for it. On some of their audio books they have had the author interviewed or have the author in a chat session with someone else. I asked Kevin Mitnick, the author of Ghost on the Wires, and a reformed cyber-hacker to do it with me, so there will be about 45 minutes of bonus material where we’re talking about cyber security.
Seattle24x7: We had to laugh when we read the book’s preface which we presume you asked Kevin to contribute. Mitnick wrote, “After reading the book, I am left wondering how prudent the decision was to open an emailed copy of a manuscript called “Trojan Horse.doc!”
Russinovich: Yes, Kevin did his time in prison and came out reformed. He became a white hat security researcher and consultant. I actually met him because he sent me emails asking about the tools that I make. I had Howard Schmidt do the forward for Zero Day. When I was doing this book, Trojan Horse, I had established this friendship with Kevin, his book Ghost On the Wires was wildly successful, so I reached out to him and he said sure.
Seattle24x7: It’s good to see that at least two cyber-warriors have made peace. [24×7]
Preview Trojan Horse on Amazon. http://www.amazon.com/Trojan-Horse-Novel-Mark-Russinovich/dp/1250010489/ref=sr_1_1?ie=UTF8&qid=1351730197&sr=8-1&keywords=Russinovich
Read the Prequel, Zero Day, on Amazon: http://www.amazon.com/Zero-Day-Novel-Mark-Russinovich/dp/1250007305/ref=sr_1_3?ie=UTF8&qid=1351730197&sr=8-3&keywords=Russinovich
Maddy Holup contributed to this story.