4. “Cyberspace is [a] continuously contested territory in which we can control memory &
operating capabilities some of the time but cannot be assured of complete control all
of the time or even of any control at any particular time”
-- Richard Danzig, adviser to President Obama
A Contested Territory
5. “Possession, ownership & control [of data & assets in cyberspace] do not overlap”
-- Thomas Dullien, Google Security
A Contested Territory
6. “[Cyber] offence & defence is the wrong dichotomy: it should be control & non-control”
-- Dave Aitel, former NSA cyber operative
A Contested Territory
7. “Think about it for a moment - we share the same network with our adversaries”
-- George Tenet, former CIA director (exactly 20 years ago)
A Contested Territory
8. This anxiety around the paradox of control, or the lack of it, in cyberspace has not waned
even a bit
A Contested Territory
9. “NSA’s aim: mass compromise & expansion of compromise boundaries”
-- Morgan Marquis-Boire, former writer with The Intercept
(Possibly inspired by Dullien’s work)
Try replacing “boundaries” with “territories”…
A Contested Territory
10. “If we were to score cyber the way we score soccer, the tally would be 462-456 twenty
minutes into the game, i.e., all offence”
-- Chris Inglis, former deputy director with the NSA
Structural Dominance of Offence via Politics
12. Cyber offensive A-teams rely more on political subterfuge than on technical means
• NSA’s TAO, SCS, etc., are hybrid & interdisciplinary teams
• “Insert vulnerabilities into commercial encryption systems, IT systems, networks, & endpoint
communications devices used by targets” – 2012 budget document of the NSA
• Traditional cryptanalysis & hacking gave way to clandestine intelligence activities or black-bag
jobs of TAO via the CIA, DIA, FBI, State Dept., NSF & NIST
• “[S]ecret efforts by the U.S. intelligence community to interdict the shipment of advanced
encryption technology to America's enemies around the world & insert ‘back doors’ into
commercially available computer, communications, and encryption technologies” – Matthew
Aid, Foreign Policy
Structural Dominance of Offence via Politics
13. Cyber offensive A-teams rely more on political subterfuge than on technical means
“[T]he NSA reviewed National Science Foundation grant…the agency appeared to use this
process to exercise control over nongovernmental cryptography research”
“[T]he NSA reviewed & approved an NSF grant application from Ron Rivest…An internal
NSA history suggests that the agency would have tried to derail Rivest's grant
application if the reviewers had understood what Rivest would do with the money”
-- Henry Corrigan-Gibbs, Stanford Magazine
Structural Dominance of Offence via Politics
14. Cyber offensive A-teams rely more on political subterfuge than on technical means
“The [EuroCrypt’92] conference again offered an interesting view into the thought
processes of the world’s leading ‘cryptologists.’ It is indeed remarkable how far the
Agency has strayed from the True Path”
-- An anonymous NSA cryptologist writing for CryptoLog, an agency newsletter
declassified in 2014
Structural Dominance of Offence via Politics
15. But why political?
“Investment in a high end "Man on the Side" technology stack can run you into the
billions. You'd better hope the meta doesn't change until your investment pays off. And
what are the strategic differences between TAO-style organizations and the
Russian/Chinese way? It's possible to LOSE if you don't understand & adapt to the
current up-to-date Meta of the domain you are in, no matter what your other
advantages are”
-- Dave Aitel
To rewrite the physics of the domain at will
Structural Dominance of Offence via Politics
16. Cyber Meta has a political architecture
• TURMOIL/QUANTUM: “Relies on its secret partnerships with US telecoms companies”
• BULLRUN: “There will be NO 'need to know’”
Structural Dominance of Offence via Politics
17. Cyber offensive A-teams rely more on political subterfuge than on technical means
• The SuperMicro story, even if partially true, follows
the same political template of A-team operations
• Were the Chinese using political leverage to tackle
attribution?
-- Dave Aitel
Structural Dominance of Offence via Politics
18. Political bureaucracy as the technical signature of a cyber operation
Lineage & Mathematics
• Nazi rocket scientists: Wernher von Braun et al. > US space programme;
Helmut Gröttrup et al. > Soviet space programme
• CV Raman > Homi Bhabha > Vikram Sarabhai > Indian space programme
Structural Dominance of Offence via Politics
19. Political bureaucracy as the technical signature of a cyber operation
• “Your adversary has a boss and a budget” – The Grugq
• It defines operational tooling, tactics & tempo of the offensive team
• Is code reuse a technical thing or an expression of political semantics?
• Exploitation is a technology tree & targeting is limited by policy restrictions -- Aitel
• Did Metasploit originate in the public from the exploitation Meta of pre-2004 TAO toolchains?
Structural Dominance of Offence via Politics
20. Political bureaucracy as the technical signature of a cyber operation
Code Reuse: Opcodes & Ontology
• 2006: Thomas Dullien ran a “phylogenetic clustering algorithm” on a genus of
malware, finding that “although we have ~200 samples, we only have two large
families, three small families, two pairs of siblings, & a few isolated samples”
• 2011: Google acquires Zynamics
• 2012: Google acquires VirusTotal
• 2017:
Structural Dominance of Offence via Politics
21. Political bureaucracy as the technical signature of a cyber operation
Code Reuse: Opcodes & Ontology
• 2018:
Structural Dominance of Offence via Politics
22. Political bureaucracy as the technical signature of a cyber operation
Code Reuse: Opcodes & Ontology
• Exploitation is a technology tree
• Operation Aurora -> Barium/Winnti/APT17/Axiom
• Winnti >>> Hashing subroutine <<< ShadowPad/NetSarang
• Winnti >>> base64 <<< CCleaner Stage 1
• Winnti >>> String obfuscation <<< CCleaner Stage 2
(Sources: Costin Raiu, Kaspersky & Intezer)
Structural Dominance of Offence via Politics
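The two slides above (the 2006 "phylogenetic clustering" of ~200 samples into a handful of families, and the Winnti >>> shared subroutine <<< ShadowPad/CCleaner links) both rest on one technique: treating a reused subroutine as an inherited trait and grouping samples that carry it. The script below is an added illustration of that idea; it is not the page's code, nor Dullien's, Zynamics' or Google's. Every opcode sequence is constructed, the sample names s1–s5 are placeholders rather than real families, and the thresholds FUNC_MATCH and LINK are assumed values chosen for the toy data. Functions are compared as sets of opcode n-grams with Jaccard similarity, samples are linked when enough of their functions reappear in the other, and single-linkage grouping then produces families, so a sample linked to one family by a hash routine and to another by a base64 routine pulls both into one lineage even though those two never share code directly.

```python
"""
Toy code-reuse clustering of malware samples (added example, constructed data).
Each sample is a dict of function name -> list of opcode mnemonics; in practice
these would come from a disassembler. Thresholds are assumptions for this toy.
"""
from itertools import combinations

N = 3             # opcode n-gram length
FUNC_MATCH = 0.6  # Jaccard at or above which two functions count as one reused subroutine
LINK = 0.5        # share of matched functions at or above which two samples are linked

# Constructed "reused" subroutines; the labels only describe the role they play here.
HASH = "push mov xor mov movzx imul add inc cmp jne pop ret".split()
HASH_VARIANT = "push mov xor mov movzx imul add inc cmp jne mov pop ret".split()  # one inserted mov
B64 = "push mov shr and movzx mov shl or mov inc cmp jb pop ret".split()
OBF = "mov xor rol mov inc cmp jne ret".split()

# Constructed samples; the "main"/"helper" bodies are unique to each sample.
SAMPLES = {
    "s1": {"hash": HASH, "b64": B64, "obf": OBF,
           "main": "push call test jz mov lea call pop ret".split()},
    "s2": {"hash": HASH_VARIANT, "obf": OBF,
           "main": "sub call cmp jge mov add ret".split()},
    "s3": {"hash": HASH, "main": "push lea call test jnz xor pop ret".split()},
    "s4": {"b64": B64, "main": "mov call or jz lea call leave ret".split()},
    "s5": {"main": "push push call add test jz pop ret".split(),
           "helper": "xor mov push call pop ret".split()},
}


def ngrams(opcodes, n=N):
    """Set of consecutive opcode n-grams; order inside each n-gram is kept."""
    return {tuple(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1)}


def jaccard(a, b):
    """Jaccard similarity of two sets (1.0 for two empty sets)."""
    return len(a & b) / len(a | b) if (a or b) else 1.0


def shared_functions(funcs_a, funcs_b):
    """Names of functions in funcs_a that closely match some function in funcs_b."""
    grams_b = [ngrams(ops) for ops in funcs_b.values()]
    return sorted(name for name, ops in funcs_a.items()
                  if any(jaccard(ngrams(ops), g) >= FUNC_MATCH for g in grams_b))


def sample_similarity(funcs_a, funcs_b):
    """Fraction of the smaller sample's functions that reappear in the other."""
    return len(shared_functions(funcs_a, funcs_b)) / min(len(funcs_a), len(funcs_b))


def lineage_report(samples):
    """Linked sample pairs mapped to the reused subroutines that link them."""
    report = {}
    for a, b in combinations(samples, 2):
        if sample_similarity(samples[a], samples[b]) >= LINK:
            report[(a, b)] = shared_functions(samples[a], samples[b])
    return report


def cluster(samples):
    """Single-linkage families: union-find over every pair that passes LINK."""
    parent = {s: s for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in lineage_report(samples):
        parent[find(a)] = find(b)
    families = {}
    for s in samples:
        families.setdefault(find(s), []).append(s)
    return sorted(sorted(members) for members in families.values())


if __name__ == "__main__":
    for (a, b), shared in lineage_report(SAMPLES).items():
        print(f"{a} <-> {b} via {', '.join(shared)}")
    print("families:", cluster(SAMPLES))
```

Running it links s1 to s2 via the hash and string-obfuscation routines (the hash variant with one inserted instruction still clears FUNC_MATCH), s1 to s3 via the hash routine and s1 to s4 via the base64 routine, so s1 through s4 form one family while s5 stays isolated; s3 and s4 never match each other directly, which is exactly the transitive lineage the slide draws between ShadowPad and CCleaner through Winnti. On real corpora the n-gram length, thresholds and function extraction all need tuning, and compiler-emitted prologues should be filtered out before matching or every sample will look related.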
23. Politics influences industry choices & dynamics
• The ciphers you use
• The processors, routers & antivirus you run
• The defensive “innovations” in the security industry
• The unjustifiable persistence of centralized architectures like DNS, SSL & BGP, etc.
• Bug classes like Spectre & Meltdown
• What hackers say, or do not say
Structural Dominance of Offence via Politics
24. The political choice for markets like India is whether to choose Kaspersky or FireEye
• Cybersecurity vendors become foot soldiers
• Malware used by the U.S. in offensive cyber-operations plays “nice”… “We see guardrails on
malware from nations like the U.S.” -- Kevin Mandia, CEO, FireEye
• CyberScoop recently reported that FireEye had drawn a red line around exposing certain
activities by so-called “friendlies”
Structural Dominance of Offence via Politics
25. Politics severely degrades the defensive architecture
Imagine this for commercial-grade enterprise security?
Structural Dominance of Offence via Politics
26. Cybersecurity as A Function of Power
“[C]ybersecurity is all about power & only power”
-- Dan Geer, CISO, In-Q-Tel
27. Cybersecurity as A Function of Power
“Cyberweapons are power projection tools”
-- Gen. Michael Hayden, former director of the CIA & NSA
28. Cybersecurity as A Function of Power
The Declaratory Model: 1995-2014
Aitel labelled Stuxnet as, more than anything else, the “announcement of a team” that
could take out any factory, any time
The current structures of offence are biased towards declaratory dominance
29. Cybersecurity as A Function of Power
The Escalatory Puzzle
“Look, we’re moving into a new era here where a number of countries have significant
capacities…But our goal is not to suddenly, in the cyber arena, duplicate a cycle of
escalation that we saw when it comes to other arms races in the past, but rather to
start instituting some norms so everybody’s acting responsibly”
-- Barack Obama, 2016