How to Be A Private Sector Cyber Mercenary

Monday, August 01, 2011

Kevin McAleavey


Gen. Michael Hayden, former NSA and CIA Director under President George W. Bush, suggested Friday that mercenaries could be the solution to the growing number of digital break-ins.

While making my customary reading rounds checking in on security issues, I happened upon this article at "" and I thought it would be interesting and amusing for everyone here to look into and discuss:

Hayden told the Aspen Security Forum that in the near future, the Department of Defense may have to allow the creation of a "digital Blackwater."

Private sector offense "might be one of those big new ideas in terms of how we have to conduct ourselves in this new cyber domain," Hayden explained. "You think back long enough in history and there are times when the private sector was responsible for its own defense."

"We may come to a point where defense is more actively and aggressively defined even for the private sector and what is permitted there is something that we would never let the private sector do in physical space ... Let me really throw out a bumper sticker for you. How about a digital Blackwater?" he suggested.

"I mean, we have privatized certain defense activities even in physical space and now you've got a new domain in which we don't have any paths trampled down in the forest in terms of what it is we expect the government or will allow the government to do. In the past when that has happened, private sector expands to fill the empty space. I'm not quite an advocate for that, but these are the kinds of things that are going to be put into play here very, very soon."

A video of the presentation can be seen on the "rawstory" site I linked to above.

After reading the adventures of some of the more notorious players in the "one man army" campaign against the Lulzers and other digital "ne'er-do-wells", I've come to appreciate that there are already players just chomping at the bit to be the first ones to step off a "black helicopter" and shoot up a computer room in some foreign backwater somewhere.

And perhaps, visions of some cheap knockoff Duke Nukem-like movie characters spraying a big room with industrial strength bullets might bring a big grin to admins who've been on the wrong side of a raid on their systems. However, I see many downsides to following up on this "plan".

Most of the machines that are used to attack your infrastructure aren't in some secret bunker hidden in an abandoned industrial area in the third world. They belong to the likes of my fabled "Uncle Todd" or grandma or perhaps your own kids in your very own playroom on the "family computer."

Backdoors and rootkits, forming large botnets of clients, are the usual modus operandi of both criminals and state actors. The bad guys hide behind proxies, TOR and other means of creating multiple hops between the attack and their true identities.

Anecdotal evidence I've seen indicates that many of the attacks credited to China actually ended up going through an infected client machine or server there because their security is far worse than our own!

I won't even bother with the quality of "doxing" which points authorities to the actual culprits and perps. Anyone who's been watching the Lulz has already seen how shaky disinformation can waste everybody's time.

So what happens if we give the "go order" on these "Blackwell's worst dressed list" guys like some we've read about here only to find out that they bombed a kindergarten with an infected machine?

My point here is what I've been saying all along. Retaliation feels good until you mess up. And as much as we want to discourage bad guys from raiding our toys, the only practical answer is to deny them the goods they seek by securing our toys so that they can't get into them to begin with.

To my mind it's far better to prevent the burglary in the first place rather than explaining to the cops why there's a dead guy in your living room. (and no, Uncle Todd is fine, just a little shaken up)

Information that you don't want showing up on pastebin or in the hands of your competitors shouldn't be on machines facing the internet at all. Databases shouldn't be directly connected to internet-facing servers. That's what middleware and proper filtering are for. Access passwords should be very long.

One thing I've always told MY users to keep their passwords safe and memorable is to make your password a sentence about something unique to that particular server (I always allowed 256 bytes for PW entries) that only they would know. Something like "Infosec Island is one of my favorite first stops when I wake up, can't wait to see what Krypt3ia wrote."

And no, that's not mine here. Heh. But such a scheme allows users to provide decent entropy even without having to remember where to type in special characters, and ensures that they don't call the help desk every morning asking for a reset. It works!
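To put some numbers behind the sentence-as-password idea above, here is an added example (not the author's code) that estimates the brute-force search space of a short "complex" password against the post's own sample sentence, and checks the sentence against the 256-byte field limit the author mentions. The per-character model is the naive character-class estimate; the word-based model assumes a 20,000-word attacker vocabulary, which is my assumption, not a figure from the post.

```python
import math

# Assumed server-side limit, taken from the post's "256 bytes for PW entries".
MAX_PASSWORD_BYTES = 256

# Assumption for the word-based model: the attacker guesses each word from a
# vocabulary of this size and gets no credit for capitalisation, punctuation
# or digits. This is the pessimistic estimate for a sentence passphrase.
ASSUMED_VOCAB = 20_000


def charset_entropy_bits(password: str) -> float:
    """Naive brute-force estimate: length * log2(size of the character classes
    actually present). An upper bound; it ignores dictionary structure."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(size) if size else 0.0


def passphrase_entropy_bits(sentence: str) -> float:
    """Word-based estimate: words * log2(vocabulary size)."""
    words = [w for w in sentence.split() if w]
    return len(words) * math.log2(ASSUMED_VOCAB)


def fits_limit(password: str) -> bool:
    """Length is measured in UTF-8 bytes, not characters, because the limit
    the post quotes is a byte limit; non-ASCII sentences shrink the budget."""
    return len(password.encode("utf-8")) <= MAX_PASSWORD_BYTES


def compare(short_complex: str, sentence: str) -> dict:
    return {
        "short_charset_bits": round(charset_entropy_bits(short_complex), 1),
        "sentence_charset_bits": round(charset_entropy_bits(sentence), 1),
        "sentence_word_bits": round(passphrase_entropy_bits(sentence), 1),
        "sentence_fits_256_bytes": fits_limit(sentence),
    }


if __name__ == "__main__":
    # Constructed inputs: a typical 8-character "complex" password versus the
    # sample sentence quoted in the post.
    sample_sentence = ("Infosec Island is one of my favorite first stops when I "
                       "wake up, can't wait to see what Krypt3ia wrote.")
    print(compare("P@ssw0rd", sample_sentence))
```

Even under the pessimistic word-only model the sentence comes out far ahead of the eight-character password, and the byte check is what catches a user whose accented sentence silently exceeds the field.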

But as much as you secure your server, it's the clients that are almost always the universal bypass for all you've done, especially the infected ones with a VPN right into your design workstations upstairs for a "weekend revision." Keeping those clean is what keeps us all up at night because you never know where they've been.

Here, proper authentication and proper security is the nearly unattainable key, as I wrote in a long-winded six-article missive on client security last week. But it can be done. That's what I've spent my last two years doing at The KNOS Project to keep the bad guys out and provide truly trusted computing for the client.

Where I'm going with this is that I see the actual problem being one of proper security and protection of the data you don't want others to have.

When I read about mercenaries taking out threats, it gives me nightmare visions of "jackbooted thugs" dropping from low budget helicopters and smashing all the windows of the tenth floor of the Small Animal Administration's annex in a rented loft downtown because that's where some dox lead them to raid, providing lulz.

CFLCC rules require positive identification of proposed military enemy, and given all we've seen from "Anonymous" and others as far as "false flags" go, I really have a problem with the creation of some "Private Sector Cyber Halliburton" arrangement shooting up the wrong place.

I believe that the best offense is a good defense and we're doing that very poorly. I think we should address that first. Physical retaliation is best served as a response to a physical attack once you have the proper coordinates.

However if this is where we're going to drag this carcass, then I really want to know which institute will issue me the coveted CIWDN certificate ("Cyber Information Warfare Duke Nukem") and how much it's going to cost me to buy one? Oh! And will I be issued a chain gun or does that come out of my pocket too?

"Who wants some?" (grin)

About the author: Kevin McAleavey is the architect of the KNOS secure operating system for client computers ( ) and has been in antimalware research and security product development since 1996.

JT Edwards: I think you are going to see a lot of interest in red team and aggressive offensive security. I think a lot of people out there feel they have done what they should have done and still got hacked and are now looking for alternatives. Heck, even NSA has taken the position that creating a system that can't be broken into is not realistic. The US military learned a long time ago the value of taking the fight to the enemy and the disadvantages that static defense brings you. That mentality will drive a lot of this, and the sad thing in it is a lot of organizations out there who should be learning to manage risk are going to be caught up in the hype. You are going to have a lot of IT teams that are going to be asked by some C level dudes to do some crazy stuff.
Sara Hald: I read the quote more as a digital attack force than a physical one. The tools would probably be hostile takeovers of C&C servers, bricking routers, or DDOS attacks against the attackers rather than chain guns. But at least you will have easier access to bubble gum...
Alicia Smith: Ahh, best write-up evar! I was actually discussing entropy in passwords earlier today in response to a comic. This reminds me of the novel Mnemosyne's Kiss in which information was as good as currency, depending on what the information was about. It's so easy to hide your identity online, and hackers like to brag; if you know where to look you can find them easy enough. I think you are absolutely right in that we must look at how we are storing data and how it's accessed. Firewalls, IDS, IPS, file integrity monitoring, WAF, code review, updated Anti-Virus, password complexity and aging, access control, encryption, two-factor authentication, and biometrics: is it not enough? While I realize not every company actually institutes the use of all of these things, there are those that do. Maybe people should be asking the right questions of the companies they want to do business with, and take their business elsewhere if they don't meet the requirements. It will send a message. I don't know what criteria the government uses to hire people or train them in regard to securing important/confidential/top-secret data, but once you start doing business of that nature in the public sector you increase your risk provided you are informing your personnel on what it is they are protecting.