NATO cybersecurity is worse than it looked; a lot worse

Fake Facebook pages targeting NATO top general are tip of a very insecure iceberg

If you've ever returned from a lunchtime or late-night event a few minutes or hours (or days) late to find a boss, a spouse or a parent standing, arms folded, waiting for an explanation, no one has to tell you it's easy for other people to leap to the wrong conclusions based on scant evidence.

On the other hand, scant evidence and obvious conclusions are often pretty accurate; even by definition, the once-in-a-lifetime series of coincidences that made you late and may be responsible for that sick new tattoo are simply too rare to undermine the credibility of the obvious conclusion under certain circumstances.

I mention this because of my disappointment at having an obvious conclusion confirmed.

Yesterday I mentioned that the North Atlantic Treaty Organization (NATO) had formed a Rapid Response Team responsible for dealing with sudden cyberattacks from unfriendly countries intent on committing acts of cyberwar.

I pictured the team forming NATO's Computer Incident Response Capability (NCIRC) springing into action with a more-lethal, military version of the fluid, aggressive response that was standard operating procedure at content-distribution network Akamai when I wrote about it in 2005.

The attack I wrote about wasn't terribly unusual for the time: a DDoS attack on a few of Akamai's DNS servers whose traffic volume was near the high end of what had been recorded by 2005, but nowhere near enough to set any records or overwhelm Akamai's multilayered network.

The response was pretty impressive, however. Alarms alerted Akamai's chief of security and its network operations center as soon as the first DNS server started misbehaving under the attack.

By the time Andy Ellis, the security chief, walked to the NOC, most of the White Hat quick-response team members who were on call were already on a conference bridge, assigning portions of the detailed attack-response plan appropriate for that particular attack.

Within 90 minutes the White Hat crew had used a series of packet filters, router reconfigurations, redirects and other countermeasures to block most of the attack traffic, had notified Internet and government contacts so they could shut down or prepare for the assault, and had cached forensic evidence that could be used to trace the attack back to its source.
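For readers who want to see what that sequence (alarm, filter, preserve evidence) looks like in practice, here is an added illustration that is not from the original post and is not Akamai's tooling: a toy triage pass over DNS query logs. The log format, the addresses, the 10-second window, the 50-query threshold and the use of Linux iptables for the packet filter are all assumptions made for the example.

```python
# Added example, not from the original post and not Akamai's own tooling:
# a minimal triage pass over DNS query logs that does the three things the
# post describes -- raise an alarm on a misbehaving source, emit packet-filter
# rules for it, and set the raw evidence aside before the filter hides it.
# Log format, addresses, window and threshold are all assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one "ISO-timestamp src-ip qname" entry per query.
# 203.0.113.9 floods random subdomains (a common DNS-flood pattern);
# 198.51.100.7 and 192.0.2.3 are benign, low-rate clients.
BASE = datetime(2005, 6, 1, 12, 0, 0)
SAMPLE_LOG = []
for i in range(120):  # 120 queries in ~9.6 seconds
    SAMPLE_LOG.append(f"{(BASE + timedelta(milliseconds=80 * i)).isoformat()} 203.0.113.9 x{i:04d}.example.com")
for i in range(6):    # 6 queries in 6 seconds
    SAMPLE_LOG.append(f"{(BASE + timedelta(seconds=i)).isoformat()} 198.51.100.7 www.example.com")
for i in range(8):    # 8 queries in 8 seconds
    SAMPLE_LOG.append(f"{(BASE + timedelta(seconds=i)).isoformat()} 192.0.2.3 mail.example.com")


def parse_line(line):
    """Split one log line into (timestamp, source ip, query name)."""
    ts, src, qname = line.split(" ", 2)
    return datetime.fromisoformat(ts), src, qname


def detect_flooders(lines, window=timedelta(seconds=10), threshold=50):
    """Alarm condition: a source that sends more than `threshold` queries
    inside one fixed window. Returns [(src, peak_count)] sorted by peak,
    descending; an empty list means nothing tripped the alarm."""
    parsed = [parse_line(line) for line in lines]
    if not parsed:
        return []
    first = min(ts for ts, _, _ in parsed)
    counts = defaultdict(int)  # (src, window index) -> queries seen
    for ts, src, _ in parsed:
        counts[(src, int((ts - first) / window))] += 1
    peak = defaultdict(int)
    for (src, _), n in counts.items():
        peak[src] = max(peak[src], n)
    return sorted(((s, n) for s, n in peak.items() if n > threshold),
                  key=lambda item: -item[1])


def filter_rules(offenders):
    """Packet-filter countermeasure: one iptables DROP per offending source.
    Assumes a Linux resolver taking UDP/53; other platforms need other syntax."""
    return [f"iptables -A INPUT -p udp --dport 53 -s {src} -j DROP"
            for src, _ in offenders]


def preserve_evidence(lines, offenders):
    """Keep every raw line from each offender for later attribution, captured
    before the filters make that traffic disappear from the logs."""
    wanted = {src for src, _ in offenders}
    evidence = defaultdict(list)
    for line in lines:
        _, src, _ = parse_line(line)
        if src in wanted:
            evidence[src].append(line)
    return dict(evidence)


def triage(lines):
    """Run the whole sequence and return (offenders, rules, evidence)."""
    offenders = detect_flooders(lines)
    return offenders, filter_rules(offenders), preserve_evidence(lines, offenders)


if __name__ == "__main__":
    offenders, rules, evidence = triage(SAMPLE_LOG)
    for src, n in offenders:
        print(f"ALARM {src}: {n} queries in one {10}s window")
    print("\n".join(rules))
    print({src: len(kept) for src, kept in evidence.items()})
```

The order matters and is the part worth taking from the Akamai story: evidence is collected from the same log the alarm fired on before the DROP rules are applied, because once the filter is in place the attacker's packets never reach the logger and the attribution trail goes cold. A real deployment would use a sliding rather than fixed window and would rate-limit before dropping outright, so a spoofed source can't be used to get a legitimate network blocked.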

It wouldn’t have made a good action sequence; sysadmins and systems architects spring into action in ways that are not visually arresting.

But Akamai had a lot of experience with DDoS and other attacks, gained long before most companies would even admit to having been probed by vandals or extortionists.

On-call members of the response team showed up when they were supposed to, knew their roles in the various emergency response plans, knew how to apply countermeasures and whom to notify of the attack, and divvied up specific tasks quickly rather than spending more time talking on the conference bridge than it would have taken to put down the attack.

How could a content-distribution network be better prepared for cyberwar than the alliance that won the Cold War?

By contrast, the NATO release announcing the new cyberwar-response team described its emergency response procedure as being to "meet immediately and draw up a plan of action. The aim is to restore the systems so that everything gets back to normal operation as quickly as possible."

No mention of identifying the source of the attack, or of using preconfigured defenses and countermeasures to take control of the attack and then carry it back to the enemy, all of which have become standard procedure for modern civilian IT security operations.

Most military organizations include that same sequence as part of the response plan to any stimulus – from an ambush to a booty call.

I thought for a while I might have been reading too much into a little drab verbiage from a military organization that is heavily bureaucratized and larded with diplomatic requirements and responsibilities.

Under the bland descriptors, it's possible NATO had the digitized version of Rambo and Chuck Norris confined in armored containers, waiting to kill and eat any hacker foolish enough to toy with the toughest multinational military organization this side of the U.N.

This morning Sophos security's NakedSecurity newsletter ran advice called Five free tips to avoid falling for Facebook scams.

Rather than using the usual victimized, computer-phobic grandmother as the news hook and human-interest angle, however, Sophos retold the story of how hackers suspected of being Chinese spies created a fake Facebook account for the Supreme Allied Commander of NATO in Europe.

The U.K.'s Guardian newspaper referred to the fake account as having the "sophistication and relentlessness" of attacks often referred to as advanced persistent threats and theorized that only a state-sponsored intelligence agency could have been behind the attack.

It's probably more accurate to say the attackers must have had at least the technological sophistication of the average 14-year-old American high school kid.

That might have made NATO look even lamer for not having detected or stopped the "attack" until an unspecified number of NATO and British military officials had friended the fake Admiral James Stavridis, allowing the fakers to harvest their private email addresses, pictures and phone numbers, according to the Telegraph.

The fake NATO-commander page may have seemed more credible because Stavridis actually does maintain a genuine Facebook page on which he announced the end of the war in Libya last October.

There have been a number of other fake James Stavridis pages on Facebook, according to a NATO spokesperson quoted in the Telegraph.

No one is admitting how long any of the pages were up before being identified and deleted; this one managed to remain undetected for at least a few days despite regular efforts to identify fakes by Facebook, by NATO itself and by what the Guardian describes only as a "major defence company" recently awarded a 40-million-pound contract to bolster security at NATO headquarters and outlying offices in Europe.

Cold War? Call NATO. Cyberwar? Call someone else. Anyone else.

I admit that a laconic description of a quick-response team's organization and goals, and a leisurely reaction to fake Facebook pages, may not be good indications of how effective NATO will be at defending itself against cyberattack.

Its tendency to rely on Facebook to sniff out fake-seeming pages and delete them, rather than policing social networks itself, doesn't make me any more optimistic about the likelihood that NATO will become really effective at defending against an actual cyberattack, as opposed to a social-engineered spoof.

The issue, as with the U.S. military, isn't the skill of the security experts involved or the sophistication of the attacks.

It's the attitude of commanders who say cyberspace is the new battlespace, but who think of information warfare as something for spies and geeks, not for real warriors, who don't think anything is dangerous unless it explodes.

It's the tendency of military organizations to overprepare for dangers they've already experienced and not take new dangers seriously.

It's the training and groupthink that leaves (mostly U.S.) commanders who talk about cyberspace as the new battlespace sounding like they're talking about the plot of the original Tron rather than opponents whose offensive skills are so well developed you can't keep them from penetrating your networks even when you've known for years they spend more time on your servers than you do.

It's the orderly, organized, mayhem-controlling thought process that allows military people to be prepared for the brutal chaos of real war.

Rigid process orientation is a handicap when facing enemies who arrive with no notice and no support, who attack targets the military has never needed to protect much in ways that don't seem that dangerous to officers who have learned to judge danger by the ratio of metal to air in the atmosphere, not the length of the key in an encryption scheme.

I admit it's entirely possible I'm jumping to conclusions about NATO, though both NATO and my conclusions about it are modeled on the U.S. military.

It's more likely that NATO will continue to be vulnerable to what the Chinese are turning into a dominance of cyberspace almost as complete as Britain's dominance of naval power during the growth of its Empire in the 19th century.

It's likely that the safest place NATO can keep its secrets, even when they're protected by a military rapid-response team, will be somewhere – anywhere – other than NATO.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
