In 2003, Saddam Hussein was on the run. With his chain of command eliminated, traditional intelligence efforts to track him down were failing. Col. James Hickey, U.S. Army, heading the intelligence operation to find Saddam, determined that the reclusive Iraqi dictator only trusted and communicated with family members of his own tribal group. As Hickey said, “We built a fairly elaborate estimate of who Saddam’s supporters were in the area; though it did provide security, it also worked against them. Once we learnt who did what, it allowed us to work against them.”¹

Hickey and his team were using a nascent form of Social Network Analysis (SNA). In its purest form, SNA relies on examining the linkages between people and places within a defined group or locality in order to deduce the key decision makers or vulnerable links and where they are located. In this case, it was the pinpointing of Saddam’s chauffeurs that led to his historic capture.

Figure 1

Social Network Analysis

Social Network, or Link, Analysis distinguishes between the friendly, hostile and neutral players who populate the ‘human terrain’ where modern counter-insurgency operations take place. Formerly a paper-driven exercise involving considerable resources, it was largely confined to headquarters’ intelligence staffs rather than front line units. By automating the process it is now possible to map linkages between thousands of intelligence sources simultaneously from routine patrol contacts, electronic warfare intercepts, aerial surveillance and other sources.

Analysts can then identify key nodal points in the decision-making or communications network (Figure 1) in near real time. A recent trial of SNA² demonstrated that it can now be used by front line units to cope with a complex human terrain consisting of multiple actors with differing agendas. “Counter-insurgency operations are complex to say the least; gone is the conventional red and blue intelligence picture. [With SNA] we can operate in a complex human terrain comprising multiple actors and a constant stream of intelligence.”³

Using only a standalone SNA solution, the unit concerned was able quickly to build up a comprehensive ‘Who’s Who’ of people populating their tactical area of responsibility, establish linkages between people and places, pinpoint key decision makers and predict potential firing points – all in near real time.

Linking this capability with compatible databases and geospatial systems makes it even more effective. And the increasing reach and bandwidth of the Afghan Mission Network (AMN) now offers the prospect of networking this capability to operational headquarters, achieving a common intelligence platform operating from tactical to strategic levels with SNA as a key element. Information superiority is at last becoming a realistic and achievable goal in the war against terrorism.

Network Defence

As military systems and civilian society become more networked, they become more vulnerable to exploitation and attack. In World War II Hitler sought to undermine the UK’s Critical National Infrastructure (CNI) by kinetic aerial attacks on its cities and industrial bases. The modern equivalent would be a cyber attack on our computer networks or exploitation of the Internet. We don’t have far to look for a military example. In July 2008 Ossetian rebels provoked a conflict with Georgia; and Georgia countered with its own air strikes and a ground invasion.

The Russian army responded in force, ejecting the Georgian army from South Ossetia. An integral part of this response was cyber warriors striking on the virtual battlefield, using denial-of-service attacks to shut down Georgian government websites, disrupt Georgian financial institutions and block Georgian access to the outside world.

Recognising that Cyber is becoming the fifth dimension of warfare (after Land, Sea, Air and Space) the UK Government has committed more than £600M to Cyber Security. While it was one of the few growth areas in the Strategic Defence and Security Review (SDSR), details have yet to emerge about precisely where those funds will be invested. Identifying specific cyber threats is not as clear-cut as kinetic warfare because of anonymity. Identifying who is initiating the attack, and where it is coming from, will be the key challenge. This is where SNA and link analysis techniques can come to the forefront, identifying key linkages and the source of the attack.

Sources:

¹ “I am Saddam Hussein the President of Iraq and I am willing to negotiate,” The Guardian, 16 December 2003.

² Ist Battalion Royal Gurkha Rifles (1 RGR) used off-the-shelf stand-alone Analyst’s Notebooks from i2 on their recent deployment in Helmand Province, Afghanistan.

³ Major Shaun W Chandler, 1 RGR.

As White House Cyber Czar Howard Schmidt pointed out at an Infragard Alliance breakfast in late January, the technology and capabilities available on mobile devices are way ahead of the current state of security, presenting a high value target for hackers, criminals and terrorists.

For example, applications like Venmo and Bump facilitate payments from mobile devices by linking to bank and credit card information and transmitting payment data via barcodes on the screen, by infrared or by NFC (near-field communications). Starbucks has already made available to customers its own iPhone payment application.  

“These tools [mobile software apps] have historically weak coding and security practices, and will allow cyber criminals to manipulate a variety of physical devices through compromised or controlled apps,” wrote McAfee Labs in the report, adding that many end users do not realize their mobile devices are full-blown computers and they are connected to a network.

Certainly the implications for consumer fraud are rife. More alarming are potential threats to national security and critical infrastructure. The U.S. Army just announced its intention to equip every soldier with a smart phone, and software maker Indusoft recently introduced a SCADA (Supervisory Command and Data Acquisition) application for iPhone, iPad and Blackberry allowing a wireless mobile interface with computer networks that control such critical infrastructure as energy and water facilities.

Dave Marcus, director of Security Research and Communications at McAfee, suggests that for end users, the best defense against mobile cyber crime is knowing your device, knowing what security settings you should have in place, and most importantly knowing what the applications you are using are actually doing. For instance, while end users may be aware that mobile apps can expose privacy and identity data, many users may not be aware that when they post to social networks, send e-mail or perform other seemingly benign activities, many devices are simultaneously transmitting GPS data so that hackers can instantly learn their physical location in addition to whatever else they may be attempting to do.

A byproduct of Twitter for instance – and other limited text communication environments popular on mobile devices – is tiny urls.  Using hyperlink embedding to transmit a longer potentially malicious URL, they are not as easily recognized by users or security software, and are currently capable of bypassing a wide range web filtering countermeasures.

Cyber criminals are targeting more Apple devices in 2011 as their popularity grows in business environments. The use of Botnets, which have now evolved to be capable of swiping data directly from computers vs. simply hijacking them to send spam, will become a common occurrence on Apple platforms in 2011 according to McAfee.

As technology and utilization continue to leapfrog past security, there are nonetheless progressive tools becoming available to help investigators stay ahead of threats by automating and expediting what was once a largely manual process, one which did not easily allow for the pooling and comparison of data from multiple devices.

 To learn more about these tools, attend the upcoming webinar “Mobile Telephony: The Next Wave in Cyber Crime” on Feb. 9.  For more information, visit www.i2group.com.

The Intelligence and National Security Alliance (INSA)  today named i2 CEO Robert Griffin to its Board of Directors.  Griffin joins industry and government leaders from Booz Allen Hamilton, CACI, Lockheed Martin, ManTech, Microsoft, QinetiQ North America, Raytheon Intelligence and Information Systems, SAIC and the Office of the Director of National Intelligence.  In this role, he will work with the Board to help drive INSA’s agenda across the Intelligence and National Security Communities.

Established in 1979, INSA is a non-profit, non-ideological, professional association created by intelligence professionals as a non-partisan, unbiased forum to develop new solutions that improve our nation’s security.  Through member-driven Councils and Task Forces, INSA is engaging the broader public to help find solutions, and is working to create the workforce from which the leaders of the next generation will rise.

“Robert Griffin brings tremendous knowledge and insights about how national security, defense and law enforcement organizations can rely on technology in enhancing information sharing and managing the deluge of data coming from multiple sources,” said Frances Fragos Townsend, INSA Board Chairwoman. “We are pleased to have him join our Board.”

“As the Intelligence Community faces ongoing terror, cyber and criminal threats, the importance of an effective public private partnership is paramount in enhancing public policy, processes and best practices as these threats evolve,” said Griffin.  “INSA has made tremendous strides in bringing together the right mix of perspectives from industry, academia and government.  I look forward to working with the Board in identifying and creating new approaches to solve our national security challenges.”

Griffin leads a global workforce of about 400 employees.  He became i2 CEO after the 2009 merger of i2 and Knowledge Computing Corporation (KCC), where Griffin served as President and CEO.  While there, he successfully transformed KCC from a small technology company to become the leading provider of technology-based crime-fighting solutions. Prior to KCC, Griffin co-founded eMotion Inc., a leader in digital media management technology and services. Under his leadership eMotion achieved the Deloitte and Touche Fast 50 and Fast 500 for each of his years there.

As an INSA Board member, Griffin will serve a three-year term through September 30, 2013.

“We cannot do it without industry support, and industry can’t do it without our support,” he said. “But by the time a company reaches out to DHS after an attack, the damage is already done.”

Discussions about the importance of a Public Private Partnership – widely recognized as P3 in policy circles and by cyber practitioners – are happening on an almost daily basis.  In light of Gen. Alexander’s statements to Congress, there needs to be an honest discussion about the role of the private sector and how involved they should be with the government in developing processes and solutions.  Discussions about how real the threat is are useless unless it leads to action.  P3 efforts in other areas important to our country’s interest like healthcare and education have been challenging.  While hurdles exist in cyber, collectively, we have an opportunity to get this right. 

However, no one has settled on a viable process or standard for what P3 looks like or how it works. For example, Cyber Command, US-CERT, NSA and DHS all will have a role in working with “critical infrastructure” companies but that has yet to be sorted out regarding where responsibilities lie and exactly what they are going to do. The omnibus answer seems to be coming under the Einstein protective umbrella but not everyone is going to want to do that, and it is not ready yet anyway. 

The central issue revolves around trust.  While the technology is strong and getting better every day at identifying and isolating cyber threats, success with P3 initiatives relies on neutrality and a willingness to share information in a way that can lead to quantifiable results.  Organizations like the National Cyber-Forensics and Training Alliance (NCFTA) and InfraGard – which provide protective security advice to businesses and organizations across the national infrastructure – are building cooperation, collaboration and information sharing models between government and the private sector. 

“Information sharing and collaboration are crucial in attaining cyber threat identification and mitigation,” said Ron Plesco, CEO of the NCFTA.

And just recently, the GAO and DHS issued a report on critical infrastructure protection.   The GAO found that “private sector stakeholders…expect their federal partners to provide usable, timely, and actionable cyber threat information and alerts; access to sensitive or classified information; a secure mechanism for sharing information; security clearances; and a single centralized government cybersecurity organization to coordinate government efforts. However, according to private sector stakeholders, federal partners are not consistently meeting these expectations.”  

At the same time, private companies cannot wait for government action to protect their infrastructure.  They should all have cyber plans in place as part of their business continuity planning.  This involves data preservation, Plan B options to stay in touch with customers and vulnerability assessments to determine what is needed to protect them.

William J. Lynn III, deputy defense secretary, and Air Force General Ken Chilton, head of the U.S. Strategic Command (STRATCOMM, which encompasses the U.S. Cyber Command) warn of these escalating threats from cyber espionage and computer crimes, and encourage greater cooperation between the federal government and private industry. The U.S. CERT (Computer Emergency Readiness Team) has been developing the Einstein project since 2004, an intrusion detection system (IDS) that monitors the network gateways of government departments and agencies for unauthorized traffic.  Currently dubbed Einstein 2, its pending third generation deployment (Einstein 3) will not only monitor but also actively block and prevent cyber intrusions.  Businesses that are at risk can ask to come under the protection of the Einstein program; for the time being Einstein is a start in the right direction in protecting critical infrastructure businesses.

“Einstein 2 is like a 1999 Mustang with a little rust,” said James Lewis, a cyber security expert and senior fellow at the Washington-based Center for Strategic and International Studies. “For some companies it isn’t a big deal, but for others who haven’t done much to secure their networks, it would be a good idea.”

There still exists considerable policy discussion as to who will administer this program to private industry.  One possible choice would be the Department of Homeland Security (DHS). There is no question that this needs to become as high a priority as the decision enabling the U.S. Cyber Command to lead the way for military cyber defense.  The risks to national security with an exposed private sector infrastructure are too high.

For more information about cyber, listen to an on-demand Webcast — “Sharing and Layering in Cyber Investigations“.

“Information sharing and collaboration is crucial in attaining cyber threat identification and mitigation” said Ron Plesco, CEO of the National Cyber-Forensics and Training Alliance, a non-profit organization in Pittsburgh, Pa., that brings together academia, law enforcement and industry to share strategies for identifying, mitigating and neutralizing cyber crime.

Drawing on the insights and experience of i2, we have developed a white paper, “Sharing & Layering of Data in Cyber Investigations,”  that explores the impact of cyber crime, the need for multiple data collection and analysis tools and access to relevant data sources to combat it, and the crucial importance of shared information between government agencies, law enforcement and private enterprise as the key to apprehending and convicting the criminals who commit these illegal acts.  A full copy of the white paper is available on the premium content section of the i2 website.  Click this link to register.

Mapping of complex hacker networks

For too long hackers have felt secure hiding behind the disconnect between the real-world and cyber world.  Using BotNets, hackers have too easily been able to conceal their identities.  Or they were, before i2’s Cyber solution provided a way to bridge that gap.  In a new case study about cyber risks, i2 looks at how Dr. Craig Valli and his research students at the Edith Cowan University School of Computer Security and Forensics  used our Cyber solution to identify and isolate hackers.  Dr. Valli’s team set a Honeypot trap for would-be hackers to lure them into attacking a seemingly vulnerable operating system. With each attempted intrusion millions of cyber security logs were collected into a database.  Using the i2 Cyber solution, Dr. Valli’s team saved hundreds of man hours analyzing the records that allowed them to pinpoint the hackers in the real world.

“Analyst’s Notebook takes hundreds of thousands or millions of lines of textual data and transforms it into a rich graphical story.”

– Dr. Craig Valli, Edith Cowan University School of Computer Security and Forensics

To learn more about how Dr. Valli’s team used i2’s Cyber solution, download our latest case study, “Caught in the Honeypot,” available on the premium content section of the i2 website.  Click this link to register. 

Indeed the U.S. Air Force recently inaugurated its first cyberspace-dedicated wing, the 24th Air Force. To earn their wings, these cyber security warriors will complete a challenging “X-Course” and be awarded Basic, Senior and Master Cyberspace Officer status.

In 2009, the intelligence center at Cheltenham in the UK formed a cyber security team similarly aimed at recruiting former “naughty boys”. “You need youngsters who are deep into this stuff…if they have been slightly naughty boys, very often they really enjoy stopping other naughty boys,” said Lord West, UK Minister for Cyber Security.