Image of Ron Gula via Flickr
When the public hears about cyber-warfare, it tends to be something like the Stuxnet worm, which derailed Iran’s nuclear program by destroying a vital industrial control system. Or we see the Syrian Electronic Army hacking Twitter feeds in order to spread Bashar al-Assad’s counter-propaganda. These are just the juiciest stories, the biggest headlines. A great deal more hacking takes place in the shadows—stuff that is never reported.
Former NSA researcher and current CEO of Tenable Network Security, Ron Gula, has seen a bit of everything. At the NSA, Gula conducted penetration tests of government networks and performed advanced vulnerability research. After his work at NSA, Gula authored the Dragon IDS (Intrusion Detection System), and was CTO of Network Security Wizards, which Enterasys Networks later acquired. During his time at Enterasys, Gula worked in IDS for the government, as well as financial and commercial companies. At Tenable, he does similar work, with clients ranging from the Department of Defense to Fortune 500 companies.
When I agreed to meet with Gula, it was with every intention of talking about cyber-warfare at the state and corporate levels. But, upon meeting him yesterday, amidst great echoes of ambient noise at the Time Warner Center, we quickly went off on tangents. We talked about The Invisible Committee’s The Coming Insurrection, and how he gets a kick out of reading both Alex Jones and Mother Jones, before veering off into the fictional realms of the cyberpunk novels Snow Crash and Neuromancer. In fact, Gula thinks we’re headed toward a Snow Crash world; one in which state power will eventually diminish, leaving a bunch of corporate nation-states in its place.
When Gula and I did finally get around to the topics at hand, we spoke about everything from NSA and Anonymous to the hacking of industrial systems, Ocean’s Eleven’s electro-magnetic pinch, and the Syrian Electronic Army.
Motherboard: How rampant is hacking, whether it be business vs. business, or state vs. state actors?
Ron Gula: Extremely rampant. The evidence is in all of these numbers stating there is more malware out there than ever before. It’s not all NSA, it’s not all China, it’s not some kid in Russia—it’s the full spectrum. There are articles out there about neighbors hacking neighbors to gain access to wifi. Everyone knows how to stalk on Facebook these days. I can download a tool to create a PDF file, mail it to you, and I could be on your computer in no time. It takes very little skill now. The only real way to stop it is to have a defense. And people are stuck in the ’90s with antiquated security technologies.
What sort of hacking might big businesses be engaged in?
Well, you’re never going to see the CEO of Coca-Cola asking someone to hack into the CEO of Pepsi-Cola’s computer. They have tens of thousands of employees; all it takes is for one or two of them to be bad. They can get corporate secrets, of course, but there are certain other things that a company can do to gain a competitive marketing advantage. Everyone is on LinkedIn these days. Well, someone could have Pepsi-classified info on their LinkedIn resume, and someone could mine that open-source intel data. That sort of stuff is going on all the time.
Are companies using worms like Stuxnet to sabotage each other’s industrial systems?
That’s very plausible, but it becomes very impractical. If you’ve ever seen a technical demo of anything more complex than a couple of computers talking to each other, you will know that the demo rarely goes well. In the real world, trying to get cyber-operations to work is really, really difficult. This concept that we’re going to break into some place, put in all of these backdoors, and somehow do all of this from a bedroom, while guys who do this for a living need a staff of 30 people and a command center—it’s just not the same thing.
So, you’re not convinced companies or states with dozens of people and command centers are seeking to sabotage industrial control systems?
I tend to believe the Director of National Intelligence, James Clapper, when he says that there are only a few people out there who could actually do this, and they don’t really have any actual interest in doing it.
Interesting. What sort of threats do you think aren’t currently being acknowledged?
Go back to Ocean’s Eleven. There is a pinch in that movie that takes out Las Vegas. It’s a directed energy weapon pretty much—an electromagnetic pulse. That’s probably a big threat factor, but nobody talks about it. It’s sabotage. Back in the ’60s there was a big blackout in the Northeast, and Nixon and his staff thought the Soviets were going up and down the power system cutting power lines.
The media really grabs on to the cyber headlines, but the reality is that there are a lot of things you can do to mess with people or businesses. The question is how much defense do you want? In order to pull these things off, you need money, training, time, and motive, and there aren’t many people out there that can pull these kind of things off.
How big is private sector intelligence gathering?
In the private sector, you can hire private investigators. That’s pretty easy to do. If you ever want to look at a company, there is a lot you can do very legally. In fact, there is a lot more done right out in the open. It’s just there for the taking. If you’re looking at a public company, you might be better off hiring a stock analyst. Every public company probably has rooms where they look at every other public company’s public records.
Palantir organizes data for NSA with algorithms and other tools. If you’re an energy or financial company, the same algorithms and tools are out there to sift through corporate data. It’s not as cool as hiring a hacker to get into another company’s systems, but the dollar spent legally is probably going to get you better data.
Tenable works with the Department of Defense, other state agencies, and a lot of Fortune 500 companies. They are well aware of the need for security and proactive about getting it. Don’t you feel that the average person deserves that level of security and privacy? Acknowledging, of course, that people are generally lazy about understanding security and privacy threats.
The NSA has a lot of bad press from getting all of this email, but Google, Verizon, AT&T, Disney, and other companies have it, and somehow we feel less bad about that. It’s easy to pick on NSA because they’re Big Brother. But, if you look at the data being collected by the local and state governments, it’s astounding.
I don’t disagree, but isn’t it a sad state of affairs when big government and business have such high levels of security, but the average person does not? Mass ignorance is exploited in this way by businesses and government.
Well, you can have this security, too. Let’s say you had your own email server, and you had full control over all of the hardware, and whatever you deployed went through enough places like Tor that you were pretty sure there wasn’t something on the other end sifting through all of that email. Well, what are you defending against? Are you defending against someone reading your email? That’s one attack. Are you a freedom fighter defending against someone figuring out who your contacts are? That is another.
Big government and business do have good security, but they also have things like bank vaults, nuclear weapons, casinos and formulas like the next Viagra to keep secret. There is nothing forcing people to use public phones and I’m impressed when I see people choose to carry a traditional cell phone or leave it home entirely, but this isn’t the society we live in. The one we live in is interconnected and if you choose to exclude yourself from it for security’s sake, you won’t be connected.
I really don’t see government or big business sitting there and trying to exploit people. I speak with people who work with NSA, Google, Facebook, Microsoft, etc, all the time. What they are doing they believe to be in the best interest of their service and the public. And for the most part, the public doesn’t really complain about security although they should.
So you would say the benefits of interconnectivity outweigh the risks?
The thing about risk is figuring out what you are trying to protect. Remember when The New York Times was DDoS’d by the Syrian Electronic Army? The credit card industry has this big thing called PCI (Payment Card Industry); it’s designed and optimized to protect our credit cards, but it says nothing about DDoS. If you take out a website, you can’t steal a credit card. You can be 100 percent risk compliant with PCI and not be optimized for denial of service. So, risk is relative.
While we’re on the subject of DDoS attacks, there is an argument that it is a form of digital or cyber-protest. Do you agree?
It absolutely is.
But, no one in government or business ever seems to acknowledge this reality.
Let’s say that you wanted to protest Hillary Clinton by DDoSing her site. You might, in fact, actually raise her profile in doing so. I was actually impressed with what the Syrian Electronic Army did with Marines.com, which is one of my clients. The SEA didn’t DDoS the Marines website, they wrote a message on the homepage. In my opinion, that’s better cyber-warfare right there, where you speak directly to the warrior. The message was almost as good as Vladimir Putin’s op-ed in The New York Times. It was something you’d read once and go, “Wow, this is awesome. I don’t want to fight these guys.”
When it comes to backdoor access to Gmail or Facebook, and a host of other internet services, many argue that this allows every other malicious individual or entity access to personal data. How would you respond to this argument?
Well, there is that, yes. But, when you hide from the government, you do create the ability to do illegal things. The question is how transparent of a society do we want to be?
Although the potential for everything to be hacked is there, and it’s good practice to assume that your communications and data have been compromised, it’s really unreasonable to assume that you are a target of everyone or that everyone has access to your system. If this were indeed true, I think there would be 100x more WikiLeaks. We’d also see things like TMZ offering scoop after scoop after scoop. It’s hard to put into numbers, but I really feel that 90% if not more of the things out there that matter are pretty secure from most attackers. But, 10% of the Internet is still a lot of data.
Another big difference between the NSA having legally protected access to Gmail and Facebook is that they are working together. They can ask questions directly to the engineers making the system. On the other hand, an organization that is hacking in gets to only see what is stored in the computers that are compromised. There is likely good data in these systems, but it isn’t as efficient as having the people that built the system tell you where the data is. In fact, Google was attacked by reportedly very sophisticated hackers from China and only a portion of Google’s systems were compromised.
But, isn’t it troubling that these government backdoors potentially expose that data to everyone?
Sure. As a culture, we haven’t had a conversation with the NSA where we ask them what they’re doing. I’ve always felt as an engineer that I don’t have any problem if someone ships a product to a foreign country, and it’s intercepted and a backdoor is installed. But, when you put a backdoor on every copy of a product, you’re weakening the entire planet at that point, and I think there should be a way to reconcile that with the need for the backdoor. There better be a really good reason to do that, and I don’t think we’ve had that sort of debate. When somebody intentionally weakens everything out there, that’s more than spying, that’s something else.
Yes, it’s irresponsible and reckless.
Well, of course, it could all be a ruse. That’s the thing with intel. [laughs]
Yeah, it’s a looking-glass world, isn’t it?
Wouldn’t it be great? Yes, we can see your dreams now, so don’t dream anymore. [laughs] All of a sudden terrorists start turning themselves in. Wouldn’t that be something?
Well, a few months back there was such information overload about the NSA leaks and Edward Snowden, that it got to a point where nothing made sense anymore, and I excused myself from writing about it for a while.
Right. The documents sure look real, but this is an agency which had designed itself to not be in the spotlight, and it’s now in the spotlight. You have to ask why.