Guide Meridian Preaches Cyberwarfare In Manila
On a hot Thursday afternoon at the Dusit Thani Hotel, a landmark towering above Metro Manila’s traffic-clogged EDSA highway, ex-FBI agent Stephen Cutler explained the finer points of data breaches. The occasion was a mini-conference obviously titled Dealing With Deadly Data Breaches: Making your business Strong and Profitable in the face of cyber attacks, a real mouthful.
Held on April 21, Dealing With Deadly Data Breaches is the first of a conference series organized by Guide Meridian, a cyber consultancy that helps clients protect their data.
A cyber event isn’t out of the ordinary in the Philippines. Its citizens love their smartphones and social media while bemoaning dismal broadband speeds. Meanwhile, billion-dollar multinationals are moving in to access the local market and cheap labor. So cyber stuff is a big deal for the 12th most populous country on Earth.
But Cutler, who has a PhD in Criminology, lent a martial cast to his presentation and even went as far as mentioning D-Day 1944.
“Think about how the Germans defended the Normandy beaches,” he told his audience. “There are a lot of lessons there for cyber.”
Cutler’s remarks appealed to the majority of the audience in the ballroom who were from the Armed Forces of the Philippines (AFP) and the police. Representatives of neighboring militaries were in attendance.
“Our minds are set in the Westphalian system,” Cutler declared, citing the European balance of power that emerged after the 30 Years’ War. “In order to destroy the nations today we do not need an armed attack.”
Going on sage mode, Cutler then invoked Sun Tzu. “If you know your enemy and know yourself you will never fear the outcome of a hundred battles.” It was a quote he dropped throughout his two speaking sessions.
Estonia and the Kill Chain
Cutler’s liberal use of military jargon drove home the fact that data breaches aren’t any different from today’s cyberwarfare. He even cited the Russian aggression against Estonia in 2007, whose goal, in his words, was to “bring them [Estonia] to their knees” with crippling DDoS.
The Philippines is no stranger to the vagaries of cyber threats. At the turn of the century a computer science student triggered an international panic with the I Love You virus. This year hackers mined the Commission on Elections (Comelec) database a month before presidential elections and leaked the personal data of 55 million voters.
While the Comelec breach grabbed headlines, a local bank was used by hackers from China to launder money stolen from Bangladesh. Given the frequency of attacks on Philippine government websites, it’s obvious these present soft targets for hacktivists.
But isn’t there a difference between nation-states undermining each other, e.g. Stuxnet, and events Cutler cited like the infamous Sony email hack and the Target Christmas breach?
It appears not. Cutler himself was perplexed, asking his audience, “What constitutes an act of war in the cyber world?”
And, “What is a civilian computer and a military computer in a border-less world? In the US we’re still wrestling with the difference.”
This echoes the words of Sir Bernard Hogan-Howe, who described the web as an “anarchic” haven for criminals and terrorists. Or former US General and National Security Agency (NSA) boss Keith Alexander, who warned “the cost to our nation could be measured in the trillions.” It’s a dire scenario even Edward Snowden believes in.
Whether we like it or not, allowing the Internet to take over our lives is fueling the whole cyberwarfare agenda and government spending on inevitable cyber weapons.
So it wasn’t a surprise when, back in the Philippines, Cutler posed somewhat grave rhetorical questions like: “What is the cyber equivalent of a nuclear attack on the Philippines?”
The For Dummies Part
Cutler did explain a few simple strategies for mitigating this new type of sabotage by code. One example was the Seven-Stage Kill Chain.
It’s an approach to understanding cyber attacks as a battalion-level engagement. Cutler broke it down into Recon, Weaponize, Deliver, Exploit, Install, Command and Control, and then Action.
There. Seven steps. That’s how you attack an unwitting small business.
Then the most common types of attacks to watch out for, according to Cutler, were:
- Targeted Spear Phishing
- Lost Devices
- Lack of Encryption
- Cracking Passwords
Easy peasy! (Not to forget OWASP has its own dazzling encyclopedia on cyber mischief.)
Cutler spoke about old school deterrence during the latter half of the conference. The point was to show that the good guys (victims of cyber attacks) can still win.
To deter hackers, Cutler believes it’s best to act like the Pentagon with its disdain for thumb drives. A fitting comparison since the types who attend cyber conferences these days are in uniform. Just as useful are enforcing “Need to Know” protocols, limited download rights, documenting access, proper handling of documentation (paper and digital), and caring about data.
It’s obvious this strategy is about compartmentalizing an office. As helpful as it appears, it doesn’t cover the impulses of a leaker with ethical misgivings about their work or how to overcome social engineering.
To further strengthen the ramparts, because even the Nazis couldn’t hold the Normandy beaches no matter how much they prepared, Cutler suggested multi-level authentication, limiting users, and encryption, encryption, encryption.
The price of letting these matters slide, as Cutler reminded everyone again and again, was Sony and Target redux.
Lest his audience become too dispirited, Cutler tried to cheer them up a bit. Organizations have all the time in the world to prepare for a crisis. Even when the shit hits the fan, Cutler said, “The sun will rise tomorrow.”