Facebook’s former top security officer says military and commercial cyber defense should be united

Max Kelly, the former chief security officer at Facebook, said in a speech today at the Defcon conference that the military and commercial defense against cyber attacks should be unified.

Right now, there isn’t a common doctrine in the military on how to fight a cyber war. As far as Kelly can tell, there are dozens of potential military strategies. Under the Obama administration, a newly created Cyber Command is working on a common doctrine on how to fight. (See our roundup of all Black Hat and Defcon stories).

During a cyber war, Kelly believes there won’t be an apocalyptic event that takes down the entire internet and all networks, mainly because each of the parties in a cyber war has a vested interest in keeping the network — or at least the network they use — up and running. Any attacks might be locally focused on bringing down a particular power plant, for instance, as part of a larger hot war.

While Kelly is a civilian, he previously worked at the FBI, and at Facebook he had to deal with attacks against Facebook’s network all the time. He dealt with the primary attackers and the attacks they perpetrated, but didn’t have the time to focus on all of the possible threats out there nor the vulnerabilities underlying the threats. He prepared as much as possible to deal with vulnerabilities. But he suggested that organizations attack the attackers “with everything you can,” using legal avenues. This was a so-called counterinsurgency strategy.

Facebook’s own terms of service allowed it to look at the private details of anyone who was suspected of launching an attack from a Facebook user account. The company would go to public sources to find the person and then serve them with legal papers or bring them to the attention of law enforcement.

“You’d be surprised at how quickly spam will drop off if you get $800 million judgments against them,” he said, referencing Facebook’s efforts to shut down spammers.

Kelly believes this counterinsurgency strategy will work for the military as well. The military’s big problem right now is “attribution,” which means identifying someone who launches an attack in cyberspace. If a 15-year-old kid in China attacks the U.S. with cyber weapons, does the U.S. declare war on China? Probably not. But if the military creates perfect attribution tools that can identify attackers, then the military will likely have the problem of seeing those tools used against it as well. Yesterday, at the Black Hat security conference (a sister conference to Defcon, also in Las Vegas this week), former national security director Michael Hayden said there were active discussions about what to do about attribution.

“I am saying initially don’t worry about the attribution,” he said. “Worry about the attack. Mitigate it. Then close off the behavior for attack.”

Once the military comes up with its cyber war doctrine, that doctrine should lead to a unified defense. And commercial entities at some level should be brought into that unified defense.

“Commercial entities and the military are dealing with the same problem,”  he said. “They should both understand their roles in the larger picture. There isn’t enough information shared.”

Facebook, for instance, has a wealth of experience in dealing with attackers, considering it has 500 million users to protect. The good thing is that users self-police the system and alert Facebook when attacks are happening.

After five years at Facebook, Kelly decided to leave the company three weeks ago. It was a tough environment to work in, he said. One of the tough problems at Facebook is that it’s very easy to put malicious code into user-generated content. People share photos and links, and it’s very easy to embed viruses and other bad code into the shared content. The problem for the attackers is that they are easily identified and can have their accounts deleted quickly. Kelly said there was one attacker who went to elaborate lengths to hide his identity; Facebook tracked leads to Europe and then to Canada before locating him.

Kelly mentioned there were systems at Facebook for detecting bad actors. Facebook will detect someone sending lots of messages to friends, particularly bad messages with malicious code. Facebook deletes those malicious messages from the entire system. The company blocks the links that it already knows about, but there are plenty of bad links the company didn’t know about and had to jump on. One frequent type of attack is to capture a person’s password and then expose their private content. Quite often, however, Kelly said that the problem in the release of private information is that users fail to properly set their privacy settings.

The good thing is that bad apps — those with malware — tend to not propagate through the system fast. If developers post malware apps on Facebook, the company can review the apps, delete them, and shut down the developer. Often the bad apps tried to pull email addresses, because they were verified as authentic.