The Network Surveillance Threat:
Government Defense Strategies
CHRISTOPHER R. WILDER, TAG CYBER
Every government knows that its ability to collect information through signals intelligence (SIGINT) has changed considerably. Where circuit-switched and satellite communications once reigned supreme in global network infrastructure, individuals and organizations now utilize IP-based networks, including the public internet, managed by service providers and mobile operators.
Such communications are now monitored through distributed collection of traffic and activity data. The means for mitigating such action cuts two ways: while one’s own government might be exposed, the same monitoring also allows defense, military, intelligence, and even civilian agencies to reduce their risk. Such best practices have typically not found their way into commercial use, but this is beginning to occur.
This article explains how government surveillance typically happens along with the most effective strategies deployed to avoid the consequences of such monitoring or surveillance. We offer a description of such a strategy at a broad level so that readers can interpret and tailor the approaches to their local situation. All methods presume that the target IP-based solutions are traversing the public internet, military networks, service provider networks, and mobile infrastructure.
It should be emphasized that significant risk has emerged for surveillance from hostile adversaries, as well as from governments and organizations performing such monitoring action routinely. Businesses, governments, and citizens are thus urged to take the time to learn how this is done—and the sections below are intended to support this objective.
2.1 MONITORING IP NETWORKS
In partnership with internet and telecommunications providers, US intelligence agencies have turned the domestic internet backbone into a collection point for the surveillance of bad actors and those who wish to harm the country. Initial collection programs focused on human-to-human communications, like email, photos, social media, encrypted messaging services, and file transfers. Today, many intelligence organizations use data obfuscation to evade detection and firewalls when exfiltrating data from adversaries and bad actor networks.
Intelligence agencies use filters, software back doors, encryption-breaking keys, and secret court orders to gather data from foreign and domestic sources. The number of connected devices and the shift from a centralized workforce to a distributed one have allowed these agencies to expand their surveillance efforts to command and control (C2) assets and machine-to-machine communications. Using obfuscation, governments have been able to exfiltrate data from adversary and bad actor networks, often completely evading firewalls and detection tools.
The result is that governments have significant capability to monitor IP networks and the devices that live on these networks. This is true across the board, including for smaller countries with less funding for military teams, which means that our national competitors and adversaries can monitor the US, with all of the threats and vulnerabilities that entails. Developing an effective monitoring program does not require significant funding, so it is considered a valuable tool for national cyber offense and defense.
2.2 OFFENSIVE MONITORING MINDSET
By taking a “live-on-the-network” approach, the US DoD/intelligence community (IC) and other intelligence agencies can be proactive to protect and control information access. The military, intelligence agencies, and operations, including those responsible for the movement of personnel, material, and C2, have a low tolerance for adversarial monitoring and the threat of disruption or interference. They are highly motivated to deter committed and aggressive adversaries. The exploitation of cyber vulnerabilities undermines DoD’s ability to operate and threatens national security and economic competitiveness.
Cryptographic-based technologies are at the core of protecting and sharing sensitive information across the government, and this has always been at the core of government avoidance of the monitoring threat. It must be understood, however, that encryption does not obfuscate the source of encrypted traffic, and high-level analysis of traffic and routing flows can be performed in the presence of encryption. Data owners and cloud providers deploy various methods and schemes to preserve the privacy of their data, but each encryption scheme has its vulnerabilities and poses a potential threat of data leakage. A holistic approach is needed to protect sensitive data, one that includes not just threat reduction but countermeasures to prevent future leaks.
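The point that encryption hides payload content but not flow metadata is easiest to see on a small data set. The following is an added illustration, not code from the article or from TAG Cyber or SecureCo. It builds a handful of constructed packet records (hypothetical addresses, sizes and timestamps; the "ciphertext" is random bytes standing in for an encrypted payload), summarizes what a passive observer on the path learns without any key (endpoints, volume, duration, packet-size pattern), and then applies size padding, one of the simplest traffic-shaping countermeasures, to show how much of the size signal it removes and at what bandwidth cost. The function and field names are the example's own assumptions.

```python
"""Flow metadata visible to a passive observer despite encryption (constructed data)."""
import os
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Packet:
    ts: float        # capture time in seconds (constructed)
    src: str         # source address as seen on the wire
    dst: str         # destination address as seen on the wire
    size: int        # bytes on the wire, including the encrypted payload
    payload: bytes   # ciphertext; the observer can never read this


def _ciphertext(n: int) -> bytes:
    """Random bytes standing in for an encrypted payload of n bytes."""
    return os.urandom(n)


# Two constructed "encrypted" sessions with distinct size and timing profiles.
# Timestamps are chosen to be exactly representable as floats.
SAMPLE_PACKETS: List[Packet] = [
    Packet(0.000, "10.0.0.5", "203.0.113.10", 120, _ciphertext(60)),
    Packet(0.125, "10.0.0.7", "198.51.100.20", 90, _ciphertext(40)),
    Packet(0.250, "10.0.0.5", "203.0.113.10", 1400, _ciphertext(1340)),
    Packet(0.500, "10.0.0.5", "203.0.113.10", 1400, _ciphertext(1340)),
    Packet(0.750, "10.0.0.5", "203.0.113.10", 300, _ciphertext(240)),
    Packet(1.125, "10.0.0.7", "198.51.100.20", 90, _ciphertext(40)),
    Packet(2.125, "10.0.0.7", "198.51.100.20", 90, _ciphertext(40)),
]

FlowKey = Tuple[str, str]


@dataclass
class FlowSummary:
    """Everything below is derived from headers and timing only, never from payload."""
    packets: int = 0
    bytes: int = 0
    first_ts: float = 0.0
    last_ts: float = 0.0
    sizes: List[int] = field(default_factory=list)

    @property
    def duration(self) -> float:
        return self.last_ts - self.first_ts


def summarize_flows(packets: List[Packet]) -> Dict[FlowKey, FlowSummary]:
    """Group packets by (src, dst) and record volume, timing and size sequence.

    Note that p.payload is never touched: the observer needs no key for any of this.
    """
    flows: Dict[FlowKey, FlowSummary] = {}
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        key = (p.src, p.dst)
        summary = flows.setdefault(key, FlowSummary(first_ts=p.ts, last_ts=p.ts))
        summary.packets += 1
        summary.bytes += p.size
        summary.last_ts = p.ts
        summary.sizes.append(p.size)
    return flows


def distinct_sizes(packets: List[Packet]) -> int:
    """How many distinct wire sizes appear; fewer means less size-based leakage."""
    return len({p.size for p in packets})


def pad_to_bucket(packets: List[Packet], bucket: int = 512) -> List[Packet]:
    """Countermeasure: pad each packet up to the next multiple of `bucket` bytes.

    Padding removes fine-grained size information at the cost of extra bandwidth.
    It does not hide endpoints, packet counts or timing, which need other measures
    (cover traffic, tunnelling or routing indirection).
    """
    padded: List[Packet] = []
    for p in packets:
        new_size = -(-p.size // bucket) * bucket   # ceiling division
        filler = b"\x00" * (new_size - p.size)
        padded.append(Packet(p.ts, p.src, p.dst, new_size, p.payload + filler))
    return padded


def total_bytes(packets: List[Packet]) -> int:
    return sum(p.size for p in packets)


if __name__ == "__main__":
    for key, s in summarize_flows(SAMPLE_PACKETS).items():
        print(f"{key[0]} -> {key[1]}: {s.packets} pkts, {s.bytes} B, "
              f"{s.duration:.3f} s, sizes={s.sizes}")
    print("distinct sizes, raw:", distinct_sizes(SAMPLE_PACKETS))
    shaped = pad_to_bucket(SAMPLE_PACKETS, 512)
    print("distinct sizes, padded to 512:", distinct_sizes(shaped),
          "| overhead bytes:", total_bytes(shaped) - total_bytes(SAMPLE_PACKETS))
```

Running the script shows that both sessions are fully separable by endpoint, volume and rhythm before anyone looks at a single byte of ciphertext. Padding to 512-byte buckets collapses four distinct sizes to two, and padding to a single fixed size collapses them to one, but the packet counts, endpoints and timing survive untouched, which is why the article's holistic approach pairs encryption with obfuscation and routing measures rather than relying on encryption alone.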
Figure 2.2-1. Traffic Monitoring in the Presence of Encryption
The confidentiality and integrity of data throughout its lifecycle (i.e., create, transmit, process, and store) is critical to maintaining overall trust in government systems. Continual modernization and strengthening of current communications and data integrity must keep ahead of adversaries’ advances. The US government has begun to use advanced data deception and obfuscation techniques to ensure its personnel in the field remain uncompromised.
An effective offensive security posture requires a combination of human tradecraft, secure infrastructure policies, practices, and a strategy for responding to and mitigating risks before they happen.
2.3 SURVEILLANCE WITHIN GOVERNMENT
Government surveillance evokes the image of federal agents in the back of a van listening to people’s private phone conversations or tracking their whereabouts. More commonly, the government uses digital or physical surveillance methods to identify and track bad actors and terrorists, break up counterfeit or money laundering organizations, and expose disinformation campaigns from hundreds of miles away.
Today’s surveillance programs work to ensure real-time situational awareness when responding to public threats and collecting evidence in the event of an incident. Surveillance programs are not always nefarious, but organizations must also defend against these tactics to ensure the integrity of their sensitive information. Below are a few insights into how the intelligence community builds its surveillance programs.
2.3.1 ESTABLISH THE GOALS, METHODS, AND OBJECTIVES UP FRONT
Each initiative, system, or program must have specific goals and methods defined, whether offensive or defensive surveillance. These programs must be regularly reviewed with all stakeholders and have clearly defined goals. There is no argument that the IC indexes and stores information across all communications and internet activity that passes through a collection site. These agencies develop the insight to detect anomalous events and suspicious activity and enhance their SIGINT or open-source intelligence (OSINT) capabilities.
2.3.2 DATA COLLECTION AND STORAGE
All surveillance programs that involve data collection or transport should have clearly defined protocols for securing and transporting information to stakeholders. They must adhere to documented procedures and security controls for data collection.
2.3.3 DATA TRANSFER
Organizations should not transfer sensitive surveillance data unless it is necessary. However, if there is a need to move sensitive data, actions must adhere to agreed-upon methods such as data obfuscation, deception, sharing agreements, or smart contracts.
2.4 A FOCUSED PLAN TO DEFEND “THE FORT”
From a defense perspective, there are four strategic focuses the DoD and IC have adopted to protect themselves. The US government is going through a transformation to ensure its infrastructure, workforce, endpoints, and sensitive data are protected as they defend against adversarial cyber bad actors. The IC and DoD are following several best practices; below are just some of the approaches they are taking:
• Focus 1: Establish a Resilient Cyber Defense Posture – Build a cyber-resilient defense posture that combines human tradecraft, architecture and engineering, and the delivery of new technologies and capabilities to support current information and communication platforms.
• Focus 2: Build a Secure and Defensible Information Environment – The DoD and IC are migrating to eliminate silos and share information across IT infrastructures, services, and intelligence capabilities. Because determined nation-state hackers consistently barrage the DoD/IC, it must maintain a high level of operational awareness. The DoD/IC can increase mission effectiveness and improve cyber defense efforts by sharing information amongst various agencies.
• Focus 3: Practice Cyber Hygiene for Systems and Data Protection – Cyber hygiene exists to create a secure environment that impedes the bad actor’s ability to gain access, establish a presence, infiltrate deeper into the network, and attack or exfiltrate data. Understanding where to interrupt the intrusion to protect the data is critical to designing capabilities that harden and defend against an attack.
• Focus 4: Strengthen Data Defenses – Shoring up the confidentiality and integrity of information throughout its lifecycle (i.e., create, transmit, process, and store) is critical to maintaining end-user trust in DoD/IC systems. The use of multiple tools and technologies, including public key infrastructure, data obfuscation, and other cryptographic-based technologies, is already building a foundation for protecting and sharing information within DoD, the IC, its partners, and other agencies.
ABOUT TAG CYBER
TAG Cyber is a trusted cyber security research analyst firm, providing unbiased industry insights and recommendations to security solution providers and Fortune 100 enterprises. Founded in 2016 by Dr. Edward Amoroso, former SVP/CSO of AT&T, the company bucks the trend of pay-for-play research by offering in-depth Research as a Service (RaaS), market analysis, consulting, and personalized content based on hundreds of engagements with clients and non-clients alike—all from a former practitioner’s perspective.
SecureCo creates the most secure internet connections possible, addressing a critical gap in existing cyber security solutions. Our patented stealth technology protects networks and transmissions from interference and disruption, powering resilient data links, secure applications, and end user privacy. SecureCo offers a next generation replacement or augmentation for legacy VPNs while extending zero trust principles to data transport, cloaking data exchange, services, and assets to reduce network attack surface and targetability. Trusted by some of the most demanding cyber security customers in the world, we deliver high performance, exceptionally secure data transit for military, intelligence, industrial and commercial applications.
IMPORTANT INFORMATION ABOUT THIS DOCUMENT
Contributor: Christopher R. Wilder
Publisher: TAG Cyber LLC (“TAG Cyber”), 45 Broadway, Suite 1250, New York, NY 10006.
Inquiries: Please contact Lester Goodman, (email@example.com), if you’d like to discuss this report. We will respond promptly.
Citations: This paper can be cited by accredited press and analysts but must be cited in context, displaying the author’s name, author’s title, and “TAG Cyber”. Non-press and nonanalysts must receive prior written permission from TAG Cyber for any citations.
Disclosures: This paper was commissioned by SecureCo Inc. TAG Cyber provides research, analysis, and advisory services to many cybersecurity firms mentioned in this paper. No employees at the firm hold any equity positions with any companies cited in this document.
Disclaimer: The information presented in this document is for informational purposes only and may contain technical inaccuracies, omissions, and typographical errors.
TAG Cyber disclaims all warranties as to the accuracy, completeness, or adequacy of such information and shall have no liability for errors, omissions, or inadequacies in such information. This document consists of the opinions of TAG Cyber’s analysts and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. TAG Cyber may provide forecasts and forward-looking statements as directional indicators and not as precise predictions of future events. While our forecasts and forward-looking statements represent our current judgment and opinion on what the future holds, they are subject to risks and uncertainties that could cause actual results to differ materially. You are cautioned not to place undue reliance on these forecasts and forward-looking statements, which reflect our opinions only as of the date of publication for this document. Please keep in mind that we are not obligating ourselves to revise or publicly release the results of any revision to these forecasts and forward-looking statements considering new information or future events.
Copyright © 2022 TAG Cyber LLC. This report may not be reproduced, distributed or shared without TAG Cyber’s written permission. The material in this report is composed of the opinions of the TAG Cyber analysts and is not to be interpreted as consisting of factual assertions. All warranties regarding the correctness, usefulness, accuracy or completeness of this report are disclaimed herein.
This is one article of a five part research paper from TAG Cyber on advanced stealth and obfuscation solutions designed to defend commercial networks and internet data communications against the world’s toughest adversaries. The eBook is free with registration.
Implementing the above strategic imperatives requires a significant transformation within the DoD and IC. New processes, policies, and especially data protection technologies are already helping with discrete actions, information sharing, and reducing the data silos within the DoD and IC.
Executing these next steps will require a commitment to continued and increased cooperation and collaboration across the cyber community (including intelligence, counterintelligence, and security partners); alignment of cybersecurity and defense strategies, plans, projects, and initiatives across DoD; and a DoD organizational construct that will foster the accomplishment of these objectives.
The use of technology to accomplish these objectives, including the deployment of techniques such as obfuscation and non-attribution, will help operational teams achieve the desired reduction in the risk of network monitoring and other offensive measures from an adversary.