Soloway had garnered vast government experience over the course of his career, including building federal government IT systems from top to bottom. He prided himself on building systems, as he would say, “from a hole in the ground to a fully-functioning operation, with everything in between,” meaning the cables and wiring, cabinets of switches and routers, computers, servers, work stations, printers, IP addressing and domains. This background was why he could quickly determine what might be vulnerable to cyber-attack. As soon as he opened his mouth, it was immediately evident from his knowledge and enthusiasm that he knew what he was talking about, although he had a tendency to diverge onto tangents.
Brendan had evidently notified DCA’s Intelligence Director Loretta, who also showed up long before her regular 7:30 am arrival. Parovsky rolled his eyes to no one in particular when he saw her, wishing he had told Brendan to keep this matter under wraps. Loretta simply rubbed him the wrong way, so Parovsky would have preferred waiting for her to come in at her regular time—if at all, but here she was. But considering they had what appeared to be a major anomaly event underway, he had to admit to himself, having another experienced brain contributing ideas probably wasn’t a bad thing. After hearing a quick situation update, Loretta, eager to assist, headed to her work area to see what intelligence she could pick up.
Loretta had come over from the CIA during the initial scurrying to set up the new cyber agency, and never left. She had gone from being one of many in a department at the CIA to head of DCA’s Intel Department, and it had gone to her head. She refused to be subordinate to people she didn’t see as being of the appropriate level. She was so fixated on her status on the agency’s organization chart that she started off her professional resume by writing that she reported to DCA’s CISO, rather than stating her job title or describing her responsibilities. While Loretta was part of the team that Parovsky led, she did not consider herself accountable to it, making the team’s hierarchy dysfunctional. What pissed off Parovsky was that DCA’s CISO gave him assurances along the lines of “yea, I need to take care of this....” without ever doing anything.
The three CIRT members roused from their beds were soon joined by Ted, another member of the team. Ted hadn’t been called to the office but was one of those really early risers, always at the office by 5:00 am, if not earlier. He always said that he didn’t mind waking up really early, which had benefits like beating the morning traffic and enjoying the quiet at the office to drink a cup of coffee in peace before most of his coworkers had even risen from bed.
He was about fifty years old with salt and pepper hair that he wore pulled back in a tight ponytail. After college, Ted had served as a junior officer in the U.S. Army Signals Corps and had remained in the IT field ever since; with all his experience Ted was about as knowledgeable as they come. He wasn’t a whiz kid like Brendan, but this unassuming guy knew his stuff. Contrary to Brendan’s at-times excessive enthusiasm, Ted was very laid back and easy-going, which, along with the ponytail, Parovsky found surprising for a West Point Military Academy graduate. While he enjoyed his IT work, Ted’s true passion was tinkering with vintage cars which he would buy, fix up and take to car shows throughout the Mid-Atlantic region and beyond, dressed in period costumes.
Parovsky appreciated Ted’s knowledge and cool temperament, not to mention his entertaining stories from West Point and subsequent military service, like the one about Italian tailors fitting parade uniforms on his very first day as a cadet at the Academy. “They gave me a pair of pants that were too big. When I objected, the tailor said, ‘You’ll a-gain a-weight!’” Ted laid on his best old-country Italian accent when he recounted the story, reveling in the attention. “And the jacket was too tight. When I objected, the tailor said, ‘You’ll a-lose a-weight!’”
These animated recollections were a departure from Ted’s slow, soft speech that made him come across as rather dry. DCA once made the mistake of sending him to speak at an IT conference, which proved disastrous. The conference organizer reported that an attendee survey gave him the lowest ranking ever received by a speaker! If he talked too much, Parovsky thought, he was capable of boring someone to death!
Parovsky called together the team, which consisted of some serious brain processing power. He didn’t need to tell anyone what to do; they all knew their jobs and could easily note how critical this situation was based on the colored clues and from the real data appearing on a 50-inch monitor Layla had configured to display State Department network information. They were all standing around the SIC, with Layla and the two interns feeling extraneous in the face of the heavy guns now on scene to fight this cyber battle.
Loretta reported that intelligence gathering resources had spotted chatroom traffic talking about “teaching Washington a lesson...” and a cryptic post from the time the trouble started that morning that read, “Tora, Tora, Tora.” Without being asked, one of the interns ran a quick Google search and reported it refers to the Jewish five books of Moses, causing a chuckle in the room from those old enough to know it was a Japanese code word associated with the attack on Pearl Harbor and a movie about the attack.
“Such a massive amount of network traffic has to be coming from a malicious source,” Layla ventured to say to the group.
“No question this is malicious,” Parovsky agreed. He was sipping a cup of plain coffee from the drip percolator coffee machine in a break room off the SIC. It wasn’t Starbucks but at least it wasn’t instant coffee, which he hated.
“Seems State is under a DDOS attack,” confirming Layla’s earlier assessment. Layla’s confidence was bolstered. She caught the eyes of the two interns, smiled and nodded, as if to say, See, I was right.
“This definitely reflects major anomalies,” Parovsky said before turning to Layla with a reassuring, “Good thing you called.” He looked her over for the first time, noticing that she was actually quite sexy in the tight top she wore.
With that, she felt a great sense of relief, taking it as a compliment. It was then that she realized she was perspiring. The attack was now someone else’s problem, although the CIRT kept coming back with questions for her about how it began. She was very much the focus of attention that morning—just what she dreaded.
The Cyber Incident Response Team was congregated in the Security Intelligence Center, watching the attack develop on the flat screen monitors on the wall and on desktop monitors. The special recessed lighting lit up the place but without glare on the many screens in the room. With no windows and a hum of activity around the clock, day and night were indistinguishable.
“State’s on the line.”
Parovsky looked up, seeing one of the interns holding a phone receiver in his hand, stretching the coiled cord nearly to its limits. He hadn’t noticed the phone ringing.
“What do they want from us? We’re working the problem,” he said out loud.
“They want to know what is going on, and when the site will be fully functional again, sir.”
“Who is it on the line?” Without waiting for an answer, he continued. “Like I said, tell them we’re working the problem, which appears to be a denial of service attack that’s exhausting their server’s resources.”
There was often tension between DCA and the CISOs and IT departments of the government agencies, who were sore at having their authority eviscerated by the establishment of DCA. The irony was that each federal agency was responsible for its own system, with DCA coming in as fire fighters and problem solvers in the event of an attack. No matter how sophisticated the attack, DCA was unrealistically expected to immediately, if not magically, solve the problem and make it go away. That’s what they did, but it required time.
So State’s CISO found himself in the awkward situation of being the one called upon for answers by his own organization, yet at the mercy of DCA, which was responding to and handling the attack. It was a horrible situation in which to find oneself: helpless. State’s critical IT applications like email, web sites and VOIP were brought down by the attack, but all their CISO could do was field complaints and shrug helplessly to his management’s exhortations that he get their website back online.
DCA felt the agency IT folks interfered with their work and sometimes conveyed a condescending attitude of “we know better than you...”. Irony was that attacks made the DCA look bad, so they had internal pressure to end the attack. Agencies might escalate, like going to the Secretary of State. If it were the Department of Agriculture, for example, no one would care about avian influenza or nutrition, but the Department of State is high profile, so DCA had to walk a fine line.
DCA held the upper hand and could be antagonistic; at least that’s how some of the federal agencies perceived them. It always infuriated agency CISOs when DCA wanted to let an attack continue in order to learn from it, while the agencies felt that DCA should be answerable to them.
The intern held the phone, which seemed to have gone quiet. “Hello?” he asked, and then after a few more seconds, again. From the reaction, Parovsky could see the conversation had come back to life.
“He says the problem needs to be solved quickly, before the Secretary gets involved.”
Turning to the core crisis response team known as a “Tiger Team,” Parovsky said, “I don’t believe him.” Part of this was showmanship, and some the enjoyment of power. “He’s just trying to scare us.”
Parovsky turned his attention back to the boy holding the phone. “Ask them if they’re willing to risk a mass release of American passport holders’ personal data onto the web? Or confidential internal emails, or secret policy documents accessed or—worse yet—posted online. Ask them that! Because until we know for sure there are no hidden exploits just waiting to exfiltrate this data, then we need them to stop bothering us.”
The young intern’s face, with the beginnings of a beard after his night and now morning at DCA, went pale. “Could you repeat that please?” he asked politely.
Realizing this kid couldn’t be expected to tell off State’s CISO, Parovsky had to end the public drama and take the call.
He walked over to the phone extension and took the handset from the intern.
“Parovsky here. Listen. It looks like you are under attack by one or more hackers and that it’s going to take some time to deal with this.” Parovsky nodded his head up and down as the voice on the other end of the line spoke. Anyone standing near the intern could hear the excited voice yelling through the telephone’s handset.
“No. I’m afraid you should not expect to regain normal service soon.”
Delivering another blow to his already wounded prey, Parovsky added, “Once we get a better grasp of all this, we may need to release a formal statement regarding the downtime.”
He held the telephone away from his ear dramatically, and all could hear the screaming.
“We need to make this public, rather than waiting for it to show up on hacker forums.”
“Are you out of your mind?!” State’s CISO could be heard yelling. “If it gets out that we’ve been attacked, if the attackers damage you somehow, it means you’re weak, vulnerable, and everyone will know it. It will encourage others.”
Parovsky responded, “We must remain one step ahead of the attackers,” meaning by going public rather than giving the attacker a PR victory. “But let us do our jobs first. We need to figure out where this is coming from, who’s behind it and how to stop it.”
It was already late morning, and Layla was wondering how long she needed to stick around now that her shift was long over and the cavalry had arrived. Since the incident began on her shift, she felt obligated to stick around until the situation was stabilized, or until it was clear she was no longer needed—as if she were somehow responsible for the attack. Much earlier, she had called her husband to get the kids up and off to school. She would much rather have been home far from the limelight. She was an introvert, which is why the night shift suited her; Layla simply did not feel comfortable around so many people.
Analysts had long since arrived and populated the SIC’s empty desks; the center came to life with its regular menu of activities while Parovsky’s Tiger Team addressed the State Department attack.
From impromptu discussions standing around in the SIC looking at the status screens, Parovsky and the team moved into the conference room, whose glass wall looked into the SIC and allowed visibility of the flat screen monitors configured on the wall while offering a table and chairs, better lighting and best of all, quiet. They took their seats around the large dark-stained wooden conference table in sleek black leather chairs that squeaked whenever someone moved.
Using colored markers, Brendan Soloway began mapping out the Department of State’s IT set-up on a 3’x5’ white board mounted on the wall, biting his fingernails as he spoke. Not even noticing, he stopped talking at one point while he gnawed on a nail until there was nothing left to bite, and then continued speaking. Parovsky half sat on the table by the corner closest to the white board, taking it all in.
Layla was asked to detail once again exactly what had transpired. As she stood there before the group in her flip-flops, tight jeans and a spandex spaghetti-string tank top that was a tad too short, revealing some of her midriff, she regretted being dressed the way she was. She could feel the gazes and wished she could shrink and disappear. Loretta looked her up and down with critical eyes and thought her unprofessional. Parovsky also took notice of her, feeling a stirring in his groin as he looked her over and took in her exposed smooth shoulders, the tight tank top and her painted toe nails, and was thinking how he would like to bend her over the table and have his way with her at that very moment.
“What about the standard culprits?” Ted asked, bringing Parovsky’s attention back to the matter at hand. This was more a matter of curiosity than a true concern of the Tiger Team, whose focus needed to be on solutions rather than who was behind it.
“We’re looking for unusual activity from the Chinese Army’s computing branch, and of course North Korea’s Reconnaissance General Bureau’s Unit 121,” Loretta answered. Sensors situated throughout the web and intelligence assets provided decent clarity on Chinese and North Korean actions. Knowing an attack was coming from one of these actors shed insights into capabilities versus an attack from a rogue group.
“Are we expecting a graduating class of cyber warriors in Red China carrying out their final projects?” Parovsky asked.
“Negative,” Loretta answered. The U.S. Government was guaranteed a wave of attacks at a specific time each year, when the Chinese government instructor assigned his students targets in the United States.
Parovsky nodded his head, showing he was pleased that all the bases were being covered.
“What about the Russians?” he asked.
“Actually a lot of activity on their end,” Loretta stated. “Both offensive and defensive. They’ve been aggressive in Estonia, but also seem to be on the defensive, with very heavy traffic patterns hitting them.”
“Keep your eyes on it,” Parovsky directed. “Thanks.” Then he asked, “What about the server logs?”
“State’s bandwidth is not completely saturated yet,” Ted answered.
“What other support can we call upon to keep the site up and running, despite it all?”
Brendan could always be relied on for solutions. “I’m an engineer,” he would explain matter-of-factly. “I solve problems.” And this was no exception. He recommended getting State hardware that would continuously monitor their traffic, responding to legitimate packets while detecting and dropping suspect packets, exploits and protocol anomalies. In the meantime, a scrubber service would accomplish this same goal.
After a break when the CIRT team sought out more information, they reconvened in the conference room. Loretta reported that Estonian sources were claiming responsibility for the attack. Her straight shoulder-length hair was prematurely gray, or maybe she was against hair-dyeing, and she had eyes that shifted repeatedly, like someone watching a tennis match without moving her head. She was passionate when she spoke, her face becoming animated and her hands moving in all directions. Though he didn’t like her, Parovsky had to admit that Loretta always presented materials in a clear, articulate and understandable manner. When she spoke, Parovsky found himself distracted by her constant hand movements, and had to remind himself to focus on her words. He could never identify the precise origins of her Southern twang, but never cared enough to ask.
Loretta knew her stuff and was good at managing the network of what amounted to internet spies, whose personalities and activities had to be carefully orchestrated. Like someone suffering from multiple personality disorder, on the web Loretta and her team could be any number of people. With inclinations that the attack on State was originating in Estonia, today she was masquerading as a male Russian hacker named Vladimir on hacker chat rooms, where she had built up a trusted network of “friends” and acquaintances who could vouch for Vladimir’s credibility. Creating such profiles began with seemingly innocuous social media connections to others in the hacker community, when people automatically accept friend or other connection requests without truly knowing the person, and would grow from there.
Shift Delete Page 9