Friday, December 19, 2008

U.S. Unprepared for Cyber Attacks

Reuters reported on the results of a two-day "cyber war game" and concluded that the U.S. still is not prepared for a significant attack.
"Billions of dollars must be spent by both government and industry to improve security, said U.S. Rep. Dutch Ruppersberger of Maryland, the Democratic chairman of the intelligence subcommittee on technical intelligence."

This is unlikely without serious legislation and government regulation (see Commentary: U.S. CEOs to Assist in Critical Infrastructure Protection? - Not Likely).

The article goes on to quote U.S. Homeland Security Secretary Michael Chertoff:
"International law and military doctrines need to be updated to deal with computer attacks, Chertoff said.

"We know that if someone shoots missiles at us, they're going to get a certain kind of response. What happens if it comes over the Internet?," he said."

U.S. not ready for cyber attack

Wednesday, December 17, 2008

U.S. Nuclear Regulatory Commission Issues New Cyber Security Rules

The U.S. Nuclear Regulatory Commission (NRC) issued a press release concerning new security requirements for nuclear power plants. The release had one line referring to increased cyber security. No other details were provided:
"Additionally, there are new sections requiring a comprehensive cyber security program at nuclear power plants..."


Tuesday, December 16, 2008

2009 Georgia Tech Cyber Threat Report

The Georgia Tech Information Security Center (GTISC) 2nd annual report on cyber threats covers five broad areas of interest:
  1. Malware
  2. Botnets
  3. Cyber warfare
  4. Threats to VoIP and mobile devices
  5. The evolving cyber crime economy
The cyber warfare section discusses the Russian-Georgian cyber conflict and the uncanny timing between online and kinetic attacks, then quotes several security commentators on the situation.

The report concludes with a discussion of the need for, and the types of, government regulation required to address these threats.

The full report is available at:
Emerging Cyber Threats Report for 2009

Sunni-Shi'ite Cyber Attacks Motivated by Religious Beliefs

The Middle East Media Research Institute (MEMRI) has published a summary of the history and religious motivation of Sunni-Shi'ite cyber attacks:
"The Sunni-Shi'ite cyberwar started in 2007 when a group of Sunni hackers calling itself "XP Group" threatened to attack all Shi'ite websites on the Internet, and proceeded to hack some 120 Shi'ite sites."

Sunni groups escalated the cyber confrontation in 2008, adding the religious motivation behind the attacks:
"Among them were two groups called Shabab Al-Salafiyin and Al-Ayyoubiyoun. The latter declared on various forums that the war against Shi'ite sites was a form of jihad that brought one closer to Allah."

The article concludes with quotes from Egyptian columnist Diana Muqallid:
"Battles between Sunni and Shi'ite sites are being waged [on the Internet], with each side virtually killing and harming the other by targeting the websites of religious figures, political leaders, and media outlets... In our lifetimes, [we have seen] journalists murdered, incarcerated, tortured and exiled. Media outlets have been closed in our region or placed under supervision, [and their premises] have been burned down. Electronic attacks convey the very same sentiment of wanting to negate the other..."

Recent Rise in Sunni–Shi'ite Tension (Part I): Sunni – Shi'ite Hacker War on the Internet

View of Cyber Terrorism from Taipei

The Taipei Times ran an editorial (by a US author) on the growing threat of cyber-terrorism. Unfortunately, for the most part it simply rehashed recent international cyber events such as the Russian-Georgia-Estonia conflict. However, the article's summary did make several good points:
"Governments can hope to deter cyber attacks just as they deter nuclear or other armed attacks. But deterrence requires a credible threat of response against an attacker. And that becomes much more difficult in a world where governments find it hard to tell where cyber attacks come from, whether from a hostile state or a group of criminals masking as a foreign government.

"While an international legal code that defines cyber attacks more clearly, together with cooperation on preventive measures, can help, such arms-control solutions are not likely to be sufficient. Nor will defensive measures like constructing electronic firewalls and creating redundancies in sensitive systems.

"Given the enormous uncertainties involved, the new cyber dimensions of security must be high on every government’s agenda."

Modern society faces growing cyber-terror threat

Monday, December 15, 2008

Commentary: U.S. CEOs to Assist in Critical Infrastructure Protection? - Not Likely

Coverage and analysis of the report "Securing Cyberspace for the 44th Presidency" released by the Center for Strategic and International Studies continues.

A recent article from NetworkWorld discusses the recommendation to create a C-level panel of advisers called The President’s Committee for Secure Cyberspace. This panel would represent four key industries: energy, finance, information technology/communications and government.
"The four industries were chosen for the committee because they “form the backbone of cyberspace. … Keep these sectors running and cyberspace will continue to deliver services in a crisis. Bring them down, and all other sectors will be damaged.”"

There will be no problem getting CEOs to sit on a highly visible presidential committee where they can be seen to be doing something for little or no cost. However, expecting for-profit corporations to voluntarily make costly security changes and investments, especially during an economic downturn, is wishful thinking at best. It will never happen. Remember, these are the same CEOs that require extensive ROIs for the most mundane security investment.

Therefore, the report also recommends new regulatory powers to force security changes:
"The report also seeks new regulations with the teeth to enforce standards that would establish a more secure infrastructure."

The article discusses several possible forms these regulations could take. Unfortunately, if past behavior provides any insight into future behavior, these regulations will either be passed with little forethought or, if there is open discussion and debate, be significantly weakened via lobbying when corporations realize the cost of compliance.

Top execs would roll up sleeves to fight cyber war, according to think tank study

Friday, December 12, 2008

Greenpeace Reports Computer Compromises Allow Environmental Damage in Brazil

Greenpeace has just released a story concerning a major investigation in Brazil in which computers that control the logging and exporting of timber in the Amazon rain forest have been compromised to allow logging companies to exceed their timber quotas:
"Police started investigating the suspect hackers in April 2007, swooping a couple of months later to arrest 30 ring leaders. One is still in jail - the intermediary who brought the hackers and the loggers together - and in total, 202 people are facing prosecution."
Greenpeace is highlighting this activity in advance of a vote by the Brazilian congress allowing greater legal logging of timber:
"If this scandal weren't bad enough, it comes as the Brazilian national congress prepares to vote on a change to the country's forest code which could massively increase the amount of legal logging that will be allowed"

Hackers help destroy the Amazon rainforest

Wednesday, December 10, 2008

Calls to Define Cyberwar

One of the critical points made in the recently released report from the Commission on Cybersecurity for the 44th President was the need to actually define what is and is not cyber war.
"The U.S. military, meanwhile, lacks a formal doctrine on offensive military operations in cyberspace, although the Bush administration is "racing" to finalize such a policy before it leaves office, says one person familiar with the White House's work on the issue."
It is always concerning when we see a government body "racing" to do anything, and this issue is too important to be done in a haphazard fashion.

However, the report does define three important questions that need to be answered sooner rather than later:

"There are three central issues with which the international legal community must grapple as the debate continues, says James Lewis, the project director of the Commission on Cybersecurity of the 44th Presidency, which issued its report this week. Each country might have different answers, but the questions will be universal.

  • "At what point does a cyberattack constitute an act of war or a violation severe enough to justify a response?
  • "How do we protect the civil liberties of the Internet-using public while improving security?
  • "Which legal authorities will assume responsibility for investigating a cyberattack—the intelligence community, the military, or law enforcement?"
Answering these questions, combined with the creation of Rules of Engagement for Cyber Warfare and better investigative capabilities to determine actual source and motive, would be excellent first steps in gaining some measure of control over the situation.

When Do Online Attacks Cross the Line Into Cyberwar?

Monday, December 08, 2008

China to Require Disclosure of Security

The Chinese government is moving forward with plans to require companies operating in China to obtain approval before using any type of security technology. The rules are scheduled to take effect May 1, 2009 and have resulted in pressure from the U.S. government to scrap the requirement.
"Giving [Chinese] regulators the power to reject foreign technologies could help to promote sales of Chinese alternatives. But that might disrupt foreign manufacturing, research or data processing in if companies have to switch technologies or move operations to other countries to avoid the controls. Requiring disclosure of technical details also might help Beijing read encrypted e-mail or create competing products."

China irks US with computer security review rules

Thursday, December 04, 2008

Myopic Focus on Technology Creates "Achilles' Heel" in Military Cyber Security

One of the greatest failures of both commercial and governmental IT security programs is their tactical and myopic focus on technology at the expense of the larger issues in understanding and mitigating cyber threats. These include organizational, process and people issues.

This dysfunctional situation was noted during a keynote address by the U.S. Air Force's chief information officer, Lt. Gen. Michael Peterson:

"This is our Achilles' heel," he said. "It's not about a denial-of-service attack; it's about the information on the network -- ensuring it's accurate, protected, and available. [But] we're still fighting over what patch to put on."

Lt. General Peterson also tried to put military cyber attacks in a more strategic perspective:

"Despite Russia's cyberwarfare tactics against Estonia and Georgia, Peterson said an all-out cyberwar won't happen; instead, cyberattacks will become one of many combat strategies used by adversaries to bring government to its knees.

"It won't be a pure fight," he said. "It will incorporate all domains … The battle is ongoing and these guys are very good."

Air Force CIO says cybersecurity federal "Achilles' heel"

U.S. Military Officials Look to Obama Administration for Better Cyber Security

An article reports that cyber attacks against U.S. military systems are not only growing in number but are also being targeted at specific information or individuals.

The article also claims that U.S. military officials want the new Administration to give a higher priority to cyber security:
"U.S. commanders are hoping president-elect Obama, the most computer literate presidents ever, will provide more support for Cyber War efforts, both defensive and offensive."

Pentagon Pounding Persists

Australian Prime Minister Sees National Cyber Threat

Prime Minister Kevin Rudd commented in Australia's National Security Statement that technological dependence and cyber threats from "hackers, ...commercial entities and foreign states" place Australia's information infrastructure at risk. Prime Minister Rudd stated:
"The irony of technology today is that, while on the one hand we are seeking to invest in sophisticated information, intelligence and military technology, on the other, we have to protect ourselves from the extreme use of basic, readily available technology and hardware by terrorist groups."

Hacker threat: Rudd promises action

Wednesday, December 03, 2008

Media Coverage of Cyber Attacks on U.S. Military Systems in Afghanistan

There have been several sketchy news articles on attacks against unclassified U.S. military systems in Afghanistan resulting in the banning of removable media by the U.S. Army's Strategic Command.

This article summarizes a variety of other media coverage. Once again, China is alleged to be the source of the attacks with little or no data related to the true motive or source of the attacks:
"According to the same source, there is still no indication whether the Chinese hackers were sponsored by the government in Beijing or if they were working independently. This seems to be a recurring question that never gets its answer, even though it is not the first time that attacks on U.S. government systems originate in China."

Cyber-Attack Cripples Critical U.S. Military Networks