Showing posts with label critical infrastructure. Show all posts

Tuesday, April 06, 2010

Fine Line between Criminal Activity and National Security

NPR ran a lengthy report on cyber war centered around last month's congressional testimony by the Director of National Intelligence Dennis Blair citing cyber attacks as a top threat to U.S. security.

One important factor noted in the broadcast is the fine line between criminal activity and national security threats. The difference is not so much technique as motive:
"The difference between cybercrime, cyber-espionage, and cyberwar is a couple of keystrokes," says [Richard] Clarke [former Presidential cyber security adviser]. "The same technique that gets you in to steal money, patented blueprint information or chemical formulas is the same technique that a nation-state would use to get in and destroy things."

Cyber Insecurity: U.S. Struggles To Confront Threat

Thursday, February 25, 2010

In a Cyberwar, US Would Lose

The U.S. Senate heard testimony from "industry experts" warning of catastrophic consequences from cyber war attacks - including pronouncements that the "government faces the prospect of losing in an all-out cyberwar".

As part of the debate of the Cyber Security Act of 2009, Senators were told the status quo is not acceptable:
We are "...under attack every day, losing every day vital secrets. We can not wait," [James Lewis, Center for Strategic and International Studies] said. "We need a new framework for cybersecurity and this bill helps provide that."
Lewis went on to add that "...[t]he cyberattack is mainly espionage, some crime".

There is no doubt that the U.S. and most other developed countries are at high risk from significant cyber attacks, as demonstrated almost daily by intrusions into military, government, commercial and non-profit organizations. However, it is interesting that many of the companies that would benefit the most from the funding to "fix" the problem are the ones ringing the congressional alarm bells the loudest.

Experts warn of catastrophe from cyberattacks

Wednesday, October 07, 2009

International Telecommunications Union (ITU) Focus on Cybersecurity

ITU has announced a partnership with the International Multilateral Partnership against Cyber Threats (IMPACT) to increase international cooperation.
"IMPACT... set up its Global Response Centre (GRC) in Cyberjaya, Malaysia, earlier this year as the international community’s foremost cyberthreat resource, to proactively track and defend against cyberthreats."
The ITU Secretary-General spoke at the ITU Telecom World 2009 on the need for better coordination:
"ITU Secretary-General Dr Hamadoun Touré stressed the importance of cyberpeace, where nations collaborate in a global cybersecurity framework based on enlightened self-interest. "Every country is now critically dependent on technology for commerce, finance, healthcare, emergency services, food distribution and more. Loss of vital networks would quickly cripple any nation – and none is immune to cyberattack."

Cybersecurity in action at ITU Telecom World 2009

Wednesday, September 30, 2009

Singapore Creates Agency to Protect against IT Threats

The Singapore Government issued a press release announcing the creation of the Singapore Infocomm Technology Security Authority (SITSA) "to secure Singapore’s IT environment, especially vis-à-vis external threats to national security such as cyber-terrorism and cyber-espionage."

Specifically SITSA will provide:
  • IT Security Consultancy for strategic Government projects that have national security impact
  • Partnership Development to build relationships with key entities strategic to enhancing Singapore’s IT security
  • Critical Infocomm Infrastructure Protection to systematically harden the CIIs in nationally critical sectors
  • Technology Development to develop and maintain SITSA’s technical competencies and to provide insights on developments in IT security and threats
  • Singapore’s planning and preparedness, and response, against any major external cyber attack
The authority will be part of the Ministry of Home Affairs.

Singapore Infocomm Technology Security Authority Set Up to Safeguard Singapore against IT Security Threats

Thursday, April 09, 2009

Analysis of Report on Power Grid Intrusions

After publishing a post on The Wall Street Journal article concerning intrusions into the US electrical grid, I re-read the report and noticed a discrepancy in comments by various "government officials". The story first states (I've added the emphasis):
"The intruders haven't sought to damage the power grid or other key infrastructure..."
but then reports that:
"Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, "If we go to war with them, they will try to turn them on."
The article goes on to state:
"Officials cautioned that the motivation of the cyberspies wasn't well understood, and they don't see an immediate danger. China, for example, has little incentive to disrupt the U.S. economy because it relies on American consumers and holds U.S. government debt."

With the caveat that the article provides no real data to perform an accurate risk assessment, these statements, as reported, are worrying to say the least. If software really has been planted that can "destroy infrastructure components" then my professional opinion is that:
  1. Damage has occurred - If a system is penetrated to the extent that software has been installed that disrupts operations, the system has been damaged. The integrity and operational capacity of the system are compromised. In a large complex network, it is very difficult to regain control when this level of compromise has taken place.

  2. There is immediate danger - As long as systems are compromised with malicious software, the motive of the intruders is unclear and the vulnerabilities and entry points of the intruders remain, then there is an immediate danger. The companies owning these systems are not in control.

U.S. Electrical Grid Intrusions

Wednesday, April 08, 2009

U.S. Electrical Grid Intrusions

The Wall Street Journal reheated the debate of infrastructure vulnerability with an article concerning intrusions into and mapping of the U.S. electrical grid. The report points to China and Russia as the source, but provides almost no details beyond the generalized comments of anonymous sources to substantiate the claims.

One interesting note is the lack of detection of the intrusions by the companies themselves:

"Many of the intrusions were detected not by the companies in charge of the infrastructure but by U.S. intelligence agencies, officials said. Intelligence officials worry about cyber attackers taking control of electrical facilities, a nuclear power plant or financial networks via the Internet.

"Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, "If we go to war with them, they will try to turn them on."

Of course, the story is spawning many other reports and analyses, including the suggestion that the power grid should be disconnected from the Internet:
"The onetime Counter Terrorism Czar, who famously criticized the Bush Administration for doing little to combat al Qaeda early in his first term before 9/11, chided the Obama Administration for not moving fast enough to decide upon the best defense strategy to counter cyber attacks on key infrastructure.

"One thing you can do is disconnect the power grid control system from the internet," Clarke said. "There's no reason for it to be connected."
This could be said of many critical systems. One such system that is rarely discussed is emergency communications including 911 systems that have slowly been connecting to the Internet despite security issues.

Electricity Grid in U.S. Penetrated By Spies
Disconnect electrical grid from Internet, former terror czar Clarke warns

Sunday, March 29, 2009

U.K. Intelligence Fears Chinese Made Telecommunication Systems

The Sunday Times reports on U.K. intelligence officers' fear that China may be able to disrupt British telecommunications via Chinese systems provided to British Telecom (BT):
"A confidential document circulating in Whitehall says that while BT has taken steps to reduce the risk of attacks by hackers or organised crime, “we believe that the mitigating measures are not effective against deliberate attack by China”."
The primary concern is BT using systems manufactured by Huawei:

"According to the sources, the ministerial committee on national security was told at the January meeting that Huawei components that form key parts of BT’s new network might already contain malicious elements waiting to be activated by China.

"Working through Huawei, China was already equipped to make “covert modifications” or to “compromise equipment in ways that are very hard to detect” and that might later “remotely disrupt or even permanently disable the network...”

Spy chiefs fear Chinese cyber attack

Tuesday, March 17, 2009

Canada Sees Cyber Security As Top National Security Concern

Canada's Public Safety Minister is in Washington for bilateral talks on security and in an interview discussed Canada's cyber concerns:
"Canada is facing a growing threat of cyber attacks from hostile governments and criminals that could cripple critical infrastructure and financial systems, says Public Safety Minister Peter Van Loan."
In fact, the Minister sees cyber attacks as one of the top security concerns for Canada:
"...Van Loan said cyberspace and border security will top the agenda for high-level meetings with his America."

Cyber war tops Public Safety agenda

Friday, February 13, 2009

Chinese Cyber Attacks Back in the News

Attacks from China have resurfaced in the news, although it's difficult to determine from the coverage if these are new attacks. In a recent interview, Rep. Bennie Thompson, Chairman of the House Homeland Security Committee, provided a few details concerning attack targets:

"Currency trading is among the financial networks targeted by hackers, Thompson said. An attack would be particularly damaging in light of the financial system’s troubled state, he said.

"He said electric utilities’ networks also have several points of weakness.

“We were provided alarming data on the vulnerability of our electrical grid in this country,” he said."

China strongly denies the allegations:

“Allegations that the Chinese government is behind cyber attacks against the U.S. computer networks are totally unwarranted and misleading for the America public,” Wang [Baodong, a spokesman for the Chinese Embassy in the U.S.] said in an e-mailed statement.

Wang said the Chinese government is “cracking down” on computer hacking and other cyber crimes.


Chinese Hackers Attack U.S. Computers, Thompson Says

Friday, January 23, 2009

Obama Administration Releases National Security Agenda Including Cyber Security

The new Obama Administration has posted their strategy for national security on the White House website. The document specifies a number of agenda items including terrorism, nuclear weapons and... information security.

The agenda is broad and encompasses many areas of information security that historically have been neglected, drowned in red tape and infighting or handed over to technical PhDs that can't see beyond the length of an encryption key to develop "solutions" that can't be implemented.

It remains to be seen if the new Administration can implement real change. However, if even a few of these initiatives were properly implemented it would be a major step forward.

Here is the full text of the cyber security section:

"Protect Our Information Networks

"Barack Obama and Joe Biden -- working with private industry, the research community and our citizens -- will lead an effort to build a trustworthy and accountable cyber infrastructure that is resilient, protects America's competitive advantage, and advances our national and homeland security. They will:

  • Strengthen Federal Leadership on Cyber Security: Declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy.

  • Initiate a Safe Computing R&D Effort and Harden our Nation's Cyber Infrastructure: Support an initiative to develop next-generation secure computers and networking for national security applications. Work with industry and academia to develop and deploy a new generation of secure hardware and software for our critical cyber infrastructure.

  • Protect the IT Infrastructure That Keeps America's Economy Safe: Work with the private sector to establish tough new standards for cyber security and physical resilience.

  • Prevent Corporate Cyber-Espionage: Work with industry to develop the systems necessary to protect our nation's trade secrets and our research and development. Innovations in software, engineering, pharmaceuticals and other fields are being stolen online from U.S. businesses at an alarming rate.

  • Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit: Shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes. Initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime.

  • Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches: Partner with industry and our citizens to secure personal data stored on government and private systems. Institute a common standard for securing such data across industries and protect the rights of individuals in the information age."


THE AGENDA • HOMELAND SECURITY

Information Security Makes GAO High Risk Report for the 12th Year

The U.S. Government Accountability Office (GAO) has updated its list of governmental projects that are at risk "due to their greater vulnerabilities to fraud, waste, abuse, and mismanagement. GAO also identifies high-risk areas needing broad-based transformation to address major economy, efficiency, or effectiveness challenges."

Information security continues to make the list - for the 12th year. In the section titled: "Protecting the Federal Government’s Information Systems and the Nation’s Critical Infrastructures", the report makes note that the Department of Homeland Security (DHS) has made some progress but still falls short:
"Federal information security has been on GAO’s list of high-risk areas since 1997; in 2003, GAO expanded this high-risk area to include cyber CIP [Critical Infrastructure Protection]. The continued risks to information systems include escalating and emerging threats; the ease of obtaining and using hacking tools; the steady advance in the sophistication of attack technology; and the emergence of new and more destructive attacks."
Specifically, the report refers to numerous detailed past GAO reports and summarizes several areas requiring attention:
"Since 2006, GAO has made numerous recommendations in the following key areas:
  • bolstering cyber analysis and warning capabilities.
  • reducing organizational inefficiencies.
  • completing actions identified during cyber exercises.
  • developing sector-specific plans that fully address all cyber-related criteria.
  • improving cyber security of infrastructure control systems.
  • strengthening DHS’s ability to help recover from Internet disruptions.
"Until these and other key cyber security areas are effectively addressed, the nation’s cyber critical infrastructure is at risk of increasing threats posed by terrorists, nation-states, and others."
HIGH-RISK SERIES: An Update

Wednesday, December 17, 2008

U.S. Nuclear Regulatory Commission Issues New Cyber Security Rules

The U.S. Nuclear Regulatory Commission (NRC) issued a press release concerning new security requirements for nuclear power plants. The release had one line referring to increased cyber security. No other details were provided:
"Additionally, there are new sections requiring a comprehensive cyber security program at nuclear power plants..."

NRC APPROVES FINAL RULE EXPANDING SECURITY REQUIREMENTS FOR NUCLEAR POWER PLANTS

Monday, December 15, 2008

Commentary: U.S. CEOs to Assist in Critical Infrastructure Protection? - Not Likely

Coverage and analysis of the report "Securing Cyberspace for the 44th Presidency" released by the Center for Strategic and International Studies continues.




A recent article from NetworkWorld discusses the recommendation to create a C-level panel of advisers called The President’s Committee for Secure Cyberspace. This panel would represent four key industries: Energy, finance, information technology/communications and government.
"The four industries were chosen for the committee because they “form the backbone of cyberspace. … Keep these sectors running and cyberspace will continue to deliver services in a crisis. Bring them down, and all other sectors will be damaged.”

There will be no problem getting CEOs to sit on a highly visible presidential committee where they can be seen to be doing something for little or no cost. However, expecting for-profit corporations to voluntarily make costly security changes and investments, especially during an economic down-turn, is wishful thinking at best. It will never happen. Remember, these are the same CEOs that require extensive ROIs for the most mundane security investment.

Therefore, the report also recommends new regulatory powers to force security changes:
"The report also seeks new regulations with the teeth to enforce standards that would establish a more secure infrastructure."

The article discusses several possible forms these regulations could take. Unfortunately, if past behavior provides any insight into future behavior, these regulations will be passed with little forethought or, if there is open discussion and debate, will be significantly weakened via lobbying when corporations realize the cost of compliance.

Top execs would roll up sleeves to fight cyber war, according to think tank study

Thursday, December 04, 2008

Australian Prime Minister Sees National Cyber Threat

Prime Minister Kevin Rudd commented in Australia's National Security Statement that technological dependence and cyber threats from "hackers, ...commercial entities and foreign states" place Australia's information infrastructure at risk. Prime Minister Rudd stated:
"The irony of technology today is that, while on the one hand we are seeking to invest in sophisticated information, intelligence and military technology, on the other, we have to protect ourselves from the extreme use of basic, readily available technology and hardware by terrorist groups."

Hacker threat: Rudd promises action

Wednesday, October 01, 2008

Information Security Is "on Vacation" in the U.S.

An interesting commentary on the state of cyber war capabilities and vulnerabilities was recently published by Claremont College stating "[t]he security of America’s information infrastructure is on vacation". The article discusses recent cyber attacks, data losses and the nature of distributed denial-of-service (DDoS) attacks and concludes:
"This type of information espionage and Internet vandalism has the potential to be a serious form of asymmetrical warfare, allowing state actors deniability and providing them with a powerful new tool in intelligence-gathering. International recognition of current U.S. military dominance has driven other nations to find alternative methods of strengthening their strategic position.

"While our dependency on the Internet grows both economically and politically, we need to provide stronger security regulation of government agencies and key industries..."


The State of Computer Security

GAO Report: US CERT's "Baseline Understanding" Inadequate

Last month, the U.S. Government Accountability Office (GAO) released yet another report condemning the Department of Homeland Security's cyber analysis and warning capability.

As previously observed, there is a deficiency in the most basic capabilities to understand (let alone protect) the national information infrastructure. The GAO report concluded:
"In seeking to counter the growing cyber threats to the nation’s critical infrastructures, DHS has established a range of cyber analysis and warning capabilities, such as monitoring federal Internet traffic and the issuance of routine warnings to federal and nonfederal customers. However, while DHS has actions under way aimed at helping US-CERT better fulfill attributes identified as critical to demonstrating a capability, US-CERT still does not exhibit aspects of the attributes essential to having a truly national capability. It lacks a comprehensive baseline understanding of the nation’s critical information infrastructure operations, does not monitor all critical infrastructure information systems, does not consistently provide actionable and timely warnings, and lacks the capacity to assist in mitigation and recovery in the event of multiple, simultaneous incidents of national significance [emphasis added]."


This lack of a "comprehensive baseline understanding" is not confined to the U.S. Government; it is also rampant in the private sector where risk and threat assessments are too often a simple compliance check-off with little regard to the quality of analysis. In both the public and private sectors, engineers and other technicians tasked with managing information security are not trained as security professionals who can analyze risks and threats across a single organization let alone across entire information infrastructures and global networks.

This lack of professional competence in the information security industry is one of the key factors driving the continued increase in vulnerabilities, attacks and data and monetary losses despite record investment and spending.

The full GAO report is available online:

CYBER ANALYSIS AND WARNING: DHS Faces Challenges in Establishing a Comprehensive National Capability

Thursday, September 25, 2008

Commentary: The Problem with Information Security

A recent article from Australian IT provided an Australian perspective of the international cyber warfare games named Cyber Storm II. The exercise was conducted by private and public sectors in Australia, Britain, New Zealand, Canada and the United States. It is available at: Govt can do more on cyber security: report.

However, one point stood out in the article's analysis:
"...participants [of Cyber Storm II], which included the private sector, were surprised by the "borderless nature" of cyber attacks and the "speed with which they can escalate"."

How can people who call themselves "security professionals" be surprised that the Internet is "borderless" or that attacks (or any online activity) can occur quickly? This lack of understanding of the basic nature of threats is mind-boggling and one of the most daunting problems in information security.

Too often, the "security experts" (in both the government and private sectors) are simply IT engineers who view security as a technical problem with technical solutions. This myopic world view is not only misguided, it precludes proper threat and risk assessments.

While understanding the technological infrastructure and its vulnerabilities is an important component of any threat assessment, it is just as critical to understand adversary motivations, capabilities and methods. Likewise, threats must be analyzed at both the macro and micro levels.

For some reason, physical security professionals and intelligence analysts "get this". However, IT security engineers not only have difficulty incorporating the "people" element but are often hostile to anything that strays from their technical comfort zone.

It is no wonder that security problems are only growing in numbers and impact and they will continue to do so as long as information security is viewed as an engineering issue and the "experts" are "surprised by the "borderless nature" of cyber attacks".


Wednesday, September 17, 2008

U.S. Cyber Security Not Adequate

The U.S. Government Accountability Office (GAO) has released a report (originally dated July 2008) critical of the U.S. Government's cyber security.

The report defined, in part, the threat:
"There is increasing concern among both government officials and industry experts regarding the potential for a cyber attack on the national critical infrastructure, including the infrastructure’s control systems. The Department of Defense (DOD) and the Federal Bureau of Investigation, among others, have identified multiple sources of threats to our nation’s critical infrastructure, including foreign nation states engaged in information warfare, domestic criminals, hackers, virus writers, and disgruntled employees working within an organization. In addition, there is concern about the growing vulnerabilities to our nation as the design, manufacture, and service of information technology have moved overseas. For example, according to media reports, technology has been shipped to the United States from foreign countries with viruses on the storage devices. Further, U.S. authorities are concerned about the prospect of combined physical and cyber attacks, which could have devastating consequences. For example, a cyber attack could disable a security system in order to facilitate a physical attack."
The GAO broadly assessed operations in four areas: Monitoring, Analysis, Warning and Response and found issues in each domain.

One of the key challenges the report identified was organizational and management issues within the U.S. Department of Homeland Security (DHS) stating that the cyber security initiative is:
"...operating without organizational stability and leadership within DHS—the department has not provided the sustained leadership to make cyber analysis and warning a priority. This is due in part to frequent turnover in key management positions that currently also remain vacant. In addition, US-CERT’s role as the central provider of cyber analysis and warning may be diminished by the creation of a new DHS center at a higher organizational level."

"Until DHS addresses these challenges and fully incorporates all key attributes into its capabilities, it will not have the full complement of cyber analysis and warning capabilities essential to effectively performing its national mission."

CRITICAL INFRASTRUCTURE PROTECTION: DHS Needs to Better Address Its Cybersecurity Responsibilities

Wednesday, April 30, 2008

Cyber Warfare Article

TechNewsWorld has published a series of articles on politically motivated attacks. The articles discuss the Estonia attacks and Russian and Chinese 'hackers'. The second part discussed the broader issues of asymmetric warfare and the (mostly U.S.) response to the issues.
"These cyber attacks are extremely worrisome because politically supported attacks have the backing of strong entities. Sponsors of these cyber attacks are trying to gain control to the keys to the kingdom..."

The Art of Cyber Warfare, Part 1: The Digital Battlefield
The Art of Cyber Warfare, Part 2: Digital Defense

Thursday, March 20, 2008

Review: The National Security Strategy of the United Kingdom

The United Kingdom has released the first ever National Security Strategy "set[ting] out the Government's approach to dealing with threats to national security, ranging from war and terrorism to climate change, disease and poverty."

The report summarizes a wide range of threats and provides a comprehensive prevention and control strategy. Within the report are several references to national threats from computer crime:

Under the heading of "Defending the United Kingdom against state-led threats" the strategy defines the requirements as:
  • "...to defend the territory of the United Kingdom, its sea and air approaches, its information and communications systems, and its other vital interests..."
  • "On intelligence, in addition to the major effort required to tackle the current level of terrorist threat, the security and intelligence agencies will continue to protect the United Kingdom against covert activity by foreign intelligence organisations aimed at political, economic and security targets, including cyber-attack."

Under the heading "Responding to global trends" the report discusses a strategy to handle cyber incidents:
"In response to the technological challenges, we are committed to working with international, public, and private sector partners to ensure that our government systems and critical national infrastructure are adequately protected against cyberattack.

"We are also investing, through the interception modernisation programme, to update our intelligence and law-enforcement capability to meet the challenges of rapidly advancing communications technology. We are committed to maximising the opportunities and benefits of the internet, by protecting the freedom to develop and host new services, while also reducing the scope for terrorists and criminals to exploit those opportunities and freedoms, and ensuring that the internet itself is resilient enough to withstand attacks and accidents.

"Finally, we support international efforts to monitor and protect the safety and security of new technology including the internet and communications networks, and the space assets that are increasingly important for communications. We will continue to explore how new confidence‑building and arms control measures might contribute to international security in this area."

Finally, under the heading "The interdependence of threats, risks and drivers – an integrated response" the report discusses how many of the threats to the United Kingdom are interrelated and discusses how cyber threats will be managed:
"The Centre for the Protection of National Infrastructure (CPNI) was established in 2007 to act as an interdepartmental organisation providing advice on information, physical and personnel security to businesses and organisations across the national infrastructure. CPNI works closely with the private sector, delivering advice to reduce the vulnerability of critical infrastructure to terrorism and other national security threats."
The full report is available at:

The National Security Strategy of the United Kingdom