The possibility of cyberwar and cyberterrorism — and the general topic of cybersecurity — seems to me to be gaining momentum. As one recent example from the past week’s press, I would point to the ongoing cyberattack on South Korean and some U.S. websites by a shadowy organization that some believe may be North Korean military research center 110, which is run by the North Korean Army. Because of this increased interest, I have decided to write a three-part article on cybersecurity. I would like to acknowledge and thank Mike Daniels for his help in developing some of the ideas in this article.

Today I consider the general nature of the cybersecurity challenge. In future installments, I will look at the implications of cybersecurity for our nation, and then I will examine what we can and should do to meet this growing challenge. I welcome your comments and I hope you’ll add to this blog your own information and opinions about cybersecurity and the threats posed to our nation. I am reading your posts with great interest.

The Cybersecurity Challenge

There are many threats to our national security today. Some have existed for some time now — like the threats from Iran, North Korea, Russia and China — but the nature of these threats has been changing dramatically within the past decade, and we are now facing a direct threat to our national information infrastructure, on which both the military and civilian infrastructures depend. This threat is getting worse as more subtle means of attack appear.

Many experts have been voicing alarm about the problem of cybersecurity for a number of years. Some of these experts are still heavily involved with the Department of Defense and other federal agencies to help find solutions. For example, Paul Strassmann — an outspoken authority on cybersecurity at the time I was running SAIC — continues to voice his concerns, most recently in a paper entitled “Cyber Security for the Department of Defense” (PDF), which I highly recommend for its very current reporting of the threat.

While honest observers may argue among themselves about the current magnitude of the threat and how vulnerable our systems are to attack, there can be no doubt that this threat is real and growing. According to Verisign, Internet cyberattacks are widespread and remarkably frequent: the portion of the Internet that the company is responsible for running sustains more than 2 million attacks a day. The attacks are on the network itself, on websites, companies and governments, and on any other target that hackers can remotely identify and access.

President Obama recently disclosed that hackers had free rein through much of his presidential campaign’s website and computer systems. According to Obama, “It’s no secret that my presidential campaign harnessed the Internet and technology to transform our politics. What isn’t widely known is that during the general election hackers managed to penetrate our computer systems.” Some of the information compromised included email messages, travel plans, policy position papers, and campaign files. Concluded Obama, “We’re not as prepared as we should be, as a government or a country.”

Five Key Cyberthreats

Experts are primarily concerned about five significant and evolving cybersecurity threats to users worldwide. These five threats are: cybercrime, cyberwar, malware, botnets, and threats to VoIP and mobile devices.

  • Cybercrime — simply, crime committed using computers and most often the Internet — is driven by criminals who are increasingly professional and well-organized, and who are attracted by the chance for significant profits. There are growing reports of organized crime and governments getting involved in the business of cybercrime as they “follow the money.” The cost of cybercrime to businesses and to the global economy is growing. However, businesses and governments are reluctant to discuss this issue for fear of disclosing just how significant a loss this is becoming and the exact methods employed. A conservative estimate might put the figure at about $100 billion lost each year.
  • Cyberwar — the deliberate use by one nation of computer technology to weaken, cripple, destroy, or confuse an enemy nation’s military, economic and infrastructure assets — is a growing and troubling aspect of cybersecurity. Evidence now available implicates the Russian government in cyberattacks against Georgia during the 2008 fighting over Georgia’s breakaway regions of South Ossetia and Abkhazia. Most Internet traffic in Georgia is routed through Turkey and Russia. On August 10, 2008 — the day after Russian military commanders authorized the Russian Air Force to make air attacks against Georgia — Internet traffic routed through Turkey was almost completely blocked, and traffic through Russia “was slow and effectively unusable,” according to a report from the Georgia Tech Information Security Center (GTISC). In 2007, Estonia faced similar cyberattacks, which appeared to originate in Russia.
  • Malware is malicious software, used for a variety of purposes but typically to infect computing devices and monitor what the infected computer is doing. Malware has become increasingly sophisticated and is being used to exploit weaknesses in poorly configured websites, especially social networking sites. Some experts in this area predict a 10-fold increase in malware objects detected in 2008 over the previous year. Malware is a major problem for enterprises, and we can expect this to continue to grow in the future. Malware typically exploits weaknesses in enterprise systems that take time to patch and update. While these problems are being investigated and addressed at the enterprise level, the malware keeps exploiting the systems until the flaws in the software are resolved. By then, the loss of information can be widespread, and the damage significant.
  • Botnets are networks of computing devices that have been infected with software code that puts each device under the control of someone — known as a botmaster — in a remote location, which could be anywhere in the world. This angle on cybercrime is relatively new, and what we know so far is unfortunately not much. Uncovering botnet communications is difficult for a variety of technical reasons, but some of the best data we have today comes from the Georgia Tech Information Security Center. In a recent report, GTISC estimated that by the end of 2008, 15 percent of online-enabled computers will have been recruited into botnets, up from an estimated 10 percent at the end of 2007. Botnets are particularly insidious because, as they become more sophisticated, computer users don’t have to do anything for their computers to become infected except visit a webpage that may be disguised to look like any other. Increasingly, search engines such as Google and Yahoo! are directing people to such infected webpages. According to GTISC, more than 10 million botnet computers are used to distribute spam and malware over the Internet each and every day.
  • VoIP and Mobile Devices. The fifth Internet threat — and what is certain to be the next major area for cyberattacks and cybercriminal activity — is mobile devices and voice over IP (telephony carried over the Internet, such as Skype or Vonage). Today there are about 1.5 billion computers in use worldwide and about 3 billion mobile devices. Most mobile devices, such as mobile phones, are relatively easy to use and fairly inexpensive, so their number continues to expand rapidly, and increasing numbers are being used for business purposes — creating vulnerabilities within the companies and other organizations that use them. These devices will be increasingly targeted for theft, fraud, scams and diversion of financial and other business and governmental data as their use expands into mobile banking, credit reporting, sensitive customer data transactions, and more. All the cybersecurity issues which have arisen with the Internet and conventional computing platforms will eventually migrate to the mobile device and VoIP area.

Looking Ahead

When exploring the issue of cybercrime and the implications for our nation, there are two broad areas to consider. The first is what is commonly classified as corporate or commercial cybercrime and the second is governmental cybercrime. The two are interrelated, but separate problems — much of the government’s routine traffic runs over regular commercial data networks. I will consider both in the next installment of this article.


14 Responses to “The Cybersecurity Challenge: Overview”

  1. Blake Escudier

    Dr. Beyster,
    Electronic transactions have opened the door for the “intelligent criminal” – here in Melbourne, AU – an international criminal element placed electronic devices on a string of ATM machines and it was capturing individuals’ card and PIN numbers. They say for more than 6 months before being found. The device was placed onto the front of the unit and people would never know it was not part of the ATM.

    So in the Grand Scale – countries will battle through electronic means – and so will petty thieves and crime syndicates. No need to counterfeit bills when a person can counterfeit a whole corporation (Madoff).

    The Age of Electronics – Positives and Negatives.

  2. Blake Escudier

    Dr. Beyster,

    A lot of my research deals with small business owners within Dynamic Environments. Most dynamic environments are created through natural disasters (hurricane, flood, fire) – yet some are created through man-made situations – large scale such as the rapid evolution of computer systems within Asian countries – or economic bubbles and collapses that happen on a relatively rapid pace. Then there are the possible Dynamic Environments created through human caused emergency (terrorist, human accident).

    Prior to the 9/11 attack & Hurricane Katrina, the phenomenon of large scale disaster was being studied due to the Loma Prieta earthquake and Hurricane Andrew. Yet neither had the situations that created as widespread an environmental challenge as 9/11 and Katrina (war and floods).

    With the present day dependency on electronic commerce, the open systems theory describes a constant and dynamic relationship between organizational systems and numerous environments. The chaos created within a dynamic environment may be pre-imagined as even Gleick (1987) presented his theory of chaos as sensitive and dependent upon initial conditions. Yet the outcome – or new environment equilibrium – can never really be known.

    The potential for rapid changes within commercial environments will only become more dangerous as more of the world becomes dependent upon energy driven electronic information systems. (Energy driven is stated due to the very high energy needs for data storage systems).

    While there are similar small scale situations that are relevant (i.e. 1890 – price of beef goes up when railroads are held up; delivery of cars is delayed when there is a labor strike at the ball bearing plant) – never before has the world been this tightly connected. Thus the effect will be more global, as seen within the recent financial system’s reaction to a stoppage of credit markets.

    On any given minute would you say there is possibly a half billion people online? When has the world ever been so dependent upon any single human created system?

    So – with your presentation of potential security issues and the internet – I think it is just as appropriate to start considering the potential results of these actions.

    I’ll always go back to my Boy Scout training – Be Prepared.
    Blake

  3. Bill Marlow

    Bob – considering that SAIC, while you were there, was at the forefront of Cybersecurity – both commercially with Global Integrity and in the Government – there is a lot to be learned by looking at the past and what has developed into Cyberwarfare and Cyberterrorism.

    It is not just a highly intellectual challenge to break into systems – but it is a combination of IO (Information Operations) and PSYOPS (Psychological Operations). If one can create Fear, Uncertainty and Doubt (FUD) in systems – this can be a very useful tool. Overt attacks such as those from North Korea are usually just covers for other more insidious methods to slip in object level patches or splices to do a lot more than just be a nuisance. What if – the financial industry was plagued and there was a run on banks or there was an attack on the food industry causing bad mixtures or processing. What if the control systems of the electric grid were manipulated. Or traffic signals or hospital monitoring systems or etc, etc, etc.

    It is not really about “security” – I know this is unusual coming from me – but it is more about verifiable “trust”. When people look at each other and work together there is a bond of Trust, likewise we need to provide this inherent trust in cyberspace – mobile or internet.

    Businesses have not yet figured out the value of trust – take the rash of USB devices from major brands that have recently been shipped new with very sophisticated malware built into the electronics, not just stored in the memory, or the new routers with malware built in. What and who can be trusted?

    Intellectually this has always been fascinating. To provide Trust will be a huge challenge that the government can not politically control, but must take positive steps to help including making infrastructure world wide “trustable”.

    It is a formidable challenge but nothing is impossible. However, as in all things it is a political football with agencies and companies arguing and jockeying for position.

    I provided Mike some thoughts – hope they help.

    My Very Best,

    Bill

  4. Al Buckles

    Dr Beyster, it is great to see you still engaged with the Nation’s serious threats…as you have always been through the Advisory Groups you sat on…especially the SAC/STRATCOM Strategic Advisory Group. As you recall, prior to your leaving the SAG, the SAG was dealing with the emerging Cyber threat and the vulnerabilities of the Nation’s Critical Infrastructure.
    I still enjoy being a special advisor to the STRATCOM SAG on its Cyber Panel. STRATCOM and its mission partners are deeply engaged in their mission of ensuring operations of the Global Information Network by understanding the threats, vulnerabilities, operations and defense of the networks.
    Like EMP the cyber threat has the capability of paralyzing a nation by taking down its critical infrastructure. Great to have you involved again.

  5. Steve

    Here is what I think is happening in the wild to hack the DNS. The Pirate Bay P2P file sharing site was recently purchased and the new owners intend to pool the resources of its users together to create a “Virtual Supercomputer”.

    http://www.businessweek.com/globalbiz/content/jul2009/gb2009071_378545.htm

    Over the last couple of years investigating network attacks, it seems that covert groups have already successfully utilized this concept of creating a “Virtual Supercomputer” to attack specific targets at will, mainly hacking the DNS.

    It is really interesting to see how they do it. The perpetrators acquire a “Hot” movie that everyone is waiting to download and upload it before anyone else. This creates an immediate surge of downloads on the P2P network. They now have their weapon “locked and loaded” and with the expanded bandwidth can focus their attack against whatever server they want to crack.

    It would seem to me that a commercial enterprise could be established to deliver subsidized media, software etc. as a “Loss Leader” providing health care, education, and government services for the public good utilizing a “Key Based” system.

    Unless somebody fixes the Education system in the USA there will be no one with the skills to defend against future Cyber Attacks, based on my real world experience. Under Secretary of Defense Gordon England expressed these same concerns in 2006 at the Pentagon.

  6. Paul A. Strassmann

    Sir:

    Your listing of “Five Key Cyberthreats” is insufficient. The INTERNET is, from an engineering standpoint, fundamentally insecure. It was designed (and continues to operate) with protocols that do not give to security a priority.

    The most critical need is for authentication because the Internet does not allow for end-to-end verification of transactions. Unless both the senders as well as the recipients of messages are authenticated there will be always the danger that anything that is received may not be what it claims to be.

    Internet messages are mediated by means of software that operates computerized switches (called “routers”) while messages travel on an indeterminate path from their origin to their destination. The average number of connections to complete any transaction is nine but could be much larger when the network is congested. The Internet should be understood as a web of circuits that connect hundreds of thousands of traffic collectors (Internet Service Providers – ISPs). The ISPs then forward messages through millions of switches (routers) that link over five billion points of contact such as desktops, laptops, cell phones, credit card readers, burglar alarms, teller stations and radio frequency merchandise identity tags.

    The insecurity of the Internet is inherent in the ways the routers communicate. The decision to send a message from one router to the next is controlled by the router software that picks one of several possible paths for passing the message in the direction of its ultimate destination. To keep track of which one of the routers has the capacity to transport the traffic, every router keeps in contact with others in the neighborhood. In this way every router becomes a switch that changes every fraction of a second in how it operates.

    The most dangerous corruption of the Internet originates from malicious changes to the router software. An attacker can manage to take control and change its logic so that a duplicate message (plus passwords) is routed to wherever a criminal collects intelligence.

    Having control of a router is not difficult because a sophisticated attacker can install a copy of the switching software on a computer that masquerades as a legitimate router. There are many ways that a bogus machine can be inserted into the Internet, since the characteristics of the entire network are not traceable. The insertion of a fake router is often done with the collaboration from a trusted insider.

    Paul
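
As an added illustration of the authentication gap Paul describes above (example code written for this page, not part of the original post or of his comment): a recipient that checks an HMAC-SHA256 tag computed over the whole message rejects anything a rogue router rewrites, anything forged by a party without the shared key, and anything delivered a second time. The shared key, the names and the transfer text are constructed for the example; a real deployment would establish the key through a key exchange or PKI rather than a constant. This covers integrity and origin, not confidentiality: a router that silently copies traffic still sees the body, which only encryption prevents.

```python
"""Added example, not part of the original post or of Paul Strassmann's comment:
end-to-end message authentication with HMAC-SHA256, so that a message altered,
forged or replayed by an untrusted router is rejected at the recipient.
The key, names and messages are constructed for illustration only."""
import hashlib
import hmac
import json

# Assumption: sender and recipient share a secret established out of band
# (in practice via a key exchange or PKI; a fixed constant is used here only
# to keep the example self-contained).
SHARED_KEY = b"example-shared-secret-for-illustration"
WRONG_KEY = b"key-an-impostor-might-guess"


def canonical(fields: dict) -> bytes:
    """Serialize the fields deterministically so sender and recipient hash the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def seal(key: bytes, sender: str, recipient: str, seq: int, body: str) -> dict:
    """Build an authenticated message. The tag covers sender, recipient,
    sequence number and body, so none of them can be changed in transit
    without invalidating the tag."""
    fields = {"from": sender, "to": recipient, "seq": seq, "body": body}
    tag = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return {"fields": fields, "tag": tag}


class Receiver:
    """Recipient that verifies origin, integrity and freshness before acting."""

    def __init__(self, key: bytes, name: str):
        self.key = key
        self.name = name
        self.last_seq = {}  # highest sequence number accepted per sender

    def open(self, msg: dict):
        """Return (fields, 'ok') on success, or (None, reason) on rejection."""
        expected = hmac.new(self.key, canonical(msg["fields"]), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking the tag byte by byte.
        if not hmac.compare_digest(expected, msg["tag"]):
            return None, "bad tag: forged or modified in transit"
        fields = msg["fields"]
        if fields["to"] != self.name:
            return None, "not addressed to this recipient"
        if fields["seq"] <= self.last_seq.get(fields["from"], -1):
            return None, "replayed message"
        self.last_seq[fields["from"]] = fields["seq"]
        return fields, "ok"


def rogue_router(msg: dict) -> dict:
    """Simulates a compromised hop that rewrites the body but cannot recompute the tag."""
    altered = dict(msg["fields"], body="transfer $10,000 to account 999")
    return {"fields": altered, "tag": msg["tag"]}


def demo() -> list:
    """Run four deliveries through the recipient and return the verdict for each."""
    bank = Receiver(SHARED_KEY, "bank")
    genuine = seal(SHARED_KEY, "alice", "bank", 1, "transfer $10 to bob")
    forged = seal(WRONG_KEY, "alice", "bank", 2, "transfer $10,000 to account 999")
    return [
        bank.open(genuine)[1],                # honest path
        bank.open(rogue_router(genuine))[1],  # body rewritten in transit
        bank.open(forged)[1],                 # impostor without the key
        bank.open(genuine)[1],                # same message delivered again
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running the script prints one verdict per delivery: the genuine message is accepted, the rewritten and the forged ones fail the tag check, and the redelivered copy is rejected as a replay because its sequence number is not higher than the last one accepted from that sender.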

  7. Dr. Beyster

    Paul: I marvel at your command of the issues confronting cybersecurity. It’s remarkable to me that the situation does not seem to be getting better after all these years and hundreds of millions of dollars spent on securing the Net. I don’t know about you, but when I crank up my desktop computer I don’t worry about security too much, not that I have anything to steal. — Bob

  8. Dr. Beyster

    Steve: Thanks for your note. It’s clear that this is a growing threat and so long as the threat continues to outpace our ability to respond, then hackers and their supporters will be able to continue to harass Internet users virtually unimpeded. — Bob

  9. Dr. Beyster

    Al: Good to hear from you, Al. I still haven’t made it to Omaha, but maybe someday I’ll make it happen. It seems these threats never cease to be a growing problem. I’m sure you guys at STRATCOM have improved the situation considerably, but new threats arise just as quickly as old threats are addressed. Tell Admiral Bell I said hello. — Bob

  10. Dr. Beyster

    Bill: Thanks for your blog entry. I agree with you that it’s not just the physical security threat that we face — which is being addressed with improved technology — but it’s also the psychological effect that these breaches in security have on Internet users who are afraid their personal data is not being protected. — Bob

  11. Dr. Beyster

    Blake: Thank you for your note on my blog. I think what you’re telling me is we are still tremendously vulnerable to cyberattack in this country, and the environment — though better — is far from perfect. I agree with you that we should be prepared. Unfortunately, we are not. — Bob

  12. Dr. Beyster

    Blake: Thank you for your note. I’m sure this sort of attack by intelligent criminals you experienced in Melbourne is a common thing occurring many times each day around the world. By now I would hope that the banks have developed better protection against such threats. They’ve been going on for too long. — Bob

  13. Dan Bochneak

    Bob,

    Some of the underlying attributes that are mandated by DoD, government and federal agencies for network communications and computer gear, are the result of mandated standards for open source, open architectures, and COTS in the acquisition cycle. Goals include reduced costs and improved interoperability for software and hardware that is developed and manufactured by high-tech corporations whose critical mass of operations and research is significantly concentrated in countries from which cyber exploits not-so-coincidentally originate.

    If the variables of cost, cycle-time, interoperability, and forward and backward compatibility are some of the factors that are forcing the U.S. to select technologies that are built upon open source, open architectures, and COTS, might it be probable that such factors similarly reduce the barrier-to-entry for the bad guys to conduct rapid prototyping of potent cyber-threats that possess a high probability to compromise U.S. national interests, or at least keep pace with U.S. developed preemptive capabilities?

    It may be probable that some of the forces that are vectoring U.S. cyber-preemption capabilities toward open source, open architectures and COTS technologies, are increasing the potency for exploits/cyber-threats toward U.S. interests. America’s adversaries may know our technology as well as we do, and maybe more. Sourcing policy forces commercially available products and subject-matter-expertise, upon which we are dependent for IT and network technologies, to many times originate outside of the U.S., thus further exposing the U.S. to the potential of logic bombs, self-modifying code, and backdoors.

    Is the cyber security of America’s critical infrastructure improved or eroded by migrating to a smaller set of networks? Does a larger set of networks imply heterogeneity, and does either the number of networks and/or heterogeneity translate to a greater challenge for cyber network attackers? Does a smaller set of networks imply greater homogeneity, and does that translate to increased exposure to cyber threats, especially when the underlying systems are selected based upon cost as derived from the benefits of open source, open architectures, and COTS?

    Will the cyber security budget determine and possibly limit the eventual strategy developed and applied by USCYBERCOM to improve America’s cyber defenses?

    If cyber threats to America’s critical infrastructure endanger national security, at what price is our national security?

  14. Dr. Beyster

    Dan: Thanks for your in-depth and provocative response. I appreciated it and I’m sure my blog readers did as well. — Bob

