I am pleased with a recent two-part article on the topic of Network Solutions and SAIC written by Bruce Bigelow and published on Xconomy.com. The first part of the article focuses on Mike Daniels’ role in the acquisition of Network Solutions by SAIC, and the second part of the article is an interview with Mike and me. While you may be familiar with the story, you might also learn something new when you read it. There seems to be some interest in the Network Solutions story, and this is going to be the focus of our new book.

I am also pleased with all the comments that have been posted by readers of my blog in response to my article on cybersecurity. I am concerned, however, that some of you may not have seen these comments. I am therefore posting a selection of them here on my home page so you have a chance to read them. I hope you enjoy them as much as I have.

In other matters, last Thursday I participated in a teleconference with Mike Daniels to discuss the situation on the new book to be written on the history of Network Solutions and its role in commercializing the Internet. On Friday I went sailing with Robert Craig and had a great time.

Here are some of the comments I have received on cybersecurity:

Paul A. Strassmann

There is a common thread that connects all of the reported cyber malfeasance: poorly executed authentication of access privileges.

When I was the CIO of NASA I inspected the information security at the Kennedy Space Center. The precautions that were taken for verifying access to data were not competent. Access privileges were handled loosely by the contractors, who had custody of the data bases, including drawings. There was no way an unauthorized insider could be tracked. NASA did not have the staff or the competence to do anything about that.

The reported incidents about cyber crime feature stories about symptoms. We should also discuss the root causes.

From The Cybersecurity Challenge: Corporate Cybercrime and Government Cybercrime, 2009/07/28 at 2:15

* * *

Dan Bochneak

Bob,

Some of the underlying attributes that are mandated by DoD, government and federal agencies for network communications and computer gear, are the result of mandated standards for open source, open architectures, and COTS in the acquisition cycle. Goals include reduced costs and improved interoperability for software and hardware that is developed and manufactured by high-tech corporations whose critical mass of operations and research is significantly concentrated in countries from which cyber exploits not-so-coincidentally originate.

If the variables of cost, cycle-time, interoperability, and forward and backward compatibility are some of the factors that are forcing the U.S. to select technologies that are built upon open source, open architectures, and COTS, might it be probable that such factors similarly reduce the barrier-to-entry for the bad guys to conduct rapid prototyping of potent cyber-threats that possess a high probability to compromise U.S. national interests, or at least keep pace with U.S. developed preemptive capabilities?

It may be probable that some of the forces that are vectoring U.S. cyber-preemption capabilities toward open source, open architectures and COTS technologies, are increasing the potency for exploits/cyber-threats toward U.S. interests. America’s adversaries may know our technology as well as we do, and maybe more. Sourcing policy forces commercially available products and subject-matter-expertise, upon which we are dependent for IT and network technologies, to many times originate outside of the U.S., thus further exposing the U.S. to the potential of logic bombs, self-modifying code, and backdoors.

Is the cyber security of America’s critical infrastructure improved or eroded by migrating to a smaller set of networks? Does a larger set of networks imply heterogeneity, and does either the number of networks and/or heterogeneity translate to a greater challenge for cyber network attackers? Does a smaller set of networks imply greater homogeneity, and does that translate to increased exposure to cyber threats, especially when the underlying systems are selected based upon cost as derived from the benefits of open source, open architectures, and COTS?

Will the cyber security budget determine and possibly limit the eventual strategy developed and applied by USCYBERCOM to improve America’s cyber defenses?

If cyber threats to America’s critical infrastructure endanger national security, at what price is our national security?

From The Cybersecurity Challenge: Overview, 2009/07/21 at 8:19 AM

* * *

Paul A. Strassmann

Sir:

Your listing of “Five Key Cyberthreats” is insufficient. The INTERNET is, from an engineering standpoint, fundamentally insecure. It was designed (and continues to operate) with protocols that do not give security a priority.

The most critical need is for authentication because the Internet does not allow for end-to-end verification of transactions. Unless both the senders as well as the recipients of messages are authenticated there will always be the danger that anything that is received may not be what it claims to be.

Internet messages are mediated by means of software that operates computerized switches (called “routers”) while messages travel on an indeterminate path from their origin to their destination. The average number of connections to complete any transaction is nine but could be much larger when the network is congested. The Internet should be understood as a web of circuits that connect hundreds of thousands of traffic collectors (Internet Service Providers — ISPs). The ISPs then forward messages through millions of switches (routers) that link over five billion points of contact such as desktops, laptops, cell phones, credit card readers, burglar alarms, teller stations and radio frequency merchandise identity tags.

The insecurity of the Internet is inherent in the ways the routers communicate. The decision to send a message from one router to the next is controlled by the router software that picks one of several possible paths for passing the message in the direction of its ultimate destination. To keep track of which one of the routers has the capacity to transport the traffic, every router keeps in contact with others in the neighborhood. In this way every router becomes a switch that changes every fraction of a second in how it operates.

The most dangerous corruption of the Internet originates from malicious changes to the router software. An attacker can manage to take control and change its logic so that a duplicate message (plus passwords) is routed to wherever a criminal collects intelligence.

Having control of a router is not difficult because a sophisticated attacker can install a copy of the switching software on a computer that masquerades as a legitimate router. There are many ways that a bogus machine can be inserted into the Internet, since the characteristics of the entire network are not traceable. The insertion of a fake router is often done with the collaboration of a trusted insider.

Paul

From The Cybersecurity Challenge: Overview, 2009/07/14 at 7:13 AM

* * *

Steve

Here is what I think is happening in the wild to hack the DNS. The Pirate Bay P2P file sharing site was recently purchased and the new owners intend to pool the resources of its users together to create a “Virtual Supercomputer”.

http://www.businessweek.com/globalbiz/content/jul2009/gb2009071_378545.htm

Over the last couple of years investigating network attacks it seems that covert groups have already successfully utilized this concept of creating a “Virtual Supercomputer” to attack specific targets at will. Mainly hacking the DNS.

It is really interesting to see how they do it. The perpetrators acquire a “Hot” movie that everyone is waiting to download and upload it before anyone else. This creates an immediate surge of downloads on the P2P network. They now have their weapon “locked and loaded” and with the expanded bandwidth can focus their attack against whatever server they want to crack.

It would seem to me that a commercial enterprise could be established to deliver subsidized media, software etc. as a “Loss Leader” providing health care, education, and government services for the public good utilizing a “Key Based” system.

Unless somebody fixes the Education system in the USA there will be no one with the skills to defend against future Cyber Attacks, based on my real world experience. Under Secretary of Defense Gordon England expressed these same concerns in 2006 at the Pentagon.

From The Cybersecurity Challenge: Overview, 2009/07/14 at 6:44 AM

* * *

Bill Marlow

Bob — considering that SAIC, while you were there, was at the forefront of Cybersecurity — both commercially with Global Integrity and in the Government — there is a lot to be learned by looking at the past and what has developed into Cyberwarfare and Cyberterrorism.

It is not just a highly intellectual challenge to break into systems — but it is a combination of IO (Information Operations) and PSYOPS (Psychological Operations). If one can create Fear, Uncertainty and Doubt (FUD) in systems — this can be a very useful tool. Overt attacks such as those from North Korea are usually just covers for other more insidious methods to slip in object level patches or splices to do a lot more than just be a nuisance. What if — the financial industry was plagued and there was a run on banks or there was an attack on the food industry causing bad mixtures or processing. What if the control systems of the electric grid were manipulated. Or traffic signals or hospital monitoring systems or etc, etc, etc.

It is not really about “security” — I know this is unusual coming from me — but it is more about verifiable “trust”. When people look at each other and work together there is a bond of Trust, likewise we need to provide this inherent trust in cyberspace — mobile or internet.

Businesses have not yet figured out the value of trust — Take the rash of USB devices from Major Brands that have recently been shipped new with very sophisticated malware built into the electronics, not just stored in the memory or the new routers with malware built in. What and who can be trusted?

Intellectually this has always been fascinating. To provide Trust will be a huge challenge that the government can not politically control, but must take positive steps to help including making infrastructure world wide “trustable”.

It is a formidable challenge but nothing is impossible. However, as in all things it is a political football with agencies and companies arguing and jockeying for position.

I provide Mike some thoughts — hope they help.

My Very Best,

Bill

From The Cybersecurity Challenge: Overview, 2009/07/14 at 5:41 AM

* * *

Blake Escudier

Dr. Beyster,

A lot of my research deals with small business owners within Dynamic Environments. Most dynamic environments are created through natural disasters (hurricane, flood, fire) — yet some are created through man-made situations — large scale such as the rapid evolution of computer systems within Asian countries — or economic bubbles and collapses that happen on a relatively rapid pace. Then there are the possible Dynamic Environments created through human caused emergency (terrorist, human accident).

Prior to the 9/11 attack & Hurricane Katrina, the phenomena of large scale disaster was being studied due to the Loma Prieta earthquake and Hurricane Andrew. Yet neither had the situations that created a more widespread environment challenge as 9/11 and Katrina (war and floods).

With the present day dependency on electronic commerce, the open systems theory describes a constant and dynamic relationship between organizational systems and numerous environments. The chaos created within a dynamic environment may be pre-imagined as even Gleick (1987) presented his theory of chaos as sensitive and dependent upon initial conditions. Yet the outcome — or new environment equilibrium can never really be known.

The potential for rapid changes within commercial environments will only become more dangerous as more of the world becomes dependent upon energy driven electronic information systems. (Energy driven is stated due to the very high energy needs for data storage systems).

While there are similar small scale situations that are relative (i.e., 1890 — price of beef goes up when railroads are held up, Delivery of cars are delayed when there is a labor strike at the ball bearing plant) — never before has the world been this tightly connected. Thus the effect will be more global as seen within the recent financial systems reaction to a stoppage of credit markets.

On any given minute would you say there is possibly a half billion people online? When has the world ever been so dependent upon any single human created system?

So — with your presentation of potential security issues and the internet — I think it is just as appropriate to start considering the potential results of these actions.

I’ll always go back to my Boy Scout training — Be Prepared.

Blake

From The Cybersecurity Challenge: Overview, 2009/07/13 at 9:37 PM

* * *

Wesley

The Russian example reminds me of an old oil man’s tale about the US sabotaging the Trans-Siberian oil lines with computer code way back in the old times. As the story goes, the Russians were spying on us trying to get their hands on the computer codes to control large oil pipe networks. The US found out and made a trojan-type code and let them steal it. After operating some time the code switched over and made an overpressurized point in the piping and kaboom!! Apparently the explosion was seen from satellite footage and measured with our nuclear weapons testing seismic instrumentation. It supposedly flattened out a large piece of land and created some fierce forest fires.

This cyber security issue is going to go extreme in the nuclear industry. I think it could put a major burden on the utilities to be compliant. It raises endless questions. Will making a programming error be considered a potential act of terrorism?

I am just smelling another boondoggle for money made out of needless and unrealistic fears. It is impossible to fully secure anything, especially the WWW, so why bother trying to do it . . . so people can make money off of “securing” it. Ultimately for nuclear energy it means more expensive energy and in the trickle down screw-the-little-man-onomics, the rate payer bears the burden. We all will pay more per month so that some OPs guy can surf the web while he is at work.

From Securing the Internet, 2009/07/10 at 8:32 AM

* * *

Blake

Bob,

More of the same — who hit the US over the 4th weekend — and China shuts down a remote area to prevent the social networking — used to gather people together for protesting. Would the US ever do this to prevent the same — or does freedom of speech trump?

In 2004 I had proposed to US Rep. Zoe Lofgren to help set up an internet security incubator in Silicon Valley. At the time the US Govt was more concerned with major security issues and was working with the likes of MIT/Carnegie Mellon etc. The San Jose Business Development was on its own. The purpose was to allow ground up development of security systems through entrepreneurship — we had Intuit and Symantec interested since they have a large small/mid business market. Of course all things come down to where’s the money coming from — and that stopped the idea. Heck we even had a facility — a hospital that closed because they couldn’t make cost effective repairs for earthquake prevention. Would have been interesting.

Blake

From Securing the Internet, 2009/07/07 at 11:53 PM

* * *

Paul A. Strassmann

Dear Dr. Beyster:

You are correct that the new CYBERCOM will centralize much of our DOD’s (not national) efforts to defend against attacks on defense information technologies.

What is perhaps not sufficiently appreciated is the magnitude of the task to be accomplished. DOD’s 15,000 networks are fractured and insufficiently protected.

Perhaps you may wish to have a look at a paper on
http://www.strassmann.com/pubs/dod/cybersecurity-draft-v1.pdf
for a glimpse of what needs to be done.

Remaining with best (and fondest) regards,

Paul

From Securing the Internet, 2009/07/01 at 11:17 AM

* * *

Blake Escudier

Bob,

I would also assume that the Russians would like to have the ability to “somewhat” legally charge people with criminal activity inside their own country. The idea of a treaty allows justification for taking action against people and countries. And it would protect their own people doing such work in foreign countries.

I would think a recently evolving powerful position within most Embassy staff is the CTO — which can always be claimed as helping the country’s economic development for technology. The new cover for spying.

Another area to discuss would be a country’s ability to negate electronic communication — this has come to light with the media reports that Iran shut down internet access prior to elections.

If a country can lock down their own internet — why can’t a foreign country do it to them as well? Of course this brings up the question — can it be done?

Whenever the US develops a new government program designed for protection — pretty much means the US has developed a program to do the same to others. (If I can hit you — it means I had better prepare myself from being hit back)

From drums and smoke signals to global warfare.

From Securing the Internet, 2009/06/30 at 6:05 PM

* * *

Bob Wertheim

Bob: I think your assessment of these challenges to national security is spot on. The new cyber warfare mission for the US Strategic Command is reflected in the tasking of the Strategic Advisory Group, of which I believe you are still a member. These are mostly in the “too hard” category for this ancient mariner but you should consider coming to the next plenary of the SAG and lend us a hand.

From Securing the Internet, 2009/06/30 at 9:39 AM


4 Responses to “Your Thoughts on Cybersecurity”

  1. Al Buckles

    Dr Beyster,
    An interesting aspect of the whole cyber problem is where and how does it play in our overall National Strategic Deterrence posture. Gen Chilton the commander of USSTRATCOM has requested the SAG to put some thought into that question plus he just hosted what I believe to be the best Deterrence Symposium to date with participants from across our government and representatives from, among other countries, Russia and China. He is focused at this challenge and has the command working it hard.
    Any thoughts you have on Cyber and Deterrence would be welcomed.
    Al Buckles

  2. Dan Bochneak

    Bob,
    Hopefully this might be a helpful contribution to your third element in your cyber security article.
    1. Not so long ago there was an initiative identified as the Cyber Security Working Group. CSWG met periodically at various Silicon Valley facilities, and was comprised of a set of cross-industry experts, diverse in their respective areas of expertise, e.g. wireless communications; solid state device design and manufacture; software architecture, design and development; systems integration, etc.
    2. The CSWG initiative was funded in-effect by industry, because we all had full-time jobs other than CSWG, with participation at times by various federal government agencies. CSWG intentions were to contribute industry’s perspectives of root cause, systemic effects, and long-term corrective measures that could be applied to understanding and reducing the cyber threats to America’s critical infrastructures, including those of the DoD. The existence of CSWG can most accurately be characterized as having evaporated, although I suspect that some might advance the spin that it has merely morphed and become distributed.
    3. The harsh reality of initiatives such as CSWG was and remains the challenge of preserving the vision, mission, goals, stakeholders, capabilities, composition of subject-matter-expertise and progress-made, while effectively enduring and remaining productive and operating within the envelope that is influenced and defined by the changing dynamics of funding, corporate management, political leadership, and conflicting political interests.
    4. Ron Sugar (Chairman & CEO Northrop Grumman) published an open letter to President Obama regarding cyber security, posted in the March 9, 2009 edition of Aviation Week & Space Technology magazine. Mr. Sugar’s appraisal is, “America’s defense industry has heavily invested in the tools, techniques and human talent to address this problem. But, absent a significant change in government policy and a closer government-industry partnership, cyberthreats will continue to advance faster than our responses, and we will continue to fall behind. Losing this race risks catastrophe. Creation of a national effort that gathers the greatest minds in government, industry and academia is therefore imperative.”
    5. It seems to me that unless the dynamics identified in paragraph three are acknowledged, and politically, organizationally and systemically addressed, Mr. Sugar’s prediction will remain accurate. America’s national security and the integrity of our critical infrastructures will continue to be eroded by tireless, resourceful and ever emboldened adversaries, whose consequential effectiveness may be unintentionally enabled by corporate globalization, and empowered by the distribution of research, development, and the manufacture of technology to elsewhere than within the U.S.
    6. I propose that America does not need more root-cause-analysis. Such analyses have been conducted over-and-over and documented. Source causes are understood and documented many-times-over, although such information may not be captured in a single and non-fragmented database. By definition, corrective measures have not been implemented, since critical infrastructures continue to be threatened and compromised.
    7. A few possibly provocative questions might be:
    a. Is there a single existing coherent national policy and strategy for the protection of America’s critical infrastructures?
    b. Is everything really connected to everything else?
    c. Is it technically feasible and affordable to avoid the unintended consequences that appear to currently expose America’s critical infrastructures to disabling cyber attacks?
    d. Can certain finite elements that are critical to America’s interests, and that appear to be connected to everything else, operate effectively if they are decoupled from everything else?
    e. Is America’s need to secure our critical infrastructures advanced with more root-cause-analyses?
    f. Are the dynamics identified in paragraph three accurately characterized, even if not all-inclusive in their capture?
    g. Can USCYBERCOM avoid the pitfalls that are enabled by the dynamics of paragraph three?
    h. Can America’s critical infrastructures be protected, without the focused effort of a single consortium of industry, government, academia and DoD, since it may be that everything is connected to everything else, via the all-encompassing means of “technology”?
    i. How can such a single consortium be prevented from exposing America’s critical infrastructures to cyber threats, against which such a consortium may be intended to protect?
    j. Is a Program Management Office (PMO) a necessity of such a consortium, and can a PMO be designed and implemented to productively and securely manage such a national consortium?
    k. What is the national priority, policy, and strategy that is necessary to justify and fund a sufficiently long-term window of operational effectiveness for such a national consortium, to thwart cyber attacks to America’s critical infrastructures, while enabling the consortium PMO to be insulated from the dynamics of paragraph three?
    l. Can America afford to not absolutely protect our critical infrastructures from cyber attacks?
    Best Regards,

    Dan Bochneak

  3. Dr. Beyster

    Dan: Thank you for your blog submissions on cybersecurity. Your rundown of the problem is certainly very comprehensive and the questions you pose clearly need to be answered more than they have been. I can take a stab at a few. First, is there a single existing coherent national policy and strategy? My guess is that we’re headed that direction, but we’re not there yet. Next, is everything really connected to everything else? Just about everything is today, through the Internet. Next, is it technically feasible and affordable to avoid the unintended consequences? I’m not sure whether it is going to be possible to avoid unintended consequences. I just know it is something we must do.

    I think what happens in this business is almost every day a new cyberthreat develops. Those in charge of protecting our systems from cyberattack and their affiliates must try to implement as quickly as possible new defenses to meet these threats, in near-real time. Can America afford to not absolutely protect our critical infrastructures from cyberattacks? In the words of Lyndon Johnson, “I will do my best. That is all I can do.” My impression so far is that we are meeting the challenge. My personal experience is that my own laptop computer is free of these menaces. So I’m optimistic the country will spend the necessary resources to ensure we are protected. — Bob

  4. Dr. Beyster

    Al: Good to hear from you again, especially on the topic of cybersecurity. Happy to hear that General Chilton has taken an active interest in this program and has sponsored a Deterrence Symposium including countries such as Russia and China. We will need their cooperation in the future since so many of the cyberthreats originate in their countries. I would love to know what happened during the symposium and if you think progress is being made. I have been exchanging blog posts with Paul Strassmann who has written some very interesting articles on cybersecurity. My impression is that it is getting better, but there is a long way to go. — Bob
