Today I am posting the third and final part of my article on cybersecurity. Thank you for all your discussion and feedback on the first two parts. Your comments have been stimulating and informative. As the Internet becomes an even more pervasive part of our lives in the future, countering the threats to it will become an increasingly important task and will require more resources and attention. Last week’s resignation of Melissa Hathaway — the top White House cybersecurity aide — after the current administration’s ongoing delays in appointing a national cybersecurity coordinator leaves me wondering exactly who is leading this important effort.
Looking to the Future
The five threats mentioned in Part 1 of this article will continue to increase both at the governmental level and the commercial level and probably spread more widely across the globe. However, the threats won’t just spread geographically, they will spread technologically. As the Internet continues to proliferate into new platforms, cybercriminals won’t be far behind. If you connect to the Internet, you cannot keep people out of your computer. There’s no way to guarantee perfect security for your own computers when they are connected to the public Net — even when you have invoked all the security systems present on your computer.
Take, for example, the idea of providing airline passengers with in-flight Internet service, the demand for which has been gaining momentum in recent years. American Airlines, Delta, and Virgin America now offer in-flight Wi-Fi Internet connections via a company by the name of Gogo. It’s not hard to imagine that people would be able to hack such systems and tap into an airplane’s onboard computers, gaining control of its flight and communications systems.
Today’s modern aircraft rely on computers to navigate — some even use digital fly-by-wire systems (which require computers to operate) to manipulate flight control surfaces such as rudders, ailerons, and elevators. Assuming the systems are electronically linked, it wouldn’t be an impossible task to jump from an in-flight Internet access port and into an in-flight computer system.
The potential threat in such a scenario is obvious — some aircraft could be turned into remotely controlled missiles by terrorists and used against our country or others 9/11-style, or simply crashed into the ground. Similarly, other computer-based transportation systems that run on networks with Internet access (such as IVHS — the intelligent vehicle highway systems that are envisioned to help keep traffic moving smoothly on busy freeways in the future) could be vulnerable as well.
The other big issue is the nature of the damage these people are really doing. On one hand, if they’re just hacking into websites to deface them, the net impact is relatively small. It’s mostly just an inconvenience for the organizations hosting the sites. However, if they’re stealing defense and intelligence secrets out of the Department of Defense and intelligence communities in the U.S., Great Britain, Germany, and so forth, that’s a major, major problem for the governments. And if they are able to penetrate and bring down certain corporate network capabilities, then there is a real potential disruption of commerce — a scenario that could be particularly damaging for corporations that are more and more dependent upon the Internet for commerce, including supply chains, personnel records, financial flows, and more.
Another doomsday scenario is where a state-sponsored terrorist group is sophisticated enough to shut down the New York Stock Exchange or the London Stock Exchange — or both together — for a day or a week or longer. The impact on the global economy could be catastrophic.
In December 2008, a government and technology industry panel on cybersecurity issued a report for the incoming Administration of President Barack Obama — Securing Cyberspace for the 44th Presidency — that among other things recommends widespread adoption of strong authentication within key infrastructures and phasing out of the use of passwords. Says Tom Kellermann, a member of the panel that issued the report, and vice president for security awareness, “We need to move away from passwords.”
The report made a variety of very specific recommendations to improve cybersecurity, including:
- The United States should make strong authentication of identity, based on robust in-person proofing and thorough verification of devices, a mandatory requirement for critical cyber infrastructures (ICT, energy, finance, government services). The president should direct the NOC and appropriate agencies, using the federated regulatory model…and consulting with industry and the privacy and civil liberties community, to implement critical infrastructure authentication. The president should receive a report on progress within six months.
- The United States should allow consumers to use strong government-issued credentials (or commercially issued credentials based on them) for online activities, consistent with protecting privacy and civil liberties.
Something clearly needs to be done. We’ve seen plenty of people — from the Russian mafia to Chinese state-sponsored cybercriminals — illegally pulling large amounts of money out of banking institutions. This is something nobody wants to talk about — it could potentially frighten customers — but many who work in that world know it’s a growing problem.
And what if there was a smart terrorist operation that had cyber capability — or that simply hired some really bad guys in the Russian mafia to do this, who coincidentally have been deeply involved from reports in cybercrime — to penetrate the computer networks of Saudi Aramco, the largest oil company in the world? Now, what if this group shut down Ras Tanura, which is the largest refinery in the world? Ras Tanura is almost completely computer controlled. When you stand and look out across the Persian Gulf from the facility, there are oil tankers lined up as far as you can see waiting to be filled up with oil. If they were able to gain control of the computers and shut down Ras Tanura, within two hours the world oil markets would react and there would be a crisis of a magnitude that would likely shake the financial community for quite some period of time.
Through a series of white papers on cybercrime and cyberterrorism, ARPANET pioneer Steve Lukasik is exploring possible ways to defend against attack. In his report Cyber Burglary, Lukasik outlined the following ten possible initiatives for defending against cyberattacks:
- Identify and monitor attack teams. While the number of attacks is high, the number of skilled teams around the globe that field these attacks is limited. Each attack leaves a trail that can be pursued. According to Lukasik, it should be possible to manage many of these cases for further investigation.
- Limit the extent of theft. If an attack against a machine can be detected, then it can be disconnected from the network.
- Limit networking. The current default is for computers to be connected to networks, making them vulnerable to intrusion. The default should be flipped, says Lukasik, “…to require connection into networks to the result of an efficiency-risk analysis.”
- Impose costs on attackers. Currently, there is no penalty for attackers when they fail — they just try again somewhere else. However, if there was some way to “shoot back” at the attackers, then the number of attacks would decrease.
- Increase the density of early warning sensors. The power of volunteer watchers can be leveraged — much in the same way as are ham radio operators and volunteer firefighters — to monitor attacks and report them to authorities.
- Make failure to install security patches a civil offense. Much as our modern society requires routine childhood vaccination against a whole host of serious diseases, so too should we require computer users to keep the software security patches on their machines up to date. According to Lukasik, there are documented cases where software vendors alert users to vulnerabilities in their products, and attackers immediately exploit this newly publicized vulnerability while users neglect installing the patch.
- Maintain instantaneous awareness of information assets. Users must understand and know what software and processes are running within their computers at any given time, why they are running, and if they are being used legitimately.
- Manage trust and distrust. Says Lukasik, “…we end up putting far more trust in systems and fellow users than is justified by practical experience.” In reality, there are many cybercriminals for whom dishonesty is simply a cost of doing business, and trust in the good of fellow users should not be assumed.
- Practice defensive design. Just as military systems and equipment are designed to withstand enemy attempts to destroy them or their operators, so too should computer systems be designed to withstand the concerted attack of dedicated and smart adversaries. This may require a complete rethinking of how computers, software, and networks are designed.
- Provide appreciation of the power of information technology. The power of computing has been democratized, providing a clear and compelling social good. However, the downside of this democratization is that people are not instructed about the power that they wield, and they treat passwords, keys, and other protective measures too casually. People need to be given an appreciation of just how much power they wield, and the need to protect it from attack.
The unprecedented growth of the Internet has led to a series of cybersecurity threats which have been underestimated. Unfortunately, business, government, and individual users have been slow to realize the extent of threats, the magnitude of threats, and the potential future threats posed.
Penetration of government data poses major threats to national and economic security as governments begin to increasingly rely on the Internet and related networks for daily operations. As global business relies more and more on the Internet for billions of dollars of global commerce, daily communication with its workforce, and numerous critical functions integral to business operations, the potential for serious consequences grows.
Governments, businesses, and individuals must be vigilant and proactively step up their security efforts now.