Today I am posting the third and final part of my article on cybersecurity. Thank you for all your discussion and feedback on the first two parts. Your comments have been stimulating and informative. As the Internet becomes an even more pervasive part of our lives in the future, countering the threats to it will become an increasingly important task and will require more resources and attention. Last week’s resignation of Melissa Hathaway — the top White House cybersecurity aide — after the current administration’s ongoing delays in appointing a national cybersecurity coordinator leaves me wondering exactly who is leading this important effort.

Looking to the Future

The five threats mentioned in Part 1 of this article will continue to increase both at the governmental level and the commercial level and probably spread more widely across the globe. However, the threats won’t just spread geographically; they will also spread technologically. As the Internet continues to proliferate into new platforms, cybercriminals won’t be far behind. If you connect to the Internet, you cannot keep people out of your computer. There’s no way to guarantee perfect security for your own computers when they are connected to the public Net — even when you have invoked all the security systems present on your computer.

Take, for example, the idea of providing airline passengers with in-flight Internet service, the demand for which has been gaining momentum in recent years. American Airlines, Delta, and Virgin America now offer in-flight Wi-Fi Internet connections via a company by the name of Gogo. It’s not hard to imagine that people would be able to hack such systems and tap into an airplane’s onboard computers, gaining control of its flight and communications systems.

Today’s modern aircraft rely on computers to navigate — some even use digital fly-by-wire systems (which require computers to operate) to manipulate flight control surfaces such as rudders, ailerons, and elevators. Assuming the systems are electronically linked, it wouldn’t be an impossible task to jump from an in-flight Internet access port and into an in-flight computer system.

The potential threat in such a scenario is obvious — some aircraft could be turned into remotely controlled missiles by terrorists and used against our country or others 9/11-style, or simply crashed into the ground. Similarly, other computer-based transportation systems that run on networks with Internet access (such as IVHS — the intelligent vehicle highway systems that are envisioned to help keep traffic moving smoothly on busy freeways in the future) could be vulnerable as well.

The other big issue is the nature of the damage these people are really doing. On one hand, if they’re just hacking into websites to deface them, the net impact is relatively small. It’s mostly just an inconvenience for the organizations hosting the sites. However, if they’re stealing defense and intelligence secrets out of the Department of Defense and intelligence communities in the U.S., Great Britain, Germany, and so forth, that’s a major, major problem for the governments. And if they are able to penetrate and bring down certain corporate network capabilities, then there is a real potential disruption of commerce — a scenario that could be particularly damaging for corporations that are more and more dependent upon the Internet for commerce, including supply chains, personnel records, financial flows, and more.

Another doomsday scenario is where a state-sponsored terrorist group is sophisticated enough to shut down the New York Stock Exchange or the London Stock Exchange — or both together — for a day or a week or longer. The impact on the global economy could be catastrophic.

In December 2008, a government and technology industry panel on cybersecurity issued a report for the incoming Administration of President Barack Obama — Securing Cyberspace for the 44th Presidency — that among other things recommends widespread adoption of strong authentication within key infrastructures and phasing out of the use of passwords. Says Tom Kellermann, a member of the panel that issued the report, and vice president for security awareness, “We need to move away from passwords.”

The report made a variety of very specific recommendations to improve cybersecurity, including:

  • The United States should make strong authentication of identity, based on robust in-person proofing and thorough verification of devices, a mandatory requirement for critical cyber infrastructures (ICT, energy, finance, government services). The president should direct the NOC and appropriate agencies, using the federated regulatory model…and consulting with industry and the privacy and civil liberties community, to implement critical infrastructure authentication. The president should receive a report on progress within six months.
  • The United States should allow consumers to use strong government-issued credentials (or commercially issued credentials based on them) for online activities, consistent with protecting privacy and civil liberties.

Something clearly needs to be done. We’ve seen plenty of people — from the Russian mafia to Chinese state-sponsored cybercriminals — illegally pulling large amounts of money out of banking institutions. This is something nobody wants to talk about — it could potentially frighten customers — but many who work in that world know it’s a growing problem.

And what if there was a smart terrorist operation that had cyber capability — or that simply hired some really bad guys in the Russian mafia to do this, who coincidentally, from reports, have been deeply involved in cybercrime — to penetrate the computer networks of Saudi Aramco, the largest oil company in the world? Now, what if this group shut down Ras Tanura, which is the largest refinery in the world? Ras Tanura is almost completely computer controlled. When you stand and look out across the Persian Gulf from the facility, there are oil tankers lined up as far as you can see waiting to be filled up with oil. If they were able to gain control of the computers and shut down Ras Tanura, within two hours the world oil markets would react and there would be a crisis of a magnitude that would likely shake the financial community for quite some period of time.

Through a series of white papers on cybercrime and cyberterrorism, ARPANET pioneer Steve Lukasik is exploring possible ways to defend against attack. In his report Cyber Burglary, Lukasik outlined the following ten possible initiatives for defending against cyberattacks:

  • Identify and monitor attack teams. While the number of attacks is high, the number of skilled teams around the globe that field these attacks is limited. Each attack leaves a trail that can be pursued. According to Lukasik, it should be possible to manage many of these cases for further investigation.
  • Limit the extent of theft. If an attack against a machine can be detected, then it can be disconnected from the network.
  • Limit networking. The current default is for computers to be connected to networks, making them vulnerable to intrusion. The default should be flipped, says Lukasik, “…to require connection into networks to the result of an efficiency-risk analysis.”
  • Impose costs on attackers. Currently, there is no penalty for attackers when they fail — they just try again somewhere else. However, if there was some way to “shoot back” at the attackers, then the number of attacks would decrease.
  • Increase the density of early warning sensors. The power of volunteer watchers can be leveraged — much in the same way as are ham radio operators and volunteer firefighters — to monitor attacks and report them to authorities.
  • Make failure to install security patches a civil offense. Much as our modern society requires routine childhood vaccination against a whole host of serious diseases, so too should we require computer users to keep the software security patches on their machines up to date. According to Lukasik, there are documented cases where software vendors alert users to vulnerabilities in their products, and attackers immediately exploit this newly publicized vulnerability while users neglect installing the patch.
  • Maintain instantaneous awareness of information assets. Users must understand and know what software and processes are running within their computers at any given time, why they are running, and if they are being used legitimately.
  • Manage trust and distrust. Says Lukasik, “…we end up putting far more trust in systems and fellow users than is justified by practical experience.” In reality, there are many cybercriminals for whom dishonesty is simply a cost of doing business, and trust in the good of fellow users should not be assumed.
  • Practice defensive design. Just as military systems and equipment are designed to withstand enemy attempts to destroy them or their operators, so too should computer systems be designed to withstand the concerted attack of dedicated and smart adversaries. This may require a complete rethinking of how computers, software, and networks are designed.
  • Provide appreciation of the power of information technology. The power of computing has been democratized, providing a clear and compelling social good. However, the downside of this democratization is that people are not instructed about the power that they wield, and they treat passwords, keys, and other protective measures too casually. People need to be given an appreciation of just how much power they wield, and the need to protect it from attack.

Conclusion

The unprecedented growth of the Internet has led to a series of cybersecurity threats which have been underestimated. Unfortunately, business, government, and individual users have been slow to realize the extent and magnitude of these threats, and the potential future threats posed.

Penetration of government data poses major threats to national and economic security as governments begin to increasingly rely on the Internet and related networks for daily operations. As global business relies more and more on the Internet for billions of dollars of global commerce, daily communication with its workforce, and numerous critical functions integral to business operations, the potential for serious consequences grows.

Governments, businesses, and individuals must be vigilant and proactively step up their security efforts now.


4 Responses to “The Cybersecurity Challenge: Vigilance and Defense”

  1. Blake Escudier

    Bob,
    This is of course the tip of the iceberg – from this segment I conclude that no transactions of critical information or financial information should be conducted through the internet – if you don’t want the chance for it to be stolen and possibly misused later on.

    No system that is considered critical should be connected to the internet – thus the system should be a closed system – thus no person can remotely connect into the system ie. no telecommuting etc.

    So here is the problem – all critical systems should be closed systems – no one can interact unless they were inside – internal workers who manage electronic systems must be logged on through DNA or some other rigid access control path.

    While this would be okay for organizations that can afford such high security controls – this does nothing for the Billion plus people in the world who want to check their bank balance online – or who want to purchase a gift online using a credit card. Or the business owner who purchases supplies online using a credit card. General online commerce is open for theft and criminal activity. How can this open system be better managed – if the onus is placed on the general user – you are asking the impossible as the “scratch and sniff” society is ignorant of technology. Ignorance is bliss for the knowledgeable – just ask any politician on how they get votes.

    If you place a hot apple pie on the windowsill and a hungry person walks by and sees the pie – the only thing that may stop this person from taking the pie would be the fear of what may happen to them if caught.

    With the internet – this hungry person may not be within the same legal jurisdiction as the location of the pie – thus there would be no fear at all.

    I strongly believe that a secure internet is priority #1 for America – much more important than health care insurance and immigration – yet too many people are ignorant of the criminal possibilities and the political clout is going towards programs that people can see and relate. I believe that the US Congress should be moved towards more punishment for criminal internet activity – and should push for international liabilities for countries that allow cyber criminals to operate – the US should use technology as an economic weapon to fight cybercriminals in countries that ignore the Rights of US Citizens to be protected.

    I like apple pie – but I’ll buy mine in a store and pay cash – yet I should feel secure if I purchased one online and used a credit card. That is a Right of being a US Citizen and I would expect our US Congress to make laws and use force to help protect this right.

    How’s this for a stand on the issue?

  2. Dr. Beyster

    Blake: I read your blog input and you seem to be very much on top of the problem. I have a hard time understanding why we haven’t made more progress over the past 10 years in Internet security. It sounds like the same problems exist today as existed 5 or 6 years ago. I hope progress has been made, but from what I read here and elsewhere, I’m not sure. What do you think? — Bob

  3. Blake Escudier

    The key with security is secrecy – not many new developments are going to be known by the general public – and if not within the industry itself – little can be known about developments.

    I too would hope the “Experts” are doing something positive – rather than just management of systems. There is a philosophy that can occur – “if it ain’t broke don’t fix it” – while this is usually due to a lack of leadership – which is needed to promote and support entrepreneurship within government and large organizations. If the politicians don’t have the knowledge to lead towards growth and improvement – and are only protectionists – few true solutions will be found. (think of this – would there have been a nuclear navy had Rickover not been involved?)

    Security is a perception – I remember walking onto a plane directly after getting my ticket from the counter. But then I also remember being told in MBA classes about the need for competitive advantages, knowing your competition – and corporate espionage.

    The US has felt very secure for a few generations and we are a trusting society – believing that people are or want to be good. Any company or government institution that has something someone else wants – they will be subjected to having it accessed or stolen. Or just “botched” so the competition can take an advantage.

    I believe the answer is in leadership – and because many government workers are risk averse – not much gets done. Most protect turf rather than take development risks – One program that helps a little is the SBIR – where government programs can allow independent companies to attempt research – but the program needs expansion.
    Blake

  4. Dr. Beyster

    Blake: I beg to differ with you. I agree that government workers are risk averse. But I also think that in any government organization there are employees who are quite entrepreneurial and who want to get things done. A lot of what the government does is good. Presently I’m pleased with the Administration and the fact it is taking on the big elephants like healthcare. You mentioned that you think the SBIR program is a good thing. I couldn’t agree more. I am familiar with the DARPA SBIR program. It has been responsible for many important discoveries. — Bob

