It’s the evil them versus the inept us.
Today’s threats to U.S. national security range from the bloody reality of terrorist suicide bombers who kill and maim individuals to weapons of mass destruction that potentially hold many thousands at risk. The U.S. information infrastructure is a vital element of U.S. national security, but the design and management of software render its terminals, nodes and networks demonstrably vulnerable to malicious manipulation.
Opinions vary as to the source, scope and severity of the cyberthreat; who should lead the defense or be held accountable when systems fail; and how much authority a privacy-conscious citizenry will cede to government in any of these matters. These are some of the issues said to be thwarting a coordinated plan for shared public-private action in building a more resilient information infrastructure.
As for the government’s role, the Bill Clinton and George W. Bush administrations recognized their limited leverage over public/private systems and prudently opted to plead for partnerships in policing the information highway. Both administrations also pledged to lead by example by reducing vulnerabilities in federal information systems. However, the private sector has been reluctant to share data on cyberattacks with government, fearing that it would be mishandled to the detriment of business and privacy. Further, the goal of leadership has been undercut by the poor track records of federal agencies in reducing vulnerabilities—only five even bothered to take the first step of inventorying their technical assets (SIGNAL, August 2004, page 29).
The U.S. Congress has tried to spur corrective actions, but it enacted laws that lack incentives for owners to self-police their networks, and it failed to demand accountability or provide sanctions when they did not. Rep. Adam H. Putnam (R-FL) wants to amend the Clinger-Cohen Act to specifically include security in software buying decisions.
News media coverage has added heat without light to the discussion. Articles titled “cyberterrorism” routinely garner front-page coverage, while those on worms, viruses, phishing, spyware and Trojan horses must duke it out for a few column inches in the financial section.
As for the public, an apathetic user community tolerates the cyberthreat as an expensive but insurable nuisance. The deciding vote on software security is being cast in the marketplace by buyers who readily acknowledge a growing dependence on efficient automated information systems and who rush to purchase software that features the coolest backward-compatible functionality. Yet those same buyers either resist purchasing products that, however imperfect, do reduce system vulnerability, or they purchase such products and then mismanage them.
Industry’s role often is under fire. Federal policy is criticized because many believe that the software industry has manipulated the federal legislative and executive branches. Despite pleas of mea culpa from industry leaders and vows to reform, the software industry has deflected criticism of its faulty software by citing buyer preferences and by blaming security breaches on sloppy operating practices.
To date, the software industry has charted its own course opting for a strategy that favors maintenance of a competitive market position over product reliability and security. However, that policy now is being rethought. Reports from task forces of the National Cyber Security Partnership—a group of security technology experts, academics and business and government officials—call for improving security across the software development life cycle and propose that security be placed at the heart of the software design process.
Corporate indifference to the cyberthreat also is under fire. A Corporate Governance Task Force has challenged the user community to integrate information security governance into corporate governance, effectively making chief executive officers (CEOs)—rather than chief information officers (CIOs)—accountable for security.
Finally, a surprising blitz of ads from the organization Business Roundtable has demanded a balanced approach that reflects the shared responsibility of end users and suppliers.
A lack of agreement on threat sources and trends is yet another excuse for keeping cybersecurity fixes on the back burner. Business Week reported surveys showing that “for a third year in a row, attacks on computer networks have fallen.” This is the lowest level of reported unauthorized use of systems since 1999, due, in the view of one commentator, to “organizations becoming savvier about security.” Or, perhaps it is due to savvier reporting?
Don O’Neill of the Center for National Software Studies sees no lessening of cyberthreats. In an “Open Forum” column in the June 2004 issue of CrossTalk, he writes that both threat and vulnerability are increasing because of neglect by vendors in “product trustworthiness and inadequate user commitment in security readiness.” O’Neill faults “unwise legislation, inadequate public-private collaboration, a patchwork of government regulatory infrastructure, and the lack of business incentive practices.” He believes that the nation’s software infrastructure is fragile and that, when it is targeted by a competent, determined attacker, it might collapse.
The U.S. Department of Homeland Security also sees no diminution in threat. An April 2004 report by its Office of Inspector General, titled Progress and Challenges in Securing the Nation’s Cyberspace, finds that speed, virulence and maliciousness of cyberattacks and computer vulnerabilities have increased dramatically in recent years and that “industry experts agree that cyberterrorism … is one of the nation’s top five security threats and will likely remain so for years to come.”
Adding strident voice to alarms of cyberterrorism is Robert Cook, CEO of Sigaba, who notes sophistication by terrorists in using Internet tools. He says, “It’s not a stretch to believe the reports that al Qaida plans to use cyberterrorism as one of its tools.”
That terrorists value the power of information systems in furthering their agenda is not at issue. Daily they display skills in using Web sites, chat rooms and e-mail to transmit encrypted orders, transfer funds, recruit and train, plan and perform other vital management functions. But, beyond a suspicious pattern of probes on the Internet—which indeed could be a precursor of evil intent—a plausible rationale is yet to surface for terrorists intentionally damaging the very information infrastructure they depend on to command and control a dispersed and networked organization.
In fact, one commentator speculates that terrorist Web sites are so effective in exploiting the Internet for command and control of their cells and for reaching out to the hearts and minds of the Islam “street” that they now have become targets for U.S. military information operations.
The United States has been on heightened alert to a threat of cyberterrorism since September 11, 2001. This includes fears that attacks would cripple power systems, air traffic control, banking and communications. But security expert Bruce Schneier writes in his June 2004 Crypto-Gram, “The impending cyberwar was a big dud … caused,” he reasons, “by a misunderstanding of both the attackers and the attacks.” Schneier acknowledges an information infrastructure filled with vulnerabilities, “but not generally the kind that cause catastrophic disruptions.” Further, he argues that “attacks [on software-based systems] are very difficult to execute” because that infrastructure is filled with interactions that we simply do not understand ourselves.
Schneier claims that less than 1 percent of all attacks on the Internet have originated from countries on the U.S. government’s Cyber Terror Watch List, while 35 percent originated from inside the United States.
The insider threat is a significant cybersecurity menace. This recently was demonstrated by an employee theft of 92 million e-mail addresses from America Online. This prompted security expert Peter Neumann to comment on “this [insider] threat, which is largely ignored by the popular focus on hackers, spammers and others.”
Writing in The Washington Post about industry attempts to curb the insider threat, Jonathan Krim says, “Computers are so pervasive that almost any employee is a potential threat.” He adds that the extent of this threat is hard to measure because so much goes unreported and that “despite all of the new measures available, security experts say that companies remain woefully inattentive.”
The term “insider” can mislead. Contracts for much software—and especially that used for U.S. military systems—are being outsourced offshore. Consequently, a foreign “outsider” easily can become an insider. A May 2004 report by the Government Accountability Office found that “Defense Department acquisition and software security policies do not fully address the risk of using foreign suppliers to develop weapon system software.”
In his book Beyond Fear, Schneier says that people make security decisions based on perceived rather than actual risk. They underestimate risks they willingly take and overestimate risks in situations they cannot control. Schneier argues there is no single level of security applicable to all users. Instead, each consumer must determine an appropriate level for himself or herself, based on that person’s own threat and risk assessment, and then only after weighing tradeoffs to reach a comfort level. He suggests this approach to risk assessment:
• What assets are held so dear as to demand protection?
• How vulnerable are those assets and from what specific threat? Who is the feared attacker: an insider, journalist, vandal, competitor, criminal, hostile nation-state, nosy neighbor, curious adolescent? What is that attacker’s specific objective and what protective steps might deter intrusion or reduce losses if protection fails?
• What tradeoffs are available to raise security to the user’s comfort level? Tradeoffs could vary from the extremes of insuring or writing off losses to installing the most sophisticated detection, protection and restoration software. (However, not every cyberwayfarer has alternatives and tradeoffs. The U.S. armed forces, having opted to go light, mobile and wireless on a nonlinear battlefield, already have traded off mobilization and mass for overmatching power that depends, absolutely, on dominating the information domain.)
Some conclusions and supporting rationale can be sifted from this cacophony of conflicting opinion:
• The cyberthreat is increasing because information about “things” has come to equal or exceed the worth of physical possession of things. As Wayne Crews of the Cato Institute writes, “technology puts us at even more risk if physical things become too dependent on [information] technology.”
• Vulnerability will increase because digital technology creates subtle vulnerabilities that contain the seeds of catastrophic failures and because the user will either remain indifferent to the threat or prove incompetent in managing cascading system complexity.
• Emphasis on system interoperability and horizontal sharing of information through standards and open commercial technology, while necessary, inevitably will create what Schneier calls the growing risk of “class breaks”—that is because common systems share common vulnerabilities.
• While technology favors neither side, the defender always will be one step behind because he or she must defend all options while the adversary will be able to choose the time, target and tactic. However, having conceded this tactical advantage, the defender may find that growing system complexity also adds complication, uncertainty and the risk of unintended consequences to the plan of any adversary. How so? Because the weakest link now has become a moving target.
• The insider—including the privileged outsider—will remain the primary cyberthreat. As former Defense Department CIO Paul Strassmann cautioned more than a decade ago, “Don’t blame hackers for problems that can best be explained by incompetence.”
• Because the information infrastructure will remain fragile to determined attack and could collapse, emphasis also must be given to readiness, resilience, damage control and reconstitution.
• The case for cybersecurity is weakened when bonded to terrorists, to criminals, or even to potentially hostile rogue nations or nation-states. This coupling encourages preoccupation with “the evil them” whose identity is irrelevant to the erection of more effective defenses, rather than with “the inept us” where cooperation and collaboration can make a real difference in building a more secure information infrastructure.
Fortunately, consensus on threat is not a prerequisite for owners and operators to reduce vulnerabilities in their information systems. As Schneier reminds us, “the same countermeasures aimed at cyberterrorists will also prevent hackers and criminals. If organizations secure their computer networks for the wrong reasons, it will still be the right thing to do.”
Col. Alan D. Campen, USAF (Ret.), is a contributing editor to SIGNAL and the contributing editor of four books on information warfare and cyberwar.