Protecting the Nation's Critical Infrastructure from Cyber Attack
Even a dynamic process can be influenced by government action.
While a more secure cyberspace will emerge through an evolutionary process, the U.S. government must take immediate action to influence the rate of change. With a series of government actions, the nation can simultaneously address the increasing sophistication of cyberthreats and impediments to public-private information sharing.
U.S. society and the economy rely on the nation’s critical infrastructure. Recognizing the importance of these essential services and the growing threat of cyber attack, two presidential administrations have prioritized efforts to secure cyberspace. The resulting government-led initiatives captured the attention of industry, the media and the world. Yet, despite recognition and significant effort, cybersecurity remains an elusive goal.
The primary reasons for the lack of progress related to critical infrastructure are the increasingly sophisticated cyberthreats and an inability to establish effective public-private information sharing. Regardless of the growing risk, a more secure cyberspace is possible. Cyberspace is the creation of humankind, and humankind possesses the ability to create a more secure future by harnessing the lessons of past oversight and omission. An evolutionary process, this will take vigilance, time and continual assessment.
Recognizing the country’s increasing reliance on technology and growing security threats in cyberspace, President George W. Bush issued “The National Strategy to Secure Cyberspace” in 2003. This strategy committed to defending the nation’s critical infrastructure to protect the people, economy and security of the United States. It also highlighted the importance of a public-private partnership, describing this cooperative approach as the cornerstone for success. Demonstrating an enduring commitment to this priority, President Barack Obama described cybersecurity among the country’s most serious economic and security challenges, acknowledged the inadequacy of current defenses and pledged to build on efforts initiated by the prior administration.
President Bush identified the Department of Homeland Security (DHS) as the federal center of excellence for cybersecurity. President Obama further defined its responsibilities related to critical infrastructure security and resilience to include providing strategic guidance, promoting a national unity of effort and coordinating the overall federal response.
Unfortunately, progress to date does not adequately mitigate, deter or prevent the most sophisticated cyberthreats. Because the nation’s critical infrastructure remains susceptible to cyber attack, the federal government must do more to accelerate the remediation of cyber vulnerabilities.
First, the U.S. government must provide financial incentives to promote programs that accelerate the identification and remediation of zero-day vulnerabilities. The cyber equivalent of invisibility, the term “zero-day” describes vulnerabilities unknown to the public. In this case, the DHS and the Defense Department jointly must define the highest priority risks and provide funding to establish a government-sponsored vulnerability purchase program. Additionally, the DHS must develop mechanisms to encourage vendors to respond to disclosed vulnerabilities in a timely manner. One option involves creating a cybersecurity scorecard for information technology vendors. Vendors with fewer vulnerabilities and a more rapid response would receive higher ratings. Those responsible for purchasing information technology solutions within critical infrastructure industries could use these ratings to avoid less secure products.
The U.S. government also must review current security classification standards related to cybersecurity and prioritize disclosure to those who can mitigate issues and those vulnerable to exploitation. Specifically, the DHS must develop updated classification guidelines to maximize the ability to share information within the critical infrastructure community. The department must also engage the Defense Department to ensure the consistent application of revised classification guidelines. Additionally, the DHS must establish mandatory cybersecurity reporting guidelines. To ensure maximum compliance, the process must permit anonymous reporting. Finally, the DHS must provide timely updates to the critical infrastructure community regarding reported incidents along with detection and response recommendations.
With everyone’s personal lives digitally connected in ways considered impossible just a few years ago, critical infrastructure becomes more integrated with emerging automation. Driven by the benefits of performance, efficiency and cost, this integration also creates an increasingly valuable target for those attempting to disrupt the society, economy and security of the United States. To seize on this opportunity, foreign governments, extremist groups and criminal organizations are dedicating tremendous resources to develop sophisticated cyber weapons that exploit unknown vulnerabilities.
Upon disclosure of a weakness, the cybersecurity community can develop a defensive capability. Until then, those with knowledge of the vulnerability possess supreme power, able to develop exploits and conduct attacks without concern of detection. In the past, governments maintained a zero-day monopoly. The situation today is very different.
In 2005, as the Defense Department expanded efforts related to cyberwarfare, many companies emerged offering offensive cyber capabilities. Participants in this new and lucrative market include Vupen, Montpellier, France; Netragard, Acton, Massachusetts; Exodus Intelligence, Austin, Texas; Endgame, Arlington, Virginia; and ReVuln, Malta. Not surprising, these vendors do not disclose the identity of their clients but acknowledge that some of the largest customers are government agencies. Internationally, the largest investors include Israel, Britain, Russia, India and Brazil. Additionally, North Korea, Malaysia, Singapore and many Middle East intelligence services purchase information related to computer vulnerabilities.
Currently, many zero-day vendors can supply more than 100 exploits per year at an approximate cost of $40,000 to $160,000 each. Vupen customers pay a $100,000 subscription fee to view the catalog of available exploits, which they must purchase separately. Netragard’s exploit acquisition program doubled in the last three years, with rates of security flaws ranging between $35,000 and $160,000. A former director of the National Security Agency (NSA) supports the startup Endgame, which sells vulnerability information primarily to the U.S. government. ReVuln specializes in critical infrastructure targeting industrial control systems.
iDefense created the Vulnerability Contributor Program (VCP) in 2002. Three years later, TippingPoint launched the Zero Day Initiative (ZDI). The purpose of both programs is to purchase vulnerability information before public disclosure, permitting vendors an opportunity to resolve the problem. With the intent of improving the safety of cyberspace, both programs established ethical standards. Unable to resell vulnerabilities to the highest bidder, these programs cannot pay contributors a prevailing market rate. As a result, it is possible that vulnerabilities reported though these purchase programs represent the tip of the iceberg.
Even so, their results demonstrate the magnitude of the problem. As of September 2013, VPC and ZDI collectively had purchased 2,393 vulnerabilities since their inception. The average duration from vulnerability purchase to public disclosure is 133 days for VCP and 174 days for ZDI. A 2012 study by Symantec Research Labs found that zero-day exploits exist for an average of 312 days and as long as 30 months before public disclosure. This study also found that after public disclosure, the volume of related attacks increased by up to five orders of magnitude. Vendors with the most vulnerabilities identified through the VCP and ZDI programs include Microsoft, Apple, HP, Adobe and Oracle. These vendors’ products include the operating systems, databases, office automation software and management utilities that run on nearly every computer and a large percentage of industrial control systems.
To address the issue of zero-day vulnerabilities, some vendors established “bug bounty programs” to purchase information before public disclosure or sale on the black market. Over a three-year period, Google paid $580,000 for 501 vulnerabilities in the Chrome Web browser. During the same time, Mozilla paid $570,000 for 190 vulnerabilities in its competing Web browser, Firefox. Facebook paid approximately $1 million since creation of the program in 2011. In June 2013, Microsoft, after years of resisting such an approach, established a formal program, paying more than $250,000 to date. The recent growth of these programs suggests the approach represents the best option for quickly and discretely addressing vulnerabilities.
President Bush stated that to build a more secure future in cyberspace, public and private organizations must act together. The importance of developing robust information-sharing capabilities endures as a fundamental priority for President Obama’s administration. This commitment led to the creation of numerous information-sharing forums, including the Information Sharing and Analysis Centers (ISACs), the National Cybersecurity and Communications Integration Center (NCCIC) and the U.S. Computer Emergency Response Team (US-CERT). In addition to these information-sharing forums, the FBI established InfraGard, which brings together representatives from business, academia and state and local law enforcement agencies along with other interested parties to prevent hostile acts against the United States. In recent years, additional nonprofit entities emerged, such as the Advanced Cyber Security Center (ACSC), which promotes cybersecurity research and development, education and thought leadership throughout New England. Those seeking to engage in dialogue related to cybersecurity have many options.
Although sufficient quantity exists, the quality of information sharing falls well below the intended goal. Information exchanged with the DHS and other government agencies frequently is outdated or too generic in nature for use by participating members. In other cases, information shared by the DHS is overclassified, preventing disclosure to the private sector. Efforts to place members of the information technology ISAC (IT-ISAC) on the floor of the NCCIC failed because of various legal issues. Despite these challenges, private industry continues to seek government assistance on detecting a compromise. For example, more than 40 percent of those supporting supervisory control and data acquisition (SCADA) systems acknowledge reporting issues to an appropriate government agency. While this represents an essential step in the right direction, changes are necessary to eliminate remaining barriers to information sharing.
In an effort to address information-sharing challenges, specifically security classification, the DHS established the Enhanced Cybersecurity Services (ECS). The purpose of the ECS is to expand the number of companies that receive classified information related to real or potential threats. This program emerged following a successful pilot known as the Defense Industrial Base (DIB) Pilot, which enabled classified information sharing with several Internet service providers.
Although more than 50 companies initially expressed interest in the ECS, not one joined the program. The cost associated with building a classified network and legal issues rank among the most significant roadblocks affecting enrollment. The DHS notes much better progress with unclassified programs, although the sharing of information is predominately one-way, initiated by the government.
Despite presidential recognition that the future of cybersecurity depends upon public-private information sharing, many bureaucratic challenges impede progress. Organizations resist sharing threat information to protect their reputations. Unless convinced that disclosures are anonymous, this hesitation will continue.
Consider public health, where the issue of privacy is paramount—that is, until a patient seeks medical attention for a rare and dangerous illness. In such a case, reporting is mandatory and public safety supersedes patient privacy. Cybersecurity needs a similar process to report the most dangerous threats.
The solution to the security of our critical infrastructure is collective defense. We must improve our ability to tap into the experience and knowledge of all interested parties.
Lt. Col. William A. Barnes, USMC, is a cyber planner assigned to Marine Forces Cyberspace Command in Fort Meade, Maryland. This article is an excerpt from independent research conducted as a member of the Gravely Naval Warfare Research Group, and a version of it received first prize in the AFCEA-sponsored C4ISR Essay Competition at the Naval War College.
Earlier this year, US-CERT issued Technical Advisories TA14-098A and TA14-268A regarding the widely publicized “Heartbleed” and “Shellshock” vulnerabilities, both of which have broad security implications for the public and private sectors.