Cyberwarfare Looms Large in Information Systems
The digital realm may host key battles in coming conflicts.
Then-Secretary of Homeland Security Michael Chertoff gives a keynote address at the AFCEA Solutions Cyberspace conference, held in Washington, D.C., in December.
Cyberspace, the virtual domain existing within the chips and wires of computer networks, may be the front line of the next big battle. A clash there may not be decisive, but it could be over in less than a second. As to whether the
This was the prevailing consensus at AFCEA’s Solutions conference on cyberspace, held at the
Another notable characteristic of cyberspace, Hollis said, is the dominance of the offense over the defense. “In cyber, offense is cheap and easy, and defense is tough and expensive,” he shared. Attackers do not even need to write their own code—downloadable freeware and shareware are there for the taking. Defense is not enough, he concluded. “You’ve got to integrate exploitation and offense into the package, and you may have to incorporate kinetic, i.e., real-world attacks,” he said.
Cyberspace also is the only warfighting domain susceptible to weapons designed at home by talented teenagers, Hollis warned. But the attacker’s profile is changing. In the last five years, the offense has moved from ego-driven attacks to assaults motivated by politics and profit as well as by prestige, said Josh Corman, a principal security strategist with IBM.
“Control of cyberspace may well be as decisive in the early- and mid-21st century as control of the air was for most of the 20th century,” asserted Daniel Kuehl, a professor at the
Gordon England, deputy secretary of defense, warns of the ubiquity of cyberspace weapons during his keynote address.
Modern militaries and societies rely on enormous databases to conduct their daily operations, Kuehl said. If that data becomes unreliable, the result is chaos. Cyberattackers need weapons of “precision disruption,” not mass destruction. “We cannot afford to lose this battle,” even though it may last only a matter of microseconds, hours or days, he noted.
Despite the aura of the fantastic that surrounds this subject, cyberwarfare is not science fiction.
Cyberattacks can occur on many levels—ranging from the individual to the group to the nation-state. Chertoff cited a criminal ring apparently responsible for stealing 140 million credit card numbers. They captured the numbers as they were transmitted over a wireless network between major retailers.
Panelists in a Solutions town hall session are (l-r) John Grimes, assistant secretary of defense for networks and information integration (ASD NII); Bob Lentz, deputy assistant secretary of defense for information and identity assurance; Vice Adm. Nancy Brown, USN, J-6, the Joint Staff; and David M. Wennergren, deputy assistant secretary of defense for information management and technology.
In response to the perceived threat, the Bush administration launched the Comprehensive National Cyber Initiative (CNCI) in 2008. This initiative envisions “integrating all the tools and capabilities of national power,” Chertoff said, to make them available to the government domains and potentially to share them “in a somewhat refined form” with the private sector.
Chertoff and other speakers emphasized the importance of partnership between government and the private sector. The DHS chief, however, stressed the government’s sensitivity to privacy and civil liberty issues. The government is not looking to form a “massive federal presence sitting on the Internet,” he said.
The mechanism for cooperation with the private sector already exists, he shared, citing the sector coordinating councils that have been created under the National Infrastructure Protection Plan. He predicted “strong acceptance” of a partnership by the private sector but described the relationship as one to be handled with a “great deal of delicacy.” He suggested that government could play the role of the “enabler,” helping the private sector choose “performance standards.”
But Chertoff stated that the first priority is getting the government’s own house in order. The federal government’s civilian domains, for example, have had “literally thousands of points of access to the Internet,” a number that needs to be reduced in order to get a handle on the traffic coming in and out. According to Hathaway, the number of trusted public Internet connections in the federal .gov space at one point was more than 8,000. After a house cleaning effort, that number is now down to 2,700, she said, with an eventual target of fewer than 100. In the last decade, the .mil domain was similarly rationalized, reducing Internet access points from thousands to dozens.
Where attribution is difficult to determine, automatic massive cyberretaliation similar to Cold War nuclear deterrence may not be advisable. An instantaneous attack-back methodology built into computers could set up fratricides that could take everybody down, Hollis warned.
One improvement would be more realistic training, Kuehl suggested. “A lot of exercises include the cyber aspect up to the point where it starts to be painful,” he said. So it may be important to let a network exercise collapse in order to make the point.
Another area touched on by many speakers is the need for a well-trained work force to defend
Cyberoperations and adversary motivations are discussed in a panel featuring (l-r) Professor Daniel Kuehl, National Defense University; Doug Chabot, vice president, principal solutions architect, Qinetiq North America; Josh Corman, principal security strategist, IBM; and David Hollis, senior cyberspace and information assurance program manager, ASD NII.
Although it often does not grab headlines, the insider threat still is a major issue. Insider attacks are up more than 52 percent, according to Hathaway. Intrusion detection systems, intrusion prevention systems and firewalls are designed to look at the threat from the outside coming in rather than from the inside going out.
On the technology front, there has been insufficient emphasis on detecting anomalous behavior, she said. Signature- and behavior-based technology has not kept pace because “we have never looked at information as a strategic asset.”
Hathaway also underscored the necessity to understand and deal with the risks that may be introduced through the supply chain. She argued that the way to do this is through a public-private partnership. The government needs to understand “when somebody is starting to manipulate [the supply chain],” she said, and make decisions that are right from a security standpoint but that are not a “point defense” or harmful to industrial competitiveness.
Photography by Michael Carpenter
A New Cyberthreat Is Underestimated
One area that does not seem to be in the crosshairs of cyberwarriors involves botnets, the million-strong networks of “zombie” computers hijacked from their unwitting owners through malware spread by e-mail spam. Run by faceless criminals, these mechanical attackers also rake in revenues in the millions of dollars a year from e-mail “product” sales, fraud and identity theft.
Although the infamous Storm botnet attack peaked in 2007, the security industry still lacks adequate defense mechanisms against botnets, claimed Josh Corman, a principal security strategist with IBM. The root cause of this inertia is that the security community is “looking at technology, not motives,” he argued.
Storm cleverly avoided retaliation by attacking consumers, not corporations, Corman said. The innocent, PC-buying public is not an interest group; it cannot make waves. Thus cyberpredators continue to make a killing by “targeting the part of the market we just don’t care about,” Corman explained.
He described botnets as a “sleeping giant—a potential weapon of mass destruction.” Corman said he often is asked what the biggest security threats are. “It’s the leper colony,” as he termed the hijacked consumer population, “that has the most computational power [and that represents] the most risk to our infrastructure.” Although botnets today are used primarily to generate revenue, he said that the political aspects of these threats should not be ignored.
Today’s signature antivirus software is not the answer, Corman warned. It is “antiquated defense technology” predicated on the idea that someone is “going to write a single executable to infect millions of PCs.” But the threat has shifted from the old, ego-driven style of attack, he argued. For one thing, it does not work. “Once a few victims have fallen, you can gather a sample [of the code] and inoculate the masses,” he said, whereas the smart, “for-profit” attacker will “write one virus for one target—one shot, one kill.” This enemy will infect a pharmaceutical company, for example, and extract ransom. The security community needs to realize these trends and take appropriate action, he asserted.