Threats Imperil The Entire U.S. Infostructure

July 2009
By Robert K. Ackerman

 
From the military to the economy, the country is open to vast damage.

Information security has not kept up with information exploitation as the United States fully embraced the information age. The greater reliance on information systems across the entire breadth of government, military and civilian activities has opened the nation to cyberattacks on its military systems, its vital infrastructure and its economy as a whole.

Cybercrime is leading the way among threats to networks, but cyberespionage is increasing in both number and effect. And, cyberattacks have picked up to the point where entire nations have seen their infosphere crippled by online marauders.

Some experts offer that the threat to the economy from criminals alone—hostile nation-states excluded—could be enough to make the global shock waves of the recent credit collapse pale in comparison. The economic downturn itself is contributing to the problem, as information security spending often is among the first budget items that organizations cut in hard times. This presents a classic chicken-and-egg paradigm—fewer resources for security can lead to greater potential economic losses.

Lt. Gen. Harry D. Raduege Jr., USAF (Ret.), chairman of the Deloitte Center for Network Innovation, describes cybersecurity as a major national security issue for the United States. It is pervasive across traditional security, health care, energy, education, and personal and international finance. He says cybersecurity is a key operational area of each of those major areas of emphasis.

Change must take place if the United States is to meet cybersecurity needs. “Overall, the greatest threat to information security today is for us to be continuing down the same path we’ve been on and somehow expect dramatically different results in the future,” says Gen. Raduege, who also served as the co-chair of the Center for Strategic and International Studies (CSIS) Commission on Cyber Security for the 44th Presidency. He declares that the United States today is “in a catch-up mode” as the threats and their corresponding risk are considerably greater than five years ago.

Just the past 18 to 24 months have seen exponential growth in cybercrime. Ironically, the threat to the military has not changed dramatically, Gen. Raduege offers. “What has probably changed the most is our awareness level,” he says. Senior leaders throughout the military, interagency, legislative and executive branches understand the implications for national and economic security.

Marcus H. Sachs, director of the SANS Internet Storm Center, says that the threat has evolved markedly over the past three decades. The 1980s were characterized by people motivated largely by academic curiosity. The 1990s featured young hobbyists exploring how they could penetrate computer systems as a way of seeking recognition. The criminal element has dominated this past decade, and the coming decade’s threat may be shaping up to be anchored on espionage, although other threats may emerge.

One of the biggest potential consequences of information security failure is for people to lose trust in the networks, Sachs charges. The concept of trust that formally began with a handshake now must extend through networks riddled with thieves and spies. The information-age revolution that has helped increase prosperity everywhere it touches could become derailed if people no longer trust the networks. “If the trust model doesn’t work, we can be as hyperconnected as we want and nobody will use it,” he says. “We have to take measures today that, as we continue building and connecting, we understand that the single biggest threat is the erosion of people’s trust in the resiliency and security of the networks.”

Gen. Raduege defines three specific operational areas: cybercrime; cyberthreats and espionage; and cyberattack. Cybercrime actually has become more profitable to international criminals than drug trafficking, he allows. The risk is lower, and the potential payout is greater. It is becoming a syndicated global criminal operation, and it is intensifying with the economic downturn and “the lucrative target-rich environment” that the criminals find attractive, he adds.

In the United States alone, cybercrime is up more than 50 percent. One in five of U.S. online consumers has become a victim of cybercrime over the past two years. The cost of cybercrime to U.S. consumers last year is estimated to be $8 billion. More than a quarter of a million identities of U.S. citizens have been stolen over the past few years.

In 2008, more than $1 trillion worth of data was lost to cyberespionage, an amount Gen. Raduege describes as “staggering.” It includes what used to be described as industrial espionage, but in this case it also encompasses intellectual property as well as trade secrets. All trends point to this amount increasing, which ultimately will pose a threat to the very nature of Western economies. The United States in particular has built its world-leading economy around innovation, and theft of the years of expensive research and development that generates this intellectual property weakens U.S. competitiveness.

“When we’re developing so much, and where we have been leaders in this kind of innovation, when someone else sits back and steals it from you there is cause for real concern” about the economy, Gen. Raduege declares.

That espionage can have traditional national security implications. Sachs observes that because the Internet provides such a fast pipe, countries find it easier and less costly to leverage that pipe to obtain valuable information. “It is cheaper to connect to someone’s machine from thousands of miles away than to send an agent to try to turn a friendly to give over information,” he says.

And this problem is likely to worsen as “smart” devices increase in popularity. Future innovations such as smart cars, smart homes and the smart grid that increase interconnectivity will expose the country even more to the worst of cybermarauders and disruptions. “The more we ‘smart’ ourselves, the more vulnerable we become to our adversaries who want to take advantage of that highly connected world to do whatever it is they want to do to us,” Sachs posits.

Sachs goes on to say that the economic sides of cybercrime and cyberespionage are one and the same. In some cases, the groups that commit network intrusions might be paid by a criminal group or by an espionage organization—the skill set and tasking are the same. Immediately after the September 11, 2001, attacks, most security experts were focusing on the terrorism threat to networks. Accordingly, they missed the development of large-scale cybercrime. In early 2004, phishing took off and took the experts by surprise. All the signs were there, he relates, but no one knew how to read them.

Cyberattack rapidly is gaining traction as an effective means of warfare. Gen. Raduege cites cyberattacks on Chechnya in 2002, Estonia in 2007 (see page 33), Georgia in 2008 and Kyrgyzstan in early 2009 as examples that cause great concern among security experts. The jury is still out among experts on whether any of those were organized by foreign governments, but their effects on the target countries have illustrated how easily any coordinated cyberattack could cripple a country’s infostructure.

Gen. Raduege adds that the number of reported cyberattacks on U.S. government networks climbed by 40 percent in 2008. This growth is in addition to attacks that go undetected or are not reported properly by government organizations that wish not to reveal their vulnerabilities.

The nature of cyberattacks has become more sophisticated, he adds. Traditionally, cyberattackers would announce their intrusions as a way of leaving a calling card. But now, intruders prefer stealth. They have much more to gain by not revealing their operations within a network.

Another growing trend is the planting of malware in critical infrastructure networks. Between 20 and 40 percent of home computer users may not have firewalls or antiviral software, which opens their machines up to being used as unwitting botnet nodes by malicious cybermarauders.

Sachs believes that terrorist groups are less likely to sabotage Internet operations—not because they lack the ability to do so, but because they find the Internet more useful in their own terrorist activities such as communications or financial transfers. “In a twisted sort of way, the Internet has become one of the best things that has ever happened to terrorists because it allows them to communicate rapidly around the planet,” he declares. And, the complexity of the networks is one of the best countermeasures to effective sabotage, Sachs offers.

Simply throwing more money at the problem will not solve the complex challenges faced, Gen. Raduege declares. The country needs a comprehensive approach that examines an organization’s total enterprise. This will require a holistic approach to strategy, processes, people and technology. “The bottom line is that we need a major paradigm shift, and we are being forced to think differently because the bad guys are becoming more and more successful on a continuing basis,” he states.

Sachs compares the challenge to the 1960s space race against the Soviet Union. Some of this effort required presidential leadership—President John F. Kennedy setting the goal of a manned lunar landing by the end of the decade—but most of it was driven by expert leaders who knew they had to assemble a skilled work force, enlist industry for innovations and ideas, and seed schools at all levels with fields of study to support a long-term effort. And, the knowledge accrued through the effort would be invested back into society so that people would see direct benefits.

“Forty years later, here we are—we need a visionary statement, broad strategic goals, and government and industry working together to come up with ways that quickly spin off benefits to society,” Sachs says. “We want to inspire third graders, businesses and other local government leaders to be a part of the team.”

Gen. Raduege believes that someone must be placed in charge of orchestrating a comprehensive national strategy for cybersecurity. And, the nation’s critical cyber infrastructure, or CCI, must be identified. Gen. Raduege relates that the CSIS cybersecurity commission identified four specific areas: telecommunications, energy, finance and government services. The country must assess the extent to which these critical areas are vulnerable to, or secure from, attack.

Stronger identity authentication is a must, he continues, especially within the nation’s CCI. The country also must learn effective risk management for cyberspace attacks. “We cannot firewall out everyone from gaining access to our networks,” Gen. Raduege points out. And, the nation must create a national cyber mindset through comprehensive education and awareness.

Overcoming these cybersecurity challenges is more of an organizational problem than a technical one, Sachs says. Another challenge is user awareness and education. People may be aware of cybersecurity problems, but they often think that “somebody else is fixing it,” and individual citizens need not take specific measures beyond common sense. “That type of naïveté is what gets a lot of people into trouble because there is so much that individuals have to do.” He likens it to driving a car badly in spite of all the safety features built into the vehicle.

Gen. Raduege suggests that the key may be the federal government “getting its own house in order.” Doing so could serve as a model for others, both nationally and internationally. The government already is at work defining roles and responsibilities with the necessary authorities and resources to do the job.

The general relates that, when he commanded the Joint Task Force for Global Network Operations in March 2005, his organization dealt with what may have been the first major intrusion. A military installation’s unclassified infrastructure was totally compromised, and this had a major operational effect on the mission that was being undertaken at that site. From that point forward, military leadership began to take note of its implications, and many senior leaders throughout the federal government also were educated about these ramifications.

But the private sector must understand the gravity of today’s threat environment and “not assume someone else—especially federal or state governments—are protecting their systems, their data and their information,” Gen. Raduege offers. But, strong cybersecurity measures cannot always be measured in traditional return-on-investment criteria.

More than 85 percent of the critical infrastructure is owned and operated by the private sector. “What we need is a public-private partnership survivor series teaming effort,” he says. “We’re behind, we’re taking damage daily … and the survivor series is something that I would say is the teaming effort that is required of the public-private partnership.

“We have to have a major catch-up operation.”

The private sector is not opposed to government regulation in cybersecurity, Gen. Raduege offers. Many people in the field believe that sensible regulation upon which government and industry can agree will help stabilize the security problem. One lesson learned over the few years of the information era is that if the problem is left on its own, it will not take care of itself.

The private sector can help with its own areas of strength. “We need to encourage, listen to and cultivate the rich entrepreneurial ideas that are found in private industry,” Gen. Raduege states, pointing out that this is the role that the private sector plays in providing solutions. He suggests that the private sector also can help by providing a cyber work force. This would comprise well-paid scientific and technological jobs that would stimulate the economy.

Sachs calls for senior managers to understand resource constraints in this economic downturn. Security measures often are the first items to be cut out of the budget when revenues decline, and this will make cyberspace less safe. Much as cybermarauders threaten the global economy, so does the economic downturn improve their chances of success.

Time for a New Direction in Federal Information Security

The Federal Information Security Management Act (FISMA) of 2002 established guidelines and criteria for securing government information systems, but new concerns have many experts calling for at least an update to the original FISMA approach.

“FISMA 1.0 was an excellent first step in getting federal agencies to focus on improving IT security,” states Lt. Gen. Harry D. Raduege Jr., USAF (Ret.), chairman of the Deloitte Center for Network Innovation. “However, in some cases, the focus has really shifted to more of a ‘checklist compliance’ mentality than in making risk-based decisions that hinged on the operational realities of today’s threat environment.”

He hopes that the next iteration—FISMA 2.0—will have more of an operational focus. It would need to incorporate risk-based management models and performance-based metrics that truly evaluate operational effectiveness and cybersecurity overall.

Gen. Raduege believes that FISMA 2.0 will make good inroads into information security. If it is defined properly, it will enable improvements by illustrating how people comply with it as well as by allowing overall security to be measured. Again, its operational focus will provide a better means of assessing its success.

Right now, assessing security based on FISMA 1.0 grades leaves something to be desired, he continues. “Certain organizations year after year seem to be graded at ‘F’—and we know operationally that they are not that bad—and other organizations that are grading themselves at ‘A-plus’ perhaps aren’t A-plus category as far as operations, but they have their paperwork in order.”

Y2K May Offer a Model for Cooperation

The public-private partnership that assembled to deal with the year 2000 (Y2K) computer problem could serve as a model for dealing with cybersecurity.

Lt. Gen. Harry D. Raduege Jr., USAF (Ret.), chairman of the Deloitte Center for Network Innovation and former director of the Defense Information Systems Agency, was the director of Command Control Systems, Headquarters, North American Aerospace Defense Command (NORAD) and U.S. Space Command, where he was in charge of Y2K response during that critical period. He relates how the news media described his briefings after Y2K passed as addressing “the biggest non-event ever.” He credits this description to the preparations that government and industry undertook to minimize the problem. For more than four years, the two parties teamed to pre-empt Y2K from crippling the infosphere. The Securities and Exchange Commission, for example, required any privately traded organization to report Y2K compliance status.

The government also held town hall meetings around the country to educate the populace as to the potential threat this computer glitch posed. These meetings addressed local consequences—such as the failure of a traffic light system or the local water supply—that helped provide guidance as well as establish regulations for reporting requirements. “It took us five years of preparation to get a ‘non-event,’ but it was a wonderful thing,” the general says.

But Y2K had one condition that information security lacks—a deadline. All work had to be finished by December 31, 1999, and the goal was specific. Cyberspace security is not a project with a specific goal or a given ending; it is an ongoing quest. Securing cyberspace is a campaign that will continue for a long time, Gen. Raduege allows.

 

Look to Chaos for the Next Cyberthreat

Predicting the next new threat to cyberspace may depend less on expertise and more on chaos theory. Marcus H. Sachs, director of the SANS Internet Storm Center, says that no one can forecast which new threat will emerge because of the complexity of the situation.

Noting that experts missed the rise of cybercrime despite all the signs being available, Sachs says that more than half a dozen potential courses of action all have the same probability of coming to pass. Chaos theory rightly states that no indication exists for determining which one will emerge over the others. “Some small event, some trigger someplace, will cause one of those to be amplified in front of the others—but you have no control over that trigger event.”

The economy could be the source of a game-changing event, he offers. The global drawdown in spending has far-reaching consequences along the entire supply chain. “Some hiccup someplace could have a huge ripple effect across the entire planet,” Sachs suggests. “It could be a natural event—a volcano someplace erupts and darkens the sky. It could be the assassination of a world leader. If you believe in complexity theory, you know that there are trigger events, but you can’t predict the trigger event.

“But one will happen, and it will cause something new to emerge—some new threat, some new angle, some new mechanism will emerge as our concern for the next decade.”
