Federal, Commercial Worlds Contribute to Cyberdefense

December 2008
By Henry S. Kenyon

Private-sector efforts, such as this Symantec security operations center, must actively support the government by protecting critical assets such as electric and gas grids to provide wider and more flexible national defense.
Shielding critical systems becomes everyone’s responsibility.

U.S. government agencies and private-sector firms must improve communications to better protect vital national infrastructure. Besides the ongoing need to shield both classified and unclassified computer network assets, an industry expert maintains that a vigorous defense has a deeper psychological impact, implying that systems can be trusted.

The current state of the U.S. government’s cyberspace security and critical infrastructure protection is dynamic, explains Keith Rhodes, chief technology officer for QinetiQ North America, McLean, Virginia. Rhodes, who recently stepped down as the chief technologist for the Government Accountability Office, notes that several key factors have shifted the threat model from old Cold War nation-state paradigms. During the Cold War, both sides had a clear understanding that states could control their subordinates and surrogates. “Now that model has turned on its head. When somebody can release a virus, set up a botnet or do some kind of storm over the Internet, individuals now have a tremendous amount of power,” he says.

Another threat in the constantly shifting post-September 11 environment is the rise of unaffiliated, independent groups that can form for a specific mission and immediately disband afterward. The government must be very dynamic to keep ahead of this quick, global and amorphous threat, Rhodes says. To accomplish this fluid work, government agencies are moving from compartmentalized, need-to-know environments to need-to-share structures. “If your opponent is ad hoc and opportunistic and agile, then you have to be ad hoc, opportunistic and agile to respond,” he observes.

Rhodes does not see this situation changing in the near future, but he believes that the government understands that dealing with terrorist networks is not very different from dealing with cybercrime networks. He maintains that the government’s model for responding to the Global War on Terrorism is also suitable for cyber events. “Trying to understand and extract that [information] pattern is one of the keys that the government is working on [for cyberspace],” he says.

But national security does not end at government networks. Private-sector infrastructure protection is another aspect of national cybersecurity. Rhodes explains that in the commercial world, the financial sector has among the best security features because banks have been targets for robbers as long as there have been banks. Now that trillions of dollars move digitally every year, he believes that banks are very good at providing their own security. “Industry does take it seriously, I think more seriously than they did 10 or 15 years ago. But then the government also takes it more seriously than it did 10 or 15 years ago,” he admits.

A key change is that both the government and private sector understand that they must partner with each other. While each group has functions specific to its own world, Rhodes notes that both sides are responsible for national security. “It is not possible for companies in this nation’s industrial base to think that they don’t have a role to play in national security. Even if they’re making washing machines, it doesn’t matter any more. If you’re a part of the United States of America, you therefore have a global reach, a global economy and partners. You have to understand that you are part of the protective mission of this nation,” he maintains.

Although the virtual world has no boundaries or maps, Rhodes explains that everyone must understand that they have a role to play. For example, for information security, it is not enough for an organization to focus on technology. While technology is important, the human element is critical. “You have to make certain that everyone down to the lowest-level individual in the organization knows his or her role in security. Otherwise, security is always discussed as the weakest link in the chain. Industry has to understand that all the integrity of this nation has a role to play in national security, and the government has a role to play in making certain industry understands what it’s up against,” he explains.

Rhodes describes national-level cybersecurity as being in a familiar neighborhood, where everyone knows their neighbors and is comfortable with the local security. He extends this analogy to the virtual world, which can now be accessed wirelessly by growing numbers of people. “When you’re having a [electronic] conversation with me, you want to know that I am who I am, that I am actually the voice on the other end of the phone, that I’m not embedding some terrible software on your cell phone or your BlackBerry. You want to have some level of trust,” he says.

On a business level, firms that cannot protect data—for themselves and their customers—affect customer confidence. Rhodes explains that branding is an important part of this viewpoint because firms, especially information technology or communications companies, want their customers to view their services as secure and reliable.

This human element is a strong part of corporate marketing, which also focuses on consumer confidence. “One of the things that you have to make certain you are conveying—whether it’s your home, your neighborhood, your virtual persona or your business protection model—you have to make certain that what you are really projecting is that you are diligent and vigilant. Protection is not something you do once, or that is one size fits all,” he says.

But organizations must avoid creating the impression of a false sense of security. Rhodes offers the example of an office building: If the facility has a guard in front of it, it implies a certain level of security. If that guard is armed, it is interpreted as an even greater level of defense. He observes that customers view virtual security in a similar manner.

A major challenge facing national-level cybersecurity is that the world is evolving into a cyber/physical place through technologies such as supervisory control and data acquisition (SCADA) systems or distributed control systems. Rhodes notes that even cars and mass transit are now connected to the digital world. “We’re rapidly moving to where there is no distinction between the virtual and the physical world,” he says, adding that this connection is more wireless than wired.

Rhodes believes that this intersection between “worlds” is an important point because it relates to vital infrastructure such as electric power, water and gas. This consideration also affects issues such as emergency response and transportation. Because this web of vital systems is growing more interconnected by the day, it must be protected.

Chemical plants, power plants and other industrial facilities all use embedded systems to manage their operations, which increases their vulnerability to hacking and cyberattacks. Rhodes believes that it is a major challenge for the government and private sector to defend these facilities and the networks they rely on to operate. “It’s one thing to think about protecting information, but when we talk about protecting the critical infrastructure, we really are talking about infrastructure. It’s not an abstract idea. This is where a mouse click meets brick and mortar. I think that’s going to be the great challenge for the next decade,” he maintains.

Although worries remain about a “digital Pearl Harbor,” where cyber terrorists or a nation-state attacks the United States’ national infrastructure, Rhodes notes that this concept is rather hard for most people to imagine. He is more worried about an “electronic Three Mile Island,” which he describes as an initially small event with far-reaching consequences. For example, if a group gains control of a city’s power plant to make a political point that its members can do this to other plants, it will have major implications, he says.

Rhodes explains that the national infrastructure is extremely varied, which makes it very difficult for an attack to take down large parts of the infrastructure simultaneously. However, if the infrastructure is brought down in one city, it is a major issue, especially for a large city. Beyond the direct physical effects, such an attack would have a psychological impact. Bringing down the telephone system or power grid for more than a few days would deeply affect the population. An attack on infrastructure that requires long periods of time to replace or repair would have very problematic consequences for individuals and their government. “You’re having a real effect on people’s comfort, how they view things. You’re changing that psychological and social benefit of the environment so that people aren’t comfortable, they don’t feel safe. That’s a very powerful tool,” he concludes.

However, the U.S. government has been working on methods to counter cyberattacks. One recent development is ongoing research on pattern extraction and analytical tools to understand and identify network attacks. Rhodes explains that networks suffer constant perturbations and glitches that cause slowdowns in performance. The current research is creating tools to identify when these disturbances are normal and when they are part of an attack.

Rhodes is heartened by this work, noting that it is a necessary tool because the proliferation of ad hoc networking and wireless connections greatly complicates detecting an attack. “There’s a lot of very good research and development going into understanding network environments, when a problem is something you should worry about. But the environments are extremely ad hoc, and they are proliferating—more computers every day, more networks every day. There’s more storage space out there. There’s a natural tension that we have [between network growth and security]. This is the thing that makes us have to be agile, vigilant and diligent to be responsive,” he says.

Because there traditionally has been a lag of minutes or hours for administrators to detect an attack, Rhodes notes that the goal of the government’s research is to reduce this lag to as short a time period as possible. “We’ve got to get it [the time] down in order to be able to respond. It’s the old rule: network defenders have to be right all the time, and an attacker has to be right only once,” he says.

Web Resources
QinetiQ North America: www.qinetiq-na.com
Government Accountability Office: www.gao.gov
