Information Operation Threats Strike Public Sector

December 2008
By Robert K. Ackerman

Government, industry team, look at military solutions.

The danger to the Free World’s information infrastructure has become more sophisticated and widespread, and it now poses a threat to the very economic well-being of the Free World. Economics and national security have become so closely intertwined that both now are facing common threats from global information operations.

The very types of information operations that have threatened militaries for years now are menacing the critical information infrastructure. Conversely, the same devices and techniques used by cyberthieves or hackers are being employed by foreign militaries and intelligence services to endanger the national security of Free World societies.

Some analogies emerge from looking at consequences. Internet denial-of-service attacks are the public sector’s version of military jamming. Hacking into Web sites or databases to alter data is the purest form of sabotage. Extracting identity, economic or industrial information is electronic espionage.

But other analogies apply to the adversaries themselves. Foreign governments and organizations such as terrorist cells are probing and attacking civil government and civilian information systems for their own monetary gain and to damage Free World societies, just as they might do through military or intelligence operations.

These efforts are global in origin and in targeting, and it will take nothing less than an unprecedented coordinated global effort to counter them, according to a U.S. government official.

Melissa E. Hathaway, Office of the Director of National Intelligence cyber coordination executive, states unequivocally that a strategic partnership is required to close the gap between cybermarauders on the offense and the Free World’s defenses. Government and the private sector need to change the way they do business and instead recognize that a vulnerability to one affects all, she offers.

Private-sector risk models are inadequate for national security and critical systems, she continues, so the government must define higher standards and specifications. The government also must incubate and create incentives for industry to generate the needed game-changing security technologies and to add innovation. Government is late in addressing this, she warns.

“It must become our long-term national security and economic security priority,” Hathaway declares. “And, I don’t believe that this is a single-year or even a multiyear investment—it’s a multidecade approach.

“Government and private-sector networks and information are being exploited at an unprecedented scale,” she states. “It is a serious economic and national security problem.

“But, I can say with assurance, we are not the only ones experiencing this problem. It’s really a global problem that will require global or international solutions enabled through the private sector and international alliances,” she adds.

Hathaway reports, “We’re seeing a series of threats that cross a number of vectors.” These threats include the insider threat, which entails the unauthorized use or access of information systems and networks by trusted agents such as employees or foreign intelligence agents. Employee threats could consist of deliberate malefactors or faithful but unwitting users who employ tainted technologies that compromise a system.

Another threat, which has been growing, involves data manipulation through close and expanded access. This approach features an unauthorized user gaining access to a system by deploying a technology in the proximity of a network or database. The attacker may use a cell phone, for example, to access a computer across a room. Hathaway notes that this technology often is used to intercept information passing through wireless systems.

A third threat vector is the most common of all—remote access through networks. This usually entails accessing information through the Internet and other information systems, and it is the target of most counter-intruder technologies.

But a new threat is coming through the supply chain. Cybermarauders explore or manipulate the supply chain during either the development or the distribution process—of both hardware and software.

“We’re really facing a dangerous combination of known and unknown vulnerabilities—strong adversary capabilities and weak situational awareness across those different attack vectors,” Hathaway says.

The criminal element is employing a combination of these different attack vectors, and this activity is growing in sophistication and ability to target, Hathaway allows. It currently is manageable, but it is becoming worse, especially in other countries. System exploitation of the public and private-sector networks for intellectual property and critical information is “a significant vulnerability,” Hathaway states.

The 12 Steps in the Comprehensive National Cybersecurity Initiative

• Trusted Internet connections/reduced access points—led by the Office of Management and Budget

• Einstein II—beefed-up passive intrusion detection sensors

• Improved prevention

• Research and development, including a comprehensive census of all U.S. government efforts

• Sharing threat information across the U.S. government

• National counterintelligence strategy

• Protect closed classified networks

• Public outreach and education—building a cyber work force

• Leap-ahead technologies

• Deterrence strategy

• Supply chain security

• Information sharing with private sector—led by the Department of Homeland Security

Source: Office of the Director of National Intelligence 

Significant data destruction and manipulation have taken place in other countries, she says, and it has the potential to be a strategic vulnerability.

Over the past year alone, threat activity has grown more sophisticated, more targeted and more serious, Hathaway reports. Officials also have seen greater volume across the board. These trends are likely to continue, she adds.

As examples, she cites that the insider threat has grown 55 percent this year. Malicious intrusions through the Internet have increased more than 50 percent. And, according to the Georgia Tech Information Security Center, more than 10 percent of the world’s computers may be operating as part of a botnet—unwitting robots running malicious software.

These growth rates could be a result of increased vigilance and improved detection technologies and methods, she admits. However, she offers little doubt about the increase in threat sophistication.

Phishing and social engineering attacks also are on the rise. Social engineering attacks are similar to spear phishing (SIGNAL Magazine, August). A marauder posing as a trusted person sends an e-mail with a “document of interest” that deposits malware on the unsuspecting recipient’s system.

Hathaway is not sanguine about the menace facing computer and network systems. “The threat is agile and aggressive,” she declares. But, she also recounts how the government has been aggressive over the past 18 months in its efforts to address the threat on all vectors.

This has involved developing a comprehensive program to address the threats across all of the attack vectors—the Comprehensive National Cybersecurity Initiative, which was announced almost a year ago. A unified executive branch is working with the legislative branch, and the program has just begun full execution. She explains that this initiative comprises 12 primary programs (see box above).

A key element is how to address cybersecurity from a federal government perspective, particularly the Internet-based threat. This is where military expertise comes to bear: many of the problems now facing the federal government are issues with which the military has dealt—or is still dealing—over the years.

For example, military networks used to have thousands of external access points. The military has collapsed this number down to 17 primary gateways. Hathaway reports that the federal government identified more than 8,000 external access points in the .gov space. This number already has been reduced to 2,500 over the past six months, and it is dropping by 25 percent to 50 percent every 45 to 60 days. The goal is to reduce the number of external access points to less than 100, she says.

“Once you start to understand where and how you are channeling that traffic, it’s important to put the most sophisticated sensors on those networks—both for intrusion protection systems and intrusion prevention systems,” she continues. “Again, we are trying to take the best practices from both the government/military side and the industry side.”

Government researchers are examining how to apply military information security technologies—including those in the intelligence community—to the .gov arena. Foremost among these are intrusion detection systems and network mapping tools, Hathaway says. When successful, the government then would look for mechanisms to extend the security measures into the private sector.

The federal government has six centers of excellence for cyberspace, and it is trying to connect them “in a very robust manner” to increase warning and to enhance global situational awareness, Hathaway says. These centers are within the Federal Bureau of Investigation, the U.S. Computer Emergency Readiness Team (U.S. CERT), the Defense Department Cybercrime Center, the Defense Information Systems Agency (DISA) Joint Task Force–Global Network Operations, the National Security Agency’s Threat Operations Center and the intelligence community’s Incident Response Center. Connecting these centers will provide more consistent threat detection and quicker response, Hathaway offers.

But defending against full-spectrum threats remains a high-priority goal. This will require a counterintelligence strategy, particularly with the growth in the insider threat, she says. The plan under development addresses both technology and enterprise objectives, and this should help detect anomalous behavior inside networks. Concurrently, a multipronged approach will manage the risk to the supply chain. This will require a broader understanding of how risk is being introduced through the supply chain, she adds.

And, the government is examining how to coordinate and redirect current research and development while developing future leap-ahead technologies and strategies. This aims at an environmental change in the information technologies and security arenas. The goal is a future with an assured information infrastructure with built-in security.

This will take a public-private partnership, she continues. It will entail a next-generation infrastructure that includes telecommunications providers, hardware builders, software creators and service providers. These next-generation capabilities must have built-in security and identity management, Hathaway adds.

One government activity that will help the private sector is to provide more information on the nature of the threat, particularly from network observations. In turn, the private sector can identify and monetize the risk to networks. For example, research has established the value of credit card breaches, yet no model exists for determining the value of intellectual property losses over time. Developing and embracing this type of determination will help address the role that the government can play—indemnification, liability insurance, tax incentives or market regulation, for example.

Hathaway believes that industry has “some appetite” for a common set of standards that all companies must meet. She continues that, if the government establishes a minimum set of standards, then companies that meet that due diligence might feel that they are not negligent in the event of a data breach. These standards would need to be global in nature, she emphasizes.

Dealing with information operations will include deterrence, and the government is examining how to define and develop that strategy. The threat ranges from hackers to organized crime and espionage, and different motives will require different deterrence. Hathaway admits that this thinking is still in its infancy, particularly because it is a global problem. A global alliance to develop information operations deterrence likely will have an economic thread rather than a military one.

And, private-sector security must be extended and incentivized. The majority of the U.S. critical infrastructure—including that upon which economic and national security systems rely—is operated by the private sector, so industry must be a major player in any security effort.

The government must work with industry to ensure that the next generation of information technology products are less vulnerable and have fewer known weaknesses, Hathaway continues. The government can help industry illuminate unknown security vulnerabilities before they reach market.

“It’s paramount that we start to think about the IT [information technology] system and the global IT arena as something that enables our freedom to maneuver in cyberspace—and enables the global economy,” she declares. “We need to be able to work on and do our day-to-day business in that infrastructure without fear of the different things that are happening in those networks and architectures.”

Secure information technology is vital for global competitiveness across markets, and information sharing will increase across sectors as well. A vulnerability introduced by software, by definition, is a vulnerability that must be dealt with by the hardware provider. The government long has viewed “a risk to one is a risk to all,” Hathaway notes. Now, that same philosophy is applying to the infostructure in the global economy.


The Future Is Bright for Web 2.0 Aficionados—and Cybermarauders
The new generation of information system users, who are coming of age in the Web 2.0 arena, will reap the benefits of the new society that they are building around these networking capabilities. Unfortunately, so will the denizens of cyberspace who would wage malevolent operations against them.

Melissa E. Hathaway, Office of the Director of National Intelligence cyber coordination executive, points out that members of this younger generation have a different sense of privacy and risk. They tend to focus on greater efficiencies in communication instead of on what information or access could be used against them.

Increased cloud computing, in which services are pushed out to second- and third-order vendors, will generate a different risk profile for both the public and private sectors. “We need to come up with a more sophisticated risk management process, as you’re pushing your very sensitive data out to be managed by a second- or third-order party,” Hathaway predicts. “If there is a data breach in that second- or third-order party, the liability, brand integrity and/or elements of that market still go back to the primary vendor or market provider.

“We’re headed into a brave new world as we move toward pushing more and more information out to the edge—or the cloud,” she warns.

The vulnerability will increase as more information is pushed into the cloud, she continues. This in turn will require a higher level of identity management, and the technologies must be capable of verifying the credentials of data, software and hardware as well as people. She describes this as one of the key technology needs coming online in the near term.

Shaping the future environment will be critical to defending cyberspace against all types of marauders, Hathaway states. One key focus must be education, and the earlier the better. “It’s not just pipelining in the universities and creating a professionalization of cybersecurity,” she expands. “It’s extending the program—and the education needs—into grades K through 12.”

She likens this effort to the one that was applied after the Soviet Union launched Sputnik in October 1957. Shocked that it had been beaten to the start of the space age, the United States placed greater emphasis on science and mathematics education at all levels. Hathaway is calling for “the same type of reinvigoration of the education system” to raise awareness of information technology vulnerabilities and how they are managed. 
