Rome '08 Workshop
Vulnerabilities and Dependencies in Cyber-Space
The Honorable John G. Grimes
U.S. Assistant Secretary of Defense
Last year, when I spoke at the workshop, I focused on the global society dependency on the Internet and how threats to our networks could cause major disruptions. Activities across the global economy, government operations, business operations, airlines, air traffic control, and military operationsare just a few examples of how dependent we have become on this infrastructure, on the Internet.
As I also mentioned last year, and more so now, criminals, terrorists, state and non-state actors, are using IT Network technology for their purposes which are not always for good reasons. At the opening of the workshop, General Camporini mentioned that the terrorists get more leverage from IT and the Internet than we do. The fact that he made IT a major point in his presentation, to include network exploitation, tells you it is on the minds of military leaders. General Camporini also mentioned attribution. The attribution of an attack is hard to determine. The attack last year on Estonias Internet infrastructure used botnets (robots on the network) to take over computers and use them to attack other computers. Who did it? Was that a criminal act or was it an article 5 like act, intentional war?
On the NATO side, at the Riga and Bucharest summits, NATO communiqués recognized the criticality of cyber security to the Alliance. After the events in Estonia, the NATO Consultation, Command and Control Board (NC3 board) which Peter Flory chairs, formalized some of the cyber security processes that address policy, technology and cyber defense operations. NATO also has an operations center headed by General Wolf, the director of the CIS Service Agency, to defend NATOs networks and systems.
Cyber space is where IT is happening. The Internet continues to be a changing influence. The value of IT enabled global trade is estimated at 30% of the global GDP. That is 14 trillion dollars in global economic value that would have been lost without the Internet technology that most of us have in our homes, at work, and even in our pockets (wireless, the BlackBerry or Smart Phone, and other equivalent personal digital assistants). As more IT services and capabilities go online, more markets open up and new technologies fuel creative business models that dictate the need for robust cyber security solutions.
What do we need to be aware of when we talk about cyberspace? A few points can help bring things into focus:
- First, what kinds of vulnerabilities and dependencies do we face in cyberspace?
- Second, how are networks and computers being compromisedwhat are attackers doing?
- Finally, what is being done now, and what can be done down the road to increase security?
VULNERABILITIES AND DEPENDENCIES IN CYBER-SPACEWHAT DO WE FACE IN CYBER-SPACE?
Let us consider the nature of the problem: When cyber activity is detected, is it a crime or an act of war? Who decides? How?
A good example is the Estonian incident of April 2007 in which:
- Hackers used the denial of service attack against the nation of Estonia;
- The attack was focused on ministries, banks, newspapers, TV/radio and the Parliament in order to bring the country down on its knees;
- Websites were knocked offline, emergency telephone lines were inoperable;
- Botnets were used;
Fortunately, Estonia was able to recover very quickly thanks to its Computer Emergency Response Team (CERT) but I am not sure that every nation has all those capabilities.
What do cyber-aggressors have in common?
- About 90% of the attacks focus on home users. This is a global threat but with low value in our minds.
- 70% of the data breaches are in finance, government, and education. This is a corporate threat with medium value.
- Less than 1% of the attacks focus on specific targets for military and corporate espionage such as nuclear command and control, or corporate strategic plans or programs. This is a cyber war threat of high value targets.
HOW DO SYSTEMS GET COMPROMISED?
Gaining Unauthorized Access to Computer Systems
Attackers seek to gain unauthorized access to our computer systems through known security holes in the software. Security flaws in web browsers and servers make it possible to exploit web-based applications, particularly on interactive sites using databases and scripts to generate content. As we move to a Service Oriented Architecture (SOA) and get away from the database architectures, we will have much better security in our networks for sharing information. This is already the case for Google and for the financial markets, which have already moved in that direction.
Security flaws that make it possible to push malicious software to computers are causing widespread problems. In fact, one in four home computers are infected with spyware, key-loggers or other malicious code, called MalWare. Recent reports by Googles security team indicate that 1.3% of search results link to sites infected with MalWare . This means that about 59 million web pages have been intentionally damaged. The trend for new attacks has been going up very fast. There have been about 375 attacks per day over the last two years, and 72% of the PCs that do not have anti-virus protection have MalWare in them. The proliferation of MalWare is approaching epidemic levels, and it is a major concern to our government networks.
Socially Engineered Deception and Cyber Crime
Attackers often use fake emails or web sites to steal information and compromise users computers. How does it work? A type of attack called spear phishing using emails targeted at specific users tries to get them to visit malicious web sites. These emails appear to be from a known or trusted source, from a trusted acquaintance, agency or business with a serious subject like would be for instance Official information for UBS client. These emails entice users to go to realistic websites, causing their computers to be attacked. The web sites push out MalWare, which is set up as a back door on the computer for later attacks.
These socially engineered schemes are a growth industry for organized crime because they are effective, profitable and they work. Criminals craft emails that appear to be from courts of law, businesses, prospective employers, respected civic organizations and more. Sources indicate that since February 07, two groups are behind 95% of these attacks. They are increasingly focused on financial information, institutions and transactions.
There is also something quite disturbing called e-currency which is a slightly different problem from the other Information Assurance/Cyber issues. E-currency has its roots in the early days of the World Wide Web and has a direct impact on economic and national security. Risk assessment tied to e-currency is very complex. Transactions are difficult to track, accessible anywhere and fit well into the illicit movement of moneythere is no way to dispute charges or rescind payment. Why do we care? Because terrorists can move and access money with virtually no accountability, creating tremendous opportunities for illicit activity.
Global Supply Chain Manipulation
Globalization of the supply chain processes and products is another major concern. The offshore global supply chain of computer H/W & S/W is particularly vulnerable to manipulation. An in-depth approach for managing product integrity will be required for ensuring the protection of H/W and S/W IT products. Let me give you a few examples:
Example 1. On February 29, 2008, the U.S. FBIs Cyber Division, the U.S. Immigration and Customs Enforcement, the U.S. Customs and Border Protection and the Royal Canadian Mounted Police cracked a case that identified about 3,500 counterfeit Cisco network components. This led to 10 convictions and $1.7 million in restitution. The retail value of the counterfeit gear was $3.5 million.
Example 2. On January 4, 2008, two brothers in the U.S. were indicted under allegations that they purchased and imported counterfeit computer network hardware from China, then sold them to retailers across the country. Some items were sold to the military, the FAA, the FBI, as well as several defense contractors, universities and financial institutions that procured them through a third party computer retailer.
The Defense Industrial Base (DIB) will need to focus on the industry protection of U.S. government sensitive information on their networks.
IMPROVING CYBER OR INTERNET SECURITY
What are the near term solutions?
A Shift from from IPv4 to IPv6.The transition from Internet Protocol version 4 (IPv4) to Internet Protocol version 6 (IPv6) will dramatically improve security and scalability. The European Commission is looking to get 25% of businesses, public authorities and households on IPv6 by 2010.
ITU: The International Telecommunication Union is working to improve collaboration between industry and government; establishing computer security incident response teams, information sharing and analysis centers and warming, advice and reporting points.
ICANN: The Internet Corporation for Assigned Names and Numbers is working to enforce domain name registration among registrants identified as having registered web site generating illicit traffic. Nearly 90% of illicit sites are tied to approximately 20 registrants.
NATO: The Estonian Cyber Center of Excellence focuses on training, tools and procedures related to improving cyber security and responsiveness.
The Council of Europe: The Convention on Cyber Crime is the first and only legal instrument addressing cyber attacks. It applies only to signatory nations, which are 38 Council members, plus the U.S., Canada, Japan, South Africa, and Montenegro.
ENISA: The European Network and Information Security Agency is looking at the policies and regulations that exist across EU Member States, the measures operators take and the technologies available to improve the resilience (availability and integrity) of communication networks.
The global information infrastructure is under siege every single dayit is being hit constantly, probed for weaknesses and openings where bad actors can gain unauthorized access. Cyber attacks are getting much more focused, and the level of sophistication we are seeing is growing. These cyber security challenges are coming at the same time as the network environment is rapidly expanding, sheer computing capacity is accelerating, and network costs are dropping.
At a recent Massachusetts Institute of Technology workshop on the issue of cyber security, some of the core issues that were discussed have relevance here. Let me share three of them in closing:
- Does the spread of information warfare capabilities impact the stability of the international system?
- Can we create a shared model or concept of escalation levels with related cyber actions that will enjoy international recognition?
- Are cyber agreements really possible given the challenges of enforcement?
The need to cooperate and collaborate and share cyber security information at the national, regional and international level must take place through international partnerships and initiatives that are enforceable before we face a global 9/11.