In 2009, a graduate engineering student in China and his professor published a paper entitled “Cascade-Based Attack Vulnerability on the U.S. Power Grid,” which many in the West saw as a statement of Chinese intent to target the American electric power system in the event of a future conflict between the two nations. The authors’ response that they were simply pointing out a serious vulnerability so U.S. authorities could take steps to secure it satisfied some, but was met with skepticism by many others.
Regardless of its intent, the paper further illustrated the growing level of concern about cyber security and distrust of anyone – nations, corporations, non-state groups, or even individuals – seen as having the talent, expertise, and Internet access needed to become a threat.
“As I see the kind of security threat today, there is so much more malware out in the environment. There is so much more expertise behind the top attack vectors than we have previously seen in many years leading up to this point. The sophistication behind the attack structures is also at a much higher level,” Bordwine told Washington Technology. “So from the cybersecurity perspective, it is not a matter of ‘can I go out and get access to a system? Can I break into a system and then go brag about it?’
“Today, the threat is against the information that we use on a day-to-day basis to get our jobs done, to ensure that our companies operate smoothly and our country is operating smoothly. You see a level of sophistication, much better funding behind the efforts, much more high-tech talent trying to steal data information from systems, whether it is for financial gain or political gain. I think that is going to be the model that we’ll be seeing for the next several years.”
It has been estimated that the U.S. government alone will spend more than $55 billion during the next five years on new and continuing efforts to safeguard mission-critical systems and data from cyber threats. But the technology of cyberspace – and those who prowl its dark alleys with malicious intent – is expected to continue to outpace whatever measures the United States or any other government can put in place.
Two keys to improving security are a proactive approach to predictive behavioral analysis and improved analysis and knowledge-sharing about existing malware. In combination, experts contend, potential attackers and their weapons can be better identified and blocked before they can act. At the same time, there are concerns the proposed $55 billion federal expenditure through 2015 could have limited results if steps are not taken to coordinate policies and enforcement. Most important to that is properly prioritizing government efforts and shifting emphasis for protecting information to a multi-partner collaborative focus on network, enterprise, and mission protection.
Many major defense and homeland security contractors and IT, computing, networking, and cybersecurity firms have joined one or more consortia intended to bring a broad range of expertise from multiple disciplines into the fight. Those include Northrop Grumman’s Cybersecurity Research Consortium and the Lockheed Martin Cyber Security Alliance.
“We see some promising emerging technologies in many of the areas that our Cybersecurity Research Consortium is addressing,” Dr. Robert Brammer, CTO and vice president of Northrop Grumman’s Information Systems Sector, told a cyberspace security symposium in May. “Substantial work by the government, industry, and academia is needed to realize the potential of these technologies for large-scale implementations that will have national impact.”
Lockheed Martin described its alliance as an integration of the best commercial security capabilities, domain knowledge, and “systems-of-systems” into a world-class NexGen Cyber Innovation and Technology Center, where collaboration and innovation will be employed to meet cyber security needs.
“We face significant known and unknown threats to our critical infrastructure,” Lockheed Martin Cyber Security Solutions Vice President Charles Croom said. “We not only need solid defenses, but also the right technologies to predict and prevent future threats. Innovation and collaboration are key to ensuring mission resilience and securing cyberspace.”
In an August podcast interview with Defence IQ, the online portal of international technology conference producer IQPC, Adm. Lord Alan West, minister for Security and Counter-Terrorism under former U.K. Prime Minister Gordon Brown, warned that cyber attacks will one day equal large-scale physical attacks. Even so, he added, “there is a general lack of understanding about cyberspace by the public.”
“People are very strange. They go on their computer and, for some obscure reason, they think it is just them and the person they’re talking to and no one else sees anything. But, actually, more people can see what is on their computer than if they wrote it on a postcard and put it in a letterbox; there are rafts of people who see all the posted information – who it’s from and to, the route it takes – a huge amount of data. How one can control that is quite tricky,” he said – as is how to respond to a cyber event.
“One of the difficulties with cyberspace and the Web is it is actually extremely difficult to identify who has done something. Those with particular skills, such as GCHQ [Government Communications Headquarters, the center for U.K. Signal Intelligence (SIGINT) activities] and NSA [the U.S. National Security Agency], can actually achieve it, but it takes time, even for them. Even when you do identify them, you then have to think about what action you take. And there is no comprehensive legal structure that enables one to handle issues in cyberspace. For example, if I bomb a power station in another country, that is an act of war. If you go in through the Web and destroy it by making things overheat, is that an act of war?”
DHS launched National Cybersecurity Awareness Month in October by announcing a new effort to address the first part of that problem – the “Stop. Think. Connect.” public cyber security awareness campaign. A collaborative, yearlong effort by the Online Consumer Security and Safety Messaging Convention, National Cyber Security Alliance, Anti-Phishing Working Group, and key leaders from industry, government, and nonprofit agencies, the campaign’s goal is to increase both public understanding of cyber threats and basic methods for self-protection.
“We all share a responsibility to prevent cyber attacks and increase our nation’s resilience to cyber threats,” Napolitano said. “The ‘Stop. Think. Connect.’ campaign will help equip the public with simple information to keep themselves and their families safe and secure on the Internet.”
On a far more complex level, just as militaries conduct combat exercises and civil first responders practice dealing with floods, hurricanes, and earthquakes, DHS has organized three congressionally mandated biennial cybersecurity exercises called Cyber Storm.
Cyber Storm I, in February 2006, was the first full-scale government-led exercise of its kind, involving more than 115 federal, state, and local government agencies and private-sector organizations. With a focus on IT, communications, energy, and air transportation, participants responded to a variety of simulated attacks against and degraded capabilities of cyber and communications systems related to critical infrastructure, working out collaborative policies, operations, and public affairs responses.
In March 2008, Cyber Storm II expanded its scope to include five nations (Australia, Canada, New Zealand, the United Kingdom, and the United States), 18 federal Cabinet-level agencies, nine states (California, Colorado, Delaware, Illinois, Michigan, North Carolina, Pennsylvania, Texas, and Virginia), and more than 40 private-sector companies (including Juniper Networks, Microsoft, McAfee, Cisco, Dow Chemical, PPG Industries, and Wachovia).
That year, the focus was on the chemical, communications, IT, and rail/pipe transportation infrastructure sectors and employed 10 Information Sharing and Analysis Centers to exercise processes, procedures, tools, and organizational response to a multi-sector coordinated attack through – and on – the global cyber infrastructure. Participants had a full week to run through and evaluate their ability to respond to the initial attacks and a cascade of interconnected cyber disasters at both the government- and private-sector level.
Cyber Storm III, in September 2010, built on the lessons learned from the first two exercises, with a further expansion to 12 international partners, 11 states and 60 private-sector companies, along with seven Cabinet-level departments, the White House, and representatives from the intelligence and law enforcement communities.
The newly developed National Cyber Incident Response Plan (NCIRP) served as a blueprint for response to direct and secondary attacks on a broad range of infrastructure, including the banking and finance, chemical, communications, dams, defense industrial base, IT, nuclear, transportation, and water sectors. It also was the government’s first opportunity to test the new NCCIC (National Cybersecurity and Communications Integration Center), which stood up in October 2009 as the hub for national civil cybersecurity coordination.
“Exercises of this type give us a real window into what the capabilities are, where we need to make progress,” Phil Reitinger, DHS deputy under secretary of the National Protection and Programs Directorate (NPPD) and director of the National Cyber Security Center (NCSC), said during a news briefing during the exercise. “One of the things that’s critical to recognize about cyberspace is this is beyond the capability of any one government agency to respond to – or even one government or one private-sector entity. This really requires a joint response.”
As planning for Cyber Storm III kicked into high gear in July, a cybersecurity storm of another kind swept through Washington with publication of a Wall Street Journal story about a purported new federal program called “Perfect Citizen.” According to the article, the NSA, the U.S. government’s primary SIGINT entity, had awarded a $100 million contract to Raytheon Corp. for the initial phase of the classified project. With a name the media quickly dubbed Orwellian and the involvement of NSA, which Hollywood has made synonymous with the beyond-CIA-shadowy “men in black,” Perfect Citizen became an instant target for those claiming cybersecurity is endangering personal rights.
The NSA put out a statement saying Perfect Citizen is strictly a research program that will not involve the placement of any activity monitors, even on older computer control systems common to the U.S. communications and power grids – considered most vulnerable to attack – much less on the Internet activities of private citizens.
In only two decades, the Internet has become perhaps the single most important technology system on the planet, a vital component of almost every interaction between individuals, businesses, and governments. It also is home to a new generation of snake oil salesmen, charlatans, con artists, tricksters, and psychopaths, as well as legitimate writers, singers, photographers, painters, inventors, and others looking for opportunities never before available.
As a result, it has become both a worldwide asset of incalculable value and a global Achilles’ heel, through which the right piece of code conceivably could wreak havoc and destruction more devastating than a nuclear attack. But those seeking to use it as a weapon may find it has more in common with poison gas and biological agents – difficult to control and likely to turn back on its user.
A possible example of that may be the Stuxnet worm, widely believed to have been designed to attack Iran’s nuclear facilities before that nation can complete its weapons development program. Apparently created in 2009, the highly sophisticated worm had been found in some 45,000 computers around the world by the summer of 2010 – 30,000 of those in Iran.
While neither the creators, nor their targets, nor their intent had been identified by October, the leading theory was that Stuxnet was designed to halt Iran’s nuclear program, with leading candidates for its origin including Israel, the United States, China, Russia, and various European nations. If so, however, it soon became the embodiment of the worm that turned, spreading beyond Iran to computers in China, Germany, and elsewhere, although not the United States. The worm targeted software developed by German engineering conglomerate Siemens to run industrial control systems, from water treatment plants to nuclear facilities, injecting code into the controller to change a process that has not yet been identified.
What raised concerns for the cybersecurity community even more than Stuxnet itself, however, is the likelihood others will now modify the code, which was posted on a hacker site in July, less than two days after the first official report on how to deal with it. Those second- and third-generation mutations are considered the real danger after Stuxnet, in the words of one researcher, “opened Pandora’s box.” Another said variations of the code could be used by criminals as “precision guided cybermunitions” to steal money from bank ATM machines using Siemens’ programmable logic controllers (PLCs).
“The technology of cyberspace, its protocols, and architecture, were not designed with security in mind. Neither were the rules developed to enable global connectivity,” James Lewis, director of the Center for Strategic and International Studies Commission on Cybersecurity for Obama, said in a March 2010 speech.
“The agglomeration of networked digital devices that forms cyberspace has become a crucial international infrastructure and a potential battlefield, but it may not be securable in any reasonable length of time unless we redefine the role of government and sovereign states. This is anathema to many Americans, but other nations with differing views of the politics of cyberspace – and with increasing power – have opened a debate over the extent of sovereignty and the role of the sovereign in cyberspace.”
This article was first published in The Year in Homeland Security: 2010-2011 Edition.
Anson
2:09 PM December 10, 2010
This is a very interesting article, especially considering all the media time the WikiLeaks situation has been receiving. It is also interesting that the Protecting Cyberspace as a National Asset Act of 2010 was passed just months before WikiLeaks started releasing the newest wave of information. This is definitely a technology field that will grow exponentially in the future!