In his State of the Union address this year, President Barack Obama, expressing concern over the security of critical infrastructures that are exposed to the Internet, declared that enemies of the U.S. are “seeking the ability to sabotage our power grids, financial institutions and air traffic control systems.”
Unfortunately, the nation is still struggling to formulate and implement an effective strategy to protect ourselves.
The evidence bears out Obama's warning. Recent Distributed Denial of Service (DDOS) attacks on the banking system, and the espionage activities of a group of hackers traced to China by Mandiant Corporation, the security firm that investigated the recent hacking of the New York Times, are just recent examples of the increasing number of cyber attacks carried out with either the explicit or implicit backing of nation states.
According to a Department of Homeland Security ICS-CERT Report, cyber-attacks on critical industrial control systems rose from 9 in 2009 to 198 in 2012, with a large portion of the attacks aimed at the energy sector.
While these events don't necessarily all involve state-sponsored actors, control systems exposed on the Internet which could be readily attacked from other nations were of particular concern.
Similar dire warnings were issued last week by the nation's intelligence chiefs. Testifying at the Senate Intelligence Committee's annual hearing on worldwide threats, Director of National Intelligence James Clapper told lawmakers that terrorist groups are increasingly pursuing the ability to wage cyberattacks, which, if successful, could bring businesses and the government to a collapsing halt.
“It's hard to overemphasize its significance,” said Clapper, who spoke on behalf of himself, FBI Director Robert Mueller, CIA Director John Brennan and National Counterterrorism Center Director Matthew Olsen.
Cybercrime and hacking have long been a part of the Internet. State sponsored attacks, however, pose considerable defensive challenges. A single organization will likely not have the resources to thwart such an attack, especially if it persists.
Deterrence requires a coordinated national strategy.
There is good cause to worry about cyber attacks on power grids, water treatment systems and the other physical systems that depend on computers and networks. Many of these systems were put in place long before the Internet became the pervasive presence it is today.
The networks and computers used to control these systems usually do not employ the type of security measures typically found in modern networks and the hosts they support, such as intrusion detection and prevention.
Many of these networks still depend largely on isolation for security, i.e., the systems are located behind a restricted physical perimeter.
Even worse, many systems still have in place vendor passwords and software that is never or infrequently updated. The Stuxnet computer virus, widely believed to have been developed by the US and Israel, clearly illustrated that physical isolation offers little security in a world where software and applications are routinely downloaded from the Internet and USB drives move readily from computer to computer.
Analysis of various versions of Stuxnet by leading antivirus companies indicates it was designed for the sabotage of industrial control systems including those used in refineries, chemical and nuclear plants. Security analysts believe Stuxnet was responsible for damage to centerfuges used in Iranian nuclear enrichment facilties at Nataz in 2009.
Nations appear to be making good use of the Internet for cyber espionage and intellectual property theft. A recently released report by Mandiant described in detail the capabilities of just one cyber espionage unit, the so-called APT1, that it traced back to the Shanghai region of China.
Mandiant claims to have investigated attacks by the group on over 150 organizations during the past seven years. The report also claims that APT1 maintains an extensive inventory of over 900 command and control servers in 13 different countries from which the group was observed to launch attacks.
The group's main goal appears to be cyber espionage—the report doesn't cite any attempts by the group to attack critical physical infrastructures.
But the report also provides little information on who was attacked.
For example, Department of Defense facilities and defense contractors are not singled out, although Mandiant is a major provider of security services to both the U.S. government and various defense contractors.
Hacking traced to China does indicate, however, an interest in various types of infrastructures.
The New York Times recently reported that Chinese hackers gained illegal access to the computers of Telvent, a company that monitors oil and gas pipelines. Investigators were not sure what the hackers were after.
In 2011, Chinese hackers were implicated in the breach of the RSA Security Division of EMC. The hackers were able to obtain information that compromised RSA's SecureID Token, a device used by organizations around the world to provide secure two factor authentication to highly sensitive systems. RSA would never confirm the source of the breach.
RSA did confirm, however, that the compromised tokens were used in the breach of the systems of defense contractor Lockheed Martin.
Many defense analysts agree that China's primary interest thus far has been state-sponsored cyber espionage, particularly to support its industries. Nevertheless, according to a report last year by Northrup Grumman, China continues to develop both offensive and defensive cyber warfare capabilities as well as increasingly sophisticated cyber espionage capabilities.
The APT1 group and the group that attacked RSA both used the same packet transmission tool, purportedly written by a Chinese hacker, to enable communications through intermediate hops with command and control servers.
Last week, China's foreign minister, Yang Jiechi, speaking to reporters during a session of the National People's Congress, disavowed China's involvement in any of the recently reported attacks. According to a report in the New York Times he claimed that China is often the victim of such attacks, and went on to say that cyberspace should not be turned into a battleground.
Shortly after the Chinese minister's statement, in an address to the Asia Society, Tom Donilon, White House National Security Advisor, called on China to investigate and put a stop to “sophisticated, targeted theft of confidential business information and proprietary technologies through cyber intrusions emanating from China on an unprecedented scale.”
Actions by groups possibly sponsored by nations, who function as hacktivists, are another source of concern.
Attacks from Iran
Recent DDoS attacks on financial Institutions by the group Izz ad-Din al-Qassam Cyber Fighters appear to emanate from Iran and other Middle Eastern countries. According to security analysts at Radware, a firm that offers services to mitigate DDoS attacks, the attacks have become more powerful and difficult to deter as attackers add systems to the Brobot botnet used in the attacks.
The attacks target banks' cloud based servers and infect applications on those servers. They also go after other cloud-based hosting services in order to have a high bandwidth platform from which to launch attacks. Thus the attacks can be very difficult for banks to mitigate. Furthermore, it is often difficult to weed out traffic that is part of a DDoS attack from legitimate traffic, especially when the attack targets a specific application.
Since August, three separate waves of DDoS attacks have been directed at the cloud servers employed by large banks. The banks have experienced some outages but generally have been able to defend against the attacks. Banking of course is a highly regulated industry and banks must devote considerable resources to security since in the event of a loss to customers the bank is likely to bear the liability.
“If they can be exploited in this way how will other industries fare?” says Tracey Kitten of Bank Info Security, a publication of the Security Media Group of Princeton, N.J., which provides coverage of information security for the banking industry. “If the banking industry – one of the most secure in the world – can be tested and exploited in this way, how can we expect other industries to fare? Not well.”
The appearance of nation states as malicious actors raises the stakes since attackers now have considerable resources available.
Cyber criminals typically go after low hanging fruit. If the potential for gain is significant, they may expend significant resources to try to achieve an objective, yet their resources are limited. Hacktivists will target an organization, but eventually their interest will wane.
A nation-state, however, with a specific objective such as intellectual property theft, theft of defense secrets or economic disruption, will keep on coming, creating a truly advanced persistent threat.
Organizations may be forced to expend significant resources continually to combat the onslaught and may simply not be able to muster the security resources to counter the threat. A recent concern has been the spreading of DDoS attacks to smaller financial institutions and credit unions.
Potential for Deterrence
Most nations view possession of cyber offensive capabilities as a deterrent. The U.S. does little to hide the fact it is developing cyber weapons as many other nations have been doing for a number of years. By demonstrating significant offensive capability, cyber weapons are seen to provide a form of deterrence.
But as Richard Clarke and Robert Knake point out in their book Cyber War, there has been little interest among nations to restrict cyber weapons. Most nations who have cyber offensive capabilities reject the idea of treaties to regulate cyber weapons, arguing that compliance would be impossible to verify.
The authors now suggest that the US review its position on cyber arms control and ask if an international agreement could benefit its security interest.
Even if cyber arms treaties may not be realistic, at the very least, a secure, open and free global Internet requires that each participating nation address attacks that originate within its borders and are directed at systems in other nations.
Retaliation with cyber weapons would be a dangerous game.
Unlike in a physical conflict, there are no rules of engagement for the use of cyber weapons. Which targets would be fair game is anyone's guess. In the event of a cyber-attack, attribution would be difficult and any counter attack could easily lead to retaliation against a proxy.
Much of the work cited here required months of monitoring hackers who often did not make a concerted effort to cover their tracks. A cyber-attack on a physical infrastructure that did significant damage would call for a quick response, which probably would not be possible.
The StuxNet Attack
Finally, as StuxNet illustrated, the side effects of cyber weapons are very hard to predict. The virus, despite features to limit its proliferation, inadvertently wound up on personal computers in India, Indonesia, Germany and the United States.
The U.S. is particularly vulnerable if the cyber hostilities continue to escalate. Although Internet operators have shown tremendous resilience over the years in working together to deter major threats and address routine operational problems, the Internet in the U.S. is certainly not built for national defense. It is largely an open system in private hands without a central administration—probably a key reason that it has been so successful.
Contrast this version of the Internet with other nations where national networks are monitored extensively and largely under the control of a central government administration.
Research reports indicate that a key security feature of the next generation Internet in China will be an elaborate system of source address validation, which will bind traffic to its source and give those who control the network information needed to filter traffic at various levels in the network.
In the event of cyber hostilities, China likely would be in a better position than the U.S. to protect its national networks. Of course, it would have much to lose if denied Internet access to major trading partners.
The global Internet is merely a large collection of networks managed by different nations, companies, universities and telecommunications companies throughout the world. Major players, especially nations, must work as cooperating partners to keep a global Internet functioning.
The glue that holds this network together is the mutual and self-interest of the players. All players are stakeholders and they have at their disposal a global information infrastructure that can be used to reduce costs, gain access to foreign markets and support innovation.
If the major players decide to undermine the arrangement, all bets are off. The global Internet we know will cease to exist, and quite quickly.
Unfortunately, today the trust that holds the global Internet together is being whittled away as nations engage in rampant IP theft, blatant espionage and jockey for strategic position in the event of a cyber conflict.
Increased use of technical defensive mechanisms have not reduced the threats and the defense costs of both private and governmental organizations continue to rise.
The most immediate problem is the reckless behavior by rogue groups who can launch powerful cyber attacks with little difficulty and have available significant capabilities.
Unless the major players find a way to coexist on the Internet and build on mutual interest to establish some ground rules for behavior, a global, open, free Internet, along with many of the benefits it offers, may turn out to be a short-lived part of history.
Doug Salane is director of the Center for Cybercrime Studies at John Jay College of Criminal Justice. He welcomes comments from readers.