Cybersecurity


SOTECH 2011 Volume: 9 Issue: 8 (October)


Scientists worked feverishly over a six-month period in 2009-2010 at Iran’s Natanz nuclear facility to replace 10 percent of the facility’s equipment, broken by a computer worm that had infected the nuclear facility’s systems.

This hurried action, caught by United Nations-installed surveillance cameras, reflects what some information security experts consider a game-changing attack on a government’s information systems. “This was a clear indicator to anyone in the security space that they have to be vigilant about the range of possibilities, including the low-percentage but high-impact risk,” said Jason Brvenik, vice president of security strategy at SourceFire Inc. of Columbia, Md., a cybersecurity company.

The Stuxnet worm attack on the Natanz nuclear facility, widely considered to come from Israel, was so sophisticated that it took years of planning and significant funding, according to cybersecurity experts.

But a far larger coordinated attack is possible, targeting U.S. defense, homeland security, financial, banking, credit card, utilities and other critical IT systems.

For example, the Chinese People’s Liberation Army (PLA) has cyber warriors, thousands of highly trained computer hackers. And they are capable of massive attacks on U.S. systems.

One minor attack in 2010 nonetheless caused extreme concern among Google executives when an assault originating in China hacked into the Google IT system and stole intellectual property, while also accessing Gmail accounts of Chinese human rights activists worldwide.

Other companies in the chemicals, finance, internet and other sectors were hacked as well.

Pentagon policymakers for years have been concerned that China might attempt to disable U.S. military IT systems just before sending PLA forces to invade Taiwan, which China regards as a rebel province and vows to conquer by force unless Taiwan capitulates and accepts rule by Beijing. The United States is nominally committed to defend Taiwan.

Such a massive IT attack might involve not only brigades of Chinese cyber warriors attacking U.S. military IT systems, it also could involve China physically attacking U.S. military and commercial satellites.

China could accomplish that in two ways: In 2006, it used a ground-based laser to disable a U.S. military satellite as it passed over China. And in 2007, China used a rocket to intercept and demolish one of its own weather satellites, creating an immense cloud of space debris traveling 17,500 miles an hour that formed a threat to spacecraft and satellites.

Air Force Lieutenant General Henry A. “Trey” Obering, then director of the U.S. Missile Defense Agency, said after the attack that it might be time for the United States to consider orbiting U.S. missile defense systems in space, in addition to those on land and sea.

Concerns have been voiced at the highest levels, including the White House. In the 21st century, Presidents Bush and Obama have both taken steps to study how to respond to the threat.

As an American Enterprise Institute think tank paper noted, “After a series of cyber-attacks in 2007 on the Departments of Defense, State, Commerce, and Homeland Security, as well as NASA and the National Defense University (during which the defense secretary’s unclassified email was hacked), President Bush signed a highly classified order in January 2008 that created the Comprehensive National Cybersecurity Initiative (CNCI).”

The Threat

Trojan horses, viruses and worms are malicious programs that can damage infected computers. Worms spread from computer to computer and can disseminate without any human action: they take advantage of the file- and information-transport features on a victim’s system, which allow them to spread unaided.

In light of the Stuxnet attack, the obvious question for U.S. cybersecurity experts is: When will an enemy of our country launch a similar attack?

“It was an extremely complicated threat,” said Dean Turner, director of the Global Intelligence Network for Symantec Corp. “It was the first attack of its kind. It was not just your run-of-the-mill attack. There was significant human capital involved, and the planning took multiple years,” he said.

“Someone had to have that in their back pocket,” ready to use whenever they chose to disable the Natanz nuclear facility’s systems, said Scott Register, director of product marketing for BreakingPoint Systems Inc. of Austin, Texas. “That didn’t just pop out,” he said, because the Stuxnet attack took years to plan. “Once you’ve used it, it’s done.”

Such an attack is far more complicated than the distributed denial-of-service attacks of July 2008, in which millions of requests were sent to Georgian servers, taking down many Georgian websites before and during the military conflict between Georgia and Russia.

Cybersecurity experts aren’t as concerned with loosely organized hacker groups such as Anonymous, which make well-publicized, asymmetric attacks on corporate and government systems as an act of civil disobedience. “The truth is there’s nothing new there,” Symantec’s Turner said, referring to a couple of similar groups from years past.

To fortify their systems against cyber-attacks, some Defense Department organizations are using single sign-on technology, which lets users sign on to a portal that authenticates them so they can then access individual applications. Not all single sign-on solutions are the same, according to one vendor. “The trouble with this application is that most agencies work in a multi-vendor environment,” and no one vendor seems to be looking out for the security of the entire system, said Becky Land, director of business development at Edge Technologies Inc. of Fairfax, Va. “Commanders can’t see the information that they care about. Commanders need to not only have a dashboard view of the health, status and services provided by their systems, but they also need to see integrated information at the data layer instead of the [graphical user interface] layer,” she said. Her company offers a single-login product, enPortal, which uses proxy server technology to add another layer of security to single sign-on. Edge Technologies’ customers include the Space and Naval Warfare Systems Command and the Office of the Secretary of Defense.

Technology Blue, a Pittsburgh-based company, is meanwhile providing a technology framework that lets Defense Department leaders better analyze events detected by sensors across their enterprise networks, using a dashboard. Using an analytics engine, Technology Blue applies a predictive model to a series of events to try to determine whether they are significant enough to be a potential cyber-attack, according to Claye Greene, president and chief executive officer of Technology Blue. Users of this predictive model can then set up rules based on network events. “It can pull events from the last month or the last year,” he said. “It helps to enable decisions, such as denying specific requests when they come across the network or routing a network packet elsewhere,” when traffic shows characteristics that might be part of a cyber-attack and that exceed the comfort threshold of DoD managers, he said. “It’s such a daunting problem,” Greene said of cybersecurity. “It takes a significant investment: not just money but time and energy.”
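The rule-over-events approach described above can be illustrated with a small windowed rule engine. This is an added example, not Technology Blue’s code or product; the event format, the rule thresholds and the sample events are all constructed for illustration. Each rule counts something per source (every blocked event, or the number of distinct destinations) inside a sliding time window, and when the count crosses the rule’s threshold it recommends a response such as denying the source or routing its packets elsewhere for inspection.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One sensor event: when it happened, who talked to whom, and what the sensor did."""
    ts: datetime
    src: str
    dst: str
    dport: int
    action: str  # "allow" or "block", as recorded by the sensor


# Rules: name, sliding window, per-source threshold, which events count,
# what makes two matching events distinct, and the recommended response.
# Thresholds are hypothetical; a real deployment tunes them to its own baseline.
RULES = [
    {
        "name": "blocked-burst",            # many blocked connections from one source
        "window": timedelta(minutes=5),
        "threshold": 10,
        "match": lambda e: e.action == "block",
        "distinct": lambda e: (e.ts, e.dst, e.dport),  # every blocked event counts
        "response": "deny",
    },
    {
        "name": "many-destinations",        # one source fanning out to many hosts
        "window": timedelta(minutes=5),
        "threshold": 5,
        "match": lambda e: e.action == "allow",
        "distinct": lambda e: e.dst,         # count distinct destination hosts
        "response": "route-to-inspection",
    },
]


def evaluate(events, rules, now):
    """Apply every rule to the events inside its window ending at `now`.

    Returns a list of (rule name, source, count, response) for each source
    whose count reached the rule's threshold.
    """
    decisions = []
    for rule in rules:
        start = now - rule["window"]
        seen = defaultdict(set)  # source -> set of distinct matching items
        for e in events:
            if start <= e.ts <= now and rule["match"](e):
                seen[e.src].add(rule["distinct"](e))
        for src, items in sorted(seen.items()):
            if len(items) >= rule["threshold"]:
                decisions.append((rule["name"], src, len(items), rule["response"]))
    return decisions


# Constructed sample events (private addresses, not real traffic).
BASE = datetime(2011, 10, 1, 12, 0, 0)
SAMPLE_EVENTS = (
    # 10.0.0.5 probes twelve ports on one host and is blocked every time
    [Event(BASE + timedelta(seconds=i), "10.0.0.5", "10.1.0.20", 20 + i, "block") for i in range(12)]
    # 10.0.0.9 reaches six different hosts on port 445 within two minutes
    + [Event(BASE + timedelta(seconds=60 + 10 * i), "10.0.0.9", f"10.1.0.{30 + i}", 445, "allow") for i in range(6)]
    # 10.0.0.7 makes two ordinary HTTPS connections
    + [Event(BASE + timedelta(seconds=120), "10.0.0.7", "10.1.0.40", 443, "allow"),
       Event(BASE + timedelta(seconds=130), "10.0.0.7", "10.1.0.40", 443, "allow")]
    # an hour-old blocked event from 10.0.0.5 that falls outside the window
    + [Event(BASE - timedelta(hours=1), "10.0.0.5", "10.1.0.20", 8080, "block")]
)
NOW = BASE + timedelta(minutes=3)


if __name__ == "__main__":
    for name, src, count, response in evaluate(SAMPLE_EVENTS, RULES, NOW):
        print(f"{name}: {src} hit {count} in window -> {response}")
```

The window matters as much as the threshold: the hour-old blocked event from `10.0.0.5` is ignored, so an analyst who widens the window (Greene’s “last month or the last year”) will see different counts and should retune the thresholds accordingly. The engine only recommends an action; whether “deny” is applied inline or merely surfaced on the dashboard is the operator’s policy decision.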

In August, Anonymous attacked the Bay Area Rapid Transit’s (BART) website and published online user emails, addresses and phone numbers from a BART database, after BART officials shut down mobile networks along BART’s route to try to disrupt protesters.

Other significant cybersecurity attacks in the last two years have included Operation Aurora, which anti-virus company McAfee revealed as an attack that used encryption, stealth programming and a security hole in the Microsoft Internet Explorer browser to steal intellectual property from Google, Adobe and dozens of other technology companies.

Cybersecurity experts whose companies work with the Defense Department pointed out that the most common outsider cybersecurity attacks against critical infrastructure and government computers are motivated by financial gain, rather than the desire to shut down key systems and cause havoc.

“The biggest risk is people stealing data,” said Joseph Steinberg, a cybersecurity expert and chief executive officer of Green Armor Solutions Inc. of Hackensack, N.J. To save money on development costs, for example, a criminal enterprise or country could steal design schemas, policy and procedure plans for the Northrop Grumman B-2 Spirit, also known as the Stealth Bomber.

“No country is going to declare war on the U.S. That would be crazy,” Steinberg said. “Stealing technology is easier than investing in it,” he said. “It’s less costly and risky [to hack into computer systems] than sending spies” to infiltrate an enemy, he said. “There is a rise of countries that are Third World countries but that can be technically powerful,” he said.

Criminal enterprises could have clear financial motivations to break into government systems, according to SourceFire’s Brvenik. They might also be willing to risk getting caught trying to access government systems because of the possibility of being able to find out if they are under investigation and if any pending government legal action is being initiated against them.

The increased adoption of social media, smartphones and teleworking has lowered the barriers that government employees once had between their work and personal matters, pointed out Symantec’s Turner.

According to BreakingPoint’s Register, the threat landscape has increased significantly because of machine-to-machine malware from mobile platforms as diverse as smartphones and automobiles. Malware is software intended to damage or disable computers and networks.

“Nearly all breaches occur because of human errors,” Steinberg said. One common mistake is that legitimate network users write down their passwords to better remember them, which can create a security vulnerability. In addition, some network users respond to phishing emails sent from the account of a person they know and inadvertently hand their password to a hacker who asked for it. “Strong passwords can inevitably be difficult to memorize because they tend to be long words,” Steinberg said.

Education about cybersecurity needs to be “not just bottom up but top down,” Symantec’s Turner said. In other words, senior executive service and military general officers and flag officers need to talk about cybersecurity and be aware of its importance.

A very sophisticated attack on an enterprise network such as those in the Department of Defense involves a hacker breaking into the network and then lying low for a week or two as the hacker collects data on the server without being caught, according to BreakingPoint’s Register. His company helps organizations pinpoint hard-to-detect vulnerabilities in network components such as data centers, firewalls, routers, servers and switches.

DoD organizations would also be well advised to identify and classify all the electronic, confidential data within their systems, according to Turner. “Not all data is worth protecting,” he said. Government officials should also deploy a defense-in-depth strategy that includes using multiple firewalls to protect their networks and setting policies on encryption and strong passwords, he said.

When organizations require access credentials beyond a password, hackers can find it difficult to reach sensitive computer systems even after they have obtained passwords, Steinberg said. Green Armor Solutions analyzes the users who access enterprise networks and send data over them, reviewing information such as their IP addresses and physical locations and the kinds of machines they use to reach the network, and estimates from that data the likelihood that they are hackers.
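The kind of analysis described above, in which a login is judged by where it comes from and what it comes from rather than by the password alone, is shown below as a small risk scorer. This is an added example, not Green Armor Solutions’ code or method; the signals (known IP, known country, known device), their weights and the decision thresholds are hypothetical, and the user profile and attempts are constructed. The point it demonstrates is Steinberg’s: a correct password presented from an unfamiliar address, country and machine is still refused or sent to a step-up check.

```python
from dataclasses import dataclass


@dataclass
class Profile:
    """What the network already knows about a legitimate user (constructed)."""
    user: str
    known_ips: set
    known_countries: set
    known_devices: set


@dataclass
class Attempt:
    """One observed login: who claims to log in, from where, on what, and whether the password matched."""
    user: str
    ip: str
    country: str
    device: str
    password_ok: bool


# Hypothetical weights: a new country is a stronger signal than a new IP within a known country.
WEIGHTS = {"unknown_ip": 2, "new_country": 3, "new_device": 2}

# Hypothetical thresholds: at or above STEP_UP ask for a second credential,
# at or above DENY refuse the login outright.
STEP_UP = 3
DENY = 6


def risk_score(profile, attempt):
    """Sum the weights of every unfamiliar attribute; return the score and the reasons."""
    reasons = []
    if attempt.ip not in profile.known_ips:
        reasons.append("unknown_ip")
    if attempt.country not in profile.known_countries:
        reasons.append("new_country")
    if attempt.device not in profile.known_devices:
        reasons.append("new_device")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(profile, attempt):
    """Return 'deny', 'step_up' or 'allow' for an attempt against a profile.

    A wrong password is always denied; a right password is only the first gate.
    """
    if not attempt.password_ok:
        return "deny", ["bad_password"]
    score, reasons = risk_score(profile, attempt)
    if score >= DENY:
        return "deny", reasons
    if score >= STEP_UP:
        return "step_up", reasons
    return "allow", reasons


# Constructed profile and attempts (private addresses and made-up device ids).
ALICE = Profile(
    user="alice",
    known_ips={"10.20.30.40"},
    known_countries={"US"},
    known_devices={"laptop-7f3a"},
)

ATTEMPTS = {
    "usual": Attempt("alice", "10.20.30.40", "US", "laptop-7f3a", True),
    "new_ip_same_country": Attempt("alice", "10.20.30.99", "US", "laptop-7f3a", True),
    "known_device_abroad": Attempt("alice", "192.0.2.17", "DE", "laptop-7f3a", True),
    "stolen_password": Attempt("alice", "192.0.2.17", "DE", "unknown-device", True),
    "wrong_password": Attempt("alice", "10.20.30.40", "US", "laptop-7f3a", False),
}


if __name__ == "__main__":
    for label, attempt in ATTEMPTS.items():
        verdict, reasons = decide(ALICE, attempt)
        print(f"{label}: {verdict} {reasons}")
```

The “stolen_password” case is the one the text is about: the password is correct, but nothing else about the login matches the user’s history, so it scores 7 and is denied. A step-up outcome is where the extra credential the text mentions would be requested; an outright deny should also be logged so the account owner and the security team learn that the password is likely compromised.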

After they have classified their data, government officials can create and implement plans to protect the data and test those plans. Government officials should also make a distinction between structured data and unstructured data as they assess their networks, according to Turner. “You have to know what kind of data you have,” he said.

“You need to have constantly evolving processes,” said SourceFire’s Brvenik. He said it is important to distinguish between high-percentage, low-impact cybersecurity threats and low-percentage, high-impact risks. ♦
