Threat From the ‘Net: Part II
New Decade, Same Disinterest
By Michael Tanji
Specific details of the events in question were absent, no doubt scheduled for a closed session, but those who follow cyber security events can make reasonably accurate assumptions about what took place. This testimony from the Department of Commerce speaks volumes:
In summary, Commerce and BIS became aware of the break-in to BIS computers on July 13, 2006, which was determined not to be the date of the initial infection. The firewall logs were restored from the date the incident was discovered and the preceding eight months. The DOC CIRT, BIS technical staff, and the NOC reviewed and attempted to identify the initial date of the computer system compromise, to no avail. While firewall logs were reviewed for the preceding eight months prior to detecting the BIS incident, Commerce cannot clearly define the amount of time the perpetrators were inside its BIS computers before their presence was discovered. BIS has no evidence to show that data was lost as a result of this incident.
That’s security officer-speak for “someone sat in our chairs, ate our porridge, and slept in our beds: no biggie.” The big difference between real life and the fairy tale there is that there was no little blond perpetrator found on the premises.
The balance of the testimony from all witnesses said in effect; “We are still coming up short but we promise to work harder.” Congress doesn’t stand for such language from Army Generals talking about Iraq, yet cyber space is no less important to national security. In fact failing to secure the sensitive information that traverses government networks could undo past victories and could render our ability to win future wars impossible.
The fact that federal agency networks are still no better protected than any other network connected to the Internet - despite the massive investments made in security hardware, software, and personnel - is disturbing. Crisis response teams may do an excellent job post mortem, but as recent events have demonstrated: prevention is what precludes victim-hood.
We are still no closer to securing our national information infrastructure than we were when the threat of a “digital Pearl Harbor” was first uttered before Congress in the early 1990s. The Pearl Harbor metaphor has proved to be somewhat inaccurate. What has transpired over the years has been more akin to a Great Digital Chicago Fire or a Cyber Dust Bowl.
The Internet was built to provide a resilient communications capability, not support the multitude of services that it now does. Early ‘Net users were limited and trusted and the level of security required to operate safely online today wasn’t considered decades years ago. Consequently cyber security is a duct-tape solution to a problem that demands more robust engineering. One modest weakness can and has brought Internet-connected systems down. Recovery can be quick, but the impact could be devastating if your stock and trade is timely information.
Nearly all of the problems associated with Internet security are due to the pressures of commerce and convenience. Doing things securely means doing things the long, hard way. In a broadband-everywhere world where people have multiple Internet-enabled devices on their persons for most of the day, extra seconds can mean the difference between mission accomplished and going-out-of-business. Poor security practices exploited by a malicious actor, or even an inattentive innocent, can have a cascading effect that reaches far beyond a localized event.
Heretofore these issues have been addressed from a generic, business-oriented point of view, but the ideas and issues hold true for every online government presence. Government and military network communications operate in different domains only nominally; soldiers might have .mil addresses but their traffic runs through .com-owned pipes. USTRANSCOM – the unified command responsible for getting troops and materiel where they need to be – lives on the Internet. Any outage or degradation that impacts them, impacts our ability to fight and win wars.
Is the importance of cyber security at the national level starting to sink in?
We have built whole institutions dedicated to dealing with cyber security threats. The defense of military networks was the responsibility of the Joint Task Force – Computer Network Defense (now –Global Network Operations) – which the author was lucky enough to help support for a time. The JTF-GNO is part of a federation of military and civilian agencies that play a role in keeping cyberspace safe for Uncle Sam, but to what effect? We would not be having these hearings if our approach to digital defense was working.
Getting serious about cyberspace security means taking substantial steps to defend sensitive information and save lives.
For starters, the government – as one of the largest buyers of computer hardware and software - should start exercising the power of the purse by demanding that all IT-related products and services it procures meet a robust set of security standards. There is no escaping the fact that most of this material is made overseas and ripe for exploitation by foreign intelligence services, but a regular and rigorous inspection regime can help minimize the risk that our next major technology purchase is not an intelligence boon for our adversaries.
The government also needs to get serious about inter-connectivity. Unless there is an extremely strong mission-oriented justification, government employees should have little or no ability to reach most Internet sites. Many agencies currently allow employees to access the Internet if they do so during work breaks and if it does not impact the mission; for most this is still too liberal access. Tax dollars should not be going to fund the fantasy football habits of federal employees or enabling intelligence officers to conduct chat sessions with their former frat brothers.
Speaking of personnel, conforming to cyber security policy needs to be a rated item on every performance evaluation. Policy violations should be treated at least as severely as any breach of physical security. Too many agencies go through the motions of dealing with digital malfeasants, or when they do show them the door it is done without fanfare. Embarrassment should not be a factor in the decision-making calculus: everyone is getting hacked. Public announcement and punishment would have a more substantial deterrent effect than any strongly worded memorandum.
Securing our online presence also requires an iron fist, not a velvet glove. Many agencies and offices have responsibility for defending aspects of our cyber space presence, but their authority to enforce policy can be relatively weak. Most network owners hold and use trump cards when told to secure themselves. No agency has a real or figurative red-button they can press to shut off offenders. Even if they did, the finger on the button would most likely belong to someone who viewed defensive action as a negative, not an opportunity to thwart an adversary.
Serious attempts to secure our own information infrastructure are unlikely to take place absent a technically catastrophic event that leads to either extended system outages or a significant loss of life. Even the terrorist attacks of 9/11 resulted in only a limited network outage (a major Verizon network center was located next to WTC 7) and more people have died in a single ice storm or during a single heat wave than have died from all the cyber attacks that have ever occurred. Cyber attacks can be difficult to recover from but relatively speaking they are an inconvenience, and we’re not engaged in a war on inconvenience.
As long as we make no serious headway in securing our information infrastructure, we should not be surprised every time another adversary eats our virtual lunch. Both nation-states and non-state actors benefit from the cheap, fast, and relatively easy-to-execute sub-set of information warfare. Outsourcing government functions is only going to make the problem worse, as more sensitive data is pushed online to more organizations (contractors, sub-contractors, consultants, etc.) that do not fall under the defensive umbrella of our cyber security forces, and who themselves are pushing the technology envelope and exposing themselves to more risk so as to gain an advantage over their competition.
In 1990 a visionary thinker named Winn Schwartau testified before Congress about the perils of information warfare and cyber attack. In 1998 the L0pht hackers testified before Congress about their ability to bring the Internet down in half an hour. Will this decade’s round of “same story, different speaker” result in meaningful change? To paraphrase another cyber security icon: confidence does not remain high.