The Bleeding Edge
Technology is as Much Bane as Boon
By Michael Tanji | March 14, 2007
It came to light recently that unknown attackers temporarily incapacitated part of the infrastructure that supports the Web. Hammering several root domain name servers (DNS) – the mechanisms that allow text like “threatswatch.org” to replace numeric IP addresses – made it difficult if not impossible to access some of the .org and .mil domains. The effect may have been temporary, but the implications are far-reaching.
People have been using and abusing computer networks for decades. Cliff Stoll documented his involvement in cyber-espionage as far back as 1985 and CERT/CC – the granddaddy of all cyber response teams – was born out of the chaos caused by the Morris worm in ’88. Since then, a variety of colorful personalities and organizations have come and gone, each leaving their unique imprint on the cyber security landscape. Time passes and the threats and vulnerabilities evolve, but there are a few constants we can count on.
For starters, the end-users of systems cannot be trusted to follow secure practices. This isn’t a statement against their intellect or intent; it is just a reflection of human nature. The computer (and by extension the Internet) has become one of those things that “just work,” similar to how many view a car. You’re supposed to do certain things to your car, but all most people do is put gas in it . . . and then they wonder why it breaks down. Users are followed quickly by poor coding practices, poor risk-management decisions, and a mad quest for features in order to attract customers (a.k.a. greed).
Into this environment steps a variety of threat actors, such as the aforementioned DNS hackers as well as organized crime groups. Nations like China have established warfighting doctrine that includes information warfare – a war they seem to be winning – and at least one terrorist group leader has extolled the virtues of using computer network attack against the infidel.
Attacks take numerous forms, from basic Web-page defacements (an almost quaint assault that peaked in popularity about a decade ago) to identity theft, file system extortion (they encrypt your files and then hold the password for ransom) and of course denial-of-service attacks. Some organizations are better prepared than others, but as several years of personal data loss events have shown, even organizations that should have a handle on these issues can have serious weaknesses in their policies and practices.
Perhaps the most dangerous yet under-appreciated attack is the semantic one: compromising a system to lightly but significantly alter system content. It has happened at least once before to a major news outlet. A compromise at the CDC a few weeks ago portends the seriousness a sophisticated attack of this nature could have on the health and welfare of the population.
The counter to all these threats is a multi-billion-dollar cyber security industry that makes a healthy profit selling hardware and software; hardware and software that itself falls victim to exploitation and compromise. The anti-virus industry alone is one of the largest self-licking ice cream cones ever made, as it relies on clues left behind on victim systems to help defend those that have not yet been attacked. In an age when a worm can infect hosts worldwide in a few minutes, the futility of such an approach is glaringly obvious, yet the approach remains unchanged. Only after decades of being “owned” are we beginning to take concrete steps towards a secure operating posture.
Despite the inherent weaknesses and the onslaught of threats we still rush to incorporate information technology without making the necessary changes in process and policy. Only a few of those who foist technological boondoggles on our national security apparatus actually have a command of the technology or the broader relevant issues; too many decisions are made after reading a blurb in an in-flight magazine or after a very expensive lunch with a recently retired colleague who, oddly enough, is selling a system.
The benefits of incorporating more information technology into our defense and security systems can be significant, but we cannot approach technological adoption like the .com-ers did a decade ago. When the net-centric, future-combat bubble bursts, more than the stock market is likely to fall.