The first duty of any government should be to protect its citizens, and in terms of cyber security we are seeing various governments investing heavily into this area as they wake up to this increasing threat.
Indeed, the UK government cites hostile attacks upon UK cyberspace by other states, and large-scale cybercrime, as number 2 among the tier one threats facing the UK. This is second only to international terrorism affecting the UK or its interests, including a chemical, biological, radiological or nuclear attack by terrorists, and/or a significant increase in the levels of terrorism relating to Northern Ireland.
Of course not all threats are equal. Whilst some threats could be very damaging (and possibly catastrophic, depending on your view), other attacks will probably remain more irritating than damaging.
To this end I put potential threats into one of three cyber threat categories:
- Tier one threats involve a cyber attack on critical national infrastructure such as water, gas or electricity supplies, or indeed any other important computer controlled system that runs a modern society. These attacks would be designed to cause major disruption or damage that has a physical effect on the citizens of a country. In Cyber Shockwave, an exercise conducted in February 2010 by a think tank based in Washington DC, a scenario was created in which a cyber attack left 40 million people without power in the Eastern United States, put 60 million cell phones out of service and closed Wall Street for a week. Another significant attack would be one that affected a key piece of the internet's infrastructure such as the Border Gateway Protocol (BGP) that enables Internet Service Providers to communicate. We saw an example of the impact of interfering with such important protocols in March 2010, when around 15% of the world's internet traffic was briefly diverted through China. This BGP related problem affected networks used by companies such as Apple, Dell and CNN. Although debate rages about the reason for this momentary diversion, it highlights the vulnerability of these key internet protocols and how susceptible they are to attack.
- Tier two threats are attacks against intellectual property and financial systems for criminal gain, and include widespread fraud and theft. These attacks are prevalent, occurring day in and day out. That said, any effect is normally localized and not likely to immediately impact critical national infrastructure. Although most citizens would be blissfully unaware of such attacks, the end result can be damaging. The constant and corrosive effect of intellectual property draining away over a period of years, coupled with criminal gangs targeting individual and organizational funds, is very damaging to an economy.
- Tier three attacks are more annoying than outright damaging. For instance a denial of service attack, which I will talk about later, on a corporate website that does not affect online transactions but takes the website offline is hardly likely to destroy a business during the few hours an attack is live. In many cases, if an attack is ignored it may simply go away, certainly a cheaper option than putting in place huge computing horsepower that can be brought into use just in case such an attack happens. Website defacement and similar cyber vandalism is highly unlikely to destroy a nation, but it may be the equivalent of broken windows and graffiti in the real world. This leads to a poor perception of a local area or street and can damage reputations.
Examples of Cyber Attacks
Many cyber attacks are never made public, even if they are discovered. What we do know is that cyber threats occur every day as governments, organisations and companies are probed for weaknesses that may reveal sensitive or secret information.
Speaking in February this year (2011) the UK's Foreign Secretary said some computers belonging to the British government had been infected with the "Zeus" computer virus after users had opened an e-mail purporting to come from the White House and followed a link.
Zeus is a Trojan horse virus that acts as a keyboard logger, keeping a record of the keys a user presses and then sending them to a remote server. It is normally used to capture banking data, enabling users' accounts to be raided once their login and password details have been captured.
But I would pose this question. Was this a targeted attempt to gain national security data or a clumsy attempt to gain civil servants' bank details?
In the same speech the Foreign Secretary said that defence contractors in the UK were also being targeted, describing an attempt by someone masquerading as an employee of another defence firm to send a malicious file designed to steal information. Mr Hague also said that three of his staff had been sent an e-mail apparently from another colleague in the Foreign Office. In fact the e-mail was "from a hostile state intelligence agency" and contained "code embedded in the attached document that would have attacked [a user's] machine."
This type of malware, in whatever guise it takes, can have a variety of uses for a cyber attacker. Once installed on a computer system it can quietly sit collecting data, leaking it out bit by bit so as not to raise any suspicion. It can also act as a logic bomb, capable of taking action according to set criteria such as a specific date or time, or a command signal from a remote controller. When triggered, the logic bomb would then take whatever action it was programmed to, including destroying data or undermining critical systems.
Typical Scope of a Cyber Threat
We all know what guns and tanks do, they shoot and blow things up. But what would be the scope of a cyber attack?
I mentioned a distributed denial of service (DDoS) attack earlier. These attacks are the equivalent of having someone call your switchboard and then hang up just as the call is answered. Your operator is tied up dealing with silent calls and can't do the rest of their job. In the same way a website can be bombarded with the internet equivalent of a silent call, resulting in the computer servers buckling under the workload. These attacks are normally conducted by multiple computers, in some cases tens of thousands, working under the control of a botnet. This is a rogue command and control system that relies on malware to infect a computer, which is then corralled into sending spam messages or taking part in a denial of service attack, unknown to the user of the infected computer. Botnets are used to spread the Zeus virus by sending emails to users in the hope they will click on a link and download the malware, as we saw in the case highlighted by the British Foreign Secretary.
At the national security level, if a system may be susceptible to a DDoS attack, resources need to be added to it quickly so that its performance remains acceptable. The majority of critical systems would normally be air gapped from the internet. This was ably demonstrated only recently when the UK's Serious Organised Crime Agency's website was subject to a denial of service attack. Yes, it took their website offline, but it didn't affect internal systems, and I think the attack was met with a "So what" and a shrugging of shoulders.
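Before resources can be added, an operator has to notice that the "silent calls" have started. The following is an added illustration, not part of the original presentation: a small Python script that reads web server access log lines in the common Apache/Nginx format and reports, per source address, the highest number of requests seen in any ten-second window. The log lines are constructed for this example, one address sending four requests a second alongside two ordinary visitors, and the thresholds are assumptions to be tuned for a real site.

```python
"""Rate-based flood detection over web server access logs (added example).

Assumes the Apache/Nginx "combined" log format; the sample lines below are
constructed for illustration and are not from any real system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# One combined-format access log line: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.7 sends 4 requests every second for 30 seconds
# (120 requests), two other clients browse normally, one line is malformed.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [01/Mar/2011:10:00:{s:02d} +0000] "GET / HTTP/1.1" 200 512'
     for s in range(30) for _ in range(4)]
    + ['198.51.100.20 - - [01/Mar/2011:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 2048',
       '198.51.100.20 - - [01/Mar/2011:10:00:40 +0000] "GET /about.html HTTP/1.1" 200 1024',
       '192.0.2.9 - - [01/Mar/2011:10:00:12 +0000] "POST /login HTTP/1.1" 302 0',
       'this line is not a valid access log entry and is skipped']
)


def parse_log(text):
    """Yield (timestamp, ip, request) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield datetime.strptime(m.group("ts"), TS_FMT), m.group("ip"), m.group("req")


def peak_rates(text, window_seconds=10):
    """Return {ip: most requests that ip made inside any window_seconds span}."""
    events = sorted(parse_log(text), key=lambda e: e[0])   # logs may be unordered
    recent = defaultdict(deque)   # per-ip timestamps still inside the window
    peak = defaultdict(int)
    for ts, ip, _ in events:
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the trailing window.
        while (ts - q[0]).total_seconds() >= window_seconds:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)


def flag_sources(text, window_seconds=10, threshold=30):
    """Source addresses whose peak rate exceeds threshold requests per window."""
    rates = peak_rates(text, window_seconds)
    return sorted(ip for ip, n in rates.items() if n > threshold)


if __name__ == "__main__":
    for ip, n in sorted(peak_rates(SAMPLE_LOG).items()):
        print(f"{ip:15} peak {n:3d} requests / 10 s")
    print("flagged:", flag_sources(SAMPLE_LOG))
```

On the constructed sample only 203.0.113.7 is flagged, at 40 requests in a ten-second window, while the two ordinary visitors peak at one. A real distributed attack spreads its load over many addresses, each of which may stay under a per-source threshold, so in practice the same sliding-window count is also kept for the server as a whole and compared against its normal baseline.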
Of more concern are code exploits that can provide a huge reservoir of potential cyber threats. These exploits may be deliberately engineered into software code or more likely remain as undiscovered bugs, buried deep in millions of lines of code. Of concern to those working in sensitive industries is the security of the software used in their systems, especially that brought in from third parties that may have been written thousands of miles away in a different country.
The good news is that there are a variety of tools that can undertake automatic scanning of programming code to search for known bugs and errors as well as those planted by rogue hackers, but how many organisations actively check the software code provided by a supplier? Not that many I would suggest. And certainly if it is done once how often would they recheck the code for hidden malware, in case it has been tampered with?
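Rechecking for tampering does not need the full code scanner every time. An added example, not from the original presentation: the Python below records a baseline of SHA-256 digests for every file in a supplier's delivery at intake, and on each recheck reports files that have been added, removed or modified since. The delivery it works on is constructed in a temporary directory; a real baseline would be stored, and ideally signed, somewhere the supplier and the production system cannot alter.

```python
"""Baseline-and-recheck integrity manifest for supplier-delivered code (added example).

The sample delivery is constructed in a temporary directory; the paths and
contents are illustrative, not from any real product.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Report what differs between the recorded baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def _write(root, rel, data):
    """Helper to lay down a file inside the constructed delivery."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Record a baseline of a constructed delivery, tamper with it, then recheck."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "README", b"Supplier build 1.0\n")
        _write(root, "lib/util.py", b"def helper():\n    return 1\n")
        _write(root, "lib/net.py", b"def connect(host):\n    return host\n")
        baseline = build_manifest(root)   # taken at intake and kept out of band

        # Simulated later tampering: one file altered, one added, one removed.
        _write(root, "lib/util.py", b"def helper():\n    return 1\n# altered\n")
        _write(root, "lib/extra.py", b"# not part of the original delivery\n")
        os.remove(os.path.join(root, "README"))

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

Running the demo reports lib/extra.py as added, README as removed and lib/util.py as modified. The check is cheap enough to run on every deployment, which answers the question of how often the code gets rechecked; what it cannot tell you is whether the original delivery was clean, which is the job of the scanners mentioned above.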
The Danger of Threat Inflation
At this point I must discuss the danger of threat inflation.
My concern is with the more esoteric attacks that seem to be reported on a regular basis. By definition the general public are never informed of the full details of ongoing attacks, real or otherwise, as the targets are often secure systems inside secure agencies.
We therefore have to believe the stories we hear as being true on face value, rather than get the chance to analyse the evidence independently. In a kinetic war we have news footage of tanks rolling across the hills and aircraft bombing targets. Even the most uninformed person would agree that such images depict a battlefield, and can form an opinion on the threat that this may pose to their lifestyle or country.
How can we educate our users and businesses to understand the cyber threat in a calm and mature manner, without resorting to scare stories, which in many cases cannot be verified by independent observers?
If we are unable to address cyber threats appropriately there is a real danger of threat inflation, as vested interests take hold and any limited verifiable data becomes swamped with excitable language full of doom and gloom. The use of military language often makes matters worse, and whilst it does have a place it is incumbent on us all to use it wisely.
In my experience the information security industry is often at fault, as vendors see cyber war as a cool new way to sell their latest gadget or software, which will often have only tenuous capabilities relevant to a cyber war discussion.
I am sure this is designed to stir up concern amongst citizens who in turn don't complain when hard earned tax dollars get diverted to address the evils of cyber war, real or otherwise. We need to strike a balance.
I started this presentation stating that the primary duty of a government is to protect its citizens. I strongly believe that we really do face a whole new set of threats relating to cyber security and I am glad that my government sees fit to invest in appropriate protective measures. It is my job, as a citizen, taxpayer and information security worker to make sure that money is spent wisely and cautiously against the real cyber threats we face and not wasted on programs that deliver glitz and glamour but no threat protection.
We need to remember that perpetrator attribution can be extremely difficult in the world of cyber threats. In conventional war it is normally pretty obvious who has initiated an attack, as the physical evidence is manifest. Finding out who really conducted an attack hidden behind layers of proxy servers is problematic, and may result in accusations flying unnecessarily, perhaps even starting a kinetic war if a wrongly accused party is sufficiently aggrieved. That doesn't bear thinking about, and it is incumbent on our governments to have in place the processes and systems to determine with certainty where an attack emanated from, for fear of retaliating against an innocent country or entity. This must be coupled with governments focusing their efforts on preventative measures so that the chances of an attack being successful are minimized.