
Cyber war or business as usual


Are we near the point of cyber-armageddon or are we simply engaged in a new reality of information security priorities? Are the attacks being discovered daily against private sector and public federal systems somehow unique and new, or are they simply the new reality of cyberspace? Organizations are regularly forced to make difficult decisions about how best to protect their information systems. Executives daily open the newspaper to find another example of effective cyber attacks and hacking. How do organizations know when security mechanisms are enough to keep their data safe? In an effort to answer this question and respond to mounting cyber incidents worldwide, the US federal government has been engaging in numerous efforts to secure cyberspace. But what are they and will they be enough? In this presentation James Tarala, a Senior Instructor with the SANS Institute and a Principal Consultant at Enclave Security, will describe current efforts and the tools being offered to help citizens and protect cyberspace.

Published in: News & Politics


  1. CyberWar or Business as Usual? The State of International CyberSecurity Initiatives. James Tarala, Enclave Security
  2. Fear, Fear, Scary Fear
     Actual headlines from the news:
     – “Cyberwar declared as China hunts for the West’s intelligence secrets” – The Times of London
     – “China has declared a cyber war: NATO” – The Times of London
     – “Cyber War: Sabotaging the System” – 60 Minutes
     – “Is Israel at Cyber War with Iran?” – ABC News
     – “FBI Warns Brewing Cyberwar May Have Same Impact as Well-Placed Bomb” – Fox News
     – “Cyber Warriors” – The Atlantic
     – “Iran Arrests 30 Accused Of U.S.-Backed Cyberwar” – Dark Reading
     CyberWar or Business as Usual? © Enclave Security 2010
  3. Is CyberWar Real?
     • It depends on who you ask…
     • The media today has realized that cyber-anything sells
     • So you can’t help but hear about:
       – CyberWar
       – China hacking everyone
       – The Advanced Persistent Threat (APT)
       – Russian organized crime & CyberCrime
       – Stolen credit cards & identities
  4. Some Say No…
     “There is no cyberwar…” – Howard Schmidt, US Cyber-Security Coordinator
     “I think that is a terrible metaphor and I think that is a terrible concept. There are no winners in that environment.” (Wired)
  5. Some Say Yes…
     “We can anticipate that adversarial actors will make cyberspace a battle front in future warfare… Even today, intrusions and espionage into our networks, as well as cyber-incidents abroad, highlight the unprecedented and diverse challenges we face in the battle for information.” – Gen. Kevin Chilton, USAF
     “Cyber is a domain, just as land, sea, air, and space are domains. God made those four domains; you made the fifth one. God did a better job.” – Gen. Michael Hayden, Former USAF / Director of the CIA
  6. Some Say Yes…
     “This right has not been specifically established by legal precedent to apply to attacks in cyberspace, it is reasonable to assume that returning fire in cyberspace, as long as it complied with law of war principles... would be lawful.” – Gen. Keith Alexander, Cybercom
     “The big question is can a cyber attack invoke a physical response? The answer is we don’t know what the appropriate response is to cyber war against a NATO ally, or what is the appropriate response by a NATO ally to an attack on us.” – Mark Rasch, Former Head of DoJ Cybercrime Unit
  7. What is Real?
     • CyberWar is real
     • CyberEspionage is real
     • CyberCrime is real
     • However, all three need to be defined
     • Appropriate responses need to be defined
     • Rules of engagement for nations / organizations / individuals need to be defined
  8. First, the Origin of “Cyber”
     • First coined by William Gibson (cyberspace) in his 1982 short story, Burning Chrome
     • A later book, Neuromancer, defines it further
     • In 2000 he said, “All I knew about the word ‘cyberspace’ when I coined it, was that it seemed like an effective buzzword. It seemed evocative and essentially meaningless. It was suggestive of something, but had no real semantic meaning, even for me, as I saw it emerge on the page.”
  9. CyberWar – Defined
     • Unfortunately there is no agreed-upon definition for any cyber-related terms
     • Therefore we will take “cyber” out of the equation
     • War can be defined as (Encarta):
       1. armed fighting between groups: a period of hostile relations between countries, states, or factions that leads to fighting between armed forces, especially in land, air, or sea battles – “The two countries are at war.”
       2. period of armed fighting: a period of armed conflict between countries or groups – “during the Vietnam War”
       3. conflict: a serious struggle, argument, or conflict between people – “The candidates are at war.”
  10. A CyberWar Example
     • Attacks began 4/27/2007
     • Included DDoS, web defacement, & spam attacks against the government, businesses, & individuals
     • Initiated after the movement of the Bronze Soldier of Tallinn
     • Russian gov’t denied involvement
     • Attributed to a single Estonian citizen, or various hacktivists
  11. Another CyberWar Example
     • South Ossetia War of 2008
     • Attacks began 8/5/2008, three days prior to the Russian invasion
     • Attacks consisted primarily of DDoS attacks against news agencies & government sites
     • Attribution never officially established; again hacktivists are blamed
  12. More CyberWar Examples
     • 1982 – US alters code managing a Russian natural gas pipeline
     • 1998 – US hacks into Serbian air defense systems prior to bombing attacks against targets
     • 2006 – Israel blames Hezbollah for hacking Israeli sites during the 2nd Lebanon War
     • 2007 – Various Kyrgyz websites & ISPs targeted with DoS attacks during an election by an unknown actor
     • 2009 – Various Iranian government websites targeted in response to elections
  13. CyberEspionage – Defined
     • Unfortunately there is no agreed-upon definition for any cyber-related terms
     • Therefore we will take “cyber” out of the equation
     • Espionage (spying) can be defined as (Encarta):
       1. Somebody employed to obtain secret information: an employee of a government who seeks secret information in or from another country, especially about military matters
       2. Employee who obtains information about rivals: an employee of a company who seeks secret information about rival organizations
       3. Secret observer of others: a watcher of other people in secret
  14. A CyberEspionage Example
     • Attack made public 4/2009
     • Attack primarily involved theft of military secrets
     • Specifically, electronics & design specifications for the F35 project
     • Information could be used to better defend against the fighters
     • No official attribution declared; many speculate Chinese origins
  15. Another CyberEspionage Example
     • Attack occurred Winter 2009/2010
     • Believed to utilize a 0-day exploit in IE6
     • Primary target was a breach of confidential search engine code & email accounts
     • Again attribution never officially determined, but again the Chinese have been blamed
  16. More CyberEspionage Examples
     • 1996 – 2003 – “Titan Rain” attacks against US military targets from alleged Chinese sources
     • 1996 – 1998 – “Moonlight Maze” attacks against US military, energy, and university targets from alleged Russian sources
     • 2007 – “Digital Pearl Harbor” attacks against US military networks by an unknown national actor
     • 2009 – “GhostNet” revealed by researchers as an attack against numerous US interests by alleged Chinese sources
     • 2009 – Unknown national actors attack US & South Korean government facilities from alleged North Korean sources
  17. CyberCrime – Defined
     • Unfortunately there is no agreed-upon definition for any cyber-related terms
     • Therefore we will take “cyber” out of the equation
     • Crime can be defined as (Encarta):
       1. An illegal act: an action prohibited by law or a failure to act as required by law
       2. An illegal activity: activity that involves breaking the law
       3. An immoral act: an act considered morally wrong
       4. An unacceptable act: a shameful, unwise, or regrettable act
  18. An Example of CyberCrime
     • Attack occurred 11/8/2008
     • Primarily a financial theft, stealing $9.5 million from user bank accounts
     • Utilized stolen bank cards, raised their withdrawal limits, & used mules to withdraw funds from distributed ATMs
     • Attributed to 4 individuals from Eastern European nations
  19. More CyberCrime Examples
     • 1/2009 Heartland Payment Systems (130+ million)
     • 4/2009 Oklahoma Dept of Human Services (1 million)
     • 4/2009 Oklahoma Housing Finance Agency (225,000)
     • 5/2009 University of California (160,000)
     • 7/2009 Network Solutions (573,000)
     • 10/2009 U.S. Military Veterans Administration (76 million)
     • 10/2009 BlueCross BlueShield Assn. (187,000)
     • 12/2009 Eastern Washington University (130,000)
     • 1/2010 Lincoln National Corporation (1.2 million)
     • 3/2010 Educational Credit Management Corp (3.3 million)
  20. The Problem of Attribution
     • One of the biggest challenges responders face is the issue of attributing attacks to known actors
     • Attribution: “the ascribing of something to somebody or something, e.g. a work of art to a specific artist or circumstances to a specific cause” (Encarta)
     • How can incident responders attribute an attack to a bad actor?
       – IP address / MAC address?
       – Coding signatures?
       – Public announcements / credit?
  21. Admitting to Offensive Capabilities
     • Which nations admit to having offensive CyberWarfare capabilities?
     • So far, only the following have stepped forward publicly:
       – The United States (CyberCom)
       – The United Kingdom (Office of Cyber Security)
       – South Korea (Cyber Warfare Centre)
     • The following nations do not deny this capability:
       – France, Germany
       – Israel
       – India, Russia
       – North Korea, Iran
  22. One Response to the Attribution Issue
     • Hold countries responsible for the actions that occur within their IP address ranges
     • “Since the price of entry is so low, and … it’s difficult to prove state sponsorship, one of the thoughts … is to just be uninterested in that distinction and to actually hold states responsible for that activity emanating from their cyberspace… Whether you did [the attack yourself] or not, the consequences for that action [coming from your country] are the same.” – Gen. Michael Hayden
  23. The US Response
     So what has the US done since Jan 2009:
     – Commissioned Melissa Hathaway to perform a 60-day CyberSecurity review of US federal systems
     – Appointed Howard Schmidt as Cyber Security Coordinator
     – Proposed numerous pieces of legislation
     – Authorized the creation of CyberCom
     – Confirmed Gen. Keith Alexander as the head of CyberCom
     – Assigned the DHS responsibility for protecting non-DoD federal computing systems
     – Made recommendations for continuous monitoring & assessment controls
  24. 60 Day Cyber Security Review
     Recommendations from the Review:
     1. Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities
     2. Prepare an updated national strategy to secure the information and communications infrastructure
     3. Designate cybersecurity as one of the President’s key management priorities and establish performance metrics
     4. Designate a privacy and civil liberties official to the NSC cybersecurity directorate
     5. Formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government
  25. 60 Day Cyber Security Review (2)
     Recommendations from the Review (cont):
     6. Initiate a national public awareness and education campaign to promote cybersecurity
     7. Develop U.S. Government positions for an international cybersecurity policy
     8. Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement
     9. Develop a framework for research and development strategies that focus on game-changing technologies
     10. Build a cybersecurity-based identity management vision and strategy
  26. CyberSecurity Legislation
     • Data Breach Notification Act, S 139
     • Data Accountability and Trust Act, HR 2221
     • International Cybercrime Reporting and Cooperation Act, S 1438 and HR 4692
     • Cybersecurity Enhancement Act, HR 4061
     • FISMA II, S 921
     • Intelligence Authorization Act, HR 2071
     • Cybersecurity Act of 2009, S 773
     • The Grid Reliability and Infrastructure Defense Act, HR 5026
     • Energy and Water Appropriations Act 2010
  27. US Military Security Efforts
     Creation of a Central Cyber Command:
     – Referred to as Cybercom
     – To be led by Director of the National Security Agency (NSA) Gen. Keith Alexander
     – To be located at Fort Meade
     – To have both defensive and offensive capabilities
     – Will centrally coordinate all DoD cyber defensive activities
     – Will assist private industry with the “Perfect Citizen” program
     – This is in addition to numerous commands within each of the branches of service
  28. DARPA’s Contribution
     • “The National Cyber Range program demonstrates the government’s commitment to incubate and create incentives for game-changing technological innovation.”
     • “Test new ‘leap-ahead’ concepts and capabilities required to protect U.S. interests against a growing, worldwide cyber threat.”
  29. So, what’s next?
     • “The times they are a-changin’” – Bob Dylan
     • Let’s be definitive with our terms
     • Not everything is a “Cyber War”
     • But, that doesn’t mean that bad things aren’t happening
     • There is a “new normal” – business as usual
     • Clearly electronic / cyber elements will be involved in future nation-state conflicts
     • Nations / organizations / individuals need to know how to respond & mostly how to protect themselves
  30. An International Response
     • Nation states need to agree on terms & appropriate responses
     • A “Cyber Treaty” agreed to internationally makes sense
     • A new version of the Geneva Convention that specifically addresses the changing nature of warfare & technology
     • Russia proposed such a treaty in 1998 – it never materialized
     • 15 nations are currently considering such a treaty
     • Hamadoun Toure of the ITU has also proposed the idea
     • Many questions still exist, specifically how to enforce it & hold nations accountable for attacks
  31. An Organization’s Response
     • “Quit whining, act like a man and defend yourself.” – Gen. Michael Hayden
     • Practically, how do we make this happen?
       – Decide how important information & systems are to you
       – Determine how badly you really want to protect that information
       – Dedicate resources to the issue
       – Consider a control framework that focuses on methods for deterring directed cyber attacks
  32. 20 Critical Controls / CAG
     • “This consensus document of 20 crucial controls is designed to begin the process of establishing that prioritized baseline of information security measures and controls” (CAG)
     • 20 specific control categories meant to provide a prioritized response to these attacks
     • A chance for the cyber offense to inform the defense
     • Controls based on the principles of continuous monitoring & automation
     • Resources are limited, therefore let’s start with those controls that have the biggest impact in creating defensible systems
  33. Further Questions
     • If you have further questions & want to talk more…
     • James Tarala
       – E-mail:
       – Twitter: @isaudit, @jamestarala
       – Blog:
     • Resources for further study:
       – CSIS & SANS 20 Critical Controls
       – OMB Memorandum M-10-15
       – NIST Security Control Automation Protocol (SCAP)