Module 8 Textbook Reading
The textbook reading assignment for Module 8 is pages 193-216.
Understand the Limits of the State in Cyberspace: Why Can't the Government Handle it?
Governments cannot control the movement of data the way that governments can control the
movement of people and things. Surprisingly, the authors don't point out the two main reasons
this is true:
• A country may try to control all physical connections to the internet, but wireless is almost
impossible to control.
• Even if a government were able to monitor all internet traffic, the meaning of data is often
unclear to anybody other than the sender and the recipient of that data. The most obvious
example of this is when data is encrypted, but even unencrypted data is often meaningless
without context.
On top of that, data can be instantly moved across borders to anywhere in the world. One day it
might be stored in Seattle, the next day in Finland and the next day in South Africa.
One of the ramifications of these facts is that governments cannot control internet content as
much as they would like. The other ramification, which is more immediately of interest to us, is
that governments also cannot simply monitor internet traffic for attacks and block the attacks.
There's no way to monitor the internet for cyberattacks in the way that radar can be used to
monitor for attacks by aircraft.
The authors discuss other related topics in this section as well, including the government's
reliance upon the private sector. For instance, at the top of page 196:
“98 percent of U.S. government communications, including classified communications, travel over civilian owned-and-operated networks”
This statistic makes it easy to grasp just how dependent the government, including the military, is
upon private-sector infrastructure. (By the way, they are not saying that classified communications
travel over private networks in plaintext; they would be encrypted to preserve confidentiality while
on those networks.)
Rethink Government's Role: How Can We Better Organize for Cybersecurity?
This section and the next have a lot of good information in them, but I have to admit that the
organization of these sections is not obvious to me – it almost feels like stream of consciousness
writing. For instance, in this first section, I made a list of 21 separate topics that the authors cover
in just seven pages. Perhaps the authors wrote these sections to make clear one of their main
points – that the government is also not organized when it comes to cybersecurity!
IT 238 Introduction to Cyberterrorism Central Washington University – ITAM
You should probably view both this section and the next more as examples of what the
government is doing, is not doing, and could be doing to improve cybersecurity. I will just point
out some specific topics you should not miss.
By the way, very little has changed in any of these topics since the book was written.
On pages 199-200 there's an important discussion of the conflict in the dual roles of the government, and the NSA in particular, as they want both to improve the cybersecurity of some devices and to be able to infiltrate other devices. We'll look more at this in the outside readings.
One of the most helpful things that the government has done is to provide guidance for cyber defenses. It is not obvious from the name, but the National Institute of Standards and Technology (NIST) is the government entity that does the most to provide cybersecurity expertise, both for the rest of the government and for the private sector. Unlike the NSA, NIST does not have any other competing mission. You can browse NIST's computer security website here:
http://csrc.nist.gov/
After the mention of NIST, there's a discussion of critical infrastructure and the electric power grid in particular. It shouldn't make you feel any more confident in the security of critical infrastructure, and again, little has changed since the book was written.
Then they talk about the government's ability to use market forces to improve cybersecurity. The government is a large customer of IT products, and could presumably use that leverage to require companies to create more secure products. The textbook mentions one difficulty of that strategy, which is that the government really is only about 0.1% of the market today. The textbook doesn't mention the other difficulty, which is that if procurement rules are going to require higher levels of security, there has to be some way of measuring the security of competing products, and of determining what premium should be paid for the difference in security. This is not just a difficulty for the government, but for any organization (or person) who wants to use security as a criterion for making purchasing decisions.
Finally, don't miss the comment about the relationship between a $100 microchip and a $100 million helicopter. This is a perfect example of the supply chain problem from Module 4.
Approach It as a Public-Private Problem: How Do We Better Coordinate Defense?
Brian Krebs is the star of the first story in this section. He started as a Washington Post reporter and really took the time to learn about cybersecurity. He left the Post and is now a freelance blogger and author. He has been the original source of many cybercrime news stories during the past few years. Though his focus is cybercrime (for profit, not political goals) and therefore isn't directly relevant to this class, I still highly recommend his blog:
http://krebsonsecurity.com/
The discussion that follows, about trying to make it difficult for cybercriminals to turn their stolen data into cash, is an important topic in cybercrime, but not nearly as relevant to our course. But starting at the top of page 208 we get to some very key topics for this course.
First up, the authors discuss how ISPs could be more involved in cybersecurity. ISPs are uniquely positioned to identify and block certain types of attacks, though they are reluctant to do so. The book doesn't mention it, but ISPs will get involved in some big cases, for instance, DDoS attacks against large customers, but they do little for other customers.
Next is a short discussion of the fact that most organizations aren't all that interested in working with law enforcement to catch attackers after a breach. The textbook mentions two reasons, which are worth elaborating on.
• The first reason is that law enforcement wants to preserve evidence, and preserving evidence takes time that the organization would rather spend restoring their systems.
• The second reason is the potential for bad publicity. If an organization doesn't report a cyberattack to law enforcement it is much less likely that the attack will become public knowledge.
This is not unique to cybercrime. Organizations often don't report non-cyber crime either, because they don't want the disruption and bad publicity.
In Module 9 we will talk about situations where organizations are required by law to report breaches.
Exercise Is Good for You: How Can We Better Prepare for Cyber Incidents?
This is a great discussion, but it may be easy to miss the fact that they are talking about four distinct types of exercises:
• Red team/blue team exercises. Using a simulated network, the red team attempts to attack the network while the blue team defends it. The red team plays the role of an attacker with no boundaries on what they are willing to do, while the blue team is usually prohibited from hacking back against the red team.
• Exercises that test the technical defenses of an organization, including their ability to detect attacks. This is usually known as penetration testing. In penetration testing there is a red team attacking the organization's network, but since it is a real, operating network, there are always strict limits on how far the red team can go; for instance, destruction is not allowed. The defenders are usually unaware or just vaguely aware that a penetration test is underway, making the test more realistic.
• Exercises that test the resilience of an organization when a security breach occurs. This type of exercise typically addresses the technical tasks to detect, contain, maintain and recover, but also public relations, interaction with law enforcement, and so on. These exercises are simulations, because you can't practice with a real attack without creating real consequences.
• Military exercises that simulate cyberwar. These don't necessarily have the artificial limitations of the other types of exercises, but just like other types of military exercises, they require the participants to make assumptions about the motivations, tactics and capabilities of the enemy.
There are several academic competitions that involve red team/blue team exercises, at the college and even high school levels. Probably the best known, at least in this region, is the Collegiate Cyber Defense Competition (CCDC).
http://www.nationalccdc.org/
This section has a nice example of a lack of resiliency. Near the bottom of page 213, there's an example of a security team that relied entirely upon email and instant messaging for communication, tools that could be lost during an attack, when they need them the most. For resiliency they need to have backup communication methods that will function during a cyberattack. For instance, cell phones using a cellular network instead of their own (possibly compromised) WiFi network. A backup channel is only useful if it is genuinely independent of the compromised environment: a messaging app that authenticates through the same corporate accounts the attacker now controls is not a backup. And of course, for this to be successful, they also have to ensure that everyone knows all of the relevant phone numbers, even though they will only be using them in an emergency. One thing to be very aware of is that it is easy to set up a backup system like that but fail to maintain it, for instance, by not updating contact information as personnel changes.
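As an added illustration of that last point (this is example code written for these notes, not something from the textbook or the course), here is a small check that flags roster entries that would fail the team during an incident: people who have left, entries with no out-of-band phone number, backup email on the corporate domain, and contacts nobody has confirmed recently. The roster, the HR directory, the 90-day re-verification window and the corporate mail domain are all made-up sample values.

```python
"""Staleness check for an out-of-band incident contact roster."""
from datetime import date, timedelta

# Assumed policy values (not from the textbook): re-verify every contact
# at least every 90 days, and treat a backup address on the corporate mail
# domain as unusable during an outage of that network.
VERIFY_WINDOW_DAYS = 90
CORPORATE_DOMAINS = {"example.com"}

# Constructed sample roster: who the security team calls when email and
# IM are down. All names and numbers are made up.
ROSTER = [
    {"name": "Ana Ruiz", "role": "IR lead", "mobile": "+1-509-555-0101",
     "backup_email": "ana@mail.example.net", "last_verified": "2024-02-10"},
    {"name": "Ben Okafor", "role": "network", "mobile": "",
     "backup_email": "ben@example.com", "last_verified": "2024-04-01"},
    {"name": "Cara Lind", "role": "communications", "mobile": "+1-509-555-0103",
     "backup_email": "cara@mail.example.net", "last_verified": "2023-09-30"},
]

# Constructed sample HR directory: Cara has left since the roster was built.
CURRENT_STAFF = {"Ana Ruiz", "Ben Okafor"}


def check_roster(roster, current_staff, today_iso,
                 window_days=VERIFY_WINDOW_DAYS,
                 corporate_domains=CORPORATE_DOMAINS):
    """Return a list of (name, problem) findings. An empty list means every
    entry is a current person, reachable on a channel that does not depend
    on the corporate network, and confirmed within the verification window."""
    today = date.fromisoformat(today_iso)
    cutoff = today - timedelta(days=window_days)
    findings = []
    for entry in roster:
        name = entry["name"]
        if name not in current_staff:
            findings.append((name, "not in HR directory; remove or replace"))
        if not entry.get("mobile"):
            findings.append((name, "no mobile number; unreachable if the network is down"))
        email = entry.get("backup_email", "")
        domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
        if domain in corporate_domains:
            findings.append((name, "backup email is on the corporate domain"))
        verified = date.fromisoformat(entry["last_verified"])
        if verified < cutoff:
            findings.append((name, "last verified %s, older than %d days"
                             % (verified.isoformat(), window_days)))
    return findings


if __name__ == "__main__":
    for name, problem in check_roster(ROSTER, CURRENT_STAFF, "2024-05-01"):
        print("%-12s %s" % (name, problem))
```

Run something like this on a schedule against the real roster and an HR directory export, and treat every finding as a ticket: a contact you cannot actually reach during an outage is the same as no contact at all.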