This document discusses rethinking the cyber threat and proposes a new framework for crafting effective cyber attack responses. It outlines six reasons why the cyber threat is difficult to assess and mitigate, including many malicious actors with different motives, common attack vectors, an integrated shared Internet domain, unpredictable consequences, and worst-case alarming scenarios. Existing models for addressing crime, espionage and military threats based on threat type do not work well for cyber attacks where the attacker is often unknown. A new framework is needed to create more effective cyber attack responses.
Contents
Introduction
Understanding the Cyber Threat
Rethinking the Cyber Threat
The Problem of Attribution
Categories of Attacks
Conclusion
Introduction
For more than two decades, people have struggled to understand the cyber threat, evaluate the risks to individuals and organizations (including nation-states), and craft appropriate responses. Although many organizations have invested significantly in information assurance, most computer security experts believe that a well-resourced and persistent adversary will more often than not be successful in attacking systems, especially if raising defenses is the only response to an attack. For this reason, increasing attention is being paid to deterring such attacks in the first instance, especially by governments that have the power to investigate criminal activity and use a wide range of tools to respond to other public safety and national security concerns.
Notwithstanding this emerging discussion, it appears to many people that neither governments nor industry are well-positioned to respond to this highly complex threat and that, from a policy and tactical perspective, there is considerable paralysis. The purpose of this document is to better explain the cyber threat, identify the reasons why cyber attacks often confound those responsible for crafting responses, and suggest a new framework for creating more effective cyber attack responses.
Understanding the Cyber Threat
The cyber threat is difficult to assess and mitigate for six reasons:
(1) There are many malicious actors. Low-cost computer technology, widespread Internet connectivity, and the ease of creating or obtaining malware mean that almost anyone can engage in malicious activity. Indeed, the Internet is a great place to commit crime because it provides global connectivity, anonymity, lack of traceability, and rich targets. Malicious actors include individuals, organized crime groups, terrorist groups, and nation-states, and actions that might serve to deter one group may be less effective against another.
(2) There are as many motives as there are actors. These motives may relate to traditional areas of criminal activity (for example, fraud or the distribution of child pornography), economic espionage, military espionage, or cyber warfare.
(3) There are many different but commonly used attack vectors. Leaving aside supply chain and insider threats, which pose their own challenges, remote attackers might take advantage of product vulnerabilities, system misconfigurations, and social engineering. Because different actors may use similar techniques, the nature of the attack might not yield reliable clues about the identity of the attacker or the attacker’s motives. This fact, combined with anonymity and lack of traceability, means that attributing attacks is very difficult, and punishment for malicious activity is unlikely.
(4) The Internet is a shared and integrated domain. It is shared by citizens, businesses, and governments in a manner that makes it difficult to segregate one group from another. Moreover, free speech, commercial transactions, espionage activities, and cyber warfare may be occurring in this shared and integrated domain, all at the same time and over the same transport medium. With a limited ability to parse actors and activities, tailored responses to specific threats are extremely hard to craft.
(5) The potential consequences of an attack are very difficult to predict. Certain nefarious activity such as network scans or unauthorized system access may be a prelude to information theft, a data integrity breach, or a disruption of service. Moreover, the complex interrelationships between systems suggest that there may be unanticipated cascading effects, some of which may be more severe than even the intended effect. Finally, while some attacks may be obvious (for example, a denial of service attack against a critical infrastructure) and generate a quick response, other attacks may be hard to detect. Much has been written about the exfiltration of data from sensitive systems; a more disconcerting scenario might be a critical alteration of data. Not only can this be difficult to detect, but it may be difficult to discern when the data was changed without authority, thus making it difficult to “roll back” to a known good state.
(6) The worst-case scenarios are alarming. In the popular press, policy space, and think tanks, these scenarios include disrupting critical infrastructure services, impeding key economic functions, or imperiling public safety and national security (thus explaining oft-repeated references to an “electronic Pearl Harbor”). The complexity of these scenarios, which results in part from massive interconnectivity and dependencies between systems that are not always well understood, has made it difficult to develop a consensus regarding the probable consequences of an attack. As for our ability to recover quickly from such an attack, society’s increasing dependence on information technology systems and the data they contain may mean that there is no longer an existing manual process with trained people to fall back on.
In an environment where actors and motives may be unknown and in which the potential consequences may be dire, it is easy to understand why there is great concern. But where there are so many actors with so many motives – and these actors and their activities are commingled with innocuous and even constitutionally protected activities – it is also easy to understand why those responsible for crafting strategic and tactical responses get bogged down.
To complicate matters even more, society is not starting with a blank slate: there are existing methods for dealing with bad actors, methods that have been codified in law and that do not work well in this new environment. For example, in the United States we have a legacy of organizations that use different authorities to address different threats to public safety and national security. To protect citizens against crime, we hire, train and equip law enforcement personnel and, as part of an investigation, we permit them to issue subpoenas, execute search warrants, and obtain wiretap orders under the Electronic Communications Privacy Act (ECPA). To protect us against those who would steal our military secrets or attack other vital state interests, we rely upon the intelligence community to both collect foreign intelligence and engage in counterintelligence; as part of its work, that community may rely upon a different set of authorities, such as National Security Letters and the Foreign Intelligence Surveillance Act (FISA). Finally, to address the military threat posed by another nation-state, we fund a military that relies on yet a different set of authorities in the United States Code (for example, Title 50 and Title 10). Other countries have a similar separation of authorities. In short, depending upon the category of threat, countries deploy different resources, and each resource plays by its own set of rules.
This traditional model works well when one can identify the nature of the attack; specifically, “who” is attacking and “why.” This traditional model fails in the Information Age because when computers are under attack, the “who” and “why” are frequently unknown. By way of example, many years ago a Russian military plane shot down a Korean civilian jetliner. For a long time, notwithstanding Russian claims of non-responsibility, it was widely believed that state action, or at least rogue military action, was responsible. Why? Because civilians do not have access to fighter jets. But the notion that only states have access to weapons of war is no longer correct, at least not if information warfare is considered. Simply put, it is not difficult to obtain computer technology and the skills to misuse it; a potentially powerful arsenal has been placed in the public domain. Our traditional vigilance regarding states that support terrorism, political unrest, or are otherwise considered “rogue” (that is, “nations of concern”) must now be supplemented by vigilance regarding “individuals of concern,” a far larger pool, and one that is harder to identify and harder to contain. If one appreciates that an attack upon a defense department may come not only from a foreign nation conducting information warfare, but also from juveniles living within the victim’s country (as it did in Solar Sunrise, the case name for a cyber attack against the U.S. Department of Defense), then one appreciates that launching a military response might not be the right approach. In short, the world is confronted with two problems: (1) a plethora of attacks by a diverse set of individuals with differing motives and (2) security response systems that are contingent on knowing facts that may be unavailable.
Rethinking the Cyber Threat
In a world of such diverse threats and increasing allegations of cyber crime, economic espionage, military espionage, and cyber warfare, it is critically important that governments and cyber security professionals think differently about malicious cyber events and how to respond to them. The starting point is breaking down attacks by attribution and category. With regard to “the who” (and, inferentially perhaps, “the why”), there may be strong attribution, some probability of attribution (high to low), or no attribution. With regard to categories, there are four: cyber crime, military espionage, economic espionage (and other areas where nation-states are in philosophical disagreement on normative behavior) and cyber warfare. Each level of attribution and each category of attack raises unique issues regarding response, with one exception: defensive measures are always appropriate, and nothing prevents someone from adopting stronger security measures, such as adopting multi-factor authentication. Strong defenses are not enough, however, as offense almost always beats defense on the Internet. So although stronger defenses might deter some who will seek easier targets (much like locking one’s door encourages a burglar to seek a less-protected house), persistent, well-funded and motivated adversaries are not readily deterred by defenses, especially because defenses have proven insufficient in so many cases.
The Problem of Attribution
The starting point for any new strategy must focus on attribution because, even though the open and unauthenticated nature of the Internet makes attribution difficult, having some idea of who the bad actor might be is certainly helpful. Today, attribution is extremely difficult for both technical and non-technical reasons. Key data relating to source may not exist or may be inaccurate, those who have relevant data may be reluctant to share it, and even governments that want to collaborate may find it difficult to do so because of legal constraints, especially if data must be obtained and shared across jurisdictional boundaries. When data is shared, it may still be hard to reach consensus on what the data means.
For example, in the recent attacks against Google, many different “theories” regarding actors and motives were advanced. Without in any way suggesting one theory is more plausible than any other, the recent attacks on Google led people to suggest that these attacks were the work of (1) the Chinese Government (“Chinese Attack on Google Among the Most Sophisticated Cyberattacks Ever, Experts Say,” POPSCI, January 15, 2010),[1] (2) Chinese universities (“2 China Schools Said to be Tied to Online Attacks,” The New York Times, February 18, 2010),[2] or (3) a Chinese hacker (Steve Ragan, “Was Operation Aurora really just a conventional attack?”, January 27, 2010).[3] More recently, researchers have expressed some confusion over whether this incident consisted of one attack or two, and have referenced the existence of a Vietnamese Botnet.[4]
In light of current realities, it seems that the issue of attribution must be addressed in three ways. First, attribution should be improved where possible. Leaving aside long-term efforts to re-architect the Internet, it is possible to increase attribution through wider application of existing strong authentication technologies (along with appropriate auditing), through more effective technical trace-back mechanisms (when legally permitted), or through more streamlined international assistance (in cases where foreign assistance is practical). For example, even today it is possible to deploy technologies that enforce more robust authentication of hardware and people (for example, TPM to TPM-based authentication, which is multi-factor authentication based upon the issuance of secure digital credentials after in-person proofing).5 The benefits of more robust attribution are that some attackers will be deterred, some attackers will be thwarted, and some attackers may be identified. And although more sophisticated adversaries may still be successful, the fact that some attacks have been deterred or prevented permits organizations to refocus some of their existing security resources on more complex and intractable threats.
1 http://www.popsci.com/technology/article/2010-01/chinese-cyber-attack-google-among-most-sophisticated-ever-experts-say
2 http://www.nytimes.com/2010/02/19/technology/19china.html?partner=rss&emc=rss
3 http://www.thetechherald.com/article.php/201004/5151/Was-Operation-Aurora-really-just-a-conventional-attack
4 http://blog.damballa.com/?p=652
Second, it will likely be important to focus on probability of accurate attribution, as opposed to certainty of attribution. In many areas, of course, absolute certainty is seldom achievable. For this reason, a range of different standards have developed (for example, proof beyond a reasonable doubt, a preponderance of the evidence) and individuals and organizations often have to rely upon probabilities when making critical decisions (such as when opting for one medical treatment over another). Of course, the greater the certainty, the easier it may be to choose a course of action, but that does not mean certainty is required before reasonable action can be taken.
Third, it will be necessary to decide what actions, if any, are permissible in those cases for which the probability of accurate attribution is low for either technical or non-technical reasons. The “safe” answer is, of course “none,” at least in terms of reducing international tension regarding unilateral action. But the problem with that answer is it leaves too many threats unaddressed and causes victim countries to assume too much risk to public safety and national security. If this is correct – if the status quo is not acceptable – then a different calculus is required. One possible approach is to focus on probability and harm, and whether that harm can be avoided through traditional mechanisms. If, for example, (1) an attacker has successfully penetrated a critical system; (2) the attacker has the capability of causing serious damage; and (3) timely and meaningful foreign assistance is not forthcoming, affirmative action may be warranted even if one cannot assert, with certainty, that the attacker is affiliated with a particular group.
This approach, of course, highlights the many challenges in this area. What is the right “probability” threshold, what is the right tolerance for “harm,” what constitutes “timely and meaningful assistance,” and what type of response will be viewed as proportionate? Although these are all difficult questions, society has tackled them in other areas. For example, in the areas of nuclear proliferation, development of weapons of mass destruction, and harboring terrorists, countries frequently determine whether another country’s assistance is meaningful, whether negotiations represent progress or a stalling tactic, and what repercussions might be appropriate if forward progress is not made.
To be clear, one cannot overstate the challenges in this area. While an attack on a supervisory control and data acquisition (SCADA) system may readily suggest the potential of a dire consequence, the impact of other attacks can be far more difficult to predict. For example, scanning a system and accessing accounts without authority may be a prelude to information exfiltration (which is serious, but perhaps not devastating) or the alteration of critical data that might result in serious physical injury or death. A system scan may be the prelude to an attack on the confidentiality of data or a denial of service attack. Such uncertainties can cause inaction and, ultimately, countries will need to discuss what level of risk is tolerable and when certain actions are appropriate. It must also be remembered that national authorities have a wide range of tools at their disposal, from political demarches to economic sanctions to cyber or kinetic counter attacks; as in the physical world, different predicates will justify different responses. But establishing some a priori agreement between nation-states might help define acceptable behaviors and decrease tensions when action is taken.
5 For more on authentication, see the “Establishing End-to-End Trust” white paper at http://www.microsoft.com/mscorp/twc/endtoendtrust/vision/.
Categories of Attacks
Of course, in some cases attribution – or at least a high probability of accurate attribution – is possible, even if not disclosed publicly. These attacks fall into four different categories. Once this is understood, it becomes clear where society’s current response mechanisms could be improved, and where new strategies must be adopted.
The first category relates to conventional cyber crimes.6 These crimes include cases in which computers are targeted for traditional criminal purposes, such as fraud, or used as tools to commit traditional offenses (for example, the distribution of child pornography). In this category, existing law enforcement mechanisms generally provide the right framework for response, but much work needs to be done to update and harmonize national legal regimes and increase dramatically the speed of law enforcement execution. Nation-states should be encouraged to pass cyber crime legislation where it is needed, to develop the capability and capacity to fight cyber crime, and to join international efforts (for example, the Council of Europe Convention on Cybercrime). To the extent that other nations refuse to help address this threat, governments should think about the mechanisms they traditionally use to obtain greater international assistance from reluctant countries. Efforts against money laundering and other transnational crimes can provide valuable lessons in this area.
The second category relates to military espionage cases; more specifically, the allegations that some nation-states intrude into and exfiltrate large amounts of sensitive military data from government agencies and/or the military industrial base. Without diminishing the seriousness of these allegations, it is important to recognize that military espionage has been occurring from time immemorial, and that some victims of military espionage may be engaged in such espionage activities themselves. Knowing it is unlikely that such conduct will stop, countries should aggressively raise their cyber defenses, hone their offensive capabilities, and use those traditional elements of national power that are typically used to address espionage concerns.
The third category relates to economic espionage cases and other cyber events where governments clearly have philosophical differences about what constitutes acceptable behavior. For example, many countries believe that businesses should compete on a level playing field, and that legal systems should protect the right of those who develop new ideas to monetize them. By contrast, other countries believe that national security is dependent on economic security and, to achieve economic advantage, it is the government’s role to support indigenous industries by stealing the intellectual property created in other nations (or at least turn a blind eye when a domestic company steals information from foreign competitors). These countries are not deterred by the fact that such an approach is both immoral and nearsighted. It is immoral because the theft of intellectual property is, quite simply, theft, and nearsighted because a country cannot establish a culture of innovation and achieve true economic advantage if intellectual property rights are not respected. Where countries do have such philosophical differences, international diplomacy should focus on establishing appropriate international norms and codifying those norms in international agreements, as has been done in other areas.
6 The cyber crime category is by far the broadest as it captures the largest numbers of actors (from juveniles to repeat offenders) and the largest number of motives/actions (from tampering with one’s school grades to committing complex fraud to causing significant damage to an IT system in a non-warfare context). Clearly, international government responses will have to be flexible and proportional.
Another area of philosophical dispute, and one that is even more challenging than economic espionage, relates to freedom of speech. With regard to economic espionage, the debate is a fairly binary one: either the theft of property for national economic benefit is appropriate or it is not. By contrast, the right of free speech rests along a continuum: some countries are more restrictive than others. In such cases, questions may arise regarding the extent to which speech is restricted (there is, for example, a big difference between criminalizing hate speech and criminalizing religious or political speech) as well as whether the government that restricts speech was democratically elected (thus indicating that any restrictions are sanctioned by the populace). To complicate matters even more, when countries do negotiate international agreements and set normative behavior, it is common to have a treaty provision – essentially a carve out – that reserves to governments the authority to take those actions necessary to protect public order and national security, notwithstanding other provisions of the treaty. Because countries will not waive this sovereign right to protect public safety – and because limitations on speech are often justified as necessary to maintain public order – it is unlikely that negotiations will easily yield new normative behaviors. Still, agreements on the margins may be achievable. For example, in an age in which user-created content is transmitted across global IT systems and stored in a cloud, ensuring safe harbor for those who provide the “pipes” or “cloud services” would be warranted, particularly if they are responsive when issues of legality are raised.
The fourth category relates to cyber warfare, a particularly difficult area because, as noted earlier, the Internet is a shared and integrated domain. In the physical world, it is easier to separate troops from hospitals, and there are even rules of war that govern permissible responses when troops launch attacks from hospital rooftops. The Internet does not permit such clean demarcations. But today there is also another problem: society is redefining “warfare.” As is well known, an individual recently attempted to bomb an airliner travelling to Detroit, Michigan. Reported evidence suggested this individual had connections to a known terrorist group and, in the aftermath of that attempted attack, there was a debate about whether this individual was a criminal who should be read his constitutional rights (given his “Miranda” warnings) or an enemy combatant who belonged in military custody. Of course, in future cases, a person sympathetic to an extremist cause might undertake to blow up a plane without any formal connection to any organized terrorist group; the actor might simply be a
sympathizer who is acting alone. If this happened, a nation-state might well find itself “at war” with a single individual. Asymmetric warfare has significant implications for cyber attacks, because the Internet permits a potentially anonymous and untraceable individual with virtually no resources to engage a nation-state in cyber warfare. Rules for such asymmetric cyber warfare will need to be considered.
But even if cyber warfare were restricted to nation-state activity, the risk of casualties to critical infrastructures and non-combatant property would be significant, especially when one considers that the unintended consequences of an attack may be hard to predict. Much has been written about this (see, for example, the National Research Council Report, “Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities,”7) and it is not my intention to repeat those lengthy dissertations here. Suffice it to say, domestic views and international agreements regarding what constitutes appropriate military activity in this shared and integrated domain will be increasingly important as militaries around the world hone their cyber capabilities, and as Internet growth and cloud computing make civilians even more dependent on our IT infrastructure. Indeed, if the concern is an electronic Pearl Harbor, perhaps part of the response is an electronic “Geneva Convention” that protects the rights of non-combatants.
The preceding four categories are important not because they eliminate all the hard questions (they do not), but because they do in some cases make it easier to develop preventative and reactive strategies in cases where attribution exists. They also can help reduce the paralysis that may occur when one attempts to design a single strategy for the myriad threats that are similar only in their use of technology.
Conclusion
There is little doubt that the Internet, with its global connectivity, anonymity, and lack of traceability, poses considerable challenges to those in the private and public sectors who are tasked with protecting it. The breadth of criminal activity, the number of actors and motives, and the lack of reliable attribution have all served to make crafting responses to attacks difficult. While there are no easy answers, greater attribution and clearer rules for responding to both non-attributed and attributed attacks would enable the development and implementation of better strategies and tactics for responding to cyber threats.
If this analysis is correct, the course of future action becomes clearer:
There must be innovation related to attribution. This includes both technological innovation (to permit sources to be found technically) and legal/diplomatic innovation (to allow the data to be shared quickly, even across borders).
7 Available at http://www.nap.edu/catalog.php?record_id=12651.
To deal with cyber crime, it is important for countries to adopt national laws that protect cyber space, build law enforcement capability and capacity, and support international efforts to fight cybercrime.
To address economic espionage and other areas of philosophical disagreement, there must be international discussions leading to the establishment of norms that are then enforced through national policies and international organizations.
To address military espionage, nation states must improve the state of their own computer security, build offensive capabilities as appropriate, and rely upon existing diplomatic and political mechanisms to address disputes.
To address cyber warfare issues, countries must first develop domestic positions on what the rules for this new domain should be, taking due care to recognize the shared and integrated nature of the domain. Then there must be an international dialogue designed to create international norms for cyber space behavior. Creating these norms will be as difficult as it sounds, but it is still both necessary and, ultimately, unavoidable. Absent such an agreement, unilateral and potentially unprincipled actions will lead to consequences that will be unacceptable and regrettable.