Cyberwar: How Worried Should We Be? - Austin ISSAbyoung/issa-slides.pdfCyberwar: How Worried Should...

Cyberwar: How Worried Should We Be?

Austin ISSA

Dr. Bill YoungDepartment of Computer Science

University of Texas at Austin

Last updated: May 8, 2013 at 17:09

Dr. Bill Young: 1 Austin ISSA, May 9, 2013

From the Headlines

Pentagon accuses China of trying to hack US defence

networks, The Guardian, 5/7/13

China is using espionage to acquire technology to fuel itsmilitary modernisation, the Pentagon has said, for thefirst time accusing the Chinese of trying to break into USdefence computer networks and prompting a firm denialfrom Beijing.

“The US government continued to be targeted for(cyber) intrusions, some of which appear to beattributable directly to the Chinese government andmilitary,” [the report] says, adding that the main purposeof the hacking is to gain information to benefit defenceindustries, military planners and government leaders.


From the Headlines

House Intel Chair Mike Rogers Calls Chinese Cyber Attacks

Unprecedented, ABC News, 2/24/13

House Intelligence Committee Chair Mike Rogers,R-Mich., said it was “beyond a shadow of a doubt” thatthe Chinese government and military is behind growingcyber attacks against the United States, saying “we arelosing” the war to prevent the attacks.

“It is unprecedented,” Rogers added. “This has neverhappened in the history of the world, where one nationsteals the intellectual property to re-purpose it—toillegally compete against the country.”


From the Headlines

Cyber security in 2013: How vulnerable to attack is US

now?, Christian Science Monitor, 1/9/13

The phalanx of cyberthreats aimed squarely atAmericans’ livelihood became startlingly clear in 2012and appears poised to proliferate in 2013 and beyond asgovernment officials, corporate leaders, security experts,and ordinary citizens scramble to devise protections fromattackers in cyberspace.


From the Headlines

U.S. Not Ready for Cyberwar Hostile Attackers Could

Launch, The Daily Beast, 2/21/13

If the nightmare scenario becomes suddenly real ... Ifhackers shut down much of the electrical grid and therest of the critical infrastructure goes with it ... If we areplunged into chaos and suffer more physical destructionthan 50 monster hurricanes and economic damage thatdwarfs the Great Depression ... Then we will wonder whywe failed to guard against what outgoing DefenseSecretary Leon Panetta has termed a “cyber-PearlHarbor.”


CyberSecurity: An Existential Threat?

Cyberattacks an ’Existential Threat’ TO U.S., FBI Says,Computerworld, 3/24/10

A top FBI official warned today that manycyber-adversaries of the U.S. have the ability to accessvirtually any computer system, posing a risk that’s sogreat it could “challenge our country’s very existence.”According to Steven Chabinsky, deputy assistant directorof the FBI’s cyber division: “The cyber threat can be anexistential threat—meaning it can challenge ourcountry’s very existence, or significantly alter our nation’spotential,” Chabinsky said. “How we rise to thecybersecurity challenge will determine whether ournation’s best days are ahead of us or behind us.”


Question for All of Us

If cyberattacks are a credible threat to the very existence of ournation, why aren’t we at war?

Or are we? Are we currently engaged in a Cyber War?

Or is this talk about Cyber War merely hype and exaggeration?


It’s a Dangerous World

“More than 5.5 billion attempted attacks were identified in2011, an increase of 81% over 2010, with an unprecedented403 million unique malware variants that year, a 41% leap.”(Symantec Internet Security Threat Report, 2012)

Once PCs are infected they tend to stay infected. The medianlength of infection is 300 days.(www.insecureaboutsecurity.com, 10/19/2009)

The Privacy Right’s Clearinghouse’s Chronology of DataBreaches (January, 2012) estimates conservatively that morethan half a billion sensitive records have been breached since2005.

The Ponemon Institute estimates that the approximatecurrent cost per record compromised is around $318.


Some Notable Cyber Campaigns

First Persian Gulf War (1991): Iraq’s command and controlinfrastructure is targeted. Radar and missile control network isfragmented and sections of radar coverage are taken offlinewithout central control being aware of the outage.

Estonia (2007): Cyberattacks disabled the websites of governmentministries, political parties, newspapers, banks, and companies.Russia was suspected of launching the attack.

Georgia (2008): Russia attacked the nation of Georgia in a disputeover the province of South Ossetia. In addition to the militaryattack, a concerted cyber DoS attack shut down much of Georgia’sability to communicate with the external world.


Cyber Attacks on the U.S.

Moonlight Maze: (1998) traced to Russia, exfiltrated manymegabytes of defense-related data, including classified naval codesand info on missile guidance systems.

Titan Rain: (2003) probably Chinese, exfiltrated an estimated10-20 terabytes of data on U.S. systems.

Operation Aurora: (2009) probably Chinese, gained access andpossibly modified code repositories at high tech, security anddefense contractor companies.


Greatest Transfer of Wealth in History

In July, 2012, Gen. Keith Alexander, director of NSA andU.S. Cyber Command, referred to intellectual property loss viacyber espionage as the greatest transfer of wealth in history.

“Symantec placed the cost of IP theft to the UnitedStates companies in $250 billion a year, globalcybercrime at $114 billion annually ($388 billion whenyou factor in downtime), and McAfee estimates that $1trillion was spent globally under remediation. And that’sour future disappearing in front of us.”


But Is It War?

Cyber warfare involves “actions by a nation-state to penetrateanother nation’s computers or networks for the purpose of causingdamage or disruption.” (Richard Clarke and Robert Knake)

This definition raises as many questions as it answers.

Is “warfare” even a useful term in this context?

Can a non-state entity engage in warfare?

Which computers or networks really matter?

Which actions should qualify as acts of war?

Why can’t we defend ourselves?


Is “Cyberwar” the Wrong Concept?

Howard Schmidt, the new cybersecurity czar for theObama administration, has a short answer for thedrumbeat of rhetoric claiming the United States is caughtup in a cyberwar that it is losing. “There is no cyberwar.I think that is a terrible metaphor and I think that is aterrible concept,” Schmidt said. “There are no winners inthat environment.” (Wired, 3/4/10)


Is “Cyberwar” a Dangerous Concept?

Security guru Bruce Schneier, in an interview with Search Security(4/9/13) said:

“My real fear is less the attacks from China and more theincrease in rhetoric on both sides that is fueling a cyberarms race. We are definitely not at war. The wholecyberwar metaphor is dangerous. Right now we areseeing cyber espionage. But when you call it ’war’ youevoke a particular mindset and a particular set ofsolutions present themselves.”


Is “Cyberwar” a Dangerous Concept?

The cyberwar rhetoric is dangerous. Its practitioners areartists of exaggeration, who seem to think spinning talltales is the only way to make bureaucracies move in theright direction. ... Not only does it promote unnecessaryfear, it feeds the forces of parochial nationalism andmilitarism undermining a communications system thathas arguably done more to connect the world’s citizensthan the last 50 years of diplomacy. (Ryan Singel reviewof Clarke and Knake in Wired, 4/22/10)


Espionage, Yes—War, Not so Much

What we are seeing is “Cyber espionage” on a massive scale. Butespionage has never been considered an act of war.

You’re probably thinking: Forget espionage–what about CyberPearl Harbor? What about attacks on critical infrastructure?


Critical Infrastructure

Credible security experts suggest that a successful widespreadattack on U.S. computing infrastructure could largely shut downthe U.S. economy for up to 6 months.

It is estimated that the destruction from a single wave of cyberattacks on U.S. critical infrastructures could exceed $700 billionUSD—the equivalent of 50 major hurricanes hitting U.S. soil atonce. (Source: US Cyber Consequences Unit, July 2007)


What’s the Risk?

The U.S. is more dependent on advanced technology than anyother society on earth.

Much of U.S. critical infrastructure is remotely accessible.

The openness of U.S. society means critical information aboutfacilities (and their vulnerabilities) is widely available.

Other nation states have much more control over theirnational communication infrastructure.

Technology advances rapidly but remains riddled withvulnerabilities.


How Vulnerable is Infrastructure?

“I have yet to meet anyone who thinks SCADA systems should beconnected to the Internet. But the reality is that SCADA systemsneed regular updates from a central control, and it is cheaper to dothis through an existing Internet connection than to manuallymove data or build a separate network.” –Greg Day, PrincipalSecurity Analyst at McAfee


Current Concern

The Obama administration has placed an emphasis on protectionof critical infrastructure from cyber attack.

On 2/12/13, the administration released an executive orderImproving Critical Infrastructure Cybersecurity and PresidentialPolicy Directive 21: Critical Infrastructure Security and Resilience

The Nation’s critical infrastructure provides the essentialservices that underpin American society. Proactive andcoordinated efforts are necessary to strengthen andmaintain secure, functioning, and resilient criticalinfrastructure including assets, networks, and systemsthat are vital to public confidence and the Nation’ssafety, prosperity, and well-being.


Example Threat: Stuxnet

Stuxnet is a Windows computer worm discovered in July 2010 thattargets Siemens SCADA (Supervisory Control and DataAcquisition) systems.

First discovered malware that subverts specific industrialsystems.

First to include a programmable logic controller (PLC) rootkit.

Believed to have involved years of effort by skilled hackers todevelop and deploy.

Narrowly targeted, possibly at Iran’s nuclear centrifuges.

Widely believed to have been developed by Israel and the U.S.

In interviews over the past three months in the United States andEurope, experts who have picked apart the computer wormdescribe it as far more complex and ingenious than anything theyhad imagined when it began circulating around the world,unexplained, in mid-2009. –New York Times, 1/16/11


Stuxnet

Stuxnet is the new face of 21st-century warfare: invisible,anonymous, and devastating. ... Stuxnet was the firstliteral cyber-weapon.

Stuxnet appears to be the product of a moresophisticated and expensive development process thanany other piece of malware that has become publiclyknown.

America’s own critical infrastructure is a sitting target forattacks like this. (Vanity Fair, April, 2011)


Game Changer?

Creating Stuxnet and other highly sophisticated malware (DuQu,Flame, Gauss) might only be possible for a nation state.

Using them is not. Stuxnet and its children are accessible toanyone.

“It would be foolish to assume that the usualsuspects—anywhere from China to North Korea—wouldlet such an opportunity to dissect and reuse componentsof the superweapon pass.” (Ralph Langner, LangnerCommunications)


Who Could Launch Such an Attack?

Nation states: China, Russia, Iran ... but would they risk war withthe U.S.?

Criminals: Don’t have an obvious motive for causing widespreadchaos. It’s bad for business.

Terrorist groups: Probably don’t currently have the capabilities ...but that doesn’t mean they won’t acquire it.


Cyber War With Nation States

Any future conflict of the U.S. with any nation state will involve acyber component.

“War expands to fill all available theaters.” –BruceSchneier

China, Russia, and others are undoubtedly leaving trojans, backdoors, etc. in digital systems. So is the U.S.


What You Can Do

Of course, encourage good security practices

The Australian Defence Signals Directorate showed that you canprevent 85% of targeted intrusions with four key measures:

1 use application whitelisting

2 rapidly patch applications

3 rapidly patch OS vulnerabilities

4 minimise the number of users with admin privileges


What You Can Do

Understand that war rhetoric can be harmful.

Defending against cyber threats does not require militaryexpertise or prowess. We don’t want a militarized cyberspace.

There is no “exit strategy” in the cyber security challenge.

Beating the drums of war encourages people to give up someof their freedoms.


What You Can Do

Educate yourself about Internet goverance and policy issues at thenational level.

Do you understand the implications of SOPA, PIPA, CISPA?CISPA passed the U.S. House of Representatives yesterday. Do youas a security professional have an informed opinion on thisimportant legislation?

“This is something happening now that is beyond computersecurity.” –Bruce Schneier


What You Can Do

Educate yourself about Internet goverance and policy issues at theinternational level.

Did you know: there are proposals circulating to take internetgovernance away from IETF and ICANN and give it to ITU(International Telecommunications Union, a U.N. subsidiary).


ITU Governance of the Internet

The ITU is a treaty-based organization under U.N. auspices. Eachcountry has one vote.

Many countries don’t want the Internet to remain a freemarketplace of ideas.

The broadest proposal in the draft materials is aninitiative by China to give countries authority over ”theinformation and communication infrastructure withintheir state” and require that online companies ”operatingin their territory” use the Internet ”in a rational way”—inshort, to legitimize full government control. (WSJ,6/17/12)

Russian President Vladimir Putin has declared that his goal andthat of his allies is to establish “international control over theinternet” through the ITU.


ITU Governance

What would ITU governance of the Internet mean?

Subject cyber security and privacy to international control

Allow phone companies to charge for international Internettraffic

Impose economic restrictions on traffic-swapping agreements(peering)

Place ICANN under ITU control

Institutionalize national censorship of Internet content

Politically paralyze engineering and economic decisions


What Should You Do?

Champion internet independence and the current multi-stakeholdergovernance model.

Vincent Cerf, one of the founders of the Web, recently toldCongress, this U.N. involvement means “the open Internet hasnever been at a higher risk than it is now.”


Some Sources

Paul Rosenzweig, Cyber Warfare: How Conflicts inCyberspace are Challenging America and Changing the World,Praeger, 2012.

Joel Brenner, America the Vulnerable: Inside the New ThreatMatrix of Digital Espionage, Crime and Warfare, Penguin,2011.

Richard Stiennon, Surviving Cyber War, GovernmentInstitutes, 2010.

Jeffrey Carr, Inside Cyber Warfare, O’Reilly, 2010.

Richard A. Clarke and Robert K. Knake, Cyber War: TheNext Threat to National Security and What To Do About It,Harper Collis, 2010.


Some Sources

Franklin D. Kramer, et al. (editors), Cyberpower and NationalSecurity, National Defense University, 2009.

McAfee, Inc., “2009 Virtual Criminology Report, VirtuallyHere: The Age of Cyber Warfare,” December, 2009.

Matthew J. Sklerov, “Solving the Dilemma of StateResponses to Cyberattacks: A Justification for the Use ofActive Defenses Against States Who Neglect Their Duty toPrevent,” Military Law Review, Winter, 2009.

staff.washington.edu/dittrich/cyberwarfare.html


staff.washington.edu/dittrich/cyberwarfare.html

Date post:	08-Mar-2021
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times

Cyberwar: How Worried Should We Be? - Austin ISSAbyoung/issa-slides.pdfCyberwar: How Worried Should...

Documents