8/14/2019 In the crossfire - presentation
1/25
January 28, 2010
In the Crossfire
Critical Infrastructure in the Age of Cyber War
Stewart Baker
Center for Strategic and International Studies
Steptoe & Johnson
January 28, 2010 Confidential McAfee Internal Use Only
Summary
1. The threat is real
2. Preparedness is spotty
3. Adoption of security measures lags behind the threat
4. The many roles of governments
5. Outlier regions and sectors
1. The threat is real
60% reported theft-of-service cyberattacks
Low: Germany, UK (42%)
High: India (83%), Brazil (77%), France (76%)
29% reported multiple large-scale denial of service attacks each month, and nearly two-thirds of those reported an impact on operations
High: France (60%), India (50%)
20% reported extortion via network attacks
High: India (40%), Middle East (35%)
Low: US, Germany (12%)
89 percent report infection with viruses or other malware
70-plus percent report a wide range of other attacks
E.g., phishing and pharming. More sophisticated attacks like DNS poisoning or SQL injection are less common, but still widespread: more than half of respondents report these attacks
Extortion is widespread
Why? Because the reported cost of a 24-hour network outage is $6.3 million
Most believe things are getting worse, not better
Major incident: an outage of at least 24 hours, loss of life or failure of a company
Nearly twice as many see vulnerability growing (37%) as shrinking (21%)
Two-fifths expect a major incident within a year
Four-fifths expect a major incident within 5 years
2. Preparedness is spotty
Low confidence in others' preparedness
30% lacked confidence in their banks' and telecom providers' ability to withstand attack
High confidence: China (10-22%), Germany (20%), US (25%)
Low confidence: Japan (50-60%)
Wide differences in national preparedness assessments
In Middle East, 95% said that their sector was not very prepared for Ghostnet-style attacks; in Japan, 50% said the same
In Germany, US and Spain, only 13-17% said their sector was not very prepared for such attacks
Resources are tight due to recession
Security budget cuts are widespread, but most believe they can cope with reduced resources
3. Adoption of security measures lags behind the threat
Basic, key security measures are not widely adopted
Fewer than 60% patched and updated software on a regular schedule
User name and password the most common form of login/authentication
More than three-quarters of SCADA/ICS systems are connected to an IP network or the Internet
Nearly half of those admitted that these connections create unresolved security issues
Security measure adoption rates vary widely by country
Chinese respondents report the highest rate
Italy, Spain and India had the lowest rates
Security measure adoption rate
More than two dozen different security measures -- technologies, policies and procedures
Security Information and Event Management tools
Network access control measures
Intrusion prevention systems
Database security and access controls
Data leak prevention tools
Intrusion detection systems
Firewalls to public network
Firewalls between systems
Application whitelisting
Role and activity anomaly detection
Standardized desktop
Use threat monitoring service
Encryption for
  Online transmission to network
  Laptop hard drives
  Individual emails
  Data in databases
  Data while in network storage
  Tapes, portable media
Authentication by
  User name and password
  Token
  Biometrics
Regular patches and updates
Threat information sharing
Restrict or ban USB sticks
China leads in adopting security measures
4. The many roles of governments
Regulators
Regulation seen as generally positive
74% have implemented new measures as a result of regulation
58% say regulation has sharpened policy and improved security
28% say it has diverted resources from improving security to recording/reporting incidents or other forms of compliance
Audit frequency varies widely
Partners
Co-operation levels vary widely
72% of Chinese respondents participated in an industry information sharing association; only 33% of Italian respondents did
Policemen
Widespread skepticism about governments' ability to protect networks
Attackers, infiltrators and adversaries
Regulator: auditing to enforce compliance varies widely
Policeman: Little faith in laws against cyber-attack
Attacker: 60% believe governments are already attacking their infrastructure
Attacker: Many report government-style attacks
Half report stealthy infiltration by high-level adversary like in Ghostnet
Half report DDOS attacks by high-level adversaries including governments:
Attacker: United States and China are most feared
5. Outlier regions and sectors
China the outlier
Chinese executives report --
Uniquely close cooperation with officials
High levels of regulation and auditing
Very robust confidence in government
Much higher adoption of security measures
China is taking concerted steps to bolster its industries' defenses
Are the steps effective?
Chinese companies report low to average levels of attack and damage
China does appear better protected than other large developing
countries, such as India and Brazil
Oil and gas sector at risk
The oil and gas sector stands out as a target
Reports more Ghostnet-style infiltration than any other sector (71% v. 54% overall)
More large-scale DDOS attacks than other sectors (66% v. 54% overall)
More extortion attacks than other sectors (31% v. 20% overall)
More theft of service attacks than others (75% v. 60% overall)
Attackers more likely to target SCADA systems of oil and gas sector (other sectors see financial information as main target)
Highest cost from 24 hours of down time ($8.4 million v. $6.3 million overall)
Second highest recession-driven cuts in security resources (73% v. 66% overall)
Principal Authors
Stewart Baker
Former official at both Department of Homeland Security and National Security Agency
Cybersecurity law practice at Steptoe & Johnson
Distinguished Visiting Fellow, Center for Strategic and International Studies
Shaun Waterman
Journalist formerly with BBC and UPI
Center for Strategic and International Studies
Further questions for Stewart Baker:
202-429-6402