An article on
the technical blog Ars Technica gives an interesting perspective on cyber war
that should be taken into consideration when developing policies for US cyber
security. The article, based on a study by Dr. Ian Brown out of the Oxford
Internet Institute, claims that a pure cyberwar fought entirely in cyberspace
is highly unlikely. Current cyber attacks and cyber weapons exploit known
vulnerabilities in computer systems. Once an attack has been executed, top
security and technical firms begin developing countermeasures to (1) fix the
vulnerability and (2) restore currently vulnerable systems. This reduces any
ability to reuse a cyber weapon. This isn’t to say that similar techniques
can’t be reused to exploit other vulnerabilities, but verbatim reuse of a cyber
weapon is almost impossible. Because of this, long-term cyber warfare conducted
in cyberspace, the way we think of conventional warfare conducted in physical
space, is almost impossible. If a vulnerability has been patched, the only way
to execute another attack is to find another flaw in the system. Thus, it would
be difficult to maintain frequent and continuous assaults on one system or a
set of systems over time.
Keeping this in
mind, the real risk of a cyber attack lies in the time frame between when an
attack is launched and when the attack is detected and patched. Therefore,
subtlety is a cyber criminal’s best friend. The longer an attack can go
unnoticed, the more damage it can do. If an attack overtly disrupts a system, it
will be detected and resolved much more quickly than if it quietly disrupts a
system. Malware such as Flame succeeds by taking advantage of this factor.
Flame was identified in May of 2012, but file names of its main malware
component were seen as early as December 2007. This means that Flame had at least 5 years to wreak
havoc on computer systems.
It is also important to note that the greater risk in a
cyber attack is to the systems and information a computer network controls and
not to the computer network itself. Development
of cyber weapons to disrupt systems such as Iran’s nuclear centrifuges
(Stuxnet) is where the threat of cyber attacks really lies. In securing our
computer networks we can also ensure security for the infrastructure in our communications,
energy, finance, food, government, health and transport systems.
What then do we
need to keep in mind in developing cyber security policy? First, deterrence is
nearly impossible because of the anonymity individuals can maintain when acting
in cyberspace. If you don’t know who is attacking you, it is quite difficult
to deter them from doing so. I don’t see this characteristic of cyberspace
changing anytime soon either due to the strong desire to keep the Internet open
and decentralized.
The best way to
prevent cyber attacks from occurring is by eliminating the opportunity. In
other words, software developers need to design flawless systems without
significant vulnerabilities cyber criminals can exploit. It’s nearly impossible
to get rid of all vulnerabilities, but requiring a stronger focus on the larger
ones would be manageable. This will require changing the nature of software
development entirely. If you have ever downloaded a software application from
the web, only to find that you have to install ‘updates’ for the application
months later - congratulations! You have had first-hand experience of the
software industry’s ‘good enough’ mentality. Software developers no longer try
to get an application working right the first time. Instead they unveil a
product that works ‘good enough’ and assume that potential problems can be
fixed as users detect and report them. Policy needs to be framed around changing this
aspect if policymakers ever hope to be able to manage and thwart cyber attacks.
For more info check out.....
1 comment:
Changing the nature of software development to avoid significant vulnerability to cyber attacks would certainly be a step in the right direction for achieving cyber security. Security updates are designed for addressing vulnerability for software in current use. But how do we address the security threat posed by theft of outdated systems? As you correctly state, the greater risk in a cyber attack is to the systems and information rather than to the network. With rapidly changing technology, systems themselves quickly become replaced. I would argue that a program for ensuring the protection of old systems is equally important as addressing the development of new software for national security.
The International Atomic Energy Agency (IAEA) announced today that one of its old computer servers was hacked by an anti-Israeli, pro-Iranian hacker group, identified as Parastoo. The hackers claimed to have stolen the contact information for nearly 200 scientists and officials associated with the IAEA. The names include scientists at U.S., British, European, and Japanese universities, as well as Russia’s Space Research Institute. The group has already posted numerous e-mail addresses of these personnel on the Parastoo website, and is threatening to post the employees’ personal information, unless the IAEA takes immediate action to investigate Israel’s nuclear power plant for evidence of nuclear weapons. The group further demands that the individuals listed sign a petition for the investigation, lest they be considered party to a crime in the event that Israel causes a nuclear incident. The group also vowed to become a permanent fixture in the hacker community.
An IAEA spokesperson stated that the server from which the information was stolen was shut down some time ago, and that efforts to eliminate vulnerability were taken well before it was hacked. Although it is believed that the stolen data did not include information related to the confidential work carried out by the IAEA, technical and security teams are still trying to analyze the situation to ensure that information is no longer vulnerable. Whether information on the IAEA's work was hacked or not, the question of whether it could have been is incredibly alarming simply due to the IAEA's work in nuclear energy.
While these types of cyber attacks do not pose a disruption to sensitive networks, they still pose a major security threat, as there is little chance of recovering the information once it is taken, and no limit as to how the information will be shared or used. Unfortunately, in this type of cyber attack, there is no “patch”. An attack cannot be fixed, it can only be prevented. While technical experts are devising a way to create foolproof software, they should not forget the dire importance of counseling agencies and companies on how to protect what they are no longer using.