Tuesday, November 27, 2012

A Framework For Thinking About Cyber Security Policy

An article on the technical blog Ars Technica gives an interesting perspective on cyber war that should be taken into consideration when developing policies for US cyber security. The article, based on a study by Dr. Ian Brown of the Oxford Internet Institute, claims that a pure cyberwar fought entirely in cyberspace is highly unlikely. Current cyber attacks and cyber weapons exploit known vulnerabilities in computer systems. Once an attack has been executed, top security and technical firms begin developing countermeasures to (1) fix the vulnerability and (2) restore currently vulnerable systems. This reduces any ability to reuse a cyber weapon. This isn’t to say that similar techniques can’t be reused to exploit other vulnerabilities, but verbatim reuse of a cyber weapon is almost impossible. Because of this, long-term cyber warfare conducted in cyberspace, the way we think of conventional warfare conducted in physical space, is almost impossible. If a vulnerability has been patched, the only way to execute another attack is to find another flaw in the system. Thus, it would be difficult to maintain frequent and continuous assaults on one system or a set of systems over time.

Keeping this in mind, the real risk of a cyber attack lies in the time frame between when an attack is launched and when the attack is detected and patched. Therefore, subtlety is a cyber criminal’s best friend. The longer an attack can go unnoticed, the more damage it can do. If an attack overtly disrupts a system, it will be detected and resolved much more quickly than if it quietly disrupts a system. The success of malware such as Flame takes advantage of this factor. Although Flame was identified in May of 2012, file names of its main malware component were seen as early as December 2007. This means that Flame had at least 5 years to wreak havoc on computer systems.

It is also important to note that the greater risk in a cyber attack is to the systems and information a computer network controls, not to the computer network itself. Development of cyber weapons to disrupt systems such as Iran’s nuclear centrifuges (Stuxnet) is where the threat of a cyber attack really lies. In securing our computer networks we also secure the infrastructure behind our communications, energy, finance, food, government, health and transport systems.

What then do we need to keep in mind in developing cyber security policy? First, deterrence is nearly impossible because of the anonymity individuals can maintain when acting in cyber space. If you don’t know who is attacking you, it is quite difficult to deter them from doing so. I don’t see this characteristic of cyber space changing anytime soon, either, given the strong desire to keep the Internet open and decentralized.

The best way to prevent cyber attacks from occurring is by eliminating the opportunity. In other words, software developers need to design flawless systems without significant vulnerabilities cyber criminals can exploit. It’s nearly impossible to get rid of all vulnerabilities, but requiring a stronger focus on the larger ones would be manageable. This will require changing the nature of software development entirely. If you have ever downloaded a software application from the web, only to find that you have to install ‘updates’ for the application months later: congratulations! You have had first-hand experience of the software industry’s ‘good enough’ mentality. Software developers no longer try to get an application working right the first time. Instead they unveil a product that works ‘good enough’ and assume that potential problems can be fixed as users detect and report them. Policy needs to be framed around changing this aspect if policymakers ever hope to be able to manage and thwart cyber attacks.

For more info check out.....

1 comment:

SweetB said...

Changing the nature of software development to avoid significant vulnerability to cyber attacks would certainly be a step in the right direction for achieving cyber security. Security updates are designed for addressing vulnerability for software in current use. But how do we address the security threat posed by theft of outdated systems? As you correctly state, the greater risk in a cyber attack is to the systems and information rather than to the network. With rapidly changing technology, systems themselves quickly become replaced. I would argue that a program for ensuring the protection of old systems is equally important as addressing the development of new software for national security.

The International Atomic Energy Agency (IAEA) announced today that one of its old computer servers was hacked by an anti-Israeli, pro-Iranian hacker group, identified as Parastoo. The hackers claimed to have stolen the contact information for nearly 200 scientists and officials associated with the IAEA. The names include scientists at U.S., British, European, and Japanese universities, as well as Russia’s Space Research Institute. The group has already posted numerous e-mail addresses of these personnel on the Parastoo website, and is threatening to post the employees’ personal information, unless the IAEA takes immediate action to investigate Israel’s nuclear power plant for evidence of nuclear weapons. The group further demands that the individuals listed sign a petition for the investigation, lest they be considered party to a crime in the event that Israel causes a nuclear incident. The group also vowed to become a permanent fixture in the hacker community.

An IAEA spokesperson stated that the server from which the information was stolen was shut down some time ago, and that efforts to eliminate vulnerability were taken well before it was hacked. Although it is believed that the stolen data did not include information related to the confidential work carried out by the IAEA, technical and security teams are still trying to analyze the situation to ensure that information is no longer vulnerable. Whether information on the IAEA's work was hacked or not, the question of whether it could have been is incredibly alarming simply due to the IAEA's work in nuclear energy.

While these types of cyber attacks do not pose a disruption to sensitive networks, they still pose a major security threat, as there is little chance of recovering the information once it is taken, and no limit as to how the information will be shared or used. Unfortunately, in this type of cyber attack, there is no “patch”. An attack cannot be fixed; it can only be prevented. While technical experts are devising a way to create foolproof software, they should not forget the dire importance of counseling agencies and companies on how to protect what they are no longer using.