'Electronic Pearl Harbor' Winn Schwartau 'Digita

1

• Bill Neugent
• 17 July 2003

The views expressed are those of the author and
boy do they not reflect the official policy or
position of The MITRE Corp.
2
Outline

• Cyberterrorism!
• Who is to blame?
• Whats really happening?
• The simple solution
• National strategy
• Conclusion

3
Global Reach Interconnected Interdependence

• Our cyber-based assets sit on one interwoven rug
  of global communications
• Global Internet
• Global Public Switched Network
• Cyberterrorism issues
• Availability The rug can be pulled out from
  under us
• Access Cyberterrorists are seconds away

4
The Dilemma

• Power travels at light speed
• Power networks are controlled by computers
• Communication signals travel at light speed
• Communication networks are controlled by computers

Remote control makes it possible to ruin a
complex network
5
Whats At Risk?
6
Supervisory Control and Data Acquisition Were
SCADA On Thin Ice

• Underlies gas and oil, water and sewer,
  electronic power distribution
• 3 million SCADA systems in use
• Increased use of Windows, UNIX
• Utilities connecting SCADA to corporate networks,
  Internet, wireless networks

Stratum8 Networks, 30 October 2002, New Layer of
Internet Security is Required to Protect Critical
Systems that Manage Oil, Natural Gas, and
Electricity Resources
7
So You Say Youre Not On The Internet

• Nearly every bank in the United States runs its
  operations on an internal network that connects
  to the Internet.

Maybe your front door isnt
Sandeep Junnarkar, CNET News, 1 May 2002
8
Beware On Net In 2003

• CIA warns of Net terror threat
• IDC prediction for 2003
• Major cyberterrorism event will disrupt economy,
  bring Internet to its knees for at least a day or
  two
• Professional cyber attack could do several
  hundred billion dollars in damage to U.S.

Declan McCullagh, 29 October 2002, CIA warns of
Net terror threat, CNET News 12 December 2002,
IDC Cyberterror and other prophecies, CNET
News 27 February 2002, A Letter From
Concerned Scientists, to President Bush
9
Shouts of Warning

• Electronic Pearl Harbor Winn Schwartau
• Digital Waterloo
• Center for Strategic and International Studies
• Digital Armageddon
• Sen. Charles Schumer, D-N.Y.

10
Outline

• Cyberterrorism!
• Who is to blame?
• Whats really happening?
• The simple solution
• National strategy
• Conclusion

11
Users
12
Bullies
13
What Motivates Bullies?

• The reason the software you buy isnt secure is
  that companies dont care.
• The reason is there is no liability for
  producing a shoddy product.
• Bruce Schneier

IDG News Service, 19 November 2002, COMDEX
Panel Accept the Net is vulnerable to attack
14
Complexity

• Software more complex than any other human
  construct
• No two parts alike
• Software differs profoundly from computers,
  buildings, or automobiles, where repeated
  elements abound
• Rapid time to market
• Armies of programmers work independently
• Complex legacy software carried forward

Frederick Brooks
15
Industry Complexity

• Example freight information systems involve
  changing mix of companies
• Carriers, shippers, distributors, freight
  forwarders, government agencies, e.g., Customs
• Many interconnections, no integration hard to
• Establish consistent security baseline
• Establish security standards for transactions,
  e.g., e-documents
• Identify and authenticate users and systems

800,000 hazmat shipments/day in U.S.

• Transportation Research Board Special Report 274,
  2003, Cybersecurity of
• Freight Information Systems, A Scoping Study,
  National Research Council

16
Market Forces Made Us Do It

• Competition keeps profit margins low, forces
  cost-saving
• Internet has become critical dependency
• Freight information systems efficient, reliable
• Customers have lower inventories, just-in-time
  inbound material strategies

Market forces Computer-enabled
efficiencies Critical dependencies

• Transportation Research Board Special Report 274,
  2003, Cybersecurity of
• Freight Information Systems, A Scoping Study,
  National Research Council

17
Competition

• Got to drop this extra security weight

18
Deregulation

• Weve delegated public safety and national
  security to market forces

Scott Charney, April 2003, PBS Frontline story
on Cyberwar!
19
The Issue Closing The Gap

• Security needed against state-sponsored attacks

• Security provided by market-based solutions

20
The Inescapable ConclusionWere Toast
21
Outline

• Cyberterrorism!
• Who is to blame?
• Whats really happening?
• The simple solution
• National strategy
• Conclusion

22
Terrorist Know-How, Resources

• We train the world
• Try to find an American in an American grad
  school
• Funding

23
Terrorist Requirement

• Make headline news
• Whats the visual?

After a bomb
After a cyberattack
TV news producer, judging whether to include
coverage of a fire
24
Prognosis For Cyberterrorism

• Not top terrorist priority
• Definitely on their to-do list
• Much terrorist research and preparation for
  cyberterrorism

• Col Bradley K. Ashley, USAF, Anatomy of
  Cyberterrorism--Is America Vulnerable?
• Winter 2002/2003, IA Newsletter, Vol. 5., No. 4.,
  IA Technology Analysis Center (IATAC)

25
Computer Crime Were Being Robbed

• Credit card fraud
• 5.2 percent of online shoppers
• U.S. annual losses estimated in billions
• Identity theft
• 1.9 percent of online shoppers (300K people)
• 2 billion lost/year in U.S
• Top consumer complaint in U.S., per FTC
• Spyware
• 40 of companies infected

Greg Sandoval, War on cybercrime--we're
losing, ZdNet News, 14 May 2002 Robert Moritz,
When Someone Steals Your Identity, Parade
Magazine, 6 July 2003
26
Losses and Costs

• Expected 2003 losses from computer crime
• 2.8 billion in U.S.
• 25 percent increase
• 15 billion in world

• Jon Swartz, USA Today, 9 February 2003, Firms
  hacking-related insurance costs soar.
• Washington Monthly, November 2002, The Myth
  of Cyberterrorism, there are many ways
• terrorists can kill youcomputers arent one of
  them

27
An Interesting Case

• Exec received demand for 1 million, or brokerage
  network would crash
• Team spent night searching for malicious code
• System failed as promised
• Extortionist threatened to crash system during
  peak trading hours
• Brokerage paid

Sandeep Junnarkar, CNET News.com, 30 April 2002
28
Vulnerabilities Reported
4,000 3,000 2,000 1,000
2002 4,129
2001 2,437
2000 1,090
1999 417
1998 262
CERT/CC
29
Vulnerabilities Costed

• Were fast approaching the point at which
  were spending more money to find, patch, and
  correct vulnerabilities than we pay for the
  software
• John Gilligan
• USAF CIO
• (formerly DOE CIO)

Washington Monthly, November 2002, The Myth of
Cyberterrorism
30
Are You On The Patch?

• Weve treated this as housekeeping problem what
  if its more?
• What are the limits of our ability to patch?

31
How Bad Is It Really?

• Sanctum broke into 98 percent of 350 corporate
  sites it audited
• Average attack took two hours
• Government Red Teams succeed every single time

• PC World Communications, 23 August 2002,
  Cyberterrorism Scenarios Scrutinized
• Richard Clarke, April 2002, PBS Frontline
  story on Cyberwar!

32
Security on the Internet

• PSINet set up unprotected server
• Was attacked 467 times within 24 hours

Graham Hayday, Silicon.com, 29 January
2003, Exposed servermagnet for hack attacks
33
What Can Happen
Code Red To see an animation, go to
http//www.caida.org/analysis/security/code-red/c
oderedv2_analysis.xmlanimations
Slammer To see an animation, go to
http//www.caida.org/analysis/security/sapphire/s
apphire-2f-30m-2003-01-25.gif
http//www.caida.org/
34
Slammer

• 250 times faster than Code Red
• Within ten minutes, most of systems hit had been
  infected
• Traveled in 404-byte packet

• Crippled sensitive systems, including banking
  operations and 911 centers
• Prevented many ATM withdrawals

Ted Bridis, Associated Press, Internet attack's
disruptions more serious than many thought
possible 27 Jan 2003
35
Implications

• Slammer infected few systems -- 75,000
• What if vulnerability existed on millions of
  systems?

36
There is no current defenseagainst such a
real-time threat
37
Opportunities

• March 2003 flaw in ntdll.dll
• On all W2K systems -- huge installed base
• Accessed by multiple apps, services
• Zero-day flaw
• Significant recent vulnerabilities
• Sendmail (poke through firewalls)
• Email address validity checking
• Long email addresses
• Macromedia Flash
• 75 percent of PCs

38
Why Havent Adversaries Exploited These?

• Its hard
• Weve been lucky

39
Vulnerabilities Ripen With Age

• Holes remain unpatched
• Hackers develop easy-to-use exploits
• Enable kids to launch sophisticated attacks

A kid, even a smart kid, should not be able
to vandalize modern civilization
40
Wish List For An Adversary

• Intelligence
• What we know, what we intend
• Reconnaissance for targeting
• Fund raising
• Money laundering

• Everyone needs the Internet
• Recruitment
• Collaboration
• Command and control

To adversaries, maybe our nets are worth more up
than down
41
Ultimate Disaster Scenario?

• AMERICAN ECONOMY STRUCK BY BUSINESS FAILURES
• Loss of confidence in U.S. goods

• Dartmouth study of business failures shows many
  could have been induced by cyber means
• Could focus on confidentiality and denial of
  service be misplaced?

Scott Borg
42
Its Not Always BadWhen Security and Secrecy Fail

• Chinese Health Minister and Beijing Mayor
  dismissed for cover-up
• At the Iraqi Intelligence Service, a man walked
  up with a grimy sack of documents and tapes.
  Tell the world what happened here, he said.

Melinda Liu, Rod Nordland and Evan Thomas,
NEWSWEEK, 28 April 2003, The Saddam Files
43
Outline

• Cyberterrorism!
• Who is to blame?
• Whats really happening?
• The simple solution
• National strategy
• Conclusion

44
Get Money

• Show vulnerability
• Scan for vulnerabilities
• Map network
• Red team as outsider
• Red team as authorized insider
• Show threat
• Deploy intrusion detection system
• Scan for unauthorized wireless
• Monitor Internet usage

• Prove threat is real
• Produce near-term results

45
Get People

• Empower engineers
• Provide challenge, authority, resources
• Approaches explored in labs
• Build partnerships
• Internal security committee
• Business units
• Infrastructure, service providers
• Legal, human resources
• External
• Infrastructure, service providers
• Software vendors
• Business partners, e.g., critical infrastructure
  sector
• Law enforcement, counterintelligence,
  counterterrorism

46
A Defense-in-Depth Consideration

• Poor security often due to lack of qualified
  people
• Layered security creates more work, not more
  people

47
Simplify Architecture (Pg 1 of 2)

• Firewall enterprise
• Castle walls and gates enable control
• Firewall desktops
• Manage enterprise security
• Network management centers
• Central policy management, e.g., Netegrity
• Consider server-based architecture
• E.g., thin clients, Citrix Secure Gateway
• Password management, e.g., single sign-on
• Identity management

Applies to home computers
48
Simplify Architecture (Pg 2 of 2)

• Manage configurations
• Get it secure
• Configuration management configuration guidance
  and tools, best practices
• Keep it secure
• Patch management prioritize patches against
  configurations, policies, vulnerabilities test
  patches
• Compliance management

Applies to home computers
49
CIOs Choice

• Chaos
• Diverse hardware and software
• Applications testing
• Staff training
• Non-interoperable applications
• Assimilation by The Borg
• Homogeneous hardware and software
• Applications and infrastructure part of a
  coherent, holistic whole

50
The More Integrated And Interoperable You Are,
The Easier You Fall
Defense-in-depth becomes more critical
51
Secure Architecture (Pg 1 of 2)

• Ensure robust foundation
• Protection, resilience, emergency operation
• Not fully Internet-dependent
• Able to counter denial of service attacks
• Create risk domains
• DMZ for sharing with outsiders
• Castle keep for crown jewels
• Strengthen systems, e.g., Host Intrusion
  Prevention Systems (HIPS) such as Okena
  StormWatch, Entercept
• Protect data, e.g., Digital Rights Management
  (DRM)-like technology such as Authentica, Liquid
  Machines
• Deploy strong authentication
• E.g., Public key infrastructure, access tokens

52
Secure Architecture (Pg 2 of 2)

• Deploy automatic malware protection
• Desktop, e.g., HIPS, Symantec AntiVirus, TripWire
• Email gateway, e.g., Trend VirusWall
• eManager plug-in to block installer patches,
  registry files, etc.
• Deploy automatic backup infrastructure
• E.g., Veritas NetBackup
• Monitor and respond
• Security Information Management System (SIMS)
• Harness deluge of event data, e.g., ArcSight,
  netForensics
• Integrate with operations, configuration
  management
• Trap professional adversaries
• E.g., honeytokens

Applies to home computers
53
From Desktops to Belt-Tops

• Laptop
• Personal Digital Assistant (PDA)/Palm PC
• Cell phone
• Display of alerts, messages

• All wireless
• All will include microphones

54
Insurance

• PRO
• Market-based
• Transfers risks to business
• Promotes best practices
• CON
• Lack of actuarial data
• Existing data doesnt scale to disasters
• Assume defenses evolve in step with attacks

55
ConfrontUltimate Threats
56
Nanotechnology
Past
Future
.
(smart dust)
57
Users

• 75 immediately gave passwords when asked
• 15 more required social engineering
• password 12, name 16, football team 11
• 75 knew coworkers passwords
• 67 used same password for everything
• Personal banking, Web site access
• 91 of men circulated dirty pictures or jokes
• 40 of women did same
• If discovering a salary file, 75 would read it
• 38 would pass file around office

User Survey--Infosecurity Europe 2003
58
Two Things To Count On

• Users will click on attachments
• Users will hit Reply All

59
User-Based Security

• Picture a vehicle with an independent steering
  wheel on each tire.

60
Build Culture Of Secure Behavior

• Eliminate passwords--go to tokens, biometrics
• Train users in what is sensitive
• Train users against social engineering
• Monitor user activities
• Enforce secure behavior

Train, Monitor, Enforce
61
Its Who You Know

• 80 percent of murder victims killed by someone
  they knew
• 22 percent killed by people with whom they had
  romantic involvement

The Bureau of Justice Statistics Murder in
Large Urban Counties Study, 1988
62
Separation of Power In Government
Humans dont deal well with absolute power
63
Separation of Power In Systems

• Study of over 100 espionage cases showed 55 of
  spies were network or system administrators

Data is from the Espionage Database Project of
the Defense Personnel Security Research Center
64
Insider Monitoring Industry Is Doing It

• 50 workers At Dow Chemical Co.'s headquarters
  site were fired and another 200 disciplined for
  distributing pornographic or violent pictures
• Merck fired two workers and disciplined dozens of
  others for inappropriate use of the Internet
• Xerox Corporation fired 40 workers and the New
  York Times terminated 23 employees for similar
  offences
• Royal and Sun Alliance has sacked 10 people and
  suspended at least 77 over the distribution of
  lewd" email
• Download Evidence Eliminator now before it's
  too late!

Most Fortune 500 companies monitor employee use
of the Internet
Incident data taken from http//www.evidence-elimi
nator.com Brad Stone, Is the Boss Watching?
NEWSWEEK, 30 September 2002
65
Collateral Benefits of Insider Monitoring

• Reclaim bandwidth
• Avoid liability
• Reclaim excess labor hours
• Discover what your people are doing

UK study -- more employees disciplined for misuse
of Internet and email than any other reason
66
Insider Monitoring At One Agency

• Employee use of business applications
  automatically compared against criteria that
  characterize fraud
• Leads forwarded to investigative organization
• 20 of leads identify employees committing fraud
  or other criminal violations
• In FY01, almost 400 internal investigations
  initiated based on automatically generated leads
• Bribery
• Embezzlement
• Trading of insider information

67
Quis Custodiet Ipsos Custodies?

• Who guards the guards?
• Who watches the watchers?
• Much data from insider monitoring is not crimes
  but sins
• By gathering sensitive data on our people, we
  create a vulnerability
• Inside entrepreneurs
• Foreign adversaries
• Legal discovery

68
Outline

• Cyberterrorism!
• Who is to blame?
• Whats really happening?
• The simple solution
• National strategy
• Conclusion

69
National Strategy to Secure Cyberspace

• Create cyberspace security response system
• Establish threat and vulnerability reduction
  program
• Improve training and awareness
• Secure government systems
• Work internationally

70
New Government Players

• Department of Homeland Security office of
  cybersecurity

• Paul Kurtz, NSC, Special Assistant to the
  President for Critical Infrastructure Protection
• Lt Col Greg Rattrey, NSC, Director of
  Cybersecurity

71
High-Level Strategy--Work As Team

• Share information
• Work together
• Break problem up into pieces
• Tackle each independently, in parallel
• Ensure results can be integrated
• Government assistance without regulation

72
Information Sharing Analysis Centers (ISACs)

• Electric Power (NERC)
• Telecommunications (NCS/NCC)
• Information Technology (LLC., Internet Security
  Systems)
• Banking Finance (LLC., Predictive Systems)
• Water Supply (AMWA)
• Surface Transportation (AAR)
• Oil Gas (LLC., Predictive Systems)
• Emergency Fire Services (USFA)
• Emergency Law Enforcement (NIPC/ELES Forum)
• Food (FMI)
• Chemicals Industry (ACC/ChemTrec)

Others under development
73
Risks of Sharing

• Antitrust law
• Price fixing, restraint of trade, discrimination
  against certain customers
• Freedom of Information Act (FOIA)
• Privacy concerns, loss of proprietary data,
  exposure of vulnerabilities and weaknesses

• Critical Information Infrastructure Protection
  and the Law, An Overview of Key Issues,
• April 2003, National Academy of Engineering,
  National Research Council

74
Work Together Partnerships
Get involved

• Partnership for Critical Infrastructure Security
• 80-company organization that identifies
  vulnerabilities in the private sectors cyber
  infrastructure
• National Infrastructure Simulation Analysis
  Center (NISAC)
• Works with DHS, power, water, rail, banks to
  understand their interdependencies and harden
  critical junctures
• Network Reliability and Interoperability Council
  (NRIC)
• Coordinates voluntary best practices for the
  communications infrastructure

75
Partition ProblemGuidance and Tools

• NSA-lead configuration guidance
• Center for Internet Security (CIS) and SANS
  developing tools to rate compliance with guides
  and benchmarks
• MITRE-led partnership to list Common
  Vulnerabilities and Exposures (CVE)
• Partnership to develop an Open Vulnerability
  Assessment Language (OVAL), a consistent way to
  detect known vulnerabilities
• SANS and General Services Administration (GSA)
  efforts to prioritize top vulnerabilities for
  action

76
Work Together Partnerships
Get involved

• Partnership for Critical Infrastructure Security
• 80-company organization that identifies
  vulnerabilities in the private sectors cyber
  infrastructure
• National Infrastructure Simulation Analysis
  Center (NISAC)
• Works with DHS, power, water, rail, banks to
  understand their interdependencies and harden
  critical junctures
• Network Reliability and Interoperability Council
  (NRIC)
• Coordinates voluntary best practices for the
  communications infrastructure

77
Government Actions Short of Regulation

• Research
• Network coordination in crises
• Government/ISAC coordination
• Information sharing about threats,
  vulnerabilities
• Monitor self-regulation, threaten regulation if
  deficiencies not corrected by certain date
• Do analysis to advise industry on investment
  priorities
• Develop tools to help industry plan for and deal
  with attacks
• Tax credits for investments on behalf of national
  security

78
In Defense Of Freedom
Prosecution
Privacy, civil liberty
National security
Prevention
You dont safeguard freedom by taking it away
79
Questions (1 of 2)

• How do we redraw turf for cyber defense, offense,
  and intelligence? Homeland defense?
• What are economic and political impacts of
  offensive and defensive cyber conflict?
• How much active defense should we employ?
• How do we attribute attacks in cyber-time?
• How do we recognize state-sponsored attacks (and
  thus increase response options)?
• How do we collect against and understand
  capabilities of cyber adversaries?

80
Questions (2 of 2)

• What levels and distribution of security costs
  create problems for industry, customers?
• Based on models of economic input and output,
  what changes might result from varying levels of
  security investment?
• Do tight profit margins risk significant economic
  damage?
• For national security investments that offer
  minimal advantage to companies, what government
  participation is best, e.g., tax credits?

• Transportation Research Board Special Report 274,
  2003, Cybersecurity of
• Freight Information Systems, A Scoping Study,
  National Research Council

81
Outline

• Cyberterrorism!
• Who is to blame?
• Whats really happening?
• The simple solution
• National strategy
• Conclusion

82
As For The Horror Of Cyberterrorism
83
Your Odds Are Good
Final 2000 data    Ten Leading Causes of Death
in the U.S.       Heart Disease 710,760
      Cancer 553,091       Stroke 167,661
      Chronic Lower Respiratory Disease 122,009
      Accidents 97,900       Diabetes
69,301       Pneumonia/Influenza 65,313
      Alzheimer's Disease 49,558
      Nephritis, nephrotic syndrome, and
nephrosis 37,251       Septicemia 31,224
Total murder victims (2000) 12,943
Worldwide death toll from terrorism in
2001 under 4,000
National Center for Health Statistics
Deaths/Mortality (All figures are for U.S.)
84
Actions

• Avoid succumbing to cyberterrorism hype
• Dont swallow it
• Dont dismiss it

ACT

• Counter Computer Crime using common practices

• Tackle the Total problem
• Insiders (trust no one)
• Community partnerships (trust everyone)

85
If You Can, Remember A Fourth Thing

• Sometimes the best way to raise cybersecurity
  awareness is not to tell people what to do but to
  show them what will happen if they dont.

86
Public Service Message

• A CIO's worst nightmare played out in a
  riveting, action-packed story... I will likely
  forward the manuscript to Lin Wells.
• John Gilligan, CIO, USAF

• Anyone interested in the protection of our
  national infrastructure should read this book.
• Margie Munson, former Director of DSS
• Mike Munson, former Deputy Director of NRO