Title: 'Electronic Pearl Harbor' Winn Schwartau 'Digita
1. Bill Neugent, 17 July 2003
The views expressed are those of the author, and boy do they not reflect the official policy or position of The MITRE Corp.
2. Outline
- Cyberterrorism!
- Who is to blame?
- What's really happening?
- The simple solution
- National strategy
- Conclusion
3. Global Reach, Interconnected Interdependence
- Our cyber-based assets sit on one interwoven rug of global communications
  - Global Internet
  - Global Public Switched Network
- Cyberterrorism issues
  - Availability: the rug can be pulled out from under us
  - Access: cyberterrorists are seconds away
4. The Dilemma
- Power travels at light speed
- Power networks are controlled by computers
- Communication signals travel at light speed
- Communication networks are controlled by computers
Remote control makes it possible to ruin a complex network
5. What's At Risk?
6. Supervisory Control and Data Acquisition: We're SCADA On Thin Ice
- Underlies gas and oil, water and sewer, electric power distribution
- 3 million SCADA systems in use
- Increased use of Windows, UNIX
- Utilities connecting SCADA to corporate networks, Internet, wireless networks
Stratum8 Networks, 30 October 2002, "New Layer of Internet Security is Required to Protect Critical Systems that Manage Oil, Natural Gas, and Electricity Resources"
7. So You Say You're Not On The Internet
- "Nearly every bank in the United States runs its operations on an internal network that connects to the Internet."
Maybe your front door isn't
Sandeep Junnarkar, CNET News, 1 May 2002
8. Beware On Net In 2003
- CIA warns of Net terror threat
- IDC prediction for 2003
  - Major cyberterrorism event will disrupt economy, bring Internet to its knees for at least a day or two
- Professional cyber attack could do several hundred billion dollars in damage to U.S.
Declan McCullagh, "CIA warns of Net terror threat", CNET News, 29 October 2002; "IDC: Cyberterror and other prophecies", CNET News, 12 December 2002; "A Letter From Concerned Scientists, to President Bush", 27 February 2002
9. Shouts of Warning
- "Electronic Pearl Harbor" (Winn Schwartau)
- "Digital Waterloo" (Center for Strategic and International Studies)
- "Digital Armageddon" (Sen. Charles Schumer, D-N.Y.)
10. Outline
- Cyberterrorism!
- Who is to blame?
- What's really happening?
- The simple solution
- National strategy
- Conclusion
11. Users
12. Bullies
13. What Motivates Bullies?
- "The reason the software you buy isn't secure is that companies don't care."
- "The reason is there is no liability for producing a shoddy product." (Bruce Schneier)
IDG News Service, 19 November 2002, "COMDEX Panel: Accept the Net is vulnerable to attack"
14. Complexity
- Software more complex than any other human construct
- No two parts alike
- Software differs profoundly from computers, buildings, or automobiles, where repeated elements abound
- Rapid time to market
- Armies of programmers work independently
- Complex legacy software carried forward
Frederick Brooks
15. Industry Complexity
- Example: freight information systems involve a changing mix of companies
  - Carriers, shippers, distributors, freight forwarders, government agencies (e.g., Customs)
- Many interconnections, no integration; hard to
  - Establish consistent security baseline
  - Establish security standards for transactions (e.g., e-documents)
  - Identify and authenticate users and systems
800,000 hazmat shipments/day in U.S.
Transportation Research Board Special Report 274, 2003, "Cybersecurity of Freight Information Systems: A Scoping Study", National Research Council
16. Market Forces Made Us Do It
- Competition keeps profit margins low, forces cost-saving
- Internet has become critical dependency
- Freight information systems efficient, reliable
- Customers have lower inventories, just-in-time inbound material strategies
Market forces -> Computer-enabled efficiencies -> Critical dependencies
Transportation Research Board Special Report 274, 2003, "Cybersecurity of Freight Information Systems: A Scoping Study", National Research Council
17. Competition
- Got to drop this extra security weight
18. Deregulation
- "We've delegated public safety and national security to market forces"
Scott Charney, April 2003, PBS Frontline story on "Cyberwar!"
19. The Issue: Closing The Gap
- Security needed against state-sponsored attacks
- Security provided by market-based solutions
20. The Inescapable Conclusion: We're Toast
21. Outline
- Cyberterrorism!
- Who is to blame?
- What's really happening?
- The simple solution
- National strategy
- Conclusion
22. Terrorist Know-How, Resources
- We train the world
  - Try to find an American in an American grad school
- Funding
23. Terrorist Requirement
- Make headline news
- "What's the visual?"
After a bomb
After a cyberattack
TV news producer, judging whether to include coverage of a fire
24. Prognosis For Cyberterrorism
- Not top terrorist priority
- Definitely on their to-do list
- Much terrorist research and preparation for cyberterrorism
Col Bradley K. Ashley, USAF, "Anatomy of Cyberterrorism--Is America Vulnerable?", IA Newsletter, Vol. 5, No. 4, Winter 2002/2003, IA Technology Analysis Center (IATAC)
25. Computer Crime: We're Being Robbed
- Credit card fraud
  - 5.2 percent of online shoppers
  - U.S. annual losses estimated in billions
- Identity theft
  - 1.9 percent of online shoppers (300K people)
  - $2 billion lost/year in U.S.
  - Top consumer complaint in U.S., per FTC
- Spyware
  - 40% of companies infected
Greg Sandoval, "War on cybercrime--we're losing", ZDNet News, 14 May 2002; Robert Moritz, "When Someone Steals Your Identity", Parade Magazine, 6 July 2003
26. Losses and Costs
- Expected 2003 losses from computer crime
  - $2.8 billion in U.S.
  - 25 percent increase
  - $15 billion in world
Jon Swartz, USA Today, 9 February 2003, "Firms' hacking-related insurance costs soar"
Washington Monthly, November 2002, "The Myth of Cyberterrorism": "there are many ways terrorists can kill you; computers aren't one of them"
27. An Interesting Case
- Exec received demand for $1 million, or brokerage network would crash
- Team spent night searching for malicious code
- System failed as promised
- Extortionist threatened to crash system during peak trading hours
- Brokerage paid
Sandeep Junnarkar, CNET News.com, 30 April 2002
28. Vulnerabilities Reported (CERT/CC, per year)
- 1998: 262
- 1999: 417
- 2000: 1,090
- 2001: 2,437
- 2002: 4,129
29. Vulnerabilities Costed
- "We're fast approaching the point at which we're spending more money to find, patch, and correct vulnerabilities than we pay for the software"
  - John Gilligan, USAF CIO (formerly DOE CIO)
Washington Monthly, November 2002, "The Myth of Cyberterrorism"
30. Are You On The Patch?
- We've treated this as a housekeeping problem; what if it's more?
- What are the limits of our ability to patch?
31. How Bad Is It Really?
- Sanctum broke into 98 percent of 350 corporate sites it audited
  - Average attack took two hours
- Government Red Teams succeed every single time
PC World Communications, 23 August 2002, "Cyberterrorism Scenarios Scrutinized"; Richard Clarke, April 2002, PBS Frontline story on "Cyberwar!"
32. Security on the Internet
- PSINet set up unprotected server
- Was attacked 467 times within 24 hours
Graham Hayday, Silicon.com, 29 January 2003, "Exposed server: magnet for hack attacks"
33. What Can Happen
Code Red: to see an animation, go to http://www.caida.org/analysis/security/code-red/coderedv2_analysis.xml#animations
Slammer: to see an animation, go to http://www.caida.org/analysis/security/sapphire/sapphire-2f-30m-2003-01-25.gif
http://www.caida.org/
34. Slammer
- 250 times faster than Code Red
- Within ten minutes, most of the systems hit had been infected
- Traveled in a 404-byte packet
- Crippled sensitive systems, including banking operations and 911 centers
- Prevented many ATM withdrawals
Ted Bridis, Associated Press, "Internet attack's disruptions more serious than many thought possible", 27 Jan 2003
35. Implications
- Slammer infected few systems -- 75,000
- What if the vulnerability existed on millions of systems?
36. There is no current defense against such a real-time threat
37. Opportunities
- March 2003 flaw in ntdll.dll
  - On all W2K systems -- huge installed base
  - Accessed by multiple apps, services
  - Zero-day flaw
- Significant recent vulnerabilities
  - Sendmail (poke through firewalls)
    - Email address validity checking
    - Long email addresses
  - Macromedia Flash
    - 75 percent of PCs
38. Why Haven't Adversaries Exploited These?
39. Vulnerabilities Ripen With Age
- Holes remain unpatched
- Hackers develop easy-to-use exploits
  - Enable kids to launch sophisticated attacks
A kid, even a smart kid, should not be able to vandalize modern civilization
40. Wish List For An Adversary
- Intelligence
  - What we know, what we intend
  - Reconnaissance for targeting
- Fund raising
- Money laundering
- Everyone needs the Internet
- Recruitment
- Collaboration
- Command and control
To adversaries, maybe our nets are worth more up than down
41. Ultimate Disaster Scenario?
- AMERICAN ECONOMY STRUCK BY BUSINESS FAILURES
  - Loss of confidence in U.S. goods
- Dartmouth study of business failures shows many could have been induced by cyber means
- Could focus on confidentiality and denial of service be misplaced?
Scott Borg
42. It's Not Always Bad: When Security and Secrecy Fail
- Chinese Health Minister and Beijing Mayor dismissed for cover-up
- "At the Iraqi Intelligence Service, a man walked up with a grimy sack of documents and tapes. 'Tell the world what happened here,' he said."
Melinda Liu, Rod Nordland and Evan Thomas, NEWSWEEK, 28 April 2003, "The Saddam Files"
43. Outline
- Cyberterrorism!
- Who is to blame?
- What's really happening?
- The simple solution
- National strategy
- Conclusion
44. Get Money
- Show vulnerability
  - Scan for vulnerabilities
  - Map network
  - Red team as outsider
  - Red team as authorized insider
- Show threat
  - Deploy intrusion detection system
  - Scan for unauthorized wireless
  - Monitor Internet usage
- Prove threat is real
- Produce near-term results
45. Get People
- Empower engineers
  - Provide challenge, authority, resources
  - Approaches explored in labs
- Build partnerships
  - Internal
    - Security committee
    - Business units
    - Infrastructure, service providers
    - Legal, human resources
  - External
    - Infrastructure, service providers
    - Software vendors
    - Business partners, e.g., critical infrastructure sector
    - Law enforcement, counterintelligence, counterterrorism
46. A Defense-in-Depth Consideration
- Poor security often due to lack of qualified people
- Layered security creates more work, not more people
47. Simplify Architecture (Pg 1 of 2)
- Firewall enterprise
  - Castle walls and gates enable control
- Firewall desktops
- Manage enterprise security
  - Network management centers
  - Central policy management, e.g., Netegrity
- Consider server-based architecture
  - E.g., thin clients, Citrix Secure Gateway
- Password management, e.g., single sign-on
- Identity management
Applies to home computers
48. Simplify Architecture (Pg 2 of 2)
- Manage configurations
  - Get it secure
    - Configuration management: configuration guidance and tools, best practices
  - Keep it secure
    - Patch management: prioritize patches against configurations, policies, vulnerabilities; test patches
    - Compliance management
Applies to home computers
49. CIO's Choice
- Chaos
  - Diverse hardware and software
  - Applications testing
  - Staff training
  - Non-interoperable applications
- Assimilation by The Borg
  - Homogeneous hardware and software
  - Applications and infrastructure part of a coherent, holistic whole
50. The More Integrated And Interoperable You Are, The Easier You Fall
Defense-in-depth becomes more critical
51. Secure Architecture (Pg 1 of 2)
- Ensure robust foundation
  - Protection, resilience, emergency operation
  - Not fully Internet-dependent
  - Able to counter denial of service attacks
- Create risk domains
  - DMZ for sharing with outsiders
  - Castle keep for crown jewels
- Strengthen systems, e.g., Host Intrusion Prevention Systems (HIPS) such as Okena StormWatch, Entercept
- Protect data, e.g., Digital Rights Management (DRM)-like technology such as Authentica, Liquid Machines
- Deploy strong authentication
  - E.g., public key infrastructure, access tokens
52. Secure Architecture (Pg 2 of 2)
- Deploy automatic malware protection
  - Desktop, e.g., HIPS, Symantec AntiVirus, TripWire
  - Email gateway, e.g., Trend VirusWall
    - eManager plug-in to block installer patches, registry files, etc.
- Deploy automatic backup infrastructure
  - E.g., Veritas NetBackup
- Monitor and respond
  - Security Information Management System (SIMS)
    - Harness deluge of event data, e.g., ArcSight, netForensics
    - Integrate with operations, configuration management
  - Trap professional adversaries
    - E.g., honeytokens
Applies to home computers
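An added example, not from the deck or any product it names, of the two "monitor and respond" items above working together: decoy identifiers (honeytokens) are planted, raw event lines are scanned for any touch, and the hits are rolled up per source the way a SIMS would, so an intruder who trips more than one decoy is escalated. The log layout, the token values and the sample lines are all constructed.

```python
"""Honeytoken alerting feeding a SIMS-style correlator (slide 52: harness event
data, trap professional adversaries). Added example, not from the deck; the
log format, the token values and the log lines are all constructed."""
import re
from collections import defaultdict

# Honeytokens: accounts, records and files planted purely as tripwires. No
# legitimate process ever uses them, so a single touch is a high-confidence signal.
HONEYTOKENS = {
    "svc_backup_ro": "decoy account planted in the directory",
    "ACCT-9990001": "decoy customer record in the brokerage database",
    "payroll_Q3_final.xls": "decoy spreadsheet on the HR share",
}

# Constructed log layout: ISO timestamp, source IP, event type, free-text detail.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<src>\S+) (?P<event>\w+) (?P<detail>.*)$"
)


def parse(line):
    """Return the event fields, or None for lines that do not fit the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def honeytoken_hits(lines):
    """Scan raw log lines; emit one alert per (line, token) match."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                       # malformed input is skipped, not fatal
        for token, meaning in HONEYTOKENS.items():
            if token in ev["detail"]:
                alerts.append({"ts": ev["ts"], "src": ev["src"],
                               "event": ev["event"], "token": token, "why": meaning})
    return alerts


def correlate(alerts):
    """SIMS roll-up: group alerts by source; a source that has touched more than
    one decoy is escalated, a single touch is queued for investigation."""
    tokens_by_src = defaultdict(set)
    for a in alerts:
        tokens_by_src[a["src"]].add(a["token"])
    return {src: ("escalate" if len(t) > 1 else "investigate")
            for src, t in tokens_by_src.items()}


# Constructed sample log: one normal user, one intruder touching two decoys,
# one malformed line, and a single decoy-file read from a third address.
SAMPLE_LOG = """\
2003-07-17T02:14:03 10.1.5.20 LOGIN user=jsmith result=ok
2003-07-17T02:15:41 10.1.5.77 LOGIN user=svc_backup_ro result=ok
2003-07-17T02:16:02 10.1.5.77 DBREAD table=accounts key=ACCT-9990001
2003-07-17T02:16:30 10.1.5.20 FILEREAD path=/hr/share/benefits_faq.doc
garbage line from a truncated write
2003-07-17T02:17:09 10.1.5.91 FILEREAD path=/hr/share/payroll_Q3_final.xls
"""

if __name__ == "__main__":
    hits = honeytoken_hits(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h['ts']} {h['src']} {h['event']}: {h['token']} ({h['why']})")
    print(correlate(hits))
```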
53. From Desktops to Belt-Tops
- Laptop
- Personal Digital Assistant (PDA)/Palm PC
- Cell phone
  - Display of alerts, messages
- All wireless
- All will include microphones
54. Insurance
- PRO
  - Market-based
  - Transfers risks to business
  - Promotes best practices
- CON
  - Lack of actuarial data
  - Existing data doesn't scale to disasters
  - Assumes defenses evolve in step with attacks
55. Confront Ultimate Threats
56. Nanotechnology
[Figure: "Past" and "Future" panels; the future panel is a single dot labelled "(smart dust)"]
57. Users
- 75% immediately gave passwords when asked
  - 15% more required social engineering
  - Passwords chosen: "password" 12%, name 16%, football team 11%
- 75% knew coworkers' passwords
- 67% used same password for everything
  - Personal banking, Web site access
- 91% of men circulated dirty pictures or jokes
  - 40% of women did same
- If discovering a salary file, 75% would read it
  - 38% would pass file around office
User Survey, Infosecurity Europe 2003
58. Two Things To Count On
- Users will click on attachments
- Users will hit Reply All
59. User-Based Security
- Picture a vehicle with an independent steering wheel on each tire.
60. Build Culture Of Secure Behavior
- Eliminate passwords--go to tokens, biometrics
- Train users in what is sensitive
- Train users against social engineering
- Monitor user activities
- Enforce secure behavior
Train, Monitor, Enforce
61. It's Who You Know
- 80 percent of murder victims killed by someone they knew
  - 22 percent killed by people with whom they had romantic involvement
The Bureau of Justice Statistics "Murder in Large Urban Counties" Study, 1988
62. Separation of Power In Government
Humans don't deal well with absolute power
63. Separation of Power In Systems
- Study of over 100 espionage cases showed 55% of spies were network or system administrators
Data is from the Espionage Database Project of the Defense Personnel Security Research Center
64. Insider Monitoring: Industry Is Doing It
- "50 workers at Dow Chemical Co.'s headquarters site were fired and another 200 disciplined for distributing pornographic or violent pictures"
- "Merck fired two workers and disciplined dozens of others for inappropriate use of the Internet"
- "Xerox Corporation fired 40 workers and the New York Times terminated 23 employees for similar offences"
- "Royal and Sun Alliance has sacked 10 people and suspended at least 77 over the distribution of lewd email"
- "Download Evidence Eliminator now before it's too late!"
Most Fortune 500 companies monitor employee use of the Internet
Incident data taken from http://www.evidence-eliminator.com; Brad Stone, "Is the Boss Watching?", NEWSWEEK, 30 September 2002
65. Collateral Benefits of Insider Monitoring
- Reclaim bandwidth
- Avoid liability
- Reclaim excess labor hours
- Discover what your people are doing
UK study -- more employees disciplined for misuse of Internet and email than for any other reason
66. Insider Monitoring At One Agency
- Employee use of business applications automatically compared against criteria that characterize fraud
- Leads forwarded to investigative organization
- 20% of leads identify employees committing fraud or other criminal violations
- In FY01, almost 400 internal investigations initiated based on automatically generated leads
  - Bribery
  - Embezzlement
  - Trading of insider information
67. Quis Custodiet Ipsos Custodes?
- Who guards the guards?
- Who watches the watchers?
- Much data from insider monitoring is not crimes but sins
- By gathering sensitive data on our people, we create a vulnerability
  - Inside entrepreneurs
  - Foreign adversaries
  - Legal discovery
68. Outline
- Cyberterrorism!
- Who is to blame?
- What's really happening?
- The simple solution
- National strategy
- Conclusion
69. National Strategy to Secure Cyberspace
- Create cyberspace security response system
- Establish threat and vulnerability reduction program
- Improve training and awareness
- Secure government systems
- Work internationally
70. New Government Players
- Department of Homeland Security office of cybersecurity
- Paul Kurtz, NSC, Special Assistant to the President for Critical Infrastructure Protection
- Lt Col Greg Rattray, NSC, Director of Cybersecurity
71. High-Level Strategy--Work As Team
- Share information
- Work together
- Break problem up into pieces
- Tackle each independently, in parallel
- Ensure results can be integrated
- Government assistance without regulation
72. Information Sharing and Analysis Centers (ISACs)
- Electric Power (NERC)
- Telecommunications (NCS/NCC)
- Information Technology (LLC, Internet Security Systems)
- Banking and Finance (LLC, Predictive Systems)
- Water Supply (AMWA)
- Surface Transportation (AAR)
- Oil and Gas (LLC, Predictive Systems)
- Emergency Fire Services (USFA)
- Emergency Law Enforcement (NIPC/ELES Forum)
- Food (FMI)
- Chemicals Industry (ACC/ChemTrec)
Others under development
73. Risks of Sharing
- Antitrust law
  - Price fixing, restraint of trade, discrimination against certain customers
- Freedom of Information Act (FOIA)
  - Privacy concerns, loss of proprietary data, exposure of vulnerabilities and weaknesses
"Critical Information Infrastructure Protection and the Law: An Overview of Key Issues", April 2003, National Academy of Engineering, National Research Council
74. Work Together: Partnerships
Get involved
- Partnership for Critical Infrastructure Security
  - 80-company organization that identifies vulnerabilities in the private sector's cyber infrastructure
- National Infrastructure Simulation and Analysis Center (NISAC)
  - Works with DHS, power, water, rail, banks to understand their interdependencies and harden critical junctures
- Network Reliability and Interoperability Council (NRIC)
  - Coordinates voluntary best practices for the communications infrastructure
75. Partition Problem: Guidance and Tools
- NSA-led configuration guidance
- Center for Internet Security (CIS) and SANS developing tools to rate compliance with guides and benchmarks
- MITRE-led partnership to list Common Vulnerabilities and Exposures (CVE)
- Partnership to develop an Open Vulnerability Assessment Language (OVAL), a consistent way to detect known vulnerabilities
- SANS and General Services Administration (GSA) efforts to prioritize top vulnerabilities for action
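An added example, not from the deck or any project it names, of the patch management item on slide 48 ("prioritize patches against configurations, policies, vulnerabilities; test patches") read together with the CVE naming above and the risk domains of slide 51: a small prioritizer that ranks affected host/vulnerability pairs by severity, domain policy, exposure and public-exploit status, and gates rollout on testing. Host names, versions, policy weights and the CVE-style ids are constructed placeholders.

```python
"""Patch prioritization against configuration, policy and known vulnerabilities
(slide 48), keyed on CVE-style ids (slide 75) and the risk domains of slide 51.
Added example, not from the deck; hosts, versions, weights and ids are constructed."""
from dataclasses import dataclass

# Policy weight per risk domain (slide 51): the castle keep holds the crown
# jewels, the DMZ is the most exposed. The values are an assumption.
DOMAIN_WEIGHT = {"keep": 3.0, "dmz": 2.0, "internal": 1.5}

@dataclass
class Host:
    name: str
    domain: str             # "keep", "dmz" or "internal"
    software: dict          # product -> installed version string
    internet_facing: bool = False

@dataclass
class Vuln:
    cve_id: str             # placeholder id, not a real CVE
    product: str
    fixed_in: tuple         # first version carrying the fix
    cvss: float             # base severity, 0-10
    exploit_public: bool    # "vulnerabilities ripen with age" (slide 39)
    remote: bool            # reachable over the network

def parse_version(v: str) -> tuple:
    """'6.0.65' -> (6, 0, 65), so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))

def affected(host: Host, vuln: Vuln) -> bool:
    """Affected when the host runs the product below the fixed version."""
    installed = host.software.get(vuln.product)
    return installed is not None and parse_version(installed) < vuln.fixed_in

def score(host: Host, vuln: Vuln) -> float:
    """Severity x domain policy, raised for public exploits and exposed remote flaws."""
    s = vuln.cvss * DOMAIN_WEIGHT[host.domain]
    if vuln.exploit_public:
        s *= 1.5
    if vuln.remote and host.internet_facing:
        s *= 2.0
    return round(s, 1)

def prioritize(hosts, vulns):
    """Return (score, host, cve_id) triples, most urgent first."""
    work = [(score(h, v), h.name, v.cve_id)
            for h in hosts for v in vulns if affected(h, v)]
    return sorted(work, key=lambda t: (-t[0], t[1], t[2]))

def deployable(work, tested):
    """Slide 48: test patches first; only fixes that passed testing against the
    standard configuration leave the queue, the rest stay visible but blocked."""
    return [w for w in work if w[2] in tested]

# Constructed inventory and vulnerability feed.
HOSTS = [
    Host("web-01", "dmz", {"sendmail": "8.12.7", "flash": "6.0.65"}, internet_facing=True),
    Host("fs-01", "keep", {"ntdll-w2k": "5.0.2195", "flash": "6.0.65"}),
    Host("ws-17", "internal", {"flash": "6.0.79"}),
]
VULNS = [
    Vuln("CVE-0000-0001", "sendmail", (8, 12, 8), 9.0, exploit_public=True, remote=True),
    Vuln("CVE-0000-0002", "ntdll-w2k", (5, 0, 2196), 7.5, exploit_public=False, remote=True),
    Vuln("CVE-0000-0003", "flash", (6, 0, 79), 5.0, exploit_public=True, remote=False),
]

if __name__ == "__main__":
    queue = prioritize(HOSTS, VULNS)
    for s, host, cve in queue:
        print(f"{s:6.1f}  {host:8} {cve}")
    print("ready to deploy:", deployable(queue, {"CVE-0000-0001"}))
```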
77. Government Actions Short of Regulation
- Research
- Network coordination in crises
- Government/ISAC coordination
- Information sharing about threats, vulnerabilities
- Monitor self-regulation, threaten regulation if deficiencies not corrected by certain date
- Do analysis to advise industry on investment priorities
- Develop tools to help industry plan for and deal with attacks
- Tax credits for investments on behalf of national security
78. In Defense Of Freedom
[Diagram with four labels: Prosecution; Privacy, civil liberty; National security; Prevention]
You don't safeguard freedom by taking it away
79. Questions (1 of 2)
- How do we redraw turf for cyber defense, offense, and intelligence? Homeland defense?
- What are economic and political impacts of offensive and defensive cyber conflict?
- How much active defense should we employ?
- How do we attribute attacks in cyber-time?
- How do we recognize state-sponsored attacks (and thus increase response options)?
- How do we collect against and understand capabilities of cyber adversaries?
80. Questions (2 of 2)
- What levels and distribution of security costs create problems for industry, customers?
- Based on models of economic input and output, what changes might result from varying levels of security investment?
- Do tight profit margins risk significant economic damage?
- For national security investments that offer minimal advantage to companies, what government participation is best, e.g., tax credits?
Transportation Research Board Special Report 274, 2003, "Cybersecurity of Freight Information Systems: A Scoping Study", National Research Council
81. Outline
- Cyberterrorism!
- Who is to blame?
- What's really happening?
- The simple solution
- National strategy
- Conclusion
82. As For The Horror Of Cyberterrorism
83. Your Odds Are Good
Final 2000 data, Ten Leading Causes of Death in the U.S.:
- Heart Disease: 710,760
- Cancer: 553,091
- Stroke: 167,661
- Chronic Lower Respiratory Disease: 122,009
- Accidents: 97,900
- Diabetes: 69,301
- Pneumonia/Influenza: 65,313
- Alzheimer's Disease: 49,558
- Nephritis, nephrotic syndrome, and nephrosis: 37,251
- Septicemia: 31,224
Total murder victims (2000): 12,943
Worldwide death toll from terrorism in 2001: under 4,000
National Center for Health Statistics, Deaths/Mortality (all figures are for U.S.)
84. Actions
- Avoid succumbing to cyberterrorism hype
  - Don't swallow it
  - Don't dismiss it
ACT
- Counter computer crime using common practices
- Tackle the total problem
  - Insiders (trust no one)
  - Community partnerships (trust everyone)
85. If You Can, Remember A Fourth Thing
- Sometimes the best way to raise cybersecurity awareness is not to tell people what to do but to show them what will happen if they don't.
86. Public Service Message
- "A CIO's worst nightmare played out in a riveting, action-packed story... I will likely forward the manuscript to Lin Wells." (John Gilligan, CIO, USAF)
- "Anyone interested in the protection of our national infrastructure should read this book." (Margie Munson, former Director of DSS; Mike Munson, former Deputy Director of NRO)