Cyberwar: How Worried Should We Be? Austin ISSA Dr. Bill Young

SLIDE 1

Cyberwar: How Worried Should We Be?

Austin ISSA

Dr. Bill Young

Department of Computer Science, University of Texas at Austin

Last updated: May 8, 2013 at 17:09

  • Dr. Bill Young: 1

Austin ISSA, May 9, 2013

SLIDE 2

From the Headlines

Pentagon accuses China of trying to hack US defence networks, The Guardian, 5/7/13

China is using espionage to acquire technology to fuel its military modernisation, the Pentagon has said, for the first time accusing the Chinese of trying to break into US defence computer networks and prompting a firm denial from Beijing.

“The US government continued to be targeted for (cyber) intrusions, some of which appear to be attributable directly to the Chinese government and military,” [the report] says, adding that the main purpose of the hacking is to gain information to benefit defence industries, military planners and government leaders.

SLIDE 3

From the Headlines

House Intel Chair Mike Rogers Calls Chinese Cyber Attacks Unprecedented, ABC News, 2/24/13

House Intelligence Committee Chair Mike Rogers, R-Mich., said it was “beyond a shadow of a doubt” that the Chinese government and military is behind growing cyber attacks against the United States, saying “we are losing” the war to prevent the attacks.

“It is unprecedented,” Rogers added. “This has never happened in the history of the world, where one nation steals the intellectual property to re-purpose it—to illegally compete against the country.”

SLIDE 4

From the Headlines

Cyber security in 2013: How vulnerable to attack is US now?, Christian Science Monitor, 1/9/13

The phalanx of cyberthreats aimed squarely at Americans’ livelihood became startlingly clear in 2012 and appears poised to proliferate in 2013 and beyond as government officials, corporate leaders, security experts, and ordinary citizens scramble to devise protections from attackers in cyberspace.

SLIDE 5

From the Headlines

U.S. Not Ready for Cyberwar Hostile Attackers Could Launch, The Daily Beast, 2/21/13

If the nightmare scenario becomes suddenly real ... If hackers shut down much of the electrical grid and the rest of the critical infrastructure goes with it ... If we are plunged into chaos and suffer more physical destruction than 50 monster hurricanes and economic damage that dwarfs the Great Depression ... Then we will wonder why we failed to guard against what outgoing Defense Secretary Leon Panetta has termed a “cyber-Pearl Harbor.”

SLIDE 6

CyberSecurity: An Existential Threat?

Cyberattacks an ’Existential Threat’ to U.S., FBI Says, Computerworld, 3/24/10

A top FBI official warned today that many cyber-adversaries of the U.S. have the ability to access virtually any computer system, posing a risk that’s so great it could “challenge our country’s very existence.”

According to Steven Chabinsky, deputy assistant director of the FBI’s cyber division: “The cyber threat can be an existential threat—meaning it can challenge our country’s very existence, or significantly alter our nation’s potential,” Chabinsky said. “How we rise to the cybersecurity challenge will determine whether our nation’s best days are ahead of us or behind us.”

SLIDE 7

Question for All of Us

If cyberattacks are a credible threat to the very existence of our nation, why aren’t we at war? Or are we? Are we currently engaged in a Cyber War? Or is this talk about Cyber War merely hype and exaggeration?

SLIDE 8

It’s a Dangerous World

  • “More than 5.5 billion attempted attacks were identified in 2011, an increase of 81% over 2010, with an unprecedented 403 million unique malware variants that year, a 41% leap.” (Symantec Internet Security Threat Report, 2012)
  • Once PCs are infected they tend to stay infected. The median length of infection is 300 days. (www.insecureaboutsecurity.com, 10/19/2009)
  • The Privacy Rights Clearinghouse’s Chronology of Data Breaches (January, 2012) estimates conservatively that more than half a billion sensitive records have been breached since 2005.
  • The Ponemon Institute estimates that the approximate current cost per record compromised is around $318.

SLIDE 9

Some Notable Cyber Campaigns

  • First Persian Gulf War (1991): Iraq’s command and control infrastructure is targeted. Radar and missile control network is fragmented and sections of radar coverage are taken offline without central control being aware of the outage.
  • Estonia (2007): Cyberattacks disabled the websites of government ministries, political parties, newspapers, banks, and companies. Russia was suspected of launching the attack.
  • Georgia (2008): Russia attacked the nation of Georgia in a dispute over the province of South Ossetia. In addition to the military attack, a concerted cyber DoS attack shut down much of Georgia’s ability to communicate with the external world.

SLIDE 10

Cyber Attacks on the U.S.

  • Moonlight Maze: (1998) traced to Russia, exfiltrated many megabytes of defense-related data, including classified naval codes and info on missile guidance systems.
  • Titan Rain: (2003) probably Chinese, exfiltrated an estimated 10-20 terabytes of data on U.S. systems.
  • Operation Aurora: (2009) probably Chinese, gained access and possibly modified code repositories at high tech, security and defense contractor companies.

SLIDE 11

Greatest Transfer of Wealth in History

In July, 2012, Gen. Keith Alexander, director of NSA and U.S. Cyber Command, referred to intellectual property loss via cyber espionage as the greatest transfer of wealth in history.

“Symantec placed the cost of IP theft to the United States companies in $250 billion a year, global cybercrime at $114 billion annually ($388 billion when you factor in downtime), and McAfee estimates that $1 trillion was spent globally under remediation. And that’s our future disappearing in front of us.”

SLIDE 12

But Is It War?

Cyber warfare involves “actions by a nation-state to penetrate another nation’s computers or networks for the purpose of causing damage or disruption.” (Richard Clarke and Robert Knake)

This definition raises as many questions as it answers.

  • Is “warfare” even a useful term in this context?
  • Can a non-state entity engage in warfare?
  • Which computers or networks really matter?
  • Which actions should qualify as acts of war?
  • Why can’t we defend ourselves?

SLIDE 13

Is “Cyberwar” the Wrong Concept?

Howard Schmidt, the new cybersecurity czar for the Obama administration, has a short answer for the drumbeat of rhetoric claiming the United States is caught up in a cyberwar that it is losing. “There is no cyberwar. I think that is a terrible metaphor and I think that is a terrible concept,” Schmidt said. “There are no winners in that environment.” (Wired, 3/4/10)

SLIDE 14

Is “Cyberwar” a Dangerous Concept?

Security guru Bruce Schneier, in an interview with Search Security (4/9/13) said: “My real fear is less the attacks from China and more the increase in rhetoric on both sides that is fueling a cyber arms race. We are definitely not at war. The whole cyberwar metaphor is dangerous. Right now we are seeing cyber espionage. But when you call it ’war’ you evoke a particular mindset and a particular set of solutions present themselves.”

SLIDE 15

Is “Cyberwar” a Dangerous Concept?

The cyberwar rhetoric is dangerous. Its practitioners are artists of exaggeration, who seem to think spinning tall tales is the only way to make bureaucracies move in the right direction. ... Not only does it promote unnecessary fear, it feeds the forces of parochial nationalism and militarism undermining a communications system that has arguably done more to connect the world’s citizens than the last 50 years of diplomacy. (Ryan Singel review of Clarke and Knake in Wired, 4/22/10)

SLIDE 16

Espionage, Yes—War, Not so Much

What we are seeing is “Cyber espionage” on a massive scale. But espionage has never been considered an act of war. You’re probably thinking: Forget espionage–what about Cyber Pearl Harbor? What about attacks on critical infrastructure?

SLIDE 17

Critical Infrastructure

Credible security experts suggest that a successful widespread attack on U.S. computing infrastructure could largely shut down the U.S. economy for up to 6 months.

It is estimated that the destruction from a single wave of cyber attacks on U.S. critical infrastructures could exceed $700 billion USD—the equivalent of 50 major hurricanes hitting U.S. soil at once. (Source: US Cyber Consequences Unit, July 2007)

SLIDE 18

What’s the Risk?

  • The U.S. is more dependent on advanced technology than any other society on earth.
  • Much of U.S. critical infrastructure is remotely accessible.
  • The openness of U.S. society means critical information about facilities (and their vulnerabilities) is widely available.
  • Other nation states have much more control over their national communication infrastructure.
  • Technology advances rapidly but remains riddled with vulnerabilities.

SLIDE 19

How Vulnerable is Infrastructure?

“I have yet to meet anyone who thinks SCADA systems should be connected to the Internet. But the reality is that SCADA systems need regular updates from a central control, and it is cheaper to do this through an existing Internet connection than to manually move data or build a separate network.” –Greg Day, Principal Security Analyst at McAfee

SLIDE 20

Current Concern

The Obama administration has placed an emphasis on protection of critical infrastructure from cyber attack.

On 2/12/13, the administration released an executive order, Improving Critical Infrastructure Cybersecurity, and Presidential Policy Directive 21: Critical Infrastructure Security and Resilience.

The Nation’s critical infrastructure provides the essential services that underpin American society. Proactive and coordinated efforts are necessary to strengthen and maintain secure, functioning, and resilient critical infrastructure including assets, networks, and systems that are vital to public confidence and the Nation’s safety, prosperity, and well-being.

SLIDE 21

Example Threat: Stuxnet

Stuxnet is a Windows computer worm discovered in July 2010 that targets Siemens SCADA (Supervisory Control and Data Acquisition) systems.

  • First discovered malware that subverts specific industrial systems.
  • First to include a programmable logic controller (PLC) rootkit.
  • Believed to have involved years of effort by skilled hackers to develop and deploy.
  • Narrowly targeted, possibly at Iran’s nuclear centrifuges.
  • Widely believed to have been developed by Israel and the U.S.

In interviews over the past three months in the United States and Europe, experts who have picked apart the computer worm describe it as far more complex and ingenious than anything they had imagined when it began circulating around the world, unexplained, in mid-2009. –New York Times, 1/16/11

SLIDE 22

Stuxnet

Stuxnet is the new face of 21st-century warfare: invisible, anonymous, and devastating. ... Stuxnet was the first literal cyber-weapon. Stuxnet appears to be the product of a more sophisticated and expensive development process than any other piece of malware that has become publicly known. America’s own critical infrastructure is a sitting target for attacks like this. (Vanity Fair, April, 2011)

SLIDE 23

Game Changer?

Creating Stuxnet and other highly sophisticated malware (DuQu, Flame, Gauss) might only be possible for a nation state. Using them is not. Stuxnet and its children are accessible to anyone.

“It would be foolish to assume that the usual suspects—anywhere from China to North Korea—would let such an opportunity to dissect and reuse components of the superweapon pass.” (Ralph Langner, Langner Communications)

SLIDE 24

Who Could Launch Such an Attack?

  • Nation states: China, Russia, Iran ... but would they risk war with the U.S.?
  • Criminals: Don’t have an obvious motive for causing widespread chaos. It’s bad for business.
  • Terrorist groups: Probably don’t currently have the capabilities ... but that doesn’t mean they won’t acquire it.

SLIDE 25

Cyber War With Nation States

  • Any future conflict of the U.S. with any nation state will involve a cyber component.
  • “War expands to fill all available theaters.” –Bruce Schneier
  • China, Russia, and others are undoubtedly leaving trojans, back doors, etc. in digital systems. So is the U.S.

SLIDE 26

What You Can Do

Of course, encourage good security practices.

The Australian Defence Signals Directorate showed that you can prevent 85% of targeted intrusions with four key measures:

1. use application whitelisting
2. rapidly patch applications
3. rapidly patch OS vulnerabilities
4. minimise the number of users with admin privileges

SLIDE 27

What You Can Do

Understand that war rhetoric can be harmful.

  • Defending against cyber threats does not require military expertise or prowess.
  • We don’t want a militarized cyberspace.
  • There is no “exit strategy” in the cyber security challenge.
  • Beating the drums of war encourages people to give up some of their freedoms.

SLIDE 28

What You Can Do

Educate yourself about Internet governance and policy issues at the national level.

  • Do you understand the implications of SOPA, PIPA, CISPA?
  • CISPA passed the U.S. House of Representatives yesterday. Do you as a security professional have an informed opinion on this important legislation?

“This is something happening now that is beyond computer security.” –Bruce Schneier

SLIDE 29

What You Can Do

Educate yourself about Internet governance and policy issues at the international level.

Did you know: there are proposals circulating to take internet governance away from IETF and ICANN and give it to ITU (International Telecommunications Union, a U.N. subsidiary).

SLIDE 30

ITU Governance of the Internet

The ITU is a treaty-based organization under U.N. auspices. Each country has one vote. Many countries don’t want the Internet to remain a free marketplace of ideas.

The broadest proposal in the draft materials is an initiative by China to give countries authority over “the information and communication infrastructure within their state” and require that online companies “operating in their territory” use the Internet “in a rational way”—in short, to legitimize full government control. (WSJ, 6/17/12)

Russian President Vladimir Putin has declared that his goal and that of his allies is to establish “international control over the internet” through the ITU.

SLIDE 31

ITU Governance

What would ITU governance of the Internet mean?

  • Subject cyber security and privacy to international control
  • Allow phone companies to charge for international Internet traffic
  • Impose economic restrictions on traffic-swapping agreements (peering)
  • Place ICANN under ITU control
  • Institutionalize national censorship of Internet content
  • Politically paralyze engineering and economic decisions

SLIDE 32

What Should You Do?

Champion internet independence and the current multi-stakeholder governance model.

Vinton Cerf, one of the founders of the Web, recently told Congress that this U.N. involvement means “the open Internet has never been at a higher risk than it is now.”

SLIDE 33

Some Sources

  • Paul Rosenzweig, Cyber Warfare: How Conflicts in Cyberspace are Challenging America and Changing the World, Praeger, 2012.
  • Joel Brenner, America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime and Warfare, Penguin, 2011.
  • Richard Stiennon, Surviving Cyber War, Government Institutes, 2010.
  • Jeffrey Carr, Inside Cyber Warfare, O’Reilly, 2010.
  • Richard A. Clarke and Robert K. Knake, Cyber War: The Next Threat to National Security and What To Do About It, HarperCollins, 2010.

SLIDE 34

Some Sources

  • Franklin D. Kramer, et al. (editors), Cyberpower and National Security, National Defense University, 2009.
  • McAfee, Inc., “2009 Virtual Criminology Report, Virtually Here: The Age of Cyber Warfare,” December, 2009.
  • Matthew J. Sklerov, “Solving the Dilemma of State Responses to Cyberattacks: A Justification for the Use of Active Defenses Against States Who Neglect Their Duty to Prevent,” Military Law Review, Winter, 2009.
  • staff.washington.edu/dittrich/cyberwarfare.html
