Not only is Capitol Hill pushing cybersecurity legislation to the top of the agenda, but the Department of Defense has declared that real-life military retaliation can be a valid response to cyber attacks. Der Spiegel news magazine recently reported (in German) that cybercrime in Germany has reached an all-time high. All around the world, governments face the same challenge: building a national cyber-security strategy to protect their citizens.
Step One: Setting Priorities
Crafting such a strategy means focusing on three key areas: protecting government systems, protecting national infrastructure, and establishing systems, controls and processes to help the private sector operate safely in cyberspace. The overall strategy should incorporate the following activities:
1. Centralizing all outbound (especially Internet) communications of government organizations under a single authority. The authority’s responsibility should be two-fold: first, to create robust monitoring and attack detection capabilities spanning all communication layers, and in particular the application layer; second, to set security standards that bind every government-affiliated organization when it adds new public-facing connections.
2. Protecting national communication backbones against denial-of-service attacks. This protection should:
• Ensure sufficient internal redundancy.
• Maintain enough redundancy with respect to out-of-country communication lines.
• Include timely detection of various types of attacks (including physical tampering with communication lines).
3. Engaging in a comprehensive and ongoing risk management process. National infrastructure systems (e.g. traffic control, train systems, and power grids) should first be evaluated according to their potential risk. As a second step, a thorough technical evaluation of the security posture of the involved systems (either through pen-testing or an exhaustive vulnerability assessment) should be performed. Any further investment in protective controls should be guided by the results of the risk assessment process, directing resources to the systems at highest risk or with the weakest security posture.
4. Performing hacker intelligence. Analyzing hacker activity (hacker tools, attack origins, and attractive targets) enables the authority to detect substantial attack campaigns against the nation’s computers. Based on this data, the authority can also guide the creation of proper defense mechanisms.
5. Creating processes and tools for analyzing information. Receiving data from the private sector, and especially from network carriers, can enrich the data analyzed by the authority’s hacker intelligence. Further collaboration can include detecting attacks that originate within the country and rooting out the compromised machines on a regular basis.
Step Two: Refine Current Crime Laws
Cyber-crime legislation should be integrated with physical crime laws. For example, the US cyber-security proposal suggests applying RICO (the racketeering laws used to convict organized crime) to cyber-gangs. The government should embrace this initiative, but also take it one step further by not restricting the origin of the crime. When RICO was first introduced, it did not mention the Internet, since no one could have imagined its existence. Since we cannot imagine what will exist two or more decades from now, we must prepare in advance.
Step Three: Apply Regulations to Businesses
The country should also ensure that citizens’ data, whether account numbers, health information or other Personal Identifying Information (PII), is securely stored. This means defining exactly what constitutes sensitive data and establishing requirements for security controls. Compliance laws must encompass more than just customer information; they should also take Intellectual Property (IP) into account. The perpetrators of IP theft are often business competitors and nation-states, and since the victimized companies will require the assistance of their country, they should have to adhere to compliance standards.
The US cyber-security proposal has taken a positive step by suggesting the standardization of the data breach notification process. The problem is that the proposal lacks specifics and should contain more details on implementing the actionable steps to protect data and intellectual property. The importance of such laws and standards is difficult to overstate. If we look at the Payment Card Industry Data Security Standard (PCI DSS) as an example, studies have shown that businesses that have adopted PCI DSS have experienced a much lower rate of data breaches. Many US states in fact use PCI DSS as the de facto standard for their data privacy and security initiatives, simply because of its effectiveness and prescriptive nature. Countries can apply this model to legislation at the national level.
Step Four: Apply the Above
We are beginning to see nations take the first steps in developing sound cybersecurity strategies. At the end of last year, the European Network Security Agency (ENISA) performed its first pan-European cyber-exercise, which is slated to include the United States next year. Concerned with the growth of botnets, ENISA has also published recommendations on mitigating and preventing the threat of bots. The collaboration of governments and the security community has also started to draw more attention. A recent example of this cooperation was the takedown of the Coreflood botnet, a joint effort that involved federal agents and ISPs.
The collaboration between government agencies and the private sector has proven successful. It is now our turn, as citizens, to ensure that the government will not abuse the authority that such a cyber-security strategy may give it. The takedown of Coreflood allowed the feds to actively and directly communicate with infected computers. Yet it also showed the power that federal agencies can have over our computing devices, at any time.
Nations are beginning to take some positive actions in response to cybersecurity threats. And while cyber-crime is on the rise, physical crime in the US is declining. Can computer security pros learn from the real world how to reduce cyber-crime? Stay tuned for the next column, in which I compare law enforcement strategies.