Not only is Capitol Hill pushing cybersecurity legislation to the top of the agenda, but the Department of Defense has declared that real-life military retaliation can be a valid response to cyber attacks. The news magazine Der Spiegel recently reported (in German) that cybercrime in Germany has reached an all-time high. All around the world, governments face the same challenge: building a national cyber-security strategy to protect their citizens.
Step One: Setting Priorities
Crafting such a strategy means focusing on three key areas: protecting government systems, protecting national infrastructure, and establishing systems, controls and processes to help the private sector operate safely in cyberspace. The overall strategy should incorporate the following activities:
2. Protecting national communication backbones against denial-of-service attacks. This protection should:
• Ensure sufficient internal redundancy.
• Maintain enough redundancy with respect to out-of-country communication lines.
• Include timely detection of various types of attacks (including the physical tampering of communication lines).
3. Engaging in a comprehensive and ongoing risk management process. National infrastructure systems (e.g. traffic control, train systems, and power grids) should first be evaluated according to their potential risk. As a second step, a thorough technical evaluation of the security posture of the involved systems (either through pen-testing or an exhaustive vulnerability assessment) should be performed. Any further investment in protective controls should be guided by the results of the risk assessment process, directing resources at those places that are at highest risk or have the weakest security posture.
4. Performing hacker intelligence. Analyzing hacker activity, such as hacker tools, attack origins, and attractive targets, enables the authority to detect substantial attack campaigns against the nation's computers. Based on the data, the authority can also guide the creation of proper defense mechanisms.
5. Creating processes and tools for analyzing information. Receiving data from the private sector, and especially from network carriers, can enrich the data analyzed by the authority's hacker intelligence. Further collaboration can include the detection of attacks that originate within the country and the regular cleanup of the machines involved.
Step Two: Refine Current Crime Laws
Cyber-crime legislation should be integrated with physical crime laws. For example, the US cyber-security proposal suggests applying RICO (the racketeering laws used to convict organized crime) to cyber-gangs. The government should embrace this initiative, but also take it one step further by not restricting the origin of the crime. When RICO was first introduced, it did not mention the Internet, since no one could have imagined its existence. Since we cannot imagine what will exist in two or more decades, we must prepare in advance.
Step Three: Apply Regulations to Businesses
The country should also ensure that citizens' data, whether it is account numbers, health information or other Personally Identifiable Information (PII), is securely stored. This means defining exactly what constitutes sensitive data and establishing requirements for security controls. Compliance laws must encompass more than just customer information; they should also take into account Intellectual Property (IP). The perpetrators of IP theft are often business competitors and nation-states, and since the victimized companies will require the assistance of their country, they should have to adhere to compliance standards.
Step Four: Apply the Above
We are beginning to see nations take the first steps in developing sound cybersecurity strategies. At the end of last year, the European Network Security Agency (ENISA) performed its first pan-European cyber-exercise, which is slated to include the United States next year. Concerned with the growth of botnets, ENISA has also published recommendations on mitigating and preventing the threat of bots. The collaboration of governments and the security community has also started to draw more attention. A recent example of this cooperation was the takedown of the Coreflood botnet, a joint effort that involved federal agents and ISPs.
Part of a Series – Read Noa's Other Featured Columns Here
The collaboration between government agencies and the private sector has proven successful. It is now our turn, as citizens, to ensure that the government will not abuse the authority that such a cyber-security strategy may give it. The takedown of Coreflood allowed the feds to actively and directly communicate with infected computers. Yet it also showed the power that federal agencies can have over our computing devices – at any point in time.
Next Column
Nations are beginning to take some positive actions to respond to cybersecurity threats. And while cyber-crime is on the rise, physical crime in the US is declining. Can computer security pros learn from the real world how to reduce cyber-crime? Stay tuned for the next column, in which I compare law enforcement strategies.
Previous Column: The Role of Governments in Cyber Security – A Double-Edged Sword