In the security and privacy world, 2012 is turning out to be the year for Internet security bills. From CISPA to CSA to SECURE IT, you name it and there’s been a bill introduced in Congress for “securing” the Internet. The Department of Defense with its DCISE and the White House with the recently announced Industry Botnet Group have chimed in as well. But why now and why so many Internet protection bills suddenly coming up in Congress?
A New Attack Vector
At the heart lies the concept that the Internet has enabled a new attack vector that could be used by the enemies of the United States, or any country for that matter. Think about it. While air and sea used to be the main modes to transport goods and therefore commerce in and out of the U.S., that has now shifted to include cyberspace. By hijacking pieces of the Internet for their own purposes, cybercriminals and state actors are essentially able to breach the United States’ borders without having to leave their desks.
2011 was “the year of the data breach” with numerous high-profile attacks against a wide range of targets, from financial networks to energy companies, to entertainment giants, and of course the security industry itself. Since these attacks appear to have been highly successful as well as long standing, it has become clear that current security practices by many enterprises are inadequate. Further, these attacks typically targeted multiple industries, going after multiple victims. With information on attempts and breaches tightly held within various silos, even when thwarted by one target, that intelligence isn’t available to protect others. Examining the techniques used in many of these breaches like Aurora, Night Dragon, Shady RAT, or the RSA breach, it is clear that intelligence gathered at one targeted organization would have been of enormous benefit to other victims, to identify or even fend off attacks. However, little if any threat “indicators” are shared outside of an organization today.
Making the situation even more grim, recent reports on Stuxnet and other sophisticated viruses in the wild appear to have exposed the U.S.’s own efforts at using the Internet to inflict damage on adversaries. So it’s not much of a stretch to think that similar attacks won’t be launched at the U.S. in the near future—attacking our own critical infrastructure elements.
Thinking along these lines even further, are there ways that attacks of this nature could have even wider ranging implications? Of course the press is rife with speculation about attacks on physical infrastructure like power grids that could certainly be devastating and are very plausible. But one doesn’t have to start making pumps overheat or shut down power generation for Cleveland to create a devastating attack in our hyper-connected world. For instance, if a determined, well-funded and technically adept adversary really wanted to cause a disruption without doing direct physical damage, there are several key points in the Internet infrastructure they could go after. For instance, they could intercept Internet traffic for various key timeservers via routing and DNS hijacking. By hijacking or interfering with network time protocol (NTP) connections, cybercriminals could tell a huge chunk of critical servers that rely on precise timing (including stock exchanges, air-traffic controllers, critical infrastructure support, etc.) that it was a far different time than it was—or maybe just off by a bit. If you think about it, if time for any of those pieces of critical infrastructure is off, it could result in the crash of major stock exchanges, a major disruption in air travel, etc. That could generate a very real Y2K chaos that could have wide-reaching implications. While this may seem farfetched, and would indeed be difficult to accomplish, the types of hijacking needed to pull this off have already been done on a smaller scale.
So now that we see how an attack on the Internet could affect EVERYONE in this or any country, let’s examine what’s philosophically at the heart of recently introduced Internet security bills.
Sharing Information is Key
While there has been well-publicized criticism to many of the Internet information bills being introduced recently, one key intention seems to be at the heart of each bill—sharing information between public and private sector entities to ensure the safety and security of Americans, the U.S. Government and American business. This is driven by the events of 2011 that continue today, and are a logical response to such massive and continuous data exposure events. It has become clear that cybersecurity information sharing isn’t happening at a pace that can keep up with attackers, and the reluctance or barriers to share could be addressed, at least in part, by changing the regulatory atmosphere. Given the ever-evolving nature of cyber threats, the more resources and information about them that can be brought to bear, the better. The key to stopping cyber attacks is sharing actionable information with everyone from government agencies to industry sectors, to open source organizations, to everyone in an extended enterprise.
The Extended Enterprise Blessing and Curse
Coined years ago, the term “extended enterprise” acknowledges that organizations are no longer just made up of employees and management working under one roof, but also encompass a tightly knit network of partners, suppliers, service providers, and customers. Fast forward to the digital present, where it has taken on a whole new meaning and a whole new implication in terms of security risk. In today’s Internet-connected world, organizations routinely and necessarily share large amounts of proprietary and mission-critical information with extended enterprise partners. This is accomplished via corporate data and systems that are directly or indirectly connected in more ways and at more points than ever—enabled by technologies such as cloud computing, virtualization, data and transaction integration, social networking, etc. All of these virtual connections provide exposure points: for your shared data and your networks themselves.
Take your IT department as an example. They regularly connect with Internet Service Providers (ISPs), Third Party Application and Content Providers, Automated Clearinghouse (ACH) transaction partners, software update servers, credit card processors, order fulfillment services and outsourced customer service providers, and much more. While this intimate sharing of information is a security hole that could provide an avenue for cybercriminals, it is essential for business and can actually be turned into a security weapon. By arming your organization with the cyber security information and experience of dozens of organizations, both in and out of your industry, your enterprise should be far more ready for that next cyber attack. This is the power of a “collective defense” that you see in nature and throughout human history. It is ironic that with the Internet connecting everyone more than ever before, that we are finding it difficult to mount such a collective defense via the power of collective intelligence.
While the mechanics of what cyber threat intelligence is shared is a hot-button issue these days with CISPA, CSA, SECURE IT, and other efforts, it is safe to say that if you silo all information, the results could be disastrous. Setting aside the controversial aspects and very legitimate concerns around privacy and powers created by the language in some of these legislative efforts, the idea of providing a path towards better information sharing needs to be explored.
In my next column, I will address specifically where organizations can look to share attack methods (not to be confused with personal data). How is a shared cyber security front so powerful and what kinds of organizations should you align with? Stay tuned!