The Hands-off Approach to Monitoring and Managing Threats that Transit an ISP’s Network is Putting Businesses and Government at Risk.
Nortel was in the news this week, joining a long list of companies who have a problem with the Chinese owning their networks. Nortel had known about the APT problem on their networks for years and did done very little to stop it besides changing the password of the CEO and a few other executives. Shocked? Amazed? Not me. I get it.
What shocks me is the following: it seems APTs have spread their tentacles all over the globe, everyone knows about them, the U.S. government spends millions of dollars investigating it, and on the surface no one calls the Chinese to the table to spread out the evidence and hold them responsible for the shear volume of cyber theft. Nortel and other companies’ continue to be ram shackled by the Chinese daily. It is an open secret. Millions of bytes of data have been sent back to China in the form of intelligence, trade secrets, and military contractor data.
A New York Times article estimates that over 867 Terabyes of data was stolen last year. Ok, everyone knows it. It's in the news, and there is an industry that has grown up around it. So what? The business of information security has not changed much since I got into the business in its infancy, over 15 years ago. Firewall/ IPS/ AV/ Host IDS/ Bastion networks, patch management, configuration management and all of the stuff we are suppose to do has been the paradigm of security since information security became a discipline.
How much money has the U.S. Government spent on cybersecurity? Billions? Corporations? Billions more? And what is the measure of effectiveness? It seems that Anonymous, LuzSec, the Russians, and of course the Chinese, have cut through our expensive defenses like a hot knife through butter. If you remove the emotional impact of being hacked, the compliance issues, the law, etc., and look at ROI for cybersecurity, what is the payback? How is it measured? Spend a dollar, save ten dollars? If you ask the cybersecurity industry they would have you spend lots of CAPEX and lots of OPEX to make sure you save……what?
If you look at the long list of victims of the miscreants it is a wonder that there is not a glut of CISOs and CSO on the street, fired for wasting their companies money. What we are doing does not work, in fact it is only getting worse. As business and government move into the cyber age with no plan B, it will get worse still. What should we do? Keep spending the money on defenses that don’t seem to slow anyone down? Nortel had it right. Let them pillage their networks. Maybe now that it has been leaked that it has happened, people might hem and haw, but Nortel saved a lot of money not trying to stop something that appears to be unstoppable. Good for them. I get it. If businesses and governments are serious about stopping the naughty people then a few things have to happen. Hence, the regulation.
Enter the US Senate’s “The Cybersecurity Act of 2012, S. 2105 ”. The Cybersecurity Act is NOT SOPA or PIPA, nor does it discuss digital rights or copyrights. It deals with the protection of government and critical national infrastructure. The Internet culture hates regulation but people need to understand that if the Internet is unregulated then it will remain a paradise for thieves. The Cybersecurity act is a good start, but the current language is too general and relies on the old security paradigm of stopping an attack at the front door of the target, rather than on the Internet backbone, which does not work. ISPs, as a matter of being critical infrastructure, insomuch as they provide conductivity, must protect themselves from attacks, are not going far enough. They must be the first line of defense. Here’s an idea: Have the government and private organizations track the internet location of the bad guys, provide a “black list” and have the ISPs within the U.S. – both domestic and foreign – route that traffic to dev/null. Also enforce BGB route standards that enforce routes that prevent foreign ISPs, acting on behalf of their governments, from reaching into the U.S. national network and sniff out traffic from the internet that should route wholly within the U.S. This means that if the Office of the Secretary of Defense sends an email to the Whitehouse, it does not route via Mumbai or Shanghai.
Smart regulation of emerging threats to our government and businesses needs to be examined by a group of non-political (maybe there is no hope?) experts in order to accomplish a few other things:
Admit that trying to fix the problem at the enterprise network will never work. Cybersecurity is complicated, dynamic, and expensive. Too expensive to justify the cost, or too complicated to understand the cost, so everyone must accept the enterprise network is just too deep down the stack to fix the problem. You need to go up to the network providers and kill the bad guys in the cloud. That’s right. SaaR (Security as a Regulation). The ISPs can, but will not, stop all kinds of traffic from even getting from one place to another. Tier 1 ISPs can stop most of the naughty traffic from China to the U.S., but would scream bloody murder if someone suggest such a thing. They would be exposed to huge litigation and privacy issues.
The current practice of a total hands-off approach to monitoring and managing threats that transit an ISP’s networks is putting our business and government at risk. To an ISP, privacy laws and other regulations prevent them from doing so in many cases, and it is not part of their business model. They sell bandwidth and are responsible for none of it.
The current language suggests that the role of the ISP, as critical national infrastructure, is to establish a standard to protect itself from attack. There is no draft regulation on rout filtering for peered foreign ISPs within the U.S., essentially meaning a foreign ISP could highjack a route, which China did in 2010, or even black hole a route, grabbing traffic that originated and terminates within the US – essentially reaching into our core national networks and copying traffic as they wish without anyone knowing it. Crazy? You bet it is.
There is no mention of using the intelligence sharing and power of the ISPs to intercept traffic bound toward enterprise targets within the private sector and government, even though there are lots of organizations that have a pretty good idea of who the bad guys are right now. And who they are tomorrow. If you know where they live on the Internet, then you can make the Internet stop working for them. Sounds absurdly simple? Well, emerging technologies have the ability to track, at 40 Gb/s line speeds, lots of the bad people who tend to use a few similar methods to ply their nefarious trade. The point of compromise on an enterprise network is usually though a malicious message, which then exploits vulnerabilities on the computer, that then creates a backdoor and runs behind the network’s perimeter defenses. The malicious message becomes a bot, virus, or a Trojan which then steals data and sends it home to a command and control server. The traffic has to go home. The bad guys and victims are usually geographically separated, so when the traffic needs to phone home, it will probably transit over a Tier 1 ISP on the long haul across the pacific – the case of the Chinese against the Americans. If we know the way home, directly or via an intermediary, then it is simple as pie to stop the traffic at an ISP. Stop the problem. Route their traffic to dev/null. It would take a few minutes to inject a BGB route into a Tier1 network to drop all of the naughty traffic at their peering points by routing it to a null interface on their core routers. They could even drop it on their edge and save the trouble of routing it at all.
Without the ISPs getting involved is addressing the threat directly by working to stop it, the current legislation is just going to mean more regulation, and more money spent on a failed paradigm that will not slow anyone down. It might mean that ISPs protect themselves from DDoS and other outages, which they don’t want to do anyway because it is bad for business, and are not very vulnerable to anyway. The bad guys will like this bill as well, because they rely on a robust network to keep the communications lines open between them and their targets.
We need the new regulation, but we need to take it up the stack… and kill it in the cloud.