1. CyberWar or Business as Usual?
The State of International CyberSecurity Initiatives
James Tarala, Enclave Security
2. Fear, Fear, Scary Fear
Actual headlines from the news:
– “Cyberwar declared as China hunts for the West’s intelligence secrets” – The Times of London
– “China has declared a cyber war: NATO” – The Times of London
– “Cyber War: Sabotaging the System” – 60 Minutes
– “Is Israel at Cyber War with Iran?” – ABC News
– “FBI Warns Brewing Cyberwar May Have Same Impact as Well-Placed Bomb” – Fox News
– “Cyber Warriors” – The Atlantic
– “Iran Arrests 30 Accused Of U.S.-Backed Cyberwar” – Darkreading
CyberWar or Business as Usual? © Enclave Security 2010 2
3. Is CyberWar Real?
• It depends on who you ask…
• The media today has realized that cyber-anything sells
• So you can’t help but hear about:
– CyberWar
– China hacking everyone
– The Advanced Persistent Threat (APT)
– Russian organized crime & CyberCrime
– Stolen credit cards & identities
4. Some Say No…
“There is no cyberwar…”
– Howard Schmidt, US Cyber-Security Coordinator
“I think that is a terrible metaphor and I think that is a terrible concept. There are no winners in that environment (Wired).”
5. Some Say Yes…
“We can anticipate that adversarial actors will make cyberspace a battle front in future warfare… Even today, intrusions and espionage into our networks, as well as cyber-incidents abroad, highlight the unprecedented and diverse challenges we face in the battle for information.”
– Gen. Kevin Chilton, USAF
“Cyber is a domain, just as land, sea, air, and space are domains. God made those four domains; you made the fifth one. God did a better job.”
– Gen. Michael Hayden, Former USAF / Director of the CIA
6. Some Say Yes…
“This right has not been specifically established by legal precedent to apply to attacks in cyberspace, it is reasonable to assume that returning fire in cyberspace, as long as it complied with law of war principles... would be lawful.”
– Gen. Keith Alexander, Cybercom
“The big question is can a cyber attack invoke a physical response? The answer is we don't know what the appropriate response is to cyber war against a NATO ally, or what is the appropriate response by a NATO ally to an attack on us.”
– Mark Rasch, Former Head of DoJ Cybercrime Unit
7. What is Real?
• CyberWar is real
• CyberEspionage is real
• CyberCrime is real
• However, all three need to be defined
• Appropriate responses need to be defined
• Rules of engagement for nations / organizations / individuals need to be defined
8. First, the Origin of “Cyber”
• First coined by William Gibson (cyberspace), in his 1982 short story, Burning Chrome
• A later book, Neuromancer, defines it further
• In 2000 he said, “All I knew about the word "cyberspace" when I coined it, was that it seemed like an effective buzzword. It seemed evocative and essentially meaningless. It was suggestive of something, but had no real semantic meaning, even for me, as I saw it emerge on the page.”
9. CyberWar – Defined
• Unfortunately there is no agreed-upon definition for any cyber-related terms
• Therefore we will take “cyber” out of the equation
• War can be defined as (Encarta):
1. armed fighting between groups: a period of hostile relations between countries, states, or factions that leads to fighting between armed forces, especially in land, air, or sea battles. "The two countries are at war."
2. period of armed fighting: a period of armed conflict between countries or groups. "during the Vietnam War"
3. conflict: a serious struggle, argument, or conflict between people. "The candidates are at war."
10. A CyberWar Example
• Attacks began 4/27/2007
• Included DDoS, web defacement, & spam attacks against the government, businesses, & individuals
• Initiated after movement of the Bronze Soldier of Tallinn
• Russian gov’t denied involvement
• Attributed to a single Estonian citizen, or various hacktivists
11. Another CyberWar Example
• South Ossetia War of 2008
• Attacks began 8/5/2008, three days prior to the Russian invasion
• Attacks included DDoS attacks against news agencies & government sites primarily
• Attribution never established officially; again hacktivists are blamed
12. More CyberWar Examples
• 1982 – US alters code managing Russian natural gas pipeline
• 1998 – US hacks into Serbian air defense systems prior to bombing attacks against targets
• 2006 – Israel blames Hezbollah for hacking Israeli sites during 2nd Lebanon War
• 2007 – Various Kyrgyz websites & ISPs targeted with DoS attack during election by unknown actor
• 2009 – Various Iranian government websites targeted in response to elections
13. CyberEspionage – Defined
• Unfortunately there is no agreed-upon definition for any cyber-related terms
• Therefore we will take “cyber” out of the equation
• Espionage (spying) can be defined as (Encarta):
1. Somebody employed to obtain secret information: an employee of a government who seeks secret information in or from another country, especially about military matters
2. Employee who obtains information about rivals: an employee of a company who seeks secret information about rival organizations
3. Secret observer of others: a watcher of other people in secret
14. A CyberEspionage Example
• Attack made public 4/2009
• Attack primarily involved theft of military secrets
• Specifically, electronics & design specifications for the F-35 project
• Information could be used to better defend against the fighters
• No official attribution declared; many speculate Chinese origins
15. Another CyberEspionage Example
• Attack occurred Winter 2009/2010
• Believed to utilize a 0-day exploit in IE6
• Primary target was breach of confidential search engine code & email accounts
• Again attribution never officially determined, but again the Chinese have been blamed
16. More CyberEspionage Examples
• 1996 – 2003 – “Titan Rain” attacks against US military targets from alleged Chinese sources
• 1996 – 1998 – “Moonlight Maze” attacks against US military, energy, and university targets from alleged Russian sources
• 2007 – “Digital Pearl Harbor” attacks against US military networks by unknown national actor
• 2009 – “GhostNet” revealed by researchers as an attack against numerous US interests by alleged Chinese sources
• 2009 – Unknown national actors attack US & South Korean government facilities from alleged North Korean sources
17. CyberCrime – Defined
• Unfortunately there is no agreed-upon definition for any cyber-related terms
• Therefore we will take “cyber” out of the equation
• Crime can be defined as (Encarta):
1. An illegal act: an action prohibited by law or a failure to act as required by law
2. An illegal activity: activity that involves breaking the law
3. An immoral act: an act considered morally wrong
4. An unacceptable act: a shameful, unwise, or regrettable act
18. An Example of CyberCrime
• Attack occurred 11/8/2008
• Primarily a financial theft, stealing $9.5 million from user bank accounts
• Utilized stolen bank cards, raised their withdrawal limit, & used mules to withdraw funds from distributed ATMs
• Attribution back to 4 individuals from Eastern European nations
19. More CyberCrime Examples
• 1/2009 Heartland Payment Systems (130+ million)
• 4/2009 Oklahoma Dept of Human Services (1 million)
• 4/2009 Oklahoma Housing Finance Agency (225,000)
• 5/2009 University of California (160,000)
• 7/2009 Network Solutions (573,000)
• 10/2009 U.S. Military Veterans Administration (76 million)
• 10/2009 BlueCross BlueShield Assn. (187,000)
• 12/2009 Eastern Washington University (130,000)
• 1/2010 Lincoln National Corporation (1.2 million)
• 3/2010 Educational Credit Management Corp (3.3 million)
20. The Problem of Attribution
• One of the biggest challenges responders face is the issue of attributing attacks to known actors
• Attribution: “the ascribing of something to somebody or something, e.g. a work of art to a specific artist or circumstances to a specific cause (Encarta).”
• How can incident responders attribute an attack to a bad actor?
– IP address / MAC address?
– Coding signatures?
– Public announcements / credit?
21. Admitting to Offensive Capabilities
• Which nations admit to having offensive CyberWarfare capabilities?
• So far, only the following have stepped forward publicly:
– The United States (CyberCom)
– The United Kingdom (Office of Cyber Security)
– South Korea (Cyber Warfare Centre)
• The following nations do not deny this capability:
– France, Germany
– Israel
– India, Russia
– North Korea, Iran
22. One Response to the Attribution Issue
• Hold countries responsible for the actions that occur within its IP address ranges
• “Since the price of entry is so low, and … it’s difficult to prove state sponsorship, one of the thoughts … is to just be uninterested in that distinction and to actually hold states responsible for that activity emanating from their cyberspace… Whether you did [the attack yourself] or not, the consequences for that action [coming from your country] are the same.” – Gen. Michael Hayden
23. The US Response
So what has the US done since Jan 2009?
– Commissioned Melissa Hathaway to perform a 60 day CyberSecurity review of US federal systems
– Appointed Howard Schmidt as Cyber Security Coordinator
– Proposed numerous pieces of legislation
– Authorized the creation of CyberCom
– Confirmed Gen. Keith Alexander as the head of CyberCom
– Assigned the DHS responsibility for protecting non-DoD federal computing systems
– Made recommendations for continuous monitoring & assessment controls
24. 60 Day Cyber Security Review
Recommendations from the Review:
1. Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities
2. Prepare an updated national strategy to secure the information and communications infrastructure
3. Designate cybersecurity as one of the President’s key management priorities and establish performance metrics
4. Designate a privacy and civil liberties official to the NSC cybersecurity directorate
5. Formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government
25. 60 Day Cyber Security Review (2)
Recommendations from the Review (cont):
6. Initiate a national public awareness and education campaign to promote cybersecurity
7. Develop U.S. Government positions for an international cybersecurity policy
8. Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement
9. Develop a framework for research and development strategies that focus on game-changing technologies
10. Build a cybersecurity-based identity management vision and strategy
26. CyberSecurity Legislation
• Data Breach Notification Act, S 139
• Data Accountability and Trust Act, HR 2221
• International Cybercrime Reporting and Cooperation Act, S 1438 and HR 4692
• Cybersecurity Enhancement Act, HR 4061
• FISMA II, S. 921
• Intelligence Authorization Act, HR 2071
• Cybersecurity Act of 2009, S 773
• The Grid Reliability and Infrastructure Defense Act, HR 5026
• Energy and Water Appropriations Act 2010
27. US Military Security Efforts
Creation of a Central Cyber Command:
– Referred to as Cybercom
– To be led by Director of the National Security Agency (NSA) Gen. Keith Alexander
– To be located at Fort Meade
– To have both defensive and offensive capabilities
– Will centrally coordinate all DoD cyber defensive activities
– Will assist private industry with the “Perfect Citizen” program
– This is in addition to numerous commands within each of the branches of service
28. DARPA’s Contribution
• “The National Cyber Range program demonstrates the government’s commitment to incubate and create incentives for game-changing technological innovation.”
• “Test new ‘leap-ahead’ concepts and capabilities required to protect U.S. interests against a growing, worldwide cyber threat.”
29. So, what’s next?
• “The times they are a-changin’” – Bob Dylan
• Let’s be definitive with our terms
• Not everything is a “Cyber War”
• But, that doesn’t mean that bad things aren’t happening
• There is a “new normal” – business as usual
• Clearly electronic / cyber elements will be involved in future nation state conflicts
• Nations / organizations / individuals need to know how to respond & mostly how to protect themselves
30. An International Response
• Nation states need to agree on terms & appropriate response
• A “Cyber Treaty” agreed to internationally makes sense
• A new version of the Geneva Convention that specifically addresses the changing nature of warfare & technology
• Russia proposed such a treaty in 1998 – it never materialized
• 15 nations currently considering such a treaty
• Hamadoun Toure of the ITU has also proposed the idea
• Many questions still exist, specifically how to enforce & hold nations accountable for attacks
31. An Organization’s Response
• “Quit whining, act like a man and defend yourself.”
– Gen. Michael Hayden
• Practically, how do we make this happen?
– Decide how important information & systems are to you
– Determine how badly you really want to protect that information
– Dedicate resources to the issue
– Consider a control framework that focuses on methods for deterring directed cyber attacks
32. 20 Critical Controls / CAG
• “This consensus document of 20 crucial controls is designed to begin the process of establishing that prioritized baseline of information security measures and controls (CAG)”
• 20 specific control categories meant to provide a prioritized response to these attacks
• A chance for the cyber offense to inform the defense
• Controls based on the principles of continuous monitoring & automation
• Resources are limited, therefore let’s start with those controls that have the biggest impact in creating defensible systems
33. Further Questions
• If you have further questions & want to talk more…
• James Tarala
– E-mail: james.tarala@enclavesecurity.com
– Twitter: @isaudit, @jamestarala
– Blog: http://www.enclavesecurity.com/blogs/
• Resources for further study:
– CSIS & SANS 20 Critical Controls
– OMB Memorandum M-10-15
– NIST Security Control Automation Protocol (SCAP)
Editor's Notes
Are we near the point of cyber-armageddon, or are we simply engaged in a new reality of information security priorities? Are the attacks being discovered daily against private sector and public federal systems somehow unique and new, or are they simply the new reality of cyberspace? Organizations are regularly forced to make difficult decisions about how best to protect their information systems. Executives daily open the newspaper to find another example of effective cyber attacks and hacking. How do organizations know when security mechanisms are enough to keep their data safe? In an effort to answer this question and respond to mounting cyber incidents worldwide, the US federal government has been engaging in numerous efforts to secure cyberspace. But what are they, and will they be enough? In this presentation James Tarala, a Senior Instructor with the SANS Institute and a Principal Consultant at Enclave Security, will describe current efforts and the tools being offered to help citizens and protect cyberspace.
http://ricks.foreignpolicy.com/posts/2010/04/16/here_comes_cyber_command_but_it_probably_will_be_headed_by_a_human