Cyber Security Conference - Rethinking cyber-threat

Rethinking the Cyber Threat: A Framework and Path Forward

Scott Charney, Corporate Vice President, Trustworthy Computing Group, Microsoft Corporation

Upload: microsoft
Post on 24-Jun-2015

The information contained in this document represents the current view of Microsoft Corp. on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of Microsoft.

Microsoft may have patents, patent applications, trademarks, copyrights or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights or other intellectual property.

© 2009 Microsoft Corp. All rights reserved.

Microsoft is a registered trademark of Microsoft Corp. in the United States and other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Microsoft Corp. • One Microsoft Way • Redmond, WA 98052-6399 • USA

Contents

Introduction ... 5
Understanding the Cyber Threat ... 5
Rethinking the Cyber Threat ... 7
The Problem of Attribution ... 8
Categories of Attacks ... 10
Conclusion ... 12

Introduction

For more than two decades, people have struggled to understand the cyber threat, evaluate the risks to individuals and organizations (including nation-states), and craft appropriate responses. Although many organizations have invested significantly in information assurance, most computer security experts believe that a well-resourced and persistent adversary will more often than not be successful in attacking systems, especially if raising defenses is the only response to an attack. For this reason, increasing attention is being paid to deterring such attacks in the first instance, especially by governments that have the power to investigate criminal activity and use a wide range of tools to respond to other public safety and national security concerns.

Notwithstanding this emerging discussion, it appears to many people that neither governments nor industry are well-positioned to respond to this highly complex threat and that, from a policy and tactical perspective, there is considerable paralysis. The purpose of this document is to better explain the cyber threat, identify the reasons why cyber attacks often confound those responsible for crafting responses, and suggest a new framework for creating more effective cyber attack responses.

Understanding the Cyber Threat

The cyber threat is difficult to assess and mitigate for six reasons:

(1) There are many malicious actors. Low-cost computer technology, widespread Internet connectivity, and the ease of creating or obtaining malware mean that almost anyone can engage in malicious activity. Indeed, the Internet is a great place to commit crime because it provides global connectivity, anonymity, lack of traceability, and rich targets. Malicious actors include individuals, organized crime groups, terrorist groups, and nation-states, and actions that might serve to deter one group may be less effective against another.

(2) There are as many motives as there are actors. These motives may relate to traditional areas of criminal activity (for example, fraud or the distribution of child pornography), economic espionage, military espionage, or cyber warfare.

(3) There are many different but commonly used attack vectors. Leaving aside supply chain and insider threats, which pose their own challenges, remote attackers might take advantage of product vulnerabilities, system misconfigurations, and social engineering. Because different actors may use similar techniques, the nature of the attack might not yield reliable clues about the identity of the attacker or the attacker’s motives. This fact, combined with anonymity and lack of traceability, means that attributing attacks is very difficult, and punishment for malicious activity is unlikely.

(4) The Internet is a shared and integrated domain. It is shared by citizens, businesses, and governments in a manner that makes it difficult to segregate one group from another. Moreover, free speech, commercial transactions, espionage activities, and cyber warfare may be occurring in this shared and integrated domain, all at the same time and over the same transport medium. With a limited ability to parse actors and activities, tailored responses to specific threats are extremely hard to craft.

(5) The potential consequences of an attack are very difficult to predict. Certain nefarious activity such as network scans or unauthorized system access may be a prelude to information theft, a data integrity breach, or a disruption of service. Moreover, the complex interrelationships between systems suggest that there may be unanticipated cascading effects, some of which may be more severe than even the intended effect. Finally, while some attacks may be obvious (for example, a denial of service attack against a critical infrastructure) and generate a quick response, other attacks may be hard to detect. Much has been written about the exfiltration of data from sensitive systems; a more disconcerting scenario might be a critical alteration of data. Not only can this be difficult to detect, but it may be difficult to discern when the data was changed without authority, thus making it difficult to “roll back” to a known good state.

(6) The worst-case scenarios are alarming. In the popular press, policy space, and think tanks, these scenarios include disrupting critical infrastructure services, impeding key economic functions, or imperiling public safety and national security (thus explaining oft-repeated references to an “electronic Pearl Harbor”). The complexity of these scenarios, which results in part from massive interconnectivity and dependencies between systems that are not always well understood, has made it difficult to develop a consensus regarding the probable consequences of an attack. As for our ability to recover quickly from such an attack, society’s increasing dependence on information technology systems and the data they contain may mean that there is no longer an existing manual process with trained people to fall back on.

In an environment where actors and motives may be unknown and in which the potential consequences may be dire, it is easy to understand why there is great concern. But where there are so many actors with so many motives – and these actors and their activities are commingled with innocuous and even constitutionally protected activities – it is also easy to understand why those responsible for crafting strategic and tactical responses get bogged down.

To complicate matters even more, society is not starting with a blank slate: there are existing methods for dealing with bad actors, methods that have been codified in law and that do not work well in this new environment. For example, in the United States we have a legacy of organizations that use different authorities to address different threats to public safety and national security. To protect citizens against crime, we hire, train and equip law enforcement personnel and, as part of an investigation, we permit them to issue subpoenas, execute search warrants, and obtain wiretap orders under the Electronic Communications Privacy Act (ECPA). To protect us against those who would steal our military secrets or attack other vital state interests, we rely upon the intelligence community to both collect foreign intelligence and engage in counterintelligence; as part of its work, that community may rely upon a different set of authorities, such as National Security Letters and the Foreign Intelligence Surveillance Act (FISA). Finally, to address the military threat posed by another nation-state, we fund a military that relies on yet a different set of authorities in the United States code (for example, Title 50 and Title 10). Other countries have a similar separation of authorities. In short, depending upon the category of threat, countries deploy different resources, and each resource plays by its own set of rules.

This traditional model works well when one can identify the nature of the attack; specifically, “who” is attacking and “why.” This traditional model fails in the Information Age because when computers are under attack, the “who” and “why” are frequently unknown. By way of example, many years ago a Russian military plane shot down a Korean civilian jetliner. For a long time, notwithstanding Russian claims of non-responsibility, it was widely believed that state action, or at least rogue military action, was responsible. Why? Because civilians do not have access to fighter jets. But the notion that only states have access to weapons of war is no longer correct, at least not if information warfare is considered. Simply put, it is not difficult to obtain computer technology and the skills to misuse it; a potentially powerful arsenal has been placed in the public domain. Our traditional vigilance regarding states that support terrorism, political unrest, or are otherwise considered “rogue” (that is, “nations of concern”) must now be supplemented by vigilance regarding “individuals of concern,” a far larger pool, and one that is harder to identify and harder to contain. If one appreciates that an attack upon a defense department may come not only from a foreign nation conducting information warfare, but also from juveniles living within the victim’s country (as it did in Solar Sunrise, the case name for a cyber attack against the U.S. Department of Defense), then one appreciates that launching a military response might not be the right approach. In short, the world is confronted with two problems: (1) a plethora of attacks by a diverse set of individuals with differing motives and (2) security response systems that are contingent on knowing facts that may be unavailable.

Rethinking the Cyber Threat

In a world of such diverse threats and increasing allegations of cyber crime, economic espionage, military espionage, and cyber warfare, it is critically important that governments and cyber security professionals think differently about malicious cyber events and how to respond to them. The starting point is breaking down attacks by attribution and category. With regard to “the who” (and, inferentially perhaps, “the why”), there may be strong attribution, some probability of attribution (high to low), or no attribution. With regard to categories, there are four: cyber crime, military espionage, economic espionage (and other areas where nation-states are in philosophical disagreement on normative behavior) and cyber warfare. Each level of attribution and each category of attack raises unique issues regarding response, with one exception. Defensive measures are always appropriate, and nothing prevents someone from adopting stronger security measures, such as adopting multi-factor authentication. Strong defenses are not enough, however, as offense almost always beats defense on the Internet. So although stronger defenses might deter some who will seek easier targets (much like locking one’s door encourages a burglar to seek a less-protected house), persistent, well-funded and motivated adversaries are not readily deterred by defenses, especially because defenses have proven insufficient in so many cases.

The Problem of Attribution

The starting point for any new strategy must focus on attribution because, even though the open and unauthenticated nature of the Internet makes attribution difficult, having some idea of who the bad actor might be is certainly helpful. Today, attribution is extremely difficult for both technical and non-technical reasons. Key data relating to source may not exist or be inaccurate, those who have relevant data may be reluctant to share it, and even governments that want to collaborate may find it difficult to do so because of legal constraints, especially if data must be obtained and shared across jurisdictional boundaries. When data is shared, it may still be hard to reach consensus on what the data means.

For example, in the recent attacks against Google, many different “theories” regarding actors and motives were advanced. Without in any way suggesting one theory is more plausible than any other, the recent attacks on Google led people to suggest that these attacks were the work of (1) the Chinese Government (“Chinese Attack on Google Among the Most Sophisticated Cyberattacks Ever, Experts Say,” POPSCI, January 15, 2010),[1] (2) Chinese universities (“2 China Schools Said to be Tied to Online Attacks,” The New York Times, February 18, 2010),[2] or (3) a Chinese hacker (Steve Ragan, “Was Operation Aurora really just a conventional attack?”, January 27, 2010).[3] More recently, researchers have expressed some confusion over whether this incident consisted of one attack or two, and have referenced the existence of a Vietnamese botnet.[4]

[1] http://www.popsci.com/technology/article/2010-01/chinese-cyber-attack-google-among-most-sophisticated-ever-experts-say
[2] http://www.nytimes.com/2010/02/19/technology/19china.html?partner=rss&emc=rss
[3] http://www.thetechherald.com/article.php/201004/5151/Was-Operation-Aurora-really-just-a-conventional-attack
[4] http://blog.damballa.com/?p=652

In light of current realities, it seems that the issue of attribution must be addressed in three ways. First, attribution should be improved where possible. Leaving aside long-term efforts to re-architect the Internet, it is possible to increase attribution through wider application of existing strong authentication technologies (along with appropriate auditing), through more effective technical trace-back mechanisms (when legally permitted), or through more streamlined international assistance (in cases where foreign assistance is practical). For example, even today it is possible to deploy technologies that enforce more robust authentication of hardware and people (for example, TPM to TPM-based authentication, which is multi-factor authentication based upon the issuance of secure digital credentials after in-person proofing).[5] The benefits of more robust attribution are that some attackers will be deterred, some attackers will be thwarted, and some attackers may be identified. And although more sophisticated adversaries may still be successful, the fact that some attacks have been deterred or prevented permits organizations to refocus some of their existing security resources on more complex and intractable threats.

Second, it will likely be important to focus on probability of accurate attribution, as opposed to certainty of attribution. In many areas, of course, absolute certainty is seldom achievable. For this reason, a range of different standards has developed (for example, proof beyond a reasonable doubt, a preponderance of the evidence) and individuals and organizations often have to rely upon probabilities when making critical decisions (such as when opting for one medical treatment over another). Of course, the greater the certainty, the easier it may be to choose a course of action, but that does not mean certainty is required before reasonable action can be taken.

Third, it will be necessary to decide what actions, if any, are permissible in those cases for which the probability of accurate attribution is low for either technical or non-technical reasons. The “safe” answer is, of course, “none,” at least in terms of reducing international tension regarding unilateral action. But the problem with that answer is that it leaves too many threats unaddressed and causes victim countries to assume too much risk to public safety and national security. If this is correct – if the status quo is not acceptable – then a different calculus is required. One possible approach is to focus on probability and harm, and whether that harm can be avoided through traditional mechanisms. If, for example, (1) an attacker has successfully penetrated a critical system; (2) the attacker has the capability of causing serious damage; and (3) timely and meaningful foreign assistance is not forthcoming, affirmative action may be warranted even if one cannot assert, with certainty, that the attacker is affiliated with a particular group.

This approach, of course, highlights the many challenges in this area. What is the right “probability” threshold, what is the right tolerance for “harm,” what constitutes “timely and meaningful assistance,” and what type of response will be viewed as proportionate? Although these are all difficult questions, society has tackled them in other areas. For example, in the areas of nuclear proliferation, development of weapons of mass destruction, and harboring terrorists, countries frequently determine whether another country’s assistance is meaningful, whether negotiations represent progress or a stalling tactic, and what repercussions might be appropriate if forward progress is not made.

To be clear, one cannot overstate the challenges in this area. While an attack on a supervisory control and data acquisition (SCADA) system may readily suggest the potential of a dire consequence, the impact of other attacks can be far more difficult to predict. For example, scanning a system and accessing accounts without authority may be a prelude to information exfiltration (which is serious, but perhaps not devastating) or the alteration of critical data that might result in serious physical injury or death. A system scan may be the prelude to an attack on the confidentiality of data or a denial of service attack. Such uncertainties can cause inaction and, ultimately, countries will need to discuss what level of risk is tolerable and when certain actions are appropriate. It must also be remembered that national authorities have a wide range of tools at their disposal, from political demarches to economic sanctions to cyber or kinetic counterattacks; as in the physical world, different predicates will justify different responses. But establishing some a priori agreement between nation-states might help define acceptable behaviors and decrease tensions when action is taken.

[5] For more on authentication, see the “Establishing End-to-End Trust” white paper at http://www.microsoft.com/mscorp/twc/endtoendtrust/vision/.

Categories of Attacks

Of course, in some cases attribution – or at least a high probability of accurate attribution – is possible, even if not disclosed publicly. These attacks fall into four different categories. Once this is understood, it becomes clear where society’s current response mechanisms could be improved, and where new strategies must be adopted.

The first category relates to conventional cyber crimes.[6] These crimes include cases in which computers are targeted for traditional criminal purposes, such as fraud, or used as tools to commit traditional offenses (for example, the distribution of child pornography). In this category, existing law enforcement mechanisms generally provide the right framework for response, but much work needs to be done to update and harmonize national legal regimes and increase dramatically the speed of law enforcement execution. Nation-states should be encouraged to pass cyber crime legislation where it is needed, to develop the capability and capacity to fight cyber crime, and to join international efforts (for example, the Council of Europe Convention on Cybercrime). To the extent that other nations refuse to help address this threat, governments should think about the mechanisms they traditionally use to obtain greater international assistance from reluctant countries. Efforts against money laundering and other transnational crimes can provide valuable lessons in this area.

[6] The cyber crime category is by far the broadest, as it captures the largest number of actors (from juveniles to repeat offenders) and the largest number of motives/actions (from tampering with one’s school grades to committing complex fraud to causing significant damage to an IT system in a non-warfare context). Clearly, international government responses will have to be flexible and proportional.

The second category relates to military espionage cases; more specifically, the allegations that some nation-states intrude into and exfiltrate large amounts of sensitive military data from government agencies and/or the military industrial base. Without diminishing the seriousness of these allegations, it is important to recognize that military espionage has been occurring from time immemorial, and that some victims of military espionage may be engaged in such espionage activities themselves. Knowing it is unlikely that such conduct will stop, countries should aggressively raise their cyber defenses, hone their offensive capabilities, and use those traditional elements of national power that are typically used to address espionage concerns.

The third category relates to economic espionage cases and other cyber events where governments clearly have philosophical differences about what constitutes acceptable behavior. For example, many countries believe that businesses should compete on a level playing field, and that legal systems should protect the right of those who develop new ideas to monetize them. By contrast, other countries believe that national security is dependent on economic security and, to achieve economic advantage, it is the government’s role to support indigenous industries by stealing the intellectual property created in other nations (or at least turn a blind eye when a domestic company steals information from foreign competitors). These countries are not deterred by the fact that such an approach is both immoral and nearsighted. It is immoral because the theft of intellectual property is, quite simply, theft, and nearsighted because a country cannot establish a culture of innovation and achieve true economic advantage if intellectual property rights are not respected. Where countries do have such philosophical differences, international diplomacy should focus on establishing appropriate international norms and codifying those norms in international agreements, as has been done in other areas.

Another area of philosophical dispute, and one that is even more challenging than economic espionage, relates to freedom of speech. With regard to economic espionage, the debate is a fairly binary one: either the theft of property for national economic benefit is appropriate or it is not. By contrast, the right of free speech rests along a continuum: some countries are more restrictive than others. In such cases, questions may arise regarding the extent to which speech is restricted (there is, for example, a big difference between criminalizing hate speech and criminalizing religious or political speech) as well as whether the government that restricts speech was democratically elected (thus indicating that any restrictions are sanctioned by the populace). To complicate matters even more, when countries do negotiate international agreements and set normative behavior, it is common to have a treaty provision – essentially a carve-out – that reserves to governments the authority to take those actions necessary to protect public order and national security, notwithstanding other provisions of the treaty. Because countries will not waive this sovereign right to protect public safety – and because limitations on speech are often justified as necessary to maintain public order – it is unlikely that negotiations will easily yield new normative behaviors. Still, agreements on the margins may be achievable. For example, in an age in which user-created content is transmitted across global IT systems and stored in a cloud, ensuring safe harbor for those who provide the “pipes” or “cloud services” would be warranted, particularly if they are responsive when issues of legality are raised.

The fourth category relates to cyber warfare, a particularly difficult area because, as noted earlier, the Internet is a shared and integrated domain. In the physical world, it is easier to separate troops from hospitals, and there are even rules of war that govern permissible responses when troops launch attacks from hospital rooftops. The Internet does not permit such clean demarcations. But today there is also another problem: society is redefining “warfare.” As is well known, an individual recently attempted to bomb an airliner travelling to Detroit, Michigan. Reported evidence suggested this individual had connections to a known terrorist group and, in the aftermath of that attempted attack, there was a debate about whether this individual was a criminal who should be read his constitutional rights (given his “Miranda” warnings) or an enemy combatant who belonged in military custody. Of course, in future cases, a person sympathetic to an extremist cause might undertake to blow up a plane without any formal connection to any organized terrorist group; the actor might simply be a sympathizer who is acting alone. If this happened, a nation-state might well find itself “at war” with a single individual. Asymmetric warfare has significant implications for cyber attacks, because the Internet permits a potentially anonymous and untraceable individual with virtually no resources to engage a nation-state in cyber warfare. Rules for such asymmetric cyber warfare will need to be considered.

But even if cyber warfare were restricted to nation-state activity, the risk of casualties to critical infrastructures and non-combatant property would be significant, especially when one considers that the unintended consequences of an attack may be hard to predict. Much has been written about this (see, for example, the National Research Council Report, “Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities”[7]) and it is not my intention to repeat those lengthy dissertations here. Suffice to say, domestic views and international agreements regarding what constitutes appropriate military activity in this shared and integrated domain will be increasingly important as militaries around the world hone their cyber capabilities, and as Internet growth and cloud computing make civilians even more dependent on our IT infrastructure. Indeed, if the concern is an electronic Pearl Harbor, perhaps part of the response is an electronic “Geneva Convention” that protects the rights of non-combatants.

The preceding four categories are important not because they eliminate all the hard questions (they do not), but because they do in some cases make it easier to develop preventative and reactive strategies in cases where attribution exists. They also can help reduce the paralysis that may occur when one attempts to design a single strategy for the myriad threats that are similar only in their use of technology.

Conclusion

There is little doubt that the Internet, with its global connectivity, anonymity, and lack of traceability, poses considerable challenges to those in the private and public sectors who are tasked with protecting it. The breadth of criminal activity, the number of actors and motives, and the lack of reliable attribution have all served to make crafting responses to attacks difficult. While there are no easy answers, greater attribution and clearer rules for responding to both non-attributed and attributed attacks would enable the development and implementation of better strategies and tactics for responding to cyber threats.

If this analysis is correct, the course of future action becomes clearer:

- There must be innovation related to attribution. This includes both technological innovation (to permit sources to be found technically) and legal/diplomatic innovation (to allow the data to be shared quickly, even across borders).

- To deal with cyber crime, it is important for countries to adopt national laws that protect cyber space, build law enforcement capability and capacity, and support international efforts to fight cybercrime.

- To address economic espionage and other areas of philosophical disagreement, there must be international discussions leading to the establishment of norms that are then enforced through national policies and international organizations.

- To address military espionage, nation-states must improve the state of their own computer security, build offensive capabilities as appropriate, and rely upon existing diplomatic and political mechanisms to address disputes.

- To address cyber warfare issues, countries must first develop domestic positions on what the rules for this new domain should be, taking due care to recognize the shared and integrated nature of the domain. Then there must be an international dialogue designed to create international norms for cyber space behavior. Creating these norms will be as difficult as it sounds, but it is still both necessary and, ultimately, unavoidable. Absent such an agreement, unilateral and potentially unprincipled actions will lead to consequences that will be unacceptable and regrettable.

[7] Available at http://www.nap.edu/catalog.php?record_id=12651.