Cyberwar: How Worried Should We Be?
Austin ISSA
Dr. Bill Young
Department of Computer Science
University of Texas at Austin
Last updated: May 8, 2013 at 17:09
Dr. Bill Young: 1 Austin ISSA, May 9, 2013
From the Headlines
Pentagon accuses China of trying to hack US defence networks, The Guardian, 5/7/13
China is using espionage to acquire technology to fuel its military modernisation, the Pentagon has said, for the first time accusing the Chinese of trying to break into US defence computer networks and prompting a firm denial from Beijing.
“The US government continued to be targeted for (cyber) intrusions, some of which appear to be attributable directly to the Chinese government and military,” [the report] says, adding that the main purpose of the hacking is to gain information to benefit defence industries, military planners and government leaders.
From the Headlines
House Intel Chair Mike Rogers Calls Chinese Cyber Attacks Unprecedented, ABC News, 2/24/13
House Intelligence Committee Chair Mike Rogers, R-Mich., said it was “beyond a shadow of a doubt” that the Chinese government and military is behind growing cyber attacks against the United States, saying “we are losing” the war to prevent the attacks.
“It is unprecedented,” Rogers added. “This has never happened in the history of the world, where one nation steals the intellectual property to re-purpose it—to illegally compete against the country.”
From the Headlines
Cyber security in 2013: How vulnerable to attack is US now?, Christian Science Monitor, 1/9/13
The phalanx of cyberthreats aimed squarely at Americans’ livelihood became startlingly clear in 2012 and appears poised to proliferate in 2013 and beyond as government officials, corporate leaders, security experts, and ordinary citizens scramble to devise protections from attackers in cyberspace.
From the Headlines
U.S. Not Ready for Cyberwar Hostile Attackers Could Launch, The Daily Beast, 2/21/13
If the nightmare scenario becomes suddenly real ... If hackers shut down much of the electrical grid and the rest of the critical infrastructure goes with it ... If we are plunged into chaos and suffer more physical destruction than 50 monster hurricanes and economic damage that dwarfs the Great Depression ... Then we will wonder why we failed to guard against what outgoing Defense Secretary Leon Panetta has termed a “cyber-Pearl Harbor.”
CyberSecurity: An Existential Threat?
Cyberattacks an ‘Existential Threat’ to U.S., FBI Says, Computerworld, 3/24/10
A top FBI official warned today that many cyber-adversaries of the U.S. have the ability to access virtually any computer system, posing a risk that’s so great it could “challenge our country’s very existence.” According to Steven Chabinsky, deputy assistant director of the FBI’s cyber division: “The cyber threat can be an existential threat—meaning it can challenge our country’s very existence, or significantly alter our nation’s potential,” Chabinsky said. “How we rise to the cybersecurity challenge will determine whether our nation’s best days are ahead of us or behind us.”
Question for All of Us
If cyberattacks are a credible threat to the very existence of our nation, why aren’t we at war?
Or are we? Are we currently engaged in a Cyber War?
Or is this talk about Cyber War merely hype and exaggeration?
It’s a Dangerous World
“More than 5.5 billion attempted attacks were identified in 2011, an increase of 81% over 2010, with an unprecedented 403 million unique malware variants that year, a 41% leap.” (Symantec Internet Security Threat Report, 2012)
Once PCs are infected they tend to stay infected. The median length of infection is 300 days. (www.insecureaboutsecurity.com, 10/19/2009)
The Privacy Rights Clearinghouse’s Chronology of Data Breaches (January, 2012) estimates conservatively that more than half a billion sensitive records have been breached since 2005.
The Ponemon Institute estimates that the approximate current cost per record compromised is around $318.
Some Notable Cyber Campaigns
First Persian Gulf War (1991): Iraq’s command and control infrastructure is targeted. Radar and missile control network is fragmented and sections of radar coverage are taken offline without central control being aware of the outage.
Estonia (2007): Cyberattacks disabled the websites of government ministries, political parties, newspapers, banks, and companies. Russia was suspected of launching the attack.
Georgia (2008): Russia attacked the nation of Georgia in a dispute over the province of South Ossetia. In addition to the military attack, a concerted cyber DoS attack shut down much of Georgia’s ability to communicate with the external world.
Cyber Attacks on the U.S.
Moonlight Maze: (1998) traced to Russia, exfiltrated many megabytes of defense-related data, including classified naval codes and info on missile guidance systems.
Titan Rain: (2003) probably Chinese, exfiltrated an estimated 10-20 terabytes of data on U.S. systems.
Operation Aurora: (2009) probably Chinese, gained access and possibly modified code repositories at high tech, security and defense contractor companies.
Greatest Transfer of Wealth in History
In July, 2012, Gen. Keith Alexander, director of NSA and U.S. Cyber Command, referred to intellectual property loss via cyber espionage as the greatest transfer of wealth in history.
“Symantec placed the cost of IP theft to the United States companies in $250 billion a year, global cybercrime at $114 billion annually ($388 billion when you factor in downtime), and McAfee estimates that $1 trillion was spent globally under remediation. And that’s our future disappearing in front of us.”
But Is It War?
Cyber warfare involves “actions by a nation-state to penetrate another nation’s computers or networks for the purpose of causing damage or disruption.” (Richard Clarke and Robert Knake)
This definition raises as many questions as it answers.
Is “warfare” even a useful term in this context?
Can a non-state entity engage in warfare?
Which computers or networks really matter?
Which actions should qualify as acts of war?
Why can’t we defend ourselves?
Is “Cyberwar” the Wrong Concept?
Howard Schmidt, the new cybersecurity czar for the Obama administration, has a short answer for the drumbeat of rhetoric claiming the United States is caught up in a cyberwar that it is losing. “There is no cyberwar. I think that is a terrible metaphor and I think that is a terrible concept,” Schmidt said. “There are no winners in that environment.” (Wired, 3/4/10)
Is “Cyberwar” a Dangerous Concept?
Security guru Bruce Schneier, in an interview with Search Security (4/9/13) said:
“My real fear is less the attacks from China and more the increase in rhetoric on both sides that is fueling a cyber arms race. We are definitely not at war. The whole cyberwar metaphor is dangerous. Right now we are seeing cyber espionage. But when you call it ‘war’ you evoke a particular mindset and a particular set of solutions present themselves.”
Is “Cyberwar” a Dangerous Concept?
The cyberwar rhetoric is dangerous. Its practitioners are artists of exaggeration, who seem to think spinning tall tales is the only way to make bureaucracies move in the right direction. ... Not only does it promote unnecessary fear, it feeds the forces of parochial nationalism and militarism undermining a communications system that has arguably done more to connect the world’s citizens than the last 50 years of diplomacy. (Ryan Singel review of Clarke and Knake in Wired, 4/22/10)
Espionage, Yes—War, Not so Much
What we are seeing is “Cyber espionage” on a massive scale. But espionage has never been considered an act of war.
You’re probably thinking: Forget espionage–what about Cyber Pearl Harbor? What about attacks on critical infrastructure?
Critical Infrastructure
Credible security experts suggest that a successful widespread attack on U.S. computing infrastructure could largely shut down the U.S. economy for up to 6 months.
It is estimated that the destruction from a single wave of cyber attacks on U.S. critical infrastructures could exceed $700 billion USD—the equivalent of 50 major hurricanes hitting U.S. soil at once. (Source: US Cyber Consequences Unit, July 2007)
What’s the Risk?
The U.S. is more dependent on advanced technology than any other society on earth.
Much of U.S. critical infrastructure is remotely accessible.
The openness of U.S. society means critical information about facilities (and their vulnerabilities) is widely available.
Other nation states have much more control over their national communication infrastructure.
Technology advances rapidly but remains riddled with vulnerabilities.
How Vulnerable is Infrastructure?
“I have yet to meet anyone who thinks SCADA systems should be connected to the Internet. But the reality is that SCADA systems need regular updates from a central control, and it is cheaper to do this through an existing Internet connection than to manually move data or build a separate network.” –Greg Day, Principal Security Analyst at McAfee
Current Concern
The Obama administration has placed an emphasis on protection of critical infrastructure from cyber attack.
On 2/12/13, the administration released an executive order Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive 21: Critical Infrastructure Security and Resilience.
The Nation’s critical infrastructure provides the essential services that underpin American society. Proactive and coordinated efforts are necessary to strengthen and maintain secure, functioning, and resilient critical infrastructure including assets, networks, and systems that are vital to public confidence and the Nation’s safety, prosperity, and well-being.
Example Threat: Stuxnet
Stuxnet is a Windows computer worm discovered in July 2010 that targets Siemens SCADA (Supervisory Control and Data Acquisition) systems.
First discovered malware that subverts specific industrial systems.
First to include a programmable logic controller (PLC) rootkit.
Believed to have involved years of effort by skilled hackers to develop and deploy.
Narrowly targeted, possibly at Iran’s nuclear centrifuges.
Widely believed to have been developed by Israel and the U.S.
In interviews over the past three months in the United States and Europe, experts who have picked apart the computer worm describe it as far more complex and ingenious than anything they had imagined when it began circulating around the world, unexplained, in mid-2009. –New York Times, 1/16/11
Stuxnet
Stuxnet is the new face of 21st-century warfare: invisible, anonymous, and devastating. ... Stuxnet was the first literal cyber-weapon.
Stuxnet appears to be the product of a more sophisticated and expensive development process than any other piece of malware that has become publicly known.
America’s own critical infrastructure is a sitting target for attacks like this. (Vanity Fair, April, 2011)
Game Changer?
Creating Stuxnet and other highly sophisticated malware (DuQu, Flame, Gauss) might only be possible for a nation state.
Using them is not. Stuxnet and its children are accessible to anyone.
“It would be foolish to assume that the usual suspects—anywhere from China to North Korea—would let such an opportunity to dissect and reuse components of the superweapon pass.” (Ralph Langner, Langner Communications)
Who Could Launch Such an Attack?
Nation states: China, Russia, Iran ... but would they risk war with the U.S.?
Criminals: Don’t have an obvious motive for causing widespread chaos. It’s bad for business.
Terrorist groups: Probably don’t currently have the capabilities ... but that doesn’t mean they won’t acquire them.
Cyber War With Nation States
Any future conflict of the U.S. with any nation state will involve a cyber component.
“War expands to fill all available theaters.” –Bruce Schneier
China, Russia, and others are undoubtedly leaving trojans, backdoors, etc. in digital systems. So is the U.S.
What You Can Do
Of course, encourage good security practices.
The Australian Defence Signals Directorate showed that you can prevent 85% of targeted intrusions with four key measures:
1. use application whitelisting
2. rapidly patch applications
3. rapidly patch OS vulnerabilities
4. minimise the number of users with admin privileges
What You Can Do
Understand that war rhetoric can be harmful.
Defending against cyber threats does not require military expertise or prowess. We don’t want a militarized cyberspace.
There is no “exit strategy” in the cyber security challenge.
Beating the drums of war encourages people to give up some of their freedoms.
What You Can Do
Educate yourself about Internet governance and policy issues at the national level.
Do you understand the implications of SOPA, PIPA, CISPA? CISPA passed the U.S. House of Representatives yesterday. Do you as a security professional have an informed opinion on this important legislation?
“This is something happening now that is beyond computer security.” –Bruce Schneier
What You Can Do
Educate yourself about Internet governance and policy issues at the international level.
Did you know: there are proposals circulating to take internet governance away from IETF and ICANN and give it to ITU (International Telecommunications Union, a U.N. subsidiary).
ITU Governance of the Internet
The ITU is a treaty-based organization under U.N. auspices. Each country has one vote.
Many countries don’t want the Internet to remain a free marketplace of ideas.
The broadest proposal in the draft materials is an initiative by China to give countries authority over “the information and communication infrastructure within their state” and require that online companies “operating in their territory” use the Internet “in a rational way”—in short, to legitimize full government control. (WSJ, 6/17/12)
Russian President Vladimir Putin has declared that his goal and that of his allies is to establish “international control over the internet” through the ITU.
ITU Governance
What would ITU governance of the Internet mean?
Subject cyber security and privacy to international control
Allow phone companies to charge for international Internet traffic
Impose economic restrictions on traffic-swapping agreements(peering)
Place ICANN under ITU control
Institutionalize national censorship of Internet content
Politically paralyze engineering and economic decisions
What Should You Do?
Champion internet independence and the current multi-stakeholder governance model.
Vincent Cerf, one of the founders of the Web, recently told Congress that this U.N. involvement means “the open Internet has never been at a higher risk than it is now.”
Some Sources
Paul Rosenzweig, Cyber Warfare: How Conflicts in Cyberspace are Challenging America and Changing the World, Praeger, 2012.
Joel Brenner, America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime and Warfare, Penguin, 2011.
Richard Stiennon, Surviving Cyber War, Government Institutes, 2010.
Jeffrey Carr, Inside Cyber Warfare, O’Reilly, 2010.
Richard A. Clarke and Robert K. Knake, Cyber War: The Next Threat to National Security and What To Do About It, Harper Collins, 2010.
Some Sources
Franklin D. Kramer, et al. (editors), Cyberpower and National Security, National Defense University, 2009.
McAfee, Inc., “2009 Virtual Criminology Report, Virtually Here: The Age of Cyber Warfare,” December, 2009.
Matthew J. Sklerov, “Solving the Dilemma of State Responses to Cyberattacks: A Justification for the Use of Active Defenses Against States Who Neglect Their Duty to Prevent,” Military Law Review, Winter, 2009.
staff.washington.edu/dittrich/cyberwarfare.html