Toward a Safer and More Secure Cyberspace

2
What Is at Stake?

2.1
INTERCONNECTED INFORMATION TECHNOLOGY EVERYWHERE, ALL THE TIME

For many people today, the information revolution is represented by the most visible and salient interactions they have with information technology (IT)—typing at the keyboard of their computers at work or at home or talking on their cellular telephones. People’s personal lives also involve computing through social networking, home management, communication with family and friends, and management of personal affairs. But a much larger collection of information technology embodied in computing, software, and networking deployments is instrumental to the day-to-day operations of companies, organizations, and government. Companies large and small rely on computers for diverse business processes, ranging from payroll and accounting to the tracking of inventory and sales, to support for research and development (R&D). The distribution of food and energy from producer to retail consumer relies on computers and networks at every stage. Nearly everyone (in everyday society, business, government, and the military services) relies on wireless and wired communications systems. Information technology is used to execute the principal business processes both in government and in many of the largest sectors of the economy, including financial services, health care, utilities, transportation, and services. Indeed, the architecture of today’s enterprise IT systems is the very embodiment of the critical business logic in complex enterprises. It is impossible to imagine the Wal-Marts, the FedExes, and the Amazons of today without information technology. In short, many computing and communications systems are themselves infrastructure and serve as components of the infrastructure of other organizations.

In the future, computing and communications technologies (collectively, information technologies) are likely to be found in places where they are essentially invisible to everyday view: in cars, wallets, clothing, refrigerators, keys, cabinets, watches, doorbells, medicine bottles, walls, paint, structural beams, roads, dishwashers, identification (ID) cards, telephones, and medical devices (including some embedded in human beings). Computing will be embedded in myriad places and things or will be easily transported in pockets or on wrists. Computing devices will be coupled to multiple sensors and effectors. Computing and communications will be seamless, enabling the tight integration of personal, family, and business systems. Sensors, effectors, and computing will be networked together so that they pass relevant information to one another automatically. In this vision of truly pervasive computing, the ubiquitous integration of computing and communications technologies into common everyday objects enhances their usefulness and makes life easier and more convenient. Understanding context, personal information appliances will make appropriate information available on demand, enabling users to be more productive in both their personal and professional lives. And, as has been true with today’s desktops and mainframes, interconnections among all of these now-smart objects and appliances will multiply their usefulness many times over.

2.2
THE NATURE OF CYBERSECURITY VULNERABILITIES

A security vulnerability in an IT artifact (e.g., a part, hardware component, software module, data structure, system, and so on) exists if there is a way to manipulate the artifact to cause it to act in a way that results in a loss of confidentiality, integrity, and availability.
Confidentiality. A secure system will keep protected information away from those who should not have access to it. Examples of failures that affect confidentiality include the interception of a wireless signal and identity theft.

Integrity. A secure system produces the same results or information whether or not the system has been attacked. When integrity is violated, the system may continue to operate, but under some circumstances of operation, it does not provide accurate results or information that one would normally expect. The alteration of data in a database or in a sensor data stream or an instruction stream to a mechanical effector, for example, could have this effect.

Availability. A secure system is available for normal use even in the face of an attack. A failure of availability may mean that the e-mail does not go through, or the computer simply freezes, or response time becomes intolerably long (possibly leading to catastrophe if a physical process is being controlled by the system).

These types of damage may be inflicted without the victim even being aware of the attack. For example, a system may be compromised by the obtaining of information ostensibly protected by that system (e.g., encrypted information may be intercepted and decrypted without the owner realizing it). Or, an attack may be used to support a selective denial of services (i.e., the allowing of access for most connections, but denying or corrupting some particular critical connections). If improper alteration occurs in small amounts in large, seldom-referenced databases, the fact of such corruption may never be discovered.

Note also the impact of any such damage on the user’s psychology. A single database that is found to be corrupted, even when controls are in place to prevent such corruption, may throw into question the integrity of all of the databases in a system. A single data stream that is compromised by an eavesdropper may lead system operators and those who depend on the system to be concerned that all data streams are potentially compromised. In such cases, the potential harm from any of these incidents goes far beyond the actual corrupted database or compromised data stream, since enormous amounts of effort need to be made to ensure that other databases or data streams have not been corrupted or compromised. Those other databases may be perfectly good, but may not be considered reliable under such circumstances.
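The integrity failure just described (small alterations in large, seldom-referenced data that no human reader will ever notice) is only discoverable if something other than a reader checks the data on a schedule. The Python below is an added example, not part of the report; it keeps a keyed digest (HMAC-SHA256) for every record and a digest over the table of digests, so an audit can name exactly which records changed. The record store, the audit key and the single altered record are all constructed for the demonstration.

```python
"""Detecting small, silent alterations in seldom-referenced data.

Added example (not from the NRC report). Every record gets a keyed digest
(HMAC-SHA256) and the table of digests gets a digest of its own, so an audit
can name exactly which records changed even if nobody has read them in
months. Records, audit key and the tampering below are all constructed.
"""
import hashlib
import hmac
import json


def canonical(obj) -> bytes:
    """Deterministic serialization so the digest does not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_tag(key: bytes, record_id: str, record: dict) -> str:
    # The record id is bound into the tag so that a valid record copied over
    # another record's slot is still reported as altered.
    msg = record_id.encode() + b"\x00" + canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_manifest(key: bytes, records: dict) -> dict:
    """Snapshot taken when the data is known good (e.g., right after an audit)."""
    tags = {rid: record_tag(key, rid, rec) for rid, rec in records.items()}
    manifest_tag = hmac.new(key, canonical(tags), hashlib.sha256).hexdigest()
    return {"tags": tags, "manifest_tag": manifest_tag}


def verify_integrity(key: bytes, records: dict, manifest: dict) -> dict:
    """Compare the live data against the snapshot and report every discrepancy."""
    tags = manifest["tags"]
    expected = hmac.new(key, canonical(tags), hashlib.sha256).hexdigest()
    altered = [
        rid for rid, rec in sorted(records.items())
        if rid in tags and not hmac.compare_digest(tags[rid], record_tag(key, rid, rec))
    ]
    return {
        # False means the tag table itself was edited by someone without the key.
        "manifest_ok": hmac.compare_digest(expected, manifest["manifest_tag"]),
        "altered": altered,
        "missing": sorted(set(tags) - set(records)),
        "unexpected": sorted(set(records) - set(tags)),
    }


# ---- constructed demonstration -------------------------------------------
AUDIT_KEY = b"constructed-audit-key-held-by-the-auditor-not-the-database"


def make_records(n: int = 10_000) -> dict:
    """A constructed table of account rows, most of which are never read."""
    return {
        f"acct-{i:05d}": {"owner": f"user{i}", "balance_cents": 100 * i, "status": "active"}
        for i in range(n)
    }


def demo() -> dict:
    records = make_records()
    manifest = build_manifest(AUDIT_KEY, records)
    # Silent corruption: one row in ten thousand changed by one cent.
    records["acct-04242"]["balance_cents"] += 1
    # The tamperer also overwrites the stored tag for that row, but lacks AUDIT_KEY.
    manifest["tags"]["acct-04242"] = "0" * 64
    return verify_integrity(AUDIT_KEY, records, manifest)


if __name__ == "__main__":
    print(demo())
```

A keyed digest is used rather than a plain hash because whoever can alter the data can usually recompute a plain hash over it; keeping the key with the auditor rather than on the data store means that an alteration which also rewrites the stored tag still fails the manifest check. The check detects corruption after the fact; it does not prevent it, and the manifest itself must be kept where the same tamperer cannot regenerate it.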
Denial of service, corruption, and compromise are not independent—for example, an attacker could render a system unavailable by compromising it.

An attacker could seek to inflict such damage in several ways.

An attack can be remote—one that comes in “through the wires,” for example, as a virus or a Trojan horse program introduced via e-mail or other communication or as a denial-of-service attack over a network connection. As a general rule, remote attacks are much less expensive, much less risky, and much easier to conduct than are the second and third types listed below.

Some IT element may be physically destroyed (e.g., a critical data center or communications link could be blown up) or compromised (e.g., IT hardware could be surreptitiously modified in the distribution chain). Such attacks generally require close access (i.e., requiring physical proximity).

A trusted insider may be compromised or may be untrustworthy in the first place (such a person, for instance, may sell passwords that permit outsiders to gain entry); such insiders may also be conduits for hostile software or hardware modifications that can be inserted at any point in the supply chain, from initial fabrication, to delivery to the end user. Compromising a trusted insider can be accomplished remotely or locally. Not all compromises are the result of insider malice; phishing attacks are one example of how a trusted insider can be tricked into providing sensitive information.

Of course, these three ways of causing damage are not mutually exclusive, and in practice they can be combined to produce even more destructive effects than any one way alone. Additionally, attackers can easily “pre-position” vulnerabilities to facilitate the timing of later attacks. This pre-positioning could be in the form of trap doors left behind from previous virus infections, unintentional design vulnerabilities,1 or compromised code left by a compromised staff member or by a break-in to the developer’s site.2

1 An example is the recent episode during which Sony’s BMG Music Entertainment surreptitiously distributed software on audio compact discs (CDs) that was automatically installed on any computers that played the CDs. This software was intended to block the copying of the CD, but it had the unintentional side effect of opening security vulnerabilities that could be exploited by other malicious software such as worms or viruses. See Iain Thomson and Tom Sanders, “Virus Writers Exploit Sony DRM,” vnunet.com, November 10, 2005; available at http://www.vnunet.com/vnunet/news/2145874/virus-writers-exploit-sony-drm.

2 P.A. Karger and R.R. Schell, Multics Security Evaluation: Vulnerability Analysis, ESD-TR-74-193, Vol. II, June 1974, HQ Electronic Systems Division, Hanscom Air Force Base; available at http://csrc.nist.gov/publications/history/karg74.pdf.

2.3
SYSTEMS AND NETWORKS AT RISK

What IT systems and networks are at risk? Key elements of information technology fall into three major categories: the Internet; embedded/real-time computing (e.g., avionics systems for aircraft control; air traffic control; Supervisory Control and Data Acquisition [SCADA] systems controlling the distribution of electricity, gas, and water; the switching systems of the conventional telecommunications infrastructure; bank teller machine networks; floodgates); and dedicated computing devices (e.g., desktop computers). Each of these elements plays a different role in national life, and each is subject to different kinds of attack.

2.3.1 Attacks on the Internet

The infrastructure of the Internet is a possible target, and given the Internet’s public prominence and ubiquity, it may appeal to terrorists or criminals as an attractive target. The Internet can be attacked in two (not mutually exclusive) ways—physically or “through the wires.”

Physical attacks might destroy one or a few parts of the Internet infrastructure. But the Internet is a densely connected network of networks that automatically routes around portions that become unavailable,3 which means that a large number of important nodes would have to be destroyed simultaneously to bring it down for an extended period of time. Destruction of some key Internet nodes could result in reduced network capacity and slow traffic across the Internet, but the ease with which Internet communications can be rerouted would minimize the long-term damage.4

3 National Research Council. 2001. The Internet’s Coming of Age. National Academy Press, Washington, D.C. Note, however, that the amount of redundancy is limited primarily by economic factors.

4 This comment applies largely to U.S. use of the Internet. It is entirely possible that other nations—whose traffic is often physically routed through one or two locations in the United States—would fare much worse in this scenario. See National Research Council. 2003. The Internet Under Crisis Conditions: Learning from September 11. The National Academies Press, Washington, D.C.

An attack that comes through the wires rather than via physical attack can have much higher leverage. The Internet crosses borders and its reach is extended throughout the globe. But the global Internet was not designed to operate in a hostile environment where information systems and networks can be attacked from inside. Indeed, it is an unfortunate result of Internet history that the protocols used by the Internet today are derived from the protocols that were developed in the early days of the Advanced Research Projects Agency Network, where there were only a few well-respected researchers using the infrastructure, and they were trusted to do no harm. Consequently, security considerations were not built in to the Internet, which means that all cybersecurity measures taken today to protect the Internet are add-on measures that do not remedy the underlying security deficiencies.

One type of attack is directed against Internet operations. Such attacks are often based on self-replicating programs (worms and viruses) that are transmitted from system to system, consuming prodigious amounts of router processing time and network channel bandwidth. In recent years, some of these worms and viruses have been transmitted without explicitly destructive payloads and yet have been able to disrupt key Internet backbone subnetworks for several days. Another kind of attack on Internet operations seeks to corrupt the routing tables that determine how a packet should travel through the Internet. In both cases, the intent of the attack is to reduce the normally expected functionality of the Internet for some significant portion of its users—that is, it is a denial-of-service attack in intent, although not one necessarily based on flooding traffic.

An attacker might also target the Internet’s Domain Name System (DNS), which translates domain names (e.g., “example.com”) to specific Internet Protocol (IP) addresses (e.g., 123.231.0.67) denoting specific Internet nodes. A relatively small number of “root name servers” underpins the DNS. Although the DNS is designed to provide redundancy in case of accidental failure, it has some vulnerability to an attack that might target all name servers simultaneously. Although Internet operations would not halt instantly, an increasing number of sites would, over a period of time measured in hours to days, become inaccessible without root name servers to provide authoritative translation information. Physical replacement of damaged servers would be achievable in a matter of days, but changing the IP addresses of the root name servers and promulgating the new IP addresses throughout the Internet—a likely necessary step if the name servers are being attacked repetitively in an automated fashion—would be much more problematic.5

5 National Research Council. 2005. Signposts in Cyberspace: The Domain Name System and Internet Navigation. The National Academies Press, Washington, D.C.

A through-the-wires attack is possible because of Internet-enabled interconnection. Thus, a hostile party using an Internet-connected computer 10,000 miles away can launch an attack against an Internet-connected computer in the United States just as easily as if the attacker were next door. Criminals and adversaries located all over the globe may nonetheless communicate and partly coordinate their activities through the network, without ever having to meet or cross national boundaries, especially in countries where they can operate without a serious fear of surveillance or aided by insider accomplices. By contrast, the planet is a world of sovereign nation-states, with different laws and regulations governing computer activities—a point that makes traditional responses of military retaliation or criminal prosecution much more problematic.

Dependence on the Internet for the performance of core business functions is increasingly a fact of life for a growing number of businesses and government agencies, as well as citizens in private life. It is obvious that a disruption to the Internet would be a major disruption to an electronic commerce company such as Amazon.com. But what is less obvious is that in the last couple of years, many large companies have come to depend on the Internet and other networks running Internet protocols for internal voice and data communications and other key functions—and these trends will only accelerate in the future as pressures for cost reduction grow. A good example is the fact that Voice-Over-IP (VOIP) connections are increasingly replacing conventional telephony. Thus, it is only a matter of a relatively short time before today’s independence of voice communications from the Internet no longer exists to any significant degree—and this will be true for business, government, and the general civilian population.

Finally, it is an unfortunate fact of life today that in many cases, when a system or a network connected to the Internet is under attack, the only feasible protective action is to disconnect from the Internet. Such an action may eliminate the attack (unless a rogue program has been successfully inserted into the targeted system or network before the connection is cut), but it also renders the attack maximally successful in a certain sense, since now for all practical purposes the disconnected system or network does not exist on the Internet.

2.3.2 Attacks on Embedded/Real-Time Computing and Control Systems

Embedded/real-time computing in specific systems could also be attacked. For example, many embedded computing systems could be corrupted over time or be deployed with hidden vulnerabilities.6 Of particular concern could be avionics in airplanes, collision-avoidance systems in automobiles, and other transportation systems. Such attacks would require a significant insider presence in technically responsible positions in key sectors of the economy, likely but not necessarily over long periods of time. Another example is that sensors, which can be important elements of counterterrorism or anticrime precautions, could be the target of an attack or, more likely, precursor targets of a terrorist or criminal attack.

Another possible attack on embedded/real-time computing would be an attack on the systems controlling elements of the nation’s critical infrastructure—for example, the electric power grid, the air traffic control system, the railroad infrastructure, water purification and delivery, or telephony. For example, attacks on the systems and networks that control and manage elements of the nation’s transportation infrastructure could introduce chaos and disruption on a large scale that could drastically reduce the capability of transporting people and/or freight (including food and fuel).

6 An inadvertent demonstration of this possibility was illustrated with the year-2000 (Y2K) problem that was overlooked in many embedded/real-time systems designed in the 1980s and earlier.

To illustrate, electric generation plants are controlled by a variety of IT-based SCADA systems. Attacks on these SCADA systems could obviously result in local disruptions in the supply of electrical power. But two other scenarios are more problematic. The electric power distribution grid, also controlled by IT-based SCADA systems and being necessary for electric power generated in one location to be useful in another location hundreds of miles away, is also a conduit through which a failure in one location can cascade to catastrophic proportions before the local failure can be dealt with.7 (In this context, the distribution grid includes both the transmission lines that carry electricity and their control channels.) In addition, because SCADA systems are used to control physical elements of the grid, attacks on SCADA systems can also result in irreversible physical damage to unique equipment that may require many months to replace. Although causing such consequences requires inside or expert knowledge rather than just random attacks, the consequences are severe in terms of economic damage to the country.

Similar concerns arise with conventional telecommunications and the financial system (including the Federal Reserve banking system, which is a system for handling large-value financial transactions, and a second system for handling small-value retail transactions [including the Automated Clearing House, the credit-card system, and paper checks]). Although these systems are also largely independent of the public Internet, they are utterly dependent on computers, and thus they are subject to a variety of security vulnerabilities that do not depend on Internet connectivity.

2.3.3 Attacks on Dedicated Computing Facilities

In many of the same ways that embedded computing could be attacked, dedicated computers such as desktop computers could also be corrupted in ways that are hard to detect.
One possible channel comes from the use of untrustworthy IT talent by software vendors.8 The concern is that once working on the inside, these individuals would be able to introduce additional but unauthorized functionality into systems that are widely used. Under such circumstances, the target might not be just any desktop computer (e.g., any computer used in the offices around the country) but rather the desktop computers in particular sensitive offices or in critical operational software used in corporate or government computer centers (e.g., a major bank or the classified and unclassified systems of the Department of Defense).

7 For example, the cause of the blackout of August 2003—lasting 4 days and affecting 50 million people in large portions of the midwestern and northeastern United States and Ontario, Canada—was traced to a sequence of cascading failures initiated by the shutdown of a single 345 kV transmission line. Admittedly, the grid was in a stressed state in northeastern Ohio when this occurred, but the grid often faces such stress during heat waves and storms. See U.S.-Canada Power System Outage Task Force, Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations, April 2004; available at https://reports.energy.gov/BlackoutFinal-Web.pdf.

8 Although security concerns are often raised about the offshoring of IT development, untrustworthy talent may be foreign or domestic in origin. Foreign IT workers—whether working in the United States (e.g., under an H1-B visa or a green card) or offshore on outsourced work—are generally not subject to thorough background investigations; therefore, an obvious route is available through which foreign terrorist organizations can gain insider access. Reports of American citizens having been successfully recruited by foreign terrorist organizations add a degree of believability to the scenario of domestic IT talent’s being used to compromise systems for terrorist purposes.

Another possible channel for attacking dedicated computing facilities results from the connection of computers through the Internet; such connections provide a potential route through which terrorists or criminal organizations might attack computer systems that do provide important functionality for many sectors of the economy. Examples of widely used Internet-based vectors that, if compromised, would have a large-scale effect in a short time include appealing Web pages and certain shareware programs, such as those for sharing music files. An appealing Web page might attract many viewers in a short period of time, and viewers could be compromised simply by viewing the page. Shareware programs might contain viruses or other “malware.” In principle, channels for distributing operating systems upgrades could be corrupted as well, but because of their critical nature, these channels are in general much more resistant to security compromise.

It is likely that Internet-connected computer systems that provide critical functionality to companies and organizations are better protected through firewalls and other security measures than is the average system on the Internet. Nevertheless, as press reports in recent years make clear, such measures do not guarantee that these large systems are immune to the hostile actions of outsiders.9

9 For example, the Slammer worm attack reportedly resulted in a severe degradation of the Bank of America’s automatic teller machine network in January 2003. See Aaron Davis, “Computer Worm Snarls Web: Electronic Attack Also Affects Phone Service, BOFA’s ATM Network,” San Jose Mercury News, January 26, 2003; available at http://www.bayarea.com/mld/mercurynews/5034748.htm+atm+slammer+virus&hl=en.

2.4
POTENTIAL CONSEQUENCES OF EXPLOITS

The possible consequences of successful exploits of cyber vulnerabilities cover a broad spectrum, from causing annoyance to an individual to causing catastrophic consequences for society. It is, of course, possible that the existence of a vulnerability—even if widespread—will not lead to disaster (see Box 2.1), but making this possibility the basis for an effective cybersecurity response is clearly not a sensible thing to do today.

If a virus attacks a home computer and erases all of the files on it, the consequences range from mere annoyance to emotional trauma (e.g., if irreplaceable pictures were stored). If the user had made a recent backup, the hassle factor involved in recovering the files may be only a matter of an hour or two—though removing the virus may be more involved than that. If the “home” computer involved belongs to a small business, critical business records could be lost.

If a cybersecurity breach enables a hostile party to impersonate an individual, the result may be highly problematic for the individual. Victims of identity theft suffer for years under a cloud of uncertainty about their finances and credit records even as they try to clear their records.10 No one dies because someone has impersonated him or her, although the compromise of personal information such as home addresses can certainly lead to serious harm.11 If the identities of many individuals are compromised and identity theft results, serious economic losses to financial institutions may occur.12

If consumers are not confident of online security, they will be more reluctant to engage in online activities and electronic commerce. For example, the Gartner Group estimated that $1.9 billion in e-commerce sales would not occur in 2006 because of consumer concerns about the security of the Internet.13

If a company’s trade secrets or confidential business plans are compromised, its viability as a business entity may be placed at risk (most likely if it is a small company) or its competitiveness in the marketplace reduced. Millions of dollars might be lost, but people rarely die from the theft of trade secrets.

10 The term “identity,” as used in “identity theft,” is somewhat misleading in this context. Some observers point out that in a deep philosophical sense, an individual’s identity is inextricably associated with that individual. They thus suggest that a more precise term may be “credential theft” or “theft of personal information,” either of which allows the possessor of the credential or personal information to impersonate the individual to whom that credential refers or with whom that personal information is associated. However, customary usage refers to “identity theft,” and in the interests of clarity for the reader, this report continues that usage.

11 In 1989, actress Rebecca Schaeffer was stalked and murdered by a fan who allegedly retrieved her name and address from the California motor vehicle department. Her death inspired the passage of the federal Driver’s Privacy Protection Act of 1994, 18 U.S.C. 2721.

12 Gartner Press Release, “Gartner Says Number of Phishing E-Mails Sent to U.S. Adults Nearly Doubles in Just Two Years,” November 9, 2006; available at http://www.gartner.com/it/page.jsp?id=498245.

13 Gartner Press Release, “Gartner Says Nearly $2 Billion Lost in E-Commerce Sales in 2006 Due to Security Concerns of U.S. Adults,” November 27, 2006; available at http://www.gartner.com/it/page.jsp?id=498974.

If the fly-by-wire controls of a modern passenger airplane are compromised, the pilot might lose control and be unable to land safely. Hundreds of lives aboard the plane may be placed at risk.

If the computer systems controlling the operation of a railroad are compromised, extensive physical damage may be caused in train crashes.

If electronic medical records are compromised by the unauthorized alteration of data, medical and pharmaceutical decisions that rely on the integrity of those data are placed at risk, and improper treatment may result. If these alterations are not detected, thousands of lives may be placed at risk.

If the Department of Defense’s logistics systems are compromised, large-scale military deployments could become quite difficult or impossible to conduct in a timely manner.

If the communications systems used by emergency responders in a city are compromised so that communications capabilities are greatly diminished, police, fire, and medical personnel would be crippled in responding to emergencies.

If the computerized controls for an industrial plant are compromised, an adversary might be able to cause a major industrial accident. For example, if a chemical plant near a major metropolitan area were involved, a Bhopal-like accident might occur.

If the electric power grid is compromised and attackers are able to cause blackouts over a wide area, public safety may be endangered through collateral consequences, such as rioting and looting. Widespread blackouts that last for more than a few days—entirely possible if the appropriate attack strategy is used—go beyond mere nuisance and begin to threaten economic livelihoods and personal health and safety on a large scale.

Even worse, the latter scenarios cannot be considered in isolation.
Indeed, if launched as part of a broader terrorist attack, they might be accompanied by physical “kinetic” attacks on vital national interests, either domestically or abroad. Cyberattacks conducted as part of a multi-pronged attack scenario that also includes physical attacks, rather than cyberattacks alone, could have the most catastrophic consequences.14 For example, cyberattacks conducted as part of a larger scenario could result in greater opportunity to widen the damage of a physical attack (e.g., by providing false information that drives people toward, rather than away

14 National Research Council. 2003. Information Technology for Counterterrorism: Immediate Actions and Future Possibilities. The National Academies Press, Washington, D.C.

OCR for page 19
BOX 2.3 On Botnets

Botnets (also known as zombie-nets) are collections of compromised computers that are remotely controlled by a malevolent party. A compromised computer is connected to the Internet, usually with an “always-on” broadband connection, and is running software introduced by the malevolent party. Malevolent software can be introduced through a number of channels; they include clicking on a link that takes the user to a certain Web page, downloading an attachment that executes a program, forcing entry into a computer through an unprotected port (e.g., one typically used for file sharing across the Internet), and so on. Using up-to-date security software such as antivirus programs and firewalls helps to reduce the threat of such “malware,” but today most personal computers—even protected ones—are at least somewhat vulnerable to such threats.

An individual compromised computer (a zombie or a bot) can be used for many purposes, but the threat from botnets arises from the sheer number of computers that a single malevolent party can control—often tens of thousands and as many as a million. (Note also that an individual unprotected computer may be part of multiple botnets as the result of multiple compromises.) When the zombied computers are connected to the Internet through broadband connections, the aggregate bandwidth of the botnets is enormous (e.g., a small botnet of 1,000 zombies times a 300 kilobit Digital Subscriber Line connection is 300 megabits per second). A further property of botnets is that they can be controlled remotely by an adversary, which means that the apparent perpetrator of a hostile act is a zombie computer—making it difficult to trace a hostile act to its initiator. Indeed, an adversary may be located in a nation other than the home country of the zombies.

Typically, an adversary builds a botnet by finding a few machines to compromise. The first hostile action that these initial zombies take is to find other machines to compromise—a task that can be undertaken in an automatic manner. But botnets are capable of undertaking a variety of other actions that have significant impact on the botnet operator’s target(s). For example, botnets can be used to conduct the following actions:

Distributed denial-of-service attacks. A denial-of-service attack on a target renders the target’s computer resources unavailable to service legitimate requests by requesting service itself and blocking others from using those resources. But if these requests for service come from a single source, it is easy to simply drop all service requests from that source. However, a distributed denial-of-service attack can flood the target with multiple requests from many different machines, each of which might, in principle, be a legitimate requester of service.

Spam attacks. Botnets can be used to send enormous amounts of spam e-mail. Since spam is illegal in many venues and is regarded as antisocial by most, it is in a spammer’s interest to hide his or her identity. Some botnets also search for e-mail addresses in many different locations.

Traffic-sniffing attacks and key-logging. A zombie can examine clear-text data passing by or through it. Such data might be sensitive information such as usernames and passwords, and it might be contained in data packets or in various input channels, such as the keyboard channel.

Click fraud. A great deal of advertising revenue comes from individuals clicking on ads. A botnet can easily be used to generate a large volume of clicks on ads that do not correspond to any individual’s legitimate interest in those ads. Further, because each zombie appears to be legitimate, it is difficult for the party being defrauded to know that a botnet is being used to perpetrate click fraud.

Probes. It is widely reported that only a few minutes elapse between the instant that a computer attaches to the Internet and the time that it is probed for vulnerabilities and possibly compromised itself. Without botnets in operation, finding open and vulnerable machines would be a much more difficult process.

Acting as hosts for information exfiltration. Botnets could be used as recipients of clandestinely gathered information—a kind of “dead drop” for Trojan horses planted to gather information secretly that mask the ultimate destination of such information.

Botnets would be (and are) a logical vehicle of choice for many malevolent parties. Botnets can be dormant for a long time before being activated. Once activated, the botnet owner or operator can stay in the background, unidentified and far away from any action, while the individual bots—mostly belonging to innocent parties—are the ones that are visible to the party under attack. And botnets are highly flexible, capable of being upgraded on the fly just like any other piece of software. Thus, it is not surprising to see that botnets can be used as the basis of an underground service to unethical end users. A botnet owner could rent the botnet to Party A to send spam, Party B to extort money from an online business, and Party C to sniff traffic and collect online identification credentials. A typical price might be “$0.50 per zombie per hour of use.” Today, it is known that botnets are used for criminal purposes such as cyber-extortion, but the extent to which they are used by terrorists or adversary nations is unknown.

SOURCE: Adapted in part from Honeynet Project and Research Alliance, “Know Your Enemy: Tracking Botnets,” March 13, 2005; available at http://www.honeynet.org.

ingly pervasive and embedded in all manner of devices. These embedded computers are themselves likely to be in communication with one another when they are in range (with all of the security issues that such communication implies). They are also likely to be much larger in number: an ordinary room at home could conceivably contain tens or hundreds of such devices. These developments—pervasive computing and adaptive (dynamic) ubiquitous networked systems—will call for the development of new security models and architectures.

If continued expansion of the use and benefits of IT is to be realized, the information technology systems and networks must be adequately protected. Otherwise, individuals and organizations throughout society will deem it unacceptably risky to increase their reliance on insecure technologies. Even today, cybersecurity issues have not been addressed adequately, and individuals and organizations throughout society find themselves under an increasingly dark and threatening cloud. In short, cybersecurity is increasingly important, both as a pillar of today’s critical computing and communications applications and as an enabler of future advances in computing and information technology.

2.6.2 The Broad Range of Capabilities and Goals of Cyberattackers

The committee believes that a very broad spectrum of actors, ranging from lone hackers at one extreme to major nation-states at the other, pose security risks to the nation’s information technology infrastructure. Organized crime (e.g., drug cartels) and transnational terrorists (and terrorist organizations, some of them state-sponsored) occupy a region between these two extremes, but they are closer to the nation-state than to the lone hacker.34 Attackers have a range of motivations. Some are motivated by curiosity. Some are motivated by the desire to penetrate or vandalize for the thrill of it, others by the desire to steal or profit from their actions. And still others are motivated by ideological or nationalistic reasons.

Today, the most salient cybersecurity threat emanates from hackers and criminals, although there is growing realization that organized crime is seeing increasing value in exploiting and targeting cyberspace. Thus, most cybersecurity efforts taken across the nation in all sectors—both in research and in deployment—are oriented toward defending against these low- and mid-level threats. Much more work remains to be done to address even these lower-level threats. The state of security practice today is such that even casual attackers can find many vulnerabilities to exploit.
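Box 2.3 above observes that a flood from a single source can simply be dropped by source address, whereas a distributed flood spreads its requests over many machines that each look like a legitimate requester. The detection logic below is added here as an illustration (it is not code from the report or from the Honeynet Project) and runs both cases over constructed access-log lines; the log format, the thresholds and the addresses are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Hypothetical combined-log line format, constructed for this example:
# 198.51.100.1 - - [13/Mar/2005:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed thresholds; a real deployment derives them from measured traffic.
PER_SOURCE_LIMIT = 20  # requests/second one client may reasonably make
BASELINE_RPS = 10      # normal aggregate request rate of this service
SURGE_FACTOR = 5       # aggregate rate this many times baseline is a flood...
MIN_DISTINCT = 25      # ...provided it is spread over at least this many sources


def parse_line(line):
    """Return (epoch_second, source_address), or None for an unparsable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    stamp = datetime.strptime(m.group(2), TIME_FMT)
    return int(stamp.timestamp()), m.group(1)


def bucket_by_second(lines):
    """Map each second to a Counter of requests per source address."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            second, src = parsed
            buckets[second][src] += 1
    return buckets


def classify(counter):
    """Classify one second of traffic; returns (verdict, sources_to_block).

    'single-source': one or more addresses exceed PER_SOURCE_LIMIT, so
        dropping by address works (the easy case described in Box 2.3).
    'distributed': no address stands out, yet the aggregate rate is far
        above baseline and spread over many addresses; blocking by address
        would hit nothing, so the aggregate surge itself is the signal.
    """
    total = sum(counter.values())
    hot = sorted(src for src, n in counter.items() if n > PER_SOURCE_LIMIT)
    if hot:
        return "single-source", hot
    if total > SURGE_FACTOR * BASELINE_RPS and len(counter) >= MIN_DISTINCT:
        return "distributed", []
    return "normal", []


def analyze(lines):
    """Return [(second, verdict, sources_to_block), ...] in time order."""
    buckets = bucket_by_second(lines)
    return [(second,) + classify(buckets[second]) for second in sorted(buckets)]


def make_log(start, per_second):
    """Build constructed log lines: per_second holds one dict per successive
    second, mapping source address -> number of requests in that second."""
    lines = []
    for offset, sources in enumerate(per_second):
        when = datetime.fromtimestamp(start + offset, tz=timezone.utc)
        stamp = when.strftime(TIME_FMT)
        for src, n in sources.items():
            lines.extend([f'{src} - - [{stamp}] "GET /index.html HTTP/1.1" 200 512'] * n)
    return lines


# Constructed traffic using documentation address ranges, not real hosts.
START = 1110708000                                        # 13 Mar 2005 10:00:00 UTC
NORMAL = {f"198.51.100.{i}": 2 for i in range(1, 5)}      # 4 clients, 8 req/s in total
SINGLE = {**NORMAL, "203.0.113.9": 60}                    # one address floods
DISTRIBUTED = {f"192.0.2.{i}": 3 for i in range(1, 41)}   # 40 bots at 3 req/s = 120 req/s
SAMPLE_LOG = make_log(START, [NORMAL, SINGLE, DISTRIBUTED])

if __name__ == "__main__":
    for second, verdict, block in analyze(SAMPLE_LOG):
        print(second, verdict, block)
```

The distributed second triggers only because the aggregate rate is compared against a known baseline; with per-address limits alone, 40 bots at 3 requests per second would pass unnoticed.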
34 In certain ways, it could be argued that organized crime constitutes a more potent threat than many nation-states do. One reason is that the resources available to organized crime syndicates for supporting cyberthreat activities may exceed those available to a nation-state. A second reason is that the operations of nation-states are often constrained within a bureaucratic context that may be more cumbersome than in a syndicate.

The deployment of even quite unsophisticated cybersecurity measures can make a difference against casual attackers. Thus, the cybersecurity posture of the nation could be strengthened if individuals and organizations collectively adopted “best practices” that are known to improve cybersecurity. The research and development (R&D) activities addressed in much of this report will ultimately lead to significant progress against these low- to mid-level threats. However, against the high-end attacker, efforts oriented toward countering the casual attacker or even the common cybercriminal amount to little more than speed bumps. The reason is that the high-end cyberthreat, as described below, is qualitatively different from other threats.

First and foremost, high-end actors usually have enormous resources. Major nation-states, for example, are financed by national treasuries; they can exploit the talents of some of the smartest and most motivated individuals in their national populations; they often have the luxury of time to plan and execute attacks; and they can draw on all of the other resources available to the national government, such as national intelligence, military, and law enforcement services. Organized crime syndicates, such as drug cartels, may operate hand in hand with some governments; when operating without government cooperation, their human and financial resources may not be at the level available to governments, but they are nevertheless quite formidable. State-sponsored terrorist groups by definition obtain significant resources from their state sponsors. As a result, the high-end cyberattacker can be relatively profligate in executing its attack and in particular can target vulnerabilities at any point in the IT supply chain from hardware fabrication to user actions (Box 2.4). In particular, the resources of the high-end cyberattacker facilitate attacks that require physical proximity. For example, a major nation-state threat raises questions about the nations in which it is safe to design software or to manufacture chips.35 The availability of such resources widens the possible target set of high-end attackers. Low- and mid-level attackers often benefit from the ability to gain a small profit from each of many targets.
Spammers and bot harvesters are the best examples of this phenomenon—an individual user or computer is vulnerable in some way to a spammer or a bot harvester, but the spammer or bot harvester profits because many such users or computers are present on the Internet. However, because of the resources available to them, high-end attackers may also be able to target a specific computer or user whose individual compromise would have enormous value (“going after the crown jewels”). In the former case, an attacker confronted with an adequately defended system simply moves on to another system that is not so well defended. In the latter case, the attacker has the resources to escalate the attack to a very high degree—perhaps overwhelmingly so.

35 Defense Science Board. 2005. High Performance Microchip Supply, Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics, Washington, D.C., February; available at http://www.acq.osd.mil/dsb/reports/2005-02-HPMS_Report_Final.pdf.

BOX 2.4 Possible Points of Vulnerability in Information Technology Systems and Networks

An information technology system or network has many places where an operationally exploitable vulnerability can be found; in principle, a completely justifiable trust in the system can be found only in environments that are completely under the control of the party who cares most about the security of the system. As discussed here, the environment consists of many things—all of which must be under the interested party’s control.

The software is the most obvious set of vulnerabilities. In a running operating system or application, exploitable vulnerabilities may be present as the result of faulty program design or implementation, and viruses or worms may be introduced when the system or network comes in electronic contact with a hostile source. But there are more subtle paths by which vulnerabilities can be introduced as well. For example, compilers are used to generate object code from source code. The compiler itself must be secure, for it could introduce object code that subversively and subtly modifies the functionality represented in the source code. A particular sequence of instructions could exploit an obscure and poorly known characteristic of hardware functioning, which means that programmers well versed in minute behavioral details of the machine on which the code will be running could introduce functionality that would likely go undetected in any review of the code.

The hardware constitutes another set of vulnerabilities, although less attention is usually paid to hardware in this regard. Hardware includes microprocessors, microcontrollers, firmware, circuit boards, power supplies, peripherals such as printers or scanners, storage devices, and communications equipment such as network cards. On the one hand, hardware is physical, so tampering with these components requires physical access at some point in the hardware’s life cycle, which may be difficult to obtain. On the other hand, hardware is difficult to inspect, so hardware compromises are hard to detect. Consider, for example, that graphics display cards often have onboard processors and memory that can support an execution stream entirely separate from that running on a system’s “main” processor. Also, peripheral devices, often with their own microprocessor controllers and programs, can engage in bidirectional communications with their hosts, providing a possible vector for outside influence. And, of course, many systems rely on a field-upgradable read-only memory (ROM) chip to support a boot sequence—and corrupted or compromised ROMs could prove harmful in many situations.

The communications channels between the system or network and the “outside” world present another set of vulnerabilities. In general, a system that does not interact with anyone is secure, but it is also largely useless. Thus, communications of some sort must be established, and those channels can be compromised—for example, by spoofing (an adversary pretends to be the “authorized” system), by jamming (an adversary denies access to anyone else), or by eavesdropping (an adversary obtains information intended to be confidential).

Operators and users present a particularly challenging set of vulnerabilities. Both can be compromised through blackmail or extortion. Or, untrustworthy operators and users can be planted as spies. But users can also be tricked into actions that compromise security. For example, in one recent exploit, a red team used inexpensive universal serial bus (USB) flash drives to penetrate an organization’s security. The red team scattered USB drives in parking lots, smoking areas, and other areas of high traffic. In addition to some innocuous images, each drive was preprogrammed with software that would collect passwords, log-ins, and machine-specific information from the user’s computer, and then e-mail the findings to the red team. Because many systems support an “auto-run” feature for insertable media (i.e., when the medium is inserted, the system automatically runs a program named “autorun.exe” on the medium) and the feature is often turned on, the red team was notified as soon as the drive was inserted. The result: 75 percent of the USB drives distributed were inserted into a computer.

Given the holistic nature of security, it is also worth noting that vulnerabilities can be introduced at every point in the supply chain: that is, systems (and their components) can be attacked in design, development, testing, production, distribution, installation, configuration, maintenance, and operation. On the way to a customer, a set of CD-ROMs may be intercepted and a different set introduced in its place; extra functionality might be introduced during chip fabrication or motherboard assembly; a default security configuration might be left in an insecure state—and the list goes on. Given the dependence of security on all of these elements in the supply chain, it is not unreasonable to think of security as an emergent property of a system, as its architecture is implemented, its code instantiated, and as the system itself is embedded in a human and an organizational context. In practice, this means that the actual vulnerabilities that a system must resist are specific to that particular system embedded in its particular context. This fact should not discourage the development of generic building blocks for security that might be assembled in a system-specific way, but it does mean that an adversary could attack many possible targets in its quest to compromise a system or a network.

SOURCES: Information on compilers based on Ken Thompson, “Reflections on Trusting Trust,” Communications of the ACM, 27(8): 761-763, August 1984. See also P.A. Karger and R.R. Schell, “Thirty Years Later: Lessons from the Multics Security Evaluation,” pp. 119-126 in Proceedings of the 18th Annual Computer Security Applications Conference, December 9-13, 2002, Las Vegas, Nev.: IEEE Computer Society. Available at http://www.acsa-admin.org/2002/papers/classic-multics.pdf. Information on USB drive: See Steve Stasiukonis, “Social Engineering, the USB Way,” Dark Reading, June 7, 2006. Available at http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1. Information on chip fabrication based on Defense Science Board, High Performance Microchip Supply, Department of Defense, February 2005; available at http://www.acq.osd.mil/dsb/reports/2005-02-HPMS_Report_Final.pdf.

It is also the case that the resources available to an adversary—especially high-end adversaries—are not static. This means that for a sufficiently valuable target, a high-end adversary may well be able to deploy additional resources in its continuing attack if its initial attacks fail. In other words, capabilities that are infeasible for an adversary today may become feasible tomorrow. This point suggests that systems in actual deployment must continually evolve and upgrade their security.

A corollary issue is the value of risk management in such an environment. If indeed an adversary has the resources to increase the sophistication of its attack and the motivation to keep trying even after many initial attempts fail, it raises the question of whether anything less than perfect security will suffice. This question in turn raises understandable doubts about the philosophy of managing cybersecurity risks that is increasingly prevalent in the commercial world. Yet, doing nothing until perfect security can be deployed is surely a recipe for inaction that leaves one vulnerable to many lower-level threats.

High-end cyberattackers—and especially major nation-state adversaries—are also likely to have the resources that allow them to obtain detailed information about the target system, such as knowledge gained by having access to the source code of the software running on the target or the schematics of the target device or through reverse-engineering. Success in obtaining such information is not guaranteed, of course, but the likelihood of success is clearly an increasing function of the availability of resources. For instance, a country may obtain source code and schematics of a certain vendor’s product because it can require that the vendor make those available to its intelligence agencies as a condition of permitting the vendor to sell products within its borders. Concerns about a high-end cyberattacker surfaced publicly in congressional concerns about the Department of State’s use of computers manufactured in China (Box 2.5). Although there is no public evidence that the nondomestic origin of IT components has ever compromised U.S. interests in any way, there is concern that it might in the future, or that such compromises in the past may have gone undetected.

Second, high-end attackers sometimes do not wish their actions to be discovered. For example, they may hope that their adversaries do not gain a full picture of their own capabilities or do not take defensive actions that might reduce their capabilities in the future.36 (See Box 2.6.)
In such situations, and unlike a successful hacker who seeks glory and fame in the eyes of his or her peers, the successes of high-end cyberattackers may well never be known outside a very small circle of individuals. A related point is that sophisticated attackers are quite capable of appearing to be less skilled hobbyist-hackers, when in fact they are laying the groundwork for future attacks. Put differently, under such circumstances, it might well be surprising to see actual direct evidence of the high-end attacker, since such evidence would likely be masked. Indirect evidence and inference thus become necessary to make the case that such an attacker even exists, even though such a case is necessarily weaker from an evidentiary standpoint.

36 This is not to say that a high-end attacker would never want to be discovered. In some cases, an attacker may find it desirable to leave some evidence behind so that the damage that an attack causes cannot be attributed to an error or a glitch but instead points to the fact that the attacker is present and is a force to be reckoned with.
BOX 2.5 Foreign Sourcing of Information Technology Used in the United States

In March 2006, the U.S. Department of State announced that it would purchase 16,000 Lenovo computers and related equipment for use throughout the department. (Lenovo, Inc., is the Chinese company to which IBM sold its laptop and desktop personal computer [PC] business in 2005. Lenovo was incorporated in Hong Kong but is currently headquartered in the United States, and is reported to have ties to the Chinese government as well.) About 900 of the 16,000 PCs were designated for use in the network connecting U.S. embassies and consulates. In May 2006, and after objections had been raised in the U.S. Congress concerning the use of computers made by Lenovo in a classified network, the State Department agreed not to use Lenovo computers for such classified work.

The use of computers made by a Chinese company for classified work was bound to raise a number of security concerns. But the State Department–Lenovo incident is symptomatic of a much larger issue. As computers and other information technology (IT) systems are assembled with components manufactured or provided by vendors in many nations, even an “American” computer is not necessarily “Made in the USA” in anything but name. Similar concerns arise with software components or applications that have been designed or coded or are maintained overseas but are being used in the United States. The nations that supply IT components include many—not just China—that might well have an interest in information on U.S. national security or economic matters. In addition, as “American” companies increasingly send some of their work offshore or use foreign citizens in the United States to work on IT, it is easy to see many possible avenues of foreign threat to the integrity of the security of information technology used in the United States.

Of course, the committee also recognizes that threats to the integrity of information technology used by the United States do not emanate from foreign sources alone, and there is no evidence known today that the nondomestic origin of IT components has compromised U.S. interests in any way. But there is concern that compromises might occur in the future, or that such compromises in the past may have gone undetected. (As a saying in the intelligence community goes, “We have never found anything that an adversary has successfully hidden.”)

Third, the high-end cyberattacker is generally indifferent to the form that its path to success takes, as long as that path meets various constraints such as affordability and secrecy. In particular, the high-end cyberattacker will compromise or blackmail a trusted insider to do its bidding or infiltrate a target organization with a trained agent rather than crack a security system if the former is easier to do than the latter. Many hackers are motivated by the fame that they gain from defeating technological security mechanisms (sometimes by social engineering means rather than by technology exploitation).

Fourth, the motivation of a high-end cyberattacker is unambiguously and seriously hostile. For example, a high-end cyberattacker may use IT in an attack as a means to an end and not as an end itself for a high-impact attack, much as the terrorists on September 11, 2001 (9/11), commandeered four airplanes to use as weapons. That is, for a high-end adversary, a cyberattack may be most effective as an amplifier of a physical attack.37

37 National Research Council. 2003. Information Technology for Counterterrorism: Immediate Actions and Future Possibilities. The National Academies Press, Washington, D.C.

BOX 2.6 The Silence of a Successful Cyberattack

Given the existence of systemic vulnerabilities and a party with the capability and intent to exploit them, it is important to consider the motivations of such a party. In particular, it is important to ask why a hostile party with the capability to exploit a vulnerability would not do so.

Consider first an analogous situation in the intelligence community. Say that sensitive and important information about Nation A is gathered by (adversary) Nation B from a well-placed but covert source. Under what circumstances might Nation B refrain from using that information against Nation A? The answer depends on the value that Nation B places on protecting the source of the information versus the value it places on using the information at that time. “Protecting sources and methods” is a task of paramount importance in the intelligence community, because many sources and methods of collecting intelligence would be difficult to replace if their existence became known—and thus, certain types of information are not used simply because their use would inevitably disclose the source.

Similarly, in the shadowy world of cyberthreat and cybersecurity, a hostile party with the capability to exploit a vulnerability might be well advised to wait until the time is right for it to launch an attack. In fact, one might well imagine that such a party would conduct exercises to probe weaknesses and lay the groundwork for an attack, without actually taking overly hostile action. For example, such a party might use a virus that simply replicated itself but did not carry a payload that did any damage at all in order to prove to itself that such an attack is possible in principle. The cybersecurity community knows of incidents (such as rapidly propagating viruses without destructive payloads and the active compromise of many network-connected computers that can be used to launch a variety of distributed attacks) that are consistent with the likely tactics of intelligent hostile parties. And it knows of intelligent parties whose intentions toward the United States are hostile. These factors do not constitute a logical proof of a high-end cyberthreat, but they do underlie the committee’s judgment that the vulnerabilities with which it is concerned are not merely theoretical.

Fifth, as a military strategy (a point relevant mostly to nation-states),
offensive operations in cyberspace—especially against U.S. national interests—may offer considerable advantages for adversaries.38 The United States is, as a nation, far more dependent on information technology than its potential adversaries are, and thus a hostile nation-state might well seek to exploit this asymmetry. Preparations for conducting cyberwarfare can be undertaken with minimal visibility, thus complicating the efforts of the United States to gather intelligence on the scope and nature of potential threats. Finally, in cyberwarfare, the advantages tend to favor attackers over defenders. For these reasons, adversary nation-states are likely to have strong incentives for developing capabilities to exploit weaknesses in the U.S. cybersecurity posture.

How likely is it that a high-end cyberthreat will emerge? Today, it is primarily knowledge of the threat emanating from hobbyists and sophisticated hackers that is widespread and that largely drives present cybersecurity efforts. Losses from these threats are known, though not with any kind of precision, and widespread real-life experience demonstrates their significance to business operations. By contrast, information about the high-end threat emanating from organized crime and hostile nation-states is not easily available. With a lack of specific information, the high-end threat can be easily dismissed by systems owners and operators as one that is hypothetical and undocumented (at least in a public sense); such owners and operators thus might contend that there is an inadequate business case for the further investments that would be needed to counter the high-end threat. However, some analysts, notably those with access to classified information, assert in the strongest possible terms that the high-end cyberthreat is here today, that it is growing, and that the incidents reported publicly only hint at the severity and magnitude of that threat.39 Although the Committee on Improving Cybersecurity Research in the United States itself contained members with varying views on the seriousness or immediacy of the nation-state threat, the committee as a whole concluded that high-level threats—spawned by motivated, sophisticated, and well-resourced adversaries—could increase very quickly on a very short timescale, potentially leading to what some dub a “digital Pearl Harbor” (that is, a catastrophic event whose occurrence can be unambiguously traced to flaws in cybersecurity)—and that the nation’s IT vendors and users (both individual and corporate) would have to respond very quickly if and when such threats emerged. Therefore, a robust research program that addresses both current and future possible threats driven by the high-end threat is necessary to provide the technological underpinnings of such a response. Moreover, it suggests a research agenda that is necessarily broader and deeper than would otherwise be the case if the threat were known with high confidence to be limited to that posed by hackers and ordinary criminals.

38 Military analysts in the People’s Republic of China are known to be considering such matters. See, for example, L. Qiao and X. Wang, Unrestricted Warfare, 1999, PLA Literature and Arts Publishing House, Beijing, People’s Republic of China; available at http://www.terrorism.com/documents/TRC-Analysis/unrestricted.pdf.

39 See, for instance, Bill Gertz, “Chinese Hackers Prompt Navy College Site Closure,” The Washington Times, November 30, 2006, available at http://www.washtimes.com/national/20061130-103049-5042r.htm; Dawn S. Onley and Patience Wait, “Red Storm Rising: DOD’s Efforts to Stave Off Nation-State Cyberattacks Begin with China,” Government Computer News, August 21, 2006, available at http://www.gcn.com/print/25_25/41716-1.html; and Nathan Thornburgh, “Inside the Chinese Hack Attack,” Time, August 25, 2005, available at http://www.time.com/time/nation/article/0,8599,1098371,00.html.