After Stuxnet: The New Rules of Cyberwar

Three years ago, when electric grid operators were starting to talk about the need to protect critical infrastructure from cyberattacks, few utilities had even hired a chief information security officer.

1 2 Page 2
Page 2 of 2

Even basic changes in contract terms would help, says Schmidt. "There's a belief held by me and others in the West Wing that there's nothing to preclude one from writing a contract today that says if you are providing IT services to the government you must have state-of-the-art cybersecurity protections in place. You must have mechanisms in place to notify the government of any intrusions, and you must have the ability to disconnect networks," he says.

But government procurement policy's influence on standards can go only so far. "The government isn't buying turbines" and control systems for critical infrastructure, says Lewis.

When it comes to shutting down attacks, faster reaction times are key, says Bejtlich. "Attackers are always going to find a way in, so you need to have skilled people who can conduct rapid and accurate detection and containment," he says. For high-end threats, he adds, that's the only effective countermeasure. Analysts need high visibility into the host systems, Bejtlich says, and the network and containment should be achieved within one hour of intrusion.

Opening the Kimono

Perhaps the toughest challenge will be creating the policies and fostering the trust required to encourage government and private industry to share what they know more openly. The government not only needs to pass legislation that provides the incentives and protections that critical infrastructure businesses need to share information on cyberthreats, but it also needs to push the law enforcement, military and intelligence communities to open up. For example, if the DOD is planning a cyberattack abroad against a type of critical infrastructure that's also used in the U.S., should information on the weakness being exploited be shared with U.S. companies so they can defend against counterattacks?

"There is a need for American industry to be plugged into some of the most secretive elements of the U.S. government -- people who can advise them in a realistic way of what it is that they need to be concerned about," says Hayden. Risks must be taken on both sides so everyone has a consistent view of the threats and what's going on out there.

One way to do that is to share some classified information with selected representatives from private industry. The House of Representatives recently passed an intelligence bill, the Cyber Intelligence Sharing and Protection Act, which would give security clearance to officials of critical industry operators. But the bill has been widely criticized by privacy groups, which say it's too broad. Given the current political climate, Hayden says he expects the bill to die in the Senate.

Information sharing helps, and standards form a baseline for protection, but ultimately, every critical infrastructure provider must customize and differentiate its security strategy, Amoroso says. "Right now, every business has exactly the same cybersecurity defense, usually dictated by some auditor," he says. But as in football, you can't win using just the standard defense. A good offense will find a way around it. "You've got to mix it up," Amoroso says. "You don't tell the other guys what you're doing."

Cyberdefense Strategies

Should the U.S. Strike Back?

Most best practices on dealing with cyberattacks on critical infrastructure focus on defense: patching vulnerabilities and managing risk. But should the U.S. conduct preemptive strikes against suspected attackers -- or at least hit back?

Gen. Michael Hayden, principal at security consultancy The Chertoff Group, and former director of the NSA and the CIA, says the cybersecurity problem can be understood through the classic risk equation: Risk (R) = threat (T) x vulnerability (V) x consequences (C). "If I can drive any factor down to zero, the risk goes down to zero," he says. So far, most efforts have focused on reducing V, and there's been a shift toward C, with the goal of determining how to rapidly detect an attack, contain the damage and stay online. "But we are only now beginning to wonder, how do I push T down? How do I reduce the threat?" Hayden says. "Do I shoot back?"

The DOD is contemplating the merits of "cross-domain" responses, says James Lewis, senior fellow at the Center for Strategic and International Studies. "We might respond with a missile. That increases the uncertainty for opponents."

Ultimately, countries that launch such attacks will pay a price, says Howard Schmidt, former cybersecurity coordinator and special assistant to the president. The U.S. response could involve economic sanctions -- or it could involve the use of military power.

-- Robert L. Mitchell

Global Threat

Hacking on the Rise

Cyberattackers fall into three primary categories: criminal organizations interested in stealing for monetary gain, hacktivists bent on furthering their own agendas, and foreign governments, or their agents, aiming to steal information or lay the groundwork for later attacks.

The Chinese are the most persistent, with several tiers of groups participating, says Richard Bejtlich, chief security officer at security consultancy Mandiant. Below official state-sponsored attacks are breaches by state militias, quasi-military and quasi-government organizations, and what he calls "patriotic hackers."

"It's almost a career path," says Bejtlich.

There's disagreement on which groups are the most sophisticated or dangerous, but that's not what matters. What matters is that the universe of attackers is expanding and they have ready access to an ever-growing wealth of knowledge about hacking, along with black hat tools helpful in launching attacks. "Over the next five years, low-level actors will get more sophisticated and the Internet [will expand] into areas of the Third World where the rule of law is weaker," says Gen. Michael Hayden, principal at security consultancy The Chertoff Group. "The part of the world responsible for criminal groups such as the Somali pirates is going to get wired."

-- Robert L. Mitchell

Telecoms Deal With Escalating DDoS Threat

Electric grid operators worry about compromised computerized industrial control systems taking them offline. Telecommunications companies worry that a large-scale distributed denial-of-service (DDoS) attack will take out another type of critical infrastructure: the Internet.

Until 2009 or so, AT&T might have seen one major DDoS attack a year, says Edward Amoroso, chief security officer and a senior vice president at the telecommunications giant. Today, Tier 1 Internet service providers find themselves fending off a few dozen attacks at any given moment. "It used to be two guys bailing out the ship. Now we have 40, 50 or 60 people dumping the water out all the time," he says. In fact, attacks have been scaling up to the point where Amoroso says he worries they could potentially flood backbone networks, taking portions of the Internet offline.

It would take just 64,000 PCs infected with a virus similar to Conficker to spew out about 10Gbps of traffic, he says. "Multiply that by four, and you've got 40Gbps, which is the size of most backbones," says Amoroso.

AT&T hasn't yet seen an attack generate enough traffic to flood a backbone, but it may just be a matter of time. "So far no one has pushed that button," he says. "But we need to be prepared."

Telecommunications providers must constantly scramble and innovate to keep ahead. They devise new defense techniques, then those techniques become popular and adversaries figure out new ways to defeat them. "We're going to have to change the mechanisms we now use to stop DDoS [attacks]," he says.

-- Robert L. Mitchell

This story, "After Stuxnet: The New Rules of Cyberwar" was originally published by Computerworld.

Copyright © 2012 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
6 digital transformation success stories