Your Thoughts on Cybersecurity

I am pleased with a recent two-part article on the topic of Network Solutions and SAIC written by Bruce Bigelow and published on Xconomy.com. The first part of the article focuses on Mike Daniels’ role in the acquisition of Network Solutions by SAIC, and the second part of the article is an interview with Mike and me. While you may be familiar with the story, you might also learn something new when you read it. There seems to be some interest in the Network Solutions story, and this is going to be the focus of our new book.

I am also pleased with all the comments that have been posted by readers of my blog in response to my article on cybersecurity. I am concerned, however, that some of you may not have seen these comments. I am therefore posting a selection of them here on my home page so you have a chance to read them. I hope you enjoy them as much as I have.

In other matters, last Thursday I participated in a teleconference with Mike Daniels to discuss the situation on the new book to be written on the history of Network Solutions and its role in commercializing the Internet. On Friday I went sailing with Robert Craig and had a great time.

Here are some of the comments I have received on cybersecurity:

Paul A. Strassmann

There is a common thread that connects all of the reported cyber malfeasance: poorly executed authentication of access privileges.

When I was the CIO of NASA I inspected the information security at the Kennedy Space Center. The precautions that were taken for verifying access to data were not competent. Access privileges were handled loosely by the contractors, who had custody of the data bases, including drawings. There was no way an unauthorized insider could be tracked. NASA did not have the staff or the competence to do anything about that.

The reported incidents about cyber crime feature stories about symptoms. We should also discuss the root causes.

From The Cybersecurity Challenge: Corporate Cybercrime and Government Cybercrime, 2009/07/28 at 2:15

* * *

Dan Bochneak

Bob,

Some of the underlying attributes that are mandated by DoD, government and federal agencies for network communications and computer gear are the result of mandated standards for open source, open architectures, and COTS in the acquisition cycle. Goals include reduced costs and improved interoperability for software and hardware that is developed and manufactured by high-tech corporations whose critical mass of operations and research is significantly concentrated in countries from which cyber exploits not-so-coincidentally originate.

If the variables of cost, cycle-time, interoperability, and forward and backward compatibility are some of the factors that are forcing the U.S. to select technologies that are built upon open source, open architectures, and COTS, might it be probable that such factors similarly reduce the barrier-to-entry for the bad guys to conduct rapid prototyping of potent cyber-threats that possess a high probability to compromise U.S. national interests, or at least keep pace with U.S. developed preemptive capabilities?

It may be probable that some of the forces that are vectoring U.S. cyber-preemption capabilities toward open source, open architectures and COTS technologies are increasing the potency for exploits/cyber-threats toward U.S. interests. America’s adversaries may know our technology as well as we do, and maybe more. Sourcing policy forces commercially available products and subject-matter expertise, upon which we are dependent for IT and network technologies, to many times originate outside of the U.S., thus further exposing the U.S. to the potential of logic bombs, self-modifying code, and backdoors.

Is the cyber security of America’s critical infrastructure improved or eroded by migrating to a smaller set of networks? Does a larger set of networks imply heterogeneity, and does either the number of networks and/or heterogeneity translate to a greater challenge for cyber network attackers? Does a smaller set of networks imply greater homogeneity, and does that translate to increased exposure to cyber threats, especially when the underlying systems are selected based upon cost as derived from the benefits of open source, open architectures, and COTS?

Will the cyber security budget determine and possibly limit the eventual strategy developed and applied by USCYBERCOM to improve America’s cyber defenses?

If cyber threats to America’s critical infrastructure endanger national security, at what price is our national security?

From The Cybersecurity Challenge: Overview, 2009/07/21 at 8:19 AM

* * *

Paul A. Strassmann

Sir:

Your listing of “Five Key Cyberthreats” is insufficient. The INTERNET is, from an engineering standpoint, fundamentally insecure. It was designed (and continues to operate) with protocols that do not give security a priority.

The most critical need is for authentication because the Internet does not allow for end-to-end verification of transactions. Unless both the senders as well as the recipients of messages are authenticated there will always be the danger that anything that is received may not be what it claims to be.

Internet messages are mediated by means of software that operates computerized switches (called “routers”) while messages travel on an indeterminate path from their origin to their destination. The average number of connections to complete any transaction is nine but could be much larger when the network is congested. The Internet should be understood as a web of circuits that connect hundreds of thousands of traffic collectors (Internet Service Providers — ISPs). The ISPs then forward messages through millions of switches (routers) that link over five billion points of contact such as desktops, laptops, cell phones, credit card readers, burglar alarms, teller stations and radio frequency merchandise identity tags.

The insecurity of the Internet is inherent in the ways the routers communicate. The decision to send a message from one router to the next is controlled by the router software that picks one of several possible paths for passing the message in the direction of its ultimate destination. To keep track of which one of the routers has the capacity to transport the traffic, every router keeps in contact with others in the neighborhood. In this way every router becomes a switch that changes every fraction of a second in how it operates.

The most dangerous corruption of the Internet originates from malicious changes to the router software. An attacker can manage to take control and change its logic so that a duplicate message (plus passwords) is routed to wherever a criminal collects intelligence.

Having control of a router is not difficult because a sophisticated attacker can install a copy of the switching software on a computer that masquerades as a legitimate router. There are many ways that a bogus machine can be inserted into the Internet, since the characteristics of the entire network are not traceable. The insertion of a fake router is often done with the collaboration from a trusted insider.

Paul

From The Cybersecurity Challenge: Overview, 2009/07/14 at 7:13 AM

* * *

Steve

Here is what I think is happening in the wild to hack the DNS. The Pirate Bay P2P file sharing site was recently purchased and the new owners intend to pool the resources of its users together to create a “Virtual Supercomputer”.

http://www.businessweek.com/globalbiz/content/jul2009/gb2009071_378545.htm

Over the last couple of years investigating network attacks it seems that covert groups have already successfully utilized this concept of creating a “Virtual Supercomputer” to attack specific targets at will. Mainly hacking the DNS.

It is really interesting to see how they do it. The perpetrators acquire a “Hot” movie that everyone is waiting to download and upload it before anyone else. This creates an immediate surge of downloads on the P2P network. They now have their weapon “locked and loaded” and with the expanded bandwidth can focus their attack against whatever server they want to crack.

It would seem to me that a commercial enterprise could be established to deliver subsidized media, software etc. as a “Loss Leader” providing health care, education, and government services for the public good utilizing a “Key Based” system.

Unless somebody fixes the Education system in the USA there will be no one with the skills to defend against future Cyber Attacks, based on my real world experience. Under Secretary of Defense Gordon England expressed these same concerns in 2006 at the Pentagon.

From The Cybersecurity Challenge: Overview, 2009/07/14 at 6:44 AM

* * *

Bill Marlow

Bob — considering that SAIC, while you were there, was at the forefront of Cybersecurity — both commercially with Global Integrity and in the Government — there is a lot to be learned by looking at the past and what has developed into Cyberwarfare and Cyberterrorism.

It is not just a highly intellectual challenge to break into systems — but it is a combination of IO (Information Operations) and PSYOPS (Psychological Operations). If one can create Fear, Uncertainty and Doubt (FUD) in systems — this can be a very useful tool. Overt attacks such as those from North Korea are usually just covers for other more insidious methods to slip in object level patches or splices to do a lot more than just be a nuisance. What if — the financial industry was plagued and there was a run on banks or there was an attack on the food industry causing bad mixtures or processing. What if the control systems of the electric grid were manipulated. Or traffic signals or hospital monitoring systems or etc, etc, etc.

It is not really about “security” — I know this is unusual coming from me — but it is more about verifiable “trust”. When people look at each other and work together there is a bond of Trust, likewise we need to provide this inherent trust in cyberspace — mobile or internet.

Businesses have not yet figured out the value of trust — Take the rash of USB devices from Major Brands that have recently been shipped new with very sophisticated malware built into the electronics, not just stored in the memory, or the new routers with malware built in. What and who can be trusted?

Intellectually this has always been fascinating. To provide Trust will be a huge challenge that the government can not politically control, but must take positive steps to help including making infrastructure world wide “trustable”.

It is a formidable challenge but nothing is impossible. However, as in all things it is a political football with agencies and companies arguing and jockeying for position.

I provided Mike some thoughts — hope they help.

My Very Best,

Bill

From The Cybersecurity Challenge: Overview, 2009/07/14 at 5:41 AM

* * *

Blake Escudier

Dr. Beyster,

A lot of my research deals with small business owners within Dynamic Environments. Most dynamic environments are created through natural disasters (hurricane, flood, fire) — yet some are created through man-made situations — large scale such as the rapid evolution of computer systems within Asian countries — or economic bubbles and collapses that happen on a relatively rapid pace. Then there are the possible Dynamic Environments created through human caused emergency (terrorist, human accident).

Prior to the 9/11 attack & Hurricane Katrina, the phenomena of large scale disaster was being studied due to the Loma Prieta earthquake and Hurricane Andrew. Yet neither had the situations that created a more widespread environment challenge as 9/11 and Katrina (war and floods).

With the present day dependency on electronic commerce, the open systems theory describes a constant and dynamic relationship between organizational systems and numerous environments. The chaos created within a dynamic environment may be pre-imagined as even Gleick (1987) presented his theory of chaos as sensitive and dependent upon initial conditions. Yet the outcome — or new environment equilibrium can never really be known.

The potential for rapid changes within commercial environments will only become more dangerous as more of the world becomes dependent upon energy driven electronic information systems. (Energy driven is stated due to the very high energy needs for data storage systems).

While there are similar small scale situations that are relative (i.e., 1890 — price of beef goes up when railroads are held up, Delivery of cars are delayed when there is a labor strike at the ball bearing plant) — never before has the world been this tightly connected. Thus the effect will be more global as seen within the recent financial systems reaction to a stoppage of credit markets.

On any given minute would you say there is possibly a half billion people online? When has the world ever been so dependent upon any single human created system?

So — with your presentation of potential security issues and the internet — I think it is just as appropriate to start considering the potential results of these actions.

I’ll always go back to my Boy Scout training — Be Prepared.

Blake

From The Cybersecurity Challenge: Overview, 2009/07/13 at 9:37 PM

* * *

Wesley

The Russian example reminds me of an old oil man’s tale about the US sabotaging the trans-Siberian oil lines with computer code way back in the old times. As the story goes, the Russians were spying on us trying to get their hands on the computer codes to control large oil pipe networks. The US found out and made a trojan-type code and let them steal it. After operating some time the code switched over and made an overpressurized point in the piping and kaboom!! Apparently the explosion was seen from satellite footage and measured with our nuclear weapons testing seismic instrumentation. It supposedly flattened out a large piece of land and created some fierce forest fires.

This cyber security issue is going to go extreme in the nuclear industry. I think it could put a major burden on the utilities to be compliant. It raises endless questions. Will making a programming error be considered a potential act of terrorism?

I am just smelling another boondoggle for money made out of needless and unrealistic fears. It is impossible to fully secure anything, especially the WWW, so why bother trying to do it . . . so people can make money off of “securing” it. Ultimately for nuclear energy it means more expensive energy and in the trickle down screw-the-little-man-onomics, the rate payer bears the burden. We all will pay more per month so that some OPs guy can surf the web while he is at work.

From Securing the Internet, 2009/07/10 at 8:32 AM

* * *

Blake

Bob,

More of the same — who hit the US over the 4th weekend — and China shuts down a remote area to prevent the social networking — used to gather people together for protesting. Would the US ever do this to prevent the same — or does freedom of speech trump?

In 2004 I had proposed to US Rep. Zoe Lofgren to help set up an internet security incubator in Silicon Valley. At the time the US Govt was more concerned with major security issues and was working with the likes of MIT/Carnegie Mellon etc. The San Jose Business Development was on its own. The purpose was to allow ground up development of security systems through entrepreneurship — we had Intuit and Symantec interested since they have a large small/mid business market. Of course all things come down to where’s the money coming from — and that stopped the idea. Heck we even had a facility — a hospital that closed because they couldn’t make cost effective repairs for earthquake prevention. Would have been interesting.

Blake

From Securing the Internet, 2009/07/07 at 11:53 PM

* * *

Paul A. Strassmann

Dear Dr. Beyster:

You are correct that the new CYBERCOM will centralize much of our DOD’s (not national) efforts to defend against attacks on defense information technologies.

What is perhaps not sufficiently appreciated is the magnitude of the task to be accomplished. DOD’s 15,000 networks are fractured and insufficiently protected.

Perhaps you may wish to have a look at a paper on
http://www.strassmann.com/pubs/dod/cybersecurity-draft-v1.pdf
for a glimpse of what needs to be done.

Remaining with best (and fondest) regards,

Paul

From Securing the Internet, 2009/07/01 at 11:17 AM

* * *

Blake Escudier

Bob,

I would also assume that the Russians would like to have the ability to “somewhat” legally charge people with criminal activity inside their own country. The idea of a treaty allows justification for taking action against people and countries. And it would protect their own people doing such work in foreign countries.

I would think a recently evolving powerful position within most Embassy staff is the CTO — which can always be claimed as helping the countries economic development for technology. The new cover for spying.

Another area to discuss would be a country’s ability to negate electronic communication — this has come to light with the media reports that Iran shut down internet access prior to elections.

If a country can lock down their own internet — why can’t a foreign country do it to them as well? Of course this brings up the question — can it be done?

Whenever the US develops a new government program designed for protection — pretty much means the US has developed a program to do the same to others. (If I can hit you — it means I had better prepare myself from being hit back)

From drums and smoke signals to global warfare.

From Securing the Internet, 2009/06/30 at 6:05 PM

* * *

Bob Wertheim

Bob: I think your assessment of these challenges to national security is spot on. The new cyber warfare mission for the US Strategic Command is reflected in the tasking of the Strategic Advisory Group, of which I believe you are still a member. These are mostly in the “too hard” category for this ancient mariner but you should consider coming to the next plenary of the SAG and lend us a hand.

From Securing the Internet, 2009/06/30 at 9:39 AM