Sunday, June 19, 2011

It's Worse Than You Can Understand

June 19, 2011: The U.S. Department of Defense is trying to improve its network defenses, and those of companies that supply weapons and equipment. The new plan is to pool intelligence and defensive techniques with the major defense companies. This is being done as a pilot project called DIB (Defense Industrial Base) Cyber Pilot. This is a long shot, as the organizations with the best Internet security are not inclined to share. That's because the most dangerous vulnerability is someone knowing how your defenses are organized, and what kind of intelligence you are collecting (and how you do it) on the hackers. When it comes to security, the net is a very paranoid place.

Firms with the most to lose, like financial institutions, guard their data most successfully. They do this the old-fashioned way, with layers and layers of security, implemented by the best (and most highly paid) people and pushed by senior managers who take the time to learn about what they are dealing with, and what it will take to stay on top of the problem.

It's different in the defense business. If the Chinese steal data on some new weapon, there might be a problem years down the road, when the Chinese offer a cheaper alternative to an American weapon, for the export market. But even that problem has a silver lining, in that you can get away with insisting that those clever Chinese developed your technology independently. Meanwhile, everyone insists that there was no espionage, cyber or traditional, involved. As a further benefit, the American firm will get more money from a terrified government, in order to maintain the American technical edge. It's the same general drill for military organizations. But for financial institutions, especially those that trade in fast-moving currency, derivatives and bond markets, any information leaks can have immediate and calamitous consequences. You must either protect your data, or die.

Because of the shortage of high-end Internet security people (it's complex stuff, and a lot of the best people are lured away to the dark side), there is not enough talent to go around. Then there's that disinclination to share. Sharing with the government or defense contractors is seen as a particular waste, as these organizations lack sufficient short-term incentives to stay alert and reliable.

Meanwhile, Chinese Internet-based espionage has been going on for years. Some of the attacks have been traced back to Chinese government computers. But how do you respond? It's possible that there has already been a response. Espionage is a two-way street, and the United States certainly has the resources (in terms of talented Internet engineers and hackers) to do the same kind of snooping against Chinese computers. If so, like the Chinese, there would be no admission of such activities. That's how espionage is done, in the dark, with denials all around. Meanwhile, China has been making more desperate sounding exhortations for their own civilian firms to get stronger Internet defenses. But China has an even greater shortage of Internet security specialists, and is much more vulnerable than the government will allow anyone to admit (or go into detail about).

But the biggest problem, according to military Cyber War commanders, is the difficulty in making it clear to political leaders, and non-expert (in Internet matters) military commanders, what the cyber weapons are, and the ramifications of the attacks. Some types of attacks are accompanied by the risk of shutting down much, or all, of the Internet. Other types of operations can be traced back to the source. This could trigger a more conventional, even nuclear, response. Some attacks use worms (programs that, once unleashed, keep spreading by themselves). You can program worms to shut down after a certain time (or when certain conditions are met). But these weapons are difficult, often impossible, to test "in the wild" (on the Internet). By comparison, nuclear weapons were a new, very high-tech weapon in 1945. But nukes were easy to understand; it was a very powerful bomb. Cyber weapons are much less predictable, and that will make them more difficult for senior officials to order unleashed.

So the first order of business is to develop reliable techniques to quickly, and accurately, educate the senior decision makers about what they are about to unleash. This would begin with the simplest, and cheapest, weapons, which are botnets, used for DDOS attacks. In plain English, that means gaining (by purchase or otherwise) access to hundreds, or thousands, of home and business PCs that have had special software secretly installed. This allows whoever installed the software that turned these PCs into zombies to do whatever they want with these machines. The most common thing done is to have those PCs, when hooked up to the Internet, send as many emails, or other electronic messages, as they can to a specified website. When this is done with lots of zombies (a botnet), the flood of messages becomes a DDOS (Distributed Denial of Service) attack that shuts the target down. This happens because so much junk is coming in from the botnet that no one else can use the website.

But there are even more dangerous cyberwar weapons out there. You can unleash worm and virus software modified to take advantage of largely unknown Internet vulnerabilities that allow the user access to many business, government and military computers. This sort of thing is called "using high value exploits" (flaws in code that are not yet widely known). These exploits are a lot more expensive, and require more skill to use. Currently, a major source of exploits is hackers for hire. These are skilled hackers, who know they are working on the wrong side of the law, and know how to do the job, take the money, and run. This situation has developed because organized crime has discovered the Internet, and the relatively easy money to be made via Internet extortion and theft.

It is believed that those nations that have Cyber War organizations maintain arsenals of exploits. But these have a short shelf-life. Nearly all exploits eventually come to the attention of the publisher that created the exploitable software, and get fixed. Not every user applies the "patches", so there will always be some computers out there that are still vulnerable. But that makes "zero day exploits" (discovered and used for the first time) very valuable. That's because you can use these exploits on any computer with the flawed software on it. Thus it is expensive to maintain an exploits arsenal, as you must keep finding new exploits to replace those which are patched into ineffectiveness.

Most of the Internet combat so far has been done under peacetime conditions. In wartime, it's possible (especially for the United States) to cut off enemy countries from the Internet. Thus potential American foes want to maintain an official peacetime status, so the United States cannot use its ability to cut nations off (or nearly off) from the Internet, and remove easy access to American (and Western) targets. Thus the need to make attacks discreetly, so as to make it more difficult for an enemy to target stronger attacks against you, or threaten nuclear or conventional war.

Meanwhile, everyone (including the bad guys) seems to be concentrating on defense as the true extent of Internet vulnerability becomes known. So DIB Cyber Pilot might actually work, if the decision makers can be convinced of how vulnerable they are, and become truly and convincingly scared into action.

Strategypage
