DefenseTech Cyber Warfare, presented by University of Maryland University College

A Complex Situation

By Kevin Coleman — Defense Tech Cyberwarfare Correspondent

The last few days have shown the complex, threat-ridden environment that cyber has become, and at the same time how unprepared we are at this point to address these challenges. RSA/EMC, a critical player in cyber security, disclosed that it suffered a breach and that some information was exfiltrated. The organization quickly moved to brief its customers and advised them as to what actions to take. At the same time Sen. Susan Collins (R-Maine), the ranking member of the Senate Homeland Security and Governmental Affairs Committee, stated that a serious attack on one of the country’s largest technological security providers this week is an “urgent” sign for Congress to pass comprehensive cyber security legislation. Collins used statistics provided last March by the Senate sergeant at arms that showed “the executive branch agencies and the Congress are probed or attacked an average of 1.8 billion times per month.” That is nearly 3.5 times a minute, and keep in mind that the attackers only have to be successful once while our defenders have to get it right every time.

Then, Gen. Keith Alexander, head of U.S. Cyber Command, told members of Congress that he would give the military a grade of “C” for its cyber protection capabilities. It is widely believed that a large-scale cyber attack would quickly tax current resources. In fact, some have openly stated that the U.S. military does not have the trained personnel or the legal authority required to address this rapidly growing threat. General Alexander was just quoted as saying, “we are finding that we do not have the capacity to do everything we need to accomplish. To put it bluntly, we are very thin, and a crisis would quickly stress our cyber forces.”

It is looking like the pundits are right. It will take a major cyber attack with substantive impact before we get out of neutral and address this critical issue.


brian March 21, 2011 at 10:16 am

Alright so there is a threat and a bill, but how does the legislation stop people from probing networks? The only way you can keep people from probing your network is by disconnecting your network from the internet. Does the bill tell the general to do that? Does the general need a bill to have him do the obvious? (Well he isn't going to do that)

These network probes are analogous to satellites taking photographs of installations so they can be targeted for attack. Sure you can shoot the satellite down, but the nation who built it will just launch another one. Simply declaring it illegal won't stop it since the probes are coming from a nation-state. These are the kind of things nation-states do.

How does the Bill increase cyber security against the threat it is set against? There is no meat on this story, just fluff.


Kevin March 21, 2011 at 10:38 am

The Bill addressed the requirements that must be in place for privately owned critical infrastructure. In a cyber terrorism class I taught last week, the internal staff openly stated they did not need to be connected to the Internet for operations. It is a convenience mostly for software and equipment vendors and some management reporting. All of which is not worth the risk! Private, encrypted networks should be the norm in critical infrastructure applications. Today they are the exception!


brian March 21, 2011 at 11:03 am

Encryption is great, but encryption doesn't solve network probes; it just keeps people from sniffing and, in most cases, forging traffic. That is only one vector of attack. Most successful attacks I have seen are application stack attacks such as injection and simple password cracking, and root escalation methods like uploading shell scripts instead of images.

The more I think about this, the more likely I am to be set against this bill. There are a lot of crappy vendors and divergent standards out there (how many versions of SSL?), and if you require anything, you are probably going to break a lot of things, stuff as simple as low-powered embedded devices that don't have support for encryption. Most likely you would have to rip systems out or shut them down before they could be replaced, if they can be. This bill could easily be more devastating and more costly than a cyber attack.

BTW, DSS (Decision Support Systems) are a critical part of the business. Without them, management would be blind as to what was going on in their business.

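The comment above names "uploading shell scripts instead of images" as a common escalation path. The defensive counterpart, which neither the post nor the commenter supplies, is an upload handler that decides on the file's actual bytes rather than the name the client sent. The following is an added example, not code from the page or from any project it mentions; the magic-byte table, the accepted types and the sample uploads are constructed for illustration, and the handler names are hypothetical.

```python
import os
import secrets

# Constructed magic-byte table for the image types this hypothetical handler accepts.
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_ALIASES = {"jpeg": "jpg"}


def sniff_image_type(data: bytes):
    """Return the image type implied by the file's leading bytes, or None."""
    for kind, prefixes in IMAGE_MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return kind
    return None


def declared_extension(filename: str):
    """Extension the client claims, lower-cased and normalised; None if there is none."""
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    return EXTENSION_ALIASES.get(ext, ext)


def validate_upload(filename: str, data: bytes):
    """Decide whether an upload may be stored as an image.

    Returns (accepted, detail). The client-supplied name is consulted only to
    learn what the client claims; the decision rests on the bytes themselves.
    """
    claimed = declared_extension(filename)
    if claimed not in IMAGE_MAGIC:
        return False, "extension not allowed"
    actual = sniff_image_type(data)
    if actual is None:
        return False, "content is not a recognised image"
    if actual != claimed:
        return False, f"content is {actual} but name claims {claimed}"
    return True, actual


def server_filename(kind: str) -> str:
    """Server-chosen name: random stem plus the verified type, never the client's name."""
    return f"{secrets.token_hex(8)}.{kind}"


# Constructed sample inputs (not real uploads).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 32
SCRIPT_SAMPLE = b"#!/bin/sh\necho hello\n"   # a script carrying an image name

if __name__ == "__main__":
    for name, data in [("avatar.png", PNG_SAMPLE),
                       ("avatar.jpg", SCRIPT_SAMPLE),
                       ("avatar.png", JPEG_SAMPLE),
                       ("notes.sh", SCRIPT_SAMPLE)]:
        ok, detail = validate_upload(name, data)
        print(name, "->", "stored as " + server_filename(detail) if ok else "rejected: " + detail)
```

Two design points matter more than the table of prefixes. First, the stored name is generated by the server from the verified type, so a client-chosen name can never decide how the web server later interprets the file. Second, the check rejects a mismatch between claimed and actual type rather than silently renaming, which turns each attempt into a logged, visible event for the operators.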

Kevin March 21, 2011 at 2:00 pm

PRIVATE NETWORKS!!!!! You missed the word private. This does not belong on the Internet!!! Private Networks


brian March 21, 2011 at 2:43 pm

I'm sorry, I am a bit confused, why would you need encryption on a private/closed off network? Isn't the purpose of the bill to protect exposed assets that are privately owned?


Kevin March 21, 2011 at 2:54 pm

A few reasons.

1. Defense-in-depth approach
   - external interception of information being transmitted via leased lines

2. Foreign components in the hardware (compromised?)

3. Foreign software (compromised?)

4. Equipment/services suppliers' technical staff
   - non-cleared
   - may not be US citizens
   - the good old insider threat


brian March 21, 2011 at 3:26 pm

Generally speaking, if you were transmitting over a leased line, of course you would encrypt, but if you were running a cornered network that was inaccessible, encryption is not really the big concern. The bigger concern is physical access; that means thoroughly vetting and managing the users, since your system is always most vulnerable to its authorized users. Take PFC Manning, for instance: encryption didn't stop him, he simply downloaded all the data to a disk and the system decrypted it all for him just fine.

But you didn't answer my prior question "Isn't the purpose of the bill to protect exposed assets that are privately owned?"


Kevin March 21, 2011 at 3:40 pm

How Manning had that much access makes my head hurt when I think about it!


brian March 21, 2011 at 4:06 pm

It's quite common for access rights to degrade to universal privs, especially if there are no financial consequences for negligence. (Which is why I always implement roles.) On the other side of the spectrum, it was thought that having too little access was more harmful than having too much. On a more serious thought, how would you be able to predict what an intelligence analyst might need?


Kevin March 21, 2011 at 3:42 pm

The purpose of the bill is to protect our critical infrastructure in totality.


brian March 21, 2011 at 4:08 pm

If that's the case, most of our critical infrastructure is exposed; mandatory encryption would most likely cripple us at this point in time.


brian March 22, 2011 at 10:22 am

Honestly, I am not sure that we can do this at all. You can build on standards, do all-Unix deploys, require LDAP and RSA key propagation, TSA, take the facility off the net, blah blah blah, vet everyone, and end up like what happened in Iran with their fuel refinement, where some sysadmin gives up the signing key and with that single act destroys an entire plant! Cheaper than sending in a B2 with a JDAM!

Don't say the Iranians were stupid. The people running that plant weren't idiots, and their security was way better than anything we have been talking about, but still it wasn't enough. I think it's much like that Battlestar Galactica show where Adama says "Yeah we have computers, but they aren't networked. You network, the Cylons will kill you!" In that light, I think you have to accept that intrusion will happen, prevent it the best you can, but have overlapping, isolated, redundant systems with differing architectures and administrative staff. That way, when intrusion happens, you don't lose everything.

Crazy? Expensive? Unmanageable? You bet. But security is, in essence, a form of waste.


Roger March 22, 2011 at 11:50 am

Point of fact on the Iranians and Stuxnet: they were running out-of-date, unlicensed software. Having said that, there were some other nations running up-to-date, licensed software that fell victim to the same code. In my opinion, unburdened by any facts, a Russian contractor carried in a USB stick, so it was likely the weak, vulnerable human vector yet again. Although the RSA intrusion is likely a very different scenario, I bet once the facts come out (if they do) we will see that a human vector was somehow involved. Unless the new bill addresses the human issues, largely caused by poor leadership on a number of fronts (a whole other discussion by itself), it is unlikely to do anything constructive. Treating this as a technology issue is not addressing the root causes.
