Cyber Insecurity

After spending the past two days in forums featuring some of the nation’s leading experts in the cybersecurity field; here is what I have learned.

Your computer is not secure. Your mobile phone is not secure. The networks upon which all of your devices run are not secure, and the underlying architecture of the internet is both insecure and extremely unstable.

General Keith Alexander, who directs both the National Security Agency (NSA) and the US Cyber-Command, calls the more than $1 trillion dollars lost worldwide each year as a result of cybercrime the “greatest transfer of wealth in history”.

He says advances in internet technology offer our country both tremendous opportunity and tremendous vulnerability. “And we’re seeing that other countries are using this space, that the conflict is growing, that the probability of crisis is knocking”, he says. “While we have the time, we should think about and an act on those things that we need to ensure our security in this area– and do it now before there is a crisis.”

On the plus side; there are some very smart, extremely motivated, and very determined people very high up in both the Federal government and private industry who are trying to come up with ways to avert such a crisis.

But, while they all share goals such as protecting vital national infrastructure, guarding valuable intellectual property, and securing online financial transactions, they do not all agree on exactly how to do it.

That’s because the problem is so complex, and technology is changing so rapidly. Instead of talking about completely “fixing” the problem; what the experts are focusing on now is mitigating risk in the short-term, and moving toward a more defensible system in the future.

Before getting into the complicated specifics of how that might be accomplished; here is one  easy thing  you can do right now (other than use anti-virus software) to help protect yourself from cybercrime.

Stop banking on your mobile phone.

According to Gregory Rattray, PhD, who is the President of the Cyber Conflict Studies Association (CCSA), and former chief security adviser to the Internet Corporation for Assigned Names and Numbers (ICANN); “Bank security guys understand mobile is not secure”.
Rattray explained that bank CEO’s let the fear that they’ll lose customers if they don’t provide the same convenient mobile banking options that their competitors offer, override security concerns.

He says bank officials will never admit to it; but they urge you to do online and mobile banking because it’s easier for them; saves them a lot of money; and gives them a competitive edge.

He explains that it is the “inherent nature” of the internet that makes it so difficult to secure. “There is too much openness, too much interconnectedness”, he says. “Security people like borders,” he says, but then again; so do governments like Russia and China who want more control of what their citizens do online.

These conflicting goals; the desire for openness and need for security, along with the rapid pace of technological change, he says, make internet security very difficult.

In order to address those difficulties, and also to protect citizens’ civil liberties and privacy; General Alexander says we need to do the following things:

1. Move more information into the cloud, even though, he says, “cloud computing is not as secure now as it should be.” He describes the ideal cloud solution as “a thin virtual IT infrastructure that is much more defensible than what we have today”.
2. Build a trained and ready cyber force with the “right number and the right capacity.” One way to do that, he says, is to recruit the best graduates from the more than 100 US universities now offering courses in information assurance and cyber-security.
3. Get cybersecurity legislation passed by Congress that allows the government to have “situational awareness”; i.e., the ability to actually see and be notified in real-time about what’s happening on civilian networks. While privacy advocates worry about internet service providers (ISP’s) sharing user data with the government; Alexander insists there is no need or plan for the government to read your email. “We need to know when the nation is under attack, and what we can do about it”.
4. Change the way government currently operates, by defining the command and control relationship between agencies such as the NSA, FBI and Department of Homeland Security (DHS), so that they can all work effectively together as a team.
5. Obtain authority, policies, and rules about how the government operates with regard to cybersecurity.

During both the forum at the American Enterprise Institute (AEI) at the Atlantic Council, the experts agreed that continuing to depend upon improvements in intrusion protection isn’t effective.

What we need, according to Michael Mulville, who is a CyberSecurity Solutions Executive at Cisco Systems, Inc., is a “sweeping change of approach”. He says a lot of customers are relying on technology alone to solve the problem, and that won’t work.

So, what is it going to take? Well, Mulville says, one possibility might be that governments–even those often on different sides of the issue such as the US and China–could collaborate. For example, he says, both countries have an interest in combating Botnets (massive collections of malware-infected computers often used by hackers and/or cybercriminals in denial of service attacks).

But the fact that it was the US that launched military grade malware against Iran in an effort to slow down their nuclear program, could make other countries less likely to want to collaborate.

Jason Healey, Director, Cyber Statecraft Initiative, Atlantic Council observed that the US unleashing the Stuxnet and Flame viruses against Iran could have had the unintended consequence of teaching other nations that it’s “OK to strike first before there’s any conflict”.

When a reporter asked Alexander what vulnerabilities the US creates for itself when taking such actions, the General replied:

“Cyberspace is an area where we have to look at…what are the alternatives? What are the means of potentially getting other countries something that they may or may not want to do? In the physical domain, that would have been a war. What are things that you could do short of a war, and what should we do that are diplomatic, economic, and informational–and not just military–and how you put those on the table? Those are policy decisions, they are not our organization’s decision. My experience is that people weigh those considerations very deliberately, and I think that as a consequence, what they do, and the policies they come up with, use all of that.”

Alexander was also asked whether Al Qaeda terrorists or other “non–state” actors in the cyber world are anywhere close to being able to  create and deploy cyber weapons which, can cause actual physical damage,  like the Flame and Stuxnet viruses  caused to equipment in a Iran’s nuclear facility.

“I don’t personally believe they are a viable threat in that realm right now, no.”, he said. However, he added that while he doesn’t see that happening today; it could “very quickly get to that”.

The role played by non-state actors such as terrorists, hackers, activists (also known as “hacktivists”), and cybercriminals, is one of the factors outlined in a new report on the field of cyber instability just released by the Cyber Conflict Studies Association (CCSA).

That organization released the executive summary for Addressing Cyber Instability, in partnership with the Atlantic Council’s Cyber Statecraft Initiative, with sponsorship from Intelligent Decisions and Cisco.

From the CCSA website:

The report concludes that cyberspace is an inherently unstable national security domain. Its fundamental characteristics—such as the low cost of entry, abundant access points, and the difficulty of attribution—alter traditional power calculations. This enables non-state actors to wage proxy warfare on cyber battlefields, beyond national accountability or control.

The vulnerability of national critical infrastructure endangers whole civilian populations, and places private enterprises on the front lines. Additionally, the absence of international norms and comparatively low costs of cyber attacks create incentives for nations to launch preemptive strikes in a coercive attempt to forestall more traditional kinetic conflict. In such an unstable environment, the consequences of misinterpreted signals between nations may be catastrophic.

For more information follow these links:

Addressing Cyber Instability Executive Summary

The Atlantic Council

American Enterprise Institute
Cybersecurity and American Power


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s