If you’ve been hearing about an increased number of internet attacks, hacking, military-grade malware, cyber espionage, cybercrime, and other internet security issues lately, it should come as no surprise.
In a recently released summary of a soon-to-be-published book, cybersecurity experts from a Washington, DC-based non-profit organization known as the Cyber Conflict Studies Association (CCSA) say that the current strategic cyber environment is fundamentally unstable. As a result, it:
- Undermines deterrence against cyber attacks, especially against non-state actors
- Leads to the temptation to consider preventive or preemptive war options
- Provides strong incentives for escalation to the use of other military capabilities once (cyber) conflict has started.”
This is especially true for the United States, they conclude, because it is the most internet-reliant country in the world. After all, the internet was originally conceived and built here. However, back then, security was not an issue.
According to the CCSA study, “Addressing Cyber Instability”:
“The core technical problem at the heart of cyberspace is that the underlying architecture was never designed with security in mind; indeed, the original designers never imagined that the network would be used for malicious purposes. The priorities were, and generally remain, openness, ease of interconnection, and facilitating technical innovation.”
Since then, security measures have been “bolted on”, but they have had limited and ever-diminishing effectiveness as a result of constant and increasingly sophisticated attacks.
Jason Healey, who is on the CCSA Board of Directors and is also the Director of the Atlantic Council’s Cyber Statecraft Initiative, says he believes non-state actors, such as Internet Service Providers (ISPs) and non-profits such as the Internet Corporation for Assigned Names and Numbers (ICANN), can do a lot to strengthen cyber-defense by “shoring up the backbone” of the internet.
For example, he says, over the past five years, ICANN has increased security for the DNS root servers that are at the very heart of the internet. Those servers ensure that you actually arrive at the internet destination you intend when you type in a URL or click on a link. So, making sure security is extremely tight on those servers is vitally important, he says.
An example of what can happen if you’re re-routed on the way to your destination on the web is the cybercrime associated with the recently much-publicized DNS Changer malware. Hundreds of thousands of computers worldwide were infected with that virus, which netted millions of dollars in revenue for the perpetrators of the Ghost Click scam until the FBI busted them last spring.
Meanwhile, according to a story on Networkworld.com, AT&T’s DNS servers were hit by a distributed denial of service (DDoS) attack this week. DDoS attacks overwhelm servers with so many requests that they are unable to handle regular traffic, thereby effectively shutting them down.
Those types of attacks, Healey says, ought to be addressed by Internet Service Providers (ISPs). “ISPs have the biggest responsibility for stopping DDoS attacks”, he says, because they can see when those attacks are taking place on their networks, and they could block them.
However, they do not.
Why ISPs don’t block attacks, and what could be done to induce them to do so, was a frequent topic of discussion on Capitol Hill this year, as both the US House and Senate tried to come up with new cybersecurity laws.
What came out during those congressional hearings is that ISPs are reluctant to stop malicious traffic on their networks because they are afraid of getting sued by their customers. Their fear stems from the fact that in order to ascertain whether packets of information flowing over the network contain malware, they have to take a peek inside to see what they hold.
But those packets could also include emails and other information that many people would like to consider private. What the ISPs asked Congress to do, as a result, was to grant them “safe harbor” from privacy lawsuits, so that they could actually block malicious network traffic without fear of getting sued by the same customers they’re trying to protect.
But Healey says he doesn’t think most customers would have a problem with ISPs taking direct action to block attacks. “I can’t imagine you’d get a lot of complaints”, he says.
Indeed, most people would probably be relieved if their ISPs blocked malicious traffic such as botnets (vast collections of infected computers remote-controlled by hackers to perpetrate denial of service attacks).
But exactly how the ISPs would do it, and with whom they would share the information they might uncover, became a thorny issue when cybersecurity legislation was being debated by Congress this year.
For example, Electronic Frontier Foundation (EFF) Media Relations Director Rebecca Jeschke said during an interview for a post on this blog a few months ago that she was unhappy with the much-maligned House Cybersecurity Sharing and Protection Act (CISPA) because it, in effect, allowed ISPs to “spy on their customers”, for the Federal government.
But while officials from companies such as Comcast and AT&T stressed during House cybersecurity hearings that they didn’t need to share “personally identifiable” customer account information with the government, and that customers should not be worried that they would, that isn’t how the bill wound up being written. Instead, it not only allowed ISPs to share personally identifiable customer details, it also allowed the government to do whatever it wanted with the information once it had it.
Even so, that measure failed to pass a couple of weeks ago, because Republicans opposed it on the grounds that it would be too costly for business, and that mandatory regulations for critical national infrastructure (such as the electric grid and nuclear power plants) should be voluntary.
But the White House isn’t taking that defeat lying down. In fact, President Obama is considering issuing an executive order making the Senate vote, at least with regard to protecting critical national infrastructure, moot.
However, Healey says that while some increased government regulation could be useful, it won’t solve the problem.
That’s because it’s much easier and cheaper for “the offense” to exploit holes in security measures than it is for “the defense” to block them, he says. Attackers only need to find one way in, he explains, and defenders need to block all possible routes–something that is virtually impossible to do.
In addition, the CCSA study explains, the way the internet works, “often provides the attacker with anonymity and plausible deniability”.
But, Healey notes, the same anonymity that allows hackers and governments to launch cyber-attacks is the anonymity that allows regular internet users to log on and surf the web without having to enter some form of official identification–something essential to the kind of freedom of use and freedom of speech that internet users worldwide value very highly.
So, what is the average internet user supposed to do? What can people do to remain safe online, given the fact that the experts agree that the internet at its very core is unstable and hard to defend?
What can the average person do, in light of the fact that the same network that allows them to post cute kitten videos on Facebook could also enable governments to wage cyber-war?
Or, perhaps even more ominously, what could the average person do if someone totally unconnected to any government anonymously launches a cyber-attack that could be mistakenly attributed to a particular country? What if that mistaken assumption then triggers a response–perhaps against the wrong people–with actual (kinetic) bombs and guns?
Well, in light of all those threats, Healey says, regular internet users–and even security experts such as himself–can’t do much, other than take basic computer security precautions. Those include “using anti-virus software, not using the same passwords on different sites, and not visiting sites that might be dangerous”.
To keep the average user safe, he says, you have to address the issue from a larger, more global perspective. That, he says, will take cooperation and coordination between private business, the US government, network operators, non-profit organizations, the tech community, and even other countries around the world.
The CCSA study advises:
“If decision makers accept that cyberspace is inherently unstable from a strategic conflict management perspective and abandon attempting to create a stable cyber environment, this may naturally result in an increased emphasis on resilience, risk management, and mitigation and the potential creation of risk reduction centers.”
What’s needed, the study concludes, is “a national or even global strategy in cyberspace to create stability through resilience and efforts to clean up the ecosystem.”
Click here for a link to information about the CCSA’s “Addressing Cyber Instability” study, and follow these links to learn more about the topic. There are, of course, many more, but these are some good places to start.
Schneier On Security (Security expert Bruce Schneier’s website)
CNET.com (Security & Privacy News)