Guest editorial by Andy Purdy and Tom Kellermann
The Internet is having a transformational impact on how individuals, organizations, and governments conduct their daily lives, and holds unrealized promise for impacting society for the better. A mind-numbing amount has been written and spoken about the threats in cyberspace that are affecting, and can even more seriously impact, our privacy, our economic well-being, and even our national security, so much so that there may be a cry-wolf reaction among some. While it is apparent that comprehensive cyber legislation will not be enacted during this term of Congress, significant progress to reduce national cyber risk can and should be made nonetheless.
At a minimum, the success of these efforts requires that key private sector representatives engage with government representatives in a more formal, ongoing way, so that we can better measure the nation’s progress in assessing and reducing the risk in cyberspace. In short, the private sector needs a seat at the table with government to chart the nation’s cyber course. We must work together to specify what is required for progress and what success looks like. We need a much clearer picture of what we as a nation need to worry about in cyberspace, and what we need to do about it. At its heart, this requires that the public-private collaboration identify critical national cyber priorities, set goals and objectives for each, and identify corresponding milestones and metrics for those objectives so that they can be resourced, tracked, and improved over time.
It is important that private companies and government officials have a better idea of what the most important initiatives are or should be, and whether, how, and when to collaborate actively or provide input. A particularly important candidate to be one of the national cyber priorities is the problem of malicious cyber activity, which should be framed just that way, and not as the narrower problem of cyber crime.
Early in 2010, Google disclosed that they had reached out to the National Security Agency for help in defending themselves against the Aurora cyber intrusions emanating from China, because of the sophisticated attacks that were attempting to steal their intellectual property crown jewels. Reportedly thousands of other American companies have suffered at the hands of the same cyber attackers. The recent revelations about the apparently far more sophisticated “Stuxnet Worm” raise even greater concerns about not only the threat to industrial control systems, but to our information and communications technologies, generally. Stuxnet reportedly targets industrial control systems that use Siemens software and infected over 30,000 computers in Iran, including computers involved in running nuclear facilities in Iran. Although many suspect nation-state sponsorship and intent behind Stuxnet, the public may never know who was behind it.
In the most recent spate of publicity about the cyber threat, the greatest fear articulated by some, that of a devastating nation-state or state-sponsored attack against our government and/or critical infrastructure, a so-called “digital Pearl Harbor,” has reportedly led the Pentagon’s new Cyber Command to “seek[ing] authority to carry out computer network attacks around the globe to protect U.S. interests….” (“Pentagon is Debating Cyber Attacks,” Washington Post, 11/6/2010, p. 1). Deputy Secretary of Defense William Lynn recently wrote in Foreign Affairs about the significance of the threat, and the Departments of Defense and Homeland Affairs announced that they had signed a Memorandum of Understanding to exchange cyber experts to increase the level of coordination and enhance the nation’s preparedness for a cyber attack. White House Cybersecurity Coordinator Howard Schmidt has publicly stated that his office is reviewing available legal authorities to make sure they do not pose an obstacle to an effective response.
While it is important to clarify or supplement the available legal authorities to support offensive and defensive actions, particularly related to the kinds of attacks that could come in the future, we need to begin to more aggressively address the intellectual property and economic losses we are suffering now, which collectively rise to the level of national security significance. Unfortunately, the facts not only demonstrate that the cyber threat to the U.S. is real in terms of the kinds of attacks that can happen in the future, but that there is a significant ongoing negative impact to American industrial competitiveness, the theft of intellectual property from American companies, that is not being adequately addressed by a strategic and coordinated government and industry initiative. The Deputy Secretary of State, James Steinberg, recently told a meeting in Washington that companies who feel they have been victimized by attempted or actual thefts of their intellectual property should contact the Department, which can pursue complaints through the World Trade Organization (WTO). However, there does not appear to be a proactive effort by the Department or others in government to reach out to corporate America to solicit such information so that there can be a coordinated effort to protect American interests.
The Chinese government, during early conversations in recent weeks with current and former U.S. government officials about malicious activity emanating from China and the possibility of working bilaterally at first to create international norms of behavior in cyberspace, has pointed out that more cyber attacks come from the U.S. than from China. This is no doubt because of the presence, visible to Internet Service Providers and observant network administrators, of millions of computers in U.S. networks that have been implanted with malicious software (these infected computers are called “bots”) and are being remotely controlled to launch spam, identity theft, phishing attacks (where the fraudster sends an email disguised as a legitimate business to surreptitiously implant malicious software on the computer), and distributed denial of service (DDoS) attacks, and that are available to convey more serious attacks if so desired by the person or organization remotely controlling a large number of such bots (a “botnet”). The Chief Information Security Officer of one of America’s largest telecommunications companies has said that a botnet containing as few as 65,000 computers (no longer considered a large botnet by any means) could shut down the IT system of ANY organization in the United States.
Strategic possibilities for action are in plain view, although some are controversial. The Obama Administration is reportedly considering an Australian initiative that will be formally launched on December 1st that requires Internet Service Providers (ISPs) to notify customers if they have computers that are infected with malicious software, and to require those customers to take certain ameliorative measures before they can be reconnected to the Internet. Japan has a program, the Cyber Clean Center, organized by the Japan Emergency Response Coordination (JP-CERT) Center with over 76 ISPs, in which participating ISPs send customers with infected computers an email or a letter directing them to a website where they can access a cleanup tool. Comcast has begun voluntarily notifying such customers so they can take steps to protect themselves and others. The Federal Communications Commission (FCC) held a hearing on November 5th to consider whether and how ISPs and telecommunications carriers might help address the national cyber risk, and what role the FCC might play.
According to the Wall Street Journal, the Commerce Department is reportedly preparing to release a report in coming weeks that will enhance policing of Internet privacy and create a privacy watchdog position to oversee it. The Journal reports that the White House has convened a task force to create specific policies based on the report.
For proof of this reality, one can turn the pages of countless reports produced by both government researchers and their private industry counterparts, from the Symantec Global Security Threat Report to the Verizon Business Data Breach Investigation Report and, most recently, the First Annual Cost of Cyber Crime Study: Benchmark Study of U.S. Companies. The U.S. government has produced similar tomes, including the National Strategy for Trusted Identities in Cyberspace (2010) and the White House Cyberspace Policy Review (May 2009). Bottom line: the case for action has been written over and over again.
Despite these efforts to amass some data on the nature and depth of the cybercrime epidemic, however, almost no one is systematically collecting and sharing statistically significant malicious cyber activity data in the United States, much less globally. In addition, there is precious little effort to focus on the enablers of this malicious activity who knowingly, recklessly, or blindly facilitate this wrongdoing and, in fact, help miscreants and more serious actors to operate with impunity.
When suspicious activity and even evident crimes are discovered, there is insufficient capability, even in the U.S., to connect the dots among disparate databases to get a true picture of which instances of criminality are connected to each other, to which malicious actors, and to which enablers. For example, there is generally no federated information collection, analysis, and sharing capability on cyber activity and malicious actors, even between federal agencies or between them and state agency databases, much less one that makes it possible to connect the dots between suspicious cyber activities that have been tentatively linked to terrorists and other instances of cyber criminality, such as spam, identity theft, financial fraud, and so forth.
How good a handle can we have on whether terrorists are financing their operations through spam or cyber crime without such capability? Similarly, how can we most effectively focus government resources on the most significant actors and most problematic activity if we cannot connect the dots?
Much has been written about the challenge of attribution in cyberspace. Who is intruding in our systems and who is behind the malicious activity? If we are attacked, will we know who is behind it, so that we can respond, without incurring the wrath of the world community? All too often it remains difficult, if not impossible, to identify the involved parties who hide behind the anonymity and global orientation of the Internet and utilize a catacomb of enablers, consisting of both legitimate and illegitimate providers, to cover their tracks. This includes Internet Service Providers (ISPs), hosting companies, merchant banks and online payment systems. Most times, however, we know who the enablers are and they must become an important part of the initial inquiry and long-term vigilance.
Internationally, even in those limited cases where individual cyber criminals or syndicates involved in this activity are uncovered, often the laws on the books or the investigative resources available in the countries in which they operate make meaningful investigation or consequential prosecution unlikely. In some countries, the ruling governments and resident Internet infrastructure are uncooperative at best and recalcitrant at worst. How to deal with these important bottlenecks for effective action against cyber crime is an important component of the challenge. Traditional approaches are not sufficient to impact the problem or reduce the larger risk that it represents to the United States and its allies.
None of these points is actively and openly debated among the government or private industry organizations; nor is the fact that current means of law enforcement have proven insufficient, specifically because they tend to be reactive instead of proactive. We have stood by as law enforcement, however well-intentioned (and well-intentioned they are!), has been the de facto lead nationally and internationally in the fight against malicious cyber activity. Frankly, this issue is much larger than what law enforcement can or should be called on to solve.
The same could be said of the policies that U.S. legislatures have put in place in an attempt to effect change in these scenarios. While it is important to find and punish as many wrongdoers as possible, an admittedly reactive but essential activity, even that approach is inadequate to have a significant impact on the magnitude and risk of the involved activities. Legislative action is a key component of ensuring that the necessary laws and investigative and prosecutorial resources are available to help law enforcement perform its traditional and critical function, but it cannot be a substitute for the larger collaborative initiative that we recommend.
Diminishing this vast, complex ecosystem of cyber risk demands a comprehensive approach that crosses the societal and organizational boundaries that the threats themselves transcend. Businesses can and must contribute more to addressing this challenge than merely being called on to report specific incidents, which is a very important activity in its own right. Governments must reach out to their industry partners, offering intelligence that can help organizations thwart attacks before they occur.
Despite growing public awareness of increasing malicious online activity and expanding collaboration to encourage broader and more transparent reporting of cyber incidents and warning of potential victims, little progress is being made to stem cyber crime, much less the broader issue of malicious cyber activity. We must recognize that more of the same will not change this reality. We need a new approach.
This ongoing struggle to stem the advancement of cybercrime worldwide has reached the policy and lawmaking arenas. The push for stronger laws to criminalize malicious online conduct has only just begun to bear fruit in the form of any regular prosecution of the involved transgressors, particularly when the problem is viewed through the lens of the global environment. The problems are too great to solve merely by ramping up traditional law enforcement efforts, although increasing the magnitude and coordination of those efforts is important.
Perhaps the most significant issue that continues to thwart such progress is that key government and business stakeholders do not see that the problem of malicious cyber activity is as important as it is, and that to address it seriously requires more effective partnering and information sharing across the public and private sectors. With so much said and written over so many years about the problem of cyber crime – and, in more recent years, malicious cyber activity – the question remains: how can law enforcement, other key government organizations, and businesses come together and partner in a manner that transcends previous efforts and hits back at cybercrime in a game-changing way?
To begin to tackle this problem, cybercrime must be addressed with recognition of its context as part of the larger problem of malicious cyber activity, which includes a continuum of malicious actors ranging from the low-level hacker and the pure criminal to organized criminal groups and nation states and their proxies and surrogates. It must be addressed strategically and proactively by an alliance of key business and government stakeholders, including, but not limited to, law enforcement.
Quite simply, the seriousness and complexity of this problem that we need to address desperately require a public-private alliance, made up of U.S. and international stakeholders, to embark on a truly strategic approach to reducing the frequency, impact and risk of malicious capabilities. More important, to work effectively over time and sustain itself, this partnership must also be one that respects the equities and perspectives of key stakeholders in its processes and in its path forward, so that all of its various participants feel respected and validated for their contributions.
The two overarching problems are, first, that there are virtually no consequences for malicious cyber activity, and second, that the Wild West nature of cyberspace enables serious malicious activity to use widely available vulnerabilities, attack tools, alternative payment processes, and traffic patterns to operate with impunity. Thriving malicious activity enables more serious activity while we wait for comprehensive cyber legislation that may never come, and that is not as critically required as some think. Melissa Hathaway, the author of the 2009 White House Cyberspace Policy Review, has forcefully called for the need to “drain the swamp” to make it harder for the miscreants of cyberspace to operate, and for those who enable them to do so. That problem, together with the fact that the innumerable positive, but disparate, cyber initiatives and activities are either uncoordinated, stove-piped, or reactive, means that we are working hard, but losing ground.
Now is the time to launch an initiative to develop a strategic roadmap to address malicious cyber activity in a proactive way that uses all available resources, one that includes the engagement of key stakeholders from government and the private sector. This initiative should be informed by the efforts to tackle the global problem of child pornography in 2006-7, led by the National Center for Missing and Exploited Children and the Financial Services Technology Consortium. The heart of that effort was a working group made up of key stakeholders relevant to an understanding of the scourge of child pornography and the flow of funds that enable and reward it, including representatives from law enforcement, academia, payment processors, others in the financial industry, and other representatives of the private sector.
This initiative must include a focused effort to collect and share data on malicious actors and those who enable them to operate successfully and frequently anonymously in cyberspace, and identify and leverage available technologies and processes to better secure the transactions, communications, and online interactions between and among individuals and organizations. By more strategically collecting and sharing data we can better connect the dots between the offending activity and those behind it, and we can supplement the traditional law enforcement response with a response that uses the full authorities and resources of government and the private sector. No single effort or initiative will eliminate the cyber threat posed to our government, critical infrastructure, organizations, or individuals, but this initiative can help us reduce the frequency, impact, and risk of malicious activity.
About the authors:
* Andy Purdy is chief cybersecurity strategist for CSC and helped to found and formerly headed the National Cyber Security Division and U.S. CERT at the Department of Homeland Security.
* Tom Kellermann is vice president of Security Awareness at Core Security Technologies and is a Commissioner on the Cybersecurity Commission for the 44th President. He previously held the position of senior data risk management specialist for the World Bank treasury.