I am preparing my next road show pitch. My past presentations have followed a pattern. There is one slide I have been using for seven years now, ever since I joined Gartner as an analyst as a matter of fact. It is the Threat Hierarchy slide. It lists threats in rank order of risk:
• Exploratory hacking
• Vandalism
• Hacktivism
• Cyber crime
• Information warfare
When I first started touring I would use my renowned PowerPoint skills (not) to "strike out" Cyber crime, stating that there was no Lex Luthor of the Internet. Wow, times have changed, and I have spent the last two years on the road exhorting my audiences to be aware of the threat from cyber criminals. There are now probably at least 100,000 Lex Luthors all working diligently day and night to steal information and make money from cyber victims.
Well, what about Information warfare? All the rest of the threat hierarchy have come to pass. I am rapidly coming to the realization that cyber war is a topic that should be addressed. Thus I am taking "Surviving Cyber War" on the road.
In preparing for this road show I found that I needed to define a set of Cyber Defense Conditions so here they are:
• Cyber DefCon 1. Travel warnings. Governments issue warnings about protecting data when traveling to foreign nations. Government agents monitor industry conferences and bug hotel rooms. We have been in this condition at least since 1992. Testimony before the US Congress cited a NY Times article that, among many other instances, mentioned French spying on US businessmen at conferences and by installing listening devices on Air France flights.
• Cyber DefCon 2. Nation states probe each other’s networks for vulnerabilities. They attempt to exploit those vulnerabilities, perhaps using teenage hackers as a cover. Of course there are many instances of this worldwide. The most covered was the so-called “cyber war” between Chinese and US hacker groups in the aftermath of the Chinese-US spy plane collision that occurred April 1, 2001.
• Cyber DefCon 3. Widespread information theft with intent to mine industrial as well as military and geo-political secret information. Shortly after the Haephrati Trojan case broke, where it became known that Israeli businesses were hiring private investigators to spy on competitors using custom Trojan software to steal documents and communications, the UK’s NISCC announced that industrial-scale attacks using similar techniques were targeting UK businesses and government agencies. The spokesman for NISCC named Asia as the source of the attacks. We now know that he meant China.
• Cyber DefCon 4. Targeted attacks against a nation’s military and government installations. Loss of critical data, collateral damage. In the US attacks emanating from China have been labeled Titan Rain. In recent months more concerted attacks have been leveled at the Pentagon causing an outage that lasted several days. These attacks mirrored similar incidents at Whitehall (UK), and the German Chancellery.
• Cyber DefCon 5. Nation-to-nation attacks that are malicious with intent to destroy communication infrastructure and disable business processes, including financial markets. While the events of last April, where Russian-sponsored hackers took down most of Estonia’s Internet presence, and similar attacks against the Ukraine of last quarter fall into this category, the motivation and purpose were disruptive rather than a precursor to an invasion or more serious acts of war.
From these definitions it is not unrealistic to declare that we are in a state of Cyber Defense Condition 4. Organizations should be taking extreme measures to protect their data from theft by investing in strong authentication, and utilizing encryption technology. They should also be preparing their IT infrastructure for concerted denial of service attacks by hardening their DNS, deploying additional layers of defense, and positioning key cyber assets at network nodes with lots of available bandwidth. Western governments should be using the strongest diplomatic means to curtail the current attacks and avoid future attacks. Strategic defensive measures should be deployed throughout the global networks. Government agencies and individual departments should segregate themselves and defend their perimeters. Offensive capabilities should be prepared as a deterrent to future attacks.