US Intel Chief Paints Dark Picture of Cyberattack Defense
Feb 4, 2010 11:53 AM PT
As the United States' private and public sectors increasingly leverage the Internet, the U.S. intelligence community fears that they are severely endangering the country's critical infrastructure.
On its own, neither the public nor private sectors can combat this threat, U.S. Director of National Intelligence Dennis Blair told Congress this week during an annual threat assessment briefing on national security.
"Malicious cyberactivity is occurring on an unprecedented scale with extraordinary sophistication," he said, adding that the perpetrators include nation-states, terrorists and organized criminal gangs.
Two global trends -- network convergence and the concentration of data captured about individual users -- what Director Blair calls "channel consolidation" -- make the situation worse, he said.
The Web Is a Dangerous Thing
"The national security of the United States, our economic prosperity, and the daily functioning of our government are dependent on a dynamic public and private information infrastructure, which includes telecommunications, computer networks and systems, and the information residing within," Blair told the Senate Select Committee on Intelligence. "This critical infrastructure is severely threatened."
While this information infrastructure is "exponentially expanding our ability to create and share knowledge," it is also making life easier for cyberattackers, Blair said. He cited the recent attack on Google's infrastructure as an example. This attack, which also hit other U.S. companies, was launched through a zero-day flaw in Internet Explorer 6 and is known as "Operation Aurora."
The public and private sectors in the U.S. need to cooperate to battle cyberattacks, Blair said. "I am here today to stress that, acting independently, neither the U.S. government nor the private sector can fully control or protect the country's information infrastructure."
Cyberattacks are becoming increasingly frequent and sophisticated and could possibly crash our infrastructure at a bad time, he stated. "We cannot be certain that our cyberspace infrastructure will remain available and reliable during a time of crisis," Blair said.
Currently, the way the Internet is set up favors the bad guys, and this situation is likely to continue into the foreseeable future, Blair pointed out. Criminals' increasing skills make matters worse.
"Criminal elements continue to show growing sophistication in their technical capability and targeting. Today, cybercriminals operate a pervasive, mature online service economy in illicit cybercapabilities and services, which are available to anyone willing to pay." This is how cybercriminals can reach across national borders to steal credit cards and user information from victims in distant countries; they then sell those cards and information to other criminals in yet another country.
Cybercriminals also have a reach beyond that of law enforcement, and their activities can impact countries' economies. "Globally, widespread cyberfacilitated bank and credit-card fraud has serious implications for economic and financial systems and the national security, intelligence and law enforcement communities charged with protecting them," Blair said.
Security experts have complained for years that law enforcement agencies don't cooperate well at the state, national and international levels and that this inability hampers their fight against cybercrime and terrorism. For example, the Christmas Bomber, Umar Farouk Abdulmutallab, got onto a Northwest Airlines flight with explosive powder in his underwear even though his father had warned the U.S. embassy in Lagos, Nigeria, about his radical tendencies and he had been turned away by British immigration authorities previously.
We need high-level coordination between countries as well as between law enforcement agencies here in the U.S., Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld. "In addition, well-funded, properly trained mitigation and investigation teams are required to quickly identify and eliminate the threats and prosecute the attackers," he said. Countries that provide safe havens for criminals should be cut off from the common networks, he added.
The More We Get Together
One of the trends that makes things worse is network convergence -- the merging of voice and data technologies to the point where all communications are transported over a common network structure, Blair pointed out. "This convergence amplifies the opportunity for, and consequences of, disruptive cyberattacks and unforeseen secondary effects on other parts of the U.S. critical infrastructure," he said. This convergence will be just about completed within five years, he predicted.
Defending against this weakness requires the ability to accurately identify people and entities accessing and managing these resources, Enderle said. "Anonymous access and password protections are simply not adequate given the threats we currently face," he pointed out.
Another trend that makes things worse is channel consolidation, which Blair describes as "the concentration of data captured on individual users by service providers through emails or instant messaging, Internet search engines, Web 2.0 social networking means, and geographic location of mobile service subscribers."
This increases the potential and consequences for exploitation of personal data by malicious entities, Blair said. "The increased interconnection of information systems and data inherent in these trends pose potential threats to the confidentiality, integrity and availability of critical infrastructures and of secure credentialing and identification technologies," he pointed out.
What to Do - Ban Google?
Companies like Google, which aggregate users' data, are among the agencies of channel consolidation. So, should we impose stricter controls on the collection of data or ban Google and other Internet companies from collecting user information?
That may not be the answer. The real problem is not data access but data misuse, Enderle contended. "The focus should be on the misuse, not on the access; going back to the stone age by banning Google, for example, would not make the world a better place."
In any event, it's not possible to turn back the clock. "I see the risk of putting all your stuff on the Web in one place," Stewart Baker, distinguished visiting fellow at CSIS and a law partner at Steptoe & Johnson, told TechNewsWorld. "On the other hand, knowing how sophisticated the attackers are, I have zero confidence in my ability to protect myself." Baker is the lead author of a McAfee report on critical infrastructure and cyberwar presented at the world economic forum in Davos on Jan. 28.
However, Google and other companies that do collect user data should take more responsibility, Scott Crawford, managing research director at Enterprise Management Associates, told TechNewsWorld.
"Far too many private sector organizations see security as being about the protection of themselves," he pointed out. "They likely acknowledge at least some responsibility for customers and stakeholders, but far too few seem to recognize that digital security is fast becoming a matter of national interest and failing to recognize just how critical their role in it has become."
Private organizations have an obligation to be more realistic about security, not simply adopting measures that may or may not have real impact just because they are common, or simply check off a compliance checkbox, Crawford said. "It is past time to see this as simply being a business cost or an inconvenience."