Are we at risk of being victims or casualties in a government cyberwar? In the first of this three-part series, we explore what the experts say about the current state of cyberwar -- and what it means to IT departments everywhere.
Insider Threats: 10 Ways To Protect Your Data
(Click image for larger view and slideshow.)
Cyberwar is an ugly word, not only because of what it implies, but because the term is ill-defined. It's suggestive of digital attacks alone. That's simply not the case. It is far more likely that cyberattacks would be only one form of aggression in the otherwise familiar hells of war.
The biggest question of all, for corporations and citizens alike, is: Are we here in the US simply in the midst of informal nation-state aggression, or are we in a full-fledged cyberwar?
The distinction between the two situations may not matter for IT's purposes, since neither poses a serious threat to corporations. Nonetheless, it's important to understand the nature of the threat in order to prepare an effective defense.
To help answer these questions, InformationWeek interviewed 57 experts for this three-part series that explores where we stand today, where we're headed, and what CIOs and other IT leaders need to do to prepare.
To War or Not to War?
"Regrettably, in a way akin to the notion of mutual assured destruction [MAD], we are in the midst of a cyberwar at present that could have severe consequences for major nation-states," said Joe D. Whitley, chairman of law firm Baker Donelson's government enforcement and investigations group, in an interview with InformationWeek. Whitley was the first General Counsel of the US Department of Homeland Security and is former Acting Associate Attorney General for the US Department of Justice.
If we are in the midst of a cyberwar, why hasn't such been publicly declared by the US government and broadcast across all of the news media? The coverage has been piecemeal, at best. This summer, NBC News obtained an exclusive NSA map of cyberattacks reportedly perpetrated by China against US targets. Even so, there's been no formal government declaration of a cyberwar. Why not?
"Cyberwar is a vague concept, and must be viewed within the larger strategic context of relations between [nation] states," said Andrea Little Limbago, principal social scientist at Endgame, in an interview with InformationWeek. Endgame is a cyber-security company with roots in protecting the US government's national security assets.
"The recently released [Department of Defense] Law of War manual outlines the digital activities that may constitute war, largely based on the physical impact of digital operations," Limbago said. "This includes things ranging from cyber-operations that result in a nuclear plant meltdown, to undermining the military's logistic systems, to destroying a dam. It does not include those attacks that have dominated the media lately, such as website defacement or theft of private information."
Federal hacks -- such as those of the Veterans Administration (VA), the White House, the State Department, the US Postal Service (USPS), the Government Publishing Office (formerly the Government Printing Office), and the Office of Personnel Management (OPM) -- may not fit the DoD's criteria of acts that constitute war. But that doesn't mean that American lives and corporate livelihoods aren't in danger.
It also doesn't mean that IT need only worry about data breaches in a business-as-usual state of mind, for there's nothing usual about this situation. For perhaps the first time ever, IT in private companies is, for all practical purposes, the first line of defense for both these organizations and the country.
"Our defenses to a cyberattack in the United States are much weaker than they should be," Whitley said. "The reasons for our vulnerabilities are many, but they have their roots in a free-market society where 85% to 90% of our critical infrastructure in the United States is in private hands. As a consequence, we are much better positioned to launch attacks than to defend against them."
(Image: Mikko Lemola/iStockphoto)
Not only is most of our critical infrastructure in private hands, but IT is already charged with defending against the tactics used to attack it, regardless of whom the attacker is. Whether or not the government labels it as war, and whether or not the aggressor is a terrorist or a nation state, IT is on-point.
Take for example, the tactic used in the OPM hack, wherein an employee's user credentials were stolen and used to access and copy data. The user was an employee of government contractor KeyPoint Government Solutions, which was working on OPM's systems at the time of the theft of credentials, according to KeyPoint CEO Eric Hess's testimony during a House Oversight and Government Reform Committee hearing. The theft happened on IT's watch -- at OPM, or KeyPoint, or both -- and reflects the general and prevailing lack of attention IT is giving to security weaknesses in systems.
In other words, it's not that hackers are smart. It's that IT, as a general rule, is not mounting much of a defense. Even though it's obvious that the risk has grown significantly and far surpasses merely a loss of digital data.
Hacking the Hacks
"The significance of the OPM hack is so profound that no matter what is written, it's underreported," said Valerie Plame, the former covert CIA operations officer outed in 2003 by the Bush administration in the lead up to the Iraq war, in an interview with InformationWeek. "From what I understand, NSA and CIA employee data wasn't included in that hack, but I still wouldn't want to be serving overseas now."
Information is power, Plame said, and this much power is deadly to operatives and other key government workers in myriad ways.
"It's all about human relationships. That's what I did [at the CIA] -- I learned about and formed relationships to build trust," said Plame. "It's all about building trust to get what you want, and the OPM hack gives an adversary a huge advantage in that regard. People don't realize how much information was gained from the OPM hack and that it puts family, friends, spouses, previous lovers, college roommates, landlords, neighbors, and previous employers -- everyone that anyone documented in that dataset ever came into contact with or got close to -- at risk."
That information can be acted upon with harmful or deadly effect now, and/or it could be the prelude to something much bigger later.
David J. Venable, CISSP, a former intelligence collector at the NSA and currently director of professional services at Masergy, which owns and operates a global cloud networking platform, says there are three prime categories of vulnerabilities in this country: our utility infrastructure, our government, and our finance sector.
A serious attack on any one of those could prove disastrous, but an attack on all three would be catastrophic. That scenario would go something like this, he says:
Clever attackers could pre-position some Gauss-like malware across the financial industry, lying dormant until the right time.
They could also propagate Stuxnet-like malware across the country's utility/SCADA networks and leave that malware also lying dormant until an agreed upon time.
The attackers could then trigger the exfiltration of vast amounts of financial data and, while they're at it, clean out the bank accounts of individuals, companies, and governments -- all within a very short amount of time.
Once all of that was completed successfully, they could use the SCADA malware to shut down utilities -- even power grids.
They could simultaneously release messages to the public, disguised to be from the government, by compromising content delivery networks, resulting in even more mass panic.
In each case, IT is at the head of defense and response. Preventative and fast-response planning should be put in place, tested, and drilled regularly by IT staff members to ensure that defenses are tightened and, should the worst happen, that they regain immediate and unfettered control of systems. This means not only that security must be implemented and prioritized at every level, but also that such efforts must be ongoing, diligent, and increasingly sophisticated.
Further, IT should design and be prepared to deploy robust and resilient recovery tactics that include -- but go far beyond -- data backup and recovery. While this is true across all industries, it is especially so in
Page 2: Are China and Russia the true culprits?
Pam Baker is author of Data Divination: Big Data Strategies, which met with rave reviews and is currently being used in universities as a textbook for both business and tech courses. It's also sold to business audiences in the general market. The US Chamber of Commerce and ... View Full Bio
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.