Fearing the specter of crippling attacks on government and private sector computer systems, federal officials
are stepping up efforts to foil cyber terrorism.
A recent solicitation from the Department of Homeland Security's
advanced research projects agency, HSARPA, illustrates the weaknesses
of current computer systems, and hints at technologies and approaches
to shore up gaping vulnerabilities.
A close reading of the solicitation illustrates DHS' concern
over the lack of tools available to thwart hostile computer acts,
whether it be a terrorist hacker manipulating valves at a natural
gas refinery, a domestic agitator shutting down a government website
or a strike at the national electric grid by a foreign power.
The HSARPA proposal asks for solutions to a variety of urgent problems
facing the entire private sector, as well as specific DHS agencies.
Awards will be given to those who can create tools and methods to
measure the security of networks, tighten controls over wireless
networks and enhance post-attack forensics.
HSARPA is reviewing research and development proposals, and will
award $4.5 million in contracts by the end of this month, with an
anticipated total of up to $15 million over three years.
"Many solutions available today are geared towards marketable products
and not to guard critical infrastructure," said Mark Gembicki, program
director of DHS' national cyber-security exercise and managing
director of critical asset protection for Bearing Point Inc. "We
need to listen to the needs of critical infrastructure and not the
so-called needs of the vendors," he said.
He added that much of the intelligence about terrorist networks
indicates that they are now planning physical and cyber attacks
at the same time. "We have to be able to defend ourselves against
a blended attack."
Infrastructure systems are vulnerable, many experts agree, because
the focus on availability and accessibility has left the door open
to abusers. Supervisory control and data acquisition (SCADA) systems
provide real-time information to operators of vast networks that
keep infrastructure moving, and nearly all use off-the-shelf, commercially
available (and therefore easy-to-hack) software.
"General purpose computers are increasingly being used for
mission-critical tasks within critical infrastructures. Moreover,
these systems are increasingly integrated into enterprise networks,"
according to HSARPA documents. "These trends permit companies
to leverage advances in commercial technology and more closely integrate
business and production activities. However, there is a concern
that this has come at the price of increasing the vulnerabilities
of these systems to network attack."
Interoperability is a buzzword in Washington, D.C., but the concept
is emerging in a new security environment. This delicate balance
between security and accessibility is at the forefront of the government's
strategy to secure cyber space for commerce and communication, said
Tom Mazich, public sector chief for the computer security firm Symantec.
"The days are gone of seeing a closed, proprietary system,"
he said. "There's more and more pressure to move to a
more open environment."
But these open, off-the-shelf systems also must be secure; it's
a conundrum that has vexed DHS in its research efforts. "How
do you make security and operations come together?" Mazich
asked. "These two areas have co-existed, but are now starting
to converge."
However, some newer technologies have outpaced security so thoroughly
that HSARPA is trying hard to catch up.
The wide-scale use of wireless networks worries the security-minded.
"Government has shown an inability to halt unauthorized wireless
traffic and, even worse, encryption protocols have not achieved
consistent usage, or have failed to ensure their claimed security
requirements," the HSARPA solicitation said.
Wireless networks are an increasingly preferred method of controlling
far-flung infrastructure systems. In the U.S. railroad system, for
example, such devices are preferred to sending crews into remote
regions to do hands-on work. Wireless SCADA systems are being used
to monitor the health of the heaters that prevent tracks from freezing
over during the winter. Wireless technology also is used to link
security cameras, relay passenger information and serve as the backbone
of the entire communications system. In other parts of the nation,
wireless systems run water and wastewater systems, uranium mining
operations and natural oil pipeline pressure and flow rates.
DHS is especially keen on improving wireless security since its
inspector general released a report in June that lambasted the agency
for a lack of control.
"Although DHS security policy requires certification and accreditation
for its systems to operate, none of the wireless systems reviewed
had been certified or accredited," the report determined. "As
a result of these wireless network exposures, DHS cannot ensure
that the sensitive information processed by its wireless systems
is effectively protected from unauthorized accesses and potential
misuse."
The solicitation seeks better hardware and software solutions to
scan for unauthorized users on wireless networks.
Also needed are methods to improve signal fingerprint analysis,
which uses a signal's profile to locate and identify it as it
bounces to receivers. The disruptions uniquely mark a signal, much
as the ridges on a fingertip can identify a person.
The government's role in cyber security is not best geared
towards protection, since about 85 percent of U.S. infrastructure
is in private hands. What the government can do is punish transgressors,
assuming it has the right tools to find them.
A case called Moonlight Maze illustrates the limits
of post-cyber attack forensics. In 2000, U.S. officials accidentally
discovered a pattern of incursions against computer systems at the
Pentagon, Energy Department, private universities and research labs.
The probes began in 1998, and had been going undetected for nearly
two years. The investigations led to dial-up Internet connections
near Moscow, but attempts to trace the signal from there were unsuccessful.
The classified case remains open, and the signals remain untraced.
DHS splits post-attack forensics into two categories: Internet
provider traceback and attack traceback. Both forms need improving,
as current electronic traffic analysis and correlation methods "are
not robust enough to serve as next generation tracing systems," the
report said.
In Internet provider traceback, authorities must find computers
that are being used for illicit hacking. Attack traceback is needed
when one computer relays its commands through others, thus forming
an illicit network. Typical degrading denial-of-service
attacks use a master computer that controls thousands of other computers,
called "zombies," to flood systems and obscure the attacker's
trail. Current IP traceback systems can only identify the zombies.
"Attack traceback schemes need to be robust in the face of
encrypted traffic between masters and zombies," the solicitation
said. HSARPA is seeking methods that can trace 100,000 or more zombies.
Denial-of-service attacks are common and costly. In the United
States, they can be prosecuted as a federal crime under the National
Information Infrastructure Protection Act of 1996, with penalties
that include imprisonment. Many other countries have enacted similar
laws.
Since these attacks use innocent, unaware host computers, creating
tools for the entire Internet community is necessary, according
to experts.
Quality-of-service tools can help detect attacks, explains Xiaobo
Zhou, of the department of computer science at the University of
Colorado. Zhou's efforts provide a window into the methods
that can be used to distinguish friend from foe in the wilds of
the Internet.
His platform classifies subjects according to their behavior. They
are labeled normal, aggressive, suspicious or confirmed malicious.
That assessment comes from two parameters: arrival rate and failure
rate.
"A worm-infected host has a much higher connection-failure
rate when it scans the Internet with randomly selected addresses,"
he noted. "A normal host deals with valid addresses because
of the use of domain name system (DNS), assuming the DNS is not
hacked."
DNS stores information about host names, unique names by which
a computer is known on a network. The hostname is used to identify
a particular computer in email, Usenet sites, or other forms of
electronic information exchange.
"It is not necessary to create individual failure-rate and
arrival-rate records for those clients which make a few failed connections
occasionally or show temporary aggressiveness behaviors," Zhou
said. "The approach will work particularly well in Internet
services whose clients involve human interactions, such as e-commerce
and web browsing, since there is great distinction among the arrival
rate and failure rate of normal clients, aggressive clients, suspicious
clients and confirmed attackers."
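As an added illustration of the arrival-rate / failure-rate classification Zhou describes (example code written for this article, not Zhou's platform): the log format, the thresholds and the traffic are all constructed assumptions, and clients with only a few attempts get no record at all, as the quote above suggests.

```python
from collections import defaultdict

# Assumed thresholds: illustrative values, not taken from the page or from Zhou's work.
MIN_ATTEMPTS = 5        # clients with fewer attempts get no per-client record
AGGRESSIVE_RATE = 5.0   # connection attempts per second
SUSPICIOUS_FAIL = 0.5   # fraction of attempts that failed
CONFIRMED_FAIL = 0.8

def _burst(ip, start, n, n_fail, gap):
    """Constructed sample traffic: n attempts from ip, `gap` seconds apart, the first n_fail failing."""
    return [f"{start + i * gap} {ip} {'fail' if i < n_fail else 'ok'}" for i in range(n)]

# Constructed log, one '<epoch_seconds> <client_ip> <ok|fail>' line per connection attempt.
SAMPLE_LOG = "\n".join(
    _burst("10.0.0.1", 100, 6, 1, 6)        # browsing: 6 attempts over 30 s, one failure
    + _burst("10.0.0.2", 100, 3, 2, 1)      # 3 attempts, 2 failed: too few to track
    + _burst("10.0.0.3", 200, 12, 0, 0.2)   # burst of valid connections: heavy but legitimate
    + _burst("10.0.0.4", 300, 20, 18, 0.1)  # random-address scan: fast and mostly failing
    + _burst("10.0.0.5", 400, 8, 5, 5)      # slow probing: mostly failures
)

def parse_log(text):
    """Group log lines by client as (timestamp, failed) pairs."""
    attempts = defaultdict(list)
    for line in text.splitlines():
        ts, ip, outcome = line.split()
        attempts[ip].append((float(ts), outcome == "fail"))
    return attempts

def summarize(events):
    """Arrival rate (attempts per second over the observed span) and failure rate for one client."""
    events = sorted(events)
    span = max(events[-1][0] - events[0][0], 1.0)   # floor of 1 s avoids dividing by zero
    return len(events) / span, sum(failed for _, failed in events) / len(events)

def classify(events):
    """Map one client's attempts to Zhou's four labels using the two parameters."""
    if len(events) < MIN_ATTEMPTS:
        return "normal"   # a few occasional failures do not earn a client a record
    rate, fail = summarize(events)
    if fail >= CONFIRMED_FAIL and rate >= AGGRESSIVE_RATE:
        return "confirmed malicious"   # fast and mostly failing: random-address scanning
    if fail >= SUSPICIOUS_FAIL:
        return "suspicious"            # mostly failing, even if slow
    if rate >= AGGRESSIVE_RATE:
        return "aggressive"            # fast, but to valid addresses
    return "normal"

def classify_log(text):
    return {ip: classify(events) for ip, events in parse_log(text).items()}

if __name__ == "__main__":
    for ip, label in classify_log(SAMPLE_LOG).items():
        print(ip, label)
```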
DHS is not the only federal agency seeking advances in cyber security.
A slew of other organizations are dedicating money to the effort,
including the Air Force, Justice Department and intelligence agencies.
The National Science Foundation's cyber trust program alone
has dedicated $30 million for research, and NSF also supports the
effort through a number of other venues, such as its information
technology research program.
The president's fiscal year 2005 budget for the Department
of Homeland Security earmarks $18 million for cyber security research.
President Bush created the position of "cyber czar" to
focus on the threat. However, the success of the effort has been
marred by last year's resignation of the first cyber czar,
Amit Yoran, who reportedly left the position in frustration.
Under Yoran, DHS established a new cyber alert system, which sends
e-mails to subscribers about major virus outbreaks and other Internet
attacks as they occur, along with detailed instructions to help
computer users protect themselves. It also mapped the government's
universe of connected electronic devices, which is the first step
toward scanning them systematically for weaknesses that could be
exploited by hackers or foreign governments.
The classified nature of the threat and the inability to assess
blame has led to doubters. Indeed, a subculture has grown in the
tech world that states that the threat has been ginned up to exert
government control over the Internet. But since 9/11, cyber terror
has been treated as a more credible threat, and although there has
been no organized assault, the intention to cause havoc via computer
is documented.
"Your systems are being attacked," observed Lt. Gen.
Steven Boutelle, the Army's chief information officer, at a
recent industry conference.
In Islamic chat rooms, al Qaeda sympathizers swap cracking
tools used to search computers, scan for security flaws and exploit
them to gain entry. In testimony before the Senate, FBI employees
stated that terrorist groups show great interest in developing basic
hacking skills and predict that well-financed groups might hire
experts to hack U.S. systems.
In the summer of 2001, an FBI investigation found multiple intrusions
of sites in major U.S. cities. Hackers looked up information about
city utilities, government offices and emergency systems. The FBI
believes the reconnaissance probes came from the Middle East and
South Asia.
The seizure of computers in Pakistan revealed signs that terrorists
are interested in using computer network disruptions to supplement
conventional strikes, or as low-risk alternatives to physical attacks.
Threats to cyber space include foreign powers. Since so much of
the military's might relies on civilian-run infrastructure,
asymmetric warfare is a concern.
Anthony Tether, director of the Defense Advanced Research Projects
Agency, said that, in today's battlefield, networks are becoming
as important as weapons. "If anyone can take our network down,
our effectiveness is down to zero," he told industry executives.
In a 2004 report to Congress on the military power of China, Pentagon
experts said that, before an attack on Taiwan, Chinese information
operations personnel or espionage agents would gain access to communication
nodes for intelligence exploitation and disrupt critical infrastructure.
High on the list, the report said, were the U.S. and Taiwanese power
grids and vulnerable civilian telecommunications.
"Exploiting other portions of the information operations spectrum
through electronic warfare and denial and deception also could disrupt
Taiwan's defenses, and attacks against unclassified Defense
Department computer networks related to logistics could delay U.S.
efforts to intervene," the report stated.
Such unconventional methods are part of the defense policy of China,
with a proposed battalion-sized "Net Force" of computer
experts who are trained for disruption and information gathering.
The U.S. military has groups dedicated to protecting its cyber
space. Network Enterprise Technology Command (Netcom) oversees the
operation and protection of Army networks. When a vulnerability
is exposed, either through diligence or by a hacker attack, a team
from the Army's computer emergency response team at Fort Belvoir,
Va., is called into action.
But since the attacks would be aimed at infrastructure, the private
sector would be on the front lines. DHS "bears the responsibility
of helping to secure a substantial portion of our nation's
critical infrastructure but does not own or control it," the
report said.
Nudging chief operating officers to improve cyber security and
increase the cost of doing business is a hard sell because it entails
asking them to point out current weaknesses. Those weaknesses could
be used in civil litigation, appear in Securities and Exchange Commission
documents, raise insurance rates, lower investment ratings and even
result in fines for non-compliance, said Gembicki.
The solution could be public-private partnerships that give companies
some cover. The model for this, Gembicki said, is the Chesapeake
Innovation Center, in Annapolis, Md., which provides business start-ups
services and facilities, including cyber security solutions. Companies
can come to the center and match their needs with a supplier, without
reporting directly to the government.
In the end, security has to take a back seat to private sector
profitability. DHS' position is that a solution that hurts
business is no solution at all.
"When you look at cyber security, corporate security takes
precedence over national security," Gembicki said. "I
know it's a jagged pill that is hard to swallow, but it's
true."