Cyber: Why we are losing the cyber wars | ADM May 2012


These are troubled times, judging by recent reports of how ill-prepared our allies are to engage in cyber wars.

The US is sustaining substantial cyber attacks from other nation states, according to US experts. Former cyber security and cyber terrorism advisor to the White House, Richard Clarke, warns we are “defenceless”.

When it comes to cyber security, Clarke suspects every major company in the US has already been penetrated by China. He believes that Chinese companies used information from Boeing and Microsoft – and that the nation is at risk from an economic war of attrition.

Clarke discounts a cyber-Pearl Harbour event. Rather, a death by “a thousand cuts” is looming. He fears the US has already lost its competitiveness by having all of its research and development stolen by the Chinese.

A spokesman for the US-based Nuclear Security Enterprise reports it experiences up to 10 million “security significant cyber events” each day. Of the security significant events, less than “one hundredth of a percent” can be categorised as successful attacks against the Nuclear Security Enterprise computing infrastructure. In practice this suggests the maximum number is about 1,000 daily, as if that’s a comfort.

China is widely suspected of causing or supporting many hacking attacks on government and commercial websites abroad. But Chinese officials have repeatedly dismissed reports that the government or military could be behind such attacks.

Irrespective of their origin, these attacks are so effective and profound because they highlight the reality that there is no clear defence perimeter at which Defence can make its stand.

The very diversity that ensures a thriving and competitive economy is emerging as our core vulnerability to sustained and well-resourced cyber attacks. Unlike the public sector where security and graduated access can be enforced, our privately-owned infrastructure is only as strong as its weakest link.

When companies do well and make profits, they invest in security. But when revenues falter, security arrangements are not free from strategic cut-backs.

Two kinds of cyber attacks

Yet investment in improved security is fundamental now. There are two kinds of cyber attacks that wreak chaos.

Despite its name, a distributed denial of service attack (DDOS) is rarely harmful or permanent. It is more a nuisance in that it can slow access to a service such as a bank site for a while. However, the damage can be exacerbated by the negative press coverage which follows.

But they are seldom fatal. They can be managed with back-up hosts as well as a range of diagnostic tools to filter against the source, once the attack sets off various alerts.

The more insidious and dangerous attack comes from a stealth cyber attack that breaches a firewall through a variety of technical and social engineering techniques. Where it is effectively espionage, it may not be discovered until its perpetrators are long gone.

Security experts counsel it is best to assume a perimeter has been breached and that a forward security strategy should dedicate resources to discovering what has been or is likely to be compromised.

“Firewalls are very easy to penetrate because the current firewall technology is based on a certain policy on access,” ADFA professor Dr Jiankun Hu told the Australian Computer Society’s national conference in March.

Hu said network security inherits a fundamental flaw of conventional cryptography, in that conventional knowledge- or token-based methods could not be completely trusted to lock unauthorised users out.

“PIN and password indicates what you know and what you possess,” he said. “They do not tell you who you are and what you are. Who is presenting the tokens? That’s the fundamental problem.”

Hu suggests that biometric features such as fingerprint, face and iris patterns could improve identity detection and, especially when used in conjunction with smartcards requiring cryptographic challenges, were the way ahead.

Yet introducing even a standard fingerprint process would be costly. While large federal government departments could roll these out, most private companies would need a compelling business case for investing in them.

Even when a data breach is discovered, Australia has few requirements for companies to disclose publicly when such incidents are confirmed. Disclosure can affect share prices and reflect on a company’s management, making it tougher for it to operate. Instead we have a semi-voluntary approach where companies may disclose the incident to various authorities such as the Office of Australian Information Commission for later inquiry.

Several inquiries including the Australian Law Reform Commission’s 2008 report on Privacy reforms pressed for a mandatory procedure. But such regulations remain subject to consideration by a Federal Government that has a lot more on its plate.

The Perth-based director of the Security Research Centre at Edith Cowan University (secau), Craig Valli, urges mandatory reporting of breaches as critical.

“If someone comes and robs your business with a shotgun, you are normally obliged to report it, if only for insurance reasons. However if someone comes in your backdoor and steals stuff from your credit card, companies are saying we don’t have to report that … That’s ludicrous,” Valli says.

Add to this the boom in tools and vectors for attack and we can understand why many experts such as Valli believe it will get worse rather than better.

Organised but how well resourced?

To be fair, these downbeat judgements are well-known in national security circles in Government. The real issue is a lack of resources to deal with the problem. To date, Australia is notable for establishing an array of cyber security groups such as the Cyber Security Operations Centre (CSOC), which works closely with the Australian Defence Force, Defence Intelligence Organisation, Defence Science and Technology Organisation, Australian Security Intelligence Organisation, Attorney-General’s Department and the Australian Federal Police.

The Australian Government’s weapons of choice are regulation and ad hoc vetting of critical initiatives such as the National Broadcasting Network (NBN).

On advice thought to have come from ASIO, the Government determined that the Chinese telecommunications company Huawei should be banned from even bidding for contracts involved in the NBN.

Likewise, according to Commsday, the Australian government is proposing a strict risk assessment and reporting regime over telco use of foreign suppliers and personnel. The proposed regime would not only cover infrastructure; it would also cover the handling of network customer and usage data by foreign outsourcing providers, potentially leading to an obligation to onshore such data.

First floated in February in a confidential paper issued by the Attorney-General’s Department titled “Proposed regulatory scheme to enhance the security, integrity and resilience of Australia’s telecommunications infrastructure”, the proposal would make all carriers and carriage service providers subject to a legislated obligation to protect their networks and data from national security violations. Carriers with network infrastructure would be required to notify the government, in “writing, of proposed significant changes to their infrastructure, procurement or other business arrangements, including offshore and outsourced services.”

It could also impact use of network suppliers from sensitive countries such as China and Israel. Operators sourcing equipment from vendors in such locations would likely be required to subject their builds to national security “risk assessment” and clearance tests.

Australian telecom operators are said to have two concerns: the cost of compliance with such schemes, and why such proposed regimes seem to apply only to traditional telco operators. Why omit major players in the Australian information industry such as Google, Skype and Facebook from its remit?

The government frames its proposal as leading to a “partnership with industry”. This initiative will falter in the absence of more aggressive investment by the Government to harden industry’s infrastructure.

All it may do is reduce bona fide competition among suppliers as well as put trading partners offside.

Not all cyber attacks are national security matters


A related issue is whether some criminal cyber attacks may be a form of civil protest against certain policies rather than a core national security issue. DDOS attacks are best understood as political protests, somewhat like the cyber equivalent of sit-ins or Occupy Melbourne.

Groups such as Anonymous, LulzSec and Wikileaks attracted a degree of sympathy within Western liberal democracies.

For example, Anonymous has come to signify the Internet’s irreverent democratic culture when, in the middle of a Polish parliamentary session in February 2012, well-dressed legislators donned Guy Fawkes masks – Anonymous’ symbol – to protest their government’s plan to sign the Anti-Counterfeiting Trade Agreement (ACTA). The agreement had the support of well-organised and well-funded companies, particularly in Hollywood and the recording industry. ACTA’s focus on copyright compliance was outside accepted multilateral forms and the tainted ACTA was exposed by Wikileaks back in 2008.

And so a last-minute protest campaign across Europe, using the symbolism of Anonymous, set out to stop the agreement from coming into force, introducing a new fog of public legitimacy into the cyber wars.

In short, there is confusion in the public arena about which threats, or perhaps which motives underlying them, we need to be alert to. Targeting all possible cyber attacks against private corporate sites such as MPAA or Sony incurs a risk of public backlash as well.

The consultative and participative approach being adopted in the Government’s forthcoming cyber white paper could prompt a much needed national dialogue about where the priorities and countermeasures should be.

Valli believes the Government needs to introduce at least $100 million over five years for a range of such initiatives, including investing to address skills shortages in this area. However, the demand for cyber security specialists is far greater than the supply, according to Valli.

“We have in excess of 400 students enrolled in degree programs related to cyber security. We have a completion cohort of about 150 students a year at post graduate or lower level,” Valli said. “Yet the attacks are getting more dynamic, more frequent, more sophisticated and his institution will produce only a fraction of the numbers required.

“This is exacerbated by the finding that well-resourced cyber attacks can be dynamically changing and defy stable analysis beyond a year or more.

“Unless the Government can bring more than threats to intervene and regulate, it will happen too slowly to make any difference.”
