DefeNDiNG CyberSpACethomas-stanton.com/wp-content/uploads/2012/09/... · foreword On May 8 and 7, 2008, cybersecurity experts, staff from Capitol Hill, academics, and a variety of

Center for the Study of American GovernmentThe Johns Hopkins University 1

Center for the Study of American GovernmentThe Johns Hopkins UniversityWashington, D.C. Center1717 Massachusetts Avenue, NW

DefeNDiNG CyberSpACe: Protecting Individuals, Government Agencies and Private Companies Against Persistent and Evolving ThreatsBY Thomas H. Stanton

Defending Cyberspace: Protecting Individuals, Government Agencies and Private Companies Against Persistent and Evolving Threats by Thomas H. Stanton2

forewordOn May 8 and 7, 2008, cybersecurity experts, staff from Capitol Hill, academics, and a variety of stakeholders met

in Washington, DC, to share information about the growing threat of cyberattacks and cyberespionage in the United

States and worldwide. The conference on Defending Cyberspace 2008 was produced by the Park City Center for Public

Policy and Imadgen, LLC. The Park City Center for Public Policy (www.parkcitycenter.org) is a bi-partisan, non-profit

organization founded on the principle that the most effective policy solutions are created through a collaborative process

and tested in the real-world. Imadgen, LLC (www.imadgen.com) is a strategic management consulting firm with

specialized practices in cyber security and identity management. Defending Cyberspace was co-hosted by the Johns

Hopkins University, the National Association of Manufacturers, and the Information Technology Association of America.

Speakers included several former state Governors, CEOs, and current and past federal officials serving at the policy level.

The Johns Hopkins Washington, D.C. Center offers a range of advanced academic programs leading to M.A. and M.B.A.

degrees. The Johns Hopkins M.A. in Government Program offers concentrations in security studies, legal studies,

and political communication. The courses are designed to give students comprehensive knowledge of governmental

institutions, their political development, and how they interact in the policy-making process. With this knowledge,

students are better equipped to examine governmental and social institutions, assess prospects for reform, effect change,

and become tomorrow’s leaders.

Students may also pursue a Certificate in National Security Studies, which offers a unique approach to the study of

the vital national security field by bringing together experts from science, engineering, international relations, political

science, and public policy. The certificate is tailored to the needs of professionals who seek to broaden their knowledge of

this field without committing to the full degree program.


Defending Cyberspace: protecting individuals, Government Agencies and private Companies Against persistent and evolving Threats

I. The evolvIng ThreaTIt’s a conspiracy of apathy. For the criminals, this is great news. They stand blinking into the dawn of a golden age of criminal enterprise. Like Barbary Pirates in the 18th century, and like Colombian drug cartels in the 1970s, malicious hackers will run amok, unfettered, unafraid and perhaps even protected. Only they won’t use muskets or mules. They’ll use malicious code to run syndicates that will be both less violent and more scalable than in the past. Scott Berinato, “Who’s Stealing Your Passwords? Global Hackers Create a New Online Crime Economy,” www.cio.com, September 17, 2007

Business Week journalist Keith Epstein started to do a story on what he expected would be the “cyber-industry complex,” contractors and policymakers who boosted each other’s fortunes by hyping the threat. As he explored further Epstein realized that the opposite was true: business executives and federal policymakers are seriously underestimating the threat of cyber intrusions.1

This is a report on the growing threat of cyberattacks to individuals, government agencies, and private companies. It draws on insights gained at a Washington, DC conference on Defending Cyberspace 2008, co-hosted by the Johns Hopkins University, the National Association of Manufacturers, the Information Technology Association of America, Imadgen LLC, and the Park City Center for Public Policy. The agenda for that conference is reproduced in Appendix A. This report focuses on cyberdefenses rather than on the equally important tasks of prosecuting cybercrime or conducting operations otherwise to bring down cybercriminals.2

The report looks first at the nature of the threat and then at reasons why it has been so difficult to mount an effective defense. A major reason has been a lack of awareness by many leaders in both the public and private sectors. Dr. John Hamre of the Center for Strategic and International Studies told the conference, “If I could walk in to a CEO and say this is your pricing data that we found in a machine in X country, you have a problem,

1 Brian Epstein, remarks, Defending Cyberspace 2008 Conference, Washington, DC, May 6, 2008. Mr. Epstein’s reports on cybersecurity include a cover story, Brian Grow, Keith Epstein, and Chi-Chu Tschang, “The New E-Spionage Threat: a Business Week Investigation,” Business Week, April 21, 2008, pp. 30-41.

2 The issue of cybercrime prosecution is addressed e.g., in U.S. Government Accountability Office, Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats, GAO=07-705, June 2007.


they will do something. But we have not done that. …We have just not engaged in the dialogue with business in the right way.”

In contrast to other forms of theft or attack, it often can be difficult for a victim to realize that a cyberintrusion is occurring. The most effective cyberattack may surreptitiously obtain information or commit other harm without the victim knowing until much later. Indeed there is evidence that some of the recent drop off in reported incidents reflects the increased cunning of the attackers rather than a reduction in the number of intrusions.3 Among the most important losses that a cyberattack can cause are loss of intellectual property such as plans, proprietary processes and trade secrets, financial manipulation, and overt harm such as an effort to shut down cyberdependent systems. Only the last can be clearly related to a cyberattack, and even then the vulnerabilities might have been caused well before the overt attack occurs.

The report then looks at the elements of effective defense against cyberattack. Cybercriminals and nation states constantly improve the sophistication, scale and nature of their intrusions. Perhaps most importantly, an effective defense cannot afford to be static in the face of evolving threats: protection needs to come in layers that are constantly reviewed and upgraded. Defenders must share information and resources to protect one another and the networks that join them. Another critical issue involves the cost of good cyberprotection. In the vernacular, to become cost-effective, cybersecurity must be “baked in” rather than “bolted on” to each relevant process or activity. Protective measures such as user authentication must become part of the organizational culture.

After looking at the elements of effective defense, the report suggests next steps for individuals and leaders in business and government. One of the critical issues facing policymakers and business leaders is how to make cyberdefenses attractive without imposing restrictions that stifle creativity and make organizational processes more rigid without providing offsetting benefits. Top managers and policymakers cannot usefully make such tradeoffs without being informed enough to understand their implications. Becoming fully aware of the threat is the first and most important step.

The question then becomes how best to distribute responsibility for cyberdefenses between individuals and organizations on the one hand and government on the other. Our political system fosters fragmented responses rather than centralized coordinated action. This has both strength and weakness with respect to cybersecurity. The strength is that many different organizations and approaches have emerged to perform important functions in cybersecurity, such as sharing information about threats and promising practices and, in some industries, active collaboration to assure minimum standards of protection. The weakness results from the dynamics of cybersecurity: often the security of responsible individuals and firms depends critically on addressing vulnerabilities in systems of weaker entities. Uncoordinated action can leave these weaker entities vulnerable, and thereby potentially add to the vulnerability of others.

While government can help, whether by creating positive incentives, by using its purchasing power, or by imposing requirements, the primary responsibility for cyberdefense continues to rest with individuals and organizations, which ignore vulnerabilities at their peril. The report concludes by suggesting areas of further study to attempt to determine the tools of government that are most suitable for promoting a common defense and the areas where particular tools are best applied.4 Once we have created a sound plan, we must commit resources, individually and collectively, to make effective cyberdefenses a reality.

3 Aaron Turner, “The Business of Cybervulnerabilities,” http://www.dtic.mil/ndia/2008dib_cip/Turner.pdf, accessed August 12, 2008.

4 See, Lester M. Salamon, Editor, Tools of Government: A Guide to the New Governance, Oxford University Press, 2002.


II. naTure of The ThreaT[This] represents the shift taking place in Internet crime, from software-based attacks to a service-based economy. Electronic crime has evolved, from an episodic problem, like bank robberies carried out by small gangs, to a chronic one, like drug trafficking run by syndicates. Scott Berinato, “Who’s Stealing Your Passwords? Global Hackers Create a New Online Crime Economy,” www.cio.com, September 17, 2007

China’s strategy…if I could be so bold, they sort of have a privateer’s mentality. They seem to have a very large number of highly trained people with sophisticated tools, who seem to work in small freelance groups. Alan Paller, “Cyberthreats,” The Diane Rehm Show, June 25, 2008

Whenever there is political tension, there is a cyber aftermath. Cybersecurity Expert Gadi Evron, quoted in “Digital Fears Emerge After Data Siege in Estonia” New York Times, May 29, 2007

In military terms, cyberspace is a domain, comparable to the maritime domain. Threats in cyberspace, as on the ocean, can come from pirates intent on private gain or from nation states or subnational groups intent on political or economic gain. Just as countries rushed to build a large naval capability, the United States and other countries are doing so in cyberspace.5 Consider first the types of cyberattack and then the potential sources.

Types of Cyberattack

Cyberspace lends itself to a wide variety of kinds of attack. At the moment, there are several basic methods and many variations of each. New forms of attack emerge with great frequency. One form of cyberattack is direct, such as intruding into a computer or computer network to steal information or manipulate data or disable or deface a website or to pose enough of a threat that the target may be willing to pay protection money. The ability to manipulate data is a new and worrying development. One can imagine the consequences of altering a bank system to make improper payments. The military and others could worry if an intruder altered GPS (global positioning coordinates) of a guidance system. Another direct attack comes from websites that contain malicious software (so-called “malware”) which an unsuspecting person downloads from a site. Aaron Turner of Idaho National Laboratories estimates that perhaps 30 percent of search results create exposure to sites with the potential to download malware.

A second form of attack proceeds indirectly through multiple other computers that are taken over with intrusive code known as a “bot” (short for robot) and coordinated by a so-called “bot herder” in a “botnet.” The bot herder can direct the computers in a botnet to send e-mail messages simultaneously to target computers, websites and servers. The bot herder can use the botnet to send huge volumes of spam, potentially to hundreds of thousands of consumers. Another more destructive use is to send so many e-mail messages that they overwhelm the capacity of a website or server and potentially take it out of service. This kind of attack is called a “distributed denial of service” attack.6

A third form of attack, known as “phishing,” relies on the user of a computer to respond to a deceptive website or e-mail message and voluntarily submit confidential financial or business information. A consumer may be directed to a website that purports to be the consumer’s bank, for example. Nine out of ten phishing sites

5 Clay Wilson, “Information Operations, Electronic Warfare, and Cyberwar: Capabilities and Related Policy Issues,” Congressional Research Service, March 20, 2007; “US reveals plans to hit back at cyber threats: The US Air Force Cyber Command is just as interested in attack as defence, according to a senior general,” ZDNet.co.uk, April 2, 2008, http://news.zdnet.co.uk/security/0,1000000189,39378374,00.htm, accessed August 13, 2008. But see, Pamela Hess, “Pentagon puts hold on USAF cyber effort,” Associated Press, August 13, 2008.

6 See, e.g., Roger A. Grimes, “Bots and DDoS attacks: a primer; Knowing the inner workings of botnets and their attack styles can help you formulate a defense -- or outlast an attack,” InfoWorld, February 23, 2007, http://www.infoworld.com/article/07/02/23/09OPsecadvise_1.html, accessed November 7, 2007.


may be directed at the financial services sector.7 Or, an e-mail message can be tailored to the expectations of an unsuspecting recipient. This kind of targeted attack is called “spear-phishing.” For example, an executive of defense contractor Booz Allen Hamilton received an e-mail message purporting to come from a colleague at the Pentagon with an attachment listing weapons that India sought to purchase. In fact the message was a fake that would have downloaded malware onto the executive’s computer if he had opened the attachment: “Had the Booz Allen executive clicked on the attachment, his every keystroke would have been reported back to a mysterious master at the Internet address cybersyndrome.3322.org, which is registered through an obscure company headquartered on the banks of China’s Yangtze River.”8

Finally, a fourth form of attack is emerging, based on building vulnerabilities into hardware systems. Experts increasingly believe that manufacturers of computers and other IT-based systems can build vulnerabilities into the hardware and associated systems that allow cyberattacks to elude defensive software that the user might add afterwards.

While concrete examples are not public, Richard Clarke, a former national security advisor to President Clinton, in his book, Your Government Failed You, provides a foretaste of this form of attack. His example concerns malware built into digital picture frames sold at electronics stores across the country, including, he says, Best Buy:

“ When you connected the digital picture frame to your computer to download your photos, the picture frame uploaded a program onto your computer that disabled antivirus programs, found all of your passwords, and sent them to China. The picture frame was, of course, made in China.”9

While supply chain controls can protect against many vulnerabilities built into systems, this form of attack may well become more prevalent in the future. In contrast to physical attacks, the perpetrator of a cyberattack may not be known for certain. This is the problem of attribution, knowing where an attack came from:

“ So there are really two aspects of attribution. There’s a technical attribution problem which is what’s the last box of origin or where is the box physically located? The box might be located on an educational network or a commercialized PC in some other country, but then there is the problem of actor attribution, whose fingers are on the keyboard. And that gets into who’s causing that box to be a problem for you, and they may be sitting somewhere else.”10

That can make it difficult to determine whether the source of an attack is a criminal organization, a government, or some other type of bad actor.

A report published by the SANS Institute, a leading source for information security training, certification and research, provides a useful summary of the types of devices that intruders use to obtain information, control computers or cause disruption.11 This is presented in Figure 1, on the following page. Such summaries are likely to need updating from time to time as attacks vary their form and become more sophisticated.

7 Catherine A. Allen, “Detecting and Containing Attacks: A Compliance View,” The Santa Fe Group, presentation to the Defending Cyberspace Conference, May 7, 2008.

8 Brian Grow, Keith Epstein, and Chi-Chu Tschang, “The New E-Spionage Threat: a Business Week Investigation,” Business Week, April 21, 2008, p. 33.

9 Richard A. Clarke, Your Government Failed You: Breaking the Cycle of National Security Disasters, HarperCollins, 2008, p. 315.

10 China’s Proliferation Practices, and The Development of Its Cyber and Space Warfare Capabilities, Hearing before the U.S.-China Economic and Security Review Commission, May 20, 2008, p. 75. Testimony of …

11 Aman Hardikar, “Malware 101 – Viruses,” April 12, 2008, Table 2, p. 9, available at http://www.sans.org/reading_room/whitepapers/inci-dent/, accessed August 17, 2008.


Potential Sources of Attack: Cybercriminals

Early privateers often worked on a business model common to the sixteenth and seventeenth centuries: they obtained royal charters and agreement from the crown that they could keep a percentage of spoils that they captured on the high seas.12 Today’s pirates also use up-to-date business models. As one bank security professional officer describes cybercrime organizations, “[T]hey’re better run and managed than many organizations. They’re properly funded, they have a clear goal, they’re performance driven, focused on a single mission. It’s like an MBA case study of success.”13

Cybercriminals frequently operate in networks. They screen members of the network and enforce codes of conduct. Entry-level hackers are recruited to join the network. The complexity of information technology makes it useful for attackers to work in teams of individuals, each of whom specializes in penetrating certain kinds of systems.

Members may go to secure chat rooms and buy and sell access to services, including, for example, access to computers that a bot herder has enlisted as bots. Subscribers may be offered 30 days of access to bot-infected computers that the subscriber can mine for financial data. Depending what kind of information the unsuspecting computer owner might enter within the 30 day period, the subscriber might gain not only financial information (credit card numbers, etc.) but also details about the identity of the computer owner. The subscriber then could sell the information on the black market or use it himself.

fIgure 1Types of Malware

Type properTy exaMples

Virus Copies itself to other files; Needs a host file to propagate and execute.

CIH, Virut, Redlof, Autorun.abt, Peacomm, NewHeur_PE

Worm Exploits the vulnerabilities that are present and can spread over the network.

Code red, Netsky, Stration, Sasser, Bagle, Skipi, no_virus

Logic Bomb Triggers a specific code on meeting conditions as per the logic written by its author.

Michelangelo

Backdoor Listens on certain ports so that the attacker can gain access through them later.

Xhaker, sub7, Beast, Ginwui, Rexob, Hupigon

Trojan Deceptive program that spoofs a harmless or useful program; but, actually stores other malware.

Limbo/NetHell, Pidief, ZeuS/PRG , Banker.bdn, PGPCoder, Torpig, Gozi

Spyware Software used to spy on victim’s activities and also used to steal sensitive information.

WhenUSave, PuritySCAN Virtumonde, SecurityToolbar

12 Thus, the United States Constitution, Article I, Section 8, authorizes the Congress, “To declare war, grant letters of marque and reprisal, and make rules concerning captures on land and water.”

13 Quoted in Scott Berinato, “Hacker Economics 2: The Conspiracy of Apathy,” www.cio.com, October 8, 2007.


Type properTy exaMples

Rootkit Set of programs that alter the OS functionality to hide themselves.

LRK, AFX, SInAR, Rustock, Mebroot

Bot / Botnet Program that does the work on behalf of its master. A master may control millions of such bots and can use them for malicious purposes.

Agobot, Slackbot, Mytob, Rbot, SdBot, poebot, IRCBot, VanBot, MPack, Storm

The new system of selling services rather than products such as stolen information has advantages to both parties. The vendor essentially acts as a middle man. He need not handle stolen information. It is the subscriber that decides what use to make of it. In a country with lax cybercrime laws such as Russia, the vendor may be left alone because he has not actually caused anyone any harm.

The subscriber also gains from the transaction. He purchases access to the identity of the computer owner, and not merely a stolen credit card number.

“For example, a credit card number alone might be worth $5, but add the three- or four-digit security code associated with that card and the value triples. Add billing address, phone number, cardholder names and so forth which allow a buyer to create new lines of credit and the value can reach into the hundreds of dollars.

“Grab the primary and secondary authentication forms used for financial services login in addition to all that, and you’ve hit the jackpot: a real person’s full financial identity. Everything that person had entered into forms online would create an avatar that could be used in the real world to buy goods, apply for credit and passports, buy cell phones, open new bank accounts and manipulate old ones. A dossier like that would be one of the most valuable commodities available on the information black market.”14

Access to newly infected computer would be rented at much higher prices, perhaps $ 1,000 each, than access to computers that had already been rented out to other subscribers. The subscriber purchases access to multiple machines as a way of balancing risk: some owners of infected computers might enter more valuable financial information into their computers than others.

Other subscribers may want to rent access to large numbers of infected computers for other criminal purposes. Thus, a subscriber might request access to perhaps 20,000 computers for one hour on a Saturday afternoon. The subscriber then mobilizes the computers, linked in a botnet, to direct a huge volume of e-mail messages to a target such as, say, an offshore gambling site. This is a classic distributed denial of service attack. The volume of e-mail

14 Scott Berinato, “Who’s Stealing Your Passwords? Global Hackers Create a New Online Crime Economy,” www.cio.com, September 17, 2007, http://www.cio.com/article/135500/Who_s_Stealing_Your_Passwords_Global_Hackers_Create_a_New_Online_Crime_Economy?contentId=135500&slug=&page=2&, accessed 08-07-2008.


traffic is large enough to bring down the servers of the target. The subscriber then contacts the target company and makes a simple proposition: he is willing to offer protection in return for a payment of, say, a million dollars.15

The beauty of the new business model is its flexibility. Buyers and sellers come together in an active market. Buyers may purchase software, support services, or access to specific targeted computers, besides being able to subscribe to botnets. Vendors also offer so-called “executive phishing services,” which provide information about key executives and the types of queries that would be most likely to appeal to the target and allow the download of malware to infiltrate systems and obtain confidential information.

Each customer has its own criminal purposes that can be satisfied through selective purchases or rentals, as the case may be. The sellers offer both core products and services, and also ancillary support services, tailored to their customers’ needs. Vendors also may adopt a form of risk-based pricing: if a customer uses products or services in a way that attracts unwelcome attention and requires countermeasures, the price is higher than for a customer who regularly is discrete.

Relying on cyberspace to communicate allows cybercriminals to adopt flexible organizations that often are international in scope. Consider the Russian Business Network, a syndicate of cybercriminals:

“ In one sense, RBN (Russian Business Network) does not exist. It has no legal identity; it is not registered as a company; its senior figures are anonymous, known only by their nicknames. Its web sites are registered at anonymous addresses with dummy e-mails. It does not advertise for customers. Those who want to use its services contact it via internet messaging services and pay with anonymous electronic cash.”16

The Russian Business Network has been extremely profitable. One major phishing scam tricked gullible internet users into entering personal financial information such as bank account details and garnered $150 million in 2006. When public exposure became too great, the Russian Business Network simply closed its St. Petersburg cyberaddresses and shifted their location, possibly to somewhere in China.17

Cybercriminals seem to have adopted the latest organizational models, using cyberspace to help flatten their organizational hierarchies:

“ Cybercrime requires less personal contact, less need for formal organization, and no need for control over a geographical territory. Therefore, some researchers argue that the classical hierarchical structures of organized crime groups may be unsuitable for organized crime on the Internet. Consequently, online criminal activity may emphasize lateral relationships and networks instead of hierarchies.”18

The creation of markets offering the sale or rental of tools to accomplish acts of cybercrime helps extend the reach of criminals that earlier might have worked alone or who might have used other methods.19 The prevalence of intellectual property crimes involving theft of confidential information is unknown, but some

15 Stephen Spoonamore, a cybersecurity consultant, provided this example on the Diane Rehm Show, “Cyber Threats,” June 25, 2008.

16 “A walk on the dark side: These badhats may have bought your bank account,” The Economist, August 30, 2007, http://economist.com/dis-playstory.cfm?story_id=9723768, accessed 11/08/2007; Gregg Keizer, “Russian Hackers Behind Attack PDFs: The Russian Business Network, a no-torious hacker gang, is responsible for ongoing spam attacks using malicious PDF files,” Computerworld, October 25, 2007, http://www.pcworld.com/article/id,138892/article.html, accessed 11/07/2007.

17 Gregg Keizer, “Russian Hackers Go Dark to Relocate, Computer World,” Computerworld, November 08, 2007, http://www.pcworld.com/article/id,139465-page,1-c,privacysecurity/article.html, accessed 08-13-2008.

18 Clay Wilson, “Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress,” Congressional Research Service, January 29, 2008, p. 30.

19 See, e.g., Julian E. Barnes, “P.& G. Said to Agree to Pay Unilever $10 Million in Spying Case,” New York Times, September 7, 2001, http://query.nytimes.com/gst/fullpage.html?res=9A0CE1DB1039F934A3575AC0A9679C8B63&sec=&spon=&pagewanted=print, accessed 08-14-2008


believe it to be a serious issue. When undertaken as a cybercrime and done carefully, theft of intellectual property can leave no traces.20

Potential Sources of Attack: Nation States and Their Surrogates

It can be difficult to distinguish an attack by a nation-state from an attack by its surrogates. Easy availability of support from cybercriminals further complicates efforts to ascertain the real source of an attack. Conversely, it appears that nation states can develop systems for cyberattacks, use them, and then offer them in the criminal market to help recoup the costs. While the following examples concern Russia and China, it must be understood that cyberintrusions are a global phenomenon. “U.S. counterintelligence officials reportedly have stated that about 140 different foreign intelligence organizations regularly attempt to hack into the computer systems of U.S. government agencies and U.S. companies.”21

In August 2008 Russia and Georgia, once a Soviet republic, went to war over South Ossetia, an ethnic enclave within Georgia’s borders. Apparently for the first time, the war was preceded by cyberattacks, in this case against Georgia. Servers were taken down that largely prevented the Georgian government from communicating by the Internet either with its citizens or internationally. The attacks disabled Georgia’s foreign ministry website except for a collage that compared the Georgian president with Adolf Hitler. The source of the attacks was not clear. The Russian government denied it was responsible, and suggested that people unhappy with Georgia’s attack on South Ossetia might have initiated the cyberattacks. Some experts saw the attacks as reflecting the methods and coming from computers controlled by the Russian Business Network.

Because Georgia is not overly dependent on the Internet for commercial and other operations, it suffered little harm except to government websites. However, experts were quick to point out how cyberattacks offer an inexpensive and effective complement to other forms of warfare.22 One lesson was how hard it can be to identify the source of a cyberattack. Not only was one of the attacking computers located in the United States, an ally of Georgia, but also surrogates outside of the Russian government itself were able to help if not conduct the entire attack by themselves.

This was not the first time that serious international attacks occurred that could not be attributed conclusively to Russia rather than to Russia’s surrogates. An attack on Estonia in spring 2007 was much more devastating than the 2008 cyberattack on Georgia. Unlike Georgia, Estonia was heavily dependent on the Internet for commerce, and for dealings with the government such as voting and paying taxes. The Estonia incident occurred after the country’s government decided to move a statue commemorating the Soviet defeat of Nazi Germany from a central location to a suburb. There were massive distributed denial of service attacks, on government sites and bank, newspaper, and other commercial sites, which came close to shutting down the country’s Internet infrastructure.

It appears that criminal organizations helped carry out the attack. Experts speculate that up to a million computers were enlisted for the attacks and that the attackers rented time on botnets to supplement their strength. Indeed, as the New York Times reports, “the attackers’ time on the rented servers expired, and the

20 “Corporate espionage: Not if, but when,” ZDNet.co.uk, March 11, 2008, http://resources.zdnet.co.uk/articles/fea-tures/0,1000002000,39365959,00.htm, accessed 08-13-2008

21 Clay Wilson, “Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress,” Congressional Research Service, January 29, 2008, p. 12.

22 John Markoff, “Before the Gunfire, Cyberattacks,” New York Times, August 13, 2008, http://www.nytimes.com/2008/08/13/technology/13cyber.html?_r=2&sq=russia%20georgia%20ossetia&st=cse&oref=slogin&scp=17&pagewanted=print&oref=slogin, accessed 08-13-2008; Kim Hart, “Long Time Battle Lines Are Recast in Russia and Georgia’s Cyberwar,” Washington Post, August 14, 2008, p. D-1.


botnet attacks fell off abruptly.” The Internet also allowed the attackers to enlist other supporters. Even before the attacks began Russian-language forums and chat groups offered “detailed instructions on how to send disruptive messages, and which Estonian Web sites to use as targets.”23

Other attacks, such as the Booz Allen Hamilton spear-phishing incident above, can be traced back to computers located in China. Again, it is difficult to determine the extent that such attacks are backed by the government and the extent that they represent the work of surrogates or specific groups within the government such as the People’s Liberation Army.

General James E. Cartwright, then the commander of the United States Strategic Command, told the U.S.-China Economic and Security Review Commission in 2007 that China actively probes computer networks of federal agencies and private companies. These intrusions help the Chinese with, “identifying weak points in the networks, understanding how leaders in the United States think, discovering the communication patterns of American government agencies and private companies, and attaining valuable information stored throughout the networks.”

General Cartwright observed that this reconnaissance is comparable to strategic intelligence in pre-electronic days, except that “in today’s information environment, the exfiltration that once took years can be accomplished in a matter of minutes in one download session.”24

A massive case of cyberespionage occurred in Germany in 2007. German intelligence officials found that computers in the Chancellor’s Office, and the Foreign, Economics, and Research ministries had been compromised. Mounting what the officials called “the biggest digital defense ever mounted by the German state,” German officials prevented some 160 gigabytes of data from leaving the compromised computers; the German government has no idea how much information had already been taken before the intrusions were detected in May 2007. While the German government did not describe the content of the stolen information, it appears that the secrets related to leading-edge economic information. Germany is the world’s leading exporter (ahead of China), especially in high-technology manufactured products. The stolen information was tracked to three sites in China. “The scale and the nature of the data being stolen suggest, the investigators say, that the operation must have been steered by the State and, in particular, the People’s Liberation Army.”25

A German reporter for the weekly newsmagazine Der Spiegel first broke the story of the Chinese cyberattacks to obtain German economic information.26 The same reporter also covered the 2008 China earthquakes and pointed out shortcomings in government building codes that allowed many schools to collapse with tragic result. At that point the China state security service posted a photo of the Spiegel reporter and his home address on the Internet stating that he was hostile to China. It took the intervention of the German Ambassador to get the posting removed. This cyberattack is an example of how a nation state can post information on the Internet to create a climate for private citizens, or others masquerading as private citizens, to conduct a physical attack on a specified target.

Cyberspace lends itself to such collaboration between government and private actors. In the cyberattacks on Georgia, for example, a Russian language website, stopgeorgianow.ru offered software that Russia’s supporters could use for distributed denial of service attacks. This allowed private attackers more easily to supplement the large-scale attacks being conducted as a part of Russia’s conflict with Georgia. 27

23 Mark Landler and John Markoff, “Digital Fears Emerge After Data Siege in Estonia” New York Times, May 29, 2007.

24 U.S.-China Economic and Security Review Commission, 2007 Report to Congress, June 2007.

25 Roger Boyes, “China accused of hacking into heart of Merkel administration,” Timesonline, August 27, 2007, at http://timesonline.co.uk/tol/news/world/europe/article2332130.ece, accessed August 27, 2007.

26 �Prinzip Sandkorn: Unternehmen aus der Volksrepublik greifen Hochtechnologie-Produkte aus Deutschland an,“ �Prinzip Sandkorn: Unternehmen aus der Volksrepublik greifen Hochtechnologie-Produkte aus Deutschland an,“ Der Spiegel, August 27, 2008.

27 Mark Landler and John Markoff, “Digital Fears Emerge After Data Siege in Estonia” New York Times, May 29, 2007.


The expense of intrusion

It is simply impossible to determine the economic costs of cyberintrusions directed against companies or government organizations in the United States. The Congressional Research Service concluded in 2004 that a limited amount of survey data were available that even the compilers described as being anecdotal.28

There are good reasons why statistical data are simply unavailable. One involves the source of information: many firms and organizations have strong incentives to conceal information about cyber-attacks. Thus, in its semi-annual survey of incidents, Symantec notes that different sectors may face different reporting requirements. Symantec singles out government as one sector that is most likely to report breaches. By contrast, “organizations that rely on consumer confidence may be less inclined to report such breaches for fear of negative consumer, industry, or market reaction.”29

Secondly, as the Congressional Research Service concluded in 2004, there are significant uncertainties and measurement difficulties that limit the ability to specify the dollar amount at risk from particular breaches. “[A]ssigning an overall figure to the cost of cyber-attacks remains highly speculative.”30

There is no reason to believe that better data are available today. Indeed, the problem of measuring the harm caused by cyberintrusions probably has grown much worse. Cyberattacks designed to obtain confidential information have become increasingly sophisticated. That means that the amount of damage from lost intellectual property may well be even less susceptible to measurement than before.

Even though the numbers cannot be accurately estimated, the nature of the threat is large and growing. Available statistics are not reassuring. For example, the Privacy Rights Clearinghouse, a nonprofit consumer rights organization, reports that over 230 million data records of U.S. residents were compromised through security breaches since January 2005.31 The New York Times reports that “a consensus estimate among experts is that 11 percent of the more than 650 million computers connected to the Internet are infected” with so-called bots that can be used for espionage or destructive attacks.32 Other estimates, such as by Greg Garcia, Assistant Secretary for Cybersecurity and Communication in the Department of Homeland Security, are even higher.33

The National Research Council reviewed available studies and concluded in 2007:

“ The documentation of the nature of cybersecurity incidents provided in these reports is fragmented and incomplete…Yet, the available data are sufficient to make assertions about the seriousness of the threat that are more than just statements taken on faith….Taken together, they paint a clear picture of growing impacts, including lost production, operational disruptions, and direct economic costs from fraud and lost business, measured on the scale of several billions of dollars annually. The impact is already very large and growing, and the threat is expanding.”34

28 Brian Cashell, William D. Jackson, Mark Jickling, and Baird Webel, “The Economic Impact of Cyber-Attacks,” Congressional Research Ser-vice, April 1, 2004.

29 “Symantec Global Internet Security Threat Report: Trends for July–December 07,” Volume XII, Published April 2008, p. 12.

30 Brian Cashell, William D. Jackson, Mark Jickling, and Baird Webel, “The Economic Impact of Cyber-Attacks,” Congressional Research Service, April 1, 2004. For one example of a study that attempts to deal with some of the methodological issues, see, Scott Dynes, Eva Andrijcic, M. Eric Johnson, “Costs to the U.S. Economy of Information Infrastructure Failures: Estimates from Field Studies and Economic Data,” Forthcoming in Proceedings of the Fifth Workshop on the Economics of Information Security, Cambridge University, undated, 2006.

31 Privacy Rights Clearinghouse, http://www.privacyrights.org/, accessed August 17, 2008.

32 New York Times, “Wake up your Computer,” January 12, 2007.

33 “We also see that on any given day, there are an estimated 40% of the 800 million computers connected to the internet worldwide are bots [in] bot nets, …which are designed to distribute spam, steal personal information, conduct denial of service attacks.” Greg Garcia, Assistant Sec-retary Assistant Secretary for Cybersecurity and Communication in the Department of Homeland Security, remarks, Defending Cyberspace 2008 Conference, Washington, DC, May 7, 2008.

34 National Research Council, Toward a Safer and More Secure Cyberspace, 2007 (prepublication manuscript), p. 2-17.


The threat of destructive programs is potentially large and particularly hard to measure. Because a destructive program is largely a single-strike weapon, adversaries may wait for an opportune moment, whether political, economic, or military, to launch an attack. The cost of compromised systems becomes clear mostly in retrospect, if then.

III. BarrIers To effecTIve response

You are fighting a war. It is an advanced persistent threat. It never goes away, the tools change everyday. You do one thing the enemy does another. You do another thing, they do another. It is a continuous thing that will not go away in my lifetime. That’s why it is called an advanced persistent threat… Thomas W. Shelman, Defending Cyberspace 2008 Conference, May 7, 2008.

To be honest, most CEOs don’t understand cyberspace and most IT guys don’t know how to talk to them about it either. Dr. John Hamre, Defending Cyberspace 2008 Conference, May 7, 2008.

Mounting an effective response to the proliferation of cyberattacks has not been easy. Some of the barriers to effective response relate to the way that technology facilitates constant evolution of the forms of cyberattack. Other barriers relate to the difficulty of making potential victims aware of their vulnerabilities and the need to improve their defenses. Even if they become aware, victims may believe it is easier to cope with attacks than to bear the expense of improving their information systems and defenses.

Another issue relates to the focus of many effective attacks, which use weak partners or weak systems of a company or agency as the entry point to infect systems that otherwise may be well defended. This “weak link” problem can greatly increase the cost of defense. Moreover, the weak-link problem may mean that the system that is vulnerable doesn’t belong to the organization that will bear the major costs of an attack. This leads then to the need for common defense in many cases and the difficulty that organizations often have in working together to achieve common goals.

Complacency

The threshold problem is that many forms of malware, and especially those forms designed to steal intellectual property, are not detected without making a special effort. Thomas Shelman of Northrop Grumman Information Technology, who has spoken to hundreds of corporate chief information officers (CIOs), is concerned about the lack of awareness: “I worry about corporate America because they think that they are safe. The smartest CIOs and these aren’t bad people, these are good people, they are great leaders, but they don’t know. They don’t know the vulnerabilities.”35

35 Thomas W. Shelman, remarks, Defending Cyberspace 2008 Conference, Washington, DC, May 7, 2008.


Then when a possible intrusion is discovered, the CIO has a significant incentive to apply the least burdensome solution and declare the problem over. Again Mr. Shelman:

“ The typical CIO goes through a learning process, and I went through this learning process. And the first part of it ....starts with denial, you say my firewalls protect me I am okay. Then you go through this thing where you are in shock and say I can’t believe that that’s happening. At some point you think you have the problem fixed because you put the fire fighting team on it and you go do something and maybe you disconnect from the internet, reset everyone’s passwords and say, I am okay. Well, no, you still didn’t get it.”36

By contrast, Mr. Shelman believes that many parts of government, and especially the Department of Defense, do understand the nature of cyberthreat and the need to detect threats and deal with them both preventatively and in an effective response. The question for many government agencies, as discussed below, is whether they have the resources and have assigned cyberdefenses a high enough priority in allocating their resources.

The Problem as an Advanced Persistent Threat

Constant improvements in information technology benefit not only companies and governments, but also attackers. Professional use of targeted attacks to harvest trade secrets and national secrets are superseding amateur attacks that had used viruses and worms to cause destruction. Bots are the current scourge; the next form of attack is just over the horizon.

That means that cyber defense must be a continuing process rather than a one-time cure. For every defensive measure, attackers, whether nation-states or criminals, can develop countermeasures. Intruders constantly adopt new sophisticated approaches, such as so-called client-side attacks that involve e-mail, instant messaging, media streaming, and other interactions with a hostile server. They also defend themselves better against countermeasures, for example with so-called “fast-flux service networks” of compromised computer systems that change their architecture constantly so as to make it hard to track their operations.37 This constant evolution of attack methods means that defense too is a continuing effort.

The Costs of Defense

To build an effective defense requires effort and resources. Companies often do not see the value of expending such effort and resources. If the perceived costs of intrusion are small, a firm may simply pass on the costs in its prices. Or a bank or other firm may be able to limit its exposure by setting contractual limits on its liability to its customers for losses from third-party fraud.

This relates to what economists call “externalities.” The party that bears the costs of an intrusion, in terms of ID theft, theft of proprietary information, or a distributed denial of service attack, for example, may not be the party whose weak defenses allowed the breach to occur. The costs of shoring up a weak defense may fall on a party that is not harmed much at all by the initial intrusion.

A classic example of externalities would be a destructive attack to bring down a piece of critical infrastructure such as an electric power system. The power system might go out of business at a cost to its owners, but the

36 Ibid.

37 For examples of the arms race between cyberattackers and defenders, see, e.g., Scott Berinato, “Hacker Economics 2: The Conspiracy of Apathy,” www.cio.com, October 8, 2007; and Scott Berinato, “Hacker Economics 3: MPACK and the Next Wave of Malware,” www.cio.com, October 8, 2007..


costs to all people and organizations from the power failure could possibly end up being very much greater.38 The particular power company itself might not see enough economic value in upgrading its defenses to a high enough level, unless there were a common effort, for example through regulatory requirements that prevented competitors that spent less on cyberdefense from taking economic advantage.

The problem of “weak links” can create externalities. In other words, successful cyberintrusions often occur through legacy systems at a firm or agency or through the weakly defended systems of a business partner, whose systems provide a conduit for the intruder to bypass the defenses of an otherwise well defended firm or agency. One can imagine a small business, for example, that partners with a large company that possesses strong defenses. The small business might simply not have the financial strength to bring itself up to the same standards that its larger partner can meet.

The Difficulty of Achieving Joint Action

In short, there are many reasons to believe that joint action is needed to deal with many aspects of cyberdefenses. While individual efforts are important, joint effort is also needed, both to enhance protection and to reduce the collective cost of improved cybersecurity. For example, a joint effort can:

• Establish minimum standards so that firms and their business partners, or government agencies and their partners, do not place each other’s systems at risk;

• Encourage expanded availability of certification so that companies and agencies can properly assess the quality of their cyberdefenses and the quality of partners’ systems;

• Provide appropriate incentives so that organizations that can improve cybersecurity at least cost, such as Internet Service Providers (ISPs) or banks or telecommunications companies, provide appropriate levels of protection for their customers rather than requiring customers to undertake individual efforts at a much greater total cost;

• Protect critical infrastructure, whether owned by the public or private sector;

• Share information about the nature and possible timing of major threats; and

• Provide effective support to assist firms or agencies to recover from the effects of a cyberattack.

These benefits of joint action are clear. However, it can be difficult to translate the need for cooperation into effective action. For example, an earlier Johns Hopkins report on identity management systems seemed optimistic that parties might find a way to come to agreement on common standards, certification procedures, and interoperable systems.39 However, that has not happened. There always are tradeoffs, among parties who benefit or lose from a particular proposal, and among desired levels of protection compared to potential risks. The latter is especially problematic in the cyber domain because of the difficulty of understanding the actual level of risk that accompanies each level of protection.

Some economic sectors may be more resistant to adoption of cyberprotection than others. The underlying industrial organization of each particular sector may exert a strong influence on the rate of adoption of common standards. To take a different example from the healthcare sector, the disparate interests of many

38 For a striking example of a successful destructive intrusion into a power generator, see, CNN, “Mouse click could plunge city into darkness,

experts say,” September 27, 2007, http://www.cnn.com/2007/US/09/27/power.at.risk/#cnnSTCVideo, accessed August 17, 2008.

39 This is discussed in Thomas H. Stanton, “Improving Federal Relations with States, Localities, and Private Organizations on Matters of Homeland Security: The Stakeholder Council Model,” Chapter 13 in Thomas H. Stanton, ed., Meeting the Challenge of 9/11: Blueprints for Effective Government, M.E. Sharpe Publishers, 2006.


different actors have impeded adoption of healthcare information technologies and standards despite the major benefits that this could provide to the sector as a whole.40

Overlaid on these issues are legal issues: to what extent do the antitrust laws allow competing companies to collaborate on cyberdefenses? To what extent do federal laws protect companies that share information about cybervulnerabilities with the federal government? Is that protection assured, or might it depend on the discretion of a federal official to decide whether or not to share something? What is the legal liability of a company that discloses that it has been successfully attacked? And what is the legal liability of a company that fails to disclose a successful attack, and to whom does it have a duty to disclose, and how much information?

Increasing amounts of information are available to assist firms in establishing policies to deal with such questions.41 On the other hand, the federal government has not yet created a legal framework for many issues. Some 38 states, following the lead of California that enacted such a law in 2003, have enacted disclosure laws that require companies to notify consumers whose personal information has been compromised. Federal legislation is pending but has not yet been enacted.

Internal and external organizational issues also play a role. Many companies and agencies relegate issues of cybersecurity to the chief information officer or to a chief information security officer who reports to the CIO. This level of a company may be too low to allow for consideration of the kinds of tradeoffs that are needed to decide how much and what kind of cybersecurity to adopt. For example, a large number of cyberincidents can be traced back to a company or agency insider; yet, the CIO alone may not be in a good position to opine about many of the personnel-related security measures, discussed below, that could help bolster cyberdefenses.

Externally, many organizations may find it difficult to collaborate with one another. As the Government Accountability Office reports,

“ …private sector officials stated that their organizations continued to be hesitant to share information on vulnerabilities and threats because of the fear that such sharing might negatively affect their financial bottom line. For example, private sector officials stated that it was difficult to share unfiltered information with their respective infrastructure sector ISAC [information sharing and analysis center] because a competitor operated the ISAC…”42

Within the federal government, collaboration may be especially hard to achieve across organizational boundaries.43 With some exceptions directly relevant to cyberdefense, this has proved to be especially true in national security and national intelligence.

Given these obstacles, what will it take to improve our defenses, for people, organizations, and the country, against cyberattack?

40 “Since 2003 we have witnessed a national effort to advance health IT through a newly developed public-private standard-setting process. This process has proved (1) complex and burdened by too many goals, (2) easy for entrenched interests to dominate, and (3) reluctant to frame issues dealing with disruptive technology aimed at consumers.” David C. Kibbe and Curtis P. McLaughlin, “Alternative: Hanging out the Unmentionables for Better Decision Making in Health Information Technology,” Health Affairs, September/October 2008; vol. 27, no. 5, pp. 396-398; see also, Carol C. Diamond and Clay Shirky, “Health Information Technology: A Few Years Of Magical Thinking?” Health Affairs, September/October 2008, vol. 27, no. 5, pp. 383-390.

41 See, e.g., Tim Proffitt,” Creating and Maintaining Policies for Working with Law Enforcement,” the SANS Institute, http://www.sans.org/reading_room/whitepapers/incident/32803.php, accessed August 17, 2008.

42 U.S. Government Accountability Office, Cyber Analysis and Warning: DHS Faces Challenges in Establishing a Comprehensive National Capa-bility, GAO-08-588, July 31, 2008, p. 44.

43 See, e.g., Thomas H. Stanton, “Improving Collaboration By Federal Agencies: An Essential Priority For The Next Administration,” working paper, National Academy of Public Administration, August 2008, http://www.napawash.org/pmc/papers/collaboration.html, accessed August 17, 2008.


Iv. BuIldIng an effecTIve defenseOur approach in the Department of Defense is based on defense-in-depth. In other words, we do not believe that there is any one thing that you can do to go out and buy cyber security. We believe it spans the spectrum of technology, tactics, techniques, procedures, policy, and most importantly, it requires a culture change. China’s Proliferation Practices, and The Development of Its Cyber and Space Warfare Capabilities, Hearing before the U.S.-China Economic and Security Review Commission, May 20, 2008, pp. 51-52. Testimony of Col. Gary D. McAlum, Director of Operations, Joint Task Force for Global Network Operations, U.S. Strategic Command, May 20, 2008.

The control of the information resource and flexibility for the business to get the job done are of paramount importance. Each one must be satisfied while not overpowering the other. Sara Sinclair, et al., “Information Risk in Financial Institutions: Field Study and Research Roadmap,” 2008

Effective cyberdefense requires both individual and joint efforts. On the one hand, each person and organization must be responsible for its own security. Government and other collective efforts cannot substitute for individual action. On the other hand, collective action also is needed. People and organizations need to work together, to share promising practices, raise standards of weak partners with vulnerabilities that endanger more secure organizations, and provide testing, certification, and other support that is done more effectively and economically on a collective basis. Effective defense involves a range of actions that, taken together, could greatly enhance protection, both individually and collectively. Some sectors, such as financial services or defense and national security, seem much farther along in fostering collective action than others.

develop a culture of cybersecurity awareness

Both individuals and organizations need to adopt a culture of security awareness. Too many individuals still fail to take basic security precautions when going on the Internet. While government has tried to make people more aware, individuals must bear some of the responsibility for protecting themselves.44 This includes antivirus protection and firewalls as well as increased awareness of Phishing and other scams.

For organizations an enterprise-wide sensitivity to security issues is essential. The risk of vulnerability to cyberattack can be seen as a subset of overall enterprise risk management. Note in the following definition how the obligation to ensure appropriate risk management is placed on top management:

“ Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”45

For cybersecurity, as with other risks that potentially go to the core of mission assurance, the right “tone at the top” of the enterprise is critical. It is top management that can decide on the risk appetite of the enterprise and that must make decisions about tradeoffs between security and other aspects of mission success. The most successful companies manage these tradeoffs in a way that attempts to optimize security and mission assurance without impeding the shorter term effectiveness of the enterprise.

44 Brian Krebs, “’A Lot of People Just Don’t Take the Basic Precautions,’” Washington Post, August 19, 2008, p. A11.

45 Committee of Sponsoring Organizations, Executive Summary, Enterprise Risk Management — Integrated Framework, September 2004, p. 2, available at http://www.coso.org/documents/COSO_ERM_ExecutiveSummary.pdf, accessed August 19, 2008.


The CIO cannot make the needed tradeoffs and cannot set the appropriate tone at the top. General Robert Elder of the United States Air Force Cybercommand believes that the Chief Operating Officer (COO) of a company or agency must be responsible for mission assurance, including cybersecurity.46

This can be seen in the problem that statistically “trusted insiders” pose the most significant threat to an organization’s cybersecurity.47 Catherine Allen, Chairman and CEO of the Santa Fe Group, notes that insider fraud often is committed by new employees and usually by people with no prior convictions.48 Examples abound. In the year 2000 a hacker in Australia caused a computerized waste-management system to dump millions of gallons of raw sewage into rivers and parks. The hacker was a former employee of the company that had installed the system.49 Sometimes the vulnerability occurs from insider negligence rather than malice, as when the Department of Veterans Affairs reported that computer equipment containing personally identifiable information on approximately 26.5 million veterans and active duty members of the military was stolen from the home of a VA employee.

To deal with the problem of vulnerabilities created by insiders requires a change in organizational culture so that each person in the organization understands the nature of security requirements and their validity. The human relations office will need to help to build security compliance into the system for evaluating employee performance. The administrative office will need to work with the CIO to implement appropriate controls such as identity management systems for access to physical locations and to information systems. A company interdepartmental committee will need to struggle with the question of “need to know” and the means of adjusting employees’ access to specific information as they shift positions or leave the company. All of this requires a tone at the top that emphasizes the importance of security and encourages members of the organization to report issues and suggest solutions.50

Finally, both individuals and organizations need to become aware of the need for back-up measures and suitable recovery plans. Cybersecurity is not the only reason to establish a recovery plan. The possibility of physical loss of a system, natural disasters such as Katrina, homeland security events, and cyberattacks all provide good reason to create redundancies in information systems and continuity of operations generally. Individuals are well advised to back up their hard drives, a small cost compared to the potential impact on the career of someone who relies on a computer for work. Companies and agencies are increasingly establishing so-called “hot sites” to allow for continuity of operations in the event of a problem. Many firms, especially in the financial sector are adopting two “hot sites” to back themselves up. The financial sector is especially attentive to continuity of operations planning. The federal bank regulators, acting through the Federal Financial Institutions Examination Council (FFIEC), set continuity of operations standards and enforce them.51 Again, as with other aspects of mission assurance, prudent steps are a simple part of doing business in the Internet age.52

46 Lt. General Robert J. Elder, “Cyberdomain Protection and the National Defense,” presentation to the National Defense Industrial Association conference on the Defense Industrial Base Critical Infrastructure Protection, April 8, 2008.

47 Eric A. Fischer, Creating a National Framework for Cybersecurity: An Analysis of Issues and Options, Congressional Research Service, February 22, 2005, p. 22; John Rollins, Terrorist Capabilities for Cyberattack: Overview and Policy Issues, Congressional Research Service, January 22, 2007, p. 19.; ZDNet.co.UK, “The top five internal security threats: It’s widely known that internal staff are the biggest threat to IT security, but what specifi-cally should an employer watch out for?” March 6, 2008, http://resources.zdnet.co.uk/articles/features/0,1000002000,39363097,00.htm, accessed August 20, 2008 .

48 Catherine A. Allen, “Detecting and Containing Attacks: A compliance View,” The Santa Fe Group, presentation to the Defending Cyberspace Conference, May 7, 2008.

49 Ibid., p. 13.

50 M. Eric Johnson and Eric Goetz, “Embedding Information Security Into the Organization,” IEEE Security and Privacy, May/June 2007.

51 See, e.g., Federal Financial Institutions Examination Council, “Business Continuity Planning,” part of the FFIEC IT Examination Handbook, March 2008, http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf, accessed August 20, 2008.

52 For a useful overview of relevant literature, see, e.g., Stacy Jordan, “Mining gold…A primer on incident handling and response,” June 23, 2008, http://www.sans.org/reading_room/whitepapers/incident/32818.php, accessed August 20, 2008.


The economics of cybersecurity: Bake it in; don’t Bolt it on

Once a culture of cybersecurity is established, the economics can be appropriately understood. “Bake it in; don’t bolt it on,” is an expression that summarizes the inclusion of cybersecurity in business decisions. Building considerations of cybersecurity into each business activity can reduce costs and increase effectiveness.

Take, for example, the process of mergers and acquisitions. Given the vulnerability of “weak links” to cyberattack, consideration of cyber security during the planning process can help to shore up the most significant vulnerabilities before they cause harm. Indeed, a good review of cybervulnerabilities before an acquisition may be an important factor in setting the price. The same is true of relations with business partners. Screening potential partners for vulnerabilities before linking systems with one another can help to build an appropriate level of protection into the relationship from the beginning. Again, due diligence in this regard may factor into pricing; a more secure partner is worth more than one that creates unacceptable vulnerability.

Day-to-day operations also require consideration of cybersecurity. Creation of a sound process for taking account of cybervulnerabilities can help to reduce the burdens (i.e., costs, in terms of dollars and management flexibility) of cybersecurity while enhancing the level of protection. Instead of imposing rigid rules, management may be able to devise more flexible approaches to cybersecurity that maintain security while allowing managers the freedom to carry out their work. However, this requires that security professionals develop increased “soft” interpersonal skills so that they can articulate technical issues and explore tradeoffs and options with company managers.53 The cultural change will need to work both ways, including both security professionals and line managers so that they can fruitfully talk with one another.

The issue of building cybersecurity into regular business operations is of strategic importance to an enterprise:

“ In today’s Web 2.0 world, people require instantaneous access to information. They demand instant connectivity. That creates a natural tension with the cyber security folks. So as you try to make a more secure environment to conduct military operations and support military operations, adequate security measures needed to be factored in to the equation. There is some inherent tension in that effort that we’re experiencing in the DOD as we try to find the right balance.” 54

Consider the relations of the Department of Defense with its contractors. One approach to cybersecurity would be to create a separate network between DOD and trusted partners. As is true of the Internet in countries such as South Korea and Japan, members of the network might pay a user fee that could pay for monitoring and enforcement. Members of the network would be licensed and required to meet specified standards. They and their partners would be checked to assure that those standards were being met. In other words, recognizing the vulnerabilities of the Internet, DOD would simply move relations with its business partners into a separate and more secure domain.55

This approach raises a number of issues. DOD units frequently must interface with other nonsecure partners. For example, in the course of tsunami relief in South and Southeast Asia, U.S. naval vessels needed to link to nonprofit organizations and foreign government organizations. This creates the need for a so-called DMZ (demilitarized zone) so that relations with insecure partners may proceed while protecting more secure networks. Second, the building of a separate secure network creates burdens on day-to-day work of the

53 Alex Clayton, “Successfully Building Security into Business Projects,” the SANS Institute, http://www.sans.org/reading_room/whitepapers/leadership/32863.php, accessed August 20, 2008.

54 Col. Gary D. McAlum, Director of Operations, Joint Task Force for Global Network Operations, U.S. Strategic Command, “China’s Prolifera-tion Practices, and The Development of Its Cyber and Space Warfare Capabilities,” Hearing before the U.S.-China Economic and Security Review Commission, May 20, 2008.

55 Lt. General Robert J. Elder, “Cyberdomain Protection and the National Defense,” presentation to the National Defense Industrial Association conference on the Defense Industrial Base Critical Infrastructure Protection, April 8, 2008.


Department of Defense and its partners. The building of redundant systems entails significant costs, both in dollars and in loss of workplace flexibility. Another problem involves the small business partners of large defense contractors. Because of the “weak-link” problem, large contractors may need to build up the security of their smaller partners who cannot afford to do it by themselves. What are the tradeoffs between spending effort and resources to upgrade small business partners versus dealing mostly with larger firms instead?

Some in DOD would prefer instead to find more flexible ways to build cybersecurity into regular operations. Under this conception people with different levels of clearance would have access to different portions of stored information. This approach would require identity management, screening for a few key attributes, and tags on data to allow access according to the clearance level of the requester. The underlying idea is that the benefits of collaboration are so great that one should not confine collaboration unnecessarily or rigidly.56

Approaches to baking in cybersecurity will vary according to available technology, resources, and preferences of top management. The nature of tradeoffs will continue to evolve, as will the nature of costs that must be paid for mission assurance and cybersecurity. Ultimately, as Chris Rouland of IBM ISS puts it, “Our strategy is we have to figure out how you do business with an infected computer. How do you secure a transaction with an infected machine? Whoever figures out how to do that first will win.”57

Finally, the federal government needs to increase the level of its funding for unclassified IT research. Richard Clarke notes that much of the research should focus on how to write computer code that does not contain errors, adding that “current tools that find vulnerabilities…identify only about one-third of the total that are eventually found; moreover, these tools are also available to our adversaries.” 58

share Threat Information and Best practices

Thus far, the discussion of protective measures has concerned individual action by people and organizations and the creation of trusted partnerships and networks of trusted partners. However, it is clear that economies of scale exist in cyberdefenses that deserve to be shared. A number of organizations exist to share information and best practices. These include:

• The United States Computer Emergency Readiness Team (US-CERT), a partnership between the Department of Homeland Security and the public and private sectors, which helps to develop and promote the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of critical services.59

• The CERT coordination center of Carnegie-Mellon University, which is a federally funded research and development center (FFRDC) originally established by the Defense Advanced Research Projects Agency (DARPA). It responds to major security incidents and analyzes product vulnerabilities and is now part of the larger US-CERT Program.

• InfraGard, which is a partnership between the FBI and the private sector, is an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to

56 David Wennergren, Deputy Chief Information Officer, Networks and Information Integration at the Department of Defense, briefing, Center for Strategic and International Studies, July 28, 2008.

57 Scott Berinato, “Hacker Economics 3: MPACK and the Next Wave of Malware,” www.cio.com, October 08, 2007.


59 U.S. Government Accountability Office, Cyberanalysis and Warning: DHS Faces Challenges in Establishing a Comprehensive National Capa-bility, GAO-08-588, July 2008.


sharing information and intelligence to prevent hostile acts against the United States. InfraGard Chapters are geographically linked with FBI Field Office territories.”60

• Information Sharing and Analysis Centers (ISACs) serving major critical infrastructure sectors, including information technology, communications, electricity, supply chain management, water, surface transportation, and public transit. The ISACs operate with varying degrees of effectiveness. They “enable industry experts to establish working relationships, build trust, share sensitive vulnerability, threat, and mitigation information, conduct informed analysis, and collaborate with other sectors and government in an organized manner.”61

• NIST National Vulnerability Database, which “is the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.”62 The database reports on some 30,000 vulnerabilities and has about 50 million hits each year.63

• The SANS Institute is a cooperative research and education organization that serves over 165,000 security professionals worldwide, including auditors, network administrators, and chief information security officers, who share lessons and solutions. Free SANS resources include the Internet Storm Center (an Internet early warning system), weekly news and vulnerability digests, flash security alerts and over 1,200 research papers.

• The Transglobal Secure Collaboration Program (TSCP) is a government-industry partnership serving the aerospace and defense sector. Through adoption of common standards it helps members to mitigate risks related to compliance, complexity, cost and IT needed for collaboration and sharing of sensitive information in international defense and aerospace programs. Members include BAE Systems, Boeing, EADS, Raytheon, Lockheed Martin, Northrop-Grumman, Rolls-Royce, the Netherlands Department of Defence, the U.S. Department of Defense and the U.K. Ministry of Defence,

Numerous other organizations also help to promote collaboration among public and private sector users of the Internet.

That said, and recognizing the high quality of many collaborative efforts, knowledgeable people continue to call for improved collaboration, especially between the public and private sectors. Former Governor John Engler, now President and CEO of the National Association of Manufacturers, suggests a three-part approach to improved communication between the private sector and government:

“ For industry and government to work in coordination, creating an effective cyberdefense strategy, we believe three goals are essential.

• “ Open communication between government and industry on the nature of threats and the speed with which they evolve;

• “True collaboration through work on best practices and the tools of technology;

• “A government that follows through with clear points of contact and incentives – government incentives for industry to protect itself. I would include shields from liability in this area, as well.”64

60 “What is Infragard?” http://www.infragard.net/about.php?mn=1&sm=1-0, accessed August 20, 2008.

61 John T. Sabo, President, Information Technology-Information Sharing and Analysis Center (IT-ISAC) Before the Committee on Oversight and Government Reform Subcommittee on Information Policy, Census, and National Archives, United States House of Representatives, October 23, 2007.

62 The National Vulnerability Database, “About NVD,” http://nvd.nist.gov/about.cfm, accessed August 20, 2008.

63 Daniel J Chenok, Chair, Information Security and Privacy Advisory Board, “Bridging the Gap Between Government and Industry: The Private-Public Link,” presentation to the Defending Cyberspace Conference, May 7, 2008.

64 John Engler, Opening Comments, Defending Cyberspace Conference, Washington, D.C, May 8, 2008.


The United Kingdom provides perhaps the best recent example of clear communication between government and the private sector about threats. In late 2007 the Director-General of M.I.5, the UK’s internal security agency sent a warning to 300 CEOs and heads of security at banks, accounting firms, and law firms, warning them that they were under attack from “Chinese state organisations” :

“ The document gives warning that British companies doing business in China are being targeted by the Chinese Army, which is using the internet to steal confidential commercial information….Another source familiar with the MI5 warning said…that known attacks had not been limited to large firms based in the City of London. Law firms and other businesses in the regions that deal even with only small parts of Chinese-linked deals are being probed as potential weak spots… The MI5 letter includes a list of known “signatures” that can be used to identify Chinese Trojans and a list of internet addresses known to have been used to launch attacks.”65

This warning had critical characteristics that made it useful: it was precise about the likely set of vulnerable firms and the electronic indicators that firms should consider especially dangerous.

The United States does not have an internal security agency. However, it sometimes is possible for U.S. intelligence sources to provide assistance. Thus, in January 2008 a CIA analyst issued a warning to 300 U.S. and international security officials from government and from electric, water, oil, and gas companies who were attending a conference. Tom Donahue, the CIA’s top cybersecurity analyst, said that utility companies outside the United States had been subjected to cyberattacks. In one case the attack resulted in a power outage that affected multiple cities. The identity of the attackers was not known, Donahue said, but it was known that the attackers made extortion demands. “’We suspect, but cannot confirm, that some of the attackers had the benefit of inside knowledge,’” Donahue said. He did not specify where or when the attacks took place, their duration or the amount of money demanded.” 66 It is clear that such warnings can greatly assist both government and the private sector to take significant preventative steps. As the various public-private working groups and other organizations build personal trust, it may be possible to share information more extensively. This is an issue that deserves further study to determine the conditions under which the most effective collaboration can take place without sacrificing other values. Always in this area, tradeoffs must be understood and designed to optimize the benefits and costs.

Often, understanding the nature of the underlying problem is necessary to solve the problem that presents itself. Thus, rapid turnover of cybersecurity officials has reduced the ability of DHS to maintain trusted collaborative relationships with other organizations.67 One may not be able to solve the collaboration problem without addressing the underlying human resources issue.

65 Rhys Blakely, Jonathan Richards, James Rossiter and Richard Beeston, “ MI5 alert on China’s cyberspace spy threat,” The Times, December 1, 2007, http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article2980250.ece, accessed 08-05-2008.

66 Ellen Nakashima and Steven Mufson, “Hackers Have Attacked Foreign Utilities, CIA Analyst Says,” Washington Post, January 19, 2008, p. A04.

67 U.S. Government Accountability Office, Information Security: Despite Reported Progress, Federal Agencies Need To Address Persistent Weaknesses, GAO-07-837, July 2007; U.S. Government Accountability Office, Information Security: Progress Reported, but Weaknesses at Federal Agencies Persist, GAO-08-571T, March 12, 2008.


require partners to Meet Key standards

The importance of assuring the security of trusted partners has already been noted. A good example of joint establishment and management of standards comes from the payment card industry. In 2006 American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., established the PCI Security Standards Council. The council develops PCI Security Standards, including: the Data Security Standard (DSS), Payment Application Data Security Standard (PA-DSS), and Pin-Entry Device (PED) Requirements. It manages the standards, provides education, and promotes awareness of the standards.

“ All of the five founding members have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs. Each founding member also recognizes the QSAs and ASVs certified by the PCI Security Standards Council as being qualified to validate compliance to the PCI DSS….Other industry stakeholders are encouraged to join the group and review proposed additions or modifications to the standards.”68

The payment card industry is economically much more concentrated than other industries. Also, payment transactions must be interoperable across payment systems, which creates some interdependence among companies. These factors make it easier for the PCI Security Standards Council to operate, compared to other industries with larger numbers of companies that vary significantly in size and capacity from one another and that do not need to rely on collaboration across the industry to succeed. For such industries, to the extent that they represent critical infrastructure, federal intervention may be necessary.

Governor Engler and the National Association of Manufacturers believe that one effective tool for the federal government would be to build cybersecurity requirements into federal procurement standards: “Government can use its market power, instead of its regulatory power by more prominently including security, along with cost, into its procurement process.”69

This is an important approach for many industries whose level of cybersecurity is essential not only for the particular economic sector, but also for government agencies that the industries relate to. The Department of Defense, for example, is beginning to incorporate increasingly stringent cybersecurity performance standards into its procurement requirements. This can supplement the role of public-private organizations, such as the Transglobal Secure Collaboration Program (TSCP) in setting standards for the defense industrial base.70

However, much of the rest of government is not yet at work to use its procurement power to raise standards of cybersecurity. Many agencies themselves continue to have spotty records with respect to vulnerability to cyberattack.71 For example, the current governmentwide initiative to reduce the number of federal Internet connections and standardize their levels of security has met with a range of responses, from agencies that appear ready or nearly ready to adopt Trusted Internet Connections (TICs) to those that have a long way to go.72

Richard Clarke makes several recommendations:

• All federal networks should use two-factor authentication systems and everyone interacting with federal networks also be required to use authentication;

68 “About the PCI Security Standards Council,” https://www.pcisecuritystandards.org/about/index.shtml, accessed August 20, 2008.

69 John Engler, Opening Comments, Defending Cyberspace Conference, Washington, D.C, May 8, 2008

70 See, www.tscp.org.

71 U.S. Government Accountability Office, Information Security: Despite Reported Progress, Federal Agencies Need To Address Persistent Weaknesses, GAO-07-837, July 2007; U.S. Government Accountability Office, Information Security: Progress Reported, but Weaknesses at Federal Agencies Persist, GAO-08-571T, March 12, 2008.

72 http://www.whitehouse.gov/omb/egov/documents/2008_TIC_SOC_EvaluationReport.pdf, accessed September 27, 2008.


• All data, e-mails and laptops should be encrypted; and

• The size of the OMB staff enforcing federal IT security should be expanded substantially from the current two people and be given authority to require agencies to upgrade their security standards. 73

Also, many government agencies do not assure the performance of their partners. The Office of Management and Budget reviewed the compliance of 25 federal agencies with the Federal Information Security Management Act of 2002. OMB reported that, in Fiscal Year 2007, it asked agency inspectors general to confirm “whether the agency ensures information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy, and NIST guidelines.” OMB found that the number of inspectors general answering that question as “almost always” decreased from 2006 to 2007 from 15 agencies to 12 agencies.74

There is a clear need for government to be more forceful in using its purchasing power to raise the quality of cybersecurity in critical industries. But to be credible, each agency must ensure that it, rather than its business partner, is not the weak link.

create Incentives for critical sectors to Improve cybersecurity

Government can apply various tools to help create incentives. One approach is to use grant funds to encourage adoption of standards. To be effective, the requirement for federal partners to adopt standards likely must be built into federal grant programs that support much larger activities than mere cybersecurity alone. One positive example, from a different homeland security sphere was the SAFECOM Interoperable Wireless Communications Program of the Department of Homeland Security. By leveraging federal grant funds for first responders, especially in major urban areas, DHS was able to encourage adoption of standards for interoperable digital two-way wireless communications products.75

Another area where grants have been beneficial relates to the continuing federal need for employees with high technical skills and knowledge of cybersecurity. The Scholarship for Service program provides grants to students who commit to work for the federal government in return for their grants.76 Again, this grant program is likely effective because of the difference it can make in encouraging behavior, here the opportunity to introduce highly skilled graduates to federal service.

Another major tool of government is regulation.77 As Governor Engler and others have pointed out, regulation is a cumbersome process that generally lags behind market developments. The lag is especially substantial in the fast-moving world of information technology and cybersecurity. That said, regulation may be an important tool for economic sectors that are especially critical and manifest an industrial organization that might preclude companies from adopting adequate cybersecurity on their own. One justification for setting minimum standards is that companies should not benefit competitively from skimping on IT security, including cybersecurity. Otherwise, without standards and regulatory supervision, the result could be a race to the bottom.78


74 Office of Management and Budget, Fiscal Year 2007 Report to Congress on Implementation of The Federal Information Security Management Act of 2002, p. 6.

75 http://www.safecomprogram.gov/SAFECOM/

76 https://www.sfs.opm.gov/StudentBrochureWeb.pdf.

77 See, generally, Malcolm K. Sparrow, The Regulatory Craft, Brookings, 2000

78 Stephen Malphrus, Board of Governors of the Federal Reserve System, remarks to the Conference on Defending Cyberspace, May 8, 2008.


The electric power industry would appear to be such a critical infrastructure sector. Early in 2008 the Federal Energy Regulatory Commission issued eight standards for electric utilities, including identity controls, training, security perimeters, physical security of critical cyber equipment, and incident reporting and recovery. Given the mixed record of the electric power industry in assuring system reliability, additional standards could well be warranted, as well as assurance that any standards in fact are promptly implemented.

Another area where regulation is likely warranted relates to internet service providers (ISPs). Richard Clarke recommends that, “The Federal Communications Commission should require internet service providers to take specific measures to reduce spam, worms, viruses, denial-of-service attacks, phishing, botnets, and other malicious activity.”79 This is a critical area where appropriate regulations can place much of the burden of improved cybersecurity onto the industry that is best positioned to deal effectively with it. It makes much more sense for ISPs to apply protective measures than for millions of individuals and enterprises to attempt to replicate that protection on a computer-by-computer basis.

Mr. Clarke also believes that the federal bank regulators should require two-factor authentication for all online banking and stock trading. There is at least anecdotal evidence that online banking is inadequately protected, and this recommendation too would seem to be cost-effective.80

Once again, careful analysis is needed to select those sectors where regulation is needed because (1) the sector is critical to the well being of the United States, and (2) the industrial organization of the industry or other factors preclude industry wide adoption of appropriate standards. Then careful thought is needed to design regulations, and enabling legislation if necessary, to attempt to shift regulatory responsibilities to those firms that are best placed to assure minimum standards of cybersecurity in the most cost effective manner. Other important issues involve the need to optimize tradeoffs of security against other important values such as innovation. Merely to list these factors indicates how difficult a legislative or regulatory process can be. Regulation is fundamentally a political issue. Different types of firms attempt to shape the contents of regulations – always in the name of protecting consumers and markets – to shift burdens to their competitors.81


80 Scott Berinato, “Hacker Economics 2: The Conspiracy of Apathy,” www.cio.com, October 8, 2007; and Scott Berinato, “Hacker Economics 3: MPACK and the Next Wave of Malware,” www.cio.com, October 8, 2007.

81 Bruce M. Owen and Ronald Braeutigam, The Regulation Game: Strategic Use of the Administrative Process, Ballinger Publishers, 1978.


v. conclusIon

This review of cybersecurity suggests that, threats to cybersecurity are real and significant, both for individuals and for firms and government agencies. The form of cyberattacks is constantly evolving. Perpetrators are developing increasingly sophisticated forms of harmful attack, whether for theft of intellectual property, fraud, or political purposes. Cyberattacks are especially pernicious because perpetrators of the most effective attacks may seek deliberately to hide the success of the attack so as to obtain much greater benefit than if the attack were discovered.

The findings of this report lead to recommendations82:

Cyberdefense is not a problem solely for government to solve; firms and individuals in the private 1. sector must recognize their responsibility for protecting their intellectual property and other assets from cyberattack.

• Individuals and firms need to increase their awareness of the threat of cyberattack

• Organizations must build cybersecurity into their daily activities and a culture of cybersecurity

• Security should become an integral part of systems and processes: bake it in, don’t try just to bolt it on.

• Because attackers try to exploit weak links in security, organizations need to require their business partners to meet appropriate standards.

That said, government must play an important role in encouraging coordinated improvement in both 2. government and the private sector.

Government and the private sector need to improve the sharing of information on many levels, 3. including best practices and alert warnings.

• Economies of scale in cyberdefense mean that effective information sharing can reduce cost for all participants.

• Information sharing often requires personal trust; organizations such as the Department of Defense find it easier to build trust relationships with business partners than organizations with frequent turnover of personnel such as DHS.

The government’s approach of looking at cybersecurity in terms of critical infrastructure sectors 4. makes sense, given the different nature of each sector, in terms of industrial organization and current regulatory context. However, some sectors lag seriously behind others in their vulnerability to cyberattack.

• Research grants and training should recognize the importance of each sector adopting norms of responsible behavior and changing the cultures of individual organizations, and not merely encourage adoption of software and hardware tools to prevent cyberattacks.

82 One other important set of issues relates to the need to engage in diplomatic and other means of increasing international cooperation to counter global cybercrime organizations. At the Conference on Defending Cyberspace, May 8, 2008, Michael Aisenberg stressed both the impor-tance and promising prospects for such efforts. For example, he points out that parts of the Chinese government are likely to be open to partner-ing with organizations in the United States to reduce the level of global cyberattacks, especially given the significant number of such attacks that originate in each country.


Careful analysis is needed to develop an effective layered defense for the country as a whole, through 5. a combination of approaches. Important tradeoffs exist, between security and other values such as innovation, flexibility to carry out the organization’s mission, and cost. So far, this type of analysis has been lacking for many aspects of cybersecurity.

Some private actors, such as internet service providers, are in a position to implement improvements in 6. cybersecurity at much less cost than if the burden were placed on all of their customers. Government should play a role in helping to assure that responsibility for cybersecurity shifts to those places that are best able to implement it cost-effectively.

There is a role for government to apply several tools of government, including grants, requirements in 7. procurement contracts, and regulation.

• Setting requirements in procurement contracts is potentially very effective, especially in sectors such as defense and national security where government is able to bear some of the cost of the improved cybersecurity standards that it requires.

• Where grant programs are large enough to make a difference, grants also can play a role in promoting improved cybersecurity. Grants are likely to be most useful in focused areas such as encouraging a stream of graduates with technical knowledge of cyberdefense to enter public service.

• Because of the weak link problem, regulation may be required to address shortcomings in cybersecurity in a number of economic sectors.

The next administration needs to make cybersecurity a major priority, especially because of the 8. nation’s increased vulnerability at a time of growing financial weakness. This should be a part of enhancing the capacity in the Executive Office of the President to lead the government in addressing such critical issues.83

Needed now is to make these lessons and recommendations more concrete in their application. This should include a compilation of promising practices to help inform the nation’s cyberstrategy: a review of approaches by government and the private sector that have been most effective in promoting cybersecurity, with an analysis of the conditions under which each approach works best. But study alone is not enough. With increased leadership from the Executive Office of the President, and from leaders in the private sector, the public and private sectors must work together to devise effective cyberdefense plans, especially for critical sectors that currently lag in cybersecurity, and then implement them. While this effort will involve a significant commitment of resources, the alternative could be much more costly for us all.

83 Thomas H. Stanton, “Improving Managerial Capacity of the Federal Government: A Public Administration Agenda for the Next President,” Public Administration Review, in press; and Thomas H. Stanton, Working Paper, “Improving Collaboration by Federal Agencies: An Essential Priority for the Next Administration,” August 2008, available at http://www.napawash.org/about_academy/ImprovingCollaborationbyFederal-Agencies.pdf, accessed September 28, 2008.

.


acKnowledgeMenTs

The author wishes to thank the many people who provided insights for this report and the conference sponsors that helped to fund this study. Special thanks go to Michael Aisenberg, Catherine A. Allen, Liesyl Franz, Gov. James Geringer, Gary Glickman, Gov. Jim Hodges, James Lewis, Mary Mitchell, Frank Reeder, Marc-Anthony Signorino, James Souby, Thomas Stack, and Keith Ward. The author is solely responsible for this report and its contents.


8:30 – 8:45 aM

IntroductionJim SoubyPresident, Park City Center for Public Policy

Opening RemarksAn overview of the growing threat of cyber espionage to corporate America. The attacks, perpetrated by organized foreign and domestic entities, threaten our economic well being and our global innovative advantage. Defending against these attacks requires new technologies to be implemented individually and collectively. Corporations need to address critical legal, audit and technology-based issues to ensure their future viability.

John EnglerPresident & CEO, National Association of Manufacturers, and former Governor, Michigan

8:45 – 9:45 aM

The Advanced Persistent ThreatCyber attacks threaten governments, corporations and individuals to extract financial or strategic information. Using increasingly sophisticated methods, sometimes combined with coercion and more traditional corporate espionage, hostile organizations gain access to critical intellectual property, trade and national secrets.

This information, in the wrong hands, threatens our national security and our industrial future – their officers and directors, their shareholders and their customers. Once attacked, government organizations and corporations are understandably reluctant to discuss the impact on their business or mission. Those that do speak publicly talk only in the most general terms.

8:45 – 9:15 aM

The Advanced Persistent Threat – Industry View Thomas W. ShelmanPresident, Defense Group, Northrop Grumman Information Technology

9:15 – 9:45 aM

The Advanced Persistent Threat – Government ViewGreg GarciaAssistant Secretary for Cyber Security and Communication, National Protection and Programs Directorate, Department of Homeland Security

9:45 – 10:00 aM

Break

10:00 – 11:00 aM

Detecting and Containing Attacks – Technology ViewThis panel of experts explores where the attacks are coming from, how they are being done, and what can be done to detect and defeat them. They will discuss the escalating nature of the attacks and the need for leadership, diligence and perseverance on the part of CEOs, CIOs, and CISOs.

Jeremy Grant (Moderator)Senior Vice President, Stanford Group Company

Greg WilshusenDirector, Information Security Issues, Government Accountability Office

Michael AisenbergCounselor to the President of Information & Infrastructure Technologies, Inc.

Valerie AbendDeputy Assistant Secretary for Critical Infrastructure Protection and Compliance Policy, U.S. Department of the Treasury

Appendix ADefending Cyberspace 2008 Conference AgendaMay 6-7, 2008Washington, DC


11:00 aM – noon

Detecting and Containing Attacks – Compliance ViewThe panel will drill down into the complexities of dealing with the attacks, both publicly and organizationally. Issues that will be discussed include: International Trade • Director & Officer Liability • Offshore Outsourcing • Supply Chain Management.

Cathy Allen (Moderator)Chairman and CEO, The Santa Fe Group

David BartlettSenior Vice President Levick Strategic Communications, LLC

Steve MalphrusStaff Director for Management, Board of Governors of the Federal Reserve System

Randy V. Sabett, J.D., CISSPSonnenschein Nath & Rosenthal LLP

noon – 1:30 pM

Keynote LuncheonGary GlickmanPresident, Imadgen, LLP

Keynote:John J. HamrePresident & CEO, Center for Strategic and International Studies

1:30 – 2:30 pM

Current Methods for Information SharingTopics include: Current Cyber Security Initiatives • Limitations Among Business and Government • IT Sector Coordinating Council • Information Sharing and Analysis Centers (ISACs) for IT, Communications, and Other Sectors • Partnership for Critical Infrastructure Security (PCIS) • National Infrastructure Protection Centre (NIPC) • DoD Initiatives for Information Sharing • Information Sharing and Security Initiatives within Key Network Operations Centers Serving the Government and Private Sectors.

Phil Bond (Moderator)President and CEO, Information Technology Association of America

Alan WadeFounder, Wade Associates, Inc.

Ken WatsonChair, Partnership for Critical Infrastructure Security and Senior Manager, Critical Infrastructure Assurance Group, Cisco Systems, Inc.

2:30 – 3:15 pM

View from the Privacy CommunityCyber espionage targets are not limited to company sensitive financial and product information, but to customer and employee personal information as well. Building defenses against cyber attacks helps protect this information from unauthorized use. However, the maintenance and storage of this information, how it is used and how trade-offs between privacy and security must be addressed are part of any solution. These experts will discuss how industry guidelines can help build trust between government, industry, employees and customers.

Ari SchwartzDeputy Director, Center for Democracy and Technology

Rich Baich, CISSP, CISMPrincipal, Deloitte & Touche LLP


3:15 – 3:30 pM

Break

3:30– 4:15 pM

Bridging the Gap Between Government and IndustryWhat is the role of government in helping to protect our industrial base against foreign and domestic cyber attacks? Our Federal government is taking substantive action to safeguard national security. Exercises such as Cyber Storm II demonstrate how government plans to react to a real attack. The Department of Defense, the intelligence agencies and the Department of Homeland Security plan to invest over $6 Billion in building our cyber defense networks. How can this investment be leveraged to help protect the US corporate base? And similarly, how can information gleaned from corporate attacks be funneled back to the government to improve their own readiness?

David Hoffman (Moderator)Group Counsel & Director of Security & Privacy Policy, Intel Corporation

Jacob OlcottStaff Director, Subcommittee on Emerging Threats, Cybersecurity, Science & Technology, Committee on Homeland Security, U.S. House of Representatives

Dan ChenokChair of the Information Security and Privacy Advisory Board and Senior Vice President & General Manager, Pragmatics, Inc.

4:15 – 5:15 pM

Developing an Action PlanThis is a “call for action” session that will present and discuss methods to address confidentiality and secrecy, cross-agency information sharing and planning, best practices, promising solutions and their adequacy to combat cyber threats. What community-wide solutions could be put in place? • What public/private processes are indicated? • What legislative/policy changes appear necessary? • How can a bridge be built between the public and private sectors? • What are the objectives? • Who can lead? • Federal and Private Roles and Responsibilities • What will it take? Planning – Time – People – Training – Investment – Infrastructure • Need for legislation/Change to the Sarbanes-Oxley Act • Suggested Strategic/Policy Action Agenda • How do we communicate? • How do we define “success”?

Facilitators:Governor Jim Geringer,Director, ESRI

Tom StantonFellow, Center for the Study of American Government, Johns Hopkins University

5:15 – 5:30 pM

Closing Remarks and Next Steps



Center for the Study of American GovernmentThe Johns Hopkins UniversityWashington Center1717 Massachusetts Avenue, NW

Documents

DefeNDiNG CyberSpACethomas-stanton.com/wp-content/uploads/2012/09/... · foreword On May 8 and 7, 2008, cybersecurity experts, staff from Capitol Hill, academics, and a variety of