Perspectives on Cyber Security


Introduction

Today's cybersecurity landscape is changing rapidly. Conventional security standards and practices cannot keep up with the frequency and sophistication of attacks. Between May and July 2011, the industry and governments experienced a sharp increase in cyber attacks against a number of large, technically savvy organizations:

Sony revealed that several major customer data thefts had occurred, affecting more than 100 million user accounts (77 million PlayStation Network users and 24.6 million PC games customers). [1]

RSA, a company that makes one of the industry's most widely distributed two-factor authentication SecurID tokens, suffered an attack that resulted in RSA replacing 40 million of its tokens. [2]

In an attack directly related to the RSA breach, defense contractors Lockheed Martin and L-3 Communications were hit by sophisticated attackers who used counterfeit RSA tokens to impersonate the access codes of targeted employees. [3]

The International Monetary Fund suffered cyber attacks in June, but it did not disclose the nature of the attacks or whether a security breach actually happened. [4]

Citibank reported that credentials for 200,000 users were stolen, including names, account numbers and email addresses. [5]

Infragard, an FBI-led partner organization, was compromised by hackers in Connecticut and Atlanta, revealing passwords of hundreds of industry and law enforcement users. [6]

The identities of border patrol agents in Arizona were released by hacktivists (defined as those who use computers and networks as a means of protesting political ends) in protest of Arizona's immigration enforcement policies. [7]

Websites operated by organizations such as the CIA, the U.S. Senate, PBS and Citibank have been defaced in high-profile attacks by a hacking group called LulzSec ("hacking for laughs"). [8]

STUXNET, one of the most sophisticated computer viruses on record, specifically targeted and severely damaged an Iranian nuclear facility and signaled the future of cyberwar attacks on critical infrastructure. [9]

Perspectives on Cybersecurity: The Rapidly Evolving Risks, the Implications and the Path Forward
White Paper, October 2011

Notes

[1] http://online.wsj.com/article/SB10001424052748704436004576299491191920416.html
[2] http://www.businessweek.com/news/2011-06-07/emc-unit-rsa-to-replace-security-tokens-after-data-breach.html
[3] http://www.wired.com/threatlevel/2011/05/l-3/
[4] http://gcn.com/articles/2011/06/14/imf-hacked-foreign-government-suspected.aspx
[5] http://www.theregister.co.uk/2011/06/09/citibank_hack_attack/
[6] http://www.huffingtonpost.com/2011/06/21/lulzsec-hack-fbi-partner-infragard-ct_n_881038.html
[7] http://www.azcentral.com/news/articles/2011/06/23/20110623lulzsec-hacks-into-arizona-dps-system-abrk23-ON.html
[8] http://www.huffingtonpost.com/2011/06/20/lulzsec-anonymous-war-_n_880637.html
[9] http://en.wikipedia.org/wiki/Stuxnet


Summary

Cyberspace is inextricably woven throughout the fabric of society. It extends from the public Internet, through both wired and wireless telecommunications networks, and into every home and business that uses digital voice, video and data. Treating the security of cyberspace separately from the physical world can be misleading, particularly considering the range of critical infrastructure applications such as transport, energy distribution, and finance that require digital communications. Because it is ubiquitous, cyberspace is vulnerable to attacks by malicious parties from anywhere around the world. Ensuring cybersecurity is essential for society because the costs of ignoring it are too high. Also, due to the evolving sophistication of attackers, the tools, policies and procedures that were effective against yesterday's attacks may continue to become obsolete. Therefore, any new cybersecurity framework needs to avoid rigid procedures. Innovation and rapid response to threats should be rewarded. Appropriate incentives (both rewards and punishments) are needed for each segment of cyberspace. Because new threats are constantly developing into new, potentially unrecognizable attacks, any legislative or policy initiatives designed to combat these threats must be flexible and adaptable to encourage a high level of innovation.

Level 3 Communications believes all entities (individuals, corporate, government and non-government) need to contribute towards securing vital infrastructure. Responsibilities exist for individual end users, end-user organizations, broadband service and Internet service providers as well as government agencies. Hardware and software vendors providing products that comprise network infrastructure also need to help protect cyberspace. These vendors must communicate vulnerabilities more rapidly to qualified recipients (such as the government and major Internet carriers) and perform more comprehensive testing prior to product release. Once all of the major cyberspace participants invest in cybersecurity, it is conceivable that the overall number of damaging attacks could be reduced.

Cybersecurity, which consists of protecting computer systems and networks from malicious software and attacks by outside parties, has become essential for modern civilization. As more types of critical infrastructure depend on software for global commerce, national security, emergency response, distribution of electricity, transportation and other critical services, the potential for large-scale cyber attacks becomes ever greater. Individuals, corporations and government agencies at local, state and federal levels all need to develop and implement plans to protect their systems and networks from malicious software and external attacks.

Each group that is involved with cyberspace has a role to play in increasing cybersecurity: End users must ensure that their devices are free of malware, software intended to penetrate and compromise security. Broadband access providers should monitor traffic and help defeat malicious attacks at their sources. Equipment and software providers must improve their development, testing and patching procedures and be more forthcoming about latent defects in products when they are discovered. Carriers should provide more information to government agencies and each other about potential network vulnerabilities and recurring sources of attacks. Government agencies should be directed to disseminate information about potential cyber threats to network providers, thereby enabling more timely and effective responses to attacks. And finally, critical infrastructure providers outside the telecommunications industry should receive government and industry support to develop more extensive cybersecurity plans and capabilities.

Legislation currently pending before Congress and Executive Branch initiatives have the potential to significantly improve the overall level of cybersecurity throughout government agencies and the general public. These regulations can be made more effective by removing barriers to allow greater communication between private network providers and government agencies. Also, greater emphasis should be placed on developing defensive strategies against unknown and emerging attacks, while less focus is needed on formal security and certification processes.

Threats against critical cyberspace infrastructure will continue to increase in scope and severity in coming years. Legislation encouraging network providers and government agencies to improve communication and focus on outcomes instead of processes will increase the chances for success against malicious actors.

Level 3 Purpose

This white paper is not intended to be an all-encompassing review of the issues and policies surrounding cybersecurity. The intention is to:

Summarize Level 3 Communications policy concerning the responsibilities of communications carriers, corporations, government and other segments of the U.S. Internet community.

Emphasize the importance of productive relationships and efficient, multilateral communication between service providers and government agencies on issues ranging from threat identification and evaluation to interoperability between services and hardware.

Provide Level 3 perspectives on proposed legislation affecting cybersecurity policy.

Share Level 3 experience and learning in cybersecurity issues dealing with international governments, customers and end users.

Assessment of Evolving Threats

To understand cybersecurity challenges, some common attacks and obstacles are described below.

EVOLVING SOURCES OF THREATS

The complexity of attacks against targets in cyberspace is constantly increasing. As threats are discovered and counteracted, new threats are developed by a range of perpetrators. Most attacks come from one of these sources:

Foreign Governments: Many governments have cyberwarfare and cyberintelligence agencies focused on gathering information from entities outside their borders, including government and military agencies, commercial enterprises, non-profit organizations and individuals. Some of these attacks are brute force, whereas others are so subtle the victim never becomes aware of the data theft. A foreign nation's motivation goes beyond military intelligence. Some countries operate cyber-intelligence agencies to collect intellectual property for commercial competitive advantage.

Organized Crime: Earlier attacks were targeted at individuals, who were persuaded to buy worthless items or provide credentials required for accessing bank accounts. Recently, the focus has moved to corporate targets, where larger returns can be achieved. Crime syndicates are international and specialized; it is not uncommon for groups from around the world to join together for a specific attack and then to dissolve once the exploit has been completed.

Hacktivists: Hacker activists are entities using hacking techniques for social or political activism. Frequently cooperating in groups with a shared purpose, hacktivists target corporations or non-profit organizations that supply products or behave in ways that are disagreeable to the hacktivists. Victims come from a wide spectrum of society. Usually, the goal is to embarrass people or deface websites. Recently, many hacktivist organizations have turned to Distributed Denial of Service (DDoS) attacks intended to disrupt their targets' commercial operations in an attempt to influence policies.

Hacking Universities: These are informal, underground schools that teach hacking techniques. Legitimate universities are teaching cybersecurity students courses in hacking and countermeasure design.

Professional Hackers: These are experienced hackers who get paid for developing and launching attacks against targets. Many of them sell their services to the highest bidder, whether it is a government agency, a corporation looking to test its own defenses or an organized crime syndicate. Others are more selective in their approach; so-called "white hats" are focused on improving cybersecurity for specific organizations or the Internet at large.

Recreational Hackers: Many hackers get their start pursuing hacking for recreational purposes, particularly young people who may have limited resources and restrictions on their Internet usage. Their goals can range from curiosity to harmless fun, to serious attempts at penetrating hardened websites. While these hackers are capable of significant exploits, they can be a distraction from more experienced attackers who can cause greater damage. Prudent cybersecurity plans take recreational hackers into consideration, but success in thwarting these types of attacks should not be considered an indicator of the cybersecurity plan's ability to deflect advanced attacks.

EVOLVING USES OF TECHNOLOGY

Technical innovation can provide better solutions for cybersecurity, such as more computing power for packet inspection within firewalls. But it can also create new areas where attacks can be a threat. Some of the new technologies that pose an increasing challenge for cybersecurity include:

Cloud Computing: In place of using dedicated hardware servers to provide websites and other processing functions, enterprises are increasingly using cloud computing resources. The key benefit of a cloud is virtualization. Hardware resources are dynamically allocated to software processes as needed, as opposed to a fixed configuration of software on each hardware server. Attackers see cloud computing companies as prime targets to gain access to multiple companies at once.


Mobile Devices: Many people today carry mobile telephones and tablet computers that have more processing power than previous desktop computers. Coupled with their always-connected state, these devices are literally millions of potential new sources of threats and targets for attack.

DDoS Attacks: While there is nothing new about DDoS attacks, some technical evolution is under way. The availability of botnets for hire is increasing the severity of DDoS attacks. Botnets simultaneously bring millions of traffic sources online with the intent of overwhelming websites. They can be controlled using encrypted proprietary communications channels to precisely orchestrate their behavior. As botnets become more sophisticated, they become harder to defeat and more dangerous to victims.

Technical Tradeoffs: As users migrate to high-speed network connections and faster processors, they also expect quicker Internet response times. Technologies such as deep packet inspection can parse individual packets looking for virus and other malware signatures. In spite of the increasing levels of processor performance, tradeoffs must still be made between network speed and cybersecurity.

EVOLVING TYPES OF ATTACKS

Several new attack types have been successfully developed by malicious agents. Here are a few examples:

Spear Phishing is a variant of phishing, in which users are lured into giving out personal data, such as credit card and bank account numbers, through websites and email that appear legitimate. In this attack, specific individuals are targeted based on their access to information, technology or levels of administrative access within targeted organizations. For example, a system administrator for a major financial institution would be specifically targeted with messages or website referrals that appear to come from close friends or coworkers. To gain the information needed to prepare these false messages, attackers often leverage information extracted from the target's contact lists and online social networking profiles. This precise targeting of specific individuals is what adds the "spear" concept to basic phishing.

Zero-Day Attacks exploit latent defects that existed in a product when it was first delivered to market. These attacks may be simple tools to gain unauthorized control of compromised systems by utilizing malicious code. As a result, there has been an increase in professional researchers who identify and develop methods and tools that take advantage of security weaknesses in applications, systems or networks (the weaknesses are called vulnerabilities and the tools exploits). And a vibrant online market exists to sell these methods and tools to criminal syndicates, who use them to attack networks for financial gain, such as stealing company proprietary data or financial information from end users.

Advanced Persistent Threats (APT) represent a cyber attack which is focused on obtaining specific types of information, such as business plans, identities of dissidents or government secrets. An APT is often the work of a group which has demonstrated capabilities in persistently attacking a specific entity with precision. Common targets include government agencies, media and social or culturally based activist organizations. The scope of APTs can vary widely, ranging from telephone or data communication intercepts to malware and virus attacks. The most successful attacks are designed to avoid detection by the victim and penetrate hardened targets in a methodical fashion. The STUXNET worm described earlier is an APT that used several zero-day exploits and targeted a brand of industrial control equipment known to be used in Iranian uranium enrichment facilities.


Cybersecurity Roles and Responsibilities

An effective cybersecurity program must include a range of stakeholders who share responsibility for security. There is no single point in the cyber ecosystem where all protection activities are concentrated, as there are too many possible attack vectors. Attacks that exploit weaknesses in one area can be thwarted by protections within another layer. For example, if a virus happens to bypass the defenses erected by a broadband provider, users could be shielded by security software running on their own devices.

Today's Internet is formed through connections between millions of discrete devices, which provide various capabilities for different parties. Security behaviors can be grouped into broad categories: end users (both individuals and enterprises), broadband access providers, equipment and software providers, carriers, government, and critical infrastructure providers.

ROLES OF USERS

End users make up the largest group of Internet participants. Individual users and sophisticated enterprise users connect to the Internet through networks supplied by carriers and access providers.

The best security practice is for users to ensure their devices and networks are free of viruses and botnets. In most cases, these tasks are best performed automatically with virus protection programs and software update utilities.

Any changes in Internet user behavior need to address the privacy concerns of individuals and enterprises. A federal law forcing users to submit to intrusive device security scans may be rejected by the public and the courts. Instead, regulations must identify unacceptable behaviors and appropriate remedies. For example, user devices may not be allowed to send more than a specified number of ping requests to an IP address each minute. If exceeded, the remedy would be a temporary disconnection of the device.
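The ping-rate rule and temporary-disconnection remedy just described, worked through as an added Python example (not Level 3's code or any access provider's actual implementation): a sliding one-minute window counts ICMP echo requests per device and destination, and a device that exceeds the limit is disconnected for a fixed period and then reinstated. The threshold, disconnection length, flow-record format and sample flows are assumptions constructed for the illustration.

```python
"""Per-device ping rate limit with a temporary disconnection remedy (illustrative)."""
from collections import defaultdict, deque

MAX_PINGS_PER_MINUTE = 5      # assumed policy threshold ("specified number")
WINDOW_SECONDS = 60
DISCONNECT_SECONDS = 300      # assumed length of the temporary disconnection


class PingPolicyEnforcer:
    def __init__(self, max_pings=MAX_PINGS_PER_MINUTE,
                 window=WINDOW_SECONDS, disconnect_for=DISCONNECT_SECONDS):
        self.max_pings = max_pings
        self.window = window
        self.disconnect_for = disconnect_for
        # (device, dst) -> timestamps of echo requests still inside the window
        self._recent = defaultdict(deque)
        # device -> time at which its disconnection expires
        self._disconnected_until = {}
        self.events = []   # (timestamp, device, action) audit trail

    def is_disconnected(self, device, now):
        """True while the device's disconnection is in force; reinstates on expiry."""
        until = self._disconnected_until.get(device)
        if until is None:
            return False
        if now >= until:
            del self._disconnected_until[device]
            self.events.append((now, device, "reconnected"))
            return False
        return True

    def observe(self, record):
        """Process one flow record; return 'forward', 'drop' or 'disconnect'."""
        ts, device, dst = record["ts"], record["device"], record["dst"]
        if self.is_disconnected(device, ts):
            return "drop"
        # Only ICMP echo requests (type 8) count against the ping budget.
        if record["proto"] != "icmp" or record.get("icmp_type") != 8:
            return "forward"
        q = self._recent[(device, dst)]
        q.append(ts)
        while q and ts - q[0] >= self.window:   # slide the window forward
            q.popleft()
        if len(q) > self.max_pings:
            self._disconnected_until[device] = ts + self.disconnect_for
            q.clear()
            self.events.append((ts, device, "disconnected"))
            return "disconnect"
        return "forward"


def run(records, **policy):
    """Replay records in time order; return per-record decisions and the event log."""
    enforcer = PingPolicyEnforcer(**policy)
    decisions = [enforcer.observe(r) for r in sorted(records, key=lambda r: r["ts"])]
    return decisions, enforcer.events


# Constructed sample flows: device A pings one host 7 times in 30 s, device B
# pings the same host slowly (every 20 s), and A also sends ordinary TCP traffic.
SAMPLE_FLOWS = (
    [{"ts": t, "device": "A", "dst": "192.0.2.10", "proto": "icmp", "icmp_type": 8}
     for t in (0, 5, 10, 15, 20, 25, 30)]
    + [{"ts": t, "device": "B", "dst": "192.0.2.10", "proto": "icmp", "icmp_type": 8}
       for t in (0, 20, 40, 60, 80, 100, 120)]
    + [{"ts": 35, "device": "A", "dst": "198.51.100.7", "proto": "tcp"},
       {"ts": 340, "device": "A", "dst": "198.51.100.7", "proto": "tcp"}]
)

if __name__ == "__main__":
    decisions, events = run(SAMPLE_FLOWS)
    for ts, dev, action in events:
        print(f"t={ts:>4}s device {dev}: {action}")
```

Device A trips the limit on its sixth ping within the window, its traffic is dropped for the disconnection period (including the TCP flow at 35 s), and it is reinstated at the first packet after expiry; device B, at one ping per 20 s, is never affected.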

ROLES OF BROADBAND ACCESS PROVIDERS

Broadband access providers play a crucial role in connecting all types of users to carrier backbones. This category includes local suppliers of digital subscriber line (DSL) and cable modem services, which may serve a few neighborhoods or span across multiple states.

These networks are in a unique position of being able to detect and prevent malicious traffic from end-user computers, which are typically the largest source of botnet traffic.

Backbone network carriers are challenged to prevent the propagation of malicious traffic from broadband access providers due to several factors: identifying the source of malicious traffic; the volume of traffic that must be monitored; and their caution in terminating a connection that may carry both legitimate and illegitimate traffic. Traffic from malicious sources is better filtered if those sources are confined to individual network connections. A potential solution for controlling malicious traffic from unsuspecting users is called the "clean pipe" method, enforced by broadband providers. It requires users to have working anti-virus software on their PCs and up-to-date patches, and prevents general access to the Internet until the machine is properly protected. In addition, clean pipe methods can also detect malicious activity and reactively restrict the user on the Internet, providing the user with a method to clean their machine. This practice will decrease the amount of malicious traffic that flows over a network.
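The clean pipe method described above, as an added Python example that is not part of the original paper: a posture check gates general Internet access, a device that fails it or is flagged by detection is confined to remediation-only destinations, and cleaning the machine restores full access. The posture fields, thresholds and remediation addresses are assumptions made for the illustration.

```python
"""Clean pipe admission control: proactive posture gate plus reactive restriction."""
from dataclasses import dataclass, field

# Assumed remediation-only destinations (vendor update and AV signature servers).
REMEDIATION_HOSTS = {"203.0.113.5", "203.0.113.6"}
MAX_SIGNATURE_AGE_DAYS = 7     # assumed: older AV signatures count as "not working"


@dataclass
class DevicePosture:
    device_id: str
    av_running: bool
    signature_age_days: int
    missing_critical_patches: int
    malicious_activity_seen: bool = False   # set by the provider's detection
    reasons: list = field(default_factory=list)


def assess(posture: DevicePosture) -> str:
    """Return the access tier, 'full' or 'remediation', recording why."""
    posture.reasons = []
    if not posture.av_running:
        posture.reasons.append("anti-virus not running")
    elif posture.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        posture.reasons.append(f"AV signatures {posture.signature_age_days} days old")
    if posture.missing_critical_patches > 0:
        posture.reasons.append(f"{posture.missing_critical_patches} critical patches missing")
    if posture.malicious_activity_seen:
        posture.reasons.append("malicious activity detected")
    return "remediation" if posture.reasons else "full"


def filter_packet(tier: str, dst_ip: str) -> str:
    """Enforce the tier on one outbound packet: 'allow' or 'block'.

    A quarantined device can still reach the remediation hosts, so the user
    has a way to update and clean the machine."""
    if tier == "full" or dst_ip in REMEDIATION_HOSTS:
        return "allow"
    return "block"


def report_detection(posture: DevicePosture) -> str:
    """Reactive path: detection flags the device and its tier is re-evaluated."""
    posture.malicious_activity_seen = True
    return assess(posture)


def remediate(posture: DevicePosture) -> str:
    """The user cleans the machine: AV running, fresh signatures, patched, cleared."""
    posture.av_running = True
    posture.signature_age_days = 0
    posture.missing_critical_patches = 0
    posture.malicious_activity_seen = False
    return assess(posture)


# Constructed sample devices.
SAMPLE_DEVICES = [
    DevicePosture("laptop-1", av_running=True, signature_age_days=1, missing_critical_patches=0),
    DevicePosture("laptop-2", av_running=True, signature_age_days=30, missing_critical_patches=2),
    DevicePosture("desktop-3", av_running=False, signature_age_days=0, missing_critical_patches=0),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        tier = assess(dev)
        print(dev.device_id, tier, dev.reasons)
        for dst in ("203.0.113.5", "198.51.100.20"):
            print("   ", dst, filter_packet(tier, dst))
```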

However, an interesting legal issue could arise: Is it permissible for an access provider to deny customers access if they do not meet the carrier's clean pipe criteria? Legislation may be needed to regulate criteria requirements and to support carrier enforcement.

ROLES OF EQUIPMENT AND SOFTWARE PROVIDERS

Carriers, broadband access providers and users depend on a collection of suppliers to provide the hardware and software used to build networks. System components from PCs to routers to virus protection software are available. As most carriers act as system integrators, they depend heavily on these suppliers. They select best-of-breed components and combine them to provide comprehensive solutions.

Unfortunately, some hardware and software equipment contain defects, which make systems vulnerable to attacks. Many of these are zero-day defects, while others are introduced by faulty patches or software upgrades applied to existing code that attempt to alter the structure of that code.

Improvements clearly need to be made in commercial software development, testing and release. Already, carriers and other system users are strongly encouraging technology suppliers to improve software development methods, yet software products continue to yield a significant number of security flaws that pose security threats to infrastructure.

Alongside the need to reduce defects in commercial products, carriers would benefit from prompt notification of defects after discovery. Today, many suppliers hesitate to announce product issues until a remedy is developed and tested. If critical infrastructure providers and government agencies were notified at the time of discovery, they could institute their own remedies. By rerouting sensitive traffic away from vulnerable systems or intensifying the monitoring of systems with known defects to catch intrusions, significant damage could be avoided.

Early notification of product defects might negatively affect equipment and software suppliers due to the competitive market. Confidential information about latent defects should only be used for the defense of critical infrastructures so that technology suppliers do not fear notifying users of product defects when they are discovered. Suppliers' intellectual property needs to be protected. A government agency could be given a mandate to implement the necessary regulations for distributing product defect information. Sanctions for any person or enterprise that compromises the confidentiality of the defect report also must be enforced.

ROLES OF CARRIERS

Carriers play a key role in cybersecurity, but should not be the sole focus of security initiatives. Carriers can improve network security for users by providing safe, secure mechanisms for domain name system (DNS) lookups. Accurate

cooperatively with private network providers to develop and implement effective cybersecurity policies. These policies must support the narrow goal of protecting governmental infrastructure and the broader goal of increasing communication security and public safety.

The federal government can contribute to increased cybersecurity by improving information flow among carriers and other parties about threats and vulnerabilities. The two-way information flow between carriers and the government about actual and suspected threats must improve. New legislation should require significantly improved communication between these organizations.

Several different types of information would be beneficial to both carriers and government agencies:

Knowledge about common sources (by geographic location and/or IP address) of threats and attacks.

Historical data about threats and related solutions.

Descriptions of new attack technologies and vectors, including the means of infection and the targeted systems. Any exploits that target carrier-grade networking equipment could be a priority, as these can impact connectivity to many customers simultaneously.

Advance warning about software flaws uncovered during testing by equipment and software suppliers or zero-day exploits discovered in the wild (exploits that are actively being used).

Guidelines recommending minimum security configurations and procedures. More extensive or different technologies could be implemented, but the minimum set of procedures must be met.

A government-industry sharing database that provides real-time information on attack signatures, sources and other security-related data.

There is already a precedent for cooperative information sharing between telecommunications carriers for fighting toll fraud. An organization called the Communications Fraud Control Association (CFCA) maintains a Fraud Alert Library. This library offers members up-to-the-minute information about the latest scams, evolving investigations and cases, compromised calling card and authorization codes, and other related fraud matters.

When long-distance telephony providers identify a source of fraudulent telephone calls, information about the suspected perpetrator is shared. This information sharing helps in three major ways: it alerts carriers to suspected sources and mechanisms for fraud; it can potentially increase evidence used by law enforcement; and it helps to reduce the amount of fraud on other carriers' networks. These same benefits would result from sharing cybersecurity information. Another precedent is the information sharing taking place between anti-virus vendors, which provides companies greater awareness of emerging threats.

Currently, most government agencies purchase network services from carriers on a piecemeal basis. They rely on the carriers to design overall system connectivity on an incremental basis, as contracts are won or lost. This approach leaves much to be desired. The overall efficiency and security of networks serving the government are not based on a cohesive master architecture. This needs to be re-examined. The Federal Government should take the lead in defining an overall architecture for communications between agencies and for interfaces to non-government parties.

Government agencies could also benefit from establishing their own autonomous system number (ASN) that could act as a peering separation layer between government agencies and the rest of the Internet. The peering layer could easily be utilized as a unified, protective barrier, ensuring all threats are uniformly analyzed and appropriate responses are created. One possible benefit of this arrangement would be to spur innovation among technology vendors to help implement this enhancement on a carrier scale.

ROLES OF CRITICAL INFRASTRUCTURE PROVIDERS

A variety of private enterprises provide infrastructure that supplies items critical to modern society, including communications, energy, healthcare, finance, food and water. Virtually all of these providers depend on modern communications for routine daily operations and data transfers. The government, in turn, depends on these private networks; therefore, ensuring a high level of cybersecurity for critical infrastructure network providers should be a priority for all levels of government.

Beyond the networks used by telecommunications carriers, autonomous control networks are common within large infrastructure enterprises. Automated systems are used to regulate the supply of electricity within the power distribution grid, convey financial transactions between banks, and control devices used to deliver healthcare and produce food. These systems and the connecting networks need to be secured against cyber attacks, including ones similar to the STUXNET infestation, which targeted industrial control systems rather than normal computer workstations, servers or IP networking equipment.

Technical assistance could improve cybersecurity for critical infrastructure providers by helping them develop a mature, comprehensive and agile plan that reacts to threats from many sources. Since the primary business of many of these providers is not related to networking, outside cybersecurity design and implementation would be advantageous. Government agencies should develop the framework necessary to gather assistance from industry experts.

    LEVEL 3S PERSPECTIVE

    As a large global provider of network infrastructure and services, Level 3 has a broad view of issues impacting cybersecurity. We believe it is the responsibility of service providers and government agencies at federal, state and local levels to communicate openly regarding cybersecurity issues. Through cooperative efforts between carriers and the government, and among carriers themselves, cybersecurity can be improved on many levels.

    Level 3 believes legislative efforts need to focus on creating a flexible, powerful framework for identifying, communicating and defeating cybersecurity threats. Because the frontline in this battle is constantly shifting, legislation that mandates specific methods for dealing with threats typically becomes obsolete before it is put into practice. A better policy would establish a set of clear goals, reporting rules and appropriate sanctions for cybersecurity requirements.

    Currently, cooperation between carriers and government agencies is hampered


    point for cybersecurity implementation. This is underscored by the increase in FISMA compliance within government agencies with little or no corresponding increase in broad measures of cybersecurity.

    FISMA could be improved by incorporating a set of best practices for the protection of management and back-office network environments and systems. This would help both government agencies and private network providers better understand how to develop systems that are less vulnerable to cyber attack.

    The DHS has established the Critical Infrastructure Partnership Advisory Council (CIPAC) to facilitate effective coordination of infrastructure protection programs between the federal, private, state, local, territorial and tribal sectors. The CIPAC represents a partnership between government and critical infrastructure/key resource (CIKR) owners and operators. It provides a forum to engage in a broad spectrum of activities to support and coordinate critical infrastructure protection.

    KEY POINTS OF CONCURRENCE IN PROPOSED LEGISLATION

    The following describes some of the provisions Level 3 believes should be included in legislation:

    A nationwide system of breach reporting is needed by government and critical infrastructure providers. This will provide a richer data set for analysis of current and potential threats, as well as support the development of better algorithms for attack detection and prevention.

    The proposed new penalties for cyber criminals appear to offer more effective consequences. By applying stiffer penalties, deterrence and the benefits of prosecution are increased.

    AREAS FOR FURTHER STUDY IN PROPOSED LEGISLATION

    Some areas of proposed legislation require clarification or potential revision to make them more closely aligned with the overall goal of enhancing cybersecurity. Level 3 proposes the following be considered for possible revision in the proposed legislation:

    The definition for the term "security breach" needs further clarification, particularly when mandatory breach reporting requirements are being woven into the proposed legislation. Level 3 submits the following definition for consideration:

    An unauthorized acquisition of and access to unencrypted or unredacted computerized data that materially causes or is reasonably likely to cause substantial economic loss.

    Disclosure of summaries of security plans to the general public has merits. It helps reassure the public that the government and critical infrastructure providers are making substantial changes to improve overall cybersecurity. Summary plans should include very abstract descriptions with an emphasis on principles and goals. Actual technologies and methods should not be disclosed. This will help retain cybersecurity solutions for longer periods of time.

    Current FISMA regulations provide a framework designed to enhance cybersecurity.

    There are a number of solid, practical rules included that make sense for any modern networking organization. Unfortunately, the detail required for documenting and certifying procedures is time-consuming, costly and can compete for resources to


    design and implement cybersecurity measures. Further, the documentation requirements tend to incent maintaining the status quo, instead of encouraging and rewarding innovations that could help enhance security.

    An adequate supply of trained, qualified personnel to design, implement and monitor security systems and procedures is a requirement for any successful cybersecurity operation. The proposed legislation actually may decrease the staffing levels at carriers due to the continuing education and recertification obligations required. Level 3 believes more than 20 percent of available staff hours will be consumed by certification, making those personnel unavailable for active cybersecurity efforts. Modifications to reduce required formalized training and certification should be considered. Carriers must also be encouraged to employ qualified individuals and support them with continuing education.

    OMISSIONS

    More emphasis on communication and action regarding actual and potential threats within proposed legislation could further enhance cybersecurity benefits for all stakeholders. Level 3 urges consideration be given to the following.

    Higher standards of accountability need to be developed and enforced to ensure that hardware and software suppliers develop and implement effective cybersecurity product controls. Manufacturers should be held responsible for developing and executing effective hardware and software security test plans prior to manufacturing release.

    The White House director of cybersecurity policy should define security and validation requirements for hardware and software vendors. At a minimum, these requirements could be used as criteria for future government purchase decisions. Private enterprises (including carriers and broadband access providers) would also be able to evaluate suppliers based on their compliance with these published requirements.

    The White House cybersecurity coordinator or director of cybersecurity policy must formalize a national vulnerability disclosure policy for carriers and their vendors. It needs to clarify the types of information required to be disclosed as well as the rules to be used for distributing the information.

    Many different types of infrastructure have been identified as critical infrastructure in various pieces of existing and proposed legislation. Establishing a prioritized list of these items to help guide actions of first responders in the event of a large-scale attack would be beneficial.

    Information about threats and attacks detected or suspected by carriers is routinely shared with the government, and is a well-established feature of proposed legislation. This could be improved by requiring the sharing of information between government and carriers.

    The National Cybersecurity and Communications Integration Center (NCCIC) should be mandated to provide public databases to share current and past threat data with carriers and other critical infrastructure providers. Additional information including the identities of suspected attackers and methods for dealing with threats should also be added. Different levels of access privileges may need to be enabled for the database, with backbone Internet carriers and broadband access providers having the greatest level of access, and commercial enterprises and other end users having limited access privileges.


    Regulations should give broadband access providers greater responsibility for detecting threats and stopping them. This will help overall cybersecurity goals by helping thwart attackers closer to their source and preventing the attacker traffic from integrating with other traffic. These regulations should be enforced through incentives for strong security measures taken by broadband access providers and by sanctions for failure to meet minimum standards.

    For access providers hoping to implement a "clean pipe" strategy (i.e. only providing network access to users who have installed effective anti-virus software on their devices), a legal framework needs to be established. It should include a clarification of the types of acceptable rules providers can establish. Liability protection for carriers denying service to users whose machines do not meet clean-pipe requirements also needs to be addressed.

    System logs record a great deal of valuable data that can be used to perform forensic analysis after a cyber attack has occurred and for monitoring network health on a long-term basis. Gathering and analyzing log data from a range of different network devices and providers would create a rich data set for research and analysis. Unfortunately, data logs are captured by devices from different manufacturers and deployed by individual carriers. This causes incompatibilities and inconsistencies, which makes comparisons between logs extremely difficult. A standardized log format developed by NIST or another suitable entity would greatly increase the potential for data sharing. To stimulate use of a standard format, legislation requiring carriers to routinely deliver copies of log files to a central repository could be enforced. This should be managed by a federal agency, such as the NCCIC.
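    The incompatibility problem described above is easiest to see on concrete log lines. The following Python example is added here to illustrate it; it is not Level 3's code, and it does not implement any NIST format. The two vendor log formats, the device names and the addresses (taken from the RFC 5737 documentation ranges) are all constructed for the example. It parses both formats into one common record schema (UTC ISO 8601 timestamp, device, action, addresses, protocol, port) so that deny events from different devices can finally be compared and counted together, which the raw lines do not allow because their timestamps, action vocabularies and field orders differ.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines from two hypothetical vendor formats (not real products).
# Vendor A: BSD-syslog style, no year in the timestamp, key=value fields.
VENDOR_A_LINES = [
    "Jun 14 03:22:17 edge-rtr1 fw: DENY src=203.0.113.7 dst=198.51.100.20 proto=tcp dport=22",
    "Jun 14 03:22:18 edge-rtr1 fw: ACCEPT src=192.0.2.44 dst=198.51.100.20 proto=tcp dport=443",
]
# Vendor B: comma-separated, ISO timestamp, different action words and field order.
VENDOR_B_LINES = [
    "2011-06-14T03:22:19Z,core-fw2,blocked,203.0.113.7,198.51.100.20,TCP,22",
    "2011-06-14T03:22:25Z,core-fw2,blocked,203.0.113.7,198.51.100.21,TCP,22",
]

# Each vendor's action vocabulary mapped onto one shared vocabulary.
ACTION_MAP = {"DENY": "deny", "DROP": "deny", "blocked": "deny",
              "ACCEPT": "allow", "allowed": "allow"}

_A_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) fw: "
    r"(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

_TS_FMT = "%Y-%m-%dT%H:%M:%SZ"   # the single timestamp form every record gets


def _action(raw):
    # Fail loudly on an unknown action word instead of silently misclassifying it.
    if raw not in ACTION_MAP:
        raise ValueError(f"unknown action {raw!r}")
    return ACTION_MAP[raw]


def parse_vendor_a(line, year):
    """Vendor A lines carry no year, so the collector must supply it."""
    m = _A_RE.match(line)
    if not m:
        raise ValueError(f"unparseable vendor A line: {line!r}")
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts.strftime(_TS_FMT), "device": m["host"], "action": _action(m["action"]),
            "src_ip": m["src"], "dst_ip": m["dst"], "proto": m["proto"].lower(),
            "dst_port": int(m["dport"])}


def parse_vendor_b(line):
    fields = line.split(",")
    if len(fields) != 7:
        raise ValueError(f"unparseable vendor B line: {line!r}")
    ts_s, host, action, src, dst, proto, dport = fields
    ts = datetime.strptime(ts_s, _TS_FMT).replace(tzinfo=timezone.utc)
    return {"ts": ts.strftime(_TS_FMT), "device": host, "action": _action(action),
            "src_ip": src, "dst_ip": dst, "proto": proto.lower(), "dst_port": int(dport)}


def normalize(lines_a, lines_b, year):
    """Merge both feeds into one time-ordered list of common-schema records."""
    records = [parse_vendor_a(l, year) for l in lines_a] + [parse_vendor_b(l) for l in lines_b]
    records.sort(key=lambda r: r["ts"])   # fixed-width timestamps sort correctly as strings
    return records


def denies_by_source(records):
    """Cross-device view that the raw, vendor-specific lines could not give."""
    counts = {}
    for r in records:
        if r["action"] == "deny":
            counts[r["src_ip"]] = counts.get(r["src_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = normalize(VENDOR_A_LINES, VENDOR_B_LINES, 2011)
    for r in recs:
        print(r)
    print(denies_by_source(recs))
```

    The two parsers are the part that a shared format would make unnecessary: with one schema at the source, the central repository the text proposes would only need the sort and the aggregation.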

    The White House cybersecurity coordinator has significant influence on the federal administration's cybersecurity conduct and on regulations developed by various federal agencies. Due to the level of responsibility, Senate confirmation should be required.

    Future Directions in Cybersecurity

    Beyond the current legislative and regulatory initiatives, significant developments will shape the landscape of cybersecurity for years to come. The following four paragraphs address several of these developments and potential impacts on government networks as well as the public Internet.

    IPV6 MIGRATION

    As the September 2012 federal agency deadline approaches for IPv6 implementation, several issues must be addressed. First, any vulnerabilities arising from publishing addresses inside the DNS network will need to be corrected. Second, when more devices are issued with native IPv6 addresses and connected directly to the Internet (bypassing the Network Address Translation servers commonly used to protect IPv4 systems today), new mechanisms will need to be developed for ensuring device cybersecurity. And third, the added complexity required to simultaneously handle two protocol stacks (IPv4 and IPv6) within web servers and other devices will require extra vigilance in design and increased testing to prevent new vulnerabilities.
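    One concrete instance of the dual-stack design risk mentioned in the third point is address-based access control. The Python example below is added to illustrate it; it is not Level 3's code and the allowlist networks (RFC 5737 and RFC 3849 documentation ranges) are constructed for the example. A check written in the IPv4 era often compares the peer address as a string; under IPv6 the same address has several textual forms (zero-padded, upper-case, compressed), and on a dual-stack listener an IPv4 client can appear as an IPv4-mapped IPv6 address (::ffff:a.b.c.d). The hardened check parses the address, unmaps it, and matches it against networks, failing closed on anything it cannot parse.

```python
import ipaddress

# Constructed management networks that are permitted to reach an admin interface.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:1::/48")]

# What a string-based ACL from the IPv4 era typically holds: literal addresses.
ALLOWED_STRINGS = {"192.0.2.10", "2001:db8:1::10"}


def naive_is_allowed(peer):
    """String comparison: works for dotted-quad IPv4, breaks for IPv6 spellings
    and for IPv4 peers seen through a dual-stack socket."""
    return peer in ALLOWED_STRINGS


def canonical_peer(peer):
    """Parse the textual address and collapse the forms a dual-stack listener
    can present. IPv4-mapped IPv6 (::ffff:a.b.c.d) denotes an IPv4 peer, so it
    is unmapped and then judged by the IPv4 rules. Raises ValueError on junk."""
    addr = ipaddress.ip_address(peer)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def hardened_is_allowed(peer):
    """Network-based check over the canonical address; fails closed."""
    try:
        addr = canonical_peer(peer)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


if __name__ == "__main__":
    # Constructed peer addresses as a dual-stack server might see them.
    for peer in ("192.0.2.10", "::ffff:192.0.2.10",
                 "2001:db8:1::10", "2001:0DB8:0001:0000:0000:0000:0000:0010",
                 "::ffff:203.0.113.5", "not-an-address"):
        print(f"{peer:45} naive={naive_is_allowed(peer)!s:5} hardened={hardened_is_allowed(peer)}")
```

    The naive check rejects legitimate IPv6 peers spelled differently from the stored string and rejects IPv4 peers arriving as mapped addresses, so in practice operators widen it until it is no longer a control; the network-based check keeps the original policy while handling both stacks.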

    IDENTITY MANAGEMENT

    Secure, flexible identity management can be easily deployed across multiple platforms with support from carriers. By placing credential servers with the


    network core, personnel can be verified across multiple agencies' networks. This portability provides greater mobility for staff and improves agencies' abilities to redistribute staff during network outages and public emergencies. Additionally, centralizing these functions could reduce overheads and lower costs.

    FISMA REVISIONS

    Future revisions to FISMA should focus on protecting systems against current and emerging attack vectors. This will help ensure response plans are developed to protect against specific threats. Once agencies start to implement incident response capabilities, those judged to be superior can be shared. Through information sharing and continuous improvement, the overall level of cybersecurity will increase for all federal agencies.

    FUTURE RULEMAKING

    More complex viruses, worms and other malware are continuously developed at rapid speeds. To keep pace, advanced innovation is needed throughout the cybersecurity industry. Rules and regulations must be flexible to avoid interfering with the development of effective countermeasures. Level 3 agrees with DHS Secretary Janet Napolitano, who said, "We believe that any government rules for cyberspace should identify where we want to be, not proscribe exactly how to get there, and should allow ample space for innovation. They should also be clear, fair and broadly supported, and respect and reflect the diversity of the society in which we live."

    Conclusion

    Cybersecurity cannot be achieved through simplistic, rigid rules. Effective defense against cyber attacks requires flexibility to adapt to an evolving array of threats. Cybersecurity adversaries utilize multifaceted approaches to compromise critical infrastructures. The cybersecurity industry must begin working together as a unified force to prevent these attacks.

    Legislation supporting increased two-way communications between service providers and government agencies encourages all Internet participants to accept appropriate responsibilities. It avoids burdensome certification and documentation requirements and can help increase overall levels of security.

    Although the threat of malicious cyber attacks and malware will never completely disappear, effective regulations and policies can make government and public networks safer and more secure.

    © 2011 Level 3 Communications, LLC. All Rights Reserved. Level 3 Communications, Level 3 and the Level 3 Communications logo are registered service marks of Level 3 Communications, LLC in the United States and/or other countries. Level 3 services are provided by wholly owned subsidiaries of Level 3 Communications, Inc. Any other service, product or company names recited herein may be trademarks or service marks of their respective owners.

    Appendix: Defining Cybersecurity and Other Terms

    Level 3 broadly defines cybersecurity as the ongoing development and maintenance of the security of all computers and systems in a network environment. This definition may include related broad-based topics like social, political and


    legislative concerns. In contrast, the focus of the traditional information assurance industry is protection of any given data's confidentiality, integrity and authentication. Another way to understand the difference is that cybersecurity aims to prevent attacks from accessing or destroying sensitive data, whereas information assurance is focused on encrypting data and recovering from system failures and attacks. Cybersecurity rules are formulated in FISMA and developed in Einstein; information assurance rules are based on HIPAA (Health Insurance Portability and Accountability Act of 1996) and the Sarbanes-Oxley Act of 2002.

    A working knowledge of several key telecommunications and data networking terms and concepts is helpful in understanding the content within this paper. The following glossary should help define the key terms used in the document.

    Access Provider: An enterprise that supplies network connections and Internet access to households, organizations and enterprises on a retail basis. Also known as ISPs (Internet service providers) and broadband access providers. Can take many forms, including local telephone co-ops, community services and cable TV providers.

    APT (Advanced Persistent Threat): Sophisticated malware or other cyber attack targeted at a specific objective, such as disabling a certain website or obtaining particular information. Differs from many other attacks that merely seek financial gain from victims at random.

    ASN (Autonomous System Number): A globally unique number that identifies each of the Autonomous Systems (AS) that are connected to make up the Internet. Each AS must have a single, consistent policy that is used for routing packets, and must be under the control of a single entity, such as a carrier or a large corporation. An AS can peer with another AS by exchanging routing information, which allows data traffic to flow directly between the systems.

    Attack Vectors: Mechanisms or routes that are used to gain unauthorized access into a computer system. Examples include Internet connections, email attachments, USB thumb drives, and many others.

    Backbone: International network of high-speed communication links and high-performance routers that provides connections between different portions of the Internet.

    Botnet: Group of user devices or servers that have been infested with malware that gives an external party the ability to control some or all functions of the devices. Botnets made up of large numbers of compromised user PCs are frequently used to carry out DDoS attacks.

    Carriers: National and international providers of Internet backbone services. May connect directly to large customers, but focus primarily on high-speed connections to access providers.

    Clean Pipe: Cybersecurity principle wherein all devices connected to a specific network (or "pipe") are demonstrated to be free of malware.

    Cloud Computing: Software design concept where strict associations between software modules and hardware platforms are replaced with a flexible, distributed pool of computing resources that can be quickly allocated to tasks to meet rapidly shifting processing loads.

    Control Families: Groups of protocols or procedures that provide related forms of protection against external threats. NIST has developed a reference list of control


    families including items such as Access Control, Physical and Environmental Protection, Identification and Authentication, and several others.

    Cyber Attack: Malicious attempt by an outside party (often of criminal background) to gain control of a system, obtain unauthorized information or interfere with the normal behavior of the system.

    Cybersecurity: A condition of being safe from unauthorized access to private information and protected against malicious use of networked devices; also, the actions taken to achieve this state.

    DDoS (Distributed Denial of Service) Attack: Cyber attack that utilizes multiple coordinated processes to flood a targeted IP address with large numbers of pings or other packets, thereby causing the target to malfunction or to be unable to respond to requests from normal users.

    Deep Packet Inspection: Technique used in firewalls and other devices where each IP packet is subjected to rigorous screening for malware, including all or most types of embedded protocols.

    DNS (Domain Name System): Functional component of the World Wide Web that converts user-readable URLs (Uniform Resource Locators) into the numeric IP addresses required for Internet transport. Corruption of the DNS database can cause devices to unknowingly connect to malicious servers.

    FISMA (Federal Information Security Management Act of 2002): Federal law that defined cybersecurity requirements to be followed by each federal agency, including risk assessment, security planning and required certifications for systems and personnel.

    Hosting: Providing a processing platform, including hardware and software, that allows an application to run. For example, web hosting provides a server and related software necessary to support the delivery of web pages in response to user requests.

    IANA (Internet Assigned Numbers Authority): Organization that oversees the assignment of numerical values that must be globally unique on the public Internet, such as IP addresses and ASNs.

    Identity Management: Process for verifying users and issuing them credentials necessary to access specific systems and information. Commonly used in large organizations.

    Internet Protocol (IP): Part of the TCP/IP family of protocols describing software that tracks the Internet address of nodes, routes outgoing messages and recognizes incoming messages.

    Intranet: Private IP-based network that may or may not connect to the public Internet through a firewall.

    IPSec: Set of secure IP transport technologies that use cryptography to prevent unauthorized parties from reading packet contents.

    IPv4 and IPv6: Current and emerging versions of the Internet Protocol. IPv4 supports the vast majority of users and servers on today's Internet. IPv6, which has been defined for more than a decade, is increasingly being used to support new users due to the scarcity of new addresses in IPv4 needed to support new users and servers. All access providers must migrate to IPv6 by September 2012, as outlined in the Trusted Internet Connection mandate from the Office of Management and Budget.


    ISP (Internet Service Provider): Company or organization that provides network access to the Internet for individuals and enterprises, generally on a monthly fee basis.

    Kill Switch: Informal name for a network feature that provides the ability to completely isolate one portion of a network from another, often along lines that correspond to national boundaries.

    Malware: Generic name for software with malicious intent, comprising trojans, viruses, worms and other algorithms designed to cripple, control or steal information from targeted systems.

    NCIRP (National Cyber Incident Response Plan): Document developed by the DHS to define the roles and responsibilities of government agencies and private industry in the event of a significant cyber attack.

    Packet: A variable-length data container, consisting of a header and a payload, which can be transported over an IP network.

    Ping: Short control message used to verify connectivity between two devices on a network. Devices can suffer from degraded performance when attempting to respond to a large number of simultaneous ping messages.

    Provider Edge: Point that defines the limit of a given carrier's network, where connections are made to other carriers or to customer-provided equipment. Provider edge devices supply connectivity and packet forwarding functions that bring data into and out of a provider's network.

    PSTN (Public Switched Telephone Network): Global telecommunications network that connects voice and data circuits among hard-wired, mobile and other devices that use numeric dialing.

    Router: In IP networks, a device that examines the addressing information contained in each IP packet header to determine where to forward packets through the network toward their ultimate destinations.

    Scareware: Web-browser pop-ups and email messages that provide false security alerts to users in order to convince them to download and install useless or harmful anti-malware utilities. Frequently used to distribute trojans.

    Server: Generically, any hardware or software device that provides services to another device or user. For Internet applications, web servers fulfill requests for data that are made from end users operating web browsers.

    SSL (Secure Sockets Layer): Predecessor to TLS (Transport Layer Security), which is used to provide secure, encrypted communications between devices over the Internet or any other network.

    STUXNET: One of the most sophisticated APTs encountered to date, this worm was apparently intended to disrupt the operation of centrifuges used to enrich uranium at facilities located in Iran. Stuxnet reportedly utilized four previously unknown zero-day vulnerabilities along with an advanced mechanism for propagation through portable USB thumb drives.

    TIC mandate (Trusted Internet Connection): Set of rules issued by OMB for all civilian federal agencies that was intended to increase the overall level of cybersecurity and to simplify and control the interface between federal networks and the Internet.

    Tier 1 Carriers: Large, self-sufficient network providers that provide data transport primarily over facilities that are owned and operated by the carrier. Tier 1 carriers


    provide direct connections to multiple Autonomous Systems and are typically international in scope.

    Trojan: Named after the infamous Trojan horse described in Virgil's epic poem, this is a form of malware that hides inside a purportedly useful program such as a free anti-virus scanning utility. A trojan propagates by prompting unsuspecting users to download and install the program.

    Virus: Form of malware that is typically transmitted through user actions such as opening an email attachment or visiting a specific website. Like their biological namesake, computer viruses often include a means to replicate within an infected system in order to infect new host devices.

    Worm: Form of malware that autonomously propagates among systems that are connected by a common network, such as a shared corporate network.

    Zero Day: System vulnerability that was present in a software system when initially released; could also be considered a latent security weakness that can be exploited by a malicious attacker.