Querencia Talk: - It's a Dangerous (Cyber) Worldbyoung/querencia-talk-slides.pdf · 2014. 8. 26. · Querencia Talk: It’s a Dangerous (Cyber) World Dr. Bill Young Department of

Querencia Talk:

It’s a Dangerous (Cyber) World

Dr. Bill YoungDepartment of Computer Science

University of Texas at Austin

Last updated: August 26, 2014 at 10:46

Dr. Bill Young: 1 Dangerous Cyberworld

What I’d Like to Discuss

The scope of the problem

Why cyber security is hard

Are we at (Cyber) war?

What responses are legaland feasible


From the Headlines

Silent War, Vanity Fair, July 2013

On the hidden battlefields of history’sfirst known cyber-war, the casualties arepiling up. In the U.S., many banks havebeen hit, and the telecommunicationsindustry seriously damaged, likely inretaliation for several major attacks onIran.

Washington and Tehran are ramping up their cyber-arsenals, builton a black-market digital arms bazaar, enmeshing such high-techgiants as Microsoft, Google, and Apple.


From the Headlines

Iran’s supreme leader tells students to prepare for cyber war,rt.com, 2/13/14

Ayatollah Ali Khamenei has delivered asabre-rattling speech to Iran’s’Revolutionary foster children’ (in otherwords, university students) to preparefor cyber war. The supreme leader hasurged his country’s students whom hecalled “cyber war agents” — to preparefor battle.


From the Headlines

Cyber security in 2013: How vulnerable to attack is US

now?, Christian Science Monitor, 1/9/13

The phalanx of cyberthreats aimed squarely at Americans’livelihood became startlingly clear in 2012 and appears poised toproliferate in 2013 and beyond.

That prediction came true:

2013 was the most historic year ever for cyber attacks. Theindustry saw several mega attacks that included sophisticatedDDoS attack methods. (IT Business Edge, 12/16/13)

Health care hardest hit:

The Identity Theft Resource Center reported that health-careorganizations suffered 267 breaches (in 2013), or 43 percent of allattacks. That’s significantly higher than the business sector.(Wonkblog, 2/5/14)


From the Headlines

U.S. Not Ready for Cyberwar Hostile Attackers Could

Launch, The Daily Beast, 2/21/13

The Chinese reportedly have been hackinginto U.S. infrastructure, and Leon Panettasays future attacks could plunge the U.S.into chaos. We’re not prepared. If thenightmare scenario becomes suddenly real... If hackers shut down much of theelectrical grid and the rest of the criticalinfrastructure goes with it ...

If we are plunged into chaos and suffer more physical destructionthan 50 monster hurricanes and economic damage that dwarfs theGreat Depression ... Then we will wonder why we failed to guardagainst what outgoing Defense Secretary Leon Panetta has termeda “cyber-Pearl Harbor.”


The U.S. at Risk?

Experts believe that U.S. is perhaps particularly vulnerable tocyberattack compared to many other countries.

The U.S. is probably moredependent on technologythan any other society onearth.

Sophisticated attack toolsare readily available toanyone on the Internet.

The openness of U.S.society means criticalinformation andvulnerabilities are accessible.


Why We’re Vulnerable

Much of the U.S. criticalinfrastructure is accessibleon-line.

Other nation states have muchmore control over their nationalcommunication infrastructure.

The defense establishment isdrowning in data.

Technology advances rapidlybut remains riddled withvulnerabilities.


How Bad Is It?

Cyberwarfare greater threat to US than terrorism, say

security experts, Al Jazeera America, 1/7/14

Cyberwarfare is the greatest threatfacing the United States — outstrippingeven terrorism — according to defense,military, and national security leaders ina Defense News poll.

45 percent of the 352 industry leaders polled said cyberwarfare isthe gravest danger to the U.S., underlining the government’s shiftin priority—and resources—toward the burgeoning digital arena ofwarfare.


The U.S. Government Takes this Seriously

“The Pentagon has concludedthat computer sabatoge comingfrom another country canconstitute an act of war, a findingthat for the first time opens thedoor for the U.S. to respondusing traditional military force.”(Wall Street Journal, 5/31/11)

“The Pentagon will expand its cyber security force from 900personnel to a massive 4,900 troops and civilians over the next fewyears following numerous concerns over the dangerously vulnerablestate of their defenses, according to US officials.” (rt.com,1/18/13)


But What is Cyber Warfare?

Cyber warfare involves “actions by anation-state to penetrate another nation’scomputers or networks for the purpose ofcausing damage or disruption.” –Clarke andKnape.


And Are We Already There?

Cyber warfare involves “actions by a nation-state to penetrateanother nation’s computers or networks for the purpose of causingdamage or disruption.” –Clarke and Knape.

Clarke’s definition of Cyber warfare raises as many questions as itaddresses:

Can’t a non-state entity engage in warfare?

Which computers or networks matter?

Which actions should qualify as acts of war?

Is “warfare” even a useful term in this context?

Why not just make our computers and networks impervious tosuch attacks?


Why Are We At Risk?

Arguably, the only way that anothernation-state can “penetrate [our]computers or networks for the purposeof causing damage or disruption” is

1 if they have insider access; or

2 there are exploitable vulnerabilitiesthat allow them to gain remoteaccess.

So, why not just “harden” our computers and networks to removethe vulnerabilities?


Is Cyber Security Particularly Hard?

Why would cybersecurity by any harder than other technologicalproblems?

Partial answer: Most technologicalproblems are concerned with ensuringthat something good happens.Security is all about ensuring that badthings never happen.


Cyber Defense is Asymmetric

The defender has to find andeliminate all exploitablevulnerabilities; the attacker onlyneeds to find one!

In cybersecurity, you have to defeat an actively maliciousadversary. Security Guru Ross Anderson characterizes this as“Programming Satan’s Computer.”


Cyber Security is Tough

Perfect security is unachievablein any useful system. Wetrade-off security with otherimportant goals: functionality,usability, efficiency,time-to-market, and simplicity.


Is It Getting Better?

“The three golden rules to ensure computersecurity are: do not own a computer; do notpower it on; and do not use it.” –Robert H.Morris (mid 1980’s), former chief scientist ofthe National Computer Security Center

“Unfortunately the only way to really protect[your computer] right now is to turn it off,disconnect it from the Internet, encase it incement and bury it 100 feet below theground.” –Prof. Fred Chang (2009), formerdirector of research at NSA


Some Sobering Facts

There is no completely reliableway to tell whether a given pieceof software contains maliciousfunctionality.

Once PCs are infected they tendto stay infected. The medianlength of infection is 300 days.

“More than 5.5 billion attempted attacks were identified in2011, an increase of 81 percent over 2010, with anunprecedented 403 million unique malware variants that year,a 41 percent leap.” (Symantec Internet Security ThreatReport, 2012)


The Cost of Data Breaches

The Privacy Right’sClearinghouse’s Chronology ofData Breaches (January, 2012)estimates that more than halfa billion sensitive records havebeen breached since 2005.This is actually a very“conservative estimate.”

The Ponemon Institute estimates that the approximate currentcost per record compromised is around $318.

“A billion here, a billion there, and pretty soon you’re talking realmoney” (attributed to Sen. Everett Dirksen)


But is it War?

How real is the threat?

Is the warfare metaphor ahelp or a hinderance?

Are cyberattacks bestviewed as crimes, “armedattacks,” both, or somethingelse entirely?

Is this issue about semanticsor substance?

Does it really matter?


Warfare: Cyber and Otherwise

Recall Clarke’s definition of cyber warfare: “actions by anation-state to penetrate another nation’s computers or networksfor the purposes of causing damage or disruption.”

Can activity in cyberspace have “kinetic” consequences such asproperty damage and loss of lives? Does it have to have suchconsequences to qualify as an act of war?


The Pentagon View

Cyber Combat: Act of War, Wall Street Journal, 5/31/11

“The Pentagon has concluded thatcomputer sabatoge coming fromanother country can constitute an actof war, a finding that for the first timeopens the door for the U.S. to respondusing traditional military force.


Notable Cyber Campaigns

First Persian Gulf War (1991):Iraq’s radar and missile controlnetwork taken offline.

Estonia (2007): websites ofgovernment ministries, politicalparties, newspapers, banks, andcompanies disabled.

Georgia (2008): DoS attack shutsdown much of Georgia’s ability tocommunicate with the externalworld.


What Might a Cyber-attack Look Like: Stuxnet

Stuxnet is a Windows computerworm discovered in July 2010that targets Siemens SCADA(Supervisory Control and DataAcquisition) systems.

In interviews over the past three months in the United States andEurope, experts who have picked apart the computer wormdescribe it as far more complex and ingenious than anything theyhad imagined when it began circulating around the world,unexplained, in mid-2009. –New York Times, 1/16/11


Stuxnet Characteristics

Stuxnet is the new face of 21st-century warfare: invisible,anonymous, and devastating. ... Stuxnet was the firstliteral cyber-weapon. America’s own criticalinfrastructure is a sitting target for attacks like this.(Vanity Fair, April 2011)

Stuxnet was the first (known) malware that subverts specificindustrial systems.

Believed to have involved years of effort by skilled hackers todevelop and deploy.

Narrowly targeted, quite possibly at Iran’s nuclear centrifuges.

Widely believed to have been developed by Israel and the U.S.


Stuxnet Worm

Kaspersky Lab Provides Its Insights on Stuxnet Worm,Kaspersky.com, 9/24/10

“I think that this is the turning point, this isthe time when we got to a really new world,because in the past there were justcyber-criminals, now I am afraid it is the timeof cyber-terrorism, cyber-weapons andcyber-wars.”


Children of Stuxnet

The successors of Stuxnet may be even more sophisticated:

DuQu: (Sept. 2011) looks for information that could be useful inattacking industrial control systems.

Flame: (May 2012) designed for cyber-espionage,targeted government organizations and educationalinstitutions in Iran and elsewhere.

Gauss: (Aug. 2012) complex cyber-espionage toolkit designed tosteal sensitive data.

Unlike conventional munitions, could be repurposed and redirectedat the sender.


Cyber Attacks on the U.S.

The U.S. has already been “attacked” in the sense of cyberespionage.

Moonlight Maze: coordinated attacks onU.S. computer systems (1999), traced toMoscow; compromised huge amount of data,possibly including classified naval codes andmissile guidance systems specs.

Titan Rain: coordinated attacks on U.S.systems since 2003 probably Chinese andcompromising an estimated 10-20 terabytes ofdata.

There are undoubtedly others that we don’t yet know about.


From the Headlines

House Intel Chair Mike Rogers Calls Chinese Cyber Attacks

’Unprecedented’, ABC News, 2/24/13

House Intelligence Committee ChairMike Rogers, R-Mich., said it was“beyond a shadow of a doubt” that theChinese government and military isbehind growing cyber attacks againstthe United States, saying “we arelosing” the war to prevent the attacks.

“It is unprecedented,” Rogers added. “This has never happened inthe history of the world, where one nation steals the intellectualproperty to re-purpose it—to illegally compete against thecountry.”


Does It Go Beyond Espionage?

Some security experts warn that asuccessful possible widespread attackon U.S. computing infrastructurecould largely shut down theU.S. economy for up to 6 months.

It is estimated that the destruction from a single wave of cyberattacks on U.S. critical infrastructures could exceed $700 billionUSD—the equivalent of 50 major hurricanes hitting U.S. soil atonce. (Source: US Cyber Consequences Unit, July 2007)


CyberAttacks: An Existential Threat?

Cyberattacks an ’Existential Threat’ to U.S., FBI Says,Computerworld, 3/24/10

A top FBI official warned today thatmany cyber-adversaries of the U.S. havethe ability to access virtually anycomputer system, posing a risk that’s sogreat it could “challenge our country’svery existence.”

According to Steven Chabinsky, deputy assistant director of theFBI’s cyber division: “The cyber threat can be an existentialthreat—meaning it can challenge our country’s very existence, orsignificantly alter our nation’s potential.”


Not Everyone Agrees

Howard Schmidt, the new cybersecurity czarfor the Obama administration, has a shortanswer for the drumbeat of rhetoric claimingthe United States is caught up in a cyberwarthat it is losing. “There is no cyberwar. I thinkthat is a terrible metaphor and I think that is aterrible concept,” Schmidt said. “There are nowinners in that environment.” (Wired,3/4/10)

Mr. Schmidt doesn’t think there’s no problem, just that we’recalling it by the wrong name.


Is a Cyber Attack an Act of War?

There are some serious questions that deserve national andinternational dialogue.

How serious would a cyber attack have to be considered an“act of war”?

What if it were an act by non-state actors?

Would it require certainty about who initiated it?

What degree of control would the offending nation have toexert over such actors?

Must the response be electronic or could it be “kinetic”?


Selecting Targets

States are supposed to adhere to certain criteria in selectingtargets of attack:

Distinction: requires distinguishingcombatants from non-combatants anddirecting actions against military objectives

Necessity: limits force to that “necessary toaccomplish a valid military objective”

Humanity: prohibits weapons designed “tocause unnecessary suffering”

Proportionality: protects civilians andproperty against excessive uses of force

Do these apply to cyberattacks? To responses to cyberattacks?


Targets

There are good reasons to believe that the choice of targets mightbe different in cyber vs. kinetic warfare.

Non-state actors may not feel bound by the conventional lawsof war.

The actors may be in an asymmetric power relationship.

Non-state actors may be looking for “soft” high-value targets.

Cyber attacks offer the ability to “skip the battlefield.”

Systems that people rely upon, from banks to air defenseradars, are accessible from cyberspace and can be quicklytaken over or knocked out without first defeating acountry’s traditional defenses. –Clarke and Knape, 31


Targets

In a cyberattack, targets could be: military, civil or private sector.

If a major cyber conflict betweennation-states were to erupt, it is very likelythat the private sector would get caught inthe crossfire. Most experts agree thatcritical infrastructure systems—such as theelectrical grid, banking and finance, and oiland gas sectors—are vulnerable in manycountries. –McAfee (2009) VirtualCriminology Report


How Vulnerable is Our Infrastructure?

Nobody would be dumb enough to make such critical functionalityaccessible remotely. Would they?

“I have yet to meet anyone whothinks SCADA systems should beconnected to the Internet. Butthe reality is that SCADAsystems need regular updatesfrom a central control, and it ischeaper to do this through anexisting Internet connection thanto manually move data or build aseparate network.” –Greg Day,Principal Security Analyst atMcAfee


The Attribution Problem

Often it is extremely difficult todetermine the source of a cyberattack.

If you’re not sure who attacked you,can you attack back?

“States find themselves in a ‘response crisis’ during a cyber attack,forced to decide between effective but arguably illegal, activedefenses, and the less effective, but legal, passive defenses andcriminal laws.” –Carr, Inside Cyber Warfare, 47


U.N. Charter

The U.N. Charter preserves the rightof states to engage in “individual orcollective self-defense” in response toan “armed attack.” (Article 51).

However, that begs the question of when a cyber attack should beconsidered an “armed attack.”


The Law of War

How do the laws of war apply to cyber attacks?

Laws of war arose in a conventional context inwhich:

it is easy to assess the damage followingan attack, and

it is typically easy to identify the attacker.

“Current international law is not adequate for addressing cyberwar. Analogies to environmental law, law of the sea and kineticwar all break down at some point.” –Eneken Tikk, legal advisor forthe Cooperative Cyber Defence Centre of Excellence in Estonia


The Prevailing View

According to Lt. Cmd Matt Sklerov (quoted in Carr, 47):

“The prevailing view of states and legal scholars isthat states must treat cyber attacks as a criminalmatter

1 out of uncertainty over whether a cyberattackcan even qualify as an armed attack, and

2 because the law of war requires states toattribute an armed attack to a foreigngovernment or its agents before responding withforce.”


The Crime-Based Approach

If you treat cyber attacks as a criminalmatter, with deterrence from criminallaws and penalties, how do you forcestates to comply with internationalcriminal laws?

“Several major states, such as China and Russia, allow theirattackers to operate with impunity when their attacks targetrival states.” (Carr, 47)

“International legal acts regulating relations arising in theprocess of combating cyber crimes and cyber terrorism mustnot contain norms violating such immutable principles ofinternational law as non-interference in the internal affairs ofother states, and the sovereignty of the latter.” (MoscowMilitary Thought, 3/31/97)


The Law of War

Nations have a duty to preventnon-state actors from using theirterritory to commit cross-borderattacks, including the requirement forstates to act against groups generallyknown to carry out illegal attacks.

Sklerov suggests that duty “should be interpreted to require statesto enact and enforce criminal laws to deter cross-border cyberattacks.”

A state that fails to do so could be labeled a sanctuary state andsanctioned by the international community.


International Agreements

Most directly relevant is theEuropean Convention onCybercrime, which recognizes theneed of states to criminalizecyber attacks and the duty ofstates to prevent non-state actorson their territory from launchingthem.

requires states to establish domestic criminal offenses for mosttypes of cyber attacks

recognizes the importance of prosecuting attackers

requires extending jurisdiction to cover a state’s territory andactions of citizens regardless of their location.

The Convention has been signed by 26 countries including the U.S.


Conclusions

Cyber attacks are a serious threat tothe U.S. and other states.

Cyber warfare may not be a helpfulmetaphor.

The nature of the Internet makescyber attacks powerful, difficult tocounter, and difficult to attribute.

No technical solutions are on thehorizon.

Treaties and legal frameworks have not kept pace with thethreat.Promising theories and approaches are developing to help theinternational community cope.


Documents

Querencia Talk: - It's a Dangerous (Cyber) Worldbyoung/querencia-talk-slides.pdf · 2014. 8. 26. · Querencia Talk: It’s a Dangerous (Cyber) World Dr. Bill Young Department of