Defending the Power Grid is Defending the Nation


When Cyber War: The Next Threat to National Security and What to Do About It came out in April, publisher HarperCollins had high hopes it would race up the bestseller list.

It didn't. It should have.

Cyber War is co-authored by Richard A. Clarke, a Harvard professor, former White House security advisor and novelist, and Robert Knake, a bright young security analyst currently completing a fellowship at the Council on Foreign Relations.

"The book was meant to be a conversation starter," says Knake. "We wrote it to highlight the issue and bring attention to it - and try and make an issue that is highly technical and sometimes difficult to understand manageable even for the general public."

Cyber War, written in an engaging, vivid style - Clarke is a novelist - succeeds, perhaps too well.

The book paints a stark, uncompromising picture of the problems posed by rising organized cyber crime and espionage and the looming threat of cyber war. And the authors' recommended solutions are often unpalatable.

That may be one reason it didn't find the wider readership its publisher anticipated. Cyber War is an uncomfortable read. It sometimes makes you want to run around screaming with your hands waving in the air and then stick your head in the sand.

One of the most disturbing messages is that organized cyber attacks are virtually impossible to defend against. Indeed, you may not even know you've been attacked.

"For many threats," Knake confirms, "there is no defensive solution. The Internet by its nature is fundamentally insecure. Given the way we build hardware and design and write software, there are inherent vulnerabilities that make it much easier to carry out offense than to defend against attacks."

So what are the solutions?

Changing the way we design and build software and hardware would help - but would be awfully difficult to achieve.

Building hardware and software offshore, including in China, which is suspected of engaging in organized cyber espionage, makes it difficult to prevent malware being introduced into products at inception, Knake points out.

It might mean building really critical systems and software in controlled facilities in the U.S., he says.

Human error in the software development process is another major cause of security vulnerability and hence of security breaches. Changing "liability standards" could help tighten the process.

"If you load a piece of software and this leads to the loss of your personally identifiable information or assets, the developer would now be legally liable," Knake says.

You can see what we mean by unpalatable solutions. Imagine the howls from Silicon Valley lobbyists if a government tried to push through legislation to enable this kind of scenario. And imagine the congestion in the court system.

Part of the answer, the authors say, is that government has to become more involved.

The notion that the Internet is an initiative of - and the exclusive sphere of - the private sector is a myth that has grown up in the last decade and a half, Knake points out. The Internet was originally developed by government and academe. Decisions made in the 80s and 90s let the private sector run with it and kept government from interfering.

"Those were the right decisions then," Knake says. "But now, given the criticality of these networks, their importance to society, to government and business, we argue that it's no longer a situation that government cannot be involved in."

Government should be regulating ISPs, forcing them to implement basic security measures at the network level to prevent nuisance attacks and reduce the organized activity, and to forcibly quarantine computers known to be infected by bots. Currently, the FCC cannot enforce such regulations on ISPs.

The other important role for government is to focus on the power grid, which is absolutely vital and very vulnerable to attack. The book outlines how, and shows startling evidence suggesting it is being targeted by foreign governments.

"The Department of Homeland Security has identified 19 critical industries," Knake notes. "In our view, there is really only one, and that's power. Without power, none of the others can operate." The military also depends to a large extent on the public power grid.

Solution: regulate the industry and force it to disconnect the power grid from the Internet.

This wouldn't make it 100% secure, but it would make it more difficult for attackers and increase their risk. They incur virtually no risk when they can sit within their own borders and use the Internet to attack the U.S. power grid.

"If on the other hand, they have to sit in a white van on the side of the road somewhere in the Midwest with a big dish and try to intercept microwave relays, our chances of catching them are much greater," Knake says. "And the consequences for them are much more serious."

Should other kinds of enterprises do the same - simply disconnect? The book suggests it might be the only way to prevent organized "exfiltration" attacks designed to steal intellectual property and intelligence.

"It does pose a problem for the way a lot of us like to work," Knake allows. "We want to have connectivity at home and work remotely at all hours. Most of us don't want to work in a windowless secure facility - but if the assets we're protecting are really that valuable, it may be necessary."

While the book is designed to foster broad-based discussion of the issues, there is definitely a message there for IT and security professionals.

The real threat is no longer from malware, worms, viruses, Trojans. It's from sophisticated, organized, dedicated groups with missions - either for criminal or espionage purposes - to steal assets or plant logic bombs.

"They're working around the clock to achieve those missions," Knake says. "That means your response needs to be equally dedicated."

"If you've got critical assets and you're not running a 24-hour-a-day network security operation, you might as well give up now. This is not something that can be done 9 to 5 anymore. You can't just check logs in the morning."

But what about the fact that the attacks are impossible to defend against and undetectable? That's a problem for sure, Knake says.

"It's a classic game of cat and mouse. It means you need to spend more time looking for evidence and start by assuming you have been or are being attacked."

And hope in the meantime that government wades in and the defensive technology improves.

Gerry Blackwell is a veteran technology journalist based in Canada. He covers cyber security for eSecurityPlanet.