Critical Infrastructure Protection blog

Cybersecurity: Senate bill would make international cooperation a priority

2009-07-19T07:12:00.000+02:00

US and EU are both going in the direction of International cooperation. On the 30th of March 2009, European Commission Directorate General Information Society and Media released a communication on Critical Information Infrastructure Protection. Below you find an articole abou the new US legislation proposal, introduced on July 10.

Apart from the declarations, we need to define the building blocks of international cooperation. In particular:
a. Research funds that can be obtained by international consortia (all US and UE funds are closed only to US or EU members)
b. Cooperation legislation framework: a new legislation framework should be defined in order to allow exchange of data (data sets for researchers), information sharing (threats, vulnerabilities, incidents) and information exchanges between operators and government agencies from the same sectors
c. Establish clear point of contacts and responsibilities: who do you contact in US or EU in case of incidens/attacks
d. Exercices and simulations

(FederalComputerWeek) A new Senate bill would encourage the secretary of state to work with other governments to further cooperation on cybersecurity and would require the secretary to submit a report to Congress about those efforts.

The legislation, introduced by Sen. Kirsten Gillibrand (D-N.Y.) on July 10, states the secretary should work with other governments to:

Develop cooperative activities.
Encourage international cooperation for improving cybersecurity.
Develop safeguards for privacy, freedom of speech and commercial transactions to be included in agreements or other cybersecurity activities.

The bill would require the secretary to submit a detailed report to congressional committees about actions taken to meet these goals in 270 days of the legislation’s enactment.

“Relevant international cybersecurity agreements focus only on issues relating to cyber crime and common operating standards, and have not been signed by certain countries from which cyberattacks may be launched,” the bill states.

The Obama administration’s cyberspace policy review, released in May, also emphasized the need for international cooperation to secure cyberspace.

"International norms are critical to establishing a secure and thriving digital infrastructure," the policy review states. "The United States needs to develop a strategy designed to shape the international environment and bring like-minded nations together on a host of issues, including acceptable norms regarding territorial jurisdiction, sovereign responsibility, and use of force."

The review recommended that the government develop positions for an international cybersecurity policy framework and strengthen its international partnerships related to cybersecurity.

Internet’s Anonymity Makes Cyberattack Hard to Trace

2009-07-18T00:00:00.001+02:00

(NYTimes) It is an axiom that “on the Internet nobody knows that you are a dog.”

By the same token, it is all but impossible to know whether you are from North Korea or South Korea.

That puzzle is plaguing law enforcement investigators in several nations who are now hunting for the authors of a small but highly publicized Internet denial-of-service attack that briefly knocked offline the Web sites of some United States and South Korean government agencies and companies.

The attack, which began over the Fourth of July weekend and continued into the next week, led to South Korean accusations that the attack had been conducted by North Korean military or intelligence agents, possibly in retaliation for new United Nations sanctions. American officials quickly cautioned that despite sensational news media coverage, the attacks were no different from similar challenges government agencies face on a daily basis.

Cyberwarfare specialists cautioned this week that the Internet was effectively a “wilderness of mirrors,” and that attributing the source of cyberattacks and other kinds of exploitation is difficult at best and sometimes impossible. Despite the initial assertions and rumors that North Korea was behind the attacks and slight evidence that the programmer had some familiarity with South Korean software, the consensus of most computer security specialists is that the attackers could be located anywhere in the world.

“It would be incredibly difficult to prove that North Korea was involved in this,” said Amrit Williams, chief technology officer for Bigfix, a computer security management firm. “There are no geographic borders for the Internet. I can reach out and touch people everywhere.”

But researchers said that law enforcement investigators were likely to be aided in their pursuit by a second computer security truism — that the only ones who get caught are dumb, unsophisticated or both.

For starters, the attacking system, which cannibalized more than 50,000 computers and which is known as a botnet, was actually small, computer researchers said, compared with similar computer malware programs that are now routinely used by members of the computer underground.

Moreover, independent researchers, who have examined the programmer’s instructions used to lash together the tens of thousands of computers, said that it showed that the program, known as a D.D.O.S., or a distributed denial of service attack, revealed a high degree of amateurism.

That fact suggested that the authors, who hid themselves by masking their actions behind an international trail of Internet-connected computers, might have left telltale fingerprints that will ultimately be their undoing.

Last week, investigators quickly located computers that were involved with the control of the botnet in Britain and several other countries. However, the Internet service provider whose systems were implicated in the attack quickly issued a news release stating that the attack was actually coming from Miami. The company said that it was cooperating with the Serious Organized Crime Agency, a law enforcement agency that is part of the British government.

But independent investigators who have tracked the botnet cautioned against placing reliance on the locations for the command-and-control computers that have been publicly identified.

“We’re still looking for the initial infection vector,” said Jose Nazario, a network security researcher at Arbor Networks, a computer security provider for large network systems.

Several researchers recalled a similar incident in 2000, when a series of high-profile denial of service attacks were conducted against companies including Yahoo!, Amazon.com, Dell, ETrade, eBay and CNN. The culprit proved to be a 15-year-old Canadian high school student who was identified as a suspect only after publicly bragging about the attacks in an online forum.

Finding attackers who have no desire to reveal their locations — even amateurs — may be far more vexing.

“The truth is, we may never know the true origin of the attack unless the attacker made some colossal blunder,” said Joe Stewart, a director in the Counter Threat Unit at SecureWorks, a computer security consulting organization.

Some experts pointed to an entirely different origin for the attacks, or at least the attention paid to them. Cyberwarfare has become a hot topic in Washington this year, with the Obama administration undertaking a detailed review of the nation’s computer security preparedness.

“There is a U.S. political debate going on right now with high stakes and big payoffs,” said Ronald J. Deibert, director of the Citizen Lab at the Munk Center for International Studies at the University of Toronto. “With the administration cyberreview there are many government agencies orbiting around the policy debate that have an interest in pointing to this incident as evidence with obvious implications.”

What CEOs Don't Know About Cybersecurity

2009-07-16T14:10:00.001+02:00

(Forbes) Being the chief executive has its privileges. And one of them may be a blissful ignorance of your company's data breach risks.

According to a study to be released Tuesday by the privacy-focused Ponemon Institute, companies' chief executives tend to value cybersecurity just as--if not more--highly than their executive colleagues. But compared to lower-level execs, CEOs also tend to underestimate the frequency of cyberthreats their organization faces.

The survey, which was funded by cybersecurity firm Ounce Labs, asked 213 senior executives about their perceptions of data breach risks. Among those respondents, just 17% of CEOs said their company faced attempts by cybercriminals to steal data at least once every hour, compared with 33% of other executives. By contrast, nearly 50% of CEOs said their company experienced an attack "rarely"--less than once a week--while only 32% percent of other executives reported the same frequency of cyberthreats.

That disconnect, says Ponemon founder and lead researcher Larry Ponemon, isn't a matter of CEOs not valuing cybersecurity. On the contrary, about 77% of chief execs said that preventing cyber attacks and insider data theft was "important or very important" compared with just 51% of other respondents.

But Ponemon says that CEOs' staffs may not tell them the full extent of a company's data risks. "Even in the most transparent of companies, there's a bit of hesitance to give the CEO a report of vulnerabilities or even small breaches," says Ponemon. "We don't know how much filtering of bad news happens that keeps CEOs from hearing some of the darker secrets."

There's plenty of evidence to support the views of the survey's more paranoid respondents. Cybersecurity firms, such as Finland's F-Secure, detect more than 20,000 new variations of malicious software churned out by hackers every day. In fact, the rate of publicly known data breaches has been steadily rising for years, with 646 breaches recorded in 2008, a 46% increase over 2007, according to the Identity Theft Resource Center.

In January, Princeton, N.J.-based payment processor Heartland Payment Systems revealed that it had been the victim of a cybercriminal operation that had gained access to as many as 100 million credit card numbers, potentially the largest data breach of all time.

Despite that sort of high-profile hack, the CEOs interviewed in Ponemon's survey seemed especially unconcerned about cybercrime as a source of data breaches. While 31% named stolen PCs or thumb drives as a source of data loss, only 3% cited malicious hackers as the top threat for their company's data security--about a fifth as many as the lower level employees who cited cybercriminals as the most important threat.

CIP standards may not be enough to secure electric grid

2009-07-16T13:55:00.001+02:00

(GNC.COM) Compliance audits that focus on reliability of electric system begin this month
Industry regulators have begun compliance audits this month on mandatory reliability standards for the nation’s bulk electric power distribution system, a step toward implementing critical infrastructure protection standards for the U.S. power grid.

“It’s a big step,” said Joe McClelland, director of the Office of Electric Reliability at the Federal Energy Regulatory Commission. “It’s the first time they’ll have a critical infrastructure protection standard.”

As the power grid becomes more automated and its control systems networked on a large scale, the system's cybersecurity is becoming a critical issue. The security standards for the system require that operators identify critical cyber assets that support reliable operation of the electric system, using a risk-based assessment. Violators can be fined as much as $1 million a day.

But some security experts say the standards do not go far enough. The technology of the electric grid was designed with the expectation that it would be a private network rather than an interconnected IP-addressable system, and the security standards focus largely on reliability rather than network integrity.

“I don’t think in today’s world that is even close to being adequate security,” said Jack Danahy, chief technology officer of Ounce Labs. “There has to be a more expansive understanding of what security means.”

The cybersecurity of the power distribution system is taking on more urgency with development of a new interactive smart grid and recent reports that hackers have compromised the current grid.

FERC is the government overseer of the U.S. power grid under the Energy Policy Act of 2005, but the audits are carried out by the North American Electric Reliability Corp., the industry’s designated international self-regulatory authority. Despite FERC’s authority, there is still a high degree of self-regulation in the power system. NERC developed the security standards, which FERC can approve or reject.

FERC approved the current Critical Infrastructure Protection Standards this year. FERC will review the audit results and take part in a number of them. “Not every audit,” McClelland said. “Just to check to see how they are being conducted.”

CIP standards may not be enough to secure electric grid

2009-07-16T13:52:00.000+02:00

The cybersecurity of the power distribution system is taking on more urgency with development of a new interactive smart grid and recent reports that hackers have compromised the current grid.

US and UK prepare fightback against eastern hackers

2009-07-16T01:06:00.001+02:00

Hackers are being targeted for attack by US and UK security authorities eager to launch a cyber counteroffensive to kick them off the net

(Guardian) Hackers who attack defence or commercial computers in the US and UK in future may be in for a surprise: a counterattack, authorised and carried out by the police and defence agencies that aims to disrupt and even knock them off the net.

The secret plans, prompted by the explosion in the number of computer-crime incidents from east Asia targeting commercially or politically sensitive information, are known as "strikeback", and are intended to target hackers' computers and disrupt them, in some cases involving denial of service attacks.

According to well-placed sources, work on "strikeback" has already begun in the UK, with the Serious Organised Crime Agency (Soca) and the Metropolitan police's e-crime unit working to deploy teams. The measures are being adopted because of the unprecedented level of attacks being suffered from hacking groups in China, Russia and North Korea, which are suspected of being state sponsored. Among intelligence circles in Washington, DC, the idea of hitting back at foreign hacking groups is being described as the hottest topic in cyberspace.

"This is considered to be a key activity," said a former CIA officer actively involved in the debate. "We are being penetrated and it is not in our tradition to sit back and do nothing. (continue...)

Cyber attacks on South Korea and U.S. 'could have originated in Britain'

2009-07-16T00:54:00.001+02:00

(Mail Online) Britain was the likeliest origin of last weeks crippling cyber attacks on the US and South Korea, a Vietnamese security firm has claimed. The Korea Communications Commission said the information had come from Vietnamese firm Bach Khoa Internetwork Security.

'The (British) server appears to have controlled compromised handler servers which spread viruses,' said Park Cheol-Soon, a network protection team leader of the government-run communications commission.

'However, it needs more investigation to confirm whether this server was the final attacker server or not.'

Seoul had previously laid the blame for the attacks - which briefly crippled major government and commercial websites - on its Communist neighbour.

But according to Park Cheol-Soon, the apparent discovery of a master server in Britain neither exonerated nor implicated North Korea.

'It does not either bolster or undermine claims that someone has done the attacks,' he said. The attacks, which involved sending multiple requests for website access from 166,000 'zombie' computers in 74 countries, crippled 14 major U.S. sites. These included the State Department, the Homeland Security Department, the Federal Aviation Administration and the Federal Trade Commission. In addition to government sites, the New York Stock Exchange, the Nasdaq electronic exchange and the Washington Post newspaper were also hit. The Korea Communications Commission downgraded its alert against the cyber attacks on Monday, saying they were 'fizzling out', and most targeted sites had normal traffic restored.

UK Cyber-security strategy launched

2009-07-15T22:13:00.000+02:00

(BBC)

Britons face a growing online threat from criminals, terrorists and hostile states, according to the UK's first cyber security strategy.

Businesses, government and ordinary people are all at risk, it says.

The strategy has been published alongside an updated, wider National Security Strategy.

Its publication is a sign of the growing recognition within government of the need to bolster defences against a growing threat.

In line with a wider focus within the National Security Strategy on not just protecting the state but also citizens, the cyber-strategy encompasses protecting individuals from forms of fraud, identity theft and e-crime committed using technology as well as defending government secrets and businesses.

'Attack capability'

Launching the strategy, cyber security minister Lord West said: "We know that various state actors are very interested in cyber warfare. The terrorist aspect of this is the least (concern), but it is developing."

He warned that future targets could include key businesses, the national power grid, financial markets and Whitehall departments.

He said: "We know terrorists use the internet for radicalisation and things like that at the moment, but there is a fear they will move down that path (of cyber attacks).

"As their ability to use the web and the net grows, there will be more opportunity for these attacks."

He confirmed that the UK government has already faced cyber attacks from foreign states such as Russia and China.

But he denied that hackers had successfully broken into government systems and stolen secret information.

He also said he could not deny that the government had its own online attack capability, but he refused to say whether it had ever been used.

"It would be silly to say that we don't have any capability to do offensive work from Cheltenham, and I don't think I should say any more than that."

'Missed opportunity'

Among those the government has turned to for help on cyber crime are former illegal hackers, Lord West added.

He said the government listening post GCHQ at Cheltenham had not employed any "ultra, ultra criminals" but needed the expertise of former "naughty boys" he said.

"You need youngsters who are deep into this stuff... If they have been slightly naughty boys, very often they really enjoy stopping other naughty boys," he said.

Dame Pauline Neville-Jones, for the Conservatives, called the strategy was a "missed opportunity".

"It is impossible to know how significant these announcements are because we do not know what funding will be made available to enhance our ability to tackle cyber threats. It is also not clear how these new cyber security structures fit into the existing national security machinery."

Her colleague in the Commons, Crispin Blunt, called it a "pale imitation" of an initiative launched by US President Barack Obama.

Lib Dem home affairs spokesman Tom Brake said: "This new cyber security strategy could lead to an extension of the Government's invasive counter-terrorism powers which already pose significant threats to our civil liberties.

"The cyber security strategy uses broad, undefined terms that risk creating panic among the public and a demand for further government powers. We must not retreat into a Cold War mentality."

'Forensics'

Officials said e-crime crime is estimated to costs the UK several billion pounds a year.

Two new bodies will be established in the coming months as part of the strategy.

A dedicated Office of Cyber Security in the Cabinet Office will co-ordinate policy across government and look at legal and ethical issues as well as relations with other countries.

The second body will be a new Cyber Security Operations Centre (CSOC) based at GCHQ.

This will bring people together from across government and from outside to get a better handle on cyber security issues and work out how to better protect the country, providing advice and information about the risks.

"CSOC's aim will be to identify in real time what type of cyber attacks are taking place, where they come from and what can be done to stop them", according to a Whitehall security official.

Experts say the "forensics" of detecting who is behind a cyber attack and attributing responsibility remains extremely difficult.

Officials said it would require input from those who had their own expertise in hackers. "We need youngsters," an official said.

The range of potentially hostile cyber activity - from other states seeking to carry out espionage through criminal gangs to terrorists - is daunting.

Critical information

At one end of the spectrum, military operations - such as Russia's conflict with Georgia last year - are now accompanied by attacks on computer systems.

The UK's critical national infrastructure is also more reliant on technology than it was even five years ago and terrorists who have used the internet for fundraising and propaganda are also believed to have the intent - if not yet the capability- to carry out their own cyber-attacks.

Officials declined to give a figure of how many attacks on government computer networks take place each day.

In a speech in 2007, the head of MI5, Jonathan Evans, explicitly mentioned Russia and China in the context of a warning that that "a number of countries continue to devote considerable time and energy trying to steal our sensitive technology on civilian and military projects, and trying to obtain political and economic intelligence at our expense. They do not only use traditional methods to collect intelligence but increasingly deploy sophisticated technical attacks, using the internet to penetrate computer networks."

Officials said they were not aware of any "key pieces of information" that had gone missing yet but said that British companies had lost critical information.

The new Cyber Security Operations Centre will work closely with the designated parts of the critical national infrastructure and wider industry and officials say that business are keen for the government to take a lead but also share as much information as possible.

US President Barack Obama has been carrying out a similar re-organisation for defending US computer networks and British officials said the two countries were co-ordinating closely not least because of the intimate relationship between GCHQ and its US equivalent.

British officials believe that their government systems may also have fewer vulnerabilities than their US counterparts partly because they moved online later and have fewer connections between the internal government system and the rest of cyberspace to monitor.

Officials in the US and UK are also thought to be working on forms of offensive cyber-warfare capability but officials are unwilling to go into any details of what this might involve.

UK Cyber-security strategy launched

2009-07-15T01:19:00.001+02:00