On the feared "cyber Pearl Harbor" and how well the U.S. can fight back
This past summer, the Saudi Arabian oil company Aramco was struck by a computer virus, Shamoon, which reportedly affected 30,000 computers and caused Aramco to isolate its networks for 10 days. Two weeks later, a similar attack hit the Qatari gas company RasGas.
In his well-covered comments forewarning a "cyber Pearl Harbor," Leon Panetta used these events as a springboard to issue a threat to would-be aggressors that "...the United States has the capacity to locate them and hold them accountable for their actions that may try to harm America." The Defense Secretary undoubtedly has many tools to help carry out this warning -- but likely not, as some commentators have speculated, new computer technology that reliably identifies perpetrators. A fundamental law of the Internet is that it is structured to support anonymity. A determined organization with sufficient skill and resources can launch attacks that are practically untraceable by digital forensics alone. The spread of malware can fly under any fancy network radar that government money can buy, and the process of identifying the source of an attack is much slower than the attack itself.
Consider: Even if the National Security Agency could analyze every bit of computer traffic that enters the U.S. from abroad, malware could cross into our borders on a USB flash drive in someone's pocket. Even if all the major Internet Service Providers (ISP) gave the government complete access to all their operational data and kept a copy of every bit of information that they handle -- which is impossible given the immense amount of data -- malware could be spread before it ever reaches an ISP.
Public wireless networks are often unsecured or use weak cryptography. For example, attackers could infiltrate the networks of coffee shops that offer free Wi-Fi and entice customers with a fake web page at log-in, perhaps offering a customer-loyalty reward if a button is clicked. That click instead downloads malware onto the laptop, which could then be transported to a bank, insurance company, university, government office, or factory, where it could infiltrate the organization's network.
The key point is that when malware is stealthily distributed, you cannot determine the malware's nation of origin simply by looking at the attack traffic. And that is supposing that enough data could be recovered for analysis after an attack in the first place.
How great is the danger? Most people are likely familiar with the idea that malware can be used to collect data that will then be used for illicit financial gain. But there's an even more frightening possibility. The same malware technologies that currently infect vast arrays of computers for the purposes of stealing data and identity information could be used to invisibly infiltrate networks and then, on remote command or at a pre-programmed time, destroy both the network and other resources connected to it.
Shamoon didn't even try to attack process control computers, the machines that handle automatic control of industrial processes. By contrast, in late 2009 or early 2010, the Stuxnet worm is believed to have destroyed up to 1,000 Iranian nuclear centrifuges by causing their control systems to increase and then decrease their operating speed, resulting in catastrophic physical damage to the delicate equipment. Stuxnet demonstrated the ability of malware to slip past the barrier presented by physical isolation of equipment, infect devices that control industrial processes, and cause physical harm. Further, the Stuxnet code has long been available for other potential attackers to modify and reuse; the threat is very real.
We should heed Panetta's stark warning. What happened at Aramco could absolutely happen at any industrial plant in the United States. Shamoon was very likely introduced when the recipient of a maliciously crafted email clicked on an attachment, or was deliberately implanted by a trusted insider. Vulnerability to human mistakes or insider attacks exists in every company and in every sector.
Panetta indicated that it's time to rewrite the rules for engagement in the cyber-world. Policy rules have to be informed by technological realities. Major efforts in technology development will figure prominently in the battle and may take many forms. Better defenses are technically feasible, but it is technically infeasible to make defenses perfect and still have systems be usable for legitimate functions.
Defending against cyber-attackers is something like playing "whack-a-mole"; you may swat down some types of attacks, but new ones spring up to replace them. Our best shot is to admit that the goal of preventing 100% of intrusions is simply not realistic, and structure systems so that they are capable of managing and containing the effects of attacks. We also cannot expect to achieve the capability to identify an attacker as quickly as an attack can be carried out. At present, any methods we have to identify attackers who are determined to be anonymous rely on human analysis of multiple sources of data.
America's strategy for identifying perpetrators has to include ordinary, old-fashioned police work that correlates different sources of human intelligence, technological markers in the code itself, and network traffic forensics. It is not generally possible simply to push a few buttons and sit back while a software tool journeys across the Internet, following a trail of evidence back to the perpetrators. Even with software tools, identifying the origin of cyber terrorism takes significant human effort.
It's worth noting that ITI is engaged in some ambitious research and education efforts that will help society handle the mounting cyber security challenges of the coming years. For example, resiliency of cyber infrastructure to attack is a major area of research activity in ITI's TCIPG (Trustworthy Cyber Infrastructure for the Power Grid) Center, which is supported by the Department of Energy and Department of Homeland Security. And ITI is the recipient of a new grant from NSF to develop cross-disciplinary curricular material on digital forensics. Better and more widespread education in forensics is desperately needed, not only to support national security but also to handle the lower-level legal, business, and technical ramifications of cyber crime.
But for now, this much is clear: the cyber-world is a very dangerous place, and while technological advances are providing crucial help, they are a long way from being able to eliminate the dangers on their own.