More than a year ago, we’ve learned that Stuxnet would be a game changer. Indeed, no advisor in all things security missed to mention that the alleged U.S.-Israel (Langner) originated hack and blow-up of Iranian Uranium enrichment facilities posed a show-case of future attacks on our beloved infrastructures and industrial production sites. While one might argue that the transfer of the world’s production sites to China serves as a mediator to scare going wild, there are still some Industrial Control Systems implemented and running within, say, the EU or the U.S. With Stuxnet discussed ad nauseam both at security conferences and in global mainstream media, with policy awareness increased up to the level of the leaders of the universe, with calls for decisive policy responses on all policy levels, calls for cyber-defense programmes against prospective attacks in cyber-warfare (by non U.S.-Israel) for national and international critical infrastructure protection programmes – with all that stuff one would assume that at least some of the most obvious steps have been accomplished.
And then you read an update by the commercial community of technical experts on Industrial Control Systems. According to their assessment, the ICS industry acts deaf and akin to the automotive industry in “Fight Club” (mentioned in the scene in which the automotive white-collar insomniac protagonists meets Tyler Durden on the airplane): it’s cheaper to let systems go bust occasionally and pay for some clean-up than to preventively fix the systems. Industrial control systems are still highly buggy, a group of ICS security researchers around the consultancy Digitalbond have tried to showcase at their SCADA Security Scientific Symposium (S4). For experts in the field, this is common knowledge for more than a decade.
The technical ICS geniuses at the S4 conference put all the blame to the vendors, such as Siemens, General Electric, Schneider Modicon, Rockwell Automation, SEL, or Koyo Automation. But is that easy? My experience from general IT, not ICS admittedly, tells me that life is more complicated. Independent consultancies, which are bound to specific vendors, have certainly no incentive to blame existing or prospective customers. More substantially, while there might be customers with inadequate security procedures out there, I highly doubt that knowledge about notorious insecurity of a particular set of artefacts doesn’t exist somewhere in customer companies and doesn’t climb up the communication ladder to the CIOs or CSOs. If owners are not interested in getting their 20-years old ICS fixed, a vendor interested in subsequent orders wouldn’t want to embarrass itself and its clients by being utterly explicit about the risks or the security hick-ups of the installed base of legacy systems.
The financial sector and the nuclear industry serve as nice role models for dealing with, as we institutional-economics-infected researchers call it, negative externalities of societal or technical systems. For both system vendors and owners of such infrastructures, inactivity is a viable option to respond to publication of vulnerabilities. Why would you want to spend millions on hardening your chemical facilities against a rather hostile hack into its control systems? If shit hits the fan, writing off your production site and transferring the external costs to the public is probably the most economic approach. Just make sure that the downfall of one site doesn’t bring down the complete parent group as with this TEPCO guys who failed to install proper economic firewalls inside their group. There are no columns or rows for the rhetoric of cyber-warfare in the Excel sheets on which executive boards of infrastructure owners rely in their decision making. The ongoing installation of insecure systems and components is certainly is worrying.
The great potential realigner of incentives aka public authorities have have remained rather calm on this issue, too. For Europe, Kroes is gunning for “providing the right incentives“, but we don’t know yet what the Commission will come up with eventually. Hohlmaier, rapporteur of the European Parliament on Cybersecurity issues and with a constituency in Siemens land, has been likewise silent on this, Google tells us. Inaction by incompetent or unwilling operators of information and industrial infrastructures might pose risks for the public at large. The public might want to live with some risks. Or prefer to have incentives realigned, i.e. get regulations installed that force vendors, customers or third parties to invest into security measures. For the last couple of years, policy makers, researchers and public authorities have been obsessed with “incentivising” third parties such as ISPs to make up for the failures of vendors and customers of ICT systems. For industrial control systems, I don’t see this option. It’s either the vendors and/or the customers (owners of infrastructures) that need to take the bill. Or learn to live with the risks. Just like we did with financial and nuclear systems.
The unnamed Economist author shares her notes of a prep-conference for the upcoming cyber sec conference in London next month.
A “senior” participant remarked:
“It is so big it does my head in.”
But why? The author notes:
“Because this stuff is all mashed up. The interconnectedness of cyberspace breaks down borders and distinctions around which societies and states are organised.
It mashes up people and geography. …
Cyber mashes up functions. …
Cyber mashes up the trivial and the critical. …
It mashes up weapons. …
Finally, the internet mashes up state and private … “
Release often, release early:
By definition we need international co-operation. … So we should start with something small and build out. I see it as a quilt, a patchwork… The role of NGOs, think-tank and private experts in sensitising governments, without it seeming a form of electronic imperialism, is important.
The role of states:
Whatever the threat, it seems to me that the private sector will be involved in almost all responses. One working group made the point that “knowledge implies more responsibility”.
Indeed, indeed. Operationally, cyber security rests on those who control the components that make up the internet.
In any case, it is hard to translate rules and practices of war. Two examples: – Is private industry ready to be the warfighter? – How do you put red crosses on hospitals and orphanages? Do we have to put them on separate networks, ie, create a “dot.humanitarian” domain? Here we start to move into polders. Should we create “dot.secure” areas? People are willing to give up a lot of privacy in social networking. It seems to me that they would be wiling to do it for security.
Stewart Baker, former official at DHS and NSA, in an article called “Denial of Service” on Foreign Policy:
“We should not wait for our own Prince of Wales moment in cyberspace.”
Now, that’s disturbing. Virtual Pearl Harbour no more. Welcome to: Oh, that I were a bot upon that machine that I might touch that juicy data? Well, I shouldn’t start reading articles at their very last paragraph. The second last comes to rescue.
In 1941, the British sent their most modern battleship, the Prince of Wales, to Southeast Asia to deter a Japanese attack on Singapore. … It took Japanese bombers 10 minutes to put an end to their fantasy, to the Prince of Wales, and to hundreds of brave sailors’ lives.
Besides that, the message is:
But the lesson of all this for the lawyers and the diplomats is stark: Their effort to impose limits on cyberwar is almost certainly doomed.
Therefore, cyber strategies are necessary:
The offense must be powerful enough to deter every adversary with something to lose in cyberspace, so it must include a way to identify attackers with certainty. The defense, too, must be realistic, making successful cyberattacks more difficult and less effective because resilience and redundancy has been built into U.S. infrastructure.
How to identify attackers with certainty without fundamentally altering the architecture of the internet or the ability to enforce collaboration of intermediaries such as ISPs worldwide? The latter could be accomplished in several ways: a) by foreign governments as a proxy, convinced by diplomatic influence ad-hoc or by institutions such as international treaties; or b) by supportive worldwide technical communities.
Microsoft’s Trustworthy Computing product manager, Tim Rains, observed that a number of countries had been doing particularly well in Microsoft’s annual Security Intelligence Report. So they asked their local teams for potential reasons behind the stats.
Answer from Austria by Leon Aaron Kaplan, CERT.at:
“We believe the low piracy rate, combined with a generally strict IT security enforcement of ISPs and the fact that updates are quickly installed due to fast Internet lines (broadband, cable connection) forms a basis for the generally low infection score in Austria.”
Answer from Finland by Erka Koivunen, CERT.fi: skills and tools, admin culture, regulative environment. On regulation:
There are clear and pragmatic provisions in Finnish legislation granting network admins the right (and at times an obligation) to defend their networks and interconnected IT systems against breaches of technical information security…. The rules start with administrative engagement: appointing responsible network security admins and the so-called abuse helpdesks to handle complaints is mandatory. The more technical stuff includes provisions such as exercising what we call “address hygiene” in core networks (e.g., filtering spoofed and source-routed packets) and restricting broadband subscribers’ ability to send spam or participate in denial-of-service attacks. There are also a requirement for ISPs to inform their subscribers about the possible dangers of the Internet and ways to mitigate them. As a side effect, this has greatly boosted the purchase of security software by private consumers
Microsofts local Chief Security advisor in Finland adds: a community of peers in public and private sectors, educated users.
Lessons from Germany and Japan.
Summing up:
1. There exists strong public – private partnerships that enable proactive and response capabilities
2. CERTs, ISPs and others actively monitoring for threats in the region enable rapid response to emerging threats
3. An IT culture where system administrators respond rapidly to reports of system infections or abuse is helpful
4. Enforcement policies and active remediation of threats via quarantining infected systems on networks in the region is effective
5. Regional education campaigns and media attention that help improve the public’s awareness of security issues can pay dividends
6. Low software piracy rates and widespread usage of Windows Update/Microsoft Update has helped keep infection rates relatively low
African news outlet coastweek.com reports from the ongoing Internet Governance Forum:
According to International Telecommunications Union (ITU) Secretary General Hamadoun Toure, governments should put in place round the clock Internet surveillance to prevent cyber-crime.
Toure called for the need for governments and the private sector to enter into partnership to ensure measures to guard Internet users in order to realize the full benefits of information technology growth.
Has Touré really called for “round the clock Internet surveillance”?
Anyhow, the design of coastweek.com makes me feel 15 years younger.
Joint request by May, Strickling, Beers:
The U.S. Department of Commerce and U.S. Department of Homeland Security are requesting information on the requirements of, and possible approaches to creating, a voluntary industry code of conduct to address the detection, notification and mitigation of botnets. (…) The Departments seek public comment from all Internet stakeholders, including the commercial, academic, and civil society sectors, on potential models for detection, notification, prevention, and mitigation of botnets’ illicit use of computer equipment.
DHS asks for contributions in three segments: a) Practices To Help Prevent and Mitigate Botnet Infections, b) Effective Practices for Identifying Botnets, c) Reviewing Effectiveness of Consumer Notification, d) Incentives To Promote Voluntary Action To Notify Consumers.
I’ve seen similar public request for comments in other policy domains before in the political system of the US. Thus, I’m not sure whether this is as unique as it appears to be from my European perspective.
Currently, Microsoft – and not some state agency – seems to be the botnet take-downer du jour.
Update. Joel Harding with regard to Microsoft’s role in botnet response:
DHS does not have the resources to protect US citizens, US corporations or any other government infrastructure beyond the critical infrastructure. Yet it is their mission to provide Homeland Security. When will DHS step up to the plate and perform their mission? Do we need a Department of Microsoft instead?
Well, I shouldn’t make these all-encompassing headlines, after all, forcing me to write way too long texts. Anyhow. I’ve been in Belgium a couple of weeks ago, used the opportunity of proximity for a Brussels visit. The first glaring characteristic of Brussels is the scent of Waffles all over Midi station. It is like any station comes with a little suprise for its passengers. At Luxembourg station, the on which neighbours the European Parliament, the party in control of the facility equipment opted for an acoustic treatment: Abba’s “The winner takes it all.” For sure she does. (Which reminds me of “Mamma Mia”: Meryl Streep has quite a voice, by the way.)
The voices of the European citizens are represented by representatives sitting in offices matching in size those of elaborated knowledge workers in corporate headquarters. A nice quality surplus however […]
I guess when average media consumer hears “cyber-defense centre”, she likely has Star-War-ish control rooms in mind,. Now, starting today, Germany has its National Cyber Defense Centre. It is located in the offices of the Federal Office for Information Security (BSI), which reports to the Federal Minister of the Interior. Not much of a surprise, any Quite some headlines in national media for a 10-persons task-force. (Sources: FAZ, Ministry of the Interior, both in German)
[…]
“The threat is there to see and if the worst were to happen…” (Donald Rumsfeld, Feb 2003)
Looks like Stuxnet is the best of all electronic Pearl Harbours, so far. The signs on the walls of what could be. The “game changer” (DHS cyber director), the menace that seems to convince politicians, media and the public alike that there is something potentially very threatening. It has taken some fifteen years of fear mongering to achieve that.
Menaces, threats, risks, dangers require responses, yet which? […]
In February, the Dutch Ministry of Security and Justice released its “National Cyber Security Strategy (NCSS) – Success through cooperation.” (govcert.nl) Section 5.4, “Response capacity for withstanding ICT disruptions and cyber attacks”, is particularly interesting and highlights the ongoing transformation of the organisational landscape. While the strategy’s briefness makes a refreshing change for lazy readers like us, is also raises a couple of questions.
[…]
The Baltic TImes reports:
Estonia’s defense minister has said he plans to create a volunteer “cyber defense league”… “We are thinking of introducing this conscript service, a cyber service,” Defense Minister Jaak Aaviksoo said in an interview with NPR. “[Our] league brings together specialists in cyberdefense who work in the private sector as well as in different government agencies.”
[…]
Summary: There is no cyberwar-problem, only cyber espionage. Cyberwar is made up by cybergeddonists, who happen to work for security contractors after having left their public cyber-security posts. China has no interest in launching a cyberwar against the US, even if it might possibly have the means. Cyberwar is hardly wageable, because of unintended consequences caused be the openness of the web. Espionage could be dealt with by obligatory encryption, which however is costly and hard to operate and maintain. Non-encryption however might not be the underlying cause for internet security problems. And military activities can however have unintended consequences. Nevertheless, recommended reading.
The political situation:
In the next few months, President Obama, who has publicly pledged that his Administration will protect openness and privacy on the Internet, will have to make choices that will have enormous consequences for the future of an ever-growing maze of new communication techniques: Will America’s networks be entrusted to civilians or to the military? Will cyber security be treated as a kind of war?
Blurring definitions of cyber war and cyber espionage…
Blurring the distinction between cyber war and cyber espionage has been profitable for defense contractors—and dispiriting for privacy advocates.
The cybergeddonists’ false scenarios:
The most common cyber-war scare scenarios involve America’s electrical grid. … There is no national power grid in the United States. There are more than a hundred publicly and privately owned power companies that operate their own lines…. …an electrical supplier that found itself under cyber attack would be able to avail itself of power from nearby systems.
Stuxnet:
If Stuxnet was aimed specifically at Bushehr, it exhibited one of the weaknesses of cyber attacks: they are difficult to target and also to contain. India and China were both hit harder than Iran… The real hazard of Stuxnet, he [Schneier] added, might be that it was “great for those who want to believe cyber war is here.”
On Army General Keith Alexander (head of US cyber command, director of NSA):
One of Alexander’s first goals was to make sure that the military would take the lead role in cyber security and in determining the future shape of computer networks.
Military-civilian relationship:
If the military is operating in “cyberspace,” does that include civilian computers in American homes?
Encryption as he solution for the cyber security problems (citing John Arquilla):
“We would all be far better off if virtually all civil, commercial, governmental, and military internet and web traffic were strongly encrypted.” … “Today drug lords still enjoy secure internet and web communications, as do many in terror networks, while most Americans don’t.”
A Maginot line mentality (citing Marc Rotenberg, EPIC):
“The question is: Do you want an agency that spies with mixed success to be responsible for securing the nation’s security? If you do, that’s crazy.”
Clipper-Chip 2.0:
The legislation, similar to that sought two decades ago in the Clipper Chip debate, would require manufacturers of equipment such as the BlackBerry, and all domestic and foreign purveyors of communications, such as Skype, to develop technology that would allow the federal government to intercept and decode traffic.
A long list of interviewees and sources:
Jonathan Pollack, Whitfield Duffie, Jeffrey Carr, “a retired four-star Navy general”, John Arquilla, Marc Rotenberg, Howard Schmidt, “a senior official in the Department of Homeland Security”, William J. Lynn III, James Lewis (senior fellow at CSIS), Bruce Schneier, J. Michael McConell, Army General Keith Alexander (head of US cyber command, director of NSA), “a defense contractor” (“one of America’s most knowledgeable experts on Chinese military and cyber capabilities”), Richard Clark (cybergeddonist, security contractor and Bush’s man for cybersecurity, “poison gas clouds…”), J. Michael McConell (Bush’s second director of National Intelligence, now cybergeddonist and security contractor, “Our cyber-defenses are woefully lacking”).
I’ve pointed out earlier some of the research questions for social scientific internet governance research. The main issues I described there are:
- There is a lack of empirical analysis undertaken by social scientists, who are not affiliated with biased agencies engaged in turf-wars or the fear-mongering security industry, about the scale, quality and impact of internet security issues. Furthermore, existing institutions have hardly been researched.
- Ongoing debates in the political sphere often refer to an lack-of-enforceability argument. More often than not, these arguments fail to be backed by scientific findings.
- The geopolitical dimension of internet security is under-researched.
- The potentially disruptive impact of internet-based collaboration on traditional security provisioning processes is to be explored. We can observe these discourses about new forms of distributed collaboration everywhere, but not in the field internet security governance.
The main issue for social sciences however to provide guidance for institutional and organisation design for internet security governance.
Ad-hoc defense system protecting railway embankment against Danube flood
[…]
It’s finally happening. After an abysmally long time of politicians, military, and the security industry coming up with streams of innovative policy tangle in the name of internet security or cybersecurity, a critical mass of social scientists and research interested practitioners has teamed up to start deepening our knowledge of internet security and its governance. While Hungary was having difficult times by floods and economic turmoils, Budapest couldn’t have been a more lovely and welcoming place in the last couple of days.
[…]
I’ve written a quick analysis of the recent anti-botnet politics in Germany. Kind crew behind netzpolitik.org has published it on this blockbuster blog. It’s written in German, though, but you could alternatively give Google Translator a moment of embarrassment.
This is going to be an interesting experiment in internet security governance. Scientists have argued for years that internet security problems are as much caused by a misalignment of incentives as they are by technological flaws in software and hardware. One obvious recipe to call ISPs for action against botnets is one that has helped to increase software vendors’ activities in increasing software robustness.
Gathered under the umbrella of the Shadowserver Foundation, a group of engineers and scientists have scrupulously gathered evidence and background information about the activities of the Conficker botnet. They have known for months that millions of machines worldwide had been infected with Conficker malware. Yet, no one reacted, only shoulders were shrugged. At govcert.nl in October, many were contemplating how to proceed with Conficker.
Starting today, Shadowserver let’s everyone know where these Conficker-infected machines are. The move is a valuable contribution to increase global transparency about the somewhat obscure botnet problem.
An interesting example from Germany immediately sticks out. 1&1, a big hosting and medium-sized accessed provider, had initiated an internal initiative against botnet-infected customer systems earlier this year. Today, only ten IP addresses and 0% of their routed space are assigned to infected machines. For customers of Deutsche Telekom, which hasn’t announced a similar program, things look worse: 0.1% of all IP addresses or more than 32,000 IP addresses belong to a Conficker-infected machine.
Yersterday, press reports about an alleged joint venture of national ISPs and the national IT security agency to build a national botnet center stirred some scepticism and perplexety in Germany. After heise online brougth the news, the hacker association CCC informed that this rather is a hoax.
However, the German national ICT security agency (Bundesamt für Sicherheit in der Informationstechnik, BSI) and the association of the German internet business, eco (Verband der deutschen Internetwirtschaft), have cooperated on botnet issues at least since October 2008.
A workshop on botnets in early February 2009 addressed topics such as data-exchange between ISP regarding information from systems such as honeypots, abuse systems, spam traps (email analysis), DNS analysis, IDS/IAS (anomalie detection) or harmful websites. This information provided by ISPs could then be complemented with external data sources. Given the lack of published data, it is not clear which techniques ISPs actually use to exchange data today.
Another workshop on botnets, obviously organized by eco, took place in early February 2009. One of the speakers was Frank Ackermann, senior legal counsel to eco, who talked about judicial aspects of botnet fighting. According to Ackermann, “ISPs are interested in moderate filtering” of spam. Thus, politics should be discouraged from strict anti-spam regulation.
The programme of another joint eco-BSI workshop, the 7th German Anti Spam Summit mid-September 2009 on conficker, has sessions like “Status Quo central botnet disinfection call center DE” and “Legal Guide on Technical Approaches against Botnets” listed. According to the programme, Dr. Lothar Eßer, Head of Division Internet Security of BSI, also attended this session.
In late November 2009, eco mentioned in a summary of their IGF09 activities that it is going to build a “Botnet Disinfection Center” in a joint effort with BIS and several providers.
So, Germany will get it’s public-private anti-botnet center. According to eco’s press release, eco and BSI will establish a user-support center. ISPs will forward customers with infected machines to a website which provides tools and descriptions for removing malicious software from their machines. In addition, users with infected computers can call a special hotline with experts assisting users in removing harmful software.
—-
Upd. 9.12.; 16.12: changed headline, added the paragraph with eco’s press release; corrected typos
UK
UK cybersecurity centre starting operations in March – ZDNet.co.uk
Administered by Cabinet Office; staff partly to be recruited from GCHQ, should have hacker mentality; “primarily … a defensive role “, cyberattack as “last resort”.UK also has an Office of Cyber Security (OCS), set up last summer. UK launches dedicated cybersecurity agency – ZDNet.co.uk Gordon Brown: “we … have to secure our position in cyberspace in order to give people and businesses the confidence they need to operate safely there”
As UK is at it: Digital Economy Bill passed:
Britain’s new Internet law — as bad as everyone’s been saying, and worse. Much, much worse. – Boing Boing Including 3-strikes, stricter video-game ratings, ISPs forced to deliver data with content industry, business secretary gets carte blanche to come up with stricter regulations.
“It’s a declaration of war by the entertainment industry and their captured regulators against the principles of free speech, privacy, freedom of assembly, the presumption of innocence, and competition.” (BoingBoing)
US
The cyberwar plan, not just a defensive game – Nextgov
Stupid headline – who would think that cyber-warfare is about defense only.
„Computerized tools to penetrate an enemy’s phone system“, „computer viruses and malicious software programs that can disable electrical power systems, corrupt financial data, or hijack air traffic control systems“, „cyber-intruders have probed our electrical grid“ (no, not the squirrel terrorists), “we’d have cadres of people who’d know how to do that”, “Military forces fight for the ownership of that domain [cyber-battlefield]”, “Defense Department graduates only about 80 students per year from schools devoted to teaching cyber-warfare”, ” proposed building a military “botnet,” an army of centrally controlled computers to launch coordinated attacks on other machines”. “The risk of losing control of a weapon provides a powerful incentive not to use it”
See also: National Journal Magazine – The Cyberwar Plan
Who’s in Big Brother’s Database? – The New York Review of Books
Degree of surveillance measured in electricity bills: 70 millions per year http://bit.ly/3DwW49
Information Security News: NIST Drafts Cybersecurity Guidance
“tackling criticism that federal cybersecurity regulations have placed too much weight on periodic compliance audits”; “more onus on applying risk management throughout the lifecycle of IT systems”. Yawn.
[ISN] Inside the Ring – Chinese, Russian cyberwarfare
Like nuke-counting in the eighties.
Noteworthy: a new Cyber Security Alliance 14 tech firms form cybersecurity alliance for government — Government Computer News
Australia
Australian government overhauls national cyber security arrangements – Government & Policy “against increasing online espionage and attacks on critical infrastructure”, new CERT Australia, Cyber Security Operations Centre (CSOC), details undisclosed
EU
Automated Social Networking Surveillance Systems Statebook is going to be developed!?
====
How the Internet Ruined Newspapers, TV, Music, Movies, Microsoft – Newsweek 2010, The Internet: A Decade of Destruction – Internet Use/New Technologies „wherever companies were profiting by a lack of transparency or a lack of competition, wherever friction could be polished out of the system, those industries suffered“ – What about national political institutions (in the wider sense) then?
Security of the internet isn’t provided by a hierarchical, secretive and central organisation. There is no global internet police, and there is no internet defence corps. Internet security is the result of the collaboration of diverse types of actors such as internet service providers, technical experts, police and law enforcement, governments and academics. These actors make a dense, highly complex internet security governance network in which each type of actor is characterized by its own organisational idiosyncrasies while at the same time being part of the overall governance structure.
My focus currently is on bottom-up processes to provide internet security, like task-forces and working groups that are set up in an ad-hoc manner to tackle with the lates security phenomenon. Academics, engineers, experts and geeks from all over the world collaborate to provide. The way in which they are addressing security problems resembles what could be called peer production of internet security. My interest is to learn to what extent this mode of security provisioning is used, the settings in which we can observe it and whether this mode is sustainable or not. And how this all relates to internet security and the overall structure of internet security in general.
The internet is a tool that already has fundamentally changed business processes and business models. It is too early to tell what its long-term impact on societies and politics will be. Debates about ‘freedom’ on the internet have been going on for a while, such as if and how the internet fosters freedom of expression, or how authoritarian internet governance approaches could suppress individuals’ rights. The practices of internet security provisioning will have decisive consequences for the shape of ‘freedom’ on the internet.