Is it even possible to protect cyberspace?
Communications networks underpin modern society like the nervous system of a living organism. The public switched telephone network, the Internet, VoIP, cable television, submarine cables, and satellite communications form the major information pathways that keep society functioning.
This system is under daily attack. Viruses, unauthorised access, security breaches, spam, phishing, illicit electronic surveillance, denial of service attacks and cyber terrorism are on the increase. The very interconnectedness that the modern world depends upon has become one of its major weaknesses.
Recent events illustrate the threat to commercial and government networks, and the information that flows over them.
"I'm not sure that most law-abiding citizens understand the magnitude of the threat from cyber-criminals," says Colonel Gary A McAlum, formerly Chief of Staff, Joint Task Force for Global Network Operations at the US Strategic Command, who recently joined Deloitte Touche Tohmatsu, a global financial services company. "There is a thriving cyber-crime market for personal and financial information."
In March, thieves stole 4.2 million credit and debit card numbers from Hannaford and Sweetbay, supermarket chains in north east US and Florida, respectively. The cyber-criminals put software on computers to capture credit-card information. The breach went undetected for three months and led to about 1,800 frauds. Ironically, on the day it was discovered, Hannaford received a certificate saying it was fully compliant with the Payment Card Industry standard, which obliges retailers to encrypt data sent over publicly accessible networks, but not over private lines. Both supermarket chains thought they were safe. But the cyber-criminals intercepted unencrypted credit-card data as it travelled from shop tills to corporate servers, from where it would have been encrypted and routed to credit-card company servers for authorisation.
The extent of the problem is hard to measure, because reporting is largely voluntary. Victims of cyber-crime don't like to discuss it, because hacked systems damage reputations and cost customers. The US Treasury Department has estimated the annual profits from cyber-crime at $105bn. "I believe that is on the low end," says McAlum.
Cyber war and web security
In addition to organised crime, there are other murky presences lurking in cyberspace: spies. Intelligence agencies, the shadowy groupings that assist them, and the military of several nations are all interested in mining information from the networks of target countries.
"A significant amount of data [has been taken] from federal networks over the past few years. I don't think we will ever know the true extent of how much and exactly what was taken," says McAlum. "There is also a significant concern about the level of access obtained in some cases that would allow a potential adversary to become disruptive at a time and place of their choosing. This is a huge concern."
Cyber skirmishes have already begun. In 1998 the Internet Black Tigers, a guerrilla organisation, flooded Sri Lankan embassies with 800 emails a day for two weeks. The first cyber war between nations may have occurred last year, when the digital infrastructure of public institutions in Estonia, including the parliament, ministries, banks, newspapers, broadcasters and telecommunications companies, was attacked. Estonian networks were blasted with up to 90Mbit/s of traffic for up to ten hours. Most of the traffic was part of a distributed denial of service (DDoS) attack, in which a network of hijacked computers, perhaps one million strong, was used to flood the Estonian networks with requests for services such as web-page transfers. The attacks happened after Estonia offended Russia by relocating a Russian Second World War memorial. The attacks originated from computers allegedly traced to Russia, but the Russian government has denied any involvement.
This year's conflict between Russia and Georgia had a cyber-war component. DDoS attacks disrupted access to many Georgian websites, including that of the Ministry of Foreign Affairs.
The United States is also under continual attack. In a recent statement to Congress, Jim Lewis, of the Center for Strategic and International Studies, said: "Cybersecurity is now one of the most important national security challenges facing the US... this is not some hypothetical catastrophe. We are under attack and taking damage."
More than 30 nations are now believed to have information warfare programmes. And individuals with technical expertise have found their power to disrupt their enemies transformed in cyberspace. In March 2000, a disgruntled Australian employee used the Internet to release one million litres of raw sewage into the river and coastal waters of Queensland. The same year, a university student in the Philippines created the 'Love Bug' virus, which caused damage estimated at up to $15bn world-wide - or about as much as a major hurricane disaster.
The problem is growing fast. Mikko Hyppönen, chief researcher at antivirus software company F-Secure Corporation, says: "We are now seeing tens of thousands of unique malware samples each day. It was nothing like this even three years ago."
Key escrow cryptography
The US National Academy of Engineering has recognised the importance of securing cyberspace by declaring it one of 14 Grand Challenges for Engineering, alongside issues such as providing energy from fusion, preventing nuclear terror and making clean water accessible to all. It is right to focus on the problem, especially because it cannot be overcome by a single approach. It's just not that simple.
As Hyppönen says: "The power and growth of cyberspace is due to it being an open system. 'Open' doesn't always equal 'secure'. How can you secure cyberspace? Close it - but then you might also end up killing it."
Complete solutions, even if they could be built, could have unwanted consequences. In today's open cyberspace, anyone or anything can connect to the Internet. It might be possible to introduce controls that guarantee that all the endpoints in the network are known to be 'safe'. But that would destroy the Internet as it is today, reducing it to a closed system.
The US government has proposed another solution using 'key escrow', in which information is handled under the same kind of public-key cryptography that protects Web commerce, but government agencies hold a spare key that they can use to decrypt any message they want. It's the kind of 'solution' that holds the seeds of its own destruction - it wouldn't be used by those it seeks to expose, and also raises tremendous civil liberties issues.
"Cyberspace cannot be secured 100 per cent without radical and fundamental changes in the architecture and implementation of governance models that would never fly," says McAlum. "We cannot secure cyberspace any more than we can completely secure the oceans or the airspace."
Toralv Dirro, security analyst at McAfee, says: "Because of its nature, cyberspace is very difficult, maybe even impossible, to secure. There is no real central instance controlling it, each country has different laws that apply, and it is growing at a rapid pace. The best hope is to make some vital parts as safe as possible, to allow business to be done in a reasonably secure manner, and to protect the users as well as possible."
Dr Guy Bunker, chief scientist of security software and services company Symantec Corporation, says: "Cyberspace as we know it is, in some places, very insecure. So it is relatively simple for fraudulent behaviour to occur. We could secure it very rapidly, but that would shut it down for most people."
Hackers, honeypots and internet security
Most experts agree that there is no single answer to securing cyberspace. Instead, think evolution. Think arms race. Progress will come by incremental improvements to many technologies.
The traditional model of cyber-security is to use a perimeter defence, the classic firewall. But perimeters often have holes. Today, a perimeter defence is seen as just one component of a multi-layered defence: it will not keep out a determined adversary, but reduces minor threats so that effort can be concentrated on more sophisticated exploits or insider threats.
Today, machines get their own firewalls. Host-based intrusion prevention systems run on a remote desktop or mobile laptop, protecting the machine wherever it goes. Instead of hiding behind the castle walls, and only being safe there, individual machines are given their own armour.
Cyberspace security has also become an active, rather than passive, discipline. Instead of a guard patrolling a perimeter fence, think of a roving investigator seeking out threats before they cause damage. Hackers are lured out of hiding by tempting them with 'honeypots' and 'honey-clients', apparently unprotected machines that can be used to detect threats. However, it takes two to make an arms race. Advanced viruses fight back by constantly changing their attributes to outwit security technology. Clever hackers learn to side-step honeypots.
Malicious software (malware) is becoming so prevalent that it is beginning to outnumber legitimate software. At that point, it is easier to create 'white lists' of legitimate software than to maintain the blacklists of malware. Hyppönen recommends a blend of whitelists and blacklists for best effect.
Symantec's Global Intelligence Network
Fighting a war demands a good map of the battlefield. Symantec runs a Global Intelligence Network that has more than 40,000 sensors around the world and more than two million dummy email accounts - all of which are monitored all day, every day. Hundreds of millions of users contribute statistics on malware.
"This means that outbreaks can be readily spotted and contained," says Bunker. "It also means that new virus or malware definitions can be quickly and effectively written and rolled out to prevent the infection spreading."
McAlum would like to see more than just lots of sensors.
"There are sensors all over the place and most feed back to a particular security information management application or a derivation of such a system," he says. "What I'd like to see is more effort placed on capabilities that provide a holistic picture of the enterprise that is more than just an integration of existing views and [which] helps develop the risk picture based on current threats, vulnerabilities, and anomalous activities. And I think there needs to be a 'cause-effect' aspect that helps leadership understand the impact of actions they may take, for example blocking a port or disabling a service."
Cyberspace will get more secure as software learns more about how we behave. Suppose an employee, who typically uses a company database to access individual customer records, suddenly looks at the top 1,000 customers: software could be written to highlight this anomaly. Or suppose an Internet user goes to a website he or she has not visited before: software could warn the user that they may have misspelled the address, helping counter malware infections caused by downloads from web pages masquerading as popular sites. Dirro believes that behaviour-based technology is "very important, the next big thing".
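The two behaviour-based checks described above, as an added example rather than code from the article or any vendor named in it: a per-user baseline of distinct records touched per day flags the sudden thousand-record pull, and a similarity test against the user's known sites catches a look-alike address. The log lines, user names and site names are constructed; the 10x factor and 0.85 similarity threshold are illustrative assumptions.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher
from statistics import median

# Constructed audit-log lines (not from any real system): day, user, record.
# Alice normally touches one to three customer records a day; on 10-04 she
# pulls a thousand, the kind of spike the text says software should highlight.
AUDIT_LOG = "\n".join(
    ["2008-10-01 alice customer/1042", "2008-10-01 alice customer/2210",
     "2008-10-02 alice customer/1042", "2008-10-02 alice customer/3301",
     "2008-10-03 alice customer/0088", "2008-10-04 bob customer/0001"]
    + [f"2008-10-04 alice customer/{n:04d}" for n in range(1000)])
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def daily_record_counts(log):
    """Map (user, day) to the number of distinct records that user touched."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            day, user, record = m.groups()
            seen[(user, day)].add(record)
    return {k: len(v) for k, v in seen.items()}

def flag_access_spikes(log, factor=10):
    """Flag a (user, day) whose distinct-record count exceeds `factor` times
    that user's median count on their other days. A user with a single day
    of history has no baseline and is never flagged (bob, below)."""
    per_user = defaultdict(dict)
    for (user, day), n in daily_record_counts(log).items():
        per_user[user][day] = n
    alerts = []
    for user, days in per_user.items():
        for day, n in days.items():
            others = [v for d, v in days.items() if d != day]
            if others and n > factor * max(1, median(others)):
                alerts.append((user, day, n))
    return sorted(alerts)

# Constructed list of sites this user is known to visit (placeholder names).
KNOWN_SITES = ["example-bank.com", "example-shop.com"]

def lookalike_warning(host, known=KNOWN_SITES, threshold=0.85):
    """Return the known site `host` closely resembles but does not equal,
    i.e. a probable misspelling or look-alike domain, otherwise None."""
    for site in known:
        if host != site and SequenceMatcher(None, host, site).ratio() >= threshold:
            return site
    return None
```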
Companies today tend to rely on implicit trust to control access to their networks: employees are given a username and password and then expected to do the right thing. This will change. Companies will keep closer tabs on what their employees are doing and how they are doing it. Behaviour-based technology "can look at things such as typing speed or style as an additional means of authentication," says Bunker.
Advanced reputation services may also help secure cyberspace.
"Reputation-based technology helps people browse the Internet safely and engenders trust between consumers and businesses, as well as between businesses," says Bunker. However, reputations can be inflated. Take an online auction seller who sells and promptly delivers 100 pencils at £1 each, gaining a great reputation. They then offer a car for £100,000, and abscond with the payment. The reputation system was perverted to abet the crime.
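One mitigation for the pencils-then-car inflation described above, written here as an added example and not drawn from the article or from any vendor it quotes: score a seller by the value they have actually delivered, not by the count of happy transactions, and escalate a listing that dwarfs that track record. The sales histories and the 5x multiple are constructed assumptions.

```python
# Constructed seller histories for the scenario in the text: a seller who has
# delivered 100 pencils at 1 pound each, and one who has delivered ten cars.
PENCIL_SALES = [{"amount": 1.0, "delivered": True} for _ in range(100)]
CAR_DEALER_SALES = [{"amount": 20000.0, "delivered": True} for _ in range(10)]

def naive_reputation(history):
    """Count-based score of the kind the text says can be inflated: the share
    of past sales that were delivered, regardless of their value."""
    if not history:
        return 0.0
    return sum(1 for s in history if s["delivered"]) / len(history)

def value_weighted_ceiling(history, multiple=5.0):
    """Largest single sale this seller's record supports: a multiple of their
    biggest delivered sale, never more than the total value they have delivered."""
    delivered = [s["amount"] for s in history if s["delivered"]]
    if not delivered:
        return 0.0
    return min(multiple * max(delivered), sum(delivered))

def assess_listing(history, amount, multiple=5.0):
    """Return (verdict, ceiling): 'ok' if the listing is within the seller's
    value-weighted ceiling, else 'escalate' for extra checks (escrow, identity
    verification) even when the count-based score is perfect."""
    ceiling = value_weighted_ceiling(history, multiple)
    return ("ok" if amount <= ceiling else "escalate"), ceiling
```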
Systems will get smarter. "Neural networks and other artificial intelligence technologies have a place in learning what is good, bad or indifferent about networks and systems to help administrators make intelligent decisions to enable them to fix problems," Bunker says.
But let's not get carried away. A lot of progress can be made by getting on with the drudge work of implementing current security techniques. The Hannaford supermarket chain says that since its security breach earlier this year, it has started encrypting customer credit-card data as soon as the card is swiped.
Other low-technology activity, such as creating information-sharing mechanisms between affected groups such as banks, who are notoriously shy about revealing their cyber-crime losses, could also help. Just locking equipment up can help a lot: laptop computers and PDAs are increasingly a target for thieves who want them as much for the value of the data they may carry as for what they might get by selling the hardware down the pub.
"In many cases, particularly when it comes to industrial espionage, employees of particular companies may be targeted for the opportunity to snatch a laptop," warns McAlum.
As the UK civil service is learning, you shouldn't leave laptops on a train, or put unencrypted data on a CD in the post. Perhaps this is the biggest chink in cyberspace's armour - ordinary people and their ordinary working practices. According to a study by Compuware, only 1 per cent of recent corporate data losses were due to hackers. The biggest culprits were negligent employees, with outsourcing and malicious employees being among the other causes of significant breaches. Worryingly, of the 1,112 practitioners surveyed, 79 per cent said their organisation had experienced at least one data breach.
Dirro of McAfee thinks that what's needed to secure cyberspace for the long run is progress on many fronts, including technology, awareness, legal redress and human behaviour.
Given the complexity of the issue, is there any sign that we are winning the cyber-security war yet?
"No," says McAlum. "We're not even close."