What happens when the Net is attacked?

 


When a building collapses, you can see the devastation. When a network is brought to its knees, the effects are less obvious.

That's why a little-known research institute funded by the Homeland Security Department is working to bring some order to the study of cyberattacks.

Despite annual reports from the FBI and repeated consultant studies, surprisingly little is known about the real costs of malicious code, denial-of-service and other attacks, because the companies that own the infrastructure are reluctant to share the information.

'Historically, the threat of cyberattacks has not received as much attention as the physical threat posed by terrorism and natural disasters,' said Andy Purdy, acting director of the DHS National Cyber Security Division.

As a result, estimates of financial impact have been based on guesses, said Scott Borg, director and chief economist for the U.S. Cyber Consequences Unit. There has been little solid data to analyze, and no tested methodologies to analyze it.

We don't even know what threats we should be protecting ourselves against.

'So much of what we have been hearing about cyberattacks was just hearsay,' Borg said. 'We found out a lot of things people were worried about were extremely unlikely.'

US-CCU was established in 2004 with a shoestring, four-month budget of $200,000 to do surveys of the electrical-power and health care sectors. Other industry sectors providing critical infrastructure were to be added later.

'We were very naive,' Borg said. 'The research project proved larger and more difficult than anticipated.'

The original contract was stretched out to cover a year, and now, well into its second one-year contract, US-CCU is still in what Borg calls a 'rather extended start-up phase.'

Fortunately, doomsday scenarios such as shutting down the power grid or the Internet are not likely to occur soon.

'These are not impossible, but they are way harder to do than a lot of people anticipated,' Borg said. 'Al-Qaida is not going to shut down the Internet or the power grid. So we have time.'

To use that time wisely, US-CCU recently released a security checklist to help enterprises focus on real-world consequences of cyberattacks. Borg and research director John Bumgarner based the 478 checklist items on their on-site visits.

'We started seeing huge vulnerabilities during our visits,' Borg said. Most of the systems they evaluated were compliant with current security checklists and industry best practices. 'And portions of those systems were extraordinarily secure. But they were Maginot lines,' susceptible to being outflanked.

The problem was that existing best practices were static lists based on outdated data. The US-CCU list shifts the focus from perimeter security to monitoring and maintaining internal systems. The problem with perimeter security is that there is always some way to circumvent it.

'We are way into diminishing returns on our investments in perimeter defense,' Borg said. 'To deal with it now, you have to think of the problem of cybersecurity not from a technical standpoint, but by focusing on what the systems do, what you could do with them and what the consequences [would] be.'

Unfortunately, the tools for analyzing consequences have been lacking. The biggest roadblock has been the unwillingness of companies to share data, either with other companies or with the government.

'Without a comprehensive understanding of the potential economic impacts from cyberattacks, it is difficult to make an informed decision regarding investment in and prioritization of countermeasures,' Purdy said.

It was Purdy's predecessor in the Cyber Security Division of DHS, Amit Yoran, who authorized formation of US-CCU in April 2004. But the initial impetus came from the department's Private Sector Office, which was concerned about the lack of credible information about the costs of cyberattacks.

Borg, a senior research fellow at Dartmouth College's Tuck School of Business, had given briefings to government agencies and corporations on his models for economic analysis. He also had been chief economist on the Livewire cyberattack exercise in 2003 and served in the same capacity in this year's DHS Cyber Storm exercise. He was tapped to lead the effort.

Borg advocates applying real-world economics rather than quick-and-dirty estimates to the cost of cyberattacks.

'The cost of cyberattacks can be assessed by looking at how they change the overall inputs and outputs of business,' Borg wrote in his funding proposal to DHS.

This is obvious, but previous attempts have simply added up the cost of lost capacity attributed to attacks, without taking into account how much capacity is normally used or how much value it creates. Disruptions in critical infrastructure are often mitigated by work-arounds or by postponing an activity, and value is not completely lost.

Initial studies by US-CCU have produced some surprises. In an era of just-in-time inventory and high-speed delivery, shutting down a company or a portion of the infrastructure is normally seen as the greatest threat to productivity.

'But shutting things down for up to three days just doesn't cost much,' Borg said. Systems have enough excess capacity and inventory to survive short shutdowns well.

On the other hand, poorly secured process control systems, which form a nexus of the nation's physical and IT infrastructures, appear to be a greater danger than anticipated. These supervisory control and data acquisition, or SCADA, systems have long been a security concern.

'I had already been paying attention to SCADA systems,' Borg said. 'But I was surprised by the degree of interconnections with the Internet.

'Most of this stuff has not been a big surprise to the relevant business people,' he said. The problem has been the lack of communication among business people and between business and government, because much of this information is proprietary.

It was this wariness that required US-CCU to be set up as an independent institute, working at arm's length from DHS and able to protect corporate data from government.

Funds for US-CCU have been funneled through a General Services Administration contract with Sonalysts Inc. of Waterford, Conn., an e-business consulting group that is the legal and financial administrator for the unit.

US-CCU has been able to survive on its shoestring budget because the 10-person staff uses its own day-job offices, and much of their work is donated, Borg said.

His next goal at US-CCU is to develop more industry-specific security tools, because one size does not fit all in IT security.

'No wonder we have vulnerabilities,' he said. 'This is a huge opportunity for both security vendors and the hacker community.'

But instability within the DHS Cyber Security Division has hampered the unit's ability to gain either funding or attention, Borg said. Yoran resigned in September 2004, and Purdy remains in an acting capacity nearly two years later. A newly created slot for assistant secretary of cyber-security is unfilled, and personnel changes have limited institutional memory. The draft of the US-CCU cyber-security checklist was released in April without the DHS name or seal and has yet to be vetted by the department.

'I have tried hard to keep the National Cyber Security Division informed about the CCU's work and sought guidance on the release of the checklist,' Borg said. He tried to set up a meeting to discuss the checklist, but 'the relevant people seemed to have trouble fitting me into their schedules.'

Still, Purdy said that 'understanding the consequences of cyberattacks is particularly important in assessing the risk to a critical infrastructure,' and this requires a 'quantitative, systematic and rigorous process,' which US-CCU is striving to provide.

Let's hope it's given the chance to succeed.

The IT security checklist developed by the U.S. Cyber Consequences Unit is an effort to update outdated checklists that researchers say have left gaping holes in the cyberdefenses of critical infrastructures.

The list is a result of on-site visits and interviews with personnel in the electric-power and health care industries, and is an attempt to focus security efforts on real-world consequences of security breaches.

The checklist contains 478 questions grouped into six categories and 16 avenues:

  • Hardware vulnerabilities. Physical equipment, environment and by-products.

  • Software access vulnerabilities. Identity authentication, application privileges, input validation and appropriate behavior patterns.

  • Network vulnerabilities. Permanent network connections, intermittent network connections and network maintenance.

  • Automation vulnerabilities. Human maintenance procedures and intentional actions threatening security.

  • Human operator vulnerabilities. Maintenance of security procedures and intentional actions threatening security.

  • Software supply vulnerabilities. Internal policies for software development and policies for dealing with external vendors.

Scott Borg, director and chief economist at US-CCU, outlined some of the major concerns in each of the primary categories.

  • Physical equipment. The overlap between physical and IT security opens many vulnerabilities. Physical access to hardware often is not adequately controlled. One electric-power facility reported a plague of petty thefts from temporary construction workers in sensitive areas that had not been secured.

  • Software access. This area accounts for the greatest number of vulnerabilities. As hospitals move to electronic records, the emphasis is on convenience, with little monitoring of how software is used or changed. 'There's a huge opportunity for mischief,' Borg said.

  • Network vulnerabilities. Access to the network is not adequately controlled and documented. Often this is a result of demands by senior management for immediate changes that do not go through proper authorization channels. 'We are finding all kinds of undocumented ways of accessing the networks.'

  • Automation. 'This is going to the heart of SCADA,' Borg said. Control systems are designed to be as clear and simple as possible, making them both user- and hacker-friendly. Often there is no monitoring or record of access to these systems, because they are not supposed to be accessed from the outside.

  • Human operators. The weak spot in almost any IT security system. Improper behavior and use of unauthorized programs open vulnerabilities in networks.

  • Software suppliers. Whether software is developed in-house or outsourced, the quality of the code is rarely guaranteed. Certifying the software can be counterproductive, because it's often obsolete by the time the process is completed. 'One of the ways around this is to certify the procedure for developing the software rather than the software itself.'


'Solutions for all of the things we are talking about already are under way,' Borg said.

But for some of the items on the checklist, there are still no cost-effective commercial solutions. Borg urged industry to step up to the plate and develop solutions, and said government should encourage development by creating incentives through its acquisition policies.

'Without a comprehensive understanding of the potential economic impacts from cyber attacks, it is difficult to make an informed decision regarding ... countermeasures.'

Andy Purdy, DHS

Rick Steele







































