Sunday, 15 February 2009

Cyberwarfare – Is the IT-infrastructure protected?

During his election campaign, Barack Obama already stressed the need to improve the protection of the US against cyber warfare and to set up an organisation to raise the level of protection.

As cited by Wired in July 2008, he said:

“As President, I'll make cyber security the top priority that it should be in the 21st century. I'll declare our cyber-infrastructure a strategic asset, and appoint a National Cyber Advisor who will report directly to me.”

Once the election was over, Obama and Biden declared on the transition website for the President-elect what the policy would be when they took office. The key areas of an increased effort against cyberwar would be (of course) to defeat terrorism worldwide, to prevent nuclear terrorism, to strengthen American bio-security and to protect information networks.

Given equal weight were the importance of improving intelligence capacity while at the same time protecting civil liberties (a different recipe than George Bush's!), the objective of protecting American citizens from terrorist attacks and natural disasters, and the aims of protecting American infrastructure and modernizing the aging American infrastructure.

In particular, the policy to Protect Our Information Networks seems to be a new approach, as the new President is knowledgeable and capable of understanding what cyber warfare could really do to a modern society, where most of the infrastructure - from communication networks and media, to trains and airplanes, to power stations, sewers and drinking water - is controlled by IT systems that may be the target of cyber attacks.

As Frontpage also stated in January 2009, this policy was further defined by these focus areas:

Strengthen Federal Leadership on Cyber Security:

Declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy.

Initiate a Safe Computing R&D Effort and Harden our Nation’s Cyber Infrastructure:

Support an initiative to develop next-generation secure computers and networking for national security applications. Work with industry and academia to develop and deploy a new generation of secure hardware and software for our critical cyber infrastructure.

Protect the IT Infrastructure That Keeps America’s Economy Safe:

Work with the private sector to establish tough new standards for cyber security and physical resilience.

Prevent Corporate Cyber-Espionage:

Work with industry to develop the systems necessary to protect our nation’s trade secrets and our research and development. Innovations in software, engineering, pharmaceuticals and other fields are being stolen online from U.S. businesses at an alarming rate.

Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit:

Shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes. Initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime.

Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches:

Partner with industry and our citizens to secure personal data stored on government and private systems. Institute a common standard for securing such data across industries and protect the rights of individuals in the information age.

Where did Obama get these ideas from? Undoubtedly from having studied what took place in Estonia in 2007, where a Russian-led protest against the relocation of a Russian war memorial from the centre of Tallinn to the outskirts initiated a denial-of-service attack that blocked the better part of the Estonian financial sector as well as most of the central and local government web sites for weeks. This in turn led to NATO’s profound interest in extending the defence lines of the alliance to include cyber war, and according to Computerworld in May 2008, NATO is launching a centre to detect and prevent cyber attacks and to protect member states against them.

The official NATO statement can be found here: http://www.nato.int/docu/update/2008/05-may/e0514a.html

But President Obama’s very first task was to launch an in-depth analysis of the security threats against the US, due 2 months from now, according to The Register:

“This 60-day interagency review will develop a strategic framework to ensure that U.S. Government cybersecurity initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector.”

The coordination with the private sector matters because the threat is not seen as directed only towards public net services, and the analysis will be a 360-degree review. It is also clearly stated that privacy laws and regulations and respect for personal integrity have to be maintained in parallel with an increased level of security against cyber attacks.

The German Bundeswehr is also building up capacity and a national centre consisting of 76 highly skilled specialists to oversee, predict and prevent cyberwarfare. The article in Der Spiegel of February 7, 2009, states that the reason for this is an increased number of cyber attacks against German ministries and public websites.

Other very recent examples of cyber warfare were the cyberattack on Israel as a result of the attack on Gaza, and even in the former Russian Republic of Kyrgyzstan the Government felt the anger of the hackers (presumably either from inside Russia or – worst case – maybe endorsed by Russia), who tried to bring down the feeble Kyrgyzstani network before the country consented to anything regarding the US wish to have an airbase there. As stated by Computerworld UK:

“Since 18 January, the two biggest Internet service providers (ISPs) in Kyrgyzstan have been under a "massive, sustained distributed denial-of-service attack," said Don Jackson, the director of threat intelligence for SecureWorks.”

The attack followed almost the same pattern as the cyberattack against Georgia during the conflict with Russia in 2008. It seems the hackers are getting their act together, based on a lot of practice by now!

The Danish super-blogger Dorte Toft noted that when 8000 Danish net bank users were locked out of their net bank because they had been affected by the so-called ‘Downadup’ worm, this clearly illustrated the vulnerability of the Danish IT infrastructure. As the worm had a clearly identifiable Russian origin, we may be looking at the same family of super hackers as in the other recent cases.

In a later blog post dated February 8, 2009, Dorte Toft notes that Denmark clearly lacks a central organisation to supervise and protect us against massive cyber attacks, and that the way the financial sector handled the case of 8000 infected PCs is a clear sign of misguidedly restrictive communication to the general public.

In fact, this is not the first time attention has been drawn to the need for a more coordinated defence against cyber attacks in Denmark. In May 2004 the Danish Technology Council published a report on a project called ‘How vulnerable is the Danish IT Infrastructure?’. This report concluded that the threat is real, that it is increasing and that it has to be met by a ‘total defence’ view led by a coordinating organisation. A number of other practical suggestions were proposed, but only a few of them seem to have been followed. So it seems that Dorte Toft is absolutely right in her conclusion, and it is about time that the warnings from 2004 are heard – and followed. It is not enough to rely on a NATO centre; we have to have a coordinating, practical body with a sufficient level of expertise and with the legal power to coordinate sector organisations like Finansrådet – The Danish Bankers’ Association – but also other sector organisations such as the telecom sector, the energy sector, the transport sector and of course Danish industry, including the IT industry.

It is not a moment too soon for the Government and the heavy ministries – Ministry of Defence, Ministry of Justice – together with the Ministry of Technology to start doing something. They have received clear advice not only from Teknologirådet / The Technology Council but also from the IT industry ITEK and the Danish Industry Security Committee. And from Dorte Toft as well.
