Successful Cyber Attacks Reveal Chinks in US and UK Security Reviews

Contributor:  Chris McIntosh
Posted:  06/28/2011  12:00:00 AM EDT
Warfare is constantly evolving along with advances in technology. In the past few years, and especially in recent months, it has become apparent that the cyber world is the next theatre of battle. One only has to look at statements that the Ministry of Defence and Treasury have come under cyber-attack; the development and release of the Stuxnet virus; the large-scale hacking attack against Sony; or the Lulzsec hacking collective’s ongoing attacks against everyone from computer game companies to the CIA and US Senate. The message is clear: defence technology to combat cyber-attack needs to be a significant factor in any defence strategy.

Despite the 2010 National Security Review making cyber-crime and cyber-security a priority, there is still no clear agreed definition of what a cyber-attack entails. For the purposes of this discussion, a cyber-attack is defined as an electronic attack on a computer network or system for the purposes of theft, espionage or denial of service.

New battle lines and new enemies

This represents a shift in battle lines. While warfare has become more fluid since the 20th century, there is generally still understood to be a front line where military forces engage. With cyber-attacks, the front line can be literally anywhere: a server in a forward base is as legitimate a target as a computer in an obscure data centre in the Outer Hebrides. Government bodies, industry (including nuclear power generation), utilities, economies and even the personal systems of relevant individuals all become opportunities for cyber-attackers: indeed, given varying levels of security, a remote target is likely to be easier to attack.
[Image: Data needs to be protected when outside the system, for example, when transmitted via RF. Credit: USAF]

There is also a corresponding shift in the composition of the attacking force. The capabilities required to engage in cyber-warfare are virtually age blind and, due to the remote nature of cyber operations, operators may be located almost anywhere. Alongside this difficulty in identifying attackers is a similar confusion regarding motive. Attackers may be direct representatives of a foreign power – also known as state actors. They may be mercenaries in the pay of a wide variety of interests. They may be driven purely by ideological concerns. Alternatively, as with the current attacks by Lulzsec, they may be motivated by simple mischief. This makes such attacks difficult to predict and even more difficult to counter.

High stakes: the possible consequences

As a cyber-attack could strike anywhere, from any source, for seemingly any reason, so the results can vary greatly. At its very simplest, a cyber-attack could involve simple data theft, either of comprehensive strategic importance or immediate tactical application; or simply security codes or confidential personal details belonging to ‘high value targets’. It can also shut down critical services. This can be achieved by crashing a website or by targeting, for example, energy infrastructure or air traffic control systems. Lastly, a dedicated cyber-attack could even turn IT systems against the owner - by feeding false information to forces or by hijacking control of transport infrastructure. This may seem like the plot to a Die Hard film, but it is now very much within the realm of possibility.

Protecting against cyber-attacks: from firewalls to failsafes

While governments and other organisations are now making noise about defending against cyber-attack, there is less evidence that this is actually being followed up with firm, decisive action. This must change: as with any form of defence, the most important point is to be thorough. Network security, intrusion prevention and detection, and follow-up actions all have a part to play. For example, any IT system will have a firewall - the first line of defence against external cyber-attack. However, with enough time and expertise, a dedicated attacker will breach this barrier. Indeed, in the constant race between cyber-attackers and IT security, gaps in firewalls are always being spotted, exploited and patched. What is vital is making sure that the correct security measures are in place when the firewall is broken.

Firstly, organisations must ensure systems are in place that will alert them when a breach has occurred. Warnings should be sounded when a firewall is breached and when any sensitive data or controls are accessed, especially by unknown or unexpected users. Data itself should be protected at all times: whether on an aircraft, in a government data centre or on the Defence Secretary’s laptop, all data should be encrypted and accredited access control mechanisms should be implemented. In worst-case scenarios, kill-switches should be used to ensure data is rendered completely unusable. It is also vital to know your systems: they should be constantly reviewed, both in order to identify possible vulnerabilities and to identify any unexpected changes that could be evidence of an attack. Data also needs to be encrypted and protected when outside the system, for example, when being transmitted via RF. Short-cuts should be avoided at all costs. They may make everyday operations seem simpler, but the risks to security are increasingly difficult to justify.

Lastly, whilst cyber-attack is a remote threat, physical security should not be ignored. Multi-layered and highly sophisticated IT defences are worthless if the enemy can simply walk into a location and walk out with servers crammed with information. This may be simple for military installations. However, for civilian systems, high levels of physical security will largely prove impractical. At the very least, there should always be a way to track and, if necessary, wipe data if removed from its original location.

Overcoming the barriers to a full cyber-security strategy

As always, there are complications inherent in providing 360-degree protection against cyber-attack. The first is education: forces must be taught how to prevent their data and systems from being open to attack; for example, by adhering to security policies and always ensuring that data is encrypted to the appropriate level. Additionally, cost must always be a consideration. Comprehensive security is not cheap, and concerns have already been raised regarding the amount of data that the government secures to a military standard. Last is the question of who shall be responsible for maintaining overall control of cyber-security; whether it rests with a branch of the military, with GCHQ, with the security services or with an entirely separate body. Included in this is the issue of how the vast numbers of systems that need to be protected are effectively coordinated. These are issues that must be overcome nonetheless. It would indeed prove irresponsibly risky to mandate national security measures according to the lowest possible costs. Indeed, the escalating threat of cyber-attack is currently greater than the risk of a similar kinetic equivalent. At the same time, regardless of who controls our cyber-security infrastructure, the basic principle should be the same as in any other form of defence: think of the ways in which the enemy can inflict damage and then apply appropriate countermeasures.
Chris McIntosh is the CEO of ViaSat UK
