Unlocking the Secrets of Cyber Security



Achiever | University of Maryland University College

Unlocking the Secrets of Cybersecurity

Industry experts discuss the challenges of hacking, tracking, and attacking in a virtual world.

BY GIL KLEIN

Shortly after Defense Secretary Leon Panetta warned of a “cyber Pearl Harbor,” three of University of Maryland University College’s top advisers on cybersecurity agreed that he was wrong. A cyber Pearl Harbor is not in our future, they said. It already happened—as long as 20 years ago. Sneak attacks against the nation’s computer infrastructure occur daily—from personal identity theft, to “hacktivists” trashing targeted Web sites, to thieves stealing corporate secrets, to foreign agents probing U.S. security weaknesses. But with these dangers come opportunities. For people willing to get the right education, cybersecurity offers unlimited possibilities for creative employment that will provide essential services to the nation. Speaking were three members of UMUC’s Cybersecurity Think Tank, which has helped the university establish undergraduate and graduate programs in cybersecurity education:

Retired U.S. Navy Rear Adm. Elizabeth Hight, who was vice director of the Defense Information Systems Agency and deputy director of JTF-Global Network Operations. She is now vice president of the Cybersecurity Solutions Group, U.S. Public Sector, of the Hewlett-Packard Co.

Marcus Sachs, vice president of national security policy at Verizon Communications, who coordinates cyber issues with federal, state, and local governments.

L. William Varner, president and chief operating officer of Mission, Cyber and Intelligence Solutions at ManTech International Corp.

They joined Achiever writer Gil Klein at the National Press Club in Washington, D.C., to probe this unprecedented new security threat. They talked about the possibility of what Panetta meant by a cyber Pearl Harbor—an overwhelming attack that shakes the nation’s security and economic system and warrants a military response.

ILLUSTRATION BY ADAM NIKLEWICZ

PHOTOGRAPHS BY SAM HURD


www.umuc.edu | Achiever


But they were careful to emphasize that the situation is not totally dire. Solutions are available and opportunities abound to expand them to meet the ever-changing danger. As Marcus Sachs said, “All is not bad. We may paint a very horrible picture here, but we want to make sure people understand it’s not the end of the world.”

GIL KLEIN: Betsy, what keeps you up at night?

ELIZABETH A. HIGHT: The whole host of “unknown unknowns,” whether they be very well-meaning but poorly educated information security officers, those who believe that the current host of products will keep their systems well defended, or those who have found unique and still undiscovered exploits to get into public, private, or personal systems. All of those things are still unknown unknowns to most of us.

GIL KLEIN: And Marc, do you sleep well?

MARCUS H. SACHS: Generally, I do, because if you know what bad is out there and what good is out there, you can sleep well. But what bothers a lot of people is that one lucky person. This is one of the problems in cyberspace: somebody can make a mistake somewhere that we don’t know about, and somebody can get lucky—an unknown hacker, an unknown terrorist, an unknown criminal can get very lucky and do something very, very bad that’s unpredictable, and we only hear about it the next morning.

GIL KLEIN: And Bill, how about you?

L. WILLIAM VARNER: My real fear is the consequences of a successful cyber attack anywhere in our critical infrastructure. I think we had a little taste last summer of what that might be like with the storms that came through the Washington, D.C., area. Many lost power for several days. I was fortunate to be able to find power sources nearby and keep my phone and laptop charged for the five days I was without power. But what would we have done had the power not come on in five days? What if it hadn’t come on for five weeks? I think our behavior as a society would change at that point, and it would be a much different place to live.

GIL KLEIN: Defense Secretary Leon Panetta, who probably doesn’t sleep at all given all his responsibilities, recently warned of a cyber Pearl Harbor. Now, let’s start with Marc. What do you think that would look like?

MARCUS H. SACHS: Well, fortunately, Pearl Harbor has already happened, and it probably happened about 20 years ago. The problem is that we don’t know what a Pearl Harbor looks like. When was the first intrusion into our networks? When was the first actual loss due to cyber crime? A Pearl Harbor is usually painted as an unexpected attack, where the airplanes come in at dawn. Cyberspace is a little different. We’re constantly being attacked; we’re constantly being penetrated. So, many would say that our cyber Pearl Harbor moment is actually in our past. We just don’t recognize it; we’re still waiting for this big event, and we’re not paying attention to everything that has already happened.

ELIZABETH A. HIGHT: Most people equate Pearl Harbor with the big bang. I mean, there were bombs dropping, there were people injured and dying. There was a lot of noise. So when professionals use that reference, we think there’s going to be a great big, loud bang somewhere. But that’s not the way cyberspace works.

“A Pearl Harbor is usually painted as an unexpected attack, where the airplanes come in at dawn. Cyberspace is a little different. We’re constantly being attacked, we’re constantly being penetrated. So, many would say that our cyber Pearl Harbor moment is actually in our past. We just don’t recognize it.” —MARCUS H. SACHS

A BRIEF HISTORY OF CYBERSECURITY

BY MELISSA E. HATHAWAY, president of Hathaway Global Strategies and a member of UMUC’s Cyber Think Tank. Hathaway served in two presidential administrations, spearheading the Cyberspace Policy Review for President Barack Obama and leading the Comprehensive National Cybersecurity Initiative for President George W. Bush.

1969 ARPANet Transmission

1970 Intel introduces the first 1k DRAM chip

1971 Creeper Worm demonstrates mobility and self-replicating programs on ARPANet

1972 File Transfer and TCP

1973 ARPANet Virtual Communication with Europe

1973 Motorola invents the first cellular portable telephone to be commercialized

1974 Development of the Graphical User Interface (GUI) paves the way for the intuitive design of Mac and Windows OS

Timeline content excerpted from a broader presentation and analysis.


So if we think about it that way, everyone will say, “Oh, no, no, there’ll never be a big Pearl Harbor.” But the consequences could be so severe that we would have exactly the same kind of mayhem, if in fact our critical infrastructure were destroyed or even penetrated in some way.

L. WILLIAM VARNER: And the worst thing is, we might not know until such an attack is well under way. It might not be the big, explosive, kinetic activity that we think we would immediately recognize.

MARCUS H. SACHS: It is, however, a fair analogy, because a lot of what led up to Pearl Harbor, what actually allowed it to happen, was the misinformation sharing and the stove-piping of information. People knew what was going on. We had intelligence, but there was no sharing. And this is exactly what we see today.

GIL KLEIN: And in general terms, how is the United States military preparing for a cyber attack? Is it happening quickly enough?

L. WILLIAM VARNER: We should look at the responsibilities of the U.S. Cyber Command and the Department of Homeland Security. Even more importantly, look at all of the aspects of our Internet infrastructure that are not protected by either the Cyber Command or Homeland Security.

What that means is that a lot of our protection today is left up to private industry. In all honesty, companies like ours are, in large measure, responsible for protecting their own networks. And it’s a big challenge. The bad guys only have to be right once. We have to be right 100 percent of the time.

GIL KLEIN: Do you think the general public is aware of the threat? What more can be done to prepare the public for the possibility of a major cyber attack?

MARCUS H. SACHS: I think the awareness is there that cyberspace has problems. But what’s missing is the “so what?” What do I do about that? In the physical world, we do a pretty good job of teaching people about looking left and right before crossing the street or about not slipping on the ice. We don’t do as good a job of teaching people what to do in cyberspace to make themselves secure. That’s the education gap.

ELIZABETH A. HIGHT: People may be very aware of the threat, but they really don’t know how it impacts them personally. Unless they—or a close friend or family member—have had their identity stolen, for example, they won’t know the true impact on their credit report. They won’t know how long it will take to recover.

LEFT TO RIGHT: Gil Klein, Marcus H. Sachs, Elizabeth A. Hight, L. William Varner.

1977 Emergence of smaller computers

1977 Microsoft forms

1978 TCP-IP becomes universally accepted global standard to supply network layer and transport layer functionality

1979 1G network (launched by Nippon Telegraph and Telephone in Japan) allows the first cell-to-cell transmission without dropping the call

1979 Intel introduces the 8088 CPU and it is chosen to power IBM personal computers

1981 IBM personal computer

1982 AT&T divestiture in return for the opportunity to go into the computer business

1983 DNS Registry lays foundation for expansion of Internet

1983 DoD begins using MilNet—mandates TCP-IP for all unclassified systems

1983 Fred Cohen authors the first computer “virus”—a term coined by his academic advisor, Len Adelman

TIMELINE ILLUSTRATIONS BY ROBERT NEUBECKER


They won’t know that in fact what they put on social media is open to the world and will be there forever. I tell people all the time that we need to have a cyberspace ethics and civics class in elementary school to help teach our citizens from the very beginning what this cyber thing is. Because children like to reach out and touch things, and they can’t do that in cyberspace.

GIL KLEIN: What is the need for a trained cybersecurity workforce? Are universities producing the numbers needed? Are there enough students coming out of high school with the skills needed to begin learning this kind of complex information? And, of course, how intense is the competition for these jobs? That’s a lot of questions.

L. WILLIAM VARNER: Those are easy questions, Gil, because the answer to most everything is no. There are not enough people currently. There are not enough people coming out of high schools or being trained in our colleges. And there are just not enough people in the general STEM—science, technology, engineering and math—curricula altogether. I know Betsy and Marc and I all share an interest in trying to increase the number of trained cyber professionals in the country, particularly those who are able to obtain the clearances that let them work closely with our government agencies. And we sponsor a lot of training programs. Just because someone graduates from college with a master’s degree in electrical engineering or computer science does not necessarily mean he or she is ready to join the ranks of cyber warriors.

MARCUS H. SACHS: Cyber education is a lot like health and healthcare. When kids are going through elementary, middle, and high school, we teach basic health principles. But not all kids grow up to be doctors and nurses. Cybersecurity is the same sort of thing. We need to teach the basics of hygiene in cyberspace, the basics of what can go wrong. Some can go on to become the professionals. But I think what we’re missing is that early education. We tend to think this is only for the little geeks and wizards. But it should be for everybody, just like health education is for everybody.

ELIZABETH A. HIGHT: If ever there was a case for lifelong learning, it is cyberspace. All three of us are digital immigrants; we did not grow up with this technology. Our children and our grandchildren are very comfortable with it. But the technology is so complex and changes so rapidly, there is no one who can sit back and think, “Oh, well, I understand it, and I don’t need any more education.”

GIL KLEIN: Are there enough university programs to do this? Or is this an open field for universities? And who do you get to teach this if everybody who knows it has to be working and protecting somebody?

MARCUS H. SACHS: There’s a lot of opportunity there.

L. WILLIAM VARNER: There is. UMUC has a great program. I also work with almost every university in the area, as well as with some that are not local. But to me, one of the most important things is making our career field attractive to people who are of the age where they are thinking about what kinds of careers they want.

MARCUS H. SACHS: It applies to all career fields. It’s not just for those who get a degree in cybersecurity. If your degree is in education, there needs to be a cybersecurity component, because you’re going to be the one talking to kids. You need to understand cyberspace at a level where you can talk about it, just like you talk about American history, just like you teach math.

And when you’re at UMUC, or in any college environment, that is the time to take your innovative ideas and tinker with them and mature them. And then offer them to the greater good. Because cyberspace is open to all of us. So when you innovate, you’re helping all of us. —ELIZABETH A. HIGHT

1984 Cisco Systems Inc. forms

1985 Microsoft Windows; utility of computer easier for consumer

1985 Generic top-level domains are officially implemented (.com, .gov, .mil, .edu)

1988 Morris is Internet’s first widely propagating worm

1988 After Morris Worm, DEC white paper introduces the concept of firewalls and packet filtering; launches the market for security products

1988 DoD funds Carnegie Mellon CERT-CC as a result of Morris Worm

1989 DoD Corporate Information Management (CIM) Initiative to identify and implement management efficiencies in DoD information systems

1990 CERN develops HTML code and software (World Wide Web is possible)

1990 Rise of Internet innovation

1991 National Academy of Sciences: Computers at Risk Report

1991 First GSM network launches in Finland, giving way to 2G cellular networks

1992 OSD issues Policy 3600.2 Information Warfare

1992 2G networks make instant messaging possible


But other career fields—engineering, law—are also wide open. It doesn’t just have to be focused on technical skills. I think this is where UMUC is really gaining an advantage, because they have a wide course curriculum, a big audience.

L. WILLIAM VARNER: And in the position we’re in now, I don’t think all of the universities and colleges added together could produce enough people to meet the needs that we have today.

GIL KLEIN: Talk a little bit about the kinds of attacks that are going on right now. Who is making these attacks? And how much impact do they have?

ELIZABETH A. HIGHT: There are basically three types of attackers. There are the hacktivists and the joyriders that we’ve seen for years and years. There are the state-sponsored attackers. And there are criminals. So each of them has varying degrees of support and education and training and opportunity. That creates a huge problem for the entire federal, state, and local government environment, because they have to protect against the entire continuum.

MARCUS H. SACHS: There are some commonalities. It’s not machines that are attacking us; people are attacking us. The conversation we were just having about manpower—our adversaries have the same problem. There aren’t a lot of smart attackers out there, either. In fact, if I had the choice to work for one of us and have a beautiful, bright career, or to work for a terrorist organization and perhaps get blown up, I might decide that I don’t want to be a terrorist. This is an interesting quandary, because our adversaries do face the same problems. Government targets are lucrative, but a government system is no different from a private sector system, or a university system, or a home system. It’s the same silicon, the same software, the same vulnerabilities. The information may be different; the value of the information may be different, but that is actually a strength, because lessons that you learn in the government can be applied to industry, to academia, or to home systems. And vice versa. So it’s a fairly level playing field in terms of defense. Solutions work in multiple places. And that’s a strength we need to play to.

GIL KLEIN: Can any of you tell me a story about an attack, how it came about, and what was accomplished?

LEFT TO RIGHT: Marcus H. Sachs, Elizabeth A. Hight, and L. William Varner

1993 MILNET becomes NIPRNET

1993 Mosaic Web browser makes the Internet an everyday tool

1994 $10 million stolen from Citibank; Steve Katz becomes the first chief information security officer (CISO)

1994 VCJCS directs IW Joint Warfare Capability assessment

1994 Nokia proof—sends data over cell phone (Wi-Fi possible)

1995 AOL phishing attacks for passwords and credit card information

1995 Evident Surprise wargame DEPSECDEF and IC agree to coordinate IW policy

1996 ITU works on standard (H-323) for Voice over Internet Protocol (voice and data over single network reduces infrastructure costs)

1996 Defense Science Board paper: Information Warfare-Defense

1996 OSD Issues 3600.1 Information Operations Broadening the Definition to Engage During Peace

1996 US relaxes export controls on encryption products to foster global electronic commerce

1997 Framework for Electronic Global Commerce policy (known as the “Green Paper” in the U.S.) encourages international adoption of DNS

1997 President’s Commission on Critical Infrastructure Protection leads to formation of ISACs (information sharing and analysis centers)


MARCUS H. SACHS: What we see today usually comes on one of two levels. There is the subversive attack that is very hard to see. The adversary is interested in targeting you because there is information that they want specifically from you. And they will take time to get it. They go in and grab what they want, they take it, and you may not realize that it’s gone. Often we see this happen after the fact. We have forensics teams that will go in and investigate, and a company or organization will realize that they have been breached. And it sometimes turns out that the initial entry was more than a year ago and the adversaries have had that much access before they are finally noticed. Then you have the class of attacks that are very noisy, like denial-of-service attacks or flooding attacks. The target may be an organization like a bank or a government, or it may just be anybody who happens to be connected to the Internet. Those are like a flash; here today, gone a few moments later. But they can still be very visible. And we face this all the time, particularly with high profile Web sites. This is the hacktivist problem we’re talking about, where in the past you might go up to whomever you didn’t like and spray paint your message all over their glass wall. Today, you go online and maybe deface their Web site, or cause a denial-of-service attack so their customers can’t get there.

ELIZABETH A. HIGHT: We’ve had cases of government organizations dealing with their own bureaucracies. A recent state case involved the lack of a state information security officer for more than a year. The thing that held it up was the bureaucracy of finding someone with these critical skills who would accept the pay of a person in a government bureaucracy. Here in Washington, D.C., especially, I think the unemployment rate for cybersecurity specialists is less than zero. They’re in great demand. And that’s true not just for government but for industry as well.

GIL KLEIN: Bill, do you have a great story here?

L. WILLIAM VARNER: When you are attacked you might not even know it; the data is still there. They take a copy of it; they don’t take the data. It’s a lot different from physically breaking into a building and stealing something, where you notice, “Hey, my stereo system is gone.” You may not know that somebody has taken your valuable intellectual property.

MARCUS H. SACHS: Let me mention a real-world case here. The RSA Corporation, as many of us are aware, is at the top of their game when it comes to cybersecurity. Devices, software, consulting services, they’re all over. But yet they got breached. And it kind of reflects back on that very first question: what keeps you up at night? Here you have the best, and they get broken into, even though they’re doing everything right.

ELIZABETH A. HIGHT: So 10, 15, or 20 years ago, we thought if we could protect the outer perimeter, we could keep all the bad guys out. As a matter of fact, in 2005, the Department of Defense really cracked down on two-factor authentication and required everyone to log on to the network with their CAC cards—something that they knew, something that they held in their hands that could not be stolen by someone who was putzing around in a network looking at the password file. So those defenses were developed, and then we went on to phishing. And now we’re into spear phishing, and the human

“Companies like ours are, in large measure, responsible for protecting their own networks. And it’s a big challenge. The bad guys only have to be right once. We have to be right 100 percent of the time.” —L. WILLIAM VARNER

1997 Google search engine invented

1997 802.11 International Standard agreed upon

1997 Eligible Receiver Exercise focuses DoD and IC on vulnerabilities of U.S. infrastructure and foreign IO programs

1998 Internet Corporation of Assigned Names and Numbers (ICANN) established

1998 PDD-63 Critical Infrastructure Protection Policy

1998 Solar Sunrise DoD penetrations realized

1999 U.S. Space Command assigned military Cyber Offense-Defense Mission responsibility

1999 Melissa Virus sets stage for rapid infections

1999 In-Q-Tel established to help government innovate

1999 DCI agrees to use same definitions signing out DCID 7-3

2000 HTML accepted as international standard ISO: 15445

2000 National Academy of Sciences: Trust in Cyberspace

2000 Y2K

2000 DDoS attacks against e-commerce affect Amazon, Ebay, CNN

2001 Launch of first pre-commercial trial 3G network (packet-switch) by Nippon Telegraph and Telephone

2001 DoD Quadrennial Defense Review renews focus on information operations

2001 Wikipedia created


element is so unpredictable. A very well-documented case that involved an effort to hack into an international company was really engineered around calling a system engineer overseas and claiming to be a member of the company. It was very late in the evening, and the system admin overseas said, “Sure, I can reset your password.” And the hacker actually got into the system that way.

GIL KLEIN: Is there a level of cyber attack that you think would warrant a traditional military response? Or could we even figure that out?

ELIZABETH A. HIGHT: I think with technology today, there are some who can figure that out. And as a citizen of the United States, if an organization or an individual actually turned off my power, or poisoned my water, or caused an airplane to crash, I certainly hope the United States would respond somehow.

MARCUS H. SACHS: That somehow is the question. Is the somehow diplomacy that ultimately finds its way into the military? Or is the somehow trade sanctions? Or is the somehow just a demarche or a public outing? I think that’s a public policy problem we have here in Washington. We don’t have that answer.

L. WILLIAM VARNER: Of course, that brings up the whole issue of attribution, which, in my opinion, is the most difficult problem in cybersecurity. You need to be pretty certain who launched the attack before you strike back. In reality, many attacks originate right here in the United States; they are just routed through other countries.

MARCUS H. SACHS: We have a very clear policy about the use of nuclear weapons, for example. There is no ambiguity about what the United States’ response would be if somebody fired a nuclear weapon at us. We have a very clear policy on invasion. But we don’t have a clear national policy that says, “It is the policy of the United States to do the following if there is a cyber attack that meets such-and-such a threshold.” I think we have to have that.

Cyber-Speak Glossary

CAC Card is a common access card issued by the Defense Department that allows entry to government buildings and computer networks. About the size of a credit card, it has an embedded microchip that has a digital image of the cardholder’s face, two digital fingerprints, Social Security number, and other identifying data.

DARPA is the Defense Advanced Research Projects Agency, an independent research branch of the Department of Defense created in 1958 that funded a project that led to the creation of the Internet. Its mission is to think independently of the rest of the military and to respond quickly and innovatively to national defense challenges.

Exfiltration, also known as extrusion, is the unauthorized transfer of data from a computer or network.

Hacktivists are people who break into computer systems for politically or socially motivated purposes. Their motives are usually not to steal information but to alter a targeted Web site or hamper the organization’s ability to operate online.

Spear Phishing is an attempt to gain unauthorized access to an organization’s information by targeting specific individuals in that organization. Unlike regular phishing, which is typically carried out by random hackers, spear phishers know exactly what information they want and who can provide access. They send messages that appear to be from authoritative sources asking for passwords and other information that will grant them access to classified information.

Stuxnet is a computer worm believed to have been developed by the United States and Israel that was used in 2010 to attack the supervisory control and data acquisition systems of Iran’s nuclear development program.

U.S. Cyber Command was created in 2009 in the Department of Defense to plan, coordinate, integrate, synchronize, and direct activities to operate and defend the department’s networks. When directed, the Cyber Command conducts military cyberspace operations to ensure the United States and its allies freedom of action in cyberspace while denying the same to its adversaries.

2001 Council of Europe, Cybercrime Convention (treaty)

2001 Nuclear Posture Review calls for replacement of nuclear weapons with non-kinetic weapons

2002 Department of Homeland Security assumes Critical Infrastructure Protection Mission

2002 Social networking technology takes off with Friendster

2002 U.S. Strategic Command assigned military Cyber Offense-Defense Mission responsibility

2002 DoD 3600.1 policy is reissued with new definition for Information Operations

2003 CA State Data Breach Law: Businesses must report breach of PII

2003 LinkedIn: Business application of social networking

2003 DoD Transformation Planning Guidance formalizes Net Centric Warfare

2003 Skype (beta) debuts

2004 DoD IO Roadmap programs more than $1 billion in new funds to normalize IO

2004 EW Roadmap to focus DoD’s efforts to provide electronic attack options

2005 Choice Point first breach of personal identifiable information (PII)

2005 NERC announces standards for cybersecurity for reliability of bulk-power systems

2006 Facebook forms

2006 Congressional Testimony NSA outlines closer coordination with DHS

2006 Hengchun Earthquake (Taiwan) affects undersea cables and Internet for 49 days


ELIZABETH A. HIGHT: And I think that is one of the great things about the UMUC curriculum. There are courses where students are challenged to think critically about those policy issues. And that area is ripe with opportunity, whether you’re a student, a private citizen, or a member of the legislative or judicial branch. Those discussions need to happen before we actually wake up one day and discover the catastrophic effect of a cyber attack.

L. WILLIAM VARNER: And the interesting thing we’re all saying here is that cyber technology is more advanced than cyber policy.

MARCUS H. SACHS: And of course cyberspace doesn’t belong to anybody. It belongs to everybody. It’s really a metaphor; it’s not really a thing. It’s not like dirt or air. It’s this made-up and synthetic thing that humans have built. So when we ask the question, “What should the military do?” it really depends on whom you’re asking. Because a network owner and operator would say, “The military has no role here, other than perhaps protecting my physical assets. The actual essence of cyberspace is a business; it’s not a military battleground.”

So this is an ongoing debate here in Washington. Maybe we need to just keep talking about this, not wrapping it up behind classified doors, because it is a very serious policy matter that we have to start discussing openly.

ELIZABETH A. HIGHT: I think one of the things to consider is the foundation of our own country. I mean, individualism and privacy and all of those concepts that our country was founded on really fly in the face of cyberspace. Because a lot of people would say there is no privacy in cyberspace, and others would say that there is all kinds of privacy, it just depends on how you use cyberspace.

MARCUS H. SACHS: If you start with the Constitution, everybody understands the First Amendment. Freedom of speech, we want that; so, okay, we check that off. Then you get to the Second Amendment and things get very awkward. What does it mean to have the right to bear arms in cyberspace? What is an arm? And we’re only on the Second Amendment! We haven’t even gotten to three or four. [Laughter.] So, again, this is the debate we have got to have. What does this stuff mean?

LEFT TO RIGHT: Marcus H. Sachs, Elizabeth A. Hight, and L. William Varner at the National Press Club in Washington, D.C.

2007 USAF establishes a Cyber Command

2007 Comprehensive National Cybersecurity Initiative (CNCI)

2007 TJ Maxx breach (exploits Wi-Fi)

2007 Estonia DDoS highlights use of force (wartime applications with conscripted computers)

2007 Joint Staff, National Military Strategy for Cyberspace Operations

2008 RBS World Pay $9 million stolen in 30 min., 49 cities

2008 President announces modernization program (Smart Grid, Next Gen FAA, Health-IT, Broadband to America)

2008 Georgia-Russia conflict demonstrates cyber in warfare

2008 Cable cut(s) in Mediterranean dramatically slow down Internet and Egypt affected badly

2008 Conficker Worm requires unprecedented international cooperation and operational response

2009 Heartland Payments breach demonstrates that compliance does not equal security

2009 Cyberspace Policy Review: Cyber is economic and national security priority

2009 Move to cloud computing

2009 National Research Council Report: Cyber Attack Capabilities

2009 4G offered via WiMAX standard (Sprint) speed improvement of 10-fold

2009 Operation Aurora coordinated attack on many high-profile companies targeting intellectual property


2010: Intel Corporation SEC Filing

2010: Texas bank sues customer over cyber-theft

2010: UK Data Protection Law: $500,000 fine for lost protected data

2010: Stuxnet Worm strikes Iran’s nuclear facilities

2010: Standup of U.S. Cyber Command

2010: Smokescreen, online virtual reality game, guides teenagers through dangers of social networking

2010: Court rules in favor of Comcast; Net Neutrality debate heats up on Internet regulation

2010: NATO Strategic Concept Review highlights cyber

2010: NATO declares cyber defense a priority

2010: Market shift: Proliferation of handheld wireless devices

2011: 88 percent of Egyptian Internet cut off from citizens

2011: NASDAQ penetrated

2011: Libya cuts off Internet and social networking sites from citizens

2011: The Netherlands, France, and Germany publish cybersecurity strategies

2011: IPv4 address allocation exhausted

2011: Hackers break into Canada’s Treasury system

2011: UK states that cyber-attacks and cybercrime are among its top five security issues

2011: Epsilon breach: High profile customers exposed

2011: RSA/EMC Corporation SEC filing (SecurID breach)

2011: G8 discusses that laws need to apply to the Internet

GIL KLEIN: The United States and Israel apparently launched a successful cyber attack known as Stuxnet against Iran’s nuclear development program. Is that the type of low-level warfare we can expect to see that avoids actual firepower? Do you see an offensive use for the U.S. military?

ELIZABETH A. HIGHT: Well, I wouldn’t call trying to disable a country’s nuclear arsenal “low level.” I think that as we evolve in this arena, we will continue to see operations of certain types until we have case law or legislation that defines that. I think one of the most important things to realize is that it’s not just U.S. citizens that are thinking about conducting defensive or offensive operations. This is a global domain; there is no state line or national border. And these conversations need to be held globally.

MARCUS H. SACHS: It’s hard for the United States because we’ve always been ahead of this game when it comes to technology—from airplanes to spaceships to nuclear weapons. But enter cyberspace, and we just assume we’re in charge. We assume we have more capabilities than others. That may not be the case. And that’s very awkward for us, because now we have worthy adversaries. But they’re not necessarily countries like China or Russia. An adversary could be an individual, a corporation, a loosely affiliated group or a terrorist group. It could be a cause. That’s what makes cyberspace so interesting. When we say what offensive is, we try to go back to our classic industrial thinking of tanks and planes and ships and invasions. But offensive in cyberspace may be completely different. And I think Stuxnet is a great example, but it’s like a biplane compared to a strike fighter. This is so basic, to do a Stuxnet-type thing. And the history books will record this. Play this tape back even 10 years from now. Look at how we will refer to Stuxnet and say, “Wow, in its day that was pretty cool. But that’s so simple. We issue that capability to our kids; we show them how to do that to each other.” [Laughter.]

GIL KLEIN: So is this asymmetrical warfare taken to a new level?

L. WILLIAM VARNER: That’s an excellent question, because it is asymmetrical warfare, and the barriers to entry are small. They’re the cost of a laptop or a PC and an Internet subscription; that’s all it takes. It’s just an inordinate cost to defend against what an attacker can do almost for free.

MARCUS H. SACHS: But do you know the good news in all of this? There really are basic, simple things people can do to protect themselves. Oftentimes we do get wrapped up in the, “Oh dear, cyberspace is so dangerous; I think I’ll just unplug and go farm for the rest of my life.” But it turns out there are a lot of very simple things that anybody can do to reasonably protect themselves, much like in the real world. We’ve learned that as humans and as part of society. I think that’s the piece that we’re hunting for with cyberspace: What are those basic things individuals can do? Because you’re always going to have threats, and you’re always going to have attackers.

GIL KLEIN: What is the responsibility of the private sector in providing a level of security? And what is the responsibility of the federal government in making sure that it is meeting that responsibility?

ELIZABETH A. HIGHT: I think cybersecurity has moved out of the computer operations center and into the boardroom. The boards and senior management teams who take the time to become educated in the risks associated with cybersecurity realize that there is a real reason to understand cybersecurity. A wonderful SEC guidance came out recently saying that if you have a significant risk to a public company, it has to be reported, and that includes cyber risks. So I think that’s a step forward in educating both the boards and the senior management teams of industry.

MARCUS H. SACHS: Cybersecurity is now emerging as one of those areas where you’re actually better off if you’re outsourcing it and using what’s emerging as managed security services. This has become so complex and so technical and so specific that it may be better as a business leader not to try to do it all yourself.

L. WILLIAM VARNER: This calls for a public/private partnership, along with a way to share information about attacks that may be


2011: Sony PlayStation network breached; initial clean-up, $170 million

2011: 65 percent of Syrian Internet removed from routing tables (40/59 networks)

2011: Microsoft acquires Skype for $8.5 billion

2011: Austria declares cyber defense a national priority

2011: New Zealand publishes cybersecurity strategy

2011: IMF penetrated and severs connection to World Bank as a precaution

2011: EU increases penalties for cybercrime

2011: Citigroup breach; 200,000 accounts accessed

2011: Syrian Electronic Army (SEA), a pro-government computer attack group, actively targets political opposition and Western Web sites

2011: Anonymous targets NATO

2011: Federal Financial Institutions Examination Council (FFIEC) issues supplemental guidance on risk management: “Authentication in an Internet Banking Environment”

2011: DigiNotar certificate breached

2011: Singapore announces it will stand up a National Cyber Security Centre headed by the Singapore Infocomm Technology Security Authority

2011: CERT–EU opens

2011: International Code of Conduct for Information Security brought to the 66th UN General Assembly

occurring so that both government and industry can benefit. In fact, there are activities like that under way that we’re all part of, and they are having some success.

ELIZABETH A. HIGHT: I think we have been talking about public/private partnerships for years. But in my view, most of these discussions are just far too general. They are not taken seriously by most people who are in control. Those individuals may like control, but they don’t understand that in fact they don’t have the expertise to keep up with this incredibly, remarkably dynamic, complex space.

GIL KLEIN: Along that line, former CIA Director James Woolsey said hackers are stealing us blind by breaking into company databases and taking secret development plans. How big a threat is this to U.S. business? And how adequate is the response?

MARCUS H. SACHS: That’s probably the number one threat to our country right now. It’s death by a thousand paper cuts. We are leaking—what’s the estimate?—trillions of dollars annually, intellectual property that’s just going out the door. We look at our current economy, which is kind of sputtering, and one of the factors we never talk about is cyberspace. What about the leakage of all this intellectual property that’s gone to other countries who can now compete against us because they stole all of our know-how?

GIL KLEIN: Is it possible to give an example?

L. WILLIAM VARNER: One estimate by people who are generally well regarded in the intelligence community is that at least one terabyte per day of U.S. intellectual property is being exfiltrated to other countries. So to put that in perspective, the written material in the Library of Congress comprises about 10 terabytes. General Keith Alexander, the director of NSA and head of the U.S. Cyber Command, has stated publicly that he believes this is the largest wealth transfer in the history of the world.

GIL KLEIN: So how much rigorous scientific experimentation is going on now that will lead to security breakthroughs?

ELIZABETH A. HIGHT: I think there’s a lot going on, both in government and in industry. As a matter of fact, DARPA [the Defense Advanced Research Projects Agency] has recently released a fraud area announcement for some really exquisite defenses. And DARPA has hired some of the best-known hackers in the United States to turn their tradecraft into a defensive mechanism. So this is a well-recognized problem that academia, government, and private industry are all trying to solve.

MARCUS H. SACHS: Often when we say cyberspace, we really mean the Internet. But the Internet is just a piece of cyberspace. Air traffic control and interbank transfers don’t go over the Internet, for example, but they’re part of the communication infrastructure. The Internet today is largely based on the explosion of personal computers back in the 1980s, followed by the explosion in the 1990s of the Internet itself, as everybody became familiar with it and as faster networks and laptops came along. In the past five to 10 years, a new wave known as wireless has come along. We’re beginning to see a different type of device, different applications, different ways of thinking. And in fact, that wireless world is now bleeding into home security systems. It’s in your car, thanks to Bluetooth. So there’s opportunity here. Where the old Internet is largely built on a string of wired PCs and hard drives, we now have a new cyberspace that’s coming out, largely Internet-centric, but with pieces that aren’t the Internet. And in fact, right behind that is this new thing called cloud computing. So just like any other technology, we have waves of innovation.

And what I think some are seeing is that each wave gives us the opportunity to add security that wasn’t there in the previous wave. So cyberspace can in fact get more secure as we go forward. Because we tend to build in new resiliency. We build in new safety features. We kind of build on previous mistakes.


2011: ISO formally ratifies ISO/IEC 27035:2011, an information security best practices process for incident reporting

2011: Blackberry outage affects millions of customers

2011: NCIX Report: Foreign Spies Stealing U.S. Economic Secrets in Cyberspace

2011: SEC guidance to public companies: Cybersecurity Is a Material Risk

2011: Kenya launches information security master plan to safeguard public information on the Internet

2011: United Kingdom publishes new Cyber Security Strategy

2011: EU TLD registry makes it easier for registrars to use Internet security protocol Domain Name System Security Extensions (DNSSEC)

2011: Cyclone Dagmar affects power supplies to electronic communication networks in Nordic countries; millions of users left without telephony or Internet for up to two weeks

2011: South Korea leads the world in ICT development and peer-to-peer botnets

2012: WEF ranks cybercrimes as #1 technological risk

2012: INTERPOL announces stand up of Global Complex for Innovation in Singapore focused on digital security and cybercrime

What I’m trying to say is that all is not bad. We may paint a very horrible picture here, but we want to make sure people understand it is not the end of the world. As new technologies come along, new vulnerabilities are introduced—don’t get me wrong there—but we are making some remarkable changes. But for anybody who is interested in this area, the field is wide open for new ideas, new concepts. My company and your companies, we all have open doors for innovators, for new ideas, for fresh concepts and fresh ways of doing things. And to kind of wrap this up, we’ve pushed the government right now not to regulate us, but to let us innovate. Let us find our way out of this security problem by being creative. That’s what Americans do best. We are the world’s best innovators.

ELIZABETH A. HIGHT: And when you’re at UMUC, or in any college environment, that is the time to take your innovative ideas and tinker with them and mature them. And then offer them to the greater good. Because cyberspace is open to all of us. So when you innovate, you’re helping all of us.

GIL KLEIN: So if you could get the ear of President Barack Obama or of Congress, what would you tell them?

MARCUS H. SACHS: If the president were sitting right here, I would like to know, first, what he does to protect himself as the leader of the most powerful nation in the world. What does he do personally in cyberspace? It may be a bit of an embarrassing question, because it catches a lot of people off guard: What do I do? Because I can pontificate all day long about what everybody else should do, but what do I do? That might lead to a very interesting discussion. Now, the president might get it right, and might actually have a lot of insight. In which case, Mr. President, please stand up in front of the bully pulpit and start preaching. [Laughter.] But we don’t know where the president comes down on this.

ELIZABETH A. HIGHT: I think what you’re really saying is, “Be a role model.” That’s one of the barriers to getting our young people really excited about these careers.

I think it would be wonderful to shine a light on some of our heroes in cyberspace. And I think keeping everything behind the classified green door is a mistake. I guess if I were across the table from the president, now that he has won a second term, I would say, “Take a chance. Look at the issues that need to be developed. Look at the lack of case law. Let’s think about what that means to our economic future and our personal privacy. Let’s look at those issues, now that you’re in a position to take that risk.” And I would say, “Go for it!”

L. WILLIAM VARNER: Right, so we would stress just exactly how important it is to develop that cybersecurity policy to the level of the policy and the doctrine we used to have, for example, in the days of the Cold War. We don’t have that for cyberspace.

GIL KLEIN: You mentioned cybersecurity heroes. Can you give me a case study or a story? Can you tell me a story about cybersecurity, or is it all still classified?

ELIZABETH A. HIGHT: Well, I know a lot of heroes who man network and security operations centers around the world for the United States military and for the Department of Homeland Security, and for some of our industry partners. I know local and state government heroes that are doing that job every day. They’re sort of like firefighters and policemen. Until something terrible happens, you just don’t know about them.

GIL KLEIN: I was hoping you could give me a real name here.

MARCUS H. SACHS: There was a book called The Cuckoo’s Egg, by Cliff Stoll. Cliff was an astronomer in a university and recognized that there was a problem in one of his computing systems, where the accounting was off by a few pennies. Now, computers are precise. They should be exactly correct. And when he found that they were off by a few pennies, he began to ask questions. Come to find out, there were intruders in there. And the intruders were changing the logs.


2012: An Israeli IDF Team launches an attack against a Hamas Web site (qassam.ps), knocking it offline to protest the site’s anti-Israeli stance


2012: Google announces new privacy policy

2012: ISO/IEC 27032 publishes international guidelines on cybersecurity

2012: Shamoon used against Saudi Aramco and damages some 30,000 computers (attack aimed at stopping oil and gas production at the biggest OPEC exporter)

2012: Presidential Policy Directive 20 establishes national guidance for operations in cyberspace

2012: Distributed Denial-of-Service against U.S. financial institutions peaks at 60 gigabytes/second.

2012: Hurricane Sandy affects power supplies and communication networks in northeastern U.S. for up to four weeks

2012: World Conference on International Telecommunications (WCIT) updates and revises the International Telecommunication Regulations (ITR)

2012: U.S. Congress releases a report on national security issues posed by Chinese telecom companies

2012: Syria shuts off Internet access across the country

So an entire book has been written about this. It would make a fascinating movie.

GIL KLEIN: Bill, have you got any heroes out there?

L. WILLIAM VARNER: I think of some of the former directors of some of our major agencies—General Kenneth Minahan, for example, the former director of NSA [National Security Agency] and DIA [Defense Intelligence Agency]. He was involved in the very early beginnings of the Internet and working with Microsoft when some of the early vulnerabilities were discovered. Bill Crowell is another cyber hero, I think. He’s now a venture capitalist, but he was a former deputy director of the NSA. I think there are numerous people who have taken advantage of the positions that they had to make enormous strides in getting us to where we are today.

GIL KLEIN: Just to wrap up here, what I’m reading about is the next phase of the Internet; it’s so unbelievable, when you get into the cloud and you get into artificial intelligence. Do you see greater threats here? At some point you were saying, “No, this could actually be better for us.” We’ve come through 20 or so years of the Internet and the world’s still here. What are we doing right?

L. WILLIAM VARNER: In my opinion, Gil, we’re in a wonderful position. We have more technology than anybody ever dreamed we would have. We’re using it. My car sends me e-mails just to let me know how it’s doing. And I do think we have the opportunity to make it even more secure, especially when we move into cloud environments. Because when the Internet was developed, security was just not a consideration; it was about communication and convenience. We have tacitly made the assumption over all of these years that we value the convenience and the efficiency that we get from today’s Internet and all of cyberspace, and we’re willing to work really hard to develop the security that we need to be able to continue to use it.

But I think it’s a system that the entire world depends on. It would be very difficult to imagine living without it. So I think we’ve made tremendous strides, and we just have to continue to work very, very hard to deal with all the security issues that come up.

ELIZABETH A. HIGHT: This is a journey. A secure cyberspace is not necessarily a destination. With technology comes vulnerabilities. Our ability to recognize them is incredibly important. I use this phrase: “Hug an ethical hacker.” Start thinking about how to protect your systems by thinking like a bad guy. One of the new industries that has sprung up is ethical hacking courses for senior government and industry executives. This is a continuum that we will be on forever, long after we’re no longer here.

GIL KLEIN: Marc, do you have any final thoughts?

MARCUS H. SACHS: Cyberspace being a metaphor, it is also an extension of the human mind and human society, what we think and what we do. There’s opportunity for the bad guys to take advantage of it, and there’s opportunity for the good guys to do it right. And there are opportunities for governments, for the private sector, for academics. Right now, we’re at the beginning of something really, really cool. And we’re the only generation that gets the first bite of the apple. Subsequent generations have to put up with our thinking. When historians look back on our legacy, I hope they will say, “These guys got it right. Facing this complex challenge, they got it right.” Shame on us if hundreds of years from now they’re still fixing the problems that we come up with here. I think that’s our challenge. That’s a challenge we can meet. But can we lead? Can we cause these changes so that future generations can build on what we’ve done?

GIL KLEIN: That is a terrific way to end this. Marc, Bill, and Betsy, thank you so much for being here. We certainly appreciate all the time you’ve given us. Thank you.
