A U.S. judge has approved the lawsuit filed by Chinese search engine giant Baidu against its domain register following a cyber attack which occurred in January.

The suit follows the attacks in January which were attributed to a group calling themselves the “Iranian Cyber Army.” Baidu alleges that Register.com gave the hackers access to Baidu’s account when the hackers called the register claiming to be employees of Baidu.

The hackers were then able to change the server number, redirecting users attempting to access the search engine to a site with political messages, according to the BBC.

“It’s like somebody going into the telephone book and changing your phone number,” Graham Cluley of Sophos said.

The search engine claims it lost millions of dollars because of the hack and filed seven lawsuits against the domain register. The U.S. judge allowed two of the suits.

“I hold that Baidu has alleged sufficient facts in its complaint to give rise to a plausible claim of gross negligence or recklessness,” Judge Denny Chin said.

The trial will begin next month in New York. Cluley said it was fortunate the hack didn’t have more serious repercussions.

“Rather than displaying propaganda [the website] could have installed malware or spyware,” he said. “Baidu in China is extremely popular – it could have infected a lot of computers.”

http://www.thenewnewinternet.com/2010/07/23/court-approves-baidu-lawsuit-against-domain-register-for-iranian-cyber-army-hack/

At a recent technical forum in Vancouver, British Columbia, security experts gathered to talk shop. The event usually draws headlines. This March, it was Dragos Ruiu who captured the media attention when he said that Canada was ill-prepared for a cyberattack that could devastate its infrastructure. A 17-year-old could launch such an attack, he said, adding that the Canadian government needs to put more thought into its cybersecurity strategy.

“There’s been a cybersecurity strategy promised now for years, without it having come to fruition,” agrees Rafal Rohozinski, CEO of SecDev, an Ottawa-based company focused on security research. Rohozinski’s organization partners with the Citizen Lab at the Munk Centre for International Studies at the University of Toronto, and produced “Tracking GhostNet” and “Shadows in the Cloud,” two investigations into cyberespionage rings appearing to originate in Asia.

His frustration seems warranted. There has been no cohesive strategy to date, although there have been plenty of half-hearted efforts. In 2004, the Canadian government earmarked around $700 million for a concerted national security effort, but only $5 million went into a workforce to address cybersecurity issues.

Back then, admitted David Black, manager in 2008 of the cyber infrastructure protection section of the Royal Canadian Mounted Police (RCMP), the RCMP’s cybersecurity strategy was “all over the place.” Then, it merged its operations together to form a cohesive unit. Speaking at a technical security conference in 2008, Black promised a Canadian cybersecurity strategy that would evolve over the next few months. But even major players like Microsoft, which Black said was working with the RCMP, were left unimpressed.

John Weigelt, national technology officer for Microsoft Canada, recalls that in 2005, the Canadian government launched the Canadian Cybersecurity Incident Response Centre (CCIRC). However, on the surface, it seems to be little more than a collection of bureaucrats with an RSS feed tracking major product vulnerabilities, along with a website. Compare this with the U.S. government, which has conducted a broad review of cybersecurity and subsequently released a cohesive strategy backed by its president. In fact, President Obama appointed longtime cybersecurity expert Howard Schmidt to a federal post to ensure the nation’s cyber readiness. At the very least, say industry observers, this shows commitment from the top.

“The most important part of the way to get started bolstering a cybersecurity strategy is to establish some sort of vision and direction for Canada,” says Weigelt. He points to a recent consultation on Canada’s digital economy by Industry Canada – a government department responsibile for regional economic progress and research and development – as an example of how the government is striving to establish a broader vision for the country’s digital presence. But looking through the submissions made in that document, there seems to be little focus on cybersecurity.

No more excuses

What is holding things up? A focus on remediating the economic downturn is one issue, suggests Weigelt. But then, President Obama commissioned a cybersecurity review and launched a national strategy for cybersecurity during the first few months of his presidency, while grappling with the financial downturn during its gravest period. Perhaps the minority government in Canada could be to blame. But the U.S. Congress has been one of the most divided in history as it wrestles with controversial issues, such as health care reform and climate change legislation. Citizens north of the border may have to resign themselves to the fact that their government is simply sluggish on cybersecurity.

The Canadian government doesn’t view cybersecurity in the same way as do private sector organizations, such as telecommunications operators, Rohozinski says. He adds that those responsible for cybersecurity matters have been left shouldering an inordinate amount of the security burden because of the government’s complacency.

Things may be about to change, but the question remains: Will the change be enough? Sources close to the matter suggest that Bob Gordon, head of the cybersecurity initiative at Public Safety Canada, has a document already prepared. Not much is publicly known of the plans, although some insiders suggest that the document will focus relatively narrowly on network security.

One reason that the strategy might be developing more slowly is that policymakers may realize that the document needs to be expanded into something broader, says SecDev’s Rohozinski. To be truly effective, a cybersecurity strategy should be holistic in nature, spanning a variety of different public policy areas, he warns. Simply concentrating on securing public networks is not enough.

“We need to speak to the broader issue of how we address cybersecurity in terms of broader policy,” he says. “Defending cyberspace is a domain through which U.S. values and foreign policy will be exercised and the freedom of access in cyberspace will be defended.”

Getting started

What should be done in the meantime? “Some people say that if we only had a vision, we could get started,” says Weigelt. “My response is that we can start doing stuff today.”

So, in the absence of a firm government strategy, who should step up? SecDev’s Rohozinski says that when the Canadian government finally does come to crack down on cybersecurity, it should adopt a measured approach in which it maintains the advantages of computer networks while helping to eliminate the risks.

“There’s a real danger that by yielding to fear-mongering – that every computer is a knife at the throats of our families – we forget the positive benefits and potentially roll back the quasi-freedoms that we’ve seen in the last 20 years,” he says.

In a country that has been criticized for its Draconian approaches to surveillance and security during the Olympics and the G8 talks, that may be the toughest challenge of all.

http://www.scmagazineus.com/a-cyber-strategy-for-canada/article/174642/

If you attended today’s still-unfolding big cybersecurity confab in Washington, sponsored by the Armed Forces Communications & Electronics Association, you heard a parade of military officers and Obama administration officials say — well, not a whole lot.

It’s hard to defend against a cyberattack… Everyone — civilian and military, public and private sector — needs to work together and pool resources and information… Incentivize cooperation… The supply chain is vulnerable… U.S. Cyber Command is developing integrated planning and operational frameworks…

And then there was Bruce Held.

Held is the Department of Energy’s intelligence chief and he said he spoke from the perspective of a longtime intel hand. His answer to the cybersecurity problem: diplomacy.

Well, sort of. For Held, it’s a probability issue. “A static cyber defense can never win against an agile cyber offense,” he told a panel this morning discussing the prevention of catastrophic cyberattacks. “You beat me 99 times, I will come after you 100 times. Beat me 999 times, I will come after you 1000 times, and we will beat you.” If you want to protect the nation’s electricity grid, beefing up security for it — physical security, cybersecurity, etc. — quickly becomes prohibitively expensive. “You need a protection strategy,” he said, and that means you have to change the game.

How? For starters, don’t compartmentalize cybersecurity as a job for the military’s new U.S. Cyber Command or the guardians of civilian networks at the Department of Homeland Security. Treat cybersecurity as component of a broad national defense strategy, rather than a techie-driven deviation from it. Unleash the diplomats and prepare the economic sanctions packages, in other words, if you want to prevent your servers from getting fried.

To take it a step further: it’s about making an adversarial foreign power reconsider launching an attack. “If you wish to influence my behavior, you have to impose risks and consequences on me,” Held continued. “It does not have to be perfect. You just have to impact my behavior.” Someone’s been playing Diplomacy.

Can you spot the presumptions behind Held’s contention? Sure you can. One: we’ll be able to attribute attacks to specific state actors. Well, will we? You can launch a cyber attack from proxy servers in third countries to conceal your identity. Brigadier General John Davis, the director of current operations for Cyber Command, said forthrightly during the same panel discussion that his “number-one challenge” was developing “situational awareness” of the cyberthreats that the U.S. faces.

As an intel guy, Held said he thought the “cyber people tend to make it impossible” to figure out who’s going after your networks. “You don’t need the specific computer it’s coming from. You need to know what country it’s coming from.” But what about those third-country servers?

Two: big cyberattacks are instruments of state power. Bands of hackers and cybercrooks aren’t diplomatic problems. They’re law enforcement problems. So Held at least implicitly reserved his remarks for something like a hypothetical bot attack that took out tens of millions of cellphone subscribers and then followed up with a strike on part of the nation’s electricity grid. That’s a nightmare scenario dreamed up by the Bipartisan Policy Center, an inoffensive Washington think tank earlier this year, for a kind of breathless dramatization of the threat, called Cyber Shockwave.

Something like that is unlikely to be “just a hacker,” Held said. “It’s close to a very unfriendly act. Some might say an act of cyber war.”

General Davis indicated that Cyber Command is on a similar wavelength. One of the challenges for the new command is to “wipe some of the routine threats off the radar,” he said, thereby allowing “the intelligence community to focus on the sophisticated threats.” Whoa, say what? Does that mean that the new military command co-located within the National Security Agency is going to leave the most challenging cyber-defense — and offense – tasks to the spooks?

Davis later clarified to Danger Room that he meant that the command wanted to “put the basic cyber standards in place” across users of the military’s networks (you know, the sites ending in .mil) so the command wouldn’t waste time responding to phishing efforts. “Don’t click on unknown or malicious software,” Davis said. “Basic blocking and tackling.” CYBERCOM: your military tech support. Unfortunately, I wasn’t able to draw Davis out on what he meant by leaving the intel folks to focus on the “sophisticated threats.” Cybercom remains something of a military/intelligence cipher text.

Held, though, capped his point with an analogy. “We never secured New York City from a Soviet nuclear attack,” he observed, “but we protected it very well through the use of broader national deterrent powers.” In other words: Get ready for a Cyber Cold War.

http://www.wired.com/dangerroom/2010/07/how-to-stop-cyberattacks-diplomacy-well-maybe/

Computerworld – A reported federal government plan calling for the National Security Agency to monitor critical infrastructure networks to detect possible cyberattacks is drawing qualified support from security analysts.

Under the plan, first reported by the Wall Street Journal yesterday, the spy agency would monitor those U.S. companies and government agencies that operate critical infrastructure, including electricity grids and nuclear power plants. The report said that as part of the so-called Perfect Citizen program, the NSA would insert sensors in computer networks that would be programmed to alert officials to activity that could portend a cyberattack.

Analysts said the need for such monitoring is long overdue given the escalating threats against government, military and private sector networks. However, they cautioned that the government must tread carefully in having the nation’s chief eavesdropping agency oversee the monitoring.

“I think we don’t have a choice,” said James Lewis, director and senior fellow at the Center for Strategic and International Studies in Washington. “This is the way to go.”

Lewis led a team that prepared a set of cybersecurity recommendations for President Obama in Dec. 2008.

Lewis added that “this notion that public/private partnerships, information sharing and market forces are going to save us” remains unproven in the cybersecurity arena, where there seems an increasing need for direct government action and regulations.

However, letting the secretive NSA oversee the monitoring of government and private networks could prove troubling to some, Lewis conceded. “They have to be careful in explaining how oversight and privacy protections will work for this to survive,” he added.

He added that the use of the NSA to monitor networks presents perception problems for the government. “We had a collapse of oversight of the NSA during the Bush administration,” Lewis said.”People are still saying, ‘how do I know I can trust you?’ That’s what they need to be thinking about,” Lewis said.

Initially at least, Perfect Citizen will focus on vulnerabilities in older computer control systems that are used to run the electric grid, subway systems and air-traffic control systems. Many of these control systems are now connected to the Internet, despite their deployment years ago without Internet connectivity or security in mind.

The goal of Perfect Citizen will be to secure such control networks against cyber attacks, the Journal said.

According to the Wall Street Journal report, defense contractor Raytheon Corp. has already been awarded a classified contract worth an estimated $100 million to work on the project. Funding for the program will apparently come from the multi-billion dollar Comprehensive National Cybersecurity Initiative (CNCI) that was launched during the George W. Bush Administration.

News of the proposed plan comes at a time of increasing concern over whether the U.S government and private industry have the ability to detect and withstand cyberattacks launched by organized state-sponsored groups and others against critical targets.

The concerns grew markedly earlier this year after Google disclosed that its servers had been penetrated, apparently by hackers operating from inside of China. At the time, it was also revealed that the same hackers also hit dozens more high-tech companies.

“There is definitely a need for any nation to monitor its critical infrastructure for attacks,” said John Pescatore, an analyst at Gartner Inc. “But it is very important to realize that [monitoring] is very different from securing the critical infrastructure.”

The best way to secure critical infrastructure is to eliminate vulnerabilities rather than by monitoring attacks, Pescatore said. “Trying to expand this across all of private industry is a nice information security stimulus plan for defense contractors but will not result in any meaningful increase in security,” he said.

“Monitoring internet traffic to and from control systems is such a huge benefit to the utilities and the nation that this is long overdue,” said Alan Paller, director of research at the SANS Institute in Bethesda, Md. “The only really sad element is that this has to be run by NSA instead of by DHS,” he added.

http://www.computerworld.com/s/article/9178989/NSA_plan_to_oversee_cybersecurity_plan_draws_cautious_support_?taxonomyId=17&pageNumber=2

(CNN) — There’s a power struggle going on in the U.S. government right now.

It’s about who is in charge of cyber security, and how much control the government will exert over civilian networks. And by beating the drums of war, the military is coming out on top.

“The United States is fighting a cyberwar today, and we are losing,” said former NSA director — and current cyberwar contractor — Mike McConnell. “Cyber 9/11 has happened over the last ten years, but it happened slowly so we don’t see it,” said former National Cyber Security Division director Amit Yoran. Richard Clarke, whom Yoran replaced, wrote an entire book hyping the threat of cyberwar.

General Keith Alexander, the current commander of the U.S. Cyber Command, hypes it every chance he gets. This isn’t just rhetoric of a few over-eager government officials and headline writers; the entire national debate on cyberwar is plagued with exaggerations and hyperbole.

Googling those names and terms — as well as “cyber Pearl Harbor,” “cyber Katrina,” and even “cyber Armageddon” — gives some idea how pervasive these memes are. Prefix “cyber” to something scary, and you end up with something really scary.

Cyberspace has all sorts of threats, day in and day out. Cybercrime is by far the largest: fraud, through identity theft and other means, extortion, and so on. Cyber-espionage is another, both government- and corporate-sponsored. Traditional hacking, without a profit motive, is still a threat. So is cyber-activism: people, most often kids, playing politics by attacking government and corporate websites and networks.

These threats cover a wide variety of perpetrators, motivations, tactics, and goals. You can see this variety in what the media has mislabeled as “cyberwar.” The attacks against Estonian websites in 2007 were simple hacking attacks by ethnic Russians angry at anti-Russian policies; these were denial-of-service attacks, a normal risk in cyberspace and hardly unprecedented.

A real-world comparison might be if an army invaded a country, then all got in line in front of people at the DMV so they couldn’t renew their licenses. If that’s what war looks like in the 21st century, we have little to fear.

Similar attacks against Georgia, which accompanied an actual Russian invasion, were also probably the responsibility of citizen activists or organized crime. A series of power blackouts in Brazil was caused by criminal extortionists — or was it sooty insulators? China is engaging in espionage, not war, in cyberspace. And so on.

One problem is that there’s no clear definition of “cyberwar.” What does it look like? How does it start? When is it over? Even cybersecurity experts don’t know the answers to these questions, and it’s dangerous to broadly apply the term “war” unless we know a war is going on.

Yet recent news articles have claimed that China declared cyberwar on Google, that Germany attacked China, and that a group of young hackers declared cyberwar on Australia. (Yes, cyberwar is so easy that even kids can do it.) Clearly we’re not talking about real war here, but a rhetorical war: like the war on terror.

We have a variety of institutions that can defend us when attacked: the police, the military, the Department of Homeland Security, various commercial products and services, and our own personal or corporate lawyers. The legal framework for any particular attack depends on two things: the attacker and the motive. Those are precisely the two things you don’t know when you’re being attacked on the Internet. We saw this on July 4 last year, when U.S. and South Korean websites were attacked by unknown perpetrators from North Korea — or perhaps England. Or was it Florida?

We surely need to improve our cybersecurity. But words have meaning, and metaphors matter. There’s a power struggle going on for control of our nation’s cybersecurity strategy, and the NSA and DoD are winning. If we frame the debate in terms of war, if we accept the military’s expansive cyberspace definition of “war,” we feed our fears.

We reinforce the notion that we’re helpless — what person or organization can defend itself in a war? — and others need to protect us. We invite the military to take over security, and to ignore the limits on power that often get jettisoned during wartime.

If, on the other hand, we use the more measured language of cybercrime, we change the debate. Crime fighting requires both resolve and resources, but it’s done within the context of normal life. We willingly give our police extraordinary powers of investigation and arrest, but we temper these powers with a judicial system and legal protections for citizens.

We need to be prepared for war, and a Cyber Command is just as vital as an Army or a Strategic Air Command. And because kid hackers and cyber-warriors use the same tactics, the defenses we build against crime and espionage will also protect us from more concerted attacks. But we’re not fighting a cyberwar now, and the risks of a cyberwar are no greater than the risks of a ground invasion. We need peacetime cyber-security, administered within the myriad structure of public and private security institutions we already have.

The opinions expressed in this commentary are solely those of Bruce Schneier.

http://edition.cnn.com/2010/OPINION/07/07/schneier.cyberwar.hyped/?fbid=za1W1rQO_Wd

SINGAPORE–Africa has been on Datuk Mohd. Noor Amin’s mind of late, yet it has little to do with the ongoing FIFA World Cup tournament in the south.

Having been to the northern part of Africa recently to engage the public and private sectors on cybersecurity, the chairman of the International Multilateral Partnership Against Cyber Threats (Impact) is keenly aware of the continent’s potential for technological progress and the challenges that accompany the developments.

The country, he noted, is at a turning point as submarine cabling is bringing massive capacity to the Internet. At the same time, African governments recognize IT as a very powerful medium to uplift the literacy and standard of living in their countries and therefore are very open to new technologies. However, if security is not in the picture, a lot more safe havens for cybercriminals could spawn in Africa and result in more Nigerian-type scams.

In an interview with ZDNet Asia last week, on the sidelines of a security conference organized by IDC, Amin spoke candidly about Impact’s work in the last two years and his concerns over cyberwarfare.

Impact has been around for just over two years now. What would you consider as significant milestones achieved by the organization?
Impact has been undertaking lots of different activities under different categories. The ITU (International Telecommunication Union) has 191 member states, but because we’re a new entity with constraints in terms of resources, we’re not able to launch our services to all 191 countries at one go. So we have adopted a phase approach.

Currently, there are more than 44 countries for which we have started deploying cybersecurity services, and loosely translated, these services could mean capacity building like training, workshops and seminars. It could also mean scholarship grants and access to our Global Response Center, which is currently the richest threat information database in the world. Or it could mean consultation to governments on the enactment of cyber laws.

I think the milestone is really being able to deploy cybersecurity support and services across more than 44 countries around the world.

What would you say is the biggest misconception the public and private sectors have about Impact and its work?
The type of organization we’re trying to build with Impact is unprecedented–there’s no model for it. That’s why we had to take the CDC (Center for Disease Control) model from the medical field and translate it for Impact. The first misconception was that because it was first initiated by the Malaysian government and headquartered in Malaysia, it is a Malaysian government initiative. It is not; it is a U.N.-backed initiative. It was a multilateral initiative from the start–it was never meant to be a local domestic initiative. We spent a lot of time explaining that multilateralism is even in our name…so that was the first hurdle we had in approaching governments.

The second hurdle was that some governments thought it was a regional–Southeast Asian or Asian–initiative. Again, that was wrong. We deliberately went out of our way to stress the international aspect of Impact. We felt that regional initiatives are always a good start, but [they] cannot be the answer. If you look at the list of top 10 countries being attacked, and the top 10 sources of attacks, you will see that the attacks come from all over the world. So if you have a regional solution, you will not be able to address this issue holistically. That is why Impact has to be known as an international platform.

Speaking of the name Impact, it was originally called the International Multilateral Partnership Against Cyber-Terrorism but later the “T” was used to refer to threats. Why the change and what significance does this have?
When Impact was first initiated, the focus was on cyberterrorism because the concern of governments was that attackers could manipulate critical infrastructure and cause huge damage not just to the economy, but possibly also to life and limb. This is especially true for countries that are very well-connected in terms of infrastructure. Countries like the U.S. and even Singapore that are highly automated and very advanced in terms of IT are at particular risk.

When we had the launch of Impact at the World Congress of IT in May 2008 with 27 governments present, we sought feedback from the ministers and industry leaders on our advisory board who were present. That was incidentally the largest-ever ministerial-level gathering focused on cyberthreats to be organized. The ministers and industry leaders came out very strongly with the recommendation that we should perhaps look at not just cyberterrorism, but to expand our ambit to look at cyberthreats. Obviously, cyberterrorism would be a subset of cyberthreats. They felt that [by] having the involvement of a huge number of countries from all over the world for the first time, we could really build an effective platform for governments to address not just cyberterrorism, but [also] other aspects of cyberthreats. In fact, the recommendation came from the Singapore minister that the “CT” in Impact should be changed from cyberterrorism to cyberthreats. The ministers and advisory leaders concurred.

What frustrates you most being the leader of such a big global coordinating cybersecurity agency?
The frustration lies in the fact that we’re not able to do as much as we like to do. Our mandate is huge–we’re charged with assisting 191 countries. Unfortunately, given our limited resources, we have to phase our activities. So there are still countries we are not able to reach out to immediately. Cyberthreats do not work that way–they will harm the entire global community at one go.

You have spoken before on the need for governments to establish dedicated cybersecurity agencies in each of their own countries. To date, how would you assess those efforts and how do you convince every single country to do so?
The recommendation to have an agency that brings all the different stakeholders under one roof comes from the observation that in many countries, particularly the big economies in the world where the government is a big bureaucracy, there are many different departments, agencies or ministries having overlapping roles. This makes it difficult and challenging to address cyberthreats because there are turf issues and wars. So, the ideal situation is to have all these stakeholders under one roof because it makes it easier to build capacity–to train them. It makes it easier to manage the domestic policy because there are no conflicting interests.

We applaud that governments in the U.K. and Singapore, for instance, have started to do this. It’s still too early to say whether those one-stop agencies are doing an effective job, but I see no reason why they shouldn’t if they are properly implemented, because they will have multidisciplinary people all under one roof with a common aim. For us at Impact, it makes our job so much easier because we do not have to deal with multiple stakeholders in a particular country.

From Impact’s point of view, we obviously would like to see governments seriously evaluating the idea, and if they think it is appropriate, to implement this as soon as possible. But having said that, there are countries which will not necessarily require such an agency because they are small, bureaucracy is not an issue or they may already have a de facto one-stop center to deal with cybersecurity.

The organization’s intent is to work with governments around the world to assess their security posture, using, for example, the customized Government Security Scorecard. Can you share more about the pilot in Malaysia and where the scorecard can eventually be extended to?
There are two aspects to assessments. One is the country-wide assessment, which we’ve been undertaking together with the U.N. and ITU in many countries around the world. We started with Afghanistan at the request of the U.N. a couple of months ago. Impact sent a team to study and assist the Afghan government on its cybersecurity readiness. The country has issues pertaining to the use of the Internet to radicalize the young people into extremist activities. We made some recommendations and a lot of them are currently being implemented by the Afghan government. Following that, we had other cybersecurity readiness exercises in Africa and Asia, and we will be rolling out more depending on requests from governments.

The pilot in Malaysia saw the introduction of an automated tool–an electronic dashboard–that measures the compliance level of different administrative units against the set IT policies of that particular government. In Malaysia’s case, the government has adopted the ISO 27000 as the benchmark standard. Impact worked with Symantec to implement a tool similar to the one the vendor implemented for the U.S. government, to benchmark the compliance level of one agency in Malaysia. We saw that it became an extremely useful tool for the Malaysian government to see where the areas of compliance were best and where they were lacking. This helped the agency to make an educated assessment of where its vulnerabilities may lie, and also to make a plan of action to close these vulnerabilities.

We strongly feel this is a tool that will benefit the rest of the world–it’s not the only tool, but it’s a good start. There’s always a tendency by governments to have beautiful policies bound in leather but sitting on the shelf, and whether or not anyone is compliant to those policies is anyone’s guess. So, by having these automated tools, governments can see in real time whether their people are complying with their own policies. The important thing to stress is that this tool does not introduce new policies; it benchmarks entities against each government’s policy.

Impact recently signed an MOU with the Commonwealth Telecommunications Organisation (CTO). What is the significance of this tie-up and how will it help Impact in its work?
The Commonwealth is quite an established institution and covers both the developed and developing parts of the world. Besides going through channels like the U.N., ITU and Interpol, it’s always useful to include additional channels to reach out to governments. Some governments may have a better relationship with the Commonwealth, the EU (European Union) or APEC (Asia-Pacific Economic Cooperation). Some [may] have a better relationship with the U.N. So with new partnerships, we find that we enhance our ability to reach out to countries because we use the best available means.

There have been concerns around the use of cyberwarfare. How do you manage tensions with different governments, especially when one party initiates cyberwarfare or threatens another country with it? What role does Impact have to play then?
It worries me because, frankly, that is a big challenge. Cyberwarfare is a relatively new area and potentially the most important area of conflict there is to come. Today, militaries around the world equip themselves with cyberskills both as a defensive and offensive measure. Many currently see cyberwarfare as a legitimate means of military action. The jury is still out on whether it is something that is lawful or not, but…there is no escaping the fact that countries are equipping their military with such skills.

Our role is a complex one, and we feel it is first of all to promote what the ITU Secretary-General terms as cyberpeace. One of the focus areas of the next cybersecurity summit is also to expound on this concept as a U.N. and ITU initiative, where perhaps down the road–not today, not tomorrow, but significantly down the line–there will be an acceptable code of conduct on what is do-able and what is not. Currently, we are far away from that because the Internet itself is a relatively new medium. If you talk about the Vienna Convention and the Warsaw Convention, it took decades for us to reach an agreement. I suspect it will take some time also for countries to come to an agreement on cyberwarfare, but until then our task is first of all to promote cyberpeace as well as to get the dialog going on this.

It’s not impossible to manage relations between different countries; it is not impossible for countries of different ideologies and beliefs to be on the same table–we see it every day in the U.N. Security Council. Opposing countries are able to sit together–they may not agree, but at least they are at the table and engaged in the dialog. Impact’s role will be to replicate that as far as the cyberworld is concerned.

On a scale of 1 to 10, where 10 is the best and 1 being the worst, how would you rate the global fight against cyberthreats?
I wouldn’t be able to rate it 5, I’ll probably rate lower than that. Yes, we’ve come a long way and we’ve done a lot–individual countries are beginning to realize what cyberthreats are– but we still have a long way to go before countries can benefit from the true sharing of information and build their individual capacity to deal with cyberthreats.

The problem is magnified when you think about it: you need only one country which is not as well-equipped to serve as the safe haven for attacks and criminal organizations. We have well over 200 nations around the world–it is impossible given the current resources to ensure that every country has iron-tight, airtight or watertight policies, laws and measures taken. But what’s important is that progress is being made. Hopefully, with institutions like Impact, the U.N. and ITU can reach out to countries more effectively and address this as a global issue.

http://www.zdnetasia.com/tackling-cyberthreats-championing-cyberpeace-62201158.htm

AT THE height of the cold war, in June 1982, an American early-warning satellite detected a large blast in Siberia. A missile being fired? A nuclear test? It was, it seems, an explosion on a Soviet gas pipeline. The cause was a malfunction in the computer-control system that Soviet spies had stolen from a firm in Canada. They did not know that the CIA had tampered with the software so that it would “go haywire, after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds,” according to the memoirs of Thomas Reed, a former air force secretary. The result, he said, “was the most monumental non-nuclear explosion and fire ever seen from space.”

This was one of the earliest demonstrations of the power of a “logic bomb”. Three decades later, with more and more vital computer systems linked up to the internet, could enemies use logic bombs to, say, turn off the electricity from the other side of the world? Could terrorists or hackers cause financial chaos by tampering with Wall Street’s computerised trading systems? And given that computer chips and software are produced globally, could a foreign power infect high-tech military equipment with computer bugs? “It scares me to death,” says one senior military source. “The destructive potential is so great.”

After land, sea, air and space, warfare has entered the fifth domain: cyberspace. President Barack Obama has declared America’s digital infrastructure to be a “strategic national asset” and appointed Howard Schmidt, the former head of security at Microsoft, as his cyber-security tsar. In May the Pentagon set up its new Cyber Command (Cybercom) headed by General Keith Alexander, director of the National Security Agency (NSA). His mandate is to conduct “full-spectrum” operations—to defend American military networks and attack other countries’ systems. Precisely how, and by what rules, is secret.

Britain, too, has set up a cyber-security policy outfit, and an “operations centre” based in GCHQ, the British equivalent of the NSA. China talks of “winning informationised wars by the mid-21st century”. Many other countries are organising for cyberwar, among them Russia, Israel and North Korea. Iran boasts of having the world’s second-largest cyber-army.

What will cyberwar look like? In a new book Richard Clarke, a former White House staffer in charge of counter-terrorism and cyber-security, envisages a catastrophic breakdown within 15 minutes. Computer bugs bring down military e-mail systems; oil refineries and pipelines explode; air-traffic-control systems collapse; freight and metro trains derail; financial data are scrambled; the electrical grid goes down in the eastern United States; orbiting satellites spin out of control. Society soon breaks down as food becomes scarce and money runs out. Worst of all, the identity of the attacker may remain a mystery.

In the view of Mike McConnell, a former spy chief, the effects of full-blown cyberwar are much like nuclear attack. Cyberwar has already started, he says, “and we are losing it.” Not so, retorts Mr Schmidt. There is no cyberwar. Bruce Schneier, an IT industry security guru, accuses securocrats like Mr Clarke of scaremongering. Cyberspace will certainly be part of any future war, he says, but an apocalyptic attack on America is both difficult to achieve technically (“movie-script stuff”) and implausible except in the context of a real war, in which case the perpetrator is likely to be obvious.

For the top brass, computer technology is both a blessing and a curse. Bombs are guided by GPS satellites; drones are piloted remotely from across the world; fighter planes and warships are now huge data-processing centres; even the ordinary foot-soldier is being wired up. Yet growing connectivity over an insecure internet multiplies the avenues for e-attack; and growing dependence on computers increases the harm they can cause.

By breaking up data and sending it over multiple routes, the internet can survive the loss of large parts of the network. Yet some of the global digital infrastructure is more fragile. More than nine-tenths of internet traffic travels through undersea fibre-optic cables, and these are dangerously bunched up in a few choke-points, for instance around New York, the Red Sea or the Luzon Strait in the Philippines (see map). Internet traffic is directed by just 13 clusters of potentially vulnerable domain-name servers. Other dangers are coming: weakly governed swathes of Africa are being connected up to fibre-optic cables, potentially creating new havens for cyber-criminals. And the spread of mobile internet will bring new means of attack.

The internet was designed for convenience and reliability, not security. Yet in wiring together the globe, it has merged the garden and the wilderness. No passport is required in cyberspace. And although police are constrained by national borders, criminals roam freely. Enemy states are no longer on the other side of the ocean, but just behind the firewall. The ill-intentioned can mask their identity and location, impersonate others and con their way into the buildings that hold the digitised wealth of the electronic age: money, personal data and intellectual property.

Mr Obama has quoted a figure of $1 trillion lost last year to cybercrime—a bigger underworld than the drugs trade, though such figures are disputed. Banks and other companies do not like to admit how much data they lose. In 2008 alone Verizon, a telecoms company, recorded the loss of 285m personal-data records, including credit-card and bank-account details, in investigations conducted for clients.

About nine-tenths of the 140 billion e-mails sent daily are spam; of these about 16% contain moneymaking scams (see chart 1), including “phishing” attacks that seek to dupe recipients into giving out passwords or bank details, according to Symantec, a security-software vendor. The amount of information now available online about individuals makes it ever easier to attack a computer by crafting a personalised e-mail that is more likely to be trusted and opened. This is known as “spear-phishing”.

The ostentatious hackers and virus-writers who once wrecked computers for fun are all but gone, replaced by criminal gangs seeking to harvest data. “Hacking used to be about making noise. Now it’s about staying silent,” says Greg Day of McAfee, a vendor of IT security products. Hackers have become wholesale providers of malware—viruses, worms and Trojans that infect computers—for others to use. Websites are now the favoured means of spreading malware, partly because the unwary are directed to them through spam or links posted on social-networking sites. And poorly designed websites often provide a window into valuable databases.

Malware is exploding (see chart 2). It is typically used to steal passwords and other data, or to open a “back door” to a computer so that it can be taken over by outsiders. Such “zombie” machines can be linked up to thousands, if not millions, of others around the world to create a “botnet”. Estimates for the number of infected machines range up to 100m (see map for global distribution of infections). Botnets are used to send spam, spread malware or launch distributed denial-of-service (DDoS) attacks, which seek to bring down a targeted computer by overloading it with countless bogus requests.

The spy who spammed me

Criminals usually look for easy prey. But states can combine the criminal hacker’s tricks, such as spear-phishing, with the intelligence apparatus to reconnoitre a target, the computing power to break codes and passwords, and the patience to probe a system until it finds a weakness—usually a fallible human being. Steven Chabinsky, a senior FBI official responsible for cyber- security, recently said that “given enough time, motivation and funding, a determined adversary will always—always—be able to penetrate a targeted system.”

Traditional human spies risk arrest or execution by trying to smuggle out copies of documents. But those in the cyberworld face no such risks. “A spy might once have been able to take out a few books’ worth of material,” says one senior American military source, “Now they take the whole library. And if you restock the shelves, they will steal it again.”

China, in particular, is accused of wholesale espionage, attacking the computers of major Western defence contractors and reputedly taking classified details of the F-35 fighter, the mainstay of future American air power. At the end of 2009 it appears to have targeted Google and more than a score of other IT companies. Experts at a cyber-test-range built in Maryland by Lockheed Martin, a defence contractor (which denies losing the F-35 data), say “advanced persistent threats” are hard to fend off amid the countless minor probing of its networks. Sometimes attackers try to slip information out slowly, hidden in ordinary internet traffic. At other times they have tried to break in by leaving infected memory-sticks in the car park, hoping somebody would plug them into the network. Even unclassified e-mails can contain a wealth of useful information about projects under development.

“Cyber-espionage is the biggest intelligence disaster since the loss of the nuclear secrets [in the late 1940s],” says Jim Lewis of the Centre for Strategic and International Studies, a think-tank in Washington, DC. Spying probably presents the most immediate danger to the West: the loss of high-tech know-how that could erode its economic lead or, if it ever came to a shooting war, blunt its military edge.

Western spooks think China deploys the most assiduous, and most shameless, cyberspies, but Russian ones are probably more skilled and subtle. Top of the league, say the spooks, are still America’s NSA and Britain’s GCHQ, which may explain why Western countries have until recently been reluctant to complain too loudly about computer snooping.

The next step after penetrating networks to steal data is to disrupt or manipulate them. If military targeting information could be attacked, for example, ballistic missiles would be useless. Those who play war games speak of being able to “change the red and blue dots”: make friendly (blue) forces appear to be the enemy (red), and vice versa.

General Alexander says the Pentagon and NSA started co-operating on cyberwarfare in late 2008 after “a serious intrusion into our classified networks”. Mr Lewis says this refers to the penetration of Central Command, which oversees the wars in Iraq and Afghanistan, through an infected thumb-drive. It took a week to winkle out the intruder. Nobody knows what, if any, damage was caused. But the thought of an enemy lurking in battle-fighting systems alarms the top brass.

That said, an attacker might prefer to go after unclassified military logistics supply systems, or even the civilian infrastructure. A loss of confidence in financial data and electronic transfers could cause economic upheaval. An even bigger worry is an attack on the power grid. Power companies tend not to keep many spares of expensive generator parts, which can take months to replace. Emergency diesel generators cannot make up for the loss of the grid, and cannot operate indefinitely. Without electricity and other critical services, communications systems and cash-dispensers cease to work. A loss of power lasting just a few days, reckon some, starts to cause a cascade of economic damage.

Experts disagree about the vulnerability of systems that run industrial plants, known as supervisory control and data acquisition (SCADA). But more and more of these are being connected to the internet, raising the risk of remote attack. “Smart” grids”, which relay information about energy use to the utilities, are promoted as ways of reducing energy waste. But they also increase security worries about both crime (eg, allowing bills to be falsified) and exposing SCADA networks to attack.

General Alexander has spoken of “hints that some penetrations are targeting systems for remote sabotage”. But precisely what is happening is unclear: are outsiders probing SCADA systems only for reconnaissance, or to open “back doors” for future use? One senior American military source said that if any country were found to be planting logic bombs on the grid, it would provoke the equivalent of the Cuban missile crisis.

Estonia, Georgia and WWI

Important thinking about the tactical and legal concepts of cyber-warfare is taking place in a former Soviet barracks in Estonia, now home to NATO’s “centre of excellence” for cyber-defence. It was established in response to what has become known as “Web War 1”, a concerted denial-of-service attack on Estonian government, media and bank web servers that was precipitated by the decision to move a Soviet-era war memorial in central Tallinn in 2007. This was more a cyber-riot than a war, but it forced Estonia more or less to cut itself off from the internet.

Similar attacks during Russia’s war with Georgia the next year looked more ominous, because they seemed to be co-ordinated with the advance of Russian military columns. Government and media websites went down and telephone lines were jammed, crippling Georgia’s ability to present its case abroad. President Mikheil Saakashvili’s website had to be moved to an American server better able to fight off the attack. Estonian experts were dispatched to Georgia to help out.

Many assume that both these attacks were instigated by the Kremlin. But investigations traced them only to Russian “hacktivists” and criminal botnets; many of the attacking computers were in Western countries. There are wider issues: did the cyber-attack on Estonia, a member of NATO, count as an armed attack, and should the alliance have defended it? And did Estonia’s assistance to Georgia, which is not in NATO, risk drawing Estonia into the war, and NATO along with it?

Such questions permeate discussions of NATO’s new “strategic concept”, to be adopted later this year. A panel of experts headed by Madeleine Albright, a former American secretary of state, reported in May that cyber-attacks are among the three most likely threats to the alliance. The next significant attack, it said, “may well come down a fibre-optic cable” and may be serious enough to merit a response under the mutual-defence provisions of Article 5.

During his confirmation hearing, senators sent General Alexander several questions. Would he have “significant” offensive cyber-weapons? Might these encourage others to follow suit? How sure would he need to be about the identity of an attacker to “fire back”? Answers to these were restricted to a classified supplement. In public the general said that the president would be the judge of what constituted cyberwar; if America responded with force in cyberspace it would be in keeping with the rules of war and the “principles of military necessity, discrimination, and proportionality”.

General Alexander’s seven-month confirmation process is a sign of the qualms senators felt at the merging of military and espionage functions, the militarisation of cyberspace and the fear that it may undermine Americans’ right to privacy. Cybercommand will protect only the military “.mil” domain. The government domain, “.gov”, and the corporate infrastructure, “.com” will be the responsibility respectively of the Department of Homeland Security and private companies, with support from Cybercom.

One senior military official says General Alexander’s priority will be to improve the defences of military networks. Another bigwig casts some doubt on cyber-offence. “It’s hard to do it at a specific time,” he says. “If a cyber-attack is used as a military weapon, you want a predictable time and effect. If you are using it for espionage it does not matter; you can wait.” He implies that cyber-weapons would be used mainly as an adjunct to conventional operations in a narrow theatre.

The Chinese may be thinking the same way. A report on China’s cyber-warfare doctrine, written for the congressionally mandated US-China Economic and Security Review Commission, envisages China using cyber-weapons not to defeat America, but to disrupt and slow down its forces long enough for China to seize Taiwan without having to fight a shooting war.

Apocalypse or asymmetry?

Deterrence in cyber-warfare is more uncertain than, say, in nuclear strategy: there is no mutually assured destruction, the dividing line between criminality and war is blurred and identifying attacking computers, let alone the fingers on the keyboards, is difficult. Retaliation need not be confined to cyberspace; the one system that is certainly not linked to the public internet is America’s nuclear firing chain. Still, the more likely use of cyber-weapons is probably not to bring about electronic apocalypse, but as tools of limited warfare.

Cyber-weapons are most effective in the hands of big states. But because they are cheap, they may be most useful to the comparatively weak. They may well suit terrorists. Fortunately, perhaps, the likes of al-Qaeda have mostly used the internet for propaganda and communication. It may be that jihadists lack the ability to, say, induce a refinery to blow itself up. Or it may be that they prefer the gory theatre of suicide-bombings to the anonymity of computer sabotage—for now.

http://www.economist.com/node/16478792?story_id=16478792&fsrc=rss

The chief of the Pentagon’s new cyber-security command on Thursday endorsed talks with Russia over a proposal to limit military attacks in cyberspace, representing a significant shift in U.S. policy.

The U.S. has for years objected to Russian proposals to establish a kind of arms-control treaty for cyber weapons, arguing that international cooperation should first focus on reducing cyber crime. Russia has been working to marshal support for a United Nations treaty to limit the use of cyber weapons, such as software code that could destroy an enemy’s computer systems.

“What Russia’s put forward is, perhaps, the starting point for international debate,” Gen. Keith Alexander said Thursday at the Center for Strategic and International Studies, a Washington think tank. “It’s something that we should, and probably will, carefully consider.”

In the past, the U.S. has also frowned on Russian proposals because a treaty wouldn’t necessarily prohibit countries from using third parties to conduct cyber warfare. Cyber-security specialists say Russia and China rely on proxy groups to conduct attacks on enemies, as Russia allegedly did in 2008 against Georgia. China and Russia deny such accusations.

The Obama administration has begun to reconsider its position on the issue as it emphasizes engagement with U.S. adversaries across a range of national-security issues.

Administration officials have made low-level overtures to Russian officials in the last couple of months, according to people familiar with the matter. Russian officials also visited the U.S. late last year to meet with State Department, Homeland Security and law-enforcement officials to discuss cyber-security matters.

Gen. Alexander’s remarks were the first public comments from a U.S. official indicating a new openness to negotiations. “We do have to establish the lanes of the road” for what governments can and can’t do in cyberspace, he said. The administration should take the Russian proposal and use it to develop a counterproposal, he added.

“It shows a major shift in administration thinking and could be interpreted as an overture” to the Russians, said James Lewis, who directed an influential cyber-security report for CSIS.

Gen. Alexander’s comments could help tamp down concerns many foreign governments have privately expressed regarding the intentions of the Pentagon’s new Cyber Command, Mr. Lewis said. Some fear it will be a mechanism for the U.S. to dominate cyberspace. The U.S. has said the Cyber Command is primarily focused on protecting military networks and conducting military operations in cyberspace.

Gen. Alexander, who also serves as director of the National Security Agency, sought to allay similar concerns about the Cyber Command’s impact on domestic privacy.

Cyber Command, if asked, would provide “support” to the Department of Homeland Security to protect networks running the government or key infrastructure, he said. The military also has a strong interest in ensuring the security of some private networks, such as power, because 90% of the military’s power is provided by the private sector, he said.

Privacy concerns “are valid,” he said, but the public shouldn’t be worried about NSA working closely with Cyber Command because NSA officials are trained to follow “robust and rigorous procedures” to protect Americans’ privacy.

He acknowledged the need to earn public confidence, noting that he has four daughters who are heavy Internet users, and he wants to protect their privacy, too. “The real key to the issue is: How do we build the confidence that we’re doing it right with the American people, Congress and everyone else?” he said. “That’s going to be the hard part.”

The government too has to work hard to protect its cyber secrets. The government was spurred to improve protections for its military networks, Gen. Alexander said, after a series of breaches of classified systems in 2008. In comments after his speech, he also acknowledged for the first time publicly, that the military’s Joint Strike Fighter weapons program had been infiltrated and data had been stolen. The Wall Street Journal reported that breach last year.

http://online.wsj.com/article/SB10001424052748703340904575284964215965730.html?mod=WSJ_Tech_LEFTTopNews