In a historic turn, the U.S. government is asking for help in fighting an increasingly sophisticated cyber enemy, reports Deb Radcliff.
In an ironic twist, the director of the National Security Agency (NSA) and commander of United States Cyber Command (USCYBERCOMM) recently stood before thousands of hackers asking for their help. This was the scene in July at the 20th annual DefCon hacking conference in Las Vegas.
Relaxed in jeans and a black T-shirt, U.S. Army Gen. Keith Alexander told a rapt audience about an escalating cyber war now fully underway on multiple sectors and fronts. During his speech, he laid out a five-step process asking for the private sector's help on many levels, particularly emphasizing the need for organizations to instantaneously share their threat information with the Department of Homeland Security in order to spot larger, orchestrated attacks on the infrastructure. But, the talk was also ironic, given that the NSA has been outed as the agency behind Stuxnet – which caused collateral damage on unintended targets in multiple countries, while the United States provided no intel to system operators that may have needed protection.
“Power, water, manufacturing, chemical and gas companies are all over this,” says Don Fergus, chair of the IT Security Technology Council at the American Society of Industrial Security and senior vice president of services at infrastructure security company Patriot Technologies. “There are questions: ‘Was Stuxnet just a practice run?' ‘What will come next?' The recipe's been made. Stuxnet is out in the wild.”
As with Stuxnet, cyber war starts out ‘cold,' with the theft of information that can lead to larger-scale attacks. In that instance, information about targets (Siemens control systems at Iranian enrichment facilities) was collected in preparation for stage two and three of cold war – to disrupt and cause damage. The final stage is when attacks against the national infrastructure and military operations make it impossible for the target nation to respond to a physical assault.
Stuxnet is one of only a few cases of actual cyber warfare with intent to damage physical systems, says Martin Libicki, senior management scientist at the RAND Corp., a government advisory think tank. He says cyber war is different in many ways, and a lot of it depends on the vulnerabilities of the target and the organization's ability to respond.
“Cycle times are short for cyber attacks if the attacks are noticed early,” he says. “Often, it takes a long time between when espionage starts and when it is discovered.”