Government computers under attack
Based on data provided to USA Today by US-CERT, unauthorized access to government computers and installations of hostile programs rose from a combined 3,928 incidents in 2007 to 5,488 in 2008.
The culprits seem to be after military secrets, said Brad Curran, Frost & Sullivan senior aerospace & defense industry analyst. They want to steal technology, or in a new strategy, what he calls asymmetric warfare.
“With our military capabilities, these groups cannot compete or stand toe to toe, so they look for asymmetric gaps to exploit,” Curran told SCMagazineUS.com. “State actors want to exploit information gaps on our networks, and read or alter our email.”
On the commerce side, these attackers can lessen a country's willingness to fight by emptying bank accounts or shutting down infrastructure, such as electric grids or power supplies, he said.
“They can mess up a country and cause panic,” Curran said. “If we're that easy a target, then we're not doing all we can.”
Ravi Sandhu of The Institute for Cyber Security at The University of Texas at San Antonio said the attackers seem in no hurry to achieve an ultimate prize.
“The stealthy and sophisticated nature of some recent attacks and their ability to bypass detection tools in well-managed networks suggests that the attackers are highly organized and possibly originate from nation states," Sandhu said in an email. "The lack of obvious means of monetizing the information gathered by these attacks is further evidence for a deeper and longer-term motive. There is enough published in the public domain to suggest that the attackers are ultimately interested in gathering vital national security and infrastructure information in preparation for possible cyberwarfare or cyberterrorism against the U.S.”
Authorities have little chance of catching them, said James Andrew Lewis, director and senior fellow, technology and public policy program at the Center for Strategic & International Studies.
“If you are savvy enough to operate from a foreign country, there's no chance of being caught," he told SCMagazineUS.com on Tuesday.
These foreign intruders appear to be focused on extracting confidential data from U.S. government agencies and contractors, said Rohyt Belani, CEO of the Intrepidus Group, a security consultancy specializing in phishing awareness and training.
“They use stealthy techniques like spear phishing attacks as the attack vector of initial compromise,” said Belani.
Spear [or targeted] phishing allows the perpetrators to stay below the radar of intrusion detection and prevention systems, as well as most email filters as they do not match any specific signatures or spam email characteristics, he said. These are highly customized and personalized emails, sent to a select group of employees in an attempt to lure them into clicking on links that appear to point to a legitimate resource, but in actuality point to a hacker-controlled malicious site.
Sanhu said more proacive solutions – which include improving diplomatic relations with nation states – must be applied to limit attacks.
“The industry and government have been stuck in a mode of fixing security vulnerabilities after they are exploited by attackers," he said. "The traditional technical approach to computer security is too narrow-minded and the security professional needs to look at the bigger picture. We need a new breed of security professional.”
The federal government must deploy technologies such as encryption and implement a defense strategy, led by a dedicated professional, Sanhu said.
The attacks will continue to be dynamic in nature and the government will continue to adapt its defenses to counter this changing landscape, said Rob Pate, CSO of Renesys, an internet monitoring company.
“The government is doing a good job of utilizing commercial, off-the-shelf products to detect the known attacks, as well as funding research and projects focused on detection of the unknown novel attacks,” Pate told SCMagazineUS.com.
But he said he wants to see the U.S. government fund more university research, and specifically, more public-private partnerships that put researchers in contact with the internet service provider community, so they can work with lots of real data.
From the top
Melissa Hathaway is taking the lead role -- at least for now -- on federal cybersecurity. Hathaway, 40, a former management consultant at Booz Allen Hamilton for 15 years who specialized in aiding military and intelligence organizations to collaborate, and spent the past two years engaged in the Bush administration's cyberefforts, was recently selected by the Obama administration to lead a review of government computer networks.
She has been given two months to review the nation's already existing cybersecurity policies to determine whether the government needs to be more proactive in slowing attacks on individuals and businesses.
Lewis said she is a good person to handle this mission. She knows the details and she knows what's already been done.
“If they give her enough freedom, she should be able to come up with a plan,” he said.
“There's really only one way to thwart attacks, following what Melissa Hathaway calls ‘offense-informed defense,' said Alan Paller, director of research at the SANS Institute. "This means you stop asking security consultants and vendors what needs to be done, and you replace that with asking the people who know attacks, both our offensive folks and the clean-up people who go in after attacks to see how they were done."
That means bringing together groups such as the National Security Agency, US-CERT, Los Alamos National Laboratory and the U.S. Department of Defense Cyber Crime Center (DC3).
Hathaway also is charged with looking over recommendations issued in December by a bipartisan commission of senators and security experts. The priority in that report was to take cybersecurity responsibilities away from the U.S. Department of Homeland Security and transfer them to a special White House cyberadviser reporting directly to the president.
Experts said Hathaway's job will be a challenge.
Collaboration across all the government agencies needs to be increased, Curran said. To achieve this, Hathaway will need budget authority; otherwise it will be difficult to get cooperation.
But Lewis, who has spoken with members of President Obama's transition team, said the administration is serious about making cybersecurity a priority, something it pledged during the campaign. The previous administration “really didn't sort that out."
The challenge that Melissa faces is to make sharing of information transparent, Pate said. “We are happy to see the focus on cybersecurity and the attacks against America continue to be a high priority and the fact that the government leadership has selected Melissa to lead this effort.”
With the support of the White House, Hathaway has a decent chance, Sandhu added. “A lot depends on where the budgets are going to come form and whether she has some control over the spending.”