Cyberwarfare is set to grow with devastating consequence, capitalizing on the historical separation between government and industry and the lack of shared visibility within and across these two sectors.
That was the position of a session at Thursday's RSA Conference where the panelists discussed the challenges of combating cyberwarfare. The two panelists were Scott Borg of the U.S. Cyber Consequences Unit, an independent, nonprofit research institute; and Amit Yoran, chief executive officer for NetWitness Corp. and former director of the U.S. National Cyber Security Division within the U.S. Department of Homeland Security.
The session, entitled "Is Cyberwarfare Coming to a Theater near You?," began by noting significant disconnects between the historical model used for handling a traditional act of war and the model we will need to follow to adequately combat cyberwarfare. The measurements and events used to identify the war act possess different attributes: large-scale physical attacks versus low and slow digital information attacks. The payloads applied (dropping bombs versus initiating a DDoS) and the types of assets seized (land versus intellectual property) come in different forms. The methods for which response, recovery and retaliation are performed will require different ways of thinking (bomb for a bomb, DDoS for a DDoS?). In short, the old warfare model used to determine how and when to engage can't be applied and won't work with cyberwarfare, the panelists said.
A successful, calculated attack could easily take down the global economy by simply breaking down some of the weak points within the global supply chain. How do manufacturers, component providers, distributors, wholesalers, retailers, and all of the supporting service providers protect themselves and establish trust in each of their partners within the chain? With the high cost of security, and therefore a lack of proper investment in security across the industry sector, there are certainly plenty of weaknesses to attack. Unfortunately, this means that the members within the supply chain have no choice but to blindly function with a false sense of trust in their security providers and their partners.
If taking down an economic channel is not the goal, maybe seizing intellectual property is more in line with the criminals' business model. The cost and time for a new venture to acquire the schematics for a well-run manufacturing plant through criminal means could very well be significantly less than the investment and time required to build and implement their own same-quality version of the schematics from scratch. If a business could start to produce the same amount of revenue in six months doing what took another company six years to achieve, what would that be worth to them? To the cybercriminals?
To mix it up even more, one could wonder why the cybercriminals would leave the weak link to be introduced by chance. "There is a complete lack of visibility into modern threats," NetWitness' Yoran said. "For example, criminals could control the supply chain to introduce the attack points exactly where they want them – directly introducing their own private vulnerabilities in the hardware, software or even the services they provide.” It's also possible they could manage the vulnerabilities to become enabled at the times they are ready to use them.
To further add to the problem, we can expect even more cybercrime in the years to come. "There has been a major shift in crime as reported by former DEA administrator Francis Mullen," said Yoran. "More money has been made through online crime than the amount made through drug trafficking. The attributes that make cybercrime attractive to civilians and cybergangs also become very attractive to nation states."
Borg added that "as business revenues shrink, overseas outsourcing decreases, and global unemployment rates rise, a number of nation states that provide widescale outsourcing services will become natural breeding grounds for low-cost, well-equipped engineers who are available, ready and willing to provide their services to the cybercriminals in search of them. To find the source of the next wave of attacks before they occur, simply identify these high-volume outsourcing locations that also possess high levels of unemployment."
In a follow-up interview with Yoran, he commented on how we might go about tackling this complex problem. "While we need to continue to invest in sector-specific government and industry protections and detections, we also need to begin to look at security from a global community perspective." Unfortunately, he added, the currently available technologies are ineffective and the community-wide information necessary to identify and combat a cyberattack is not available. "We need to promote transparency across the global security community to enable a broader view into the attack activity, building proper tools and services to take full advantage of the information we collect," he said.
