National Academies Press: OpenBook

Toward a Safer and More Secure Cyberspace (2007)

Chapter: 2 What Is at Stake?

Suggested Citation:"2 What Is at Stake?." National Research Council and National Academy of Engineering. 2007. Toward a Safer and More Secure Cyberspace. Washington, DC: The National Academies Press. doi: 10.17226/11925.

2 What Is at Stake?

2.1 INTERCONNECTED INFORMATION TECHNOLOGY EVERYWHERE, ALL THE TIME

For many people today, the information revolution is represented by the most visible and salient interactions they have with information technology (IT)—typing at the keyboard of their computers at work or at home or talking on their cellular telephones. People’s personal lives also involve computing through social networking, home management, communication with family and friends, and management of personal affairs. But a much larger collection of information technology embodied in computing, software, and networking deployments is instrumental to the day-to-day operations of companies, organizations, and government. Companies large and small rely on computers for diverse business processes, ranging from payroll and accounting to the tracking of inventory and sales, to support for research and development (R&D). The distribution of food and energy from producer to retail consumer relies on computers and networks at every stage. Nearly everyone (in everyday society, business, government, and the military services) relies on wireless and wired communications systems. Information technology is used to execute the principal business processes both in government and in many of the largest sectors of the economy, including financial services, health care, utilities, transportation, and services. Indeed, the architecture of today’s enterprise IT systems is the very embodiment of the critical business logic in complex enterprises. It is impossible to imagine the Wal-Marts, the FedExes, and the Amazons of today without information technology. In short, many computing and communications systems are themselves infrastructure and serve as components of the infrastructure of other organizations.

In the future, computing and communications technologies (collectively, information technologies) are likely to be found in places where they are essentially invisible to everyday view: in cars, wallets, clothing, refrigerators, keys, cabinets, watches, doorbells, medicine bottles, walls, paint, structural beams, roads, dishwashers, identification (ID) cards, telephones, and medical devices (including some embedded in human beings). Computing will be embedded in myriad places and things or will be easily transported in pockets or on wrists. Computing devices will be coupled to multiple sensors and effectors. Computing and communications will be seamless, enabling the tight integration of personal, family, and business systems. Sensors, effectors, and computing will be networked together so that they pass relevant information to one another automatically.

In this vision of truly pervasive computing, the ubiquitous integration of computing and communications technologies into common everyday objects enhances their usefulness and makes life easier and more convenient. Understanding context, personal information appliances will make appropriate information available on demand, enabling users to be more productive in both their personal and professional lives. And, as has been true with today’s desktops and mainframes, interconnections among all of these now-smart objects and appliances will multiply their usefulness many times over.

2.2 THE NATURE OF CYBERSECURITY VULNERABILITIES

A security vulnerability in an IT artifact (e.g., a part, hardware component, software module, data structure, system, and so on) exists if there is a way to manipulate the artifact to cause it to act in a way that results in a loss of confidentiality, integrity, and availability.

  • Confidentiality. A secure system will keep protected information away from those who should not have access to it. Examples of failures that affect confidentiality include the interception of a wireless signal and identity theft.

  • Integrity. A secure system produces the same results or information whether or not the system has been attacked. When integrity is violated, the system may continue to operate, but under some circumstances of operation, it does not provide accurate results or information that one would normally expect. The alteration of data in a database or in a sensor data stream or an instruction stream to a mechanical effector, for example, could have this effect.

  • Availability. A secure system is available for normal use even in the face of an attack. A failure of availability may mean that the e-mail does not go through, or the computer simply freezes, or response time becomes intolerably long (possibly leading to catastrophe if a physical process is being controlled by the system).

These types of damage may be inflicted without the victim even being aware of the attack. For example, a system may be compromised by the obtaining of information ostensibly protected by that system (e.g., encrypted information may be intercepted and decrypted without the owner realizing it). Or, an attack may be used to support a selective denial of services (i.e., the allowing of access for most connections, but denying or corrupting some particular critical connections). If improper alteration occurs in small amounts in large, seldom-referenced databases, the fact of such corruption may never be discovered.

Note also the impact of any such damage on the user’s psychology. A single database that is found to be corrupted, even when controls are in place to prevent such corruption, may throw into question the integrity of all of the databases in a system. A single data stream that is compromised by an eavesdropper may lead system operators and those who depend on the system to be concerned that all data streams are potentially compromised. In such cases, the potential harm from any of these incidents goes far beyond the actual corrupted database or compromised data stream, since enormous amounts of effort need to be made to ensure that other databases or data streams have not been corrupted or compromised. Those other databases may be perfectly good, but may not be considered reliable under such circumstances.

Denial of service, corruption, and compromise are not independent—for example, an attacker could render a system unavailable by compromising it. An attacker could seek to inflict such damage in several ways.

  • An attack can be remote—one that comes in “through the wires,” for example, as a virus or a Trojan horse program introduced via e-mail or other communication or as a denial-of-service attack over a network connection. As a general rule, remote attacks are much less expensive, much less risky, and much easier to conduct than are the second and third types listed below.

  • Some IT element may be physically destroyed (e.g., a critical data center or communications link could be blown up) or compromised (e.g., IT hardware could be surreptitiously modified in the distribution chain). Such attacks generally require close access (i.e., requiring physical proximity).

  • A trusted insider may be compromised or may be untrustworthy in the first place (such a person, for instance, may sell passwords that permit outsiders to gain entry); such insiders may also be conduits for hostile software or hardware modifications that can be inserted at any point in the supply chain, from initial fabrication, to delivery to the end user. Compromising a trusted insider can be accomplished remotely or locally. Not all compromises are the result of insider malice; phishing attacks are one example of how a trusted insider can be tricked into providing sensitive information.

Of course, these three ways of causing damage are not mutually exclusive, and in practice they can be combined to produce even more destructive effects than any one way alone. Additionally, attackers can easily “pre-position” vulnerabilities to facilitate the timing of later attacks. This pre-positioning could be in the form of trap doors left behind from previous virus infections, unintentional design vulnerabilities,1 or compromised code left by a compromised staff member or by a break-in to the developer’s site.2

2.3 SYSTEMS AND NETWORKS AT RISK

What IT systems and networks are at risk? Key elements of information technology fall into three major categories: the Internet; embedded/real-time computing (e.g., avionics systems for aircraft control; air traffic control; Supervisory Control and Data Acquisition [SCADA] systems controlling the distribution of electricity, gas, and water; the switching systems of the conventional telecommunications infrastructure; bank teller machine networks; floodgates); and dedicated computing devices (e.g., desktop computers). Each of these elements plays a different role in national life, and each is subject to different kinds of attack.

1

An example is the recent episode during which Sony’s BMG Music Entertainment surreptitiously distributed software on audio compact discs (CDs) that was automatically installed on any computers that played the CDs. This software was intended to block the copying of the CD, but it had the unintentional side effect of opening security vulnerabilities that could be exploited by other malicious software such as worms or viruses. See Iain Thomson and Tom Sanders, “Virus Writers Exploit Sony DRM,” vnunet.com, November 10, 2005; available at http://www.vnunet.com/vnunet/news/2145874/virus-writers-exploit-sony-drm.

2

P.A. Karger and R.R. Schell, Multics Security Evaluation: Vulnerability Analysis, ESD-TR-74-193, Vol. II, June 1974, HQ Electronic Systems Division, Hanscom Air Force Base; available at http://csrc.nist.gov/publications/history/karg74.pdf.

2.3.1 Attacks on the Internet

The infrastructure of the Internet is a possible target, and given the Internet’s public prominence and ubiquity, it may appeal to terrorists or criminals as an attractive target. The Internet can be attacked in two (not mutually exclusive) ways—physically or “through the wires.”

Physical attacks might destroy one or a few parts of the Internet infrastructure. But the Internet is a densely connected network of networks that automatically routes around portions that become unavailable,3 which means that a large number of important nodes would have to be destroyed simultaneously to bring it down for an extended period of time. Destruction of some key Internet nodes could result in reduced network capacity and slow traffic across the Internet, but the ease with which Internet communications can be rerouted would minimize the long-term damage.4

An attack that comes through the wires rather than via physical attack can have much higher leverage. The Internet crosses borders and its reach is extended throughout the globe. But the global Internet was not designed to operate in a hostile environment where information systems and networks can be attacked from inside. Indeed, it is an unfortunate result of Internet history that the protocols used by the Internet today are derived from the protocols that were developed in the early days of the Advanced Research Projects Agency Network, where there were only a few well-respected researchers using the infrastructure, and they were trusted to do no harm. Consequently, security considerations were not built in to the Internet, which means that all cybersecurity measures taken today to protect the Internet are add-on measures that do not remedy the underlying security deficiencies.

One type of attack is directed against Internet operations. Such attacks are often based on self-replicating programs (worms and viruses) that are transmitted from system to system, consuming prodigious amounts of router processing time and network channel bandwidth. In recent years, some of these worms and viruses have been transmitted without explicitly destructive payloads and yet have been able to disrupt key Internet backbone subnetworks for several days. Another kind of attack on Internet operations seeks to corrupt the routing tables that determine how a packet should travel through the Internet. In both cases, the intent of the attack is to reduce the normally expected functionality of the Internet for some significant portion of its users—that is, it is a denial-of-service attack in intent, although not one necessarily based on flooding traffic.

3

National Research Council. 2001. The Internet’s Coming of Age. National Academy Press, Washington, D.C. Note, however, that the amount of redundancy is limited primarily by economic factors.

4

This comment applies largely to U.S. use of the Internet. It is entirely possible that other nations—whose traffic is often physically routed through one or two locations in the United States—would fare much worse in this scenario. See National Research Council. 2003. The Internet Under Crisis Conditions: Learning from September 11. The National Academies Press, Washington, D.C.

An attacker might also target the Internet’s Domain Name System (DNS), which translates domain names (e.g., “example.com”) to specific Internet Protocol (IP) addresses (e.g., 123.231.0.67) denoting specific Internet nodes. A relatively small number of “root name servers” underpins the DNS. Although the DNS is designed to provide redundancy in case of accidental failure, it has some vulnerability to an attack that might target all name servers simultaneously. Although Internet operations would not halt instantly, an increasing number of sites would, over a period of time measured in hours to days, become inaccessible without root name servers to provide authoritative translation information. Physical replacement of damaged servers would be achievable in a matter of days, but changing the IP addresses of the root name servers and promulgating the new IP addresses throughout the Internet—a likely necessary step if the name servers are being attacked repetitively in an automated fashion—would be much more problematic.5

A through-the-wires attack is possible because of Internet-enabled interconnection. Thus, a hostile party using an Internet-connected computer 10,000 miles away can launch an attack against an Internet-connected computer in the United States just as easily as if the attacker were next door. Criminals and adversaries located all over the globe may nonetheless communicate and partly coordinate their activities through the network, without ever having to meet or cross national boundaries, especially in countries where they can operate without a serious fear of surveillance or aided by insider accomplices. By contrast, the planet is a world of sovereign nation-states, with different laws and regulations governing computer activities—a point that makes traditional responses of military retaliation or criminal prosecution much more problematic.

Dependence on the Internet for the performance of core business functions is increasingly a fact of life for a growing number of businesses and government agencies, as well as citizens in private life. It is obvious that a disruption to the Internet would be a major disruption to an electronic commerce company such as Amazon.com. But what is less obvious is that in the last couple of years, many large companies have come to depend on the Internet and other networks running Internet protocols for internal voice and data communications and other key functions—and these trends will only accelerate in the future as pressures for cost reduction grow. A good example is the fact that Voice-Over-IP (VOIP) connections are increasingly replacing conventional telephony. Thus, it is only a matter of a relatively short time before today’s independence of voice communications from the Internet no longer exists to any significant degree—and this will be true for business, government, and the general civilian population.

5

National Research Council. 2005. Signposts in Cyberspace: The Domain Name System and Internet Navigation. The National Academies Press, Washington, D.C.

Finally, it is an unfortunate fact of life today that in many cases, when a system or a network connected to the Internet is under attack, the only feasible protective action is to disconnect from the Internet. Such an action may eliminate the attack (unless a rogue program has been successfully inserted into the targeted system or network before the connection is cut), but it also renders the attack maximally successful in a certain sense, since now for all practical purposes the disconnected system or network does not exist on the Internet.

2.3.2 Attacks on Embedded/Real-Time Computing and Control Systems

Embedded/real-time computing in specific systems could also be attacked. For example, many embedded computing systems could be corrupted over time or be deployed with hidden vulnerabilities.6 Of particular concern could be avionics in airplanes, collision-avoidance systems in automobiles, and other transportation systems. Such attacks would require a significant insider presence in technically responsible positions in key sectors of the economy, likely but not necessarily over long periods of time. Another example is that sensors, which can be important elements of counterterrorism or anticrime precautions, could be the target of an attack or, more likely, precursor targets of a terrorist or criminal attack.

Another possible attack on embedded/real-time computing would be an attack on the systems controlling elements of the nation’s critical infrastructure—for example, the electric power grid, the air traffic control system, the railroad infrastructure, water purification and delivery, or telephony. For example, attacks on the systems and networks that control and manage elements of the nation’s transportation infrastructure could introduce chaos and disruption on a large scale that could drastically reduce the capability of transporting people and/or freight (including food and fuel).

6

An inadvertent demonstration of this possibility was illustrated with the year-2000 (Y2K) problem that was overlooked in many embedded/real-time systems designed in the 1980s and earlier.


To illustrate, electric generation plants are controlled by a variety of IT-based SCADA systems. Attacks on these SCADA systems could obviously result in local disruptions in the supply of electrical power. But two other scenarios are more problematic. The electric power distribution grid, also controlled by IT-based SCADA systems and being necessary for electric power generated in one location to be useful in another location hundreds of miles away, is also a conduit through which a failure in one location can cascade to catastrophic proportions before the local failure can be dealt with.7 (In this context, the distribution grid includes both the transmission lines that carry electricity and their control channels.) In addition, because SCADA systems are used to control physical elements of the grid, attacks on SCADA systems can also result in irreversible physical damage to unique equipment that may require many months to replace. Although causing such consequences requires inside or expert knowledge rather than just random attacks, the consequences are severe in terms of economic damage to the country.

Similar concerns arise with conventional telecommunications and the financial system (including the Federal Reserve banking system, which is a system for handling large-value financial transactions, and a second system for handling small-value retail transactions [including the Automated Clearing House, the credit-card system, and paper checks]). Although these systems are also largely independent of the public Internet, they are utterly dependent on computers, and thus they are subject to a variety of security vulnerabilities that do not depend on Internet connectivity.

2.3.3 Attacks on Dedicated Computing Facilities

In many of the same ways that embedded computing could be attacked, dedicated computers such as desktop computers could also be corrupted in ways that are hard to detect. One possible channel comes from the use of untrustworthy IT talent by software vendors.8 The concern is that once working on the inside, these individuals would be able to introduce additional but unauthorized functionality into systems that are widely used. Under such circumstances, the target might not be just any desktop computer (e.g., any computer used in the offices around the country) but rather the desktop computers in particular sensitive offices or in critical operational software used in corporate or government computer centers (e.g., a major bank or the classified and unclassified systems of the Department of Defense).

7

For example, the cause of the blackout of August 2003—lasting 4 days and affecting 50 million people in large portions of the midwestern and northeastern United States and Ontario, Canada—was traced to a sequence of cascading failures initiated by the shutdown of a single 345 kV transmission line. Admittedly, the grid was in a stressed state in northeastern Ohio when this occurred, but the grid often faces such stress during heat waves and storms. See U.S.-Canada Power System Outage Task Force, Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations, April 2004; available at https://reports.energy.gov/BlackoutFinal-Web.pdf.

8

Although security concerns are often raised about the offshoring of IT development, untrustworthy talent may be foreign or domestic in origin. Foreign IT workers—whether working in the United States (e.g., under an H1-B visa or a green card) or offshore on outsourced work—are generally not subject to thorough background investigations; therefore, an obvious route is available through which foreign terrorist organizations can gain insider access. Reports of American citizens having been successfully recruited by foreign terrorist organizations add a degree of believability to the scenario of domestic IT talent’s being used to compromise systems for terrorist purposes.

Another possible channel for attacking dedicated computing facilities results from the connection of computers through the Internet; such connections provide a potential route through which terrorists or criminal organizations might attack computer systems that do provide important functionality for many sectors of the economy. Examples of widely used Internet-based vectors that, if compromised, would have a large-scale effect in a short time include appealing Web pages and certain shareware programs, such as those for sharing music files. An appealing Web page might attract many viewers in a short period of time, and viewers could be compromised simply by viewing the page. Shareware programs might contain viruses or other “malware.” In principle, channels for distributing operating systems upgrades could be corrupted as well, but because of their critical nature, these channels are in general much more resistant to security compromise.

It is likely that Internet-connected computer systems that provide critical functionality to companies and organizations are better protected through firewalls and other security measures than is the average system on the Internet. Nevertheless, as press reports in recent years make clear, such measures do not guarantee that these large systems are immune to the hostile actions of outsiders.9

2.4 POTENTIAL CONSEQUENCES OF EXPLOITS

The possible consequences of successful exploits of cyber vulnerabilities cover a broad spectrum, from causing annoyance to an individual to causing catastrophic consequences for society. It is, of course, possible that the existence of a vulnerability—even if widespread—will not lead to disaster (see Box 2.1), but making this possibility the basis for an effective cybersecurity response is clearly not a sensible thing to do today.

9

For example, the Slammer worm attack reportedly resulted in a severe degradation of the Bank of America’s automatic teller machine network in January 2003. See Aaron Davis, “Computer Worm Snarls Web: Electronic Attack Also Affects Phone Service, BOFA’s ATM Network,” San Jose Mercury News, January 26, 2003; available at http://www.bayarea.com/mld/mercurynews/5034748.htm+atm+slammer+virus&hl=en.

  • If a virus attacks a home computer and erases all of the files on it, the consequences range from mere annoyance to emotional trauma (e.g., if irreplaceable pictures were stored). If the user had made a recent backup, the hassle factor involved in recovering the files may be only a matter of an hour or two—though removing the virus may be more involved than that. If the “home” computer involved belongs to a small business, critical business records could be lost.

  • If a cybersecurity breach enables a hostile party to impersonate an individual, the result may be highly problematic for the individual. Victims of identity theft suffer for years under a cloud of uncertainty about their finances and credit records even as they try to clear their records.10 No one dies because someone has impersonated him or her, although the compromise of personal information such as home addresses can certainly lead to serious harm.11 If the identities of many individuals are compromised and identity theft results, serious economic losses to financial institutions may occur.12

  • If consumers are not confident of online security, they will be more reluctant to engage in online activities and electronic commerce. For example, the Gartner Group estimated that $1.9 billion in e-commerce sales would not occur in 2006 because of consumer concerns about the security of the Internet.13

  • If a company’s trade secrets or confidential business plans are compromised, its viability as a business entity may be placed at risk (most likely if it is a small company) or its competitiveness in the marketplace reduced. Millions of dollars might be lost, but people rarely die from the theft of trade secrets.

10

The term “identity,” as used in “identity theft,” is somewhat misleading in this context. Some observers point out that in a deep philosophical sense, an individual’s identity is inextricably associated with that individual. They thus suggest that a more precise term may be “credential theft” or “theft of personal information,” either of which allows the possessor of the credential or personal information to impersonate the individual to whom that credential refers or with whom that personal information is associated. However, customary usage refers to “identity theft,” and in the interests of clarity for the reader, this report continues that usage.

11

In 1989, actress Rebecca Schaeffer was stalked and murdered by a fan who allegedly retrieved her name and address from the California motor vehicle department. Her death inspired the passage of the federal Driver’s Privacy Protection Act of 1994, 18 U.S.C. 2721.

12

Gartner Press Release, “Gartner Says Number of Phishing E-Mails Sent to U.S. Adults Nearly Doubles in Just Two Years,” November 9, 2006; available at http://www.gartner.com/it/page.jsp?id=498245.

13

Gartner Press Release, “Gartner Says Nearly $2 Billion Lost in E-Commerce Sales in 2006 Due to Security Concerns of U.S. Adults,” November 27, 2006; available at http://www.gartner.com/it/page.jsp?id=498974.

  • If the fly-by-wire controls of a modern passenger airplane are compromised, the pilot might lose control and be unable to land safely. Hundreds of lives aboard the plane may be placed at risk.

  • If the computer systems controlling the operation of a railroad are compromised, extensive physical damage may be caused in train crashes.

  • If electronic medical records are compromised by the unauthorized alteration of data, medical and pharmaceutical decisions that rely on the integrity of those data are placed at risk, and improper treatment may result. If these alterations are not detected, thousands of lives may be placed at risk.

  • If the Department of Defense’s logistics systems are compromised, large-scale military deployments could become quite difficult or impossible to conduct in a timely manner.

  • If the communications systems used by emergency responders in a city are compromised so that communications capabilities are greatly diminished, police, fire, and medical personnel would be crippled in responding to emergencies.

  • If the computerized controls for an industrial plant are compromised, an adversary might be able to cause a major industrial accident. For example, if a chemical plant near a major metropolitan area were involved, a Bhopal-like accident might occur.

  • If the electric power grid is compromised and attackers are able to cause blackouts over a wide area, public safety may be endangered through collateral consequences, such as rioting and looting. Widespread blackouts that last for more than a few days—entirely possible if the appropriate attack strategy is used—go beyond mere nuisance and begin to threaten economic livelihoods and personal health and safety on a large scale.

Even worse, the latter scenarios cannot be considered in isolation. Indeed, if launched as part of a broader terrorist attack, they might be accompanied by physical “kinetic” attacks on vital national interests, either domestically or abroad. Cyberattacks conducted as part of a multi-pronged attack scenario that also includes physical attacks, rather than cyberattacks alone, could have the most catastrophic consequences.14 For example, cyberattacks conducted as part of a larger scenario could result in greater opportunity to widen the damage of a physical attack (e.g., by providing false information that drives people toward, rather than away from, the point of attack); interfering with timely responses to an attack (e.g., by disrupting the communications systems of first responders); or increasing terror in the population through misinformation (e.g., by providing false information about the nature of a threat). And, of course, it is possible for information technology controlling the operation of physical systems to cause physical damage to those systems.

Note also that the nation’s information technology might be either a target of an attacker or a weapon for an attacker to use. In the first case, an element of the IT infrastructure itself (e.g., the means for people to communicate or to engage in financial transactions) might be a target to be destroyed. In the second case, the target of an adversary might be another kind of critical infrastructure (e.g., the electric power grid), and the adversary could either launch or exacerbate the attack by exploiting the IT infrastructure.

14

National Research Council. 2003. Information Technology for Counterterrorism: Immediate Actions and Future Possibilities. The National Academies Press, Washington, D.C.

BOX 2.1

Lack of Exploitation Does Not Indicate Nonvulnerability

Skeptics have often asked the following question: If information technology is so vulnerable, why hasn’t there been a “digital Pearl Harbor” yet? The rhetorical logic is that since a digital Pearl Harbor hasn’t happened yet, the nation’s cybersecurity posture must not be as bad as is claimed. In the view of the Committee on Improving Cybersecurity Research in the United States, the premise could reasonably be questioned, but stipulating the premise for the moment, such rhetoric does raise an interesting question: How might an observer distinguish which of the following statements is true: “There are no serious vulnerabilities in today’s information technology” or “There are serious but unseen vulnerabilities”?

A story from the early days of computer security is a good place to begin. An experimental time-sharing system at a major university, to which users could connect using dial-up modems, was subject to attack by hackers who would try to bring the system down. Using these dial-up connections, the hackers were successful from time to time. The system administrators responded to this threat by changing the system command structure. In particular, they added a command, called CRASH, that any user could invoke. The command was documented as follows: “If you use this command, you will crash the system. Everyone will lose their work, and be really mad at you. Please don’t do this.” This security innovation turned out to be successful, because the existence of the CRASH command took all the intellectual challenge out of crashing the system, and the system administrators—themselves of a hacker mind-set—understood the motivations of their adversaries very, very well.

Obviously, such an approach would not work today. But this story illustrates the point that nondisaster does not necessarily mean that no vulnerabilities are present. Given the existence of systemic vulnerabilities and the capability to exploit them, which essentially every cybersecurity expert recognizes, the question necessarily turns to one of motivation. Why might a hostile party with the capability to exploit a vulnerability not do so?

It is instructive to consider an analogous situation in the intelligence community. Sensitive and important information about Nation A may be gathered by (adversary) Nation B from a well-placed but covert source. Under what circumstances might Nation B refrain from using that information against Nation A? The answer depends on the value that Nation B places on protecting the source of the information versus the value that it places on using the information at that time. Protecting sources and methods is a task of paramount importance in the intelligence community, because many sources and methods of collecting intelligence would be difficult to replace if their existence became known—and thus, certain types of information are not used simply because their use would inevitably disclose the source.

Similarly, in the shadowy world of cyberthreat and cybersecurity, a hostile party with the capability to exploit a vulnerability would be well-advised to wait until the time was advantageous for it to launch an attack. In fact, one might well imagine that such a party would conduct exercises to probe weaknesses and lay the groundwork for an attack without actually taking overly hostile action. For example, such a party might use a virus that simply replicated itself but did not carry a payload that did any damage at all to prove to itself that such an attack was possible in principle.

The cybersecurity community knows of incidents (such as rapidly propagating viruses without destructive payloads and the active compromise of many network-connected computers that can be used to launch a variety of distributed attacks) that are consistent with the likely tactics of intelligent hostile parties. And it knows of intelligent parties whose intentions toward the United States are hostile. These factors do not constitute a logical proof of extensive cyberthreat, but they do underlie the committee’s judgment that the vulnerabilities with which it is concerned are not merely theoretical.

Taken together, these scenarios suggest that a lack of security in cyberspace has three potential consequences. First is the threat of catastrophe—a cyberattack, especially in conjunction with a physical attack, could result in thousands of deaths and many billions of dollars of damage in a very short time. Second is frictional drag on important economic and security-related processes. Today, insecurities in cyberspace systems and networks allow adversaries (in particular, criminals) to extract enormous sums of money in fraud and extortion—and force businesses to expend additional resources to defend themselves against these threats. If cyberspace does not become more secure, tomorrow’s businesses will continue to face similar pressures, and most likely on a greater scale. Third, concerns about insecurity may inhibit the use of information technologies in the future and thus lead to self-denial of the benefits they bring, benefits that will be needed for the national competitiveness of the United States as well as for national and homeland security.

2.5
THE MAGNITUDE OF THE THREAT AGAINST TODAY’S TECHNOLOGIES

The previous sections in this chapter describe what might be possible through a cyberattack. In the absence of quantitative threat information, these possibilities might well be regarded as speculative or isolated instances. But nearly all indicators of frequency, impact, scope, and cost of cybersecurity incidents show a continuously worsening picture. This is true whether one considers the losses due to IT-based fraud and theft, identity theft and attacks on personal information, incidence of viruses and malicious code, number of compromised systems, or other types of impact. The discussion below reviews some of the publicly available evidence about the impacts of cyberattacks.

In February 2005, the President’s Information Technology Advisory Committee (PITAC) released a report entitled Cybersecurity: A Crisis of Prioritization containing several data points indicating the size and scope of the threat, drawn from various sources.15 Reexamining those data points and a number of others 2 years later offers a point of direct comparison for measuring recent trends in cybersecurity:

  • The PITAC report noted that in the Deloitte 2004 Global Security Survey, 83 percent of financial service organizations experienced compromised systems in 2004. This compares with 28 percent in 2005 and 82 percent in 2006. In 2003, the figure was 39 percent.16

  • The PITAC report noted that the 9th Annual Computer Virus Prevalence Survey 2003 of ICSA Labs (formerly known as the International Computer Security Association) reports that the monthly percentage of personal computers infected by a virus grew from 1 percent in 1996 to over 10 percent in 2003. The 10th Annual Computer Virus Prevalence Survey 2004 reports a continued increase of 0.8 percent, approaching 12 percent.17

15

President’s Information Technology Advisory Committee. February 2005. Cyber Security: A Crisis of Prioritization, National Coordination Office for Information Technology Research and Development, Washington, D.C.; available at www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf.

16

Deloitte, Global Security Survey, annual reports on the global financial services industry, 2002 to 2006. The 2006 report explained the huge differences as resulting from changes in the respondent pool, specifically their size and geographic distribution; see Deloitte, 2006, 2006 Global Security Survey, Deloitte Touche Tohmatsu, p. 26; available at http://www.deloitte.com/dtt/cda/doc/content/us_fsi_150606globalsecuritysurvey(1).pdf.

17

ICSA Labs, 9th Annual Computer Virus Prevalence Survey 2003 (2004); and ICSA Labs, 10th Annual Computer Virus Prevalence Survey 2004 (2005); see http://www.icsalabs.com/icsa/icsahome.php.

  • The PITAC report noted that the January to June 2004 Symantec Internet Security Threat Report showed that the rate of computers incorporated into bot armies rose from under 2,000 per day to over 30,000. Symantec’s January to June 2006 report shows a rising rate of compromised computers, from over 40,000 to over 60,000, with an average over the period of 57,717.18

  • The 2003 ICSA Labs report noted that 92 of 300 respondents (31 percent) reported virus disasters. The 2004 ICSA Labs report shows an increase of 6 percent over 2003, from 92 of 300 to 112 of 300 respondents.19

  • The PITAC report noted that the ICSA Labs surveys show an upward trend for each of the past 9 years for cost, downtime, and days to recover from significant virus events. This trend continued in 2004, with a 25 percent increase in recovery time over the 2003 figure and a significant jump in cost related to recovery.

  • New vulnerabilities reported to the Computer Emergency Response Team Coordination Center (CERT/CC) more than doubled again from the 3,780 recorded in 2004 to 8,064 recorded in 2006.20

  • The Symantec report noted that in the first half of 2004, the average time between the public disclosure of a vulnerability and the release of an associated exploit was 5.8 days. The report showed that in the first half of 2006, the average exploit time was 3 days, continuing the trend of quicker exploitation and cutting exploit time by almost half.21

The 2003 rate is 108/1,000, or 10.8 percent. The 2004 rate is 116/1,000, or 11.6 percent.

18

Symantec Corporation, Symantec Internet Security Threat Report: Trends for January 06-June 06, Vol. X, September 2006. The report warns that new methodologies were implemented to obtain and record attack data, including bot activity. It says that as a consequence of these changes “any comparison with the attack data gathered in previous periods would be invalid.” See p. 40.

19

The ICSA Labs report defines a virus disaster as an incident in which 25 or more personal computers or servers are infected at the same time with the same virus, or an incident causing significant damage or monetary loss to the organization. See ICSA Labs, 10th Annual Computer Virus Prevalence Survey 2004 (2005), p. 1.

20

Computer Emergency Response Team Coordination Center, CERT Statistics; available at http://www.cert.org/stats/.

21

The Symantec report for January-June 2006 (Vol. X) also notes that vendors are dramatically reducing the patch development and release time, so that the overall window of exposure fell from 60 days in January 2006 to 28 days in June 2006. See Symantec Corporation, Symantec Internet Security Threat Report: Trends for January 06-June 06, Vol. X, September 2006, pp. 58-59.

Since the release of the PITAC cybersecurity report, a number of other reports have highlighted the increasing sophistication of attacks. Overall, these reports suggest that less-sophisticated attacks are now being thwarted by the increased use of virus protection software, spyware, and spam filters and other security products, but the attacks that are succeeding have greater impact—and are more difficult to protect against. For example, the Deloitte 2006 Global Security Survey noted the “exponential increase in the sophistication of threats and their potential impact across an organization.”22 The 2006 E-Crime Watch Survey found that 55 percent of all organizations in the survey had at least one incident of an insider attack, up from 39 percent the previous year.23 The Symantec Internet Security Threat Report, Volume X, published in September 2006, concludes that “the threat environment continues to be populated by lower-profile, targeted attacks as cyber criminals identify new ways to steal information or provide remote access to user systems. The attacks propagate at a slower rate in order to avoid detection and increase the likelihood of successful compromise before security measures can be put in place.”24

The documentation of the nature of cybersecurity incidents provided in these reports is fragmented and incomplete. For example, the Department of Justice notes that there is “currently [in February 2006] no national baseline measure … on the extent of cybercrime.”25 Yet, the available data are sufficient to make assertions about the seriousness of the threat that are more than just statements to be taken on faith. (Box 2.2 lists some of the more significant sources.) Some efforts focus on counting the frequency, nature, and trends of attacks. Others focus on measuring the impacts and costs of incidents by surveying organizations and individuals. Taken together, they paint a clear picture of growing impacts, including lost production, operational disruptions, and direct economic costs from fraud and lost business, measured on the scale of several billions of dollars annually.26 The impact is already very large and is growing, and the threat is expanding.

22

Deloitte, 2006 Global Security Survey (2006), p. 13.

23

CSO magazine, U.S. Secret Service, CERT Coordination Center, Microsoft Corp., 2006 E-Crime Watch Survey; available at http://www2.csoonline.com/info/release.html?CID=24531.

24

Symantec Corporation, Symantec Internet Security Threat Report: Trends for January 06-June 06, Vol. X, September 2006, p. 4.

25

Department of Justice, Bureau of Justice Statistics, National Computer Security Survey Announced, February 9, 2006; available at http://www.ojp.usdoj.gov/bjs/pub/press/ncsspr.htm. The survey is also supported by a number of trade associations and industry groups.

26

For example, the 2006 Javelin Strategy and Research report on identity fraud estimated the total cost of ID fraud in 2004 at $56.6 billion. Approximately 9 percent of these cases were attributable to phishing, hacking, computer viruses, or spyware on home computers; another 6 percent resulted from data breaches at businesses holding personal information. Assuming that the average cost of an incident of computer-based ID fraud is comparable with the cost of other kinds of ID fraud (an assumption that seems roughly consistent with other data presented in the report), these cases account for $8 billion to $9 billion in losses.

It is also likely that the reported level of security incidents understates the actual level. For example, the 2006 CSI/FBI Computer Crime and Security Survey found that the negative publicity from reporting incidents to law enforcement is a major concern of many organizations, noting that only 25 percent of firms report incidents to authorities.27

Some incidents would routinely go unreported for benign reasons (e.g., they were not severe enough). But there is also a systematic bias against reporting, because targets of cyberattacks such as government agencies and large corporations are often concerned that widespread disclosure of their victimization would shake public confidence in their operations and integrity. Whether they are concerned about embarrassment, loss of confidence, giving competitors an advertising advantage over them, or drops in market share, agencies and corporations have few incentives to report these events in a public forum. In some cases, successful cyberattacks may never be noticed at all (as might be the case if valuable secrets were stolen).

How significant is the underreporting? This magnitude is hard to estimate, but one widely cited article from 2002 claims that “only about 10% of all cybercrimes committed are actually reported and fewer than 2% result in a conviction.” The article offers two reasons for this: institutions feel that they have more to lose by reporting computer security breaches, and they assume that law enforcement will provide little or no assistance.28

2.6
AN OMINOUS FUTURE

The committee believes that security will be a continuing issue because there will always be incentives to compromise the security of deployed systems, and that these incentives will only increase over time as organizations and individuals increasingly depend on information technology. Personal gain, organized crime, terrorism, and national interests are superseding personal fame and curiosity as incentives for cyberattacks, and thus the threat picture is coming to include increasingly sophisticated actors who possess significant resources to execute attacks. Moreover, threats evolve (both on their own and as defenses against them are discovered), and new vulnerabilities often emerge as innovation changes underlying system architectures, implementation, or basic assumptions.

See Javelin Strategy and Research, Identity Fraud Survey Report, Consumer Version, January 2006; available at www.javelinstrategy.com/products/AD35BA/27/delivery.pdf.

27

Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn, and Robert Richardson, 2006 CSI/FBI Computer Crime and Security Survey, Computer Security Institute, 2006; available at http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf.

28

Chris Hale, “Cybercrime: Facts and Figures Concerning the Global Dilemma,” Crime and Justice International, 18(65): 5-6, 24-26, September 2002.


BOX 2.2

Major Sources of Data Characterizing the Cyberthreat

There are many sources of data characterizing the nature of the cybersecurity threat. The sources of data and analysis described in this box are (or are planned to be) updated on an ongoing (e.g., annual) basis. (In a few instances reports have been issued consistently for more than 10 years.) Sponsoring organizations include academic institutions, federal agencies, and a range of private-sector companies working either alone or in collaboration.

The first two sources listed here focus on the frequency of incidents and the type of attacks observable through the monitoring of Internet traffic. The others are surveys measuring the scope, impact, and cost of incidents to organizations and firms, although the purpose, scope, and methods of these surveys vary considerably.

  • CERT/CC Statistics: The Computer Emergency Response Team Coordination Center (CERT/CC) has collected statistics on vulnerabilities and incidents since 1988. CERT is a center of Internet security expertise located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. In addition to maintaining incident and vulnerability statistics, CERT/CC works with US-CERT to coordinate defense against and response to cyberattacks. Further information is available at http://www.cert.org/stats/cert_stats.html.

  • Symantec Internet Security Threat Report: First published in January 2002 by Riptech, Inc. (acquired by Symantec in July 2002), this report has been published twice annually since 2002, for a total of 10 reports. Using network data collected by sensors monitoring network activity globally, these reports summarize and analyze network attack trends, vulnerability trends, and malicious code trends. Metrics used to measure the “threat landscape” have continued to evolve along with the types of attacks. All of the reports are available at http://www.symantec.com/enterprise/threatreport/index.jsp.

  • E-Crime Watch Survey: This annual survey, started in 2004, is conducted by CSO (Chief Security Officer) magazine in cooperation with the U.S. Secret Service’s Electronic Crimes Task Force, CERT/CC, and Microsoft Corporation. The purpose of the survey is to identify electronic-crime trends and techniques and to gather data on their impact. The 2006 report is available at http://www.cert.org/archive/pdf/ecrimesurvey06.pdf.

  • FBI Computer Crime Survey: Conducted in 2005, the purpose of this survey is to “gain an accurate understanding of what computer security incidents are being experienced by the full spectrum of sizes and types of organizations within the United States.”1

  • Internet Fraud Crime Report: Prepared by the National White Collar Crime Center and the Federal Bureau of Investigation (FBI), the 2005 edition is the fifth annual compilation of “information on complaints received and referred by the Internet Crime Complaint Center (IC3) to law enforcement or regulatory agencies for appropriate action.”2 The report outlines many of the current trends and patterns in Internet crime; it is available at http://www.ic3.gov/media/annualreport/2005_IC3Report.pdf.

  • CSI/FBI Computer Crime and Security Survey: Conducted by the Computer Security Institute (CSI) with the participation of the San Francisco, California, FBI Computer Intrusion Squad, this survey is now in its 11th year, having produced a report every year since 1996. Its primary focus is on the economic impacts of incidents, the economic decisions that organizations make regarding computer security, and how they manage risk associated with security breaches. See http://www.gocsi.com/.

  • Deloitte’s Global Security Survey: Published annually since 2003, this survey reports on the outcome of focused discussions with information technology executives from the global financial services institutions designed to identify perceived levels of risks, the types of risks that are the focus of concern, the resources being used to mitigate these risks, the security technologies being employed, and the value gained from the security investments made. The 2006 report is available at http://www.deloitte.com/dtt/cda/doc/content/Deloitte%202006%20Global%20Security%20Survey(2).pdf.

  • ICSA (formerly known as the International Computer Security Association) Labs Annual Computer Virus Prevalence Survey: Conducted every year from 1996 through 2004, the objectives of this survey are “to examine the prevalence of computer viruses in mid- and large-sized organizations; describe the computer virus problem in computer networks, including desktop computers; application and file servers; and perimeter devices such as firewalls, gateways, and proxy servers; and observe trends in computer virus growth, infection methodologies, and attack vectors.”3 The 10th annual report, published in 2005, is available at http://www.icsalabs.com/icsa/docs/html/library/whitepapers/VPS2004.pdf.

  

1 Federal Bureau of Investigation, 2005 FBI Computer Crime Survey, Washington, D.C., p. 1. Key findings of this report may be found at http://www.fbi.gov/page2/jan06/computer_crime_survey011806.htm; the entire report is available at http://www.digitalriver.com/v2.0-img/operations/naievigi/site/media/pdf/FBIccs2005.pdf.

2 National White Collar Crime Center, Federal Bureau of Investigation, The Internet Crime Complaint Center 2005 Internet Crime Report: January 1, 2005–December 31, 2005, Washington, D.C., p. 3.

3 ICSA Labs, 10th Annual Computer Virus Prevalence Survey 2004, 2005, p. 3.

2.6.1
The Evolution of the Threat

In 1992, the World Wide Web had not yet been invented. Cybersecurity efforts were focused primarily on enhancing the security of individual, un-networked systems. Even then, security had been raised as an important issue (as discussed in Section 10.1). But 15 years later, information technology has advanced dramatically in almost all fields—except for cybersecurity. Consider that in the past 15 years:

  • The increasingly ubiquitous interconnection of the world’s computers provides many avenues for cyberattackers to exploit, and these will only proliferate.

  • Increasing standardization and homogeneity of communications protocols, programming interfaces, operating systems, computing hardware, and routers allow for a single developed attack to be used against vast numbers of systems.

  • Distinctions between data and program have been eroded. “Active content” is now quite common in programming paradigms; pictures, word processing files, and spreadsheets can and often do contain programs embedded within them in order to increase their functionality. (For example, a spreadsheet can contain macros that are integral to the use of that spreadsheet.) The consequence is that the computing environment is no longer under the complete control of the user of these files.

  • As systems evolve they tend to become more complex. The greater the complexity, the more difficult it is to verify the operation of the system before it is put into use, and the more difficult it may be to detect that the system’s defenses have been penetrated. Dramatic increases in complexity make the jobs of both attacker and defender more difficult, but the increase in difficulty affects the defender much more than the attacker.

  • User demands for backward compatibility often mean that older and less secure components cannot be replaced with newer components that reduce or mitigate the old vulnerabilities. Furthermore, the complexities of the ensuing extra software to accommodate compatibility tend to introduce further flaws.

  • Use of Web-based services (see Section 8.4.3) proliferates the opportunities for adversaries to attack important service providers. Web services may depend on other Web services, so the ability to predict, or even comprehend, the impact of attacks may be very low.

  • The great difficulties of associating individuals with specific destructive or hostile actions, coupled with an uncertain and ambiguous legal and policy framework for dealing with such incidents (especially when they involve communications and information passed across national boundaries), make it highly unlikely that adversaries will suffer significant negative consequences for their actions, thus increasing the likelihood that others will take actions with similar intent.

Widespread networking of computers was a signal event in the evolution of information technology, with significant implications for cybersecurity. As one example, consider the problem of botnets. A botnet (also known as a zombie-net) is a collection of computers on a network that are under the remote control of an unauthorized party, often obtained through the use of a worm or a Trojan horse that exploits some system vulnerability. (Box 2.3 describes botnets in greater detail.)

Botnets are one of the most pernicious Internet security problems today (that is, in mid-2007). For example, Symantec reported that in the first 6 months of 2006, it identified 6,337 command-and-control servers (i.e., botnet controllers) and 4,696,903 individual computers that had been compromised (“zombied”) at some point during that time period.29 Some reports indicate that approximately 250,000 new compromises occur daily, although this figure includes a large number of compromises occurring on previously compromised systems (i.e., a vulnerable computer is likely compromised by multiple botnets).30 David Dagon of the Georgia Institute of Technology has reported that the total number of compromised computers is in the tens or hundreds of millions,31 and the Messaging Anti-Abuse Working Group estimated that in 2006, about 7 percent of all Internet-connected computers (some 47 million) had been compromised.32 The size of individual botnets has grown as well, with some reports suggesting the existence of botnets with as many as hundreds of thousands or even 1.5 million zombies.33

A similarly profound shift is likely as computing becomes increas-

29

Symantec Corporation, Symantec Internet Security Threat Report: Trends for January 06-June 06, Vol. X, September 2006; available at http://www.symantec.com/specprog/threatreport/ent-whitepaper_symantec_internet_security_threat_report_x_09_2006.en-us.pdf.

30

Rick Wesson, “Abuse and the Global Infection Rate,” presentation at Defcon, August 14, 2006; more information is available at http://www.defcon.org/html/defcon-14/dc-14-speakers.html.

31

David Dagon, “The Network Is the Infection,” available at http://www.caida.org/projects/oarc/200507/slides/oarc0507-Dagon.pdf.

32

Byron Acohido and Jon Swartz, “Malicious-Software Spreaders Get Sneakier, More Prevalent,” USA Today, April 23, 2006; available at http://www.usatoday.com/tech/news/computersecurity/infotheft/2006-04-23-bot-herders_x.htm.

33

In late 2005, a man was indicted by a federal grand jury on charges that he had compromised nearly 400,000 Windows computers (see Robert Lemos, “Suspected Bot Master Busted,” SecurityFocus, November 3, 2005; available at http://www.securityfocus.com/news/11353). Also in late 2005, Dutch prosecutors alleged that three suspects had compromised 1.5 million computers as part of a worldwide botnet (see Toby Sterling, “Dutch Say Suspects Hacked 1.5M Computers,” Associated Press newswire, October 20, 2005; available at http://www.usatoday.com/tech/news/computersecurity/2005-10-20-dutch-hack_x.htm).


BOX 2.3

On Botnets

Botnets (also known as zombie-nets) are collections of compromised computers that are remotely controlled by a malevolent party. A compromised computer is connected to the Internet, usually with an “always-on” broadband connection, and is running software introduced by the malevolent party. Malevolent software can be introduced through a number of channels; they include clicking on a link that takes the user to a certain Web page, downloading an attachment that executes a program, forcing entry into a computer through an unprotected port (e.g., one typically used for file sharing across the Internet), and so on. Using up-to-date security software such as antivirus programs and firewalls helps to reduce the threat of such “malware,” but today most personal computers—even protected ones—are at least somewhat vulnerable to such threats.

An individual compromised computer (a zombie or a bot) can be used for many purposes, but the threat from botnets arises from the sheer number of computers that a single malevolent party can control—often tens of thousands and as many as a million. (Note also that an individual unprotected computer may be part of multiple botnets as the result of multiple compromises.) When the zombied computers are connected to the Internet through broadband connections, the aggregate bandwidth of the botnets is enormous (e.g., a small botnet of 1,000 zombies times a 300 kilobit Digital Subscriber Line connection is 300 megabits per second). A further property of botnets is that they can be controlled remotely by an adversary, which means that the apparent perpetrator of a hostile act is a zombie computer—making it difficult to trace a hostile act to its initiator. Indeed, an adversary may be located in a nation other than the home country of the zombies.

Typically, an adversary builds a botnet by finding a few machines to compromise. The first hostile action that these initial zombies take is to find other machines to compromise—a task that can be undertaken in an automatic manner. But botnets are capable of undertaking a variety of other actions that have significant impact on the botnet operator’s target(s). For example, botnets can be used to conduct the following actions:

  • Distributed denial-of-service attacks. A denial-of-service attack on a target renders the target’s computer resources unavailable to service legitimate requests by requesting service itself and blocking others from using those resources. But if these requests for service come from a single source, it is easy to simply drop all service requests from that source. However, a distributed denial-of-service attack can flood the target with multiple requests from many different machines, each of which might, in principle, be a legitimate requester of service.

  • Spam attacks. Botnets can be used to send enormous amounts of spam e-mail. Since spam is illegal in many venues and is regarded as antisocial by most, it is in a spammer’s interest to hide his or her identity. Some botnets also search for e-mail addresses in many different locations.

  • Traffic-sniffing attacks and key-logging. A zombie can examine clear-text data passing by or through it. Such data might be sensitive information such as usernames and passwords, and it might be contained in data packets or in various input channels, such as the keyboard channel.

  • Click fraud. A great deal of advertising revenue comes from individuals clicking on ads. A botnet can easily be used to generate a large volume of clicks on ads that do not correspond to any individual’s legitimate interest in those ads. Further, because each zombie appears to be legitimate, it is difficult for the party being defrauded to know that a botnet is being used to perpetrate click fraud.

  • Probes. It is widely reported that only a few minutes elapse between the instant that a computer attaches to the Internet and the time that it is probed for vulnerabilities and possibly compromised itself. Without botnets in operation, finding open and vulnerable machines would be a much more difficult process.

  • Acting as hosts for information exfiltration. Botnets could be used as recipients of clandestinely gathered information—a kind of “dead drop” for Trojan horses planted to gather information secretly that mask the ultimate destination of such information.
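The contrast drawn in the distributed denial-of-service item above, as an added example that is not part of the original report: a per-source drop rule stops a single-source flood but admits a distributed flood whose zombies each send at a legitimate client's rate, while a per-window count of distinct sources still exposes the anomaly. All addresses, rates, limits, and function names are constructed assumptions.

```python
from collections import Counter, defaultdict

PER_SOURCE_LIMIT = 20   # assumed: most requests one source may send per 1 s window
CAPACITY = 500          # assumed: requests the server can answer per window
WINDOWS = range(5)      # five 1-second windows; the flood starts in window 2
ATTACK_START = 2


def legit_clients():
    """Constructed baseline: 50 clients, 2 requests per window each (100 req/s)."""
    return [(w, f"198.51.100.{c + 1}")
            for w in WINDOWS for c in range(50) for _ in range(2)]


def single_source_flood():
    """Constructed flood: one source sends 2,000 requests per window."""
    return [(w, "203.0.113.7")
            for w in WINDOWS if w >= ATTACK_START for _ in range(2000)]


def distributed_flood():
    """Constructed flood: 1,000 zombies send 2 requests per window each.
    The total is the same 2,000 req/s, but every zombie's rate equals
    that of a legitimate client."""
    return [(w, f"10.0.{z // 250}.{z % 250 + 1}")
            for w in WINDOWS if w >= ATTACK_START
            for z in range(1000) for _ in range(2)]


def per_source_filter(events, limit=PER_SOURCE_LIMIT):
    """Drop every request from a source that exceeds `limit` in a window.
    Returns (admitted events, set of sources that were dropped)."""
    counts = Counter(events)  # (window, source) -> number of requests
    blocked = {src for (_, src), n in counts.items() if n > limit}
    admitted = [ev for ev in events if counts[ev] <= limit]
    return admitted, blocked


def overloaded_windows(events, capacity=CAPACITY):
    """Windows in which the admitted load still exceeds server capacity."""
    load = Counter(w for w, _ in events)
    return sorted(w for w, n in load.items() if n > capacity)


def aggregate_alarm(events, baseline_windows=(0, 1), factor=3):
    """Windows whose number of distinct sources exceeds `factor` times the
    largest count seen in the baseline windows. This flags the flood but
    does not say which sources are zombies."""
    sources = defaultdict(set)
    for w, src in events:
        sources[w].add(src)
    baseline = max(len(sources[w]) for w in baseline_windows)
    return sorted(w for w in sources if len(sources[w]) > factor * baseline)


def evaluate(events):
    """Run the per-source rule and the aggregate check over one traffic mix."""
    admitted, blocked = per_source_filter(events)
    return {
        "blocked_sources": len(blocked),
        "overloaded_after_filter": overloaded_windows(admitted),
        "source_count_alarm": aggregate_alarm(events),
    }


if __name__ == "__main__":
    print("single source:", evaluate(legit_clients() + single_source_flood()))
    print("distributed:  ", evaluate(legit_clients() + distributed_flood()))
```
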

Botnets would be (and are) a logical vehicle of choice for many malevolent parties. Botnets can be dormant for a long time before being activated. Once activated, the botnet owner or operator can stay in the background, unidentified and far away from any action, while the individual bots—mostly belonging to innocent parties—are the ones that are visible to the party under attack. And botnets are highly flexible, capable of being upgraded on the fly just like any other piece of software.

Thus, it is not surprising to see that botnets can be used as the basis of an underground service to unethical end users. A botnet owner could rent the botnet to Party A to send spam, Party B to extort money from an online business, and Party C to sniff traffic and collect online identification credentials. A typical price might be “$0.50 per zombie per hour of use.” Today, it is known that botnets are used for criminal purposes such as cyber-extortion, but the extent to which they are used by terrorists or adversary nations is unknown.


SOURCE: Adapted in part from Honeynet Project and Research Alliance, “Know Your Enemy: Tracking Botnets,” March 13, 2005; available at http://www.honeynet.org.

ingly pervasive and embedded in all manners of devices. These embedded computers are themselves likely to be in communication with one another when they are in range (with all of the security issues that such communication implies). They are also likely to be much larger in number: an ordinary room at home could conceivably contain tens or hundreds of such devices. These developments—pervasive computing and adaptive (dynamic) ubiquitous networked systems—will call for the development of new security models and architectures.

If continued expansion of the use and benefits of IT is to be realized, the information technology systems and networks must be adequately protected. Otherwise, individuals and organizations throughout society will deem it unacceptably risky to increase their reliance on insecure technologies. Even today, cybersecurity issues have not been addressed adequately, and individuals and organizations throughout society find themselves under an increasingly dark and threatening cloud. In short, cybersecurity is increasingly important, both as a pillar of today’s critical computing and communications applications and as an enabler of future advances in computing and information technology.

2.6.2
The Broad Range of Capabilities and Goals of Cyberattackers

The committee believes that a very broad spectrum of actors, ranging from lone hackers at one extreme to major nation-states at the other, pose security risks to the nation’s information technology infrastructure. Organized crime (e.g., drug cartels) and transnational terrorists (and terrorist organizations, some of them state-sponsored) occupy a region between these two extremes, but they are closer to the nation-state than to the lone hacker.34

Attackers have a range of motivations. Some are motivated by curiosity. Some are motivated by the desire to penetrate or vandalize for the thrill of it, others by the desire to steal or profit from their actions. And still others are motivated by ideological or nationalistic reasons.

Today, the most salient cybersecurity threat emanates from hackers and criminals, although there is growing realization that organized crime is seeing increasing value in exploiting and targeting cyberspace. Thus, most cybersecurity efforts taken across the nation in all sectors—both in research and in deployment—are oriented toward defending against these low- and mid-level threats.

Much more work remains to be done to address even these lower-level threats. The state of security practice today is such that even casual attackers can find many vulnerabilities to exploit. The deployment of even quite unsophisticated cybersecurity measures can make a difference against casual attackers. Thus, the cybersecurity posture of the nation could be strengthened if individuals and organizations collectively adopted “best practices” that are known to improve cybersecurity.

The research and development (R&D) activities addressed in much of this report will ultimately lead to significant progress against these low- to mid-level threats. However, against the high-end attacker, efforts oriented toward countering the casual attacker or even the common cybercriminal amount to little more than speed bumps. The reason is that the high-end cyberthreat, as described below, is qualitatively different from other threats.

34

In certain ways, it could be argued that organized crime constitutes a more potent threat than many nation-states do. One reason is that the resources available to organized crime syndicates for supporting cyberthreat activities may exceed those available to a nation-state. A second reason is that the operations of nation-states are often constrained within a bureaucratic context that may be more cumbersome than in a syndicate.

First and foremost, high-end actors usually have enormous resources. Major nation-states, for example, are financed by national treasuries; they can exploit the talents of some of the smartest and most motivated individuals in their national populations; they often have the luxury of time to plan and execute attacks; and they can draw on all of the other resources available to the national government, such as national intelligence, military, and law enforcement services. Organized crime syndicates, such as drug cartels, may operate hand in hand with some governments; when operating without government cooperation, their human and financial resources may not be at the level available to governments, but they are nevertheless quite formidable. State-sponsored terrorist groups by definition obtain significant resources from their state sponsors.

As a result, the high-end cyberattacker can be relatively profligate in executing its attack and in particular can target vulnerabilities at any point in the IT supply chain from hardware fabrication to user actions (Box 2.4). In particular, the resources of the high-end cyberattacker facilitate attacks that require physical proximity. For example, a major nation-state threat raises questions about the nations in which it is safe to design software or to manufacture chips.35

The availability of such resources widens the possible target set of high-end attackers. Low- and mid-level attackers often benefit from the ability to gain a small profit from each of many targets. Spammers and bot harvesters are the best examples of this phenomenon—an individual user or computer is vulnerable in some way to a spammer or a bot harvester, but the spammer or bot harvester profits because many such users or computers are present on the Internet. However, because of the resources available to them, high-end attackers may also be able to target a specific computer or user whose individual compromise would have enormous value (“going after the crown jewels”). In the former case, an attacker confronted with an adequately defended system simply moves on to another system that is not so well defended. In the latter case, the attacker has the resources to escalate the attack to a very high degree—perhaps overwhelmingly so.

It is also the case that the resources available to an adversary—especially high-end adversaries—are not static. This means that for a sufficiently valuable target, a high-end adversary may well be able to deploy

35

Defense Science Board. 2005. High Performance Microchip Supply, Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics, Washington, D.C., February; available at http://www.acq.osd.mil/dsb/reports/2005-02-HPMS_Report_Final.pdf.


BOX 2.4

Possible Points of Vulnerability in Information Technology Systems and Networks

An information technology system or network has many places where an operationally exploitable vulnerability can be found; in principle, a completely justifiable trust in the system can be found only in environments that are completely under the control of the party who cares most about the security of the system. As discussed here, the environment consists of many things—all of which must be under the interested party’s control.

The software is the most obvious set of vulnerabilities. In a running operating system or application, exploitable vulnerabilities may be present as the result of faulty program design or implementation, and viruses or worms may be introduced when the system or network comes in electronic contact with a hostile source. But there are more subtle paths by which vulnerabilities can be introduced as well. For example, compilers are used to generate object code from source code. The compiler itself must be secure, for it could introduce object code that subversively and subtly modifies the functionality represented in the source code. A particular sequence of instructions could exploit an obscure and poorly known characteristic of hardware functioning, which means that programmers well versed in minute behavioral details of the machine on which the code will be running could introduce functionality that would likely go undetected in any review of the code.

The hardware constitutes another set of vulnerabilities, although less attention is usually paid to hardware in this regard. Hardware includes microprocessors, microcontrollers, firmware, circuit boards, power supplies, peripherals such as printers or scanners, storage devices, and communications equipment such as network cards. On the one hand, hardware is physical, so tampering with these components requires physical access at some point in the hardware’s life cycle, which may be difficult to obtain. On the other hand, hardware is difficult to inspect, so hardware compromises are hard to detect. Consider, for example, that graphics display cards often have onboard processors and memory that can support an execution stream entirely separate from that running on a system’s “main” processor. Also, peripheral devices, often with their own microprocessor controllers and programs, can engage in bidirectional communications with their hosts, providing a possible vector for outside influence. And, of course, many systems rely on a field-upgradable read-only memory (ROM) chip to support a boot sequence—and corrupted or compromised ROMs could prove harmful in many situations.

The communications channels between the system or network and the “outside” world present another set of vulnerabilities. In general, a system that does not interact with anyone is secure, but it is also largely useless. Thus, communications of some sort must be established, and those channels can be compromised—for example, by spoofing (an adversary pretends to be the “authorized” system), by jamming (an adversary denies access to anyone else), or by eavesdropping (an adversary obtains information intended to be confidential).

Operators and users present a particularly challenging set of vulnerabilities. Both can be compromised through blackmail or extortion. Or, untrustworthy operators and users can be planted as spies. But users can also be tricked into actions that compromise security. For example, in one recent exploit, a red team used inexpensive universal serial bus (USB) flash drives to penetrate an organization’s security. The red team scattered USB drives in parking lots, smoking areas, and other areas of high traffic. In addition to some innocuous images, each drive was preprogrammed with software that would collect passwords, log-ins, and machine-specific information from the user’s computer, and then e-mail the findings to the red team. Because many systems support an “auto-run” feature for insertable media (i.e., when the medium is inserted, the system automatically runs a program named “autorun.exe” on the medium) and the feature is often turned on, the red team was notified as soon as the drive was inserted. The result: 75 percent of the USB drives distributed were inserted into a computer.

Given the holistic nature of security, it is also worth noting that vulnerabilities can be introduced at every point in the supply chain: that is, systems (and their components) can be attacked in design, development, testing, production, distribution, installation, configuration, maintenance, and operation. On the way to a customer, a set of CD-ROMs may be intercepted and a different set introduced in its place; extra functionality might be introduced during chip fabrication or motherboard assembly; a default security configuration might be left in an insecure state—and the list goes on.

Given the dependence of security on all of these elements in the supply chain, it is not unreasonable to think of security as an emergent property of a system, as its architecture is implemented, its code instantiated, and as the system itself is embedded in a human and an organizational context. In practice, this means that the actual vulnerabilities that a system must resist are specific to that particular system embedded in its particular context. This fact should not discourage the development of generic building blocks for security that might be assembled in a system-specific way, but it does mean that an adversary could attack many possible targets in its quest to compromise a system or a network.


SOURCES:

Information on compilers based on Ken Thompson, “Reflections on Trusting Trust,” Communications of the ACM, 27(8): 761-763, August 1984. See also P.A. Karger and R.R. Schell, “Thirty Years Later: Lessons from the Multics Security Evaluation,” pp. 119-126 in Proceedings of the 18th Annual Computer Security Applications Conference, December 9-13, 2002, Las Vegas, Nev.: IEEE Computer Society. Available at http://www.acsa-admin.org/2002/papers/classic-multics.pdf.

Information on USB drive: See Steve Stasiukonis, “Social Engineering, the USB Way,” Dark Reading, June 7, 2006. Available at http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1.

Information on chip fabrication based on Defense Science Board, High Performance Microchip Supply, Department of Defense, February 2005; available at http://www.acq.osd.mil/dsb/reports/2005-02-HPMS_Report_Final.pdf.

additional resources in its continuing attack if its initial attacks fail. In other words, capabilities that are infeasible for an adversary today may become feasible tomorrow. This point suggests that systems in actual deployment must continually evolve and upgrade their security.

A corollary issue is the value of risk management in such an environment. If indeed an adversary has the resources to increase the sophistication of its attack and the motivation to keep trying even after many initial attempts fail, it raises the question of whether anything less than perfect security will suffice. This question in turn raises understandable doubts about the philosophy of managing cybersecurity risks that is increasingly prevalent in the commercial world. Yet, doing nothing until perfect security can be deployed is surely a recipe for inaction that leaves one vulnerable to many lower-level threats.

High-end cyberattackers—and especially major nation-state adversaries—are also likely to have the resources that allow them to obtain detailed information about the target system, such as knowledge gained by having access to the source code of the software running on the target or the schematics of the target device or through reverse-engineering. Success in obtaining such information is not guaranteed, of course, but the likelihood of success is clearly an increasing function of the availability of resources. For instance, a country may obtain source code and schematics of a certain vendor’s product because it can require that the vendor make those available to its intelligence agencies as a condition of permitting the vendor to sell products within its borders.

Concerns about a high-end cyberattacker surfaced publicly in congressional concerns about the Department of State’s use of computers manufactured in China (Box 2.5). Although there is no public evidence that the nondomestic origin of IT components has ever compromised U.S. interests in any way, there is concern that it might in the future, or that such compromises in the past may have gone undetected.

Second, high-end attackers sometimes do not wish their actions to be discovered. For example, they may hope that their adversaries do not gain a full picture of their own capabilities or do not take defensive actions that might reduce their capabilities in the future.36 (See Box 2.6.) In such situations, and unlike a successful hacker who seeks glory and fame in the eyes of his or her peers, the successes of high-end cyberattackers may well never be known outside a very small circle of individuals. A related point is that sophisticated attackers are very well capable of appearing to be less skilled hobbyist-hackers, when in fact they are actually laying the groundwork for future attacks. Put differently, under such circumstances, it might well be surprising to see actual direct evidence of the high-end attacker, since such evidence would likely be masked. Indirect evidence and inference thus become necessary to make the case that such an attacker even exists, even though such a case is necessarily weaker from an evidentiary standpoint.

36

This is not to say that a high-end attacker would never want to be discovered. In some cases, an attacker may find it desirable to leave some evidence behind so that the damage that an attack causes cannot be attributed to an error or a glitch but instead points to the fact that the attacker is present and is a force to be reckoned with.


BOX 2.5

Foreign Sourcing of Information Technology Used in the United States

In March 2006, the U.S. Department of State announced that it would purchase 16,000 Lenovo computers and related equipment for use throughout the department. (Lenovo, Inc., is the Chinese company to which IBM sold its laptop and desktop personal computer [PC] business in 2005. Lenovo was incorporated in Hong Kong but is currently headquartered in the United States, and is reported to have ties to the Chinese government as well.) About 900 of the 16,000 PCs were designated for use in the network connecting U.S. embassies and consulates. In May 2006, and after objections had been raised in the U.S. Congress concerning the use of computers made by Lenovo in a classified network, the State Department agreed not to use Lenovo computers for such classified work.

The use of computers made by a Chinese company for classified work was bound to raise a number of security concerns. But the State Department–Lenovo incident is symptomatic of a much larger issue. As computers and other information technology (IT) systems are assembled with components manufactured or provided by vendors in many nations, even an “American” computer is not necessarily “Made in the USA” in anything but name. Similar concerns arise with software components or applications that have been designed or coded or are maintained overseas but are being used in the United States.

The nations that supply IT components include many—not just China—that might well have an interest in information on U.S. national security or economic matters. In addition, as “American” companies increasingly send some of their work offshore or use foreign citizens in the United States to work on IT, it is easy to see many possible avenues of foreign threat to the integrity of the security of information technology used in the United States.

Of course, the committee also recognizes that threats to the integrity of information technology used by the United States do not emanate from foreign sources alone, and there is no evidence known today that the nondomestic origin of IT components has compromised U.S. interests in any way. But there is concern that compromises might occur in the future, or that such compromises in the past may have gone undetected. (As a saying in the intelligence community goes, “We have never found anything that an adversary has successfully hidden.”)

Third, the high-end cyberattacker is generally indifferent to the form that its path to success takes, as long as that path meets various constraints such as affordability and secrecy. In particular, the high-end cyberattacker will compromise or blackmail a trusted insider to do its bidding or infiltrate a target organization with a trained agent rather than crack a security system if the former is easier to do than the latter. Many hackers are motivated by the fame that they gain from defeating technological security mechanisms (sometimes by social engineering means rather than by technology exploitation).

BOX 2.6

The Silence of a Successful Cyberattack

Given the existence of systemic vulnerabilities and a party with the capability and intent to exploit them, it is important to consider the motivations of such a party. In particular, it is important to ask why a hostile party with the capability to exploit a vulnerability would not do so.

Consider first an analogous situation in the intelligence community. Say that sensitive and important information about Nation A is gathered by (adversary) Nation B from a well-placed but covert source. Under what circumstances might Nation B refrain from using that information against Nation A? The answer depends on the value that Nation B places on protecting the source of the information versus the value it places on using the information at that time. “Protecting sources and methods” is a task of paramount importance in the intelligence community, because many sources and methods of collecting intelligence would be difficult to replace if their existence became known—and thus, certain types of information are not used simply because their use would inevitably disclose the source.

Similarly, in the shadowy world of cyberthreat and cybersecurity, a hostile party with the capability to exploit a vulnerability might be well advised to wait until the time is right for it to launch an attack. In fact, one might well imagine that such a party would conduct exercises to probe weaknesses and lay the groundwork for an attack, without actually taking overly hostile action. For example, such a party might use a virus that simply replicated itself but did not carry a payload that did any damage at all in order to prove to itself that such an attack is possible in principle.

The cybersecurity community knows of incidents (such as rapidly propagating viruses without destructive payloads and the active compromise of many network-connected computers that can be used to launch a variety of distributed attacks) that are consistent with the likely tactics of intelligent hostile parties. And it knows of intelligent parties whose intentions toward the United States are hostile. These factors do not constitute a logical proof of a high-end cyberthreat, but they do underlie the committee’s judgment that the vulnerabilities with which it is concerned are not merely theoretical.

Fourth, the motivation of a high-end cyberattacker is unambiguously and seriously hostile. For example, a high-end cyberattacker may use IT in an attack as a means to an end and not as an end itself for a high-impact attack, much as the terrorists on September 11, 2001 (9/11), commandeered four airplanes to use as weapons. That is, for a high-end adversary, a cyberattack may be most effective as an amplifier of a physical attack.37

37

National Research Council. 2003. Information Technology for Counterterrorism: Immediate Actions and Future Possibilities. The National Academies Press, Washington, D.C.

Fifth, as a military strategy (a point relevant mostly to nation-states), offensive operations in cyberspace—especially against U.S. national interests—may offer considerable advantages for adversaries.38 The United States is, as a nation, far more dependent on information technology than its potential adversaries are, and thus a hostile nation-state might well seek to exploit this asymmetry. Preparations for conducting cyberwarfare can be undertaken with minimal visibility, thus complicating the efforts of the United States to gather intelligence on the scope and nature of potential threats. Finally, in cyberwarfare, the advantages tend to favor attackers over defenders. For these reasons, adversary nation-states are likely to have strong incentives for developing capabilities to exploit weaknesses in the U.S. cybersecurity posture.

How likely is it that a high-end cyberthreat will emerge? Today, it is primarily knowledge of the threat emanating from hobbyists and sophisticated hackers that is widespread and that largely drives present cybersecurity efforts. Losses from these threats are known, though not with any kind of precision, and widespread real-life experience demonstrates their significance to business operations.

By contrast, information about the high-end threat emanating from organized crime and hostile nation-states is not easily available. With a lack of specific information, the high-end threat can be easily dismissed by systems owners and operators as one that is hypothetical and undocumented (at least in a public sense); such owners and operators thus might contend that there is an inadequate business case for the further investments that would be needed to counter the high-end threat. However, some analysts, notably those with access to classified information, assert in the strongest possible terms that the high-end cyberthreat is here today, that it is growing, and that the incidents reported publicly only hint at the severity and magnitude of that threat.39

Although the Committee on Improving Cybersecurity Research in the United States itself contained members with varying views on the seriousness or immediacy of the nation-state threat, the committee as a whole concluded that high-level threats—spawned by motivated, sophisticated, and well-resourced adversaries—could increase very quickly on a very short timescale, potentially leading to what some dub a “digital Pearl Harbor” (that is, a catastrophic event whose occurrence can be unambiguously traced to flaws in cybersecurity)—and that the nation’s IT vendors and users (both individual and corporate) would have to respond very quickly if and when such threats emerged. Therefore, a robust research program that addresses both current and future possible threats driven by the high-end threat is necessary to provide the technological underpinnings of such a response. Moreover, it suggests a research agenda that is necessarily broader and deeper than would otherwise be the case if the threat were known with high confidence to be limited to that posed by hackers and ordinary criminals.

38 Military analysts in the People’s Republic of China are known to be considering such matters. See, for example, L. Qiao and X. Wang, Unrestricted Warfare, 1999, PLA Literature and Arts Publishing House, Beijing, People’s Republic of China; available at http://www.terrorism.com/documents/TRC-Analysis/unrestricted.pdf.

39 See, for instance, Bill Gertz, “Chinese Hackers Prompt Navy College Site Closure,” The Washington Times, November 30, 2006, available at http://www.washtimes.com/national/20061130-103049-5042r.htm; Dawn S. Onley and Patience Wait, “Red Storm Rising: DOD’s Efforts to Stave Off Nation-State Cyberattacks Begin with China,” Government Computer News, August 21, 2006, available at http://www.gcn.com/print/25_25/41716-1.html; and Nathan Thornburgh, “Inside the Chinese Hack Attack,” Time, August 25, 2005, available at http://www.time.com/time/nation/article/0,8599,1098371,00.html.


Given the growing importance of cyberspace to nearly all aspects of national life, a secure cyberspace is vitally important to the nation, but cyberspace is far from secure today. The United States faces the real risk that adversaries will exploit vulnerabilities in the nation’s critical information systems, thereby causing considerable suffering and damage. Online e-commerce business, government agency files, and identity records are all potential security targets.

Toward a Safer and More Secure Cyberspace examines these Internet security vulnerabilities and offers a strategy for future research aimed at countering cyber attacks. It also explores the nature of online threats and some of the reasons why past research for improving cybersecurity has had less impact than anticipated, and considers the human resource base needed to advance the cybersecurity research agenda. This book will be an invaluable resource for Internet security professionals, information technologists, policy makers, data stewards, e-commerce providers, consumer protection advocates, and others interested in digital security and safety.
