Appendix E High-grade Threats
It is impossible to build systems that are guaranteed to be invulnerable to a high-grade threat, that is, a dedicated and resourceful adversary capable of and motivated to organize an attack as an industrial rather than an individual or small-group enterprise. Such activities have historically been conducted by the intelligence-gathering activities of governments and have generally posed a threat to the confidentiality of information. The rapidly decreasing cost of computer resources, the rapid spread of computer technology, and the increased value of information-based assets make it likely that high-grade threats will be encountered from other sources and with aims other than traditional espionage. A high-grade threat is distinguished from the common "hacker" or criminal by the following characteristics:
- The threat has extensive resources in money, personnel, and technology. In particular, the threat is able to construct or acquire, by legitimate or clandestine means, a duplicate of the system under attack. The attack team can then conduct extensive analysis and experimentation without the risk that their activities will alert the administrators of the target system. The attacker may also have more powerful computer resources.
- The threat is patient and motivated. The attack resembles an entrepreneurial enterprise in that the equivalent to risk capital is raised in advance and invested in anticipation of a major future reward. The attack is conducted as a full-time, organized effort with a multidisciplinary staff, each of whom is eager to "break" the system.
- The threat is capable of exploiting a successful attack for maximum long-term gain. In particular, the attacking team is able to take extraordinary measures to keep the existence of a successful attack secret from the target.
- The threat is adept in circumventing physical and procedural safeguards and has access to clandestine technology.
- The threat will deliberately seek the most obscure vulnerability hidden in the darkest corner of the system—on the grounds that this is the one that will permit the maximum long-term exploitation.1
The designers, implementors, and administrators of high-grade countermeasures must begin with the requirement that their system be safe from hacker or criminal attacks and then work to counter the specialized threat of large-scale, long-term, highly covert assaults. Hacker and criminal attacks must be prevented to preclude the high-grade attacker from obtaining "inside information" about the target system from cheap (if short-lived) penetrations and to ensure that the operation of the system is as stable as possible.
The functionality of system elements engineered to high-grade security standards must be even more modest than the functionality that is affordable for elements engineered to withstand hacker and criminal attacks. High-grade countermeasure engineering has traditionally been associated with communications security devices and subsystems; the committee anticipates that it will, in the future, be applied to selected computer security functions such as reference monitors. In particular, this committee does not foresee that it will ever be feasible to apply high-grade countermeasures to a multitude of system elements, since technical advances that benefit the designer of countermeasures often benefit the attacker even more.2 This circumstance has important implications for the system-wide trade-offs that have to be made when a high-grade threat is considered.
The inevitability of "tunneling" attacks has to be taken into account and the analysis and control carried down to the lowest possible layer of abstraction. A tunneling attack attempts to exploit a weakness in a system that exists at a level of abstraction lower than that used by the developer to design and/or test the system. For example, an attacker might discover a way to modify the microcode of a processor that is used when encrypting some data, rather than attempting to break the system's encryption scheme. The requirement that tunneling attacks be anticipated can substantially increase the cost of high-grade countermeasures, because it can preclude the use of offshore components (in the case of national security systems) or components made by commercial rivals (in the case of industrial systems).
A higher emphasis on reliability is required, because a high-grade threat must be assumed to have the ability to monitor system behavior and take advantage of component failures. This raises cost and lengthens the schedule in several ways; for example, adding redundancy increases both hardware and software costs.
Finally, the knowledge that a high-grade threat is waiting to attack a system or component leads developers of high-grade countermeasures to surround their system development with the most extreme forms of secrecy, so as to deny the attacker lead time in analyzing the design and developing attacks.
Because of the extreme cost, short "security life," and difficult tradeoffs associated with high-grade countermeasures, operations that assess a high-grade threat as possible but not likely should seriously consider strategies that focus on recovery from, rather than prevention of, attack.