Cyberterrorism

Deterrence and preemption have been a part of our national security strategy to deal with cyber attacks since the 1950’s; to what extent can we now rely primarily on these two doctrines to secure our nation against the sophisticated cyber threats we face each and every day?

According to a recent report published by the Cyber Secure Institute titled: Cyberwarfare and Cyberterrorism: The Need for a New U.S. Strategic Approach, these strategies are not well suited for today’s digital world. Furthermore realities of the cyber realm undermine the credibility of response. Modestly sophisticated cyberattacks leave almost no trace, no return address. Most cyberattacks today utilize networks of bots from around the world.

The 2010 Quadrennial Defense Review
represents an important step toward fully institutionalizing the ongoing reform and reshaping America’s military – shifts that rebalance the urgent demands of today and the most likely and lethal threats of the future.

For the first time this QDR places the current conflicts at the top of the Department’s budgeting, policy, and program priorities. The QDR recognizes the need to prepare for a broad range of security challenges on the horizon while keeping priorities in line with the lessons learned and capabilities gained from the wars in Iraq and Afghanistan.

The Pentagon’s review emphasizes the need for proactive engagement with countries whose military is the only institution with the capacity to respond to a large-scale natural disaster.

The QDR highlights the following responsibilities and objectives (Additional information on each is provided below):

• Defend the United States and Support Civil Authorities at Home
• Succeed in Counterinsurgency, Stability, and Counterterrorism Operations
• Prevent Proliferation and Counter Weapons of Mass Destruction
• Operate Effectively in Cyberspace

McAfee Labs 2010 Threat Predictions

McAfee Labs recently released this report , which “foresees an increase in threats related to social networking sites, banking security, and botnets, as well as attacks targeting users, businesses, and applications.” While the report warns that networking sites will be facing more complicated threats and anticipates Adobe software taking the top spot for targeting by cybercriminals, it also predicts more successes in the struggle against all types of cybecrime.

McAfee Labs has released a number of technical white papers, which can be found here.

Cybersecurity: Continued Efforts Are Needed to Protect Information Systems from Evolving Threats

According to this latest Government Accountability Office (GAO) report, “Pervasive and sustained cyber attacks continue to pose a potentially devastating threat to the systems and operations of the federal government. In recent months federal officials have cited the continued efforts of foreign nations and criminals to target government and private sector networks.” Additionally, “terrorist groups have expressed a desire to use cyber attacks to target the United States.”

The GAO examined cyber threats to federal information systems and cyber-based critical infrastructures, control deficiencies at federal agencies that make these systems and infrastructures susceptible to cyber threats, and opportunities that exist for improving federal cybersecurity.

In a new report, the Government Accountability Office (GAO) has called for a reassessment of the current sector-specific DHS Cyber Infrastructure Protection planning approach, which "leaves the nation in the position of not knowing precisely where it stands in securing cyber critical infrastructures."

From the report: "The nation's critical infrastructure sectors (e.g., energy, banking) rely extensively on information technology systems. [...] GAO was asked to determine the extent to which sector plans have been updated to fully address DHS's cyber security requirements and assess whether these plans and related reports provide for effective implementation."

Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation

The U.S.-China Economic and Security Review Commission recently commissioned the Northrop Grumman Corporation to produce this document as an investigation into the capability of the People's Republic of China to conduct cyberwar and computer network exploitation on U.S. systems.

"The government of the People’s Republic of China (PRC) is a decade into a sweeping military modernization program that has fundamentally transformed its ability to fight high tech wars. The Chinese military, using increasingly networked forces capable of communicating across service arms and among all echelons of command, is pushing beyond its traditional missions focused on Taiwan and toward a more regional defense posture. This modernization effort, known as informationization, is guided by the doctrine of fighting 'Local War Under Informationized Conditions', which refers to the PLA’s ongoing effort to develop a fully networked architecture capable of coordinating military operations on land, in air, at sea, in space and across the electromagnetic spectrum."

Cyberdeterrence and Cyberwar

The RAND Corporation has just published this report on cyberwar and cyberdeterrence which it prepared for the U.S. Air Force.

"Future wars are likely to be carried out, in part or perhaps entirely, in cyberspace. It might therefore seem obvious that maneuvering in cyberspace is like maneuvering in other media, but nothing would be more misleading. Cyberspace has its own laws; for instance, it is easy to hide identities and difficult to predict or even understand battle damage, and attacks deplete themselves quickly. Cyberwar is nothing so much as the manipulation of ambiguity. The author explores these in detail and uses the results to address such issues as the pros and cons of counterattack, the value of deterrence and vigilance, and other actions the United States and the U.S. Air Force can take to protect itself in the face of deliberate cyberattack."

DHS Secretary Janet Napolitano today kicked off National Cybersecurity Awareness Month October 2009 by announcing DHS' new authority to hire Cybersecurity Professionals over the next three years to promote the agency's mission to protect the nation's cyberinfrastructure, systems, and networks. Here are some additional resources for the cybersecurity professional or the public in general to begin the celebration of this event:

See the DHS sponsored U.S. Computer Emergency Readiness Team (US-CERT).

Visit the National Cyber Security Alliance website.

Access the Multi-State Information Sharing and Analysis Center (MS-ISAC).

And don't forget the NIST Computer Security Resource Center, the nation's premier cyber security research organization.

Please also re-visit the President's Cyberspace Policy Review.

Do you work in law enforcement? If so, for the cost of transportation alone, you can enroll in a Department of Justice-funded training course on cyber security and digital evidence handling. The Mississippi-based National Forensics Training Center provides meals and lodging to students free of charge.

Small Business Information Security: The Fundamentals

"In the United States, the number of small businesses totals to over 95% of all businesses. The small business community produces around 50% of our nation's Gross National Product (GNP) and creates around 50% of all new jobs in our country. Small businesses, therefore, are a very important part of our nation's economy. They are a significant part of our nation's critical economic and cyber infrastructure. Larger businesses in the United States have been actively pursuing information security with significant resources including technology, people, and budgets for some years now. As a result, they have become a much more difficult target for hackers and cyber criminals. Consequently, the hackers and cyber criminals are now focusing their unwanted attention on less secure small businesses. Therefore, it is important that each small business appropriately secure their information, systems, and networks. This Interagency Report (IR) will assist small business management to understand how to provide basic security for their information, systems, and networks."