As part of my research for the International Studies Association (ISA) conference in March (see here) I have been looking into issues, technologies, and metric data on cyber security issues. The results are, for the common person, terrifying, and for the more informed person, still disturbing.
Trending data provided by Verizon shows that the overwhelming majority of attacks are focused in the retail sector. 55% of reported data breaches came from retail or food and beverage industries. Interestingly enough, there is relatively little activity in the financial sectors, although Verizon does point out that this may be due to the financial sector generally having stronger controls in place to protect data than the retail sector does.
See the full documentVerizon 2010 Data Breach Report (PDF)
Richard Clarke reports in his new book ‘Cyberwar’ (Amazon) that governments are most certainly not immune to these attacks either, although they are a smaller portion of the total cyber attacks numbers. He points to Russia using DDoS (Distributed Denial of Service) attacks to shut down Georgian critical infrastructure when invading the country, preventing the Georgian military, economy, and government from responding.
Asymmetricthreat.net, through CACI, has provided another report point the finger at China as the party responsible for repeated high level coordinated Cyber attacks which either have attempted to or have in the past cracked secure systems.
These documents are just some of the papers and websites which I have been looking through, and yet already, the disturbing outline has developed. ARPA net, the original incarnation of the internet, was created to serve as a network where the users had implicit trust agreements with each other. That is no longer the case. As the network grew and technology advanced, the basic idea of anonymity remained. It became far easier to for users intent on malicious activity to engage in such activity without giving away their identity.
While there are many merits to the argument for maintaining cyber anonymity as a necessity – for protection of individuals from unnecessary snooping, for those government activities which are necessary but must be deniable, for whistleblowers (i.e. wikileaks) – as well as others, there still remains some point which the argument for identification of malicious intruders remains. There should be a method to backtrack an identity in a case of known security breaches, and there should be a way to punish those who engage in illegal activities. But when we delve into that issue, it is a lot murkier than expected.
The first is that hackers have gotten very good at using layers of activity to mask their activities. If one were to take a quick look into things such as the TOR network, you can see why backtracking is such an issue. Other problems include ISP borders – the digital ‘land’ where one ISP’s network ends and the other begins. ISPs would need to organize instant coordination methods in order to effectively track cyber criminals, something which is very possible, but still needs to be done. State boundaries also have to be considered – can and should the US prosecute a cyber criminal based in China or Russia, or should those people be accountable to their own governments. Would their own governments even prosecute them (the likely answer is no, they would be offered jobs).
Couple those issues with the fact that many vulnerabilities in data systems are not known until they are exploited (either internally by a firm’s risk management team, external contractors, or malicious attackers), then one can begin to see the scope of the problem which the cyber landscape faces.
Some of the most important efforts to combat the problems of cyberspace are happening currently, and they are promising. ICANN has been working on IPv6 and DNSSEC deployment, the Black Hat Abu Dhabi conference just wrapped up with Dan Kaminsky, a renowned researcher, releasing phreebird – an easy DNSSEC deployment tool, NIST and the GAO are releasing ongoing reports on creating standards and highlighting successes and failures, and private firms and researchers across the globe are developing solutions to the growing pile of cyber security problems.
While these developments are all indeed promising, what remains is the actual implementation.
- Dan Kaminsky Releases Phreebird for Easy DNSSEC (circleid.com)
- NYIT Combats Worldwide Security Issues at Cyber Security Conference (eon.businesswire.com)
- Australian military network faces rising cyber attacks (topinews.com)
- State-Sponsored CyberAttacks Expected To Rise (it.slashdot.org)