Systemic cybersecurity risk
![Page 1: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/1.jpg)
Cyber(in)security: systemic risks and responses
Dr Ian Brown
Oxford University
![Page 2: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/2.jpg)
![Page 3: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/3.jpg)
Non-systemic risks
Cyber graffiti: defacement of Web sites for propaganda and bragging
Cyber fraud: so far largely containable within financial system (low $bns)
“Terrorists get better returns from much simpler methods such as car bombs. Cyber terror is too low key: not enough dead bodies result, and attacks are too complex to plan and execute.” (Dr Juliette Bird, NATO)
![Page 4: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/4.jpg)
Cybercriminals and “patriots”
Market participants - custom virus writers, bot herders, mafias
Nation state attacks (Estonia, Georgia) – how far were “patriotic hackers” coordinated by state?
![Page 5: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/5.jpg)
“Pure” cyber war
“The ‘Korean’ cyber incidents … were annoying and for some agencies, embarrassing, but there was no violence or destruction... Cybercrime does not rise to the level of an act of war, even when there is state complicity, nor does espionage – [which] are the activities that currently dominate cyber conflict... Estonia and Georgia … came under limited cyber attack as part of larger conflicts with Russia, but in neither case were there casualties, loss of territory, destruction, or serious disruption of critical services.” (Lewis, 2009: 2—3).
“At best, these operations can confuse and frustrate operators of military systems, and then only temporarily. Thus, cyberwar can only be a support function for other elements of warfare” (Libicki, 2009: xiv—xv)
![Page 6: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/6.jpg)
Cyber espionage/sabotage
TITAN RAIN: Incursions into DoD, German chancellery, Whitehall, NASA, Lockheed Martin…
Google attack aimed at “high-tech information to jump-start China's economy and the political information to ensure the survival of the regime” –James Lewis
“[I] listened and lip-synced to Lady Gaga’s ‘Telephone’ while exfiltrating possibly the largest data spillage in American history” -SPC Bradley Manning
Stuxnet/Flame/DuQu
![Page 7: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/7.jpg)
US offensive operations
231 offensive ops in 2011 – “to manipulate, disrupt, deny, degrade, or destroy information resident in computers or computer networks, or the computers and networks themselves”
$652m project GENIE to place tens of thousands of “covert implants” each year in computers, routers & firewalls – through equipment interception, access, and hacking (TAO)
TURBINE can manage millions of implants for intelligence gathering and active attack
![Page 8: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/8.jpg)
Implants in the supply chain
![Page 9: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/9.jpg)
NSA/CIA/FBI/DoD Trusted Partners
Bloomberg 14/6/13: “Thousands of technology, finance and manufacturing companies are working closely with U.S. national security agencies, providing sensitive information and in return receiving benefits that include access to classified intelligence”
“Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge’s order if it were done in the U.S.”
![Page 10: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/10.jpg)
NSA partners
![Page 11: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/11.jpg)
How can the democracies…
Design and execute strategic responses that carefully target threats, avoiding where possible tactical arms races?
Get the best return on their security investment?
Enhance the soft power potential of the Internet as a platform for democracy?
![Page 12: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/12.jpg)
Strategic goals
Availability & integrity of critical services (CNI)
Protection of confidential information
Manageable levels of fraud
…all in cost-effective form, where costs include inconvenience, enhancement of fear, negative economic impacts & reduction of liberties (John Mueller, The quixotic quest for invulnerability, 2008)
![Page 13: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/13.jpg)
![Page 14: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/14.jpg)
![Page 15: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/15.jpg)
![Page 16: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/16.jpg)
Counter-terrorism and mass surveillance
~5000 Americans surveilled under Presidential Surveillance Programme 2001-2005; led to <10 warrants per year
“[T]here is not a consensus within the relevant scientific community nor on the committee regarding whether any behavioral surveillance … techniques are ready for use at all in the counterterrorist context” –US National Research Council (2008) p.4
“Fifty-four times this and the other program stopped and thwarted terrorist attacks both here and in Europe—saving real lives” -Rep. Mike Rogers
Bulk phone record access “has not played a significant role in preventing any terrorist attacks to this point” -Former Acting CIA Director Mike Morell to US Senate Judiciary Committee
![Page 17: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/17.jpg)
Reducing systemic risk
Isolate critical systems from public Internet and each other, and set much higher security standards
Enhance risk management, robustness and continuity planning in Critical National Infrastructure systems
Use Content Distribution Networks and other load balancing systems to increase performance and resilience of public-facing systems
![Page 18: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/18.jpg)
Redistributing liability
ENISA and UK House of Lords S&T Committee: should liability be shifted to some combination of software vendors, ISPs and financial institutions?
Most software licences disclaim all liability
Intended to incentivise much more secure system engineering (e.g. least-privilege processes, enforced by formally verified security kernel)
![Page 19: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/19.jpg)
Conclusions
Security interventions need to be carefully targeted to minimise costs and maximise long-term RoI
Reducing vulnerabilities and increasing availability is key long-term security response
Liability redistribution is mechanism to force key actors to internalise external costs
New mechanisms needed for verification of security properties of systems
![Page 20: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/20.jpg)
Better security engineering
Least-privilege processes, enforced by formally verified security kernel
Verification of device security before providing network connectivity
Two-factor authentication
Full Disk Encryption esp. for removable media
Perimeter controls to block sensitive data exfiltration
Air-gap most sensitive systems eg SCADA; separate public-facing websites from internal systems
![Page 21: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/21.jpg)
Cross-government action
Fund security R&D with INFOSEC agency participation
Use procurement, licensing and standardisation power to require significantly higher security standards in systems and services
Use diplomacy to pressure state actors behind Russian Business Network, DDoS attacks, classified network incursions etc.
![Page 22: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/22.jpg)
Costs of cybercrime
Ross Anderson, Chris Barton, Rainer Böhme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler Moore, Stefan Savage (2012) Measuring the Cost of Cybercrime, Workshop on the Economics of Information Security:
“while terrorists try to be annoying as possible, fraudsters are quite the opposite and try to minimise the probability that they will be the targets of effective enforcement action.” (p.26)
“we should perhaps spend less in anticipation of computer crime (on antivirus, firewalls etc.) but we should certainly spend an awful lot more on catching and punishing the perpetrators.” (p.26)
“cybercrime is now the typical volume property crime in the UK, and the case for more vigorous policing is stronger than ever.” (p.26)
![Page 23: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/23.jpg)
Strategic impact
Do security systems support or subvert the emergence of democracy in authoritarian states?
Do systems damage the values the “war on terror” is supposed to be defending, e.g. by censoring websites or undertaking warrantless wiretaps?
“Techniques that look at people's behavior to predict terrorist intent are so far from reaching the level of accuracy that's necessary that I see them as nothing but civil liberty infringement engines.” –Jeff Jonas, Chief Scientist, IBM Entity Analytics
![Page 24: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/24.jpg)
Techie mumbo-jumbo
Distributed Denial of Service (DDoS)
Botnets (Secure Computing estimated 150k new zombies per day Q2 2008)
Phishing (spear, rock), pharming
… generally we already see a strong response from CERTs, vendors, ISPs
![Page 25: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/25.jpg)
EU Charter of Fundamental Rights
Art. 7: Everyone has the right to respect for his or her private and family life, home and communications.
Art. 8: Everyone has the right to the protection of personal data concerning him or her.
Art. 10: Everyone has the right to freedom of thought, conscience and religion.
Art. 11: Everyone has the right to … receive and impart information and ideas
Art. 12: Everyone has the right to freedom of peaceful assembly and to freedom of association
![Page 26: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/26.jpg)
Trapping the bot herders?
Extremely difficult to track and successfully prosecute bot herders
Do we need Louis Freeh’s packet license-plates? Better alternatives?
Arrest when extortion demands are paid?
Increase bandwidth to and globally replicate key services using Akamai, anycast and related technologies?
Crowdsourced security (StopBadware)?
![Page 27: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/27.jpg)
Phishing
Symantec alone blocking 8m e-mails daily in 2006
Similar criminal ecology to DDoS - custom virus writers, botnet herders, site operators, spammers, mules
96.6% of attacks are on financial services institutions
Source: Anti-Phishing Working Group May 2007 report
![Page 28: Systemic cybersecurity risk](https://reader034.fdocuments.in/reader034/viewer/2022042606/54784f29b4af9f32408b4a3b/html5/thumbnails/28.jpg)
Taking down the phishers?
Targeted financial services institutions can ask hosts to take down sites
Some hosts still unresponsive
Phishers moving to botnet hosts and more sophisticated frauds (escrow, “sales reps”)
Source: R. Clayton & T. Moore (2007)