In his book, Cyberwar, former US presidential adviser on cybersecurity Richard Clarke lays out the case for militarisation of the net. He points to conflicts in Estonia and South Ossetia where conventional attacks coincided too closely with the cyber attacks to be coincidence. And in North Korea, a country with scarcely a power grid, he says there are 1000 military hackers.
And then there’s Stuxnet, a suspected Israel-US operation to knock out Iran’s nuclear program.
How prepared is Australia for all-out cyberwar?
James Turner, IBRS: Considering the experiences we've seen over the past 18 months – Stuxnet, Project Aurora, WikiLeaks – what are the implications for Australia and what can we actually do?
Graham Ingram, AusCERT: I’d like to get an awareness of the size of the problem. Unless you’ve identified and accepted that this is where you’re at, it’s very hard to fix.
Keith Price, AISA: This is a never ending universe. There’s always something new – we saw companies such as RSA, who make encryption products, get breached.
Loke-Yeow Wong, ArcSight/HP: I spent the first 10 years of my career with end-users, taking care of security for companies, and the most recent eight years as a vendor. Hopefully I can take back ideas.
Eric Byres, Tofino Security: As a Scada [supervisory control and data acquisition] engineer, what can we do to make these systems work for people in the trenches? I’m interested in ways to solve what is a pretty serious issue.
Marcus Sachs, Verizon: Cyberspace, while it’s man-made, is not optimised for warfare and the question is do we want it to be or is it better optimised for economic value, which hopefully is the latter of the two? The two may coexist but it would be better if we chose.
Alastair McGibbon, Surete: What are the social policy and military issues of cyberwar? Whether it’s a tool used by nations and others, there is a threat.
Tim Scully, Stratsec/BAE: Industry is the force to make a difference in cyber security in Australia. Government has a critical role but it can’t do what needs to be done. And it’s time to wrest cyber security from techies.
Brendan Griffin, Bank of Queensland: We need the internet to be consistent and have integrity, and the recent events of the RSA breach bring that into question. What components of the internet infrastructure can we continue to rely on, or where do we start to lose that trust?
Darren Pauli, SC Magazine: I’d like to be personally convinced that cyberwar is real or is it a fallacy?
Hugh Njemanze, ArcSight/HP: Many of our customers are government agencies and financial institutions and the oil industry who are concerned about Scada; so that’s about 80 percent. We have been working with them for 10 years and we’re very interested in what works for you, what doesn’t work, what you see as the gaps to be addressed by vendors, how can you improve your confidence about what you’re up against. We have ideas about how to make it easier, for example, for agencies to collaborate. It’s easy to deploy tools to security organisations knowing you can never be bulletproof but the challenge is, I have information, other agencies have information, and we can’t share because we’re not used to opening our kimonos. There is a lot of risk and vulnerability in sharing information but if we could be more confident while sharing information that would change.
JT: Alastair, what’s your take on the implication for Australia, where the purpose for the internet has shifted from where it was used for research to discovering e-commerce to becoming the battlefield?
AM: It’s a realisation that the internet is a reflection of society and humanity. We must have the same level of trust online as we do offline and prepare for failure because it is inevitable. If we are nations engaged in this behaviour – and every one does it, whether it’s eavesdropping or more aggressively – we need to understand what the consequences of our actions are.
MS: WikiLeaks has changed the rules. We used to think of information as something to be put in different places behind firewalls on separate machines accessed by those with clearances. But how to communicate, knowing adversaries are in the middle watching and there’s nothing you can do?
GI: I don’t believe cyber warfare exists but it’s on the drawing board. I’ve thought of it as offensive but I’m starting to see what happens when government defends these changes to block, stop, try to prevent it. But who are you defending it from – your citizens?
MS: Cyberspace is man-made, which means it’s man-changeable. Do we want it to be a domain for war? We can optimise protocols for offence, defence. We could build it where you can’t have conflict but you could have e-commerce or social exchange. Our generation sits where we can make that choice because we are at the beginning of cyberspace and what we want it to be.
JT: How feasible is it though to say, right, we’re a commerce-only zone, no warfare is going to happen here?
MS: That’s one of the biggest problems because there are political forces that want it to be a conflict area.
HN: So if that’s a continuum, where do you think we are now?
MS: In the middle because we haven’t thought about what we want this to be?
HN: Which direction is it going?
MS: Towards the conflict side – because of political overtures.
HN: Are there going to be specific changes?
MS: In militarising it? We’ve already had a few examples – Stuxnet, WikiLeaks. While I don’t like to point to Georgia and Estonia as being warlike, others do.
HN: Right, but those seem like specific abuses of the system, not someone reshaping the system. Are there things happening that will change the system?
MS: BGP redirection – hijack a route or hijack a country and bring all that information cell by cell, filter it, change it, give it all back, change the TTLs so you don’t see that it happened. We know that, we see that happening.
JT: China did it recently, didn’t they?
MS: Yes, they did, so have other countries – China gets caught at it.
HN: Has the political climate enabled more of this so it can’t happen?
MS: Correct – because we don’t have the science mindset of how to research thinking of networks to network and to come up with ways to build cyberspace.
GI: It’s always nice to have the battlefield without civilians and out of the cities where the war process slows. On the internet you can’t avoid that; one of the political issues is collateral damage.
MS: What’s very irritating to my friends at Fort Meade is I’ll point out that the internet is private property and can detect evil. If a nation is warlike, machines detect it as crime and we know about it. The private sector can prevent countries from conducting cyberwar – where else does that ever happen?
TS: Information stolen is an aspect of computer-network operations, or cyber warfare – so computer-network defence, attack where people are denying, destroying, degrading, disrupting a system, and the one we’ve seen for years is exploitation. A concern is funds given to government are weighted to the Defence Signals Directorate.
AM: The only ones in the debate are very well-funded defence and intelligence establishment, who hijacked it, and/or IT security people. And yet it’s a social and a policy issue and we failed
GI: Is cyber warfare declared or a guerrilla war and espionage, the Cold War that’s on the internet?
TS: If government builds an armed force it will prepare for war even though it might not happen for 20 years. Is computer-network exploitation or cyber espionage warfare? No. Has warfare been engaged? Yes – Estonia, Georgia. The second or third time Estonia was attacked it got over it by rerouting to US servers. But if we focus on cyber warfare it will be the militaries of the world that dominate the internet.
GI: The Estonian defence people didn’t get involved because they didn’t know what to do. It was the ISP CERTs that brought Cisco in. The military is fighting network engineers defending companies’ profits. Network engineers around the world come together and say, “we’re going to stop it”.
EB: Stuxnet probably was an offensive worm, if what everybody guesses or assumes that it was directed at the towns on the nuclear site; it was an alternative to a cruise missile. I’m not sure we don’t have some low-level undeclared warfare going on right now.
Nate Cochrane, SC Magazine: In the Antarctic Treaty, it was decided this area was too precious in which to fight. But it would be obvious there’s a war going on, there’s no deniability in that battlefield. Should there be a treaty denying weaponisation or militarisation of cyberspace and does the deniability of fighting a war online make such a treaty almost impossible to police?
MS: The 1648 Treaty of Westphalia agreed that wars will be conducted between nations. Since then, we’ve had three generations of warfare. The first was the Napoleonic Wars; second gen took us to WWI. Fourth-gen warfare says we go back to a pre-Westphalia era, such as terrorism. Does the internet optimise fourth-generation warfare, can you have stateless actors who don’t belong to the military, conducting themselves as though they are the same as a nation? I think that’s where we’re going. It could be individuals, clubs, terrorist groups. Nations with militaries will have no role to play.
HN: Or their role might be to blend in with the rabble-rousers.
MS: Their role will be to find relevance and continue to say, “Me too, me too, cyber warfare includes us” but it doesn’t.
GI: But don’t you also think at the moment one of the focuses of the military defence and national security is to secure the internet?
MS: So that it can still belong to the countries, to end up a third-gen Westphalia war. They don’t want to give it up to a fourth generation stateless war.
TS: To secure economic viability, our right to speech, vote, choice, all that sort of stuff, you have to secure the national security elements.
GI: National security doesn’t usually involve outsiders – how do you have that approach when what you’re securing is not owned by government but it now says those ugly, dirty things that enterprise are running, you are responsible for securing those for national security.
TS: When I was in the DSD, a government agency I put on a pedestal had three in their IT security team: two in HR and a passionate CIO with the ear of the department secretary.
NC: Brendan’s our banking expert here – how does it work in your shop?
BG: I’m interested in this theory any government agency keeps the service pure for its intention. I don’t buy that argument from what we’re seeing. GovCERT, AusCERT, there are services out there to provide information but there’s a conflict of interest between DSD, the US agencies and their strong desire to take an offensive stance against the likes of Wikileaks and the information they published. I’m yet to see the information and support coming from those agencies that says we’re about keeping this service pure and protected, rather than we’re serving the national interest first.
KP: It’s about control. Cyber warfare is an overdone term used by a very few. I see parallels to the Cold War where we had to invent the Gulf of Tonkin incident. You see Verizon working with the US Government so that you can [eavesdrop] any conversation and that's scary.
AM: We’re talking as if the nation state is the evil one, and can I say the corporates haven’t always stood or walked in lightness themselves. So there is a role to play for good government.
TS: The Attorney-General and CERT Australia has a pittance compared to Defence and they’re out there engaging with industry and with the public. The Department of Broadband Communications has no funding and they’re the ones who touch the people in Australia.
GI: Australia’s cyber crime investigators can’t fund investigations, travel to each other – and these are our frontline.
TS: Government is good at marshalling the stakeholders to make something happen – the fires in Victoria, the floods in Queensland. That’s how they should operate in cyber security as well.
NC: What role does government have when critical infrastructure is owned by private interests? Eric, from a Scada perspective, how much guidance do owners of critical infrastructure get from government and does it seek central failings?
EB: Government dabbled in the North American energy field and that was a trainwreck. But in oil and gas, it's thankfully out of the picture and those organisations’ preparedness is better because they’re solely responsible. What Idaho National Labs does is first-class, providing for Scada operators, particularly Tier Two because they are in trouble; they don’t have any concept of risk, never mind cyber risk. Brendan, you said you’re a risk officer – there are companies that wouldn’t even know what that is.
GI: When I visited Marcus I saw the Telecom ISAC [Information Sharing and Analysis Centre]. During the Cuban missile crisis President Kennedy directed military, government and industry work together to secure the US communications system. That is the closest I’ve seen to a true collaboration and where we need to go – government should be about protecting systems and citizens.
DP: Brendan, how much assistance do you get from government to secure your systems and customers?
BG: I interviewed 12 water and transport operators in Victoria this time last year, just before Stuxnet, and they weren’t talking to each other or government. Until there was an incident, they weren’t willing to talk about it. We don’t share information, we don’t trust anyone and I think sharing is the most valuable tool we have.
TS: US agencies are very open about saying, “Yeah, we got hacked and this is what happened to us”. A company is not going to say that because of their reputation, the impact on their competitiveness. It gets to the point about legislation.
MS: Each US state has its own laws about breach reporting – so for companies that operate nationally it’s confusing: whose law do you follow and if you’re running a cloud where is that? The White House proposed to overrule the states. The bigger question is, so what if you report a breach? That’s fine if customers get notified but does that make you secure or does it get us any closer to catching criminals? The answer to both of those is no.
NC: In Australia, because we have no mandatory disclosure, it’s very difficult even to get people to admit to a breach. We often find out an Australian company was breached because they have an overseas presence that discloses it.
MS: Kennedy set in motion the linking of telephone networks between the US and USSR so the leaders could talk in time of crisis. Then IBM wanted to link its mainframes and that set the groundwork for the internet. The Russian state-owned phone company and the private US carrier had to agree on connections and the governments to logistics of tolling calls, charging and diplomacy. I’m vice chair of the Communications Sector Coordinating Council; we have private-sector people embedded with offices inside the Federal Government where they work face-to-face.
JT: How long did it take to set up?
MS: Forty years, but we have not evolved it to the internet. Does it now involve PC makers, banks, infrastructures? Having senior private sector people working physically inside government works for telecom but will it work for the internet? That is to be seen.
EB: Is it the internet or each of the sectors as well?
MS: Perhaps financial services are similar but we don’t see them embedded with Treasury. There’s a desire to have government network operators, technical people, on ad hoc forums but that doesn’t happen.
JT: So is there cyber war, yes or no, depends on how you define it. What can Australia do to defend itself? Is it the Government’s job to protect organisations from attacks, whether we call it cyber war or cyber crime?
EB: Australia is a leader in Scada policy; it shows up in meetings like the American Petroleum Institute. So Australia can influence best practices; for the money the US throws, Australia does a better job.
NC: Are there protocols, specifications or methodologies that you can point to?
KP: Idaho National Laboratory sets a lot of standards and guidelines. The National Institute of Science and Technology guidance in the US provides a lot of foundations. Is it because they recognised through their industry assessments there were gaping holes?
EB: You’re referring to Australia – yes. I honestly don’t know why Australia punches far above its weight. But it’s very simple things, like just reporting practices, not complex technology.
AM: Government has stayed out of the cyber crime area; we have to get involved in what role governments should play to protect systems.
JT: When I was in Northern Ireland the IRA was bombing pubs to intimidate people but it required a government response because people couldn’t defend themselves and no organisation would step up.
AM: The motivation of a criminal is financial but politically motivated activities sit on one side.
NC: That’s a Western approach. I’ve been in Russia and sometimes you can’t tell where police and military end and criminal gangs begin – from the beat cop passport scam to the South Ossetian campaign spurring jingoistic actors on your behalf, giving you deniability.
GI: Packets don’t have attribution...
JT: ...Bullets and bombs don’t have attribution, either...
GI: ...governments rely on attribution to determine its responses. Ali Imanat from UK Payments said particularly useful was Britain's £640 million ($980 million) e-crime unit. Britain understands the consequences.
AM: What's embarrassing is the UK had the National High-Tech Crime Unit and they rolled it into Serious Organised Crime Agency. Australia had the Australian High-Tech Crime Centre. You don’t dissolve DSD and start it up again five or six years later with less money. If you call any policing agency today in Australia to report a cyber crime it starts that game of pass-the-parcel.
TS: It’s ridiculous that if it came from a nation it’s up to Defence because you can’t be certain it’s correct. And it’s hard to find out if the bad guy is on your system and see what they’re exfiltrating because they’re encrypting.
JT: Brendan, what’s the impact on you as a bank when you’re under attack and attribution is the last thing on your mind and you’re going ‘who do we talk to?’
BG: We don’t care if it’s war or crime – we look to our trusted partners because they’ve got the intelligence of what’s happened and until we have honest conversations with other corporations we rely on them.
GI: A law enforcement officer is the only one who can put on a telephone or data intercept, unless it’s certain the Chinese or whoever have done this, or run controlled operations creating false bank accounts and false identities on these organisations.
TS: Police are not going to respond if there’s not a prosecution...
JT: Is that because they don’t have the resources to spread around?
GI: At commissioner level e-crime is seen as a priority and investigators say the same. But at the deputy commissioner level, they ask, how can I say crimes were reduced? Police metrics of success must change. If you saw an operation the AFP recently did – I can’t talk about what it was – but they disrupted operations of the miscreants, shutting down the flow of money.
AM: Law enforcement is a stiff broom that moves crime to a spot that’s away from the rest of us and that’s the attitude law enforcement needs to take when it comes to online crime. But law enforcement hasn't been a powerful lobby because they’ve been dysfunctional internally. And the most likely place for a citizen to go to is their local police – whether it has jurisdiction is neither here nor there.
MS: Everyone wants critical infrastructure to be secure so do you fine them if they’re not or do you build incentives through which they grow into security because it eases their burden?
KP: Government needs either a bigger stick or start having other incentives. The problem we’ve got is a lot of people aren’t even aware of the problem or aren’t making the investments in order to get themselves more secure.
TS: Two or three years ago I was in the camp of no legislation. I ran operations, I wasn’t overly concerned with policy but I got engaged in the policy committees and there was a lot of debate about regulation. The ISP Code of Conduct is a classic case...
MS: Thank you for giving us that...
TS: ...An ISP has thousands of endpoints and yet we do nothing to secure them. The I-Code should be regulated. ISPs say it’s too hard but you can do it: when you subscribe to an ISP they give you a security package, you pay for it, but if you don’t update it they cut you off.
MS: Let’s say someone connects to an ISP and they’re massively impacted, we have a choice – allow them to continue on the internet and cause harm or put them in a walled garden until they patch?
GI: Walled gardens would have been a good discussion to have three years ago. Now, the user can’t do anything about malware.
EB: The idea of information sharing and bringing in players with common interests, that’s something that the Commonwealth could do.
AM: Bureaucrats say we’re already doing that, trusted information sharing, and the reality is it is not working; talk to Brendan he says no one really talks to each other.
MS: We look at ISPs as the client connection and the 'core'. If it’s run more securely and economically against another core that isn’t so secure, could you choose as an ISP whose core you run across?
KP: You pay a premium for clean-pipe services from provider A that provider B doesn’t have, so you pay $10 more and they filter them out.
MS: Or if you want a dirty pipe you pay a lot of money; you want a clean pipe you pay less because you’re not getting the filth. But no one's thought of inverting the price structure.
TS: The days that you could provide security at the network are gone because it’s an endpoint problem.
MS: Well, security is not network-centric any more.
GI: No, it’s application and user.
TS: We have a fortress mentality where we throw anti-virus, intrusion-prevention systems, secured our routers etc.
GI: But the Government is saying, to deliver their services we want you to be online. Agencies are bluffing people, saying your transaction is secure because our end-systems, our databases are secure.
AM: I bang on about citizens reporting an issue to an authority because until we know what happened we can’t do anything.
MS: Ask a technician what is the internet, the answer will be wires and switches but ask anyone else, it is Google, Twitter, Facebook and applications. Society is more interested in the content.
BG: Corporations aren’t taking responsibility. You sign up for a Hotmail account these days and it’s still not going over SSL by default.
KP: Directors have a duty of care because their obligation is to be aware of the risks.
GI: We are conditioning users to give more information online and that’s what attackers want.
AM: I have a “Wildebeest Mentality” theory that if I run in a herd lions pick out a few on the edges. But it doesn’t work now: they can pillage as many passwords, credit cards, bank logins as they can get their hands on. Criminals are highly efficient at stripping data but surprisingly inefficient at using it.
NC: The criminal cares more. Look at the PlayStation Network crack. Sony had unpatched, randomly patched servers, some holding credit card data for 10 years, in plain text in the clear, and they just didn’t care. If organisations cared more about the data they’re taking and didn’t just pass it off and leave it on random servers, we’d be better off.
L-YW: If you drive in China or India you notice there are no regulations, everybody just drives how they want. But they don’t have a high volume of accidents, because they’re self-governing. So this notion of individual accountability, endpoint protection is probably the way to go with the internet.
TS: In government, I worried about lions; in industry, my clients just say stop them from getting in.
JT: Predators only start to turn on each other when they’ve started to run out of food. So there’s plenty more feeding yet to happen before the predators start turning on each other.