Critical government, military, and civilian networks have been repeatedly infiltrated to steal our intellectual property and national secrets. So, how do we build a modern, national cyber security policy as we enter into the 44th Presidency? The Center for Strategic and International Studies' report weighed in on this topic, but I think they missed the point in their technical recommendations.
Before I go further, I should introduce myself. I'm Ashar Aziz, FireEye's CEO and founder. I'll be chiming in to write about the big picture security issues that are facing CIO/CISO's, businesses, our national cyber infrastructure, and essentially anyone who does anything on the Internet these days.
UPDATE: This post was much more extensive than I first planned, so here's a short cut to the Recommendations for the 44th Presidency if you're short for time!
Prior to FireEye, I founded a company in the area of datacenter automation and virtualization that became part of Sun Microsystems where I was CTO of the company's N1 program. Before that, I spent a dozen+ years at Sun as a distinguished engineer focused on networking and network security (a bit on my research here).
Recent attacks on United States cyber infrastructures reveal the extent to which both U.S. government and private sector computer networks are vulnerable to intrusion. Below are just three high profile cyber attacks that highlight the threats to our national security.
- Penetration of a power company’s SCADA network handing over control of the power grid
- Intrusions into Pentagon & Central Command computers used by forces in Iraq / Afghanistan
- Theft of Space Shuttle launch plans and over 20 gigabytes of compressed Mission Control data
In addition to the threat against national security, everyone who uses the Internet is at risk to attacks targeting credit card and identity data, which has already resulted in billions of lost dollars due to cyber crime against e-commerce retail and financial services sites. U.S. corporations face online fraud risks as well as attacks targeting their confidential financials, research, and product data.
Given this backdrop, it is encouraging to see that there has been a lot of recent attention paid to the poor state of national cyber security, here in the U.S. and in the rest of the global online community. President-elect Barack Obama’s incoming administration has promised to pay special attention to this national security issue, potentially directly coordinated by the White House.
The major areas of cyber insecurity in the Internet community today are caused by the two related areas of cyber crime and cyber warfare. Cyber crime is a major underground activity, with myriads of illegal business models flourishing. Global cyber crime is a significant and largely un-policed problem costing legitimate businesses billions of dollars both in terms of lost revenue as well as theft of products and services. Meanwhile, cyber warfare is emerging as an effective military tactic to disrupt and disable enemy operations. Take the two recent distributed denial of service (DDoS) attacks on the countries of Estonia and Georgia, which not only cut them off from communicating with the world, but impacted their financial system. Malware intrusions into U.S. Department of Defense computers illustrates that even the United States is not immune to cyber attacks. Cyber warfare tactics are rapidly developing and while its use is still in relative infancy it is time the U.S. took bold action to securing our infrastructure.
CSIS Reports on Cyber Security for the 44th Presidency
The Center for Strategic and International Studies' (CSIS) Commission on Cyber Security for the 44th Presidency recently detailed the magnitude and severity of the cyber security problem. The CSIS commission report highlighted the urgent need for federal government action on cyber security and the organization of government to face this threat head-on.
While I am encouraged by the Commission’s focus on this national security issue, I am disappointed by its technical recommendations to improve U.S. cyber security. In one key recommendation, the Commission advocates widespread use of digital IDs and strong authentication protocols as the main technical thrust for improving cyber security. While strong authentication is always a desirable element in securing computer networks, very significant risks will still remain even if all users of critical infrastructures, military users and even ordinary citizens adopt digital IDs. In focusing on digital IDs, the Commission ignores more comprehensive cyber security initiatives and has gone with a textbook answer to address one basic aspect of overall national cyber security. This textbook recommendation for improving computer network security is dated in today’s threat climate, where criminals actively hunt down valuable digital identity data like credit card Track 1 and 2 data, social security numbers and birth dates. The Commission largely ignores the reality of how cyber crime operates at present and how cyber warfare may be conducted in the future.
The Nexus of Cyber Crime, Cyber Warfare and Stealth Malware
Cyber crime operates today through a pervasive infrastructure created by "stealth malware." Today, stealth malware is the primary method used to infect millions of consumer and enterprise PC systems and organizes them into botnets. Stealth malware does not spread due to weak user authentication on the Internet, but rather spreads due to weaknesses and vulnerabilities in widely used end-system software, such as operating systems, browsers and mainstream applications. It also spreads due to vulnerabilities introduced by human behavior and the inability of a large number of users to understand what constitutes risky online behavior. This human vulnerability is routinely exploited via social engineering tactics. It is common to combine social engineering tactics to exploit software vulnerabilities as well, although both vulnerabilities are also exploited independently in order to spread stealthy malware.
Stealth malware is largely impervious to the use or lack of strong user or device authentication protocols, because it compromises the endpoint software itself. Once an endpoint’s locally running software is compromised by malware, no transaction conducted by that end system is truly secure, even if the end system has digital IDs and uses them in the context of strong authentication protocols. This is because authentication protocols and systems are designed to protect against attacks on network communication channels, not from untrustworthy software running on the end system itself. For example, using a cyber warfare scenario, a test attack on systems that control the power grid used targeted Web malware to infiltrate the power company’s network. Even if the grid operators were using digital IDs and had strong authentication protocols to the SCADA systems that control the power grid, the attack would still have succeeded because the malware would be running on systems trusted to perform access and control of the power grid.
It is stealth malware that poses the greatest risk to U.S. cyber security both in the context of contemporary cyber crime and in future cyber warfare scenarios. This is not a theoretical risk. It is a fully manifested threat, where the vast majority of U.S. corporations, millions of Internet end users, and large numbers of Federal and State entities have systems that are currently compromised and under the control of cyber criminal organizations operating over the Internet from various parts of the world.
These cyber barbarians have successfully penetrated all existing cyber gateways and have performed takeovers of vast swaths of U.S. computing infrastructure, both in commercial and government networks. Any recommendation on improving U.S. cyber security that ignores this pervasive malware infrastructure is ignoring the massive elephant in the room. U.S. cyber security efforts must begin with addressing this pervasive infrastructure of cyber crime, not come back to it as an afterthought!
The CSIS Commission's report acknowledges that a large number of U.S. computers were hijacked to aggregate various botnets run by Russian cyber criminal gangs and used in the cyber attack on Estonia. However, the Commission fails to note that there is no national cyber security surveillance mechanism that would even alert U.S. government authorities that a large portion of the U.S. civilian computing infrastructure is being actively used in the context of a cyber attack on another nation. The same issue arises should U.S. critical infrastructures be targeted in a future cyber warfare scenario. What is the cyberspace equivalent of the surveillance component of NORAD that would give warnings or indications of such a cyber attack? At present, real-time national visibility into the dynamic infrastructure of cyber warfare and cyber crime is virtually non-existent.
The exposure to stealthy malware infections numbers in millions of users every day. Therefore, the risks of cyber crime and cyber warfare due to stealth malware infiltrations measure many orders of magnitude greater than risks due to poor user or device authentication.
The Srizbi Botnet and Worldwide Cyber Crime
In the context of cyber crime, it is worth recounting a recent cyber incident, which illustrates the deep connection between cyber crime and the pervasive stealth malware infrastructure of botnets. FireEye researchers discovered that many of the world’s largest botnets had their control servers hosted at a San Jose-based firm, McColo Corporation. (Prior research posts: McColo hosting W32/Dedler C&C, McColo hosting Srizbi C&C, McColo (still) hosting Rustock C&C, and The McColo/Russia/Rustock connection)
By creating and sharing key findings (see Srizbi & Rustock: Family Feud or Sibling Rivalry? or McColo Hosts Rogue.AntiVirus2009) with the broader Internet community and working directly with members of the press and various ISPs, FireEye provided the proof points to shutdown ISP access to McColo. This included, among other botnets, one of the world’s largest botnets known as Srizbi. FireEye’s technology enabled our malware research team to initiate cyber operations that confirmed McColo’s violations and knock the Srizbi botnet out of commission. During the time that this botnet was out offline, worldwide spam levels dropped more than 50 percent. According to a Washington Post report based on online fraud tracking firm 41st Parameter data, world-wide fraud levels at online retailers also dropped precipitously when this botnet was out of service. This illustrates the deep nexus between stealth malware created botnets and global cyber crime.
Eliminating Software and Human Vulnerabilities: No Easy Near Term Fix
Since malware spreads due to software vulnerabilities, it may be tempting to assume that once these last few pesky software bugs are fixed, there will be no further risk of software vulnerability exploitation by malware and this is just a temporary problem. Therefore, all we have to do is tell the mainstream software companies to start producing secure software products and we can all be done with this problem.
Unfortunately, this would ignore the reality of commercial software development using contemporary software development techniques. It is presently infeasible to develop defect-free software and in particular defects that are classified as serious software vulnerabilities. Therefore the problem of malware exploitable software vulnerabilities is unlikely to disappear any time in the near future.
Nor should the problem of social engineering be underestimated. End user training will help, but this problem also is very difficult to completely eradicate, as social engineering attacks can be devilishly sophisticated and it is difficult to ensure that large numbers of human beings with widely varying levels of technical experience and knowledge will never make mistakes.
The Need for Urgent Action
The U.S. Department of Homeland Security (DHS) has analyzed the very grave effect of major cyber attacks on U.S. critical infrastructures such as the power grid. (CNN.com Video Report) The economic impact of a severe and prolonged power outage is greater than that of the Great Depression. Given the current fragility of the U.S. economy, another major economic jolt to the U.S. economy may make the situation unrecoverable for a very long time. On a more regular basis, cyber espionage efforts most likely sponsored by nation-state rivals on U.S. military and civilian organizations are active and relentless. Internet-based cyber crime is siphoning billions out of an already wounded economy and financial industry. And this situation is not getting better, as cyber criminals emboldened by their successes and ill-gotten gains widen their victim net and increase the sophistication and lethality of their attacks.
Given this serious situation, the 44th President has to provide urgent leadership and a plan to enhance U.S. cyber security. It is imperative that the actions the government undertakes are significant and comprehensive in light of existing 'on-the-ground' realities.
Recommendations for Cyber Security in the 44th Presidency
- Create Cabinet-level Position — Create a Cabinet-level position and team to coordinate national efforts around cyber security. This cyber security team should conduct an immediate review of the state of cyber security of all Federal networks and computer systems, prioritized by the departments with the most classified and sensitive data. Following a Congressional review of the security audit findings, the National Institute of Standards and Technology (NIST) should lead the effort of building a blueprint for securing Federal computing infrastructures against this threat.
- Conduct a Federal Threat Assessment — NIST should create a high priority task force to review the technical requirements for both end point and network-based security to guard federal systems against the threat of stealthy malware and cyber crimes. Any government agency, such as the National Security Agency (NSA), that has the technical capability to assist should also be urgently tasked to participate in the creation of these technical requirements. NIST should facilitate industry participation in the review of these technical requirements. It is imperative that workings of this task force be an open process so that input from all parts of industry and academia can be incorporated.
- Issue Presidential Mandate — All Federal government departments and agencies should be instructed to comply within one year to these NIST-developed anti-malware security standards.
- Strengthen U.S. Cyber Military — There should be a review of the vulnerability of U.S. military’s network to stealth malware attacks. The recent successful infiltration of malware into U.S. military systems around the world illustrates that military networks are quite vulnerable to malware attacks. In a network-centric war fighting paradigm, a vulnerable network can be an Achilles’ heel. All U.S. DoD network security around such stealth malware attacks should be strengthened by inclusion of NIST‘s technical recommendations.
- Protect Critical Infrastructure — Systems that control critical infrastructures, such as utilities, power grids, major financial services and stock trading systems should also be required to comply with the technical standards on protection from stealth malware cyber attacks.
- Develop Certification Process — NIST should create a vendor neutral certification program to rate the ability of different vendors’ products to effectively protect against stealthy malware infiltration. This is important because security vendor marketing is typically in overdrive when it comes to hyping up the capabilities of their products to defend against various cyber threats. Most end users lack the sophistication to put these hyped-up claims to test. A government-sponsored and vendor-neutral certification program will help significantly in cutting through this vendor hype and guide end users to purchase the most effective systems from a security perspective. NIST should continuously update the certification process and the products’ security ratings as the malware and threat climate inevitably evolves.
- Bolster Cyber Law Enforcement — The President-elect should create an organization (either under the FBI or a dedicated Cyber Law Enforcement Organization) to actively combat cyber crime with much greater inclusion of cyber operations as an element of active cyber crime interdiction mechanisms. FireEye was temporarily able to put out of commission one of the world’s largest cyber crime infrastructures (the Srizbi botnet) and that event had an immediate impact on global cyber crime. Cyber operations such as these are more properly coordinated and led by federal and international law enforcement. At present, no law enforcement agency exists that appears to have the charter to lead active interdictions of cyber crime via Internet cyber operations. Law enforcement interdiction activities are currently focused in the physical domain. Cyber-domain activities are primarily focused around post-crime forensic analysis. If a law enforcement organization existed that had the personnel with the appropriate training and the charter to perform interdiction oriented cyber operations, there would be a very significant dent in cyber crime. Techniques, tactics and rules of cyberspace interdiction would need to be developed for law enforcement. This would yield very tangible results in the battle against cyber crime.
- Build Cyber Space Situational Awareness — The U.S. government should create a global cyber security situational awareness system to provide ongoing and real-time surveillance and insights into attacks in the cyber domain. There is a challenge in the design and construction of such a system. The challenge is the tension between government initiated surveillance and data monitoring and the right to privacy that is afforded to U.S. citizens. This right to privacy essentially limits what government authorities can or cannot monitor, especially in ISP networks that route traffic to corporate and residential users. However given the appropriate technical architecture, the description of which is beyond the scope of this article, it should be possible to design a system that does not compromise U.S. citizens’ right to privacy and a U.S. government surveillance and warning capability that has real-time insight into the stealth malware infrastructure of cyber crime and cyber warfare. Such a real-time situational awareness infrastructure would be beneficial for both law enforcement and U.S. military needs.
- Secure Private Infrastructure — U.S. corporations, especially government contractors, risk divulging sensitive financial data and intellectual property risking national security as well as massive economic disruptions. By infiltrating private networks, attackers have gained classified product plans, quarterly financial results prior to the general public, and other sensitive data. Therefore, in order to safeguard their internal information, all U.S. companies should be required to comply with NIST developed standards for enterprise security from cyber criminal stealth malware attacks.
- Involve Internet Service Providers — ISPs (and Network Service Providers) should be required to provide protections to consumers from the threat of malware infiltrations and associated cyber crimes. Specifications should be developed for ISP oriented anti-malware systems that prevent ISP customers, such as residential end users, from malware infections. Providing free antivirus to ISP customers has proven insufficient to protect against stealth malware, because contemporary malware has a large degree of resistance to detection by antivirus technology. Therefore this ISP specification should be geared to solve the contemporary problem of stealth malware and botnets.