Center For Strategic And International Studies archives - IT Compliance Advisor


Nov 2 2009   9:26PM GMT

New rules for cyberwar being defined as cybersecurity risks grow

Posted by: Alexander Howard
United States, International Spy Museum, National security, Center for Strategic and International Studies, cybersecurity, DHS, FISA, Security

James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies, soberly assessed the risks to national security that lie ahead in cyberspace. “It’s primarily an espionage problem,” he said. “This is the easiest way to be a spy that has ever been invented … there’s zero chance of being caught and prosecuted if you’re smart about it.”

Lewis made that observation speaking on a panel at the International Spy Museum in Washington, D.C., held to draw attention to the growing dangers online as National Cybersecurity Month drew to a close.

Citing cyberattacks on Estonia, Lewis, the project director for the Commission on Cybersecurity for President Obama, said he anticipated more advanced attacks in future cyberwars, either by militaries or by non-state entities in the distant future. “All advanced militaries now include cyberattack capabilities.” As he put it, “you can send missiles, commando teams — or you can send hackers. And hackers are much cheaper.”

Lewis believes that those “attacks are not what we have to worry about,” however – it’s “those that disrupt critical infrastructure” that keep him up at night. “The challenge is that the Internet was built for scientists,” he said, which meant that it was built to assume trust. The U.S. has “built an exceptionally insecure environment that our military and economy now depend on.” As a result, Lewis said, “the U.S. is more vulnerable than any other country” because it has put the Internet to the best use for its economy, politics, research and military.

A central challenge in this new operational environment is that “the old Cold War notion of deterrence doesn’t work,” Lewis said. “We’ve put a lot of effort into the offensive side, but it hasn’t helped us on the cybersecurity side.” Reducing the nation’s exposure to cybersecurity risks is also challenging because of the traditional approaches to solving problems on a national scale in the U.S. “Do we wait for the market or wait for something that has a larger role for government,” Lewis asked. It’s difficult to discuss, he said, because “our ideology is to talk about a market solution, but we’re facing competitors who aren’t bound by that.”

There are also legal boundaries that must be considered in the context of new threat vectors and technologies. “The laws that we have to protect civil liberties and privacy were written 20 to 30 years ago,” said Lewis. “In the old days, you couldn’t look at traffic without understanding the content.”

Now, as he observed, the question is “How do you involve DHS? Or NSA? Some of this leads back to the FISA debate. To really defend cyberspace, you need better situational awareness. What we need to know for cybersecurity, you need to look at all the traffic coming into the U.S.” When Lewis asked, however, how many in the audience supported such a move by DHS, few hands went up, reflecting how contentious such monitoring of network traffic remains.


May 1 2009   4:18PM GMT

Cybersecurity trends: Security and compliance aren’t the same thing

Posted by: Alexander Howard
Center for Strategic and International Studies, Security, SANS Institute, McAfee, compliance, Government

When I first blogged about my experience at RSA Conference 2009, I noted that cyberwar, compliance, virtualization and cloud security were key trends at RSA. A week later, I still see that as an accurate statement, but it’s one that fails to capture a shift in the larger context of information security in 2009.

It’s not enough to be compliant anymore; organizations must actually be secure.

Security and compliance officers understand the distinction, of course, but guidance is now coming down from top scientists and, if recent legislation in Washington passes, directly from the federal government. Just read “ICE Act would restructure cybersecurity rule, create White House post” and “Kill-switch bill would add certification, licensing burdens” to see what may be coming down the pike.

I gained perspective on this trend towards actual security, as opposed to rubber-stamped compliance, throughout RSA. Speakers, panel sessions, analysts and informal conversations with security practitioners all reiterated that security and compliance aren’t the same thing.

Alan Paller, director of research at SANS, said he sees the shift from compliance to actual security as long overdue — and driven directly by the Department of Defense. As Paller sees it, the “20 Critical Controls,” or consensus audit guidelines (CAG), are the new gold standard for security and compliance for federal agencies, defense contractors and all other parts of the nation’s critical infrastructure.

The Commission on Cybersecurity for the 44th Presidency, headquartered at the Center for Strategic and International Studies, released a cybersecurity report that supports and extends these controls. Former USAF CIO John Gilligan has been driving discussion and implementation of these controls through the national defense infrastructure. As Paller noted in an interview, it’s key to know what metrics matter. Without guidance, “people will dashboard all the wrong data. It’s like keeping a garage clean but not bothering to lock the door.” Paller says that the SANS Institute is shifting its training for security and compliance professionals to “the controls that matter” under CAG, focusing on actual security. That means hardening software, hardware and infrastructure after taking inventory of all assets, as mandated by NERC compliance requirements. “Government agencies must be required to comply with a set of prioritized controls that actually stop attacks.”

Peter Firstbrook, a Gartner analyst for security, said he sees considerable frustration among enterprise executives in the private sector over the mismatch between security and compliance. The trend he sees is towards “minimizing the attack surface,” where security is not addressed merely with patches, nor compliance merely with checklists. Organizations are doing due diligence with regard to gap analysis and taking inventory of both proprietary and protected data. That’s key, since Firstbrook has observed that malware is getting more and more intelligent. “There’s a huge infection of targeted attacks that disable endpoint security.”

Firstbrook also extended a biological metaphor to the security challenges faced by organizations in the current landscape of shifting threats: “Patches are like a visit to the ER. The key is to understand AV, software, hardware, viruses and worms as part of an ecosystem of threats and to engage in preventive ‘medicine’ beforehand. Conficker was avoidable.”
