Around the world, cyber attacks are a growing problem, and both governments and private industry are struggling to defend against them. Governments are beginning to understand the impact of these attacks, whether on their own infrastructure or on the private companies under their jurisdiction, and are taking steps towards creating national cyber strategies. For instance, the UK recently released a new strategy document setting out its future approach to cyber security. Capitol Hill is also pushing cyber security legislation to the top of the agenda, and the US Department of Defense has declared that real-world military retaliation can be a valid response to a cyber attack. How should nations address cyber threats and protect their citizens?
Step One: Setting Priorities
Crafting such a strategy means focusing on three key areas: protecting government systems, protecting national infrastructure, and establishing the systems, controls and processes that allow the private sector to operate safely in cyberspace. Along those lines, the strategy should incorporate the following activities:
1. Centralising all outbound (and especially Internet-facing) communications of government organisations under a single authority. The authority's responsibility should be two-fold. First, it should build robust monitoring and attack detection capabilities spanning all communication layers, and in particular the web applications themselves, since those are the components actually exposed to attackers. Second, it should set security standards that bind every government-affiliated organisation when it adds a new public-facing connection.
2. Protecting national communication backbones against denial-of-service attacks. In particular:
• Ensuring enough internal redundancy
• Maintaining enough redundancy with respect to out-of-country communication lines
• Timely detection of attacks of all types, including physical tampering with communication lines
3. Engaging in a comprehensive and ongoing risk management process. National infrastructure systems (e.g. traffic control, rail systems and power grids) should first be ranked by the risk they pose if compromised. As a second step, a thorough technical evaluation of the security posture of the systems involved should be performed. Any further investment in protective controls should then be guided by the results of this risk assessment, directing resources to the systems at highest risk or with the weakest security posture.
4. Performing hacker intelligence. Analysing hacker activity, such as the tools in use, the origins of attacks and the targets being pursued, enables the authority to detect substantial attack campaigns against computers within the country in a timely manner. Based on this data, the authority can also advise on the design of appropriate defence mechanisms.
5. Creating processes and tools for analysing information. Receiving data from the private sector, and especially from network carriers, can enrich the data analysed by the authority's hacker intelligence function. Further collaboration can include detecting attacks that originate from within the country and cleaning up the compromised machines on a regular basis.
Step Two: Refine Current Crime Laws
Cyber-crime legislation should be integrated with existing criminal law. For example, the US cyber security proposal suggests applying the Racketeer Influenced and Corrupt Organizations Act (RICO), the racketeering statute used to convict organised crime, to cyber-gangs. Governments should embrace this initiative, but also take it one step further by not restricting the medium through which a crime is committed. When RICO was first enacted, it made no mention of the Internet, because no one foresaw its significance. Today we cannot imagine what will exist in two or more decades, so the law should be written to accommodate it in advance.
Step Three: Apply Regulations
The country should also ensure that citizens' data, whether account numbers, health information or other personally identifiable information (PII), is stored securely. This means defining exactly what constitutes sensitive data and establishing requirements for the security controls that must protect it. Compliance laws must encompass more than just customer information: they should also cover intellectual property (IP). The perpetrators of IP theft are often business competitors and nation-states, and since the victimised companies will require the assistance of their country, they should in turn be obliged to adhere to compliance standards.
The US cyber security proposal has taken a positive step by suggesting a standardised data breach notification process. The problem is that the proposal lacks specifics; it should set out in more detail the actionable steps organisations must take to protect data and intellectual property. The importance of such laws and standards is difficult to overstate. For instance, the US Securities and Exchange Commission (SEC) has recognised the impact of data loss on a business, and recent SEC guidance calls on public companies to disclose material cyber incidents. Further, if we look at the Payment Card Industry Data Security Standard (PCI DSS) as an example, studies have shown that businesses that have adopted PCI DSS experience a much lower rate of data breaches. Several US states in fact reference PCI DSS as the de facto standard in their data privacy and security legislation, simply because of its effectiveness and prescriptive nature. Countries as a whole can apply this model to legislation at the national level.
Step Four: Apply the Above
We are starting to see nations take the first steps in developing sound cyber security strategies. In 2011, the European Network and Information Security Agency (ENISA) organised the first joint EU-US cyber security exercise (Cyber Atlantic 2011) in order to work out how the EU and US would engage with each other in the event of a cyber attack. Concerned with the growth of botnets, ENISA has also published recommendations on mitigating and preventing the threat of bots.
The collaboration of governments and the security community has also begun to garner more attention. An example of this cooperation was the takedown of the Coreflood botnet, a joint effort involving federal agents and Internet service providers. Such collaboration between government agencies and the private sector has proven successful. It is now our turn, as citizens, to ensure that governments do not abuse the authority that a cyber security strategy may give them. The Coreflood takedown allowed US federal agencies to communicate actively and directly with infected computers, sending them commands to stop the malware. Yet it has also shown the power these agencies can exert over our computing devices, at any point in time.
Noa Bar-Yosef is a senior security researcher with the Imperva Application Defense Center. She conducts research on database and Web application vulnerabilities. Previously, she held TA positions in courses on programming and network security at Tel Aviv University and the Open University. She has also been a software engineer with educational software vendor Sunburst Technology. Bar-Yosef holds a Master of Science degree (specialising in information security) from the Tel Aviv University School of Computer Science and a Bachelor of Science degree from the Hebrew University School of Computer Science. During her work at Imperva, Noa has discovered multiple vulnerabilities in various commercial applications and worked with the software vendors on their resolution. She has also presented at a number of conferences, including Infosec Canada (2008) and SECRYPT 2007 (Spain).