Symantec: Cyberdefence and security policy, Concepts and considerations for government policy

February 2011 by Symantec

The threat posed by the abuse of computer systems is changing rapidly. Over the last two decades, hacking has evolved from an activity largely viewed as a nuisance, to a serious and large-scale criminal endeavour.

It is now entering a third, and even more dangerous phase, one where an attack on a computer system could amount to nothing less than a terrorist strike, or an act of war. There have already been incidents.

Attacks against internet infrastructure in Estonia, during the spring of 2007, are widely seen by some as an early incident of cyber warfare, although no country has been formally identified as being behind the attacks.

Similar incidents have taken place in Lithuania and Georgia; in the case of Georgia, a cyber attack came immediately before an actual, military incident. Even large-scale attacks against companies, such as the incident that affected Google in January this year, are allegedly going beyond the realm of ordinary “cybercrime”.

The risks posed by the militarisation of cyberspace have already come to the notice of Western governments. Cyber security is no longer the localised concern of computer-security offices or CERTs (Computer Emergency Response Teams), but is now being discussed by generals and national security and counter-intelligence agencies.

In May this year, the US Army appointed its first general responsible for cyber warfare, and defence experts are actively debating at what point a cyber attack on the West would justify a military response.

The scale of the threat

Governments, though, also need to harden their electronic defences against possible, or even probable, cyber attacks. The security of military and government installations is closely tied to the security of national infrastructure, including communications, transport, and the utilities.

Attacks on key economic targets, such as the banking system, could lead to economic disruption on a scale that might well be greater than could be achieved by a physical terrorist attack. In turn, one could envisage cyber attacks that could lead to large-scale disruptions and possibly even fatalities, depending on the system that would be attacked.

Analysts examine many scenarios, ranging from a cyber attack that is an end in itself, all the way to a cyber-attack that is a precursor to a physical terrorist or military assault against what would inevitably be a much weaker target.

Research carried out by Symantec found that 13 per cent of all security breaches in 2009 were directed against government systems, with 20 per cent against education, 15 per cent against healthcare and 10 per cent against financial services systems.

Attacks against national or government assets usually fall into two categories: attacks against infrastructure and attacks against information. Attacks can also be combined. Even when infrastructure is the final target, a degree of information compromise often forms part of the attack. Hackers might also combine attacks, in order to increase the element of surprise.

Attacks against national information assets can either be intelligence based – the collection of sensitive information – or set out to destroy sensitive information, or to disable the infrastructure holding the information.

As well as the conventional, “massive” attacks against national infrastructure, which work by trying to overwhelm IT systems by the sheer weight and volume of malware or hacking attempts ranged against them, hackers may also make use of targeted attacks.

Targeted attacks aim at specific objectives – a particular system or even data within it, or even individuals – rather than simply infecting computers at random. They might use some form of social engineering, such as “phishing” or targeting social networking sites, to increase their chances of success.

Security researchers have also recently identified another form of attack, known as Advanced Persistent Threats (APT). These targeted, stealthy attacks set out to steal confidential information after taking a foothold inside an organisation’s IT systems. The attack aims to maintain that foothold for as long as possible, as it collects intelligence.

Attacks on infrastructure are still quite new, but there have been reports of experimental cyberattacks on power generators. These have the potential to cause substantial damage.

There have also been reported cases of accidental incidents that have affected SCADA (Supervisory Control and Data Acquisition) systems. These instances might not be malicious, but suggest that SCADA systems are potentially at risk of failure caused by vulnerabilities in the IT infrastructure. These failures could be triggered not only accidentally, but also intentionally.

Planning a response

The scale of the threat posed, either by direct electronic attacks against infrastructure, or against information assets, means that securing those assets is becoming a critical component of any national security strategy.

A major information security incident can affect the strategic assets of a country and its ability to command and coordinate its military forces, or it can provide vital intelligence to an adversary about the capabilities, intentions and actions of friendly forces. Even in a conventional military conflict, electronic information could be a decisive factor.

With national security at risk, a national, government-led response is needed. Cyberdefence goes beyond an IT-driven, CERT-like alert capability.

Instead, governments should take a proactive approach, gathering intelligence on possible attacks and attackers, and deploy countermeasures. Control of the information space becomes a strategic priority both for the attacker and for the defender.

Authorities will also need to take steps to ensure that the IT that supports government and military operations, as well as national critical infrastructure, is resilient enough to continue to operate after a successful penetration of their electronic defences.

To do so, authorities need to understand that cyber security is no longer simply a question of spam messages and frozen personal computers, but a threat that is affecting the national security and defence capabilities of a country.

This means that security arrangements need to go beyond network protection measures such as anti-virus and firewall software. Businesses and government bodies will need multiple layers of protection in order to detect, stop and prevent attacks.

Nor is the issue simply one of technology: the best protection technologies will not be effective, unless they are backed by robust security policies. Governments also need to support their cyber security measures with intelligence and counter intelligence.

Furthermore, international collaboration needs to be part of the response, too. Cyber attacks do not respect borders, and it is increasingly hard to identify exactly where an attacker is based.

Finally, given the way that both economies and critical national infrastructure depend, at least in part, on private companies, governments need to strengthen their ties with the corporate sector.

This includes protecting companies with a critical, national role, and taking steps to reduce the dangers of corporate networks falling victim to attackers who, in turn, use them to strike against government targets. Countries at risk of cyber-attack need to adopt a policy of defence in depth that covers both the public and private sector.

Conclusions

Protecting critical national infrastructure and government systems should be a priority for Western economies. The threat of criminally motivated attacks has been joined by some new and very real risks.

Guarding against such attacks needs a different approach to the technology-led response adopted to protect against hackers and criminal gangs.

Governments will need to improve internal collaboration – between law enforcement agencies, the military and intelligence and counter-intelligence agencies, and with the private sector. This is especially the case for industries of national importance – from banking to transportation and utilities – where the infrastructure is, for the large part, in private hands.

Governments will also need to improve co-operation with each other, to share intelligence on cyber attacks and to co-ordinate both diplomatic and, possibly, military responses, as well as technology-focused countermeasures. Actions being taken by NATO and the European Union suggest that moves in this direction have already begun.

However, authorities also need to understand that it is impossible to protect against every single threat; the military maxim is “he who defends everything, defends nothing”.

As there is no defence that can never be defeated, defence in depth is vital to the security of national information assets and infrastructure. But governments also need to set priorities, deciding which assets need the strongest defences, and which, in an emergency, could be sacrificed.

Doing this safely also means creating resilient systems that can withstand a degree of damage from a cyber attack, and developing contingency plans that allow the business of government to continue if a system is breached or brought down. Data security and data recovery become paramount components of such a strategy.

Above all, governments need to take the risks of cyber attacks seriously, and to put in place measures to prevent, detect, and respond to them.
