DoD Seeks More Control Of Private Data Networks

The U.S. military wants to exert more influence over the protection of power grids, transportation networks and financial network systems, a Pentagon official says in a broad-ranging essay published in Foreign Affairs.

In cyberwar, who’s in charge?

To do so, the Pentagon is urging that its defense expertise be put in play beyond the .mil domain to include .gov and .com, and it wants policy makers to figure out how best to do that.

The reasons are that the military relies on these networks to deal with suppliers and that these networks could become military targets, says William J. Lynn III, undersecretary of defense, in the essay called “Defending a New Domain.”

Because the military relies on these networks, the expertise it has developed should be made available to them, he says, but he doesn’t describe exactly how that would happen in practice.

“The best-laid plans for defending military networks will matter little if civilian infrastructure — which could be directly targeted in a military conflict or held hostage and used as a bargaining chip against the U.S. government — is not secure,” he says. “The Defense Department depends on the overall information technology infrastructure of the United States… The Pentagon is therefore working with the Department of Homeland Security and the private sector to look for innovative ways to use the military’s cyberdefense capabilities to protect the defense industry.”

Some of these defenses are being developed by the National Security Agency and include blending U.S. intelligence capabilities with network security so that networks can react to threats detected by means other than network intrusion-detection tools.

“The National Security Agency has pioneered systems that, using warnings provided by U.S. intelligence capabilities, automatically deploy defenses to counter intrusions in real time,” Lynn says.

“They work by placing scanning technology at the interface of military networks and the open Internet to detect and stop malicious code before it passes into military networks.”

The Pentagon is also relying on the Defense Advanced Research Projects Agency (DARPA) to come up with ways to blunt the capabilities of intruders. DARPA is trying to figure out a new basic design for Pentagon networks that would result in a generation-long overhaul to make hardware, software and computer languages less susceptible to cyber attack, he says.

Gaining the authority to impose military security on civilian assets is still in its infancy. “The U.S. government has only just begun to broach the larger question of whether it is necessary and appropriate to use national resources, such as the defenses that now guard military networks, to protect civilian infrastructure,” Lynn says.

“Information networks connect a variety of institutions, so the effort to defend the United States will only succeed if it is coordinated across the government, with allies, and with partners in the commercial sector.”

[Via:Networkworld]

Hackers Targeting U.S. Infrastructure

August 6, 2010 Security 2 Comments
Power Plant Control Room


Just hours before reports emerged that hackers were for the first time attempting to take over specific infrastructure plants, a former CIA director told ABC News that weaknesses in critical infrastructure systems in the U.S. were among the country’s greatest threats to national security.

“One of [the greatest threats] is the vulnerability of our electricity grid to hacking and to physical attack on things like transformers,” former CIA Director John Woolsey said Tuesday. “We have 18 critical infrastructures in the United States: water, food, sewage, etc. All of the 17 others depend on the electrical grid.

“So the vulnerability of that grid to things like hacking is a very serious problem,” he said.

The same day, officials at the Department of Homeland Security confirmed a report by The Associated Press that last month hackers targeted critical infrastructure systems with malicious computer code. While it is hardly the first time hackers have attempted to gain access to infrastructure systems, experts said it was the first time they employed a certain type of “worm,” called Stuxnet, that was created to seize complete control of a specific critical infrastructure location.

“Most of the activities we have seen over the past several months has involved intrusions into enterprise or corporate networks that’s the front office area of a control plant or power plant — those intrusions aren’t coming in,” Sean McGurk, director of control system security at the National Cyber Security Division, told ABC News. “The activity we have seen most recently that is most interesting, has to do with actually accessing control networks… Now the control networks are those networks that actually perform the physical functions, whether it’s building automobiles, generating power or purifying water.”

McGurk said the attack was unique mostly because it was “very targeted, very sophisticated.”

But often, the more complex the attack is, the more bread crumbs are left for investigators to trace back to its source.

“Attribution is really the key that we are focusing on right now,” McGurk said. “Often these malicious attackers will leave footprints behind by which we are able to identify the activity, because this code is very complex and they’ve used multiple layers of encryption.”

Though most of the recent cyber attacks on infrastructure have taken place abroad, the DHS also confirmed that it has deployed Cyber Emergency Response Teams more than a dozen times to help wage the digital war in the U.S. The teams have conducted 50 assessments and helped investigate 13 cyber security incidents so far, the AP reported.

America’s electricity infrastructure, often referred to as a “grid,” is composed of more than 5,300 power plants across the nation — including nuclear power plants — which send electricity down thousands of miles of complex distribution lines to more than 140 million customers, according to the National Infrastructure Protection Plan as posted on the DHS website. To coordinate the massive effort, several computer systems are employed.

“The electricity infrastructure is highly automated and controlled by utilities and regional grid operators using sophisticated energy management systems that are supplied by supervisory control and data acquisition (SCADA) systems to keep the system in balance,” the report said.

Up to 85 percent of the nation’s critical infrastructure is operated by private companies, according to the AP. Vulnerabilities often appear to hackers due to outdated security measures, McGurk said. The DHS’ Cyber Emergency Response Teams were created to provide on-site incident response in addition to analysis in cooperation with the private companies.

Electricity is just one of the 18 “critical infrastructure and key resources sectors” identified by the DHS, also including water, finance and communications systems.

Many of these systems — like electricity and information technology systems — are interdependent, cyber security and communications assistant secretary Greg Garcia told attendees during the 2008 National Cyber Security Awareness Month.

“IT systems and networks, as you all know, are the nervous system of our country’s critical infrastructure,” Garcia said. “So just think of it. We depend on information technology for seemingly everything. Like managing food processing, water purification, electricity generation and distribution. Online banking, telephone transmission. Filing your news stories on time, reporters. Dispatching emergency services and keeping our nation safe.

“So protecting cyberspace in my view is as important to our national interests as protecting our land and our sea borders,” he said.
[Via:ABC]

NATO Warns Cyber Attackers of Retaliation

June 6, 2010 crime, internet No Comments

NATO is considering the use of military force against enemies who launch cyber attacks on its member states.

The move follows a series of Russian-linked hacking attacks against Nato members and warnings from intelligence services of the growing threat from China.

A team of Nato experts led by Madeleine Albright, the former US secretary of state, has warned that the next attack on a Nato country “may well come down a fibre-optic cable”.

A report by Albright’s group said that a cyber attack on the critical infrastructure of a Nato country could equate to an armed attack, justifying retaliation.

“A large-scale attack on Nato’s command and control systems or energy grids could possibly lead to collective defence measures under article 5,” the experts said.

Article 5 is the cornerstone of the 1949 Nato charter, laying down that “an armed attack” against one or more Nato countries “shall be considered an attack against them all”.

It was the clause in the charter that was invoked following the September 11 attacks to justify the removal of the Taliban regime in Afghanistan.

Nato is now considering how severe the attack would have to be to justify retaliation, what military force could be used and what targets would be attacked.

The organisation’s lawyers say that because the effect of a cyber attack can be similar to an armed assault, there is no need to redraft existing treaties.

Eneken Tikk, a lawyer at Nato’s cyber defence centre in Estonia, said it would be enough to invoke the mutual defence clause “if, for example, a cyber attack on a country’s power networks or critical infrastructure resulted in casualties and destruction comparable to a military attack”.

Nato heads of government are expected to discuss the potential use of military force in response to cyber attacks at a summit in Lisbon in November that will debate the alliance’s future. General Keith Alexander, head of the newly created US cyber command, said last week there was a need for “clear rules of engagement that say what we can stop”.

The concerns follow warnings from intelligence services across Europe that computer-launched attacks from Russia and China are a mounting threat. Russian hackers have been blamed for an attack against Estonia in April and May of 2007 which crippled government, media and banking communications and internet sites.

They also attacked Georgian computer systems during the August 2008 invasion of the country, bringing down air defence networks and telecommunications systems belonging to the president, the government and banks.

Alexander disclosed last week that a 2008 attack on the Pentagon’s systems, believed to have been mounted by the Chinese, successfully broke through into classified areas.

Britain’s Joint Intelligence Committee cautioned last year that Chinese-made parts in the BT phone network could be used to bring down systems running the country’s power and food supplies.

Some experts have warned that it is often hard to establish government involvement. Many Russian attacks, for example, have been blamed on the Russian mafia. The Kremlin has consistently refused to sign an international treaty banning internet crime.

Massive Cyber Attacks Uncovered

February 19, 2010 Security, Technology 1 Comment

More than 75,000 computer systems at nearly 2,500 companies in the United States and around the world have been hacked in what appears to be one of the largest and most sophisticated attacks by cyber criminals discovered to date, according to a northern Virginia security firm.

The attack, which began in late 2008 and was discovered last month, targeted proprietary corporate data, e-mails, credit-card transaction data and login credentials at companies in the health and technology industries in 196 countries, according to Herndon-based NetWitness.

News of the attack follows reports last month that the computer networks at Google and more than 30 other large financial, energy, defense, technology and media firms had been compromised. Google said the attack on its system originated in China.

This latest attack does not appear to be linked to the Google intrusion, said Amit Yoran, NetWitness’s chief executive. But it is significant, he said, in its scale and in its apparent demonstration that the criminal groups’ sophistication in cyberattacks is approaching that of nation states such as China and Russia.

The attack also highlights the inability of the private sector — including industries that would be expected to employ the most sophisticated cyber defenses — to protect itself.

“The traditional security approaches of intrusion-detection systems and anti-virus software are by definition inadequate for these types of sophisticated threats,” Yoran said. “The things that we — industry — have been doing for the past 20 years are ineffective with attacks like this. That’s the story.”

The intrusion, first reported on the Wall Street Journal’s Web site, was detected Jan. 26 by NetWitness engineer Alex Cox. He discovered the intrusion, dubbed the Kneber bot, being run by a ring based in Eastern Europe operating through at least 20 command and control servers worldwide.

The hackers lured unsuspecting employees at targeted firms to download infected software from sites controlled by the hackers, or baited them into opening e-mails containing the infected attachments, Yoran said. The malicious software, or “bots,” enabled the attackers to commandeer users’ computers, scrape them for log-in credentials and passwords — including to online banking and social networking sites — and then exploit that data to hack into the systems of other users, Yoran said. The number of penetrated systems grew exponentially, he said.

“Because they’re using multiple bots and very sophisticated command and control methods, once they’re in the system, even if you whack the command and control servers, it’s difficult to rid them of the ability to control the users’ computers,” Yoran said.

The malware had the ability to target any information the attackers wanted, including file-sharing sites for sensitive corporate documents, according to NetWitness.

Login credentials have monetary value in the criminal underground, experts said. A damage assessment for the firms is underway, Yoran said. NetWitness has been working with firms to help them mitigate the damage.

Among the companies hit were Cardinal Health, located in Dublin, Ohio, and Merck, according to the Wall Street Journal. A spokesman for Cardinal said the firm removed the infected computers as soon as the breach was found.

Also affected were educational institutions, energy firms, financial companies and Internet service providers. Ten government agencies were penetrated, none in the national security area, NetWitness said.

The systems penetrated were mostly in the United States, Saudi Arabia, Egypt, Turkey and Mexico, the firm said.

Pentagon Struggles with Cyber Security

January 26, 2010 Security, Technology No Comments

WASHINGTON — On a Monday morning earlier this month, top Pentagon leaders gathered to simulate how they would respond to a sophisticated cyberattack aimed at paralyzing the nation’s power grids, its communications systems or its financial networks.

The results were dispiriting. The enemy had all the advantages: stealth, anonymity and unpredictability. No one could pinpoint the country from which the attack came, so there was no effective way to deter further damage by threatening retaliation. What’s more, the military commanders noted that they even lacked the legal authority to respond — especially because it was never clear if the attack was an act of vandalism, an attempt at commercial theft or a state-sponsored effort to cripple the United States, perhaps as a prelude to a conventional war.

What some participants in the simulation knew — and others did not — was that a version of their nightmare had just played out in real life, not at the Pentagon where they were meeting, but in the far less formal war rooms at Google Inc. Computers at Google and more than 30 other companies had been penetrated, and Google’s software engineers quickly tracked the source of the attack to seven servers in Taiwan, with footprints back to the Chinese mainland.

After that, the trail disappeared into a cloud of angry Chinese government denials, and then an ugly exchange of accusations between Washington and Beijing. That continued Monday, with Chinese assertions that critics were trying to “denigrate China” and that the United States was pursuing “hegemonic domination” in cyberspace.

These recent events demonstrate how quickly the nation’s escalating cyberbattles have outpaced the rush to find a deterrent, something equivalent to the cold-war-era strategy of threatening nuclear retaliation.

So far, despite millions of dollars spent on studies, that quest has failed. Last week, Secretary of State Hillary Rodham Clinton made the most comprehensive effort yet to warn potential adversaries that cyberattacks would not be ignored, drawing on the language of nuclear deterrence.

“States, terrorists and those who would act as their proxies must know that the United States will protect our networks,” she declared in a speech on Thursday that drew an angry response from Beijing. “Those who disrupt the free flow of information in our society or any other pose a threat to our economy, our government and our civil society.”

But Mrs. Clinton did not say how the United States would respond, beyond suggesting that countries that knowingly permit cyberattacks to be launched from their territories would suffer damage to their reputations, and could be frozen out of the global economy. … Continue Reading
