What Has Changed - in Cyber Security - Since 9/11? : Part One
Thursday, October 13th 2011 @ 10:46 PM
A month ago, the USA observed the 10th anniversary of 9/11.
It was a remembrance of a terrible, traumatic event that continues to haunt and frighten most Americans - and hundreds of millions of others around the world. A few may still celebrate the devastation of 9/11, but none of those who do can be sane.
In truth, 9/11 was a tipping point that in itself killed 2,977 innocent people and further polarized East and West.
It plunged America, Iraq, Afghanistan and a whole host of allies and affiliates into a long and continuing war. To date, depending on what source you quote, as many as a million people have died in Iraq alone. We probably won't know the full cost in lives or dollars for decades.
Despite the devastation (or perhaps because of it), almost right after 9/11 Al Qaeda was rumoured to be planning an attack on America and its allies through the Internet. Bin Laden himself spoke of "bleeding America to the point of bankruptcy..." through Cyber attacks on infrastructure, banks and more.
Was Al Qaeda capable of a concerted Cyber attack back then? Apparently not, as they seemingly put more effort into physical assaults.
But a new generation of would be terrorists is developing around the world. Some will join Al Qaeda or other anti-American (and anti-Canadian) groups.
Given that, will they be able to mount Cyber Attacks now? Pundits have claimed that such groups are too small and too disorganized.
I wonder though, are they less capable and less organized than say... Anonymous or LulzSec? Because if they aren't, then the risk of Cyber terrorism remains (continuing physical threats and attacks notwithstanding).
In fact, while most large scale attacks (and large scale impacts) are blamed on nation states, it has been clear for some time that terrorist organizations - and individuals with a grudge - are also involved.
More, that word "terrorist" means any "radical who employs terror as a weapon..." People don't have to be killed (although they can be and sadly are), they just have to be scared for a terrorist to be effective.
Are you scared by the attacks on banks, Sony, RSA, personal accounts, military systems, defence contractors....and the Government of Canada?
I am also worried that it is all going to get worse because we are actually facing a range of potential terrorists in all of this:
- People, like Anonymous, who want to protest and "shake things up" (some do not like the terrorist label applied to Anonymous, so let's say that the semantics are debatable for now)
- Others who want to steal information and then
- Some who simply want to kill us.
9/11 was 10 years ago.
In the years before and since, many young people have grown up angry at the West and I fully expect many of them (even some who live in the West; perhaps especially them) will be launching more Cyber Attacks. That doesn't mean the era of suicide attacks is over, it means that (IMHO) the newest generation of educated terrorists will work to cause harm and foster fear, through Cyber space.
I cite the justifications presented by the fellow who has laid claim to the DigiNotar attacks as the first bit of evidence in what I expect will be a long list.
Given all of this, what we need to ask is what has changed in Cyber Security since 9/11 and most importantly, have we done enough to improve our situation?
Clearly these are big questions and I won't be able to consider them fully in one blog post. Instead, I am going to start by touching on 3 key areas (threats, policy and technology) in 3 separate posts (and I will also update the Cyber War is Now! series as I go).
Scott and I will also touch on the topic in the podcast (starting a bit in 5). However, I encourage you to open a discussion or leave comments or questions - as the matter is important to all of us.
So, let's move on...
In the summer of 2001 attacks on DNS servers were the "in thing" as hackers began to investigate Internet infrastructure and all of its vulnerabilities.
As well, US and Chinese hackers spent months engaged in the defacing of opposing government Web sites. So, the Chinese hackers would mess up a site and the American hackers (all patriots on both sides obviously) would retaliate.
It seems a bit silly now, until you realize that it is actually a precursor to the much more serious attacks of the past few years.
But the big news in IT security the summer of 2001 (before 9/11) was the Code Red worm, which infected about 500,000 MS IIS servers and displayed the message
"HELLO! Welcome to http://www.worm.com! Hacked By Chinese!"
Now, of course, infected computers display the message
"HELLO! We want to be clear that you have definitely NOT been hacked by Chinese! Maybe it was the Russians?
Also, need gold or want to level up in WoW, click here." ;-)
Or for a more serious take on that, click HERE...
Since then though, we have experienced a very serious evolution in the overall threat-scape including:
- An enormous (and for a while, overwhelming) surge in Spam and the development of massive, worldwide botnets (like Bredolab which at last count was estimated to have infected in excess of 30 MILLION PCs to send some 4 BILLION pieces of Spam a day);
- Massive infections of Malware on virtually every and any device with a CPU - even SmartPhones;
- Deliberate exposure of vulnerabilities in key technologies and tools (e.g. SSL);
- The development, promotion and proliferation of free (often FOSS) “ethical” hacking tools like BackTrack or Firesheep;
- The rapid (and seemingly unstoppable) upsurge of Cyber crime as a business (and I include organized crime and government sponsored proxy attacks in this), worldwide with:
  - Harvesting of personal information for use in Spam campaigns, phishing, identity theft and more;
  - Phishing - morphing into targeted "Spear Phishing" (attacks on individuals) along with other forms of fraud (it ain't just Nigerians asking for our money now);
  - New "pay as you attack" crime-ware like Zeus and SpyEye;
  - Search engine hijacking and poisoning;
  - Attacks on social networking and blogging sites resulting in a whole range of problems from defacement of data to corporate data loss;
  - Massive, well organized Cyber attacks and data theft - often seemingly directed by nation states and executed by either zealots or "hackers for hire" to make it hard to find an audit trail; and
  - Blackmail of potential victims (businesses and individuals) - "you want we should not hack you and destroy all your information, give us the money"...and much more.
- A whole range of very bold blended attacks (e.g. malware + phishing + social engineering) on corporations, governments and even individuals. This whole mess just seems to get more serious each time we turn around and the bad guys are patient, they can keep trying new things while we are often locked in “react mode”;
- Attacks on analog systems via vulnerabilities in programmable logic controllers (PLC) - think Stuxnet or this more recently. With the prevalence of digital control over analog systems (manufacturing, power plants, hospitals, labs, etc.) this suggests a whole range of new problems that we are simply not ready for;
- And on and on and on it goes...
So, generally the threat-scape is much more complex, attackers are more organized and exploits often result in greater expense for the victims (think Sony) since 9/11. Overall, the threats keep coming and morphing - on top of all the old school stuff, including physical attacks.
It is getting pretty hard to keep up.
In this regard, I would say we are worse off than we were 10 years ago …and I don’t think too many security folks would disagree (post your comments! ;-).
So, what is the good news? Well, there has been some progress in building a foundation for prevention and detection of attacks. A mix of improved governance (through standards and law), techniques, technologies and a (paltry) improvement in end user security awareness are helping.
We are also building our own “army” (or Navy as I will explain in a bit) with the current generation of graduates coming forth with a good understanding of vulnerability assessments, pen testing, hacking techniques and tools and a willingness to fight the good fight (for a decent wage
Still, in some ways, I liken the current situation to the state of affairs at the start of WWII in the Battle of the North Atlantic.
At the outset of the war, the Allies were being hammered - losing ships, materiel and people on a daily basis - as the German U-boat fleet attacked with relative impunity.
It was a very real crisis and the outcome of the war hung in the balance for almost 2 years. The initial impulse was to take purely defensive measures and just keep taking body blows.
Then the Allies rallied, coming up with new strategies and methods of defence along with several new technologies (like ship borne Radar). Perhaps most important, the Allies developed a common and pragmatic strategy, in which Canada had a very important role.
In the duration, the Royal Canadian Navy (RCN) itself went from a handful of ships (about a dozen) and crew to a disciplined, well trained and organized fighting force of over 100,000 and some 400 ships. As a matter of fact, by the end of the war, Canada had the 3rd largest navy in the world, with primary responsibility for escort and protection of Atlantic convoys and the hunting (and destruction) of U-boats.
We also went from a defensive, isolated and reactionary mindset (often disastrously ineffective) to an assertive, organized, collaborative and pro-active attitude - and we won the Battle of the Atlantic (and the war).
If we are in a new war (and I think we are) then there may be a lesson in this, our own history. 10 years after 9/11, in Cyber Security, we need to become better organized, recognizing that we are in trouble and (in many ways) are losing the war.
We need to use the tools we have to better effect and continue to look for ways to improve (better processes, anyone?).
We also need to be more organized and pro-active in our approach to the problems we face (because they are only going to multiply if we bunker).
We need a common Cyber Security strategy and law – at the national level - and we need it soon.
More, those of us with some experience (and still much to learn) should take on the role of mentors to foster the next generation of security professionals (much as the officers of the tiny RCN did with the 100,000+ new recruits...in WWII).
So, 10 years on...should we already know and do all of this? Yes. And sometimes we do. But a tragedy of such epic proportions as 9/11 should teach us more ...and we should try harder... as history does tend to repeat itself.
Next, in Part Two of this series I will look at Governance and then the state of Cyber Security technology including what we have now that we didn’t have (or didn’t use) in 2001.
For now, as usual, please post comments, suggestions or just shout out. I would love to hear from you.