Center for the Study of American Government
The Johns Hopkins University

Defending Cyberspace: Protecting Individuals, Government Agencies and Private Companies Against Persistent and Evolving Threats

by Thomas H. Stanton

Center for the Study of American Government
The Johns Hopkins University Washington, D.C. Center
1717 Massachusetts Avenue, NW

Foreword

On May 8 and 7, 2008, cybersecurity experts, staff from Capitol Hill, academics, and a variety of stakeholders met in Washington, DC, to share information about the growing threat of cyberattacks and cyberespionage in the United States and worldwide. The conference on Defending Cyberspace 2008 was produced by the Park City Center for Public Policy and Imadgen, LLC. The Park City Center for Public Policy (www.parkcitycenter.org) is a bi-partisan, non-profit organization founded on the principle that the most effective policy solutions are created through a collaborative process and tested in the real world. Imadgen, LLC (www.imadgen.com) is a strategic management consulting firm with specialized practices in cyber security and identity management. Defending Cyberspace was co-hosted by the Johns Hopkins University, the National Association of Manufacturers, and the Information Technology Association of America. Speakers included several former state Governors, CEOs, and current and past federal officials serving at the policy level.

The Johns Hopkins Washington, D.C. Center offers a range of advanced academic programs leading to M.A. and M.B.A. degrees. The Johns Hopkins M.A. in Government Program offers concentrations in security studies, legal studies, and political communication. The courses are designed to give students comprehensive knowledge of governmental institutions, their political development, and how they interact in the policy-making process.
With this knowledge, students are better equipped to examine governmental and social institutions, assess prospects for reform, effect change, and become tomorrow’s leaders. Students may also pursue a Certificate in National Security Studies, which offers a unique approach to the study of the vital national security field by bringing together experts from science, engineering, international relations, political science, and public policy. The certificate is tailored to the needs of professionals who seek to broaden their knowledge of this field without committing to the full degree program.

I. The Evolving Threat

It’s a conspiracy of apathy. For the criminals, this is great news. They stand blinking into the dawn of a golden age of criminal enterprise. Like Barbary Pirates in the 18th century, and like Colombian drug cartels in the 1970s, malicious hackers will run amok, unfettered, unafraid and perhaps even protected. Only they won’t use muskets or mules. They’ll use malicious code to run syndicates that will be both less violent and more scalable than in the past.

Scott Berinato, “Who’s Stealing Your Passwords? Global Hackers Create a New Online Crime Economy,” www.cio.com, September 17, 2007

Business Week journalist Keith Epstein started to do a story on what he expected would be the “cyber-industry complex,” contractors and policymakers who boosted each other’s fortunes by hyping the threat. As he explored further, Epstein realized that the opposite was true: business executives and federal policymakers are seriously underestimating the threat of cyber intrusions.1 This is a report on the growing threat of cyberattacks to individuals, government agencies, and private companies.
It draws on insights gained at a Washington, DC conference, Defending Cyberspace 2008, co-hosted by the Johns Hopkins University, the National Association of Manufacturers, the Information Technology Association of America, Imadgen LLC, and the Park City Center for Public Policy. The agenda for that conference is reproduced in Appendix A. This report focuses on cyberdefenses rather than on the equally important tasks of prosecuting cybercrime or otherwise conducting operations to bring down cybercriminals.2

The report looks first at the nature of the threat and then at the reasons why it has been so difficult to mount an effective defense. A major reason has been a lack of awareness among many leaders in both the public and private sectors. Dr. John Hamre of the Center for Strategic and International Studies told the conference, “If I could walk in to a CEO and say this is your pricing data that we found in a machine in X country, you have a problem, they will do something. But we have not done that. …We have just not engaged in the dialogue with business in the right way.”

In contrast to other forms of theft or attack, it often can be difficult for a victim to realize that a cyberintrusion is occurring.

1 Brian Epstein, remarks, Defending Cyberspace 2008 Conference, Washington, DC, May 6, 2008. Mr. Epstein’s reports on cybersecurity include a cover story, Brian Grow, Keith Epstein, and Chi-Chu Tschang, “The New E-Spionage Threat: a Business Week Investigation,” Business Week, April 21, 2008, pp. 30-41.
2 The issue of cybercrime prosecution is addressed, e.g., in U.S. Government Accountability Office, Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats, GAO-07-705, June 2007.
The most effective cyberattack may surreptitiously obtain information or commit other harm without the victim knowing until much later. Indeed, there is evidence that some of the recent drop-off in reported incidents reflects the increased cunning of the attackers rather than a reduction in the number of intrusions.3 Among the most important losses that a cyberattack can cause are loss of intellectual property such as plans, proprietary processes and trade secrets, financial manipulation, and overt harm such as an effort to shut down cyberdependent systems. Only the last can be clearly related to a cyberattack, and even then the vulnerabilities might have been created well before the overt attack occurs.

The report then looks at the elements of effective defense against cyberattack. Cybercriminals and nation states constantly improve the sophistication, scale and nature of their intrusions. Perhaps most importantly, an effective defense cannot afford to be static in the face of evolving threats: protection needs to come in layers that are constantly reviewed and upgraded. Defenders must share information and resources to protect one another and the networks that join them. Another critical issue involves the cost of good cyberprotection. In the vernacular, to become cost-effective, cybersecurity must be “baked in” rather than “bolted on” to each relevant process or activity. Protective measures such as user authentication must become part of the organizational culture.

After looking at the elements of effective defense, the report suggests next steps for individuals and leaders in business and government. One of the critical issues facing policymakers and business leaders is how to make cyberdefenses attractive without imposing restrictions that stifle creativity and make organizational processes more rigid without providing offsetting benefits.
Top managers and policymakers cannot usefully make such tradeoffs without being informed enough to understand their implications. Becoming fully aware of the threat is the first and most important step. The question then becomes how best to distribute responsibility for cyberdefenses between individuals and organizations on the one hand and government on the other.

Our political system fosters fragmented responses rather than centralized, coordinated action. This has both strengths and weaknesses with respect to cybersecurity. The strength is that many different organizations and approaches have emerged to perform important functions in cybersecurity, such as sharing information about threats and promising practices and, in some industries, active collaboration to assure minimum standards of protection. The weakness results from the dynamics of cybersecurity: often the security of responsible individuals and firms depends critically on addressing vulnerabilities in the systems of weaker entities. Uncoordinated action can leave these weaker entities vulnerable, and thereby potentially add to the vulnerability of others. While government can help, whether by creating positive incentives, by using its purchasing power, or by imposing requirements, the primary responsibility for cyberdefense continues to rest with individuals and organizations, which ignore vulnerabilities at their peril.

The report concludes by suggesting areas of further study to attempt to determine the tools of government that are most suitable for promoting a common defense and the areas where particular tools are best applied.4 Once we have created a sound plan, we must commit resources, individually and collectively, to make effective cyberdefenses a reality.

3 Aaron Turner, “The Business of Cybervulnerabilities,” http://www.dtic.mil/ndia/2008dib_cip/Turner.pdf, accessed August 12, 2008.
4 See Lester M. Salamon, Editor, Tools of Government: A Guide to the New Governance, Oxford University Press, 2002.
II. Nature of the Threat

[This] represents the shift taking place in Internet crime, from software-based attacks to a service-based economy. Electronic crime has evolved, from an episodic problem, like bank robberies carried out by small gangs, to a chronic one, like drug trafficking run by syndicates.

Scott Berinato, “Who’s Stealing Your Passwords? Global Hackers Create a New Online Crime Economy,” www.cio.com, September 17, 2007

China’s strategy…if I could be so bold, they sort of have a privateer’s mentality. They seem to have a very large number of highly trained people with sophisticated tools, who seem to work in small freelance groups.

Alan Paller, “Cyberthreats,” The Diane Rehm Show, June 25, 2008

Whenever there is political tension, there is a cyber aftermath.

Cybersecurity expert Gadi Evron, quoted in “Digital Fears Emerge After Data Siege in Estonia,” New York Times, May 29, 2007

In military terms, cyberspace is a domain, comparable to the maritime domain. Threats in cyberspace, as on the ocean, can come from pirates intent on private gain or from nation states or subnational groups intent on political or economic gain. Just as countries rushed to build a large naval capability, the United States and other countries are doing so in cyberspace.5 Consider first the types of cyberattack and then the potential sources.

Types of Cyberattack

Cyberspace lends itself to a wide variety of kinds of attack. At the moment, there are several basic methods and many variations of each. New forms of attack emerge with great frequency. One form of cyberattack is direct, such as intruding into a computer or computer network to steal information, manipulate data, disable or deface a website, or pose enough of a threat that the target may be willing to pay protection money. The ability to manipulate data is a new and worrying development.
One can imagine the consequences of altering a bank system to make improper payments. The military and others could worry if an intruder altered the GPS (global positioning) coordinates of a guidance system. Another direct attack comes from websites that contain malicious software (so-called “malware”) which an unsuspecting person downloads from the site. Aaron Turner of Idaho National Laboratories estimates that perhaps 30 percent of search results create exposure to sites with the potential to download malware.

A second form of attack proceeds indirectly through multiple other computers that are taken over with intrusive code known as a “bot” (short for robot) and coordinated by a so-called “bot herder” in a “botnet.” The bot herder can direct the computers in a botnet to send e-mail messages simultaneously to target computers, websites and servers. The bot herder can use the botnet to send huge volumes of spam, potentially to hundreds of thousands of consumers. Another, more destructive use is to send so many e-mail messages that they overwhelm the capacity of a website or server and potentially take it out of service. This kind of attack is called a “distributed denial of service” attack.6

A third form of attack, known as “phishing,” relies on the user of a computer to respond to a deceptive website or e-mail message and voluntarily submit confidential financial or business information. A consumer may be directed to a website that purports to be the consumer’s bank, for example. Nine out of ten phishing sites may be directed at the financial services sector.7 Or, an e-mail message can be tailored to the expectations of an unsuspecting recipient. This kind of targeted attack is called “spear-phishing.” For example, an executive of defense contractor Booz Allen Hamilton received an e-mail message purporting to come from a colleague at the Pentagon with an attachment listing weapons that India sought to purchase. In fact the message was a fake that would have downloaded malware onto the executive’s computer if he had opened the attachment: “Had the Booz Allen executive clicked on the attachment, his every keystroke would have been reported back to a mysterious master at the Internet address cybersyndrome.3322.org, which is registered through an obscure company headquartered on the banks of China’s Yangtze River.”8

Finally, a fourth form of attack is emerging, based on building vulnerabilities into hardware systems. Experts increasingly believe that manufacturers of computers and other IT-based systems can build vulnerabilities into the hardware and associated systems that allow cyberattacks to elude defensive software that the user might add afterwards. While concrete examples are not public, Richard Clarke, a former national security advisor to President Clinton, in his book, Your Government Failed You, provides a foretaste of this form of attack.

5 Clay Wilson, “Information Operations, Electronic Warfare, and Cyberwar: Capabilities and Related Policy Issues,” Congressional Research Service, March 20, 2007; “US reveals plans to hit back at cyber threats: The US Air Force Cyber Command is just as interested in attack as defence, according to a senior general,” ZDNet.co.uk, April 2, 2008, http://news.zdnet.co.uk/security/0,1000000189,39378374,00.htm, accessed August 13, 2008. But see Pamela Hess, “Pentagon puts hold on USAF cyber effort,” Associated Press, August 13, 2008.
6 See, e.g., Roger A. Grimes, “Bots and DDoS attacks: a primer; Knowing the inner workings of botnets and their attack styles can help you formulate a defense -- or outlast an attack,” InfoWorld, February 23, 2007, http://www.infoworld.com/article/07/02/23/09OPsecadvise_1.html, accessed November 7, 2007.
His example concerns malware built into digital picture frames sold at electronics stores across the country, including, he says, Best Buy: “When you connected the digital picture frame to your computer to download your photos, the picture frame uploaded a program onto your computer that disabled antivirus programs, found all of your passwords, and sent them to China. The picture frame was, of course, made in China.”9 While supply chain controls can protect against many vulnerabilities built into systems, this form of attack may well become more prevalent in the future.

In contrast to physical attacks, the perpetrator of a cyberattack may not be known for certain. This is the problem of attribution, knowing where an attack came from: “So there are really two aspects of attribution. There’s a technical attribution problem which is what’s the last box of origin or where is the box physically located? The box might be located on an educational network or a commercialized PC in some other country, but then there is the problem of actor attribution, whose fingers are on the keyboard. And that gets into who’s causing that box to be a problem for you, and they may be sitting somewhere else.”10 That can make it difficult to determine whether the source of an attack is a criminal organization, a government, or some other type of bad actor.

A report published by the SANS Institute, a leading source for information security training, certification and research, provides a useful summary of the types of devices that intruders use to obtain information, control computers or cause disruption.11 This is presented in Figure 1 below. Such summaries are likely to need updating from time to time as attacks vary their form and become more sophisticated.

7 Catherine A. Allen, “Detecting and Containing Attacks: A Compliance View,” The Santa Fe Group, presentation to the Defending Cyberspace Conference, May 7, 2008.
8 Brian Grow, Keith Epstein, and Chi-Chu Tschang, “The New E-Spionage Threat: a Business Week Investigation,” Business Week, April 21, 2008, p. 33.
9 Richard A. Clarke, Your Government Failed You: Breaking the Cycle of National Security Disasters, HarperCollins, 2008, p. 315.
10 China’s Proliferation Practices, and The Development of Its Cyber and Space Warfare Capabilities, Hearing before the U.S.-China Economic and Security Review Commission, May 20, 2008, p. 75. Testimony of …
11 Aman Hardikar, “Malware 101 – Viruses,” April 12, 2008, Table 2, p. 9, available at http://www.sans.org/reading_room/whitepapers/incident/, accessed August 17, 2008.

Potential Sources of Attack: Cybercriminals

Early privateers often worked on a business model common to the sixteenth and seventeenth centuries: they obtained royal charters and agreement from the crown that they could keep a percentage of the spoils that they captured on the high seas.12 Today’s pirates also use up-to-date business models. As one bank security officer describes cybercrime organizations, “[T]hey’re better run and managed than many organizations. They’re properly funded, they have a clear goal, they’re performance driven, focused on a single mission. It’s like an MBA case study of success.”13

Cybercriminals frequently operate in networks. They screen members of the network and enforce codes of conduct. Entry-level hackers are recruited to join the network. The complexity of information technology makes it useful for attackers to work in teams of individuals, each of whom specializes in penetrating certain kinds of systems. Members may go to secure chat rooms and buy and sell access to services, including, for example, access to computers that a bot herder has enlisted as bots. Subscribers may be offered 30 days of access to bot-infected computers that the subscriber can mine for financial data.
Depending on what kind of information the unsuspecting computer owner might enter within the 30-day period, the subscriber might gain not only financial information (credit card numbers, etc.) but also details about the identity of the computer owner. The subscriber then could sell the information on the black market or use it himself.

Figure 1. Types of Malware

Type | Property | Examples
Virus | Copies itself to other files; needs a host file to propagate and execute. | CIH, Virut, Redlof, Autorun.abt, Peacomm, NewHeur_PE
Worm | Exploits vulnerabilities that are present and can spread over the network. | Code Red, Netsky, Stration, Sasser, Bagle, Skipi, no_virus
Logic Bomb | Triggers specific code on meeting conditions, as per the logic written by its author. | Michelangelo
Backdoor | Listens on certain ports so that the attacker can gain access through them later. | Xhaker, sub7, Beast, Ginwui, Rexob, Hupigon
Trojan | Deceptive program that spoofs a harmless or useful program but actually stores other malware. | Limbo/NetHell, Pidief, ZeuS/PRG, Banker.bdn, PGPCoder, Torpig, Gozi
Spyware | Software used to spy on the victim’s activities and to steal sensitive information. | WhenUSave, PuritySCAN, Virtumonde, SecurityToolbar
Rootkit | Set of programs that alter OS functionality to hide themselves. | LRK, AFX, SInAR, Rustock, Mebroot
Bot / Botnet | Program that does work on behalf of its master; a master may control millions of such bots and can use them for malicious purposes. | Agobot, Slackbot, Mytob, Rbot, SdBot, poebot, IRCBot, VanBot, MPack, Storm

12 Thus, the United States Constitution, Article I, Section 8, authorizes the Congress, “To declare war, grant letters of marque and reprisal, and make rules concerning captures on land and water.”
13 Quoted in Scott Berinato, “Hacker Economics 2: The Conspiracy of Apathy,” www.cio.com, October 8, 2007.

The new system of selling services rather than products such as stolen information has advantages for both parties. The vendor essentially acts as a middleman. He need not handle stolen information; it is the subscriber that decides what use to make of it. In a country with lax cybercrime laws such as Russia, the vendor may be left alone because he has not actually caused anyone any harm. The subscriber also gains from the transaction. He purchases access to the identity of the computer owner, and not merely a stolen credit card number.

“For example, a credit card number alone might be worth $5, but add the three- or four-digit security code associated with that card and the value triples. Add billing address, phone number, cardholder names and so forth which allow a buyer to create new lines of credit and the value can reach into the hundreds of dollars.

“Grab the primary and secondary authentication forms used for financial services login in addition to all that, and you’ve hit the jackpot: a real person’s full financial identity. Everything that person had entered into forms online would create an avatar that could be used in the real world to buy goods, apply for credit and passports, buy cell phones, open new bank accounts and manipulate old ones. A dossier like that would be one of the most valuable commodities available on the information black market.”14

Access to newly infected computers would be rented at much higher prices, perhaps $1,000 each, than access to computers that had already been rented out to other subscribers. The subscriber purchases access to multiple machines as a way of balancing risk: some owners of infected computers might enter more valuable financial information into their computers than others. Other subscribers may want to rent access to large numbers of infected computers for other criminal purposes.
Thus, a subscriber might request access to perhaps 20,000 computers for one hour on a Saturday afternoon. The subscriber then mobilizes the computers, linked in a botnet, to direct a huge volume of e-mail messages to a target such as, say, an offshore gambling site. This is a classic distributed denial of service attack. The volume of e-mail traffic is large enough to bring down the servers of the target. The subscriber then contacts the target company and makes a simple proposition: he is willing to offer protection in return for a payment of, say, a million dollars.15

The beauty of the new business model is its flexibility. Buyers and sellers come together in an active market. Buyers may purchase software, support services, or access to specific targeted computers, besides being able to subscribe to botnets. Vendors also offer so-called “executive phishing services,” which provide information about key executives and the types of queries that would be most likely to appeal to the target and allow the download of malware to infiltrate systems and obtain confidential information. Each customer has its own criminal purposes that can be satisfied through selective purchases or rentals, as the case may be. The sellers offer both core products and services, and also ancillary support services, tailored to their customers’ needs. Vendors also may adopt a form of risk-based pricing: if a customer uses products or services in a way that attracts unwelcome attention and requires countermeasures, the price is higher than for a customer who regularly is discreet.

14 Scott Berinato, “Who’s Stealing Your Passwords? Global Hackers Create a New Online Crime Economy,” www.cio.com, September 17, 2007, http://www.cio.com/article/135500/Who_s_Stealing_Your_Passwords_Global_Hackers_Create_a_New_Online_Crime_Economy?contentId=135500&slug=&page=2&, accessed 08-07-2008.
Relying on cyberspace to communicate allows cybercriminals to adopt flexible organizations that often are international in scope. Consider the Russian Business Network, a syndicate of cybercriminals: “In one sense, RBN (Russian Business Network) does not exist. It has no legal identity; it is not registered as a company; its senior figures are anonymous, known only by their nicknames. Its web sites are registered at anonymous addresses with dummy e-mails. It does not advertise for customers. Those who want to use its services contact it via internet messaging services and pay with anonymous electronic cash.”16

The Russian Business Network has been extremely profitable. One major phishing scam tricked gullible internet users into entering personal financial information such as bank account details and garnered $150 million in 2006. When public exposure became too great, the Russian Business Network simply closed its St. Petersburg cyberaddresses and shifted its location, possibly to somewhere in China.17

Cybercriminals seem to have adopted the latest organizational models, using cyberspace to help flatten their organizational hierarchies: “Cybercrime requires less personal contact, less need for formal organization, and no need for control over a geographical territory. Therefore, some researchers argue that the classical hierarchical structures of organized crime groups may be unsuitable for organized crime on the Internet.
Consequently, online criminal activity may emphasize lateral relationships and networks instead of hierarchies.”18 The creation of markets offering the sale or rental of tools to accomplish acts of cybercrime helps extend the reach of criminals who earlier might have worked alone or who might have used other methods.19 The prevalence of intellectual property crimes involving theft of confidential information is unknown, but some believe it to be a serious issue.

15 Stephen Spoonamore, a cybersecurity consultant, provided this example on the Diane Rehm Show, “Cyber Threats,” June 25, 2008.
16 “A walk on the dark side: These badhats may have bought your bank account,” The Economist, August 30, 2007, http://economist.com/displaystory.cfm?story_id=9723768, accessed 11/08/2007; Gregg Keizer, “Russian Hackers Behind Attack PDFs: The Russian Business Network, a notorious hacker gang, is responsible for ongoing spam attacks using malicious PDF files,” Computerworld, October 25, 2007, http://www.pcworld.com/article/id,138892/article.html, accessed 11/07/2007.
17 Gregg Keizer, “Russian Hackers Go Dark to Relocate,” Computerworld, November 08, 2007, http://www.pcworld.com/article/id,139465-page,1-c,privacysecurity/article.html, accessed 08-13-2008.
18 Clay Wilson, “Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress,” Congressional Research Service, January 29, 2008, p. 30.
19 See, e.g., Julian E. Barnes, “P.& G. Said to Agree to Pay Unilever $10 Million in Spying Case,” New York Times, September 7, 2001, http://query.nytimes.com/gst/fullpage.html?res=9A0CE1DB1039F934A3575AC0A9679C8B63&sec=&spon=&pagewanted=print, accessed 08-14-2008.
When undertaken as a cybercrime and done carefully, theft of intellectual property can leave no traces.20

Potential Sources of Attack: Nation States and Their Surrogates

It can be difficult to distinguish an attack by a nation state from an attack by its surrogates. Easy availability of support from cybercriminals further complicates efforts to ascertain the real source of an attack. Conversely, it appears that nation states can develop systems for cyberattacks, use them, and then offer them in the criminal market to help recoup the costs. While the following examples concern Russia and China, it must be understood that cyberintrusions are a global phenomenon. “U.S. counterintelligence officials reportedly have stated that about 140 different foreign intelligence organizations regularly attempt to hack into the computer systems of U.S. government agencies and U.S. companies.”21

In August 2008 Russia and Georgia, a former Soviet republic, went to war over South Ossetia, an ethnic enclave within Georgia’s borders. Apparently for the first time, the war was preceded by cyberattacks, in this case against Georgia. Servers were taken down, which largely prevented the Georgian government from communicating by the Internet either with its citizens or internationally. The attacks disabled Georgia’s foreign ministry website except for a collage that compared the Georgian president with Adolf Hitler. The source of the attacks was not clear. The Russian government denied it was responsible, and suggested that people unhappy with Georgia’s attack on South Ossetia might have initiated the cyberattacks. Some experts saw the attacks as reflecting the methods of, and coming from computers controlled by, the Russian Business Network. Because Georgia is not overly dependent on the Internet for commercial and other operations, it suffered little harm except to government websites.
However, experts were quick to point out how cyberattacks offer an inexpensive and effective complement to other forms of warfare.22 One lesson was how hard it can be to identify the source of a cyberattack. Not only was one of the attacking computers located in the United States, an ally of Georgia, but also surrogates outside of the Russian government itself were able to help, if not conduct the entire attack by themselves.

This was not the first time that serious international attacks occurred that could not be attributed conclusively to Russia rather than to Russia’s surrogates. An attack on Estonia in spring 2007 was much more devastating than the 2008 cyberattack on Georgia. Unlike Georgia, Estonia was heavily dependent on the Internet for commerce, and for dealings with the government such as voting and paying taxes. The Estonia incident occurred after the country’s government decided to move a statue commemorating the Soviet defeat of Nazi Germany from a central location to a suburb. There were massive distributed denial of service attacks on government sites and on bank, newspaper, and other commercial sites, which came close to shutting down the country’s Internet infrastructure. It appears that criminal organizations helped carry out the attack. Experts speculate that up to a million computers were enlisted for the attacks and that the attackers rented time on botnets to supplement their strength. Indeed, as the New York Times reports, “the attackers’ time on the rented servers expired, and the botnet attacks fell off abruptly.” The Internet also allowed the attackers to enlist other supporters. Even before the attacks began, Russian-language forums and chat groups offered “detailed instructions on how to send disruptive messages, and which Estonian Web sites to use as targets.”23

Other attacks, such as the Booz Allen Hamilton spear-phishing incident above, can be traced back to computers located in China. Again, it is difficult to determine the extent to which such attacks are backed by the government and the extent to which they represent the work of surrogates or of specific groups within the government such as the People’s Liberation Army. General James E. Cartwright, then the commander of the United States Strategic Command, told the U.S.-China Economic and Security Review Commission in 2007 that China actively probes computer networks of federal agencies and private companies. These intrusions help the Chinese with “identifying weak points in the networks, understanding how leaders in the United States think, discovering the communication patterns of American government agencies and private companies, and attaining valuable information stored throughout the networks.” General Cartwright observed that this reconnaissance is comparable to strategic intelligence in pre-electronic days, except that “in today’s information environment, the exfiltration that once took years can be accomplished in a matter of minutes in one download session.”24

A massive case of cyberespionage occurred in Germany in 2007.

20 “Corporate espionage: Not if, but when,” ZDNet.co.uk, March 11, 2008, http://resources.zdnet.co.uk/articles/features/0,1000002000,39365959,00.htm, accessed 08-13-2008.
21 Clay Wilson, “Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress,” Congressional Research Service, January 29, 2008, p. 12.
22 John Markoff, “Before the Gunfire, Cyberattacks,” New York Times, August 13, 2008, http://www.nytimes.com/2008/08/13/technology/13cyber.html?_r=2&sq=russia%20georgia%20ossetia&st=cse&oref=slogin&scp=17&pagewanted=print&oref=slogin, accessed 08-13-2008; Kim Hart, “Long Time Battle Lines Are Recast in Russia and Georgia’s Cyberwar,” Washington Post, August 14, 2008, p. D-1.
German intelligence officials found that computers in the Chancellor’s Office and the Foreign, Economics, and Research ministries had been compromised. Mounting what the officials called “the biggest digital defense ever mounted by the German state,” German officials prevented some 160 gigabytes of data from leaving the compromised computers; the German government has no idea how much information had already been taken before the intrusions were detected in May 2007. While the German government did not describe the content of the stolen information, it appears that the secrets related to leading-edge economic information. Germany is the world’s leading exporter (ahead of China), especially in high-technology manufactured products. The stolen information was tracked to three sites in China. “The scale and the nature of the data being stolen suggest, the investigators say, that the operation must have been steered by the State and, in particular, the People’s Liberation Army.”25

A German reporter for the weekly newsmagazine Der Spiegel first broke the story of the Chinese cyberattacks to obtain German economic information.26 The same reporter also covered the 2008 China earthquakes and pointed out shortcomings in government building codes that allowed many schools to collapse with tragic result. At that point the China state security service posted a photo of the Spiegel reporter and his home address on the Internet, stating that he was hostile to China. It took the intervention of the German Ambassador to get the posting removed. This cyberattack is an example of how a nation state can post information on the Internet to create a climate for private citizens, or others masquerading as private citizens, to conduct a physical attack on a specified target. Cyberspace lends itself to such collaboration between government and private actors.
In the cyberattacks on Georgia, for example, a Russian-language website, stopgeorgianow.ru, offered software that Russia’s supporters could use for distributed denial of service attacks. This allowed private attackers more easily to supplement the large-scale attacks being conducted as a part of Russia’s conflict with Georgia.27

23 Mark Landler and John Markoff, “Digital Fears Emerge After Data Siege in Estonia,” New York Times, May 29, 2007.
24 U.S.-China Economic and Security Review Commission, 2007 Report to Congress, June 2007.
25 Roger Boyes, “China accused of hacking into heart of Merkel administration,” Timesonline, August 27, 2007, at http://timesonline.co.uk/tol/news/world/europe/article2332130.ece, accessed August 27, 2007.
26 „Prinzip Sandkorn: Unternehmen aus der Volksrepublik greifen Hochtechnologie-Produkte aus Deutschland an,“ Der Spiegel, August 27, 2008.
27 Mark Landler and John Markoff, “Digital Fears Emerge After Data Siege in Estonia,” New York Times, May 29, 2007.

The expense of intrusion

It is simply impossible to determine the economic costs of cyberintrusions directed against companies or government organizations in the United States. The Congressional Research Service concluded in 2004 that a limited amount of survey data were available that even the compilers described as being anecdotal.28 There are good reasons why statistical data are simply unavailable. One involves the source of information: many firms and organizations have strong incentives to conceal information about cyber-attacks. Thus, in its semi-annual survey of incidents, Symantec notes that different sectors may face different reporting requirements.
Symantec singles out government as one sector that is most likely to report breaches. By contrast, “organizations that rely on consumer confidence may be less inclined to report such breaches for fear of negative consumer, industry, or market reaction.”29

Secondly, as the Congressional Research Service concluded in 2004, there are significant uncertainties and measurement difficulties that limit the ability to specify the dollar amount at risk from particular breaches. “[A]ssigning an overall figure to the cost of cyber-attacks remains highly speculative.”30 There is no reason to believe that better data are available today. Indeed, the problem of measuring the harm caused by cyberintrusions probably has grown much worse. Cyberattacks designed to obtain confidential information have become increasingly sophisticated. That means that the amount of damage from lost intellectual property may well be even less susceptible to measurement than before.

Even though the numbers cannot be accurately estimated, the nature of the threat is large and growing. Available statistics are not reassuring. For example, the Privacy Rights Clearinghouse, a nonprofit consumer rights organization, reports that over 230 million data records of U.S. residents were compromised through security breaches since January 2005.31 The New York Times reports that “a consensus estimate among experts is that 11 percent of the more than 650 million computers connected to the Internet are infected” with so-called bots that can be used for espionage or destructive attacks.32 Other estimates, such as by Greg Garcia, Assistant Secretary for Cybersecurity and Communication in the Department of Homeland Security, are even higher.33 The National Research Council reviewed available studies and concluded in 2007: “The documentation of the nature of cybersecurity incidents provided in these reports is fragmented and incomplete…Yet, the available data are sufficient to make assertions about the seriousness of the threat that are more than just statements taken on faith….Taken together, they paint a clear picture of growing impacts, including lost production, operational disruptions, and direct economic costs from fraud and lost business, measured on the scale of several billions of dollars annually. The impact is already very large and growing, and the threat is expanding.”34

28 Brian Cashell, William D. Jackson, Mark Jickling, and Baird Webel, “The Economic Impact of Cyber-Attacks,” Congressional Research Service, April 1, 2004.
29 “Symantec Global Internet Security Threat Report: Trends for July–December 07,” Volume XII, Published April 2008, p. 12.
30 Brian Cashell, William D. Jackson, Mark Jickling, and Baird Webel, “The Economic Impact of Cyber-Attacks,” Congressional Research Service, April 1, 2004. For one example of a study that attempts to deal with some of the methodological issues, see Scott Dynes, Eva Andrijcic, M. Eric Johnson, “Costs to the U.S. Economy of Information Infrastructure Failures: Estimates from Field Studies and Economic Data,” forthcoming in Proceedings of the Fifth Workshop on the Economics of Information Security, Cambridge University, undated, 2006.
31 Privacy Rights Clearinghouse, http://www.privacyrights.org/, accessed August 17, 2008.
32 New York Times, “Wake up your Computer,” January 12, 2007.
33 “We also see that on any given day, there are an estimated 40% of the 800 million computers connected to the internet worldwide are bots [in] bot nets, …which are designed to distribute spam, steal personal information, conduct denial of service attacks.” Greg Garcia, Assistant Secretary for Cybersecurity and Communication in the Department of Homeland Security, remarks, Defending Cyberspace 2008 Conference, Washington, DC, May 7, 2008.
34 National Research Council, Toward a Safer and More Secure Cyberspace, 2007 (prepublication manuscript), p. 2-17.

The threat of destructive programs is potentially large and particularly hard to measure. Because a destructive program is largely a single-strike weapon, adversaries may wait for an opportune moment, whether political, economic, or military, to launch an attack. The cost of compromised systems becomes clear mostly in retrospect, if then.

III. Barriers to Effective Response

You are fighting a war. It is an advanced persistent threat. It never goes away; the tools change every day. You do one thing, the enemy does another. You do another thing, they do another. It is a continuous thing that will not go away in my lifetime. That’s why it is called an advanced persistent threat…
Thomas W. Shelman, Defending Cyberspace 2008 Conference, May 7, 2008.

To be honest, most CEOs don’t understand cyberspace and most IT guys don’t know how to talk to them about it either.
Dr. John Hamre, Defending Cyberspace 2008 Conference, May 7, 2008.

Mounting an effective response to the proliferation of cyberattacks has not been easy. Some of the barriers to effective response relate to the way that technology facilitates constant evolution of the forms of cyberattack.
Other barriers relate to the difficulty of making potential victims aware of their vulnerabilities and the need to improve their defenses. Even if they become aware, victims may believe it is easier to cope with attacks than to bear the expense of improving their information systems and defenses. Another issue relates to the focus of many effective attacks, which use weak partners or weak systems of a company or agency as the entry point to infect systems that otherwise may be well defended. This “weak link” problem can greatly increase the cost of defense. Moreover, the weak-link problem may mean that the system that is vulnerable doesn’t belong to the organization that will bear the major costs of an attack. This leads then to the need for common defense in many cases and the difficulty that organizations often have in working together to achieve common goals.

Complacency

The threshold problem is that many forms of malware, and especially those forms designed to steal intellectual property, are not detected without making a special effort. Thomas Shelman of Northrop Grumman Information Technology, who has spoken to hundreds of corporate chief information officers (CIOs), is concerned about the lack of awareness: “I worry about corporate America because they think that they are safe. The smartest CIOs, and these aren’t bad people, these are good people, they are great leaders, but they don’t know. They don’t know the vulnerabilities.”35

35 Thomas W. Shelman, remarks, Defending Cyberspace 2008 Conference, Washington, DC, May 7, 2008.

Then when a possible intrusion is discovered, the CIO has a significant incentive to apply the least burdensome solution and declare the problem over. Again Mr. Shelman: “The typical CIO goes through a learning process, and I went through this learning process.
And the first part of it … starts with denial; you say my firewalls protect me, I am okay. Then you go through this thing where you are in shock and say I can’t believe that that’s happening. At some point you think you have the problem fixed because you put the fire fighting team on it and you go do something, and maybe you disconnect from the internet, reset everyone’s passwords and say, I am okay. Well, no, you still didn’t get it.”36

By contrast, Mr. Shelman believes that many parts of government, and especially the Department of Defense, do understand the nature of the cyberthreat and the need to detect threats and deal with them both preventively and with an effective response. The question for many government agencies, as discussed below, is whether they have the resources and have assigned cyberdefenses a high enough priority in allocating their resources.

The Problem as an Advanced Persistent Threat

Constant improvements in information technology benefit not only companies and governments, but also attackers. Professional use of targeted attacks to harvest trade secrets and national secrets is superseding amateur attacks that used viruses and worms to cause destruction. Bots are the current scourge; the next form of attack is just over the horizon. That means that cyber defense must be a continuing process rather than a one-time cure. For every defensive measure, attackers, whether nation-states or criminals, can develop countermeasures. Intruders constantly adopt new sophisticated approaches, such as so-called client-side attacks that involve e-mail, instant messaging, media streaming, and other interactions with a hostile server. They also defend themselves better against countermeasures, for example with so-called “fast-flux service networks” of compromised computer systems that change their architecture constantly so as to make it hard to track their operations.37 This constant evolution of attack methods means that defense too is a continuing effort.
36 Ibid.
37 For examples of the arms race between cyberattackers and defenders, see, e.g., Scott Berinato, “Hacker Economics 2: The Conspiracy of Apathy,” www.cio.com, October 8, 2007; and Scott Berinato, “Hacker Economics 3: MPACK and the Next Wave of Malware,” www.cio.com, October 8, 2007.

The Costs of Defense

To build an effective defense requires effort and resources. Companies often do not see the value of expending such effort and resources. If the perceived costs of intrusion are small, a firm may simply pass on the costs in its prices. Or a bank or other firm may be able to limit its exposure by setting contractual limits on its liability to its customers for losses from third-party fraud.

This relates to what economists call “externalities.” The party that bears the costs of an intrusion, in terms of ID theft, theft of proprietary information, or a distributed denial of service attack, for example, may not be the party whose weak defenses allowed the breach to occur. The costs of shoring up a weak defense may fall on a party that is not harmed much at all by the initial intrusion. A classic example of externalities would be a destructive attack to bring down a piece of critical infrastructure such as an electric power system. The power system might go out of business at a cost to its owners, but the costs to all people and organizations from the power failure could possibly end up being very much greater.38 The particular power company itself might not see enough economic value in upgrading its defenses to a high enough level, unless there were a common effort, for example through regulatory requirements that prevented competitors that spent less on cyberdefense from taking economic advantage. The problem of “weak links” can create externalities.
In other words, successful cyberintrusions often occur through legacy systems at a firm or agency or through the weakly defended systems of a business partner, whose systems provide a conduit for the intruder to bypass the defenses of an otherwise well-defended firm or agency. One can imagine a small business, for example, that partners with a large company that possesses strong defenses. The small business might simply not have the financial strength to bring itself up to the same standards that its larger partner can meet.

The Difficulty of Achieving Joint Action

In short, there are many reasons to believe that joint action is needed to deal with many aspects of cyberdefenses. While individual efforts are important, joint effort is also needed, both to enhance protection and to reduce the collective cost of improved cybersecurity. For example, a joint effort can:

• Establish minimum standards so that firms and their business partners, or government agencies and their partners, do not place each other’s systems at risk;
• Encourage expanded availability of certification so that companies and agencies can properly assess the quality of their cyberdefenses and the quality of partners’ systems;
• Provide appropriate incentives so that organizations that can improve cybersecurity at least cost, such as Internet Service Providers (ISPs) or banks or telecommunications companies, provide appropriate levels of protection for their customers rather than requiring customers to undertake individual efforts at a much greater total cost;
• Protect critical infrastructure, whether owned by the public or private sector;
• Share information about the nature and possible timing of major threats; and
• Provide effective support to assist firms or agencies to recover from the effects of a cyberattack.

These benefits of joint action are clear. However, it can be difficult to translate the need for cooperation into effective action.
For example, an earlier Johns Hopkins report on identity management systems seemed optimistic that parties might find a way to come to agreement on common standards, certification procedures, and interoperable systems.39 However, that has not happened. There always are tradeoffs, among parties who benefit or lose from a particular proposal, and among desired levels of protection compared to potential risks. The latter is especially problematic in the cyber domain because of the difficulty of understanding the actual level of risk that accompanies each level of protection. Some economic sectors may be more resistant to adoption of cyberprotection than others. The underlying industrial organization of each particular sector may exert a strong influence on the rate of adoption of common standards. To take a different example from the healthcare sector, the disparate interests of many different actors have impeded adoption of healthcare information technologies and standards despite the major benefits that this could provide to the sector as a whole.40

38 For a striking example of a successful destructive intrusion into a power generator, see CNN, “Mouse click could plunge city into darkness, experts say,” September 27, 2007, http://www.cnn.com/2007/US/09/27/power.at.risk/#cnnSTCVideo, accessed August 17, 2008.
39 This is discussed in Thomas H. Stanton, “Improving Federal Relations with States, Localities, and Private Organizations on Matters of Homeland Security: The Stakeholder Council Model,” Chapter 13 in Thomas H. Stanton, ed., Meeting the Challenge of 9/11: Blueprints for Effective Government, M.E. Sharpe Publishers, 2006.

Overlaid on these issues are legal issues: to what extent do the antitrust laws allow competing companies to collaborate on cyberdefenses?
To what extent do federal laws protect companies that share information about cybervulnerabilities with the federal government? Is that protection assured, or might it depend on the discretion of a federal official to decide whether or not to share something? What is the legal liability of a company that discloses that it has been successfully attacked? And what is the legal liability of a company that fails to disclose a successful attack, to whom does it have a duty to disclose, and how much information? Increasing amounts of information are available to assist firms in establishing policies to deal with such questions.41 On the other hand, the federal government has not yet created a legal framework for many issues. Some 38 states, following the lead of California, which enacted such a law in 2003, have enacted disclosure laws that require companies to notify consumers whose personal information has been compromised. Federal legislation is pending but has not yet been enacted.

Internal and external organizational issues also play a role. Many companies and agencies relegate issues of cybersecurity to the chief information officer or to a chief information security officer who reports to the CIO. This level of a company may be too low to allow for consideration of the kinds of tradeoffs that are needed to decide how much and what kind of cybersecurity to adopt. For example, a large number of cyberincidents can be traced back to a company or agency insider; yet the CIO alone may not be in a good position to opine about many of the personnel-related security measures, discussed below, that could help bolster cyberdefenses. Externally, many organizations may find it difficult to collaborate with one another.
As the Government Accountability Office reports, “…private sector officials stated that their organizations continued to be hesitant to share information on vulnerabilities and threats because of the fear that such sharing might negatively affect their financial bottom line. For example, private sector officials stated that it was difficult to share unfiltered information with their respective infrastructure sector ISAC [information sharing and analysis center] because a competitor operated the ISAC…”42 Within the federal government, collaboration may be especially hard to achieve across organizational boundaries.43 With some exceptions directly relevant to cyberdefense, this has proved to be especially true in national security and national intelligence. Given these obstacles, what will it take to improve our defenses, for people, organizations, and the country, against cyberattack?

40 “Since 2003 we have witnessed a national effort to advance health IT through a newly developed public-private standard-setting process. This process has proved (1) complex and burdened by too many goals, (2) easy for entrenched interests to dominate, and (3) reluctant to frame issues dealing with disruptive technology aimed at consumers.” David C. Kibbe and Curtis P. McLaughlin, “Alternative: Hanging out the Unmentionables for Better Decision Making in Health Information Technology,” Health Affairs, September/October 2008, vol. 27, no. 5, pp. 396-398; see also Carol C. Diamond and Clay Shirky, “Health Information Technology: A Few Years Of Magical Thinking?” Health Affairs, September/October 2008, vol. 27, no. 5, pp. 383-390.
41 See, e.g., Tim Proffitt, “Creating and Maintaining Policies for Working with Law Enforcement,” the SANS Institute, http://www.sans.org/reading_room/whitepapers/incident/32803.php, accessed August 17, 2008.
42 U.S. Government Accountability Office, Cyber Analysis and Warning: DHS Faces Challenges in Establishing a Comprehensive National Capability, GAO-08-588, July 31, 2008, p. 44.
43 See, e.g., Thomas H. Stanton, “Improving Collaboration By Federal Agencies: An Essential Priority For The Next Administration,” working paper, National Academy of Public Administration, August 2008, http://www.napawash.org/pmc/papers/collaboration.html, accessed August 17, 2008.

IV. Building an Effective Defense

Our approach in the Department of Defense is based on defense-in-depth. In other words, we do not believe that there is any one thing that you can do to go out and buy cyber security. We believe it spans the spectrum of technology, tactics, techniques, procedures, policy, and most importantly, it requires a culture change.
China’s Proliferation Practices, and The Development of Its Cyber and Space Warfare Capabilities, Hearing before the U.S.-China Economic and Security Review Commission, May 20, 2008, pp. 51-52. Testimony of Col. Gary D. McAlum, Director of Operations, Joint Task Force for Global Network Operations, U.S. Strategic Command, May 20, 2008.

The control of the information resource and flexibility for the business to get the job done are of paramount importance. Each one must be satisfied while not overpowering the other.
Sara Sinclair, et al., “Information Risk in Financial Institutions: Field Study and Research Roadmap,” 2008.

Effective cyberdefense requires both individual and joint efforts. On the one hand, each person and organization must be responsible for its own security. Government and other collective efforts cannot substitute for individual action. On the other hand, collective action also is needed.
People and organizations need to work together, to share promising practices, raise standards of weak partners with vulnerabilities that endanger more secure organizations, and provide testing, certification, and other support that is done more effectively and economically on a collective basis. Effective defense involves a range of actions that, taken together, could greatly enhance protection, both individually and collectively. Some sectors, such as financial services or defense and national security, seem much farther along in fostering collective action than others.

Develop a Culture of Cybersecurity Awareness

Both individuals and organizations need to adopt a culture of security awareness. Too many individuals still fail to take basic security precautions when going on the Internet. While government has tried to make people more aware, individuals must bear some of the responsibility for protecting themselves.44 This includes antivirus protection and firewalls as well as increased awareness of phishing and other scams.

For organizations an enterprise-wide sensitivity to security issues is essential. The risk of vulnerability to cyberattack can be seen as a subset of overall enterprise risk management. Note in the following definition how the obligation to ensure appropriate risk management is placed on top management: “Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”45 For cybersecurity, as with other risks that potentially go to the core of mission assurance, the right “tone at the top” of the enterprise is critical.
It is top management that can decide on the risk appetite of the enterprise and that must make decisions about tradeoffs between security and other aspects of mission success. The most successful companies manage these tradeoffs in a way that attempts to optimize security and mission assurance without impeding the shorter term effectiveness of the enterprise.

44 Brian Krebs, “‘A Lot of People Just Don’t Take the Basic Precautions,’” Washington Post, August 19, 2008, p. A11.
45 Committee of Sponsoring Organizations, Executive Summary, Enterprise Risk Management — Integrated Framework, September 2004, p. 2, available at http://www.coso.org/documents/COSO_ERM_ExecutiveSummary.pdf, accessed August 19, 2008.

The CIO cannot make the needed tradeoffs and cannot set the appropriate tone at the top. General Robert Elder of the United States Air Force Cybercommand believes that the Chief Operating Officer (COO) of a company or agency must be responsible for mission assurance, including cybersecurity.46 This can be seen in the problem that statistically “trusted insiders” pose the most significant threat to an organization’s cybersecurity.47 Catherine Allen, Chairman and CEO of the Santa Fe Group, notes that insider fraud often is committed by new employees and usually by people with no prior convictions.48 Examples abound. In the year 2000 a hacker in Australia caused a computerized waste-management system to dump millions of gallons of raw sewage into rivers and parks.
The hacker was a former employee of the company that had installed the system.49 Sometimes the vulnerability occurs from insider negligence rather than malice, as when the Department of Veterans Affairs reported that computer equipment containing personally identifiable information on approximately 26.5 million veterans and active duty members of the military was stolen from the home of a VA employee.

To deal with the problem of vulnerabilities created by insiders requires a change in organizational culture so that each person in the organization understands the nature of security requirements and their validity. The human relations office will need to help to build security compliance into the system for evaluating employee performance. The administrative office will need to work with the CIO to implement appropriate controls such as identity management systems for access to physical locations and to information systems. A company interdepartmental committee will need to struggle with the question of “need to know” and the means of adjusting employees’ access to specific information as they shift positions or leave the company. All of this requires a tone at the top that emphasizes the importance of security and encourages members of the organization to report issues and suggest solutions.50

Finally, both individuals and organizations need to become aware of the need for back-up measures and suitable recovery plans. Cybersecurity is not the only reason to establish a recovery plan. The possibility of physical loss of a system, natural disasters such as Katrina, homeland security events, and cyberattacks all provide good reason to create redundancies in information systems and continuity of operations generally. Individuals are well advised to back up their hard drives, a small cost compared to the potential impact on the career of someone who relies on a computer for work.
Companies and agencies are increasingly establishing so-called “hot sites” to allow for continuity of operations in the event of a problem. Many firms, especially in the financial sector, are adopting two “hot sites” to back themselves up. The financial sector is especially attentive to continuity of operations planning. The federal bank regulators, acting through the Federal Financial Institutions Examination Council (FFIEC), set continuity of operations standards and enforce them.51 Again, as with other aspects of mission assurance, prudent steps are a simple part of doing business in the Internet age.52

46 Lt. General Robert J. Elder, “Cyberdomain Protection and the National Defense,” presentation to the National Defense Industrial Association conference on the Defense Industrial Base Critical Infrastructure Protection, April 8, 2008.
47 Eric A. Fischer, Creating a National Framework for Cybersecurity: An Analysis of Issues and Options, Congressional Research Service, February 22, 2005, p. 22; John Rollins, Terrorist Capabilities for Cyberattack: Overview and Policy Issues, Congressional Research Service, January 22, 2007, p. 19; ZDNet.co.uk, “The top five internal security threats: It’s widely known that internal staff are the biggest threat to IT security, but what specifically should an employer watch out for?” March 6, 2008, http://resources.zdnet.co.uk/articles/features/0,1000002000,39363097,00.htm, accessed August 20, 2008.
48 Catherine A. Allen, “Detecting and Containing Attacks: A Compliance View,” The Santa Fe Group, presentation to the Defending Cyberspace Conference, May 7, 2008.
49 Ibid., p. 13.
50 M. Eric Johnson and Eric Goetz, “Embedding Information Security Into the Organization,” IEEE Security and Privacy, May/June 2007.
51 See, e.g., Federal Financial Institutions Examination Council, “Business Continuity Planning,” part of the FFIEC IT Examination Handbook, March 2008, http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf, accessed August 20, 2008.
52 For a useful overview of relevant literature, see, e.g., Stacy Jordan, “Mining gold…A primer on incident handling and response,” June 23, 2008, http://www.sans.org/reading_room/whitepapers/incident/32818.php, accessed August 20, 2008.

The Economics of Cybersecurity: Bake it in; Don’t Bolt it on

Once a culture of cybersecurity is established, the economics can be appropriately understood. “Bake it in; don’t bolt it on,” is an expression that summarizes the inclusion of cybersecurity in business decisions. Building considerations of cybersecurity into each business activity can reduce costs and increase effectiveness.

Take, for example, the process of mergers and acquisitions. Given the vulnerability of “weak links” to cyberattack, consideration of cyber security during the planning process can help to shore up the most significant vulnerabilities before they cause harm. Indeed, a good review of cybervulnerabilities before an acquisition may be an important factor in setting the price.

The same is true of relations with business partners. Screening potential partners for vulnerabilities before linking systems with one another can help to build an appropriate level of protection into the relationship from the beginning. Again, due diligence in this regard may factor into pricing; a more secure partner is worth more than one that creates unacceptable vulnerability.

Day-to-day operations also require consideration of cybersecurity.
Creation of a sound process for taking account of cybervulnerabilities can help to reduce the burdens (i.e., costs, in terms of dollars and management flexibility) of cybersecurity while enhancing the level of protection. Instead of imposing rigid rules, management may be able to devise more flexible approaches to cybersecurity that maintain security while allowing managers the freedom to carry out their work. However, this requires that security professionals develop increased “soft” interpersonal skills so that they can articulate technical issues and explore tradeoffs and options with company managers.53 The cultural change will need to work both ways, including both security professionals and line managers so that they can fruitfully talk with one another.

The issue of building cybersecurity into regular business operations is of strategic importance to an enterprise:

“In today’s Web 2.0 world, people require instantaneous access to information. They demand instant connectivity. That creates a natural tension with the cyber security folks. So as you try to make a more secure environment to conduct military operations and support military operations, adequate security measures needed to be factored in to the equation. There is some inherent tension in that effort that we’re experiencing in the DOD as we try to find the right balance.”54

Consider the relations of the Department of Defense with its contractors. One approach to cybersecurity would be to create a separate network between DOD and trusted partners. As is true of the Internet in countries such as South Korea and Japan, members of the network might pay a user fee that could pay for monitoring and enforcement. Members of the network would be licensed and required to meet specified standards. They and their partners would be checked to assure that those standards were being met.
In other words, recognizing the vulnerabilities of the Internet, DOD would simply move relations with its business partners into a separate and more secure domain.55

This approach raises a number of issues. DOD units frequently must interface with other nonsecure partners. For example, in the course of tsunami relief in South and Southeast Asia, U.S. naval vessels needed to link to nonprofit organizations and foreign government organizations. This creates the need for a so-called DMZ (demilitarized zone) so that relations with insecure partners may proceed while protecting more secure networks. Second, the building of a separate secure network creates burdens on the day-to-day work of the Department of Defense and its partners. The building of redundant systems entails significant costs, both in dollars and in loss of workplace flexibility. Another problem involves the small business partners of large defense contractors. Because of the “weak-link” problem, large contractors may need to build up the security of their smaller partners who cannot afford to do it by themselves.

53 Alex Clayton, “Successfully Building Security into Business Projects,” the SANS Institute, http://www.sans.org/reading_room/whitepapers/leadership/32863.php, accessed August 20, 2008.
54 Col. Gary D. McAlum, Director of Operations, Joint Task Force for Global Network Operations, U.S. Strategic Command, “China’s Proliferation Practices, and The Development of Its Cyber and Space Warfare Capabilities,” Hearing before the U.S.-China Economic and Security Review Commission, May 20, 2008.
55 Lt. General Robert J. Elder, “Cyberdomain Protection and the National Defense,” presentation to the National Defense Industrial Association conference on the Defense Industrial Base Critical Infrastructure Protection, April 8, 2008.
What are the tradeoffs between spending effort and resources to upgrade small business partners versus dealing mostly with larger firms instead?

Some in DOD would prefer instead to find more flexible ways to build cybersecurity into regular operations. Under this conception people with different levels of clearance would have access to different portions of stored information. This approach would require identity management, screening for a few key attributes, and tags on data to allow access according to the clearance level of the requester. The underlying idea is that the benefits of collaboration are so great that one should not confine collaboration unnecessarily or rigidly.56

Approaches to baking in cybersecurity will vary according to available technology, resources, and preferences of top management. The nature of tradeoffs will continue to evolve, as will the nature of costs that must be paid for mission assurance and cybersecurity. Ultimately, as Chris Rouland of IBM ISS puts it, “Our strategy is we have to figure out how you do business with an infected computer. How do you secure a transaction with an infected machine? Whoever figures out how to do that first will win.”57

Finally, the federal government needs to increase the level of its funding for unclassified IT research. Richard Clarke notes that much of the research should focus on how to write computer code that does not contain errors, adding that “current tools that find vulnerabilities…identify only about one-third of the total that are eventually found; moreover, these tools are also available to our adversaries.”58

Share Threat Information and Best Practices

Thus far, the discussion of protective measures has concerned individual action by people and organizations and the creation of trusted partnerships and networks of trusted partners. However, it is clear that economies of scale exist in cyberdefenses that deserve to be shared.
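The DOD approach described earlier in this section, in which an identity-management system vouches for a requester's clearance and a few screened attributes and each stored record carries tags that decide who may read it, can be illustrated in code. The following is an added example written for this report, not code from the report or from any DOD system; the clearance levels, need-to-know tags, attribute names, users and records are all constructed for illustration. It also shows the two housekeeping steps the report calls for earlier, re-issuing a person's access when they change position and cutting it off when they leave.

```python
"""Tag-based access control over stored information (added example).

Models the approach described in the report: an identity-management
system (hypothetical here) asserts a requester's clearance and a few
screened attributes, and every stored record carries tags that decide
who may read it. All levels, tags, users and records are constructed.
"""
from dataclasses import dataclass, field

# Ordered clearance levels (constructed); a later entry dominates earlier ones.
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class Principal:
    """Requester as asserted by the (hypothetical) identity-management system."""
    user_id: str
    clearance: str
    compartments: set = field(default_factory=set)     # need-to-know tags held
    attributes: dict = field(default_factory=dict)     # screened attributes, e.g. affiliation
    active: bool = True                                 # cleared on departure


@dataclass
class Record:
    """Stored information together with its security label."""
    record_id: str
    level: str
    compartments: set = field(default_factory=set)     # tags a reader must hold
    required_attrs: dict = field(default_factory=dict) # attribute screens a reader must pass


def check_access(p: Principal, r: Record) -> tuple:
    """Decide whether p may read r; returns (allowed, reason).

    Every condition must hold, so the check fails closed: an unknown level,
    a missing tag or a failed attribute screen denies rather than grants.
    """
    if not p.active:
        return False, "principal is no longer active"
    if p.clearance not in RANK or r.level not in RANK:
        return False, "unknown clearance level"
    if RANK[p.clearance] < RANK[r.level]:
        return False, f"clearance {p.clearance} is below {r.level}"
    missing = r.compartments - p.compartments
    if missing:
        return False, "missing need-to-know tags: " + ", ".join(sorted(missing))
    for key, wanted in r.required_attrs.items():
        if p.attributes.get(key) != wanted:
            return False, f"attribute {key} must be {wanted!r}"
    return True, "ok"


def transfer(p: Principal, new_compartments: set) -> Principal:
    """Re-issue need-to-know tags on a change of position; old tags do not carry over."""
    p.compartments = set(new_compartments)
    return p


def offboard(p: Principal) -> Principal:
    """Mark a departing employee inactive so every later request is refused."""
    p.active = False
    return p


def demo() -> dict:
    """Run the model over constructed users and records; returns each decision."""
    plans = Record("ops-plan-7", "SECRET", {"PROJ-A"}, {"affiliation": "DOD"})
    rollup = Record("weekly-rollup", "CONFIDENTIAL")
    analyst = Principal("analyst1", "SECRET", {"PROJ-A"}, {"affiliation": "DOD"})
    vendor = Principal("vendor2", "SECRET", {"PROJ-A"}, {"affiliation": "CONTRACTOR"})
    clerk = Principal("clerk3", "CONFIDENTIAL")

    out = {
        "analyst/plans": check_access(analyst, plans),
        "vendor/plans": check_access(vendor, plans),    # right level, wrong attribute
        "clerk/plans": check_access(clerk, plans),      # clearance too low
        "clerk/rollup": check_access(clerk, rollup),
    }
    transfer(analyst, {"PROJ-B"})                       # moved to another project
    out["analyst-after-transfer/plans"] = check_access(analyst, plans)
    offboard(vendor)                                    # left the company
    out["vendor-after-offboard/rollup"] = check_access(vendor, rollup)
    return out


if __name__ == "__main__":
    for name, (allowed, why) in demo().items():
        print(f"{name:32s} {'ALLOW' if allowed else 'DENY':5s} {why}")
```

The decision function returns the reason for a denial so that it can be logged; a record of who was refused what, and why, is the raw material for the "need to know" review the report says an interdepartmental committee must carry out. The clearance ordering and the tag names are assumptions of this example and would be replaced by an organization's own classification scheme.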
A number of organizations exist to share information and best practices. These include:

• The United States Computer Emergency Readiness Team (US-CERT), a partnership between the Department of Homeland Security and the public and private sectors, which helps to develop and promote the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of critical services.59
• The CERT coordination center of Carnegie Mellon University, which is a federally funded research and development center (FFRDC) originally established by the Defense Advanced Research Projects Agency (DARPA). It responds to major security incidents and analyzes product vulnerabilities and is now part of the larger US-CERT Program.
• InfraGard, which is a partnership between the FBI and the private sector, is an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States. InfraGard Chapters are geographically linked with FBI Field Office territories.60
• Information Sharing and Analysis Centers (ISACs) serving major critical infrastructure sectors, including information technology, communications, electricity, supply chain management, water, surface transportation, and public transit. The ISACs operate with varying degrees of effectiveness. They “enable industry experts to establish working relationships, build trust, share sensitive vulnerability, threat, and mitigation information, conduct informed analysis, and collaborate with other sectors and government in an organized manner.”61
• The NIST National Vulnerability Database, which “is the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.”62 The database reports on some 30,000 vulnerabilities and has about 50 million hits each year.63
• The SANS Institute is a cooperative research and education organization that serves over 165,000 security professionals worldwide, including auditors, network administrators, and chief information security officers, who share lessons and solutions. Free SANS resources include the Internet Storm Center (an Internet early warning system), weekly news and vulnerability digests, flash security alerts and over 1,200 research papers.
• The Transglobal Secure Collaboration Program (TSCP) is a government-industry partnership serving the aerospace and defense sector. Through adoption of common standards it helps members to mitigate risks related to compliance, complexity, cost and IT needed for collaboration and sharing of sensitive information in international defense and aerospace programs.

56 David Wennergren, Deputy Chief Information Officer, Networks and Information Integration at the Department of Defense, briefing, Center for Strategic and International Studies, July 28, 2008.
57 Scott Berinato, “Hacker Economics 3: MPACK and the Next Wave of Malware,” www.cio.com, October 8, 2007.
58 Richard A. Clarke, Your Government Failed You: Breaking the Cycle of National Security Disasters, HarperCollins, 2008, p. 316.
59 U.S. Government Accountability Office, Cyberanalysis and Warning: DHS Faces Challenges in Establishing a Comprehensive National Capability, GAO-08-588, July 2008.
Members include BAE Systems, Boeing, EADS, Raytheon, Lockheed Martin, Northrop Grumman, Rolls-Royce, the Netherlands Department of Defence, the U.S. Department of Defense and the U.K. Ministry of Defence.

Numerous other organizations also help to promote collaboration among public and private sector users of the Internet. That said, and recognizing the high quality of many collaborative efforts, knowledgeable people continue to call for improved collaboration, especially between the public and private sectors. Former Governor John Engler, now President and CEO of the National Association of Manufacturers, suggests a three-part approach to improved communication between the private sector and government:

“For industry and government to work in coordination, creating an effective cyberdefense strategy, we believe three goals are essential.
• “Open communication between government and industry on the nature of threats and the speed with which they evolve;
• “True collaboration through work on best practices and the tools of technology;
• “A government that follows through with clear points of contact and incentives – government incentives for industry to protect itself. I would include shields from liability in this area, as well.”64

60 “What is Infragard?” http://www.infragard.net/about.php?mn=1&sm=1-0, accessed August 20, 2008.
61 John T. Sabo, President, Information Technology-Information Sharing and Analysis Center (IT-ISAC), before the Committee on Oversight and Government Reform Subcommittee on Information Policy, Census, and National Archives, United States House of Representatives, October 23, 2007.
62 The National Vulnerability Database, “About NVD,” http://nvd.nist.gov/about.cfm, accessed August 20, 2008.
63 Daniel J. Chenok, Chair, Information Security and Privacy Advisory Board, “Bridging the Gap Between Government and Industry: The Private-Public Link,” presentation to the Defending Cyberspace Conference, May 7, 2008.
64 John Engler, Opening Comments, Defending Cyberspace Conference, Washington, D.C., May 8, 2008.

The United Kingdom provides perhaps the best recent example of clear communication between government and the private sector about threats. In late 2007 the Director-General of MI5, the UK’s internal security agency, sent a warning to 300 CEOs and heads of security at banks, accounting firms, and law firms, warning them that they were under attack from “Chinese state organisations”:

“The document gives warning that British companies doing business in China are being targeted by the Chinese Army, which is using the internet to steal confidential commercial information…. Another source familiar with the MI5 warning said…that known attacks had not been limited to large firms based in the City of London. Law firms and other businesses in the regions that deal even with only small parts of Chinese-linked deals are being probed as potential weak spots… The MI5 letter includes a list of known “signatures” that can be used to identify Chinese Trojans and a list of internet addresses known to have been used to launch attacks.”65

This warning had critical characteristics that made it useful: it was precise about the likely set of vulnerable firms and the electronic indicators that firms should consider especially dangerous.

The United States does not have an internal security agency. However, it sometimes is possible for U.S. intelligence sources to provide assistance. Thus, in January 2008 a CIA analyst issued a warning to 300 U.S. and international security officials from government and from electric, water, oil, and gas companies who were attending a conference. Tom Donahue, the CIA’s top cybersecurity analyst, said that utility companies outside the United States had been subjected to cyberattacks.
In one case the attack resulted in a power outage that affected multiple cities. The identity of the attackers was not known, Donahue said, but it was known that the attackers made extortion demands. “‘We suspect, but cannot confirm, that some of the attackers had the benefit of inside knowledge,’” Donahue said. He did not specify where or when the attacks took place, their duration or the amount of money demanded.66

It is clear that such warnings can greatly assist both government and the private sector to take significant preventative steps. As the various public-private working groups and other organizations build personal trust, it may be possible to share information more extensively. This is an issue that deserves further study to determine the conditions under which the most effective collaboration can take place without sacrificing other values. Always in this area, tradeoffs must be understood and designed to optimize the benefits and costs.

Often, understanding the nature of the underlying problem is necessary to solve the problem that presents itself. Thus, rapid turnover of cybersecurity officials has reduced the ability of DHS to maintain trusted collaborative relationships with other organizations.67 One may not be able to solve the collaboration problem without addressing the underlying human resources issue.

65 Rhys Blakely, Jonathan Richards, James Rossiter and Richard Beeston, “MI5 alert on China’s cyberspace spy threat,” The Times, December 1, 2007, http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article2980250.ece, accessed 08-05-2008.
66 Ellen Nakashima and Steven Mufson, “Hackers Have Attacked Foreign Utilities, CIA Analyst Says,” Washington Post, January 19, 2008, p. A04.
67 U.S. Government Accountability Office, Information Security: Despite Reported Progress, Federal Agencies Need To Address Persistent Weaknesses, GAO-07-837, July 2007; U.S. Government Accountability Office, Information Security: Progress Reported, but Weaknesses at Federal Agencies Persist, GAO-08-571T, March 12, 2008.

Require Partners to Meet Key Standards

The importance of assuring the security of trusted partners has already been noted. A good example of joint establishment and management of standards comes from the payment card industry. In 2006 American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. established the PCI Security Standards Council. The council develops PCI Security Standards, including: the Data Security Standard (DSS), Payment Application Data Security Standard (PA-DSS), and PIN Entry Device (PED) Requirements. It manages the standards, provides education, and promotes awareness of the standards. “All of the five founding members have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs. Each founding member also recognizes the QSAs and ASVs certified by the PCI Security Standards Council as being qualified to validate compliance to the PCI DSS….Other industry stakeholders are encouraged to join the group and review proposed additions or modifications to the standards.”68

The payment card industry is economically much more concentrated than other industries. Also, payment transactions must be interoperable across payment systems, which creates some interdependence among companies. These factors make it easier for the PCI Security Standards Council to operate, compared to other industries with larger numbers of companies that vary significantly in size and capacity from one another and that do not need to rely on collaboration across the industry to succeed. For such industries, to the extent that they represent critical infrastructure, federal intervention may be necessary.
Governor Engler and the National Association of Manufacturers believe that one effective tool for the federal government would be to build cybersecurity requirements into federal procurement standards: “Government can use its market power, instead of its regulatory power by more prominently including security, along with cost, into its procurement process.”69 This is an important approach for many industries whose level of cybersecurity is essential not only for the particular economic sector, but also for government agencies that the industries relate to. The Department of Defense, for example, is beginning to incorporate increasingly stringent cybersecurity performance standards into its procurement requirements. This can supplement the role of public-private organizations, such as the Transglobal Secure Collaboration Program (TSCP), in setting standards for the defense industrial base.70

However, much of the rest of government is not yet at work to use its procurement power to raise standards of cybersecurity. Many agencies themselves continue to have spotty records with respect to vulnerability to cyberattack.71 For example, the current governmentwide initiative to reduce the number of federal Internet connections and standardize their levels of security has met with a range of responses, from agencies that appear ready or nearly ready to adopt Trusted Internet Connections (TICs) to those that have a long way to go.72 Richard Clarke makes several recommendations:

• All federal networks should use two-factor authentication systems, and everyone interacting with federal networks should also be required to authenticate;
• All data, e-mails and laptops should be encrypted; and
• The size of the OMB staff enforcing federal IT security should be expanded substantially from the current two people, and that staff should be given authority to require agencies to upgrade their security standards.73

Also, many government agencies do not assure the performance of their partners. The Office of Management and Budget reviewed the compliance of 25 federal agencies with the Federal Information Security Management Act of 2002. OMB reported that, in Fiscal Year 2007, it asked agency inspectors general to confirm “whether the agency ensures information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy, and NIST guidelines.” OMB found that the number of inspectors general answering that question as “almost always” decreased from 2006 to 2007 from 15 agencies to 12 agencies.74 There is a clear need for government to be more forceful in using its purchasing power to raise the quality of cybersecurity in critical industries. But to be credible, each agency must ensure that it is not itself the weak link, rather than looking only at its business partners.

68 “About the PCI Security Standards Council,” https://www.pcisecuritystandards.org/about/index.shtml, accessed August 20, 2008.
69 John Engler, Opening Comments, Defending Cyberspace Conference, Washington, D.C., May 8, 2008.
70 See www.tscp.org.
71 U.S. Government Accountability Office, Information Security: Despite Reported Progress, Federal Agencies Need To Address Persistent Weaknesses, GAO-07-837, July 2007; U.S. Government Accountability Office, Information Security: Progress Reported, but Weaknesses at Federal Agencies Persist, GAO-08-571T, March 12, 2008.
72 http://www.whitehouse.gov/omb/egov/documents/2008_TIC_SOC_EvaluationReport.pdf, accessed September 27, 2008.

Create Incentives for Critical Sectors to Improve Cybersecurity

Government can apply various tools to help create incentives. One approach is to use grant funds to encourage adoption of standards.
To be effective, the requirement for federal partners to adopt standards likely must be built into federal grant programs that support much larger activities than mere cybersecurity alone. One positive example, from a different homeland security sphere, was the SAFECOM Interoperable Wireless Communications Program of the Department of Homeland Security. By leveraging federal grant funds for first responders, especially in major urban areas, DHS was able to encourage adoption of standards for interoperable digital two-way wireless communications products.75

Another area where grants have been beneficial relates to the continuing federal need for employees with high technical skills and knowledge of cybersecurity. The Scholarship for Service program provides grants to students who commit to work for the federal government in return for their grants.76 Again, this grant program is likely effective because of the difference it can make in encouraging behavior, here the opportunity to introduce highly skilled graduates to federal service.

Another major tool of government is regulation.77 As Governor Engler and others have pointed out, regulation is a cumbersome process that generally lags behind market developments. The lag is especially substantial in the fast-moving world of information technology and cybersecurity. That said, regulation may be an important tool for economic sectors that are especially critical and manifest an industrial organization that might preclude companies from adopting adequate cybersecurity on their own. One justification for setting minimum standards is that companies should not benefit competitively from skimping on IT security, including cybersecurity. Otherwise, without standards and regulatory supervision, the result could be a race to the bottom.78

73 Richard A. Clarke, Your Government Failed You: Breaking the Cycle of National Security Disasters, HarperCollins, 2008, p. 316.
74 Office of Management and Budget, Fiscal Year 2007 Report to Congress on Implementation of The Federal Information Security Management Act of 2002, p. 6.
75 http://www.safecomprogram.gov/SAFECOM/.
76 https://www.sfs.opm.gov/StudentBrochureWeb.pdf.
77 See, generally, Malcolm K. Sparrow, The Regulatory Craft, Brookings, 2000.
78 Stephen Malphrus, Board of Governors of the Federal Reserve System, remarks to the Conference on Defending Cyberspace, May 8, 2008.

The electric power industry would appear to be such a critical infrastructure sector. Early in 2008 the Federal Energy Regulatory Commission issued eight standards for electric utilities, including identity controls, training, security perimeters, physical security of critical cyber equipment, and incident reporting and recovery. Given the mixed record of the electric power industry in assuring system reliability, additional standards could well be warranted, as well as assurance that any standards in fact are promptly implemented.

Another area where regulation is likely warranted relates to internet service providers (ISPs). Richard Clarke recommends that, “The Federal Communications Commission should require internet service providers to take specific measures to reduce spam, worms, viruses, denial-of-service attacks, phishing, botnets, and other malicious activity.”79 This is a critical area where appropriate regulations can place much of the burden of improved cybersecurity onto the industry that is best positioned to deal effectively with it. It makes much more sense for ISPs to apply protective measures than for millions of individuals and enterprises to attempt to replicate that protection on a computer-by-computer basis.

Mr. Clarke also believes that the federal bank regulators should require two-factor authentication for all online banking and stock trading.
There is at least anecdotal evidence that online banking is inadequately protected, and this recommendation too would seem to be cost-effective.80

Once again, careful analysis is needed to select those sectors where regulation is needed because (1) the sector is critical to the well-being of the United States, and (2) the industrial organization of the industry or other factors preclude industry-wide adoption of appropriate standards. Then careful thought is needed to design regulations, and enabling legislation if necessary, to attempt to shift regulatory responsibilities to those firms that are best placed to assure minimum standards of cybersecurity in the most cost-effective manner. Other important issues involve the need to optimize tradeoffs of security against other important values such as innovation. Merely to list these factors indicates how difficult a legislative or regulatory process can be. Regulation is fundamentally a political issue. Different types of firms attempt to shape the contents of regulations – always in the name of protecting consumers and markets – to shift burdens to their competitors.81

79 Richard A. Clarke, Your Government Failed You: Breaking the Cycle of National Security Disasters, HarperCollins, 2008, p. 316.
80 Scott Berinato, “Hacker Economics 2: The Conspiracy of Apathy,” www.cio.com, October 8, 2007; and Scott Berinato, “Hacker Economics 3: MPACK and the Next Wave of Malware,” www.cio.com, October 8, 2007.
81 Bruce M. Owen and Ronald Braeutigam, The Regulation Game: Strategic Use of the Administrative Process, Ballinger Publishers, 1978.

V. Conclusion

This review of cybersecurity suggests that threats to cybersecurity are real and significant, both for individuals and for firms and government agencies. The form of cyberattacks is constantly evolving.
Perpetrators are developing increasingly sophisticated forms of harmful attack, whether for theft of intellectual property, fraud, or political purposes. Cyberattacks are especially pernicious because perpetrators of the most effective attacks may seek deliberately to hide the success of the attack so as to obtain much greater benefit than if the attack were discovered. The findings of this report lead to the following recommendations:82

1. Cyberdefense is not a problem solely for government to solve; firms and individuals in the private sector must recognize their responsibility for protecting their intellectual property and other assets from cyberattack.
• Individuals and firms need to increase their awareness of the threat of cyberattack.
• Organizations must build cybersecurity into their daily activities and a culture of cybersecurity.
• Security should become an integral part of systems and processes: bake it in, don’t try just to bolt it on.
• Because attackers try to exploit weak links in security, organizations need to require their business partners to meet appropriate standards.

2. That said, government must play an important role in encouraging coordinated improvement in both government and the private sector.

3. Government and the private sector need to improve the sharing of information on many levels, including best practices and alert warnings.
• Economies of scale in cyberdefense mean that effective information sharing can reduce cost for all participants.
• Information sharing often requires personal trust; organizations such as the Department of Defense find it easier to build trust relationships with business partners than organizations with frequent turnover of personnel such as DHS.

4. The government’s approach of looking at cybersecurity in terms of critical infrastructure sectors makes sense, given the different nature of each sector, in terms of industrial organization and current regulatory context.
However, some sectors lag seriously behind others in addressing their vulnerability to cyberattack.
• Research grants and training should recognize the importance of each sector adopting norms of responsible behavior and changing the cultures of individual organizations, and not merely encourage adoption of software and hardware tools to prevent cyberattacks.

5. Careful analysis is needed to develop an effective layered defense for the country as a whole, through a combination of approaches. Important tradeoffs exist, between security and other values such as innovation, flexibility to carry out the organization’s mission, and cost. So far, this type of analysis has been lacking for many aspects of cybersecurity.

6. Some private actors, such as internet service providers, are in a position to implement improvements in cybersecurity at much less cost than if the burden were placed on all of their customers. Government should play a role in helping to assure that responsibility for cybersecurity shifts to those places that are best able to implement it cost-effectively.

7. There is a role for government to apply several tools of government, including grants, requirements in procurement contracts, and regulation.

82 One other important set of issues relates to the need to engage in diplomatic and other means of increasing international cooperation to counter global cybercrime organizations. At the Conference on Defending Cyberspace, May 8, 2008, Michael Aisenberg stressed both the importance and promising prospects for such efforts. For example, he points out that parts of the Chinese government are likely to be open to partnering with organizations in the United States to reduce the level of global cyberattacks, especially given the significant number of such attacks that originate in each country.
• Setting requirements in procurement contracts is potentially very effective, especially in sectors such as defense and national security where government is able to bear some of the cost of the improved cybersecurity standards that it requires.
• Where grant programs are large enough to make a difference, grants also can play a role in promoting improved cybersecurity. Grants are likely to be most useful in focused areas such as encouraging a stream of graduates with technical knowledge of cyberdefense to enter public service.
• Because of the weak link problem, regulation may be required to address shortcomings in cybersecurity in a number of economic sectors.

8. The next administration needs to make cybersecurity a major priority, especially because of the nation’s increased vulnerability at a time of growing financial weakness. This should be a part of enhancing the capacity in the Executive Office of the President to lead the government in addressing such critical issues.83

Needed now is to make these lessons and recommendations more concrete in their application. This should include a compilation of promising practices to help inform the nation’s cyberstrategy: a review of approaches by government and the private sector that have been most effective in promoting cybersecurity, with an analysis of the conditions under which each approach works best. But study alone is not enough. With increased leadership from the Executive Office of the President, and from leaders in the private sector, the public and private sectors must work together to devise effective cyberdefense plans, especially for critical sectors that currently lag in cybersecurity, and then implement them. While this effort will involve a significant commitment of resources, the alternative could be much more costly for us all.

83 Thomas H. Stanton, “Improving Managerial Capacity of the Federal Government: A Public Administration Agenda for the Next President,” Public Administration Review, in press; and Thomas H. Stanton, Working Paper, “Improving Collaboration by Federal Agencies: An Essential Priority for the Next Administration,” August 2008, available at http://www.napawash.org/about_academy/ImprovingCollaborationbyFederalAgencies.pdf, accessed September 28, 2008.

Acknowledgements

The author wishes to thank the many people who provided insights for this report and the conference sponsors that helped to fund this study. Special thanks go to Michael Aisenberg, Catherine A. Allen, Liesyl Franz, Gov. James Geringer, Gary Glickman, Gov. Jim Hodges, James Lewis, Mary Mitchell, Frank Reeder, Marc-Anthony Signorino, James Souby, Thomas Stack, and Keith Ward. The author is solely responsible for this report and its contents.

Appendix A

Defending Cyberspace 2008 Conference Agenda
May 6-7, 2008, Washington, DC

8:30 – 8:45 AM Introduction
Jim Souby, President, Park City Center for Public Policy

Opening Remarks
John Engler, President & CEO, National Association of Manufacturers, and former Governor, Michigan

8:45 – 9:45 AM The Advanced Persistent Threat
Cyber attacks threaten governments, corporations and individuals to extract financial or strategic information. Using increasingly sophisticated methods, sometimes combined with coercion and more traditional corporate espionage, hostile organizations gain access to critical intellectual property, trade and national secrets. This information, in the wrong hands, threatens our national security and our industrial future – their officers and directors, their shareholders and their customers. Once attacked, government organizations and corporations are understandably reluctant to discuss the impact on their business or mission. Those that do speak publicly talk only in the most general terms.

8:45 – 9:15 AM The Advanced Persistent Threat – Industry View
An overview of the growing threat of cyber espionage to corporate America. The attacks, perpetrated by organized foreign and domestic entities, threaten our economic well being and our global innovative advantage. Defending against these attacks requires new technologies to be implemented individually and collectively. Corporations need to address critical legal, audit and technology-based issues to ensure their future viability.
Thomas W. Shelman, President, Defense Group, Northrop Grumman Information Technology

9:15 – 9:45 AM The Advanced Persistent Threat – Government View
Greg Garcia, Assistant Secretary for Cyber Security and Communication, National Protection and Programs Directorate, Department of Homeland Security

9:45 – 10:00 AM Break

10:00 – 11:00 AM Detecting and Containing Attacks – Technology View
This panel of experts explores where the attacks are coming from, how they are being done, and what can be done to detect and defeat them. They will discuss the escalating nature of the attacks and the need for leadership, diligence and perseverance on the part of CEOs, CIOs, and CISOs.
Jeremy Grant (Moderator), Senior Vice President, Stanford Group Company
Greg Wilshusen, Director, Information Security Issues, Government Accountability Office
Michael Aisenberg, Counselor to the President of Information & Infrastructure Technologies, Inc.
Valerie Abend, Deputy Assistant Secretary for Critical Infrastructure Protection and Compliance Policy, U.S. Department of the Treasury

11:00 AM – Noon Detecting and Containing Attacks – Compliance View
The panel will drill down into the complexities of dealing with the attacks, both publicly and organizationally. Issues that will be discussed include: International Trade • Director & Officer Liability • Offshore Outsourcing • Supply Chain Management.
Cathy Allen (Moderator), Chairman and CEO, The Santa Fe Group
David Bartlett, Senior Vice President, Levick Strategic Communications, LLC
Steve Malphrus, Staff Director for Management, Board of Governors of the Federal Reserve System
Randy V. Sabett, J.D., CISSP, Sonnenschein Nath & Rosenthal LLP

Noon – 1:30 PM Keynote Luncheon
Gary Glickman, President, Imadgen, LLP
Keynote: John J. Hamre, President & CEO, Center for Strategic and International Studies

1:30 – 2:30 PM Current Methods for Information Sharing
Topics include: Current Cyber Security Initiatives • Limitations Among Business and Government • IT Sector Coordinating Council • Information Sharing and Analysis Centers (ISACs) for IT, Communications, and Other Sectors • Partnership for Critical Infrastructure Security (PCIS) • National Infrastructure Protection Centre (NIPC) • DoD Initiatives for Information Sharing • Information Sharing and Security Initiatives within Key Network Operations Centers Serving the Government and Private Sectors.
Phil Bond (Moderator), President and CEO, Information Technology Association of America
Alan Wade, Founder, Wade Associates, Inc.
Ken Watson, Chair, Partnership for Critical Infrastructure Security, and Senior Manager, Critical Infrastructure Assurance Group, Cisco Systems, Inc.

2:30 – 3:15 PM View from the Privacy Community
Cyber espionage targets are not limited to company sensitive financial and product information, but to customer and employee personal information as well. Building defenses against cyber attacks helps protect this information from unauthorized use. However, the maintenance and storage of this information, how it is used and how trade-offs between privacy and security must be addressed are part of any solution. These experts will discuss how industry guidelines can help build trust between government, industry, employees and customers.
Ari Schwartz, Deputy Director, Center for Democracy and Technology
Rich Baich, CISSP, CISM, Principal, Deloitte & Touche LLP

3:15 – 3:30 PM Break

3:30 – 4:15 PM Bridging the Gap Between Government and Industry
What is the role of government in helping to protect our industrial base against foreign and domestic cyber attacks? Our Federal government is taking substantive action to safeguard national security. Exercises such as Cyber Storm II demonstrate how government plans to react to a real attack. The Department of Defense, the intelligence agencies and the Department of Homeland Security plan to invest over $6 Billion in building our cyber defense networks. How can this investment be leveraged to help protect the US corporate base? And similarly, how can information gleaned from corporate attacks be funneled back to the government to improve their own readiness?
David Hoffman (Moderator), Group Counsel & Director of Security & Privacy Policy, Intel Corporation
Jacob Olcott, Staff Director, Subcommittee on Emerging Threats, Cybersecurity, Science & Technology, Committee on Homeland Security, U.S. House of Representatives
Dan Chenok, Chair of the Information Security and Privacy Advisory Board and Senior Vice President & General Manager, Pragmatics, Inc.

4:15 – 5:15 PM Developing an Action Plan
This is a “call for action” session that will present and discuss methods to address confidentiality and secrecy, cross-agency information sharing and planning, best practices, promising solutions and their adequacy to combat cyber threats.

• What community-wide solutions could be put in place?
• What public/private processes are indicated?
• What legislative/policy changes appear necessary?
• How can a bridge be built between the public and private sectors?
• What are the objectives?
• Who can lead?
• Federal and Private Roles and Responsibilities
• What will it take? Planning – Time – People – Training – Investment – Infrastructure
• Need for legislation/Change to the Sarbanes-Oxley Act
• Suggested Strategic/Policy Action Agenda
• How do we communicate?
• How do we define “success”?

Facilitators:
Governor Jim Geringer, Director, ESRI
Tom Stanton, Fellow, Center for the Study of American Government, Johns Hopkins University

5:15 – 5:30 PM Closing Remarks and Next Steps