Changes: Cyber threat

Revision as of 16:32, 16 July 2011

“

We must learn to negotiate a new geography, where borders are irrelevant and distances meaningless, where an enemy may be able to harm the vital systems we depend on without confronting our military power.^[1]

”

Overview

A cyber threat can be unintentional and intentional, targeted or nontargeted, and can come from a variety of sources, including foreign nations engaged in espionage and information warfare, criminals, hackers, virus writers, and disgruntled employees and contractors working within an organization.

Unintentional threats can be caused by inattentive or untrained employees, software upgrades, maintenance procedures and equipment failures that inadvertently disrupt computer systems or corrupt data.

Intentional threats include both targeted and nontargeted attacks. A targeted attack is when a group or individual specifically attacks a critical infrastructure system. A nontargeted attack occurs when the intended target of the attack is uncertain, such as when a virus, worm, or malware is released on the Internet with no specific target

Repeatedly identified as the most worrisome threat is the "insider" — someone legitimately authorized access to a system or network. Other malefactors may make use of insiders, such as organized crime or a terrorist group suborning a willing insider (a disgruntled employee, for example) or making use of an unwitting insider (by getting someone with authorized network access to insert a disk containing hidden code, for example).

Background on cyber threats

Threats to the U.S. cyber and telecommunications infrastructure are constantly increasing^[2] and evolving as are the entities that show interest in using a cyber-based capability to harm the nation’s security interests.

Concerns have been raised since the 1990s regarding the use of the internet and telecommunications components to cause harm to the nation’s security interests. Activities producing undesirable results include unauthorized intrusion to gain access and view protected data, stealing or manipulating information contained in various databases, and attacks on telecommunications devices to corrupt data or cause infrastructure components to operate in an irregular manner.

Of paramount concern to the national and homeland security communities is the threat of a cyber-related attack against the nation’s critical government infrastructures — “systems and assets, physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters.”^[3] Early concerns noted attacks on components of the energy grid, infrastructure control systems, and military equipment as examples of telecommunications-based threats to physical infrastructures.^[4]

In response, the Department of Energy conducted an experiment in 2007 in which the control system of an unconnected generator, containing similar components as that of larger generators connected to many power grids in the nation supplying electricity, was damaged and became inoperable.^[5] While data from federal agencies demonstrate that the majority of attempted and successful cyber attacks to date have targeted virtual information resources rather than physical infrastructures,^[6] many security experts are concerned that the natural progression of those wishing to harm U.S. security interests will transition from stealing or manipulating data to undertaking action that temporarily or permanently disables or destroys the telecommunications network or affects infrastructure components.

Many security observers agree that the United States currently faces a multi-faceted, technologically based vulnerability in that "our information systems are being exploited on an unprecedented scale by state and non-state actors [resulting in] a dangerous combination of known and unknown vulnerabilities, strong adversary capabilities, and weak situational awareness."^[7] This, coupled with security observers’ contention that the United States lacks the capability to definitively ascertain perpetrators who might unlawfully access a database or cause harm to a network, leaves the nation increasingly at risk. It also causes acts or discussions related to deterring cyberattacks to be ignored or negated by entities exploiting known or newly found vulnerabilities.

Prominent national security experts have emphasized the vulnerability of U.S. infrastructures. As recently as January 2009, former Director of National Intelligence (DNI) Mike McConnell equated “cyber weapons” with weapons of mass destruction when he expressed concern about terrorists’ use of technology to degrade the nation’s infrastructure. In distinguishing between individuals gaining access to U.S. national security systems or corporate data for purposes of exploitation for purposes of competitive advantage, former Director McConnell noted that terrorists aim to damage infrastructure and that the “time is not too far off when the level of sophistication reaches a point that there could be strategic damage to the United States.”^[8]

Sources of cyber threats

There are a variety of sources of cyber threats, including^[9]:

Botnetwork operators — Botnet operators use a network, or botnet, of compromised, remotely controlled systems to coordinate attacks and to distribute phishing schemes, spam, and malware attacks. The services of these networks are sometimes made available on underground markets (e.g., purchasing a denial of service attack or servers to relay spam or phishing attacks).
Criminal groups — Criminal groups seek to attack systems for monetary gain. Specifically, organized criminal groups use spam, phishing, and spyware/malware to commit identity theft and online fraud. International corporate spies and criminal organizations also pose a threat to the United States through their ability to conduct industrial espionage and large-scale monetary theft and to hire or develop hacker talent.
Foreign nation states — Foreign intelligence services use cyber tools as part of their information gathering and espionage activities. Also, several nations are aggressively working to develop information warfare doctrine, programs, and capabilities. Such capabilities enable a single entity to have a significant and serious impact by disrupting the supply, communications, and economic infrastructures that support military power.
Hackers — Hackers break into networks for the thrill of the challenge, bragging rights in the hacker community, revenge, stalking others, and monetary gain, among other reasons. While gaining unauthorized access once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the Internet and launch them against victim sites. Thus, while attack tools have become more sophisticated, they have also become easier to use. According to the Central Intelligence Agency, the large majority of hackers do not have the requisite expertise to threaten difficult targets such as critical U.S. networks. Nevertheless, the worldwide population of hackers poses a relatively high threat of an isolated or brief disruption causing serious damage.
Hacktivists — Those who make politically motivated attacks on publicly accessible web pages or e-mail servers. These groups and individuals overload e-mail servers and hack into websites to send a political message.
Insiders — The disgruntled insider, working from within an organization, is a principal source of computer crimes. Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a victim system often allows them to gain unrestricted access to cause damage to the system or to steal system data. The insider threat also includes contractor personnel.
Phishers — Individuals, or small groups, execute phishing] schemes in an attempt to steal identities or information for monetary gain. Phishers may also use spam and spyware/malware to accomplish their objectives.
Spammers — Individuals or organizations distribute unsolicited e-mail with hidden or false information in order to sell products, conduct phishing schemes, distribute spyware/malware, or attack organizations (i.e., denial of service attack).
Spyware/malware authors — Individuals or organizations with malicious intent carry out attacks against users by producing and distributing spyware and malware. Several destructive computer viruses and worms have harmed files and hard drives, including the Melissa virus, the Explore.Zip worm, the CIH (Chernobyl) virus, Nimda worm, Code Red, Slammer worm, and Blaster worm.
Terrorists — Terrorists seek to destroy, incapacitate, or exploit critical infrastructures to threaten national security, cause mass casualties, weaken the U.S. economy, and damage public morale and confidence. However, traditional terrorist adversaries of the United States are less developed in their computer network capabilities than other adversaries. Terrorists likely pose a limited cyber threat. The Central Intelligence Agency believes terrorists will stay focused on traditional attack methods, but it anticipates growing cyber threats as a more technically competent generation enters the ranks.

Types of cyber threats

Cyber threats can take the form of:

Distributed denial of service (DDOS) attack — attackers flood network resources to render physical systems unavailable or less than fully responsive for a period of time.
Rogue device — an unauthorized device accesses the system, manipulating it or providing incorrect data to system operators.
Reconnaissance attack — probing of a system to provide attackers information on capabilities, vulnerabilities, and operation.
Eavesdropping attack — violations of confidentiality of communication within a network.
Collateral damage — unplanned side-effects of cyber attacks.
Unauthorized access attack — an attack where the adversary exercises a degree of control over the system and accesses and manipulates assets without authorization.
Unauthorized use of assets, resources, or information — an attack in which assets, services, or data are manipulated by an authorized user in an unauthorized manner.^[10] This can result in system operators being given inaccurate information from a “trusted” source, and thereby being misled into making decisions based on this data that result in impacts to the system.
Malicious code (Malware) — viruses, worms, and Trojan horses.

Impact on critical infrastructure

Cyber threats are asymmetric, surreptitious, and constantly evolving — a single individual or a small group anywhere in the world can inexpensively and secretly attempt to penetrate systems containing vital information or mount damaging attacks on critical infrastructures.

There is increasing concern among both government officials and industry experts regarding the potential for a cyber attack on a national critical infrastructure, including the infrastructure’s control systems. The Federal Bureau of Investigation has identified multiple sources of threats to our nation’s critical infrastructures, including foreign nation states engaged in information warfare, domestic criminals, hackers, and virus writers, and disgruntled employees working within an organization.

Threats to the U.S. cyber and telecommunications infrastructure are constantly increasing^[11] and evolving as are the entities that show interest in using a cyber-based capability to harm the nation’s security interests.^[12] Concerns have been raised since the 1990s regarding the use of the internet and telecommunications components to cause harm to the nation’s security interests.

Activities producing undesirable results include unauthorized intrusion to gain access and view protected data, stealing or manipulating information contained in various databases, and attacks on telecommunications devices to corrupt data or cause infrastructure components to operate in an irregular manner. Of paramount concern to the national and homeland security communities is the threat of a cyber-related attack against the nation’s critical government infrastructures — “systems and assets, physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters.”^[13]

Early concerns noted attacks on components of the energy grid, infrastructure control systems, and military equipment as examples of telecommunications-based threats to physical infrastructures.

Military

"Cyber threats generally fall within six categories:

Traditional threats typically arise from state employing recognized military capabilities and forces in well-understood forms of military conflict. Within cyberspace, these threats may be less understood due to the continuing evolution of technologies and methods. Traditional threats are generally focused against the cyberspace capabilities that enable our air, land, maritime, and space forces and are focused to deny the US military freedom of action and use of cyberspace.
Irregular threats can use cyberspace as an unconventional asymmetric means to counter traditional advantages. These threats could also manifest through an adversary's selective targeting of US cyberspace capabilities and infrastructure. For example, terrorists could use cyberspace to conduct operations against our financial and industrial sectors while simultaneously launching other physical attacks. Terrorist also use cyberspace to communicate anonymously, asynchronously, and without being tied to set physical locations. They attempt to shield themselves from US law enforcement, intelligence and military operations through use of commercial security products and services readily available in cyberspace. Irregular threats from criminal elements and advocates of radical political agendas seek to use cyberspace for their own ends to challenge government, corporate, or societal interests.
Catastrophic threats involve the acquisition, possession, and use of weapons of mass destruction (WMD) or methods producing WMD-like effects. Such catastrophic effects are possible in cyberspace because of the existing linkage of cyberspace to critical infrastructure SCADA systems. Well-planned attacks on key nodes of the cyberspace infrastructure have the potential to produce network collapse and cascading effects that can severely affect critical infrastructure locally, nationally, or possibly globally. For example, electromagnetic pulse events could cause widespread degradation and outright destruction of the electronic components that comprise cyberspace leading to the debilitating destruction of segments of the cyberspace domain in which operations must occur.
Disruptive threats are breakthrough technologies that may negate or reduce current US advantages in warfighting domains. Global research investment, development, and industrial processes provide an environmental conductive to the creation of technological advances. DOD must be prepared for the increased possibility of adversary breakthroughs due to the continuing diffusion of cyberspace technologies.
Natural threats that can damage and disrupt cyberspace include acts of nature, such as floods, hurricanes, solar flares, lightning, and tornados. These types of events often produce highly destructive effects requiring DOD to support the continuity of operations in cyberspace, conduct consequent management, and restore cyberspace capability. These events also provide adversaries the opportunity to capitalize on infrastructure degradation and diversion of attention and resources.
Accidental threats are unpredictable and can take many forms. From a backhoe cutting a fiber optic cable of a key cyberspace node, to inadvertent introduction of viruses, accidental threats unintentionally disrupt the operation of cyberspace. Although post-accident investigations show that the large majority of accidents can be prevented and measures put in place to reduce accidents, accidents must be anticipated.^[14]

References

↑ President's Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America’s Infrastructures, at ix (Oct. 1997).
↑ Peter Eisler, "Reported Raids on Federal Computer Data Soar," USA Today (Feb. 17, 2009).[1] Based on data reportedly provided to USA Today, the U.S. Computer Emergency Readiness Team (US-CERT), found that known cyberattacks on U.S. government networks rose 40% in 2008 compared to 2007. While this survey focused on U.S. government computer systems, telecommunications networks are maintained by private industry, and any degradation to these services or components would necessarily have negative implications for both public and private cyber activities.
↑ 42 U.S.C. §5195c(e).
↑ Of note, many of the cyber-related incidences that were found to have negatively affected control systems connected to physical infrastructure components were resolved as being the work of current or former employees who had access to and knowledge of the architecture of the affected network.
↑ Jeanne Meserve, "Staged Cyber Attack Reveals Vulnerability in Power Grid," CNN online (Sep. 26, 2007).[2].
↑ See Center for Strategic and International Studies, Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency 12 (2008) ("we expected damage from cyber attacks to be physical (opened floodgates, crashing airplanes) when it was actually informational").
↑ House Permanent Select Committee on Intelligence, Cyber Security: Hearing on the Nation’ s Cyber Security Risks, 110th Cong. (Sept. 18, 2008) (statement of Paul Kurtz, Former Senior Director, Critical Infrastructure Protection, White House Homeland Security Council).
↑ The Charlie Rose Show, "Interview of Mr. Mike McConnell, Director of National Intelligence," PBS, Jan. 8, 2009.
↑ GAO analysis based on data from the Director of National Intelligence, Department of Justice, the Central Intelligence Agency, and the Software Engineering Institute’s CERT Coordination Center.
↑ Joe Weiss, "Control System Cyber Vulnerabilities and Potential Mitigation of Risk for Utilities" 3-4 (Juniper Networks, Inc. 2009).
↑ Peter Eisler, "Reported Raids on Federal Computer Data Soar," USA Today (Feb. 17, 2009).[3] Based on data reportedly provided to USA Today, the U.S. Computer Emergency Readiness Team (US-CERT), a Department of Homeland Security entity, found that known cyberattacks on U.S. government networks rose 40% in 2008 compared to 2007. While this survey focused on U.S. government computer systems, telecommunications networks are maintained by private industry, and any degradation to these services or components would necessarily have negative implications for both public and private cyber activities.
↑ For more information on cyberattackers’ capabilities, see John Rollins & Clay Wilson, "Terrorist Capabilities for Cyberattack: Overview and Policy Issues" (CRS Report RL33123)[4].
↑ 42 U.S.C. §5195c(e). For more on U.S. efforts to protect critical infrastructures, see John D. Moteff, "Critical Infrastructures: Background, Policy, and Implementation (CRS Report RL30153)[5].
↑ National Military Strategy for Cyberspace Operations, at C-1, C-2.

[1] President's Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America’s Infrastructures, at ix (Oct. 1997).

[2] Peter Eisler, "Reported Raids on Federal Computer Data Soar," USA Today (Feb. 17, 2009).[1] Based on data reportedly provided to USA Today, the U.S. Computer Emergency Readiness Team (US-CERT), found that known cyberattacks on U.S. government networks rose 40% in 2008 compared to 2007. While this survey focused on U.S. government computer systems, telecommunications networks are maintained by private industry, and any degradation to these services or components would necessarily have negative implications for both public and private cyber activities.

[3] 42 U.S.C. §5195c(e).

[4] Of note, many of the cyber-related incidences that were found to have negatively affected control systems connected to physical infrastructure components were resolved as being the work of current or former employees who had access to and knowledge of the architecture of the affected network.

[5] Jeanne Meserve, "Staged Cyber Attack Reveals Vulnerability in Power Grid," CNN online (Sep. 26, 2007).[2].

[6] See Center for Strategic and International Studies, Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency 12 (2008) ("we expected damage from cyber attacks to be physical (opened floodgates, crashing airplanes) when it was actually informational").

[7] House Permanent Select Committee on Intelligence, Cyber Security: Hearing on the Nation’ s Cyber Security Risks, 110th Cong. (Sept. 18, 2008) (statement of Paul Kurtz, Former Senior Director, Critical Infrastructure Protection, White House Homeland Security Council).

[8] The Charlie Rose Show, "Interview of Mr. Mike McConnell, Director of National Intelligence," PBS, Jan. 8, 2009.

[9] GAO analysis based on data from the Director of National Intelligence, Department of Justice, the Central Intelligence Agency, and the Software Engineering Institute’s CERT Coordination Center.

[10] Joe Weiss, "Control System Cyber Vulnerabilities and Potential Mitigation of Risk for Utilities" 3-4 (Juniper Networks, Inc. 2009).

[11] Peter Eisler, "Reported Raids on Federal Computer Data Soar," USA Today (Feb. 17, 2009).[3] Based on data reportedly provided to USA Today, the U.S. Computer Emergency Readiness Team (US-CERT), a Department of Homeland Security entity, found that known cyberattacks on U.S. government networks rose 40% in 2008 compared to 2007. While this survey focused on U.S. government computer systems, telecommunications networks are maintained by private industry, and any degradation to these services or components would necessarily have negative implications for both public and private cyber activities.

[12] For more information on cyberattackers’ capabilities, see John Rollins & Clay Wilson, "Terrorist Capabilities for Cyberattack: Overview and Policy Issues" (CRS Report RL33123)[4].

[13] 42 U.S.C. §5195c(e). For more on U.S. efforts to protect critical infrastructures, see John D. Moteff, "Critical Infrastructures: Background, Policy, and Implementation (CRS Report RL30153)[5].

[14] National Military Strategy for Cyberspace Operations, at C-1, C-2.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

@@ Line 71: / Line 71: @@
 "Cyber threats generally fall within six categories:
-** '''Traditional threats''' typically arise from state employing recognized military capabilities and forces in well-understood forms of military conflict. Within [[cyberspace]], these threats may be less understood due to the continuing evolution of technologies and methods. Traditional threats are generally focused against the [[cyberspace]] capabilities that enable our air, land, maritime, and space forces and are focused to deny the US military freedom of action and use of [[cyberspace]].
+* '''Traditional threats''' typically arise from state employing recognized military capabilities and forces in well-understood forms of military conflict. Within [[cyberspace]], these threats may be less understood due to the continuing evolution of technologies and methods. Traditional threats are generally focused against the [[cyberspace]] capabilities that enable our air, land, maritime, and space forces and are focused to deny the US military freedom of action and use of [[cyberspace]].
-** '''Irregular threats''' can use [[cyberspace]] as an unconventional asymmetric means to counter traditional advantages. These threats could also manifest through an adversary's selective targeting of US [[cyberspace]] capabilities and [[infrastructure]]. For example, [[terrorist]]s could use [[cyberspace]] to conduct operations against our financial and industrial sectors while simultaneously launching other [[physical attack]]s. [[Terrorist]] also use [[cyberspace]] to communicate [[anonymous]]ly, asynchronously, and without being tied to set physical locations. They attempt to shield themselves from US law enforcement, [[intelligence]] and military operations through use of commercial [[security]] products and services readily available in [[cyberspace]]. Irregular threats from criminal elements and advocates of radical political agendas seek to use [[cyberspace]] for their own ends to challenge government, corporate, or societal interests.
+* '''Irregular threats''' can use [[cyberspace]] as an unconventional asymmetric means to counter traditional advantages. These threats could also manifest through an adversary's selective targeting of US [[cyberspace]] capabilities and [[infrastructure]]. For example, [[terrorist]]s could use [[cyberspace]] to conduct operations against our financial and industrial sectors while simultaneously launching other [[physical attack]]s. [[Terrorist]] also use [[cyberspace]] to communicate [[anonymous]]ly, asynchronously, and without being tied to set physical locations. They attempt to shield themselves from US law enforcement, [[intelligence]] and military operations through use of commercial [[security]] products and services readily available in [[cyberspace]]. Irregular threats from criminal elements and advocates of radical political agendas seek to use [[cyberspace]] for their own ends to challenge government, corporate, or societal interests.
-** '''Catastrophic threats''' involve the acquisition, possession, and use of [[weapons of mass destruction]] ([[WMD]]) or methods producing [[WMD]]-like effects. Such catastrophic effects are possible in [[cyberspace]] because of the existing linkage of [[cyberspace]] to [[critical infrastructure]] [[SCADA]] [[system]]s. Well-planned [[attack]]s on key [[node]]s of the [[cyberspace]] [[infrastructure]] have the potential to produce network collapse and cascading effects that can severely affect [[critical infrastructure]] locally, nationally, or possibly globally. For example, [[electromagnetic pulse]] events could cause widespread [[degradation]] and outright destruction of the [[electronic component]]s that comprise [[cyberspace]] leading to the debilitating destruction of segments of the [[cyberspace]] domain in which operations must occur.
+* '''Catastrophic threats''' involve the acquisition, possession, and use of [[weapons of mass destruction]] ([[WMD]]) or methods producing [[WMD]]-like effects. Such catastrophic effects are possible in [[cyberspace]] because of the existing linkage of [[cyberspace]] to [[critical infrastructure]] [[SCADA]] [[system]]s. Well-planned [[attack]]s on key [[node]]s of the [[cyberspace]] [[infrastructure]] have the potential to produce network collapse and cascading effects that can severely affect [[critical infrastructure]] locally, nationally, or possibly globally. For example, [[electromagnetic pulse]] events could cause widespread [[degradation]] and outright destruction of the [[electronic component]]s that comprise [[cyberspace]] leading to the debilitating destruction of segments of the [[cyberspace]] domain in which operations must occur.
-** '''Disruptive threats''' are breakthrough technologies that may negate or reduce current US advantages in warfighting domains. Global research investment, development, and industrial processes provide an environmental conductive to the creation of technological advances. [[DOD]] must be prepared for the increased possibility of adversary breakthroughs due to the continuing diffusion of [[cyberspace]] technologies.
+* '''Disruptive threats''' are breakthrough technologies that may negate or reduce current US advantages in warfighting domains. Global research investment, development, and industrial processes provide an environmental conductive to the creation of technological advances. [[DOD]] must be prepared for the increased possibility of adversary breakthroughs due to the continuing diffusion of [[cyberspace]] technologies.
-** '''Natural threats''' that can damage and disrupt [[cyberspace]] include acts of nature, such as floods, hurricanes, solar flares, lightning, and tornados. These types of events often produce highly destructive effects requiring [[DOD]] to support the continuity of operations in [[cyberspace]], conduct consequent management, and restore [[cyberspace]] capability. These events also provide adversaries the opportunity to capitalize on [[infrastructure]] [[degradation]] and diversion of attention and resources.
+* '''Natural threats''' that can damage and disrupt [[cyberspace]] include acts of nature, such as floods, hurricanes, solar flares, lightning, and tornados. These types of events often produce highly destructive effects requiring [[DOD]] to support the continuity of operations in [[cyberspace]], conduct consequent management, and restore [[cyberspace]] capability. These events also provide adversaries the opportunity to capitalize on [[infrastructure]] [[degradation]] and diversion of attention and resources.
-** '''Accidental threats''' are unpredictable and can take many forms. From a backhoe cutting a [[fiber optic cable]] of a key [[cyberspace]] [[node]], to inadvertent introduction of [[virus]]es, accidental threats unintentionally [[disrupt]] the operation of [[cyberspace]]. Although post-accident investigations show that the large majority of accidents can be prevented and measures put in place to reduce accidents, accidents must be anticipated.<ref>[[National Military Strategy for Cyberspace Operations]], at C-1, C-2.</ref>
+* '''Accidental threats''' are unpredictable and can take many forms. From a backhoe cutting a [[fiber optic cable]] of a key [[cyberspace]] [[node]], to inadvertent introduction of [[virus]]es, accidental threats unintentionally [[disrupt]] the operation of [[cyberspace]]. Although post-accident investigations show that the large majority of accidents can be prevented and measures put in place to reduce accidents, accidents must be anticipated.<ref>[[National Military Strategy for Cyberspace Operations]], at C-1, C-2.</ref>
 == References ==