What’s worse: U.S. security officials say the country’s cyberdefenses are not up to the challenge. In part, it’s due to a severe shortage of computer security specialists and engineers with the skills and knowledge necessary to do battle against would-be adversaries. The protection of U.S. computer systems essentially requires an army of cyberwarriors, but the recruitment of that force is suffering.

“We don’t have sufficiently bright people moving into this field to support those national security objectives as we move forward in time,” says James Gosler, a veteran cybersecurity specialist who has worked at the CIA, the National Security Agency and the Energy Department.

If U.S. cyberdefenses are to be improved, more people like Gosler will be needed on the front lines. Gosler, 58, works at the Energy Department’s Sandia National Laboratory in Albuquerque, N.M., where he focuses on ways to counter efforts to penetrate U.S. data networks. It’s an ever-increasing challenge.

“You can have vulnerabilities in the fundamentals of the technology, you can have vulnerabilities introduced based on how that technology is implemented, and you can have vulnerabilities introduced through the artificial applications that are built on that fundamental technology,” Gosler says. “It takes a very skilled person to operate at that level, and we don’t have enough of them.”

Gosler estimates there are now only 1,000 people in the entire United States with the sophisticated skills needed for the most demanding cyberdefense tasks. To meet the computer security needs of U.S. government agencies and large corporations, he says, a force of 20,000 to 30,000 similarly skilled specialists is needed.

Some are currently being trained at the nonprofit SANS (SysAdmin, Audit, Network, Security) Institute outside Washington, D.C., but the demand for qualified cybersecurity specialists far exceeds the supply.

“You go looking for those people, but everybody else is looking for the same thousand people,” says SANS Research Director Alan Paller. “So they’re just being pushed around from NSA to CIA to DHS to Boeing. It’s a mess.”

The Center for Strategic and International Studies highlights the problem in a forthcoming report, “A Human Capital Crisis in Cybersecurity.”

According to the report, a key element of a “robust” cybersecurity strategy is “having the right people at every level to identify, build and staff the defenses and responses.”

The CSIS report highlights a “desperate shortage” of people with the skills to “design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate and reconstitute from damage due to system failures and malicious acts.”

The cyber manpower crisis in the United States stands in sharp contrast to the situation in China, where the training of computer experts is a top national priority. In the most recent round of the International Collegiate Programming Contest, co-sponsored by IBM and the Association for Computing Machinery, Chinese universities took four of the top 10 places. No U.S. university made the list.

The Chinese government, in fact, appears to be systematically building a cyberwarrior force.

“Every military district of the Peoples’ Liberation Army runs a competition every spring,” says Alan Paller of SANS, “and they search for kids who might have gotten caught hacking.”

One of the Chinese youths who won that competition had earlier been caught hacking into a Japanese computer, according to Paller, only to be rewarded with extra training.

“Later that year, we found him hacking into the Pentagon,” Paller says. “So they find them, they train them, and they get them into operation very, very fast.”

Some members of Congress, eager to follow China’s example, are now promoting a U.S. Cyber Challenge, a national talent search at the high school level. The aim is to find up to 10,000 potential cyberwarriors, ready to play both offense and defense.

“The idea is for schools around the country to field teams, and the teams would compete against one another,” says Sen. Thomas Carper, a Delaware Democrat who is one of the backers of the effort. He sees the challenge as an opportunity “not only for them to hone their skills on being able to hack into other systems, particularly those of folks we may not be fond of, but also to use what they learn to strengthen our defenses.”

In order to protect a computer system, one needs to know how someone might attack it. Last year’s preliminary Cyber Challenge game was won by a 17-year-old from Connecticut — Michael Coppola — who was smart enough to hack into the game computer and add points to his own score.

“There’s actually a flaw within that Web application,” Coppola says. “Using that, I was able to execute commands on the computer running the scoring software, and I was able to add points and basically do whatever I wanted.”

It was certainly an unconventional approach, but the competition judges were so impressed by Coppola’s ability to hack into the computer game that they actually rewarded him for changing his score.

“It’s cheating,” Michael says, “but it’s like the entire game is cheating.”

Indeed. People who know how to cheat will soon be on the front lines of cyber defense, because the best way to defend a computer system from attack is to figure out how an adversary would be able to hack into it.

Now 18, Coppola is himself looking to a career in cybersecurity.

Source

On foreign media reports saying no evidence linked the North to the attacks, Jeong Seok-hwa, investigation director at the Cyber Terror Response Center in charge of the investigation, said, “No country including the U.S. could identify the origin of the DDoS attacks that occurred a year ago. Thankfully, the discovery by Korean investigation agencies has been the most credible so far.”

On how he was sure that it was Pyongyang, Jeong said, “It might be too early to conclude this, but the facts so far have shown that the IP address used for the attacks was the same one rented by North Korea’s Posts and Telecommunications Ministry from a Chinese Internet provider.”

“The attack was waged by dozens of people, not one individual,” he added.

According to the National Police Agency, the cyber center in October last year found that the attacks originated from the IP of the North’s ministry.

A lieutenant on the investigation team was promoted to inspector in recognition of this discovery. He refused to disclose more, however, saying “Giving out more details will compromise our national strategy,” but added, “It was possible thanks to the technical capability we’ve accumulated for more than 10 years since the cyber center’s launch.”

Amid rising fears over a second cyber attack from the North, Jeong said, “Attack rumors were prevalent in April and May, but nothing really happened. But there certainly is the possibility of another attack. One of the servers that made the attack order seems to have copied all files saved on zombie PCs, or those in charge of the attack.”

This indicates that zombie PCs analyzed the files South Koreans frequently use to make more of them when starting an attack.

On preventing a cyber attack, Jeong said, “We cannot prevent zombie PCs from multiplying even with the latest vaccine program. The government must distribute free firewall programs (used for protection in Internet banking services).

With the investigation over last year’s cyber attacks ongoing, Jeong pledged to find the culprit. “We’ve done everything we can within the country. Since the attack originated from China, which is beyond our investigative jurisdiction, we will collaborate with China to find who did it,” he said.

Source

General Keith Alexander cautioned that Pentagon systems are “probed by unauthorized users approximately 250,000 times an hour, over six million times a day.” The remarks by Alexander, who is also at the helm of the main US spy organizations, the National Security Agency, was made in a Thursday address to a major Washington policy think tank, the Center for Strategic and International Studies.

“Our nation’s interests are in jeopardy,” he said citing “tremendous vulnerabilities” and threats from a “growing array of foreign actors, terrorists, criminal groups and individual hackers.”

Alexander emphasized that his main priority was to develop a real time picture of threats to US military networks and devising rules to fight back by conducting cyber attacks against enemies.

Alexander said that US military “depends on its networks for command and control, communications, intelligence, operations and logistics.”

“We at the Department of Defense have more than seven million machines to protect linked-in 15,000 networks,” he noted.

Source

“Why is the country with the best technology for online surveillance of its citizens’ communications taking other nations to task over censorship and free speech?” Mr Ranum, chief security officer of Tenable Network Security, challenged a packed forum at AusCERT 2010.

“For years, the US has embraced portions of the hacker community into our labs to build cyber-weapons, and there’s government funding connections between our offensive weapons writers and our defensive weapons writers.

“We own the search engines everybody uses, and the incredibly valuable data they produce.

“So it’s bizarre that in the recent exchange of accusations over China targeting dissident supporters of the Dalai Lama, no country asked the US to rein in its own cyber-hackers.”

Mr Ranum said it wasn’t necessary for US authorities to engage in cyber-spying or collect information from botnets because “by law, every carrier in the US has to back up all their systems so the FBI can do wiretaps”.

“And the FBI has a back door into Google so they don’t have to hack into accounts belonging to ‘terrorists’ or ‘dissidents’ — it’s done through a search warrant or via a wireless wiretap.

“This violates our constitution but the (new) federal laws have been upheld because they’re seen as doing something about terrorism.”

And while the difference between dissidents and terrorists is unclear apart from the methods they employ, “the way governments react is remarkably similar”.

“China is targeting dissidents and we’re targeting our own citizens — and that’s a good way of creating dissidents,” he said.

“The next scene in the cyberwar involved censorship, and of course Chine practices censorship — every government does, even if only to prevent an under-18 year old boy from seeing a pair of naked breasts.

“It’s fascinating that the US secretary of state Hillary Clinton called on Beijing to let the internet be free, as she is a supporter of censorship.

“Ms Clinton supports Californian legislation, which has been overturned as unconstitutional several times, aimed at preventing underage people playing Grand Theft Auto.”

The financially strapped state government continues to spend tens of millions fighting itself in court on the issue, he said.

“Speech maybe nowhere near as free in China as it is in America, but every US ISP has to keep a variety of transactional data (about users) in case the government wants it. So which country has greater cyberwar anti-dissident capabilities?”

Mr Ranum said China’s great firewall looked tame in comparison.

“Hypocrisy is the enemy of democracy,” he said.

“If you want to protect your kids from Grand Theft Auto, you take away their console. Or you say, ‘I told you not to play that, go mow the lawn’.”

Attempts to regulate morality through censorship of pornography also involved huge costs to the public — which paid for the competing arms of government, justice department and the supreme court.

“In order to protect young Americans’ fragile eyeballs, our government passes laws (against pornography) and then other branches say ‘No, that’s unconstitutional’, and appeal,” he said.

“Millions of dollars are being spent litigating this, but there wasn’t a public uprising saying ‘We don’t want to see breasts’, okay.”

More concerning was the 2008 US Defence Department plan to shut down the global whistleblowers site, WikiLeaks, exposed through documents published on the site itself last week. –> http://file.wikileaks.org/file/us-intel-wikileaks.pdf

“Because WikiLeaks was hosting leaked documents, Defence considered the site was a threat to US national security, and proposed hacking it in order to close it down,” he said.

“But if the government can’t keep its own classified information secret, that’s the government’s problem — don’t blame WikiLeaks.”

Mr Ranum also pointed to an FBI leak to a journalist over Titan Rain, which alleged some 180,000 Chinese “cyberwarriors” had launched 90,000 attacks against US interests last year.

“If so, that’s an incredibly lame attempt,” he said. “The rate was only half an attack per cyberwarrior. They should have downloaded better attack tools.”

Source

Officials from the 68th NWS recently held a groundbreaking ceremony to officially commence construction. It is scheduled to be completed this fall.

“This building will be the first of its kind in the nation, as well as the first step in the new warfare, cyber warfare,” said Col. Bradford Shwedo, 68th NWS commander.

Air Force officials chose Lackland AFB to be the hub of cyber command operations. One reason was because of its proximity to other cyber-related commands such as the National Security Agency’s Texas Cryptologic Center; the Air Force Intelligence, Surveillance, and Reconnaissance Agency; the 67th Network Warfare Wing; the Joint Information Operations Warfare Command; and the Air Force Cryptologic Support Group.

The facility’s construction is one of the base realignment and closure projects being managed and executed through AFCEE and constructed by TolTest, Inc.

The BRAC commission is a federal entity set up to review the assets and property of military installations, close excess bases and realign operations and resources to maximize tax payer dollars.

The building, which will serve as an office building for 400 employees, will be designed and constructed in accordance with Leadership in Energy and Environmental Design requirements. LEED is a goal-oriented approach to the design, construction, and operation of “green” buildings. LEED certification requires the facilities built have environmentally friendly features, use recyclable materials when possible, and use energy efficient lighting and appliances.

“We are excited about the opportunity to design and construct the intelligence operations center for the Air Force Reserve Command and the Air Force Space Command, which will be essential to the execution of their cyber warfare capabilities,” said AFCEE project manager Mark Stough.

Source

Scott Charney, vice president of Microsoft’s Trustworthy Computing Group, spoke at the Worldwide Cybersecurity Summit in Dallas last week and said there needs to be a distinction between cybercriminals merely stealing money and cyberwar, possibly conducted by nation-states, that is aimed at crippling a target in another country, such as a power grid or an oil pipeline.

An Associated Press report on the conference, which was picked up by the Seattle Post-Intelligencer newspaper, quotes Charney as saying that international treaties designed to fight cyberwar are difficult to establish because of the murky nature of what “cyberwar” is.

The United Nations last month rejected a Russian proposal for a new cybercrime treaty, leaving in place a 2001 treaty that Russia opposes because it gives foreign governments too much leeway to pursue cybercriminals across borders.

“Lots of times, there’s confusion in these treaty negotiations because of lack of clarity about which problems they’re trying to solve,” Charney said.

In a paper that accompanied his talk, Charney also wrote that if the concern is that countries need to brace for a cybersecurity “Pearl Harbor,” that it needs to be made clear on what type of attacks governments can respond. “If the concern is an electronic Pearl Harbor, perhaps part of the response is an electronic `Geneva Convention’ that protects the rights of noncombatants.”

The notion of an electronic Pearl Harbor has come up before on this blog. I wrote about it after attending the RSA Conference 2010 in San Francisco in March. There a panel of cybersecurity experts warned that a cyberattack could occur that could cripple U.S. infrastructure if we’re not prepared for it.

Richard Clarke, a national security advisor to the previous three U.S. presidents, also proposed a cyber security treaty, but lumped together criminal cyber attacks and state-sponsored attacks.

“You could have an international treaty that puts an obligation on every country to police its own cyberspace,” he said. It wouldn’t matter if a foreign government launched an attack or whether individual criminals did, he said; if it was traced to their country, they’d have to do something about it.

I think that’s where the murkiness problem comes in. Charney says the confusion occurs when we lump together criminal activity and government sanctioned — or at least condoned — cyberwar, including possible terrorism.

I think a government or military response to a cyber threat should be reserved for attacks on infrastructure (taking down an electrical grid by a computer is the same as bombing the transmission towers) and on attacks by nations against others and a treaty to establish the rules of engagement is warranted. But responses to criminal cyber attacks should be left to law enforcement agencies and, in fact, in those instances, cooperation agreements between law enforcement organizations in each country would be beneficial as well.

Source

Since Tuesday, the NSA has been conducting its 10th annual Cyber Defense Exercise, a competition that pits students from a series of military academies against each other–and against the competition’s leaders at NSA–in a bid to see who has the best cyberdefense skills. The idea? To “build and defend computer networks against simulated intrusions by the National Security Agency/Central Security Services Red Team.”

The competition will last until Friday when that Red team, or “red cell,” as it’s known, will cease its attacks on the students’ newly-built networks. The goal is to help the students learn about the topic of Information Assurance, and how it is used to protect the most vital information systems in the United States and Canada. As they work, the students must defend their networks and offer up consistent reports on what they’re doing and on the attacks they’re identifying.

This year, eight academies are competing: the United States Military Academy (West Point); the United States Naval Academy; the United States Air Force Academy; the United States Coast Guard Academy; the United States Merchant Marine Academy; the Naval Postgraduate School; the Air Force Institute of Technology; and the Royal Military College of Canada.

The exercise is being hosted by Lockheed Martin in Greenbelt, Md., and during the four days of the competition, NSA and U.S. Department of Defense personnel are acting as evaluators–even as the NSA’s red team challenges the students with constant network attacks, all of which must be “publicly-available, well-documented vulnerabilities.” The competition takes place on a closed network that does not access the Internet.

At the Air Force Academy, one of the instructors helping the students learn how to construct cyberdefenses–and prepare for the NSA’s exercise, is Air Force Capt. Michael Henson. He agreed to answer some questions from CNET about the competition, which has been won by West Point for the last three years. However, the Air Force Academy won in 2006, and Henson surely believes that his charges will take the crown in 2010.

Source

Lt. Gen. Keith Alexander, who is the Obama administration’s nominee to take on additional duties as head of the new Cyber Command, also said the U.S. should not be deterred from taking action against countries such as Iran and North Korea just because they might launch cyber attacks.

“Even with the clear understanding that we could experience damage to our infrastructure, we must be prepared to fight through in the worst case scenario,” Alexander said in a Senate document obtained by The Associated Press.

Alexander’s answers reflect the murky nature of the Internet and the escalating threat of cyber terrorism, which defies borders, operates at the speed of light and can provide deep cover for assailants who can launch disruptive attacks from continents away, using networks of innocent computers.

The three-star Army general laid out his views on Cyber Command and the military’s role in protecting computer networks in a 32-page Senate questionnaire. He answered the questions in preparation for a Senate Armed Services Committee hearing Thursday on his nomination to head Cyber Command.

U.S. computer networks are under constant attack, and President Barack Obama last year declared that the cyber threat is one of nation’s most serious economic and national security challenges.

Alexander offered a limited but rare description of offensive U.S. cyber activities, saying the U.S. has “responded to threats, intrusions and even attacks against us in cyberspace,” and has conducted exercises and war games.

It’s unclear, Alexander added, whether or not those actions have deterred criminals, terrorists or nations.

In cyberspace, he said, it is difficult to deliver an effective response if the attacker’s identity is not known.

But commanders have clear rights to self-defense, he said. He added that while “this right has not been specifically established by legal precedent to apply to attacks in cyberspace, it is reasonable to assume that returning fire in cyberspace, as long as it complied with law of war principles … would be lawful.”

Senators noted, in their questions, that police officers don’t have to know the identity of a shooter in order to shoot back. In cyberspace, the U.S. may be able to counter a threat, rebuff an electronic probe or disable a malicious network without knowing who is behind the attack.

The nation’s ability to protect its networks and launch counterattacks, however, is shrouded in secrecy. Alexander gave the panel a separate classified attachment that provided more details on how and when the military would launch cyber attacks and under what legal and command authorities.

Among the classified responses was his answer to whether the U.S. should first ask another government to deal with a cyber attack that came from within its borders.
He repeatedly stressed that any U.S. response to a cyber attack must be authorized by the president and must conform to international law and guiding military principles. Those guidelines require that the reaction be deemed militarily necessary and in proportion to the attack.

Noting that there is no international consensus on the definition of use of force, in or out of cyberspace, Alexander said uncertainty creates the potential for disagreements among nations.

Alexander echoed other experts who warn that the U.S. is unprepared for a cyber attack. He said the first priority is to make sure the nation can defend its networks, which are now a “strategic vulnerability.”

Alexander said the biggest challenge facing the development of Cyber Command will be improving the defense of military networks, which will require better real-time knowledge of intrusions.

He added that it will be difficult for the military to gain superiority in cyberspace, but the goal is “realistic.”
Alexander, 58, is a native of Syracuse, N.Y., and a graduate of the U.S. Military Academy.

Source

The Russian Association of Electronic Communications was established in 2006 to speed Russia’s integration into the global internet economy. The association has more than 35 members, including leading Russian ISP Mail.Ru, social network outfits, news agencies ITAR-TASS and RIA Novosti, and net security firm Kaspersky Lab. RAEC has set out an ambitious programme to shape Russian internet regulations, provide mediation in copyright and e-commerce disputes, promote internet security and help support the development of legitimate IT businesses in Russia.

Dmitry Zakharov, director of comms at RAEC, told El Reg that the prevalence of cybercrime activities in Russia is hurting the country’s image abroad.

“The problems at the moment is that we are not able to offer talented technology people jobs. so they get involved in illegal activity,” Zakharov said. “Not many want to be gangsters but Russia is relatively young as a capitalist economy and there are not enough normal and civilised occupations.”

Anywhere between 10,000 – 20,000 people are estimated to work in the underground economy in Russia, assisting illicit activities including selling scareware, bank fraud, pushing pharmacy spam and worse.

“The problem is economic,” said Zakharov. “We have to offer jobs. Those that remain will be persued if they still want to act like criminals.”

A carrot and a stick approach is needed. RAEC is backing the establishment of a Russian Silicon Valley (Technopark) project, near Moscow, that it’s hoped will offer thousands of legitimate jobs in technology within five years. Those that stay in the black economy need to be prosecuted, and this requires new legislation.

“We have some laws that describe hacking actions, like taking commercial data, but they are not good enough,” Zakharov said. “The law is not clear on definitions.”

Copyright protection laws are also needed and codes of conduct for ISPs are also needed, Zakharov said, adding that RAEC is in discussion with internet firms about “lowering” copyright violations while laws in the area undergo development.

An example of internet law changes in Russia comes from recently applied regulations to tighten up domain registrations. From 1 April, copies of passports or legal registration papers for business are needed to register a .ru domain. Previously domains were set up without any checks, a shortcoming that played into the hands of spammers.

“Spamming domains don’t live long,” Zakharov explained. “The tighter regulations prevent cybercriminals from holding money in anonymous accounts, used to register many domains at once for spamming or other illegal activity. It [the tighter regulation] is an effective measure.”

Rogue hosting organisations, most notoriously the Russian Business Network, have set up shop in Russia and reportedly suffered little or no interference for many months, at least according to many Western information security experts. RBN was eventually broken up in late 2007.

Another more recent example is neighbouring Ukraine is Innovative Marketing Ukraine, which built its wealth marketing scareware until it was shut down last year.

A RAEC analyst said that Western perceptions that RBN, for example, is a single cybercrime entity are all wrong. He described it as the most popular so-called bullet-proof hosting firm, used by many disparate organisations for various criminal purposes.

RAEC’s line was it was only when complaints in more or less the right form were made to Russian authorities that RBN was shut down. The trade organisation argues that information is not been passed between Russian authorities and those in the West, who often have very different ideas of what’s going on. Russian authorities, for example, know much about the identity of prolific spammer in Spamhaus’ ROKSO list. The reason he is not in jail is because his crimes took place outside Russia and no victims have come forward to complain to local authorities.

The trade group, which has begun talking about its work to Western media for the first time over recent weeks, wants to help break down international barriers which allow cybercrime and possibly corruption to flourish unchecked.

Zakharov admitted the possibility that individual corrupt officials in St Petersburg might have been bribed by RBN, but argued repeatedly that “top level government people want cybercrime shut down”.

“Politicians don’t want to see Russia seen as a home for hackers and criminal country because this hurts the economy and Russia’s reputation,” Zakharov explained. “We want to go international and show Russia is not the safe haven for criminals or spammers.

“This is a governmental-backed project. The government are very aware of the cybercrime problem and trying to do many things to curtail it.”

Source

Is the U.S. the nation most vulnerable to cyberattack?

They’re also an “existential threat” to the U.S., a top FBI official said last week.

Unlike older e-mail and network-borne worms and viruses, targeted attacks are stealthier and can give adversaries a way to break into an enterprise network — and stay hidden there for a long time. Typically, the goal behind such attacks is to snoop and to steal sensitive information.

State-sponsored groups with deep technical skills and computing resources have been directing such attacks against government and military targets for several years now. But the increasing number attacks, and the fact that they have begun to spill over into the commercial arena, have prompted some people to speculate about whether the U.S. is in the midst of a cyberwar.

Not war — yet

The consensus: Not yet. Instead, the targeted attacks highlight what’s called the advanced persistent threat (APT) facing U.S commercial entities. The attacks typically rely on sophisticated social engineering techniques to exploit previously unknown security vulnerabilities, and they’re difficult to fend off because they’re designed to elude the signature-based malware-detection tools traditionally deployed at most companies.

Most attacks use social engineering to trick people with access to key information into opening tainted e-mails or other communications.

The malicious messages are crafted to look as if they’re from someone the recipient knows and has been communicating with, said Paul Wood, a senior intelligence analyst in Symantec Corp.’s MessageLabs Intelligence unit. They can even be inserted into an ongoing e-mail exchange, gaining authenticity because they include familiar subject headers and references to ongoing conversations.

Who’s most at risk? Company directors, vice presidents, managers and executive directors — especially at smaller companies, according to MessageLabs. Because larger companies tend to be better protected than smaller ones, cybercriminals aim for small firms that might be suppliers or business partners to big ones, Wood said.

Dealing with these threats requires a new ways of thinking, said Sean Arries, a researcher at Terremark Worldwide Inc., a Miami-based provider of IT infrastructure services. Because the attacks often take advantage of zero-day threats for which no defense exists, blocking them with signature-based anti-malware tools is almost impossible, he said.

Detection is key

As a result, companies need to strengthen their ability to detect intrusions and respond quickly, Arries said. Since targeted attacks are designed to siphon out data via the network, keeping a close eye on network traffic can help detect anomalies. A gusher of data going out over the network is a warning sign that something’s amiss.

Source