|
Server : Apache/2.4.62 System : FreeBSD fbsdweb2.web.rcn.net 14.1-RELEASE FreeBSD 14.1-RELEASE releng/14.1-n267679-10e31f0946d8 GENERIC amd64 User : www ( 80) PHP Version : 8.3.8 Disable Function : NONE Directory : /domains/roger.dnai/2008book/ |
Upload File : |
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/2008template.dwt" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<!-- InstanceBeginEditable name="doctitle" -->
<title>CSDR 2008: Vulnerabilities and Dependencies in Cyber-Space</title>
<!-- InstanceEndEditable -->
<link rel="stylesheet" href="/2002Book/emx_nav_right.css" type="text/css">
<link rel="stylesheet" href="/css/rome08.css" type="text/css" />
<style type="text/css">
<!--
.style5 {font-weight: bold;
color: #000000;
font-family: Arial, Helvetica, sans-serif;
font-size: large;
}
.style7 {font-size: 2px}
.style8 {font-family: Arial, Helvetica, sans-serif}
.style17 {
font-size: x-small;
font-weight: bold;
}
.style18 {font-size: x-small}
.style217 {font-family: Verdana, Arial, Helvetica, sans-serif}
.style219 {font-style: normal; font-weight: normal; font-family: Verdana, Arial, Helvetica, sans-serif; }
.style19 {font-size: 11px}
.style20 {
color: #006699;
font-size: large;
}
.style21 {font-size: small}
.style22 {font-family: Arial, Helvetica, sans-serif; font-size: small; }
-->
</style>
<style type="text/css">
<!--
.style23 {font-size: medium}
.style24 {font-size: large}
.style25 {
color: #006699;
font-weight: bold;
font-style: italic;
}
.style26 {
color: #006699;
font-size: medium;
font-weight: bold;
}
.style27 {
color: #006699;
font-size: medium;
}
.style293 {
font-size: large;
color: black;
}
-->
</style>
<!-- InstanceBeginEditable name="head" --><!-- InstanceEndEditable -->
</head>
<body>
<!-- Start of StatCounter Code -->
<script type="text/javascript">
var sc_project=3086157;
var sc_invisible=0;
var sc_partition=27;
var sc_security="33bf0688";
</script>
<script type="text/javascript" src="http://www.statcounter.com/counter/counter_xhtml.js"></script><noscript><div class="statcounter"><a class="statcounter" href="http://www.statcounter.com/"><img class="statcounter" src="http://c28.statcounter.com/3086157/0/33bf0688/0/" alt="free website hit counter" /></a></div></noscript>
<!-- End of StatCounter Code -->
<div class="skipLinks">skip to: <a href="#content">page content</a> | <a href="../book2007TEST/2002Book/pageNav">links on this page</a> | <a href="#globalNav">site navigation</a> | <a href="#siteInfo">footer (site information)</a> </div>
<div id="masthead">
<div id="globalNav" style="margin-top:15px;"> <div id="globalLink">
<a href="/index.html" id="gl1" class="glink"><span class="style18"><span class="style19">Home</span></span></a><a href="/index.html#about" class="glink"><span class="style18"><span class="style19">Contact Us</span></span></a><a href="/2008book/joulwan.html" id="gl2" class="glink"><span class="style18"><span class="style19">Rome '08</span></span></a><a href="/2007book/joulwan07" id="gl2" class="glink"><span class="style18"><span class="style19">Paris '07</span></span></a><a href="/2006book/jung.htm" id="gl2" class="glink"><span class="style18"><span class="style19">Berlin '06</span></span></a><a href="/2005book/alliotmarie.htm" id="gl2" class="glink"><span class="style18"><span class="style19">Paris '05</span></span></a><a href="/2004book/PeterStruckKeynote.htm" id="gl3" class="glink"><span class="style18"><span class="style19">Berlin '04</span></span></a><a href="/moscow03/weissingerbaylon.htm" id="gl4" class="glink"><span class="style18"><span class="style19">Moscow '03</span></span></a><a href="/berlin02/scharping.htm" id="gl5" class="glink"><span class="style18"><span class="style19">Berlin '02</span></span></a><a href="/2001Book/workshop2001.htm" id="gl6" class="glink"><span class="style18"><span class="style19">Helsinger '01</span></span></a><a href="/2000Book/workshop2000.htm" id="gl6" class="glink"><span class="style18"><span class="style19">Berlin '00</span></span></a><a href="/99Book/workshop1999.htm" id="gl6" class="glink"><span class="style18"><span class="style19">Budapest '99</span></span></a><a href="/98Book/workshop98.htm" id="gl6" class="glink"><span class="style18"><span class="style19">Vienna '98</span></span></a><a href="/97Book/workshop97.htm" id="gl6" class="glink"><span class="style18"><span class="style19">Prague '97</span></span></a><a href="/96Book/Workshop96.htm" id="gl7" class="glink"><span class="style18"><span class="style19">Warsaw '96</span></span></a>
<a href="/95Book/95Workshop.htm" id="gl8" class="glink"><span class="style18"><span class="style19">Dresden '95</span></span></a></div>
</div>
</div>
<div id="pagecell1" style="top:65px;">
<div id="breadCrumb" style="text-align:center;">
<img src="/images/header.gif" alt="Center for Strageic Decision Research: Celebrating over 25 years of international dialogue. International workshop on global security." width="618" height="99" style="padding:20px 10px;" />
</div>
<div id="pageNav">
<div id="sectionLinks">
<p align="center" class="style17">Table of Contents<br>
25th International Workshop - Rome '08</p>
<p align="center" class="style17">
<a href="/2008book/weissinger-preface.html">Preface- Dr. Roger<br>Weissinger-Baylon<br>Workshop Chairman<br></a>
<a href="/2008book/weissinger-overview.html">Workshop Chairman's Overview - Dr. Roger Weissinger-Baylon</a>
<a href="/2008book/joulwan.html">Opening Dinner Debate - <br>General George Joulwan<br>Former SACEUR</a>
<p>
<p align="center" class="style17">Part One<p>
<p align="center" class="style17">
<a href="/2008book/la-russa.html">Italian Defense Minister<br />
Ignazio La Russa
</a>
<a href="/2008book/browne.html">British Defense Minister<br />
The Rt Hon Des Browne
</a>
<a href="/2008book/gonul.html">Turkish Defense Minister<br />
Vecdi G�n�l
</a>
<a href="/2008book/di-paola.html">NATO Military Committee Chairman<br />
Admiral Giampaolo Di Paola
</a>
<a href="/2008book/zappata.html">Admiral Luciano Zappata<br />
Dep Supreme Allied
Commander Transformation
</a>
<a href="/2008book/camporini.html">Italian Chief of Defense<br />
General Vincenzo Camporini
</a>
<a href="/2008book/zappa.html">Alenia Aeronautica Chairman<br />
Dr. Giorgio Zappa
</a>
<br>Part Two<br>
<p align="center" class="style17">
<a href="/2008book/baramidze.html">Georgian Vice Prime Minister<br />
Giorgi Baramidze
</a>
<a href="/2008book/chizhov.html">Russian Amb to EU<br />
Vladimir Chizhov
</a>
<br>Part Three<br>
<p align="center" class="style17">
<a href="/2008book/eldon.html">British Amb to NATO<br />
Stewart Eldon
</a>
<a href="/2008book/akram.html">Pakistan's Amb to U.N.<br />
Munir Akram
</a>
<a href="/2008book/de-la-sabliere.html">French Amb to Italy<br />
Jean-Marc de la Sabli�re
</a>
<a href="/2008book/tkeshelashvili.html">Georgian Foreign Minister<br />
Eka Tkeshelashvili
</a>
<a href="/2008book/stefanini.html">Italian Amb to NATO<br />
Stefano Stefanini
</a>
<a href="/2008book/buzhinsky.html">Lt Gen Evgeniy Buzhinsky<br />
Russian Min of Defense
</a>
<a href="/2008book/winid.html">Polish Amb to NATO<br />
Boguslaw Winid
</a>
<br>Part Four<br>
<p align="center" class="style17">
<a href="/2008book/tegnelia.html">DTRA Director<br />
Dr. James Tegnelia
</a>
<a href="/2008book/rood.html">U.S. Under Sec of State<br />
John Rood
</a>
<a href="/2008book/joseph.html">Former Under Sec of State<br />
Amb Robert Joseph</a>
<a href="/2008book/berdennikov.html">Russian Amb-at-large<br />
Grigory V. Berdennikov
</a>
<a href="/2008book/benkert.html">U.S. Asst Sec of Defense<br />
Joseph Benkert
</a>
<a href="/2008book/flory.html">NATO Asst Sec Gen<br />
Peter Flory
</a>
<a href="/2008book/sedivy.html">NATO Asst Sec Gen<br />
Jiri Sedivy
</a>
<a href="/2008book/pfirter.html">OPCW Dir Gen<br />
Amb Rogelio Pfirter
</a>
<br>Part Five<br>
<p align="center" class="style17">
<a href="/2008book/lather.html">SHAPE Chief of Staff<br />
General Karl-Heinz Lather
</a>
<a href="/2008book/fitzgerald.html">Admiral Mark. P. Fitzgerald
<br />
Allied Joint Force Command Naples
</a>
<a href="/2008book/ildem.html">Turkish Amb to NATO<br />
Tacan Ildem
</a>
<a href="/2008book/schuwirth.html">Fmr SHAPE Chief of Staff<br />
General Rainer Schuwirth
</a>
<a href="/2008book/acosta.html">Global Impact CEO<br />
Ms. Renee Acosta
</a>
<a href="/2008book/soligan.html">Lt Gen James Soligan<br />
Allied Command-Transformation
</a>
<a href="/2008book/bagnall.html">Former UK Vice Chief of Defense Staff<br />
ACM Sir Anthony Bagnall
</a>
<br>Part Six
<p align="center" class="style17">
<a href="/2008book/volkman.html">U.S. Dir of Internat. Coop.<br />
Alfred Volkman
</a>
<a href="/2008book/tozzi.html">Major General Claudio Tozzi<br />
Italian Defense Ministry
</a>
<a href="/2008book/homberg.html">EADS Senior Vice Pres<br />
Thomas Homberg
</a>
<a href="/2008book/shephard.html">Northrop Grumman VP<br />
Mr. Timothy Shephard
</a>
<a href="/2008book/buckley.html">Thales Senior VP<br />
Dr. Edgar Buckley
</a>
<a href="/2008book/harris.html">Lockheed Martin Global Pres.<br />
Dr. Scott A. Harris
</a>
<a href="/2008book/schneider.html">AFCEA CEO<br />
Kent Schneider
</a>
<a href="/2008book/patterson.html">Mr. David Patterson<br />
Univ of Tennessee
</a>
<p align="center" class="style17">Part Seven
<p align="center" class="style17" style="margin-bottom: 0;">
<a href="/2008book/grimes.html">U.S. Asst Sec of Def<br />
Hon. John G. Grimes
</a>
<a href="/2008book/lentz.html">U.S. Dep Asst Sec of Def<br />
Robert Lentz
</a>
<a href="/2008book/aaviksoo.html">Estonian Defense Minister<br />
Jaak Aaviksoo
</a>
<a href="/2008book/bloechl.html">Microsoft, Managing Dir.<br />
Tim Bloechl
</a>
<a href="/2008book/wolf.html">Lt Gen Ulrich Wolf<br />
NATO CIS Service Agency Dir
</a>
<a href="/2008book/monteforte.html">Italian Milrep to NATO<br />
Vice Adm Ferdinando Sanfelice di Monteforte
</a>
<a href="/2008book/lintonen.html">Finnish Amb to UN<br />
Kirsti Lintonen
</a>
<a href="/2008book/silvestri.html">Dr. Stefano Silvestri<br />
Istituto Affari Internazionali
</a>
<a href="/2008book/yousfi.html">Algerian Amb to UN<br />
Youcef Yousfi
</a>
<a href="/2008book/karem.html">Egyptian Amb to EU<br />
Mahmoud Karem
</a>
<a href="/2008book/tarasyuk.html">Former Ukrainian Foreign Minister<br />
Borys Tarasyuk
</a>
</div>
</div>
<div id="content">
<div class="story">
<h2 class="workshop_year">Rome '08 Workshop</h2>
<!-- InstanceBeginEditable name="Main Content" -->
<h1>
Vulnerabilities and Dependencies in Cyber-Space </h1>
<h2 style="margin-bottom: 0;">
The Honorable John G. Grimes</h2>
<h2 style="margin-top: 0; margin-bottom: 0;">U.S. Assistant Secretary of Defense </h2>
<h2 style="margin-top: 0;"><img src="images/grimes.jpg" alt="The Honorable John G. Grimes" width="114" height="139"></h2>
<p style="margin-bottom: 0;"> </p>
<p style="margin-top: 0;">
Last year, when I spoke at the workshop, I focused on the global society
dependency on the Internet and how threats to our networks could cause
major disruptions. Activities across the global economy, government operations,
business operations, airlines, air traffic control, and military operations—are
just a few examples of how dependent we have become on this infrastructure,
on the Internet. </p>
<p>
As I also mentioned last year, and more so now, criminals, terrorists,
state and non-state actors, are using IT Network technology for their purposes
which are not always for good reasons. At the opening of the workshop,
General Camporini mentioned that “the terrorists get more leverage from
IT and the Internet than we do.” The fact that he made IT a major point
in his presentation, to include network exploitation, tells you it is on
the minds of military leaders. General Camporini also mentioned attribution.
The attribution of an attack is hard to determine. The attack last year
on Estonia’s Internet infrastructure used botnets (robots on the network)
to take over computers and use them to attack other computers. Who did
it? Was that a criminal act or was it an article 5 like act, intentional
war? </p>
<p>
On the NATO side, at the Riga and Bucharest summits, NATO communiqués recognized
the criticality of cyber security to the Alliance. After the events in
Estonia, the NATO Consultation, Command and Control Board (NC3 board) which
Peter Flory chairs, formalized some of the cyber security processes that
address policy, technology and cyber defense operations. NATO also has
an operations center headed by General Wolf, the director of the CIS Service
Agency, to defend NATO’s networks and systems. </p>
<p>
Cyber space is where IT is happening. The Internet continues to be a changing
influence. The value of IT enabled global trade is estimated at 30% of
the global GDP. That is 14 trillion dollars in global economic value that
would have been lost without the Internet technology that most of us have
in our homes, at work, and even in our pockets (wireless, the BlackBerry
or Smart Phone, and other equivalent personal digital assistants). As more
IT services and capabilities go online, more markets open up and new technologies
fuel creative business models that dictate the need for robust cyber security
solutions. </p>
<p>
What do we need to be aware of when we talk about cyberspace? A few points
can help bring things into focus: </p>
<UL>
<LI>
First, what kinds of vulnerabilities and dependencies do we face in cyberspace? </LI>
<LI>
Second, how are networks and computers being compromised—what are attackers
doing? </LI>
<LI>
Finally, what is being done now, and what can be done down the road to
increase security? </LI>
</UL>
<h2>VULNERABILITIES AND DEPENDENCIES IN CYBER-SPACE—WHAT DO WE FACE IN CYBER-SPACE? </h2>
<p>
Let us consider the nature of the problem: When cyber activity is detected,
is it a crime or an act of war? Who decides? How? </p>
<p>
A good example is the Estonian incident of April 2007 in which: </p>
<UL>
<LI>
Hackers used the denial of service attack against the nation of Estonia; </LI>
<LI>
The attack was focused on ministries, banks, newspapers, TV/radio and the
Parliament in order to bring the country down on its knees; </LI>
<LI>
Websites were knocked offline, emergency telephone lines were inoperable; </LI>
<LI>
Botnets were used; </LI>
</UL>
<p>
Fortunately, Estonia was able to recover very quickly thanks to its Computer
Emergency Response Team (CERT) but I am not sure that every nation has
all those capabilities.
</p>
<p>
What do cyber-aggressors have in common? </p>
<UL>
<LI>
About 90% of the attacks focus on home users. This is a global threat but
with low value in our minds. </LI>
<LI>
70% of the data breaches are in finance, government, and education. This
is a corporate threat with medium value. </LI>
<LI>
Less than 1% of the attacks focus on specific targets for military and
corporate espionage such as nuclear command and control, or corporate strategic
plans or programs. This is a cyber war threat of high value targets. </LI>
</UL>
<h2>HOW DO SYSTEMS GET COMPROMISED? </h2>
<h2>Gaining Unauthorized Access to Computer Systems </h2>
<p>
Attackers seek to gain unauthorized access to our computer systems through
known security holes in the software. Security flaws in web browsers and
servers make it possible to exploit web-based applications, particularly
on interactive sites using databases and scripts to generate content. As
we move to a Service Oriented Architecture (SOA) and get away from the
database architectures, we will have much better security in our networks
for sharing information. This is already the case for Google and for the
financial markets, which have already moved in that direction. </p>
<p>
Security flaws that make it possible to push malicious software to computers
are causing widespread problems. In fact, one in four home computers are
infected with spyware, key-loggers or other malicious code, called MalWare.
Recent reports by Google’s security team indicate that 1.3% of search results
link to sites infected with MalWare . This means that about 59 million
web pages have been intentionally damaged. The trend for new attacks has
been going up very fast. There have been about 375 attacks per day over
the last two years, and 72% of the PCs that do not have anti-virus protection
have MalWare in them. The proliferation of MalWare is approaching epidemic
levels, and it is a major concern to our government networks. </p>
<h2>Socially Engineered Deception and Cyber Crime </h2>
<p>
Attackers often use fake emails or web sites to steal information and compromise
users’ computers. How does it work? A type of attack called “spear phishing”
using emails targeted at specific users tries to get them to visit malicious
web sites. These emails appear to be from a known or trusted source, from
a trusted acquaintance, agency or business with a serious subject like
would be for instance “Official information for UBS client.” These emails
entice users to go to realistic websites, causing their computers to be
attacked. The web sites push out MalWare, which is set up as a “back door”
on the computer for later attacks. </p>
<p>
These socially engineered schemes are a growth industry for organized crime
because they are effective, profitable and they work. Criminals craft emails
that appear to be from courts of law, businesses, prospective employers,
respected civic organizations and more. Sources indicate that since February
07, two groups are behind 95% of these attacks. They are increasingly focused
on financial information, institutions and transactions. </p>
<p>
There is also something quite disturbing called “e-currency” which is a
slightly different problem from the other Information Assurance/Cyber issues.
E-currency has its roots in the early days of the World Wide Web and has
a direct impact on economic and national security. Risk assessment tied
to e-currency is very complex. Transactions are difficult to track, accessible
anywhere and fit well into the illicit movement of money—there is no way
to dispute charges or rescind payment. Why do we care? Because terrorists
can move and access money with virtually no accountability, creating tremendous
opportunities for illicit activity. </p>
<h2>Global Supply Chain Manipulation </h2>
<p>
Globalization of the supply chain processes and products is another major
concern. The offshore global supply chain of computer H/W & S/W is particularly
vulnerable to manipulation. An in-depth approach for managing product integrity
will be required for ensuring the protection of H/W and S/W IT products.
Let me give you a few examples: </p>
<p>
<I>Example 1.</I> On February 29, 2008, the U.S. FBI’s Cyber Division, the U.S.
Immigration and Customs Enforcement, the U.S. Customs and Border Protection
and the Royal Canadian Mounted Police cracked a case that identified about
3,500 counterfeit Cisco network components. This led to 10 convictions
and $1.7 million in restitution. The retail value of the counterfeit gear
was $3.5 million. </p>
<p>
<I>Example 2. </I>On January 4, 2008, two brothers in the U.S. were indicted under
allegations that they purchased and imported counterfeit computer network
hardware from China, then sold them to retailers across the country. Some
items were sold to the military, the FAA, the FBI, as well as several defense
contractors, universities and financial institutions that procured them
through a third party computer retailer. </p>
<p>
The Defense Industrial Base (DIB) will need to focus on the industry protection
of U.S. government sensitive information on their networks. </p>
<h2>IMPROVING CYBER OR INTERNET SECURITY </h2>
<p>
What are the near term solutions? </p>
<p>
<B>A Shift from from IPv4 to IPv6.</B>The transition from Internet Protocol version
4 (IPv4) to Internet Protocol version 6 (IPv6) will dramatically improve
security and scalability. The European Commission is looking to get 25%
of businesses, public authorities and households on IPv6 by 2010.<B> </B></p>
<p>
<B>Partnerships—International Cooperation.</B> </p>
<p>
<I>ITU:</I> The International Telecommunication Union is working to improve collaboration
between industry and government; establishing computer security incident
response teams, information sharing and analysis centers and warming, advice
and reporting points. </p>
<p>
<I>ICANN:</I> The Internet Corporation for Assigned Names and Numbers is working
to enforce domain name registration among registrants identified as having
registered web site generating illicit traffic. Nearly 90% of illicit sites
are tied to approximately 20 registrants. </p>
<p>
<I>NATO:</I> The Estonian Cyber Center of Excellence focuses on training, tools
and procedures related to improving cyber security and responsiveness. </p>
<p>
<I>The Council of Europe:</I> The Convention on Cyber Crime is the first and only
legal instrument addressing cyber attacks. It applies only to signatory
nations, which are 38 Council members, plus the U.S., Canada, Japan, South
Africa, and Montenegro. </p>
<p>
<I>ENISA:</I> The European Network and Information Security Agency is looking
at the policies and regulations that exist across EU Member States, the
measures operators take and the technologies available to improve the resilience
(availability and integrity) of communication networks. </p>
<h2>WRAP-UP </h2>
<p>
The global information infrastructure is under siege every single day—it
is being hit constantly, probed for weaknesses and openings where bad actors
can gain unauthorized access. Cyber attacks are getting much more focused,
and the level of sophistication we are seeing is growing. These cyber security
challenges are coming at the same time as the network environment is rapidly
expanding, sheer computing capacity is accelerating, and network costs
are dropping. </p>
<p>
At a recent Massachusetts Institute of Technology workshop on the issue
of cyber security, some of the core issues that were discussed have relevance
here. Let me share three of them in closing: </p>
<UL>
<LI>
Does the spread of information warfare capabilities impact the stability
of the international system? </LI>
<LI>
Can we create a shared model or concept of escalation levels with related
cyber actions that will enjoy international recognition? </LI>
<LI>
Are cyber agreements really possible given the challenges of enforcement? </LI>
</UL>
<p>
The need to cooperate and collaborate and share cyber security information
at the national, regional and international level must take place through
international partnerships and initiatives that are enforceable before
we face a global 9/11. </p>
<!-- InstanceEndEditable --></div>
</div>
<div class="style8" id="siteInfo"> <a href="#">Top of page </a> | <a href="../index.html">Home</a> | ©2009
Center for Strategic Decision Research</div>
</div>
<br>
</body>
<!-- InstanceEnd --></html>