In the Crossfire International Cooperation and Computer Crime Stewart Baker
Waterloo Mt. Tambora
1817
6 th century BC
Stability and speed Stability Speed A B C
What Point B Looks Like
Stability and speed Stability Speed A B C
What Point C Looks Like
Have we reached Point C for information technology? What the CSIS report found
Summary Attacks are already heavy Adoption of security measures lags The many roles of governments – Regulator – Policeman – Attacker
1. Attacks are already heavy 60% reported theft-of-service cyberattacks – Low: Germany, UK (42%) – High: India (83%), Brazil (77%), France (76%) 29% reported multiple large-scale denial of service attacks each month, and nearly two-thirds of those reported an impact on operations – High: France (60%), India (50%) 89% report infection with viruses or other malware 70+% report a wide range of other attacks – E.g., phishing and pharming. More sophisticated attacks like DNS poisoning or SQL injection are less common, but still widespread – more than half of respondents report these attacks
2. Adoption of security measures lags behind the threat Basic, key security measures are not widely adopted – Fewer than 60% patched and updated software on a regular schedule – User name and password the most common form of login/authentication – more than three-quarters of SCADA/ICS systems are connected to an IP network or the Internet nearly half of those admitted that these connections create unresolved security issues Security measure adoption rates vary widely by country
Security measure adoption rate More than two dozen different security measures -- technologies, policies and procedures Security Information and Event Management tools Network access control measures Intrusion prevention systems Database security and access controls Data leak prevention tools Intrusion detection systems Firewalls to public network Firewalls between systems Application whitelisting Role and activity anomaly detection Standardized desktop Use threat monitoring service Encryption for – Online transmission to network Laptop hard drives Individual s Data in databases Data while in network storage Tapes, portable media Authentication by – User name and password Token Biometrics Regular patches and updates Threat information sharing Restrict or ban USB sticks
China leads in adopting security measures
3. The many roles of governments Regulators – Regulation seen as generally positive 74% have implemented new measures as a result of regulation 58% say regulation has “sharpened policy and improved security” 28% say it has “diverted resources from improving security to recording/reporting incidents or other forms of compliance” – Audit frequency varies widely Policemen – Widespread skepticism about governments’ ability to protect networks Attackers, infiltrators and adversaries
Regulator: auditing to enforce compliance varies widely
Policeman: Little faith in laws against cyber- attack
Attacker: 60% believe governments are already attacking their country
Attacker: Many report government-style attacks Half report “stealthy infiltration by high-level adversary … like in Ghostnet” Half report DDOS attacks by “high-level adversaries” including governments:
Attacker: United States and China are most feared; Russia is third
China the outlier Chinese executives report -- – Uniquely close cooperation with officials – High levels of regulation and auditing – Very robust confidence in government – Much higher adoption of security measures China is taking concerted steps to bolster its industries’ defenses Are the steps effective? – Chinese companies report low to average levels of attack and damage – China does appear better protected than other large developing countries, such as India and Brazil
Changing the Trajectory
Is there a broader solution? Deterrence depends on attribution – Attribution is not possible today – Can’t depend on international cooperation as long as attribution is not possible – Technology has been tilted against attribution An end to anonymity on the serious Internet? – Code – Devices – Routing
The End