Cyberterrorism and US Infrastructure. Is the US Government able to protect its citizens from cyber attacks?

Contents

Executive Summary

Introduction

Report of Findings
History Overview
Tier 1 ISP/Backbone History
SCADA History
Current Threats
Current Remediation
Cybersecurity Information Sharing Act of 2015
Cybersecurity National Action Plan
Increasing the cyber workforce
Solutions and Recommendations
Resolving the skills shortage

Conclusion

References

Executive Summary

Security in the United States has always been a slow, reactionary process. For instance, the Transportation Security Administration (TSA) did not exist until after 9/11 occurred. It usually takes a catastrophe for our government to prioritize constructive and meaningful progress. Our SCADA systems and Tier 1 Backbone of the Internet are no exception. The Internet wasn’t designed with security in mind, so now the United States is in a race to become cyber-secure before the next disastrous event.

The United States government is struggling to proactively protect itself and find/train skilled individuals to help protect Americans online. The United States has no shortage of enemies, and those enemies now have skilled cyber-warriors probing through the systems of the federal government and American private companies. Nation-states, cyberterrorists, hacktivists, and criminal organizations are all potential actors that could destroy or manipulate the systems we depend on for financial gain, fame, or to make a political message.

An amalgam of patchwork legacy systems, unjustifiable ignorance, and rapidly changing technology have left the United States susceptible to cyberattacks against the most vulnerable segments of our infrastructure. This paper outlines the history of the Tier 1 Backbone and the SCADA systems, highlights the current threats to these systems, and then finally proposes solutions to these vulnerabilities.

Introduction

From the development of the ARPANET to today, the United States of America has been very slow in responding to, combating, and preventing attacks on our government networks and critical infrastructure. While small steps have been taken to help combat these issues, there is plenty of room for improvement and a lot of ground to make up. Countries like Russia, China, and North Korea are far more secure in regards to their computer networks. This isn’t completely due to capabilities, but rather less total reliance, more focused education for cyber warriors, and the ability - in the case of China - to shut down the internet if necessary.

Securing the nation’s backbone is possibly the most important step in securing the United States from malicious Internet traffic. With the amount of Internet traffic increasing on a daily basis, the security of the backbone should be the number one priority for the United States government and the Internet Service Providers that control and monitor the backbone. When the most important utilities that we as a country depend on are left unsecure, United States citizens are now left vulnerable to threats unlike anything seen before. Leon Panetta, the former Secretary of Defense and Director of the Central Intelligence Agency, warned people of, “Simultaneous attacks on "critical infrastructure" in the future … [which] could result in a “Cyber Pearl Harbor" (Panetta, 2012). This includes the Supervisory Control and Data Acquisition (SCADA) system and the Internet backbone.

The SCADA system controls and monitors dozens of essential utilities in everyday American life. The system controls everything from floodgates to the amount of electricity flowing through power lines to railway transport systems. Securing the nation’s power grid is part of the critical defense strategy. There are three regional power grids: East, West, and Texas. The SCADA systems were initially “proprietary private networks designed and hardened to protect from inappropriate interference from outside unauthorized interaction”, but the providers have switched over to the public Internet to save money (Hurley, Payne, & Anderson, 2013, p. 4). The providers did this without considering the risk of opening up the power grids, which leaves the grids open to attacks. We are completely dependent on these systems, and if they were to be hijacked, the physical, economic, and ecological damage could be apocalyptic.

On a daily basis, the United States government and private companies are attacked by both foreign and domestic threats. In 2013, the NSA facility in Utah was attacked 20 million times daily; now in 2016, the data center receives around 300 million daily attacks. It’s hard to fathom the enormity of that number. With more malware being created every day, the reality of cyberwarfare and cyberattacks is ever increasing. Nation-states like China and North Korea have been the United States’ known enemies in the cyber arena, but now the next area of concern is cyberterrorism. Groups like ISIS, Al Qaeda, Syrian Free Army, and Hamas have been working towards cyber-weaponization for years now. Some are getting closer to having capabilities either through paying freelance hackers or training their own warriors.

Report of Findings

History Overview

Throughout the recent history of this country, the United States has been involved, willingly and unwillingly, in cyberwarfare. When discussing the vulnerabilities of SCADA and the T1 backbone of the Internet, one first needs to go back in time about 30 years to understand how the United States got to this point.

1982: During the Cold War, the U.S. reprogrammed computer equipment intended for a Soviet gas pipeline and caused the pipeline to explode.

1988: A Cornell University student created the first worm that crippled 10% of the 88,000 computers on the Arpanet. This worm lead to the Defense Advanced Research Projects Agency (DARPA) coordinating an effort with Carnegie Mellon University to create the CERT Coordination Center.

1997: The NSA conducted tests to determine the vulnerabilities of government computers. These tests revealed that systems across the country could be hacked or disrupted with ease. In response, the Department of Defense created the Joint Task Force on Network Defense to defend the department’s networks and systems.

2003: The “Slammer worm” disabled computerized safety monitoring system at the Davis-Besse nuclear power plant in Ohio. The Department of Homeland Security created the National Cyber Security Division that year. President George Bush laid out a National Strategy to Secure Cyberspace to “protect the nation's computer and information systems from a cyberattack.”

2008: An employee at the U.S. Central Command put a flash drive into a laptop and unleashed Operation Buckshot Yankee. This was one of the biggest breaches in U.S. computer history and prompted the Department of Defense to change its cyber defense strategy.

2010: U.S. Cyber Command went operational, and Stuxnet, Flame and Duqu were discovered in Iran and other Middle Eastern countries. The Pentagon declared cyberspace the “new domain of warfare.”

2012: U.S. Department of Homeland Security announced that spear phishing attempts had penetrated the computer systems of U.S. gas pipeline systems.

There have been slow improvements with the creation of U.S. Cyber Command and the Department of Homeland Security taking responsibility in securing our infrastructure, but there is still a long road ahead for the United States to be safe and secure in cyberspace.

Tier 1 ISP/Backbone History

The Tier 1 network is the largest tier of networks provided by Internet Service Providers (ISPs) and is divided into global and regional sections for Tier 1 ISPs. In order for countries around the world to communicate with each other, there needs to be an international backbone to provide efficient connection to people in North America to Europe, Asia and Australia, Africa, and Latin and South America. The Internet is expanding exponentially. By the year 2020, the projections show roughly 25 billion devices will be connected to the internet. The physical media of the backbones are mostly fiber optic cables. According to NTT Communications, “Tier 1 ISPs own the operating infrastructure, including the routers and other intermediate devices (e.g., switches) that form the backbone, which is interconnected with other tier 1 ISPs via private peering in a ‘settlement-free’ interconnection” (Winther, 2006, p. 4). The ISPs at Tier 1 provide the best network quality strength because they have the most direct control over traffic that flows in the private peering connections. These companies have large customer bases, high traffic volumes, and a lot of support inside of the network with routers and autonomous systems. Some companies that are Global Tier 1 ISPs include: AT&T, Level 3, Sprint, and Teleglobe. Lower Tier ISPs depend on the Tier 1 ISPs to deliver and properly manage private peering infrastructure in order to provide quality service to its customers. The smaller companies on Tier 2 and Tier 3 work out service-level agreements to provide a more cost-effective shared connection with bigger Tier 1 providers in order to compete and utilize resources more effectively.

Abbildung in dieser Leseprobe nicht enthalten

Paul Barford (Artist). (2015 September 15). Map of United States Internet Backbone [digital image]. Retrieved from https://www.technologyreview.com/s/540721/first-detailed-public-map-of-us-internet-backbone-could-make-it-stronger/

Due to the size of the backbone, there are many vulnerabilities that our enemies can exploit. Neither the Internet nor the backbone was created with security in mind. For starters, spoofing the Border Gateway Protocol (BGP) is a huge issue that is almost impossible to prevent, and these routers are vital to transfer data from one network to another. Another area of concern with the Internet backbone is Fiber Tapping. This attack consists of using a tap on the wire without breaking the connection. Once someone taps the fiber optic cable, they can extract information from the light that is emitted from the cable. This attack is detectable, but if the attackers does this correctly, they may not raise any alarms (Internet Backbone Security, 2014, p. 4).

SCADA History

Supervisory Control and Data Acquisition (SCADA) systems are “control systems that cover a large geographic area” (SANS, 2014). They can also be referred to as Industrial Controls Systems (ICS). In the 1920s, SCADA systems were used to control local substations from a single power plant. Now, SCADA systems are highly sophisticated operations that control assets across a large geographical range. They monitor everything from fuel levels for water pumps, electrical generator data, sector gates that are used to control floodgates and water levels, natural gas pipelines, railway systems, wastewater collection, and more (WaterWorld, p. 17). In order to communicate across such vast distances, power lines were installed between substations.

In the 1990s, “Internet-based technologies started making their way into ICS designs” (Stouffer, Falco, & Kent, 2006, p. 31). This meant that the legacy systems, the older systems that ran on proprietary hardware and software, were no longer secure. When systems were updated, the companies that managed the ICS/SCADA systems added remote access so engineers could monitor the systems without having to travel to these locations, and “these connections were implemented without a full understanding of the corresponding security risks” (Stouffer, Falco, & Kent, 2006, p. 45). According to NIST:

Industrial Control Systems (ICS) have different performance and reliability requirements and use operating systems and applications that may be considered unconventional to typical IT personnel. Furthermore, the goals of safety and efficiency can sometimes conflict with security in the design and operation of control systems (e.g., requiring password authentication and authorization should not hamper emergency actions for ICSs.) (p. 31)

Control systems are time-sensitive, and delays could result in loss of equipment, productivity, and/or life. These systems must run predictably and continuously. Outages of systems must be planned weeks ahead of time, and everything is thoroughly tested in a sandbox environment since systems are tough to start and stop. Safety and continuity are the two largest concerns in SCADA systems.

Current Threats

Current terrorist groups have two goals: eliminating Western society and instilling fear in populations using tactics like bombings, kidnappings, beheadings, and even plane hijackings. The next frontier for their terror campaigns is cyberspace. Daesh - AKA "Islamic State in Iraq and al-Sham (ISIS)” or “The Islamic State in Iraq and the Levant (ISIL)” - has become a recent villain in state politics. In December 2015, Daesh hackers tried to penetrate computers that regulate the nation’s electricity grid, U.S. officials say” (Marks, 2015). According to Richard Clarke, “We're troubled by the fact that a number of people related to Al Qaeda -- including Khalid Sheikh Mohammed, who was recently arrested and was the chief operating officer -- a number of these people have technical background. Khalid Sheikh Mohammed studied engineering at [a] university [in] North Carolina. He was employed for a while at a water ministry in the nation of Qatar in the Persian Gulf. Recently, a student at the University of Idaho was arrested by the FBI for alleged terrorist connections, and he was studying in a Ph.D. program on cyber security” (Clarke, 2003).

Terrorist groups represent just one threat our country’s cyber infrastructure. Nation-states like China, Russia, North Korea, and Iran are also looking for ways to get an advantage against the United States. Iran hacked into infrastructure in New York and had control of a dam just outside of a suburb of New York City (Prokupecz, Kopan, & Moghe, 2015). They could control the gates of the dam but nothing else. Nations realize that they have a weapon against the United States when they can hack into critical infrastructure and wreak havoc or install a backdoor to use against us at a later date.

Current Remediation

Fortunately, the United States government is beginning to understand the full impact of how cyberterrorism can impact the American economy and society. Steps the government have taken include executive orders and a few pieces of federal legislation.

Executive Order 13636 requires the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence to establish a process to rapidly disseminate reports to proper authorities. The executive order assists owners and operators of critical infrastructure in protecting their systems with classified technical and cyber information sharing that can provide security services for companies or service providers that may need them. The executive order prioritizes critical infrastructure and provides the proper clearance to appropriate personnel to expedite the process between entities (The White House, n.d.). The executive order helped establish the Cybersecurity Framework to reduce the cyber risk to critical infrastructure. While the standard is voluntary, it is a step in the right direction to provide appropriate guidance. Government agencies have a tendency to guard collected information closely, so the framework creates an openness of information sharing across all federal agencies (National Institute of Standards and Technology, 2014).

Cybersecurity Information Sharing Act of 2015

With this act it requires the Director of National Intelligence and the Department of Homeland Security (DHS), Defense, and Justice to develop procedures to share cyber threat information with private entities that are under threat. Private entities may monitor and operate defensive measures on their own systems and, with consent, the systems of other private or government entities. The DHS is required to detect risks in network traffic in transit to or from an agency system and prevent or modify the traffic to remove cyber risks. Lastly, DHS must develop a strategy to ensure a cyber threat affecting critical infrastructure entities will not result in a regional or national catastrophe or threaten national security (Burr, 2015)

Cybersecurity National Action Plan

President Barack Obama has called for a 35% increase in cybersecurity budget to secure an additional $ 19 billion in funding. $ 3.1 billion to retire, replace, and modernize legacy Information Technology systems across the government. The Chief Information Security Officer for the federal government will oversee this modernization and be responsible for coordinating cyber strategy, policy, and operations across the entire federal domain. A big area of concern is the hiring of new cybersecurity experts to secure federal agencies across the board. With the input of experts and our own consensus we feel that this budget increase may be late to the game to combat cybercriminals and other nation states which have controlled the cyberspace for decades (Office of the Press Secretary, 2016).

Increasing the cyber workforce

According to Courtney Kube of NBCNEWS.com, “[Former Secretary of Defense Chuck] Hagel announced that the size of the U.S. cyber defense workforce will grow to more than 6,000 by 2016, and a senior defense official said that the fiscal year 2015 cyber budget will exceed $5 billion” (Kube, 2014). There is a massive shortage of skilled cyber professionals that want to enter the public sector. This is requiring the U.S. Government and agencies to be creative. As a result, private companies are leading the charge in cybersecurity and not the government.

Solutions and Recommendations

Now the question becomes how do we mitigate these risks? Proactive, preventative measures are key. Fiber optic cables and other physical equipment should be correctly secured with proper physical and technical security measures. This could include burying the cables under concrete and encrypting the traffic that flows through the cables. This renders the data useless to anyone who taps the cables (Winther, 2006). The United States government should step in and help Tier 1 providers with regulation and enforcement in order to avoid mishaps. Continuous real-time monitoring, policy enforcement, encryption for fiber optic cables and border gateway protocols, and, of course, user education are all proactive, progressive steps towards thwarting potential attacks (Internet Backbone Security, 2014).

Putting a logical checkpoint for traffic is a reasonable step to protecting the United States and its citizens. Protecting Tier 1 Internet Service Providers, the companies that connect 90% of the US Internet traffic, would provide security for most of cyberspace. Another recommendation is to proactively search out the bad traffic and either delete it or hold the traffic to inspect it. The idea of having a fully automated scanner check all traffic without latency is called “deep packet inspection” (Clarke, 2010, pp. 161-162). This scanner solves the problem of privacy and security.

To protect the SCADA system, the prudent recommendation is requiring electric companies to remove the path from the controls to the Internet, encrypting the signals, and putting the same kind of “deep-packet inspections” as the backbones, all under threat of severe penalties from the government (Clarke, 2010, p. 169).

In addition, the United States needs to secure the power grid by creating regulations that would allow power companies to make it impossible to gain unauthorized access to the control networks of the power grid, including outside internet access. On top of that, a hacker would need to have authenticating signals and codes to hack into the network, making it harder and less likely a cyber-warrior would even try attacking the power grid. Lastly, upgrade defense capabilities for all the Department of Defense networks. You can do this by authentication, guarding the end points by installing firewalls, encrypting files, and monitor network traffic.

Resolving the skills shortage

An excellent way to create a foundation for a more cyber-secure nation would be to start cybersecurity education in high school and offering more money for colleges to fund and increase cybersecurity programs for Bachelor's and Master’s degrees. Cybersecurity awareness is the most essential part of any plan in regards to cybersecurity. No technical control can help the biggest weakness in a security plan: people. The more education citizens have, the more secure the nation can be.

One option is to expand the Hire our Heroes national initiative to push the hiring of vets for not only private sector jobs but for public service cybersecurity positions. On the dhs.gov site it states, “Currently, the initiative has a FedVTE (Federal Virtual Training Environment) where they offer 800 hours of training on cybersecurity topics” (Touhill, 2015). This should be expanded and advertised heavily by the government. Offering large grants, scholarships, and re-training programs at universities for veterans to transition into the workforce as skilled cyber warriors could be a major opportunity to snatch up transitioning military personnel. Incentivizing this program by increasing the pay scales for skilled cyber professionals will also help persuade civilians to consider transitioning from the private sector to public sector opportunities.

Conclusion

Recent presidents have taken strides to combat cyberwarfare against the United States. Governmental agencies have begun to work with private companies through partnerships that allow collaboration unlike anything previously seen in the arena of cyberspace in the United States. The nation can combine the public and private sectors to reduce our vulnerabilities, lessen the impact of cybercrime on our economy, and work to hold government enemies responsible for their actions in cyberspace.

References

Burr, S. R. (2015, October 28). S.754 - Cybersecurity Information Sharing Act of 2015. Washington, D.C. Retrieved from https://www.congress.gov/bill/114th-congress/senate-bill/754

Clarke, R. (2010). Cyber War. New York, NY: Harper-Collins.

Clarke, R. (2003, March 18). Interviews - Richard Clarke. Retrieved from http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/clarke.html

Eidam, E. (2016, March 4). RSA 2016: Feds Tackle IT, Cybersecurity Workforce Shortage. Retrieved from http://www.govtech.com/federal/RSA-2016-Feds-Tackle-IT-Cybersecurity-Workforce-Shortage.html

GCN Staff. (2013, June 3). 30 years of risky business: A cybersecurity timeline. Retrieved from GCN: https://gcn.com/articles/2013/05/30/gcn30-timeline-cybersecurity.aspx

Homeland Security Committee. (2015, June 25). Critical Infrastructure Protection Act (CIPA) Passage Out Of Homeland Security Committee Is Decisive Step To Protecting The Nation. Washington, D.C. Retrieved from https://homeland.house.gov/press/critical-infrastructure-protection-act-cipa-passage-out-homeland-security-committee/

How Vulnerable is U.S. Infrastructure to a Major Cyber Attack? (n.d.). Retrieved from Popular Mechanics: http://www.popularmechanics.com/military/a4096/4307521/

Hurley, D. C., Payne, J. F.X., & Anderson, M. T. (2013). Critical Infrastructure: Electric Power. Fairfax: Armed Forces Communication and Electronics Association Cyber Committee. Retrieved from http://www.afcea.org/committees/cyber/documents/AFCEA_Critical_Infrastructure_Final.pdf

Internet Backbone Security. (2014, October 14). Retrieved from wicksnet: a collection of information security research and penetration testing techniques: https://wicksnet.wordpress.com/tag/internet-backbone-security/

Kube, C. (2014, March 28). U.S. Cyber Defense Force to Hit 6,000 by 2016, Hagel says. Retrieved from NBC News: http://www.nbcnews.com/news/us-news/u-s-cyber-defense-force-hit-6-000-2016-hagel-n66571

Marks, J. (2015, December 29). ISIL aims to launch cyberattacks on U.S. Retrieved from Politico: http://www.politico.com/story/2015/12/isil-terrorism-cyber-attacks-217179#ixzz48ZNzUYjH

National Institute of Standards and Technology. (2014, February 12). Framework for Improving Critical Infrastructure Cybersecurity. Gaithersburg, Maryland, United States of America. Retrieved from http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

Office of the Press Secretary. (2016, February 9). FACT SHEET: Cybersecurity National Action Plan. Washington, D.C.

OPSEC Professionals. (n.d.). Cyber Capabilities and Intent of Terrorist Forces. Retrieved from http://www.opsecprofessionals.org/articles/cybercap.html

Panetta, L. (2012). Cyber Pearl Harbor. New York City, New York, United States of America. Retrieved from http://www.bbc.com/news/technology-19923046

Prokupecz, S., Kopan, T., & Moghe, S. (2015, December 22). Former official: Iranians hacked into New York dam. Retrieved from CNN: http://www.cnn.com/2015/12/21/politics/iranian-hackers-new-york-dam/

Rowen, B. (n.d.). Cyberwar Timeline. Retrieved from http://www.infoplease.com/world/events/cyberwar-timeline.html

SANS. (2014, August). An Abbreviated History of Automation and Industrial Controls Systems and Cybersecurity. SANS. Retrieved from https://ics.sans.org/media/An-Abbreviated-History-of-Automation-and-ICS-Cybersecurity.pdf

Simonite, T. (2015, September 15). First Detailed Public Map of the U.S. Internet Backbone Could Make It Stronger. Retrieved from MIT Technology Review: https://www.technologyreview.com/s/540721/first-detailed-public-map-of-us-internet-backbone-could-make-it-stronger/

Stouffer, K., Falco, J., & Kent, K. (2006). Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security: Recommendations of the National Institute of Standards and Technology. Gaithersburg: National Institute of Standards and Technology. Retrieved from https://www.dhs.gov/sites/default/files/publications/csd-nist-guidetosupervisoryanddataccquisition-scadaandindustrialcontrolsystemssecurity-2007.pdf

The White House. (n.d.). Foreign Policy: Cybersecurity. Retrieved from The White House: https://www.whitehouse.gov/issues/foreign-policy/cybersecurity

Touhill, G. (2015, November 24). ‘Hire Our Heroes’ offering free Cybersecurity Training to Veterans through FedVTE. Retrieved from Department of Homeland Security: https://www.dhs.gov/blog/2015/11/24/hire-our-heroes-offering-free-cybersecurity-training-veterans-through-fedvte

WaterWorld. (n.d.). SCADA Solution Helps Control Nation's Largest Pumping Station. WaterWorld. Retrieved from WaterWorld: http://www.waterworld.com/articles/print/volume-30/issue-11/urban-water-management/scada-solution-helps-control-nation-s-largest-pumping-station.html

Winther, M. (2006). Tier 1 ISPs: What They Are and Why They Are Important. Framingham: International Data Corporation.