Perimeter
2/17/2010
10:11 PM

Will Cyber Shockwave Make Some Waves?

With March Madness coming up, I recently spent the morning in some rather distinguished company simulating the effect of a March Madness smartphone app that turned out (within the confines of the simulation) to be malware.

Cyber Shockwave assembled a group that was tasked to play top-level government officials in a National Security Council meeting. The eye-catching thing about the exercise, hosted by the Bipartisan Policy Center, was that the panel members were all prominent former holders of top-level government jobs. Stewart Baker, who worked on cybersecurity at the DHS through last year, played Cyber Coordinator. Deputy Commander of the U.S. European Command Charles F. Wald played Secretary of Defense. Director of National Intelligence John Negroponte played Secretary of State. And so on for a cast of 10.

For me, and I think everyone else in the room, a couple of things became very clear very quickly. First, if the lights are going to go out in North America (as they were in Eastern cities during the second hour of the exercise), then they will be out long before anyone in the White House has any idea what they want to do about it. The president will be urging calm, which I'll bet will just work like magic.

Second, in any situation where serious harm was being done to electronic and electrical infrastructures, the only effective response would be to declare it an act of war or, failing that, for the president to make a significant grab for additional executive powers under Article 2 of the Constitution. Calling it an act of war is likely to be impossible in any normal sense, because attributing a cyberattack to a specific nation state would be next to impossible in the short term. Consider recent events: Was the Chinese state behind the Aurora attacks? If so, then it's arguably an act of war, a state-sponsored incursion on our domestic territory.

As for the executive power grab, well, there won't really be any good alternative. Something definitive will have to be done, it will involve the private companies that own the digital infrastructure, and it will involve compelling them to do what they won't do voluntarily for fear of subsequent legal liability for their actions.

Those two things came across loud and clear and, while I'm not sure the scenario of smartphones bringing down the cell phone system was all that horrifying, the idea of executive rule by fiat was indeed a bit creepy. I should add, too, that the overall scenario had a lot of intellectual weight behind it because the several sponsors -- which included General Dynamics (and specifically involved some of the forensics heavy hitters in their Advanced Information Systems division), Georgetown University (and experts from their Institute for Law, Science and Global Security), SMobile, Symantec, and PayPal -- helped build aspects of the scenario and keep it within the realm of the credible.

For me, though, there was a third realization. The unspoken, unquestioned common assumption on the panel seemed to be that policy about technological infrastructure and the security of that technological infrastructure could be readily decoupled from knowledge of the technology itself. Obviously, policy can't get mired in details. But, on the other hand, digital infrastructure is shaped by how it is implemented and managed -- and policy responds to that shaping. So my take is that even at the highest levels, somebody in the room should probably know what he or she is talking about when it comes to, say, how viruses propagate. The Secretary of Defense, somewhere back in time, went through boot camp. Who in the room knows the basics on how packets are routed? Right now, nobody. And it just is never going to be the head of the DHS. And nobody seems to have had Howard Schmidt's cell phone number when the attacks on Google were announced.

Anyway, a lot of what was in play at Cyber Shockwave were policy concerns. Should the government lay out a declarative policy on the circumstances in which it would retaliate against an attacking nation or terrorist organization? That sort of knotty concern. Not necessarily things that you or I are likely to get much say about. But how we improve attribution of attacks to their perpetrators and the question of how easily subverted (or, as in this scenario, Trojan Horse) software is kept off the networks are two areas that the security community can potentially address. I doubt, frankly, that we can do much about either without some degree of government regulation -- vendors don't have much incentive to do things that improve the overall security of the Internet, a point made quite convincingly by former Secretary of Homeland Security Michael Chertoff, who played National Security Adviser in the simulation. How do we get regulation that works well? It just might be time to send an email or two to our representatives.

In the meanwhile, CNN taped the event and will air it Saturday and Sunday, so you can check it out for yourself.

Robert Richardson is director of the Computer Security Institute. Special to Dark Reading.
