2/17/2011
06:57 PM

RSA: Defining Cyberwar And Rallying Defenders

We may not know exactly what cyberwar means but we know we have to work together to prepare our defenses.


General Keith Alexander, Commander of U.S. Cyber Command and Director of the National Security Agency, did not mince words in his keynote presentation at the RSA Conference on Thursday.

"Securing our nation's network is a team sport," he declared. "We all have to work together to make this happen. We need your help."

The word mincing occurred the day before, on Wednesday, during a panel discussion on the definition of cyberwar.

The panelists -- former Department of Homeland Security chief Michael Chertoff, former NSA Director and Director of National Intelligence Mike McConnell, and BT CTO Bruce Schneier, along with moderator James Lewis, Director of the technology and public policy program at the Center for Strategic and International Studies -- demonstrated a surprising degree of unanimity about the problems that come with referring to any computer-driven conflict as a cyberwar.

Chertoff acknowledged there's a difference between war and cyber threats, suggesting a line should be drawn between espionage and physical destruction. At the same time, he said cyber conflicts could produce consequences as substantial as the repercussions of warfighting.

Schneier observed that war is a sexy term. "It's being talked up because that's what sells," he said. He also observed that overstating the threat was a good way for government agencies to secure funding, a claim that Chertoff and McConnell seemed ready to challenge, though neither really engaged with a counter-argument.

Schneier pointed to comments made on Tuesday by Microsoft's Scott Charney as an apt description of the issue. Charney observed that security professionals face an ongoing problem trying to figure out who should respond to cyber attacks because they often don't know who is attacking and why. Is the attack coming from a foreign military, a criminal hacking group, a disgruntled former employee or meddling kids? Answering that question makes a difference in how the government or private sector organizations respond, but it's not always easy to come up with an answer.

Thus we have ongoing jurisdictional confusion and gaps in responsibility when it comes to cyber defense.

"The categories we're used to don't really work with this kind of threat," observed Chertoff, who argued that it's misleading to talk about a single fix. He advised breaking cybersecurity down into discrete problems, like protecting the supply chain and securing the financial system, rather than searching for a monolithic solution.

Schneier questioned whether war is really the right metaphor for cyber conflicts, noting that as a society we're terrible at actually declaring war during an armed conflict but too quick to do so when it's not really a war, like the "war" on drugs.

The problem with relying on war as a metaphor is that cyber defense isn't always delivered in the context of a war. "Things you'd accept during a war you wouldn't accept from the police," he said.

The consensus seemed to be that cybersecurity will require high-level policy initiatives to establish norms for dealing with the spectrum of cyber incidents.

"We're at the brink of a cyberwar arms race because we're not dealing with this at a high enough level," said Schneier.

McConnell suggested such policies will be driven by disaster. "Look at history," he said. "We wait for a catastrophic event then overreact."

Alexander, during his speech, clearly had a more proactive solution in mind. In keeping with the remarks of William Lynn III, Deputy Secretary of Defense, who spoke on Tuesday at the security conference, Alexander pushed for partnerships, for private industry to work with the public sector to protect critical infrastructure and networks. And he called for better education, in terms of academics and public awareness.

"We need to create, with your help, a public demand for secure technology," he said.

If there were any security vendors in the audience opposed to the idea of creating demand for their products, they did not make their objections known.
