Vulnerabilities / Threats
2/17/2011
06:57 PM

RSA: Defining Cyberwar And Rallying Defenders

We may not know exactly what cyberwar means but we know we have to work together to prepare our defenses.


General Keith Alexander, Commander of U.S. Cyber Command and Director of the National Security Agency, did not mince words in his keynote presentation at the RSA Conference on Thursday.

"Securing our nation's network is a team sport," he declared. "We all have to work together to make this happen. We need your help."

The word mincing occurred the day before, on Wednesday, during a panel discussion on the definition of cyberwar.

The panelists -- former Department of Homeland Security chief Michael Chertoff, former NSA Director and Director of National Intelligence Mike McConnell, and BT CTO Bruce Schneier, along with moderator James Lewis, Director of the technology and public policy program at the Center for Strategic and International Studies -- demonstrated a surprising degree of unanimity about the problems that come with referring to any computer-driven conflict as a cyberwar.

Chertoff acknowledged there's a difference between war and cyber threats, suggesting a line should be drawn between espionage and physical destruction. At the same time, he said cyber conflicts could produce consequences as substantial as the repercussions of warfighting.

Schneier observed that war is a sexy term. "It's being talked up because that's what sells," he said. He also observed that overstating the threat was a good way for government agencies to secure funding, a claim that Chertoff and McConnell seemed ready to challenge, though neither really engaged with a counter-argument.

Schneier pointed to comments made on Tuesday by Microsoft's Scott Charney as an apt description of the issue. Charney observed that security professionals face an ongoing problem trying to figure out who should respond to cyber attacks because they often don't know who is attacking and why. Is the attack coming from a foreign military, a criminal hacking group, a disgruntled former employee or meddling kids? Answering that question makes a difference in how the government or private sector organizations respond, but it's not always easy to come up with an answer.

Thus we have ongoing jurisdictional confusion and gaps in responsibility when it comes to cyber defense.

"The categories we're used to don't really work with this kind of threat," observed Chertoff, who argued that it's misleading to talk about a single fix. He advised breaking cybersecurity down into discrete problems, like protecting the supply chain and securing the financial system, rather than searching for a monolithic solution.

Schneier questioned whether war is really the right metaphor for cyber conflicts, noting that as a society we're terrible at actually declaring war during an armed conflict but too quick to do so when it's not really a war, like the "war" on drugs.

The problem with relying on war as a metaphor is that cyber defense isn't always delivered in the context of a war. "Things you'd accept during a war you wouldn't accept from the police," he said.

The consensus seemed to be that cybersecurity will require high-level policy initiatives to establish norms for dealing with the spectrum of cyber incidents.

"We're at the brink of a cyberwar arms race because we're not dealing with this at a high enough level," said Schneier.

McConnell suggested such policies will be driven by disaster. "Look at history," he said. "We wait for a catastrophic event then overreact."

Alexander, during his speech, clearly had a more proactive solution in mind. In keeping with the remarks of William Lynn III, Deputy Secretary of Defense, who spoke on Tuesday at the security conference, Alexander pushed for partnerships, for private industry to work with the public sector to protect critical infrastructure and networks. And he called for better education, in terms of academics and public awareness.

"We need to create, with your help, a public demand for secure technology," he said.

If there were any security vendors in the audience opposed to the idea of creating demand for their products, they did not make their objections known.
