Vulnerabilities / Threats
2/17/2011
06:57 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

RSA: Defining Cyberwar And Rallying Defenders

We may not know exactly what cyberwar means but we know we have to work together to prepare our defenses.

Inside DHS' Classified Cyber-Coordination Headquarters
(click image for larger view)
Slideshow: Inside DHS' Classified Cyber-Coordination Headquarters

General Keith Alexander, Commander of U.S. Cyber Command and Director of the National Security Agency, did not mince words in his keynote presentation at the RSA Conference on Thursday.

"Securing our nation's network is a team sport," he declared. "We all have to work together to make this happen. We need your help."

The word mincing occurred the day before, on Wednesday, during a panel discussion on the definition of cyberwar.

The panelists -- former Department of Homeland Security chief Michael Chertoff, former NSA Director and Director of National Intelligence Mike McConnell, and BT CTO Bruce Schneier, along with moderator James Lewis, Director of the technology and public policy program at the Center for Strategic and International Studies -- demonstrated a surprising degree of unanimity about the problems that come with referring to any computer-driven conflict as a cyberwar.

Chertoff acknowledged there's a difference between war and cyber threats, suggesting a line should be drawn between espionage and physical destruction. At the same time, he said cyber conflicts could produce consequences as substantial as the repercussions of warfighting.

Schneier observed that war is sexy term. "It's being talked up because that's what sells," he said. He also observed that overstating the threat was a good way for government agencies to secure funding, a claim that Chertoff and McConnell seemed to ready to challenge, though neither really engaged with a counter-argument.

Schneier pointed to comments made on Tuesday by Microsoft's Scott Charney as an apt description of the issue. Charney observed that security professionals face an ongoing problem trying to figure out who should respond to cyber attacks because they often don't know who is attacking and why. Is the attack coming from a foreign military, a criminal hacking group, a disgruntled former employee or meddling kids? Answering that question makes a difference in how the government or private sector organizations respond, but it's not always easy to come up with an answer.

Thus we have ongoing jurisdictional confusion and gaps in responsibility when it comes to cyber defense.

"The categories we're used to don't really work with this kind of threat," observed Chertoff, who argued that it's misleading to talk about a single fix. He advised breaking cybersecurity down into discrete problems, like protecting the supply chain and securing the financial system, rather than searching for a monolithic solution.

Schneier questioned whether war is really the right metaphor for cyber conflicts, noting that as a society we're terrible at actually declaring war during an armed conflict but too quick to do so when it's not really a war, like the "war" on drugs.

The problem with relying on war as a metaphor is that cyber defense isn't always delivered in the context of a war. "Things you'd accept during a war you wouldn't accept from the police," he said.

The consensus seemed to be that cybersecurity will require high-level policy initiatives to establish norms for dealing with the spectrum of cyber incidents.

"We're at the brink of a cyberwar arms race because we're not dealing with this at a high enough level," said Schneier.

McConnell suggested such policies will be driven by disaster. "Look at history," he said. "We wait for a catastrophic event then overreact."

Alexander, during his speech, clearly had a more proactive solution in mind. In keeping with the remarks of William Lynn III, Deputy Secretary of Defense, who spoke on Tuesday at the security conference, Alexander pushed for partnerships, for private industry to work with the public sector to protect critical infrastructure and networks. And he called for better education, in terms of academics and public awareness.

"We need to create, with your help, a public demand for secure technology," he said.

If there were any security vendors in the audience opposed to the idea of creating demand for their products, they did not make their objections known.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1032
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in the Euroling SiteSeeker module 3.x before 3.4.5 for EPiServer allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party inf...

CVE-2012-1417
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.

CVE-2012-1506
Published: 2014-09-17
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from th...

CVE-2012-1507
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index...

CVE-2012-2583
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in Mini Mail Dashboard Widget plugin 1.42 for WordPress allows remote attackers to inject arbitrary web script or HTML via the body of an email.

Best of the Web
Dark Reading Radio