Digital Dependence: Cybersecurity in the 21St Century

Digital Dependence: Cybersecurity in the 21st Century

Melissa E. Hathaway Senior Advisor, Belfer Center for Science and International Affairs Harvard University Presented as part of Project Minerva 14 October 2010

Sunday, November 28, 2010 October 29, 1969: The First Transmission

❖ http://www.picsearch.com/info.cgi?q=1969%20Internet&id=PVUGViNVCGnNvPh-pX1_sm_AoVagXS4c9lomC0G41zY

Sunday, November 28, 2010 Timeline of Digital Dependence

1971—Creeper Worm demonstrates mobility and self- replicating 1978: TCP-IP Commitment 1979—Intel introduces programs on becomes to anonymity universally- 8088 CPU and ARPANet ushers in the new era and open 1974—Development of the accepted global of the microprocessor. systems Graphical User Interface standard to supply (GUI) at the Xerox Palo Alto network layer and Research Center (PARC) transport layer ARPANet 1972: File Transfer functionality 1981: IBM personal Transmisison and TCP (packet switch) computer

1969 1970 1972 1973 1974 1977 1978 1979 1981 1982

1973: Collaboration of ARPANet Virtual 1977: Emergence of 1982: AT&T Scientists Communication Smaller divestiture in with Europe Computers (Tandy return for and Apple 1979: First opportunity to Computers) commercially go into 1970—Intel introduces 1973: Motorola invented automated cellular computer ﬁrst 1k DRAM the ﬁrst cellular portable network (the 1G business generation) was launched chip. telephone to be 1977: Microsoft commercialized in Japan by Nippon Forms Telegraph Telephone

❖ http://books.google.com/books?id=a-YDAAAAMBAJ&pg=PA11&lpg=PA11&dq=computerized+detente+john +markoff&source=bl&ots=w2lZQuT6ro&sig=3M268mjIqFSq-HXLTFffD- NmYdk&hl=en&ei=AHq8S5iAA4aM8gTwrOn5Bw&sa=X&oi=book_result&ct=result&resnum=3&ved=0CAsQ6AEwAg#v=onepage&q=computerized%20detente %20john%20markoff&f=false

❖ Mobile platforms emerge with the birth of personal computer and cellular voice communications

❖ ARPANet enabled global data communications

❖ AT&T divestiture signaled ﬁrst market force tensions -- innovation at the expense of national security and the beginning of loss of interest in State inﬂuence of core infrastructure (control)

1983: DNS Registry lays foundation for expansion of Internet 1988: Digital (ensure interoperability) 1990: CERN Equipment Corp. develops HTML White Paper on code and software 1983: DoD Begins using Firewalls (world wide web is MilNet--mandates possible) TCP-IP for all 1985: Microsoft 1988: DoD Funds unclassified systems Windows; Utility Carnegie Mellon (ARPANet Continues for of Computer Easier Academic Community CERT-CC for Consumer under NSF leadership) IT Shifts Power; State begins to cede control to the 1983 1985 1988 1989 1983: Wargames Private Sector 1988: Internet Worm (Morris) 1983: First 1985: Generic Infection affects 10% Rise of Internet Innovation Virus Emerges top-level domains of the Internet’s (Risk/ were officially computers 1989: DoD Corporate Vulnerabilities) implemented Information Management (.com, .gov, (Disrupts Internet for Days) (CIM) Initiative to identify .mil, .edu) and implement 1983: Ameritech management efciencies in launches first 1G DoD information systems Cellular Network in (Foreshadow of COTs) Chicago

❖ World Wide Web enables expanded and user-friendly information sharing on the Internet

❖ DoD becomes the early adopter of the technology

❖ Private sector driving innovation and adoption with value proposition of productivity and eﬃciency and consumer usability of technology

❖ Foreshadow the potential for e-commerce with .com domain and emergence of world wide web

❖ First demonstration of vulnerability and exploitation possibilities and subsequent emergence of a new market (e.g., Firewall, anti-virus software, IDS and IPS)

Organized Electronic Crime Infrastructure Instant Messaging Emerges 1995: AOL Phishing Attacks for 1993: WWW with passwords and 1991: National Mosaic Browser -- Credit Card Academy of Sciences: Internet adoption Information Computers at Risk advances Report 1994: $10M Stolen 1993: MILNET from Citibank 1995: The Net becomes NIPRNET

1991 1992 1993 1994 1995

1992: OSD Issues 1991: First 1995: Evident Surprise Policy 1994: VCJCS Directs IW Wargame GSM network 3600.2 launches in Joint Warfare DEPSECDEF and IC Information Capability Assessment Agree to Coordinate IW Policy Finland giving Warfare way to 2G cellular Networks Government shifts to COTS 1994: Nokia proof -- send data over cell 1992: Sneakers phone (Wi-Fi possible)

1999: US Space Command 1996: ITU works on 1997: Framework for Assigned military Standard (H-323) for Voice Electronic Global Cyber Ofense-Defense over Internet Protocol Commerce (policy) Mission Responsibility (voice and data over single 1998: Internet Encourage Corporation of Assigned network reduces International infrastructure costs) Names and Numbers Net Centric Warfare Concept adoption of DNS (ICANN) Established emerges

1996: Defense Science Board Paper: 1997: Google 1998: PDD-63 Critical 1999: Melissa Virus Information Search Engine Infrastructure Sets Stage for Rapid Warfare -Defense invented Protection Policy Infections

1996 1997 1998 1999

1996: OSD Issues 1997: 802.11 Policy Shift Begins: 3600.1 International Trust Model breaking down 1999: In-Q-Tel Information Operations Standard agreed to established to Broadening the Deﬁnition (Wi-Fi global) help to Engage during Peace 1998: DoD creates Government 1997: Eligible Receiver Exercise JTF-CND to address innovate Focus DOD and IC on Vulnerabilities of Threats to DoD US Infrastructure & Foreign IO Programs networks 1996: US relaxes 1999: export controls on DCI agrees to use same 1997: President’s Commission on 1998: Solar Sunrise: encryption products deﬁnitions Critical Infrastructure Protection DoD penetrations to foster global Signing out DCID 7-3 electronic commerce (Nation is Vulnerable) realized

❖ Rapid infections on Internet realized; policymakers begin to discuss and write about problem

❖ Organized electronic crime infrastructure emerges--anonymity provides safe have for criminals-- e-commerce trust model begins to break down

❖ Data over wireless emerges as next market wave and voice over Internet presents a second market disruption to “traditional voice carriers”

❖ Relaxation of export controls (crypto) along with promotion of international adoption of DNS encourages the world to depend upon the Internet

❖ Need for “controls” on interoperability and stability of the Internet is recognized with establishment of ICANN

2001: Launch of ﬁrst pre- 2002: Department of Homeland commercial trial 3G Security Assumes Global Understanding of network (packet-switch) Critical Infrastructure Protection Critical Infrastructure by Nippon Telegraph Mission Vulnerability Telephone 2003: CA State Data Breach Law 2000: HTML businesses must report breach of PII accepted as 2001: DoD international Quadrennial 2002: Social Networking Standard ISO: 15445 Defense Review Technology takes oﬀ with 2003: Linked-In Renews Focus Friendster business application Y2K On Information of social networking Operations

2000 2001 2002 2003

2001: Wikipedia 2002: US Strategic created 2000: National Command Assigned 2003: DoD Academy of military Cyber Transformation Sciences: 2001: Council of Ofense-Defense Planning Guidance Trust in Europe, Cybercrime Mission formalizes Net Cyberspace Convention (Treaty) Responsibility Centric Warfare

2001: Nuclear Posture 2002: DOD 3600.1 policy is 2003: Beta version of 2000: DDOS Review calls for re-issued with new deﬁnition Skype released Attacks against replacement of Nuclear for Information Operations (voice over Internet e-commerce Weapons with Non- revolution) kinetic Weapons

❖ World wide recognition of convergence of Internet with critical infrastructures because of Y2K computer programming error and that problem cannot be solved without a private-public partnership

❖ International awareness on threat of cybercrime -- but not fully embraced

❖ 9/11/01 refocused mission toward physical security vice electronic security and blurred mission responsibility with stand-up of Department of Homeland Security

❖ Recognition that the government must embrace innovation wave

❖ Social Networking technology emerges with fast consumer adoption rates, foreshadows next “rich” target for exploitation

2005: Choice Point First Breach of 2007: USAF 2008: President announces Personal Identiﬁable Establishes a Cyber modernization program (Smart Information (PII) Command Grid, Next Gen FAA, Health- IT, Broadband to America) 2007: Comprehensive 2005: NERC National Cybersecurity Identity announces standards Initiative (CNCI) 2008: Theft Georgia-Russia for cybersecurity Regularly Conﬂict Occurring for reliability of 2007: TJ Maxx demonstrate cyber in 2008: bulk-power systems 2006: Breach warfare NMS for Operations RBS World Pay FacebookIn Cyberspace (exploit Wi-Fi) $9M stolen in 30 minutes, 49 cities

2004 2005 2006 2007 2008 2004: DoD IO 2008: 2006: 2007: Estonia DDOS Roadmap programs Cable cut(s) in Congressional highlights use of force more than $1B in Mediterranean: Testimony NSA (wartime applications with new funds to dramatically slow down outlines closer conscripted computers) normalize IO Internet and Egypt coordination affected badly (need for with DHS 2007: Joint Staff, resilience) 2004: EW Roadmap to (NTOC) National Military focus DOD’s efforts to 2006: Hengchun Strategy for provide electronic attack Earthquake Cyberspace Operations 2008: Conficker Worm options (Taiwan) afects requires unprecedented undersea cables International and Internet for 49 2007: Live Free or Die Hard Cooperation & Operational days Response

❖ Doctrine and rhetoric publicly address use of Internet for oﬀensive means; Estonia and Georgia events demonstrate ﬁrst use of Internet as a means for warfare

❖ Recognition that other key infrastructures (power) are now more vulnerable due to dependence on Internet infrastructure

❖ Conﬁcker Worm highlights need for international cooperation and necessity of private sector information sharing

❖ CNCI policy illuminates need for stronger defensive posture and cooperation, cross-cueing, and leverage of mission authorities (Title: 6, 10, 18, 32, 44, 50)

❖ Cybercrime and cyber espionage can no longer be ignored

❖ Cable cut(s) in the Mediterranean demonstrates importance of undersea cables and resilience

May 2010: NATO Strategic Concept 2009: Heartland Review highlights Cyber Payments Breach Move to Cloud April 2010: UK Data Computing: Efciency (Payment Card Protection Law: 500K and Cost Savings Industry) Sterling Fine for lost protected data October 2010: 2009: Cyberspace Policy NATO Declares Cyber Review: Cyber is Economic 2009: Operation April 2010: Court Rules in Defense a Priority and National Security Aurora coordinated Favor of Comcast; Net Priority attack on many high Neutrality debate heats up proﬁle companies on Internet regulation targeting their intellectual property Market 2009 2010 Shift Advanced Persistent Threat January 2010: Intel Stuxnet Proliferation of Corporation SEC Handheld wireless 2009: National Research Filing (Risk Factor) devices (Mobility) Council Report: Cyber Attack Capabilities January 2010: TX Bank sues May 2010: Stand-up of US Customer over Cyber Command 2009: 4G ofered via Cyber-Theft WiMAX standard (Sprint); speed improvement of 10 2010: Smokescreen on-line fold virtual reality game guides teenagers through dangers of social networking

❖ Google incident -- tipping point in US policy and serves as catalyst for corporate awareness

❖ Cybercrime and cyber espionage are aﬀecting bottom line and risk factors of major corporations

❖ Legislation and regulation are emerging as mechanisms to assert “control”, manage risk and build security back into the infrastructure

❖ Nations realize lack of resilience is national and economic security risk

❖ Stuxnet targets control system (product) functionality, putting critical infrastructures at risk around the world

❖ Government intervention has become more pronounced and pervasive – and censorship and surveillance practices are on the rise

Source: http://www.nixoncenter.org/publications/Perspectives/Cohenvol.3_8.htm

❖ Begin an honest conversation about what is happening in the United States to our long- term strategic posture (denial will not lead to recovery)

❖ Reconcile the tension between economic recovery and national security needs

❖ Retard the quick-to-adopt movement of all critical infrastructures to rely on Internet based protocols and technology

❖ Enlist and incentivize the private sector to understand and address the vulnerabilities and innovate our way through a solution

❖ Engage Congress to clarify and legislate new authorities

❖ Review regulatory authorities (FCC, FTC, SEC, FERC) and demand coordination across Internet jurisdictional overlap; Legislation has not kept pace with technology, making regulation diﬃcult

❖ State US policy of what is tolerable (crime, espionage, and armed aggression) and impose costs if threshold is crossed