Carnegie Mellon CyLab 4720 FORBES AVENUE CIC BUILDING PITTSBURGH, PA 15213 PH: 412.268.1870 FX: 412.268.7675 www.cylab.cmu.edu

Cyber Security in the Three Times: Past, Present & Future

CERT 20th Anniversary Seminar Series, Pittsburgh, Pennsylvania, 7/22/08

Cyber Security in the Three Times: Agenda
• Speaker’s Bio
• CyLab’s Mission
• Global Economy & Cyberspace
• Glimpses Into the 21st Century Threat Matrix
• Cyber Risks Timeline
• Elements of A Holistic Program
• Ruminations & Conclusions

Richard Power, Carnegie Mellon CyLab 2008

Harnessing the Future to Secure the Present

Richard Power
• CyLab Distinguished
• Director of Global Security Intelligence for Deloitte Touche Tohmatsu (2002-2005)
• Editorial Director for Institute (1994-2002)
• Author of Five Books, Including
– Secrets Stolen/Fortunes Lost: Preventing Intellectual Property Theft & Economic Espionage in the 21st Century (w/ Christopher Burgess)
– Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace
• Author of War & Peace in Cyberspace, monthly column for Computer Fraud and Security Journal (w/ Dario Forte)

CyLab’s Mission

CyLab is …
• A bold and visionary effort, which establishes public-private partnerships to develop new technologies for measurable, available, secure, trustworthy, and sustainable computing and communications systems as well as to educate individuals at all levels.
• A dynamic matrix, in which great works are accomplished, great minds come together, and great careers are launched.
• A vital resource for government and business to draw on in addressing cyber risks that threaten national and economic security.
• A world leader in both technological research and the education of information assurance professionals, CyLab harnesses the future to secure the present.

Harnessing the Future to Secure the Present

One of the world’s premier centers for cyber security, dependability and privacy
• Largest U.S. university-based cyber security research & education program
– Faculty and researchers from six colleges of Carnegie Mellon
– 50+ faculty/researchers and 130+ graduate students
• Funded by private and public funds
– Budget of approximately $12M in fiscal year 2007
– Supported by 50 member private companies and government research funds
• Global educational partnerships & initiatives: e.g., Taiwan, India, Portugal, Singapore, Greece, Japan, etc.

Unique comprehensive approach
• Multi-disciplinary, university-wide
• Computer Emergency Response Team (CERT)
• National Science Foundation (NSF) CyberTrust Center
• Key partner in NSF-funded Center for Team Research in Ubiquitous Secure Technology
• National Security Administration (NSA) Center of Academic Excellence in Information Assurance Education

Benefits of CyLab Partners Program

The Four R’s of CyLab Partner Program Benefits --
• Research – Leverage CyLab researchers and facilities for your R&D
• Recruitment – Get inside track on hiring CyLab graduates to build your technology team
• Reputation – Embellish your image by association with leading research center
• Return on Investment – Cost-savings & boost in reputation translate into immediate ROI

The Web of Life

“All things are connected like the blood that unites us all. Man did not weave the Web of Life, he is merely a strand in it. Whatever he does to the Web he does to himself.”

Chief Seattle, 1854


Growth of the Global Economy: Everyone & Everything Everywhere is Connected …

2001: 34 nations sign “Free Trade Americas” pact for massive free-trade zone of 800 million people from Alaska to Argentina.
1999: Euro, a common currency for 11 European nations. “Biggest economic event we’ll see in our lifetime.”
1998: Asian economic crisis impacts the world.
1995: General Agreement on Tariffs and Trade (GATT) signed.
1994: North American Free Trade Agreement (NAFTA) signed.
1992: Treaty on European Union (EU) signed.
1989-1991: Collapse of Soviet Union, German reunification.

Growth of Cyberspace: Everyone & Everything Everywhere is Connected …

• Radio -- 35 Years to Reach 50 Million People
• TV -- 15 Years to Reach 50 Million People
• WWW -- 5 Years to Reach 50 Million People

As They Evolve, They Increasingly Interpenetrate

[Diagram: two circles labelled Global Economy and Cyberspace, drawn for the 1980s, the 1990s and the 21st Century, overlapping more in each period]

(Secrets Stolen/Fortunes Lost, Synergy Press, 2008)

In 21st Century, They Occupy Same Space & Share Risk

[Diagram: the same circles for the 1980s, the 1990s and the 21st Century, with the risks Competitors, Hackers, Espionage and Data Theft labelled; by the 21st Century Global Economy and Cyberspace occupy the same space]

Yoga of the Three Times

In the 8th Century, this teaching was written down by Yeshe Tsogyal, Tibetan yogini and consort of the great sage, Padma Sambhava; it was then “hidden away amidst a cache of precious things” to be read by seekers of the future –
• The yoga of the past not being practiced, memory of the past remains latent.
• The Future, not being welcomed, is completely severed by the mind from the present.
• The Present not being fixable remains in the state of voidness

(Tibetan Book of the Great Liberation, Ed. & Trans. by W.Y. Evans-Wentz, Oxford University, 1954)

Glimpses into the 21st Century Threat Matrix

On the dark side of cyberspace -- a rapidly expanding spectrum of risks & threats, ever-evolving in sophistication …

• Every technological advance for mobile workers offers new opportunities for cyber criminals and industrial spies
• Rise of organized crime in Eastern Europe was predicted 14 years ago, and yet, it has grown powerful & pervasive
• Not just petty crime, recent headlines highlight attacks on national security, financial markets & power grids
• Meanwhile, perennial threats, like the disgruntled or dishonest insider, continue unabated

Glimpses into the 21st Century Threat Matrix

A random sampling from 30 days of newspaper headlines underscores the scope of the challenge
• Bank: Rogue trader hacked computers (CNN, 1-27-08)
• Hackers darken cities, CIA says (Security Focus, 1-21-08)
• China has penetrated key U.S. databases (SC Magazine, 1-18-08)
• Wi-fi users, beware: Hot spots are weak spots (Wall Street Journal, 1-16-08)
• New mass hack strikes sites, confounds researchers (Computerworld, 1-14-08)
• Former Cox employee who shut down 911 gets jail time (SC Magazine, 1-11-08)
• Former New Jersey system administrator gets 30 months in prison for ‘logic bomb’ (SC Magazine, 1-9-08)
• Engineer: I stole IDs from hotel computers (Miami Herald, 1-9-08)
• Mass hack infects tens of thousands of sites (Computerworld, 1-7-08)
• FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack (Wired, 1-4-08)
• eBay goes far to fight fraud – all the way to Romania (L.A. Times, 12-26-07)
• Pune woman $12mn cyber theft (DNA, 12-28-07)

Glimpses into the 21st Century Threat Matrix

Another random sampling from recent newspaper headlines underscores the scope of the challenge
• Crimeware server exposes breadth of data theft (GCN, 5-6-08)
• Hackers' posts on epilepsy forum cause migraines, seizures (SMH, 5-8-08)
• Hacktivists collect fingerprint of fingerprint collector (Register, 3-30-08)
• Hackers Hijack a Half-million Sites In Latest Attack (Computerworld, 5-13-08)
• FBI Worried as DoD Sold … [remainder of headline illegible in the extraction] (CSO)
• Rare SCADA vulnerability discovered (SC Magazine, 5-9-08)
• Technology, media firms overconfident, unprepared for breaches: Deloitte survey (SC Magazine, 2-7-08)
• Hackers Focus on VoIP Accounts (WebPro News, 5-12-08)
• Hackers May Have Stolen Millions of Cards (Newsday, 5-15-08)
• Hackers catch ride on Grand Theft Auto IV downloaders (Computer Weekly, 5-15-08)
• Russia’s state hackers target Radio Free Europe in Prague (Sunday Herald, 5-10-08)

Glimpses into the 21st Century Threat Matrix

A random sampling from 30 days of newspaper headlines underscores the scope of the challenge
• Spam Blockers Losing Ground on Sophisticated Attackers (6-08)
• Software Engineer First to be Sentenced Under Economic Espionage Act (6-18-08)
• Citibank Server Breach Likely Source of Compromised ATM Cards (6-18-08)
• Stolen Computer Holds Outsourced Human Resources Data (6-23-08)
• Marshall Islands hit by 'zombie' attack (6-25-08)
• Former Employee Allegedly Deleted Organ Bank Data (6-26-8)
• More Than 630,000 Laptops Lost at Airports Each Year (6-30-08)
• S.F. officials locked out of computer network (7-15-08)
• New trojan in the wild targeting multimedia files (SC Magazine, 7-14-08)
• Hackers break 3G iPhone lock (7-13-08)
• Hackers Steal Millions From 7-Eleven ATM (AP, 7-3-08)

Glimpses into the 21st Century Threat Matrix

Trends for 2008-2009 (it’s only going to get worse) --
• Increased professionalism and commercialization of malicious activities
• Threats tailored for specific regions; increasing numbers of multi-staged attacks
• Attackers targeting victims by first exploiting trusted entities
• Convergence of attack methods
• Automated evasion process
• Advanced Web threats – laundering origins through the Web
• Diversification of bot usage
(Symantec Threat Report 2007)

Glimpses into the 21st Century Threat Matrix

Trends for 2008-2009 (it’s only going to get worse) --
• Ratio of non-malicious to malicious software reaching tipping point: levels of malicious code & unwanted programs will exceed number of legitimate software; security techniques will switch from blacklisting to whitelisting
• Forty-three percent of enterprises have little or no measures in place to address permissions or restrictions on removable media, less than 17% have related end-point security measures; attackers may introduce malicious code at one point or another during manufacture or distribution
• More advanced botnet threats that employ stealth methods such as steganography, allowing bot masters to exploit public forums and search engines
• As US national elections draw near, an increase in phishing, scams and malicious code targeting candidates, campaigns, etc.
(Symantec Internet Threat Report 2008)

Cyber Risks Timeline: 1996 US Senate Permanent Investigations Subcommittee Hearings on “Security In Cyberspace”

• Senator Sam Nunn (D-GA) presiding
• Witnesses included
– Keith Rhodes (GAO)
– Jim Christy (DoD)
– Peter Neumann (SRI)
– John Deutch (CIA)
– Roger Molander (RAND)
– Jamie Gorelick (DoJ)
– Richard Pethia (CERT)
– Senator Patrick Leahy (D-VT)
– Senator John Kyl (R-AZ)
– Richard Power (CSI)

“Human beings are building systems, deploying them and breaking into them. So it is human beings that we have to reach in terms of training, awareness, and understanding their responsibility, not only to their corporations, or to their own job security, but to their country, and to the world.” – Testimony of Richard Power

Cyber Risks Timeline: 1995-2002

CSI/FBI Computer Crime & Security Survey
• Intent
– To Raise Awareness
– Encourage Reporting of Cyber Crimes to Law Enforcement
– Inspire In-Depth Research
• Methodology
– Non-Scientific
• Trends
– External Attacks on the Rise
– Perpetrators Not Only Insiders or Juveniles
– Significant Financial Losses

Internet As Frequent Point of Attack: 1996-2002

[Bar chart: % of Respondents by year, 1996-2002, for three categories of attack point: Internal Systems, Remote Dial-In, Internet; individual bar values range from 12% to 74%]

Respondents per survey year:
2002: 414 Respondents/82%
2001: 384 Respondents/72%
2000: 443 Respondents/68%
1999: 324 Respondents/62%
1998: 279 Respondents/54%
1997: 391 Respondents/69%
1996: 174 Respondents/40%

CSI/FBI 2002 Computer Crime and Security Survey. Source: Computer Security Institute

Financial Losses Summary: 1997-2002

Total dollar losses:
1997: 249 respondents, US$100,119,555
1998: 241 respondents, US$136,822,000
1999: 163 respondents, US$123,779,000
2000: 273 respondents, US$265,589,940
2001: 196 respondents, US$377,828,700
2002: 223 respondents, US$455,848,000

Grand total: US$1,459,755,245

False Notions about Cyber Crime & Cyber Security

• Cyber crime costs are exaggerated -- WRONG
• Cyber crime is a rare occurrence -- WRONG
• Insiders 80% of problem, outsiders are only 20% -- WRONG
• Problem is mostly juvenile hackers -- WRONG
• Economic espionage is done almost exclusively by the turning of insiders -- WRONG
• Security technology = security -- WRONG
• Security policies & awareness posters = security -- WRONG
• Budget $$$ = security -- WRONG
• Security technology, policies, awareness posters & budget $$$ = security -- WRONG

Cyber Risks Timeline

In the late 1990s, “Current & Future Danger: A Primer on Cyber Crime & Information Warfare” Articulated Four Areas of Greatest Concern. They are Still the Four Areas of Greatest Concern:
• Electronic Commerce Crime
• Economic Espionage
• Infrastructure Attacks
• Personal Cyber Insecurity

9/11: Lessons Learned? Those Who Cannot Remember the Past are Condemned to Repeat It

• False Meme: “The World Changed on 9/11.”
– Some people simply woke up to the reality of the world in which we lived on 9/10
• False Meme: “9/11 was the Result of Intelligence Failures.”
– Plenty of pre-9/11 intelligence, but what happened to it?
• Fear is Not Awareness
– Missed opportunity to raise awareness and education not only for the US populace, but the world …

Richard Power/Dario Forte, Computer Fraud & Security Journal (2006)

Cyber Risks Timeline: From Salgado in 1997 to TJX in 2006 …
• Carlos Salgado (1997)
– 86,326 credit cards from 1,214 institutions
– Based on average credit card fraud losses—e.g., $1,836 for fraudulent credit application—potential impact could have been $1 billion
– Cost of card reissue alone: $125 per card, $10,780,750
• TJ Maxx (2007)
– A hacker or hackers stole data from at least 45.7 million credit and debit cards of shoppers at off-price retailers including T.J. Maxx and Marshalls in a case believed to be the largest such breach of consumer information. (MSNBC, 3-30-07)

Cyber Risks Timeline: Blacknet was a hoax, but Phonemasters wasn’t…
• Accessed telephone networks of AT&T, British Telecommunications, GTE, MCI, Southwestern Bell and Sprint
• Broke into credit-reporting databases of Equifax and TRW, and Nexis/Lexis databases
• Eavesdropped on phone conversations, compromised secure databases and redirected communications
• Accessed national power grid, air traffic control system and a digital cache of unpublished phone numbers at the White House
• Customers included private investigators, so-called ‘information brokers,’ and by way of middlemen, the Sicilian Mafia
• Price list included personal credit reports for $75; state motor vehicle records, $25; records from the FBI’s Crime Information Center, $100; address or phone number of any celebrity or important person, $500.

Cyber Risks Timeline: The Scope of Eastern European & Asian

• “The chain of command of a cybercrime gang is not unlike the Mafia, an evolution that shows how online crime is becoming a broad, well-organized endeavor.” (IDG, 7-15-08)
• “Moroccan and European intelligence authorities continue to identify significant links between eCrime targeting Western financial institutions and active terrorist cells in Morocco.” (ISIGHT Partners, 5-20-08)
• “Likely that the use of Russian and Eastern European ‘botnet’ (large quantities of malware-infected computers) for political purposes will increase, due to their low cost, the difficulty in tracing their owners …” (ISN, 3-15-08)
• “The notorious [RBN] has suddenly picked up from its St. Petersburg digs and diversified, spreading its unwholesome activity to new chunks of IP addresses, with RBN-like activity almost immediately appearing on newly registered blocks of Chinese and Taiwanese IP addresses …” (e-Week, 11-8-07)
• “The FBI estimates all types of computer crime in the U.S. costs industry about $400 billion… A growing worry is that cybercrooks could target emergency services for extortion purposes…” (Reuters, 9-15-06)
• “The number of people engaged in cyber crime as a full-time ‘profession’ in Eastern Europe and, especially, in Asia is skyrocketing.” (SANS, 8-14-06)

Warnings Unheeded, Lessons Unlearned

A Decade Passed Between Salgado’s Almost Completely Ignored Cyber Caper & the TJ Maxx Blockbuster;

Over A Decade has Passed Since the First Warnings of the Rise of Eastern European Organized Cyber Crime …


Here are Some Important Questions –

What Could Governments & Businesses Have Done?
What Should Governments & Business Have Done?
What Next Generation Risks & Threats Are We Ignoring Now?

Personal Cyber Insecurity

Wireless, Broadband, etc. Turn Home PCs into Both Targets & Bases
• Identity theft
• Financial fraud
• Cyber vandalism
• Cyber stalking
• Cyber voyeurism
• Recon for physical theft
• Recon for physical violence
• Character assassination
• Intel gathering for blackmail
• Intel gathering for social engineering attacks
• “John Deutch” factor

In 20th Century, Privacy was Something You Had to Protect… In the 21st Century, Privacy is Something You Have to Create

Cyber Risks Timeline: Ten Years in the Wilderness – A Decade After Nunn Hearings
• Bad Software (Microsoft is Not “the Evil Empire” But…)
– 2006: Bill Gates -- Man of The Year (Again)
• “Microsoft perceives its customers to be developers, Apple perceives its customers to be end users”
• Only one US corporation that existed in 1900 still existed in 2000 (GE), but in 3000, there will be two (GE & Microsoft)
• Bill Gates belongs on TIME cover for his humanitarian efforts
• Bill Gates does not belong keynoting RSA Conference -- three years in a row
– 2003: CTO Loses Job for Blast at Microsoft
• Dan Geer, CTO for @Stake (which consults for Microsoft), fired for report calling Windows a national cyber security threat
• Signed by seven researchers, report said dominance of Microsoft software on PCs has made networks susceptible to "massive, cascading failures," & that the complexity of the software made it particularly vulnerable to virus & other attacks

Cyber Risks Timeline: Ten Years in the Wilderness – A Decade After Nunn Hearings
• Lack of Progress and/or Continuity in Government
– “Last year CSIA encouraged Congress & the Administration to raise the profile of information security; improve information sharing, threat analysis, & contingency planning; & to prioritize & fund research & development….Unfortunately there is no forward momentum or clear set of priorities for action in 2006.” (CSIA, 2006)
– “For Chertoff to create a high-level cybersecurity position but neglect to fill that position after a year indicates that the Bush administration places a higher value on physical security than it does on the nation's information infrastructure. Meanwhile, the country lacks a leader with the clout to coordinate communications in the event of a massive IT disruption.” (Information Week, 7-06)
– “The Homeland Security Department is not ready for a cyberattack or a natural disaster that causes a major Internet disruption, according to a Government Accountability Report released today.” (FCW, 7-28-06)

One Step Forward, Two Steps Back or …

Five Expert Views
– Becky Bace (Infidel/Trident)
– Rik Farrow (www.spirit.com)
– Justin Peltier (Peltier Associates)
– Keith Rhodes (US GAO)
– Gene Spafford (CERIAS)

In general, in terms of cyber security and cyber crime, would you say one step forward two steps back or two steps forward one step back? Or would you characterize it some other way?


Becky Bace, Infidel/Trident

“…seriously behind the power curve….cybersecurity and cybercrime suffer from the ‘one generation trailing’ problem - by definition, both are reactive disciplines, especially in the commercial arena - funding is applied to the problem only after someone has divined that there is a problem…

Another aspect that is frustrating to me personally is the lack of attention paid to security education. I can't think of any area that has more strategic impact on our industrial base and national security, yet public funding is consistently underbudgeted, mistargeted and misspent.”


Rik Farrow, www.spirit.com

“Have there been any steps forward at all? Identity theft is still on the rise, a large part of it due to identity info stolen via keystroke monitors or phishing/scam sites. This information is traded in large online bazaars, and it appears that law enforcement is doing little to stop this…. Has software security gotten any better? Nope….

Things have not gotten better. Instead, we continue to see a bandaid style approach – ‘Here, let me sell you our anti-virus/anti-spyware/compliance-monitoring/firewall/NIPS/HIPS’…”


Justin Peltier, Peltier Associates

“One forward and two back…. Too many security technologies are entrenched in the corporate environment and not enough innovation is taking place. Most organizations are rolling out the same technologies that have failed time and time again, while the attackers are gaining complexity and new attacks at an almost monthly basis.

As long as security is mostly defined by one large enterprise firewall and a poorly configured IDS/IPS system, the attackers will still have an edge.”


Keith Rhodes, formerly US GAO, now Verizon

“While our attack morphologies are getting much better (one step forward) the attack vectors are increasing in number and speed due to everyone having high speed internet access from their home (one step back) and due to the code getting buggier and buggier (one step back).

So, if my math is correct, that's one step forward, two steps back.”

Gene Spafford, CERIAS

“It's almost like we are making no steps.

We have kept adding new technologies that are dangerous, seen our decision-makers choosing the path of least cost but significant danger, and they have consistently applied band-aids for the most current threat but failed to heed long-term advice, or provide investment for research to really break out of the rut they have gotten into.

Overall, I'm not very optimistic about the future.”

Beginner’s Mind

• “In the beginner’s mind there are many possibilities, but in the expert’s there are few.”
• “The goal is always to keep our beginner’s mind.”
• “If you discriminate too much, you limit yourself.”
• “If your mind is empty, it is already ready for anything; it is open to everything.”
• “This is the real secret of the arts: always be a beginner.”
Shunryu Suzuki-Roshi

Information Operations: Goals of Information Operations

• “The objective for all IO is to dominate the information battlefield by attacking the enemy’s information resources and decision-making capabilities while protecting your own resources and capabilities from all adversaries.
• “In other words, IO has two very simple goals:
– Goal #1: Optimize the decision making of the friendly guys
– Goal #2: Degrade the decision making of the bad guys
– That’s IO in a nutshell.”
Col. Lawrence D. Dietz, US Army (Retired)

Infrastructure Attacks: What & How

Mostly Privately Owned, Relied On for Public Good…
• Information & Communications: Phones, Internet
• Physical Distribution: Air traffic, rail, pipelines
• Energy: Gas, oil, electric power industries
• Banking & Finance: Banks, financial services, mutual funds, stock & commodities exchanges
• Vital Human Services: Water supply, emergency services, vital records

The Same Skills, Exploits, Modus Operandi & Opportunities as Are Seized by Common Cyber Criminals (including badly designed software & lack of preparedness in government & business) -- Only Better Financed, Better Equipped, and Operating With Relative Impunity

Glimpses into the 21st Century Threat Matrix

Imagine if…
• On 9/11, the last image people saw on their TVs was the WTC collapsing and then the phones went dead and the power grid failed

Imagine if…
• On 9/11, after the initial attacks, as all flights were grounded, those planes still in the air could not land because of a series of attacks on the air traffic control system

Al-Qaeda Targeted Infrastructure

“Routed thru switches in Saudi Arabia, Indonesia and Pakistan …”

“Studied emergency telephone systems, electrical generation and transmission, water storage and distribution, nuclear power plants and gas facilities.

“Some probes suggested planning for a conventional attack. But others homed in on a class of digital devices that allow remote control of services such as fire dispatch and of equipment such as pipelines.

“More information about those devices -- and how to program them -- turned up on al Qaeda computers seized this year.

“Most significantly, perhaps, U.S. investigators have found evidence in the logs that mark a browser's path through the Internet that al Qaeda operators spent time on sites that offer software and programming instructions for the digital switches that run power, water, transport and communications grids.” (Washington Post, 6-26-02)

Lebanon 2006

“What Hezbollah did was to monitor our radio and immediately send it to their Al-Manar TV, which broadcast it almost live, long before the official Israeli radio.”

Hezbollah appears to have divided a three mile-wide strip along the Israeli-Lebanese border into numerous “killing boxes”. Each box was protected in classic guerrilla fashion with booby-traps, land mines, and even CCTV cameras to watch every step of the advancing Israeli army. (London Times, 8-27-06)

Israel…hacked into the television station of Hezbollah, emblazoning images on the screen showing pictures of corpses and claiming the Shiite militant group's leader Hassan Nasrallah was a liar….Israel also hacked into the FM radio stations and instead of normal programs a two-minute recording was repeatedly broadcast… (Agence France-Presse, 8-2-06)

Hezbollah monitors Israeli and international television news footage of scenes from rocket landings inside Israel and has used the broadcasts the past few weeks to more accurately target installations in the Jewish state… (World Net Daily, 8-14-06)

Glimpses into the 21st Century Threat Matrix

Who & Why: Usual (& Unusual) Suspects?
• Jihadists – Economic & Psychological Blow
• Nation States (Hegemons & Rogues) – Distract & Debilitate Adversary
• Bizarro World (Cults & Loners) – Hasten Apocalypse, Tear Down Social Order
• Criminal Elements – Extortion, Reprisal
• Corporate and/or Internal Political Enemies – Foil Competitors, Subvert Democratic Institutions

Truth is Stranger Than Fiction

1984: “Shoko Asahara had a one-room yoga school, a handful of devotees, and a dream: world domination. A decade later, Aum Supreme Truth boasted 40,000 followers in six countries and a worldwide network ...” (David E. Kaplan, Cult At The End of the World)

1995: Aum Shinrikyo (Supreme Truth) cult carried six packages onto Tokyo subway trains … releasing deadly Sarin gas killing 12 persons and injuring more than 5,000. … first major attack using chemical weapons by a terrorist organisation … (History of War)

2000: Japan’s Defense Agency delayed deployment of a new computer system after discovering that it used software developed by members of Aum Shinri Kyo. The Defense Agency was only one of 90 government organizations and private companies that unknowingly ordered software produced by the cult. (BBC, 3-1-00)

2006: Japanese security officers raided 25 offices of the doomsday cult … after its founder lost a last appeal against his death sentence. (The Australian, 9-16-06)

Truth is Stranger Than Fiction

Theodore John Kaczynski, a.k.a. the Unabomber, mathematician, genius, loner and Luddite

1978 – 1995: 15 bombings throughout the USA, killing 3 and wounding 23

4-24-95: New York Times receives a letter from the Unabomber, promising to stop sending bombs if a 29,000- to 37,000-word article written by the group is printed

9-19-95: Washington Post prints the Unabomber's 'manifesto' in an eight-page supplement

4-3-96: Kaczynski, living as a recluse in a one-room cabin, turned in by his brother who thought Kaczynski's writings bore a striking resemblance to the Unabomber's manifesto

Could the First Cyber War Be Domestic?

Avi Rubin:

"There are many things that we teach in Security 101 that were not understood by the developers of these machines…Within an hour of looking at the source code in the Diebold machines, we knew we were looking at very bad code…”

(CBS, 1-3-03)

Could the First Cyber War Be Domestic?

Examples of problems reported by GAO include…
• Computer systems that fail to encrypt data files containing cast votes, allowing them to be viewed or modified without detection by internal auditing systems;
• Systems that could allow individuals to alter ballot definition files so that votes cast for one candidate are counted for another;
• Weak controls that allowed the alteration of memory cards used in optical scan machines, potentially impacting election results.
(US GAO, 10-05)

Three fundamental points emerge from the NYU threat analysis…
• All three voting systems have significant security and reliability vulnerabilities, which pose a real danger to the integrity of national, state, and local elections.
• The most troubling vulnerabilities of each system can be substantially remedied if proper countermeasures are implemented at the state and local level.
• Few jurisdictions have implemented any of the key countermeasures that could make the least difficult attacks against voting systems much more difficult to execute successfully.
(Brennan Center, NYU, 6-06)

Hegemon

Consider the implications of these three news stories …
• China Economy to Overtake U.S. by 2035, Research Institute Says (Bloomberg, 7-9-08)
• The 1.4 Trillion Dollar Question – “… the vast trade surplus—$1.4 trillion and counting, going up by about $1 billion per day—that the Chinese government has mostly parked in U.S. Treasury notes…” (Atlantic Monthly, Jan-Feb. ’08)
• China Corners Market in a High-Tech Necessity – China supplies about 95 percent of world's consumption of “rare earths” (IHT, 1-22-06)

Richard Power, Carnegie Mellon CyLab 2008 52

Hegemon

In relation to these three news stories …
• More Congressional Computers Hacked from China (The Hill, 6-21-08)
• China Emerges As Leader in Cyberwarfare – Accused of Hacking Pentagon & Both British & German Governments (CSM, 9-14-07)
• Almost Half of Malicious Sites Tied to 10 Networks – 6 of 10 Are Based in China (The Register, 6-24-08)

Richard Power, Carnegie Mellon CyLab 2008 53

Hegemon

19th Century Empire was built largely on Sea Power.
20th Century Empire was built largely on Air Power.
… Will 21st Century Empire be won with Cyber Power?

Richard Power, Carnegie Mellon CyLab 2008 54

Corporate Competitors

Recent High-Profile Stories Hint at Corporate Cyber War:
• Haephrati: Top Israeli blue chip companies, including a high-tech giant that trades in New York, are suspected of using illicit surveillance software to steal information from their rivals and enemies. The list of victims is equally impressive… (MSNBC, Associated Press, 6-1-05)
• HP: With Hewlett-Packard insiders and contractors facing fraud and conspiracy charges, a spotlight is being shone on the shady world of corporate intelligence. … a boardroom leak investigation that involved spying, accessing phone and fax records using false pretenses, and running a sting operation on a reporter, former HP chairwoman Patricia Dunn and four others were charged last week with fraud and conspiracy. (Information Week, 10-9-06)

Richard Power, Carnegie Mellon CyLab 2008 55

Secrets Stolen/Fortunes Lost

Secrets Stolen/Fortunes Lost: Preventing Intellectual Property Theft & Economic Espionage in the 21st Century
• Synergy Press (Elsevier)
• ISBN 978-1-59749-255-3

My Co-Author: Christopher Burgess
• Senior Security Advisor, Cisco Systems
• Thirty years as a Covert Officer in the CIA
• Served as Senior Operations Officer and Chief of Station
• Awarded Distinguished Career Intelligence Medal

Secrets Stolen/Fortunes Lost, Synergy Press, 2008 56

Secrets Stolen/Fortunes Lost

The Challenge
• Insiders & Competitors – The Two Most Tangible, Most Common & Most Destructive Threats
• State Entities – The Most Sophisticated & Most Formidable Threat
• Counterfeiters, Pirates & Criminals – The Most Insidious & Most Pervasive Threat

The Strategy
• Elements of A Holistic Approach
• How to Sell Your Program

Secrets Stolen/Fortunes Lost, Synergy Press, 2008 57

Secrets Stolen/Fortunes Lost

Industrial Age Motives w/ Information Age Methods --

• "Michael Haephrati, a software developer, created a clever managed service whereby he would provide custom Trojan software to these private investigators who would then use social engineering techniques to get the targets to install the Trojan on internal systems. For a $2,000 fee Haephrati would host any stolen documents and key stroke logs on servers in Germany and the UK.
• "The police discovered the scheme when Haephrati's first wife took her computer in to them under suspicion of it being infected. Sure enough, it was, and the Israeli police tracked down the hosting servers and discovered thousands of documents from dozens of Israeli companies stored there.

Secrets Stolen/Fortunes Lost, Synergy Press, 2008 58

Secrets Stolen/Fortunes Lost

Using Trojan Horses Instead of Turning Insiders --

• "After three years four of the PIs that used Michael Haephrati's Trojan software to gather competitive intelligence for their clients have finally been sentenced.
• "Eventually Haephrati and his current wife were extradited from England and supposedly sentenced to jail terms. … [Haephrati] claimed that there was no jail time, and that he was completely free. As a matter of fact he was going to continue to offer his Trojan Horse service but this time he would only work with 'law enforcement agencies.'
• "What about the executives at Bezeq, Tami4, Pelephone, Cellcom, and the other companies that hired Private Investigators to engage in these activities?" (Network World, 4-30-08)

Secrets Stolen/Fortunes Lost, Synergy Press, 2008 59

Elements of Security Mitigate Risks & Threats

[Diagram: within the "Scope of Risks & Threats", three separate elements – Information Security, Personnel Security, Physical Security]

Secrets Stolen/Fortunes Lost, Synergy Press, 2008 60

When Integrated, They Further Mitigate Risks & Threats

[Diagram: within the "Scope of Risks & Threats", three overlapping elements – Personnel Security, Physical Security, Cyber Security]

Secrets Stolen/Fortunes Lost, Synergy Press, 2008 61

Awareness & Intel Optimize Mitigating Factors

[Diagram: within the "Scope of Risks & Threats", the overlapping elements Personnel Security, Physical Security and Cyber Security, surrounded by Awareness & Education and Intel]

Secrets Stolen/Fortunes Lost, Synergy Press, 2008 62

Awareness & Education: Model for Global Program

• Specifications:
  – Adaptable to All Industries & Sectors
  – Multi-Cultural, Multi-Lingual
  – Delivery System & Format for Guidance on All Aspects of an Organization's Security: Personnel, Physical, Cyber, etc.
• Goals:
  – Economic
  – Efficient
  – Effective
• Five Subject Areas:
  – Cyber Security
  – Information Age Espionage
  – Cyber Crime
  – Emergency Preparedness & Response
  – Personnel Security
  – Physical Security
• Four Target Groups:
  – Total Workforce
  – IT Professionals
  – Human Resources & Operations
  – Executives & Support Staff

Richard Power, Carnegie Mellon CyLab 2008 63

Awareness & Education: Model for Global Program

• Practical Message for Entire Workforce
  – Practical Help for Both Work & Home Life
  – Monthly E-mail Newsletter
  – New Hire Orientation Presentation
  – E-Learning Module
  – Annual Global Security Day
  – Translated into Local Languages
• Intensive Technical Training for IT Professionals
  – Quarterly
  – Regional
  – Expert Instructors from Outside
  – Attacks & Countermeasures
  – Incident Response, IDS, etc.
  – Certification Training

Richard Power, Carnegie Mellon CyLab 2008 64

Awareness & Education: Model for A Global Program

• Intensive Training for Human Resources & Operations Professionals
  – Quarterly
  – Regional
  – Expert Instructors from Outside
  – Crisis Management
  – Business Continuity
• Executive Leadership & Staff
  – Executive Security Standards
    • Information Security
    • Personnel Security
    • Physical Security
  – Bi-Weekly Intel Briefing
    • 1 page organized into 5 sections
      » Europe, Middle East & Africa
      » Asia-Pacific
      » Americas
      » Global
      » Cyberspace
    • Includes threats & relevant initiatives

Richard Power, Carnegie Mellon CyLab 2008 65

Awareness & Education: Secrets of Success

• Intent
  – Engage
  – Enlighten
  – Empower
• Content
  – Intriguing Themes
  – Credible Sources
  – Plausible Scenarios
  – Relevant to Both Current Events & Personal Life

Richard Power, Carnegie Mellon CyLab 2008 66

Secrets Stolen/Fortunes Lost

Elements of A Holistic Program --
• Personnel Security: Implement a "Personnel Security" program that includes both background investigations & termination procedures.
• Physical Security: Do not overlook the "Duh" factor.
• Information Security: Recruit people with academic training (e.g., CyLab) & professional certification (e.g., CISSP, CISM, etc.). Adopt best practices. Establish a baseline.
• Industry Outreach: Actively participate in industry working groups appropriate to your sector & environment. Sponsor research and education (e.g., CyLab).
• Government Liaison: Leverage your tax dollars.

Secrets Stolen/Fortunes Lost, Synergy Press, 2008 67

Secrets Stolen/Fortunes Lost

Elements of A Holistic Program --
• Intelligence: You need both business & security intelligence. Someone must be looking at both streams, with the particulars of your enterprise in mind.
• Awareness & Education: Train your workforce on an ongoing basis about the threats of economic espionage, intellectual property theft, counterfeiting & piracy, & countermeasures.
• Organization: Where security reports within an organization is the most vital issue.
• Legal Strategies: Don't let a small legal mind make decisions about big legal issues.

Secrets Stolen/Fortunes Lost, Synergy Press, 2008 68

Conclusions

21st Century Risks & Threats Demand A Holistic Approach

• No nation can go it alone
• No corporation can go it alone
• No individual or family can go it alone
• A holistic approach integrates many elements --
  • Both strategic & tactical
  • Both technical & non-technical
  • Both professional & public

Richard Power, Carnegie Mellon CyLab 2008 69

Conclusions

Four 21st Century Cyber Security Imperatives
• Holistic Approach: Cyber Security, Physical Security & Personnel Security must be integrated – certainly at the operational level, preferably at the organizational level.
• Culture of Security: Security Awareness & Education must be revolutionized – to communicate the holistic approach, and to engage and empower the individual.
• Intelligent Approach: Intelligence and Risk Analysis must look at cyber security from the outside in, as well as from the inside out; e.g., dig into the front page stories and look for the cyber security implications, study the geopolitical and economic trends and look for the cyber security dimensions; do not limit your thinking to bits and bytes, or policies and standards, or attacks and countermeasures.
• Harnessing the Future to Secure the Present: Academic research into new technologies must receive unprecedented funding to lead in the development of strategies and solutions for mobility, secure home computing, critical infrastructure protection and other vital areas of concern.

Richard Power, Carnegie Mellon CyLab 2008 70

Conclusions

Your Most Dangerous Adversary …

In the Shadows of Cyberspace, Your Most Dangerous Adversary is Not the Hacker or the Spy or the Cyber Criminal or the Disgruntled Insider or even the Cyber Terrorist.

Whether You Operate in the Corporate World or in the Government, Your Most Dangerous Adversary is Weak Leadership.

Richard Power/Dario Forte, Computer Fraud & Security Journal (2006) 71

Conclusions

Your Most Dangerous Adversary …

If Your Leaders are Small-Minded and Self-Serving, No Amount of Timely Intelligence, Sophisticated Technology, and World-Class Expertise Will Protect Your People, Your Secrets, Your Organizations, or Your Country.

Richard Power/Dario Forte, Computer Fraud & Security Journal (2006) 72

Conclusions

Issues to Pursue Moving Forward
• IT Supply Chain Security
  – Not just IT supply chain, every supply chain – because the IT chain impacts them all
  – Look for opportunistic random distribution
• Virtual Worlds
  – Not just money laundering
  – Covert communication channel
  – Incredible access into the minds of individuals & groupings, to exploit, target, shape them
• Governance
  – What should be discussed in the Board Room
• Climate Change
  – The intersection of security & sustainability

Richard Power, Carnegie Mellon CyLab 2008 73

Contact Information

Richard Power
• e-mail: [email protected]
• web: http://www.cylab.cmu.edu
• snail mail: Carnegie Mellon University, NASA AMES Research Park, Building 23 (MS21-11), Moffett Field, California, 94035-1000
• telephone: 650-335-2813

Richard Power, Carnegie Mellon CyLab 2008 74