Leadership and Responsibility for Cybersecurity Melissa E. Hathaway Melissa Hathaway According to Darwin, “it is not the most intellectual of the is President of Hatha- species that survives; it is not the strongest that survives; but way Global Strategies, LLC and former Act- the species that survives is the one that is able best to adapt ing Senior Direc- and adjust to the changing environment in which it finds tor for Cyberspace, 1 U.S. National Secu- itself.” We have certainly adapted to the Internet and the rity Council. Hathaway technology that underpins it. In fact, we have made it an served as Cyber Coor- dination Executive and integral part of just about everything in our life; and in many Director of the Joint ways we take it for granted that it will always work twenty-four Interagency Cyber Task Force in the Office hours a day, seven days a week. There are approximately 2.5 of the Director of billion Internet users around the world of which nearly half National Intelligence. 2 Previously, Hathaway are below the age of twenty-five. Yet, there is another set of was a Principal with actors that have adapted more successfully: criminals, spies, Booz Allen & Hamil- and some clever guys. Media headlines announce daily that ton, Inc. our bank accounts are being robbed, our intellectual prop- erty is being illegally copied, and our critical infrastructures are penetrated and could stop working at any moment. The very fabric that contributes to nearly 40 percent of the productivity growth of the global economy also facilitates an equally robust underground economy.3 These messages appear to fall on deaf ears as our corpo- rate and political leaders continue to talk about the troubled environment, yet too few are adapting to or assuming the [71] LEADERSHIP AND RESPONSIBILITY FOR CYBERSECURITY responsibility for resolving it. Instead, liferate undetected from network to our leaders appear to be paralyzed by network. The code was designed to the prolonged economic recovery and illegally copy information and, when are in denial of the security needs of our possible, transfer it to servers under infrastructures and enterprises. Why? foreign control. Because of the difficulty in balancing The DoD code-named the discovery parallel demands: economic recovery of, and recovery from, this incident and growth vis-à-vis national securi- “Operation Buckshot Yankee.” Gov- ty and infrastructure protection. This ernment leaders wanted to learn the tension is further exacerbated by the extent of the penetration and whether competition for resources, lagging pol- the networks could still be “trusted.” icy implementation, and an ill-defined Thousands of man-hours were expend- technology roadmap to address security ed to hunt and isolate the infections. shortfalls as we adopt and embed the The DoD developed and deployed next-generation technology into our technology to detect and close commu- infrastructures and enterprises. nication channels, as well as to eradicate Policy makers, legislators, and busi- the infections. The total operational nessmen should assess the gap between and capital cost has yet to be publicly the current defense posture and our disclosed. needed front line defense in the face From a policy perspective, the Sec- of an increasingly sophisticated range retary of Defense and the Chairman of of actors. This paper describes a series the Joint Chiefs of Staff announced a of case studies that highlight the lack temporary abandonment of the use of of attention being paid to this seri- portable media/storage devices. This ous problem and the subsequent policy affected department performance, and technology solutions that are being enterprise agility, and for some, the brought to bear to close the gap. ability to execute their missions. From a technology perspective, it required Operation Buckshot Yankee. a change in architecture. Prior to this In the fall of 2010, Deputy Secre- event, the DoD focused its defensive tary of Defense William Lynn stated posture from an outside-in, defense- that the Department of Defense (DoD) in-depth strategy. And even though had “suffered a significant compro- in 2007, the Comprehensive National mise of its classified military computer Cybersecurity Initiative (CNCI) articu- networks.”4 The penetration occurred lated and funded defensive programs in 2008 and was delivered via trust- along four attack vectors—insider access, ed uniformed military personnel who proximity access, remote access, and were using USB mass-storage devices to supply chain access—the DoD had not move important operational informa- yet implemented technology to detect tion between unclassified and classified and deny tainted technology brought systems in support of U.S. Central into the enterprise by way of trusted Command’s military operations. The insiders.5 Operation Buckshot Yankee devices at issue contained a malicious required the DoD to begin to configure computer code, which was able to pro- its sensors to look for and alert anoma- [72] Georgetown Journal of International Affairs HATHAWAY International Engagement on Cyber 2012 lous behavior inside its networks. It also help enhance “trust” for financial or required the DoD to implement a data other private Internet transactions by loss prevention program to block illegal confirming that something or some- data loss. one is genuine.7 These certificates have The DoD continues to suffer from become the de-facto credential used for more than 6 million probes per day secure online communications and with an untold number of success- sensitive transactions, such as online ful intrusions against their unclassified banking or accessing corporate email networks.6 Who is being held account- from a home computer. able for the DoD’s cyber posture? Is it In March 2011, RSA informed its the DoD Chief Information Officer, customers of a breach of its corpo- the Director of the Defense Informa- rate network, which could reduce the tion Services Agency, or the Com- effectiveness of its SecurID two-factor mander of United States Cyber Com- authentication token.8 RSA’s SecurID mand? Actually, it is a combination two-factor authentication system is a of these individuals and offices and widely used digital certificate system for many more. Ultimately, however, the remote access logins to corporate net- overall defensive posture for the DoD works through virtual private networks rests in the hands and responsibility of and by many financial institutions the Secretary of Defense. And while he including the United States Federal may have been embarrassed by a for- Reserve Bank. On 21 May 2011, a lead- eign country being able to penetrate ing U.S. defense contractor, Lockheed the armor of the classified networks, Martin, had its networks penetrated. neither the DoD nor any of its leaders The perpetrators used duplicates of appear to have suffered any real penal- RSA’s SecurID tokens to gain access ties or repercussions. If we are to adapt to Lockheed’s internal network.9 After and adjust, we must require greater this breach and several others resulting accountability and demand leaders who from the SecurID issue, RSA leadership will take charge rather than sit back and stated it would replace tokens, upon react only when necessary. customer request but not necessarily free of charge.10 Certificate Authorities. In 2011, Another certificate authority pro- governments and corporations alike vider was penetrated in June 2011. observed a new trend that threatened DigiNotar’s corporate network servers their ability to trust Internet transac- were successfully penetrated and hack- tions: the targeting, penetration, and ers gained administrative rights to its compromise of companies that pro- system. An audit was ordered by its duce security products. In particular, parent company, Vasco, in July 2011 the weak security postures of certifi- and the auditors discovered that the cate authorities, including Commodo, cryptographic keys had been compro- DigiNotar, and RSA, were exploited, mised and rogue certificates had been causing a wave of other crimes and issued.11 The Dutch government was consequences. Digital certificates rep- among DigiNotar’s key customers. resent a second form of identity to These compromises represent “a [73] LEADERSHIP AND RESPONSIBILITY FOR CYBERSECURITY threat to one of the most fundamen- the basic investment required to secure tal technologies used to secure online their own infrastructures and enter- communications and sensitive transac- prises. They are not even implement- tions.”12 The impact of these events is ing the minimal information security multifold. First, it calls into question procedures and controls outlined in the validity of two-factor authentica- the Consensus Audit Guidelines or the tion. Clearly, the cryptographic keys National Institute of Standards and can be compromised and therefore, Technology (NIST) 800-53, Recom- whoever has the “keys to the king- mended Security Controls for Federal dom” can impersonate something or Information Systems and Organiza- someone and compromise the integ- tions.14 Security vendors should use rity of that remote transaction. Second, these available resources and imple- these companies sell security; it is their ment a policy that recognizes that some brand. If a security company is unwill- data should not be accessible via the ing to invest in its own security, then Internet and publicly acknowledge the why should others invest in theirs? need for and implement better infor- Finally, the incidents caused harm. mation security controls. DigiNotar closed its doors after filing From a technology perspective, these bankruptcy, and RSA suffered a loss of companies have discovered that they nearly $66 million and a diminished need to install new technologies and reputation.13 One could even debate employ more vigilant processes in their whether RSA’s lack of full disclosure enterprises to detect anomalous behav- of the extent of their breach and com- ior and continuously monitor their promise of their product’s integrity enterprises for good and bad activ- could lead to actions being filed against ity.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages10 Page
-
File Size-