Some members of Congress and the White House want to mandate certain “cybersecurity practices” because they believe private sector companies are not doing enough to protect systems. Push-back from business stalled the legislation before the recent election.
Now, a series of high-profile attacks is being used to bolster the argument that the U.S. government needs more authority over private sector systems as well as access to data that might indicate incursions. Several U.S. banks have struggled to counter distributed denial of service (DDoS) attacks that have knocked websites offline or disrupted service to customers. Separately, General Keith Alexander, director of NSA and Cyber Command, and Defense Secretary Panetta have made news with their alarm about recent attacks on the Saudi Arabian Oil Company (Aramco) and Qatar’s natural gas producer, Rasgas. Panetta blamed Iran, and called the Aramco attack “a significant escalation of the cyber threat.”
But do these attacks really signal a new level of threat? Are they precursors of cyber warfare or the covert use of cyber attacks by nation states? Or are they simply the reflection of a globally connected network that is increasingly sophisticated and susceptible, with targets all around the globe?
My guess is that it is the latter. A virus named Shamoon was identified as responsible for the Aramco and Rasgas attacks. It does not steal data, but deletes it and causes computers to shut down. While Panetta claimed the attacks were so sophisticated that they would have required the expertise of the Iranian government, various researchers, including Kaspersky Labs, analyzed the code and claimed it was unsophisticated and likely developed by amateurs. Moreover, it was not a purely external attack. The New York Times reported that researchers who analyzed the Aramco attack concluded that it involved an insider with privileged access.
Over the past several years, there have been equally serious attacks on systems around the globe. The information and communication technologies that have enabled a globally-connected economy, spurred productivity, and raised GDP in developing countries have also created an enormous opportunity for criminals. They compromise systems, steal data, and run illegal schemes—and get away with it. Criminals are always looking for a way to make money or wreak havoc without getting caught, and the Internet has enabled a sort of “perfect crime.”
Tracking and tracing cybercriminal activity quickly gets bogged down in legal restrictions and complexities caused by the borders of nation-states. Of the 250-plus countries and territories connected to the Internet, only about 50 have harmonized cybercrime laws, and few countries adequately train law enforcement and forensic experts to conduct cybercrime investigations. Thus, cooperation and assistance are difficult, and the existing legal framework for getting such assistance internationally is archaic. It takes months when minutes matter.
Criminals understand this. They know which jurisdictions have no laws, lack trained law enforcement, or have little interest in cyber investigations. They reside in these jurisdictions or use them as havens to store stolen data, malware templates, and code changes that keep criminal operations resilient against countermeasures. It is not uncommon for a cybercriminal to reside in one country, have drop zones or caches in several other countries, and attack victims using a botnet comprised of compromised computers spread around the globe.
The workings of the Internet are complicated and even one communication can involve numerous parties, such as Internet service providers, cable and telephone companies, backbone providers, domain name service providers, and Internet Exchange Points. Tracking and tracing is not as simple as contacting the phone company for traffic records. It requires swift cooperation from forensic experts, providers, and law enforcement, and common provisions in legal frameworks. Today, this is a tedious and time-consuming process.
Congress, the Administration, and business leaders need to understand that cybersecurity will never get better until we can track cyber criminals, catch them, extradite and prosecute them, and convict them. Sending criminals to jail is a deterrent. It is how we lowered the incidence of street crimes, fraud, murder, and rape.
What we need is less scare-mongering from our leaders and finger-pointing at national adversaries, and more cold-blooded recognition that the most valuable initiatives would be in the realm of coordinated cybercrime laws and trained law enforcement. Until such action is taken, the bad guys will continue to win, we will continue to be harmed, and few will be held accountable, even nation states.
As business leaders this week explore the possibilities for innovation at Techonomy 2012, they need to understand not only the risks of our inter-networked society, but also the realities of how we might counter them. Pointing fingers at certain nations will achieve less than working with all nations to address cybercrime.
Jody Westby is CEO of Global Cyber Risk and provides consulting services in the areas of privacy, security, cybercrime, and IT governance. She was a speaker at Techonomy 2012 in Tucson, Ariz.