Can the U.S. prevent a digital sneak attack?
How vulnerable is America's tech infrastructure? Security experts gathered in New York City to discuss cyber threats -- and how to stop them.
NEW YORK -- Stuxnet was only the beginning.
As the United States' technology infrastructure ages, and Internet connectivity becomes ubiquitous, America's largest companies -- and government agencies -- are under fire from cyber attackers around the world.
But this isn't like conventional warfare: the days of nation-versus-nation are over. In the Digital Era, espionage is a shadowy game of rapidly changing affiliations where the attacks are swift, anonymous and devastating. So how can the U.S. stay ahead?
Experts gathered here at Bloomberg's 2012 Cybersecurity Conference to discuss exactly that. Northrup Grumman's Christopher Valentino, Raytheon's Jeff Snyder, former U.S. Air Force military intelligence officer Cedric Leighton and Trend Micro vice president Tom Kellermann discussed how secure American companies really are (not really), discussed where the threats will come from next (where you least expect) and what can be done about it (read on!).
We are the battlefield
The first problem: warfare is no longer relegated to soldiers on a distant battlefield. In the age of connectivity, individuals have the potential to become collateral damage.
"Everybody is not only vulnerable, but also on the front line," Leighton said. "It's not a uniformed services issue, it is everyone's issue."
Cyberattackers are looking to disrupt daily lives -- which means companies and institutions must think of "critical infrastructure" in personal terms. "They're targeting what you're doing," Leighton said.
And it's not entirely clear who "they" is. One thing we learned from the Sept. 11 terrorist attacks, Kellermann said, is that non-state actors can attack critical infrastructure.
Take the Stuxnet worm, for example -- its creator certainly didn't expect it to become ammunition in bigger war, altered to suit the intentions of other actors, he said. Integrity attacks such as this are quite worrisome, and the worst threats are those that manipulate data to turn the database on itself, violating the trust that the system operator worked so hard to build with its customers, Kellermann said.
"As soon as you use one of these weapons once, everybody's game changes," moderator and Bloomberg News reporter Michael Riley said.
Leighton, with a twinkle in his eye, took it a step further: "What if Joseph Goebbels, master [Nazi] propagandist, had access to the Internet? What could he manipulate?"
Take the financial sector, for example. It's the most secure of them all, according to Kellermann, but that's because major players are dealing with the most severe threats. It's the nature of their business.
"You can't unwind transactions," he said. "Transactions are time-stamped. Being able to manipulate time is the most dangerous thing, to me, in that sector."
And all it takes is undermining confidence in a market to shake it, causing widespread, long-term economic effects that affect an economy's integrity.
The financial services sector isn't the only one, either: consider the effects on the pharmaceutical industry. The chemical industry. The transportation industry.
Train cars full of explosive chemicals are traveling across the U.S. every day. What could happen to those rail switches when a conductor forgets to patch his laptop?
"We're entirely too dependent on technology," Valentino admitted. There's nothing wrong with using simple manual processes to build in redundancies.
Part of the challenge is its breadth, Kellermann said. According to Interpol, even the biggest organized crime syndicates have business divisions for cyber. When a company or country finds itself at war over the wires, can it fight against anonymous enemies it doesn't understand?
Is 21st century warfare simply swinging blindly in the dark?
"Nation-states don't have control over non-state actors to contain behavior during periods of conflict," Kellermann said. "Who's in control, with a lack of attribution?"
The attacks may not be direct, either. A military's operations can be undermined when a cyber attacker compromises a civilian contractor.
"If game theory is turned on its head or made irrelevant from the sheer number of actors on the stage, then you've got a serious control problem," Leighton said.
And control is everything. Cyber attackers may not be able to physically occupy a country, but they can influence and change behavior -- often through fear, Leighton said. For example, consider the differences in governing style between the U.S. and China.
"You have to look at China as, from a historical standpoint, a country that seeks to influence [and not occupy]," he said. "The advent of the Internet is perfect for Chinese policy."
A new point of view
With these myriad threats, how should a government or corporation react? By thinking like the enemy, panelists agreed.
"You've got to think like the enemy," Leighton said. "You've got to think like a hacker."
It starts by respecting where the Internet is headed and how hackers will operate within that environment. Is there a way to prioritize security so that you let cyber burglars break into the house -- only to find themselves stuck in the damp basement with your pet Rottweilers?
Government agencies have traditionally had difficulty doing this, Valentino said.
"They fail to identify what's really critical," he said. Like money and food and the means with which to get that to people.
You can't get rid of all vulnerabilities, Snyder added. You have to swallow that reality and move on. "Recognize that every perimeter is penetrable," he said. "What is the next phase?" That's why Intel bought MacAfee -- because the future is in hosting critical applications at the processor level.
Companies need to have a better attitude about security, Kellermann said.
"For too long, organizations viewed security as an expense, rather than a functionality to sustain critical infrastructure," he said. "There's a lot of plausible deniability."
According to a recent McAfee survey, more than half of companies experienced a breach and didn't immediately report it or fix it because of potential impact on industry reputation.
"That's mind-boggling," Kellermann said.
The bottom line? Companies and organizations need to bear arms against cyber attackers -- because disaster is only a matter of time, and no government superhero will come to the rescue when it does.
"Cyberspace is not civilized," Kellermann said. "Only you can save you from this invisible threat. Recognize and appreciate it."
Leighton put it in more colorful terms. The looming threat of a cyber attack is less like Pearl Harbor -- the Japanese didn't occupy Hawaii; they were never there -- and more like Singapore, he said. There, the Japanese easily took the city-state by riding in on bicycles, through the jungle -- all "because the guns were pointed in the wrong direction."
"Think about how vulnerable we are to the modern-day bicycle riders through the jungle in Malaysia," Leighton said. "Only it's the whole world."