America the Vulnerable

Just finished reading, America the Vulnerable – Inside the new threat matrix of Digital Espionage, Crime, and Warfare (wow that’s a mouthful), by Joel Brenner. It is a book on the information security challenges that American government and organisations are facing. As suggested by the title of the book it covers the issues of:

• Digital espionage –against American government departments to steal classified information and organisation for competitive advantage (obtaining intellectual property). The book is mostly focused on the threat from China and Russia.
• Digital crime – the rise of organised crime groups using the Internet for criminal enterprises (from botnets, stealing banking details, credit card information etc), with most of the examples in the book being of Russian or other Eastern European threat sources.
• For want of a better phrase – “cyber warfare” – the use of the Internet and technology to conduct warfare (i.e. attacking critical infrastructure by compromising its integrity or availability). The author points out that the cyber / information warfare is a grey area in terms of the current legal definition of war and that binary notion of either we are at war or in a period of peacetime is too coarse grained and does not the reality of the modern world. A secondary related point is that it’s very difficult to attribute an attack to a particular individual let alone a country. It is alleged that some attacks such as Operation Aurora were sponsored by the Chinese government but most of the evidence could be regarded as purely circumstantial. The focus is on China but the examples of incidents and potential threats also cover Iran and Russia. 

The book provides insight into the overall trends in these areas and the nature of the problems. Some might say the threats discussed in the book are over hyped to push a particular agenda (because the book is written by the former NSA Senior Counsel and National Counter-Intelligence Executive) – however, I think it’s a generally accurate and balanced picture of the state of affairs. 

One point raised throughout the book is around how personal privacy is being eroded due to the dual-use nature of information technology with so many of the services we use on a daily basis collecting, aggregating and analysing the information we provided in return for access to the service.  The author goes on to say that the problem of an increasingly transparent world, also affects intelligence agencies as the assassination of Mahmoud Al-Mabhouh proved.

To paraphrase an oft repeated maxim in the information security arena – system security should not depend on the secrecy of the implementation or its components. Why is this important? Well in today’s transparent world you can glean a great deal of information about an organisation from public sources.

The book discusses a growing problem of attacks against the IT infrastructure of large organisations by organised crime groups and also by other actors for the purpose of economic espionage. The book mentions indirect attacks where an organisation is attacked because they are linked to the actual target. In particular the author mentions the possibility of foreign nations targeting legal firms because they tend have highly sensitive and valuable information on their clients business (think everything from funding information for private companies, intellectual property, etc). Having worked in the E-Discovery sector, I would posit that they would also target organisations (managed service providers, outsourcing companies etc) that provide services to legal firms.

The last section of the book covers actions that the government and private sector should undertake to improve security. While most of the suggestions seem sensible but as I’m sure the author realises there are some significant problems with some of the recommendations:

Require ISPs to notify customers whose machines have been infected and form part of a botnet

The key problem is that it’s not necessarily that easy to identify machines that are part of a botnet.
It costs money to run a service to detect and notify customers – that time and money could be spent by ISP on other things. Unless a particular botnet is generating excessive traffic and somehow affecting the ISPs bottom line or reputation and they have support from other organisations (law enforcement, hosting providers etc) they are unlikely to want to get involved.
If the machine belongs to the average consumer (as opposed to a corporation) they are unlikely to posses the knowledge to clean up their computer.

Feasibility of an alternative Internet architecture

The author suggests a change in the Internet architecture to increase security. When the protocols and technologies that underpin the Internet were designed they authors did not quite envision just how popular it would become. Furthermore, since it grew out of a DARPA funded project that mostly academic organisations were using it was based largely on being able to trust those you were communicating with. The author acknowledges that this would be a “hugely expensive change” but thinks its worthwhile researching alternatives. I agree with both these statements but I think hugely expensive is an understatement – you only need to look at IPv6 and DNSSEC to understand why changes to fundamental protocols of the Internet are hard. Just look at the Wikipedia page for IPv6 and look at the history of its development and the current deployment figures – it took a long time develop the standard and current deployment is pretty disappointing. It’s not just the myriad of networking devices that need to support the protocol (routers, firewalls, IDS/IPS, customer premises equipment etc) but also applications – yes there are transition technologies but they don’t solve all the issues.