68 comms SECURITY

fragile web
As society becomes reliant on the Internet, the need
to secure it has grown urgent. but the vulnerability of
cyberspace may be intrinsic, writes David sandham

Engineering & Technology 22 November - 5 December 2008 www.theiet.org/engtechmag

068-071_ET_issue20.indd 68 12/11/08 15:29:59

 69
‘There is concern
ENGINEERING’s
GRAND cHALLENGE
about the level of
SECURE CYbERSPACE access obtained that
would allow an
adversary to become
disruptive at a time and
place of their choosing’

COMMUNICATIONS networks
underpin modern society like
the nervous system of a living
organism. The public switched
telephone network, the Internet,
VoIP, cable television,
submarine cables, and satellite
communications form the major
information pathways that keep
society functioning.
This system is under daily
attack. Viruses, unauthorised
access, security breaches, spam,
phishing, illicit electronic
surveillance, denial of service
attacks and cyber terrorism are
on the increase. The very inter-
connectedness that the modern
world depends upon has become
one of its major weaknesses.
Recent events illustrate the
threat to commercial and govern-
ment networks, and the informa-
tion that flows over them.
“I’m not sure that most
law-abiding citizens understand
the magnitude of the threat
from cyber-criminals,” says
Colonel Gary A McAlum,
formerly Chief of Staff, Joint
Task Force for Global Network
Operations at the US Strategic
Command, who recently joined
Deloitte Touche Tohmatsu, a
global financial services
company. “There is a thriving
cyber-crime market for personal
and financial information.”
In March, thieves stole
4.2 million credit and debit card
numbers from Hannaford and
Sweetbay, supermarket chains
in north east US and Florida,
respectively. The cyber-crimi-
nals put software on computers
to capture credit-card informa-
tion. The breach went
undetected for three months
and led to about 1,800 frauds.
Ironically, on the day it was
discovered, Hannaford received
a certificate saying it was fully
compliant with the Payment
Card Industry standard, which
obliges retailers to encrypt data
sent over publicly accessible
networks, but not over private
lines. Both supermarket chains
thought they were safe. But the
cyber-criminals intercepted
unencrypted credit-card data as
it travelled from shop tills to
corporate servers, from where it
would have been encrypted and
routed to credit-card company
servers for authorisation.
The extent of the problem
is hard to measure, because
reporting is largely voluntary.
Victims of cyber-crime don’t
like to discuss it, because hacked
systems damage reputations
and cost customers. The US
Treasury Department has
estimated the annual profits
from cyber-crime at $105bn.
“I believe that is on the low end,”
says McAlum.
WAR
In addition to organised crime,
there are other murky presences
lurking in cyberspace: spies.
intelligence agencies, the
shadowy groupings that assist
them, and the military of several
nations, are all interested in
mining information from the
networks of target countries.
“A significant amount of data
[has been taken] from federal
networks over the past few
years. I don’t think we will ever
know the true extent of how
much and exactly what was
taken,” says McAlum. “There
is also a significant concern
about the level of access
obtained in some cases that
would allow a potential adver-
sary to become disruptive at a
time and place of their choosing.
This is a huge concern.”
Cyber skirmishes have
already begun. In 1998 the
Internet Black Tigers, a
guerrilla organisation, flooded
Sri Lankan embassies with
800 emails a day for two weeks.
The first cyber war between
nations may have occurred last
year, when the digital infrastruc-
ture of public institutions in
Estonia, including the parlia-
ment, ministries, banks,
newspapers, broadcasters and
telecommunications companies,
was attacked. Estonian
networks were blasted with up
to 90Mbit of traffic a second for
up to ten hours. Most of the
traffic was part of a distributed
denial of service (DDoS) attack,
in which a network of
computers, perhaps one million
strong, was hijacked and used to
flood the Estonian networks
with requests for services such
as web-page transfers. The
attacks happened after Estonia
offended Russia by relocating a
Russian Second World War
memorial. The attacks origi-
nated from computers allegedly
traced to Russia, but the Russian
government has denied any
involvement.
This year’s conflict between
Russia and Georgia had a
cyber-war component. DDoS
attacks disrupted access to
many Georgian websites,
including that of the Ministry
of Foreign Affairs. 

www.theiet.org/engtechmag 22 November - 5 December 2008 Engineering & Technology

068-071_ET_issue20.indd 69 12/11/08 15:31:27

70 comms SECURITY
The Russia/Georgia conflict was waged in cyberspace as well as in the streets
F The United States is also
under continual attack. In a
recent statement to Congress,
Jim Lewis, of the Center for
Strategic and International
Studies, said: “Cybersecurity is
now one of the most important
national security challenges
facing the US...this is not some
hypothetical catastrophe. We are
under attack and taking
damage.”
More than 30 nations are now
believed to have information
warfare programmes. And
individuals with technical
expertise have found their
power to disrupt their enemies
transformed in cyberspace.
In March 2000, a disgruntled
Australian employee used the
Internet to release one million
litres of raw sewage into the
river and coastal waters of
Queensland. The same year, a
university student in the
Philippines created the ‘Love
Bug’ virus, which caused
damage estimated at up to
$15bn world-wide – or about
as much as a major hurricane
disaster.
The problem is growing fast.
Mikko Hyppönen, chief
researcher at antivirus
software company F-Secure
Corporation, says: “We are now
seeing tens of thousands of
unique malware samples each
corbis
day. It was nothing like this even
three years ago.”
Engineering & Technology 22 November - 5 December 2008 www.theiet.org/engtechmag
068-071_ET_issue20.indd 70
SOLUTIONS
The US National Academy of
Engineering has recognised the
importance of securing
cyberspace by declaring it one
of 14 Grand Challenges for
Engineering, alongside issues
such as providing energy from
fusion, preventing nuclear
terror and making clean water
accessible to all. It is right to
focus on the problem, especially
because it cannot be overcome
by a single approach. It’s just not
that simple.
As Hyppönen says: “The
power and growth of cyberspace
is due to it being an open system.
‘Open’ doesn’t always equal
‘secure’. How can you secure
cyberspace? Close it – but then
you might also end up killing it.”
Complete solutions, even if
they could be built, could have
unwanted consequences. In
today’s open cyberspace, anyone
or anything can connect to the
Internet. It might be possible to
introduce controls that
guarantee that all the endpoints
in the network are known to be
‘safe’. But that would destroy the
Internet as it is today, reducing
it to a closed system.
The US government has
proposed another solution using
‘key escrow’, in which informa-
tion is handled under the same
kind of public-key cryptography
that protects Web commerce, but
government agencies hold a
‘We cannot secure
cyberspace any
more than we can
completely secure
the oceans or the
spare key that they can use to
decrypt any message they want.
It’s the kind of ‘solution’ that
holds the seeds of its own
destruction – it wouldn’t be used
by those it seeks to expose, and
also raises tremendous civil
liberties issues.
“Cyberspace cannot be
secured 100 per cent without
radical and fundamental
changes in the architecture and
implementation of governance
models that would never fly,”
says McAlum. “We cannot
secure cyberspace any more
than we can completely secure
the oceans or the airspace.”
Toralv Dirro, security analyst
at McAfee, says: “Because of its
nature, cyberspace is very diffi-
cult, maybe even impossible, to
secure. There is no real central
instance controlling it, each
country has different laws that
apply, and it is growing at a rapid
pace. The best hope is to make
some vital parts as safe as
possible, to allow business to be
done in a reasonably secure
manner, and to protect the users
as well as possible.”
Dr Guy Bunker, chief scien-
tist of security software and
services company Symantec
Corporation, says: “Cyberspace
as we know it is, in some places,
very insecure. So it is relatively
simple for fraudulent behaviour
to occur. We could secure it very
rapidly, but that would shut it
down for most people.”
ARMS RACE
Most experts agree that there is
no single answer to securing
cyberspace. Instead, think
evolution. Think arms race.
Progress will come by
incremental improvements to
many technologies.
The traditional model of
cyber-security is to use a perim-
eter defence, the classic firewall.
But perimeters often have holes.
Today, a perimeter defence is
seen as just one component of a
multi-layered defence: it will not
keep out a determined adver-
sary, but reduces minor threats
so that effort can be concen-
trated on more sophisticated
exploits or insider threats.
Today, machines get their own
firewalls. Host-based intrusion
airspace’
Colonel Gary A McAlum,
Deloitte Touche Tohmatsu
prevention systems run on a
remote desktop or mobile laptop,
protecting the machine
wherever it goes. Instead of
hiding behind the castle walls,
and only being safe there,
individual machines are given
their own armour.
Cyberspace security has also
become an active, rather than
passive, discipline. Instead of a
guard patrolling a perimeter
fence, think of a roving investi-
gator seeking out threats before
they cause damage. Hackers are
lured out of hiding by tempting
them with ‘honeypots’ and
‘honey-clients’, apparently
unprotected machines that can
be used to detect threats.
However, it takes two to make an
arms race. Advanced viruses
fight back by constantly
changing their attributes to
outwit security technology.
Clever hackers learn to side-step
honeypots.
Malicious software (malware)
is becoming so prevalent that it
is beginning to outnumber legit-
imate software. At that point, it
is easier to create ‘white lists’ of
legitimate software than to
maintain the blacklists of
malware. Hyppönen recom-
mends a blend of whitelists and
blacklists for best effect.
INTELLIGENCE
Fighting a war demands a
good map of the battlefield.
Symantec runs a Global
Intelligence Network that has
more than 40,000 sensors around
the world and more than
two million dummy email
accounts – all of which are
monitored all day, every day.
Hundreds of millions of users
contribute statistics on
malware.
“This means that outbreaks
can be readily spotted and
contained,” says Bunker. “It also
means that new virus or
malware definitions can be
quickly and effectively written
and rolled out to prevent the
infection spreading.”
McAlum would like to see
more than just lots of sensors.
“There are sensors all over
the place and most feed back to a
particular security information
management application or a
12/11/08 15:31:31
 71
EXPLoITING WEB 2.0
Facebook is becoming
increasingly popular as a
target for virus attacks.
Some Facebook users are
currently receiving a mes-
sage that appears to be
from a ‘friend’. Upon click-
ing the link, they are redi-
rected to an enticing
video. The video will not
play, and they are told
they need to update
Adobe Flash. It’s a virus.

derivation of such a system,” he

says. “What I’d like to see is If you lose your laptop, you
could lose a lot more than
more effort placed on capabili-
just the hardware
ties that provide a holistic
picture of the enterprise that is
more than just an integration of
existing views and [which] helps
develop the risk picture based
on current threats, vulnerabili-
ties, and anomalous activities.
And I think there needs to be a
‘cause-effect’ aspect that helps
leadership understand the
impact of actions they may take,
for example blocking a port or
disabling a service.”
Cyberspace will get more
secure as software learns more
about how we behave. Suppose
an employee, who typically uses
a company database to access
individual customer records,
suddenly looks at the top 1,000
customers: software could be
written to highlight this
anomaly. Or suppose an Internet
user goes to a website he or she
has not visited before: software
could warn them that they may
have misspelled the address,
helping counter malware
infections caused by downloads
from web pages masquerading
as popular sites. Dirro believes
that behaviour-based technology
is “very important, the next
big thing”. reputations can be inflated. it has started encrypting chink in cyberspace’s armour –
Take an online auction seller customer credit-card data as ordinary people and their
TRUST – BUT VERIFY who sells and promptly delivers soon as the card is swiped. ordinary working practices.
Companies today tend to rely on 100 pencils at £1 each, gaining a Other low-technology activity, According to a study by
implicit trust to control access great reputation. They then such as creating information- Compuware, only 1 per cent
to their networks: employees are offer a car for £100,000, and sharing mechanisms between of recent corporate data losses
given a username and password abscond with the payment. The affected groups such as banks, were due to hackers. The biggest
and then expected to do the right reputation system was who are notoriously shy about culprits were negligent
thing. This will change. perverted to abet the crime. revealing their cyber-crime employees, with outsourcing and
Companies will keep closer tabs Systems will get smarter. losses, could also help. Just malicious employees being
on what their employees are “Neural networks and other locking equipment up can help among the other causes of
doing and how they are doing it. artificial intelligence technolo- a lot: laptop computers and significant breaches. Worryingly,
Behaviour-based technology gies have a place in learning PDAs are increasingly a target of the 1,112 practitioners
“can look at things such as what is good, bad or indifferent for thieves who want them for surveyed, 79 per cent said their
typing speed or style as an about networks and systems to as much for the value of the organisation had experienced at
additional means of help administrators make intel- data they may carry as for what least one data breach.
authentication,” says Bunker. ligent decisions to enable them they might get by selling the Dirro of McAfee thinks that
Advanced reputation services to fix problems,” Bunker says. hardware down the pub. what’s needed to secure cyber-
may also help secure But let’s not get “In many cases, particularly space for the long run is
cyberspace. carried away. A lot of when it comes to industrial progress on many fronts,
“Reputation-based progress can be made espionage, employees of partic- including technology, aware-
technology helps by getting on with the ular companies may be targeted ness, legal redress and human
people browse the drudge work of imple- for the opportunity to snatch a behaviour.
Internet safely and menting current laptop,” warns McAlum. Given the complexity of the
engenders trust between security techniques. The As the UK civil service is issue, is there any sign that we
consumers and Hannaford super- learning, you shouldn’t leave are winning the cyber-security
businesses, as well as market chain says that laptops on a train, or put war yet?
between businesses,” since its security unencrypted data on a CD in the “No,” says McAlum.
says Bunker. However, breach earlier this year, post. Perhaps this is the biggest “We’re not even close.” 

www.theiet.org/engtechmag 22 November - 5 December 2008 Engineering & Technology

068-071_ET_issue20.indd 71 12/11/08 15:31:39