Inside the network: Refining a cyber security culture 

Warfare has always been a case of technological “follow the leader” ever since sharp sticks replaced rocks. Military leaders in the developed world have long placed current cyber threats on a spectrum of technological development. They know they are already under attack, and that they must adapt and adjust systems to cope with evolving threats. However, many decision makers in government and industry have frozen their perception of the technological threat at a previous stage, leaving their organizations dangerously vulnerable.

The consequences of network protection failure are immediate, global and irreversible. As vice president of Information Security Solutions for Raytheon Company’s Intelligence and Information Systems, Steve Hawkins has a wide window to the cyber threat environment.

Stage 1: Evolution
According to Hawkins, today’s managers have done well coping with yesterday’s challenges as, “everybody went out and did their firewalls and anti-viruses, the pretty basic ‘protect the castle’ kind of approaches, and I think all that is good because that will address 80 percent of the threats, all the low end types of threats that could cause you issues.” Hawkins says off-the-shelf, standard IT security practices protect against those types of risks. But that was yesterday.

The big change is the location of the threat. Today, the enemy is inside the gates. “Where some are starting to move – and they need to consider it more – is the fact that you will not keep the threat out of your system. A zero day set of malware will go right past your anti-virus.”

As a top defence contractor, Raytheon must be at the forefront of threat protection, Hawkins said. “I think we go well beyond what most private, commercial companies do, just because of the criticality of the systems we deliver.” The company now takes the view that when intrusive code gets into the network, the most realistic metric is the measurement of how long that potential malware actually resided on the network – how long did it take to get it out?

“What we do is monitor the command and control channels. If there is something in there, it is trying to get something back out. You can see it trying to go back out. So, detect them and then eradicate them,” Hawkins explained. “If you went back maybe five years ago, something might stay on a system for two months. Today, we have the time down to almost zero. Today, the reality is that something is going to slip through and that means you need the tooling, the sensors, inside to detect things that get through. When you do eradicate the threat, keep the metrics on time to eradicate, and get them down to under a minute – literally, how many seconds it took.”

Stage 2: Perception
The WikiLeaks data spill and the Stuxnet attack on Iran may not have changed the reality of the cyber threat environment but senior executives should recognize that perceptions of their reaction of the threat will change – their stakeholders now have a different scale with which to measure failure.

Hawkins believes incidents like Stuxnet and WikiLeaks, while very different, together show the potential impact of a networked world, “and the fact that a whole range of threats exists, all the way from thoroughly low end hackers, the teenagers that we all think about who are quite skilled, all the way up to what’s rumoured to be nation-state involvement with quite a bit of complexity.”

The cyber threat to our countries, Hawkins said, now goes beyond nation states or terror groups. “It literally drives all the way into organized crime, individuals out there for monetary reasons or just for fun,” he said. “It really runs the entire range of possibility and it is all built around a fairly low entry to learn the skills, to get started. I would say very sophisticated threats can probably be put in place for a few million dollars.”

Then there is the human threat. Pvt. Bradley E. Manning of the United States Army was charged in July 2010 with the unauthorized release of classified information. What is now called Cablegate was the public release of a quarter of a million classified messages between U.S. diplomatic missions and the State Department. There was an immediate and detrimental impact on governments around the world, Canada’s included. Suddenly SIPRNet, the closely protected computer networks that connect the U.S. military and government, didn’t look so secret any more.

What’s the not-so-secret message from the Cablegate debacle for senior executives? “I’m not one who looked at the situation and said, ‘we’re doing too much information sharing’,” Hawkins said. “I think that is the immediate knee-jerk reaction that I’ve heard floating around. The fact is we are doing too much information sharing without the proper controls. So, somebody shouldn’t be able to have access to things they should not have their hands on. What you need is the type of solutions in place that can validate policies and verify who should be getting the shared information.”

The leadership must protect against the insider threat, and not just the malicious threat, Hawkins advised, but make sure users are following policy. “Those policies will determine the security of your system, because anybody can open an email or go to a website that has malware, maybe new malware that gets past all the protection systems. But if you can train your users and have policies and monitor them to make sure they are doing the right things from a security standpoint, then you make your system a lot more secure.”

Stage 3: Proliferation
The August 2008 war between Georgia and Russia took cyberwar to a new level, as Russian hackers, official or unofficial, “prepared the battlefield” by hammering Georgian government websites and Internet links. The Stuxnet worm refined that blunt instrument into a razor-sharp tip, aimed to specific capabilities of a specific government.

“What is the kind of attack that constitutes war? Most countries respond if attacked. I think each and every country is probably working their way through defining what puts the well-being of their citizens in jeopardy, what responses are acceptable and who has to approve them,” Hawkins said.

During the Cold War, policymakers were very concerned about the existence, deployment, testing and, ultimately, use of nuclear weapons. Various doctrines emerged that, in effect, constructed a signalling system of escalating cause and effect between potential adversaries.

“There were lots of concepts of operation that said detonating some form of nuclear device, even if its intention was not to kill people but to disrupt electromagnetically, called for a response with your own weapons. Cyber could fit that doctrine. When you think about it, it’s a disabling type of capability in a world of networked command-and-control and weapons systems,” Hawkins said.

Stage 4: Cooperation
In just a few decades, the Internet joined up the world. Few institutions of any weight or standing have not placed great dependency on this invisible, virtual structure. While the Internet itself is based on standards, there are no standards for security. By way of analogy, in the early days of aviation, boarding an airliner was easy. As vulnerabilities attracted threats, security standards evolved.

“We are networked worldwide so we are going to need computer and network defence cooperation worldwide,” Hawkins said. Roles and responsibilities will vary from organization to organization but everyone should be looking to the most advanced cyber security cultures for their leadership. “In our country, at any rate, the military can’t run commercial networks. It’s not their job, but other operators should be looking at the military and intelligence community technology,” Hawkins said.