Tuesday, August 12, 2014

Nationalizing Cybersecurity?

Last week the Langner Group published a blog post by Perry Pederson on the need for nationalizing cybersecurity for critical infrastructure. Perry very clearly outlined the reasons why individual companies do not have the resources to take on nation-state-backed entities in the cybersecurity realm. Citing the ‘provide for the common defense’ clause (Article I, §8) of the US Constitution, he argues that at some level cyber defense is a purely governmental function.

In a brief Twitter exchange I asked where the line should be drawn between national cyber defense and day-to-day operational security, and that is the topic that I would like to look at today.

National Defense

In a classical sense a nation state provides for the common defense in a couple of ways. First, it maintains a military of sufficient size, equipment and training that potential adversaries are forced to conclude that attacking the state would cost more than the potential benefits. Where potential adversaries are right at the border in neighboring states, fortifications are constructed and manned to ensure that enemy forces are delayed long enough for the full strength of the military to rally to the point of attack, while remaining prepared for attacks at other points along the border.

On the other hand, nation states also undertake diplomacy as a means of reducing tensions with potential adversaries and lessening the need to take up arms.

In extremis, nation states conduct pre-emptive attacks on their adversaries so that they can set the time and place of armed conflict to best suit their own needs and capabilities. A well-understood capability to conduct pre-emptive strikes gives potential adversaries an additional incentive to use diplomacy to address tensions that could otherwise lead to armed conflict.

Cyber Defense

Until recently cyber defense was more of a police-type action against individuals than a military-type activity against nation states. Individual owners of cyber infrastructure took minimal security precautions to ensure that the common criminal needed at least some level of skill and ingenuity to gain access to the owner’s systems. In the event of a break-in, police were notified, rudimentary investigations were conducted, and the occasional high-profile arrest and subsequent conviction of the cyber criminal served as a deterrent of sorts to further cyber crime.

As more wealth has moved into the cyber realm, criminals have become more sophisticated in their ability to attack that wealth. In response, owners’ capability to defend against breaches has become more complex, the law enforcement effort has become more sophisticated, and the courts’ response has become more severe.

Enemies not Criminals

Since the public discovery of Stuxnet in 2010 it has become apparent that nation states have developed the capability to surreptitiously attack an adversary’s critical infrastructure. Nation states have the resources to pull together a comprehensive development team to fashion and operate cyber tools and techniques for attacks that are practically undetectable in the short term.

The cyber attack objectives of these nation-state actors may include gathering intelligence (spying), which has been a common tool of statecraft and warfare for millennia; gaining a political or economic advantage by destabilizing critical infrastructure in an adversarial state; stealing technological innovation to allow for economic advancement at reduced cost; or simply weakening an adversary as a prelude to a physical attack.

The point that Pederson makes so clearly in his seven points is that in an unequal contest between a nation state and most private-sector owners, the private sector will almost certainly lose. This is bad for the economy if it is just a random facility that is attacked, but nation states will be conducting targeted attacks, ultimately against critical infrastructure facilities. The only other target worthy of their effort is the military and its suppliers.

What does the Government Defend?

It is quite clear that the Government does not have unlimited funds to provide for an absolute defense of all cyber assets within the country. It will have to pick and choose those cyber assets whose damage or destruction would pose some level of existential threat to the country. This is the essential definition of ‘critical infrastructure’. A political decision will have to be made about what must be protected, what should be protected if resources allow, and what cannot be protected.

Since cyber operations are an integral part of the operation and management of almost all critical infrastructure (I would say all, but someone would come up with some off-the-wall counter-example to prove me wrong), does this mean that the Government will have to take complete control of an enterprise to defend it against a nation-state attack? There are many people who would make that argument, but any realistic assessment would show that the Government does not have the manpower, expertise or will to manage all aspects of the varied infrastructure that supports the day-to-day operation of the country.

So the Government, if it is to be even moderately successful at defending critical infrastructure against catastrophic cyber attack, is going to have to pick its cyber battles carefully. To do that it is going to have to understand exactly which portions of the national infrastructure require national defense. This understanding has both strategic and tactical implications.

Under strategic considerations it must be remembered that all infrastructure is critical at some level; see the old story about the want of a nail. The Government (and that includes the governed) will have to prioritize national cyber defense according to what can be afforded (to spend) and what cannot be afforded (to lose). And it must be remembered that those priorities will change frequently as the economy grows and contracts and as adversaries change.

On the tactical level it is not necessary to defend every inch of the cyber coastline. National-level cyber defense requires that only those portions of critical infrastructure that pose the threat of catastrophic failure if attacked on the cyber battlefield (call it Catastrophically Critical Infrastructure, or CCI) receive the limited attention and resources of the Government defense. The Government will find it less expensive and more effective to respond to non-catastrophic damage to critical cyber infrastructure than to try to defend it all.

How do you defend CCI?

Once CCI are identified, planning for their cyber defense will begin by prioritizing the protection of CCI assets based upon their critical failure nodes (CFN); a CFN is any operation where a minimal change in control could cause a catastrophic incident. The most critical failure nodes will get first attention. Priority will be determined by looking at the level of catastrophe that would result from the worst-case failure of the node and the likelihood that a cyber attack could cause that failure.

Once the CFN are identified, the cyber failure modes for those nodes would have to be identified. This would be done in a cooperative effort between the Government and the owner of the CFN; the fewer cyber protective resources available to the owner, the more of those resources would have to be supplied by the Government. The cost of reliance on Government resources would be a partial loss of control over the use and employment of those assets. This potential loss of control would be the incentive for business owners to develop their own cyber protective capability, because Government use of those resources would not necessarily align with the business interests of the owner.

For the highest-risk CFN, the Government would retain the ability to monitor the cyber protective resources to detect probing and attacks on those resources. The purpose of the monitoring capability would be to detect the early stages of a cyber attack and trace them back to their origins. Political, electronic or physical counter-attacks would then be used to dissuade adversaries from pursuing their attacks.

The Government would also share information about attacks against CFN with other CFN defenders so that they could use that information to improve the defenses of their cyber assets.

Protecting the Rest of Critical Infrastructure

While the Government has the highest level of interest in protecting CFN, the protection of all critical infrastructure is of legitimate concern to the Government. Instead of the Government taking an active role in the defense of non-CCI facilities, the Government would require the identification and minimum protection of CFN at non-CCI facilities. It would also require the reporting of all attempts to compromise those protections, which the Government would then investigate, taking appropriate action against the perpetrators.

The protection of all non-catastrophic failure nodes would be the sole responsibility of the owner of the facility. Owners of most Government-regulated facilities would be required to report detected cyber attacks to a Government agency, which would then investigate those suspected attacks with a view towards identifying the perpetrators and the techniques that they used.

Broad Outline

This is, of course, only a broad outline of how the Government could address the protection of critical infrastructure against cyber attacks. As it becomes more and more obvious that nation states are undertaking cyber operations against their adversaries, it becomes clearer that the Government needs to be actively involved in defending the most critical infrastructure from such operations.

Serious discussion needs to begin on how this type of defense of private sector facilities can be best implemented.


Jake Brodsky said...

The popular view of cyber security is that evil hackers living in their mother's basements might unleash terrible things if they were to focus on infrastructure SCADA.

That's the myth. The reality is that it's the insiders that cause the most headache. With the notable exception of Stuxnet, the worst accidents to date were caused by people behaving poorly using inside resources and inside information.

So what can Government do about this at ANY level?

NOTHING. This is a personnel matter. It is not something we can protect from the outside.

Anonymous said...

Although government may have a role, I am not sure what makes someone think that they will be effective taking an active role in protection of critical privately owned systems. There are many good people working in government but organizationally it barely functions competently for most of its current responsibilities.
