
WHITE PAPER

Perspectives on Cybersecurity
The Rapidly Evolving Risks, the Implications and the Path Forward
October 2011

Introduction
Today's cybersecurity landscape is changing rapidly. Conventional security standards and practices cannot keep up with the frequency and sophistication of attacks. Between May and July 2011, industry and governments experienced a sharp increase in cyber attacks against a number of large, technically savvy organizations. Sony revealed that several major customer data thefts had occurred, affecting more than 100 million user accounts (77 million PlayStation Network users and 24.6 million PC games customers) [1]. RSA, a company that makes one of the industry's most widely distributed two-factor authentication SecurID tokens, suffered an attack that resulted in RSA replacing 40 million of its tokens [2]. In an attack directly related to the RSA breach, defense contractors Lockheed Martin and L-3 Communications were hit by sophisticated attackers who used counterfeit RSA tokens to impersonate the access codes of targeted employees [3]. The International Monetary Fund suffered cyber attacks in June, but it did not disclose the nature of the attacks or whether a security breach actually happened [4]. Citibank reported that credentials for 200,000 users were stolen, including names, account numbers and email addresses [5]. InfraGard, an FBI-led partner organization, was compromised by hackers in Connecticut and Atlanta, revealing the passwords of hundreds of industry and law enforcement users [6]. The identities of border patrol agents in Arizona were released in protest of Arizona's immigration enforcement policies by hacktivists (defined as those who use computers and networks as a means of protesting for political ends) [7]. Websites operated by organizations such as the CIA, the U.S. Senate, PBS and Citibank have been defaced in high-profile attacks by a hacking group called LulzSec ("hacking for laughs") [8]. STUXNET, one of the most sophisticated computer viruses on record, specifically targeted and severely damaged an Iranian nuclear facility and signaled the future of cyberwar attacks on critical infrastructure [9].
[1] http://online.wsj.com/article/SB10001424052748704436004576299491191920416.html
[2] http://www.businessweek.com/news/2011-06-07/emc-unit-rsa-to-replace-security-tokens-after-databreach.html
[3] http://www.wired.com/threatlevel/2011/05/l-3/
[4] http://gcn.com/articles/2011/06/14/imf-hacked-foreign-government-suspected.aspx
[5] http://www.theregister.co.uk/2011/06/09/citibank_hack_attack/
[6] http://www.huffingtonpost.com/2011/06/21/lulzsec-hack-fbi-partner-infragard-ct_n_881038.html
[7] http://www.azcentral.com/news/articles/2011/06/23/20110623lulzsec-hacks-into-arizona-dps-system-abrk23ON.html
[8] http://www.huffingtonpost.com/2011/06/20/lulzsec-anonymous-war-_n_880637.html
[9] http://en.wikipedia.org/wiki/Stuxnet



WWW.LEVEL3.COM

Summary
Cyberspace is inextricably woven throughout the fabric of society. It extends from the public Internet, through both wired and wireless telecommunications networks, and into every home and business that uses digital voice, video and data. Treating the security of cyberspace separately from the physical world can be misleading, particularly considering the range of critical infrastructure applications, such as transport, energy distribution and finance, that require digital communications. Because it is ubiquitous, cyberspace is vulnerable to attacks by malicious parties from anywhere around the world. Ensuring cybersecurity is essential for society because the costs of ignoring it are too high. Also, because the sophistication of attackers keeps evolving, the tools, policies and procedures that were effective against yesterday's attacks will continue to become obsolete. Therefore, any new cybersecurity framework needs to avoid rigid procedures. Innovation and rapid response to threats should be rewarded. Appropriate incentives (both rewards and punishments) are needed for each segment of cyberspace. Because new threats are constantly developing into new, potentially unrecognizable attacks, any legislative or policy initiatives designed to combat these threats must be flexible and adaptable to encourage a high level of innovation. Level 3 Communications believes all entities, whether individual, corporate, government or non-government, need to contribute towards securing vital infrastructure. Responsibilities exist for individual end users, end-user organizations, broadband service and Internet service providers, as well as government agencies. Hardware and software vendors providing products that comprise network infrastructure also need to help protect cyberspace. These vendors must communicate vulnerabilities more rapidly to qualified recipients (such as the government and major Internet carriers) and perform more comprehensive testing prior to product release.

Once all of the major cyberspace participants invest in cybersecurity, it is conceivable that the overall number of damaging attacks could be reduced. Cybersecurity, which consists of protecting computer systems and networks from malicious software and attacks by outside parties, has become essential for modern civilization. As more types of critical infrastructure depend on software for global commerce, national security, emergency response, distribution of electricity, transportation and other critical services, the potential for large-scale cyber attacks becomes ever greater. Individuals, corporations and government agencies at local, state and federal levels all need to develop and implement plans to protect their systems and networks from malicious software and external attacks. Each group that is involved with cyberspace has a role to play in increasing cybersecurity:

- End users must ensure that their devices are free of malware, software intended to penetrate and compromise security.
- Broadband access providers should monitor traffic and help defeat malicious attacks at their sources.
- Equipment and software providers must improve their development, testing and patching procedures and be more forthcoming about latent defects in products when they are discovered.
- Carriers should provide more information to government agencies and to each other about potential network vulnerabilities and recurring sources of attacks.
- Government agencies should be directed to disseminate information about potential cyber threats to network providers, thereby enabling more timely and effective responses to attacks.
- Finally, critical infrastructure providers outside the telecommunications industry should receive government and industry support to develop more extensive cybersecurity plans and capabilities.

Legislation currently pending before Congress and Executive Branch initiatives have the potential to significantly improve the overall level of cybersecurity throughout government agencies and the general public. These regulations can be made more effective by removing barriers so as to allow greater communication between private network providers and government agencies. Also, greater emphasis should be placed on developing defensive strategies against unknown and emerging attacks, while less focus is needed on the formal security and certification processes. Threats against critical cyberspace infrastructure will continue to increase in scope and severity in coming years. Legislation encouraging network providers and government agencies to improve communication and to focus on outcomes instead of processes will increase the chances for success against malicious actors.


Level 3 Purpose
This white paper is not intended to be an all-encompassing review of the issues and policies surrounding cybersecurity. The intention is to:

- Summarize Level 3 Communications' policy concerning the responsibilities of communications carriers, corporations, government and other segments of the U.S. Internet community.
- Emphasize the importance of productive relationships and efficient, multilateral communication between service providers and government agencies on issues ranging from threat identification and evaluation to interoperability between services and hardware.
- Provide Level 3's perspectives on proposed legislation affecting cybersecurity policy.
- Share Level 3's experience and learning on cybersecurity issues in dealing with international governments, customers and end users.

Assessment of Evolving Threats


To understand the cybersecurity challenges, some common attacks and obstacles are described below.

EVOLVING SOURCES OF THREATS


The complexity of attacks against targets in cyberspace is constantly increasing. As threats are discovered and counteracted, new threats are developed by a range of perpetrators. Most attacks come from one of these sources:

- Foreign Governments: Many governments have cyberwarfare and cyberintelligence agencies focused on gathering information from entities outside their borders, including government and military agencies, commercial enterprises, non-profit organizations and individuals. Some of these attacks are brute force, whereas others are so subtle that the victim never becomes aware of the data theft. A foreign nation's motivation goes beyond military intelligence. Some countries operate cyber-intelligence agencies to collect intellectual property for commercial competitive advantage.
- Organized Crime: Earlier attacks were targeted at individuals, who were persuaded to buy worthless items or to provide the credentials required for accessing bank accounts. Recently, the focus has moved to corporate targets, where larger returns can be achieved. Crime syndicates are international and specialized; it is not uncommon for groups from around the world to join together for a specific attack and then dissolve once the exploit has been completed.
- Hacktivists: Hacker activists are entities using hacking techniques for social or political activism. Frequently cooperating in groups with a shared purpose, hacktivists target corporations or non-profit organizations that supply products or behave in ways that are disagreeable to the hacktivists. Victims come from a wide spectrum of society. Usually, the goal is to embarrass people or deface websites. Recently, many hacktivist organizations have turned to Distributed Denial of Service (DDoS) attacks intended to disrupt their targets' commercial operations in an attempt to influence policies.
- Hacking Universities: These are informal, underground schools that teach hacking techniques. Legitimate universities, too, teach cybersecurity students courses in hacking and countermeasure design.
- Professional Hackers: These are experienced hackers who get paid for developing and launching attacks against targets. Many of them sell their services to the highest bidder, whether it's a government agency, a corporation looking to test its own defenses or an organized crime syndicate. Others are more selective in their approach; so-called white hats are focused on improving cybersecurity for specific organizations or for the Internet at large.
- Recreational Hackers: Many hackers get their start pursuing hacking for recreational purposes, particularly young people who may have limited resources and restrictions on their Internet usage. Their goals can range from curiosity to harmless fun to serious attempts at penetrating hardened websites. While these hackers are capable of significant exploits, they can be a distraction from more experienced attackers who can cause greater damage. Prudent cybersecurity plans take recreational hackers into consideration, but success in thwarting these types of attacks should not be considered an indicator of the cybersecurity plan's ability to deflect advanced attacks.

EVOLVING USES OF TECHNOLOGY


Technical innovation can provide better solutions for cybersecurity, such as more computing power for packet inspection within firewalls. But it can also create new areas where attacks can be a threat. Some of the new technologies that pose an increasing challenge for cybersecurity include:

- Cloud Computing: In place of using dedicated hardware servers to provide websites and other processing functions, enterprises are increasingly using cloud computing resources. The key benefit of a cloud is virtualization. Hardware resources are dynamically allocated to software processes as needed, as opposed to a fixed configuration of software on each hardware server. Attackers see cloud computing companies as prime targets for gaining access to multiple companies at once.
- Mobile Devices: Many people today carry mobile telephones and tablet computers that have more processing power than previous desktop computers. Coupled with their always-connected state, these devices are literally millions of potential new threat sources and targets for attack.
- DDoS Attacks: While there is nothing new about DDoS attacks, some technical evolution is under way. The availability of botnets for hire is increasing the severity of DDoS attacks. Botnets simultaneously bring millions of traffic sources online with the intent of overwhelming websites. They can be controlled using encrypted proprietary communications channels to precisely orchestrate their behavior. As botnets become more sophisticated, they become harder to defeat and more dangerous to victims.
- Technical Tradeoffs: As users migrate to high-speed network connections and faster processors, they also expect quicker Internet response times. Technologies such as deep packet inspection can parse individual packets looking for virus and other malware signatures. In spite of the increasing levels of processor performance, tradeoffs must still be made between network speed and cybersecurity.

EVOLVING TYPES OF ATTACKS


Several new attack types have been successfully developed by malicious agents. Here are a few examples:

- Spear Phishing is a variant of phishing, in which users are lured into giving out personal data, such as credit card and bank account numbers, through websites and email that appear legitimate. In this attack, specific individuals are targeted based on their access to information, technology or level of administrative access within the targeted organization. For example, a system administrator for a major financial institution would be specifically targeted with messages or website referrals that appear to come from close friends or coworkers. To gain the information needed to prepare these false messages, attackers often leverage information extracted from the target's contact lists and online social networking profiles. This precise targeting of specific individuals is what adds the "spear" to basic phishing.
- Zero-Day Attacks exploit latent defects that existed in a product when it was first delivered to market. These attacks may be simple tools to gain unauthorized control of compromised systems by utilizing malicious code. As a result, there has been an increase in professional researchers who identify and develop methods and tools that take advantage of security weaknesses in applications, systems or networks (called vulnerabilities or exploits). And a vibrant online market exists to sell these methods and tools to criminal syndicates, who use them to attack networks for financial gain, such as stealing company proprietary data or financial information from end users.
- Advanced Persistent Threats (APT) represent a cyber attack focused on obtaining specific types of information, such as business plans, identities of dissidents or government secrets. An APT is often the work of a group which has demonstrated capabilities in persistently attacking a specific entity with precision. Common targets include government agencies, media and social or culturally based activist organizations. The scope of APTs can vary widely, ranging from telephone or data communication intercepts to malware and virus attacks. The most successful attacks are designed to avoid detection by the victim and to penetrate hardened targets in a methodical fashion. The STUXNET worm described earlier is an APT that used several zero-day exploits and targeted a brand of industrial control equipment known to be used in Iranian uranium enrichment facilities.


Cybersecurity Roles and Responsibilities


An effective cybersecurity program must include a range of stakeholders who share responsibility for security. There is no single point in the cyber ecosystem where all protection activities are concentrated, as there are too many possible attack vectors. Attacks that exploit weaknesses in one area can be thwarted by protections within another layer. For example, if a virus happens to bypass the defenses erected by a broadband provider, users could be shielded by security software running on their own devices. Today's Internet is formed through connections between millions of discrete devices, which provide various capabilities for different parties. Security behaviors can be grouped into broad categories: end users (both individuals and enterprises), broadband access providers, equipment and software providers, carriers, government, and critical infrastructure providers.


ROLES OF USERS
End users make up the largest group of Internet participants. Individual users and sophisticated enterprise users connect to the Internet through networks supplied by carriers and access providers. The best security practice is for users to ensure their devices and networks are free of viruses and botnets. In most cases, these tasks are best performed automatically with virus protection programs and software update utilities. Any changes in Internet user behavior need to address the privacy concerns of individuals and enterprises. A federal law forcing users to submit to intrusive device security scans may be rejected by the public and the courts. Instead, regulations must identify unacceptable behaviors and appropriate remedies. For example, user devices may not be allowed to send more than a specified number of ping requests to an IP address each minute. If that number is exceeded, the remedy would be a temporary disconnection of the device.
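The per-device ping rule just described, implemented as detection logic an access provider could run over its own flow records. This is an added example, not code from the paper or from Level 3; the flow-record layout, the device identifiers, the 60-per-minute threshold and the five-minute disconnection are constructed assumptions.

```python
"""Enforcing a per-device ping-rate rule over access-provider flow records.

Added example (not from the Level 3 paper). Assumed policy: a subscriber
device may send at most MAX_PINGS_PER_MINUTE ICMP echo requests to any one
destination IP within a sliding one-minute window; exceeding it triggers a
temporary disconnection that lapses after DISCONNECT_SECONDS. All values,
record fields and device names are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

MAX_PINGS_PER_MINUTE = 60   # assumed threshold
WINDOW_SECONDS = 60.0
DISCONNECT_SECONDS = 300.0  # assumed remedy: five-minute disconnection
ICMP_ECHO_REQUEST = 8       # ICMP type 8 is an echo request ("ping")


@dataclass
class FlowRecord:
    ts: float                      # seconds since epoch
    device_id: str                 # subscriber device identifier (constructed)
    dst_ip: str
    proto: str                     # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None


class Enforcer:
    """Sliding-window counter per (device, destination) plus a disconnection list."""

    def __init__(self) -> None:
        self.windows: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.disconnected_until: Dict[str, float] = {}
        self.actions: List[str] = []

    def is_disconnected(self, device_id: str, now: float) -> bool:
        until = self.disconnected_until.get(device_id)
        if until is None:
            return False
        if now >= until:                       # penalty has lapsed
            del self.disconnected_until[device_id]
            return False
        return True

    def observe(self, rec: FlowRecord) -> Optional[str]:
        """Feed one record; return an action string if it triggers the remedy."""
        if self.is_disconnected(rec.device_id, rec.ts):
            return None                        # already cut off for now
        if rec.proto != "icmp" or rec.icmp_type != ICMP_ECHO_REQUEST:
            return None                        # rule covers echo requests only
        key = (rec.device_id, rec.dst_ip)
        win = self.windows[key]
        win.append(rec.ts)
        while win and rec.ts - win[0] >= WINDOW_SECONDS:
            win.popleft()                      # age out requests older than a minute
        if len(win) > MAX_PINGS_PER_MINUTE:
            until = rec.ts + DISCONNECT_SECONDS
            self.disconnected_until[rec.device_id] = until
            del self.windows[key]
            action = (f"disconnect {rec.device_id} until t={until:.0f}: "
                      f"{len(win)} echo requests to {rec.dst_ip} within {WINDOW_SECONDS:.0f}s")
            self.actions.append(action)
            return action
        return None


def build_sample_flows() -> List[FlowRecord]:
    """Constructed sample: one normal device and one flooding a single address."""
    flows: List[FlowRecord] = []
    for i in range(30):                        # dev-A: 30 pings per minute, under the limit
        flows.append(FlowRecord(1000.0 + 2.0 * i, "dev-A", "203.0.113.10", "icmp", ICMP_ECHO_REQUEST))
    for i in range(100):                       # dev-B: 100 pings in ten seconds
        flows.append(FlowRecord(1000.0 + 0.1 * i, "dev-B", "203.0.113.10", "icmp", ICMP_ECHO_REQUEST))
    flows.append(FlowRecord(1010.5, "dev-B", "203.0.113.10", "tcp"))   # TCP must not count
    flows.sort(key=lambda r: r.ts)
    return flows


def run(flows: List[FlowRecord]) -> Enforcer:
    """Replay the records in time order and return the enforcer state."""
    enf = Enforcer()
    for rec in flows:
        enf.observe(rec)
    return enf


if __name__ == "__main__":
    for line in run(build_sample_flows()).actions:
        print(line)
```

Only echo requests count toward the limit, and a device that is already disconnected generates no further actions until the penalty lapses.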

ROLES OF BROADBAND ACCESS PROVIDERS


Broadband access providers play a crucial role in connecting all types of users to carrier backbones. This category includes local suppliers of digital subscriber line (DSL) and cable modem services, which may serve a few neighborhoods or span multiple states. These networks are in a unique position to detect and prevent malicious traffic from end-user computers, which are typically the largest source of botnet traffic. Backbone network carriers are challenged to prevent the propagation of malicious traffic from broadband access providers due to several factors: identifying the source of malicious traffic; the volume of traffic that must be monitored; and their caution in terminating a connection that may carry both legitimate and illegitimate traffic. Traffic from malicious sources is better filtered if those sources are confined to individual network connections. A potential solution for controlling malicious traffic from unsuspecting users is called the "clean pipe" method, enforced by broadband providers. It requires users to have working anti-virus software and up-to-date patches on their PCs, and denies general access to the Internet until the machine is properly protected. In addition, clean pipe methods can also detect malicious activity and reactively restrict the user's Internet access, providing the user with a method to clean their machine. This practice will decrease the amount of malicious traffic that flows over a network. However, an interesting legal issue could arise: Is it permissible for an access provider to deny customers access if they do not meet the carrier's clean pipe criteria? Legislation may be needed to regulate the criteria and to support carrier enforcement.

ROLES OF EQUIPMENT AND SOFTWARE PROVIDERS


Carriers, broadband access providers and users depend on a collection of suppliers to provide the hardware and software used to build networks. System components from PCs to routers to virus protection software are available. As most carriers act as system integrators, they depend heavily on these suppliers. They select best-of-breed components and combine them to provide comprehensive solutions. Unfortunately, some hardware and software contains defects, which makes systems vulnerable to attacks. Many of these are zero-day defects, while others are introduced by faulty patches or software upgrades applied to existing code that alter the structure of that code. Improvements clearly need to be made in commercial software development, testing and release. Already, carriers and other system users are strongly encouraging technology suppliers to improve software development methods, yet software products continue to yield a significant number of security flaws that pose threats to infrastructure. Alongside the need to reduce defects in commercial products, carriers would benefit from prompt notification of defects after discovery. Today, many suppliers hesitate to announce product issues until a remedy is developed and tested. If critical infrastructure providers and government agencies were notified at the time of discovery, they could institute their own remedies. By rerouting sensitive traffic away from vulnerable systems or intensifying the monitoring of systems with known defects to catch intrusions, significant damage could be avoided. Early notification of product defects might negatively affect equipment and software suppliers in a competitive market. Confidential information about latent defects should only be used for the defense of critical infrastructures, so that technology suppliers do not fear notifying users of product defects when they are discovered. Suppliers' intellectual property needs to be protected. A government agency could be given a mandate to implement the necessary regulations for distributing product defect information. Sanctions against any person or enterprise that compromises the confidentiality of a defect report also must be enforced.


ROLES OF CARRIERS
Carriers play a key role in cybersecurity, but should not be the sole focus of security initiatives. Carriers can improve network security for users by providing safe, secure mechanisms for domain name system (DNS) lookups. Accurate lookups are important to all kinds of web users. DNS translates URLs, or domain names, into machine-readable IP addresses. Any incorrect or malicious DNS database entries can severely affect websites. If a malicious DNS entry redirected a banking website's users to another site, similar in appearance, the malicious website operators could capture users' data, such as user names and passwords, for their own use. Carriers also have the responsibility to provide physical security for equipment installations and other facilities. Major facilities are engineered for continuous availability, and usually include redundant signal paths, power sources and interconnection points.

One common misconception is that Tier 1 network backbone carriers are ideally positioned to serve as the primary focus of cybersecurity efforts, particularly those aimed at filtering malicious traffic. This view is based on three assumptions: carriers have easy access to data packets transmitted over their networks (which carriers do not); carriers can discern what information is contained within each packet (difficult to impossible in the era of widespread encryption); and carriers can do something about malicious content that is detected (carriers can filter, but only at basic levels). Given today's network designs, traffic flow rates, regulatory environment and technical resources, the practical way to increase cybersecurity is a cooperative effort at all levels of the Internet, among users (individual and enterprise), broadband access providers, carriers and government agencies.

Cybersecurity attacks and threats should be communicated to other carriers and to the government. Presently, there are three obstacles preventing carriers from making these disclosures.

1. The Competitive Environment: Carriers must be equally forthcoming with disclosures or all will refrain.
2. Fear of Reprisal or Retaliation: Carriers are reluctant to disclose serious breaches in order to avoid later being discredited or disqualified for future government or commercial business.
3. Anti-Competitive Behavior: Discussions between competitors could be construed as anti-competitive behavior, subjecting them to lawsuits under the anti-trust provisions of the law.

To overcome these obstacles, legislation should require all carriers to disclose security breaches. This would level the competitive playing field and help prevent unfair retaliation against carriers for disclosures. To address the third obstacle, legislation should be developed to explicitly permit (or even require) cooperation in reporting attacks and potential threat vectors. Precedents for cooperative multi-vendor information sharing already exist in the information technology industry and include successful cross-vendor information sharing and compliance. Some anti-spam and virus protection organizations regularly share news about new computer viruses, and voice telecommunications carriers share information about toll-fraud attacks.
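A check for the DNS redirection scenario described above, written from the carrier's side: each address answer a recursive resolver hands out for a monitored name is compared against the address ranges that name is known to use, and off-range answers are flagged for investigation. This is an added example, not code from the paper or from Level 3; the allow-list, the log format and the sample log lines are constructed, using documentation address space (RFC 5737 and RFC 3849).

```python
"""Flagging resolver answers that fall outside a monitored domain's known ranges.

Added example (not from the Level 3 paper). Assumes a carrier keeps, per
monitored name, the address ranges the domain owner has confirmed out of
band, and that its recursive resolvers log each answer handed to a client.
The allow-list and log lines below are constructed using documentation
address space (RFC 5737 and RFC 3849).
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed allow-list: monitored name -> networks it legitimately resolves to.
EXPECTED_RANGES: Dict[str, List[str]] = {
    "bank.example.com": ["203.0.113.0/28", "2001:db8:10::/48"],
    "www.example.net": ["198.51.100.0/24"],
}

# Constructed resolver log: "<unix-ts> <client-ip> <qname> <qtype> <answer>".
SAMPLE_LOG = """\
1318000001 10.0.0.5 bank.example.com A 203.0.113.7
1318000002 10.0.0.9 bank.example.com A 192.0.2.44
1318000003 10.0.0.5 www.example.net A 198.51.100.20
1318000004 10.0.0.7 bank.example.com AAAA 2001:db8:10::17
1318000005 10.0.0.7 other.example.org A 192.0.2.1
1318000006 10.0.0.9 bank.example.com A garbage
malformed line
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; None for lines that do not match the layout."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qname, qtype, answer = parts
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
            "qtype": qtype.upper(), "answer": answer}


def check_answer(qname: str, answer: str,
                 expected: Dict[str, List[str]] = EXPECTED_RANGES) -> Optional[str]:
    """Return None if the answer is acceptable, else a short reason string.

    Names absent from the allow-list are not monitored and always pass.
    An IPv4 answer is never contained in an IPv6 network (and vice versa),
    so a mismatched address family is reported as off-range.
    """
    ranges = expected.get(qname)
    if ranges is None:
        return None
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return "unparseable answer"
    if any(addr in ipaddress.ip_network(net) for net in ranges):
        return None
    return "answer outside expected ranges"


def find_suspicious_answers(log_text: str,
                            expected: Dict[str, List[str]] = EXPECTED_RANGES) -> List[Dict[str, str]]:
    """Scan A/AAAA answers and return one finding per answer that fails the check."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] not in ("A", "AAAA"):
            continue
        reason = check_answer(rec["qname"], rec["answer"], expected)
        if reason is not None:
            findings.append({**rec, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_answers(SAMPLE_LOG):
        print(f"{f['ts']} client={f['client']} {f['qname']} {f['qtype']} "
              f"-> {f['answer']}: {f['reason']}")
```

A finding means the resolver served an address the domain owner never published, which is exactly the redirect-to-lookalike case the text describes; confirming whether the cause is a poisoned cache, a compromised authoritative server or a stale allow-list is the next step for the carrier's operations team.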


ROLE OF GOVERNMENT
Government agencies at the federal, state and local level have a significant interest in and responsibility for cybersecurity. Governments need to protect their internal networks and external websites, and must help protect the public infrastructure, including the Internet. In fulfilling this role, agencies need to work cooperatively with private network providers to develop and implement effective cybersecurity policies. These policies must support the narrow goal of protecting governmental infrastructure and the broader goal of increasing communication security and public safety. The federal government can contribute to increased cybersecurity by improving information flow among carriers and other parties about threats and vulnerabilities. The two-way information flow between carriers and the government about actual and suspected threats must improve. New legislation should require significantly improved communication between these organizations. Several different types of information would be beneficial to both carriers and government agencies:

- Knowledge about common sources (by geographic location and/or IP address) of threats and attacks.
- Historical data about threats and related solutions.
- Descriptions of new attack technologies and vectors, including the means of infection and the targeted systems. Any exploits that target carrier-grade networking equipment could be a priority, as these can impact connectivity for many customers simultaneously.
- Advance warning about software flaws uncovered during testing by equipment and software suppliers, or zero-day exploits discovered in the wild (exploits that are actively being used).
- Guidelines recommending minimum security configurations and procedures. More extensive or different technologies could be implemented, but the minimum set of procedures must be met.
- A government-industry sharing database that provides real-time information on attack signatures, sources and other security-related data.

There is already a precedent for cooperative information sharing between telecommunications carriers for fighting toll fraud. An organization called the Communications Fraud Control Association (CFCA) maintains a Fraud Alert Library. This library offers members up-to-the-minute information about the latest scams, evolving investigations and cases, compromised calling card and authorization codes, and other related fraud matters. When long-distance telephony providers identify a source of fraudulent telephone calls, information about the suspected perpetrator is shared. This information sharing helps in three major ways: it alerts carriers to suspected sources and mechanisms of fraud; it can potentially increase the evidence available to law enforcement; and it helps to reduce the amount of fraud on other carriers' networks. These same benefits would result from sharing cybersecurity information. Another precedent is the information sharing taking place between anti-virus vendors, which gives companies greater awareness of emerging threats.

Currently, most government agencies purchase network services from carriers on a piecemeal basis. They rely on the carriers to design overall system connectivity on an incremental basis, as contracts are won or lost. This approach leaves much to be desired. The overall efficiency and security of networks serving the government are not based on a cohesive master architecture. This needs to be re-examined. The Federal Government should take the lead in defining an overall architecture for communications between agencies and for interfaces to non-government parties. Government agencies could also benefit from establishing their own autonomous system number (ASN) that could act as a peering separation layer between government agencies and the rest of the Internet. The peering layer could easily be utilized as a unified, protective barrier, ensuring all threats are uniformly analyzed and appropriate responses are created. One possible benefit of this arrangement would be to spur innovation among technology vendors to help implement this enhancement on a carrier scale.

ROLES OF CRITICAL INFRASTRUCTURE PROVIDERS


A variety of private enterprises provide infrastructure that supplies items critical to modern society, including communications, energy, healthcare, finance, food and water. Virtually all of these providers depend on modern communications for routine daily operations and data transfers. The government, in turn, depends on these private networks; therefore, ensuring a high level of cybersecurity for critical infrastructure network providers should be a priority for all levels of government. Beyond the networks used by telecommunications carriers, autonomous control networks are common within large infrastructure enterprises. Automated systems are used to regulate the supply of electricity within the power distribution grid, convey financial transactions between banks, and control devices used to deliver healthcare and produce food. These systems and the connecting networks need to be secured against cyber attacks. This includes attacks similar to the STUXNET infestation, which targeted industrial control systems rather than ordinary computer workstations, servers or IP networking equipment. Technical assistance could improve cybersecurity for critical infrastructure providers by helping them develop a mature, comprehensive and agile plan that reacts to threats from many sources. Since the primary business of many of these providers is not related to networking, outside cybersecurity design and implementation would be advantageous. Government agencies should develop the framework necessary to gather assistance from industry experts.

LEVEL 3'S PERSPECTIVE
As a large global provider of network infrastructure and services, Level 3 has a broad view of issues impacting cybersecurity. We believe it is the responsibility of service providers and government agencies at federal, state and local levels to communicate openly regarding cybersecurity issues. Through cooperative efforts between carriers and the government, and among carriers themselves, cybersecurity can be improved on many levels. Level 3 believes legislative efforts need to focus on creating a flexible, powerful framework for identifying, communicating and defeating cybersecurity threats. Because the frontline in this battle is constantly shifting, legislation that mandates specific methods for dealing with threats typically becomes obsolete before it is put into practice. A better policy would establish a set of clear goals, reporting rules and appropriate sanctions for cybersecurity requirements.

Page 10

Currently, cooperation between carriers and government agencies is hampered by a lack of suitable policies. At minimum, we believe any new cybersecurity legislation needs to address the following issues:
Carriers need to know their intellectual property will be safeguarded and that they will not face lawsuits or prosecution under anti-trust regulations for sharing cybersecurity information.
Carriers also need to be confident that any reports of security breaches will not be used against them, particularly with respect to current or future federal business contracts.
Cybersecurity data needs to be distributed from carriers to government as well as from government to carriers.
Clarified jurisdiction and reporting requirements for federal agencies will help streamline carrier responsibilities and improve response times to cybersecurity attacks.

Legislation and Policy


Currently, numerous cybersecurity legislative and executive proposals are being considered by the U.S. Senate and House of Representatives. All of these proposals share certain themes derived from studies of previous legislation and regulations outcomes. To explore these proposals further, we grouped our findings into four categories: Results of prior initiatives; proposals Level 3 believes are on target; proposals that need more analysis; and areas not addressed.


PREVIOUS OR EXISTING EFFORTS


The Trusted Internet Connection (TIC) mandate, originally announced by the Office of Management and Budget (OMB) in 2007, was developed to reduce the number of Internet portals used by the Federal Government from approximately 4000 down to 50. At each portal, several functions were required, including firewall, anti-virus, anti-spam and intrusion detection. TIC also requires migration to Internet Protocol version 6 (IPv6), which greatly expands the address range of IP and supports billions of additional devices. The Block 3 enhancement to the Department of Homeland Security's (DHS) Einstein project appears to be more promising in efforts to address cybersecurity concerns. It offers both intrusion prevention and detection in addition to the reporting capabilities of the previous versions, Blocks 1 and 2. Block 3 is designed to detect and re-route suspicious traffic using hardware and software installed in the carrier's facility. Because it is mandatory for all federal civilian agencies, Block 3 will likely raise the overall level of cybersecurity throughout the government. The National Cyber Incident Response Plan (NCIRP) was developed by the DHS under presidential directive. It defines the process and procedures to be followed when a cyber attack is uncovered. This includes sending relevant information to the U.S. Computer Emergency Readiness Team (US-CERT). Some of the information is then shared to help develop countermeasures such as antivirus software. The Federal Information Security Management Act (FISMA), enacted in 2002, has not produced the results originally anticipated. It has been successful in raising awareness of the main tenets of cybersecurity. However, the reporting and personnel certification requirements emphasize planning over action to thwart cyber attacks.

WWW.LEVEL3.COM

Meeting FISMA requirements is treated as an objective rather than a starting point for cybersecurity implementation. This is underscored by the increase in FISMA compliance within government agencies with little or no corresponding improvement in broad measures of cybersecurity. FISMA could be improved by incorporating a set of best practices for the protection of management and back-office network environments and systems. This would help both government agencies and private network providers better understand how to develop systems that are less vulnerable to cyber attack. The DHS has established the Critical Infrastructure Partnership Advisory Council (CIPAC) to facilitate effective coordination of infrastructure protection programs between the federal, private, state, local, territorial and tribal sectors. The CIPAC represents a partnership between government and critical infrastructure/key resource (CIKR) owners and operators. It provides a forum to engage in a broad spectrum of activities to support and coordinate critical infrastructure protection.


KEY POINTS OF CONCURRENCE IN PROPOSED LEGISLATION


The following describes some of the provisions Level 3 believes should be included in legislation:
A nationwide system of breach reporting is needed by government and critical infrastructure providers. This will provide a richer data set for analysis of current and potential threats, as well as support the development of better algorithms for attack detection and prevention.
The proposed new penalties for cyber criminals appear to offer more effective consequences. By applying stiffer penalties, deterrence and the benefits of prosecution are increased.

AREAS FOR FURTHER STUDY IN PROPOSED LEGISLATION


Some areas of proposed legislation require clarification or potential revision to make them more closely aligned with the overall goal of enhancing cybersecurity. Level 3 proposes the following be considered for possible revision in the proposed legislation:
The definition of the term "security breach" needs further clarification, particularly when mandatory breach reporting requirements are being woven into the proposed legislation. Level 3 submits the following definition for consideration: An unauthorized acquisition of and access to unencrypted or unredacted computerized data that materially causes or is reasonably likely to cause substantial economic loss.
Disclosure of summaries of security plans to the general public has merits. It helps reassure the public that the government and critical infrastructure providers are making substantial changes to improve overall cybersecurity. Summary plans should include very abstract descriptions with an emphasis on principles and goals. Actual technologies and methods should not be disclosed. This will help keep cybersecurity solutions effective for longer periods of time.
Current FISMA regulations provide a framework designed to enhance cybersecurity. There are a number of solid, practical rules included that make sense for any modern networking organization. Unfortunately, the detail required for documenting and certifying procedures is time-consuming, costly and can compete for the resources needed to design and implement cybersecurity measures. Further, the documentation requirements tend to reward maintaining the status quo, instead of encouraging and rewarding innovations that could help enhance security.
An adequate supply of trained, qualified personnel to design, implement and monitor security systems and procedures is a requirement for any successful cybersecurity operation. The proposed legislation actually may decrease the staffing levels at carriers due to the continuing education and recertification obligations required. Level 3 believes more than 20 percent of available staff hours will be consumed by certification, making those personnel unavailable for active cybersecurity efforts. Modifications to reduce required formalized training and certification should be considered. Carriers must also be encouraged to employ qualified individuals and support them with continuing education.

OMISSIONS
More emphasis on communication and action regarding actual and potential threats within proposed legislation could further enhance cybersecurity benefits for all stakeholders. Level 3 urges that consideration be given to the following:
Higher standards of accountability need to be developed and enforced to ensure that hardware and software suppliers develop and implement effective cybersecurity product controls. Manufacturers should be held responsible for developing and executing effective hardware and software security test plans prior to manufacturing release. The White House director of cybersecurity policy should define security and validation requirements for hardware and software vendors. At a minimum, these requirements could be used as criteria for future government purchase decisions. Private enterprises (including carriers and broadband access providers) would also be able to evaluate suppliers based on their compliance with these published requirements.
The White House cybersecurity coordinator or director of cybersecurity policy must formalize a national vulnerability disclosure policy for carriers and their vendors. It needs to clarify the types of information required to be disclosed as well as the rules to be used for distributing the information.
Many different types of infrastructure have been identified as critical infrastructure in various pieces of existing and proposed legislation. Establishing a prioritized list of these items to help guide the actions of first responders in the event of a large-scale attack would be beneficial.
Sharing information about threats and attacks detected or suspected by carriers with the government is routine today and is a well-established feature of proposed legislation. This could be improved by requiring the sharing of information in both directions, from government to carriers as well as from carriers to government. The National Cybersecurity and Communications Integration Center (NCCIC) should be mandated to provide public databases that distribute current and past threat data to carriers and other critical infrastructure providers. Additional information, including the identities of suspected attackers and methods for dealing with threats, should also be added. Different levels of access privileges may need to be enabled for the database, with backbone Internet carriers and broadband access providers having the greatest level of access, and commercial enterprises and other end users having limited access privileges.


Regulations should give broadband access providers greater responsibility for detecting threats and stopping them. This will help overall cybersecurity goals by helping thwart attackers closer to their source and preventing attacker traffic from mixing with other traffic. These regulations should be enforced through incentives for strong security measures taken by broadband access providers and by sanctions for failure to meet minimum standards.
For access providers hoping to implement a "clean pipe" strategy (i.e. only providing network access to users who have installed effective anti-virus software on their devices), a legal framework needs to be established. It should include a clarification of the types of acceptable rules providers can establish. Liability protection for carriers denying service to users whose machines do not meet clean-pipe requirements also needs to be addressed.
System logs record a great deal of valuable data that can be used to perform forensic analysis after a cyber attack has occurred and for monitoring network health on a long-term basis. Gathering and analyzing log data from a range of different network devices and providers would create a rich data set for research and analysis. Unfortunately, logs are captured by devices from different manufacturers and deployed by individual carriers. This causes incompatibilities and inconsistencies, which make comparisons between logs extremely difficult. A standardized log format developed by NIST or another suitable entity would greatly increase the potential for data sharing. To stimulate use of a standard format, legislation requiring carriers to routinely deliver copies of log files to a central repository could be enforced. This should be managed by a federal agency, such as the NCCIC.
The White House cybersecurity coordinator has significant influence on the federal administration's cybersecurity conduct and on regulations developed by various federal agencies. Due to the level of responsibility, Senate confirmation should be required.
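The log-sharing problem described above becomes concrete once two providers' records have to be compared. The following added example (not from the Level 3 paper; both input formats, the common field names and the sample lines are constructed for illustration and match no real vendor's output) normalizes a syslog-style firewall feed and a CSV export with a different timestamp and action encoding into one schema, after which a cross-provider question can be asked of both at once.

```python
"""Normalizing heterogeneous device logs into one common schema.

Added example, not part of the Level 3 paper. The two input formats and
the field names of the common record are constructed for illustration;
they do not correspond to any real vendor's log format.
"""
import csv
import io
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# A deliberately minimal common schema: one timestamp convention (UTC,
# ISO 8601), one set of field names, one action vocabulary.
@dataclass(frozen=True)
class Event:
    ts: str          # ISO 8601, UTC
    provider: str    # who contributed the record
    src: str         # source IPv4 address as text
    dst: str
    dport: int
    action: str      # "deny" or "allow"

# Constructed format A: a syslog-style firewall line, e.g.
# "Oct 12 03:14:07 fw1 kernel: DROP SRC=198.51.100.7 DST=203.0.113.5 DPT=22"
_SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ \S+: "
    r"(?P<act>DROP|ACCEPT) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)$"
)

def parse_syslog_line(line: str, provider: str, year: int = 2011) -> Event:
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    # Syslog timestamps carry neither year nor zone: the caller supplies the
    # year and we assume the device clock is UTC (a labelled assumption).
    ts = datetime.strptime(
        f"{year} {m['mon']} {m['day'].strip()} {m['time']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=timezone.utc)
    return Event(ts.isoformat(), provider, m["src"], m["dst"], int(m["dpt"]),
                 "deny" if m["act"] == "DROP" else "allow")

# Constructed format B: CSV with epoch seconds and a numeric action flag
# (0 = permitted, 1 = blocked), as a different vendor might emit.
def parse_csv_export(text: str, provider: str) -> list[Event]:
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromtimestamp(int(row["epoch"]), tz=timezone.utc)
        out.append(Event(ts.isoformat(), provider, row["src_ip"], row["dst_ip"],
                         int(row["dst_port"]),
                         "deny" if row["blocked"] == "1" else "allow"))
    return out

def shared_denied_sources(events: list[Event], min_providers: int = 2) -> dict[str, int]:
    """Sources denied by at least `min_providers` distinct providers.

    This question is only answerable once both feeds share field names,
    timestamp convention and action vocabulary, which is the point of the
    normalization step."""
    seen: dict[str, set[str]] = {}
    for e in events:
        if e.action == "deny":
            seen.setdefault(e.src, set()).add(e.provider)
    return {src: len(p) for src, p in seen.items() if len(p) >= min_providers}

# Constructed sample input (addresses from RFC 5737 documentation ranges).
SYSLOG_SAMPLE = [
    "Oct 12 03:14:07 fw1 kernel: DROP SRC=198.51.100.7 DST=203.0.113.5 DPT=22",
    "Oct 12 03:14:09 fw1 kernel: ACCEPT SRC=192.0.2.44 DST=203.0.113.5 DPT=443",
    "Oct 12 03:15:01 fw1 kernel: DROP SRC=198.51.100.7 DST=203.0.113.9 DPT=3389",
]
CSV_SAMPLE = (
    "epoch,src_ip,dst_ip,dst_port,blocked\n"
    "1318389250,198.51.100.7,203.0.113.77,22,1\n"
    "1318389261,192.0.2.44,203.0.113.77,443,0\n"
)

def normalize_all() -> list[Event]:
    """Merge both constructed feeds into one time-ordered list of Events."""
    events = [parse_syslog_line(line, "carrier-A") for line in SYSLOG_SAMPLE]
    events += parse_csv_export(CSV_SAMPLE, "carrier-B")
    return sorted(events, key=lambda e: e.ts)

if __name__ == "__main__":
    merged = normalize_all()
    for e in merged:
        print(asdict(e))
    print("denied by multiple providers:", shared_denied_sources(merged))
```

The timestamp handling is where real feeds diverge most: the syslog line has no year or zone while the CSV has epoch seconds, and without agreeing on one convention the two records for 198.51.100.7 could not be placed on a common timeline.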

Future Directions in Cybersecurity


Beyond the current legislative and regulatory initiatives, significant developments will shape the landscape of cybersecurity for years to come. The following four sections address several of these developments and their potential impacts on government networks as well as the public Internet.

IPV6 MIGRATION
As the September 2012 federal agency deadline approaches for IPv6 implementation, several issues must be addressed. First, any vulnerabilities arising from publishing addresses inside the DNS network will need to be corrected. Second, when more devices are issued native IPv6 addresses and connected directly to the Internet (bypassing the Network Address Translation devices commonly used to shield IPv4 systems today), new mechanisms will need to be developed for ensuring device cybersecurity. And third, the added complexity required to simultaneously handle two protocol stacks (IPv4 and IPv6) within web servers and other devices will require extra vigilance in design and increased testing to prevent new vulnerabilities.

IDENTITY MANAGEMENT
Secure, flexible identity management can be easily deployed across multiple platforms with support from carriers. By placing credential servers within the network core, personnel can be verified across multiple agencies' networks. This portability provides greater mobility for staff and improves agencies' abilities to redistribute staff during network outages and public emergencies. Additionally, centralizing these functions could reduce overheads and lower costs.

FISMA REVISIONS
Future revisions to FISMA should focus on protecting systems against current and emerging attack vectors. This will help ensure response plans are developed to protect against specific threats. Once agencies start to implement incident response capabilities, those judged to be superior can be shared. Through information sharing and continuous improvement, the overall level of cybersecurity will increase for all federal agencies.

FUTURE RULEMAKING
More complex viruses, worms and other malware are continuously developed at rapid speeds. To keep pace, advanced innovation is needed throughout the cybersecurity industry. Rules and regulations must be flexible to avoid interfering with the development of effective countermeasures. Level 3 agrees with DHS Secretary Janet Napolitano, who said, "We believe that any government rules for cyberspace should identify where we want to be, not proscribe exactly how to get there, and should allow ample space for innovation. They should also be clear, fair and broadly supported, and respect and reflect the diversity of the society in which we live."


Conclusion
Cybersecurity cannot be achieved through simplistic, rigid rules. Effective defense against cyber attacks requires flexibility to adapt to an evolving array of threats. Cybersecurity adversaries utilize multifaceted approaches to compromise critical infrastructures. The cybersecurity industry must begin working together as a unified force to prevent these attacks. Legislation supporting increased two-way communications between service providers and government agencies encourages all Internet participants to accept appropriate responsibilities. It avoids burdensome certification and documentation requirements and can help increase overall levels of security. Although the threat of malicious cyber attacks and malware will never completely disappear, effective regulations and policies can make government and public networks safer and more secure.

2011 Level 3 Communications, LLC. All Rights Reserved. Level 3 Communications, Level 3 and the Level 3 Communications logo are registered service marks of Level 3 Communications, LLC in the United States and/or other countries. Level 3 services are provided by wholly owned subsidiaries of Level 3 Communications, Inc. Any other service, product or company names recited herein may be trademarks or service marks of their respective owners.

Appendix: Defining Cybersecurity and Other Terms


Level 3 broadly defines cybersecurity as the ongoing development and maintenance of the security of all computers and systems in a network environment. This definition may include related broad-based topics like social, political and legislative concerns. In contrast, the focus of the traditional information assurance industry is protection of any given data's confidentiality, integrity and authentication. Another way to understand the difference is that cybersecurity aims to prevent attacks from accessing or destroying sensitive data, whereas information assurance is focused on encrypting data and recovering from system failures and attacks. Cybersecurity rules are formulated in FISMA and developed in Einstein; information assurance rules are based on HIPAA (Health Insurance Portability and Accountability Act of 1996) and the Sarbanes-Oxley Act of 2002.

A working knowledge of several key telecommunications and data networking terms and concepts is helpful in understanding the content of this paper. The following glossary defines the key terms used in the document.

Access Provider: An enterprise that supplies network connections and Internet access to households, organizations and enterprises on a retail basis. Also known as ISPs (Internet service providers) and broadband access providers. Can take many forms, including local telephone co-ops, community services and cable TV providers.
APT (Advanced Persistent Threat): Sophisticated malware or other cyber attack targeted at a specific objective, such as disabling a certain website or obtaining particular information. Differs from many other attacks that merely seek financial gain from victims at random.
ASN (Autonomous System Number): A globally unique number that identifies each of the Autonomous Systems (AS) that are connected to make up the Internet. Each AS must have a single, consistent policy that is used for routing packets, and must be under the control of a single entity, such as a carrier or a large corporation. An AS can peer with another AS by exchanging routing information, which allows data traffic to flow directly between the systems.
Attack Vectors: Mechanisms or routes that are used to gain unauthorized access into a computer system. Examples include Internet connections, email attachments, USB thumb drives, and many others.
Backbone: International network of high-speed communication links and high-performance routers that provides connections between different portions of the Internet.
Botnet: Group of user devices or servers that have been infested with malware that gives an external party the ability to control some or all functions of the devices. Botnets made up of large numbers of compromised user PCs are frequently used to carry out DDoS attacks.
Carriers: National and international providers of Internet backbone services. May connect directly to large customers, but focus primarily on high-speed connections to access providers.
Clean Pipe: Cybersecurity principle wherein all devices connected to a specific network (or "pipe") are demonstrated to be free of malware.
Cloud Computing: Software design concept where strict associations between software modules and hardware platforms are replaced with a flexible, distributed pool of computing resources that can be quickly allocated to tasks to meet rapidly shifting processing loads.
Control Families: Groups of protocols or procedures that provide related forms of protection against external threats. NIST has developed a reference list of control families including items such as Access Control, Physical and Environmental Protection, Identification and Authentication, and several others.
Cyber Attack: Malicious attempt by an outside party (often of criminal background) to gain control of a system, obtain unauthorized information or interfere with the normal behavior of the system.
Cybersecurity: A condition of being safe from unauthorized access to private information and protected against malicious use of networked devices; also, the actions taken to achieve this state.
DDoS (Distributed Denial of Service) Attack: Cyber attack that utilizes multiple coordinated processes to flood a targeted IP address with large numbers of pings or other packets, thereby causing the target to malfunction or to be unable to respond to requests from normal users.
Deep Packet Inspection: Technique used in firewalls and other devices where each IP packet is subject to rigorous screening for malware, including all or most types of embedded protocols.
DNS (Domain Name System): Functional component of the World Wide Web that converts user-readable URLs (Uniform Resource Locators) into the numeric IP addresses required for Internet transport. Corruption of the DNS database can cause devices to unknowingly connect to malicious servers.
FISMA (Federal Information Security Management Act of 2002): Federal law that defined cybersecurity requirements to be followed by each federal agency, including risk assessment, security planning and required certifications for systems and personnel.
Hosting: Providing a processing platform, including hardware and software, that allows an application to run. For example, web hosting provides a server and the related software necessary to support the delivery of web pages in response to user requests.
IANA (Internet Assigned Numbers Authority): Organization that oversees the assignment of numerical values that must be globally unique on the public Internet, such as IP addresses and ASNs.
Identity Management: Process for verifying users and issuing them the credentials necessary to access specific systems and information. Commonly used in large organizations.
Internet Protocol (IP): Part of the TCP/IP family of protocols describing software that tracks the Internet address of nodes, routes outgoing messages and recognizes incoming messages.
Intranet: Private IP-based network that may or may not connect to the public Internet through a firewall.
IPSec: Set of secure IP transport technologies that use cryptography to prevent unauthorized parties from reading packet contents.
IPv4 and IPv6: Current and emerging versions of the Internet Protocol. IPv4 supports the vast majority of users and servers on today's Internet. IPv6, which has been defined for more than a decade, is increasingly being used to support new users due to the scarcity of new IPv4 addresses needed for new users and servers. All access providers must migrate to IPv6 by September 2012, as outlined in the Trusted Internet Connection mandate from the Office of Management and Budget.


ISP (Internet Service Provider): Company or organization that provides network access to the Internet for individuals and enterprises, generally on a monthly fee basis.
Kill Switch: Informal name for a network feature that provides the ability to completely isolate one portion of a network from another, often along lines that correspond to national boundaries.
Malware: Generic name for software with malicious intent, comprising trojans, viruses, worms and other programs designed to cripple, control or steal information from targeted systems.
NCIRP (National Cyber Incident Response Plan): Document developed by the DHS to define the roles and responsibilities of government agencies and private industry in the event of a significant cyber attack.
Packet: A variable-length data container, consisting of a header and a payload, which can be transported over an IP network.
Ping: Short control message used to verify connectivity between two devices on a network. Devices can suffer from degraded performance when attempting to respond to a large number of simultaneous ping messages.
Provider Edge: Point that defines the limit of a given carrier's network, where connections are made to other carriers or to customer-provided equipment. Provider edge devices supply connectivity and packet forwarding functions that bring data into and out of a provider's network.
PSTN (Public Switched Telephone Network): Global telecommunications network that connects voice and data circuits among hard-wired, mobile and other devices that use numeric dialing.
Router: In IP networks, a device that examines the addressing information contained in each IP packet header to determine where to transmit packets through the network toward their ultimate destinations.
Scareware: Web-browser pop-ups and email messages that provide false security alerts to users in order to convince them to download and install useless or harmful anti-malware utilities. Frequently used to distribute trojans.
Server: Generically, any hardware or software device that provides services to another device or user. For Internet applications, web servers fulfill requests for data that are made by end users operating web browsers.
SSL (Secure Sockets Layer): Predecessor to TLS (Transport Layer Security) that is used to provide secure, encrypted communications between devices over the Internet or any other network.
STUXNET: One of the most sophisticated APTs encountered to date, this worm was apparently intended to disrupt the operation of centrifuges used to enrich uranium at facilities located in Iran. Stuxnet reportedly utilized four previously unknown zero-day vulnerabilities along with an advanced mechanism for propagation through portable USB thumb drives.
TIC mandate (Trusted Internet Connection): Set of rules issued by OMB for all civilian federal agencies that was intended to increase the overall level of cybersecurity and to simplify and control the interface between federal networks and the Internet.
Tier 1 Carriers: Large, self-sufficient network providers that provide data transport primarily over facilities that are owned and operated by the carrier. Tier 1 carriers provide direct connections to multiple Autonomous Systems and are typically international in scope.
Trojan: Named after the infamous Trojan horse described in Virgil's epic poem, this is a form of malware that hides inside a purportedly useful program such as a free anti-virus scanning utility. A trojan propagates by prompting unsuspecting users to download and install the program.
Virus: Form of malware that is typically transmitted through user actions such as opening an email attachment or visiting a specific website. Like their biological namesake, computer viruses often include a means to replicate within an infected system in order to infect new host devices.
Worm: Form of malware that autonomously propagates among systems that are connected by a common network, such as a shared corporate network.
Zero Day: System vulnerability that was present in a software system when initially released; could also be considered a latent security weakness that can be exploited by a malicious attacker.
