Perspectives on Cybersecurity
The Rapidly Evolving Risks, the Implications and the Path Forward
October 2011
Introduction
Today's cybersecurity landscape is changing rapidly. Conventional security standards and practices cannot keep up with the frequency and sophistication of attacks. Between May and July 2011, industry and governments experienced a sharp increase in cyber attacks against a number of large, technically savvy organizations: Sony revealed that several major customer data thefts had occurred, affecting more than 100 million user accounts (77 million PlayStation Network users and 24.6 million PC games customers).[1] RSA, the company that makes one of the industry's most widely distributed two-factor authentication products, the SecurID token, suffered an attack that resulted in RSA replacing 40 million of its tokens.[2] In an attack directly related to the RSA breach, defense contractors Lockheed Martin and L-3 Communications were hit by sophisticated attackers who used counterfeit RSA tokens to impersonate the access codes of targeted employees.[3] The International Monetary Fund suffered cyber attacks in June, but it did not disclose the nature of the attacks or whether a security breach actually happened.[4] Citibank reported that credentials for 200,000 users were stolen, including names, account numbers and email addresses.[5] InfraGard, an FBI-led partner organization, was compromised by hackers in Connecticut and Atlanta, revealing the passwords of hundreds of industry and law enforcement users.[6] The identities of border patrol agents in Arizona were released by hacktivists (defined as those who use computers and networks as a means of protesting for political ends) in protest of Arizona's immigration enforcement policies.[7] Websites operated by organizations such as the CIA, the U.S. Senate, PBS and Citibank have been defaced in high-profile attacks by a hacking group called LulzSec ("hacking for laughs").[8] STUXNET, one of the most sophisticated computer viruses on record, specifically targeted and severely damaged an Iranian nuclear facility and signaled the future of cyberwar attacks on critical infrastructure.[9]
[1] http://online.wsj.com/article/SB10001424052748704436004576299491191920416.html
[2] http://www.businessweek.com/news/2011-06-07/emc-unit-rsa-to-replace-security-tokens-after-databreach.html
[3] http://www.wired.com/threatlevel/2011/05/l-3/
[4] http://gcn.com/articles/2011/06/14/imf-hacked-foreign-government-suspected.aspx
[5] http://www.theregister.co.uk/2011/06/09/citibank_hack_attack/
[6] http://www.huffingtonpost.com/2011/06/21/lulzsec-hack-fbi-partner-infragard-ct_n_881038.html
[7] http://www.azcentral.com/news/articles/2011/06/23/20110623lulzsec-hacks-into-arizona-dps-system-abrk23ON.html
[8] http://www.huffingtonpost.com/2011/06/20/lulzsec-anonymous-war-_n_880637.html
[9] http://en.wikipedia.org/wiki/Stuxnet
Page 1
WWW.LEVEL3.COM
Summary
Cyberspace is inextricably woven throughout the fabric of society. It extends from the public Internet, through both wired and wireless telecommunications networks, and into every home and business that uses digital voice, video and data. Treating the security of cyberspace separately from the physical world can be misleading, particularly considering the range of critical infrastructure applications, such as transport, energy distribution and finance, that require digital communications. Because it is ubiquitous, cyberspace is vulnerable to attacks by malicious parties from anywhere around the world. Ensuring cybersecurity is essential for society because the costs of ignoring it are too high. Also, because of the evolving sophistication of attackers, the tools, policies and procedures that were effective against attacks yesterday may no longer be effective tomorrow. Therefore, any new cybersecurity framework needs to avoid rigid procedures. Innovation and rapid response to threats should be rewarded. Appropriate incentives (both rewards and punishments) are needed for each segment of cyberspace. Because new threats are constantly developing into new, potentially unrecognizable attacks, any legislative or policy initiatives designed to combat these threats must be flexible and adaptable to encourage a high level of innovation. Level 3 Communications believes all entities (individuals, corporations, government and non-government organizations) need to contribute towards securing vital infrastructure. Responsibilities exist for individual end users, end-user organizations, broadband service and Internet service providers, as well as government agencies. Hardware and software vendors providing products that comprise network infrastructure also need to help protect cyberspace. These vendors must communicate vulnerabilities more rapidly to qualified recipients (such as the government and major Internet carriers) and perform more comprehensive testing prior to product release.
Once all of the major cyberspace participants invest in cybersecurity, it is conceivable that the overall number of damaging attacks could be reduced. Cybersecurity, which consists of protecting computer systems and networks from malicious software and attacks by outside parties, has become essential for modern civilization. As more types of critical infrastructure depend on software for global commerce, national security, emergency response, distribution of electricity, transportation and other critical services, the potential for large-scale cyber attacks becomes ever greater. Individuals, corporations and government agencies at local, state and federal levels all need to develop and implement plans to protect their systems and networks from malicious software and external attacks. Each group that is involved with cyberspace has a role to play in increasing cybersecurity:
- End users must ensure that their devices are free of malware, software intended to penetrate and compromise security.
- Broadband access providers should monitor traffic and help defeat malicious attacks at their sources.
- Equipment and software providers must improve their development, testing and patching procedures and be more forthcoming about latent defects in products when they are discovered.
- Carriers should provide more information to government agencies and to each other about potential network vulnerabilities and recurring sources of attacks.
- Government agencies should be directed to disseminate information about potential cyber threats to network providers, thereby enabling more timely and effective responses to attacks.
- Finally, critical infrastructure providers outside the telecommunications industry should receive government and industry support to develop more extensive cybersecurity plans and capabilities.
Legislation currently pending before Congress and Executive Branch initiatives have the potential to significantly improve the overall level of cybersecurity throughout government agencies and the general public. These regulations can be made more effective by removing barriers to communication between private network providers and government agencies. Also, greater emphasis should be placed on developing defensive strategies against unknown and emerging attacks, with less focus on formal security and certification processes. Threats against critical cyberspace infrastructure will continue to increase in scope and severity in coming years. Legislation encouraging network providers and government agencies to improve communication and focus on outcomes instead of processes will increase the chances of success against malicious actors.
Level 3 Purpose
This white paper is not intended to be an all-encompassing review of the issues and policies surrounding cybersecurity. The intention is to:
- Summarize Level 3 Communications' policy concerning the responsibilities of communications carriers, corporations, government and other segments of the U.S. Internet community.
- Emphasize the importance of productive relationships and efficient, multilateral communication between service providers and government agencies on issues ranging from threat identification and evaluation to interoperability between services and hardware.
- Provide Level 3's perspectives on proposed legislation affecting cybersecurity policy.
- Share Level 3's experience and learning on cybersecurity issues in dealing with international governments, customers and end users.
The complexity of attacks against targets in cyberspace is constantly increasing. As threats are discovered and counteracted, new threats are developed by a range of perpetrators, including government and military agencies, commercial enterprises, non-profit organizations and individuals. Some of these attacks are brute force, whereas others are so subtle that the victim never becomes aware of the data theft. A foreign nation's motivation goes beyond military intelligence. Some countries operate cyber-intelligence agencies to collect intellectual property for commercial competitive advantage.
Organized Crime: Earlier attacks were targeted at individuals, who were persuaded to buy worthless items or to provide the credentials required for accessing bank accounts. Recently, the focus has moved to corporate targets, where larger returns can be achieved. Crime syndicates are international and specialized; it is not uncommon for groups from around the world to join together for a specific attack and then to dissolve once the exploit has been completed.
Hacktivists: Hacker activists are entities using hacking techniques for social or political activism. Frequently cooperating in groups with a shared purpose, hacktivists target corporations or non-profit organizations that supply products or behave in ways that are disagreeable to the hacktivists. Victims come from a wide spectrum of society. Usually, the goal is to embarrass people or deface websites. Recently, many hacktivist organizations have turned to Distributed Denial of Service (DDoS) attacks intended to disrupt their targets' commercial operations in an attempt to influence policies.
Hacking Universities: These are informal, underground schools that teach hacking techniques. Legitimate universities also teach cybersecurity students courses in hacking and countermeasure design.
Professional Hackers: These are experienced hackers who get paid for developing and launching attacks against targets. Many of them sell their services to the highest bidder, whether it's a government agency, a corporation looking to test its own defenses or an organized crime syndicate. Others are more selective in their approach; so-called white hats are focused on improving cybersecurity for specific organizations or for the Internet at large.
Recreational Hackers: Many hackers get their start pursuing hacking for recreational purposes, particularly young people who may have limited resources and restrictions on their Internet usage. Their goals can range from curiosity to harmless fun, to serious attempts at penetrating hardened websites. While these hackers are capable of significant exploits, they can be a distraction from more experienced attackers who can cause greater damage. Prudent cybersecurity plans take recreational hackers into consideration, but success in thwarting these types of attacks should not be taken as an indicator of the cybersecurity plan's ability to deflect advanced attacks.
Mobile Devices: Many people today carry mobile telephones and tablet computers that have more processing power than earlier desktop computers. Coupled with their always-connected state, these devices represent millions of potential new threat sources and targets for attack.
DDoS Attacks: While there is nothing new about DDoS attacks, some technical evolution is under way. The availability of botnets for hire is increasing the severity of DDoS attacks. Botnets simultaneously bring millions of traffic sources online with the intent of overwhelming websites. They can be controlled using encrypted proprietary communications channels to precisely orchestrate their behavior. As botnets become more sophisticated, they become harder to defeat and more dangerous to victims.
Technical Tradeoffs: As users migrate to high-speed network connections and faster processors, they also expect quicker Internet response times. Technologies such as deep packet inspection can parse individual packets looking for virus and other malware signatures. In spite of the increasing levels of processor performance, tradeoffs must still be made between network speed and cybersecurity.
Technical innovation can provide better solutions for cybersecurity, such as more computing power for packet inspection within firewalls. But it can also create new areas where attacks can be a threat.
An effective cybersecurity program must include a range of stakeholders who share responsibility for security.
ROLES OF USERS
End users make up the largest group of Internet participants. Individual users and sophisticated enterprise users connect to the Internet through networks supplied by carriers and access providers. The best security practice is for users to ensure their devices and networks are free of viruses and botnets. In most cases, these tasks are best performed automatically with virus protection programs and software update utilities. Any change in Internet user behavior needs to address the privacy concerns of individuals and enterprises. A federal law forcing users to submit to intrusive device security scans may be rejected by the public and the courts. Instead, regulations must identify unacceptable behaviors and appropriate remedies. For example, user devices might not be allowed to send more than a specified number of ping requests to an IP address each minute; if the limit is exceeded, the remedy would be a temporary disconnection of the device.
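The ping-rate rule sketched above is simple enough to show as working detection logic. The following Python is an added example, not code from the Level 3 paper: it applies a "no more than N echo requests to one destination per minute" rule to constructed device records and returns the temporary disconnection the paper proposes as the remedy. The threshold of 60 per minute, the 10-minute cutoff, the record format and the device names are assumptions chosen for illustration.

```python
# Added example (not part of the Level 3 paper): a per-device ping-rate rule
# with temporary disconnection as the remedy. Threshold, window, cutoff period,
# record format and device names are assumptions chosen for illustration.
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_PINGS_PER_MINUTE = 60               # assumed policy threshold
WINDOW = timedelta(minutes=1)           # the "each minute" in the rule
DISCONNECT_FOR = timedelta(minutes=10)  # assumed length of the temporary disconnection

BASE = datetime(2011, 10, 1, 12, 0, 0)  # constructed start time for the sample


def make_sample_lines():
    """Constructed records in the form '<ISO time> <device> echo-request <dst-ip>'.
    dev-A pings a host three times in a minute (normal); dev-B sends 70 pings
    to the same host within 28 seconds (a flood)."""
    recs = [(BASE + timedelta(seconds=20 * i), "dev-A") for i in range(3)]
    recs += [(BASE + timedelta(milliseconds=400 * i), "dev-B") for i in range(70)]
    recs.sort()
    return [f"{ts.isoformat()} {dev} echo-request 198.51.100.7" for ts, dev in recs]


SAMPLE_LOG = make_sample_lines()


def parse_line(line):
    ts, device, _kind, dst = line.split()
    return datetime.fromisoformat(ts), device, dst


def evaluate(lines, limit=MAX_PINGS_PER_MINUTE):
    """Apply the rule to time-ordered records. Returns {device: disconnected_until}
    for every device that exceeded `limit` pings to one destination inside WINDOW."""
    windows = defaultdict(deque)  # (device, dst) -> timestamps within the last WINDOW
    disconnected = {}             # device -> time at which its disconnection expires
    for ts, device, dst in map(parse_line, lines):
        until = disconnected.get(device)
        if until is not None and ts < until:
            continue  # cut off: the device's packets do not reach the network
        q = windows[(device, dst)]
        q.append(ts)
        while ts - q[0] >= WINDOW:  # slide the window; q always keeps ts itself
            q.popleft()
        if len(q) > limit:
            disconnected[device] = ts + DISCONNECT_FOR
            q.clear()  # start fresh once the device is allowed back
    return disconnected


if __name__ == "__main__":
    for device, until in evaluate(SAMPLE_LOG).items():
        print(f"{device}: disconnected until {until.isoformat()}")
```

The window is tracked per (device, destination) pair, so a device that pings many different hosts a few times each is not penalized, while one that floods a single address trips the rule on the 61st request. Packets sent during the cutoff are ignored rather than counted, so the disconnection does not extend itself.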
protected. In addition, clean pipe methods can also detect malicious activity and reactively restrict the user's Internet access, giving the user a way to clean their machine. This practice will decrease the amount of malicious traffic that flows over a network. However, an interesting legal issue could arise: is it permissible for an access provider to deny customers access if they do not meet the carrier's clean pipe criteria? Legislation may be needed to regulate the criteria and to support carrier enforcement.
ROLES OF CARRIERS
Carriers play a key role in cybersecurity, but should not be the sole focus of security initiatives. Carriers can improve network security for users by providing safe, secure mechanisms for domain name system (DNS) lookups. Accurate lookups are important to all kinds of web users. DNS translates domain names (the host portion of a URL) into machine-readable IP addresses. Any incorrect or malicious DNS database entries can severely affect websites. If a malicious DNS entry redirected a banking website's users to another site, similar in appearance, the malicious website's operators could capture users' data, such as user names and passwords, for their own use. Carriers also have the responsibility to provide physical security for equipment installations and other facilities. Major facilities are engineered for continuous availability, and usually include redundant signal paths, power sources and interconnection points.
One common misconception is that Tier 1 network backbone carriers are ideally positioned to serve as the primary focus of cybersecurity efforts, particularly those aimed at filtering malicious traffic. This view is based on three assumptions:
- Carriers have easy access to the data packets transmitted over their networks (they do not).
- Carriers can discern what information is contained within each packet (difficult to impossible in the era of widespread encryption).
- Carriers can do something about malicious content that is detected (carriers can filter, but only at a basic level).
Given today's network designs, traffic flow rates, regulatory environment and technical resources, the practical way to increase cybersecurity is a cooperative effort at all levels of the Internet, among users (individual and enterprise), broadband access providers, carriers and government agencies. Cybersecurity attacks and threats should be communicated to other carriers and the government. Presently, there are three obstacles preventing carriers from making these disclosures.
1. The Competitive Environment: Carriers must be equally forthcoming with disclosures or all will refrain.
2. Fear of Reprisal or Retaliation: Carriers are reluctant to disclose serious breaches in order to avoid later being discredited or disqualified for future government or commercial business.
3. Anti-Competitive Behavior: Discussions between competitors could be construed as anti-competitive behavior, subjecting them to lawsuits under anti-trust provisions in the law.
To overcome the first two obstacles, legislation should require all carriers to disclose security breaches. This would level the competitive playing field and help prevent unfair retaliation against carriers for disclosures. To address the third obstacle, legislation should be developed to explicitly permit (or even require) cooperation in reporting attacks and potential threat vectors. Precedents for cooperative multi-vendor information sharing already exist in the information technology industry. Some anti-spam and virus protection organizations regularly share news about new computer viruses, and voice telecommunications carriers share information about toll-fraud attacks.
ROLE OF GOVERNMENT
Government agencies at the federal, state and local level have a significant interest in and responsibility for cybersecurity. Governments need to protect their internal networks and external websites, and must help protect the public infrastructure, including the Internet. In fulfilling this role, agencies need to work cooperatively with private network providers to develop and implement effective cybersecurity policies. These policies must support the narrow goal of protecting governmental infrastructure and the broader goal of increasing communication security and public safety. The federal government can contribute to increased cybersecurity by improving the information flow among carriers and other parties about threats and vulnerabilities. The two-way information flow between carriers and the government about actual and suspected threats must improve. New legislation should require significantly improved communication between these organizations. Several different types of information would be beneficial to both carriers and government agencies:
- Knowledge about common sources (by geographic location and/or IP address) of threats and attacks.
- Historical data about threats and related solutions.
- Descriptions of new attack technologies and vectors, including the means of infection and the targeted systems. Any exploits that target carrier-grade networking equipment should be a priority, as these can impact connectivity for many customers simultaneously.
- Advance warning about software flaws uncovered during testing by equipment and software suppliers, or zero-day exploits discovered in the wild (exploits that are actively being used).
- Guidelines recommending minimum security configurations and procedures. More extensive or different technologies could be implemented, but the minimum set of procedures must be met.
- A government-industry sharing database that provides real-time information on attack signatures, sources and other security-related data.
There is already a precedent for cooperative information sharing between telecommunications carriers for fighting toll fraud. An organization called the Communications Fraud Control Association (CFCA) maintains a Fraud Alert Library.
This library offers members up-to-the-minute information about the latest scams, evolving investigations and cases, compromised calling card and authorization codes, and other related fraud matters. When long-distance telephony providers identify a source of fraudulent telephone calls, information about the suspected perpetrator is shared. This information sharing helps in three major ways: it alerts carriers to suspected sources and mechanisms of fraud; it can potentially increase the evidence available to law enforcement; and it helps to reduce the amount of fraud on other carriers' networks. These same benefits would result from sharing cybersecurity information. Another precedent is the information sharing taking place between anti-virus vendors, which gives companies greater awareness of emerging threats. Currently, most government agencies purchase network services from carriers on a piecemeal basis. They rely on the carriers to design overall system connectivity incrementally, as contracts are won or lost. This approach leaves much to be desired. The overall efficiency and security of networks serving the government are not based on a cohesive master architecture. This needs to be re-examined. The Federal Government should take the lead in defining an overall architecture for communications between agencies and for interfaces to non-government parties. Government agencies could also benefit from establishing their own autonomous system number (ASN) that could act as a peering separation layer between government agencies and the rest of the Internet. The peering layer could easily be utilized as a unified, protective barrier, ensuring all threats are uniformly analyzed and appropriate responses are created. One possible benefit of this arrangement would be to spur innovation among technology vendors to help implement this enhancement on a carrier scale.
A variety of private enterprises provide infrastructure that supplies items critical to modern society, including communications, energy, healthcare, finance, food and water. Virtually all of these providers depend on modern communications for routine daily operations and data transfers. The government, in turn, depends on these private networks; therefore, ensuring a high level of cybersecurity for critical infrastructure network providers should be a priority for all levels of government. Beyond the networks used by telecommunications carriers, autonomous control networks are common within large infrastructure enterprises. Automated systems are used to regulate the supply of electricity within the power distribution grid, convey financial transactions between banks, and control devices used to deliver healthcare and produce food. These systems and the connecting networks need to be secured against cyber attacks, including ones similar to the STUXNET infestation, which targeted industrial control systems rather than normal computer workstations, servers or IP networking equipment. Technical assistance could improve cybersecurity for critical infrastructure providers by helping them develop a mature, comprehensive and agile plan that reacts to threats from many sources. Since the primary business of many of these providers is not related to networking, outside cybersecurity design and implementation would be advantageous. Government agencies should develop the framework necessary to gather assistance from industry experts.
LEVEL 3'S PERSPECTIVE
As a large global provider of network infrastructure and services, Level 3 has a broad view of the issues impacting cybersecurity. We believe it is the responsibility of service providers and government agencies at federal, state and local levels to communicate openly regarding cybersecurity issues. Through cooperative efforts between carriers and the government, and among carriers themselves, cybersecurity can be improved on many levels. Level 3 believes legislative efforts need to focus on creating a flexible, powerful framework for identifying, communicating and defeating cybersecurity threats. Because the frontline in this battle is constantly shifting, legislation that mandates specific methods for dealing with threats typically becomes obsolete before it is put into practice. A better policy would establish a set of clear goals, reporting rules and appropriate sanctions for cybersecurity requirements. Currently, cooperation between carriers and government agencies is hampered by a lack of suitable policies. At minimum, we believe any new cybersecurity legislation needs to address the following issues:
- Carriers need to know their intellectual property will be safeguarded and that they will not face lawsuits or prosecution under anti-trust regulations for sharing cybersecurity information.
- Carriers also need to be confident that any reports of security breaches will not be used against them, particularly with respect to current or future federal business contracts.
- Cybersecurity data needs to be distributed from carriers to government as well as from government to carriers.
- Clarified jurisdiction and reporting requirements for federal agencies will help streamline carrier responsibilities and improve response times to cybersecurity attacks.
point for cybersecurity implementation. This is underscored by the increase in FISMA compliance within government agencies with little or no corresponding improvement in broad measures of cybersecurity. FISMA could be improved by incorporating a set of best practices for the protection of management and back-office network environments and systems. This would help both government agencies and private network providers better understand how to develop systems that are less vulnerable to cyber attack. The DHS has established the Critical Infrastructure Partnership Advisory Council (CIPAC) to facilitate effective coordination of infrastructure protection programs between the federal, private, state, local, territorial and tribal sectors. The CIPAC represents a partnership between government and critical infrastructure/key resource (CIKR) owners and operators. It provides a forum to engage in a broad spectrum of activities to support and coordinate critical infrastructure protection.
Disclosure of summaries of security plans to the general public has merit. It helps reassure the public that the government and critical infrastructure providers are making substantial changes to improve overall cybersecurity.
design and implement cybersecurity measures. Further, the documentation requirements tend to incent maintaining the status-quo, instead of encouraging and rewarding innovations that could help enhance security. An adequate supply of trained, qualified personnel to design, implement and monitor security systems and procedures is a requirement for any successful cybersecurity operation. The proposed legislation actually may decrease the staffing levels at carriers due to the continuing education and recertification obligations required. Level 3 believes more than 20 percent of available staff hours will be consumed by certification, making those personnel unavailable for active cybersecurity efforts. Modifications to reduce required formalized training and certification should be considered. Carriers must also be encouraged to employ qualified individuals and support them with continuing education.
OMISSIONS
More emphasis on communication and action regarding actual and potential threats within proposed legislation could further enhance cybersecurity benefits for all stakeholders. Level 3 urges that consideration be given to the following.
- Higher standards of accountability need to be developed and enforced to ensure that hardware and software suppliers develop and implement effective cybersecurity product controls. Manufacturers should be held responsible for developing and executing effective hardware and software security test plans prior to manufacturing release.
- The White House director of cybersecurity policy should define security and validation requirements for hardware and software vendors. At a minimum, these requirements could be used as criteria for future government purchase decisions. Private enterprises (including carriers and broadband access providers) would also be able to evaluate suppliers based on their compliance with these published requirements.
- The White House cybersecurity coordinator or director of cybersecurity policy must formalize a national vulnerability disclosure policy for carriers and their vendors. It needs to clarify the types of information required to be disclosed as well as the rules to be used for distributing the information.
- Many different types of infrastructure have been identified as critical infrastructure in various pieces of existing and proposed legislation. Establishing a prioritized list of these items to help guide the actions of first responders in the event of a large-scale attack would be beneficial.
- Information about threats and attacks detected or suspected by carriers is routinely shared with the government, and is a well-established feature of proposed legislation. This could be improved by also requiring information sharing from government to carriers.
- The National Cybersecurity and Communications Integration Center (NCCIC) should be mandated to provide public databases that distribute current and past threat data to carriers and other critical infrastructure providers. Additional information, including the identities of suspected attackers and methods for dealing with threats, should also be added. Different levels of access privileges may need to be enabled for the database, with backbone Internet carriers and broadband access providers having the greatest level of access, and commercial enterprises and other end users having limited access privileges.
Regulations should give broadband access providers greater responsibility for detecting threats and stopping them. This will help overall cybersecurity goals by thwarting attackers closer to their source and preventing attacker traffic from mixing with other traffic. These regulations should be enforced through incentives for strong security measures taken by broadband access providers and through sanctions for failure to meet minimum standards. For access providers hoping to implement a clean pipe strategy (i.e. only providing network access to users who have installed effective anti-virus software on their devices), a legal framework needs to be established. It should include a clarification of the types of acceptable rules providers can establish. Liability protection for carriers denying service to users whose machines do not meet clean-pipe requirements also needs to be addressed.
System logs record a great deal of valuable data that can be used to perform forensic analysis after a cyber attack has occurred and to monitor network health on a long-term basis. Gathering and analyzing log data from a range of different network devices and providers would create a rich data set for research and analysis. Unfortunately, logs are captured by devices from different manufacturers and deployed by individual carriers, which causes incompatibilities and inconsistencies that make comparisons between logs extremely difficult. A standardized log format developed by NIST or another suitable entity would greatly increase the potential for data sharing. To stimulate use of a standard format, legislation requiring carriers to routinely deliver copies of log files to a central repository could be enacted. This repository should be managed by a federal agency, such as the NCCIC.
The White House cybersecurity coordinator has significant influence on the federal administration's cybersecurity conduct and on regulations developed by various federal agencies. Due to the level of responsibility, Senate confirmation should be required.
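As an added example (not from the Level 3 paper), the following Python sketch illustrates the log incompatibility problem described above and what a common schema buys: two constructed log lines in hypothetical vendor formats are normalized into one record layout, after which the same source can be correlated across devices operated by different carriers. The vendor formats, device names, addresses and the action vocabulary are all constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Two constructed log lines in hypothetical vendor formats that record the same kind of
# event: a syslog-style key=value line and a CSV line with a different timestamp style.
VENDOR_A_LINE = 'Jul 14 2011 02:15:33 fw-a1 deny: src=203.0.113.9 dst=198.51.100.20 proto=tcp dport=22'
VENDOR_B_LINE = '2011-07-14T02:15:40Z,rtr-b7,DROP,203.0.113.9,198.51.100.44,TCP,22'

VENDOR_A_RE = re.compile(
    r'^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<dev>\S+) (?P<act>\w+): (?P<kv>.*)$')

# Unified action vocabulary: each vendor names the same outcome differently.
ACTION_MAP = {'deny': 'blocked', 'drop': 'blocked', 'allow': 'allowed', 'permit': 'allowed'}

def _record(ts, device, action, src, dst, proto, dport):
    """Build the common record: ISO-8601 UTC timestamp, lower-cased protocol, mapped action."""
    return {'timestamp': ts.isoformat(), 'device': device,
            'action': ACTION_MAP.get(action.lower(), action.lower()),
            'src_ip': src, 'dst_ip': dst, 'protocol': proto.lower(), 'dst_port': int(dport)}

def normalize_vendor_a(line):
    """Parse the hypothetical vendor-A syslog format; return None for lines that do not match."""
    m = VENDOR_A_RE.match(line)
    if not m:
        return None
    kv = dict(pair.split('=', 1) for pair in m.group('kv').split())
    ts = datetime.strptime(m.group('ts'), '%b %d %Y %H:%M:%S').replace(tzinfo=timezone.utc)
    return _record(ts, m.group('dev'), m.group('act'), kv['src'], kv['dst'],
                   kv['proto'], kv['dport'])

def normalize_vendor_b(line):
    """Parse the hypothetical vendor-B CSV format into the same common schema."""
    fields = line.strip().split(',')
    if len(fields) != 7:
        return None
    ts = datetime.strptime(fields[0], '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)
    return _record(ts, *fields[1:])  # device, action, src, dst, proto, dport

def sources_seen_by_multiple_devices(records):
    """Return blocked source IPs reported by more than one device, the kind of
    cross-carrier correlation that a shared repository of uniform records allows."""
    seen = {}
    for r in records:
        if r['action'] == 'blocked':
            seen.setdefault(r['src_ip'], set()).add(r['device'])
    return {ip: sorted(devs) for ip, devs in seen.items() if len(devs) > 1}

if __name__ == '__main__':
    recs = [normalize_vendor_a(VENDOR_A_LINE), normalize_vendor_b(VENDOR_B_LINE)]
    print(sources_seen_by_multiple_devices(recs))  # {'203.0.113.9': ['fw-a1', 'rtr-b7']}
```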
IPV6 MIGRATION
As the September 2012 federal agency deadline approaches for IPv6 implementation, several issues must be addressed. First, any vulnerabilities arising from publishing addresses inside the DNS network will need to be corrected. Second, when more devices are issued with native IPv6 addresses and connected directly to the Internet (bypassing the Network Address Translation servers commonly used to protect IPv4 systems today), new mechanisms will need to be developed for ensuring device cybersecurity. And third, the added complexity required to simultaneously handle two protocol stacks (IPv4 and IPv6) within web servers and other devices will require extra vigilance in design and increased testing to prevent new vulnerabilities.
IDENTITY MANAGEMENT
Secure, flexible identity management can be easily deployed across multiple platforms with support from carriers. By placing credential servers within the network core, personnel can be verified across multiple agencies' networks. This portability provides greater mobility for staff and improves agencies' abilities to redistribute staff during network outages and public emergencies. Additionally, centralizing these functions could reduce overheads and lower costs.
FISMA REVISIONS
Future revisions to FISMA should focus on protecting systems against current and emerging attack vectors. This will help ensure response plans are developed to protect against specific threats. Once agencies start to implement incident response capabilities, those judged to be superior can be shared. Through information sharing and continuous improvement, the overall level of cybersecurity will increase for all federal agencies.
FUTURE RULEMAKING
More complex viruses, worms and other malware are continuously developed at rapid speeds. To keep pace, advanced innovation is needed throughout the cybersecurity industry. Rules and regulations must be flexible to avoid interfering with the development of effective countermeasures. Level 3 agrees with DHS Secretary Janet Napolitano, who said, "We believe that any government rules for cyberspace should identify where we want to be, not proscribe exactly how to get there, and should allow ample space for innovation. They should also be clear, fair and broadly supported, and respect and reflect the diversity of the society in which we live."
Conclusion
Cybersecurity cannot be achieved through simplistic, rigid rules. Effective defense against cyber attacks requires flexibility to adapt to an evolving array of threats. Cybersecurity adversaries utilize multifaceted approaches to compromise critical infrastructures. The cybersecurity industry must begin working together as a unified force to prevent these attacks. Legislation supporting increased two-way communications between service providers and government agencies encourages all Internet participants to accept appropriate responsibilities. It avoids burdensome certification and documentation requirements and can help increase overall levels of security. Although the threat of malicious cyber attacks and malware will never completely disappear, effective regulations and policies can make government and public networks safer and more secure.
© 2011 Level 3 Communications, LLC. All Rights Reserved. Level 3 Communications, Level 3 and the Level 3 Communications logo are registered service marks of Level 3 Communications, LLC in the United States and/or other countries. Level 3 services are provided by wholly owned subsidiaries of Level 3 Communications, Inc. Any other service, product or company names recited herein may be trademarks or service marks of their respective owners.
WWW.LEVEL3.COM
legislative concerns. In contrast, the focus of the traditional information assurance industry is protection of any given data's confidentiality, integrity and authentication. Another way to understand the difference is that cybersecurity aims to prevent attacks from accessing or destroying sensitive data, whereas information assurance is focused on encrypting data and recovering from system failures and attacks. Cybersecurity rules are formulated in FISMA and developed in Einstein; information assurance rules are based on HIPAA (Health Insurance Portability and Accountability Act of 1996) and the Sarbanes-Oxley Act of 2002.
A working knowledge of several key telecommunications and data networking terms and concepts is helpful in understanding the content within this paper. The following glossary should help define the key terms used in the document.
Access Provider: An enterprise that supplies network connections and Internet access to households, organizations and enterprises on a retail basis. Also known as ISPs (Internet service providers) and broadband access providers. Can take many forms, including local telephone co-ops, community services and cable TV providers.
APT (Advanced Persistent Threat): Sophisticated malware or other cyber attack targeted at a specific objective, such as disabling a certain website or obtaining particular information. Differs from many other attacks that merely seek financial gain from victims at random.
ASN (Autonomous System Number): A globally unique number that identifies each of the Autonomous Systems (AS) that are connected to make up the Internet. Each AS must have a single, consistent policy that is used for routing packets, and must be under the control of a single entity, such as a carrier or a large corporation. An AS can peer with another AS by exchanging routing information, which allows data traffic to flow directly between the systems.
Attack Vectors: Mechanisms or routes that are used to gain unauthorized access into a computer system. Examples include Internet connections, email attachments, USB thumb drives, and many others.
Backbone: International network of high-speed communication links and high-performance routers that provides connections between different portions of the Internet.
Botnet: Group of user devices or servers that have been infected with malware that gives an external party the ability to control some or all functions of the devices. Botnets made up of large numbers of compromised user PCs are frequently used to carry out DDoS attacks.
Carriers: National and international providers of Internet backbone services. May connect directly to large customers, but focus primarily on high-speed connections to access providers.
Clean Pipe: Cybersecurity principle wherein all devices connected to a specific network (or pipe) are demonstrated to be free of malware.
Cloud Computing: Software design concept where strict associations between software modules and hardware platforms are replaced with a flexible, distributed pool of computing resources that can be quickly allocated to tasks to meet rapidly shifting processing loads.
Control Families: Groups of protocols or procedures that provide related forms of protection against external threats. NIST has developed a reference list of control families including items such as Access Control, Physical and Environmental Protection, Identification and Authentication, and several others.
Cyber Attack: Malicious attempt by an outside party (often of criminal background) to gain control of a system, obtain unauthorized information or interfere with the normal behavior of the system.
Cybersecurity: A condition of being safe from unauthorized access to private information and protected against malicious use of networked devices; also, the actions taken to achieve this state.
DDoS (Distributed Denial of Service) Attack: Cyber attack that utilizes multiple coordinated processes to flood a targeted IP address with large numbers of pings or other packets, thereby causing the target to malfunction or to be unable to respond to requests from normal users.
Deep Packet Inspection: Technique used in firewalls and other devices where each IP packet is subject to rigorous screening for malware, including all or most types of embedded protocols.
DNS (Domain Name System): Functional component of the World Wide Web that converts user-readable URLs (Uniform Resource Locators) into the numeric IP addresses required for Internet transport. Corruption of the DNS database can cause devices to unknowingly connect to malicious servers.
FISMA (Federal Information Security Management Act of 2002): Federal law that defined cybersecurity requirements to be followed by each federal agency, including risk assessment, security planning and required certifications for systems and personnel.
Hosting: Providing a processing platform, including hardware and software, that allows an application to run. For example, web hosting provides a server and related software necessary to support the delivery of web pages in response to user requests.
IANA (Internet Assigned Numbers Authority): Organization that oversees the assignment of numerical values that must be globally unique on the public Internet, such as IP addresses and ASNs.
Identity Management: Process for verifying users and issuing them credentials necessary to access specific systems and information. Commonly used in large organizations.
Internet Protocol (IP): Part of the TCP/IP family of protocols describing software that tracks the Internet address of nodes, routes outgoing messages and recognizes incoming messages.
Intranet: Private IP-based network that may or may not connect to the public Internet through a firewall.
IPSec: Set of secure IP transport technologies that use cryptography to prevent unauthorized parties from reading packet contents.
IPv4 and IPv6: Current and emerging versions of the Internet Protocol. IPv4 supports the vast majority of users and servers on today's Internet. IPv6, which has been defined for more than a decade, is increasingly being used to support new users due to the scarcity of unallocated IPv4 addresses for new users and servers. All access providers must migrate to IPv6 by September 2012, as outlined in the Trusted Internet Connection mandate from the Office of Management and Budget.
ISP (Internet Service Provider): Company or organization that provides network access to the Internet for individuals and enterprises, generally on a monthly fee basis.
Kill Switch: Informal name for a network feature that provides the ability to completely isolate one portion of a network from another, often along lines that correspond to national boundaries.
Malware: Generic name for software with a malicious intent, comprising trojans, viruses, worms and other algorithms designed to cripple, control or steal information from targeted systems.
NCIRP (National Cyber Incident Response Plan): Document developed by the DHS to define the roles and responsibilities of government agencies and private industry in the event of a significant cyber attack.
Packet: A variable-length data container, consisting of a header and a payload, which can be transported over an IP network.
Ping: Short control message used to verify connectivity between two devices on a network. Devices can suffer from degraded performance when attempting to respond to a large number of simultaneous ping messages.
Provider Edge: Point that defines the limit of a given carrier's network, where connections are made to other carriers or to customer-provided equipment. Provider edge devices supply connectivity and packet forwarding functions that bring data into and out of a provider's network.
PSTN (Public Switched Telephone Network): Global telecommunications network that connects voice and data circuits among hard-wired, mobile and other devices that use numeric dialing.
Router: In IP networks, a device that examines the addressing information contained in each IP packet header to determine where to transmit packets through the network toward their ultimate destinations.
Scareware: Web-browser pop-ups and email messages that provide false security alerts to users in order to convince them to download and install useless or harmful anti-malware utilities. Frequently used to distribute trojans.
Server: Generically, any hardware or software device that provides services to another device or user. For Internet applications, web servers fulfill requests for data that are made from end users operating web browsers.
SSL (Secure Sockets Layer): Predecessor to TLS (Transport Layer Security), which is used to provide secure, encrypted communications between devices over the Internet or any other network.
STUXNET: One of the most sophisticated APTs encountered to date, this worm was apparently intended to disrupt the operation of centrifuges used to enrich uranium at facilities located in Iran. Stuxnet reportedly utilized four unknown zero-day vulnerabilities along with an advanced mechanism for propagation through portable USB thumb drives.
TIC mandate (Trusted Internet Connection): Set of rules issued by OMB for all civilian federal agencies that was intended to increase the overall level of cybersecurity and to simplify and control the interface between federal networks and the Internet.
Tier 1 Carriers: Large, self-sufficient network providers that provide data transport primarily over facilities that are owned and operated by the carrier. Tier 1 carriers provide direct connections to multiple Autonomous Systems and are typically international in scope.
Trojan: Named after the infamous Trojan horse described in Virgil's epic poem, this is a form of malware that hides inside a purportedly useful program such as a free anti-virus scanning utility. A trojan propagates by prompting unsuspecting users to download and install the program.
Virus: Form of malware that is typically transmitted through user actions such as opening an email attachment or visiting a specific website. Like their biological namesake, computer viruses often include a means to replicate within an infected system in order to infect new host devices.
Worm: Form of malware that autonomously propagates among systems that are connected by a common network, such as a shared corporate network.
Zero Day: System vulnerability that was present in a software system when initially released; could also be considered a latent security weakness that can be exploited by a malicious attacker.