ON THE LOOKOUT FOR DATA ON CYBER-ATTACKS

Businesses might be grumbling, either softly or loudly, but they are starting to step in line with Homeland security. Initiatives now being implemented range from a national cyberspace threat reduction program to new container regulations for maritime shipping.

In February of 2003, the White House released the National Strategy to Secure Cyberspace, a 76-page document outlining five different priorities, including National Security Threat and Vulnerability Reduction. A program springing from this priority calls upon business partners to share information with the federal government about cyber-attacks.

Some companies, however, still seem reluctant to share all they know, says John Watters, president and CEO of iDefense, one of the key private sector organizations involved in the program.

Barriers are complex

The security threat reduction program is already in gear, along with programs around three of the four other cyber-security initiatives, according to Watters. The only priority still on hold is National Security and International Security Cooperation.

Under the security threat reduction program, the National Cyber Security Division (NCSD) of the Department of Homeland Security is using the Computer Emergency Response Team (CERT) Coordination Center run by Carnegie Mellon University as an interface to try to find out more information about cyber-threats, Watters adds.

Through the program, about 500 subscribers in the Department of Defense (DoD) receive daily bulletins about emerging vulnerabilities in software code, as well as any security exploits hackers are using to take advantage of those weaknesses. Subscribers also receive the software code used in the security breaches, along with links to software patches for fixing the vulnerabilities.

Watters’ company monitors and analyzes the data, in an effort to detect patterns in the timing of vulnerabilities and exploits — and to get a sense of the hackers’ identities and motives.

Under an associated awareness program, some of the accumulated data gets boiled down into security tips, which are then available to the general public on the CERT Web site. So far, the tips have ranged in topic from spam prevention to anti-virus software.

Why does the federal government want more cyber-attack reports from private industry? Essentially, the government wants to gather as much data as it can, for quicker response to new threats. “Exploits keep emerging faster and faster, as soon as new vulnerabilities come out,” Watters says.

Who are the perpetrators, and what do they want? “Organized crime, particularly in Russia, is probably the biggest chunk of it,” Watters adds. As for motives, he points to consumer identity theft and credit card fraud.

Other experts mention additional groups that are also active in Internet hacking. Attacks run the gamut from “concerted threats to (script) kiddies” who pull pranks, says Michael R. Higgins, managing director of technology risk management for Tekmark Global Solutions.

“For the most part, government is still experiencing a continuation of ‘port scanning,’ in which hackers are simply probing networks, to see where everything is placed. This isn’t an attack yet. It’s pre-attack,” Higgins says.

Types of cyber-disasters

It’s obvious to experts that actual attacks are already being carried out against businesses and even against consumers. The federal government is also at risk, suggests Carl Herberger, information security specialist at SunGard Availability Services.

“Nation-states are putting lots of money into training professionals to be able to take down an adversary’s public information system. This is no longer simply about certain countries only. It’s about nearly every country,” Herberger says.

Herberger adds that cyber-attacks can be even more harmful than physical disasters such as hurricanes and earthquakes, which are typically limited geographically. He divides cyber-disasters into four different categories:

• Malicious code disasters — caused by viruses, worms and other malicious software programs.

• Network disasters — where hackers take control of hardware devices on enterprise networks.

• “Poor security” disasters — typically resulting from a lack of employee awareness about proper procedures. Sharing password information with other people is one example of this sort of practice.

• Criminal disasters — generally insider-based. “Here, the attacker is usually either ‘after someone’ or ‘after some money,’” Herberger says.

Meanwhile, the NCSD still does not receive as much “info sharing” about cyber-attacks as it would like, according to Watters. “There’s still an air of skepticism,” he says.

“The threats are certainly out there, but the info sharing isn’t quite there yet,” Higgins concurs. “Collaboration is essential, however.”

Higgins contends that private companies and government agencies have somewhat different reasons for not wanting to fully disclose their experiences in cyberspace. “As businesses see it, ‘The government is still the government.’ Some are afraid, perhaps, that something they say will spark a security audit of their companies,” he says. “People also fear that competitors and customers will find out that they are not as good at security as they would like to be.”

Government agencies, on the other hand, are sensitive to public opinion, and with good reason, Higgins indicates. “Government gets embarrassed. If there’s any sort of (incursion) against a government agency, even the most benign, it makes front page news — even if the agency involved was the lowly ‘department of manhole covers,’ or something.”

Information sharing works best, he suggests, when participants are guaranteed full anonymity. Moreover, most info sharing, at present, is a one-way street. Right now, subscribers to the security threat program are still limited to the U.S. military. “The NCSD, though, is now trying to determine methodologies for additional disclosures,” Watters says.

Watters cites lack of trust as the biggest inhibitor to info sharing. As one antidote, he says, the program will strive to gain greater respect from private industry through the “products,” or reports, it produces.

Shippers face new regulations

Meanwhile, on July 1, international shippers are due to start complying with the latest regulations from the International Maritime Organization (IMO)-ISPS. The new rules require all ships and containers to have shipping plans in place. Furthermore, all manifests must be broadcast to the U.S. Coast Guard at least 24 hours before containers arrive at the U.S. border. Citing costs of compliance, some shippers are worried that they will not be ready on time.

Eventually, the shippers will start using containers that feature computer-based RFID (radio frequency identification) and GPS (global positioning system) technologies, says Jonathan Tull, president of Homeland Security Research, an independent market research firm.

“Some will make the deadline, and others won’t,” Tull says. “If you don’t comply, however, you will get stopped (for inspection), and this will delay shipment of your container. Those who don’t comply by July 1 will ultimately be forced by economic pressures to comply anyway.”

Tull foresees similar factors at work in terms of future deployment of wireless RFID technology, for describing the contents of containers, and GPS, for pinpointing the container’s location.

“Companies that use these technologies will become the preferred shippers,” Tull says. “The Wal-Marts of this world want to work with shippers whose cargo arrives on time — not with people who are three weeks late.”