Skip to main content

Toward a Safer and More Secure Cyberspace (2007) / Chapter Skim
Currently Skimming:

2 What Is at Stake?
Pages 19-50

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.


From page 19...
... Information technology is used to execute the principal business processes both in government and in many of the largest sectors of the economy, including financial services, health care, utilities, transportation, and services. Indeed, the architecture of today's enterprise IT systems is the very embodiment of the critical business logic in complex enterprises.
Read the entire page →
From page 20...
... Understanding context, personal information appliances will make appropriate information available on demand, enabling users to be more productive in both their personal and professional lives. And, as has been true with today's desktops and mainframes, interconnections among all of these now-smart objects and appliances will multiply their usefulness many times over.
Read the entire page →
From page 21...
... A single data stream that is compromised by an eavesdropper may lead system operators and those who depend on the system to be concerned that all data streams are potentially compromised. In such cases, the potential harm from any of these incidents goes far beyond the actual corrupted database or compromised data stream, since enormous amounts of effort need to be made to ensure that other databases or data streams have not been corrupted or compromised.
Read the entire page →
From page 22...
... Key elements of information technology fall into three major categories: the Internet; embedded/ real-time computing (e.g., avionics systems for aircraft control; air traffic control; Supervisory Control and Data Acquisition [SCADA] systems controlling the distribution of electricity, gas, and water; the switching systems of the conventional telecommunications infrastructure; bank teller machine networks; floodgates)
Read the entire page →
From page 23...
... But the Internet is a densely connected network of networks that automatically routes around portions that become unavailable,3 which means that a large number of important nodes would have to be destroyed simultaneously to bring it down for an extended period of time. Destruction of some key Internet nodes could result in reduced network capacity and slow traffic across the Internet, but the ease with which Internet communications can be rerouted would minimize the long-term damage.4 An attack that comes through the wires rather than via physical attack can have much higher leverage.
Read the entire page →
From page 24...
... denoting specific Internet nodes. A relatively small number of "root name servers" underpins the DNS.
Read the entire page →
From page 25...
... Another possible attack on embedded/real-time computing would be an attack on the systems controlling elements of the nation's critical infrastructure -- for example, the electric power grid, the air traffic control system, the railroad infrastructure, water purification and delivery, or telephony. For example, attacks on the systems and networks that control and manage elements of the nation's transportation infrastructure could introduce chaos and disruption on a large scale that could drastically reduce the capability of transporting people and/or freight (including food and fuel)
Read the entire page →
From page 26...
... 2.3.3 Attacks on Dedicated Computing Facilities In many of the same ways that embedded computing could be attacked, dedicated computers such as desktop computers could also be corrupted in ways that are hard to detect. One possible channel comes from the use of untrustworthy IT talent by software vendors.8 The con 7 For example, the cause of the blackout of August 2003 -- lasting 4 days and affecting 50 million people in large portions of the midwestern and northeastern United States and Ontario, Canada -- was traced to a sequence of cascading failures initiated by the shutdown of a single 345 kV transmission line.
Read the entire page →
From page 27...
... Reports of American citizens having been successfully recruited by foreign terrorist organizations add a degree of believability to the scenario of domestic IT talent's being used to compromise systems for terrorist purposes. 9 For example, the Slammer worm attack reportedly resulted in a severe degradation of the Bank of America's automatic teller machine network in January 2003.
Read the entire page →
From page 28...
... id=498245. 13 Gartner Press Release, "Gartner Says Nearly $2 Billion Lost in E-Commerce Sales in 2006 Due to Security Concerns of U.S.
Read the entire page →
From page 29...
... Cyberattacks conducted as part of a multipronged attack scenario that also includes physical attacks, rather than cyberattacks alone, could have the most catastrophic consequences.14 For example, cyberattacks conducted as part of a larger scenario could result in greater opportunity to widen the damage of a physical attack (e.g., by providing false information that drives people toward, rather than away 14 National Research Council.
Read the entire page →
From page 30...
... In the view of the Com mittee on Improving Cybersecurity Research in the United States, the premise could reasonably be questioned, but stipulating the premise for the moment, such rhetoric does raise an interesting question: How might an observer dis tinguish which of the following statements is true: "There are no serious vul nerabilities in today's information technology" or "There are serious but unseen vulnerabilities"? A story from the early days of computer security is a good place to begin.
Read the entire page →
From page 31...
... The cybersecurity community knows of incidents (such as rapidly propagating viruses without destructive payloads and the active compromise of many network connected computers that can be used to launch a variety of distributed attacks) that are consistent with the likely tactics of intelligent hostile parties.
Read the entire page →
From page 32...
... 16 • he PITAC report noted that the th Annual Computer Virus Preva T lence Survey 00 of ICSA Labs (formerly known as the Interna tional Computer Security Association) reports that the monthly percentage of personal computers infected by a virus grew from 1 percent in 1996 to over 10 percent in 2003.
Read the entire page →
From page 33...
... See ICSA Labs, 0th Annual Computer Virus Prevalence Survey 00 (2005)
Read the entire page →
From page 34...
... 26 For example, the 2006 Javelin Strategy and Research report on identity fraud estimated the total cost of ID fraud in 2004 at $56.6 billion. Approximately 9 percent of these cases were attributable to phishing, hacking, computer viruses, or spyware on home computers; another 6 percent resulted from data breaches at businesses holding personal information.
Read the entire page →
From page 35...
... This magnitude is hard to estimate, but one widely cited article from 2002 claims that "only about 10% of all cybercrimes committed are actually reported and fewer than 2% result in a conviction." The article offers two reasons for this: institutions feel that they have more to lose by reporting computer security breaches, and they assume that law enforcement will provide little or no assistance.28 2.6 AN OMINOUS FUTURE The committee believes that security will be a continuing issue because there will always be incentives to compromise the security of deployed systems, and that these incentives will only increase over time as organizations and individuals increasingly depend on information technology. Personal gain, organized crime, terrorism, and national interests are superseding personal fame and curiosity as incentives for cyberattacks, and thus the threat picture is coming to include increasingly sophisticated actors who possess significant resources to execute attacks.
Read the entire page →
From page 36...
... • BI Computer Crime Survey: Conducted in 2005, the purpose of this survey F is to "gain an accurate understanding of what computer security incidents are being experienced by the full spectrum of sizes and types of organiza tions within the United States."1
Read the entire page →
From page 37...
... I Labs Annual Computer Virus Prevalence Survey: Conducted every year from 1996 through 2004, the objectives of this survey are "to examine the prevalence of computer viruses in mid- and large-sized organizations; de scribe the computer virus problem in computer networks, including desktop computers; application and file servers; and perimeter devices such as firewalls, gateways, and proxy servers; and observe trends in computer virus growth, infection methodologies, and attack vectors."3 The 10th annual report, published in 2005, is available at http://www.icsalabs.com/icsa/docs/ html/library/whitepapers/VPS2004.pdf. 1Federal Bureau of Investigation, 2005 FBI Computer Crime Survey, Washington, D.C., p.
Read the entire page →
From page 38...
... • he great difficulties of associating individuals with specific de T structive or hostile actions, coupled with an uncertain and ambigu ous legal and policy framework for dealing with such incidents (especially when they involve communications and information passed across national boundaries) , make it highly unlikely that
Read the entire page →
From page 39...
... .30 David Dagon of the Georgia Institute of Technology has reported that the total number of compromised computers is in the tens or hundreds of millions,31 and the Messaging Anti-Abuse Working Group estimated that in 2006, about 7 percent of all Internet-connected computers (some 47 million) had been compromised.32 The size of individual botnets has grown as well, with some reports suggesting the existence of botnets with as many as hundreds of thousands or even 1.5 million zombies.33 A similarly profound shift is likely as computing becomes increas 29 Symantec Corporation, Symantec Internet Security Threat Report: Trends for January 0– June 0, Vol.
Read the entire page →
From page 40...
... An individual compromised computer (a zombie or a bot ) can be used for many purposes, but the threat from botnets arises from the sheer number of com puters that a single malevolent party can control -- often tens of thousands and as many as a million.
Read the entire page →
From page 41...
... If continued expansion of the use and benefits of IT is to be realized, the information technology systems and networks must be adequately protected. Otherwise, individuals and organizations throughout society
Read the entire page →
From page 42...
... Today, the most salient cybersecurity threat emanates from hackers and criminals, although there is growing realization that organized crime is seeing increasing value in exploiting and targeting cyberspace. Thus, most cybersecurity efforts taken across the nation in all sectors -- both in research and in deployment -- are oriented toward defending against these low- and mid-level threats.
Read the entire page →
From page 43...
... Major nation-states, for example, are financed by national treasuries; they can exploit the talents of some of the smartest and most motivated individuals in their national populations; they often have the luxury of time to plan and execute attacks; and they can draw on all of the other resources available to the national government, such as national intelligence, military, and law enforcement services. Organized crime syndicates, such as drug cartels, may operate hand in hand with some governments; when operating without government cooperation, their human and financial resources may not be at the level available to governments, but they are nevertheless quite formidable.
Read the entire page →
From page 44...
... The compiler itself must be secure, for it could introduce object code that subversively and subtly modifies the functionality represented in the source code. A particular sequence of instructions could exploit an obscure and poorly known characteristic of hardware functioning, which means that programmers well versed in minute behavioral details of the machine on which the code will be running could introduce functionality that would likely go undetected in any review of the code.
Read the entire page →
From page 45...
... 119-126 in Proceedings of the 18th Annual Computer Security Applications Conference, December 9-13, 2002, Las Vegas, Nev.: IEEE Computer Society. Available at http://www.acsa-admin.org/2002/papers/ classic-multics.pdf.
Read the entire page →
From page 46...
... Yet, doing nothing until perfect security can be deployed is surely a recipe for inaction that leaves one vulnerable to many lower-level threats. High-end cyberattackers -- and especially major nation-state adversaries -- are also likely to have the resources that allow them to obtain detailed information about the target system, such as knowledge gained by having access to the source code of the software running on the target or the schematics of the target device or through reverse-engineering.
Read the entire page →
From page 47...
... Many hackers are motivated by the fame that they gain from defeating technological security mechanisms (sometimes by social engineering means rather than by technology exploitation)
Read the entire page →
From page 48...
... Similarly, in the shadowy world of cyberthreat and cybersecurity, a hostile party with the capability to exploit a vulnerability might be well advised to wait until the time is right for it to launch an attack. In fact, one might well imagine that such a party would conduct exercises to probe weaknesses and lay the groundwork for an attack, without actually taking overly hostile action.
Read the entire page →
From page 49...
... By contrast, information about the high-end threat emanating from organized crime and hostile nation-states is not easily available. With a lack of specific information, the high-end threat can be easily dismissed by systems owners and operators as one that is hypothetical and undocumented (at least in a public sense)
Read the entire page →
From page 50...
... 0 TowARd A SAFeR And moRe SeCuRe CyBeRSPACe short timescale, potentially leading to what some dub a "digital Pearl Harbor" (that is, a catastrophic event whose occurrence can be unambiguously traced to flaws in cybersecurity) -- and that the nation's IT vendors and users (both individual and corporate)
Read the entire page →

Key Terms

  • computer security
  • internet security
  • computer virus
  • security survey
  • icsa labs

  • annual computer
  • security threat
  • symantec internet
  • organized crime
  • report noted

  • prevalence survey
  • computer crime
  • global security
  • personal information
  • virus prevalence

  • internet crime
  • pitac report
  • law enforcement
  • national computer
  • fbi computer

  • computer emergency
  • labs report
  • symantec corporation
  • physical damage
  • dedicated computing

  • root name
  • response team
  • emergency response
  • federal bureau
  • desktop computers


    • This material may be derived from roughly machine-read images, and so is provided only to facilitate research.
    More information on Chapter Skim is available.