4 Enhancing Cybersecurity
Pages 53-92

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 53...
... In other cases, security risks can be mitigated with some degree of effort and expense -- these costs should be factored into the decision. But what should not happen is that security risks be ignored entirely -- as may sometimes be the case.
From page 54...
... Detecting that one has been the target of a hostile cyber operation is also the first step toward taking any kind of specific remedial action. Detection involves a decision that something (e.g., some file, some action)
From page 55...
... With a well-constructed algorithm, hashes of two different bit sequences are very unlikely to have the same hash value.
3. Department of Homeland Security, National Cyber Security Division, Computer Emergency Readiness Team (US-CERT)
From page 56...
... (And as detection capabilities improve, adversaries will take steps to mask such signs of coordinated efforts.) An assessment addresses many factors, including the scale of the hostile cyber operation (how many entities are being targeted)
From page 57...
... In some cases, hardware-based security features are feasible -- implementing such features in hardware is often more secure than implementing them in software, although hardware implementations may be less flexible than comparable software implementations.
• Eliminating or blocking known but unnecessary access paths.
From page 58...
... One can thus imagine a hostile operation that is launched under the auspices of Elbonia, by a Ruritanian citizen sitting in a Darkistanian computer laboratory, that penetrates computers in Agraria as intermediate nodes in an attack on computers in Latkovia. In general, "attribution" of a hostile cyber operation could refer to an identification of any of three entities:
• A computer or computers (called C)
From page 59...
... It takes time -- days, weeks, perhaps months -- to assemble forensic evidence and to compare it to evidence of previous operations, to query nontechnical intelligence sources, and so on. In a national security context, policy makers faced with responding to a hostile cyber operation naturally feel pressure to respond quickly, but sometimes such pressures have more political than operational significance.
From page 60...
... This principle, when systematically applied, is the primary underpinning of the protection system. It forces a system-wide view of access control, which, in addition to normal operation, includes initialization, recovery, shutdown, and maintenance.
From page 61...
... • Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. More generally, the use of protection mechanisms should not impose burdens on users that might lead users to avoid or circumvent them -- when possible, the use of such mechanisms should confer a benefit that makes users want to use them.
From page 62...
... Several factors account for this phenomenon:
• Potential conflicts with performance and functionality. In many cases, closing down access paths and introducing cybersecurity to a system's design slows it down or makes it harder to use.
From page 63...
... Because certain users have privileges that others lack, someone who is not authorized to perform a given action may seek to usurp the authentication credentials of someone who is so authorized so that the unauthorized party can impersonate an authorized party. A user may be authorized by virtue of the role(s)
From page 64...
... If a user is locked out of his account because of a forgotten password, a password recovery system can send a text message to the user's cell phone with a special activation code that can be used to reset the password. Although anyone can request a reset link for my user name, only I have access to the specific cell phone on which the activation code is received.
From page 65...
... The answer is that a trusted certificate authority stands behind the association between a given encryption key and the party to which it belongs. Certificate authorities play the role of trusted third parties -- trusted by both sender and receiver to associate and publish public keys and names of potential message recipients.
From page 66...
... Stronger Authentication for the Internet
As discussed in Chapter 2, digital information is inherently anonymous, which means that specific mechanisms must be in place to associate a given party with any given piece of information. The Internet is a means for transporting information from one computer to another, but today's Internet protocols do not require a validated identity to be associated with the packets that are sent.
From page 67...
... In addition, strong authentication, especially if implemented at the packet level, raises a number of civil liberties concerns, as described in Chapter 5.
Forensics
In a cybersecurity context, the term "cyber forensics" refers to the art and science of obtaining useful evidence from an ostensibly hostile cyber event.
From page 68...
... But to the extent that prevention or mitigation of damage is the goal of law enforcement authorities
From page 69...
... Such issues become much more complicated if it is necessary to perform cyber forensics on IT systems and networks outside the victim's legitimate span of control. For example, if an adversary has conducted a hostile operation from the computer belonging to an innocent third party that has no relationship to either adversary or victim, conducting forensics on that computer without the third party's knowledge or permission raises a number of legal and policy problems.
From page 70...
... For example, Internet protocols for transmitting information are designed to account for the loss of intermediate nodes -- that is, to provide redundant paths in most cases for information to flow between two points. A second approach to achieving resilience is to design a system or network without a single point of failure -- that is, it should be impossible to cause the system or network to cease functioning entirely by crippling or disabling any one component of the system.
From page 71...
... Recognizing the limitations of passive defense measures as the only option for responding to the cyber threat, the Department of Defense issued in 2011 its Department of Defense Strategy for Operating in Cyberspace, which states that the United States will employ "an active cyber defense capability to prevent intrusions onto DoD networks and systems," defining active cyber defense as "DoD's synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities."8 The DOD does not describe active cyber defense in any detail, but the formulation above for "active cyber defense" could, if read broadly, include any action outside the DOD's organizational span of control, any non-cooperative measure affecting or harming an attacker's IT systems and networks, any proactive measure, or any retaliatory measure, as long as such action was taken for the purpose of defending DOD systems or networks from that attacker.
From page 72...
... All of these actions raise legal and policy issues regarding their propriety.
Disruption
Disruption is intended to reduce the damage being caused by an adversarial cyber operation in progress, usually by affecting the operation of the computer systems being used to conduct the operation.
From page 73...
... At the same time, the FBI provided related information to its overseas law enforcement counterparts.
Preemption
Preemption -- sometimes also known as anticipatory self-defense -- is the first use of cyber force against an adversary that is itself about to conduct a hostile cyber action against a victim.
From page 74...
... The potential victim considering preemption must thus be able to target the adversary's cyber assets that would be used to launch a hostile operation. But the assets needed to launch a cyberattack are generally inexpensive and/or easily concealed (or made entirely invisible)
From page 75...
... It has been signed using some cryptographic key, but the suspicious ISP must know who owns that key. To this end, it is necessary to have a global key distribution and validation scheme, which is called a public-key infrastructure, or PKI.
From page 76...
... Many actors make decisions that affect cybersecurity: technology vendors, technology service providers, consumers, firms, law enforcement, the intelligence community, and governments (both as technology users and as guardians of the larger social good)
From page 77...
... Many similar examples also have economic roots. Is the national cybersecurity posture resulting from the investment decisions of many individual firms acting in their own self-interest adequate from a societal perspective?
From page 78...
... Many organizations also obtain cybersecurity services from third parties, such as a security software vendor that might be bribed or otherwise persuaded to ignore a particular virus. Service providers are potential security vulnerabilities, and thus might well be intermediate targets in an offensive operation directed at the true (ultimate)
From page 79...
... Thus, if the available information on a cyber event seems to point to its being a hostile action taken by a nation-state, it will be interpreted that way even if that nation-state has taken few such actions in the past.
From page 80...
... As a result, cybersecurity measures are all too often disabled or bypassed by the users they are intended to protect. Because the intent of security is to make a system completely unusable to an unauthorized party but completely usable to an authorized one, desires for security and desires for convenience or ease of access are often in tension -- and usable security seeks to find a proper balance between the two.
From page 81...
... 4.2.3 Law
U.S. domestic law, international law, and foreign domestic law affect cybersecurity in a number of ways.
From page 82...
... Finally, national security law may affect how the United States may itself use cyber operations in an offensive capacity for damaging adversary information technology systems or the information therein.
From page 83...
... International Law
International law does not explicitly address the conduct of hostile cyber operations that cross international boundaries. However, one international agreement -- the Convention on Cybercrime -- seeks to harmonize national laws that criminalize certain specifically identified computer-related actions or activities, to improve national capabilities for investigating such crimes, and to increase cooperation on investigations.19 That convention also obliges ratifying states to create laws allowing law enforcement to search and seize computers and "computer data," engage in wiretapping, and obtain real-time and stored communications data, whether or not the crime under investigation is a cybercrime.
From page 84...
... A second important example of an implicit relationship between hostile cyber operations and international law is that of cyber exploitation by one nation to acquire intelligence information from another. Espionage is an illegal activity under the domestic laws of virtually all nations, but not under international law.
From page 85...
... Other nontechnical factors may also play into the assessment of a cyber incident, such as the state of political relations with other nations that are capable of launching the cyber operations involved in the incident. Once the possibility of a cyberattack is made known to national authorities, information must be gathered to determine perpetrator and purpose, and must be gathered using the available legal authorities.
From page 86...
... government that fuses information on the above factors and integrates the intelligence, national security, law enforcement, and private-sector equities regarding the significance of any given cyber incident.20 Whatever the mechanisms for aggregating and integrating information related to a cyber incident, the function served is an essential one -- and if the relationships, the communications pathways, the protocols for exchanging data, and the authorities are not established and working well in advance, responses to a large unanticipated cyber incident will be uncoordinated and delayed.
4.2.5 Deterrence
Deterrence relies on the idea that inducing a would-be intruder to refrain from acting in a hostile manner is as good as successfully defending against or recovering from a hostile cyber operation.
From page 87...
... In a national security context, when the misdeed in question affects national security, the penalty can take the form of diplomacy such as demarches and breaks in diplomatic relations, economic actions such as trade sanctions, international law enforcement such as actions taken in international courts, nonkinetic military operations such as deploying forces as visible signs of commitment and resolve, military operations such as the use of cruise missiles against valuable adversary assets, or cyber operations launched in response. In a cyber context, the efficacy of deterrence is an open question.
From page 88...
... Indeed, many factors other than technology affect the security of a system, including the system's configuration, the cybersecurity training and awareness of the people using the system, the access control policy in place, the boundaries of the system (e.g., are users allowed to connect their own
From page 89...
... What does the discussion above imply for the development of cybersecurity metrics -- measurable quantities whose value provides information about a system or network's resistance to a hostile cyber operation? Metrics are intended to help individuals and companies make rational quantitative decisions about whether or not they have "done enough" with respect to cybersecurity.
From page 90...
... • Outcome metrics reflect the extent to which the system's cybersecurity properties actually produce or reflect desirable cybersecurity outcomes. In a cybersecurity context, an outcome measure might be the annual losses for an organization due to cybersecurity incidents.
From page 91...
... Cybersecurity risks will be on the rise for the foreseeable future, but few specifics about those risks can be known with high confidence. Thus, it is not realistic to imagine that one or even a few promising approaches will prevent or even substantially mitigate cybersecurity risks in the future, and cybersecurity research must be conducted across a broad front.
From page 92...
... Specifically, IT vendors must be willing to regard security as a product attribute that is coequal with performance and cost; IT researchers must be willing to value cybersecurity research as much as they value research into high-performance or cost-effective computing; and IT purchasers must be willing to incur present-day costs in order to obtain future benefits.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.