National Cyber Systems Security Review Discussion

  • December 2019
  • PDF

NATIONAL CYBER SYSTEMS INFRASTRUCTURE SECURITY REVIEW CONCEPT PAPER

TRUSTWORTHY & RESILIENT CYBER SYSTEMS SECURITY REVIEW

The U.S. national cyber systems infrastructure is comprised of the following system components: (1) manufactured computer hardware; (2) manufactured and custom computer software; (3) network servers, routers, and software; (4) the network infrastructure including satellites, land lines, switching stations and data messaging protocols; (5) various levels of information services (IS) and network administration; (6) human operators; (7) human and machine receivers of data produced by the system; and (8) data stores that include the hardware, software and the stored data accessible to the cyber system. This cyber systems infrastructure has been built up piecemeal over the past 40 years, with the primary growth in the system over the past 20 years. To be trustworthy and resilient to collapse, each system component must be maintained and regularly replaced by a new upgrade of the system component (e.g. moving from IPv4 to IPv6 minimum Internet protocols; 64-bit chip/OS architecture). Human operators require ongoing training to be able to operate the cyber systems infrastructure securely.

THE PRIMARY SOURCES OF INSECURE CYBER SYSTEMS

The estimated ongoing operating and maintenance (O&M) costs and repair and replacement (R&R) costs for the nation’s cyber infrastructure are $248 billion annually. [1] On an annual basis, the deferred O&M and R&R costs are approximately $126 billion. The size and ongoing nature of these deferred investments in adequate O&M and R&R result in a highly vulnerable system that is prone to compromise and partial system collapse for a variety of known and unknown factors. Probabilistic annualized threat estimates of partial cyber system collapse are: mishaps due to human error, 40%; deliberate attack on the national infrastructure, 30%; emergent causes (black swans), 20% [2]; and faults in the national electricity grid, 10%.
Sources of threats to the national infrastructure are global and follow a power distribution in number and severity of system related threats over time (i.e. only a few threats will be severe and large scale).

CYBER SYSTEMS SECURITY REVIEW FINDINGS

The network configuration (e.g. Internet or intranet connectivity) is not necessarily the most vulnerable component of the U.S. cyber systems infrastructure. Total system vulnerability results from the combination of the probability for disruption from each component of the system. In a probabilistic forecast of system disruption, human operators, manufactured and custom computer software, and manufactured computer hardware each contribute more relative vulnerability than does the network infrastructure.

Human operators often are inadequately trained and do not routinely perform even minimal ongoing O&M on the software and hardware under their control or use. Even with adequate O&M, some hardware and software is so out-of-date due to lack of timely R&R that adequate security cannot be maintained. The fact that this outdated hardware and/or software is connected to the network, and that human operators may not address even minimal O&M requirements, creates a situation of heightened vulnerability to other network users, whether this is a highly secured or unsecured network.

Lack of adequate investment in O&M and R&R is the primary limiting factor for protecting the nation’s cyber infrastructure from mishaps, deliberate attacks, and collapses.
The opportunity cost of not making these annualized investments in adequate O&M and R&R may result in an Incremental Capital Output Ratio (ICOR) that equates to a loss of about $500 billion in GDP annually, on average. [3]

There is a statistically higher probability for catastrophic damage to sectors of the nation’s economy from cyber system infrastructure collapse due to inadvertent system failures than in deliberate malicious attacks against the national cyber systems infrastructure.

[1] All numbers in this draft are placeholders, requiring additional analytical work for accuracy.

[2] Emergent behavior is difficult to predict from an analysis of the system and its components.

[3] A metric that measures the marginal amount of investment capital necessary for an improvement in the national economy’s level of production efficiency.

LYLE A. BRECHT --- DRAFT --- 410.963.8680 --- CAPITAL MARKETS RESEARCH --- Friday, June 12, 2009


Network vulnerability is exacerbated by out-of-date computer hardware, routers, and operating system software being connected via an Internet based on out-of-date data messaging protocols, user anonymity, and often user-choice of level of network security engaged. Thus, practically speaking, the network’s vulnerability is often determined by the lowest common denominator of capabilities determined by out-of-date computer hardware, routers, operating system software, end-user training, and Internet messaging protocols.

The single greatest bang-for-the-buck from a cyber systems infrastructure perspective would be to upgrade minimum Internet data messaging protocols to IPv6. However, with this Internet upgrade all computers and routers connected to the Internet should be required to be minimum 64-bit chip/operating system architectures.

It is unlikely that for the foreseeable future an affordable one-time fix to the national cyber systems infrastructure’s vulnerabilities will be found. Successive waves of new technology will be required to stay ahead of the curve to prevent inadvertent system failures and collapses due to malicious attacks. Maintaining a less vulnerable national cyber system infrastructure requires the capability and intention to rapidly adopt new technology and maintain minimum network connectivity standards. Normal new technology adoption cycles are typically 15-30 years. A great deal of additional security could be established if these technology adoption cycles were reduced to 7-10 years for system components of the national cyber systems infrastructure.

However, the inherent vulnerability of the U.S. national electricity grid to disruption or shutdown from powerful solar storms [4] and EMP (electromagnetic pulse) attack [5], due to inherent system design limitations as well as human error, introduces another significant level of risk. [6] The national cyber system infrastructure relies on clean, dependable electricity sources to function at all.
RECOMMENDATIONS TO UPGRADE THE SECURITY OF THE NATIONAL CYBER SYSTEM INFRASTRUCTURE

  • Implement the National Unified Smart Grid Initiative. This will bring the U.S. electricity grid up to standards necessary to withstand powerful solar storms and EMP (electromagnetic pulse) attack disruption or shutdown, to reduce transmission losses, and to enable lower EROI (energy return on investment) energy sources that reduce GHG (greenhouse gas) emissions to be connected to the national grid.
  • Set up a national Internet Connectivity Registry and require an annual connectivity fee be paid either by user or by connection device. Set standards for all Internet connectivity, e.g. require all connection devices to be capable of IPv6 data protocol operations. Provide rebates of the annual connectivity fee to all users who upgrade their hardware and software to IPv6 compatibility. Every two years, add additional connectivity standards that reduce system vulnerabilities. Continue to provide connectivity fee rebates to those users who upgrade their cyber systems technology.
  • Set up the National Cyber Systems Threat Center in the ODNI to set the standards and the fee.

[4] The consequences of a future solar storm like the Carrington Event of August-September 1859 are extensive and involve a range of potential economic impacts not unlike a major Force 5 hurricane or tsunami that could cripple the present national electricity grid for an extended period. See National Research Council, “Severe Space Weather Events--Understanding Societal and Economic Impacts Workshop Report” (NASA, 2008).

[5] See Dr. William R. Graham, et al., “Report of the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack, Volume 1: Executive Report” (2004).

[6] The national grid, 164,000 miles of high-voltage transmission lines and 5,000 local distribution networks, is outdated, highly vulnerable, inefficient, and unsuitable for fluctuating renewable power sources.


TO: MELISSA HATHAWAY

FROM: LYLE BRECHT ([email protected] - 410.963.8680)

DATE: FRIDAY, JUNE 12, 2009

SUBJECT: CYBERSPACE POLICY REVIEW MEMORANDUM

Melissa, thank you and your team for assembling an excellent report. Many in government and the private sector do not yet realize that we now have the possibility of threats not just from weapons of mass destruction, but from knowledge-enabled mass destruction (KMD) weapons. Cyber weapons are potentially so powerful that accidents, abuses, and deliberate malicious attacks are capable of producing circumstances whereby, for example, instead of global GDP going from $60 to $240 trillion (in $2005 purchasing power parity) by 2050, it declines to $6 trillion. Your report and its recommendations move us in the direction of addressing this new threat (and global networked information society opportunity). Thank you!

From this vantage, the report, however, may not highlight in sufficient detail three areas of concern and potential for high level policy coordination across the cyberspace domain:

Military Use of Cyberspace. You may have seen the NYT article on May 28th, “Pentagon Plans New Arm to Wage Wars in Cyberspace.” [7] What caught my attention is the notion that cyberspace is considered just another war-fighting domain by the Pentagon: e.g. “We need to be able to operate within that domain just like on any battlefield, which includes protecting our freedom of movement and preserving our capability to perform in that environment.” While the blowback from such loose ‘calculated ambiguity’ talk may be unwanted (e.g. loss of credibility and needed cooperation with the private sector and another very expensive arms race, this time in cyberspace), there are two conceptual problems with this approach to cyber defense/warfare:

  • With cyber weapons, there presently is no countervailing strategic ‘game’ doctrine for cyberspace, like MAD (mutual assured destruction), that has the potential to actually ‘deter’ First Use. The notion that the doctrine of nuclear deterrence can be retrofitted and used to deter cyber attacks is absurd. [8] Because cyberspace threats can be initiated easily by privatized transnational groups, without the knowledge of national governments, by rogue elements within the state, and the originating location of the attack readily masked and even transposed to a predetermined DNS, the threat of nuclear armageddon in response appears both unwarranted and unproductive;
  • The notion of attacks and counterattacks in the digital environment is not directly transferable from the analogue environment of conventional war fighting. For example, the development and deployment of offensive weapons in cyberspace have a higher probability of mimicking HIV, i.e. the release into the environment of a wild-strain retrovirus that cannot be effectively inoculated against, than of deterring attacks or ‘punishing’ supposed attackers;

NSA Use of Cyberspace. My concern is the NSA move from passive listening to communication signals (analogue and digital) and data mining to an active gathering of data in cyberspace through the use of digital agents released into the wild. While I recommended the use of digital agents across the data sets owned by the intelligence community post 9/11 to address certain information pooling problems, [9] there is a potential problem with the use of such digital agents to collect data across all of cyberspace. The potential for a serious problem is in the capture of the digital agent by a hostile force and the alteration of the code to infect NSA data stores, as well as other government or private sector data stores. With the potential for self-replication, and modification of basic code sets, once these sophisticated agents are released in the wild, it may not be either affordable or feasible to turn them off easily;

Lack of a Clearly Articulated Process to Develop Capital Budgets for Protecting Cyberspace. In the report, you make a solid case for a central coordinating function in the White House, and the President has wisely decided to appoint this coordinator. However, what concerns me is the process whereby budgets are decided and funds employed to implement policy across multiple, often competing jurisdictional boundaries. What I am imagining is a PRA (probability risk assessment) methodology applied across the cyberspace domain that helps to establish high level policy discourse to set budget priorities analytically. [10] But, maybe more importantly, my hope is that the use of PRA across the entire cyberspace domain will highlight private sector capital investment requirements and spur federal policy that supports making these investments in a timely fashion. [11] Otherwise, my concern is that the policy coordinating function will fail against agency budgeting by the politically powerful for ideas that are topical (or popular), the private sector will be left to their own devices, and we will be in reactive mode as crises (real or perceived) materialize.

As outlined in my previous brief that I sent you for the 60-day review, [12] my suspicion is that if a PRA was performed for the cyberspace domain, we would discover that:

  • ~90% of cybersecurity resides in the private sector and the task will be to establish policies that promote rapid technology adoption and capital investment at scale;
  • more than 80% of the annual $20 billion military budget for cyber warfare might be best allocated toward defensive cyber weapons and much of that should be allocated to infrastructure upgrades and end user training. Thus, much of the cyber warfare outsourcing work by the Pentagon may not be well formulated nor money well-spent;
  • the greatest Achilles heel to cyberspace may be the current design and physical shape of the national electricity grid, problems that will not be solved by Band-Aids, and that the grid’s digital switches need to be secured not only from anomalies, but also from solar storm spikes and EMP in order to be secure;
  • we probably do not yet have our arms around the full range of large scale structural risks of cyberspace. [13] Essentially, it’s like 1980 and the USEPA has noticed that enforcement of NPDES permits for point source pollution is not producing clean water. The bigger problem than the 40,000 point source attacks in cyberspace is the non-point pollution-like potential for system collapse from Black Swan-like sources, an emergent problem based on the fact that we are dealing with a complex system whose behavior and expression of full properties over time are non-linear.

Thus, many of the policy frameworks, policy coordination, and cyberspace protective initiatives identified or proposed in the Report do not go far enough to address the threats to cyberspace that may/will be encountered over time.

Melissa, I hope that some of this might be helpful to you and whomever becomes the White House cyberspace security coordinator as you recommend in your report.

Lyle Brecht

[7] http://www.nytimes.com/2009/05/29/us/politics/29cyber.html?_r=1&th&emc=th

[8] Gen. Kevin Chilton, the head of U.S. Strategic Command, said “I think you don’t take any response options off the table from an attack on the United States of America,” Chilton said. “Why would we constrain ourselves on how we respond?.... “I think that’s been our policy on any attack on the United States of America.... “And I don’t see any reason to treat cyber any differently.” (“U.S. General Reserves Right to Use Force, Even Nuclear, in Response to Cyber Attack,” Global Security Newswire May 12, 2009).

[9] Unclassified: http://www.pdfcoke.com/doc/9862402/Homeland-Security-Data-System-Schematic-August-2002

[10] Probabilistic Risk Assessment (PRA) is an analytical process that begins with two system design counterfactuals: (1) the magnitude (severity) of the potential adverse consequences of system failures; and (2) the likelihood (probability) of the occurrence of each potential consequence. The objective is not as a predictive exercise, but as a disciplined descriptive process that may identify and highlight budget requirements for a secure national cyberspace environment.

[11] My thought is that strategic policy analysts such as at BAH and SCIC might be able to perform this work.

[12] Unclassified: http://www.pdfcoke.com/doc/12659947/National-Cyber-Systems-Security-Review-Discussion

[13] A recent example of not addressing structural risk is the use of CDO (collateralized debt obligations) financial instruments by Wall Street. These instruments’ individual risk was hedged via complex, financially engineered derivatives, but the structural risk to the entire CDO market was not managed. Thus, the Federal government has pledged, lent, provided guarantees, and provided tax relief to the tune of $12,800 billion since 2008, and the collapse of the CDO market has produced $50,000 loss of value in financial assets worldwide to date.
