
Is the U.S. prepared for a major cyber attack?

by Lee LeClair
04/16/2010
As seen in Inside Tucson Business

I am going to resist writing an article on the iPad - there is plenty of material available on that already. Instead, let's talk about the much heavier subject of cyberwarfare. Ever since August 2008, when a cyberattack on Georgia's government, media, and banking sites occurred just prior to an armed incursion from Russia, the reality of cyberwarfare has been near the top of the to-do list for governments everywhere. During the first chaos of real battle, the Georgian public and government had to cope with non-functioning sites for news, information, money, and government operations.

Analysis after that attack highlighted that determining who is responsible for a cyberattack is very difficult. Less than a month later, in September 2008, North Korea purportedly used spear phishing attacks against specific South Korean military officials, whose email addresses had been actively harvested for the purpose (http://goo.gl/wpqW). Spear phishing is a specialized form of attack in which specific individuals are targeted with customized emails that carry malware, or link to sites hosting malware, designed to steal their information or otherwise compromise their computers. Spear phishing is much harder to detect than broad-based phishing because each email is tailored to its recipient, so filters that key on the repeated content of mass mailings have little to match on.
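Because a tailored message reads naturally, the tells that survive are usually in who the mail claims to be from rather than in what it says. The following is an added example, not code from the original column or from any organization it mentions: a handful of header-level checks a mail gateway or an analyst script could run on an individual message. The organization domain example.mil, the function names, and both sample messages are constructed for this illustration.

```python
# Added example, not from the original column: header-level tells of a
# spear-phishing message. Mass phishing is often caught on its content;
# a message written for one recipient reads naturally, so the checks
# below look at who the mail claims to be from instead. The domain
# example.mil and both sample messages are constructed for illustration.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.mil"  # hypothetical organization domain


def _normalize(domain):
    """Collapse common look-alike substitutions so that, e.g.,
    'exarnple.mil' and 'examp1e.mil' compare equal to 'example.mil'."""
    return domain.lower().replace("rn", "m").replace("0", "o").replace("1", "l")


def spear_phish_indicators(raw):
    """Return the list of indicators found in one RFC 822 message string."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = []

    # 1. Display name shows an internal address, but the real address is not
    #    on the internal domain: what the recipient sees is not who sent it.
    if INTERNAL_DOMAIN in from_name.lower() and from_domain != INTERNAL_DOMAIN:
        findings.append("display-name spoofs internal address")

    # 2. Sender domain is a look-alike of the internal domain.
    if from_domain != INTERNAL_DOMAIN and _normalize(from_domain) == INTERNAL_DOMAIN:
        findings.append("look-alike sender domain")

    # 3. Reply-To sends any answer to a different domain than the sender's.
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to domain differs from sender")

    # 4. An HTML link whose visible text names a different host than its href.
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    for href, shown in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body, re.I):
        shown_host = re.search(r"https?://([^/\s]+)", shown)
        if shown_host and shown_host.group(1).lower() != (urlparse(href).hostname or ""):
            findings.append("link text hides a different destination")
            break

    return findings


# Constructed sample: a message aimed at one officer, referencing the
# travel-booking system the column mentions. Every line is fictional.
TARGETED = """\
From: "jsmith@example.mil" <j.smith@exarnple.mil>
Reply-To: j.smith@mail-relay.invalid
To: col.doe@example.mil
Subject: Re: your travel booking for Tuesday
Content-Type: text/html

<p>Colonel, the itinerary we discussed is here:
<a href="http://203.0.113.9/travel/login">https://travel.example.mil/login</a></p>
"""

# Constructed sample: the same request sent legitimately from inside.
BENIGN = """\
From: "Jane Smith" <jsmith@example.mil>
To: col.doe@example.mil
Subject: Tuesday travel
Content-Type: text/html

<p>Itinerary is on the portal: <a href="https://travel.example.mil/login">https://travel.example.mil/login</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("targeted", TARGETED), ("benign", BENIGN)):
        print(label, spear_phish_indicators(sample))
```

None of these checks reads the body's wording, which is exactly the part an attacker has tailored to the recipient; they compare the identity the message displays with the identity it actually carries. Treat the result as a score to route the message for review or to warn the recipient, not as a hard block: a legitimate mail can trip the Reply-To check, and a patient attacker can register a domain the normalizer does not catch.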

This year, targeted attacks that appear to have originated in China were directed at more than twenty high-profile US companies across multiple sectors, including Internet (most famously Google), finance, technology, media, and chemicals (see http://goo.gl/g0Xz). These were mostly intended to steal information rather than to damage or disrupt, but one can see how a single intrusion could accomplish both goals, stealing information and then depositing disruptive malware.

The response from the US military has been the creation of a new Cyber Command to combat the cyber threat offensively and defensively; Congressional hearings are underway to choose a commander for this group. Lt. General Keith Alexander is one of the leading nominees, though there are concerns since he is also the head of the National Security Agency (NSA), and some believe that holding both positions would concentrate too much cyber power in one individual. Lt. General Alexander has already stated publicly that knowing the specific identity of one's attacker should not be a prerequisite for taking immediate action, just as police and soldiers do not need to know the exact identity of whoever is shooting at them.


In real terms, what might a cyberattack on a country look like? Just as with Russia and Georgia, targets would likely include commercial, government, media, and financial sites, with the goal of disrupting communications, functions, and operations, and of generating public panic to further divert military and civil resources. For example, much of the Department of Defense relies upon a web-based system that most military and civilian personnel must use to book their travel. The potential is obvious. In addition, targeting infrastructure like the electrical power grid would be extremely useful to an enemy: imagine the chaos of huge tracts of homes and businesses, as well as government offices, without power. Similarly, targeting banks, media outlets, and mobile telephony providers would induce panic, as general communications would appear to be breaking down in a coordinated fashion.

Is the nation prepared? It hardly seems so, as most commercial and government organizations continue to get poor grades in publicized IT security reviews. Even attacks on tech-savvy commercial entities like Google often succeed. The difficulty in dealing with attacks is the complex nature of defense. Organizations can often detect and deal with outright and obvious attacks, like some denial-of-service attacks, with their routers, firewalls, and intrusion detection systems, but it is much harder to stop a spear phishing email aimed at specific, important, and usually non-technical individuals. Other attacks go through an organization's own applications and exploit flaws in the application code itself; because that traffic looks like ordinary use of the application, most firewalls are powerless to stop it. What will it take to beef up our cyber defenses? Unfortunately, there is no silver bullet: it takes more than technical appliances like firewalls, spam filters, and antivirus software to "just deal with" security issues. It requires training, education, and awareness at all levels of an organization, clear processes and understandable policies, and some of that gee-whiz technology, all working together. I hope we have it in us to get it together, or it will be a rude awakening indeed when a major cyber attack hits.

Lee Le Clair is the CTO at Ephibian. His Tech Talk column appears the third week of each month in Inside Tucson Business.