Cyber insecurity

Without better security on public safety computer networks, hackers could steal sensitive data — or bring down entire systems.

Around 5 p.m. on August 16, computers began crashing at cnn facilities in New York and Atlanta. Computers on Capitol Hill, ABC and The New York Times were also hit.

A fast-moving worm burrowing into some versions of Windows operating systems was believed to be responsible. Thousands of computers around the world were compromised, including those in public safety agencies responsible for emergency response and communications.

Although this breach was benign, motivated more by mischief than malice, it’s not a stretch to envision a well-trained terrorist cell with a high level of competency in applying information technology simultaneously penetrating the server closets of the nation’s metropolitan subway systems, say, disabling automatic train protection systems, causing high-speed train collisions in Boston, New York and San Francisco. Or perhaps the attack would render the faa’s air traffic control system inoperative, disable 911 emergency call systems, tamper with the power grid, or contaminate blood bank records.

According to The Washington Post, there have been reports that some members of al-Qaida have probed for

Look, Ma, no WANs
"The state of cyber security as it relates to homeland protection is pretty poor," says Michael A. Vatis, an attorney with Steptoe & Johnson llp in New York and former executive director of the Markle Task Force on National Security in the Information Age, a group of senior business executives, former government officials, technologists and lawyers who recommend ways in which the government could more effectively use information and technology to combat terrorism while preserving civil liberties.

Vatis says the whole issue has been under-emphasized by dhs, which has been unable even to retain the top official for its cyber security operation since the department’s inception.

The exposures that exist for local and regional public safety agencies are similar to those that exist in the business sector. Agencies could see their networks shut down or drastically impeded by viruses, worms and denial-of-service attacks, which would likely dramatically affect those agencies’ ability to perform their public safety missions, including responding to a physical terrorist attack.

"State and local safety agencies have not done much to prepare for cyber attacks," says Doug W. Jacobson, an associate professor of computer and electrical engineering at Iowa State University and director of the Information Assurance Center there.

Threats exist not just to internal proprietary data, which terrorists could penetrate to mine information about homeland defense response plans, but to an attack against the physical infrastructure itself.

"A worst-case scenario," Jacobson says, "would be a cyber attack combined with a conventional attack, where the goal of the cyber attack would be to hamper efforts to respond to the conventional attack and could also be used to misinform or mislead the public and the responders."

One of the issues with cyber attacks is that they’re difficult to train for. It’s hard to have a state or regional tabletop exercise to test cyber preparedness.

"We don’t fully understand the interdependencies between different elements of the infrastructure and how they are dependent on the cyber infrastructure," Jacobson says.

Another reason more hasn’t been done sooner is that safety agencies often have limited control over network resources.

"Most security measures are put in place a piece at a time," Jacobson says. "The biggest problem with cyber is that 85% of the cyber infrastructure is owned by the private sector."

Vatis believes more hasn't been done in terms of cyber security because for four years the bulk of security resources have been allocated to physical attack.

"Cyber security is a complicated issue, the solutions are relatively expensive and tend to get deprioritized, but beyond that, dhs and the federal government in general have paid too little attention to improving cyber security since 9-11, with almost all attention devoted to physical terrorism," he says.

Some believe that cyber attacks on local and regional public safety agencies are inevitable.

The intentional exposure, destruction or manipulation of sensitive data on an agency’s system, which results in the disruption of vital services, destruction of infrastructure or even in the loss of human life, is not a matter of "if" but "when," says Al Marcela, a member of the fbi’s National InfraGard Program, which brings together it professionals from the public, private and academic sectors to conduct critical threat assessments of computer systems infrastructures.

An Information Age "Ice Age"

Current software engineering techniques are unable to even guarantee correctness, much less security. Protection mechanisms are largely limited to standard-issue firewalls, intrusion-detection systems, anti-virus software, biometrics, sound access policies, password enforcement and training.

Vatis says guidance from dhs for local and regional agencies would be helpful, as would federal funding.

Many public safety agencies operate on tight budgets and most are under-funded. Any money spent on technology and specifically technological security is minimal, Marcela says.

He says that for the majority of public safety agencies across the country, cyber security is, at best, at the basic level and in great need of review and strengthening in light of the potential threats posed by these agencies’ increasing reliance on information technology delivery systems and information technologies in general.

"Small local, rural and community-based agencies probably have not extended nor elevated their basic internal control structures, if they even exist, to ward off a concentrated, 21st-century cyber attack," Marcela says. 

Beyond basic controls, not many other remedies are available.

"A lot of it will come down to training and understanding how to operate under cyber attack," Jacobson says.

Jacobson is directing in one such effort at Iowa State’s Information Assurance Center, called the Internet-Scale Event and Attack Generation Environment (or ISEAGE, pronounced ice-age). ISEAGE’s developers hope to establish a world-class research and education facility to enhance the current state-of-the-art in information assurance by creating a virtual Internet for the purpose of researching, designing and testing cyber defense mechanisms. The one-of-a-kind facility will be the catalyst for bringing together top researchers from several disciplines for a common goal of making computing safer.

"Unlike computer-based simulations, real attacks will be played out against real equipment," Jacobson says.

ISEAGE, which will contain a warehouse of attack tools able to simulate point-to-point and distributed attacks against test configurations, will provide a controlled environment where real-world attacks can be played out against different configurations of equipment.

While projects like ISEAGE may be essentially reactive in nature, other efforts tend toward the proactive. One DePaul University project, the Computer Information and Network Security Center, hopes to find a way to harden computer and network software during the development phase, not after they’re already in production.

One CINSC research goal involves "trusted computing," which deals with fundamental issues of how to make computer languages and software development provably safe.

"This is in some sense a Holy Grail, but we expect our work to make computers and networks more secure by creating a solid foundation of security, before the first line of code is written," says Jacob D. Furst, an associate professor of computer science, telecommunications and information systems at Depaul University and director of its Information Assurance Center.

A companion DePaul network security project relates to creating more-sophisticated firewalls to help automatically protect private networks. This research could lead to firewalls capable of evaluating whether traffic from a public network to a private network is malicious. 

Furst believes enhanced firewalls could be hooked up to a database of known bad IP addresses and vulnerabilities lists to make real-time, predictive decisions about incoming traffic.

Another effort involves security requirements in software engineering and privacy issues related to data-mining and recommender systems. 

"As with all basic research, it's risky to predict exactly how it might eventually fit into homeland protection, although it is easy to imagine a number of probable applications." 

Furst says his research into secure programming languages could result in provably secure operating systems for control of critical systems, such as air traffic or power grids, systems that can be reasonably self-contained and have relatively simple requirements.

Deception in cyberspace
One radical new idea deals with something called "cyber decoys," a concept devised by J. Bret Michael, a computer scientist at the Naval Postgraduate School in Monterey, Calif.

"Cyber decoys provide a means for automating, to a degree, counterintelligence activities as well as responses to cyber attacks," Michael says.

Software decoys augment the two current strategies for defending against cyber attack: identifying and fixing known vulnerabilities, and detecting attacks before they inflict damage.

"Neither of these tactics is sufficient to ensure either the survivability or the intrusion-tolerance of critical information systems, which must tolerate and survive attacks perpetrated by highly trained aggressors, who unlike script-kiddies, continually customize their arsenals to avoid detection," Michael says.

Instead, Michael has introduced a different approach founded on the notion of intelligent software decoys, which have both protective and counterintelligence elements.

When an attacker intrudes into a computer system, the owner of that system needs to know something about the attacker in order to develop a tailored response, Michael says. "Applying a one-size-fits-all response, such as always terminating interaction with the attacker, can be ineffective."

The decoy consists of one or more software wrappers placed around a unit of software, with each wrapper consisting of a set of rules for detecting and responding to suspicious behavior. Instead of indicating to the attacker that they have been detected, the decoy keeps the attacker occupied by creating the illusion that the attack is progressing as expected, using techniques ranging from fake error messages to redirecting the interaction to a virtual sandbox, Michael says.

The goal is threefold: to gather information about the nature of the attack, adjust the system’s defenses based on this information, and cause the attacker to waste resources, he explains. "We want to make attackers believe they are successful so that they reveal their sources, methods and identity."

Why bother?
Some might wonder why terrorists would bother to attack civic emergency communication systems, which are notoriously flimsy if not altogether inadequate all on their own. Emergency communications in New York City on Sept. 11, 2001, failed utterly, according to Jim Dwyer and Kevin Flynn in their compelling new book "102 Minutes": "A cascade of lapsed communications . . . cost lives. The police helicopters reported the deterioration of the two towers and specifically predicted the collapse of the north tower. The fire commanders had no link to these helicopters or reports, but for that matter, they had few or no links to their own troops. The interagency radios were sitting on shelves and in the trunks of cars, unused."

The same was true in Oklahoma City, in the aftermath of the Murrah Federal Building bombing. For many years, Oklahoma City has had an inter-hospital communication system, featuring a common radio frequency, known as the Hospital Emergency Administrative Radio System, or hear, which was designed for use in response to disasters, and therefore rarely invoked.

"Unfortunately, the hear system had seldom been tested, and when it came time for hospitals to use the system, only three of the 15 area hospitals found their systems working," says Richard C. Larson, professor of civil and environmental engineering at the Massachusetts Institute of Technology.

With the hear system down and phones congested, it was nearly impossible to learn which hospitals were at capacity. Consequently, law enforcement officers had to be pulled from other pressing duties and dispatched on "rubber net" to drive to hospitals to determine which hospitals had available beds.

As a result of the hear system’s critical failure, a test of the communication system among Oklahoma City hospitals is now conducted daily.

"The lesson is, it is not sufficient to have an emergency system in place," Larson says. "Rather it is necessary to maintain the system and train personnel thoroughly and frequently in its use."