MODELLING CYBER SECURITY: APPROACHES, METHODOLOGY, STRATEGIES
NATO Science for Peace and Security Series

This Series presents the results of scientific meetings supported under the NATO Programme: Science for Peace and Security (SPS). The NATO SPS Programme supports meetings in the following Key Priority areas: (1) Defence Against Terrorism; (2) Countering other Threats to Security and (3) NATO, Partner and Mediterranean Dialogue Country Priorities. The types of meeting supported are generally “Advanced Study Institutes” and “Advanced Research Workshops”. The NATO SPS Series collects together the results of these meetings. The meetings are co-organized by scientists from NATO countries and scientists from NATO’s “Partner” or “Mediterranean Dialogue” countries. The observations and recommendations made at the meetings, as well as the contents of the volumes in the Series, reflect those of participants and contributors only; they should not necessarily be regarded as reflecting NATO views or policy.

Advanced Study Institutes (ASI) are high-level tutorial courses to convey the latest developments in a subject to an advanced-level audience. Advanced Research Workshops (ARW) are expert meetings where an intense but informal exchange of views at the frontiers of a subject aims at identifying directions for future action.

Following a transformation of the programme in 2006 the Series has been re-named and reorganised. Recent volumes on topics not related to security, which result from meetings supported under the programme earlier, may be found in the NATO Science Series. The Series is published by IOS Press, Amsterdam, and Springer Science and Business Media, Dordrecht, in conjunction with the NATO Public Diplomacy Division.

Sub-Series
A. Chemistry and Biology (Springer Science and Business Media)
B. Physics and Biophysics (Springer Science and Business Media)
C. Environmental Security (Springer Science and Business Media)
D. Information and Communication Security (IOS Press)
E. Human and Societal Dynamics (IOS Press)

http://www.nato.int/science
http://www.springer.com
http://www.iospress.nl
Sub-Series E: Human and Societal Dynamics – Vol. 59
ISSN 1874-6276
Modelling Cyber Security: Approaches, Methodology, Strategies
Edited by
Umberto Gori
University of Florence, Italy
Department of Political Science and Sociology
CSSI (Centre for Strategic and International Studies)
ISPRI (Institute of Forecasting Studies and International Research)

Amsterdam • Berlin • Tokyo • Washington, DC
Published in cooperation with NATO Public Diplomacy Division
Proceedings of the NATO Advanced Research Workshop on Operational Network Intelligence: Today and Tomorrow Venice, Italy 5–7 February 2009
© 2009 The authors and IOS Press. All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without prior written permission from the publisher.
ISBN 978-1-60750-074-2
Library of Congress Control Number: 2009940564
Publisher: IOS Press BV, Nieuwe Hemweg 6B, 1013 BG Amsterdam, Netherlands, fax: +31 20 687 0019
Distributor in the USA and Canada: IOS Press, Inc., 4502 Rachael Manor Drive, Fairfax, VA 22032, USA, fax: +1 703 323 3668
LEGAL NOTICE: The publisher is not responsible for the use which might be made of the following information.
PRINTED IN THE NETHERLANDS
Chief Editor: Umberto Gori
Text Editor: Margot J. Wylie
Editor’s note: The views in each independent article of this publication are those of the respective author and the editor is in no way responsible for the individual authors’ opinions and statements. This publication is a product of the NATO ARW “Operational Network Intelligence: Today and Tomorrow”, but does not necessarily reflect the views of NATO.
Modelling Cyber Security: Approaches, Methodology, Strategies U. Gori (Ed.) IOS Press, 2009 © 2009 The authors and IOS Press. All rights reserved.
Introduction
Umberto Gori
University of Florence
Co-director of the NATO ARW
Securing cyberspace, however it is defined, is an extremely difficult strategic challenge that requires cooperation between the public and private sectors, military and civilian, of our societies. Cyberterrorism and cybercrime are on the rise. Almost all observers, with rare exception, share this view. The most important activities in the world today rely upon computers. It is therefore necessary to fully understand the characteristics, principles and challenges that underlie the development of secure information systems. Security should be considered within the entire context of information systems development and not in isolation. However, as Dr. Mouratidis has observed (1), the information systems engineering and security engineering research communities traditionally work independently. “As a result of this situation, security is usually considered after the analysis, design and implementation of the system has been completed. Security mechanisms are enforced into the system without considering the overall design and this usually results in problematic systems and security vulnerabilities”. One should not forget that the security of a system is only as strong as its weakest part. The Internet, which is now used as a weapon in the hands of terrorists and criminals, was not designed or created to withstand an environment under attack. Its protocols derive from the protocols of Arpanet, which was used by only a few scientists and researchers in a spirit of intellectual and scientific cooperation. Its evolution contributed to exceptional progress in many fields, social and technical, of human activity. At the same time, however, its impressive interconnectedness is now the major cause of its vulnerability.
Other causes of vulnerability are software flaws, users’ behaviour, an inadequate number of cyber security specialists, the insufficient amount of money allocated to activate countermeasures, and the lack – in my opinion – of a comprehensive and multidisciplinary approach to cope with the cyber threats. There is broad consensus that new methods for designing and engineering more secure systems are urgently needed. This implies more public intervention to fund research, as private companies usually neglect this type of investment. Another action to be taken is the internationalisation of efforts. Only international cooperation is likely to reduce, if not eliminate, the consequences of malicious attacks. According to a Symantec report, the year 2008 was dominated by new web infections (one new infected webpage discovered every 4.5 seconds), by malicious email attachments (five times more than the year before), by new ‘scareware’, i.e. fake antivirus software websites (five identified every day) which deceive users – myself included – and by spam (97% of business email) (2). In other words, the more technology advances, the greater the increase in the number of threats. Another source, CERT/CC – the Computer Emergency Response Team Coordination Center – has identified thousands of computer vulnerabilities, which only increase exponentially year after year. According to an IBM publication, in the first half of 2005 there were more than 237 million attacks on information security all over the world. States cannot control cyber crime at the individual state level and therefore international cooperation is highly needed. Some believe that privateering can be a solution to cyberspace threats, though this is not without complications (3). The situation is similar to the time when weak states had to rely on privateers, namely pirates with government sanction (Letter of Marque). In fact, most states today are unable to cope with the exponential rise of cyber threats and the excessive costs of countermeasures. The main characteristics, or properties, of security are: confidentiality, authentication, integrity, access control, non-repudiation, and availability. Normally, at least thus far, security is mainly considered a technical challenge, but other aspects should be considered. The human and social factors, for instance, may also have a significant impact on security. After all, security is a game of action and reaction. Technology has altered and corroded the State’s authority and strengthened non-state actors, in particular transnational crime and terrorist organisations. Cybercriminals and cyberterrorists have already “crossed over into the spectrum of information warfare”. As a consequence, states cannot control cybercrime at the individual state level. The Internet offers an ideal opportunity for cybercriminals to make money, organise attacks, infect our democratic institutions and our economies, while remaining in perfect anonymity. It is therefore imperative to elaborate measures, both national and international, against high-tech criminal behaviour. Because our traditional laws are devised to protect physical property and physical ‘goods’, and not the virtual assets of the world of computers, our juridical systems need to be revised as well.
The internet allowed Islamic terrorism not only to become a global phenomenon but also to create a virtual community corresponding to the Umma of Salafism. In other words, as everybody can see, cyber-threats are likely to be a major problem in the years to come. Of the ten information warfare trends discussed by K. J. Knapp and W. R. Boulton (4), I would like to mention only five: the various dangerous forms of cyber weapons, such as ‘e-bombs’; how the private sector and the non-critical infrastructures are the primary target, and how, should the critical and/or military targets be hit, avoiding heavy retaliation ought to be a consideration as well; that cyber technology is increasingly used in influencing public perception; that cyber technology is increasingly used in corporate espionage; that cyber technology is increasingly used against individuals and small business. Our NATO Advanced Research Workshop Operational Network Intelligence: Today and Tomorrow, held at the Italian Navy Arsenal in Venice in February 2009, tried to take all of these problems into account and to rethink present strategies and identify urgent measures to be taken in order to minimise the strategic and economic impacts of cyber attacks. The book is divided into three parts. The first section addresses various conceptual approaches to security, and the issues connected to the conceptualisation of such; several actual methods employed for security purposes, beginning with the concept of cryptography and how it is applied; and the description of other security methods/systems. The section concludes with two articles that illustrate concrete examples of actual security approaches. In the introductory article, Niv Ahituv explains why an open information society (OIS) is inevitable and how shared information may lead business to evolve toward one of two possible extremes: global monopolies or a much more creative and sophisticated
form of management. OIS may also generate a magnified version of “1984”, or a better and improved process of recruitment and human communications. The essay by Ari Vidali explores some of the root causes of the usability problem and how proper security practices are consistently being ignored or circumvented by the users. After all, the security of any information system is only as strong as its weakest link, i.e. human beings. The question is whether it is possible to reconcile maximum security, which requires a ‘closed system’, and maximum utility, which requires ‘openness’. Some very concrete proposals are put forward. Haris Mouratidis describes a methodology that takes both the technical and social aspects of security into consideration, arguing that a security focus should be introduced throughout the development lifecycle. He believes that Secure Software Engineering (SSE) “is concerned with the unification of any area of research that can contribute to the development of knowledge (theoretical and practical), principles, practices as well as the establishment of a research agenda regarding secure software systems development”. In other words, SSE should become a real discipline. Serena Lisi, a former student of mine, deals with an interesting problem: how to reconcile two different approaches to the theory of codes, the technological one and the cultural and allegorical one. She is of the opinion that the two approaches are progressively merging together to create a new integrated and fuzzy approach along the line of thought of Bart Kosko, the well-known scholar and author of Fuzzy Thinking: The New Science of Fuzzy Logic. On the same subject, but from a mathematical and a revolutionary point of view, Gerardo Iovane demonstrates, with fascinating and sophisticated reasoning, that the sequence of prime numbers is deterministic, and not stochastic, as everybody has believed for several centuries.
But the genetics of primality shows us a potential and intrinsic weakness of current security systems, since numerical security keys are based on prime numbers. The reaction to this threat – Iovane says – must be synergic. The conclusion is alarming: since we will probably have more accurate and rapid algorithms to generate numeric keys to crack code and data encryptions in the near future, it is high time to find new strategies, both technological and social. Otherwise, “the progress of knowledge could itself become a Trojan horse and defeat us”. Dario Sgobbi, of the Italian Navy, contributes two essays to this book. His co-authors are Guglielmo Morgari (for the first paper) and Marco Paggio (for the second). The first contribution, which requires a sound knowledge of mathematical concepts, deals with asymmetric (public-key) algorithms. A possible classification of the various cryptographic techniques is presented, with particular emphasis on the RSA (an acronym from the names of R. Rivest, A. Shamir and L. Adleman) and Diffie-Hellman systems. It is worth mentioning here that Shor’s algorithm (a quantum algorithm for integer factorisation) is important because it can – at least in theory – be used to ‘break’ public-key cryptography. In addition, elements of complexity theory are discussed, since evaluating the complexity of an attack shows whether that attack is feasible in practice. The second paper deals with the security process, and analyses some classifications and properties of two technologies which enhance the process itself: the Intrusion Detection System (IDS) and the Intrusion Prevention System (IPS). In his essay, Paolo Campobasso warns that information warfare has moved beyond the military dimension and has begun to threaten the commercial world as well. In particular, the banking and services industries have at the same time become targets and “innocent” technical supporters of cyber terrorism. Therefore, there is great need for
international response through close cooperation with the military and law enforcement agencies on all levels. The paper by Esti Peshin presents an approach to protect Critical National Infrastructures via unidirectional connectivity, namely connecting them with less secure networks via real-time physical unidirectional gateways (using a single fibre optic cable). This system eliminates the risks that arise from standard, incomplete IT security measures. A case of critical infrastructure protection concerns the electricity distribution network. It is the case discussed by Pascal Sitbon in his paper, which deals with the security approach taken by the ERDF of Electricité de France for its pilot project of 300,000 smart metering points in view of the general deployment of the system in the country. It is worth mentioning that the world’s largest smart meter deployment (to over 27 million customers) was undertaken in Italy by ENEL between 2000 and 2005. Obviously, due to the widespread distribution of this electronic device, there is an elevated possibility of cyber attacks, similar to the one made against the AMM (Automated Meter Management) of ENEL. The conclusion by the author is that all metering actors should be involved in a global security approach as early as possible. The second section concentrates on terrorist attacks and attacks on critical infrastructures and concludes with various police and military force operations and approaches. Anat Hochberg-Marom presents a marketing strategy to counter the global terror of Al-Qaeda’s leaders. On the basis of her quantitative-statistical content analysis of the statements of Al-Qaeda’s leaders, she finds that they adopt a ‘nihilistic-destructive’ approach and aim to destroy the Dar al Harb. The Jihad is considered the highest religious value (rated 41%), whereas the Ummah is rated only 25%.
As radical movements behave as rational actors, it is possible to use rational models and theories to study their strategies and reduce their nefarious influence. Counter-marketing warfare is urgently needed. Another paradigm for countering Jihadism is offered by Antonio Guido Monno, more or less along the line described by Hochberg-Marom. His approach, however, far from being quantitative and statistical, reflects a sound historical knowledge of Islamic culture, and advocates a strategy of defence against Islamic ‘fundamentalism’ that implies the use of scholars and experts of the Islamic world directly in the field of cyber-counterintelligence. Although cultures are not transmitted easily, it is possible to counter the “jihadist” interpretations of the Quran, which are not consistent with the tenets of classical Islamic theology. Claudio Cioffi-Revilla uses deterrence theory to examine whether deterrence is feasible in cyber space (“Cyberia”). After discussing the conditions that make deterrence reliable, and introducing some key innovations made possible by computational social science (such as genetic algorithms), the author concludes that “the value of a deterrence strategy for ensuring cyber security seems to decline with the decrease of the formal organisational level of the potential attacker”. In other words, deterrence seems viable if the potential attacker is a State. In other cases, if the threatening actor is an individual or a clandestine organisation, the best strategy seems to be a preventive one. The paper by Maurizio Agazzi defines our time as the collective intelligence era, in which an enormous quantity of information is shared through Internet platforms. Starting from this idea, the author focuses his research on the illegal underground economy and the malicious use of web forums by cyber-criminals. Phishing generator toolkits,
password recovery tools, encryption and compression utilities, mobile viruses, credit card information, identity theft information, and so forth, are some of the goods and services which are traded from servers located in countries which do not combat cyber-crime activities. In particular, malicious botnet applications are some of the greatest threats, as exemplified by the case in Estonia. A prospective real-time system based on the artificial neural network model could perhaps be effective in identifying attacks right from the initial stages, on the condition that supranational coordination be possible. Y. Elovici and A. Shabtai deal with the protection of critical information infrastructures (CIIs) from malware. These attacks may be conducted in the initial stages of conventional wars to achieve a strategic advantage in command and communication capabilities. The authors describe three alternative approaches to secure the networks: detection of malware by the network service providers (NSP) to prevent innocent users from being exploited and used as launch pads for attacks on CIIs; protection of the CIIs’ overlay network; detection of hidden botnets. The centralisation of the protection of the CIIs is the strategy used in Italy, Domenico Vulpiani and Sergio Staro say in their paper. In fact, it is the Postal and Communications Police Service (a specialised Agency of the Italian State Police) which has the exclusive competence of protecting the critical information infrastructures of the country. For this purpose, a National Cyber Crime Centre for the protection of CIIs was instituted in 2005. Moreover, this body is also entrusted with the prevention of and response to the various forms of cyber crime, such as common crimes, organised crime and terrorism. The role of the Carabinieri Corps in the fight against cyber terrorism is described by Giovanni Cataldo. Specialised units of the Corps are trained to use the latest telecommunications interception technology.
Obviously, no police force or intelligence agency is exclusively in charge of monitoring Internet sites. An Anti-terrorism Strategic Analysis Committee, whose members are officials from the security and intelligence forces, meets every week to decide synergic counter-measures. The transition from cyber crime and cyber terrorism to something similar to a cyber war is examined by Ferdinando Sanfelice di Monteforte, who, starting from the NATO Declaration on Alliance Security of April 2009 that defines cyber attacks as “new, increasingly global threats”, refers to the recent attacks on Estonia and Georgia that were supposedly delivered by a State actor. The train of thought is complementary to the one suggested by Cioffi-Revilla, but whereas that author defines the technical rules of a possible retaliation, the Admiral examines the political conditions and effects of the same. We come, at this point, to the last section of the ARW, which focuses on the European measures and several related legal issues. The first paper in this section deals with the role of Europe in matching today’s asymmetric threats. In the first part, Giancarlo Grasso underlines how the philosophy of the European Union is aimed at reconciling two apparently opposite concepts such as security and privacy. The protection of human rights is one of the fundamental values at the basis of the EU’s material constitution. In the second part, the author emphasises the necessity to pass from interoperability to network-centric systems in the struggle against terrorism. Here, and in some other cases, the paper has a normative approach, though it also underlines some EU achievements (e.g. EDA, FRONTEX, ESRIF). The second essay of the section is authored by Alessandro Gazzini and Andrea Rigoni. It adds new valuable information with regard to the steps taken by the EU to
ensure information sharing among its Member States. Examples, such as ENISA (European Network and Information Security Agency), NEISAS (National and European Information Sharing and Alerting System), CIWIN (Critical Infrastructure Warning Information Network) and so forth, are considered by the authors, who also describe the many benefits of information sharing both for the Member States and private stakeholders. In short, information sharing (IS) is mentioned by the EU as “one of the key elements of a successful critical information infrastructure protection strategy”. Clearly, bi-directional trust is the pre-condition for IS to work successfully. The last two contributions have a legal approach. The paper by Eneken Tikk deals with the privacy-security antinomy and how it is managed in the EU context. Another point discussed regards the difficulty of transmitting the personal data of EU citizens to NATO or non-EU States due to the stringent European legislation in the field. Another problem to be solved concerns the necessity to demonstrate the relevance that a given cyber incident has for NATO in order to activate the proper measures of the Alliance. Despite some difficulties, more cooperation between the EU and NATO is highly needed. Hence, the paper is in some way complementary to the two previous ones. Last, and hopefully not the least, the essay by Ivo Paparela creatively expresses, in a non-traditional form, his question as to whether the legislation in the NATO countries, and in particular in Eastern European countries, is adequate and capable of supporting law enforcement agencies in their fight against cyber criminals. The conclusions, after having conducted research on some legislation on cyber activities, are – according to the author – pessimistic, though provisional. The reasoning seems to be correct, but he who writes these lines wants to emphasise that the responsibility for some statements in this essay is solely that of the author.
Some final proposals were elaborated in our Workshop. Each participant was asked to propose two or three concrete solutions in the area they personally felt was of critical importance. What follows is a compendium of their proposals and ideas. Many conference participants presented more than one proposal, often in more than one area of cyber security. Therefore, the proposals have been arranged according to argument in order to facilitate comprehension and identify common themes; the compilation and organisation of these was carried out by Margot J. Wylie, BSc. at the University of Florence, one of our most brilliant students, to whom I want to express here all my gratitude and appreciation. The proposals may be divided into general work areas, such as: research, legislative and regulatory measures, co-operation, strategies, technical and economic measures. All recognised that to face the multifaceted problem of cyber security it was necessary to work on different layers, not only in their field of research and development, but also in all areas that are touched by questions of cyber security. As far as research is concerned, several proposals regarded specific suggestions of methodology and approach. Essentially, a multidisciplinary approach was suggested in reference to the study of cyber security and crime. One suggestion specifically advocated the combination of methodologies, such as mathematical programming, object-oriented and agent-based modelling, and fuzzy logic, with risk management tools, such as fault tree analysis, failure modes and effects analysis (FMEA), etc., to identify, monitor or predict possible disruption factors related to operational or social networks. Another was based on implementing marketing and management tools and concepts to better understand and analyse the global terror phenomenon and terrorist organisations and their use of the Internet.
Other proposals regarded the creation of multidisciplinary research centres and projects with experts coming from all sectors. From the presentations and discussions held during the conference, it became very clear that there is great need for collaboration between various areas and sectors of society when facing questions of cyber security. Several suggestions highlighted the need for the creation of an international network of cyber security centres of excellence. Others recommended that NATO hold a leading and important role in stimulating joint research projects and centres, and that private, academic, law enforcement and military resources should be involved in such projects with the objective of developing active information defence and protection measures. Other suggestions emphasised the need to create a merger between private and public institutions, and to form serious, lasting forms of co-operation with research centres and universities. Some research proposals focused on the specific objective of gathering information on cyber events. The aim of these proposals revolved primarily around obtaining the data necessary for gaining a clear understanding and picture of the global incidence of cyber crimes and threats, especially in regard to the protection of critical infrastructures. Although, as some participants observed, there are already existing initiatives that collect, aggregate and analyse cyber threats as part of an early warning system (see www.itu.int/cybersecurity), there are many possibilities to extend or expand the reach and scope of such initiatives. In fact, it was suggested that an international observatory or observatories be created within the NATO or EU framework that would be able to systematically record cyber events.
Should more than one observatory or centre be constituted, NATO would be able to compile all reports of threat analysis from the various centres, thus making it possible to compare the threats and threat levels between member States. Several other proposals were of a specifically more academic or cultural nature. While it is evident that technical and legal measures are of paramount importance, not to mention co-operation and preparing viable and practical approaches in response to eventual real threats, the cultural aspect was certainly not ignored. Several proposals took a preventative approach, underlining the necessity of understanding the mechanisms and reasons for which people are drawn to visit extreme or radical websites and the motivations behind why they ultimately join extremist or radical groups, hence becoming threats in both our physical and virtual space. The creation of a research institute, possibly even of a virtual nature, composed of three to four interconnected centres was suggested. The purpose of such an institute would be to monitor websites in order to understand what people are looking for or doing with a particular site itself. The scientists and academics involved ought to include specialists not only Western in origin, but also those from the regions from which extremist or radical cyber activity originates. From the information gathered and the conclusions made by the centres, preventative solutions aimed at facing threats even before they became serious would be possible. Proactive cultural activities and measures could then be realistically implemented to stop or reduce the dissemination and propagation of radicalism. It was also suggested that the centres of the research institute divide among them the topics relevant to cyberspace and send monthly reports to NATO and the interested states and governments.
On a general note, it was suggested that a culture of security ought to be fostered at the university level and that security considerations ought to be inserted in any project right from the beginning.
Other proposals were of an overlapping nature that seemed to interconnect the concepts of legislation, cooperation and the division of competence, wherein legislation not only addresses both the general and specific areas of cyber-security, but is also delegated to various levels of government. Various forms of cooperation are proposed, as are assorted combinations of actors to be involved in such cooperation. The need for the implementation of a certification process for IT/SW products was addressed by several participants in the conference. It was suggested that legislation be created to ensure best practice. It was also suggested that incentives be created to stimulate all solution providers to take security requirements into account and to follow best practice. Creating forms of sponsorship to ensure security measures from the beginning of solution development was suggested as well. In discussing the content and management of websites, it was recognised that a legal problem exists when defining radical and extremist expressions on the Internet. How does a State or group of States, such as the EU or NATO, define these terms and give them parameters? How does one decide what is considered to be ‘unacceptable’? Several solutions were proposed regarding this issue. It was suggested that the EU legislation on incitement to hate and violence be integrated into the national legislation of each Member State. When dealing specifically with the removal of websites, Member States ought to agree on a notice and take-down procedure. In cases where laws already exist, they must be implemented and they need to be effective. A possible solution to issues regarding legislative gaps, i.e. when no legal justification exists to remove or shut a website down, was to invite moderators of radical or extremist websites to discuss content and ask them to filter their information.
Making an inventory of all legislation and other legally binding acts regarding cyberspace, and more specifically cyber-criminality, that currently exist within the EU and NATO countries could be a starting point for any initiative in the legislative field. It presents not only the possibility of determining what measures do and do not exist, but also the possibility of comparing the existing measures and their effectiveness. It was also suggested that candidate countries (for instance, Albania and Croatia) be subject to a special audit in order to determine the extent to which their internal legislation corresponds to the EU acquis on cyberspace and cyber-criminality. This point was made with the reservation that excessive legislative standardisation and homogenisation be avoided. The need to legislate and create regulatory institutions in the field of cyber security was discussed at length; at the same time it was recognised that an important division of competence must not be disregarded. In fact, it was pointed out that two fields of competence exist, as do two institutions. While NATO is, and ought to continue to be, responsible for operational and technical issues, the EU Commission is the body responsible for the regulatory aspects of cyber security. It ought to create regulatory institutions and set up security standards, and modify existing laws and create new ones where needed. The EU ought to work on the financial and legal aspects connected to the creation of these structures and inform citizens of all matters connected to such activity. What is essential, however, in perpetuating and sustaining cohesive and coordinated action is close co-operation between NATO and the EU.
The proposal, therefore, suggested that an apposite roundtable be created around which EU Commission and NATO representatives are equally represented and whose objective would be to ensure that the two institutions work more closely together and to guarantee a cohesive and rational development of the respective competencies.
With regard to information sharing, one proposal specifically concerned the necessity of developing policies and legislation at the EU level in order to ‘neutralise’ competitive behaviours when dealing with security information exchange platforms and forums; without such measures, the exchange of information would most likely fail or lack content. Co-operation was a dominant theme throughout the conference: it was understood that in order to fight cyber terrorism and crime, there must be co-operation. Suggestions ranged from proposals to involve each country’s respective politicians and policymakers when speaking of the security sector (to be managed within the EU context), to creating forms of co-operation to bring military and police forces together (within the NATO environment). On a broad scale, the EU and NATO organisations would need to remain in close contact. Other proposals emphasised the need to enhance co-operation not only between the respective governments, armed services and universities, but between these sectors themselves. In all of these proposals, however, it was underlined that individual roles must remain delineated and separate, wherein the military must maintain its sphere of competence, the government must maintain its role, and so forth. To promote clarity and facilitate co-operation, it was proposed that an organisation or organisations on the civilian level comparable to those existing within the government or military be established. A further proposal focused on security issues arising in the so-called ‘last mile’, in other words, security issues related to end-user use. In fact, while large companies have the money to invest in the R&D of security systems to protect their business, small to medium-sized companies or peripheral offices without the money to invest in security often remain, if not unprotected, highly exposed and vulnerable to attack.
Another weak point in end-user use for small to mid-sized companies is the constant contact with local IT maintenance companies that work unsupervised in the vast majority of cases. The suggestion was to give this last mile more attention and, under the supervision of NATO, to invest in creating a common policy. A workshop could be formed on the creation of inexpensive and certified common tools for the companies and entities exposed or at risk. It is important to note that, due to market mechanisms connected to the rules of competition, without the organisation and guidance of a public entity or the establishment of a public framework, such as could be done with the EU or NATO, economic agents will not come together to resolve these security issues. The concept of information sharing was a common theme in the proposals made by the conference participants. While it was recognised that various experiences in security issues ought to be shared and divulged via solutions such as an interoperability platform based on web 2.0, or through the creation of a Wiki on topics such as vulnerabilities, cyber incidents and technical solutions, it was also recognised that security concerns had to be respected when developing these systems or platforms. It was suggested that there be various phases of information sharing, beginning with less confidential material. A proposal was made to create a protected network specifically intended to link key players together and permit the safe transmission of classified information within the context of multi-level co-operation. Internet surveillance was an important theme, addressed by several conference members. Surveillance, however, was tightly coupled with the concept of increasing public awareness of cyber security and giving the public a space to communicate with the authorities on questions of cyber security.
One suggestion to increase public awareness was to establish an international security awareness day that would involve all levels, including small to medium enterprises.
As for cyber security itself, it was generally perceived that our ‘virtual’ boundaries are not as well protected as our physical boundaries and, therefore, it was suggested that measures be implemented to carefully monitor traffic over national, EU and NATO network exchange nodes. Given that cyber space ought to be considered a public space, proposals were also made to actively monitor the Internet, just as the streets are (a pilot study in the Netherlands has already had some success). The surveillance proposal focused on involving end users in publicly policing our virtual community through the creation of a reporting centre responsible for monitoring suspicious activity on the Internet. All information gathered could then be passed on to NATO from the various reporting centres, and NATO would systematically compare the information collected from each Member State. One proposal focused on the need to develop theoretical and practical models of radicalisation using actual law enforcement case files (as was mentioned by a conference participant, a separate ARW is dealing with just this topic). The model could then be used to improve analysis capabilities by creating analytical tools which could be distributed to Member States by NATO. NATO itself could be the forum within which experience and the effectiveness of each Member State’s tools are exchanged. When speaking of actual strategies and practical approaches to address cyber security issues, cyber attacks or threats of any sort, it was recognised by many conference participants that role models and strategies have to be created, and that EU and NATO countries must be prepared to face future threats from ‘virtual’ space. Diverse solutions on how to prepare and be prepared on a practical level were proposed. The need to maintain an awareness of what is being done in the rest of the world, or in the multitude of sectors that are daily faced with questions of security, was pointed out by one conference member.
One proposal advocated the establishment of a response convention that could be activated in the eventuality that a given country were attacked, a convention that would put response plans in place and that would stimulate the exchange of information on a tactical level. Another proposal urged the creation of exercises and drills to increase response capability by preparing response teams and operators for extreme situations. It was also pointed out that many of the proposals and actual policies focus on the response to attacks and take a defensive approach. It was suggested that a think tank be instituted to develop offensive measures and, as a first step, learn the processes of deradicalisation. Of the proposals made, many were technical in nature. In this broad category, it was possible to identify such themes as: the development of IT security systems and solutions, the use of hackers in systems tests, and, from a more economic perspective, the reduction in costs and time employed in the development sector. In the proposals that dealt with systems and solutions development, it was generally recognised that today’s networking is still based on protocols that are fundamentally not secure (IPsec and IPv6 being the evolution of TCP/IP), and therefore a new and secure network protocol that incorporates security measures right from the initial development stage is in order. At the same time, it was pointed out that the file systems normally used to store and manage information, even in classified environments, do not guarantee the security of the information itself. It was proposed that a secure system be developed wherein security is considered throughout the development stages. It was agreed that encryption methods ought to play an important role in securing not only the storage and management of information, but also its transmission over the network. The development of electronic labelling technologies was also suggested for the secure transmission of information over the networks. One proposal specifically referred to finding new methods to increase the level of security of end users. While it is known that many advances have been made in biological parameters, it was suggested not only that the area of human emotions be explored, but also that the use of images be researched to see how these might be applied in increasing the level of security of end-user access. It was also recognised that there ought to be established security standards and certification processes. In the meantime, however, there ought to be an immediate, if temporary, solution for assuring that our systems and network solutions are safe. One of the recurrent themes in the proposal session was that the security level of all systems and network solutions must be tested. The dominant idea was to involve or use hackers to test whether information systems are secure or not, be that via red teaming or by launching a challenge to hackers to try and penetrate the test networks of a distributed and open source model. A variation of this theme was to create technical groups whose remit is to systematically attack systems in order to reveal any weak points that may exist. Last but not least, practical aspects of an economic nature were addressed in several proposals regarding the fields of research and development. While it was clear that investments needed to be made in IT technology and research and that security measures and requirements ought to be incorporated right from the outset, it was also pointed out that both the costs and the time invested in the research and development of actual IT security solutions, and in the evaluation of such solutions, had to be reduced. At the end of this brief presentation of the main results of this Workshop, I feel it my duty to give my thanks to a group of colleagues and friends.
First of all, I want to express my gratitude to Dr. Shai Blitzblau, University of Tel Aviv and co-director of the ARW, whose scientific and impressive technical know-how was indispensable for the success of the conference. His ideas and long experience animated the workshop. It only grieves me that, due to his overwhelming activities, he could not produce an essay for this book in due time. Thanks also go to my friend Paolo Lezzi, who, from his office at Maglan Group in Milan, helped in the difficult task of organising the event. I owe heartfelt gratitude to Margot J. Wylie, already mentioned, for her intelligent, painstaking and enthusiastic work of synthesising the discussions held during the sessions. Without her contribution this presentation would have been much more difficult. Moreover, she is also to be credited for revising all the papers from a linguistic and publishing point of view. My debt of gratitude also goes to my young colleague Ilaria Maltagliati, who assisted me in the long months of preparation of the meeting with intelligence, spirit of initiative and enthusiasm. The same should be said of Serena Lisi, one of the authors in this book, whose artistic temperament and vivacious eclecticism contributed to the publicity campaign and formalities of the initiative. Both of them are working in the University Centre of Strategic and International Studies (CSSI). Some other friends deserve to be mentioned here: Renate Cuda Sommerfeld, Jacqueline Marchal, Anna Maria Petruccelli, Reut Rahav and Pietro Stopponi, whose suggestions and clerical assistance during the meeting contributed to the success of the ARW. Obviously, my thanks go to the key speakers who animated the discussions of the (about) eighty participants coming from fifteen countries of the world, and, in particular, to those of them – the major part – who put their ideas down in writing and made this book possible.
Last, but not least, my deep gratitude goes to the Defence General Staff, and in particular to the Italian Navy, which agreed to host the ARW in its ancient and historic dockyard in Venice and offered invaluable logistical support. My gratitude also goes to the sponsors – Unicredit, Waterfall Solutions, Ispri/Cerpre, Agricola snc. – which helped make the costs of such an expensive city as Venice affordable. All sectors of society were represented at a very high level around the table: the university, industry, banks, the military, police forces, computer scientists, lawyers, mathematicians, technicians, and so forth. Against the same threats they felt themselves a community: the only way to face terrorism and crime. Thanks to all of them.
Umberto Gori
University of Florence, August 2009
Notes
(1) Secure Information Systems Engineering: A Manifesto, in: “International Journal of Electronic Security and Digital Forensics”, vol. I, issue 1, 2007, pp. 27–41.
(2) Michael Tanji, INFOSEC Privateering as a Solution to Cyberspace Threats, in: “Journal of Cyber Conflict Studies”, vol. 1, issue 1, pp. 4–10.
(3) Green Cloud Security, White Paper: Top 7 Security Threats in 2009, 2008–2009.
(4) Kenneth J. Knapp and William R. Boulton, Ten Information Warfare Trends, in: L. J. Janczewski and A. M. Colarik, Cyber Warfare and Cyber Terrorism, IGI Global, Hershey, PA, 2008, pp. 17–25.
Suggested Readings
• Cyber Security: A Crisis of Prioritization, Report to the President, NCO/IT R&D, 2005, pp. 58.
• W. Stallings, Cryptography and Network Security: Principles and Practice, 4th Ed., Prentice Hall, Upper Saddle River, N.J., pp. 592.
• H. Jahankhani, Evaluation of cyber legislation: trading in the global cyber village, in: Int. J. Electronic Security and Digital Forensics, Vol. I, No. 1, 2007, pp. 1–11.
• D. L. Watson, Stealing corporate secrets using open source intelligence (the practitioner’s view), in: op. cit., pp. 71–75.
• S. Ahsan, IT enabled counter terrorism infrastructure: issues and challenges, in: op. cit.
• M. Watney, State surveillance of the internet: human rights infringement or e-security mechanism?, in: op. cit., pp. 42–47.
• L. Yang and S.H. Yang, A framework of security and safety checking for internet-based control systems, in: op. cit., Vol. I, No. 1/2, 2007, pp. 185–200.
• N. Stakhanova, S. Basu, J. Wong, A taxonomy of intrusion response systems, in: op. cit., pp. 169–184.
• M. P. Gallaher, A. N. Link, B. R. Rowe, Cyber Security – Economic Strategies and Public Policy Alternatives, E. Elgar Publishing, Cheltenham, UK and Northampton, MA, USA, 2008, pp. 266.
• L. J. Janczewski and A. M. Colarik, Cyber Warfare and Cyber Terrorism, IGI Global, Hershey, PA, 2008, pp. 529.
• N. Carr, The Big Switch: Rewiring the World, from Edison to Google, W. W. Norton & Company, New York, 2009, pp. 276.
Contents
Introduction (Umberto Gori) vii
Section 1. Approaching Security
Section 1.1. Conceptual Approaches to Security
Thoughts on the Open Information Society: Does the Concept of “Privacy of an Organisation” Exist? (Niv Ahituv) 5
Striking the Balance: Security vs. Utility (Ari Vidali) 11
Secure Software Engineering: Developing the New Generation of Secure Systems by Introducing a Security Focus Throughout the Development Lifecycle (H. Mouratidis) 29
Section 1.2. Current Methods Applied to Security
A Fuzzy Approach to Security Codes: Cryptography Between Technological Evolution and Human Perception (Serena Lisi) 43
Cryptography and Security: Evolutionary Information Theory and Prime Numbers Genetics (Gerardo Iovane) 52
A Note on Public-Key Cryptosystems and Their Underlying Mathematical Problems (Dario A.M. Sgobbi and Guglielmo Morgari) 59
Intrusion in a Mission Critical Network: A Tutorial on Intrusion Detection Systems and Intrusion Prevention Systems (Dario A.M. Sgobbi and Marco Paggio) 68
A World-Wide Financial Infrastructure to Confront Cyber Terrorism (Paolo Campobasso) 75
A Pragmatic and Foolproof Approach for Connecting Critical/Industrial Networks to External Less Secure Networks (Esti Peshin) 79
A Cyber Security Approach for Smart Meters at ERDF (Pascal Sitbon) 93
Section 2. Understanding Terrorism and Its Interaction with Critical Infrastructures
Section 2.1. Facing Terrorist Attacks and Attacks to Critical Infrastructures
Al-Qaeda: Its Global Marketing Strategy (Anat Hochberg-Marom) 109
A New Paradigm for Countering Jihadism (Antonio Guido Monno) 114
Modelling Deterrence in Cyberia (Claudio Cioffi-Revilla) 125
The Cutting Edge of Cyber Network Development – A Paradigm to Translate and Predict the Network Strategies of Avant-Garde Cyber Criminals (Maurizio Agazzi) 132
Protecting Critical Infrastructures from Cyber Attacks Involving Malware (Y. Elovici and A. Shabtai) 140
Section 2.2. Police and Military Force Operations and Approaches
Protecting Critical Information Infrastructures: Domestic Experience and Competencies of the Postal and Communication Service of the Italian National Police (Domenico Vulpiani and Sergio Staro) 153
Fighting Terrorism in Cyberspace (Giovanni Cataldo) 160
Cyberspace Control: How to Avert a Cyber World War (Ferdinando Sanfelice di Monteforte) 165
Section 3. European Measures and Legal Aspects
The Role of Europe in Matching Today’s Asymmetric Threats (Giancarlo Grasso) 173
Information Sharing in the Context of European Union Critical Information Infrastructure Protection (Alessandro Gazzini and Andrea Rigoni) 182
Defining Critical Information Infrastructure in the Context of Cyber Threats: The Privacy Perspective (Eneken Tikk) 189
Crimen Ex Machina: A Legal Approach (Ivo Paparela) 199
Curricula Vitae of the Authors 205
List of Participants. NATO ARW – Operational Network Intelligence: Today and Tomorrow 209
Subject Index 213
Author Index 215
Section 1 Approaching Security
Section 1.1 Conceptual Approaches to Security
Modelling Cyber Security: Approaches, Methodology, Strategies U. Gori (Ed.) IOS Press, 2009 © 2009 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-074-2-5
Thoughts on the Open Information Society: Does the Concept of "Privacy of an Organisation" Exist?
Professor Niv Ahituv, Academic Director, Netvision Institute for Internet Studies, Tel Aviv University
Abstract. It is argued that computer networks proliferate to such an extent that individuals and organisations, for the most part, might as well give up in their efforts to protect most of their databases. Moreover, most of the information required for management decision-making processes is open and readily available on the web. As for individuals, it is not certain whether privacy is what they are looking for. The virtual community networks and the global social networks (e.g., Facebook, LinkedIn, YouTube, and blogging) provide counter-privacy-seeking examples. Electronic information and on-line data analysis are accessible to everybody, be it an individual, a firm or a government. This eventuality heralds the dawn of a new era for society: the open information society (OIS). This article focuses on organisations rather than on individuals. It explains why an open information society is inevitable and how this stage of societal development has almost been reached. In particular, the implications for organisation management are discussed. The assertion presented is that shared information may lead businesses to evolve toward one of two possible extremes: global monopolies or a much more creative and sophisticated form of management. As far as relationships between individuals and organisations are concerned, the OIS may generate either a new form of feudalism, in which the organisation fully controls its employees ("1984" augmented with information technology), or better and improved processes of recruitment and human communications. With regard to the protection of and the search for information, it is better to focus on tightening security for a very limited segment of the organisational information, thus freeing up resources that may then be directed toward "legal" searches in open information depositories.
Keywords. Privacy, Privacy of an Organisation, Open Information Society, Information Security
Introduction
In the not-too-distant future, it will be hard to find a company that doesn't embrace the Open Information Society (OIS) framework [1, 2, 3, 4]. Any company that tries to ignore it is guaranteeing its own extinction. The purpose of this article is to attempt to analyse the implications that the OIS has on businesses and organisations.
N. Ahituv / Thoughts on the Open Information Society
1. Trend-setters
Like it or not, business and industry usually set a lot more trends than governments or private individuals. Logic dictates that legislatures should shape the framework for what is considered acceptable behaviour in a democratic society, but reality is a different ball game. The private sector believes in the free market; if there's a good idea out there, business will jump on the bandwagon. Government and the public sector, on the other hand, nearly always lag behind. They are so concerned with politically and administratively doing the right thing, and so preoccupied with the bureaucratic mechanisms that they have built themselves, that they display an inherent conservatism at nearly every step of the way. For many companies, the OIS is a lot more than a distant and future vision; it has already happened, and it's helping them carve and expand market niches while their competition falters. Take some of the leading airline companies, for example. They now encourage customers to take advantage of e-ticketing since they have realised that it is less expensive for them, in terms of the costs associated with checking in and the commissions paid to travel agencies. Not only have they offered reduced prices for e-tickets, but as an incentive they have also opened separate check-in lines for customers with electronic tickets, promising that the process is more expeditious.
2. The Innovators
Excluding NASA, which spends billions of dollars in research areas that no business could ever even afford to contemplate, and a few industrial sectors in which R&D is largely government-funded (such as aerospace, nanotechnology and nuclear energy), most technological innovations come from the private sector. Relatively unencumbered by political constraints, the business world examines a situation with a critical eye as to what is possible and what may be profitable. Lawmakers, on the other hand, tend to be conventional, and it is tough to convince them that change is occurring as rapidly as it is. While they ought to be the ones paving the way for the OIS, realism forces us to understand and accept that, due to the respective characteristics of legislators, the legislative process and the economy today, the business world will lead the way. Evolving information technology offers too many examples to count where technological progress has outstripped the laws that govern it. All one has to do is look at what happens when people start to do business electronically. Good old-fashioned signatures have become a thing of the past, and now it has become difficult to prove in court that commitments were made. A large number of countries have recently instated laws to deal with the legitimacy and authenticity of electronic signatures. However, such laws and regulations would never have been created had a true need not emerged from the private sector. One might then ask, what happens when a computerised inventory control system and an online ordering system make a decision together to ship merchandise from the vendor’s warehouse to the customer’s storage centre? Since no human being was involved in the decision to ship goods, who is responsible in the event of a dispute? Moreover, suppose the vendor and the customer reside in different countries and the warehouse is located in a third country; which legal system will be enforced should there be a dispute? In the event that the merchandise is downloaded electronically, such as music or software, how do the customs authorities collect the tax, or how does the national bureau of statistics analyse the annual balance of payments (import–export) rates? It's important to understand that only a handful of big companies can afford to sit back and wait for the government to blaze a trail through the technological wilderness. While lawmakers struggle to comprehend and adequately respond to this rapidly shifting reality, big business is pushing forward and contributing to this daily changing reality. This in turn creates further difficulties for legislators in their endeavours to legislate. The current lag between the creation of legislative boundaries and standards and the actual current situation means that a lot of time and money are being wasted. The only alternative would be to stop the clock on change, and this is clearly not in the interest of the business world. In most cases, businesses operate in order to turn a profit. They make decisions on the basis of economics, not a love of high-tech "toys." Therefore, they cannot be halted and their commercial initiatives cannot be suspended.
3. The Key: Good Communications
The mere act of acquiring PCs, servers and other computer hardware doesn't guarantee a rosy future for any company, just as having an excellent product isn't always enough to ensure success. The key to success is twofold: good communications among all of those computers, and learning how to integrate and exploit the data accumulated on them. As increasing numbers of companies computerised their internal distribution systems, they turned to and began to focus on their relations with the outside world. This holds true for Electronic Data Interchange, hereinafter EDI. When this technology began to show promise in the late 1980s, a few large corporations tentatively embraced it. However, only when companies like Eastman Kodak, IBM and GM announced that EDI was mandatory for anyone who sought to do business with them did it get its first serious boost. Today, of course, governments use it (e.g., e-government applications), and laws regarding this new style of completing transactions have been either instated or tabled. Nobody disputes, however, that big business got EDI off of the drawing board and into the warehouse or the virtual retail store long before legislators began to regulate it. What was one of the first organisations in Britain to address the complex issues of standardising coding guidelines? None other than an alliance of retailers, wholesalers and manufacturers who had set standards for product coding and scanning. Government didn't do it. Individuals didn't do it. Business - large and small - did it, and the world followed suit. EDI and its offspring, B2B, B2C, B2P, G2B and e-government make sense. If a hotel provides each of its regular suppliers with daily occupancy rates, then the greengrocer and the dairy supplier can ship the appropriate amounts of food items to meet the day's demand.
Such automatic supply agreements must, of course, be based on careful advance calculations, and the hotel must have ways of overriding standard supply orders in the event of, say, a Polynesian theme night, which might boost the need for certain tropical fruits and other foodstuffs.
This override capability could be called Management by Exception. In other words, once the hotel's food and beverage manager gets the formula ironed out with each supplier, s/he would not need to place daily supply orders. The goods would arrive almost automatically in the amounts needed for any given day. Only when the manager wanted to change something about the standard procedure would s/he need to communicate - electronically, of course - with the suppliers to notify them of the day's exception. Such exceptions flow in both directions. The food and beverage manager might notify the poultry supplier of a large vegetarians' conference, and the fresh fruit supplier might notify the hotel that the raspberry season has ended. However, this electronic communication puts an end to the "privacy" of the hotel, since dozens of suppliers along the supply chain become intimately familiar with the hotel's level of occupancy and financial success.
4. B2B: A Step in the Right Direction
Once a company embraces e-commerce, it is well on its way toward adopting a broad range of other technological developments. When British department store chain Marks & Spencer (M&S) told its suppliers in the early 1990s that it wanted to conduct product design via an electronic network, each supplier had to either adapt or find new clients. For Delta Textiles Ltd., an Israeli fashion underwear manufacturer with $200 million in sales a year that sells 35% of its total production to the London-based Marks & Spencer, the choice was clear: it began to examine the two CAD systems selected by M&S and to adapt its own internal systems for working electronically with its largest client. Until the new system was set up, Delta's design team members shuttled back and forth between Tel Aviv and London every month to present the latest style ideas to M&S buyers. As soon as the new system was operational, a Delta team in Tel Aviv and an M&S team in London were able to spend as much time as was needed working "together", eliminating the need to leave the office, at least on a frequent basis. However, it is clear to everyone that for such cooperation to work, Delta’s design records must be exposed to M&S buyers. At the same time, those buyers can access the electronic files of Delta’s competitors. Therefore, a lot of trust is required if there is a true desire to maintain such cooperation.
5. If You Can't Beat 'Em, Join 'Em
The greatest shortfall of businesses that embrace OIS and all its components may lie in the billions of dollars that are spent annually trying to plug the holes that form in the walls of secrecy surrounding their operations. Like the little Dutch boy with his finger in the dike, they already realise that the holes cannot be plugged forever, nor can all of them be sealed off; there will always be leaks, so why waste so much money and manpower fighting them? Industrial espionage poses a far greater threat to "secret" information than do hackers. Hackers get more publicity, because they seek access to this information for the thrill of it, and half of that thrill comes from boasting about it afterwards. The real threat comes from those who infiltrate a system, leave no footprints, and learn all sorts of secrets with the intent to use them to change the competitive playing field. This activity used to be called industrial espionage, but now it is generally referred to as information-gathering, or data mining. Simply put, anybody who does not do his/her utmost to find out what others do not want him/her to know runs the risk of losing competitiveness and being left behind. In fact, today it does not necessarily require that illegal action be taken to find information on your competitors; Google and other data depositories can provide you with almost all you need. For example, Google Trends can provide a lot of open, free and analysed information on business organisations. Since knowledge will eventually be open to all in an OIS, swift reaction to new realities will be a prerequisite for survival. Companies will have to establish or enhance their scouting departments, since even the slightest delay or oversight could be crucial to their continued success. The upper echelons of a business will have to take an active role in scouting and using technology. Scouts provide management with frequent reports on potentially adaptable technologies and business intelligence. Management will have to set the company's priorities and determine how to allocate resources between promising ventures.
6. Prioritising Information Security Measures With the whole world looking into their computer databanks, companies will have to make careful decisions about what information to protect. Protection will be much more difficult than it is today. Although it will still be possible to keep particularly sensitive data out of the public's reach, the steps needed to protect it will not only inconvenience even the people who are supposed to have access; the cost of those measures will be close to prohibitive. In an OIS, the management of any given company will need to adjust to an environment in which their every move can be observed by the public in general, and especially by their competitors. This new reality will force companies to focus on products and innovations that produce immediate payoffs, requiring them to invest in the high levels of creativity and originality needed to create such products. The pursuit of such short-term, dynamic goals requires organisations to adopt more flexible production and marketing facilities. Companies will need to be willing and able to switch their production lines from one product to another on short notice. Likewise, to meet the needs of each new product, distribution and marketing techniques will undergo rapid adjustment. It grows increasingly clear that as the OIS moves closer to becoming a reality, quick decision-making is needed. People with vision have seen this coming for years. As B2B expands into the realm of R&D, as portrayed earlier in the Marks & Spencer – Delta example, the dangers regarding information protection could become even greater. What would happen, for instance, if Delta submitted a design idea electronically and Fruit of the Loom, or any other underwear manufacturer that sells to M&S, wished to access it electronically? And that is to say nothing of the inherent danger of having next year's fashions, complete with multimedia representations, stored on the computer of a company that may buy them... or even steal them.
One possible reaction to such a scenario is to redouble efforts to protect information. It may sound like a good plan, but it just isn't feasible. If a company is run by people who are smarter than the people running all of the competing firms, then this prescription is fine. But how often does that happen? It is more than a little presumptuous to assume that one company can keep spies out of its own systems while getting its own spies to infiltrate everyone else's. In the real world, every company has successes and failures in the realm of intelligence-gathering. Rather than spending billions of dollars in the futile effort to keep people out of their systems, increasing numbers of companies realise they can actually turn a profit by charging access fees to outside users who want to log on to their databases. Given the choice between paying for legally obtainable information or breaking the law to steal it just to save the fees, the vast majority of decision makers will opt for the legal route. Take companies whose main goal is to sell information, for example. The Financial Times, Reuters, Dow Jones and many others have opened their databases to the public. While these are often partially free, full access is offered only for a fee, and these companies often earn large profits from it. Fear of "electronic theft" is not that strong in these situations. Nevertheless, while governments and many individuals seem oblivious to the revolution that is changing the way we live our lives, business leaders are working overtime to shape the future. That is why they are opening their networks to the public; letting anyone access their files through Internet services; giving suppliers, clients and potential partners access to databases that used to be off-limits; and taking countless other steps to break down the barriers that used to create so much incentive for spying. And, if it makes sense financially, then big business will indeed lead the way to the OIS.
Modelling Cyber Security: Approaches, Methodology, Strategies U. Gori (Ed.) IOS Press, 2009 © 2009 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-074-2-11
Striking the Balance: Security vs. Utility Ari VIDALI CEO, ENVISAGE Technologies Corp.
Abstract. Maximum security requires, by definition, a "closed system", whereas maximum utility requires "openness." Is it possible to reconcile these two extremes? Can a highly secure system actually be easy to use? With the exponential adoption of technology, highly interconnected computer and telecommunications systems have become an indispensable component of modern societies. Our reliance on information technology has penetrated almost every facet of daily life. Our critical services, financial systems, transportation and commerce rely upon the confidentiality, integrity and availability of these systems. Notwithstanding some promising advances, networked systems remain highly vulnerable to attack and exploitation by hackers, cyber criminals and terrorists, despite the significant efforts and investments that have been made to detect, deter and mitigate these threats. Most experts agree that the security of any information system is only as strong as its weakest link: the human beings who create and use it. This paper explores some of the root causes of the usability problem and how proper security practices are consistently ignored or circumvented by the very users and organizations they were designed to protect. We propose that this reality must be understood and addressed in order for systems engineers to architect effective, easy-to-use security solutions that enhance rather than limit system utility. We further propose that the security systems of the future must be highly convenient, largely transparent to end users, fully integrated across security domains, threat aware, and able to modify security policies "on the fly" in response to changing threat environments. In a culture driven by convenience, one-stop shopping and near-universal access to information, system users will continue to find ways to circumvent even basic security protocols if they are too onerous and burdensome. While highly complex, interconnected systems will always have flaws that can be exploited, the vast majority of attacks on cyber infrastructure are made possible by human nature. Technology has become an indispensable tool for modern societies. Has our reliance upon technology become a two-edged sword? We argue that as hackers, cyber criminals and terrorists become more technically sophisticated, the very technology that contributed to the rise of the Western world is being exploited as one of our greatest weaknesses by those with nefarious intent. Our paper concludes that to stem the tide, the security community must address these root causes of cyber insecurity.
Keywords. Security, Cyber security, Usability, Biometrics, Authentication, Human-computer interaction
A. Vidali / Striking the Balance: Security vs. Utility
“The more secure a system is, the harder it is to use. The harder it is to use a system, the less secure it will be.” Brian R. Krause, Adducive
Introduction It is September 11th, 2013. In a dimly lit room on the outskirts of Peshawar, in Pakistan, five men stare into their computer monitors as their fingers rapidly tap on keyboards. Unbeknownst to them, their state-of-the-art equipment was funded by a relatively new drug cartel operated by Taliban warlords. With the massive financial resources derived from the burgeoning poppy trade, the cartel was able to ensure that the five had sufficient funds for their purposes. Calling themselves the New Islamic Martyrs Brigade, the five men are about to launch a cyber attack on the Western world unlike anything ever seen before. Fueled by the propaganda they have absorbed from radical Islamic websites, and violently motivated by the inflammatory rhetoric of impassioned fundamentalist clerics, they are driven by a single-minded objective: to deal a devastating blow to the very heart of Western capitalism by crippling its vital information infrastructure. After a year of careful planning, preparation, complex coding and target selection, they are ready. For months they had been foiled in their attempts to crack the passwords of the critical edge routers vital to their plans. The systems administrator had used strong password authentication to protect them, and combined with the cryptographic strength of the authentication mechanisms, this had delayed their progress. Luckily for them, an audit had required a new policy of changing the password every thirty days. Harried help desk staff had provided the forgotten password to a coworker over instant messaging rather than walking it down two floors, and the minor breach had been exploited. A well designed and near invisible piece of code was installed on the worker's computer and silently duplicated itself across the network, capturing the keystrokes executed on the compromised machines. It sent the logs to anonymous Yahoo accounts, set up for this very purpose by the five men.
Just two weeks ago, the five received, via a PGP-encrypted message, the assurances of a highly-placed leader of the Hezbollah terrorist network that their efforts would be augmented by multiple simultaneous suicide bombings. The message also included instructions for coordinating their attacks with similar cyber terror cells in Iran and Venezuela who had amassed vast botnet armies to unleash upon the west at the appointed time. The five men had no doubt that their efforts would result in the “mother of all terror incidents.” The careful planning, research, social engineering and brilliant coding had yielded not only a treasure trove of high-access accounts for vital systems, but also had allowed them to study weaknesses in the security of the systems they intended to target. At exactly 9:00 a.m. EST, an IT analyst at the New York Stock Exchange notices increased traffic on the NYSE backbone. At 9:10, all of the servers lock-up and stop functioning. At 9:45, the head of the NYSE issues a statement that all trading is suspended due to a malfunction. This is followed by statements from the NASDAQ that they too have suspended trading. As reporters investigate, rumors surface that the machines and backups have been compromised and the timetable for recovery is unknown. Investors around the world begin to panic, forcing European stock markets to close after a 12 point decline due to panic selling and the spread of rumors of a pending meltdown in Asian indices.
Halfway across the globe, in London's Heathrow airport, air traffic control notices irregularities in its state-of-the-art Pegasus-ATC traffic control systems. Installed just four years ago, the systems were said to be impervious to attack. Five minutes later, during heavy traffic, none of the primary or backup systems are working. The Prime Minister is briefed and decides to re-route all incoming flights to Gatwick, but by then it is too late, as two planes that were circling the airport under heavy fog collide. There are no survivors; the death toll is 467. 10:00 a.m. EST. All of the major news networks around the globe begin reporting on an urgent warning from the Centers for Disease Control about water contamination in cities across America, including Los Angeles, New York, Detroit, Miami, Des Moines, Atlanta, Chicago and Philadelphia. Officials deny that the CDC has issued any such report, yet each of the contacts that typically receive press releases had received the urgent warning. Grocery stores are without bottled water within the hour. 11:00 a.m. EST. Explosions are reported at five rural elementary schools in the Midwest. Hundreds of children are injured; officials refuse to comment on the death toll, citing the need to contact affected families. Cellular networks, already taxed with traffic from the earlier incidents, cannot handle the load. Anxious parents across the country rush to take their children out of school, congesting freeways and impeding rescue efforts. 12:00 p.m. EST. 15 million users of the largest Voice over IP provider in the United States cannot get a proper dial tone; instead, they hear a pre-recorded message in broken English informing them of the impending destruction of their way of life.
The botnet armies assembled by the Venezuelan and Iranian cells are wreaking havoc with Cisco routers all across the Internet, exploiting a little-known weakness in IPv6's IPsec implementation combined with an exploit of Cisco IOS's implementation of stateless address autoconfiguration. Not since the Conficker worm outbreaks in 2008 and 2009 has such a rapid, widespread attack been seen. Already, 48% of the core routers on the Internet are down, cutting off telecommunications across vast areas of the Internet. The general population is in a frenzy of panic. At 12:01 p.m. EST, a secure call is routed to the U.S. President, who is aboard Air Force One, travelling to an undisclosed location. The call, put through from the Situation Room and originally received by the Secretary of Defense, is from a middleman in Ukraine who relays the terrorists' demand for an immediate withdrawal of all foreign military personnel from the Middle East, including the emptying of bases in Iraq, Afghanistan and Saudi Arabia, as well as the joint forces base of operations in Amman, Jordan, which was established in 2011. In addition, all shipments of arms or aid to Israel are to cease immediately. The White House has 72 hours to comply or further attacks will occur. Back in Peshawar, the five men watch with glee as Al Jazeera reports on the devastation. They are deeply satisfied with the results of the first wave of their carefully planned attack...
1. Cyber Insecurity – A Look at the Current State of Affairs During the 1970s and early 1980s, network pioneers at DARPA1, along with several academic institutions, developed a successful open standard for linking computer networks together. The resulting TCP, and later the TCP/IP protocol suite, ushered in the Internet age. The basic concept that computer systems can be easily, cheaply and reliably linked together to exchange information has, within the span of three decades, revolutionized almost every facet of modern life and ushered in the era of pervasive computing, the Internet and the mobile communications revolution. It was the very "openness" of these early implementations that drove widespread adoption. And indeed, the growth of interconnected computer systems has been nothing less than staggering. Worldwide usage of networked computer systems has grown to an estimated 1.43 billion users, which amounts to 21% of the world's total population. [1] No prior technology in history has achieved such rapid adoption. With such interconnectedness and widespread adoption comes the possibility that these tools can be used to harm the very societies that have come to rely heavily on them. Our cyber infrastructure, including most of the technologies, protocols and information systems that make up or reside in cyberspace, was not originally designed with high security in mind. While systems security has improved, it has been added after the fact onto existing structures that use archaic authentication mechanisms which do not take into account the fallibility of human beings. This is due in part to the economics of technology development: most buyers are unwilling to pay the premium needed for truly secure computing. This situation has not escaped the notice of disreputable actors, who are finding ingenious ways to exploit cyber insecurity for monetary gain or with malicious intent.
According to a report released by IBM in 2005, "there were more than 237 million overall security attacks in the first half of the year." [2] Our society's increasing reliance on these technologies, coupled with the persistent, well publicized2 vulnerabilities within our cyber infrastructure, makes it relatively easy to exploit, disrupt, disable or cause mayhem on critical systems. In a recent report, the Congressional Research Service (CRS) outlined current terrorist capabilities for cyber attack and warned that terrorist organizations, state sponsors of terror and extremist groups are becoming increasingly aware of the essential role of critical information systems and will either develop their own capabilities for cyber attack, forge alliances with cyber criminals, or hire hackers to assist them in targeting critical infrastructure. [3] The CRS cites a key report from the House Homeland Security Committee, wherein FBI officials indicated that extremists have used identity theft and credit card fraud to support recent terrorist activities by Al Qaeda cells3. Finally, the report concludes that if current trends continue, cyber attacks will certainly become "more numerous, faster, and more sophisticated", likely outpacing the ability of government agencies and private organizations to prevent, respond to and recover from concerted attacks. Deputy Attorney General Mark Filip, in his address to the International Conference on Cyber Security, stated that "Cyber crime and cyber terrorism are issues that transcend customary bureaucratic and national boundaries, and because both public and private Internet infrastructures are "closely linked," they transcend the usual public/private dichotomies as well." [4] This "interlinked" system of systems allows for numerous attack vectors, ranging from a single targeted breach to a widespread coordinated cyber attack. The objectives of a cyber attack fall into the following four areas: [5]
1. Loss of integrity, such that information could be modified improperly;
2. Loss of availability, where mission-critical information systems are rendered unavailable to authorized users;
3. Loss of confidentiality, where critical information is disclosed to unauthorized users; and
4. Physical destruction, where information systems cause actual physical harm through commands that trigger deliberate malfunctions.
1 The Defense Advanced Research Projects Agency is an agency of the United States Department of Defense responsible for the development of new technology for use by the military.
2 A prominent example was made public at the July 2005 Black Hat computer security conference, where an exploit was demonstrated to show how commonly used Internet routers could quickly be hacked. Victor Garza, Security researcher causes furor by releasing flaw in Cisco Systems IOS, SearchSecurity.com, July 28, 2005.
Many experts agree that one likely scenario for a cyber attack would be its use in conjunction with a conventional physical or chemical, biological, radiological or nuclear (CBRN) terrorist attack. Such a scenario could include direct attacks against first-responder communication infrastructure or 911 call centers simultaneously with the detonation of explosive devices. The Internet, which has penetrated almost all of our daily lives and is critical to the functioning of our knowledge economies, was designed for research and information sharing. All but the most sensitive information systems are either directly or indirectly connected to the Internet and are therefore vulnerable to its design flaws. The continued and concerted Distributed Denial of Service (DDoS) attacks against the Net's DNS infrastructure are troubling in that many believe those responsible are merely conducting tests and that a full-scale attack is a real possibility in the near future. [6] Many of these large-scale attacks exploit weakly secured workstations from around the world and transform these computers into "zombies". These, in turn, are aggregated into botnet armies, which can be unleashed in devastating distributed denial of service attacks. Had the users of these workstations properly secured them, such attacks would be vastly more difficult, as each workstation would have to be individually hacked.
2. Closed vs. Open Systems It has been humorously stated that a computer is in fact quite easy to secure. Why, we can simply turn it off, lock it in a steel vault, destroy any key and ensure that it is not connected to anything. Voila, we now have a highly secure computing environment!
3 According to FBI officials, Al Qaeda terrorist cells in Spain used stolen credit card information to make numerous purchases. Also, the FBI has recorded more than 9.3 million Americans as victims of identity theft in a 12-month period (June 2005). Report by the Democratic Staff of the House Homeland Security Committee, Identity Theft and Terrorism, July 1, 2005, p. 10.
Unfortunately, while the computer in this scenario is highly secure in its impenetrable steel vault, it is also completely unusable, forcing anyone who needs to perform a productive task to seek out a machine that is significantly less secure. On the flip side, a completely unsecured computer with no authentication requirement, connected to an unfirewalled public network, is almost certain to be compromised4, putting the user of that machine in danger of having their identity stolen by cyber criminals, their files damaged, the system rendered inoperable or, worse, sensitive information compromised and used for illegal activities. It is logical to conclude that if people cannot use secure systems, they will seek out systems that are less secure or will find ingenious ways to circumvent security policies. Ignoring best practices to get their work done renders the system less secure than before. For example, it is common to find that government personnel who cannot access their work email or files from home regularly use free Internet email accounts such as Gmail or Yahoo to send messages and attachments to each other when they are not at their workstations. Thus, a theoretically secure system which is not usable does little to improve the situation and tends to create a false and dangerous sense of security within an organization. So how do we strike a balance between the need for trusted, secure information systems and the convenience, ease of use and usability of our information systems? We need to design security solutions that are tailored specifically to the weakest link: human beings. To do so, we must understand the limitations and motivations of the average people who use security solutions.
4 In November 2002, the Honeynet Project placed unpatched Windows 2000 computers on the Internet and found that they were being compromised after just five minutes. The Honeynet Project, "Forensics" (Jan. 29, 2003); http://honeynet.overt.org/index.php/Forensics.
3. Security's Weakest Link As Bruce Schneier wrote, "Security is only as good as its weakest link, and people are the weakest link in the chain." [7] Hackers and cyber criminals understand this phenomenon significantly better than most technology companies. While the "human factor" is generally accepted as a significant issue by the security community, the majority of the discussions and research surrounding cyber security are focused on the technical and policy challenges of securing cyberspace5. In addition, scarcely any resources, whether scholarly papers, blogs, books or articles, are devoted to the usability of security solutions. Yet this issue is arguably one of the most glaring and pervasive root causes of cyber insecurity. Given that most users interact with computer security on a daily basis, Angela Sasse comments that the current state of affairs amounts to nothing less than a major usability crisis [8] and suggests that "unusable security systems are not only expensive, but ineffective." This is because common security mechanisms have failed to acknowledge even the most rudimentary usability and human-computer interaction design principles, such as minimizing users' mental workload, respecting task context, or understanding user motivation and self-image. Our continued reliance on password authentication as a common security mechanism is proof that not much has changed in the last few decades. As far back as 1999, Adams & Sasse conducted both interview and questionnaire studies with people inside and outside an international telecommunications company [9] and concluded that users:
• could not cope with the proliferation of passwords,
• received little instruction, training or support, and
• were not motivated to behave in a secure manner.
5 Such as: which technologies will be used, what standards will be implemented, what sorts of policies will need to be crafted to coordinate our security and law enforcement efforts nationally and internationally, or the varying roles of government, academia and the private sector in securing cyberspace.
A decade later, the average user’s exposure to password authentication is even more out of control. We are juggling everything from bill payments, eCommerce, social networking sites (like MySpace, GoogleApps, Instant Messaging) and an explosion of Web 2.0 Software as a Service (SaaS) offerings, credit and debit card PIN numbers, VoiceMail access codes, in addition to the numerous work and home related computer login accounts that most of us are required to maintain. It has been estimated that today, the number of individual username/password combinations that the average person is required to contend with regularly is in the high teens. That number is significantly more than the average person can remember without an artificial aid. Unfortunately, the aid is often writing the passwords down, storing all of them in a single location or using the same password everywhere6 , thus defeating the purpose of strong password authentication.
4. Understanding the Usability Problem Let us consider for a moment some basic principles of human memory and motivation and how these apply to security technology: Human memory has limitations: Most of us are not good at remembering the random sequences of characters required by strong password authentication methods. Humans have trouble remembering more that 7 ± 2 unrelated characters. Moreover, there is a limit to the number of passwords we can remember. Finally, unaided recall is much more difficult than cued recall, resulting in the proliferation of the “Security Question” or password reminders. While these “fixes” aid recall, they also introduce additional significant security risks. Humans don’t think randomly: We don’t do well when we are required to invent a random string of characters and commit them to memory on the spot. Pattern recognition is one of our strongest skills, so when asked to create many unique passwords, we unintentionally or intentionally introduce patterns. Human memory decays over time: We cannot recall passwords we use infrequently. Conversely, we cannot forget (on command) memorized items we no longer need. Thus, when we are forced to change our passwords, we commonly forget the new one or confuse the new one with the old. Humans are goal oriented: Security is not a goal most users strive for, rather it is seen to get in the way of their production tasks. People use technology in order to perform meaningful tasks. In this context, security is viewed as an “enabling task” or “hurdle” the user is required to overcome in order to perform their production task. “When security conflicts with a user’s production task they often respond by 6
Hackers and social engineers exploit this fact as it is much easier to direct their energies against soft targets to obtain one or two of a user’s commonly used passwords, which in turn are probably the same passwords used to access more sensitive systems at work.
18
A. Vidali / Striking the Balance: Security vs. Utility
circumventing security mechanisms, and perceive security as something that makes their life difficult.” [10] Security performance matches our motivation: Several research studies have concluded that users simply lack the motivation to expend the extra effort on security. [11] This is often due to a set of beliefs and behaviors on the part of those that do not comply with security practices. These include the notion that the threat of security is not “real”7 and therefore the extra effort is not warranted and/or that users do not believe that their actions will make any significant difference anyway, e.g. that a determined attacker will get access to their system regardless of what they do, or “no one else follows the rules, why should I?” This indicates that there is a cost/benefit equation that most users undertake when evaluating the effort they will put forth to secure their information. In this context, it is important to acknowledge that people will only expend the extra effort if they truly believe they are at risk. Humans are interpersonal: People like people, and they tend to want to be helpful to others. That is why social engineering is so effective. Also, it is this tendency which often leads to circumventing security best practices. If a colleague needs access to a file or a system, we are likely to help this person because as humans we value relationships more than organizational policies. Human nature is the reason why social engineering is such an easy and lucrative means of attack for cybercriminals. Kevin Mitnick, the famous and controversial computer hacker of the late 20th Century, was a master of social engineering techniques. In his book, The Art of Deception [12], he provided numerous examples of how he easily gained illegitimate access to computer systems using username and password combinations which he obtained by artfully duping end-users into giving him their credentials. 
As none of the previous points are new revelations, why is it that we continue to use standard password authentication to secure our critical systems? Consider that not only is password authentication counter-intuitive to humans; in many cases it also relies on only a single “strong” security element, the password, which, as we have seen, is inevitably compromised by human behavior and limitations. If we are to strengthen cyber security, the problem must be viewed as more than a technical challenge. Security as a system must be engineered around the people who use it, the context within which it is used, and its surrounding environmental conditions. The current lack of usability and human-computer interaction principles almost guarantees that only the most sensitive data handled by the most security-conscious persons has a chance of being adequately protected. Yet even under these ideal circumstances breaches of security continue to crop up. For example, former CIA director John Deutsch, arguably a very security-conscious person with significant motivation to protect Government secrets, lost his security clearance because he wrote a classified memo on his unprotected home computer. “The U.S. Department of Defense's Inspector General blasted Deutsch for particularly egregious violations of security protocol involving his doing classified work on an unsecured home computer, while serving in DOD posts in 1993 and 1995. An investigation into similar practices by Deutsch, while director of the CIA, cost him his security clearance in 1999.” [13]

Note 7. In an experiment conducted in 2004, regular commuters in London were asked if they would reveal their email passwords for a bar of chocolate. A troubling 34% revealed their passwords without needing to be bribed. Over 70% revealed information about themselves that could be used by identity thieves. BBC, Tuesday, 20 April, 2004: Passwords revealed by sweet deal. http://news.bbc.co.uk/1/hi/technology/3639679.stm
5. Anatomy of Security Mechanisms

The principle of strong security includes the common notion that in order to secure an information system we need a combination of multiple vectors to establish a trusted connection:
• Something I am – Identification – Who you are, positive identification
• Something I know – Authentication – Something only you uniquely know
• Something I have – A token, smart card, keycard etc.
• Somewhere I am – Location – a physical or logical “area” from where I can access a system (e.g. IP filtering, Internet Zones)

To be secure, a system must incorporate at least two of these vectors to establish trust. In addition, once a user is positively identified and “trusted” we must also know what actions that user is authorized to perform on the system, or in other words, his/her authorization level. Upon cursory review, password authentication conforms to security best practice by requiring two of the aforementioned vectors to authenticate a user and allow them access to an information system:
1. Something I am – username and,
2. Something I know – password
Let us however, for a moment, review standard password authentication in more detail. By accessing the login screen a user is prompted for a username and password to gain access to the system’s functions. The username supposedly serves to identify the individual seeking to gain access. In combination with the proper password, access is granted. In most cases, the username is ridiculously easy to guess as it is almost universally based on publicly available information, e.g. a person’s email address, a subset thereof, their name or an abbreviation of their name. For voicemail systems, the username is almost always the individual’s phone number or mailbox number. Some financial systems try to mitigate this fact by utilizing identifiers that are considered “more secure” such as Social Security numbers, yet even these can be relatively easy to obtain over the internet for as little as ten US dollars. Thus, one of the most critical elements of our security system can be said to be ineffective at positively identifying a user, leaving only the password to stand in the way of a determined attacker. As we have seen, passwords are significantly less secure than we would like. Likewise, because the “identification” component of this authentication scheme is so weak, all it takes is a name, phone number or email address for any malicious attacker to acquire enough information to initiate an attack. As if this state of affairs was not bad enough, there are numerous readily available tools that are designed to automatically exploit known weaknesses in operating systems and commonly used commercial software applications, and that can collect login credentials in order to assist a hacker in compromising vulnerable systems. These tools are easily available for download from the Internet and can be utilized by relatively unsophisticated attackers.
In addition, password authentication is severely flawed from a usability perspective in that it requires 100% unaided recall of the non-meaningful items that make up strong passwords. Given the limitations of human memory outlined above, password authentication causes people to constantly compromise both the strength and secrecy of the password in question. It is not a stretch to conclude that both vectors (username and password) are compromised when it comes to password authentication. This traditional scheme provides near zero non-repudiation support as there is no way for the system to positively identify the user beyond checking that the username and password combination matches what is stored in a database. Clearly, from a security perspective, password authentication has utterly failed to provide adequate protection for sensitive systems and yet it continues to be one of the most commonly used security methods in cyberspace. While we are not arguing that password authentication has no merit whatsoever, we are pointing out that it is an inadequate security mechanism for most systems and should be utilized only on the least critical systems. This brings us to an important conclusion: selection of the proper security system should be based upon an appropriate security risk assessment. In the U.S., before September 11th, many systems that support vital services had not been assessed for risk in the context of terrorism or cyber warfare. Today, with awareness on the rise, a number of military and sensitive governmental systems have implemented additional layers of security including the use of Common Access Cards (CAC) and/or biometric security mechanisms to harden their systems.
6. Driving Principles for Usable Security

To solve the usability problem, the security systems of the future must be highly convenient, largely transparent to end users, fully integrated across security domains, threat aware, and able to modify security policies “on the fly” in response to changing threat environments. Convenience and transparency are absolutely critical if we are to solve the problem. As previously stated, the less a person encounters security as a hurdle to their production task, the more effective the solution will be. An example in the physical world would be a self-locking door. For those that do not have this convenience, many forget to properly lock their doors when leaving their homes. Thus, in simple terms, our users’ behavior indicates that they need security that is quick, convenient and easy to use. They want to know that their identity, files, systems and facilities are consistently secured in a manner that maintains their privacy, yet alerts them when a potential breach has occurred. While users are understanding of the need for authentication and are willing to provide credentials, it is unrealistic to ask them to provide too many different sets of credentials during their daily workflow. Users should be required to remember as few things as possible in order to access our systems. Also, security must be contextualized with users’ production tasks and be appropriate for the sensitivity of the system and applicable threat environment. So at a minimum, future security mechanisms should:
1. Positively identify a person (not a username)
2. Require strong passphrases
3. Be threat-aware, i.e. able to discern threats, take appropriate actions and notify appropriate user(s) or authorities of a breach. Also, they should be able to share information in order to act as a threat early warning system.
4. Adapt in real-time – allowing for additional security to be imposed during times of increased threat, automatically adding layers of security to sensitive information when an attack is perceived.
5. Be largely transparent/convenient
6. Be integrated – allowing user credentials to be used for physical and virtual access
7. Be designed to safeguard our personal privacy
6.1. Positively Identifying a Person

To establish objective trust and non-repudiation requires that we look beyond the easily compromised username for positive identification. Biometric identification does this by using one or more unique and intrinsic physical (fingerprints, iris, retina, facial or hand geometry, palm vein patterns) or behavioral traits (typing dynamics, signature recognition, voice pattern) of an individual to establish a positive identity match. The advantages of biometric identification include:
• Very easy to use/convenient – we don’t forget our fingerprints or face and, unlike tokens, these cannot be “lost”
• Limited attack surface – it is almost impossible for a remote attacker to access the information necessary to initiate a direct attack or steal the user’s identity
• Relatively fast – it can take under a second to verify a match
• Increasingly accurate – accuracy has improved significantly over the last 2 years
• Becoming cost effective – costs for biometric devices have come down significantly (note 8)

While biometrics has significant advantages, detractors point out that the technology is still problematic due to:
• Inability to change a biometric – unlike a username, once a biometric signature is stolen, it is not easy to change, and we only have a limited number of biometric identifiers.
• Greater consequences – Criminals may be incentivized to cut off users’ fingers, hands or other body parts, or even kill, in order to gain illicit access to secure systems. (note 9)
• Surrounding systems weak – biometrics can still be compromised via system circumvention, verification fraud and enrollment fraud. [14]
• Biometric verification is not 100% accurate – This is due to the need for match threshold values (similar to a metal detector) to take into account the changing characteristics of the biometric. Faces age, fingers can be scarred and our voice may change due to a sore throat. Depending on the threshold settings, and the “noise” encountered when scanning the biometric, false verifications can occur as well as false rejections.
• Fabricated biometrics – It is theoretically possible to recreate source biometric data from associated templates, thus possibly compromising the biometric. [15]
Nevertheless, biometric identification holds significant promise by utilizing numerous “immutable” physical and behavioral attributes, which, when fused, could form the basis for identification systems that are nigh impervious to identity theft. These multi-modal or “fused” biometric systems are more reliable due to their ability to acquire multiple pieces of evidence to identify a person. Imagine a computer, vehicle or door that not only recognizes your face but scans your iris and asks you how your morning is going while analyzing the voice pattern of your response to positively identify you. Humans can instantly recognize each other. We do this by simultaneous synthesis of many visual, auditory and olfactory cues. In fact, our recognition is so keen that it works even when the subject in question has altered their appearance or sounds different due to a cold. If a security system were as perceptive, it would be incredibly difficult to circumvent as an attacker would be required to fool multiple sensors simultaneously. In the future, we predict that multi-modal biometric technology will be able to mimic how humans recognize each other by fusing biometric sensors together and allowing security systems to evaluate our identity “holistically.” In this scenario, match threshold values can be consolidated across multiple vectors, enabling drastically improved recognition and the near elimination of false positives. [16] In other words, a user may have a swollen face, but the system would still recognize her because her height, iris and voice prints match.

Note 8. The cost of a fingerprint sensor has fallen from around $20 four years ago to under $5 in 2007 and is being incorporated into everything from laptops and cell phones to USB keys and hard drives.

Note 9. A common story we hear regarding this objection is about the man whose new Mercedes was carjacked. The car had a biometric lock and therefore the thieves removed the man’s finger in order to start the car. Despite this popular story, many of today’s biometric devices have “live” sensors in them that would actually incentivize a criminal to keep the individual alive as long as they need access. In addition, while this information can be coerced from someone by force, so can a username, and the nature of the crime creates significant visibility for the perpetrators, thus effectively removing the shield of anonymity cybercriminals hide behind.

6.2. Strong Passphrases

Supporters of biometric authentication have gone so far as to suggest that the biometric is all that may be necessary to positively identify a user and allow access to a sensitive system. While highly convenient and in some cases transparent for the user, we disagree on the grounds that while current biometric technology provides a significantly stronger mechanism for positive user identification, it still has sufficient vulnerabilities that must be addressed before we can completely eliminate strong two-factor authentication.
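The match-threshold trade-off and the score fusion described in 6.1 above, as an added worked example that is not part of the chapter or of any vendor's product: two hypothetical modalities (face, voice) produce constructed match scores in [0, 1], a single threshold is swept to show how false accepts and false rejects move against each other, and a simple sum-rule fusion is applied to the same scores. The score values, the thresholds and the mean-of-scores fusion rule are all assumptions chosen to illustrate the point.

```python
# Constructed match scores in [0, 1] from two hypothetical modalities, as (face, voice).
# Each pair is one verification attempt: GENUINE attempts are the enrolled user,
# IMPOSTOR attempts are other people. A few genuine attempts are deliberately weak on
# one modality (a swollen face, a sore throat) to show why one threshold on one
# modality must either reject real users or admit impostors.
GENUINE = [(0.82, 0.90), (0.55, 0.88), (0.91, 0.40), (0.78, 0.75),
           (0.61, 0.65), (0.95, 0.93), (0.48, 0.85), (0.85, 0.58)]
IMPOSTOR = [(0.30, 0.25), (0.62, 0.20), (0.15, 0.70), (0.40, 0.35),
            (0.58, 0.55), (0.22, 0.10), (0.66, 0.30), (0.35, 0.61)]

THRESHOLDS = (0.4, 0.5, 0.6, 0.7, 0.8)   # assumed operating points to sweep


def face_only(scores):
    """Decision based on the face score alone."""
    return scores[0]


def voice_only(scores):
    """Decision based on the voice score alone."""
    return scores[1]


def fused(scores):
    """Sum-rule fusion: mean of the (already 0..1 normalised) modality scores.
    One weak modality is outweighed by a strong one, as in the 'swollen face' case."""
    return (scores[0] + scores[1]) / 2


def error_rates(threshold, combine, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) for one threshold and one scoring rule.
    FAR: impostor attempts scoring at or above the threshold (false accepts).
    FRR: genuine attempts scoring below the threshold (false rejects)."""
    far = sum(combine(s) >= threshold for s in impostor) / len(impostor)
    frr = sum(combine(s) < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(combine, thresholds=THRESHOLDS):
    """Trace the trade-off: raising the threshold lowers FAR but raises FRR."""
    return [(t, *error_rates(t, combine)) for t in thresholds]


def best_threshold(combine, thresholds=THRESHOLDS):
    """Threshold with the smallest FAR + FRR, a crude stand-in for the chosen
    operating point; a real deployment weights the two errors by their cost."""
    return min(thresholds, key=lambda t: sum(error_rates(t, combine)))


if __name__ == "__main__":
    for name, rule in (("face", face_only), ("voice", voice_only), ("fused", fused)):
        print(name, [(t, f"FAR={far:.3f}", f"FRR={frr:.3f}") for t, far, frr in sweep(rule)])
        print(name, "best threshold:", best_threshold(rule))
```

On these constructed scores each single modality is stuck at 25% FAR and 25% FRR at the 0.6 threshold, while the fused score separates the two populations completely at the same threshold; with real sensors the gain is smaller, but the direction is the one the text describes.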
Since multi-modal biometrics are not yet cost effective for most implementations, one thing that could be done to increase the usability of most authentication systems is to eliminate the “strong password” and replace it with the more usable “passphrase.” It is much easier for humans to both create and remember a 47-character phrase like “Securing my identity in 2009 is very important!” than a meaningless string of 8 random characters such as “!$3^1@Z&”. Numerous debates surround the topic of the cryptographic strength of a passphrase vs. the strong password and the related entropy (note 10) of each. Most agree however that the longer passphrase (30 characters or more is typical) enables increased cryptographic strength, rendering many kinds of brute force attacks highly impractical. More importantly, because the passphrase is relatively easy to remember, we are far less likely to write it down.

Note 10. Entropy is a measure of the uncertainty associated with a random variable. There are three components to entropy: the number of items chosen, the size of the set from which they are chosen, and the probability that each individual item is chosen. Since passphrases are longer than passwords, they have the potential for higher entropy than passwords (even if they are picked from the same character set), making them much harder to crack.
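The entropy comparison behind note 10, carried through as an added example (not from the chapter): the three components named in the note are computed for the chapter's own 8-character random password and 47-character passphrase under several choice models, including one where the user draws words from a small favourite set, which is the "probability of each item" component at work. The 95-symbol character set, the 7776-word list, the 1.3 bits per character figure for English prose and the guess rate are assumptions.

```python
import math

# Assumed parameters for the two examples quoted in the text: the 8-character random
# password "!$3^1@Z&" and the 47-character, 8-word passphrase
# "Securing my identity in 2009 is very important!".
PRINTABLE_ASCII = 95           # symbols a random password can be drawn from
WORDLIST_SIZE = 7776           # a common passphrase word list (6^5 words)
ENGLISH_BITS_PER_CHAR = 1.3    # assumed Shannon-style estimate for running English text
GUESSES_PER_SECOND = 1e9       # assumed offline guessing rate against a fast hash


def uniform_entropy_bits(n_items, set_size):
    """Components one and two of note 10: n items chosen uniformly and independently
    from a set of the given size carry n * log2(set_size) bits."""
    return n_items * math.log2(set_size)


def shannon_entropy_bits(probabilities):
    """Component three of note 10: H = -sum p_i * log2(p_i) over the items' probabilities.
    This equals log2(set_size) only when every item is equally likely to be chosen."""
    return -sum(p * math.log2(p) for p in probabilities if p > 0)


def expected_crack_seconds(entropy_bits, guesses_per_second=GUESSES_PER_SECOND):
    """An attacker enumerating the whole space expects success after half of it."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


def compare_models():
    """Entropy in bits (rounded) and expected crack time for each choice model."""
    bits = {
        "random 8 chars, 95-symbol set": uniform_entropy_bits(8, PRINTABLE_ASCII),
        "8 words chosen uniformly from 7776": uniform_entropy_bits(8, WORDLIST_SIZE),
        # a user who only ever reaches for 100 favourite words, chosen equally often
        "8 words, user favours only 100 of them": 8 * shannon_entropy_bits([1 / 100] * 100),
        # pessimistic model: treat the phrase as ordinary prose, not as random words
        "47 chars as English prose (1.3 bits/char)": 47 * ENGLISH_BITS_PER_CHAR,
    }
    return {name: (round(b, 1), expected_crack_seconds(b)) for name, b in bits.items()}


if __name__ == "__main__":
    for name, (b, seconds) in compare_models().items():
        print(f"{name:45s} {b:6.1f} bits  ~{seconds / 86400:.3g} days to crack")
```

Under these assumptions the random 8-character password is worth about 52.6 bits, the passphrase between about 61 bits (pessimistic prose model) and 103 bits (words drawn uniformly from the list), and a user who recycles the same 100 favourite words gives the phrase no more entropy than the short random password.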
6.3. Threat Awareness

A door is a physical barrier; if there is a lock on it, only authorized persons (key holders) are supposed to be allowed access. Yet, a thief can steal the key, pick the lock, break down the door or go through a window. In the physical world, we use alarm systems that include various sensors (contact, motion, and pressure) to sense unauthorized intrusions. Once an intrusion is detected, an alarm sounds and authorities are dispatched to the property. At the network level, intrusion detection/prevention systems have evolved significantly, allowing for real-time responses such as blocking suspicious traffic and automatically alerting administrators. When we look at most authentication systems however, they do little to proactively sense and defend against threats or alert account owners and administrators of a possible breach. In short, most are not threat aware. At best, they lock a user account after a certain number of login attempts and require reactivation, and may log unsuccessful attempts in a log file or audit trail. While this is useful for forensic analysis after the system has been compromised, it does little to prevent or deter an attacker who has already stolen valid credentials. In addition, many attacks originate from inside the network by disgruntled employees utilizing their own credentials or those stolen from colleagues. In order to secure systems from these sorts of threats, developers may be able to incorporate some of the lessons learned by the financial industry. Given the enormous costs associated with credit card fraud, many credit card companies have become adept at tracking individualized spending patterns (what cardholders typically buy, where they usually buy, average transaction sizes) and can proactively alert consumers of unorthodox spending patterns or charges originating from locations not commonly associated with the card holder.

If we apply this principle to an authentication system, it would be able to perceive a threat by sensing anomalous behaviors in the user, for example, a user who is attempting to enter a building at an unusual hour or to log in to a system from an atypical remote location. Biometric sensors could further enhance this approach by adapting speech recognition to detect stress or fear in the user’s voice, scanning for pupil dilation or recognizing when an unknown person is standing too close to a user.

6.4. Adapt in Real-time

Security systems should not only recognize threats, but also be capable of adapting to these threats in real time. When no threat indicators are present, adaptive security systems should remain relatively transparent and not interfere with users’ productive workflow. However, when a threat is identified, the system should be “smart” enough to adjust its behavior and increase its security posture in a manner commensurate with the threat it perceives. While we may be several years away from biometric fusion and artificial intelligence that is capable of judging threats based on user behaviors and situational awareness, we do have the technology today that could block access to systems for users who are being forced to reveal their credentials. Similar to a silent alarm system, a person who is under duress to reveal her password may provide a “safeword” instead. The system, upon receiving the “safeword”, would automatically secure critical or sensitive data and “pretend” to allow the attacker access to the system while notifying authorities and logging all activity on the workstation.
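Sections 6.3 and 6.4 describe one mechanism: build a baseline of a user's own habits, score each login against it the way a card issuer scores a purchase, and adapt the response, with the duress "safeword" as the silent-alarm case. The following is an added example in Python, not code from the chapter; the login history, the user record, the scoring weights and the posture thresholds are all constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter
from dataclasses import dataclass, field

# ---- Credentials: the real passphrase and a duress safeword, both stored hashed ----
PBKDF2_ROUNDS = 100_000   # assumed work factor


def _derive(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def enroll(passphrase, safeword):
    """Store salted hashes of both secrets; the server need not know which will be typed."""
    salt = os.urandom(16)
    return {"salt": salt, "pw": _derive(passphrase, salt), "duress": _derive(safeword, salt)}


def verify(record, typed):
    """Return 'ok', 'duress' or 'fail'. Both comparisons always run, in constant time,
    so a failed attempt's timing does not reveal which secret it was close to."""
    candidate = _derive(typed, record["salt"])
    is_pw = hmac.compare_digest(candidate, record["pw"])
    is_duress = hmac.compare_digest(candidate, record["duress"])
    return "ok" if is_pw else "duress" if is_duress else "fail"


# ---- Behavioural baseline, built from the user's own past logins ----
@dataclass
class Baseline:
    hours: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    devices: Counter = field(default_factory=Counter)
    total: int = 0


def build_baseline(history):
    b = Baseline()
    for ev in history:
        b.hours[ev["hour"]] += 1
        b.countries[ev["country"]] += 1
        b.devices[ev["device"]] += 1
        b.total += 1
    return b


def anomaly_score(b, ev):
    """Points for each attribute unseen (or rare) in this user's history. Weights are assumed."""
    score = 0
    if b.hours[ev["hour"]] == 0:                       # never logs in at this hour
        score += 2
    if b.countries[ev["country"]] == 0:                # never seen from this country
        score += 3
    elif b.countries[ev["country"]] / b.total < 0.1:   # seen, but rarely
        score += 1
    if b.devices[ev["device"]] == 0:                   # unknown device
        score += 2
    if ev.get("failed_attempts", 0) >= 3:              # guessing preceded this success
        score += 2
    return score


def evaluate_login(record, baseline, ev, typed):
    """Combine credential check and anomaly score into access decision and posture."""
    outcome = verify(record, typed)
    if outcome == "fail":
        return {"access": "deny", "posture": "normal", "alert": False}
    if outcome == "duress":
        # Silent alarm: the session looks normal to the coercer, sensitive data is
        # withheld, everything is logged and responders are notified.
        return {"access": "decoy", "posture": "lockdown", "alert": True}
    score = anomaly_score(baseline, ev)
    if score >= 5:
        return {"access": "deny", "posture": "lockdown", "alert": True}
    if score >= 2:
        return {"access": "step-up", "posture": "elevated", "alert": False}  # ask a 2nd factor
    return {"access": "grant", "posture": "normal", "alert": False}       # stays transparent


# ---- Constructed sample data: one user, twelve past logins ----
PASSPHRASE = "Securing my identity in 2009 is very important!"
SAFEWORD = "Securing my identity is very important today."   # constructed duress phrase
USER = enroll(PASSPHRASE, SAFEWORD)
HISTORY = [{"hour": h, "country": "NL", "device": "laptop-42"}
           for h in (8, 9, 9, 10, 13, 14, 15, 16, 9, 10, 11)]
HISTORY.append({"hour": 11, "country": "DE", "device": "laptop-42"})   # one trip abroad
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    for ev, typed in [({"hour": 9, "country": "NL", "device": "laptop-42"}, PASSPHRASE),
                      ({"hour": 3, "country": "BR", "device": "phone-x"}, PASSPHRASE),
                      ({"hour": 3, "country": "DE", "device": "laptop-42"}, PASSPHRASE),
                      ({"hour": 9, "country": "NL", "device": "laptop-42"}, SAFEWORD)]:
        print(ev, "->", evaluate_login(USER, BASELINE, ev, typed))
```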
6.5. Largely Transparent and Convenient

When Windows Vista was released, many of the complaints about the operating system were directed at the incessant security messages that the operating system directed at the users. One "feature" that Microsoft added to Windows Vista is the ability to stop programs from starting to begin with. This was aimed at reducing the threat of viruses and malware so common on home computers. Microsoft implemented this in the form of the User Account Control (UAC). The UAC was incredibly “chatty” and constantly asked users whether they wanted a program to continue or if it should cancel the operation. While the purpose was to warn users when an unknown or unwanted program asked to start, Microsoft coded the service to display the message repeatedly for almost any non-Microsoft program. These messages were so frequent and annoying that most users simply ignored them and became used to clicking continue to get back to their production task. Microsoft’s willful disregard for usability was further underscored by outrageous comments made at RSA 2008 in San Francisco, where Microsoft admitted that UAC was designed, specifically, to annoy. Microsoft's David Cross stated: "The reason we put UAC into the platform was to annoy users. I'm serious." [17] It is no surprise that soon after Vista was released, a slew of internet pages, blogs and forum posts sprang up with instructions on how to turn UAC off and, according to Ars Technica’s Ken Fisher, “…one of the most popular post-Vista install activities is disabling UAC.” So what have we learned? In this case, while the concepts of threat awareness and user notification were laudable additions to the Vista OS, the implementation was an unmitigated disaster and many Vista systems became significantly less secure as a result.

6.6. Integrated Security

Integrating application and network security is not a new concept; Single Sign-On does just that.
Once single sign-on is in place, the managed passwords can be changed to the strongest format allowed by the applications and managed automatically. If they are never known by the user, they cannot be disclosed, written down, or handled carelessly. However, if a single sign-on system is not reliable, users and administrators will not trust it, creating back doors or leaving critical systems vulnerable. In addition, many of today’s implementations are prone to creating a single point of failure or a single point to break in. Usability is security, but reliability is important for both. The ability of single sign-on to eliminate the need for numerous sets of credentials is a drastic improvement in usability and, if implemented correctly, has significant advantages for increased cyber security. If we take this concept one step further, we could include physical access as an integrated component of our authentication system. There are companies today that have created locks which can not only read credentials (note 11), but also write data directly back to the credential. This gives administrators unprecedented access to monitor entries to and exits from facilities (note 12) and quickly change access privileges when necessary without the expense of replacing hardware for sensitive areas. When traveling, we use an internationally accepted passport, which represents a “trusted” credential that allows us to legitimately enter or exit any country in the world. From a usability standpoint, a unique, internationally recognized, trusted token that, when used in conjunction with a passphrase, biometric or other identifier, gives a user access to all their accounts, their vehicle, computer, and place of work could be an interesting concept to pursue. However, for this to be feasible, we would be faced with the Herculean task of ensuring the token cannot be forged yet remains easy and convenient to reissue when lost or stolen. It would also be necessary to incorporate the technology within a framework of strong safeguards to protect the personal privacy of the users. No small feat.

Note 11. For example CoreStreet (http://www.corestreet.com) provides locks that can read and write to a token (FIPS 201 compliant smart card), thus allowing physical access privileges to be denied (without the need for changing a lock) should the user’s network and system access be revoked. The same goes for increasing a person’s access rights to facilities, for example when they have achieved security clearance. This has been a costly problem with standard locks and keys issued to employees.

6.7. Safeguard Personal Privacy

It cannot be stressed enough that if users do not trust that their privacy is being protected, or if the actions being taken by a security system are not disclosed to the users, they will not accept such a system or will intentionally bypass the system to protect their privacy. Several studies indicate that the majority of people who find out that software operates in a covert manner to compromise their privacy will discontinue use of that software application. The most important aspect of maintaining user trust is full disclosure of what the system may track and a clear understanding of the cost benefit of the technology (note 13). People are rightfully afraid of an Orwellian scenario, where every step they take in both cyberspace and the real world is monitored by “authorities”, and will strongly resist any security technology that violates their privacy.
Yet, it is ironic that millions of people around the world post much of their personal data daily on the internet via social networking and other sites (note 14) and act as if they are completely unaware that most of their activities can be easily followed, for they leave digital “breadcrumbs” wherever they go. Blogs, MySpace entries, IRC traffic, credit card records, phone records, internet activity logs, financial systems and even our healthcare records are exposing our digital DNA to potential attackers. Today, these “breadcrumbs” are distributed across hundreds of web servers, applications and individual systems, which makes aggregating this information somewhat impractical. A single unifying identifier that can link all of these disparate systems together, while highly “usable”, will open a Pandora’s Box of privacy issues that our societies may never be able to solve.

Note 12. Which, as we have seen, could be useful in establishing normal baselines of activities in order to detect unusual patterns of behavior that would enhance our detection of anomalous events.

Note 13. There are countless examples of users’ voluntary willingness to part with personal information in order to increase convenience. After 9/11, several companies launched registered traveler programs aimed at capitalizing on travelers’ aggravation with increased security. One such program, “Clear” (http://www.flyclear.com), is now operating in twenty US airports, and in exchange for $199 per year and submitting personal information and a biometric for a background check, air travelers can access a special security lane with almost no wait time. In August 2008, a laptop with 33,000 Clear records was lost or stolen from the San Francisco Airport. Needless to say, the hard drive of that laptop was not encrypted, proving once again that human error and lack of vigilance remain primary sources of cyber insecurity.

Note 14. It may be interesting to note that the vast majority of these users are individuals who have grown up with technology (Generation Y or the Millennials) and who don’t seem to have the same suspicions or concerns regarding the security and privacy of their personal information.
The privacy challenges we face are enormous and cannot be exhaustively discussed in this paper. Suffice it to say that the privacy question is of paramount importance to our security and has intersecting moral, policy, legal, and technology dimensions.
7. The Security System of the Future

It is September 1, 2013. In a dimly lit room on the outskirts of Peshawar in Pakistan, five men stare into their computer monitors as their fingers rapidly tap the keyboards... Suddenly, they are startled by a loud explosion and a blinding flash of light. Before they can recover from the flash, they are lying face down with their hands zip-tied behind their backs, looking up at the threatening muzzles of silenced H&K MP5 submachine guns. The operators who wield them are the highly trained professionals of the International Cybercrime Task Force. This elite, international law enforcement unit was established by a mutual treaty and has the jurisdiction to arrest and bring criminals wanted for cybercrimes before an international tribunal. Accompanied by two armed Pakistani police officers, they make quick work of seizing the computer equipment for digital forensic analysis. For almost a year, these men have been under close watch by the International Cybercrime Coalition (ICC), an international organization founded in 2011 with participants from over 40 countries and almost all major software and networking vendors. The ICC, which is tasked with blending information from all the participating countries’ cyber-security fusion centers, is closely linked with international law enforcement agencies. The ICC, together with the cooperation of prominent technology companies, including Microsoft, McAfee, Norton, Cisco, GoogleLabs, Barracuda, SonicWall, and over 20 other leading technology providers, developed an early warning framework that could be installed on any number of devices, was threat aware and could upload new threat models in real time. The ICC was successful in developing a vast, opt-in early warning network dubbed Operation CyberShield, which was launched by creating a successful marketing campaign for security awareness.
Users, many fed up with the constant spam, viruses, malware and worms infecting their computers, were informed that they could assist cyber enforcement officials by downloading the free CyberShield software package. CyberShield was designed to constantly monitor in-bound activity originating from their network connection and automatically alert users and the ICC authorities of suspicious hacking attempts on users’ computers. Within six months of international campaigning, over 5 million computers had the software installed. Cisco and Microsoft made the software an integrated option within their operating systems and numerous open source versions were released two months later. Pretty soon, the CyberShield network was growing at the rate of 10% per month. By the time the men in Peshawar began their attempts to compromise critical machines, over 48 million computers, routers and firewalls on the internet were acting as early warning systems. Unfortunately for the plotters, several of these had the CyberShield system installed. One hundred seventeen of these devices sent critical alerts to the ICC fusion center, which, upon automated cross-referencing of the hackers’ source MAC and IP addresses, flagged the addresses for further observation. But CyberShield was not just an early warning system. As administrators and users were alerted to the threat, they activated its “HoneyPot” mode; the software spawned a virtual machine that “pretended” to be the compromised host at the mercy of its attacker. CyberShield automatically redirected all traffic originating from the attacker’s network address to the HoneyPot, all the while logging the illicit activities. The tables were now turned... Back at the ICC fusion center headquarters, logs from the HoneyPots poured in, and within hours cyber security analysts had identified the vulnerability, and security patches developed by the involved vendors were automatically distributed through the CyberShield network to all of its connected machines. During this entire time, the five cyberterrorists remained blissfully unaware that their intrusion had been detected and that they were under counter-surveillance. Later that day, authorities were able to decode an encrypted message from Hezbollah terrorist leaders and were made aware of the numerous conventional attacks that were planned to coincide with a massive cyberattack planned for the 11th of September. The message referred to similar groups in Venezuela and Iran, and authorities began cyber surveillance operations targeted at those countries’ subnets, uncovering two additional cyber-cells involved in the attack. ICC authorities increased threat levels across cyberspace and coordinated with law enforcement in the US and the UK that were investigating Hezbollah plots. The additional information gleaned from the computer logs seized in Pakistan provided investigators significant leads that led to the arrests of several cell members in the Midwest and on the East Coast involved in the scheme. Numerous arrests were made the following week after additional evidence was gathered from the captured men’s homes.
Conclusion

Technology has become an indispensable tool for modern societies, yet our cyber infrastructure remains highly vulnerable to attack. In this paper, we have explored some root causes of cyber-insecurity and conclude that a significant problem lies with humans. If we do not begin designing systems that squarely address human limitations and recognize that usable solutions are a crucial component of strong security, we will undoubtedly remain highly vulnerable and, within a decade, see our technology turned against us in continued, more sophisticated and damaging attacks. As we designed the scenario outlined in the introduction, it was frightening to note how many possible avenues of cyber attack exist and how fragile and tenuous our economies and way of life actually are. As we pursued outlining both the problems and some possible solutions, it became clear that there is no single “magic bullet” approach that will guarantee our safety. It is more a question of constant vigilance and the will to evolve our security solutions to deal with 21st Century threats. Finally, to succeed in hardening our security across cyberspace will require unprecedented cooperation between nations, companies, academia and citizens, as the challenges are both formidable and multi-dimensional. The price of not solving these problems may be nothing less than our way of life.
Modelling Cyber Security: Approaches, Methodology, Strategies
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-29
Secure Software Engineering: Developing the New Generation of Secure Systems by Introducing a Security Focus Throughout the Development Lifecycle

H. MOURATIDIS
School of Computing, Information Technology and Engineering, University of East London, England

Abstract. In this paper we argue that, in order to develop the next generation of secure software systems, a security focus must be introduced throughout the development lifecycle. We also argue that security is not just a technical issue, and we explain how considering security issues from the earliest stages of the development process leads to the development of more secure software systems. After looking at the limitations and barriers of existing research and industrial approaches, with respect to the engineering of secure software systems, we briefly describe a methodology which considers both the social and the technical aspects of security and supports the objective of considering security from the early stages of software systems development. Moreover, we also argue that, in order to provide a security focus throughout the development lifecycle, we need to look at the issue collectively, rather than individually, by establishing a discipline that will form the basis of an in-depth understanding of the security issues involved in the development of software systems; provide the appropriate knowledge and best practice to assist software and security engineers in developing secure software systems; and also educate system users on security-related issues.
H. Mouratidis / Secure Software Engineering

Introduction

Security systems have been used to protect humans since the start of time. Initially, physical security systems, such as mechanical traps, walled castles and ramparts, door locks and alarms, were put in place as protection from intruders. More recently, the storage of important information in electronic format has introduced the need for computer security systems, such as firewalls, intrusion detection systems and antivirus software. The field of computer security, although newer in comparison with physical security, is definitely not a new topic and has been an active concern since the 1960s [1]. Nevertheless, it was not until the advent of distributed systems and computer networks that the security of information systems became an issue of monumental concern. Current software systems contain a large quantity of important and sensitive information ranging from medical records, to financial accounts, to confidential government information, to military secrets. As a result, the need to protect such information and develop secure software systems is no longer an option, but rather a necessity. It is therefore of paramount importance to fully understand the underlying characteristics, principles and challenges involved in the development of secure software systems. It is only then that we will be able to create software systems capable of safeguarding the information that is stored in them.

As we gain an in-depth understanding of how to develop secure software systems, it is important to understand that software systems operate within the greater context of “human society” and not in isolation. This is because a number of factors can affect the security of a software system. Such factors, however, do not necessarily challenge the technical issues related to the security of a software system. Consider, for example, the scenario in which a system, X, operates a password-protected policy, where each user must enter a correct username and password to gain access. Consider also that user Y has written down his/her password and has attached it to their computer screen. An attacker, Z, can gain access to the system using the details of user Y. Although the technical security solution of the system is not under attack, the human interaction with the system has introduced security vulnerabilities. Despite the need to consider software systems security as a multidimensional issue, current research work mostly focuses on the technical issues of software system security, such as authentication and encryption. Although this work is very important, we believe that it cannot achieve the development of secure software systems on its own.
A multidimensional treatment of security is needed to form the basis for an in-depth understanding of the security issues involved in the development of software systems; to provide the appropriate knowledge to assist software systems engineers and security engineers in developing secure software systems; and also to educate system users on issues related to the security of software systems. In this paper, we review the current state of the art in the area of secure software engineering, and we briefly present a security-aware methodology that enables software engineers to generate the appropriate security requirements for a system by analysing its environment, including its stakeholders. This allows software engineers not only to understand the technical challenges and requirements of the system but, equally importantly, the challenges and security requirements introduced by the social aspects of the system (environment, stakeholders, users and so on). The necessity of introducing a discipline to support the engineering of secure software systems is also discussed. In particular, Section 1 reviews research work in the area, whereas Section 2 briefly presents the Secure Tropos methodology. Section 3 discusses the foundations for a Secure Software Engineering discipline and, finally, the last section concludes the paper.
1. Secure Software Engineering: State of the Art

Initial work from the software systems engineering community produced a number of methods and processes intended to address non-functional requirements, including security. Chung [2] proposed the Non-Functional Requirements (NFR) framework to represent security requirements as potentially conflicting or harmonious goals and to be able to use them during the development of information systems. From the security engineering community, Schneier [3] proposed attack trees as a useful way to identify and organise different attacks on an information system, whereas Viega and McGraw [4] proposed ten (10) principles for building secure software. More recently, Anton et al. [5] proposed a set of general taxonomies for security and privacy, to be used as a general knowledge repository for the (security) goal refinement process. The pattern approach has been proposed by a number of researchers to assist security novices to act as security experts. Schumacher and Roedig [6] proposed a set of patterns, called security patterns, which contribute to the overall process of secure information systems engineering. Fernandez [7] specified security models as object-oriented patterns that can be used as guidelines for the development of secure information systems. Although useful, these approaches fail to define a structured process that takes security into account. A well-defined and structured process is of the utmost importance when considering security during the development phase.

On the other hand, a number of researchers model security by taking the behaviour of potential attackers into account. Van Lamsweerde and Letier [8] use the concepts of security goals and anti-goals. Anti-goals represent malicious obstacles set up by attackers to threaten the security goals of a system. In addition, Van Lamsweerde [9] also defines the notion of anti-models, models that capture attackers, their goals and capabilities. Similarly, Crook et al. [10] introduce the notion of anti-requirements to represent the requirements of malicious attackers. Anti-requirements are expressed in terms of the problem domain phenomena and are satisfied when the security threats imposed by the attacker are realised in any one instance of the problem. Lin et al. [11] incorporate anti-requirements into abuse frames. The purpose of abuse frames is to represent security threats and to facilitate the analysis of the conditions in the system under which a security violation occurs.
An important limitation of all of these approaches is that security is considered a vague goal that has to be satisfied, and they all lack a precise description and enumeration of specific security properties. Differently, another “school of thought” favours the development of methods to analyse and reason about security based on the relationships between actors (such as users, stakeholders and attackers) and the system. Liu et al. [12] have presented work to identify security requirements that are analysed, during the development of multiagent systems, as relationships amongst strategic actors. Moreover, Secure Tropos [13] has been proposed to deal with the modelling and reasoning of security requirements and their transformation to a design that satisfies them (see more information in the next section). Secure Tropos has been complemented by work in the areas of security attack scenarios [14] and a security patterns language [15].

Another direction is based on the extension of use cases and the Unified Modelling Language (UML). Initial work by McDermott and Fox [16] adapts use cases, in the form of abuse cases, to capture and analyse security requirements. An abuse case is defined as a specification of a type of complete interaction between a system and one or more actors, where the results of the interaction are harmful to the system, one of the actors, or one of the stakeholders of the system. Similarly, Sindre and Opdahl [17] define the concept of misuse case, the inverse of a use case, which describes a function that the system should not allow. They also define the concept of mis-actor as someone who intentionally or accidentally initiates a misuse case and to whom the system should not give support. Alexander [18] adds Threatens, Mitigates and Aggravates links to the use case diagram, while Jürjens proposes UMLsec [19], an extension of the Unified Modelling Language (UML), to include the modelling of security-related features, such as confidentiality and access control. Lodderstedt et al. [20] also extend UML to model security. In their approach, security is considered by analysing security-related misuse cases. A significant limitation of the use-case/UML related approaches is that, although they treat security in system-oriented terms, modelling and analysis of security requirements at a social level are still lacking. In other words, they lack models that focus on high-level security requirements, meaning models that do not force the designer to immediately go down to security requirements.

On the other hand, a large amount of work has been devoted to security policies and the definition of security models. Various models have been proposed based on mandatory access control (MAC), discretionary access control (DAC) and role-based access control (RBAC). One of the first models was the Bell-LaPadula multilevel security model [21]. Another well-known model is the Chinese Wall model [22], according to which data is organised into three different levels. The definition of a security ontology is also an important area of research within the security engineering community. Initial efforts to define a widely accepted security ontology resulted in what is known as the Orange Book (US Department of Defense Standard DOD 5200.58-STD). However, work towards this standard started in the late 1960s and was concluded by the late 1970s. Therefore important issues, raised by the introduction of the Internet and the use of information systems in almost every aspect of our lives, are not reflected in the standard.
More recently, Kagal et al. [23] have developed an ontology, expressed in DAML+OIL, to represent security information, trust and policies in multiagent systems, whereas Undercoffer and Pinkston [24], after analysing over 4000 computer vulnerabilities and the corresponding attack strategies employed to exploit them, have produced an ontology for specifying a model of computer attacks. Bimrah et al. [25] have defined an ontology to support trust modelling and have discussed how security is affected by trust.

A number of works have been initiated in industrial environments. CLASP [26] is an application security process that supports the consideration of security issues during the software development lifecycle. CLASP introduces a number of activities that can be integrated into a software development process to support security, along with indications of who (from a development team) is responsible for each of these activities. The Microsoft Security Development Lifecycle (MS SDL) [27] aims to reduce security vulnerabilities. SDL consists of best practices and tools that have been successfully used to develop recent Microsoft products. The approach includes a number of stages, such as education and awareness, project inception, cost analysis and so on.

All of the works presented in this section have aided in increasing a general understanding of the problem of developing secure software systems, and they have provided some support towards a move in this direction. However, most of the existing work primarily focuses on the technological aspects of security, and, in general, it ignores the social dimension of security. It is important that security be considered within the social context and that any social issues, such as trust and the involvement of humans, be taken into account [28]. In the next section, we briefly describe Secure Tropos, a methodology that considers the technical as well as the social aspects of security when developing a software system.
2. Secure Tropos

In this section, we present the Secure Tropos methodology [13], a security-aware methodology that enables software engineers to take security issues into account throughout a system’s development process. Due to page limitations, our description is focused on the modelling language, some modelling diagrams and the development steps of the methodology. Applications of the methodology to various case studies have been presented in the literature [29] [30].

The Secure Tropos modelling language adopts a number of concepts from the i* modelling framework [31]. The modelling language supports the creation of models representing actors, their intentional goals (alongside the plans and resources required to fulfil these goals), security constraints (alongside the secure plans and resources required to satisfy these constraints), and social and secure dependencies for defining the dependencies of one actor on another. The language has also been extended to take threats and vulnerabilities, as well as trust, into consideration [25] [32]. In particular, the language defines the following concepts:

An actor [31] represents an entity that has intentionality and strategic goals within a software system or within its organisational setting. An actor can be a (social) agent, a position, or a role. Agents can be physical agents, such as a person, or software agents. Software agents are defined as software having properties such as autonomy, social ability, reactivity, and pro-activity. A role represents an abstract characterisation of the behaviour of a social actor within some specialised context or domain of endeavour [31]. A position represents a set of roles, typically played by one agent.

A hard-goal [31] represents a condition in the world that an actor would like to achieve. In other words, goals represent an actor’s strategic interests. The language differentiates the concept of a hard-goal (simply goal hereafter) from the concept of soft-goal.
A soft-goal is used to capture non-functional requirements of the system; unlike a goal, it does not have clear criteria for deciding whether it is satisfied or not, and therefore it is subject to interpretation [31]. For instance, an example of a soft-goal is “the system should be scalable”.

A plan represents, on an abstract level, a way of doing something [33]. The fulfilment of a plan can be a means for satisfying a goal, or for contributing towards the fulfilment of a soft-goal. Different (alternative) plans that actors might employ to achieve their goals are modelled. Therefore, developers can reason over the different ways in which actors are able to achieve their goals and decide on the best possible option or route to take.

A resource [33] represents a physical or informational entity that one of the actors requires. The main concern when dealing with resources is whether the resource is available and who is responsible for its delivery.

A dependency [31] between two actors is an indication that one actor depends on another to attain some goal, execute a task, or deliver a resource. The dependent actor is called the depender, and the actor who is depended upon is the dependee. The nature of the agreement between dependee and depender is described by the type of dependency and is referred to as the dependum. Goal dependencies represent the delegation of responsibility for fulfilling a goal. Soft-goal dependencies are similar to goal dependencies, but their fulfilment cannot be defined precisely, whereas task dependencies are used in situations where the dependee is required to perform a given activity. Resource dependencies require the dependee to provide a resource to the depender. By depending on the dependee for the dependum, the depender is able to achieve goals that it is otherwise unable to achieve independently, or not as easily or as well. However, the depender becomes vulnerable, because if the dependee fails to deliver the dependum, the depender is affected in its aim of reaching its goals.

A capability [33] represents the ability of an actor to define, choose and execute a task for the fulfilment of a goal, given certain world conditions and in the presence of a specific event.

A security constraint [13] is defined as a restriction related to security issues, such as privacy, integrity and availability, which can influence the analysis and design of a software system under development by restricting some alternative design solutions, by conflicting with some of the requirements of the system, or by refining some of the system’s objectives. Security constraints, captured through a specialisation of constraint, do not represent specific security protocol restrictions, which should not be specified until the implementation of the system. However, they do contribute to a higher level of abstraction, which allows for a generalised design that is free of models biased toward particular implementation languages.

A secure dependency [13] introduces security constraint(s) that must be fulfilled for a certain dependency to be satisfied. Both the depender and the dependee must agree to the security constraint in order for the secure dependency to be valid. That means the depender expects that the dependee will satisfy the security constraint(s) and also that the dependee will make an effort to deliver the dependum by satisfying the same security constraint(s). Secure Tropos defines three different types of secure dependency.
In a depender secure dependency, the depender depends on the dependee and the depender introduces security constraint(s) for the dependency. In a dependee secure dependency, the depender depends on the dependee and the dependee introduces security constraint(s) for the dependency. In a double secure dependency, the depender depends on the dependee and both the depender and the dependee introduce security constraints for the dependency. Both must satisfy the security constraints introduced for the secure dependency to be achieved.

The term secure entity [13] is used in Secure Tropos to represent a secure goal, a secure task or a secure resource. A secure goal [13] represents the strategic interests of an actor with respect to security. Secure goals are mainly introduced in order to achieve possible security constraints that are imposed on an actor or that otherwise exist in the system. However, a secure goal does not specifically define how the security constraints can be achieved, since alternatives can also be considered. The precise definition of how the secure goal can be achieved is given by a secure task. A secure plan [13] is defined as a plan that represents a particular way of satisfying a secure goal. A secure resource [13] can be defined as an informational entity that is related to the security of the software system. A secure capability [13] represents the ability of an actor/agent to achieve a secure goal, carry out a secure task, and/or deliver a secure resource.

To support the analysis of security requirements using the concepts defined above, Secure Tropos defines a number of models. Detailed information regarding these models is outside the aim of this paper. However, to facilitate a better understanding of the methodology, we briefly describe one of the methodology’s models, the security-enhanced actor model. Readers interested in obtaining information on the other models of the methodology may refer to references [29] [30]. The security-enhanced actor model models any secure dependencies and the appropriate security constraints imposed on the network of actors. The meta-model for the security-enhanced actor model is shown in Figure 1.
Figure 1. Meta-model for Security Enhanced Actor Model
The secure Tropos process supports three main aims when considering security issues throughout the development stages of a software system: (i) identify the security requirements of the system; (ii) develop a design that meets the specified security requirements; and (iii) validate the developed system with respect to security. The first step of the methodology’s process aims to identify the security requirements of the system. Security requirements are identified by employing modelling processes such as security constraints, secure entities and secure capabilities modelling. In particular, the security constraints imposed on the system and the stakeholders are identified and secure entities, which guarantee the satisfaction of the identified security constraints, are imposed on the actors of the system. The second step in the process consists of identifying a design that satisfies the security requirements of the system, as well as its functional requirements. To achieve this, sub-components of the system are identified and then secure capabilities that guarantee the satisfaction of the security entities identified during the previous step are allocated to these sub-components. It ought to be noted that, in this stage, different architectural styles might be used to satisfy the functional requirements of the system. However, there should be an evaluation of how each of these architectural styles satisfies the security requirements of the system.
The third step of the process is the validation of the developed solution. The Secure Tropos process allows for two types of validation: a model validation and a design validation. The model validation involves validating the developed models (for example, the security-enhanced actor model or the security-enhanced goal model) with the aid of a set of validation rules [13]. It is worth mentioning that the validation rules are divided into two different categories, the inner-model rules and the outer-model rules. The first allow for the validation of each model individually, whereas the second allow for the consistency between the different developed models to be validated. The inner-model rules allow developers to validate the relationships between the components of the different security-related models, such as the relationship between the security features and the threats in the security reference diagram; to validate the consistency between the same components that appear in more than one model, such as a security constraint that appears in the actors’ model as well as in the goal model; and to validate the consistency when the delegation of components between actors takes place. The aim of the design validation is to check the developed solution against the security policy of the system. A key feature of Secure Tropos that allows us to perform such a validation is the fact that the same secure concepts are used throughout the development stages. Moreover, the definition of these concepts allows us to provide a direct mapping between them, and therefore to validate whether the proposed security solution satisfies the security policy. It is of interest to note that the Secure Tropos methodology has been employed in a number of case studies [13] [29] [30] with positive results.
3. Secure Software Engineering: A discipline

3.1. Motivation

There are various reasons that motivate the establishment of a discipline of Secure Software Engineering. In this section we identify and discuss four important reasons, and we explain how these affect the development of secure software systems by presenting real-life scenarios.

Independent solutions: Securing information systems raises a set of intertwined issues in the relevant areas of research, such as security engineering and software systems engineering. However, the research communities of these two areas (and in fact the research communities from most of the areas involved) traditionally work independently. On one hand, software systems engineering techniques and methodologies do not consider security as an important issue, although they have integrated concepts such as reliability and performance, and they usually fail to provide precise enough semantics to support the analysis and design of security requirements and properties [10] [13]. On the other hand, security engineering research has mainly produced formal and theoretical methods, which are difficult for non-security experts to understand and which, apart from security, only consider limited aspects of the system.

Sharing of knowledge: As discussed in the previous section, a number of efforts have been reported in the literature towards developing security mechanisms and methods, but these usually look at the problem from specific views and only for specific purposes. This is primarily due to the fact that the software systems and security engineering communities mainly work separately. This separation not only creates a void in the proposed solutions, but it also results in restricted sharing of existing knowledge. The different research events organised by the two communities, their different research publications, and so on are rarely informed of what occurs in the forums of the other. Even widely used textbooks mostly concentrate on one part of the problem, either technical security issues or software engineering techniques, and, when they do cover both, they only contain very limited information about the integration of security and software systems engineering principles. The problem is worse when looking at the integration of such work with other areas of research, such as social phenomena, cognitive theories, etc.

Custom solutions: In many cases, the inclusion of security in a system is driven by existing custom technical solutions (e.g. security mechanisms) rather than the system’s real security requirements. Basing the development of the security of a system on specific security mechanisms, as opposed to the security requirements, prevents different and sometimes better solutions from being considered and chosen to satisfy the security requirements. As reported by Firesmith [34], requirements engineers do not usually receive appropriate training in generating, analysing and specifying security requirements. As a result, they often confuse them with security mechanisms, which are used to fulfil the security requirements. Therefore, the engineers end up defining architectures and constraints rather than true security requirements [34]. For instance, imagine a system that requires identification and authentication.
If the development of the system is based on some specific solutions to these requirements, such as username and password, then other solutions might be ignored, such as biometric identification and authentication, which in some cases could better fulfil the initial security requirements. Therefore, it is important that development be driven only by the security requirements, as it happens with functional requirements, and not by the well-known security solutions. Lack of appropriate education: Professional training courses and university curriculum should help towards solving the aforementioned problem. However, unfortunately, they propagate it. Software engineering and security engineering training, as well as curriculum development in universities adhere to the separation of the two main research areas and also isolate students from other non-technical areas. McDermott [16] argues that not all information systems practitioners are security specialists neither do they fully understand mathematical security models. Moreover, studies related to human behaviour and so on are never covered. This means that software systems engineers are not well educated regarding the security issues that they might be faced with during the development of software systems, and security engineers are mostly not familiar with current practices and issues surrounding software systems engineering. Furthermore, both only understand very little the aspects of human behaviour and, therefore, have only a specific understanding of potential social issues that might affect the security of a system.
3.2. Foundations

We define Secure Software Engineering as the engineering discipline concerned with the development of secure software systems. In particular, secure software engineering is concerned with the unification of any area of research that can contribute to the development of the knowledge (theoretical and practical), principles and practices, as well as the establishment of a research agenda, regarding secure software systems development. It is worth noting that we do not consider the definition above to be absolute; rather, we expect it to be revised from time to time to reflect the maturity and progress of the discipline, as is the case with most disciplines.

As every discipline aims to address a unique fundamental question, we propose that the first question for secure software engineering can be formulated as "how are secure software systems engineered?". In answering such a question, many sub-questions need to be formulated and answered, for example what we mean by "secure software systems" and "what is good security". Usually, different researchers and practitioners will answer such questions differently. However, it is imperative that common answers are established for such fundamental issues, in order to provide a well-founded base on which further research questions can be built, leading ever closer to an answer to the fundamental question of the discipline. Moreover, in answering such questions, global, general assumptions most likely need to be made. We consider the following three to be the general assumptions that need to be made for secure software engineering: (1) the development of secure software systems is a complex issue that involves technical as well as social challenges; (2) processes, models, methodologies and automated tools can be employed to assist in the development of secure software systems; (3) proper education of anyone involved in the development as well as in the usage of software systems is needed to support the outputs of research addressing the technical challenges and to complement the social challenges.

Disciplines do not exist in isolation; they are related to reference disciplines. Reference disciplines are existing bodies of knowledge that help establish the new discipline. By formally referencing disciplines, the contributions of existing knowledge are recognised and a logical link to the new discipline is provided. Without this linkage, researchers in existing disciplines may question the grounding theories of a new discipline and dismiss its importance [35]. Secure software engineering builds upon the knowledge, theories and methods of several existing disciplines, including software engineering, security engineering and the social sciences. The development of such techniques should be based on research provided by the security engineering research community, such as attack testing, secure design principles and security ontologies, complemented by research provided by the software engineering community, such as requirements engineering techniques, information systems development methodologies and modelling languages, and testing. Moreover, theories from the social sciences should also be taken into account to ensure that the human factor is appropriately considered.

We argue that an engineering discipline for secure information systems should be based on the following principles: consider security from the early stages of information system development; separation of concepts; ensure the quality of the security solution; consistency. Although some of these principles are not novel, and they are based on related information systems and/or security engineering principles, the point is that current approaches do not follow them.
Conclusion

This paper argues that a security focus must be introduced throughout the entire software development process in order to support the development of the next generation of secure software systems. Such an effort should bring together the experience and techniques of various current disciplines, such as software engineering, security engineering and social studies, in a coherent and organised way. We have also argued that security is not just a technical issue, and we have explained how the consideration of security issues from the early stages of the development process leads to the development of more secure software systems. The Secure Tropos methodology is briefly described, and an attempt is made to define the foundations for a discipline of secure software engineering. However, this is not an absolute attempt; the paper aims to motivate a large-scale effort towards the development of the discipline, which will hopefully result in a more complete and detailed definition of the proposed discipline.
References

[1] Saltzer, J., Schroeder, M.D. (1975). The Protection of Information in Computer Systems. Proceedings of the IEEE 63(9), pp. 1278-1308, September 1975.
[2] Chung, L., Nixon, B. (1995). Dealing with Non-Functional Requirements: Three Experimental Studies of a Process-Oriented Approach. Proceedings of the 17th International Conference on Software Engineering, Seattle, USA.
[3] Schneier, B. (2000). Secrets & Lies: Digital Security in a Networked World. John Wiley & Sons.
[4] McGraw, G., Viega, J. (2001). Building Secure Software: How to Avoid Security Problems the Right Way. Addison-Wesley.
[5] Anton, A.I., Earp, J.B. (2004). A requirements taxonomy for reducing web site privacy vulnerabilities. Requirements Engineering 9(3):169-185.
[6] Schumacher, M., Roedig, U. (2001). Security Engineering with Patterns. Proceedings of the 8th Conference on Pattern Languages for Programs (PLoP), Illinois, USA.
[7] Fernandez, E.B. (2004). A methodology for secure software design. Proceedings of the 2004 International Conference on Software Engineering Research and Practice (SERP'04), Las Vegas, NV, June 21-24, 2004.
[8] Van Lamsweerde, A., Letier, E. (2000). Handling Obstacles in Goal-Oriented Requirements Engineering. Transactions on Software Engineering 26(10):978-1005.
[9] Van Lamsweerde, A. (2004). Elaborating Security Requirements by Construction of Intentional Anti-Models. Proceedings of the 26th International Conference on Software Engineering, Edinburgh, May, ACM-IEEE, pp. 148-157.
[10] Crook, R., Ince, D., Nuseibeh, B. (2003). Modelling Access Policies Using Roles in Requirements Engineering. Information and Software Technology 45(14):979-991, Elsevier.
[11] Lin, L.C., Nuseibeh, B., Ince, D., Jackson, M., Moffett, J. (2003). Analysing Security Threats and Vulnerabilities Using Abuse Frames. Technical Report 2003/10, The Open University.
[12] Liu, L., Yu, E., Mylopoulos, J. (2003). Security and Privacy Requirements Analysis within a Social Setting. Proceedings of the 11th International Requirements Engineering Conference, pp. 151-161, IEEE Press.
[13] Mouratidis, H. (2004). A security oriented approach in the development of multiagent systems: applied to the management of the health and social care needs of older people in England. PhD thesis, University of Sheffield.
[14] Mouratidis, H., Giorgini, P., Manson, G. (2004b). Using Security Attack Scenarios to Analyse Security During Information Systems Design. Proceedings of the International Conference on Enterprise Information Systems (ICEIS 2004), pp. 10-17, April, Porto, Portugal.
[15] Mouratidis, H., Weiss, M., Giorgini, P. (2005c). Security patterns meet agent oriented software engineering: a complementary solution for developing security information systems. Proceedings of the 24th International Conference on Conceptual Modelling (ER), Lecture Notes in Computer Science 3716, pp. 225-240, Springer-Verlag.
[16] McDermott, J., Fox, C. (1999). Using Abuse Case Models for Security Requirements Analysis. Proceedings of the 15th Annual Computer Security Applications Conference.
[17] Sindre, G., Opdahl, A.L. (2005). Eliciting security requirements with misuse cases. Requirements Engineering 10(1):34-44.
[18] Alexander, I. (2003). Misuse Cases: Use cases with hostile intent. IEEE Software 20, 58-66.
[19] Jürjens, J. (2004). Secure System Development with UML. Springer-Verlag.
[20] Lodderstedt, T., Basin, D., Doser, J. (2002). SecureUML: A UML-Based Modelling Language for Model-Driven Security. Proceedings of UML'02, LNCS 2460, pp. 426-441, Springer-Verlag.
[21] Bell, D.E., LaPadula, L.J. (1976). Secure Computer Systems: Mathematical Foundations and Model. The Mitre Corporation.
[22] Brewer, D.F.C., Nash, M.J. (1989). The Chinese Wall Security Policy. Proceedings of the IEEE Symposium on Research in Security and Privacy, pp. 206-214, 1-3 May 1989, Oakland, California.
[23] Kagal, L., Finin, T. (2005). Modeling Conversation Policies using Permissions and Obligations. In Developments in Agent Communication, Frank Dignum, Rogier van Eijk, Marc-Philippe Huget (Eds.), Post-proceedings of the AAMAS Workshop on Agent Communication, Springer-Verlag, LNCS, January 2005.
[24] Undercoffer, J., Pinkston, J. (2002). Modelling Computer Attacks: A target-centric ontology for intrusion-detection. Proceedings of the CADIP Research Symposium, available at: http://www.cs.umbc.edu/cadip/2002Symposium/
[25] Bimrah, K.K., Mouratidis, H., Preston, D. (2007). Trust Ontology for Information Systems Development. Proceedings of the 16th International Conference on Information Systems Development (ISD2007), Galway, Ireland.
[26] CLASP Project (2008). http://www.owasp.org/index.php/Category:OWASP_CLASP_Project [Last accessed October 2008].
[27] Lipner, S. (2004). The Trustworthy Computing Security Development Lifecycle. Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC '04), CA, USA, 2004, IEEE CS Press, pp. 2-13.
[28] Mouratidis, H., Giorgini, P. (2006). Integrating Security and Software Engineering: Advances and Future Vision. IDEA Group Publishing, ISBN 1-59904-148-0.
[29] Mouratidis, H., Giorgini, P., Manson, G. (2005). When Security meets Software Engineering: A case of modelling secure information systems. Information Systems 30(8), pp. 609-629, Elsevier.
[30] Mouratidis, H., Giorgini, P. (2007). Secure Tropos: A Security-Oriented Extension of the Tropos methodology. International Journal of Software Engineering and Knowledge Engineering (IJSEKE) 17(2), pp. 285-309, World Scientific.
[31] Yu, E. (1995). Modelling Strategic Relationships for Process Reengineering. Ph.D. Thesis, Dept. of Computer Science, University of Toronto.
[32] Matulevicius, R., Mayer, N., Mouratidis, H., Dubois, E., Heymans, P., Genon, N. (2008). Adapting Secure Tropos for Security Risk Management during Early Phases of the Information Systems Development. Proceedings of the 20th International Conference on Advanced Information Systems Engineering (CAiSE'08), Montpellier, France.
[33] Bresciani, P., Giorgini, P., Giunchiglia, F., Mylopoulos, J., Perini, A. (2004). TROPOS: An Agent-Oriented Software Development Methodology. Journal of Autonomous Agents and Multi-Agent Systems, Kluwer Academic Publishers, 8(3), pp. 203-236.
[34] Firesmith, D.G. (2003). Engineering security requirements. Journal of Object Technology 2(1), ETH Swiss Federal Institute of Technology.
[35] Liles, D.H., Johnson, M.E., Meade, L.M., Underdown, D.R. (1995). Enterprise Engineering: A discipline? Proceedings of the Society for Enterprise Engineering Conference, June.
Section 1.2 Current Methods Applied to Security
Modelling Cyber Security: Approaches, Methodology, Strategies U. Gori (Ed.) IOS Press, 2009 © 2009 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-074-2-43
A Fuzzy Approach to Security Codes: Cryptography Between Technological Evolution and Human Perception

Serena LISI
C.S.S.I. - Centre for Strategic and International Studies, University of Florence

Abstract. Cryptography may be considered a science in fieri; it is constantly evolving and being updated, in order to adapt to today's fast-changing scenarios. This paper underlines the coexistence of two different approaches to the theory of codes and the protection of confidential information: the first and most widely diffused approach emphasises technology (i.e. a scientific approach), and the second emphasises human perception (i.e. a cultural, allegorical, non-conventional approach). The two approaches are gradually merging to create a new integrated and fuzzy approach, which resembles the theories of systems and political science developed by Bart Kosko from the late 1990s to the present. In order to accept the aforementioned fuzzy approach, we need to accept a specific definition of the word cryptography, here intended as the theory and technique used to create secret codes, either in written form (encryption) or in visual form/jargon (steganography).

Keywords. cryptography, encryption, steganography, entropy, fuzzy theories, integrated approach, language evolution, asymmetrical war, allegories.
Cryptography may be considered a science in fieri; it is constantly evolving and being updated, in order to adapt to today's fast-changing scenarios. But what exactly is cryptography? There are several accepted answers to such a question, each true depending on the point of view taken. Just to give an idea of this multiplicity, both of the following definitions1 refer to cryptography. They are the best known, and it is worth noting how different they are, since they seem to describe two opposite situations:

Definition one: secret writing, which cannot be read by those who do not know the specific device used during its development. It can be developed through invisible writing, conventional writing or ciphers.

Definition two: an ensemble of theories and techniques (manual, mechanical, electronic, digital and so on) which create a secret code, either through encryption (using a key) or through steganography (using visual devices or jargon codes).

The approach promoted in this paper requires that the second definition be accepted, wherein cryptography is considered to be a theory and technique used to obtain secret written or visual/jargon codes with the aim of protecting confidential information.

1 I have obtained these definitions by making a comparative analysis of the following texts: Dizionario della Lingua Italiana "Devoto-Oli", ed. 2008; Dizionario della Lingua Italiana "Il Gabrielli", ed. 1999; The Oxford English Dictionary, ed. 2000; Simon Singh, "Codici e segreti", Bur Saggi, Milano 1999 [1], [2], [3], [4].

S. Lisi / A Fuzzy Approach to Security Codes

Following the aforementioned definition, we can turn our attention to the coexistence of two different approaches commonly used to protect information. The first emphasises the importance of technology, supported by mathematical theories such as the theory of prime numbers (Fermat's theorem) or quantum theory, which also involves physics [5] [6]. The second approach emphasises cultural, allegorical and non-conventional human perception, and involves technical and linguistic steganography [4]. In several works, two macro-classes of techniques are presented, i.e. those developed from, and based on, mathematics and physics, and those developed using approaches linked to human perception. In both macro-classes, the techniques are gradually reaching their maximum level of innovation in comparison to their usability. On one hand, the most important steps in the evolution of the first class of techniques are as follows2:
• Vigenère's polyalphabetic cipher (26 alphabets)
• Enigma during the Second World War
• Asymmetric-key codes developed during the 1970s
• Use of the theory of prime numbers (Fermat's theorem) in an increasing number of innovative security applications

These steps can be considered milestones or turning points in encryption systems [7]. Probably the third step (with Diffie-Hellman) can be considered the most important when speaking of the marginal productivity of an encryption system. Today, the theory of prime numbers (Fermat's theorem) is increasingly used in innovative applications for security. According to various physicists3, the next turning point will be the application of quantum cryptography. This is quite probable, given that studies on the issue are ongoing and, with them, their usage and derived applications. But for the moment, quantum cryptography is still too expensive to be considered a mass solution.

On the other hand, we can see how steganography [4] has maintained the same principles it has always had; its aim is to hide the message through the application of visual devices or jargon codes, blanks, grids and so on. The point is that, today, several technological devices are involved in such a process. Digital imaging, watermarking, blanks and so on need technology to be developed further. For this reason, the present situation can be described as follows:

2 This refers to the modern and contemporary era. Several other important steps were introduced and used in ancient times (e.g. the Caesar cipher, the so-called "Lakedaimon Scytale") [4].

3 Interest rose in the 1980s with Bennett and Brassard's theories and was developed through Ekert's study on entangled photons. Today, entanglement is the keyword for quantum theories [8].
Figure 1. Description of the two main approaches to confidential information encoding
The result is a complex, integrated system resembling the evolution of communication: lexicon, symbols, tools, media. Communication is the mirror of society. And, as we know, society is afraid of several present-day threats: first and foremost, terrorism and Al Qaeda, the symbol of asymmetrical war/threats. These threats are considered asymmetrical for the strategies and system of values used4, but also for their communication, which develops towards a "New Middle Ages Era" made up of symbols, metaphors and allegories5. The complex, integrated system represented below is an attempt to respond to such a threat and to keep up with it, on one hand by protecting our encoding systems and, on the other hand, by understanding the non-conventional, allegorical language codes that are being used.

4 For example, the usage of shahada (death for faith, martyrdom) in a Western post-heroic era.

5 An example of the evolution of such a message (reproduced as an image in the original): this is an encrypted message in itself and usually does not need any additional code/encryption.
Figure 2. Graph representing the evolution of confidential information protection in response to asymmetrical threats.
This approach also brings computational matters to light. Today we speak of quantum cryptography as a possible further step for encoding methods. The fact is that data processing obtained by using quantum sources cannot currently be compared to what the human brain is able to produce, since the human brain involves a number of computational operators (neurons) greater than the number of operators used in quantum cryptography (the number is 10^26)6. This is an important indicator of a contemporary trend: researchers are trying to free science from traditional hermeneutics, which leads to hermeneutic circles (i.e. closed logical paths)7, in order to work with hermeneutic spirals (i.e. fuzzy logic8). Fuzzy logic implies the use of continuous variables instead of discrete variables. It applies the following principle: using a continuous variable implies that we can take and use any value within the variable's range [9]. The same can be done using a fuzzy approach to cryptography: any combination of methods is possible in the attempt to obtain successful usage.

6 From a discussion on languages and complexity with Prof. Dr. F.T. Arecchi, University of Florence.

7 An example of a hermeneutic circle (meant as a limited perspective) is Euclid's theory regarding the sameness of triangles: if two triangles can be overlapped so that they coincide, then they are equal to each other. The movement should be a rigid movement (i.e. moving polygons without altering their shapes). This is true, but it is a limited concept, since it involves only the mere shape of a polygon.

8 Fuzzy logic is a type of logic that comprehends more than the classical two "truth values" (true or false). Therefore, it is considered a multi-valued rather than a classical two-valued logic and is generally used to handle situations that are approximate rather than specific. An example of its use is highlighted by an experiment being conducted in Japan, where human rail conductors have been replaced with robots that are able, through the use of applied fuzzy logic, to drive trains on determined tracks.

The same principle may be applied to several other issues related to cryptography. The most common methods of encoding, indeed, work as protection for a message made up of words. This means working either with entire words or, more frequently, on letters. Words are made up of a periodic repetition of letters or sound groups, depending on the language used. For example, in the Italian language we can see a very large usage of vowels such as "a" and "e". On the contrary, in the German language there is a very frequent repetition of consonant groups such as "ch" and "sch". In addition, it is possible to notice that a relevant number of peculiarities exist in, and are particular to, each language, from verbal inflected forms to the alphabets themselves9. Considering such peculiarities and the repetition scheme (if applicable) of letters in each alphabet, we can assert that each language has its own degree of entropy, both for the language itself (the combination of letters/sounds) and for the cultural system of symbols. The degree of entropy of each language depends on an objective factor, the structure of the language10, and on a subjective factor, the cultural system of values. Therefore, it is possible to identify which languages are "high entropy" and which are "low entropy". Encoding and decoding high-entropy languages will be more difficult, since it will take longer11.

Researchers are working on the issue. A relevant result in the field is the study on connections between codes, languages and the human brain by Professor Patrice Pognan12. His research aims at obtaining a new type of language processor that will be able to pay attention to the statistical distribution of specific key points in each idiom (i.e. word endings, repetition of vowels and so on).
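The two technical points made above, the Vigenère polyalphabetic cipher listed among the milestones and the claim that each language has its own degree of letter entropy, can be made concrete with a small measurement. The following Python is an added example, not code from the paper or from Pognan's work: it computes the unigram Shannon entropy of a text sample (how far its letter distribution is from the uniform maximum of log2(26) bits), then applies a Vigenère substitution and measures the ciphertext the same way. The Italian and German sentences and the key "FIRENZE" are constructed inputs; accented letters are dropped to keep the toy alphabet to A-Z.

```python
"""Letter-frequency entropy of a language sample versus its Vigenère ciphertext.

Added example (not code from the paper). Each language repeats certain
letters and letter groups, so a plaintext sample has a measurable Shannon
entropy per letter that sits below the uniform maximum log2(26) ~ 4.70 bits.
A Vigenère (polyalphabetic) substitution shifts successive letters by
successive key letters, spreading each plaintext letter over several
ciphertext letters and pushing the ciphertext's letter distribution toward
that maximum.  The sample sentences and the key below are constructed.
"""
from collections import Counter
from math import log2
import string

ALPHABET = string.ascii_uppercase
MAX_ENTROPY_BITS = log2(len(ALPHABET))  # uniform distribution over 26 letters

# Constructed sample sentences (not from the paper); accents are dropped by
# letters_only(), which keeps this toy example to A-Z.
SAMPLES = {
    "italian": "La casa era tranquilla e la sera arrivava lenta e serena sulla campagna",
    "german": "Die Geschichte schreibt sich schnell und schwierig durch die Nacht",
}


def letters_only(text: str) -> str:
    """Case-fold and keep only A-Z (spaces, punctuation and accents dropped)."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def letter_frequencies(text: str) -> dict:
    """Relative frequency of each letter that occurs in the sample."""
    clean = letters_only(text)
    counts = Counter(clean)
    return {ch: n / len(clean) for ch, n in counts.items()}


def shannon_entropy_bits(text: str) -> float:
    """Unigram letter entropy H = -sum(p * log2 p); 0.0 for an empty sample."""
    freqs = letter_frequencies(text)
    return -sum(p * log2(p) for p in freqs.values()) if freqs else 0.0


def vigenere_encrypt(plaintext: str, key: str) -> str:
    """Vigenère: the i-th letter is shifted by the i-th key letter (mod 26),
    so up to 26 Caesar alphabets are used in turn."""
    clean, k = letters_only(plaintext), letters_only(key)
    if not k:
        raise ValueError("key must contain at least one letter")
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + ALPHABET.index(k[i % len(k)])) % 26]
        for i, ch in enumerate(clean)
    )


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Inverse of vigenere_encrypt: subtract the key shift instead of adding it."""
    clean, k = letters_only(ciphertext), letters_only(key)
    if not k:
        raise ValueError("key must contain at least one letter")
    return "".join(
        ALPHABET[(ALPHABET.index(ch) - ALPHABET.index(k[i % len(k)])) % 26]
        for i, ch in enumerate(clean)
    )


def entropy_report(text: str, key: str) -> dict:
    """Entropy (bits per letter) of a plaintext sample and of its Vigenère ciphertext."""
    cipher = vigenere_encrypt(text, key)
    return {
        "plaintext_bits": round(shannon_entropy_bits(text), 3),
        "ciphertext_bits": round(shannon_entropy_bits(cipher), 3),
        "max_bits": round(MAX_ENTROPY_BITS, 3),
    }


if __name__ == "__main__":
    for lang, sentence in SAMPLES.items():
        print(lang, entropy_report(sentence, "FIRENZE"))  # constructed key
```

The figure this produces is the unigram entropy of a short sample, not the broader notion the paper uses (which also folds in the cultural system of symbols); it is enough, however, to see that a low-entropy plaintext leaves a visible letter-frequency profile, and that a longer key spreads that profile more evenly, which is the defensive reason polyalphabetic substitution was a milestone.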
Pognan's study is a very important step towards the effective integration of approaches, since it pays attention to linguistic peculiarities. In the future, we will have to work very diligently on the connection between such peculiarities and allegorical languages, which now represent one of the most important asymmetrical, non-conventional forms of communication, frequently used in asymmetrical conflicts. A simple example is supplied by a drawing adapted from a well-known Sufi comic strip, explained below13:
9 E.g. the Hiragana and Katakana alphabets in the Japanese language: the first is made of ideograms, the second is a syllabic alphabet which expresses sounds.

10 This factor is recognised in all theories and has quite often been studied.

11 As also shown in a personal experiment at the INOA (Istituto Nazionale di Ottica Applicata – National Institute of Applied Optics, University of Florence). A CO2 laser sends the same message translated into several languages; receiving it takes longer the higher the entropy level is.

12 Patrice Pognan teaches at the Institute of Formal and Applied Linguistics, Faculty of Mathematics and Physics, Prague, and at INALCO, Paris. He has also been a professor of Military Strategy in France. His contribution to the subject at the 2007 FLAIRS Conference, Key West, Florida, USA is notable. Another important work of his is "Analyse morphosyntaxique automatique du discours scientifique tchèque" [10].

13 This is a sequence built on autograph blue-ink calligrams inspired by a famous picture, also included in "L'alfabeto arabo (The Arabic Alphabet)", Gabriele Mandel, Ed. Mondadori. The illustration is just a harmless example, but it explains the situation very well, since it demonstrates how allegories can be used as real codes when the system of reference is different.
Figure 3. Drawing illustrating an allegorical, multilevel, non-conventional form of communication
(God's) lover launches an arrow towards a lion (passion). The lion avoids the arrow, which strikes the eye of the beloved person (the one who should understand the religious message) [11]. This is just an artistic example (a comic strip) of the great power and degree of complexity allegories can have. We will have a very difficult task ahead of us in this post-Wassenaar Arrangement era14. For a true comprehension of cryptographic matters, indeed, we should start thinking of languages themselves as "dual-use devices"15. We should believe in HumInt (Human Intelligence) capabilities, since language is a collection of symbols and a code in itself. The two pictures below try to explain this process. The first figure is inspired by essays and studies taken from Scientific American and one of its partner networks [12, 31] and demonstrates how a message is understood at different levels [13]:

14 The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, of 1996, replaced the Coordinating Committee for Multilateral Export Controls (COCOM). It was a turning point, since it included cryptography and other similar devices among the dual-use devices subject to export controls. It was also combined with several privacy laws.
Figure 4. Diagram of brain comprehension on multiple levels
As we can see, through Fibonacci's theories (look at the pentagon) and other non-computational associations, the human brain is capable of elaborating highly complex messages, which can only be fully understood thanks to human operators, as shown in the last figure below, which summarises the major points made in Pognan's studies on language comprehension [9].

15 Dual-use devices are goods or technologies that can be used both for common (daily life) purposes and for strategic or military purposes, and therefore for either peaceful or military aims.
Figure 5. Break-down of language constructs and communication
Hermeneutic semantic areas could very well be the future of cryptography.
References 16 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]
[13]
Dizionario della Lingua Italiana “Devoto-Oli”, Mondatori – Dizionari e Grammatiche, ed. 2008 Dizionario della Lingua Italiana “Il Gabrielli”, Gruppo Editoriale Mondadori Ed 1989 The Oxford English Dictionary, Oxford University Press, Ed. 2000 Simon Singh, “Codici e segreti”, Bur Saggi, Milano 1999 A.D.Aczel, “L’enigma di Fermat”, Net, Trento, 2003 Moro, Giovanni. “Il codice dei numeri interi: l’ultimo teorema di Fermat”. Rivista Marittima, 1986. Fondazione Ugo Bordoni, “Crittografia - pubblicazioni”, 1992 A.D.Aczel, “Entanglement, il più grande mistero della fisica”, Rizzoli, Bergamo 2004 Bart Kosko, “Il fuzzy-pensiero. Teoria e applicazioni della logica fuzzy”, Baldini e Castoldi , Milano 2002 Patrice Pognan, “Analyse morphosyntaxique automatique du discours scientifique tchèque”, Dunod, Association Jean-Favard pour le développement de la linguistique quantitative, Paris 1975 Gabriele Mandel Khân, “L’alfabeto arabo”, Mondadori, Milano 2000 Scientific American: January 2005 "Best kept secrets" by Gary Stix (pp.65-69); October 1980 "The Causes of Color" by Kurt Nassau (pp.106-123); October 1977 "Fundamental Particles with Charm" by Roy F. Schwitters, "The Solution of the Four-color-map Problem" by Kenneth Appel and Wolfgang Haken, "Hallucinations" by Ronald K. Siegel (pp. 56-70, 108-121, 132-140); October 1976 "Whitelight Holograms" byemmett N. Leith (pp.80-95); April 1976 "Subjective Contours" by Gaetano Kanizsa (pp.48-52); June 1975 "Electron-Positron Annihilation and the New Particles" by Sidney D.Dell and "Visual Motion Perception" by Gunnar Johansson (pp. 50-62, 76-88), http:// dericbownds.net/ last visited July 2009 – Scientific American Partner Network Nicholas Falletta, “Il libro dei paradossi. Una raccolta di rompicapi avvincenti e figure impossibili”, Longanesi & c., Milano 2002
16 References [14] to [30] are those sources which were used as general references throughout this paper, which is an elaboration of the arguments presented by these on “cryptography”.
S. Lisi / A Fuzzy Approach to Security Codes
51
[14] Paul Forman, “Fisici a Weimar. La cultura di Weimar, la causalità e la teoria dei quanti.” A cura di Tito Tonietti, CRT (PT) 2002 [15] Igor Shparlinski, “Number Theoretic Methods in Cryptology. Complexity lower bounds”. Birchhäuser, Boston, Basel, Berlin 1999 [16] Paolo Facchi, Saverio Pascazio, “La regola d’oro di fermi”, Bibliopolis Trecase (NA) 1949 [17] C.J. Snijders, “La sezione aurea. Arte, natura, architettura e musica”, Muzzio Scienza PD 2000, translated from “Die Golden Snede”, 1969 Driehoek, Amsterdam [18] Fritjof Capra, “Il tao della fisica”, Gli Adelphi N/1989 ried. 1999 [19] Fondazione Ugo Bordoni, “Primo simposio nazionale su stato e prospettive della ricerca crittografica in Italia - ATTI”, Roma 30-31 ottobre 1987 [20] A.D.Aczel, “L’equazione di Dio”, Net Trento 2003 [21] Ludwig von Bertalanffy, “Teoria generale dei sistemi. Fondamenti, sviluppo, applicazioni”, Oscar Saggi, Milano 2004 [22] Vito A. Martini, “Grammatica araba”, Istituto Editoriale Cisalpino-Goliardica, Milano 1976 [23] Ghani Alani, “Calligraphie arabe”, Editino Fleurus, Paris 2001 [24] Len Walsh, “Read Japanese today”, Tuttle, Rutland, Vermont & Tokyo, Japan 1969, new ed. 1999 [25] Wolfgang Hadamitzky, Mark Spahn “Kanji & Kana, a handbook of the Japanese writing system”,Tuttle Language Library, Rutland, Vermont & Tokyo, 1999 [26] Lawrence Washington “Elliptic Curves: Number Theory and Cryptography”, Chapman & Hall/CRC 2003 [27] Jonathan Katz and Yehuda Lindell “ Introduction to Modern Cryptography”, CRC Press 2007 [28] John R. Pierce, ”Elettronica quantistica. Transistor, maser, laser”. BMS Zanichelli 1968 [29] http://www.epfl.ch/, last visited 01/2009 [30] http://www.lci.det.unifi.it, last visited 10/11/2008 [31] http://www.peds.ufl.edu, last visited July 2009
Modelling Cyber Security: Approaches, Methodology, Strategies U. Gori (Ed.) IOS Press, 2009 © 2009 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-074-2-52
Cryptography and Security: Evolutionary Information Theory and Prime Numbers Genetics
Gerardo IOVANE
DIIMA, University of Salerno, Italy
Abstract. In this paper we consider Evolutionary Information Theory, paying specific attention to the application of prime numbers to cyber security and cryptography. Indeed, we demonstrate that the sequence of prime numbers is deterministic and not stochastic, as has been believed for several centuries. This implies that much attention must be directed toward the new scenario that has formed around cryptosystems, encryption and ciphering in order to prevent cyber attacks and protect Critical Network Infrastructures.
1. Introduction
Behind the new cyber warfare threats it is possible to find computer evolutionism and the genetics of prime numbers. The former will bring the International Community to face these threats at a systemic level, once the virtual and physical spaces are no longer uncoupled, as they are today, and it becomes possible to control wireless instruments through a notebook or an organiser from a distance of thousands of kilometres. To know more about this topic, it is useful to trace the history of the Information Era using a key word for each epochal change: i) use; ii) interaction; iii) communication; iv) immersion; v) immersive shared reality; vi) control. In Information Technology, the term “use” indicates the birth of that very same technology. In other words, the computer replaces all the operations of office automation, hence providing a single integrated means which can easily and rapidly offer all one needs for the daily activities of any given structure, be it a basic family structure or a complex structure typical of governments and large companies. Over the years, the use of the computer and the Internet has been refined to offer the user newer ways to improve interaction. This means that it is now possible to solve the problem which emerged in the 1980s, when technologies reached one of their limits, that of running the risk of being boring. Although people continue to experiment with new and more engaging forms of interaction with the computer, their primary need to communicate with other people and to share data, information, strategies and goals persists. In fact, the 1990s saw the spread of technologies linked to communication, the Internet and the web. In the last decade of the 1900s, virtual reality left its technological incubator, and those research environments that aimed at providing different instruments for the most varied fields, from Defence to medicine, transportation, entertainment, etc.
Now what can we say about the present? It is clear that immersive information technologies, such as virtual reality, and communication technologies, namely the web,
G. Iovane / Cryptography and Security
are merging into each other to create new ICT forms. Indeed, in this field of research it is already possible to see new forms of organisation that no longer use the NET (such as the InterNET and others) but rather a new form, the GRID, as do the so-called VO (Virtual Organisation) and VN (Virtual Network). GRIDs represent the next step in net technology, because on the web one finds not only information but also services (the so-called web services). The web is no longer simply a web of computers and their peripherals; it is now comprised of meshes of electronic devices such as the electronic equipment in a lab; an oscilloscope; the washing machine; the video camera that monitors your sleeping child; and the rain sensor that activates the rolling shutters of your porch where the laundry has been hung out to dry. If this is what is happening now, in the present, what must we control in the near future to make better use of these instruments? What might we predict about the remote future? After the phase of ‘shared immersive reality’, we will enter an era of control of IT and of our new technologies. In other words, what we now call virtual reality and what we know to be our physical reality will merge and become one single action field; it must not come as a surprise that our children will be able to command their IT teacher’s ABS car from a distance, using remote wireless RFID (Radio Frequency Identification) technologies directly from their organiser, in order to take revenge for a bad mark. But what would happen in the event that this technology was used not for pseudo-recreational goals, such as in the example above, but rather for actions in contrast or reaction to governments that have not provided what has been requested? It is clear that these types of terrorist actions would be completely out of control.
As a result, it is necessary that we study and analyse the limits of control theory in order to guarantee its intrinsic security on a global level, that is, on a systemic level. The genetics of primality, on the other hand, is able to reveal a potential and intrinsic weakness of the security systems with which most of the technological equipment for coding and preserving information has been built over the last few decades. More specifically, it has been discovered that the sequence of prime numbers is not random. Even the complete knowledge of the structure of prime numbers has led us to meaningful questions regarding the weakness of the generation of numerical security keys, which are based on prime numbers. At this point it is possible to make an analogy. In the near future, we will need new forms of prevention to counter a cyber terrorism that stands to current forms of cyber terrorism as 15th-century artists stood to the great art of Leonardo da Vinci: the former amateurish and inaccurate, the latter the symbol of perfection and genius, able to combine art and science in works that have no equal in human history. It is necessary that we respond to the evolution taking place within the field of cybertechnology, and it is particularly necessary that we address cyber terrorism and the forms it will take in the near future. For this to be effective, the reaction must be synergistic. In other words, it must not be the result of isolated scientific, technological, political or social solutions, but rather part of a texture which manifests its complexity through a perfection and harmony typical of even the most basic and fundamental level, DNA. Like the fingers of a hand, the political, social, scientific and technological spheres will have to work together.
2. Genetics of Prime Numbers: A New Era of Cryptography
In this section, we will consider some results in the context of prime number generation. Indeed, we will see that the prime sequence follows a scheme that is deterministic rather than stochastic. The generation of prime numbers, their distribution, and the knowledge of a possible deterministic scheme for discovering new primes have all been relevant questions in mathematics over the last two centuries [1-9]. The knowledge of prime numbers is relevant not only in mathematics but also in other fields, such as information and communication technology and information security. In Prime Numbers Distribution: the Solution comes from Dynamical Processes and Genetic Algorithms, Chaos, Solitons and Fractals (hereinafter [10]), we built a new approach based on dynamical processes and genetic algorithms, while in The set of prime numbers: Symmetries and supersymmetries of selection rules and asymptotic behaviours, Chaos, Solitons and Fractals (hereinafter [11]), we analysed the analytic properties of prime numbers. We then considered the selection rules in order to obtain two pure sets of primes, which contain all prime numbers with the exception of the first two (i.e. 2 and 3), since they are the basis on which the genetics of primes is obtained. Moreover, we studied the symmetries and supersymmetries of the selection rules. Asymptotic behaviour was considered in The Set of Primes: Towards an Optimized Algorithm, Prime Generation and Validation, and asymptotic consequences (hereinafter [12]). Therein, we moved closer towards finding an optimised algorithm to generate primes, whose computational complexity was C(n) = O(n). In addition, a precomputed algorithm was also considered, for which the computational complexity proved to be C(n) = O(1).
In The set of prime numbers: Multiscale Analysis and Numeric Accelerators (hereinafter [13]), we performed a multiscale analysis, demonstrating that prime numbers clearly manifest themselves beautifully on different scales. In other words, prime numbers at a fixed scale generate new primes at the next scale. Indeed, by fixing the prime numbers in a given interval, they become the seeds for primes in the following intervals. In this work, starting from the multiscale analysis in [13], we demonstrate that prime numbers live on the vertices of a multifractal polygon. The change in resolution and the number of sides of the polygon are initially mediated by the first prime numbers and, more generally speaking, progress by the sequence of primes themselves. As has been known for quite some time, a number of efficient algorithms have been discovered (for details see bibliographic references [14-20]). The algorithms of Rabin, and of Solovay and Strassen, are randomised. In addition, the algorithm of Adleman et al. requires (slightly) super-polynomial time, while the algorithm of Miller is in P only under an unproved number-theoretic hypothesis. A relevant contribution was given by Agrawal, Kayal and Saxena in 2004 [14]. While in [10] and [11] we demonstrated that the sequence of primes is not random, in [12] we considered a first attempt towards an optimised sieve. It is in [12] that we developed a multiscale procedure in order to facilitate the search for prime numbers and reduce the time needed to look for them. This procedure is a process equivalent to walking on a prism whose first basis is a hexagon. Step by step, this structure becomes a multifractal polygon. The third dimension of the polygon is a discrete parameter, k, which is used to generate classes of primes.
It is important to emphasise that in our approach we build a multifractal structure so as to obtain a deterministic process for generating primes, and not simply to describe the apparent randomness of the prime sequence. It also appears that our vision generalises the procedure shown in Prime sieves using binary quadratic forms, Mathematics of Computation [20], where the authors only consider the first and the second level of the fractal and multiresolution decomposition. This paper also presents a way to generate trees that are based on specific diagrams. In other words, just as the physicist Richard Feynman introduced his specific diagrams to describe processes in terms of particle paths within QFT (Quantum Field Theory), here we introduce specific diagrams for describing the process of prime generation and so control the decomposition level of the multifractal that is initiated by the hexagon to generate primes. The result is an interesting approach to creating a numeric accelerator capable of discovering prime numbers that move along the branches of the tree structure.
3. Multiscale Analysis
In [11], we proved that we can write a closed formula for the sequence of prime numbers:
with
To obtain increasingly better computational performance, we can point out that this representation can be seen as the first step of a multiscale approach. Indeed, it is important to emphasise that the choice of the number 6 is connected to the fact that 6 is the product of the first two primes, i.e. 6 = 2·3. We can iterate this approach, obtaining 30 = 2·3·5, 210 = 2·3·5·7 and so on. In other words, we can realise different partitions of the set of positive integers, N, in terms of 30k ± α, 210k ± β (with α, β specific prime numbers) and so on. It is both trivial and relevant at the same time to observe that this multiscale approach reduces the number of candidates which are composite, and so also identifies which numbers are not primes, reducing the time and resources dedicated to the search for prime numbers. This happens since each prime number can be written as:
where the new prime p_ij is written in terms of the product of other primes, p_j, multiplied by a positive integer, k, minus a prime, p_i, that is smaller than p_ij and was obtained in the previous step of the recursive computational procedure. By using graph theory, or tree analysis, we can see that at the first level we have two classes or sets of candidates for primality, that is, 6k ± 1, while at the second level we have 8 classes (in other words, 30k ± α, where α = 1, 7, 11, 13, 17, 19, 23). At the third level, there are 48 classes of candidates, and so on (see Table 1 and Figure 1 below).
Table 1: Results in a multiresolution context regarding prime number candidates
Figure 1. Prime number candidates and the tree structure
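As an added example (ours, not the paper's code), the candidate classes described above can be computed explicitly: at each scale P_m = 2·3·…·p_m the candidates are the numbers P_m·k + r whose residue r is coprime to P_m, and the classes at the next scale are obtained from the previous ones by unrolling them and sieving out the new prime, which is the usual wheel construction. The block counts the classes (2, 8, 48), refines them scale by scale, enumerates primes from the candidates, and reports the survivor fraction φ(P_m)/P_m, which falls only slowly (1/3, 4/15, 8/35, …): pruning removes a constant factor of candidates per scale and does not change the asymptotic cost of primality testing or factoring. Function names are ours.

```python
from math import gcd, prod

# First primes, enough for scales up to P_5 = 2310.
FIRST_PRIMES = [2, 3, 5, 7, 11]


def primorial(m):
    """Product of the first m primes: P_1 = 2, P_2 = 6, P_3 = 30, P_4 = 210."""
    return prod(FIRST_PRIMES[:m])


def candidate_classes(m):
    """Residues r modulo P_m with gcd(r, P_m) = 1: the classes P_m*k + r that can
    still contain primes larger than the first m primes.  For m = 2 this is
    {1, 5}, i.e. the familiar 6k +/- 1; for m = 3 there are 8 classes, for m = 4, 48."""
    P = primorial(m)
    return [r for r in range(1, P) if gcd(r, P) == 1]


def refine_classes(classes, P, p):
    """Multiscale step: from the classes modulo P build those modulo P*p by
    unrolling each class p times and sieving out the multiples of the new prime p.
    This is the sense in which candidates at one scale seed the next scale."""
    return sorted(r + P * j for j in range(p) for r in classes if (r + P * j) % p != 0)


def is_prime(n):
    """Trial division, used only to validate the candidates the wheel produces."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def wheel_candidates(m, limit):
    """All 1 < n <= limit of the form P_m*k + r with r in the candidate classes."""
    P = primorial(m)
    classes = candidate_classes(m)
    out = []
    k = 0
    while P * k + classes[0] <= limit:
        for r in classes:
            n = P * k + r
            if 1 < n <= limit:
                out.append(n)
        k += 1
    return out


def primes_via_wheel(m, limit):
    """Primes <= limit: the first m primes plus the candidates that survive trial division."""
    base = [p for p in FIRST_PRIMES[:m] if p <= limit]
    return base + [n for n in wheel_candidates(m, limit) if is_prime(n)]


def survivor_fraction(m):
    """Share of integers still candidates at scale m, phi(P_m)/P_m."""
    return len(candidate_classes(m)) / primorial(m)


if __name__ == "__main__":
    for m in (2, 3, 4):
        print(f"P_{m} = {primorial(m):>4}: {len(candidate_classes(m)):>3} classes, "
              f"survivor fraction {survivor_fraction(m):.3f}")
    print(primes_via_wheel(3, 100))
```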
Conclusions and Perspective
Starting from the results presented in this work on multiscale analysis, it is possible to demonstrate that prime numbers are found on the vertices of a multifractal polygon. Both the change of resolution and the number of sides of the polygon are initially mediated by the first prime numbers and, more generally, proceed according to the sequence of primes themselves.
The proposed procedure is a process that is equivalent to a walk on a prism whose first basis is a hexagon. Step by step this structure becomes a multifractal polygon. The third dimension of the polygon is a discrete parameter, k, which is used to generate classes of primes, as shown above. Thanks to our approach, it is possible to realise a multifractal algorithm that yields a deterministic process for generating primes, rather than simply describing the apparent randomness of the prime sequence. This creates an opportunity to generate trees based on specific diagrams. In other words, similarly to Richard Feynman’s introduction of his specific diagrams to describe particles and interaction processes in QFT (Quantum Field Theory), here we can introduce specific diagrams for describing the process of prime generation. It is an interesting approach to realising a numeric accelerator able to discover prime numbers that move along the branches of a tree structure. If it is true that this work opens relevant new questions regarding Information Security based on primality, it is also true that it gives a way to implement a new mechanism based on a key exchange protocol, which in turn is founded on pure multifractal sets or mixed multifractals, with biometric watermarks, for example. Just as the DNA of prime numbers has been discovered today, in a few years we could have the Genetic Engineering of prime numbers. This means that in a few years’ time we could have the capability to realise ever more accurate and rapid algorithms to generate numeric keys to crack codes and data encryption. Therefore, it is relevant to find solutions to this problem and to define new strategies to prevent and combat cyberterrorist attacks. These solutions, once again, will not only be technological or scientific, but also political and social. If they are not found, the progress of knowledge could itself become a Trojan horse and defeat us.
References
[1] E. Bombieri, Problems of the Millennium: the Riemann hypothesis, CLAY, 2000.
[2] A. Granville, Harald Cramér and the distribution of prime numbers, lecture presented on 24 September 1993 at the Cramér Symposium in Stockholm.
[3] M. Du Sautoy, The music of the primes, RCS Libri, Milano 2003.
[4] A. Connes, Trace formula in non-commutative geometry and the zeros of the Riemann zeta function, Selecta Math. (NS) 5, 29-106, 1999.
[5] G.H. Hardy, Divergent Series, Oxford Univ. Press, Ch. II, 23-26, 1949.
[6] H.L. Montgomery, Distribution of the zeros of the Riemann Zeta Function, Proc. Int. Conf. Math. Vancouver, Vol. I, 379-381, 1974.
[7] A.M. Odlyzko, Supercomputers and the Riemann Zeta Function, Supercomputing 89: Supercomputing Structures and Computations, Proc. 4th Int. Conf. on Supercomputing, L.P. Kartashev and S.I. Kartashev (eds.), International Supercomputing Institute, 348-352, 1989.
[8] Z. Rudnick and P. Sarnak, Zeros of principal L-functions and random matrix theory, Duke Math. J. 82, 269-322, 1996.
[9] A. Selberg, On the zeros of Riemann’s zeta-function, Der Kong. Norske Vidensk. Selsk. Forhand. 15, 59-62, 1942.
[10] G. Iovane, Prime Numbers Distribution: the Solution comes from Dynamical Processes and Genetic Algorithms, Chaos, Solitons and Fractals, 37, 1, 23-42, 2008.
[11] G. Iovane, The set of prime numbers: Symmetries and supersymmetries of selection rules and asymptotic behaviours, Chaos, Solitons and Fractals, 37, 4, 950-961, 2008.
[12] G. Iovane, The Set of Primes: Towards an Optimized Algorithm, Prime Generation and Validation, and asymptotic consequences, in press, Chaos, Solitons and Fractals, 2008.
[13] G. Iovane, The set of prime numbers: Multiscale Analysis and Numeric Accelerators, in press, Chaos, Solitons and Fractals, 2008.
[14] M. Agrawal, N. Kayal and N. Saxena, PRIMES is in P, Annals of Mathematics, 160, 781-793, 2004.
[15] M. Agrawal and S. Biswas, Primality and Identity Testing via Chinese Remaindering, Journal of the ACM, 50, 4, 429-443, 2003.
[16] G.L. Miller, Riemann’s hypothesis and tests for primality, J. Comput. Syst. Sci., 13, 300-317, 1976.
[17] M.O. Rabin, Probabilistic algorithm for testing primality, Journal of Number Theory, 12, 128-138, 1980.
[18] R. Solovay and V. Strassen, A fast Monte-Carlo test for primality, SIAM Journal on Computing, 6, 84-86, 1977.
[19] L.M. Adleman, C. Pomerance and R.S. Rumely, On distinguishing prime numbers from composite numbers, Annals of Mathematics, 117, 173-206, 1983.
[20] A.O.L. Atkin and D.J. Bernstein, Prime sieves using binary quadratic forms, Mathematics of Computation, 73, 246, 1023-1030, 2004.
Modelling Cyber Security: Approaches, Methodology, Strategies U. Gori (Ed.) IOS Press, 2009 © 2009 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-074-2-59
A Note on Public-key Cryptosystems and Their Underlying Mathematical Problems
Dario A.M. SGOBBI, Guglielmo MORGARI
Italian Navy
Abstract. While the classic symmetric encryption systems require a single key for both encryption and decryption, public-key systems are based on the existence of two distinct keys, one private and one public, and on the concept that, while the private key is never transmitted over any channel, and is therefore known only by its owner, the public key is made publicly known. Public-key systems are thus extremely useful in open network scenarios, where not all users are known in advance, or where it is simply impractical to establish a secure channel with any of them over which to exchange symmetric keys for the ensuing communications protection. Asymmetric systems are very interesting from a mathematical point of view, since they are based on one-way trapdoor functions, which are invertible functions that are “easy” to compute in one direction and “difficult” to compute in the opposite direction, with the additional condition of being “easy” to compute in that direction if additional information (the trap) is available.
Introduction
The need to protect communications has historically been associated with military and government contexts. Although at times very ingenious, the techniques used to protect communications were more an art than a science and were known only within restricted circles of specialists. Only in the last 30 years has the need for data protection become more and more evident in many fields of everyday life, such as mobile communications, e-commerce and ATMs. Due to these new applications, we observe on the one hand the development of new cryptographic mechanisms, and on the other a diffusion of knowledge towards open (academic) research communities. This has led cryptography to rest on stronger formal mathematical foundations. Unfortunately, despite this progress, this does not mean that we are now able to build systems with absolute and mathematically provable security, since many building blocks of modern cryptography are still based on unproved mathematical assumptions. Moreover, the same mathematical knowledge available to cryptographers is obviously also available to cryptanalysts. However, we now have a common framework to better assess our mathematical models through the use of formal tools, and are therefore able to avoid repeating the same mistakes in new and different contexts. Prior to the 1970s, communications protection basically consisted of encrypting and hiding messages. The former is obtained using cryptographic measures in the attempt to make messages unintelligible to possible interceptors, while the latter uses steganographic methods in order to make messages difficult to detect. These techniques are therefore complementary and both should be used whenever possible. In the following, however, we will focus only on cryptography. It was in the 1970s that the use of cryptography experienced a remarkable expansion. This is because applications in military fields, and even more so in
D.A.M. Sgobbi and G. Morgari / A Note on Public-Key Cryptosystems
commercial fields, require security mechanisms to ensure data integrity that go well beyond simple encryption, such as digital signatures. This increase in the use of cryptography is basically due to the introduction of a new class of cryptographic primitives, called asymmetric or public-key algorithms. In fact, the conceptual meaning and the foreseeable practical impact of the new paradigm were so extensive that the authors of the seminal paper about public-key cryptography gave it the title “New Directions in Cryptography” [1]. While the classic symmetric encryption systems require a single key for both encryption and decryption, public-key systems are based on the existence of two distinct keys, one private and one public, and on the concept that, while the private key is never transmitted over any channel, and is therefore known only by its owner, the public key is made publicly known. This feature makes public-key systems very versatile and theoretically suitable not only for encryption but even more so for authentication and key management. Public-key systems are thus extremely useful in open network scenarios, where not all users are known in advance, or where it is simply impractical to establish a secure channel with any of them over which to exchange symmetric keys for the ensuing communications protection. On the other hand, public-key systems are very slow and are therefore seldom used alone. More often than not, they are part of a hybrid system, in which they are used to establish a session key, which is then used to protect a single communication through symmetric key algorithms. In some situations, asymmetric systems are not used at all, either because of their poor efficiency (for example in constrained environments) or because of the specific scenario (in military or diplomatic networks, due to their strictly hierarchical nature, entirely symmetric systems often represent the best solution).
Asymmetric systems are very interesting from a mathematical point of view, since they are based on one-way trapdoor functions, which are invertible functions that are “easy” to compute in one direction and “difficult” to compute in the opposite direction, with the additional condition of being “easy” to compute in that direction if additional information (the trap) is available. This additional information represents the private key, which must be “difficult” to obtain from the knowledge of the public key only. For practical purposes, hereinafter, by “easy” and “difficult” we mean computationally feasible and unfeasible. The notions of complexity theory that we will introduce below are the basis for the quantitative measure and formal tools for handling these concepts. The aim of this paper is to briefly present a possible classification of the various cryptographic techniques and their goals, paying special attention to public-key systems and their underlying mathematical problems. The paper is organised as follows: Section one is devoted to presenting some complexity theory elements which will be used in the following analysis. The second section will list the goals of modern cryptography and the techniques applied to fulfil these goals. The last section will discuss the two most widely used public-key systems (RSA, and Diffie-Hellman) from a complexity theory perspective.
1. Elements of Complexity Theory
The exact computation of efficiency, normally expressed in terms of required elementary operations, is usually not of much interest. What is of interest, however, is its behaviour as the problem increases in size, in other words the scalability of the algorithm. Indeed it is clear that for “small” problems virtually any meaningful algorithm terminates in an acceptable amount of time, but quite often in cryptography it is much more useful to study what happens when the problem size grows to the values actually used in practice. By size we normally mean the number of digits required to write the parameter chosen to characterise the problem. For instance, if we consider algorithms dealing with natural numbers, the size of a number is its logarithm. Because we are interested in the behaviour of the complexity as the size increases, the base of the logarithm is irrelevant, since the expressions resulting from different choices differ only by multiplicative constants. In practice, it is useful to distinguish between polynomial and exponential algorithms. Polynomial algorithms are those whose complexity may be expressed in polynomial terms with respect to the problem size. All non-polynomial algorithms are called exponential (a more precise classification is possible, but for our purposes the distinction between these two big classes is enough). Roughly speaking, we can say that as the size grows, the complexity of polynomial algorithms grows steadily, while that of exponential algorithms grows very quickly. Therefore, polynomial and exponential are often seen as synonyms of feasible and unfeasible, respectively. The notation commonly used in this field is the so-called big O. Although more formal definitions exist, here we can say that a function C(n) is O(f(n)) if at most it grows like (a constant multiple of) f as n increases. For example, given a function C(n) = 2n³ + 3n² - n + 4, we can say C(n) = O(n³), since constants and lower-order terms do not matter when we consider asymptotic behaviour. For example, if n is the size of a problem and C = O(n²) is the complexity of an algorithm that solves the problem, we say that such an algorithm is polynomial and thus practical.
On the contrary, an algorithm with complexity C = O(eⁿ) is exponential and therefore, as soon as n increases, it rapidly becomes impractical. A common mistake in the evaluation of the complexity of an algorithm is a misunderstanding of the meaning of problem size. Let us take for example the simple problem of searching for a prime factor of a given integer N, and the algorithm which consists in dividing N by every integer smaller than √N. The complexity of the algorithm is clearly O(√N) = O(N^(1/2)), and the algorithm is therefore polynomial in N. However, the size of the problem is not N, it is n = log N, and the resulting complexity is O(N^(1/2)) = O(e^(n/2)), which is clearly exponential in n. As previously mentioned, the complexity of an algorithm can refer to several parameters, the most useful being time and space (memory occupation). Quite often, algorithms can be reshaped in order to find a trade-off between different parameters, but it is important to realise that if an algorithm is exponential with regard to any of them, then it is impractical. From a practical perspective, let us consider a sample function with complexity C = O(2ⁿ). In the table below, we first assume that this complexity refers to time and that the elementary operation considered takes 1 μsec (second column). We then assume that the complexity refers to memory and that the elementary memory unit is made of a single atom (third column). While very effective for small values of n, the algorithm quickly becomes totally impractical as n increases (first column). The table spans from small values to the values commonly used today in cryptography, such as n = 128 or n = 256, and shows the tremendous amount of time and space required as n increases. This very clearly demonstrates the practical meaning of exponential algorithms.
Table 1. Sample Function with Complexity C = O(2ⁿ)

n   | time                                                           | atoms
2   | 4 microseconds                                                 | 4
5   | 32 microseconds                                                | 32
10  | 1 second                                                       | 1024
20  | 17 minutes                                                     | 10^7
40  | 34 years                                                       | 1.1×10^12
80  | 3.8×10^13 years (>10^11 years, believed age of the universe)   | 1.2×10^24
128 | 1.1×10^28 years                                                | 3.4×10^38
256 | 3.7×10^67 years                                                | 1.2×10^77 (~10^77, believed number of atoms in the universe)
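As an added example (ours, not the paper's), the two points above in runnable form: smallest_factor counts the trial divisions, which grow like √N, i.e. exponentially in the size n = log₂ N, and time_years / bits_for_target evaluate the C = O(2ⁿ) cost model behind Table 1 for a chosen elementary-operation cost. Function names and the cost parameter are ours.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def smallest_factor(N):
    """Trial division: try every d with 2 <= d <= sqrt(N).
    Returns (smallest prime factor, or N itself if N is prime, number of divisions done)."""
    ops = 0
    d = 2
    while d * d <= N:
        ops += 1
        if N % d == 0:
            return d, ops
        d += 1
    return N, ops


def largest_prime_below(limit):
    """Largest prime < limit: the worst case for trial division at that size."""
    n = limit - 1
    while smallest_factor(n)[0] != n:
        n -= 1
    return n


def worst_case_ops_by_bits(bit_sizes):
    """Divisions needed for the largest prime of each bit size n = log2 N.
    About sqrt(N), polynomial in the value N but 2^(n/2), exponential in the size n:
    every extra 2 bits roughly doubles the work."""
    return {b: smallest_factor(largest_prime_below(2 ** b))[1] for b in bit_sizes}


def time_years(n, op_seconds):
    """Years needed for 2^n elementary operations of op_seconds each (Table 1, time column)."""
    return 2 ** n * op_seconds / SECONDS_PER_YEAR


def memory_units(n):
    """Elementary memory units needed for 2^n cells (Table 1, atoms column)."""
    return 2 ** n


def bits_for_target(target_years, op_seconds):
    """Smallest n such that 2^n operations take longer than target_years:
    the exponent at which exhaustive search becomes infeasible under this cost model."""
    n = 0
    while time_years(n, op_seconds) <= target_years:
        n += 1
    return n


if __name__ == "__main__":
    for b, ops in worst_case_ops_by_bits([10, 14, 18, 22]).items():
        print(f"{b:>2}-bit prime: {ops:>5} trial divisions")
    for n in (2, 5, 10, 20, 40, 80, 128, 256):
        print(f"n={n:>3}: {time_years(n, 1e-6):.3g} years at 1 us/op, {memory_units(n):.3g} atoms")
    print("exceeds 1e11 years at 1 us/op from n =", bits_for_target(1e11, 1e-6))
```

With the 1 μs operation stated in the text, 2^20 operations take about one second; the later rows of Table 1 (17 minutes at n = 20, 34 years at n = 40, 3.8×10^13 years at n = 80) correspond to a 1 ms operation.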
The reason for which complexity theory is so important in cryptography is that in any kind of cryptographic keyed primitive, the evaluation of the complexity of a given attack allows us to understand whether that attack is concretely possible and, in the eventuality that it is not, to evaluate the corresponding security margin. Often, in practice, it is enough to state that a given system is computationally secure; this means that the complexity of the supposedly ideal attack is greater than the resources any attacker could ever procure. A more formal approach is to prove that a system is provably secure, meaning that breaking the system is equivalent to solving a mathematical problem, which is known to be computationally intractable. This approach is often followed with the application of asymmetric systems, but unfortunately the intractability of the underlying mathematical problems has, to date, been just conjectured. It is of course clear that, in theory, a system can always be broken by an attacker with unlimited resources, simply by systematically trying all possible solutions until the right one appears. The only remarkable exception is the OTP (One Time Pad) encryption (as described in any text on cryptography, see [2]). This is the only unconditionally secure system (i.e. the attacker has no way of identifying or recognising the correct solution), which is, however, of extremely rare practical use because of its heavy management complexity. Furthermore, in asymmetric systems, the evaluation of complexity is relevant not only for evaluating the cryptographic robustness of an algorithm, but also for the construction of the algorithm itself. The algorithm used for the choice of secure parameters can in fact be quite complex. In this regard, we will analyse in some depth the very interesting problem of determining whether a given integer is prime or composite.
2. Cryptographic Goals and Mechanisms
In the current digital era, not only is data interception even easier than in the past, but the modification of data in transit or the creation of fake data can also be very simple tasks. Consequently, it is necessary to clearly define threats and countermeasures in the language of modern cryptography. A possible classification defines four goals for modern cryptography.
Table 2. Classification from Modern Cryptography defining four goals
Confidentiality: The message can be understood only by the intended recipient
Integrity: The message has not been tampered with
Authenticity: The message was actually sent by the declared sender. Under certain hypotheses, it is also referred to as “digital signature”
Non repudiation: The sender cannot deny having sent it
Cryptographic applications today vary from the most well-known, such as secure transactions on the Internet, to the most surprising, such as mental poker (a way to remotely play a fair game without any need for a trusted third party) [3]. However, basically all of them can be modelled according to the previous classification. These goals can be accomplished by using a number of cryptographic primitives. As we will see, the same goals can be reached by the use of different primitives or their combination, and, in fact, primitives can be consistently classified in many different ways. One of the possible high-level classifications defines three classes: unkeyed primitives, symmetric key primitives and asymmetric key primitives. Using this classification, we can give the following overview of the primary tools of modern cryptography.
3. Unkeyed Primitives
The main primitives in this class are random sequences and hash functions. These primitives are keyless; however, since they are building blocks for many cryptographic operations, they must satisfy strict requirements. The generation of random sequences, for example, is of paramount importance in the production of cryptographic parameters, since poor generation can significantly reduce the complexity of an exhaustive search attack on these parameters. They must therefore satisfy extremely stringent cryptographic constraints, which are usually not required of standard random generators. Hash functions are well-known primitives that take an input (message) of variable length and produce a fixed-length output. Analogously to random generators, when used in cryptographic applications, hash functions must satisfy extra requirements, the first of which is the (practical) impossibility of finding two messages with the same hash. Consequently, the obtained value represents an unambiguous digest of a given message and can therefore be used to guarantee the integrity of the message against unintentional data corruption.
4. Symmetric Key Primitives
These primitives are based on sharing a secret key between two users. They provide tools for message encryption, sender authentication and data integrity. As encryption primitives, they fall into one of two categories: block ciphers and stream ciphers. While from the security point of view there is no general reason to prefer one class over the other, the distinction is sometimes relevant with regard to their implementation. Block ciphers are, in fact, considered to be more versatile. Furthermore, standard schemes exist to convert block ciphers into stream ciphers (Output Feedback Mode, Counter Mode [4]) when needed. Among the wide set of available symmetric ciphers, the currently most used is certainly AES (the Advanced Encryption Standard [5]). MAC (Message Authentication Code) functions are essentially keyed hash functions and can thus be used to guarantee not only data integrity but also data origin (authentication): since the secret key is shared only between the sender and the receiver, when the latter verifies the correct value of the MAC he also has proof of the sender's identity. Note, however, that this does not provide non-repudiation, since either party can later claim that a given message was produced by the other. Native MAC functions exist, but in practice it is common to use schemes based on other primitives; see for example HMAC [6] and CMAC [7], which convert unkeyed hash functions and block ciphers, respectively, into MACs.
5. Asymmetric Key Primitives
As previously explained, public-key schemes rely on pairs of values, private and public, which are linked by a specific mathematical relationship that makes it (practically) impossible to derive one from the other (it is for this reason that these schemes are often referred to as asymmetric cryptography). This feature allows the public key to be widely disseminated to every user, while the corresponding private key is kept secret by the user him/herself (this user is the only “owner” of the private key). It is important to be aware that the public key can be transmitted over any insecure channel, but only as far as passive interception is considered. It is mandatory to protect the key value against active interception, which could modify its value. Different solutions exist for this risk (either at the infrastructure level, like PKI, or through an auxiliary channel with some form of authentication, like voice recognition). In this paper we are not interested in exploring them; we simply assume that the public key is distributed unmodified. Public-key systems are so versatile that, when properly used, it is possible to obtain all four cryptographic goals mentioned above. Apart from confidentiality, integrity and authentication (digital signature), it is in fact also possible to obtain non-repudiation, since the private key is specific to each user and does not have to be shared with anyone else. From a mathematical point of view, the key asymmetry is typically based on problems from number theory which are believed to be difficult to solve. Nevertheless, their difficulty has not been formally proven yet. There are two problems used in practice to construct strong public-key cryptosystems: the Integer Factorisation Problem (IFP) and the Discrete Logarithm Problem (DLP). Other problems have been proposed, but they are of little interest either because they are insecure (like Knapsack-based cryptosystems [8]) or because they are extremely inefficient with regard to speed or public key size (like the McEliece cryptosystem [9]).
6. RSA, Diffie-Hellman
In this section, we briefly analyse the mathematical problems underlying the two most used public-key cryptosystems (RSA and Diffie-Hellman), focusing especially on complexity issues.
6.1. RSA
This algorithm [10] allows the implementation of both encryption and digital signature. Without going into detail, we recall from a mathematical point of view that its security is strictly linked to the problem of integer factorisation (IFP) [11], since operations are performed modulo an integer N equal to the product of two primes of adequate size (N = pq, the size of p and q being today typically in the range [1024, 4096] bits). While the modulus N is part of the public key, and is therefore known to anyone, the primes p and q are not public and allow the private key to be computed. It is clear then that solving IFP means breaking RSA, but it is interesting to note that, in principle, RSA could be broken in some other way, even if this appears to be quite unlikely. The conclusion is that IFP and RSA are not theoretically equivalent problems and RSA may in fact be easier (a very recent result [12], however, provides strong evidence that equivalence may actually hold true, even if a formal proof is still missing). It is interesting to note that another public-key system exists, attributable to Rabin [13], which can be proven to be as difficult to break as IFP and in this sense may be considered stronger than RSA; due to its decryption complexity, however, it has never gained widespread practical use. As of today, no efficient algorithm to solve IFP has been discovered. More precisely, no polynomial time algorithm is known: the most efficient is the General Number Field Sieve [14], which, for a small constant c (n, as usual, being the number of bits representing the integer to be factored), has the complexity . Another number theory problem related to RSA is the primality problem (PP), i.e.
to determine whether a given integer is prime or composite. Each RSA user must in fact choose a different modulus N and therefore a different pair of primes (p, q). As a consequence, it is important to have algorithms that quickly and affordably determine the primality of a number of any reasonable size. Fortunately, this problem has been solved both in theory and in practice. Extremely efficient primality tests have been known for a long time and have been widely used in practice. Their only drawback is that they are probabilistic rather than deterministic: the outcomes they provide may be wrong. This apparently surprising feature is actually of no practical concern, since the probability of error can be mathematically computed (upper-bounded) and made as small as desired. The most commonly used probabilistic algorithms are Solovay-Strassen [15] and Miller-Rabin [16]. Both algorithms consist of k iterations of a basic round, k being an integer chosen by the user. Computational complexity and error probability can be easily determined according to the value of k. For example, the Miller-Rabin test with k iterations has computational complexity $O(k \cdot n^3)$ and error probability $4^{-k}$, while the Solovay-Strassen test with k iterations has computational complexity $O(k \cdot n^3)$ and error probability $2^{-k}$ (n being the number of bits of the tested integer). It is clear that with moderately small values of k, the resulting algorithms are very efficient and the probability of error is so low as to be totally negligible. From a theoretical point of view, several deterministic algorithms to solve PP have been known for a long time. Some of them are trivial and others are more complex, but all of them have either exponential complexity or a polynomial complexity that rests on some unproved mathematical assumption (typically the Riemann hypothesis). In 2002, three Indian researchers [17] found, for the very first time, an algorithm that was at the same time deterministic, polynomial and unconditional (i.e. not based on any conjecture). The theoretical interest of their algorithm, later improved by other researchers, is enormous, but from a practical perspective their result is totally useless, since the resulting complexity ($O(n^{12})$ in the original version and $O(n^6)$ in an improved variant) cannot compete with that of the probabilistic algorithms.
6.2. Diffie-Hellman
This protocol allows a secret key to be generated between two users without any prior agreement. The security of the scheme is based on the Discrete Logarithm Problem (DLP) in a cyclic group. The protocol was originally formulated to work in the multiplicative group of integers modulo a prime (of proper size, say 1024 bits), but recently it has become more and more common to use a cyclic subgroup of specific elliptic curves defined over Galois fields. This choice allows for much faster implementation and shorter parameters (including public keys), while keeping the security level the same. Independently of the domain in which computations are carried out, the underlying problem is the DLP. As for IFP, there are currently no algorithms working in polynomial time.
As of today, the most efficient algorithm to solve DLP is the Index Calculus Algorithm [18]. Similar to the RSA case, the Diffie-Hellman cryptosystem has no formal proof of equivalence with the underlying hard problem. While it is clear that solving DLP would break Diffie-Hellman, it is still unknown whether the opposite is also true, despite some evidence that this may be the case [19].
7. Relations between IFP, DLP and PP
IFP and DLP share some interesting features. With regard to size, when we consider DLP over the integers modulo a prime, the size of the modulus used for IFP and for DLP is the same for an equivalent security level (>= 1024 bits for today’s computational power). With regard to security, both of them are believed to be intractable, but there is no formal proof of this. However, it is interesting to observe that solving DLP would lead to the solution of IFP [20], while there is no evidence of the opposite. The third problem considered, PP (Primality Problem), is evidently linked to IFP. While solving IFP (factoring a number) immediately solves PP, the opposite is not true at all. Determining the primality of a number is by far easier than finding its factors, and actually provides no way of finding them. With regard to asymmetric algorithms, this means that improving the existing primality tests (either deterministic or probabilistic) does not lead to any threat to public-key systems like RSA or Diffie-Hellman.
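The two probabilistic tests described in Section 6.1, and the point made here that a primality test reveals nothing about the factors, as an added worked example that is not part of the paper: one basic round of each test, the k-round repetition with its stated error bound, and a count of the bases that fool a single round on two well-known composites (the constants 561 and 2047, the helper names and the seeded random generators are the example's own).

```python
import random

# Added example (not from the paper): the two probabilistic primality tests the
# text describes, each built from a basic round repeated k times, plus a count
# of the "liars" that fool a single round on two classic composites.

def _split_power_of_two(n):
    """Write n - 1 = 2^s * d with d odd; used by the Miller-Rabin round."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    return s, d

def miller_rabin_round(n, a):
    """One Miller-Rabin round on odd n > 3 with base a in [1, n-1].
    True: a does NOT witness compositeness (n is prime, or n is composite and
    a is a 'strong liar'). False: n is certainly composite. Note that a False
    answer reveals no factor of n, as Section 7 states."""
    s, d = _split_power_of_two(n)
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed by quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:          # pull out factors of 2 using (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                # reciprocity step
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def solovay_strassen_round(n, a):
    """One Solovay-Strassen round on odd n > 2: a is an Euler witness unless
    a^((n-1)/2) == (a/n) (mod n). True means 'no witness found'."""
    j = jacobi(a, n)
    return j != 0 and pow(a, (n - 1) // 2, n) == j % n

def fermat_round(n, a):
    """Plain Fermat round, for comparison: passes whenever a^(n-1) == 1 (mod n)."""
    return pow(a, n - 1, n) == 1

def probable_prime(n, k, round_fn=miller_rabin_round, rng=random):
    """k rounds of round_fn with random bases. False: n is composite for sure.
    True: n is prime except with probability <= 4^-k (Miller-Rabin) or
    <= 2^-k (Solovay-Strassen), the bounds quoted in the text."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):     # trial division handles tiny inputs
        if n % p == 0:
            return n == p
    return all(round_fn(n, rng.randrange(2, n - 1)) for _ in range(k))

def liar_fraction(n, round_fn):
    """Fraction of bases 1..n-1 for which one round of round_fn wrongly accepts
    the odd composite n, i.e. the per-round error probability for that n."""
    return sum(round_fn(n, a) for a in range(1, n)) / (n - 1)

def random_prime(bits, rng, k=40):
    """Pick a random prime of exactly `bits` bits, as an RSA user must for p and q."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if probable_prime(candidate, k, rng=rng):
            return candidate

if __name__ == "__main__":
    # 561 = 3*11*17 is a Carmichael number: Fermat is fooled by every base
    # coprime to it, while both proper tests stay within their stated bounds.
    for name, fn in (("Fermat", fermat_round),
                     ("Solovay-Strassen", solovay_strassen_round),
                     ("Miller-Rabin", miller_rabin_round)):
        print(f"{name:17s} liar fraction for 561: {liar_fraction(561, fn):.3f}")
    # 2047 = 23*89 is a strong pseudoprime to base 2; base 3 exposes it.
    print("2047, base 2:", miller_rabin_round(2047, 2))
    print("2047, base 3:", miller_rabin_round(2047, 3))
    print("64-bit prime:", random_prime(64, random.Random(7)))
```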
Conclusions
In this paper we have presented a short overview of the main tools available in modern cryptography, with special emphasis on the most used public-key algorithms (RSA, Diffie-Hellman) and their related mathematical problems. These problems have been considered principally from a complexity theory point of view, since their complexity has an impact on their efficiency (primality problem) and on their security (factorisation problem, discrete logarithm problem). Furthermore, links between the different problems have been described and discussed.
References
[1] W. Diffie, M.E. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, vol. IT-22, Nov. 1976, pp. 644-654
[2] J. Menezes, P. Van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996
[3] A. Shamir, R. Rivest, L. Adleman, Mental Poker, Technical Report LCS/TR-125, Massachusetts Institute of Technology, April 1979
[4] Recommendation for Block Cipher Modes of Operation: Methods and Techniques, NIST Special Publication 800-38A, 2001 Edition
[5] Advanced Encryption Standard (AES), FIPS PUB 197, November 2001
[6] The Keyed-Hash Message Authentication Code (HMAC), FIPS PUB 198, March 2002
[7] Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, NIST Special Publication 800-38B, May 2005
[8] The Rise and Fall of Knapsack Cryptosystems, in C. Pomerance (ed.), Cryptology and Computational Number Theory, Proceedings of Symposia in Applied Mathematics, vol. 42, pp. 75-88, American Mathematical Society, 1990
[9] R.J. McEliece, A Public Key Cryptosystem Based on Algebraic Coding Theory, DSN Progress Report 42-44, Jet Propulsion Laboratory, Pasadena, 1978
[10] A Method for Obtaining Digital Signatures and Public Key Cryptosystems, Communications of the ACM, vol. 21, no. 2, Feb. 1978, pp. 120-126
[11] R.P. Brent, Recent Progress and Prospects for Integer Factorisation Algorithms, Computing and Combinatorics, 2000, pp. 3-22
[12] D. Aggarwal, U. Maurer, Breaking RSA Generically is Equivalent to Factoring, eprint.iacr.org/2080/260
[13] T. Rabin, Digitalized Signatures and Public Key Functions as Intractable as Factorization, MIT/LCS/TR-212, MIT Laboratory for Computer Science, 1979
[14] A.K. Lenstra, H.W. Lenstra, Jr. (eds.), The Development of the Number Field Sieve, Lecture Notes in Mathematics 1554, Springer-Verlag, 1993
[15] R.M. Solovay, V. Strassen, A Fast Monte-Carlo Test for Primality, SIAM Journal on Computing 6 (1977), no. 1, pp. 84-85
[16] G.L. Miller, Riemann's Hypothesis and Tests for Primality, Journal of Computer and System Sciences 13 (1976)
[17] M. Agrawal, N. Kayal, N. Saxena, PRIMES is in P, Annals of Mathematics 160 (2004), no. 2, pp. 781-793
[18] O. Schirokauer, D. Weber, T. Denny, The Effectiveness of the Index Calculus Method, 2006, Algorithmic Number Theory, Lecture Notes in Computer Science, vol. 1122/1996
[19] U. Maurer, Towards the Equivalence of Breaking the Diffie-Hellman Protocol and Computing Discrete Logarithms, Crypto '94, Lecture Notes in Computer Science, vol. 839
[20] E. Bach, Discrete Logarithms and Factoring, Report no. UCB/CSD 84/186, Computer Science Division (EECS), University of California, Berkeley, June 1984
Modelling Cyber Security: Approaches, Methodology, Strategies U. Gori (Ed.) IOS Press, 2009 © 2009 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-074-2-68
Intrusion in a Mission Critical Network: A Tutorial on Intrusion Detection Systems and Intrusion Prevention Systems
Dario A.M. SGOBBI, Marco PAGGIO
Italian Navy
Abstract. Both Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are technologies that help to enhance the security environment of private sector companies and government agencies. These technologies provide visibility and also offer many other benefits related to network monitoring activity. IDS and IPS provide real-time monitoring of network activity, while at the same time allowing the relevant information to be stored in order to perform data analysis and/or reporting at a later date. In the decision-making process, visibility has an important role since it allows a security policy based on quantifiable real-world data to be envisaged. The Intrusion Detection technologies, and specifically the host-based and network-based technologies, are divided into two categories depending on which technique is used to detect security events. The first is the Anomaly-Based technology, which is based upon behaviour, and the second is the Signature-Based technology, which is based upon knowledge. IPS and IDS technologies are only two of the many resources that can be deployed to increase visibility and control in a complex and critical network infrastructure. With these two technologies, the network will have a perimeter and core defence that can combat zero-day attacks and counter existing threats, as well as being able to render activity in the internal network visible and be capable of providing forensic analyses.
Introduction
Security is the process of maintaining an acceptable level of perceived risk. As Dr. Mitch Kabay wrote in 1998, “Security is a process, not an end state”, or as Bruce Schneier wrote, “security is a process, not a product”. The security process revolves around four steps: assessment, protection, detection and response.
• Assessment: the preparation phase for the other three steps. Stated as a separate action, it deals with policies, procedures, regulations and other managerial duties.
• Protection: the application of countermeasures that aim at reducing possible compromising events.
• Detection: the intrusion identification process, where intrusion means a policy violation or a computer security incident.
• Response: the process that validates the findings of the detection phase and takes steps to remediate intrusions. Response activities include “patch and proceed” as well as “pursue and prosecute”.
1. Concepts Related to Risk
Risk is the possibility of suffering harm or loss. Risk is a measure of the existing threat to an asset. The asset is anything of value, which in the security context could refer to information, hardware or intellectual property. Risk is frequently expressed in terms of a risk equation, where: RISK = THREAT x VULNERABILITY x ASSET VALUE
• Threat: A party having the capabilities and intentions to exploit the vulnerability of an asset. The Federal Bureau of Investigation (FBI) categorises threats into “Structured Threats” and “Unstructured Threats”.
  • The “Structured threats” are foes with a formal methodology and a defined target. They include economic spies, organised criminals, terrorists, foreign intelligence agencies, etc.
  • The “Unstructured threats” do not have a methodology; their actions are more likely to compromise their victims out of intellectual curiosity. Unstructured threats include crackers, malware without a defined target and malicious insiders who abuse their status.
• Vulnerability: The weakness in an asset that could become the object of exploitation. Vulnerabilities may be introduced into assets through poor design, implementation or containment. Poor design is the responsibility of the asset designer: a firm producing buggy code will create weak products, and attackers will be able to take advantage of any architectural weakness in the software. Implementation, i.e. deployment and configuration, is the responsibility of the customers (or their consultants) who deploy a given product, not of the manufacturers. Containment refers to the ability to reach beyond the intended use of the product: a good software product should perform its intended function and no more.
• Asset value: The value of the asset is the amount of time and resources that would be necessary to replace it or to restore it to its former state. The value of an asset may also refer to the organisation’s reputation or the public’s trust in the organisation.
2. Detection
Both Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are technologies that help to enhance the security environment of private sector companies and government agencies. These technologies provide visibility and also offer many other benefits related to network monitoring activity. IDS and IPS provide real-time monitoring of network activity, while at the same time allowing the relevant information to be stored in order to perform data analysis and/or reporting at a later date. In the decision-making process, visibility has an important role since it allows a security policy based on quantifiable real-world data to be envisaged. Another main aspect that ought to be kept in mind is network control; IPS technology provides active network control capability. Control is the key to enforcement and makes it possible to enforce compliance with the security policy.
3. Intrusion Detection Systems (IDS)
Intrusion detection is the art of identifying inappropriate, incorrect or anomalous activity on a network. IDS may be used to determine an unauthorised intrusion into a computer network or a server. Intrusion Detection technologies include the following:
• Host-based Intrusion Detection Systems (HIDS). In this solution, data from each host are used to detect signs of intrusion. The HIDS alerts the administrator in the presence of a violation of the pre-set rules.
• Network-based Intrusion Detection Systems (NIDS). In network-based IDS, the correlation between the implementation data and several host or network traffic patterns permits signs of intrusion to be detected.
• Security Information Management (SIM). This kind of solution has the ability to correlate data from multiple sources (log files, IDS, network management, router logs, etc.) in order to produce a comprehensive representation of intrusion activity within a network.
Basically, the Intrusion Detection technologies, and specifically the host-based and network-based technologies, are divided into two categories depending on which technique is used to detect security events. The first is the Anomaly-Based technology, which is based upon behaviour, and the second is the Signature-Based technology, which is based upon knowledge.
4. Anomaly-Based IDS
Anomaly-based IDS, also known as behaviour-based IDS, apply various forms of logic in order to detect security events. Such applications try to establish what a “normal” profile for system or network behaviour is, and subsequently identify any deviation from this profile. A profile is generally established through a modelling process that has been incorporated into the IDS. To a significant extent, this means that all behaviour-based IDS systems apply “normalisation” theory to event detection, regardless of the differences in how a base profile is developed. In anomaly-based IDS, the following logic may be implemented:
• Statistical anomaly-based. In this solution, initial behaviour profiles are generated, then additional statistics are gathered and compared to the initial profiles. As the amount of variation between the original and current profiles increases, the IDS can fine-tune the initial profile accordingly. This means that the IDS is learning from its environment.
• Predictive pattern generation. This kind of technology feeds information on past security events into the context for current event analysis and, based on those past security events, defines patterns that may represent malicious activity, while at the same time performing some statistical analysis in order to eliminate false positives or false negatives.
• Mean and standard deviation model. In this case, the IDS uses profiles that model the behaviour of users, applications, systems or networks based on previous events. So, for example, in a network, if a service that is accessed 50 times a day undergoes a change in its behaviour, a threshold will be crossed and an alert generated.
• Time series modelling. The time series modelling system uses time criteria to develop a profile for normal user, application, network and system behaviour and then flags events that exceed the time-based profile.
Collectively, these techniques result in behaviour-based IDS solutions that have the ability to model normal user, application, system or network behaviour and to report events that fall outside the “normalised” profile as security events. Behaviour-based IDS solutions are generally considered to be more proficient than signature-based solutions in detecting unknown or new forms of attack activity. This solution is also considered to be more effective for detecting privilege abuse and other forms of user application activity that are more difficult to detect with signature-based, vulnerability-focused IDS.
5. Signature-based IDS
This kind of IDS uses predefined attack signatures to detect security events and report anomalous behaviour. The signature definitions may represent known system or network vulnerabilities or known patterns of malicious activity. Normally, the vendor provides automatic updates to the signature database, and the administrator may define or edit the signatures. Of course, this kind of technology is less suitable for identifying new or unknown attacks. In signature-based IDS, the following logic is implemented:
• State transition analysis. This system works by establishing a series of states that represent attack activities, for example reconnaissance, mapping, penetration, etc. Detection involves assessing the system or network activity against these states, which have been defined through the use of signatures.
• Model-based reasoning. These techniques are more closely representative of behaviour-based IDS but are administrator driven. This kind of IDS generally uses some form of predictive logic to determine which patterns of activity to search for and in which resources to search; the IDS keeps accumulating this information until an alert threshold is reached, at which point an alert is generated.
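An added example, not part of the paper, implementing the mean and standard deviation model of Section 4 beside a knowledge-based signature scan of the kind described in Section 5, run over constructed access events; the signature patterns, service names, baseline counts and the 3-sigma threshold are assumptions of the example, and the "learning" step shows how a statistical anomaly-based IDS folds non-alerting days back into its profile.

```python
import re
import statistics
from collections import Counter

# Added example (not from the paper): a toy detector with a knowledge-based
# signature scan and a behaviour-based mean/standard-deviation profile, run
# over constructed access events "<day> <source> <service> <request...>".

# Signature rules: constructed patterns standing in for a vendor signature set.
SIGNATURES = [
    ("directory traversal", re.compile(r"\.\./")),
    ("known scanner user-agent", re.compile(r"ExampleScanner/")),  # placeholder name
]

# Baseline: eight days of per-service daily access counts (constructed). The
# "web" service is accessed about 50 times a day, as in the text's example.
BASELINE = {
    "web": [48, 52, 50, 49, 51, 50, 47, 53],
    "dns": [200, 198, 202, 200, 201, 199, 203, 197],
}

# Today's events (constructed): normal traffic plus two events that carry a
# signature; the web service is also hit far more often than its profile.
TODAY_EVENTS = (
    [f"day9 10.0.0.{i % 20} web GET /index.html" for i in range(60)]
    + ["day9 10.0.0.9 web GET /../../etc/passwd",
       "day9 10.0.0.11 web GET / ExampleScanner/1.0"]
    + [f"day9 10.0.0.{i % 20} dns query host{i}.example.test" for i in range(201)]
)

def signature_scan(events):
    """Knowledge-based detection: (event, rule name) for every signature match."""
    return [(ev, name) for ev in events for name, pat in SIGNATURES if pat.search(ev)]

def mean_std_profile(daily_counts):
    """The 'normal' profile of a service: mean and sample standard deviation."""
    return statistics.mean(daily_counts), statistics.stdev(daily_counts)

def zscore(value, mean, std):
    """Distance from the profile in standard deviations; a flat profile with
    any change at all is treated as an infinite deviation."""
    if std == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / std

def anomaly_scan(baseline, events, threshold=3.0):
    """Behaviour-based detection: per service, today's access count, its
    z-score against the learned profile and whether the threshold is crossed."""
    today = Counter(ev.split()[2] for ev in events)
    report = {}
    for service, counts in baseline.items():
        mean, std = mean_std_profile(counts)
        count = today.get(service, 0)
        z = zscore(count, mean, std)
        report[service] = (count, round(z, 2), abs(z) > threshold)
    return report

def learn(baseline, report):
    """Statistical anomaly-based 'fine tuning': days that did not alert are
    folded into the profile; alerting days are kept out so that an attack is
    not learned as normal behaviour."""
    updated = {service: list(counts) for service, counts in baseline.items()}
    for service, (count, _z, alerted) in report.items():
        if not alerted:
            updated[service].append(count)
    return updated

if __name__ == "__main__":
    for event, rule in signature_scan(TODAY_EVENTS):
        print(f"SIGNATURE {rule}: {event}")
    report = anomaly_scan(BASELINE, TODAY_EVENTS)
    for service, (count, z, alerted) in report.items():
        print(f"ANOMALY {service}: count={count} z={z} alert={alerted}")
    print("profile sizes after learning:",
          {s: len(c) for s, c in learn(BASELINE, report).items()})
```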
The main difference between the two technologies is that signature-based detection exploits known signatures that describe malicious activities, whereas anomaly-based detection considers all “non-normal” activity as malicious. Signature-based IDS is currently more widely implemented than behaviour-based IDS, since it is perceived to be easier to adapt to a specific system or network environment and its known vulnerabilities.
6. IDS Implementation Remarks
One of the main concepts in the deployment of IDS is that it is a useful tool for capturing information and providing visibility in a network. For critical infrastructures that have an added need for full visibility, it is common to install IDS devices at all the primary network points in order to provide visibility internally as well as externally. This kind of deployment provides the data needed to track down potential internal threats as well as those posed to the network from the outside. Another concern about IDS deployment is the performance factor. Today, IDS solutions have come a long way in the design and use of high-performance components that help ensure the greatest amount of data capture. In any case, even with higher-performance components, it is well known that current IDS implementations tend to drop packets, due to the high throughput of today’s high-bandwidth network devices. Performance is one of the primary key issues in IDS deployments. Encrypted traffic is another point to bear in mind, since IDS do not currently have the ability to decrypt packets, thus blinding the security administrators as to what is coming into and going out of a mission critical network. The use of VPNs and other encrypted data streams does increase the need to bring solutions like IPS to the perimeter.
7. Intrusion Prevention Systems (IPS)
Combining the blocking capability of a firewall with the deep packet inspection of an IDS, we obtain a new kind of barrier: Intrusion Prevention Systems. Still today there are many definitions of IPS and many views on what the requirements for IPS implementation should be. Some people suggest that IPS is the evolution of IDS and that IDS is a technology that will eventually disappear. There are companies that are combining multiple technologies to enable organisations to improve the level of protection of their networks through a combination of passive network discovery, behavioural profiling and integrated vulnerability analysis, to deliver the benefit of real-time network profiling. In many cases, the argument is that the decision to deploy IDS or IPS technology much resembles that of the chicken and the egg. As organisations start to realise the potential savings associated with preventing downtime caused by the almost weekly worm or virus attacks, they will be more inclined to adopt measures like IPS. IPS and IDS technologies can and should be able to live together. IPS technology must be placed at the perimeter of the network, to help prevent zero-day attacks such as worms or viruses, using anomaly-based rules as well as signature-based inspection. The adoption of IPS at the ingress/egress points of an organisation’s network will help ensure that both new and previously identified threats are dropped at the perimeter. Therefore, IPS deployment along the outer portion of the network will provide the preventive measures and control needed to counter new and existing threats, while including IDS inside the critical network nodes will provide visibility and confirmation of inside activity. IPS and IDS technologies are only two of the many resources that can be deployed to increase visibility and control in a complex and critical network infrastructure.
In fact, an exhaustive approach to the topic of security, which is beyond the scope of this paper, should take the concept of Defence in Depth into account. The Defence in Depth approach has been presented in many papers and books. The underlying idea of this approach is to provide multiple levels of security: it aims at defending a system against any particular attack by using several, varying methods. It is a layering tactic, conceived by the National Security Agency (NSA) as a comprehensive approach to information and electronic security.
Conclusion
Winning the challenge of security and service availability is a priority for mission critical networks that provide real-time services like Voice over IP and other strategic services. Choosing the appropriate security architecture solution is the most important target for mission critical networks. The use of both the discussed technologies, IDS and IPS, will positively influence an organisation's security posture. IPS at the border of the network will increase the visibility and control of intrusions and attacks. IDS systems, used to monitor the internal network, will provide the least intrusive method for identifying possible internal threats. With these two technologies, the network will have a perimeter and core defence that can combat zero-day attacks and counter existing threats, as well as being able to render activity in the internal network visible and be capable of providing forensic analyses.
D.A.M. Sgobbi and M. Paggio / Intrusion in a Mission Critical Network
Modelling Cyber Security: Approaches, Methodology, Strategies U. Gori (Ed.) IOS Press, 2009 © 2009 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-074-2-75
A World-Wide Financial Infrastructure to Confront Cyber Terrorism
Dr. Paolo CAMPOBASSO
UniCredit Group
Abstract. Considering that one of the most dynamic and attractive segments of the commercial world is the financial sector, it naturally becomes a favourite target for information warfare, due to the direct impact an attack on this sector could have on economic stability. Our reliance on infrastructures that support the use of information is subject both to being used for violence itself or to being the target of violent acts; industries such as broadcasting, banks, stock markets and telecommunication companies are dependent on technologies, and a disruption of their systems can potentially cause serious harm to basic societal interests. All corporate leaders must be aware of the diversity of potential attacks and should plan and implement measures to defend their organisations. In order to assure secure information exchange between business partners, it is mandatory that all involved parties secure their business environments by implementing the appropriate security measures. There is a need for an international response in which authorities and organisations alike use military expertise as consultancy or knowledge transfer in order to establish appropriate frameworks.
In today's world, we are becoming more dependent on communications and information technologies than ever before. Accurate and timely information provides competitive advantage; information systems technology makes our lives more efficient; telecommunication systems and computers have global reach and support economic infrastructures; information systems networks integrate economies, cultures and societies. The growing reliance of our society on cyber technologies has increased our exposure to dangerous sources of information warfare threats. The effect of any disruption, manipulation or sabotage of these networked infrastructures goes far beyond the directly attacked systems. We already perceive that information warfare has moved beyond the military dimension – it has already begun to threaten the commercial world as well. Considering that one of the most dynamic and attractive segments of the commercial world is the financial sector, it naturally becomes a favourite target for information warfare, due to the direct impact an attack on this sector could have on economic stability. Our reliance on infrastructures that support the use of information is subject both to being used for violence itself or to being the target of violent acts; industries such as broadcasting, banks, stock markets and telecommunication companies are dependent on technologies, and a disruption of their systems can potentially cause serious harm to basic societal interests. Banking and financial services industries in general can be either the target of violence or indirectly used as a form of support for an act of violence. On the one hand, banks have to defend themselves by defending their infrastructures against cyber-attacks and, on the other, defend others by avoiding becoming a mechanism that supports the perpetrators of violence. The frequency of international terrorist acts is usually proportionate to the financing that terrorists are able to obtain.
P. Campobasso / A World-Wide Financial Infrastructure to Confront Cyber Terrorism
It is critical that suspicious transactions are appropriately monitored and that law enforcement is put in place to target the financial sponsors of terrorist activities. Otherwise, financial institutions can innocently fund terrorist groups through transfers of funds that are believed to be perfectly legitimate and, in this way, a financial organisation can unknowingly become the technical support for violence. Banking and financial services industries are key components in maintaining and integrating economies and, in turn, information technology is the heart of these industries' operations, given that the vast majority of all financial transactions are made electronically. In this interconnected world, the organisations that provide financial services are not the only ones that must implement measures against organised crime and cyber threats. All corporate leaders must be aware of the diversity of potential attacks – including organised crime, high-tech espionage, or cyber-attacks organised by individuals (hackers) or by groups sponsored by nation-states or even by business competitors – and should plan and implement measures to defend their organisations. Nevertheless, corporate leaders must be aware that in a networked environment the security of their organisation depends on the security of others. As mentioned earlier, in an interconnected world such as the one we have today, in order to assure secure information exchange between business partners, it is mandatory that all involved parties secure their business environments by implementing the appropriate security measures. We all know that in security, through propagation, a weak link in the chain can be exploited and used to compromise the information that transits that chain. Unfortunately, today it is not an exaggeration to say that every organisation is faced with the threat of cyber attacks. Therefore, regardless of whether the threat level an organisation faces is high or low, it always needs to be taken seriously. Building company defences will not always be enough to reduce threats. Often, more extensive cooperation is required in order to provide a more consistent and effective response to cyber threats.
In order to build a reliable defence system against cyber threats, three directions should be considered:
- building solid corporate governance for the organisation;
- a joint approach of organisations against similar threats:
  • cooperation for response against cyber threats;
  • common prevention programs;
- world-wide cooperation:
  • there is a need for an international response which should include those countries that are currently safe havens for cyber-criminals; international cooperation between authorities against cyber-criminals will improve the capabilities of neutralising the sources from which the attacks originate;
  • using military expertise as consultancy or knowledge transfer in order to establish appropriate frameworks for conducting cyber warfare both offensively (aggressive defence) and defensively; in this respect, collaboration protocols should be established with governments, which can in this way better support the private and public sectors in setting up such frameworks.
As is clearly illustrated above, the measures to be taken are not only local but also regional and global. For example, because cyber crime and cyber terrorism are transnational phenomena, legal enforcement cannot be effective as long as it remains at an exclusively local or regional level. This is particularly critical for large corporations operating in foreign countries, which are subject to various national legal restrictions that could impact the overall protection strategy of the corporation itself.
Extended cooperation is also required to fight cyber-terrorism. Some experts consider cyber-terrorism to be almost a myth; others consider it an imminent threat. On the internet we can find evidence that cyber terrorist groups exist and are active. Unfortunately, through web sites, it is possible for such organisations to reach a public audience. In a direct quote, Raphael F. Perl stated: “There are websites regularly visited by tens of thousands of persons where prominent terrorist literature is made available and terrorist acts glorified. There are websites through which “leaders” interact directly with their supporters, creating social bonds and maintaining virtual communities, all of which can be later exploited to mobilise support. There are websites hosting virtual training camps as well as online manuals on how to assemble an explosive belt for instance or to create an explosive with every day life materials” [1]. Without a public audience, terrorism is limited. We all know that terrorists are media dependent and that the internet is used as a means to reach large audiences. The size of the audience determines the amplitude of the impact terrorist actions can produce on a given population. Through the media, and especially the internet, terrorists are able to reach a global audience. This global reach via the internet enables terrorists to disseminate potential target intelligence amongst members in near real time. Therefore, we must be aware of these new capabilities terrorists have: ignorance is not an option against cyber-terrorism. Because a cyber-terrorist attack starts with a cyber-attack, regardless of our perception of cyber-terrorism, we must defend our organisations against cyber-threats by identifying and eliminating vulnerabilities and defending ourselves against possible cyber-attacks.
Nevertheless, we should not play the role of appeaser – “An appeaser is one who feeds a crocodile, hoping it will eat him last.”¹ The civilian/business world has no experience in fighting cyber-terrorism, and for this reason military knowledge of cyber warfare ought to be shared with governments and the private and public sectors in order to improve overall defensive capabilities. The global information infrastructure is the new supply chain for terrorist organisations. Despite the efforts that the security industry has made in R&D, this infrastructure remains vulnerable to cyber threats. What we need today is the awareness that we have to secure ourselves, that our security also depends on others, and that knowledge of threats and security expertise must be shared. Only through active participation can we create an environment that reduces the risks of cyber threats, including the risks of cyber terrorism. Another aspect of information security that must be considered on a global basis regards security breaches and their reporting. Currently, efforts to collect and disseminate information regarding security breaches are fragmented. One of the most important aspects in developing a culture of security is to improve knowledge of the problem. This improvement can be achieved by increasing the diversity of available information, which today is limited precisely because the collection of breach reports is fragmented. For instance, establishing a centralised reporting structure, such as a Global Information Security Centre or World Information Security Centre, would create a database of aggregated information that could be shared in a unified format and be available to governments and organisations world-wide. Such a source of information is extremely valuable for an organisation preparing its measures against cyber-attacks.
The complexity of the business world, and the threats it is faced with, make it clear that the military, law enforcement and the private sector must work even more closely together than they do today, since none of these parties is likely to have full and comprehensive knowledge of all security aspects and all of the different types of security threats that the various actors must deal with today. Without a full picture and a joint approach, we limit our response capabilities in the face of cyber crimes. UniCredit is sensitive to these issues and actively promotes cooperation with national and international actors; it aims at exchanging knowledge and expertise to improve overall awareness of, and response capability to, crimes. Like possibly other large players, UniCredit is already active in this area of cyber defence, and the practical returns are expressed in terms of improved awareness, prevention capabilities and loss reduction. Through the implementation of a security model based on international standards and best practices, having reliable AML in place along with anti-fraud mechanisms, and continually improving its prevention, detection and response capabilities, UniCredit Group achieves excellent results in minimising losses.

¹ Sir Winston Churchill, Reader's Digest, December, 1954
References
[1] Raphael F. Perl, Head of the OSCE Action against Terrorism Unit. April 2008. Remarks on “Terrorist Use of the Internet” at the Second International Forum on Information Security.
[2] Sir Winston Churchill, Reader's Digest, December, 1954.
[3] Nain D., Donaghy N., Goodman S. The International Landscape of Cyber Security. In: Straub D, Goodman S, Baskerville R (ed) Information Security: Policy, Processes, and Practices. M.E. Sharpe, New York. 2008.
[4] INTERPOL Information Technology Crime. 2008. http://www.interpol.int/Public/TechnologyCrime/default.asp
[5] INTERPOL Information Technology Crime. IT security and crime prevention methods. 2008. http://www.interpol.int/Public/TechnologyCrime/CrimePrev/ITSecurity.asp
[6] Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime. Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions. 2000. http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!DocNumber&lg=en&type_doc=COMfinal&an_doc=2000&nu_doc=890
[7] CORDIS ICT Challenge 1: Pervasive and Trusted Network and Service Infrastructures. Information and Communication Technologies. 2008. http://cordis.europa.eu/fp7/ict/programme/challenge1_en.html
[8] Countering the Use of the Internet for Terrorist Purposes, Decision No. 7/06. Organization for Security and Co-operation in Europe. 2006. http://www.osce.org/documents/mcs/2006/12/22559_en.pdf
[9] Cyber threat on the rise as terrorists recruit computer specialists, says OSCE expert. Secretariat – Action against Terrorism Unit. Organization for Security and Co-operation in Europe Press Release. April 10, 2008. http://www.osce.org/atu/item_1_30591.html
[10] Security, Trust, and Data protection. ISSS (ICT). European Committee for Standardization. 2008. http://www.cen.eu/cenorm/sectors/sectors/isss/activity/securitytrustdpp.asp
[11] Cyber Security. Inter-American Committee Against Terrorism. Organization of American States. 2006. http://www.cicte.oas.org/Rev/En/Programs/CyberSecurity.asp
[12] Resolution: Date and Venue of the Ninth Regular Session of the Inter-American Committee against Terrorism. CICTE/RES. 1/08 Cyber Security. Inter-American Committee Against Terrorism. Organization of American States. March 7, 2008. http://www.cicte.oas.org/Rev/En/Documents/Resolutions.asp
[13] Best Practices in Security Governance. Aberdeen Group, USA. 2005.
[14] Allen, Julia. Governing for Enterprise Security. Carnegie Mellon University, USA. 2005.
[15] Privacy Framework Principles and Criteria, USA and Canada. American Institute of Certified Public Accountants/Canadian Institute of Chartered Accountants. 2005.
[16] Hallawell, Arabella. Gartner Global Security and Privacy Best Practices. Gartner Analyst Reports, USA. 2004. www.csoonline.com/analyst/report2332.html
[17] Microsoft Windows Malicious Software Removal Tool disinfections by category, 2H05-2H07.
[18] CSI Computer Crime and Security Survey Report. 2008.
[19] IBM Internet Security Systems X-Force Report. 2007.
Modelling Cyber Security: Approaches, Methodology, Strategies U. Gori (Ed.) IOS Press, 2009 © 2009 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-074-2-79
A Pragmatic and Foolproof Approach for Connecting Critical/Industrial Networks to External Less Secure Networks
Esti PESHIN
CEO, Waterfall Security Solutions Ltd.
Abstract. Critical Networks monitor and control the most valuable assets of national and homeland security and usually refer to operational, real-time networks. Ecosystems involving Critical Networks, on the other hand, often include interconnections with external, Less Secure Networks. There is a constantly increasing demand to connect Critical Networks to Less Secure Networks or ecosystems in order to enable more business processes and improve business continuity and day-to-day operations. This paper describes three models of ecosystems that involve Critical Networks and Less Secure Networks, in which the role of the Critical Network differs within each of the proposed ecosystems:
1. Production/DCS (Data Control System) Network – an Industrial (Critical) Network (for example, an oil refinery) which is monitored by a Business Network within the organisation.
2. Remote Infrastructure Management – assets (for example, data centres) within a Critical Network that are monitored by a third-party support centre (for example, equipment vendors).
3. Lawful Interception – a Critical Network that monitors assets within External Networks (for example, Service Providers, Telecom Operators).
This paper analyses the IT Security threats inherent to the above ecosystem models. It describes the pros and cons of the existing IT Security approaches for mitigating these threats, and presents a novel pragmatic approach that can completely eliminate these risks, while maintaining the business processes that require inter-connectivity.
Keywords. Unidirectional connectivity, Waterfall, One Way Link, Critical National Infrastructures (CNI), Critical Infrastructures Protection (CIP), Critical Networks, SCADA, Lawful interception (LI), hacking, cyber attacks, segregation topology, Remote Infrastructure Management (RIM), Secure Manual Uplink (SMU)
E. Peshin / A Pragmatic and Foolproof Approach for Connecting Critical/Industrial Networks
Introduction
Critical National Infrastructure (CNI) is a term used by governments to describe assets that are essential for a country's society and economy to function. Electricity generation, gas and oil production, telecommunications, water supply, food production and distribution, public health, transportation, financial services and security services are the facilities most commonly associated with the term. Governments employ a Critical Infrastructures Protection (CIP) concept to address their preparedness and response capabilities for serious incidents involving CNIs. Naturally, CNIs are tempting high-profile targets for hostile and terror-related activities. In recent years, cyber-terror, cyber-crime and cyber-warfare have become the new emerging threats to Critical Networks, which are the heart and soul of Critical National Infrastructures. These threats are here to stay, and thus Critical Networks' operators must adapt by adopting new mind-sets and implementing modern methods, technologies and solutions to mitigate and eliminate the potential damage of an attack. One of the most vulnerable points of a Critical Network is its connections to external, less secure networks, whether these belong to the organisation itself (e.g. the organisation's business network), are public (e.g. the internet), or belong to a third party. By reviewing just a few of the numerous articles and reports recently published in the electronic and written media, one can observe the security and operational risks that these threats entail:

Cyber Terror
“CIA Confirms Cyber Attack Caused Multi-City Power Outage: We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.” (SANS Organization, January 18, 2008, www.sans.org/newsletters/newsbites/newsbites.php?vol=10&issue=5&rss=Y)

Cyber Crime
“Federal prosecutors have charged 11 people with stealing more than 41 million credit and debit card numbers, cracking what officials said on Tuesday appeared to be the largest hacking and identity theft ring ever exposed. … Once the thieves identified technical weaknesses in the networks, they installed so-called sniffer programs, obtained from collaborators overseas.” (New York Times, 5 August 2008)

Cyber Warfare
“While Russia and Estonia are embroiled in their worst dispute since the collapse of the Soviet Union, a row that erupted at the end of last month over the Estonians' removal of the Bronze Soldier Soviet war memorial in central Tallinn, the country has been subjected to a barrage of cyber warfare, disabling the websites of government ministries, political parties, newspapers, banks, and companies.” (The Guardian, May 17, 2007)

For obvious IT security reasons, it would be best to completely segregate Critical Networks from any external Less Secure Networks. Yet, typically, Critical Networks are part of ecosystems that interconnect multiple networks of varying ownership and of varying levels of control and security. This interconnection to external Less Secure Networks is essential for the operation of the Critical Network and of the Critical National Infrastructure. This article provides a detailed description of models of ecosystems that involve Critical Networks, the IT security threats inherent to those ecosystems, and the pros and cons of the existing IT security approaches for mitigating those threats. It then presents a novel pragmatic approach that completely and permanently eliminates the risks, without reducing the functionality and services of the Critical Network within the ecosystem.
1. Typical Ecosystems Involving Critical Networks
1.1. Production/DCS Network
A production/DCS network is commonly located within a Supervisory Control and Data Acquisition (SCADA) system. It consists of a Control Centre, which is connected to sensors, actuators and controllers that monitor elements and processes within the system. The Control Centre (a.k.a. Master) is typically a large and complex network, which includes vast information storage capability as well as analysis and display capabilities. The control centre is usually operated around the clock and is required to provide a constant real-time view of the production line status. Production/DCS networks are commonly interconnected with an organisation's Business Network. It is through the latter that updates are sent to different functions within the organisation and, sometimes, to external parties (for example, a power plant that is required to provide real-time updates to large customers about production status and faults). The Business Network, in turn, is also typically connected to the Internet.
Figure 1. Typical DCS network topology
1.2. Remote Infrastructure Management (RIM)
Remote Infrastructure Management (RIM) is the remote support and management of various IT services that are related to infrastructure support from third-party global sites. The service includes health-monitoring, support, administration, maintenance, troubleshooting, and performance enhancement of networks and network elements, such as data centres, communication equipment, production equipment and more. Organisations tend to favour RIM, since it reduces costs and increases productivity. Some equipment vendors are offering attractive SLA (Service Level Agreements) packages that are based on RIM, and some are not even inclined to offer long term SLAs without RIM. However, RIM intrinsically requires an interconnection to exist between the monitored equipment and the third-party support/monitoring centre. The same remote centre usually monitors many pieces of equipment within a set of different networks.
Figure 2. Typical Remote Infrastructure Management (RIM) topology
If a Critical Network includes remotely monitored equipment, it consequently becomes part of an ecosystem that involves the third-party Monitoring Network and ALL of the additional networks that are connected to the same Monitoring Network. The different networks that are part of this ecosystem are not controlled by the same organisation. Hence, an organisation agreeing to have the equipment within its Critical Network remotely monitored in fact exposes its Critical Network to external networks that may or may not be less secure than its own Critical Network and that, in any case, are not under its control.
1.3. Lawful Interception
Lawful interception (LI) is the process by which Law Enforcement Agencies (LEAs) and Security Organisations legally obtain real-time communication intercepts from the communications of suspects and criminals. In particular, this involves interconnecting the Critical Network at the LEA facility, where the information is gathered and analysed, to the Service Provider’s networks, from where the information is obtained.
Interconnection is mandatory, since it is the only way in which the LEA can obtain the necessary information in real-time.
Figure 3. Typical Remote Infrastructure Management (RIM) topology
It is not uncommon for a single LEA network to be connected to multiple Service Provider sites that differ in ownership and in their security level. As a result, an ecosystem may be formed with the LEA network at its base, linking together various service providers, each of which has its own security provisions and concerns.
1.4. Ecosystems with External Connections
As mentioned above, external connections from/to Critical Networks are a necessity, because they enable the network to meet its business and operational demands. The main reasons why a Critical Network is required to have external connections are:
• Sending updated information and system alerts to a Business Network – an intra-organisation ecosystem.
• Sending monitoring information from the Critical Network to equipment vendors or system integrators (for example, for Remote Infrastructure Management) – an ecosystem where the Critical Network is a node.
• Monitoring third-party networks/assets via a Critical Network (for example, for Lawful Interception) – an ecosystem where the Critical Network is the root.
The vast majority (if not all) of the external connections are IP-based, usually over LAN or WAN. This is true even for partially IP-based Industrial Networks.
1.5. Why Are External Connections a Major Risk?
Because an attacker will first try the path with the best cost/performance ratio! Let us assume, for the sake of simplicity, that a criminal or terrorist entity wants to penetrate an electric plant's Production/DCS Industrial network.
Scenario I: The entity tries to hack into the plant's Industrial network via one of the sensors or controllers, or even by tapping into the network medium (which can be wireless) – a physical-access attack.
Scenario II: The entity tries to hack into the Industrial network via a connection that the network has to a third party over the internet – an online attack.
Both scenarios are theoretically feasible, but Scenario I requires that:
1. The attacker have physical access to a network element, or be geographically close to the network.
2. The attacker have preliminary inside information about the specific network elements, at a specific and detailed level (which sensor/controller, of which vendor/model/version, etc.).
3. The attacker have a deep understanding of Industrial networks (for example, SCADA protocols).
4. The attacker have proprietary tools, sometimes hardware-based, to facilitate the attack.
On the other hand, Scenario II is possible with:
1. No need for physical proximity to the Industrial network; it can even be done remotely.
2. Minimal (sometimes no) preliminary information about the specific Industrial network (for example, its SCADA protocol); the entity only needs information about the external connection.
3. Minimal, even superficial, knowledge of Industrial networks.
4. A wide variety of available "off-the-shelf" hacking tools and techniques, accompanied by a large and easily accessible knowledge base about the vulnerabilities and exploitable weaknesses of IT infrastructures, network appliances, servers and applications.
This means that in terms of efforts, costs, complexity and technical expertise, it is much more cost effective to successfully execute a scenario II type attack – hack the Critical Network via an (IP) external connection.
2. A Secure Solution for External Connectivity
2.1. Why Not Deploy Standard IT-Security Solutions?
Considering the sensitivity of Critical Networks, the potential damage that could be caused by an attack, and the high level of motivation that exists to attack them, a solution for protecting the external connections should provide the utmost security while having little or no effect on the business and operational requirements. Standard IT security solutions and technologies such as firewalls, content filters and intrusion detection and prevention (IDP) systems, while good enough for most organisations and users, are not sufficient for securing external connections to Critical Networks. Firewalls are circumvented on a daily basis, content filters are bypassed, and IDP systems detect mainly known attacks. There is an abundance of security patches and software updates being produced and installed daily, which only keep the security products up to date against yesterday's attacks and vulnerabilities. For Critical Networks, standard IT security measures are insufficient, primarily because they are:
• Software-based, running over an operating system that is itself subject to bugs, software vulnerabilities and online hacking and penetration
• Configurable – many security products are partially configured or configured poorly
• Partial – none of them provides, by design, 100% security
To emphasise the extent of the risks, below is a risk-analysis table detailing the probability and severity of security threats in the three types of ecosystem when protected by software-based security solutions.
2.2. Risk Analysis – Ecosystems protected by standard IT Security solutions

Table 1. Risk Analysis – Ecosystems protected by standard IT Security solutions
Severity and probability are rated 1-5 (5 highest); probability is given separately for each ecosystem (Production/DCS, RIM, LI). CN = Critical Network, EN = External Network.

Threat                      | Description                                                                                                    | Severity | Prob. Production/DCS | Prob. RIM | Prob. LI
Online Data leakage         | Online access to CN from the Internet via the EN                                                               | 5        | 4                    | 3         | 3
Physical Data leakage (EN)  | Access to CN after gaining physical access to the EN site and accessing the EN                                 | 5        | 4                    | 4         | 4
Physical Data leakage (CN)  | Access to CN after gaining physical access to the CN site                                                      | 5        | 1                    | 1         | 1
Compromise of CN            | Online attack from the Internet via the EN                                                                     | 5        | 4                    | 3         | 3
Compromise of CN (EN)       | Physical-access attack after gaining physical access to the EN site and accessing the EN                       | 5        | 2                    | 4         | 4
Compromise of CN (CN)       | Physical-access attack after gaining physical access to the CN site                                            | 5        | 1                    | 1         | 1
Interlinking (EN to EN)     | Compromise of an EN site after gaining access (online or physical) to another EN site connected to the same CN | 5        | N/A                  | N/A       | 3
Interlinking (CN to CN)     | Compromise of a CN site after gaining access (online or physical) to another CN site connected to the same EN  | 5        | N/A                  | 3         | 3

2.3. Securing Critical Networks via Unidirectional Connectivity
Since the importance and sensitivity of Critical Networks is beyond question, a Critical Network ought to be secured in the best way possible. Hence, imposing a segregation topology seems to be the most obvious choice because it would leave the Critical Network physically isolated from the External Networks while still enabling the business processes to continue to function. Implementing the connection of External Networks from or to the Critical Network via real-time physical unidirectional gateways, allows the complete and eternal mitigation of all the above mentioned IT security threats, while maintaining the business processes within the ecosystem.
2.4. Waterfall One Way TM
The Waterfall One Way TM technology is today’s leading physical unidirectional gateway, and allows data to be transmitted from a Transmitting Network to a Receiving Network for which no return channel exists. The Waterfall One Way TM product consists of two elements – a TX Component and an RX Component. Each element includes a unique hardware design that guarantees unidirectional data transfer. The TX and RX Components are connected via a single fibre optic cable. This is the only connection between the two components of the Waterfall One-Way TM product.
Figure 4. Waterfall One Way TM - Core
Each component has a standard Ethernet (RJ45) socket connecting it to the respective network (via a NIC supporting 100Mbps). On each of the networks, a dedicated server runs Waterfall’s software, which manages the hardware and provides standard interfaces to third-party applications and protocols. The following information can be transferred via Waterfall:
• UDP Packets
• Files (for example, Local / Remote File-Server / FTP / S/W updates / SMTP)
• Streams (for example, RTP, RTSP, UDP, TCP)
• Messaging Queues (for example, Websphere MQ)
• SNMP traps and applications (for example, CA SIM)
• SCADA and process control (for example, OSISoft PI, Modbus, OPC, DNP3)
Figure 5. Waterfall One Way TM - Technological Overview
2.5. Securing Ecosystems Involving Critical Networks
We will now detail how the three models of ecosystems we previously described can be secured using physical unidirectional gateways.
2.5.1. Production/DCS Network
Information from the Critical Network is replicated in real-time to the business network, via a physical unidirectional gateway. Because the gateway is physically unidirectional, without exception, no data can enter the Critical Network from the business network. All types of online attacks are completely blocked from the external side (the RX side of the Waterfall One-Way TM). Consequently, any possibility of data leakage is absolutely mitigated.
Figure 6. Production/DCS Network Topology - with a unidirectional gateway
2.5.2. Remote Infrastructure Management (RIM)
System logs and events are sent in real time from the monitored asset within the Critical Network to the third-party remote maintenance/support centre, via a physical unidirectional gateway. When the need arises for the maintenance/support centre to access the monitored asset (e.g., for troubleshooting), a Secure Manual Uplink (SMU) is manually activated on the Critical Network side. The activated uplink, which can be either synchronous or asynchronous, allows commands to be sent to the monitored asset from the maintenance/support centre. Because the uplink is manually activated, it must also be deactivated manually when it is no longer required. However, for security reasons, the uplink has a built-in clock and time limit that shuts down the link automatically after a predefined interval.
Figure 7. Production Remote Infrastructure Management (RIM) topology - with a unidirectional gateway
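The behaviour of the Secure Manual Uplink described above (opened by an operator on the Critical Network side, carrying commands only while open, and closing by itself once the built-in time limit elapses even if nobody deactivates it) can be modelled as a small state machine. The following is an added example and not Waterfall's code: the class, its field names and the session values are assumptions chosen to make the gating logic testable offline, with the clock passed in rather than read from the system.

```python
"""Model of a manually activated, time-limited uplink into a Critical Network.

Added illustration (not Waterfall's product code). The class, field names and the
constructed session below are assumptions; the behaviour modelled is the one
described for the Secure Manual Uplink: commands from the maintenance centre are
relayed only while an operator-opened window is in effect, and the window shuts
itself after a predefined interval.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SecureManualUplink:
    """Uplink state; `now` is supplied by the caller so the model runs without wall-clock time."""
    max_window_seconds: float                      # predefined time limit built into the link
    opened_at: Optional[float] = None              # None means the uplink is closed
    audit_log: List[str] = field(default_factory=list)

    def activate(self, now: float, operator: str) -> None:
        """Operator on the Critical Network side opens the uplink and starts the shutdown clock."""
        self.opened_at = now
        self.audit_log.append(f"{now:.0f} uplink ACTIVATED by {operator}")

    def deactivate(self, now: float, reason: str) -> None:
        """Closes the uplink; a no-op if it is already closed."""
        if self.opened_at is not None:
            self.opened_at = None
            self.audit_log.append(f"{now:.0f} uplink DEACTIVATED ({reason})")

    def is_open(self, now: float) -> bool:
        """True only inside the window; closes the link automatically once the limit is reached."""
        if self.opened_at is None:
            return False
        if now - self.opened_at >= self.max_window_seconds:
            self.deactivate(now, "time limit reached")
            return False
        return True

    def forward_command(self, now: float, command: str) -> Tuple[bool, str]:
        """Relay a maintenance-centre command to the monitored asset only while the uplink is open."""
        if not self.is_open(now):
            self.audit_log.append(f"{now:.0f} REJECTED {command!r}: uplink closed")
            return False, "uplink closed"
        self.audit_log.append(f"{now:.0f} FORWARDED {command!r}")
        return True, "forwarded"


def run_maintenance_session() -> Tuple[Dict[str, bool], List[str]]:
    """Constructed session: a 10-minute window, with commands before, inside and after it."""
    link = SecureManualUplink(max_window_seconds=600)
    outcomes: Dict[str, bool] = {}
    # A command arriving while no operator has opened the link is dropped.
    outcomes["before activation"] = link.forward_command(0, "show-logs")[0]
    link.activate(10, "cn-operator")
    outcomes["inside window"] = link.forward_command(100, "restart-service")[0]
    # 690 s after activation the built-in limit has elapsed: the link closes itself.
    outcomes["after time limit"] = link.forward_command(700, "apply-config")[0]
    outcomes["still closed"] = link.is_open(701)
    # Second window closed explicitly by the operator when the work is done.
    link.activate(1000, "cn-operator")
    outcomes["second window"] = link.forward_command(1050, "collect-diagnostics")[0]
    link.deactivate(1100, "work complete")
    outcomes["after manual deactivation"] = link.forward_command(1150, "apply-config")[0]
    return outcomes, link.audit_log


if __name__ == "__main__":
    results, log = run_maintenance_session()
    for entry in log:
        print(entry)
    print(results)
```

The audit log is part of the design: every activation, automatic or manual deactivation and every rejected command is recorded, which is what an operator on the Critical Network side would review to confirm that no window stayed open longer than intended.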
2.5.3. Lawful Interception (LI)
In order to effectively secure a Lawful Interception topology, the LEA network should be segregated from the SP network(s) by implementing physical unidirectional gateways for the outgoing and the incoming connections. To further increase the security level of the LEA network, an internal segregation must be implemented between the “HI-1” (outgoing) and “HI-2/3” (incoming) environments within the LEA network. The segregation is achieved by implementing another physical unidirectional gateway from the “HI-1” environment, which enables the transfer of “HI-1” information and other operationally required data to the “HI-2/3” side.
Figure 8. Lawful Interception (LI) Topology - with unidirectional gateways
2.6. A Pragmatic and Effective Solution - Risk Analysis
To emphasise the value of deploying physical unidirectional gateways, below is a risk-analysis table detailing the probability and severity of security threats in the three types of ecosystems that are protected by physical unidirectional gateways, such as Waterfall One-Way TM.
Table 2. Risk Analysis – Ecosystems protected by physical unidirectional gateways. Severity and Probability are rated 1-5 (5 highest); Probability is given for each ecosystem (Production/DCS, RIM, LI). CN = Critical Network, EN = External Network.

Threat                      Description                                                                                                   Severity  Production/DCS  RIM  LI
Online Data leakage         Online access to CN from Internet via the EN                                                                  5         0               0    0
Physical Data leakage (EN)  Access to CN after gaining physical access to the EN site and accessing the EN                                 5         0               0    0
Physical Data leakage (CN)  Access to CN after gaining physical access to the CN site                                                      5         1               1    1
Compromise of CN            Online attack from Internet via the EN                                                                         5         0               0    0
Compromise of CN (EN)       Physical-access attack after gaining physical access to the EN site and accessing the EN                       5         0               0    0
Compromise of CN (CN)       Physical-access attack after gaining physical access to the CN site                                            5         1               1    1
Interlinking (EN to EN)     Compromise of an EN site after gaining access (online or physical) to another EN site connected to the same CN  5         N/A             N/A  0
Interlinking (CN to CN)     Compromise of a CN site after gaining access (online or physical) to another CN site connected to the same EN   5         N/A             0    0
3. Summary
Critical Networks are the heart and soul of Critical National Infrastructures, which in turn are high-end and attractive targets for cyber-terror and cyber-attacks. Based on the potential damage that can be caused by a cyber attack on Critical Networks, and taking into consideration the relatively low cost and simplicity of such attacks, Critical National Infrastructures must secure their Critical Networks in order to protect their assets. There are a multitude of vulnerabilities and weak points in Critical Networks, some of which require costly and complex solutions to protect or strengthen. However, the entry points which are the most likely to be exploited – the connections to External Networks – can be fully and sufficiently protected using physical unidirectional gateways. The latter are a relatively simple and cost-effective solution that completely eliminates the IT Security risks originating from connections to external Less Secure Networks.
Modelling Cyber Security: Approaches, Methodology, Strategies U. Gori (Ed.) IOS Press, 2009 © 2009 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-074-2-93
A Cyber Security Approach for Smart Meters at ERDF
Pascal SITBON
EDF R&D, 1 avenue du Général de Gaulle, 92141 Clamart
[email protected]
Abstract. In this article, we discuss the cyber security approach taken by ERDF (Electricité Réseau Distribution France) as a preliminary step in its smart meters deployment project. First, we focus on the emerging risks introduced by the new technologies and their usages. Then, we explain how and why we have to define high-level security objectives independently of the technical solutions, and conclude by emphasising the committed involvement needed from the whole metering community and supply-chain in order to achieve these objectives.
Keywords. Security, smart metering, SCADA, risk management, security objectives
1. A Fast-changing Metering Context
Cyber-security for industrial systems has recently been gaining a lot of attention, due to the fact that such systems are getting more complex, interdependent, and interconnected. Particular attention is given to Critical Infrastructure Protection such as energy, transportation, telecommunications, or water, which are all monitored and controlled by industrial systems. This is also the case for the electricity distribution network. A metering system is a central part of such an electric grid. In addition to measuring electricity consumption, its role is to deliver electricity to end users, including critical users such as hospitals or emergency services. It handles and processes sensitive commercial and technical data, such as nominative information and consumption data, or remote control meter commands such as electric power modification. ERDF, the main distribution subsidiary of EDF in France, is currently identifying requirements for its pilot project of 300,000 smart metering points for its domestic users in order to prepare for the potential general deployment in France of the system. The system would enable a wide range of new services to be offered to the consumer and new management capabilities made available to power utilities. The metering world is changing dramatically due to its steadily growing reliance on information technologies. This implies that there is a clear need for a more global approach to cyber security. The challenge to balance the cost/benefit ratio must take the specifics of metering and the whole spectrum of the associated risks into account. In this equation, the sheer number of meters, which are distributed on a national scale, has to be underlined; each euro spent is multiplied by tens of millions. The long life span of such systems, typically 20 years, is another structuring fact, especially for risk characterisation and security level continuity.
The metering system is very complex and consists of many different players (solution providers, integrators, public regulators, meter builders, etc.). Complexity is anathema to security: it usually takes too long and costs too much money to protect complex systems. Consequently, it is harder to achieve a balanced cost-benefit ratio. Last but not least, potential attackers can easily access metering systems because of their widespread distribution throughout the country, creating many entry points and targets.
2. The Risk Management Process
The security process aims at managing risks in accordance with the company’s objectives. Since total security is not attainable, this means that our limited resources have to be used efficiently and with purpose. Risk management is the process that helps us to protect our critical assets and operations with proportional, coherent, and verifiable measures, and thus a balanced cost/benefit ratio. This process is a crucial tool in the decision-making process; it allows us to conscientiously make trade-offs, state our security posture, and choose the appropriate measures. Security, like trust or assurance, could (and should) add real value to a company’s image and inspire confidence in stakeholders. Since security is not a static state that is present or not present, we ought to define security levels as a continuous cycle that constantly changes over time. Without a proactive approach to security, the levels of security would rapidly decrease over the lifetime of the system. Products and technologies alone cannot solve security problems; they can only provide security when used efficiently, through consistent and thoroughly defined processes. We can mention two such processes:
• the business continuity planning process, which defines how to recover after a disruption or disaster and how to restore the critical functions in order to keep the business going;
• the incident management process, which describes how to log, record, and resolve security incidents, including legal aspects and evidence management.
It is certain that security incidents will occur; we just don’t know when they will take place. Therefore, we must anticipate how such incidents will be handled.
System design phases should cover technical and functional aspects, but also non-technical ones, right from the start, including considerations regarding people (e.g., responsibilities or organisational issues) and process dimensions. In addition, new technologies come with new risks. Attackers are creative people; they are constantly finding new ways to abuse the system. Moreover, as aforementioned, because access to the meters is relatively easy, part of the system providing security is located in the potential attackers’ hands, making it more complicated to globally render the system less vulnerable. There is a wide spectrum of threats that ranges anywhere from fraud and competitors to cyber-terrorism. Malicious actions, such as the remote shutdown of numerous meters, could lead to an economic disturbance, distrust within the society, and even safety issues. The risks may be roughly classified as follows:
• Classical petty offenders, who are more concerned with lowering the bill and stealing money, modify consumption indexes or tariffs to their own benefit. There are no damages to the system apart from financial ones (easy physical access);
• Organised crime targets consumption data, in order to alter or sell it. These kinds of threat agents could also try to distribute or sell “cheat boxes” on the Internet in order to automate fraud. The automatic collection of consumption profiles of many users or particular users (VIP, etc.) could be interesting for organised crime;
• Cyber-terrorism could have major impacts on the electric distribution network and could lead to the disruption of electrical power to strategic areas, impacting the economy and compromising safety.
There are already a few examples of cyber-attacks on metering systems, including one that targeted the AMM (Advanced Metre Management) system of ENEL in Italy. The method to change the tariff rate on the meter without paying the fee, of course, was published on the Internet (cf. Fig. 1). ENEL has successfully responded to this threat, but all actors in energy distribution are now warned that the cyber-threat is very real and should be taken into account.
Figure 1. Publication on the Internet of the ENEL AMM systems vulnerability.
We cannot avoid these threats, nor can we eliminate all of the risks definitively. What we can do is reduce the risks to an acceptable level. The approach we’ve used is based on well-known best practices, like Common Criteria (ISO 15408) and EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité). EBIOS is a method for risk management used in numerous big projects in different sectors, for example by the French Atomic Energy Commission and the Council of the European Union. EBIOS was designed by the French DCSSI (Information System Security Central Direction, an agency of the French government). Our approach includes:
• Statement of security needs (according to the context), metering processes, and challenges
• Threat and risk analysis
• Security objective definitions, according to the threats and assumptions. Those objectives form the security policy of the Automated Metering System.
The global security approach is described in Fig. 2. The environmental security is considered to be external to the AMM project and shares common requisites regarding the Business Recovery Process and the security of operating systems and data centres. The security strategy is of course decided at the top-management level. The organisational security measures are central to the overall level of security that can be achieved; for example the specific safety procedure used to handle a request to open a new account is an intrinsic part of the overall level of security.
Figure 2. Global security approach
The risk management process used for the AMM system is composed of a three-step approach that is illustrated in Fig. 3:
Figure 3. ERDF AMM system risk management process
In the following section, we will develop the steps:
Step 0 – Define the context and perimeters
Step 1 – State/Identify the sensitivities to threats of the assets that need protection – “some of my assets need protection”
Step 2 – Study the threats in the environment – “there are threats to my assets”
Step 3 – State the security objectives – “I set my security objectives without specifying the technical solutions”
Step 4 – Determining the security requirements
2.1. Step 0 – Define the context and perimeter
Figure 4. Step 0 – Define the context and perimeter
Objectives:
• Sum up the technical, business, regulatory context
• Identify essential elements, functions and information, which constitute the added value of the information system
• Essential elements are linked to a set of entities of various types: hardware, software, networks, organisations, human resources and sites
ERDF example:
• Target: AMM Information system
• Context: business, regulatory, technical, etc.
• Essential elements:
o Detection of low voltage incidents,
o Supervision of the communication chain,
o Local actions on the meter, etc.
• Entities:
o Hardware: meters, concentrators, servers, etc.
o Software: firmwares, applications, etc.
o Sites: MV/LV transformers, meter sites, etc.
2.2. Step 1 – State the sensitivities to threats of the assets that need protection
Figure 5. Step 1 – state the sensitivities to threats of the assets that need protection
Objectives:
• The sensitivity of each essential element to threats must be expressed
• Expression is based on various security criteria such as availability, integrity and confidentiality
• If this sensitivity is not covered, there will be an impact on the organisation
ERDF example: We begin by focusing on critical assets that would need protection. This step involves interviews with the individuals that are responsible for each business process. The covered topics include the description of the business process and the security sensitivity of the process. The level of sensitivity is broken down using criteria such as CIA (Confidentiality, Integrity, and Availability) and an additional criterion which is Accountability (proof of responsibility for an action). In this analysis, we focused on the potential impact a malevolent action would have. The ERDF case is composed of 8 business processes and 20 essential elements.
Example: essential element “detection of low voltage incident”
• Availability: High
• Integrity: High
• Confidentiality: Low
• Accountability: Low
In this example, we state that it is important to obtain the right information on time when detecting a low voltage incident. But it doesn’t really matter who sends the information, nor is it important that the information be kept secret.
2.3. Step 2 – Study the threats in the environment – “there are threats to my assets”
Figure 6. Step 2 – Study the threats environment
Objectives:
• Identify main threat agents
• Identify the vulnerabilities of the components
• Identify the attack methods and scenarios
ERDF example: There are 688 vulnerabilities defined in the EBIOS method. We adapt the method to suit our needs. For example, according to the “no authenticity guaranteed” attack method, we have vulnerabilities, such as “use resource without accountability” or “no authentication of source or destination”. These threats to the identified assets are categorised before performing a risk analysis: the probability (likelihood of the risk) and impact (consequence if the risk occurs) of attacks are evaluated in order to define risk levels. It is then stated what the acceptable level of risk is (cf. step 3).
2.4. Step 3 – State the security objectives
Figure 7. Step 3 – State the security objectives
Objectives:
• Determine how the essential elements can be affected by the threat agents (risk)
• Threat agents can affect the essential elements by using a given attack method to exploit their vulnerabilities
• The security objectives mainly consist in shielding any vulnerabilities from the entities that represent what are considered to be the existing risks
ERDF example: Our goal is to state our security objectives without specifying the technical solutions. These objectives constitute the long-term security policy. In order to illustrate the methodology, two macroscopic security objectives have been identified for ERDF future Smart Meters System:
• Protection of critical orders (authenticity, integrity and non-repudiation). Critical orders, such as changing the electrical power subscription or targeted curtailment, should definitely be secured by using strong security mechanisms (with regard to the identified threats and attack scenarios):
o to authenticate the sender,
o to verify that there is no unwanted modification, and
o to make the sender responsible for his actions.
• “Evolution”. Keeping in mind that the metering system components will need to be upgraded during their long life, the ability to upgrade these components’ firmware, software, or application has to be an essential and inherent feature of the system. Since new security functionalities could also become useful in the future, the upgrade could be used to integrate those new functionalities. This upgrade process itself ought to be secured!
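Steps 1 to 3 above (express each essential element's sensitivity per criterion, evaluate each threat's likelihood and impact to obtain a risk level, then fix the acceptable level and derive the objectives that must cover the rest) can be carried out over a small model. The following is an added example, not ERDF's tool or EBIOS itself: the numeric scales, the second essential element's ratings, the threat list with its likelihoods and the acceptable-risk threshold are constructed assumptions. Only the element “detection of low voltage incident” with its High/High/Low/Low ratings, the entity “local actions on the meter”, and the attack-method names “no authenticity guaranteed” and “use resource without accountability” are taken from the chapter.

```python
"""Risk-level computation over essential elements, following the Step 1-3 structure
described above (sensitivities, threats with likelihood and impact, acceptable level).

Added illustration, not ERDF's or EBIOS's own tooling. Scales, weights, the threat
list and the threshold are assumptions; see the comments marking constructed values.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed numeric scale for the Step 1 sensitivity ratings (impact if the criterion is lost).
LEVEL: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class EssentialElement:
    name: str
    sensitivity: Dict[str, str]   # criterion -> "Low" / "Medium" / "High"


@dataclass(frozen=True)
class Threat:
    name: str
    criterion: str        # security criterion the attack method undermines
    likelihood: int       # assumed 1..3 scale (3 = most likely)
    attack_method: str


@dataclass(frozen=True)
class Risk:
    element: str
    threat: str
    level: int
    acceptable: bool


def risk_level(element: EssentialElement, threat: Threat) -> int:
    """Step 2: risk = likelihood x impact, impact being the element's sensitivity for that criterion."""
    impact = LEVEL[element.sensitivity[threat.criterion]]
    return threat.likelihood * impact


def assess(elements: List[EssentialElement], threats: List[Threat], acceptable_max: int) -> List[Risk]:
    """Evaluate every element/threat pair against the stated acceptable level."""
    return [
        Risk(e.name, t.name, lvl, lvl <= acceptable_max)
        for e in elements
        for t in threats
        for lvl in [risk_level(e, t)]
    ]


def objectives_needed(risks: List[Risk]) -> List[Tuple[str, str]]:
    """Step 3: each unacceptable risk must be covered by a security objective (stated independently of any technology)."""
    return sorted({(r.element, r.threat) for r in risks if not r.acceptable})


def build_example() -> Tuple[List[EssentialElement], List[Threat], int]:
    """Constructed data set; only the first element's ratings come from the chapter."""
    elements = [
        EssentialElement("detection of low voltage incident",
                         {"Availability": "High", "Integrity": "High",
                          "Confidentiality": "Low", "Accountability": "Low"}),
        # Ratings below are constructed for the illustration, not ERDF's values.
        EssentialElement("local actions on the meter",
                         {"Availability": "Medium", "Integrity": "High",
                          "Confidentiality": "Low", "Accountability": "High"}),
    ]
    threats = [
        Threat("forged incident report", "Integrity", 2, "no authenticity guaranteed"),
        Threat("communication chain outage", "Availability", 2, "denial of service"),        # constructed
        Threat("eavesdropping on reports", "Confidentiality", 3, "interception"),            # constructed
        Threat("disputed meter action", "Accountability", 2, "use resource without accountability"),
    ]
    acceptable_max = 3   # assumed threshold: risk levels above 3 need an objective
    return elements, threats, acceptable_max


def run_example() -> List[Risk]:
    elements, threats, acceptable_max = build_example()
    return assess(elements, threats, acceptable_max)


if __name__ == "__main__":
    for r in run_example():
        print(f"{r.element:36} {r.threat:28} level={r.level} acceptable={r.acceptable}")
    print("objectives needed for:", objectives_needed(run_example()))
```

Note how the page's own example falls out of the numbers: eavesdropping on incident reports stays at an acceptable level because confidentiality of that element is Low, whereas a forged or delayed report exceeds the threshold because integrity and availability are High, which is exactly the "right information on time" statement in Step 1.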
2.5. Step 4 – Determining the security requirements
Figure 8. Step 4 – Determining the security requirements
Objectives:
• Specify the required security functionalities
• Demonstrate that the security objectives are perfectly covered by these functional requirements
• Specify assurance requirements to allow the required level of confidence to be obtained and then demonstrated
ERDF example: We want to state our security objectives without specifying the technical solutions. These objectives constitute the long-term security policy and should reduce all possible risks.
Figure 9. Security objectives and risk coverage presentation
Figure 10. An example of the results of our approach
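Step 4 turns an objective into a functional requirement that demonstrably covers it. For the “protection of critical orders” objective stated in Step 3, a minimal functional requirement is: every critical order carries the sender's identity, a per-sender sequence number and a keyed message authentication code, and the receiving side rejects orders from unknown senders, orders whose MAC does not verify (unwanted modification) and orders whose sequence number was already seen (replay). The following is an added example and not ERDF's or any vendor's implementation; the message layout, sender names and keys are constructed. It uses an HMAC over a canonical JSON encoding, which gives sender authentication and integrity between parties sharing a key and accountability at the level of the key holder; third-party-verifiable non-repudiation would require an asymmetric signature in place of the HMAC, which is the one swap a production design would make.

```python
"""Authenticated, replay-protected critical orders (Step 4 functional requirement).

Added illustration; not ERDF's implementation. Message fields, sender names and the
demo keys are constructed. Authenticity and integrity come from an HMAC-SHA256 over a
canonical encoding; accountability from one key per authorised sender; replay
protection from a strictly increasing per-sender sequence number.
"""
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed demo keys; in practice one key per authorised sender, held in a key store.
SENDER_KEYS: Dict[str, bytes] = {
    "ops-centre-1": b"constructed-demo-key-1",
    "ops-centre-2": b"constructed-demo-key-2",
}


def canonical(order: dict) -> bytes:
    """Deterministic encoding so sender and receiver MAC exactly the same bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_order(sender: str, seq: int, meter_id: str, command: str, key: bytes) -> dict:
    """Build an order and attach the MAC computed over every other field."""
    order = {"sender": sender, "seq": seq, "meter": meter_id, "command": command}
    mac = hmac.new(key, canonical(order), hashlib.sha256).hexdigest()
    return {**order, "mac": mac}


class OrderVerifier:
    """Receiving side: checks origin, integrity and freshness before an order is executed."""

    def __init__(self, keys: Dict[str, bytes]) -> None:
        self.keys = keys
        self.last_seq: Dict[str, int] = {}   # highest accepted sequence number per sender

    def verify(self, msg: dict) -> Tuple[bool, str]:
        sender = msg.get("sender")
        key = self.keys.get(sender)
        if key is None:
            return False, "unknown sender"
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        # Authenticate before touching any state, using a constant-time comparison.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "MAC mismatch: modified in transit or not from the claimed sender"
        seq = body.get("seq")
        if not isinstance(seq, int) or seq <= self.last_seq.get(sender, 0):
            return False, "replayed or stale sequence number"
        self.last_seq[sender] = seq
        return True, "accepted"


def run_demo() -> Dict[str, bool]:
    """Constructed exchange covering the accept path and the three rejection cases."""
    verifier = OrderVerifier(SENDER_KEYS)
    key = SENDER_KEYS["ops-centre-1"]
    order = sign_order("ops-centre-1", 1, "meter-0001", "set-power-limit:6kVA", key)
    outcomes: Dict[str, bool] = {}
    outcomes["valid"] = verifier.verify(order)[0]
    outcomes["replay"] = verifier.verify(order)[0]            # same order delivered twice
    modified = {**order, "command": "disconnect"}             # field changed after signing
    outcomes["modified"] = verifier.verify(modified)[0]
    unknown = sign_order("unlisted-party", 1, "meter-0001", "disconnect", b"some-other-key")
    outcomes["unknown sender"] = verifier.verify(unknown)[0]
    follow_up = sign_order("ops-centre-1", 2, "meter-0001", "set-power-limit:9kVA", key)
    outcomes["next order"] = verifier.verify(follow_up)[0]
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

The sequence-number check is deliberately placed after the MAC check: an unauthenticated message must never be able to advance the receiver's replay state. The same structure carries over unchanged when the HMAC is replaced by a signature verified with the sender's public key, which is the step that adds non-repudiation.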
3. Discussion of the Risk Management Method
Security objectives must not depend on technologies. For example, if classical telecom lines are used instead of mobile phone communications, or any other wide area network technology, for technical reasons, security objectives should remain the same. If the data is confidential when transmitted through the lines, the same data is of course still confidential when transmitted over other media. Those objectives have to be stated clearly, even if there is not an adequate technological answer to fulfil them today. Long-term objectives must be addressed; a new technology or product could appear from one moment to the next and be the answer to our needs. We only state our security objectives and what we believe to be an acceptable level of risk. The technical requirements and solutions to achieve our security policy are handled by the solution providers. When accomplishing the security objectives, one should never forget that the security chain is only as secure as the weakest link. Each link has to be taken into account; this includes operators performing actions on the Information System, local and wide area networks, meters, etc. Tightening security measures can happen on different levels, including technical, human (education, training, and awareness), and procedural levels. In fact, it is crucial that none of these dimensions should be forgotten.
Figure 11. Modelling of the AMM system
As illustrated in Fig. 11, all components have to be considered, from smart meters to the metering Information System, including network communications. An attack could occur at any element of the chain, from equipment to data or orders, through the supervisory and operation centre. All actors, from constructors to public regulators, have an important role to play in ensuring the cyber-security of the supply chain in metering systems.
Conclusion
Security objectives should be clearly stated, without specifying any technical solution, in order to protect our critical assets against thoroughly identified risks. Options should be kept open, in order to leave opportunities for future potential evolutions. The management support is essential throughout the whole process. All of this work has to be done before the metering system is designed. More generally, all metering actors, utilities, regulators, solution providers, manufacturers, and integrators, will have to be involved in a global security approach that allows for experience and knowledge sharing. The earlier this is done, the better.
Section 2 Understanding Terrorism and Its Interaction with Critical Infrastructures
Section 2.1 Facing Terrorist Attacks and Attacks to Critical Infrastructures
Modelling Cyber Security: Approaches, Methodology, Strategies U. Gori (Ed.) IOS Press, 2009 © 2009 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-074-2-109
Al-Qaeda: Its Global Marketing Strategy
Anat HOCHBERG-MAROM1
Tel Aviv University, Israel
Abstract. This study presents a new and unique perspective -- the marketing perspective -- to analyse and increase our understanding of the global terror phenomenon. Based on a quantitative-statistical content analysis of the statements of Al-Qaeda's leaders, I examined how a global terror organisation, such as Al-Qaeda, markets itself using the international media and the Internet between the years 2000-2008. The findings reinforce the idea that Al-Qaeda's leaders consciously adopt a nihilistic-destructive approach and aim to destroy the "other" world, which it views as a world that is not a "pure" and "authentic" Islam, from its point of view. They encourage the willingness to kill and to die in the name of God and emphasise that the Jihad activists are their primary agents for cultivating and distributing the "martyrdom culture". Furthermore, Al-Qaeda and its partners utilise the Internet not only to intensify its power and radicalise the strength of the Jihadi image, but also to empower its worldwide strategic threat. By knowing "our enemy" and its uncompromising ideology and strategy, we can actively help to confront Al-Qaeda today, with counter-marketing-warfare and undermine its discourse.
Keywords. Marketing perspective, content analysis, Internet, Al-Qaeda, Jihad, threat, counter-marketing-warfare
Introduction
This study presents a new and unique perspective, the marketing perspective, for analysing and increasing our understanding of the global terror phenomenon. Although radical movements have been previously perceived as irrational ideological zealots by the West, my results demonstrate that Al-Qaeda currently acts as a rational actor, and thus can be examined using rational models and theories [1]. Therefore, once we have rationalised the actions of Al-Qaeda, we can improve our comprehension of how to counteract the global jihad group and reduce its influence and worldwide threat by employing marketing warfare tactics. Al-Qaeda leaders and supporters, who strive to influence "the hearts and minds" of the Muslim population around the world, use the resources of the Internet to promote and distribute its vision, ideology and policy, as well as its militant messages and values. Motivated by militant ideology, their objective is to position a powerful image of the organisation and its actions into the “awareness” of the public opinion, and thereby, influence the worldwide political and communications agenda. Marketing, in essence, deals with and concentrates on influencing public opinion [2]; for militant organisations such as Al-Qaeda, efforts to persuade and convince the masses can be "translated"/modelled into marketing terms and tools. An example of this is the use of a destructive approach and coercion tactics to distribute and promote their vision, policy etc. There is no doubt that for the global jihadists, the Internet is an important tool to be implemented as a form of "soft power"; Al-Qaeda and its partners utilise the cyber arena in the "war of ideas" in order to inflame millions of readers and viewers, and transform a large number of them into militants and even suicide bombers [3]. How does Al-Qaeda promote and distribute Global Jihad on the Internet, so that it becomes so very attractive to the masses (including non-religious and non-Muslim people all over the world)? While most studies deal with defence strategies that are designed to block potential cyber attacks, my research presents a totally different approach and methodology to analyse and confront the global terror phenomenon. In the research, I conducted a quantitative-statistical content analysis of the statements made by Al-Qaeda's leaders, using DVD/video recordings (containing approximately 3,500 minutes of airtime) that have been released over the international media channels and the Internet between 2000 and 2008. By implementing a universal marketing model2 on Al-Qaeda recordings, and by analysing Bin Laden's and Zawahiri's statements, I was able to thoroughly examine their ideology and strategy as well as the patterns of their actions. My aim was to reveal some practical insights. The results are briefly described below.
1 I am grateful to the Netvision Institute for Internet Studies (NIIS). I am particularly grateful to Prof. Shaul Mishal and to Prof. Alex Mintz, and for the comments made here by Prof. Niv Ahituv. Address correspondence to Anat Hochberg-Marom, Tel Aviv University, Israel. E-mail: [email protected]
1. What "Products" Does Al-Qaeda Market?
Empirical results strengthen the common view that the Jihad is perceived by Al-Qaeda as the highest religious value (rated 41%) and described by Bin Laden and Zawahiri as the political objective and military tool used to advance and distribute its perception of the world. "Ummah", in Arabic, literally means a "nation" but can also mean a "universal community"; this, in Al-Qaeda's view, is a global Islamic civilisation. However, this concept surprisingly has the lowest frequency among favourable religious values, with a rating of only 25%. This is the opposite result to what we had anticipated. In fact, we would have expected that for Al-Qaeda leaders, who often claim to defend Islam from Western hegemony, a universal value would be the primary tool for consolidating and intensifying the unity and solidarity among worldwide Muslim populations. In addition, Bin Laden and Zawahiri do not mention any political program for constructing a nation based on any specific model. This is a clear indication that the leaders of Al-Qaeda are selling an image rather than a concrete ‘product’ and are exploiting the hopes, desires and weaknesses of people as a means to another end. From a marketing perspective, we can generally infer that, although they call for building a universal caliphate, their "constructivist" approach is implemented by negative orientation and coercion tactics; this includes killing anyone who is perceived to be an "infidel" or "apostate" from their perspective, including their Muslim "brothers" who do not adhere to their "pure" Islam. Furthermore, the above findings reinforce the idea that Al-Qaeda's leaders are not only motivated by a non-constructivist approach, but they also consciously adopt a nihilistic-destructive approach, aiming to cause political-social anarchy and impose a "pure" and "authentic" Islam.
2 The Marketing model is known by the abbreviation "4P's". It argues that marketing strategy is determined by four attributes: Product, Price, Promotion and Place. McCarthy, E. Jerome: Basic Marketing, Irvin Homewood, IL. 1960; Kotler, Philip and Andreasen R. Alan, Strategic marketing for nonprofit organizations, Pearson/Prentice Hall, Upper Saddle River, NJ, 2003
A. Hochberg-Marom / Al-Qaeda: Its Global Marketing Strategy
2. What is the "Price" of Cost-effectiveness for a Global Terrorist Organisation such as Al-Qaeda? Empirical findings reinforce the idea that, for Al-Qaeda, participation in Jihad and self-sacrifice (i.e., committing suicide) is a matter of strength that stems from having a strong faith and devotion, as opposed to the Western claim that it is a matter of weakness and a "nothing-to-lose" position. "Price" for Al-Qaeda followers/supporters is framed by the willingness to sacrifice the present comfortable life and lifestyle (including family, social connections, status at work, wealth etc.) for the "hereafter" and the collective virtue. It is interesting to note that in their statements, Bin Laden and Zawahiri, who use religious and psychological incentives to encourage sacrifice, emphasise the need to have a strong "belief-in-God" and a great sense of power; they glorify personal characteristics such as determination, courage, decisiveness and, above all, the willingness to kill and to die for the sake of God, contrary to the "desire-for-pleasure" for the sake of the individual, as is perceived to be common in the West. From this perspective, it is reasonable to infer that Jihad appeals to young people around the world who want to express their courage and leadership, no matter what religion, nationality or language background they come from. Furthermore, by its aggressive-destructive approach, Jihad inspires and empowers young people to act and to take risks. In this way, when they are given the chance to actively participate in a cause or feel they have some control over their destiny, they consequently feel that they have fulfilled their sense of power and desire for eternal life as a martyr/"shaheed".
3. How Does a Global Terrorist Organisation Promote its "Products"? On-line D'awa/education is the most popular form of promotion used by Al-Qaeda (rated 55%) to clarify and glorify the advantages achieved from adherence to religious values. Bin Laden and Zawahiri strive to influence the perceptions, opinions and beliefs of Muslims. They do this by using different rhetorical devices and wording that combine political rhetoric as well as Islamic symbols and narratives to describe the "crisis of values" of Islam and the urgent need to act [4]. While they rationally and emotionally apply different messages to differing target audiences, they arouse and reinforce feelings such as hate, humiliation and fear that are diverted towards fuelling an active Jihad (both physical and virtual) against the West. Moreover, it is important to remember that the term Jihad is perceived differently by the West than by Al-Qaeda and extremist Muslim groups. In the West, Jihad is understood and narrowly perceived to be a “holy war”. For Al-Qaeda’s leaders, however, Jihad is a total and eternal military struggle that is identified with the victory of the spiritual over the materialistic and, therefore, a victory of Islam over the West. Utilising Western virtual capabilities against Western values, on-line D'awa enables Al-Qaeda to intensify its power and radicalise the strength of the "Jihadi" image, not only for those who participate in the virtual "war of ideas", but also for the worldwide population outside the net. More importantly, in the absence of regulation and control, the cyber arena enables the development of an independent Global Jihad discourse that is characterised by a contextual meaning and identity. Thus, we can infer that the significance of the on-line D'awa for Al-Qaeda is not only the empowerment of its activity and status, but also its worldwide strategic threat.
Furthermore, in my opinion, in the Internet era, Jihad has become a popular "global trademark" that no longer depends on any specific organisation or leader (such as Al-Qaeda and Bin Laden respectively), and therefore it is more dangerous, as opposed to the common perception in Western discourse on the subject.
4. How Does a Global Terrorist Organisation Distribute its Messages and Values ("Place")? The next question that I examined was: "who are the agents that practically distribute non-tangible assets, such as the Global Jihad of Al-Qaeda"? In a religious collectivist society, such as Islam, it is accepted that religious scholars are the mediators between the holy and the worldly. They are the main channels through which religious values and messages are distributed. However, Bin Laden and Zawahiri, who tend to resist religious authority (i.e., the institutional 'Ulema'), have developed an alternative distribution channel, namely, independent religious scholars. The latter assume responsibility for distributing Al-Qaeda’s ideology and perceptions. Nonetheless, based on empirical evidence, Al-Qaeda leaders emphasise that the Jihad activists (rated 61%, which is the highest rating) are their primary agents used to cultivate and distribute the "martyrdom culture", and who also use terror activity to impose their "true" Islam. From an Al-Qaeda point of view and as derived from a religious decree (i.e., "tawhid"/the "oneness" of God), Jihad activists are perceived as the most faithful believers, who are obligated to distribute the global Islamic message. Moreover, since they are the expression of such strong faith and total fidelity to God, the Jihad activists are glorified as the ideal model for "Jihad activity", and because of this, they are willing and determined to sacrifice their lives to the cause. From this perspective, we can deduce that, in the eyes of Bin Laden and Zawahiri, extremist young Muslims are considered to be militant "weapons" against the West and its supporters (who are perceived to be "infidels") and not the peaceful future generation.
Therefore, based on the above as well as on other empirical findings, there is strong evidence that Al-Qaeda is not aspiring to construct and consolidate the Muslim world, but is motivated by a militant-nihilist approach with the intent to destroy the "other" world that, from its point of view, is not Islamic.
Conclusion By knowing "our enemy" and its uncompromising ideology and strategy, we can actively help to confront Al-Qaeda today by applying techniques of counter-marketing warfare in order to undermine its discourse; when appealing to young Muslims in particular, we ought to emphasise the importance of choosing a peaceful and constructivist approach to life rather than destructiveness and darkness. Through the proactive use of the Internet, and more specifically with tools of promotion, the West, and in particular Europe, can counteract Al-Qaeda's attractiveness and positively influence "the hearts and minds" of the future Muslim generation. Particular attention should be dedicated to the Muslim citizens of Europe.
References
[1] Walid Phares, The War of Ideas: Jihad against Democracy, Palgrave Macmillan, New York, 2007.
[2] Philip Kotler and Kevin Lane Keller, Marketing Management, Pearson/Prentice Hall, Upper Saddle River, NJ and London, 2009; Alan R. Andreasen and Philip Kotler, Strategic Marketing for Nonprofit Organizations, Prentice Hall, Upper Saddle River, NJ, 2003.
[3] Walid Phares, The War of Ideas: Jihad against Democracy, Palgrave Macmillan, New York, 2007; Reuven Paz, "Reading Their Lips: The Credibility of Jihadi Web Sites as ‘Soft Power’ in the War of the Minds", PRISM Series of Special Dispatches on Global Jihad, vol. 5/5 (2007), at: http://www.eprism.org/images/PRISM_no_5_vol_5_-Reading_Their_Lips_-_Dec07.pdf
[4] Oliver Roy, Globalized Islam: The Search for a New Ummah, Columbia University Press, New York, 2004; Rohan Gunaratna, Inside Al Qaeda: Global Network of Terror, Columbia University Press, New York, 2002; Gilles Kepel, The War for Muslim Minds: Islam and the West, Belknap Press of Harvard University Press, Cambridge, MA, 2004; Marc Sageman, Understanding Terror Networks, University of Pennsylvania Press, Philadelphia, 2004.
Modelling Cyber Security: Approaches, Methodology, Strategies U. Gori (Ed.) IOS Press, 2009 © 2009 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-074-2-114
A New Paradigm for Countering Jihadism
Antonio Guido MONNO
Colonel, Carabinieri Corps; Expert in Asian History and Institutions, Trieste University
Abstract The complex relationship that exists between Islam and the Western world makes it necessary to enlist an increasing number of people who are capable of understanding these two cultures and of mediating between them. The Islamic world, in all its variety and diversity, becomes even more complex when it enters the West through immigration, where immigrants no longer have a purely superficial physical contact with the Western world, as was the case throughout the whole of the colonial period, but live within it. It is often the case that the products of both societies do not integrate, but tend to dis-integrate, not knowing to which world they belong. People using religious symbolism to pursue political ideas, opting for terrorism as their means of struggle, are able to exploit this sense of searching for an identity. This type of exploitation avails itself of the multiplier effect of the virtual world to bolster support; but without an adequate counterweight, this can cause damage which, while not irreparable, can impair our complex societies. This paper takes a fresh approach to countering this phenomenon, which could prove to be extremely effective in confronting this quest to enlist support. Keywords. Web; Terrorism; Islam; Salafism; Recruitment; Propaganda; Immigration.
Introduction Contemporary conflicts, whatever their nature, are not only being fought out in the real world, but also in the virtual world, for operational, logistical and “marketing” purposes, particularly, in the latter case, through a propaganda mechanism which can lead to recruitment and indoctrination. The potential the Internet offers for achieving these aims initially seemed to be fairly limited. Wiktorowicz [1], for example, maintained that before people took part in acts of violence they had to undergo a long process of “socialisation”; Sageman wrote that: “for the type of allegiance that the jihad demands, there is no evidence that the Internet is persuasive enough by itself” [2]. While the opinions voiced only a few years ago were well-founded, and to a large extent are still valid today, they obviously could not take into account the degree to which the Internet is now able to contract time and space. There are, however, a number of scholars who believe that the important part that the Internet plays in recruitment is bound to increase.
1 Wiktorowicz, Quintan, “Joining the Cause: Al-Muhajiroun and Radical Islam”, Department of International Studies, Rhodes College, at http://www.yale.edu/polisci/info/conferences/Islamic%20Radicalism/papers/wiktorowicz-paper.doc
2 Sageman, Marc, Understanding Terror Networks, University of Pennsylvania Press, Philadelphia, 2004.
A.G. Monno / A New Paradigm for Countering Jihadism
In his book “On Intelligence” [3], Robert Steele predicted that there would be greater recourse to open sources, in which the Internet would play a paramount role in the optimum management of Intelligence. Neumann has written that: “….it would be a mistake to brush aside or ignore these instances of self-recruitment merely because they do not fit with long established views about group dynamics and the importance of social bonds. It is easy to forget how quickly the Internet has evolved, and it may well be the case, therefore, that widely held assumptions will have to be reassessed as the new medium continues to change the way in which we communicate” [4]. In operational terms, the November 2008 Lashkar-i-toiba terrorist operation, carried out in Mumbai, demonstrated the essential role of the Internet and modern technology. But apart from the operational applications, I would like to focus my attention on the phases of both the enlistment of support and of recruitment – particularly in the Western world – by the organisations that draw their inspiration from so-called jihadist theories, and on an innovative potential means of combating them, which as far as I know has never been tried. In a special report published in March 2004 by the United States Institute of Peace, entitled “www.terror.net: How Modern Terrorism Uses the Internet”, Gabriel Weimann examined the various possibilities provided by the virtual world that could be exploited by all organisations, many of which are considered to be terrorist groups, to attain their ends. These possibilities consist above all of:
- spreading their ideology and view of society and the world to attract support;
- challenging ideologies and policies at odds with their own;
- recruiting people in several stages, initially by merely attracting people interested in or feeling sympathy towards an idea or ideal, and gradually leading to all-out active involvement;
- extolling their actions and consequently building up myths, and decrying everything done by the adversary.
Using the Internet, these groups put forward what Professor Anat Hochberg-Marom has called “the marketing perspective” and, following standard marketing practice, most of their activities are performed in virtual mode. The Western mind often underestimates the importance of the modern mass media and propaganda in the Islamic world, despite daily events that demonstrate the contrary. Khomeini’s revolution, whose ideas were propagated above all through sermons distributed on audiocassettes, as well as images broadcast on al Manar (Hezbollah's TV network) or al Aqsa TV (Hamas’s network), and videos broadcast over the Internet on sites linked to the jihadist world, show that the Islamic world has certainly not remained aloof from modernisation or from using the most common communications tools. Anyone who thinks that the style of these messages lacks communicative effectiveness would fall into what Edward Said denounced as “Orientalism” – the wholly Western tendency to apply thought patterns that may work well, though not even everywhere, for the average Western culture and are considered to be superior, without taking into account the fact that the vast majority of the world’s population has other cultural archetypes.
3 Robert Steele, On Intelligence: Spies and Secrecy in an Open World, AFCEA, 2000.
4 Peter R. Neumann, Joining Al Qaeda: Jihadist Recruitment in Europe, Adelphi Paper 399, Routledge for the International Institute for Strategic Studies, London, 2008.
1. The Reality of the Islamic World and its Relations with the West
1.1. The Islamic World
Although due account must be taken of the fact that democracy, as it is understood in the West, is certainly not part of the tradition of most countries in the Islamic world, one might raise the issue of the responsibilities of the colonial and imperial powers in this regard. But this would fall outside the scope of this paper. It is important to remember that only one in five of the almost one and a half billion Muslims in the world live in regions that the West views as typically Islamic, that is to say, in places from which the message of Muhammad was propagated; most Muslims live in Asia and Africa, while many millions have now settled in the Western world. From the ethnic, social and religious points of view, the Muslim world is not monolithic. In addition to the well-known difference between Shi'ites and Sunnis, there are also numerous other distinctions within both these branches of Islam. The difference between the Twelver and the Fiver Shi'as, the presence of the Isma’ili sects, from which the noted Hashshashin originated within the Shi'ite world, to mention but a few, and the numerous differences amongst the Sunnis, including those of the four leading legal schools, each of which is linked to a cultural and ideological archetype and present in different areas of the Sunni world, underlie the complexity of this subject. Furthermore, the message of Muhammad envisaging the establishment of a new society united by new bonds of solidarity – the Ummah – intended to replace the previously existing tribal ties never came into being in practice, except within the Islamic imaginary.
Even the much-lauded period under the leadership of the “Rightly Guided Caliphs”, or the al-Khulafa ar rashidun, the first four caliphs, successors of Muhammad, should be viewed with a certain detachment, considering that three of these caliphs died violent deaths which, if nothing else, suggests a certain degree of internal strife. For Muslims, Islam is a unicum in which it is meaningless to try to distinguish between the legal and the moral spheres, both of which have their origins in the Sharia, the path revealed by God, whose founding pillars are the Qur’an and the Sunnah of the Prophet. Since Islam has no priestly class as a mediating authority between man and God, which Muslims consider to be a direct relationship, no-one has ever been seen as the depositary of the orthodox interpretation of Islamic truth. In Islam, those the Western world equates with its concept of clergy are, in reality, interpreters, responsible for safeguarding the dogma, rituals and law of Islam, and for making decisions regarding the lawfulness of new ideas and theories. Due to the extreme complexity of the revealed language, over time the roles of the ulama and the fuqaha, or religious scholars and experts in sharia law in general and in fiqh in particular, came into being [5]. As Khaleed Mohammed has put it, “Even for native Arabic speakers, the Qur’an is a difficult document. Its archaic language and verse structure are difficult hurdles to cross” [6]. This function, of interpreting and safeguarding, has been of enormous importance throughout the Islamic world, legitimising, de facto, the role of these ulama and fuqaha as leaders of the various communities in return for protection and patronage. It should be recalled that the greatest peril that the Islamic community can face is fitna, the splitting of the community. According to traditional Islamic teaching, it is preferable to accept the lesser evil of a usurper as the leader of the community than to permit internecine strife within the community. In time this results in the acquiescence of the people to the status quo. Language is another factor which helps to increase the structural diversity of the various Islamic communities. Contrary to what is sometimes thought, although classical Arabic was the language used for revealing the Qur'an, which must be maintained and memorised in that language, it does not perform any other bonding function to hold the Islamic world together. For example, it is impossible for Muslims from Pakistan, Albania, Indonesia and Nigeria to hold a conversation because of a lack of widespread familiarity with spoken classical Arabic.
5 It is important to note that fiqh may be considered a part of Islamic jurisprudence in that it complements sharia law. Given its nature, fiqh has developed and evolved over time.
1.2. The Islamic World in the West
One can therefore well imagine what happens when all this is transferred to the Western world, where millions of Muslims live as members of religious and ethnic minorities, initially stemming from a colonial past and subsequently from immigration and globalisation. According to classical Islamic theory, living in the lands known as dar al harb (house of war) or at most dar al hudna or dar al suhl (house of the truce) is a negative condition for Muslims. This condition may, in principle, be considered temporary, because it is impossible in such places to fully deploy the Islamic identity, which entails membership of the ummah (the Islamic community).
Over the years, in order to preserve and not lose their customs and traditions and not to feel dispossessed, the Islamic communities in the West have had to adjust to their situation by looking to their places of origin as benchmarks. Since these communities have never really been accepted into the Western world, they have become inward-looking in order to survive. The Muslim presence in Western Europe, which was rare until the dawn of the 19th century, began to gain ground in the colonial period. The First World War led to a sharp increase in the Muslim population because of the need for labour, in addition to the use of colonial troops as instruments of war. Some 72,000 Muslim colonials died for France, and between 45,000 and 75,000 died for Britain. By the end of 1918, there were officially 59,088 North Africans living in France. By 1929, this number had increased to 69,800, and to 102,000 by 1931. In the United Kingdom, there were between 10,000 and 20,000, in addition to several hundred converts [7]. In both these Western countries, which were driving forces of Western colonialism, the Muslim identity was defended through such sufi orders as the Alawiya, and through the penetration of the two leading schools of thought already present in India, the Barelwi and the Deobandi, which propagated different ideas but shared the need to come to terms with a situation in which the Islamic religion had ceased to be dominant and had become a minority faith. These schools were therefore committed, with differing perspectives, to preserving the Islamic identity. The Second World War not only made use of the colonies’ military personnel, labour force and resources, but it also brought the war, the ideologies and the armies into the Muslim world, from Africa to Asia, with great loss of life; one-half of the Indian forces used by the United Kingdom in the Second World War came from one region of India alone, the Punjab, which was overwhelmingly Muslim. On a purely personal note, I should like at this point to recall the sense of community that one experiences in seeing Christians from Britain, New Zealand, South Africa and Australia, Muslims from India and Jews, who fought with the Jewish Brigade, resting together in the British Military Cemetery at Camerlona (Ravenna, Italy). In the post-war period, political ideologies and a heightened self-awareness in the colonial world, driven by veterans such as the Algerian ben Bella, eventually led to the collapse of the European colonial powers, which were embroiled in conflicts in which the resources of the immigrants and appeals to Islam as a unifying force played no small part. From that moment onwards, the Islamic presence in the Western world was made up not only of immigrants as cheap labour, but also of political refugees and migrants living abroad to study and to take up highly skilled occupations. But perhaps the most important change was in the attitudes of the migrants themselves, who were no longer interested in returning to their original homeland, but wanted to lead a new life in a new place that was extraneous to their culture of origin.
6 http://www.meforum.org/717/assessing-english-translations-of-the-quran
7 Clayer, Nathalie and Germain, Eric (eds.), Islam in Inter-War Europe, Hurst, London, 2008.
It was in this environment that the second- and third-generation Muslims have grown up, for whom the integration – or, rather, the conflict prevention – policies implemented until then in Western countries appeared to have failed, just as the United States’ ‘melting pot’ concept no longer seemed to be relevant to current needs. The perceptions and feelings of second- or third-generation Muslims in the Western world have been highlighted by several of their writers, and in this connection I would recall the description given by Hanif Kureishi in his book “The Word and the Bomb”. Not being fully accepted due to the colour of their skin or their allegiance to another religion, which was viewed as a threat to the local modus vivendi, they feel uprooted from the social fabric and they identify with, and idealise, the other half of themselves that is linked to their distant origins and homeland, which often bears little resemblance to reality while at the same time fully satisfying some internal aspiration. Oliver Roy has written that, “Neofundamentalism has gained ground among rootless Muslim youth, particularly among second- and third-generation migrants in the West. Even if only a small minority is involved, the phenomenon feeds new forms of radicalization, among them support for al Qaeda, but also a new sectarian communitarian discourse, advocating multiculturalism as a means of rejecting integration into western society. These Muslims do not identify with any given nation-state, and are more concerned with imposing Islamic norms among Muslims societies and minorities and fighting to reconstruct a universal Muslim community, or ummah” [8]. The younger generations are having to carve out an identity of their own, as both citizens of states that belong to the Western world and as followers of the Muslim faith, the latter experienced in a world that is alien to the social fabric of the life, daily experiences and codes of conduct that constitute the very essence of Islamic culture and in which a common language becomes the bonding agent. I am speaking, here, of an Islamic faith and experience lived through the customs that have been handed down within the family, with precepts, traditions and customs that are often thought to be Islamic while, in reality, they are features of the culture of the place from which the family originated, and where the disassociation between the two worlds can be extremely pernicious. This by no means applies only to the Islamic world transplanted into the West, in which two worlds are in a state of conflict within one and the same individual. It is a phenomenon that has also emerged recently within the Islamic world itself. Antonio Giustozzi [9] has written that: “Gul (Imran Gul, programme director of the Sustainable Participation Development Program, an NGO based in Banu, just outside North Waziristan) believes that the tribal system is in crisis and that it can no longer provide peace, income, a sense of purpose, a social network to the local youth, who then turn to radical movements (collectively known as the Pakistani Taliban) as the only outlet where they can express their frustration and earn the prestige once offered by the tribal system”.
8 Oliver Roy, Globalized Islam, Columbia University Press, New York, 2004, p. 2.
1.3. The New Islamic Thinking
This quest for an identity has obviously paved the way for the emergence of a new class of preachers, imams and leaders of mosques who follow the new Islamic ideologies, which are seeking a new dimension of Islam and Islamic culture and which originated with such thinkers and intellectuals as Muhammad Abdu, Rashid Rida and Gamal al Din al Afghani.
This new ideology reinterprets Islam, not along the lines of the past – which had led to the decline of Islam as a unicum of din and dawla, State and faith, in which the concept of watan (nation) had acquired primacy over the concept of ummah (community in the broadest sense of the term) – but by seeking to “modernise” the Islamic world through the use of the modern media detached from the Western culture that is usually linked to them. It is, therefore, a case of a revival of the Islamic world in a Western context with rapidly evolving ideologies and programmes, while remaining fiercely attached to basic elements related to its security in terms of resources and the economy. The development of this way of thinking has given rise to numerous schools of thought, such as those developed by the Muslim Brotherhood and by such ideologues as Hassan al Banna, Sayyid Qutb and Abu ala al Mawdudi, who are considered to be the masterminds behind the modern extremist movements. These are the innovative driving forces advocating a revisitation of Islam through a doctrine called Salafiyya. This doctrine is based on the premise that it is only by returning to the original Islam, the Islam of the Salaf [10] or “Companions of the Prophet”, that all problems can be solved, relying on one simple certainty: a doctrine that had made it possible for a small community caught between two empires, animated solely by total devotion and submission to the one God, to create a new “empire” by destroying the other two had demonstrated de facto its soundness and, in their eyes, was confirmed by divine support. This soundness was only compromised subsequently, due to later changes to its original essence. A return to the original sources is therefore the only answer. Other theories have stemmed from this mindset, including those involving the concepts which, in the Western world, we mistakenly call ‘jihadism’. While most of those modern preachers that attract large numbers of Western Muslims in search of an identity are the exporters of such ideas, it nevertheless remains the case that not all salafitic ideas support terrorism as a means of struggle. Furthermore, amongst the latter, some advocate combating “the near enemy” – namely, the regimes in the Islamic world – and others “the far enemy”, namely, the Western countries, which support the Islamic regimes. Erecting a new doctrinal system that is based on an ideal view of the past raises numerous issues regarding the foundations on which the system is to be built. For the ideal reconstruction of a perfect society, the salafite movement relies on two essential pillars, the Qur'an and the Sunnah of the Prophet. The problem, however, is deciding who is to interpret the Qur'an and who is to decide which events and sayings of the Prophet are true. In particular, it is not a foregone conclusion that the new preachers acknowledge the codes of traditional deeds and sayings, which are commonly accepted by the classical theory of Islamic knowledge. And while this applies to that area of the world in which Islam is the cultural faith to which the vast majority of the population claims allegiance, it applies to an even greater degree in the Western world where, as we have already seen, the linguistic knowledge of the parents and grandparents has gradually been lost, making it impossible even to refer to a body of classical knowledge.
9 Antonio Giustozzi, Koran, Kalashnikov and Laptop: The Neo-Taliban Insurgency in Afghanistan, Hurst & Company, London, 2007.
10 A term meaning predecessors, applied to the ideology that seeks to recreate a lifestyle and world based on the practices of the earliest Muslims.
2. The Importance of the Web
This leads us to an analysis of what the cyber-world can signify today for the Islamic cultural faith. Most of the modern Islamic websites, or rather the sites dealing with issues of relevance to Islamic culture and the Islamic faith, are located in various places in the Western world, and the language they normally use is English. As a result, in a world without specific cultural and religious familiarity with the Muslim world, the website managers, like the preachers in the mosques mentioned earlier, are able to insert their own ideas and pass them off as being part of traditional Islam. Confirmation of this can be found in two articles published in the “Middle East Quarterly” [11], entitled:
- “Assessing English Translations of the Quran” [12];
- “Beheading in the Name of Islam” [13].
11 http://www.meforum.org/meq/issues
12 http://www.meforum.org/717/assessing-english-translations-of-the-quran
13 http://www.meforum.org/713/beheading-in-the-name-of-Islam
A.G. Monno / A New Paradigm for Countering Jihadism
121
These two articles demonstrate that traditional Islamic knowledge, that is to say, the knowledge of the ulama and the fuqaha, has been manipulated and tailored to suit the ideas of one or more groups and used by these groups to achieve their own ends. Khaleed Mohammed, the author of the first of these two articles, offers an in-depth examination of the English translations of the Qur'an, and shows how they have been monopolised and sponsored by the present Saudi dynasty, with the aim of ensuring the greatest possible diffusion worldwide. Suffice it to say, the English translation of the Qur'an by Mohammed Asad14 has been banned in Saudi Arabia. The author himself has written that, “Indicative of the desire and drive of Saudi Arabia to impose a Salafi interpretation upon the Muslim world, the kingdom has banned Muhammad’s work over some creedal issues. Because the Saudi government subsidizes the publication and distribution of so many translations, the ban has in effect made Asad’s translation both expensive and difficult to obtain. Nevertheless, it remains one of the best translations available both in terms of its comprehensible English and generally knowledgeable annotations”. It is relevant to note that Asad was a member of the Libyan Senussya resistance against the Italian occupation, a Mujahideen ante litteram, and yet, because his translation does not fit in with a one-sided and monopoly-oriented reading of Islam, his version has been censored. The author of the second article, Timothy R. Furnish, in his analysis of decapitation in Islamic theology, notes that everything that has been publicised and advocated as rooted in Islamic theology by the so-called “jihadist” groups – such as al Tawhid wa al Jihad, whose leader was Abu Mus’ab al-Zarqawi – is by no means consistent with the tenets of classical Islamic theology.
Zarqawi has said that he would “accept comments from ulema regarding whether his killing operations are permitted or forbidden according to Islam – provided that the ulema are not connected to a regime and are offering opinions out of personal conviction and not to please their rulers”.15 It is interesting to note in this regard that one Islamic website linked to “jihadist” doctrine16 makes reference to “The Book of Jihad” by Abi Zakaryya Al Dimashqi Al Dumyati, also known as Nahaas (who died in 1411), to subvert the well-known and established classical doctrine regarding jihad. This site claims that the difference between the “greater” and the “lesser jihad”, which is an important element in official Muslim doctrine and is considered to date back to the great authors of the past, did not in fact exist at all. When arguing the reasons why this hadith did not exist, the site obviously refers to Ibn Taymiyya and a series of ulama who also recorded some of the hadith of the Prophet, namely those supporting war as the only possible interpretation or meaning of jihad. The site referred exclusively to these as the sole means of understanding the meaning of jihad, adding that the other version “had never been reported by any scholar as having anything to do with the hadith”. This collection of hadith and this theory of jihad tend to look only at those deeds performed by the Prophet which support this interpretation of the doctrine. Although I am not saying that the website deliberately ignored other deeds, it certainly did not attempt to search for them, and when doubts arose – as often happens with events and issues needing interpretation – it was only logical to offer an interpretation that supported its particular views. It is no coincidence that the author the site refers to was one of the main sources on which Bin Laden’s mentor, Sheikh Azzam, drew. This might seem to suggest that the Internet only propagates messages connected with the type of Islamic doctrine that, in the West, is defined as “fundamentalist” – a term that was originally coined to identify theories connected with Christianity, and which therefore has no corresponding meaning in the Islamic cultural language. But this is not the case. As I have already pointed out, Salafi doctrine comprises numerous schools of thought, including those which the Western world deems jihadist. These last, however, are certainly not the only ones, as Gilles Kepel has pointed out in his book, “The War for Muslim Minds”. The aim of the radical preachers is obviously to recruit followers and get them to adopt their ideas, and thus lead them to commit actions using terrorism as the primary means to achieve their purposes. Although it has not yet been possible to profile the so-called ‘jihadist’ terrorists living in the Western world, the analysis carried out by Marc Sageman in his “Leaderless Jihad” is particularly interesting in that it topples a number of the myths connected with the reasons underlying the support that certain ideas attract – such as poverty, immaturity, ignorance, sexual frustration and so on – and instead emphasises the importance of the criterion of justice, which far outweighs the concept of democracy and that of brotherhood, both of which lead people to subscribe to certain ideas.
14 Born Leopold Weiss in July 1900 in what was then Lwów in the Austro-Hungarian Empire, Asad was a Jew who converted to Islam in 1926, changing his name to Mohamed Asad. During World War II, he was imprisoned by the British in a camp for enemy aliens (because of his Austrian nationality) while his father was interned by the Nazis for being Jewish. In 1949, Asad joined the Pakistan Foreign Ministry as head of the Middle East Division and, in 1952, went to New York as Pakistan’s representative to the United Nations.
15 Al-Zarqawi Associate, Al-Zarqawi Unconnected to Al-Qa'ida, Seeks to Expand Fighting to Entire Region, Middle East Media Research Institute (MEMRI), Sept. 23, 2004.
16 http://www.masterplanstewardship.org/ConstantContact/PDF/Mashari_Book_of_Jihad.pdf
3. A New Perspective for Countering These Ideas
A number of specific considerations can be drawn from the aforesaid. Most modern preachers, or imams, who advocate these so-called ‘jihadist’ doctrines do not have a background in the classical fields of knowledge or of Koranic scholarship. Their doctrinal construction is formulated using principles and religious symbols to push forward a political idea. Those who adopt this political view are driven above all by sentiments of justice and equity. Once this path has been taken, it becomes increasingly difficult to escape or renounce the commitment, owing to the powerful sense of group membership that is created and made all the more solid by shared experiences and by the progress made together. If the political idea is underpinned by religious concepts that extend beyond earthly experience through the construction of myths that make it possible for the individual to achieve the long-awaited recognition by a society which, until that moment, had ignored him, and, above all, if the ultimate purpose is the establishment by a supernatural reality of a better and more just society, it becomes easy to follow the pathway indicated by the spiritual guide. The question of how we can counter these efforts must be asked and answered. As I have already said, reality is very different from what our imagination or fears suggest.
It is important to emphasize that the majority of Muslims and followers of Islam are not extremists or fundamentalists. However, many attach no importance to the Western desire for a longer consumerist life of ease and comfort. Furthermore, there is a small percentage who are extremists and who, through the virtual activities on the Internet described above and their ensuing consequences in the real world, are capable of causing extremely serious damage to our complex and delicately balanced Western societies. This in turn only heightens a sense of mutual alienation. Below, I will suggest, through a proposed model, how I believe this problem could be faced and which approach will be the most effective. The key to the model, which I wish to propose as a means of countering so-called Islamist-type terrorism, is to acquire as thorough and accurate a cultural understanding of the Islamic world and society as possible, in order to be able to use it to challenge the cultural vulnerability of the “jihadist imams”. The Internet is the cyber-world where everyone has the right to speak out, a place where there are no controls and where information is often sacrificed to speed, but also where it is possible to apply Popperian falsification theories – if there is a public wishing to learn. It would help to break that unchallenged chain of thought in doctrinal terms if an alternative network of scholars, sociologists and political commentators from the Islamic world could be established – with cyberspace users from both cultures – to interact and to monitor discussions and trends. As far as we know, scholars and experts on the Islamic world have so far only been asked to supply their expertise for study and consultancy purposes, but not to act directly and actively in the field of counterintelligence to destroy or dent the validity of certain ideas and the foundations on which they have been based.
Only an expert or a person with a solid understanding of the Islamic world might competently navigate the world of what we have come to know as “fundamentalist” ideas. A fresh reading of “The Great Arab Conquests”17 by Sir John Bagot Glubb, better known as Glubb Pasha, the last British Commander of the Arab Legion in the Kingdom of Jordan, is enlightening in this regard. With his profound understanding of the Arab world, he was able to grasp the way the Bedouins fought and to adapt it to the circumstances of modern warfare. He succeeded in reconstructing the reasons for the victorious expansion of the Muslim armies, as they conquered the Arab lands following the death of Muhammad, and in exploiting them for his own military campaigns. One might ask how a scholar of the Islamic world could understand when a group starts professing the pathways of what is known as jihadist Salafism. The logical train of “jihadist” thought follows the canons of the life of Muhammad, the first step of which was to erect a new society through the Hijra, a society based on the canons of the structure put in place by Muhammad at Medina following his migration from Mecca. The Hijra is a historical period that has been seriously underestimated by those Westerners who are not experts on the Islamic world. It marked a break with the past and total dedication to a new society from which a new faith could be propagated. The whole construction of the jihadist movement is based on the observance of what is written in the Qur'an and in the Sunnah, as evidenced by the emergence and development of such movements. They advocate jihad against infidels, no longer meant as solely those who profess a faith other than Islam, but as anyone who professes or lives according to a different cultural code, thereby again taking up the concepts of jahiliyya and takfir, ignorance and apostasy, revisited in a modern form by the Egyptian ideologist Sayyid Qutb. All of this is obviously viewed one-sidedly, for there is no judge to issue a ruling and no common agreement on what is right and what is wrong, apart from whatever it is that the members of the group want. The structure, the military activities and the organisation are based on patterns borrowed from an ideal and idealised past, as one clearly sees from the statements issued in the wake of every terrorist attack. Who, then, is better equipped to penetrate and change the indoctrination and the quest for support by the “jihadist” preachers than an expert who is thoroughly familiar with the Islamic world? Who, better than an expert, can learn and understand when a virtual ummah is being created on the Internet, in which to grow a new community, but above all, can perceive in which direction the movement is heading, whether it be towards an area characterised by da’wa, preaching, through which to carry out a social revolution based on the construction of a critical mass within society, or towards the jihad, namely, a militant approach, by declaring war against the political leaders of nations forming part of the Islamic world who fail to observe the precepts and the contents of sharia law? What I have said above gives only a slight indication of the complexity of this subject area to anyone who is not a scholar or expert on the Islamic world, because it is impossible to address such complex issues using superficial knowledge and inaccurate information-gathering tools, particularly on the part of members of the security services.
17 John Bagot Glubb, The Great Arab Conquests, J.B.G. Ltd, Hodder & Stoughton, 1963.
Conclusions
Penetrating a system such as the cyber world of Islamic fundamentalist movements, engaging in dialogue on forums, instilling doubts about absolute truths, implementing a Popperian falsification process against unshakable truths, speaking the same language, sharing the same doubts, reasoning using the same methodologies: all of these could constitute a new instrument for countering fundamentalism. Success might perhaps be achieved by involving, in intelligence-gathering and operational programmes, people who know how to interpret the signals of worrying deviations and attitudes, not only as “advisers” but as part of the security agencies, using their knowledge to counter theories with no doctrinal basis on blogs and forums, sowing doubt about what the “real truths” might be. These are people who understand the feelings, frustrations and sensitivities of those who are unable to feel fully part of any of the various worlds to which they belong, working together with people seeking to defend Western civilisation by eschewing all forms of racism, deliberate or otherwise, and all lack of understanding, and building a “bridge theory” that starts from the virtual world and expands outwards to the real world, including prisons, which are all too often neglected.
References
[1] John Bagot Glubb, The Great Arab Conquests, J.B.G. Ltd, Hodder & Stoughton, 1963.
[2] Marc Sageman, Leaderless Jihad, University of Pennsylvania Press, Philadelphia, 2008.
[3] Gilles Kepel, The War for Muslim Minds, The Belknap Press of Harvard University Press, Cambridge and London, 2004.
[4] Montasser al-Zayat, The Road to al Qaeda, Pluto Press, London, 2004.
[5] Peter R. Neumann, Joining al Qaeda, Adelphi Paper 399, Routledge for The International Institute for Strategic Studies.
Modelling Cyber Security: Approaches, Methodology, Strategies U. Gori (Ed.) IOS Press, 2009 © 2009 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-074-2-125
125
Modelling Deterrence in Cyberia*
Claudio CIOFFI-REVILLA1
Center for Social Complexity, George Mason University
Abstract. Deterrence is an ancient strategy (as early as the 4th millennium BCE) based on defence and retaliation to prevent undesirable behaviour from a potential attacker. Specifically, deterrence—both classical and cyber-related—is based on a potential attacker perceiving an unacceptable cost and consequently refraining from attack. Similarly to nuclear deterrence, cyber-deterrence may be an effective strategy against foreign governmental attackers, who might refrain from attacking for fear of retaliation. However, cyber-deterrence may not be as effective against individual terrorist hackers or clandestine organisations that have a high propensity towards risks or simply believe they can attack with impunity. This paper outlines some solutions to the fundamental challenge of modelling deterrence in Cyberia and discusses theoretical and policy implications based on computational social science.
Keywords. Deterrence, infrastructure protection, cyber security, cyber attacks, cyber warfare
Introduction
Challenges and opportunities posed by the rise and evolution of the Internet and related IT systems—“Cyberia”, for short—have called into question traditional policies and national security priorities [1, 2, 3]. When faced with threats, deterrence is often invoked as the natural and logical policy to design and implement. However, deterrence is an ancient strategy (applied as early as the 4th millennium BCE) based on defence and retaliation to prevent undesirable behaviour from a potential attacker. More specifically, as a well-defined form of social power relation, deterrence—both the classical version that began in Mesopotamia and the more recent cyber-related adaptation—is always based on a potential attacker perceiving an unacceptable cost and consequently refraining from attack [4, 5]. As a consequence, cyber-deterrence may be an effective strategy against foreign governmental attackers, assuming all the necessary requirements are met (i.e., credibility of capability and credibility of intent, each of which has its own component requirements). As with nuclear deterrence between states, state attackers may refrain from attacking for fear of retaliation. However, cyber-deterrence may not be as effective against individual actors (e.g., terrorist hackers) or clandestine organisations that have a high propensity towards risks
* This chapter was presented at the NATO Advanced Research Workshop (ARW) on Operational Network Intelligence: Today and Tomorrow, L'Arsenale, Venice, Italy, 6–7 February, 2009. I am grateful to S. Numrich, M. Zalesny, and A. Vespignani for comments and discussion on an earlier version of this paper. Many thanks to Professor Umberto Gori for the invitation to participate in the NATO ARW as well as for comments received by workshop participants, especially M. Agazzi, N. Ahituv, M. Arditti, A. Gazzini, G. Grasso, A. Hochberg-Marom, G. Iovane, E. Peshin, P. Rapalino, U. Rapetto, F. Sanfelice di Monteforte, E. Tikk, and A. Vidali. The author is solely responsible for the views expressed in this chapter.
1 Corresponding Author: Prof. Claudio Cioffi-Revilla, Director, Center for Social Complexity, George Mason University, 4400 University Drive, MSN 6B2, Fairfax, Virginia 22030 (near Washington DC), USA. E-mail: [email protected] URL: http://socialcomplexity.gmu.edu
126
C. Cioffi-Revilla / Modelling Deterrence in Cyberia
or simply believe they can attack with impunity. This chapter frames the problem of deterrence in cyberspace in terms of the classical theory of deterrence and uses such a framework to gain some insights into the problems and solutions to modelling deterrence in Cyberia.
1. Elements of Deterrence
Modelling and simulating deterrence in a cyber-security context [6, 7] necessitate a clear understanding of deterrence in the classic, conventional context and the viable identification of relevant IT systems at risk, including their increasingly complex operating environment. Deterrence is a passive form of power relation or strategy, for the preventive use of power between two actors—the potential attacker and the defender—whereby a potential attacker refrains from attacking the defender for fear that the defender will retaliate with unacceptable consequences or that the very cost of attack will be too high, due to the effective defences. Accordingly, the main purpose of deterrence is to prevent a form of behaviour on the part of a potential attacker, by threatening the attacker with some punishment that carries sufficient severity in terms of consequences—either during the attack itself or by subsequent retaliation or prosecution. Crucially, deterrence works when a potential attacker does not act as a result of the communicated threat. By contrast, compellence is an active form of power relation whereby an actor seeks to induce a given form of behaviour on the part of another actor [8]. The attempts of the US and other members of The Quartet to get Israel and Palestine to reach permanent peace in the Middle East are a form of compellence, as is the US attempt to obtain a viable government of national unity between rival domestic factions in Iraq. Compellence is therefore about inducing behaviour that has not yet manifested, whereas deterrence is about preventing some undesirable future behaviour. Accordingly, compellence works when desirable behaviour does occur as a result of a threat or inducement (sticks or carrots, respectively). A parallel analysis based on positive incentives (“carrots”), rather than just threats (“sticks”), is necessary for a complete theory of deterrence and compellence.
Carrots and sticks may be part of both forms of power. Like most national security strategies, deterrence is not a modern invention. As a form of power relation, deterrence has ancient origins going back several thousand years (it was practised in the Near East by ca. 3500 BCE), thus significantly pre-dating the modern world and even the nuclear deterrence context, where it became prominent during the Cold War between the United States and the USSR [9]. Moreover, the social and behavioural science of deterrence has provided no reason to anticipate its demise [10]. Formally, the basic strategy of deterrence consists in making a threat that takes the following form: “If you do X, we will do Y to you (or punish you with consequence Y).” X is some undesirable form of behaviour that a defender seeks to prevent, and Y is some consequential punishment/response that is deemed unacceptable by the potential attacker. (In terms of incentives, a defender may also deny some valuable benefit to a potential attacker, wherein Y is a form of bribe.) Deterrence theory is one of the most mathematically elaborate areas of social science. It is based on probability theory, decision theory, and game theory, and the foundations of deterrence theory are probabilistic in nature [11]. Accordingly, as a subjective perception, the credibility of deterrence is critical; it depends not only on the credibility of capabilities (to effectively carry out the threat)
but also on the credibility of intentions (or willingness to retaliate). In the theory (and practice) of deterrence as a strategy to ensure security, both forms of credibility are viewed as necessary conditions. In practice, each type of credibility is ensured by multiple means. These include diverse systems that guarantee a high degree of reliability in the delivery of punishment and multiple signals and organisational arrangements ensuring an elevated level of credibility with respect to willingness. Thus, while the foundations of deterrence require serialisation (as in a supply chain), the implementation of deterrence is based on parallelisation in order to ensure and communicate sufficiently high levels of credibility in terms of both capability and willingness [12]. Redundancy plays a critical role in deterrence theory and practice, because many of the basic systems and processes involved with deterrence have a serialised structure that by nature will degrade overall performance. Redundancy, however, has costs that are both material and organisational [13]. Examples of deterrence redundancy include:
1. For credibility of capability: Develop multiple systems to inflict devastating retaliation and ensure efficient defences.
2. For credibility of intent: Communicate resolve to employ retaliation through multiple signals that minimise or eliminate uncertainty.
3. For defensive fortifications: Establish effective and efficient defensive systems capable of withstanding potential attack. (An additional valuable feature of defensive security systems is that they fail by drift and in isolated modes, rather than catastrophically or in interactive ways.)
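The serial and parallel structures just described can be written out explicitly. What follows is an added illustration, not part of the chapter: it takes the probabilistic reading of credibility that the chapter attributes to deterrence theory [11], assumes that the components are statistically independent, and uses symbols of my own choosing. Let $P_{\mathrm{cap}}$ and $P_{\mathrm{int}}$ be the probabilities, as perceived by the potential attacker, that the defender's capability and intent are credible. Since both are necessary conditions, overall credibility is their serial conjunction:

$$C = P_{\mathrm{cap}} \cdot P_{\mathrm{int}}, \qquad C \le \min(P_{\mathrm{cap}},\, P_{\mathrm{int}}).$$

This is the degradation noted above: every additional necessary condition multiplies in a factor below one. Redundancy repairs a factor by placing systems in parallel. If capability rests on $n$ independent retaliatory systems with individual reliabilities $r_1, \dots, r_n$, retaliation fails only if all $n$ fail, so

$$P_{\mathrm{cap}} = 1 - \prod_{i=1}^{n} (1 - r_i).$$

With constructed values $r_i = 0.8$ for every system, $n = 1$ gives $P_{\mathrm{cap}} = 0.8$, $n = 2$ gives $0.96$, and $n = 3$ gives $0.992$. Taking $P_{\mathrm{int}} = 0.9$, a single system yields $C = 0.72$, whereas three redundant systems yield $C \approx 0.893$; the same construction applies to $P_{\mathrm{int}}$ when intent is signalled through several independent channels. The material and organisational cost of each additional system [13] is what bounds $n$ in practice.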
In addition to retaliation, deterrence also relies on defence or fortification, which takes on numerous forms: layered defences, choke points, overlapping fields of fire, observation detection, baffled entries, etc. (For the classic study of deterrence and defence see [14].) The overall purpose of defence is to lower the base probability of the attacker’s success, which can positively interact with the credibility of the defender’s deterrence. (A mighty or impenetrable defender might also be—in the mind of a potential attacker—a merciless retaliator.) Therefore, in the implementation of deterrence, defence is just as important as retaliation and it is a feature that should not be overlooked within the complex context of cyber-deterrence. When deterrence fails, two additional considerations are mitigation (what can be done in advance of an attack to lessen the effects of undeterred attack) and prosecution (how can the perpetrators be found and brought to justice). Both types of preparatory issues acquire special significance in the cyber context. Unfortunately, only scant attention is paid to both, especially the latter.
2. Cyber-deterrence
Within the specific context of cyberspace [6]—a world fundamentally different from the one in which deterrence originated among Sumerian city-states several thousand years ago [9]—a deterrence strategy by the government would seek to prevent attacks on the nation’s IT infrastructure and related systems by threatening unacceptable retaliation against potential attackers [15]. Given such requirements, the following two classes of questions immediately emerge as fundamentally important in the cyber context:
1. Concerning potential attackers: What punishment would be sufficient to deter potential cyber attackers? What do potential cyber attackers fear most? What would they fear enough to deter them from even planning such attacks?
2. Concerning the defender: Does a nation and its allies have—or can it develop and maintain in the future—both the necessary will and capability to inflict such punishments on potential cyber attackers? How would such a posture be developed within the extant framework of capabilities and other elements of national power? Which communication strategies would maximise the defender’s deterrence?
These questions suggest that there is an even more fundamental underlying question: Is deterrence a viable strategy for ensuring the cyber-security of a nation? Given the fundamentally different worlds of conventional security and cyber-security, a positive answer to this question is not preordained. After all, deterrence was invented in the age of Mesopotamia, thousands of years before the age of the Internet. Deterrence theory can help discover answers; the former questions pertain to the subjective decision-making process of a potential attacker, whereas the latter pertain to the national strategic planning of governments. In terms of a potential cyber adversary, it matters greatly whether such an actor is (1) an individual, (2) a non-governmental organisation (such as a terrorist group or criminal organisation), or (3) a governmental actor. Deterrence thresholds—i.e., the modalities and levels of what constitutes effective punishment—will vary qualitatively and quantitatively depending on which type of potential attacker the actors happen to be. Deterring an individual al-Qaeda extremist acting alone poses a very different challenge from deterring a cyber-attack by the Red Army cyber-warfare organisation of the PRC [16]. In turn, both of these cases differ substantially from the case of deterring cyber threats that originate from criminal networks that are active in one or more policy domains (e.g., narcotics, terrorism, money laundering, trafficking in persons, or other illicit areas). Such groups have a tendency to create illegal welfare policies and institutions that provide public goods in competition with the official state government [17]. The implications are numerous and complicated and are distinct from the other two aforementioned cases. For example, deterring such groups almost always involves a much longer time span and may require coordination across numerous jurisdictions or agencies.
This is because such “horizontal polities” [18] are often capable of mobilising significant capabilities on the basis of which they are able to launch and support cyber campaigns. Non-state actors, on the other hand, also need to cope with significant vulnerabilities that derive from the fact that they lack legitimacy and at least in some areas must operate in a covert way. For example, operational security always poses many challenges, especially when it must operate under governmental surveillance. General concepts and principles of systems security apply to the analysis of this type of threat as well as to others. [19] The table below suggests some significant features associated with each type of potential cyber-attacker in terms of distinct capabilities and vulnerabilities. Other features may suggest additional attributes and dynamics for computational modelling and simulation.
Table 1. Characteristics of types of cyber-attackers as a function of capability and vulnerability.

Potential attacker | Capabilities | Vulnerabilities
Governmental | Major cyberwarfare resources; state sanction | IT infrastructure and other national assets (e.g., financial and industrial infrastructure)
Non-governmental | Significant cyber-warfare resources; organizational strengths; potentially transnational | Clandestine requirements; financial and logistical constraints; greed, likely financial
Individual | Potentially high talent and skill; limited cyber-warfare resources | Clandestine requirements; must maintain high opsec; pride, boasting, egotism
More specifically, the requirements of deterrence also vary according to which potential attackers must be faced (unlike the case of classical deterrence), with targeting posing arguably the greatest challenge due to the clandestine and formal nature of the two opposite scenarios (individual and governmental, respectively). Such requirements suggest different, albeit coordinated, capabilities for dealing with the full spectrum of potential attackers. In computational modelling terms, such scenarios also correspond to different ontologies, each with its own relevant actors and dynamics. The contemporary theory and practice of deterrence has yet to identify the specifics of such ontologies with specific reference to Cyberia. Computational social science has made several key innovations in advancing our understanding of deterrence in Cyberia:
1. Agent-based models of attacks in cyberspace (e.g., K. De Jong and C. Hunt’s work described in [7]) have demonstrated the viability of multi-agent systems and evolutionary computation (genetic algorithms) applications;
2. Social network analysis (SNA) of terrorist groups and related organisations (including network analysis of the physical internet and WWW) has similarly demonstrated that systematic analysis can lead to new insights [20];
3. Complexity-theoretic and power-law analysis of conflict [21] could be applied to the analysis of CERT and related event data; and
4. Visualisation analytics and related computational methods for automated information extraction are also ripe for applications to cyberspace [22].
Finally, cyber-deterrence must pay attention to the nature of punishments by retaliation, in addition to the architecture of cyber-defences. Retaliatory punishment capable of credibly deterring a foreign government may be meaningless in the case of an individual attacker, such as a clandestine hacker with the necessary knowledge and skill (including, for instance but not exclusively, an insider). Moreover, a viable policy of cyber-deterrence should emphasise exemplary punishment in order to deter future attacks. At present, however, relatively little publicity is given to instances of successful prosecution of cyber crimes, let alone deliberately public displays of prosecutions and retribution—unlike other forms of crime and terrorism where sentenced culprits are made public for all to see. Within legal boundaries, much more could be done to highlight the prosecution of cybercrime and cyber-attacks on all scales, from individual to state-sponsored.
Summary

From a national strategy perspective, the reliability or even the very feasibility of deterrence as a viable strategy for cyber-security seems dependent on the character of the threatening actor or potential attacker. For some potential attackers, such as national governments, deterrence would seem quite viable against cyber attacks: if you attack our cyber infrastructure, we will retaliate accordingly with unacceptable damage to your assets (which may or may not include the attacker's cyber assets; population or other assets may be as effective, albeit possibly disproportionate). For other potential attackers, such as individuals or clandestine organisations, deterrence is a far more problematic strategy that may be sub-optimal and inefficient—even dangerous—for ensuring the nation's cyber-security. Against such actors it may be advisable to adopt more active preventive strategies, given the difficulty or even impossibility of implementing viable retaliation. Overall, the value of a deterrence strategy for ensuring cyber-security seems to decline as the formal organisational level of the potential attacker decreases, ranging from effective (against a foreign government) to ineffective (against a resourceful individual hacker).
References

[1] J. Arquilla and D. Ronfeldt, eds., Networks and Netwars, RAND Corporation, Santa Monica, California, 2001.
[2] D. Verton, Black Ice: The Invisible Threat of Cyber-Terrorism, McGraw-Hill, New York, 2003.
[3] G. Weimann, Terror on the Internet: The New Arena, the New Challenge, United States Institute of Peace, Washington, DC, 2006.
[4] J. Knopf, Three Items in One: Deterrence as Concept, Research Program, and Political Issue, Annual Convention of the International Studies Association, San Francisco, CA, March 26-29, 2008.
[5] J. Knopf, The Fourth Wave in Deterrence Theory: A Critical Appraisal, Annual Meeting of the American Political Science Association, Boston, MA, August 28-31, 2008.
[6] Threat Working Group of the CSIS Commission on Cybersecurity for the 44th Presidency, Threats Posed by the Internet, Center for Strategic and International Studies, Washington, DC, 2008.
[7] M. Lawlor, Virtual Hackers Help Take a Byte Out of Cybercrime, SIGNAL Magazine, February 2004.
[8] T.C. Schelling, Arms and Influence, Yale University Press, New Haven, Connecticut, 1966.
[9] C. Cioffi-Revilla, Origins and Age of Deterrence, Cross-Cultural Research 33 (1999), 239–264.
[10] F.C. Zagare and D.M. Kilgour, Perfect Deterrence, Cambridge University Press, 2000.
[11] C. Cioffi-Revilla, A Probability Model of Credibility: Analyzing Strategic Nuclear Deterrence Systems, Journal of Conflict Resolution 27 (1983), 73–108.
[12] C. Cioffi-Revilla, Politics and Uncertainty: Theory, Models and Applications, Cambridge University Press, 1998.
[13] C.L. Streeter, Redundancy in Social Systems: Implications for Warning and Evacuation Planning, International Journal of Mass Emergencies and Disasters 9 (1991), 167–182.
[14] G.H. Snyder, Deterrence by Denial and Punishment, Woodrow Wilson School of Public and International Affairs, Center of International Studies, Princeton University, 1959.
[15] J.A. Lewis, Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on Cybersecurity for the 44th President, Center for Strategic and International Studies, Washington, DC, 2008.
[16] J. Fritz, How China Will Use Cyber Warfare to Leapfrog in Military Competitiveness, Culture Mandala 8 (2008), 28–80.
[17] M. Mousseau and D.Y. Mousseau, How the Evolution of Markets Reduces the Risk of Civil War, 4th Annual General Conference of the European Consortium for Political Research (ECPR), University of Pisa, Italy, 6-7 September 2007.
[18] Y.H. Ferguson and R.W. Mansbach, Polities: Authority, Identities, and Change, University of South Carolina Press, Columbia, South Carolina, 1996.
[19] B. Schneier, Beyond Fear: Thinking Sensibly About Security in an Uncertain World, Springer, 2006.
[20] M. Tsvetovat and K. Carley, Structural Knowledge and Success of Anti-Terrorist Activity: The Downside of Structural Equivalence, Journal of Social Structure 6(2) (2005), online.
[21] C. Cioffi-Revilla and P.P. Romero, Modeling Uncertainty in Adversary Behavior: Attacks in Diyala Province, Iraq, 2002-2006, Studies in Conflict & Terrorism 32 (2009), 253–276.
[22] J.J. Thomas and K.A. Cook, eds., Illuminating the Path, IEEE Computer Society, Los Alamitos, CA, 2005.
Modelling Cyber Security: Approaches, Methodology, Strategies U. Gori (Ed.) IOS Press, 2009 © 2009 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-074-2-132
The Cutting Edge of Cyber Network Development - A Paradigm to Translate and Predict the Network Strategies of Avantgarde Cyber Criminals

Dott. Maurizio AGAZZI
Intelligence & Security Expert, Robur S.p.A

Abstract. Human beings are experiencing new paradigms, such as collective intelligence, that contribute to levels of knowledge enhancement and information sharing unimaginable before the Internet existed. Nevertheless, these new paradigms are equally interesting for cyber-terrorist groups and for organised crime. This work intends to analyse this new paradigm, which avant-garde cyber networks, since they gain vitality from the web's complexity, also use to express their developing dimension. This work focuses on the characterising aspect of advanced cyber-criminal networks: fast and broad movements along temporary trajectories. Mutation is an implicit aspect of their development, given that the Internet itself is constantly changing, together with interconnections that are enriched by collective experience.

Keywords. Collective Intelligence, Social Engineering Technique, WEB2.0, Web Forums, Cyber Crime Community, Encryption, Illegal Underground Economy, Malware, Malicious Application, Distributed Denial of Service, Peer-to-Peer, Botnets, Rootkits, Rustock.
Introduction

Economic growth is related to the innovation capability of industrialised countries, which, along with it, are able to create profitability and wealth and to spread the democratic values that have been culturally transmitted to us. The fast pace of the innovation age we are experiencing is driven by Information and Communication Technology, which has vastly increased knowledge and has thus led to the solution of complex problems. Human beings are experiencing new paradigms, such as collective intelligence (think of phenomena like WIKI¹ or the Human Genome Project²), in which a vast quantity of data and information is shared through Internet platforms. This enhances knowledge thanks to the free participation of thousands, sometimes millions, of individuals, who share their talent and their knowledge with the community. The talents of the net-generation³ have generated a competitive advantage of some interest. This generation, from a business point of view, has been able to make use of the growing complexity of the Internet (think of the creators of Facebook), the Internet's latest evolution with WEB2.0⁴ (examples of which are the success of platforms like Facebook, MySpace, Google, Wikipedia, Wikidocs, LinkedIn, YouTube, Linux, Second Life, the Human Genome Project, etc.), and virtual computing. This acceleration creates a fast-paced movement (for example, Linux is created and made possible by the community of programmers who contribute to the construction of this open-source operating system), which produces evident technological progress within the spheres of nanotechnology, biotechnology and grid computing. This has a marked effect on the molecular sciences, on the study of materials, on mechanics and on other fields. Scientists pose questions that are stimulated by these new emerging paradigms in an attempt to understand whether humankind could undergo significant changes, and therefore bring about further evolution in humankind. The question that naturally arises is: what has drastically changed our cultural habitat in this historical moment? We may dare say the Internet, the worldwide interconnection.

¹ www.wikipedia.org
² www.geonomics.energy.gov
³ Net-generation is a term that has been applied to the generation that has had access to the Internet throughout its adolescence and, thus, is not only aware of the web but also computer literate. This is a recent phenomenon of the last decade.
1. Emerging Paradigms

In Stephen Jay Gould's theory of evolution, otherwise known as "Punctuated Equilibrium" (which, consequently, displaces the "Modern Synthesis"), evolution is above all a story of dramatic migrations, drifting populations, operations and substitutions within species that have often been caused by sudden and strong climatic, geographical and geological changes. In nature, form appears to tend towards stability, while mutation is often caused by drastic changes brought about in the habitat or environment. It is, therefore, natural for the scientific community to question whether or not global interconnection may be considered a drastic change for humankind. In the eventuality that it were, this change would signify an equally powerful cultural change that no one at present is able to clearly comprehend. We know that paradigms do not claim to predict future events; however, they allow extremely complex problems to be simplified into models, which in turn are understood and analysed with greater ease by the human brain. Moore's well-known Law, according to which computational capacity grows at an exponential rate compared to the costs of developing new processors, when spelled out, becomes the doubling of computational capacity every 18 months at a fixed cost. Already from the mid-seventies, this demonstrated the extent of the technological progress that we would experience over the following thirty years; hence, the paradigm is still of great effectiveness. Evolutionary processes, as scientists know, are open systems that not only feed themselves within their habitat, but draw upon it for their options of diversification. So, if we accept the idea of global interconnection as a drastic change in habitat, tell-tale signs of some sort of avant-garde cyber-crime activity should already be visible in cyberspace.

Movement on the Internet is referred to as surfing. In this movement, made of temporary trajectories, it is hard to be fully aware of the progress of avant-garde activity. For the authors of such activity, meaning takes the form of bitstreams, but it is the movement itself that is important; this movement is propelled by the websites that are visited, from each of which a thrust is received on transit. Were we to focus all of our attention on these movements, avant-garde activity would then become visible. With the aid of readily available technology and the global diffusion of the net and bandwidth, the forefront of cyber activity is rapidly evolving within this growing complexity and is undergoing a transformation.

⁴ WEB2.0 is a term used for the more heterogeneous components, such as the mashup applications of Google Maps, that replaced the old Internet architecture in use around 2000. It is also characterised by sociological aspects, like communities that come together through Internet portals, such as Facebook, that are called community platforms.

1.1. Illegal Underground Economy

According to recent studies, the illegal underground economy⁵ related to cyber-crime activities is sufficiently developed that its value is estimated at $276 million for the period from July 2007 to June 2008. The underground economy has identical characteristics to those of the free market: supply and demand meet on the basis of quotations that are related to the availability and needs of the global market. Publicity in this market is located on web-based forums or web-blogs. These popular social-networking instruments are used by the cyber-crime community for trading goods and services. In the meantime, the servers of these platforms are located in countries whose governments have difficulty in countering these cyber-crime activities, or in which the regulations are simply less restrictive. The goods and services offered on web-forums are mainly the following:
- Malicious application
- Phishing generator toolkit
- Account cracker
- Password recovery tools
- Encryption and compression utilities
- Mobile viruses
- Credit card generator and checker
- Cracker proxy toolkit
- Credit card information
- Financial accounts
- Spam and phishing information
- Withdrawal service
- Identity theft information
- Server accounts
- Compromised computers
- Website accounts
In the past, hackers mostly sought fame through sensational and visible actions. Nowadays, hackers have every interest in remaining in the shadows and anonymous, because they are a link in cyber-crime activity, supplying the lucrative illegal market with malware. This malware is sold at market price on web-forums. Cyber-criminals, with war-driving and exploiting actions, use this malware to fraudulently access systems and on-line transaction processes in order to obtain credit card codes. This is especially true for weakly protected wireless networks, where sniffers are employed to capture data at the time of transmission⁶ and subsequently shift it over to remote servers. Investigations conducted by the U.S. authorities uncovered a criminal network that stored data on servers located in Latvia and Ukraine. This criminal organisation cloned new ATM cards that were provided by Chinese contacts, whereupon the cloned cards were introduced into the North American market⁷.

⁵ Symantec, Symantec Report on the Underground Economy, July 07 - June 08, www.symantec.com, 2008.
⁶ http://nytimes.com/2008/08/12/technology/12theft.html?pagewanted=2&_r=1
⁷ Symantec, Symantec Report on the Underground Economy, July 07 - June 08, www.symantec.com, November 2008.

It is possible to note that the economic mechanisms inherent to the underground economy have transformed the 'species' of cyber-criminals, forcing them to specialise highly in order to survive. In other words, the specialisation undertaken by cyber-criminals is required in order to maintain control over the growing complexity of the web, and allows them to secure a greater advantage from their own abilities. Those who create malicious applications do not expose themselves to open use in the field, but rather hold the source code and, each time they are asked for a malicious code, introduce slight variations in the code itself. Since research and development investments are expensive, they limit themselves to selling the application on the network at market price. One exception is the malware that allows the introduction of backdoors on the grids of processors. Because it serves specific purposes, such as the gathering of precise forms of information that include on-line account codes or other highly profitable data, such malware tends to follow direct-marketing channels and does not have an official quotation.

1.2. Cyber Crime Community and Social Networking Instruments: Their Avant-garde Cyber Network Strategy

The actions that this illegal business takes to publicise or advertise its activities are channelled through topics that are posted on web-forums and that employ either a multi-channel or a thematic strategy to contact buyers and inform them of the different categories of goods and services offered; this procedure helps to promote goods and services worldwide. Cyber-crime communities populate web-based forums using self-defining strategies thanks to the options that manage the account registration of members and the private messaging on such forums. The aforementioned topics recall other forums on which illegal goods and services are traded. Payments are often made with on-line accounts or through the exchange of goods and services. The administrator has a prime role in creating the forum and setting the basic access rules for the different user groups: administrator, moderator and member. The administrator is usually also one of the moderators. His role consists in administering the server; building classifications for goods and services, which are fitted into sub-forums; and checking on the security policies that govern the forum. When a new forum is set up, the administrator also creates a moderator, whose role is to keep the forum going through communication strategies typical of its specific market, including the possibility of deleting or correcting inconsistent topics and of creating new sub-forums for new thematic channels. The forum members have the possibility to write topics and, once the forum is running, can vote for the most interesting topics on the basis of pre-set regulations. The moderator's role is assigned to the author of the most voted topics. This gives cyber-criminals sufficient reason to register on the forum repeatedly under different nicknames in order to drive their nomination as moderator. Since goods and services have a variable quotation and can become outdated, the oldest topics are automatically deleted. On the other hand, when the community's attention is focused on certain goods on sale, the topics are repeated over and over with the same message so that the search engine within the web-forum will list topics on which the article being promoted appears. The administrator changes nickname often to avoid tracking by the authorities. When the forum server itself is bought in the underground economy, the administrator appears at the moment of launch, only then to disappear, whilst the forum moderators' role is elective within the community, according to the principles that regulate the basic settings. The web-forum can also remain active on the server for a limited time, sometimes a few months, before it gets exported to a different server. These movements are facilitated by the available broadband and are especially used to elude the authorities' control. Access to the community is possible after registering a nickname, a brief self-description and an avatar; if this isn't convincing, the administrator denies access to the forum. Registration can also be completely automatic, and it is left to the moderators to deny future access if the applicant's credentials are not convincing; the web system is able to discredit a registration instantly. Forums also have filters that block access to IP addresses that are considered unsafe and place them on blacklists. The access of new visitors to the forum triggers an on-line alert system that is visible to the community. Some forums use mash-up technologies with geo-locating applications, which are able to visualise on-line users' ISP positions on a world map, so that the community can take the necessary countermeasures to elude police control. Since malware production can be costly, it is possible to trade specific components which, once assembled, give the desired result. On the net, the same nickname can buy malware software components and then sell malicious applications that have been assembled with the final code and supplied with directions.
The most dangerous malware is the polymorphic type: not only is the code assembled in steps, and often encrypted, but the malware is also able to transform its structure. The encryption of the malware code makes it difficult for anti-virus systems to recognise the malware. The encryption is performed with encryption tool-kits that are traded on the black market. In other words, the underground economy offers the entire supply chain access to goods and services at market value, from the production to the final assembly of malware of all sorts (intended for fraudulent use by cyber-criminals), to directions for hacking techniques on how to black out the source (personal IP), generate spam and also take on a false identity. These techniques underlie distributed denial-of-service (DDoS) attacks, for it is easier to take action in a chaotic situation. These attacks are created by dangerous malware, botnets⁸; Estonian and Georgian banks, in fact, were their victims in April 2007. The leading edge of the virtual world transmits and leads the transformation. With this, the criminal network expands and techniques simultaneously improve. Proximal networks make use of temporary trajectories and affect the outer digital realities of the real economy. The U.S. authorities reported that cyber-crime activity paid Russian criminal groups over $150 million in 2006; through the use of phishing techniques, credit cards were stolen using servers located in North America and the cards were subsequently cloned in a Russian factory. Occasionally, such techniques rely on databases containing identity-related data. These databases can be bought on the forum (identity theft information is sold in lots, just as credit card codes are), depending on the scale economy of the market and also because the percentage of faulty data causes rejects or discards that in turn cause irreplaceable gaps. The U.S. authorities have related these specific crimes to the Russian Business Network (RBN). The RBN's servers are believed to be responsible for the diffusion of malicious codes like the MPack exploit toolkit⁹ and the Peacomm Trojan botnet (this last through Internet Relay Chat). It is evident that the avant-garde cyber-criminals are plumbing our depths, our virtual spaces, our digital routes, on which we have built financial structures, research centres, economic development, and power and control structures, in search of an Achilles' heel.

⁸ Cisco, Cisco 2008 Annual Security Report, www.cisco.com, 2008, p. 10. Botnets consist of thousands of malware-compromised computers. Those who control the botnets can rent out the processing power and bandwidth available to these computers, or use it themselves.

1.3. Botnets: The Nervous Disorder of Web2.0

WEB2.0 represents a technological development with an obviously positive influence on the various economic sectors. It is based on collaboration and co-development, and its multi-level structure relies on reusable components. These characteristics guarantee high productivity levels, which translate into cost containment throughout the lifecycle of software applications. WEB2.0 applications have high interoperability characteristics: independent of the hardware platform and the operating system in use, these applications are usable by any browser. Information and Communication Technology builds on these platforms to develop new business enterprise platforms, through which it is possible to produce, promote and commercialise the use of software as a service (SaaS). However, cyber-criminals have also adopted this reference model to amplify the threats on the web, and have gained strength from the illegal underground economy. Modern on-line threats combine different elements, such as malware, botnets, spam and social-engineering techniques¹⁰. The greatest threat today comes from malicious botnet applications, like Mailer Reactor, Kraken or variations of Asprox. This is due to the fact that the attack spreads like a swarm, in an adaptable and intelligent way, and has the characteristics of a peer-to-peer (P2P) network. Therefore, the attack automatically synchronises with thousands of other malware servers, which in turn send hundreds of thousands of spam messages over the web. At this point, cyber-criminals have entire control not only over the bandwidth but also over the computational power, of which Distributed Denial of Service (DDoS) is the devastating effect. An example of the damage suffered may be given by Estonia in 2007. All of these elements lead to the strong deterioration of the transmission bandwidth available for the Internet and often thwart investments made for the introduction of bandwidth¹¹ in the net infrastructure. Ironically, the father of cybernetics, Norbert Wiener¹², during his research at MIT in the 1940s, had understood certain feedback processes that lie within complex systems. Together with other MIT scientists, he formulated the fascinating theory wherein complex systems are conditioned by feedback¹³ received from the ecosystem they interact with. He had especially highlighted the dangers of a negative random motion, which he called "nervous disorder", which occurs when non-linear systems are carried past their limits. One step that could be taken against cyber crime would be to identify the location from which the infection first originated by following the initial signs of "nervous disorder". Unfortunately, this is much like looking for a needle in a haystack! What are we really supposed to be looking for? Today, the web is a highly complex system, and so non-linear. Swarms of malware are able to cross peripheral digital borders without even leaving a trace (just think of the failure of British intelligence during the Second World War, when the launch pads for the V2 missiles weren't recognised despite having previously been photographed by aviators).

⁹ www.symantec.com
¹⁰ Cisco, Cisco 2008 Annual Security Report, www.cisco.com, 2008, p. 3.
¹¹ The financial loss is also caused by servers that, when under DoS attack, are not able to satisfy on-line user requests. Enterprises lose thousands of transactions per hour since the services under attack are no longer available. During these attacks, keylogging software is installed on the computers to transmit identity, banking access codes and credit card codes to remote servers.
¹² Flo Conway, Jim Siegelman, Dark Hero of the Information Age – In Search of Norbert Wiener the Father of Cybernetics, Perseus Books Group, 2004.

1.4. Emerging Questions in the Domain of Complex Systems

Norbert Wiener had imagined problems with feedback. His research was followed first by the work of Pitts and McCulloch at MIT and then by Hopfield's research. Hopfield discovered the so-called "Hopfield nets" model, which was published in 1980 and became the basis for the development of the Artificial Neural Network (NN). Hopfield's model is the point of departure for many real-time and near-real-time applications based on artificial intelligence that have been intended for commercial use. The question that could be asked is whether a real-time system based on the Artificial Neural Network model (NN), fed by key indicators (automatically sent by intelligent agents located on the server), would be effective in identifying attacks right from the initial stages. Were this the case, appropriate steps to neutralise the attacks could be taken in almost real time, either by taking action on the network's peer-to-peer nodes or by updating the servers' anti-virus systems.
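The section asks whether a real-time system fed by key indicators from agents on the servers could recognise an attack at its initial stage. The following added example (my code, not the chapter's, and using a simple per-host EWMA baseline in place of the neural network the text mentions) shows the swarm signature such a system would watch for: several hosts drifting past their own limits in the same time slot, with the earliest drifting host reported as the suspected origin. Host names, the indicator (outbound SMTP connections per minute) and the infection timeline are constructed.

```python
"""Early-stage botnet swarm detection from server key indicators (constructed data)."""
import math
from collections import defaultdict


class Baseline:
    """EWMA mean/variance of one indicator for one host. Learns for a few
    samples before judging, and does not learn from samples it has flagged,
    so an outbreak cannot quietly become the new 'normal'."""

    WARMUP = 3

    def __init__(self, alpha=0.3):
        self.alpha, self.mean, self.var, self.n = alpha, 0.0, 0.0, 0

    def score_and_learn(self, x, z_limit):
        """Return the z-score of x against the baseline; update unless flagged."""
        if self.n == 0:
            self.mean, self.n = x, 1
            return 0.0
        z = 0.0 if self.n < self.WARMUP else (x - self.mean) / math.sqrt(self.var + 1e-9)
        if z <= z_limit:
            delta = x - self.mean
            self.mean += self.alpha * delta
            self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)
            self.n += 1
        return z


def detect_swarm(reports_by_slot, z_limit=4.0, min_hosts=3):
    """reports_by_slot: list of (slot, {host: indicator_value}) in time order.

    One host past its own limit is merely an outlier. A swarm alert is raised
    when at least min_hosts cross their limits in the same slot, the
    synchronised behaviour the chapter attributes to P2P botnets. Each alert
    lists hosts by the slot in which they first crossed, so hosts[0] is the
    suspected origin of the infection.
    """
    baselines = defaultdict(Baseline)
    first_seen = {}  # host -> slot in which it first exceeded its limit
    alerts = []
    for slot, reports in reports_by_slot:
        flagged = [h for h, x in sorted(reports.items())
                   if baselines[h].score_and_learn(x, z_limit) > z_limit]
        for h in flagged:
            first_seen.setdefault(h, slot)
        if len(flagged) >= min_hosts:
            ordered = sorted(flagged, key=lambda h: (first_seen[h], h))
            alerts.append({"slot": slot, "hosts": ordered,
                           "suspected_origin": ordered[0]})
    return alerts


def constructed_reports():
    """Twelve one-minute slots for six (hypothetical) web servers. Slots 0-7
    are normal traffic with a small cycle; in slot 8 one host spikes; in slot 9
    three hosts spike together; from slot 10 on all six do."""
    base = {"web-01": 3, "web-02": 4, "web-03": 2,
            "web-04": 5, "web-05": 3, "web-06": 4}
    compromised = {8: {"web-03"}, 9: {"web-03", "web-01", "web-05"},
                   10: set(base), 11: set(base)}
    slots = []
    for t in range(12):
        infected = compromised.get(t, set())
        slots.append((t, {h: (300 + base[h] if h in infected else base[h] + t % 3)
                          for h in base}))
    return slots


if __name__ == "__main__":
    for a in detect_swarm(constructed_reports()):
        print(f"slot {a['slot']}: swarm of {len(a['hosts'])} hosts, "
              f"suspected origin {a['suspected_origin']}")
```

Slot 8 produces no alert (a single outlier), while slot 9 does; because flagged hosts stop updating their baselines, they stay flagged in later slots instead of being absorbed into the norm.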
Clearly, this presumes some form of supranational coordination, which, from my point of view, continues to be an ongoing issue. The difficulties encountered by the authorities in the fight against cyber-crime activities are also due to the fact that State laws have jurisdiction only within domestic borders, whilst cyber-crimes move on worldwide trajectories. Since malware code is generally encrypted¹⁴ and is spread in a peer-to-peer mode, months may go by before a new malicious application is identified. In these conditions, even the authorities' control is deceived, because the patterns containing malware cannot be recognised at an early stage. However, credit institutions and banks with on-line accounts have adopted, or are in the process of adopting, data mining systems to track down unauthorised use, promptly informing the client when unusual on-line payments are made. As a matter of fact, nothing else is done and, in most cases, crimes go unpunished. It is highly unlikely that the majority of crimes have ever come to light, and in the few cases where one has, they have never, or rarely, been made public. Cyber crimes occur especially when the net is not sufficiently protected or when the firewalls and anti-virus systems are out of date. This lack in technology creates the ideal conditions for cyber-criminals not only to successfully install backdoors on the net processors, but also to conduct industrial espionage and delete their traces. Because of this ability to cover their traces, the malfunction of the processors is easily attributed to chance. This demonstrates how important the introduction of encryption truly is. Not only would it protect databases that store identity information and credit card and bank data, it would also protect sensitive data in general, especially archives of strategic interest to organisations. However, encryption is costly: because it requires extra computational resources, it requires a considerable level of investment. In relation to the quantity of code to be modified, moreover, not all software is able to run with encryption for storage at the Input/Output level. This is particularly true for projects that have incorporated Product Lifecycle Management software, which is often used in R&D. Over the life span of high-tech products, or in old Enterprise Resource Planning solutions, further software updates would be required. At this point we can recall what Niklaus Wirth, inventor of the famous programming languages Modula, Pascal and Algol, stated in January 1997 during the conference "Software: Quality or Quantity, that is the question", in what he defined as Reiser's Law: "Software is getting slower more quickly than hardware is getting faster".

¹³ Pitts and McCulloch worked on this idea, then Hopfield defined a model known as "Hopfield's net" which, when further developed, became the basis for the realization of important commercial applications.
¹⁴ The malware root-kit Rustock used RC4e
Conclusion

In conclusion, the post-industrial epoch is characterised by the use man has made of computer science. The technological progress we are experiencing in different areas is part of the well-being we are used to and is, therefore, based on the good use man has made of global interconnection over the past decade. The digital age is the new habitat; it is a drastic change that brings with it transformations within each field that are yet to be fully analysed. However, the changes that are taking place have led to an evolution/transformation of cyber-crime groups. The avant-garde of cyber criminals in cyberspace gains strength from coming into contact with proximal networks and their temporary trajectories, and, once this has been accomplished, the transformation may be considered complete.
References

[1] Flo Conway, Jim Siegelman, Dark Hero of the Information Age – In Search of Norbert Wiener the Father of Cybernetics, Perseus Books Group, 2004.
[2] Ray Kurzweil, The Singularity is Near: When Humans Transcend Biology, Viking Press, 2005.
[3] Don Tapscott, Anthony D. Williams, Wikinomics: How Mass Collaboration Changes Everything, Portfolio, 2006.
[4] Niklaus Wirth, Software: Quality or Quantity, That is the Question, Managing Software – Quality – Engineering Success, WWW.INFOGEM.CH/Taungen/1997/Niklaus_Wirth.pdf, January 27, 1997.
[5] Symantec, Symantec Report on the Underground Economy, July 07 - June 08, www.symantec.com, November 2008.
[6] Cisco, Annual Security Report, www.cisco.com, 2008.
[7] Sophos, NAC 2.0: A New Model for a More Secure Future, www.sophos.com, July 2008.
[8] Sophos, Sophos Threat Report July 2008, www.sophos.com, 2008.
Modelling Cyber Security: Approaches, Methodology, Strategies U. Gori (Ed.) IOS Press, 2009 © 2009 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-074-2-140
Protecting Critical Infrastructures from Cyber Attacks Involving Malware
Y. ELOVICI and A. SHABTAI
Deutsche Telekom Laboratories at Ben-Gurion University, and the Department of Information System Engineering, Ben-Gurion University
Abstract. Protecting Critical Information Infrastructures (CIIs) from attacks originating from the Internet remains a major, long-standing challenge. This article describes the challenges in protecting CIIs from malware and suggests three approaches. The first approach suggests purifying malicious traffic on public NSP/ISP networks in order to minimise the risk that innocent users, unbeknownst to them, will be exploited and used by the perpetrators as launch pads for attacks on CIIs. The second approach focuses on overlay networks established between CIs, where communication between CIs is mapped to underlying physical networks and the most critical routers are pinpointed, thereby enabling the cost-effective deployment of malware filtering devices. Finally, the third approach focuses on detecting hidden botnets, which often serve as a launch pad for Distributed Denial of Service (DDoS) attacks on CIIs.
Keywords. Cyber-security, Malware, Critical Information Infrastructure
Introduction
The everyday life of citizens in modern societies relies on the critical services provided by a variety of entities, including among others: power stations, fixed-line and cellular telecom providers, public utility companies, banks, healthcare providers, food manufacturers, transportation, and education systems. All modern Critical Infrastructures (CI) rely on Information and Communication Technologies (ICT) for their ongoing operations, control, and monitoring activities, as well as for interactions involving data exchange with their peer CIs [1-4]. In many cases, CIs sub-contract Network Service Providers (NSP) to dispatch their transactions. Consequently, CIs depend upon the availability and performance of NSP backbones and are prone to malicious attacks. Dependence or interdependence between CIs, or within various divisions of a CI, creates another significant risk, where the failure of one critical CI, resulting from a malicious attack or communication failure, can result in horrendous cascading effects that hamper dependent stations in the same or other CIs [5]. Nowadays, terrorists and the agencies of rival governments can easily create new malware in order to attack CIs [6]. Following the announcement of newly discovered vulnerabilities, new malware may be developed, tested and then launched towards the critical networks [7]. As a case in point, on April 27, 2007, officials in Estonia relocated the "Bronze Soldier," a Soviet-era war memorial commemorating an unknown Russian who died fighting the Nazis. The move incited rioting by ethnic Russians and the blockading of the Estonian Embassy in Moscow. The event also marked the beginning of a large and sustained distributed denial-of-service attack on several Estonian national Web sites, including those of government ministries and the prime minister's Reform Party. Often, these attacks are conducted in the initial stages of conventional wars to achieve a strategic advantage in command, communication, and control capabilities¹.
Critical Information Infrastructure Protection (CIIP) from attacks originating on the Internet remains a major, long-standing challenge; improving CII security by disconnecting them from other networks is often in direct contradiction with the open and interoperable nature of modern web-based platforms and applications. In many instances, CIIs are attacked via the computers of innocent home users that have been compromised by attackers. Industry reports suggest that individual users receive malware mainly from the Internet [8]. In fact, an online safety survey conducted by America Online and the National Cyber Security Alliance (NCSA) revealed that 81% of the respondents were found to be lacking recently updated anti-virus software, a properly configured firewall, and/or spyware protection. In the same survey, 74% of the respondents claimed to use the Internet for “sensitive” transactions from their home computers, including among others banking, stock trading, and reviewing personal medical information [8]. Numerous tools are available nowadays to address different facets of the aforementioned challenges [9-11]. Anti-virus, anti-spyware and anti-adware utilities focus on host-based protection of end-user devices. Intrusion Detection/Prevention Systems (IDS/IPS) and firewalls focus on tackling malware at the core and edges of ISP/NSP and enterprise networks. Penetration tests are often used to evaluate how robust CIIs are and their compliance with security criteria and guidelines [12]. One of the major loopholes in these technological solutions in relation to malware is that they are mostly based on the signatures (either content-based or behavioural) of known malware.
This limitation becomes critical when new attacks are based on new malware (unknown to the detection systems) that is able to compromise distributed networks with thousands of computers in a matter of minutes. Moreover, exploits for newly discovered vulnerabilities appear every day; attackers use them to develop new malware that in many cases is capable of compromising existing systems without being detected until a software patch or a new signature has been released. This situation, therefore, calls for employing maximum automation and minimising the response time of all security technology used to tackle new, unknown malware. This article describes three alternative approaches to harden and secure the networks used by CIs and boost their immunity against malicious attacks. The first approach proposes to purify malicious traffic on public NSP/ISP networks in order to minimise the risk that innocent users will be unwittingly exploited and used by perpetrators as launch pads for attacks on CIIs (section 1). The second approach focuses on overlay networks established between CIs, where communication patterns between CIs are mapped to underlying physical networks and the most critical routers are pinpointed, thereby enabling the cost-effective deployment of malware filtering devices (section 2). Lastly, the third approach focuses on detecting hidden botnets, which often serve as a launch pad for Distributed Denial of Service (DDoS) attacks on CIIs (section 3). Concluding remarks are given in section 4.
1. Cleaning the Traffic of Network Service Providers
Enterprises and ISPs serving private customers are connected to the Internet through Network Service Providers (NSP). Nevertheless, traffic flowing through the NSP infrastructure usually has not been purified of malware to the same standard as the clean drinking water we receive nowadays from public water supply companies. Moreover, it is estimated that only 15% of Internet users are protected with an updated anti-virus [1], and therefore end users cannot be relied upon to protect themselves from being unknowingly exploited as launch pads for attacks against CIIs. As a result, terrorists and/or governments can easily attack CIs through innocent user hosts without detection. Detection of malware by NSPs on their core networks provides a better economy of scale because NSPs are more likely to possess the resources to handle unknown malware and thus are more likely to prevent thousands of end users from being infected and later used to launch DDoS attacks. Such a centralised approach provides very fast and effective detection. Figure 1 describes this centralised NSP-oriented approach, which is comprised of three main phases [13]: first, known malware is removed by standard signature-based IPS filtering devices (a); then, executable files are assembled from observed traffic (b); next, these files are forwarded for back-end analysis by an ensemble of detection plug-ins capable of detecting new malware based on similarity to known malware (c); finally, in the event that new malware is detected by the ensemble of plug-ins, signatures are published and updated instantaneously on all IPS filtering devices (d).

¹ http://news.zdnet.com/2100-1009_22-152212.html
Figure 1. NSP-Level Malware Purification: a) signature-based filtering of known malware; b) monitoring traffic and retrieval of suspected files for inspection; c) analysis of suspected files using various detection techniques; d) generating a signature of newly detected malware and announcing it to IPS filters.
The aforementioned centralised approach will provide cleaner traffic to unprotected home and business users and reduce the number of Internet users that can be used to launch cyber-terror attacks. Another important benefit is reduced network traffic, since the additional traffic created by malware will be eliminated. As customers of the NSP infrastructure, CIs will therefore be better protected from cyber-terror attacks.
2. Cleaning the Traffic of the CI Overlay Network
Critical Infrastructures communicate with each other over the public web, and their communication patterns form an inter-CI overlay network. Overlay networks [14] can be used to model both attack propagation channels and legitimate data exchange. Knowledge of extant overlay networks is useful for network security personnel in fine-tuning security appliance deployment according to the expected communication patterns, which are determined by application usage. Acquiring the structure of overlay networks, however, is a challenging task due to the absence of information on "who communicates with whom". Therefore, there is a need to protect the overlay network formed by CIs, and this can be achieved by securing the overlay network, the underlying NSP network, or both. A conceptual diagram of the overlay network and the underlying NSP network with Distributed Network Intrusion Detection Systems (DNIDS) is depicted in Figure 3.
Figure 2. Inter-CI Overlay Network: a) CI overlay network; b) launching attacks exploiting the inter-CI overlay network.
Figure 3. Distributed Network Intrusion Detection System.
Deployment of DNIDS filtering appliances can be planned by employing different metrics calculated for the vertices (i.e., routers) of the overlay or NSP networks. The group-betweenness centrality measure [15] ranks nodes by the number of shortest paths passing through them and can be used to find the optimal deployment, as depicted in Figure 4. Figure 4 exemplifies the importance of incorporating the overlay network formed by CIs when looking for the central NSP nodes that are used by the CIs. When the overlay network is taken into account, a different optimal deployment emerges: the NSP routers that are most critical for CI operations (i.e., R6) are not necessarily those most critical for the operation of the public-domain NSP network.
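As an added illustration (not the authors' code or their Figure 4 topology), the following Python computes shortest-path betweenness over a small constructed NSP topology twice: once over all router pairs (the public-domain view) and once counting only paths between the routers where CIs attach (the overlay view), so that the most central router differs between the two. It uses plain node betweenness [15] rather than the group-betweenness generalisation; the router names, links and CI attachment points are constructed assumptions.

```python
from collections import deque
from itertools import combinations

# Constructed sample topology (an assumption, not the paper's figure):
# R1-R4 are access routers for the general public, hub R5 links them to core
# router R6, and R7/R8 are the edge routers where critical infrastructures attach.
NSP_LINKS = [("R1", "R5"), ("R2", "R5"), ("R3", "R5"), ("R4", "R5"),
             ("R5", "R6"), ("R6", "R7"), ("R6", "R8")]
# Constructed inter-CI overlay: the routers at which CIs attach ("who talks to whom").
CI_ATTACH_ROUTERS = {"R4", "R7", "R8"}


def build_adjacency(links):
    """Undirected adjacency sets from a list of router links."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def bfs_shortest_paths(adj, src):
    """Hop distance and number of distinct shortest paths from src to every router."""
    dist, sigma = {src: 0}, {src: 1}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for w in adj[u]:
            if w not in dist:                 # first time w is reached
                dist[w], sigma[w] = dist[u] + 1, 0
                queue.append(w)
            if dist[w] == dist[u] + 1:        # u lies on a shortest path to w
                sigma[w] += sigma[u]
    return dist, sigma


def betweenness(adj, endpoints=None):
    """Shortest-path betweenness of each router, counting only source/destination
    pairs drawn from `endpoints` (every router when None, i.e. the public view)."""
    nodes = sorted(adj)
    ends = sorted(endpoints) if endpoints is not None else nodes
    paths = {v: bfs_shortest_paths(adj, v) for v in nodes}
    score = {v: 0.0 for v in nodes}
    for s, t in combinations(ends, 2):
        d_st, sigma_st = paths[s][0][t], paths[s][1][t]
        for v in nodes:
            if v in (s, t):
                continue
            # v lies on a shortest s-t path iff d(s,v) + d(v,t) == d(s,t);
            # its share is the fraction of shortest s-t paths running through it.
            if paths[s][0][v] + paths[v][0][t] == d_st:
                score[v] += paths[s][1][v] * paths[v][1][t] / sigma_st
    return score


def most_central(score):
    """Router with the highest betweenness (ties broken by name for determinism)."""
    return max(score, key=lambda v: (score[v], v))


if __name__ == "__main__":
    adj = build_adjacency(NSP_LINKS)
    public_view = betweenness(adj)
    overlay_view = betweenness(adj, CI_ATTACH_ROUTERS)
    print("public-domain view:", most_central(public_view), public_view)
    print("CI overlay view:   ", most_central(overlay_view), overlay_view)
```

On this topology the public view ranks the hub R5 first, while restricting the pairs to the CI attachment routers moves the top rank to the core router R6, the effect the paragraph describes.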
Figure 4. Pinpointing the Central Node (with and without taking into account the overlay network): a) R6 is the central node based on the overlay network; b) R5 is the central node when the overlay network is not taken into account.
The aforementioned overlay approach will provide cleaner traffic for CIs in a cost-effective fashion. Like the centralised approach, it will reduce the number of Internet users connected to the overlay network that can be used for launching cyber-terror attacks. As customers of the NSP infrastructure, CIs will therefore be better protected from cyber attacks.
3. Detection of Botnets
The underlying idea of this approach is to closely monitor computers, servers, and other computerised devices that are being used by CIs, and identify computers that have been unknowingly infected with malware, which can later be used by the attacker to launch DDoS attacks. Whenever an infected computer is detected by a backend analysis system, the user is guided on how to remove the relevant malware, or the infected computer is disconnected from the network.
Figure 5 (a) depicts the first stage, where measurements of system- and application-level features from the monitored computer are extracted by a distributed agent and forwarded to the backend system for deeper analysis by an ensemble of plug-ins. The votes of the various plug-ins are merged into a single diagnosis regarding the status of the monitored computer – infected/non-infected. Figure 5 (b) and (c) depict the possible outcomes after merging the recommendations from the ensemble of plug-ins.
Figure 5. Analysis of Collected Measurements and Notification: a) extracting and forwarding agent measurements; b) the backend system concludes that the computer is clean; c) the backend system concludes that the computer is infected.
The aforementioned distributed approach will make it possible to detect CI computers that have been infected by malware that may be part of a botnet.
4. Limitations and Future Research
We presented three complementary approaches to strengthen CI security. Each approach focused on a different facet of the CII protection challenge in terms of centralisation versus distribution. In section 2 we presented a completely centralised approach that focused on public-domain NSP infrastructure and provided economies of scale in shielding large audiences of users. In section 3, we focused on the privately regulated networks interconnecting CIIs, and finally in section 4 we focused on the protection of CIs from botnets. Nevertheless, these three generic approaches ought to be elaborated in order to address enduring challenges such as: handling encrypted/polymorphic malware; developing novel and more precise methods to detect botnets from measurements on various platforms; and, finally, ensuring an optimal (cost-effective) deployment on the premises of both NSP/ISP and critical infrastructure.
References
[1] T. G. Lewis, Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation, Wiley, Hoboken, New Jersey, 2006.
[2] R. Radvanovsky, Critical Infrastructure: Homeland Security and Emergency Preparedness, CRC Press, Boca Raton, Florida, 2006.
[3] U.S. Government Accountability Office, Critical Infrastructure Protection, 2008. Available from: http://www.gao.gov/new.items/d081157t.pdf
[4] S. Flynn, The Edge of Disaster: Rebuilding a Resilient Nation, Random House, New York, 2007.
[5] M. Amin, Toward self-healing energy infrastructure systems, IEEE Computer Applications in Power, 14 (1), (2001), 20-28.
[6] L. Janczewski, A. M. Colarik, Managerial Guide for Handling Cyber-Terrorism and Information Warfare, Idea Group, 2005.
[7] C. Wilson, Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress, CRS Report for Congress, 2008.
[8] NCSA Study, http://www.staysafeonline.info/pdf/safety_study_2005.pdf.
[9] Symantec Internet Security Threat Report (January-June 2004), www.symantec.com.
[10] The Danger of Spyware, Symantec Security Response, www.symantec.com, June 2003.
[11] Symantec 2006 Security Report, www.symantec.com.
[12] J. S. Tiller, The Ethical Hack: A Framework for Business Value Penetration Testing, CRC Press, Boca Raton, Florida, 2003.
[13] Y. Elovici, A. Shabtai, R. Moskovitch, G. Tahan, C. Glezer, Applying Machine Learning techniques for detection of malicious code in network traffic, The 30th Annual German Conference on Artificial Intelligence (KI-2007), Springer, LNCS 4667, 44-50, Osnabrueck, Germany, September 10-13, 2007.
[14] S. P. Gorman, L. Schintler, R. Kulkarni, R. Stough, The revenge of distance: Vulnerability analysis of critical information infrastructure, Journal of Contingencies and Crisis Management, 12 (2004), 48-63.
[15] L. C. Freeman, Centrality in social networks: conceptual clarification, Social Networks, 1 (1979), 215-239.
Section 2.2 Police and Military Force Operations and Approaches
Modelling Cyber Security: Approaches, Methodology, Strategies U. Gori (Ed.) IOS Press, 2009 © 2009 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-074-2-153
Protecting Critical Information Infrastructures: Domestic Experience and Competencies of the Postal and Communication Service of the Italian National Police
Domenico VULPIANIᵃ and Sergio STAROᵇ
ᵃ Director, Postal and Communication Police Service
ᵇ Head of the Section for International Relations, the Postal and Communication Service
Abstract. The Postal and Communications Police Service is the central agency of the Italian National Police that has been entrusted with the prevention of and response to the various and multiple forms of cyber crime; approximately 2000 officers are located throughout the Italian territory. The protection of national critical information infrastructures (hereafter C.I.I.) that support and operate the vital points of the community has recently been added to its competences. The possibility that the security of a country may be compromised by cyber attacks on C.I.I. of a terrorist or criminal nature represents a real threat that is presently felt at both the national and international level. In Italy, in particular, a twofold solution had to be reached: firstly, the prevention of and response to any type of cyber crime against C.I.I. computer systems and networks; secondly, the exclusive assignment of this task to a specialised agency. In fact, art. 7 bis of Law 155 of 31.07.2005 states that the exclusive competence of protecting the critical information infrastructures of national relevance is devolved upon the Postal and Communications Police Service. Following the enactment of the Minister of the Interior's Decree of 09.01.2008, a National Cyber Crime Centre for the Protection of Critical Information Infrastructures (Italian acronym, CNAIPIC) was instituted within the Postal and Communications Police Service. This Centre is equipped with high-technology resources and staffed with highly skilled personnel, and will be the sole office in charge of the prevention of and response to cybercrimes (common crimes, organised crime and terrorism) targeting national critical information infrastructures that have institutional functions or provide operating or controlling services strategic to the security and prosperity of the country.
Keywords. Critical Information Infrastructures, Postal and Communication Service of the Italian National Police, CNAIPIC, CNCPO, On-line Police Station
Introduction
The information society we live in relies essentially on computer science. In fact, all the processes necessary to its operation are created and managed by means of electronic tools and information networks. Those processes whose suspension could cause the disruption of the normal course of life in a country are considered to be critical. These processes are characterised by an increasing level of interdependence and interconnection, and therefore the companies and institutions that own the systems and networks related to those services are considered to be critical information infrastructures. The possibility that the security of everyday life in a country may be compromised by attacks on critical infrastructures, whether of a terrorist or criminal nature, is now a real threat. This scenario requires that a tangible and effective logic in the way governance is applied take into account all possible threats and attacks on a system’s security and its related interests and values. The attack may originate from common crime, organised crime, or terrorist and subversive criminal phenomena. The threat, endangerment or destruction of such a technological system, including the illegal removal of data and information used by the system, whether to gain an immediate profit (regardless of their intrinsic value) or to use them improperly for other purposes, today represents the criminal conduct that exposes the security and prosperity of the social system as a whole to the greatest dangers. Just as with the advances in technology, the approach to security has undergone a radical change. In this regard, the approach employed by the Postal and Communications Police Service (hereinafter referred to as PCPS), by virtue of its particular skill in preventing and combating cybercrime, is designed to achieve two fundamental objectives:
• the protection of "technological infrastructures", which, on the network, have a strategic importance for the security and prosperity of a country;
• the protection of network "users" and the assets they entrust every day to information infrastructures, with particular reference to crimes relating to the exploitation of children, identity theft and internet fraud.
1. The Protection of National Critical Information Infrastructures
Essential services to a country (water; electricity; gas; transportation, including roads, railways and air) are now provided via telecommunication networks, whose interconnection is a formidable tool that ensures high standards of quality in the supply of and access to services. The other side of the coin, however, reveals a context where the cascade effect is the main danger. A criminal or terrorist attack intended to hit a single node of the infrastructure network has the potential to reset the whole system to zero. This issue has been in the spotlight of the world community for some years: in several institutional forums on international cooperation (EU, G8, etc.) several initiatives for the analysis and in-depth examination of the problem are currently being adopted and carried out, and efforts are being made to establish shared operational models. In Italy, art. 7 bis of Law 155 of 31 July 2005, concerning "Urgent measures to counter international terrorism", exclusively devolves the task of protecting the cyber systems of the critical infrastructures of national interest to the PCPS, by virtue of its special skill¹. For that reason, a National Cyber Crime Centre for the Protection of Critical Information Infrastructures (CNAIPIC)² has been established within the PCPS; this is a type of privileged emergency service that, through exclusive and secure connections, shall receive and transmit information and data relevant to the prevention of and response to cyber threats and attacks on the systems of national critical infrastructures. The Minister of the Interior³, by means of a decree, has also taken measures to identify the national critical infrastructures that would benefit from the protection services provided by the CNAIPIC. Furthermore, the Department of Public Security has promoted, and continues to promote, together with public and private bodies that provide services considered essential for our nation, a number of agreements designed to establish shared protocols for staff training and for the actions to take in the event that computer incidents occur. The Department works in close cooperation, through the exchange of information, with other bodies involved in the protection of critical infrastructures at the national and international level. The CNAIPIC can also make use of particularly effective investigative tools, typically used in the fight against terrorism, such as undercover investigations on the internet and the preventive interception of internet and computer communications⁴. As a matter of fact, in 2008 the CNAIPIC:
• detected 228 cyber attacks on national critical information infrastructures;
• monitored 4712 websites;
• submitted 851 reports concerning the attacks or threats detected;
• and, finally, started 64 investigations into this phenomenon.
¹ Art. 7 bis, paragraph 1, of Law 155 of 31.07.2005, which converted L.D. 144 of 27.07.2005 with amendments, states as follows: "…being understood the competencies of information and security services, set forth in articles 4 and 6 of Law 801 of 24.10.1977, the agency of the Ministry of the Interior in charge of the security and regularity of telecommunication services shall also provide the protection of critical information infrastructures of national interest, identified by decree of the Minister of Interior, through privileged connections regulated by means of appropriate agreements with the owners of the infrastructures concerned".
² Art. 2 of the Minister of Interior's Decree dated 9 January 2008.
³ Art. 1 of the Minister of Interior's Decree dated 9 January 2008.
⁴ Art. 7 bis, paragraph 2, of the aforementioned Law 155 of 31.07.2005 states as follows: "For the purposes referred to in paragraph 1 and for the prevention of and response to terrorist activities and activities encouraging terrorism carried out by means of computer tools, the police officers serving with the agency indicated in paragraph 1 may perform the activities set forth in art. 4, paragraphs 1 and 2 of L.D. 374 of 18.10.2001, converted with amendments by Law 438 of 15.12.2001, and those set forth in art. 226 of the implementing, coordinative and transitional provisions of the Code of Penal Procedure, described in L.D. 271 of 28.07.1989, also upon request or in cooperation with the law enforcement agencies therein".

2. The Protection of Internet Users: The National Centre for Combating Child Pornography Online (CNCPO) and the On-line Police Station (Commissariato Virtuale)
Traditional forms of crime have evolved into and expanded to incorporate the concepts of computer crime and computer-related crime. These are criminal phenomena where information and communication technology plays a leading role within the legal system, both as the legally acknowledged and protected target of the illegal action and as the tool used to commit the offence. Against the background of this new criminal scenario, well-known figures of the Italian crime and terrorism scenes, such as Totò Riina, Raffaele Cutolo, Morucci and Renato Curcio, can rightly be replaced – in the popular imagination – by enterprising computer experts who, although very young and organised in loosely structured groups, have the same ambitions and determination as their predecessors. It is necessary to take into account the size of the Internet population, represented by millions of users, to get an idea of how serious the criminal impact might be on the so-called "global village". According to data provided by ISTAT (the Italian Statistics Institute), the use of computers and the internet by young people has increased exponentially in all age groups, and about 70% of 14-year-olds use them on a daily basis. This figure, although encouraging and satisfying in some respects, for its obvious positive impact on the social and cultural growth of our children, in other respects requires us to raise the security threshold to ensure that they and, more generally, the weakest individuals of our society do not become victims of cyber criminals while surfing the net. Online child pornography, internet fraud, hacking activities, distribution of malicious code, credit-card cloning, release of original works in violation of copyright laws, spamming and phishing are all new crimes that threaten the community and the assets related thereto. In order to counter such a widely diffused criminal phenomenon, an equally comprehensive strategy is necessary. For each of the aforementioned offences, not to mention the many others, the PCPS conducts various cybercrime prevention and response activities.
It does this with a staff of approximately 2,000 operatives that are divided into specialised units distributed across the country (20 regional departments and 76 provincial sections) and coordinated by the headquarters in Rome (the Service). The protagonists of this new approach are the National Centre for Combating Child Pornography Online (CNCPO) and the On-line Police Station (Commissariato Virtuale). These two functional units within the PCPS are responsible for monitoring criminal phenomena that, just as for terminal patients, are “treated” through constant specific response actions. The CNCPO was established by Law 38 of 6 February 2006, concerning "Provisions on combating the sexual exploitation of children and child pornography
D. Vulpiani and S. Staro / Protecting Critical Information Infrastructures
157
even through the Internet". 5 It contains several regulatory provisions aimed at increasing the capacity to prevent and combat the hateful scourge that is the sexual exploitation of minors. Firstly, it creates the possibility to arrest (optionally) the suspect, not only in the case an exchange of child pornography material takes place, but also for the mere possession of that material. Among the functions of the Centre is the compilation and update of a blacklist, i.e. a list of internet addresses leading to child pornography contents. The consequent requirement is for Internet Service Providers to implement it on their systems in order to prevent their users from accessing those contents 6. Currently, the blacklist contains 444 sites. Presently, ISPs also have the obligation to report to the Centre all companies or entities that, for any reason whatsoever, disseminate child pornography over their communication networks7 . Equally important is the relationship with the Bank of Italy for the identification, tracing and suspension of financial transactions related to online material produced by means of the sexual abuse of minors 8. The establishment of the aforesaid Centre represents the acknowledgement of the effectiveness with which, in the last few years, the PCPS was able to use the regulatory and technological instruments at its disposal to carry out both the daily and systematic monitoring of the internet, in order to study the continuous evolution of paedophile
5 In fact, art. 19 of the above-mentioned Law 38 of 06.02.2006 provides that, after art. 14 of Law 269 of 03.08.1998 on "Provisions against the exploitation of prostitution, pornography, and sexual tourism to the detriment of children, as new forms of slavery", an art. 14 bis is added, entitled "National Centre for Combating Child Pornography on the Internet", which states: "1) A National Centre for Combating Child Pornography on the Internet, hereinafter referred to as the "Centre", is established within the agency of the Ministry of the Interior indicated in paragraph 2 of art. 14, with the task of gathering all reports, also coming from foreign law enforcement agencies and from private and public bodies involved in the fight against child pornography, relating to websites disseminating, by means of the internet and other communication networks, material resulting from the sexual exploitation of children, as well as the operators and the possible beneficiaries of payments. All police officers are obliged to transmit these reports. Without prejudice to the actions and determinations of the J.A., in case of positive feedback the website reported, as well as the names of any possible operator and beneficiary of payments, shall be included on a list to be continuously updated. 2) The Centre takes advantage of the existing human, financial and instrumental resources. The constitution and the operation of the Centre should not bring about new or increased burdens on the State budget. 3) The Centre shall notify the Presidency of the Council of Ministers - Department for Equal Opportunities - of all information and statistics relating to child pornography on the Internet, useful for the preparation of the National Plan for the prevention of and response to paedophilia and the annual report referred to in art. 17, paragraph I".
6 This procedure is governed by art. 14 quater of Law 269 of 03.08.1998, as introduced by the above-mentioned art. 19 of Law 38/06.
7 This obligation is set forth in art. 14 ter of Law 269 of 03.08.1998, also introduced by the above-mentioned art. 19 of Law 38/06.
8 The procedures in question are governed by art. 14 quinquies of Law 269 of 03.08.1998, also introduced by the above-mentioned art. 19 of Law 38/06.
D. Vulpiani and S. Staro / Protecting Critical Information Infrastructures
websites and their users, and a constant response activity using exclusive undercover techniques.9 Over the past six years, in fact, through complex investigations conducted by police officers specialised in computer science, electronics, telecommunications and psychology, 4450 subjects have been identified and reported to the J.A., and 238 have been arrested. In our country 177 child pornography websites have been discovered and inhibited, while 10,977 more sites with the same contents, whose servers were located abroad and unreachable by the Italian justice system, were reported to the competent foreign law enforcement agencies. From the operational-investigative point of view, the growth of cybercrime has required a review of the strategies used to fight this phenomenon, thus highlighting the need for forms of closer cooperation among police agencies in the world, and the need for shared technological tools of investigation. Essentially, in order to achieve more satisfying results we need to move beyond investigative approaches that are excellent but not homogeneous, and adopt more coordinated, accurate and harmonised strategies, all the while respecting the autonomy of each single State. The indispensable requirements for this change to take place are:
• standardised international regulations;
• a shared course of action;
• a constant, real-time exchange of data and information;
• and, above all, common software using the same "language".
In our country, the attention given by the law-making authority to cybercrime has always been timely and effective. As a matter of fact, the Italian legal framework has been supplemented with regulations in line with the evolution of this criminal phenomenon since 1993,10 the year when law provisions intended to punish cybercrimes were introduced into our legal system.
At the international level, with the ratification of the Convention on Cybercrime,11 signed in Budapest on 23 November 2001, Italy came to the forefront in the prevention of and response to cybercrime. As for the shared investigative software, an important role can be played by private industry; in particular, Microsoft developed the Child Exploitation Tracking System (CETS) following the suggestions and indications of various law enforcement agencies, including the Italian police force. This has created an international police network to
9 In fact, art. 14 paragraph 2 of Law 269 of 03.08.1998 states: "As part of the tasks pertaining to telecommunication policing, as defined by the decree referred to in art. 1, paragraph 15 of Law 249 of 31.07.1997, the agency of the Ministry of the Interior entrusted with the security and regularity of telecommunication services shall perform, upon reasoned request of the J.A., the activities necessary to respond to the crimes, referred to in art. 600-bis, par. 1, art. 600-ter, par. 1, 2 and 3, and art. 600-quinquies of the Penal Code, committed through the use of computer systems, or telematic means of communications or telecommunication networks publicly available. For this purpose, the personnel in charge can use covert data even to activate websites, implement and run communication areas or exchange on networks or systems, or to participate therein. The above-mentioned specialised personnel performs for the same purpose the activities described in paragraph 1 also via the internet".
10 Law 547 of 23.12.1993 concerning "Amendments and additions to the Penal Code and Penal Procedure Code regulations on Cybercrime".
11 Law 48 of 18.03.2008 "Ratification and implementation of the Council of Europe Convention on Cybercrime, signed in Budapest on 23.11.2001, and national rules of procedure". At the international level, Italy is in the forefront in the prevention of and response to cybercrime.
counter paedophile networks. Relying on their national experiences, cybercops should be closely cooperating and communicating with one another, using the same language and the most advanced investigation "protocols", which are a result of the various courses of action taken in each respective country. Still, in terms of strategies to combat cybercrime, with child pornography online representing its most hateful form, it is important to stress the need for ever more effective forms of collaboration between institutions and civil society. The creation of the Police Station online within the PCPS was an important step forward. This is a web portal that offers the "surfing citizens" a wide range of services: areas for an in-depth view of cybercrime regulations, chat lines and interactive forums to discuss issues related to cybercrime, and opportunities for web users to report an offence or simply inform the Postal and Communication Police about criminal events they have been victims or witnesses of. From 15 February 2006 to 10 March 2009, the portal of the Police Station online (www.commissariatodips.it) was visited by 1,281,774 people in Italy, 183,246 European users and 85,062 web surfers from the rest of the world. These cybernauts have submitted 36,067 requests for information and reports, mainly relating to 33,906 cases of phishing, child pornography, hacking and e-commerce. The Department of Public Security intends to further develop this site, which is particularly appreciated by users for its innovative quality when compared to the traditional forms of the relationship between citizens and the police. In fact, with the online Police Station, citizens feel like they are "protagonists" in the defence of their own interests and safety, and not only passive "targets" of the criminal threat.
References
[1] S. Amore, V. Stanca, S. Staro, I crimini informatici: Dottrina, Giurisprudenza e Casi Pratici di Indagine, Halley editrice, Macerata, 2006.
Modelling Cyber Security: Approaches, Methodology, Strategies
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-160
Fighting Terrorism in Cyberspace
Colonel t.ISSMI Giovanni CATALDO
Head of the Organized Crime Office of Carabinieri General HQ - Rome
Abstract. The theme of the discussion is very topical due to the fundamental role that cybernetics and data transmission play in our everyday life. Often, each technological innovation brings, along with the benefits, risks for society at large. The Carabinieri are working in today’s global scenario, sure that the only effective way to fight terrorism is through the concerted, coordinated and cooperative efforts of all possible resources, in the areas of intelligence and investigations, where the control of the territory, both real and virtual, plays a pivotal role.
Keywords. Cyber-crime, international terrorism, internal subversive organisations, control of virtual territory, virtual sanctuary.
Introduction
I would like to thank Professor Gori for giving me the opportunity to illustrate in this prestigious setting the efforts of the Italian Carabinieri Corps in the fight against terrorism in Cyberspace. The theme of today’s discussion is very topical due to the fundamental role that cybernetics and data transmission play in our everyday life. Frequently, each and every technological innovation brings with it not only benefits, but also risks for society at large. The threat which comes from the illicit use of the Internet does not stop at the most obvious effects of “cyber-crime”, such as tele-fraud and the presence of child pornographic sites on the net. The potential power offered by the internet has been used, in fact, by terrorist groups of different natures, means and ideologies, to various ends: to obtain visibility, to maintain high levels of intimidating pressure through the media, to organise activities, to search for information, and to recruit new members. These strategies have been confirmed and demonstrate the rising use of the web by internal subversive and international organisations, to plan and carry out attacks, to pass documents between members and to sustain public “campaigns”.
1. Internal Subversive Groups
Analysis of extremist projects revealed a steady increase in the use of Information and Communication Technology by the Marxist-Leninist Italian organisation, “the Red Brigades”, and by the pro-anarchist wing of internal subversive groups. The Red Brigades of the Combatant Communist Party (B.R.-P.C.C.) claimed responsibility for the murder of Marco BIAGI (killed on March 19, 2002 in Bologna) in an e-mail sent from a mobile telephone to several hundred addresses. The Federazione Anarchica Informale (FAI), or Informal Anarchist Federation, an informal militant team, may be the most dangerous group in Italy. From the first terrorist attacks that took place in Bologna, Italy at the home of the former President of the European Commission, Romano Prodi, in December 2003, the Internet was used as a means of communication between the local members of the group to
spread its plans and organise the attack. Thanks to the Internet, the group was able to organise a well-ordered structure.
2. International Terrorism
For international terrorism, the web has become of crucial importance in maintaining contact and giving orders to the cells situated in different locations across the globe. During Operation “Tracia”, which was conducted against a Kurdish organisation (DHK-PC) active in Turkey, the Carabinieri Corps was able to demonstrate that the operational cells, one of which was located in Italy, used the internet to exchange encrypted and camouflaged files. It was necessary to analyse the encryption program in order to isolate parts of the code key, after which an attack (the so-called ‘brute force’) to recover the password was carried out. The internet was also used to disseminate proclamations claiming responsibility for the attacks; these were sent from Perugia, Italy to a newspaper editor in Turkey. The investigation that was opened after the terrorist attack in Nasiriya verified that the internet was also used by the terrorists in charge of this criminal act. Many open sources, in particular websites that specialised in Islamic terrorism, had given out information on the presence of an Abu Musab Al Zarqawi file entitled “Winds of Victory” that was circulating on the internet. The video, produced by the “Section for Propaganda” of the “Jamaa al Tawhid wal Jihad” (Monotheism and Holy War Group), explained the religious ritual that was adopted by the “martyrs” to prepare themselves for suicide missions targeting the American and Coalition Forces in Iraq. On one hand, the document publicised the operational capacity of the organisation and encouraged the inflow of mujahiddin to Iraq. On the other hand, through the violence and brutality of the message, the document was intended as a warning to its enemies. At the same time, the movie explained the religious rituals that were celebrated by “shahid” before their suicide missions against the civilian or military targets selected by the organisation.
Actions in the various scenes reflected the preparation of the attacks, the moments that preceded them, the distance covered by the “shahid” up to the destination and the explosion at the target of the attack. Among the terrorist acts listed in the movie, we found the attack on the military base “Maestrale” on 12 November 2003, and the one against the headquarters of the UN in Baghdad on 19 August 2003. The multitude of possibilities that cyberspace offers are exploited by international terrorist groups that use the web as a means to asymmetrically spread conflict from its traditional, physical battleground to the virtual territory of cyberspace. The Net has proven to be an efficient instrument for communication, recruitment, financing and training. These groups frequently take advantage of the so-called “deep web”,1 in other words, the use of compressed files that are not normally detectable with the usual search engines and access to which is limited to users who possess the relevant keywords and knowledge of the specific information pathways. We must not forget, in fact, that for terrorism to develop on an international scale, the media are an essential element. Frequently, the very act of media reporting is exploited as a form of propaganda by terrorist groups, in that by covering events, the media are able to rapidly reach an unlimited number of people, thus publicising the success or failure of an attack, or simply allowing the terrorists to see the effect that
1 “Deep web” is used to avoid normal checks or controls and is based upon compressed and hidden files. Log-in is limited, and it is necessary to know passwords or specific paths to access the information.
their actions have had. In this way, the traditional media, such as television and radio, are among the tools that, if used to influence the public (in this case, a passive spectator), do not guarantee interaction with the structure. On the contrary, the Internet can be the point of interactive convergence for militants, who gather on the web in a "virtual sanctuary", which enables them to communicate without high risks and to find training and indoctrination manuals. Therefore, the internet can easily be used in compliance with terrorist logic because it can be used to radicalise, to recruit and to train activists. The Internet has become an essential tool, for the strategy of Al Qaeda in particular. The strategy is essentially to engage the countries of the Western world in a “permanent jihad”, or long-term war, in multiple crisis theatres, with the ultimate intention of eroding the sense of security and destroying alliances in the targeted countries. The Net perhaps represents the main tool with which Al Qaeda’s ideology can be spread to achieve a sort of “jihad of the word”. It is the way through which a doctrinal, psychological and terminological manipulation of the holy texts and tradition may be used to motivate suicide attackers, the protagonists of the so-called “jihad of the sword” against the West. The interest of the Al Qaeda terrorist organisation in the media sector is confirmed by the increasing quality of their audio and video products. These are often tailored to the different people they are targeting, and present international events in such a way as to demonstrate the supposed Western design to persecute the Islamic world. The primary efforts made have been in the fields of propaganda and indoctrination. They are aimed at the radicalisation of the Islamic community in both countries of Muslim faith and the West, and often specifically target young people. In addition, European countries are also facing the threat of “home-grown” terrorism.
What is “home-grown” terrorism? “Home-grown” terrorism is a form of terrorism which primarily involves “second generation” immigrants who, although perfectly integrated into society and not participating in fundamentalist groups, are driven by intimate and personal convictions and religious pressures to act in the name of the Islamic ideal. This form of terrorism recruits its members mostly within the heterogeneous components of the virtual community that wish to partake in acts of violence and which use the web to strengthen and reinforce their contacts and ties. Through the use of the internet, fundamentalist terrorism has attempted to influence public opinion and the political resolutions of governments, while conducting kidnappings in theatres of crisis. In February 2006, the Net was used to direct protest demonstrations in different Muslim countries against the publication of political cartoons in some European newspapers, which were claimed to be blasphemous towards the Islamic religion.2 Recently, the notification of the eventual broadcast of an anti-Koran video on the web was enough to cause apprehension and fear of possible violent reactions.
3. Fighting Cyber-terrorism
Specialised units of the Carabinieri are engaged in the fight against cyber terrorism and are trained to use the latest telecommunication interception technology. This monitoring activity made it possible to identify and locate internet sites where the visitor is invited to join an “electronic jihad”, in other words, the attack and destruction of websites considered to spread messages that are offensive to Islam. This kind of propaganda has the potential of developing into concrete actions of information sabotage. The info-investigative activities that were conducted by monitoring the net revealed how the terrorist cells are composed and how they disseminate their lessons. Documents have been uncovered regarding precise indications of the organisation of a terrorist attack involving explosives, as well as the successful execution of ICT exploits. In the security system, no police force or intelligence agency is exclusively in charge of monitoring Internet sites containing terrorist contents. An active contribution aimed at prevention is made by each police force and information agency within its own competence. Apart from the role played by the Judicial Authority in the investigation, coordination in the prevention phase is managed by the Minister of the Interior, through the National Authority for Public Security, which uses the Anti-terrorism Strategic Analysis Committee. In this commission, positive synergy is reached between the various institutions in charge of developing action to fight terrorism. These actions are decided in weekly joint meetings between the Central Director of the Prevention Police, the chief of the II Division of the Carabinieri General Headquarters, delegates from the directors of AISI3 and AISE4 (the two Italian intelligence services), a representative of the Department of Penitentiary Administration and an officer of the General Headquarters of the Guardia di Finanza (Anti-Fraud Force). During the meetings, particular attention is paid to monitoring Jihadist sites. While monitoring activities are carried out during the preventive and informative police activities and before investigations, an internet site may be shut down only after a judicial decision has been made.
2 In Denmark, on February 12, 2008, three persons suspected of being involved in the organisation of the attacks against the authors of the “blasphemous” cartoons were arrested.
This can happen only once an investigation has verified the presence of illicit contents on the site. The use of the internet by terrorist groups is considered a concrete threat for the security of the European Union as well. Therefore, the European Police Office (Europol) has, since 2006, implemented a specific project, “Check the web”, in order to raise the levels of police cooperation in this sector. The goal is to establish a form of common elaboration and consequently a common approach to fight terrorism. The Carabinieri actively take part in this project. This is not a spontaneous initiative, but a decision that was taken in conformity with the Force’s institutional objectives, which are to increase the levels of control over the territory, in a virtual sense (like cyberspace), and to increase investigative quality. In this fight against terrorism, activities must be directed in such a way as to prevent the biased use of the web; the error of associating or confusing the Islamic world with terrorism must be avoided. In this type of struggle, we must acquire familiarity with different agents, not only from the intelligence point of view, but also from a cultural one. However, technology is not enough; human resources capable of fighting these activities are essential and must be developed. For this reason, many specific courses of
3 AISI - Agenzia Informazioni e Sicurezza Interna, the Italian Internal Information and Security Agency
4 AISE - Agenzia Informazioni e Sicurezza Esterna, the Italian Foreign Information and Security Agency
varying levels have been organised to learn the Arabic language and culture, including internships in Qatar and Tunisia. This is the perspective in which the Carabinieri are moving in today’s global scenario, sure that the only effective way to fight terrorism is through the concerted, coordinated and cooperative efforts of all possible resources, in the areas of intelligence and investigations, where the control of the territory, real and virtual, plays a pivotal role.
Modelling Cyber Security: Approaches, Methodology, Strategies
U. Gori (Ed.)
IOS Press, 2009
© 2009 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-074-2-165
Cyberspace Control: How to Avert a Cyber World War
VADM (ret) Ferdinando SANFELICE di MONTEFORTE
Abstract. Just as with the air and maritime domains - namely those geostrategic spaces where police authorities are unable to carry out law enforcement activities independently without military assistance - cyberspace could also become the object of military attention, from the moment that, like the other two, it is an environment where adversarial activities can be carried out by state or state-sponsored actors within the framework of international controversies among states. Due to the fact that the military was the first public sector to take serious steps toward ensuring adequate levels of security on its IT systems, and therefore holds an advantage in this field, military participation in questions of cyber security at the national and international levels could potentially be beneficial for all state agencies concerned with security issues of this nature.
Introduction
The most recent Declaration on Alliance Security (DAS), issued by the NATO Heads of State and Government at the end of the Strasbourg-Kehl summit in April 2009, has inserted cyber attacks among the “new, increasingly global threats” which our nations and the world are facing, together with terrorism, the proliferation of weapons of mass destruction, and their means of delivery. Some sceptics may remark that such wording takes one step closer to a sort of dangerous snowballing of the cyber security issue since the Estonian IT networks were first attacked a few years ago. The fact that both commercial and state-owned nets were hit hard, thus temporarily bringing not only these networks to their knees but also the Nations themselves, has, quite understandably, deeply worried all NATO statesmen, fearful of finding their own nations under similar stringencies, which could hit them in particularly sensitive moments of their political or economic life. Thus, the DAS has been drafted with the inclusion of this new, strong and almost bellicose wording on cyber attacks. These concerns, though, are further complicating a situation where – it is sad to say – strategic mistakes, outlined below, have piled up to such an extent that the whole problem may be likened to a Gordian knot, difficult to untangle without cutting it in one straight and direct move.
1. The Historical Development of the Use of Cyberspace
It is fair to say that when the impulse to use the extensive resources made available by Automatic Data Processing within a network context became incessant, the private and public sectors decided to maximise the exploitation of these new possibilities. This was, of course, natural for individuals, who found in the Internet a new and most convenient way to communicate with others. This new impulse to use the Internet as a means of communication was especially motivated by the inherent limitations of the classical mail system and the telephone (fixed or cellular).
This novelty was indeed extremely promising, also for profit-seeking corporations, such as industries, banks, and contractors, for a variety of reasons. Primarily it allowed them to increase their efficiency, to simplify their structure, to hire fewer employees, and to achieve an easier and more effective customer-provider relationship. It is worth mentioning, however, that both these kinds of actors, by adopting the networked approach, were fully aware that there were naturally some risks that would come with such a choice. The service was provided, in fact, by a number of commercial firms, which operated within the free-market space. They were thus exposed to the dangers linked to the possibility that someone could use countermeasures to check and slow their success, as well as try to exploit the new facilities, for petty or major criminal purposes, at the customers’ expense. Government bodies throughout the world were also quick to discover that these new and revolutionary electronic tools were instrumental in dramatically enhancing their effectiveness. Unfortunately, due to both budget restrictions and an inability or lack of determination to rapidly modernise their structures, many governments decided to forego operational security and to walk along the slippery road of “Commercial Off-The-Shelf” (COTS) systems. Another reason for which governments were hesitant to make the necessary investments was that these systems were undergoing such significant improvements, every two to three years, that governmental procurement procedures would never have been able to keep pace with the ongoing progress.
The predictable overall result of such widespread favour for these COTS systems, by a multitude of entities, has been the consequent bonanza for spies, jammers, hackers – namely those willing to undermine the credibility of existing networks – and all those having a vested interest in muddling the cyber-waters, be they sponsored by other states, or be they industrial corporations, individual adventurers or businessmen. All of them have enjoyed the great advantage of being able to acquire on the market the very same systems as their intended victims, and have therefore been able to study their weaknesses and vulnerabilities in depth before acting at the chosen moment.
2. Cyber Security Measures, a General Context
As a consequence, cyberspace has become a virtual version of the Wild West. It is worth bearing in mind that among the reasons for this is the global nature of the phenomenon; the “bad guys” are diffused in all parts of the world, the hardware and software providers are multinational firms, and the multitude of offered services knows no boundaries. As long as no competent and official Authority exists with the global range of action that these actors have, the rules of the game remain unclear to everyone; where they exist, they either differ from state to state, or are not endorsed by all. Lastly, there is no effective control at the international level, with the exception of horizontal coordination among like-minded countries. Essentially, Western governments realised that they had plunged head first into a great predicament without a parachute. It was then that governments began to adopt corrective measures, at least for their military instruments and top-level decision-makers, to improve their degree of operational security. Similar actions have been taken by some international organisations, with the very same rationale. Cyber security is such a general and cross-agency requirement that a new thriving business rapidly sprang up, in which the firms that had been hired to increase the cyber security levels of several governments took their know-how and used it to the benefit of other customers, be they governmental, commercial or private citizens.
It is fair to say that, in the field of cyber security, state actors avail themselves of two technical approaches in particular. The first is to have a good encryption system put in place. Encryption is coupled with the use of specially hardened computers (to make them more resistant to external intrusion), and, in addition, those networks that handle sensitive data and information are physically separated from the greater network. Nevertheless, not everybody can implement this complicated and expensive approach; many, therefore, will necessarily continue to rely on COTS computers that are connected to and through the Internet, albeit with encryption devices, and will be exposed to all of the related inconveniences and vulnerabilities that this entails, for years to come. Encryption is not all that is required to protect networks, and Estonia and Georgia are only the first two instances of what may happen to those states that do not take more prudent measures, such as those described above. But the case of these two countries has raised another serious problem, which is fraught with potentially dangerous consequences. All hindrances to networked systems, as well as all instances of unlawful use of the Internet, were up until this moment considered to be law enforcement issues and, in many nations, fell under the jurisdiction of the judiciary pillar and state police, who carried out criminal investigations, often supported by Interpol structures, whenever required.
3. Cyber Security, the International Context and the Role of the Military
In the case of the cyber attacks on Estonia and Georgia, however, suspicions were raised that the massive cyber attacks were part of another state’s reaction to events within these countries that were undesired by that state. Should this suspicion be confirmed beyond any reasonable doubt, this could imply that electronic warfare, namely what was already defined several years ago as “soft kill” activity, will have found yet another domain for its application in the world of interstate conflicts and – what is worse – any massive disruption of networks in a country may be attributed to another state’s actions. Therefore, how the cyber misfits can be kept under control beyond the criminal investigation level is an issue that must be considered in depth by governments, since it has become an issue for national security as a whole. Fortunately, the possibility exists to apply approaches that have already proved effective in similar cases. Just as with the air and maritime domains - namely those geostrategic spaces where police authorities are unable to carry out law enforcement activities independently without military assistance - cyberspace could also become the object of military attention, from the moment that, like the other two, it is an environment where adversarial activities can be carried out by state or state-sponsored actors within the framework of international controversies among states. Due to the fact that the military was the first public sector to take serious steps toward ensuring adequate levels of security on its IT systems, and therefore holds an advantage in this field, military participation in questions of cyber security at the national and international levels could potentially be beneficial for all state agencies concerned with security issues of this nature.
Cyberspace, though, is characterised by a specific problem, which is not as relevant for the air and sea domains. In each nation, a number of firms have been used for centuries to provide essential collective services, such as the electric companies. Apart from causing losses and damages, the magnitude of which has already been experienced during the periodic “black-outs” resulting from occasional events and
mistakes, any attack against such infrastructures could cause the Nation to enter into a state of temporary chaos. Setting this peculiarity aside, by going into depth and examining how the military carries out its activities in the air and at sea, the multiple and varied approaches to problems, as well as a form of labour division that the military employs, become readily apparent and could conceivably be applied, as a template, to cases regarding cyber security as well. On one hand, surveillance, control and coordination are normally delegated to international organisations, and NATO is often in the front row. On the other, every state continues to independently carry out its own protection and enforcement activities; each state maintains its sovereign rights and exclusive duties over its own resources and assets and hoists its own flag on such, wherever they might be, as well as over its own territorial air and maritime spaces. This activity is carried out in coordination with others, where and when friendly relations exist between them. Of course, bilateral or multilateral agreements among states improve this situation, ensuring that the spaces belonging to smaller states enjoy a higher degree of protection and control, which is exerted by larger and more powerful countries on their behalf, and through a timely coordination with them. Another complementary feature that is adopted to tackle the problems of the wide international spaces, especially when fighting a mix of potential aggressions and international organised crime, has been the inter-agency approach. This approach mobilises special expertise, procuring great advantages for the concerned states. This is particularly the case for drug enforcement in some regions, such as the Caribbean. 
Nonetheless, to make a long history short, all attempts to collectively use the world's navies and air forces, to say nothing of international police enforcement activities, to protect global commercial trade and air traffic, as some nations are proposing, have so far met with a flat refusal by all the governments concerned. This attitude was already apparent during the first Gulf War, and has been confirmed by the most recent decisions taken in the counter-piracy activities off Somali waters. This approach has clearly left many gaps, especially in the maritime domain, where merchant vessels flying flags of convenience have become the rule rather than the exception, and these gaps have, for instance, only served to encourage piracy to flourish again. To date, no change to the present state-centric approach to the air and maritime domains is in view, and, most likely, there will be no exception in the approach chosen to handle global threats related to cyberspace, that virtual yet vital space, as it has been defined by the NATO Declaration on Alliance Security.
4. Preliminary Considerations and Proposals

But let us make some preliminary considerations, which may help to start reflecting in depth on the cyber security issue. First and foremost, even now it is almost impossible to catch another state in real time while it still has the cyber "smoking gun" in its hand. Even if we do not know all there is to know about the recent cyber attacks, it is at least proper to assume that proxy agents have been, and will be, used by states willing to inflict this kind of damage on others; these measures effectively hide the true culprits. This sort of activity is seldom carried out independently of a serious dispute among states. This basically means that there is an interval of time available during the initial stages of the crisis, which allows some monitoring and preliminary damage-control actions to be prepared. It is worth asserting that self-defence against any sort of cyber attack is a key responsibility of each state, which in some cases may decide whether or not to extend these defence measures to the industries most relevant to the state's overall good functioning (i.e. critical infrastructures, such as the electric companies, transportation, communication networks and water supply). In addition, the fact that the principals are generally not easy to detect means that any justification for a timely and proportional retaliation using classic measures is difficult, if not impractical, in that it could needlessly complicate international relations, with the added risk that such actions meet with the disapproval of the public opinion concerned. Second, in our countries, civilian control over military activities is an unquestioned rule, and rightly so. Cyberspace, however, is far too specialised a domain to allow swift political decisions on retaliation to be taken, at least in our times. Therefore, special decision-making support agencies, provided with politically endorsed and clear terms of reference, need to be established in order to allow these cases to be handled effectively and efficiently. Third, a monitoring system capable of spotting state-sponsored cyber attacks has to be put in place. Despite the increasing worldwide trend to outsource, this monitoring activity cannot easily be delegated to commercial firms; the risk that a provider may "cry wolf" to disqualify a competitor would always loom over the decision-makers at the political level were such outsourcing to be used. It must be noted that, to date, no key activity has been outsourced by states that have in the past chosen to sign outsourcing contracts with multinational firms. Last but not least, the high costs of any monitoring system may discourage several countries from undertaking this sort of development on their own.
It is fair to say, therefore, that a convenient solution for many nations may be to delegate such monitoring activity to collective security organisations, as is the case with NATO, which has been given responsibility in the air domain for decades, and more recently in some maritime areas. Incidentally, NATO expertise is already drawn upon whenever states require assistance for cyber protection, thus benefiting all. Research and development activities aimed at enhancing the security of national activities of great public interest are also most conveniently carried out through multinational cooperative projects. The cyber sector allows many of these possibilities to be realised, within either the NATO or the EU/EDA contexts. Even if the choice of one or the other organisation is a matter of policy, it is worth noting that while NATO has much expertise, the EU is multi-disciplinary and is therefore better equipped to handle the issues involving non-military, state or local agencies and key infrastructures, in accordance with the wishes of its Member States. All things considered, great potential for collaboration exists between these two international organisations, provided the two structures are willing to share their know-how. The big question, though, concerns confrontational activities, such as retaliation. Everybody should consider what the political implications of a collective response would be, even were it to be "in kind" to adversarial acts carried out against a single state. As in the air and at sea, individual nations are the most appropriate actors to carry out this sort of action, which cannot be considered separately from other political factors.
Conclusion

To conclude, the cyber dimension presents problems quite similar to what happens in the air and at sea; therefore, the approach to manage, nay, to control this domain could be the same: individual countries decide to what extent their non-military agencies and key infrastructures have to be protected, cooperative developments might be beneficial in finding valid solutions to carry out prevention by stepping up security, and international organisations could help by managing the monitoring structures. Nonetheless, any temptation to retaliate, be it in kind or not, is a serious decision, where single governments must decide in isolation and be ready to carry the weight of the responsibilities that come with their decisions, in that responsibility for unilateral actions cannot be spread around even among friends. By taking such a multifaceted approach, countries might be able to avoid being mauled by others, be they other states or criminal organisations, and the Western Community will avoid the risk of another "cyber-Serajevo", which is a clear and present danger that has to be prevented at any cost.
Section 3 European Measures and Legal Aspects
Modelling Cyber Security: Approaches, Methodology, Strategies U. Gori (Ed.) IOS Press, 2009 © 2009 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-074-2-173
The Role of Europe in Matching Today's Asymmetric Threats
Giancarlo GRASSO
Senior Adviser to the President of Finmeccanica
Abstract. If one Member State imposes rigorous security standards in relation to a particular cross-border infrastructure, that infrastructure and the services it provides will still be vulnerable if another Member State does not impose adequate or similar measures of protection on its side of the border. Although each Member State has the responsibility to protect the critical infrastructure present under its jurisdiction, it is crucial for the security of the European Union to make sure that the most important infrastructures that have an impact on two or more Member States, or on a single Member State in the case that the critical infrastructure is located in another Member State, are effectively protected, and that individual Member States are not rendered vulnerable because of the existence of lower security standards in other Member States. In today's context of new dangers, but also new opportunities, the strong commitment demonstrated by Member States to give the enlarged European Union the tools it needs to make a major contribution to security efforts and stability within a context of well governed countries in and around Europe and in the world is stronger than ever.
1. Security, the First Priority of the European Citizen

A possible definition of an asymmetric threat reads [1]: "a broad and unpredictable spectrum of military, paramilitary, and information operations, conducted by nations, organizations, or individuals or by indigenous or surrogate forces under their control, specifically targeting weaknesses and vulnerabilities within an enemy government or armed force". In order to broaden this definition, the following consideration must be made: one of the basic responsibilities of the European Union and its Member State governments is to ensure the security of its citizens. The Treaty of Lisbon [2] states that Europe has to be an area free of internal borders, based on the principles of transparency and democratic control, of freedom, security and justice. Therefore, whoever and whatever opposes all of the above has to be considered an asymmetric threat whose objective is to trigger asymmetric conflict. We Europeans must defend ourselves, our values, principles and goals. We must develop the capacity to act and react so that we may be regarded as a significant participant by our partners in the international arena. To achieve this goal, close cooperation among countries and international organisations has to be reinforced. However, there is a price that cannot be expressed simply in monetary terms.

[1] "The Asymmetric Threat", M. L. Kolodzie, USMA; http://www.almc.army.mil/alog/issues/JulAug01/MS628.htm
[2] For the full text of the treaty: http://europa.eu/lisbon_treaty/full_text/index_en.htm
G. Grasso / The Role of Europe in Matching Today’s Asymmetric Threats
2. Obtaining Security and Respecting Freedom and Privacy

Privacy is one of the most powerful fundamental ethical values in Western cultural history. It organises a broad spectrum of knowledge and cultural practice, from politics to law, from health to hygiene and sexuality, from family relations to commerce. Its moral core, it is argued, has given rise to social principles such as autonomy, integrity and independence. These values form the foundation of today's shared understanding of human rights, citizenship and civic obligation, and are at the core of European civil life. Closely related to the notion of privacy as the inviolate, that which is personal, is the notion of privacy as intimacy. Ideas like love, friendship, loyalty and trust are only possible in relation to some sort of assurance of privacy. Directive 95/46/EC (on the protection of individuals with regard to the processing of personal data and on the free movement of such data) [3] was developed to harmonise national provisions in this field and states: "Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data". In this Directive, the classical concept of privacy is transformed into the notion of organised information relative to a single person, i.e., the intimate knowledge of the individual: personal data. The assumption that one has the right to control knowledge about oneself no longer holds true. Personal data are no longer personal, but rather transportable, commercial, marketable. At the same time, the EU Member States have the responsibility both to protect the privacy of the European citizen and to ensure their security. It is generally conceived that security and privacy are in opposition, and it is often said that there is a zero-sum game between the two, in which an increase in security comes only at the cost of a decrease in privacy and vice versa.
European citizens, it is often suggested, enjoy less and less privacy as technological developments allow an ever growing invasion of the private sphere. This zero-sum view of security and privacy is not inevitable. Technology is capable of improving compliance with the principles that protect an individual's privacy. It could empower individuals by giving them easier access to, and control over, information that directly pertains to them. It would allow them to decide how, when and which parts of their personal data could be disclosed, to whom and for which uses. The best protection for individuals is that their personal information is only collected where it is considered to be essential. Privacy enhancing technologies (PETs) have traditionally been limited to pseudonymisation tools: software and systems that allow individuals to withhold their true identity and only reveal it when absolutely necessary. Examples of a more extensive approach to privacy enhancing technologies include:
- encrypted biometric access systems that allow the use of a fingerprint to authenticate an individual's identity, but do not retain the actual fingerprint;
- secure online access for individuals to their own personal data, in order to be able to check its accuracy and make amendments;
- software that allows browsers to automatically detect the privacy policy of different websites and compare it to the preferences expressed by the user, highlighting any incompatibilities; and
- 'sticky' electronic privacy policies that are attached to the information itself, preventing it from being used in ways that are not compatible with the aforementioned policy.

[3] http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf
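The last two tools in the list above, a browser-side policy check and a "sticky" policy, are the ones that reduce most directly to code. The following is an added example, not code from the chapter or from any of the products it alludes to: a policy matcher that reports every incompatibility between a site's declared data practices and the user's preferences (rather than a bare accept/reject), and a personal-data record that carries its own policy and refuses any use outside it while keeping an audit trail. The policy vocabulary (purposes, recipients, retention ranks), the class names and the two sample site policies are all constructed for this example and are not taken from Directive 95/46/EC or from any real site.

```python
"""Added example: a P3P-style preference check and a sticky-policy record.
The vocabulary and sample policies below are constructed for illustration."""
from dataclasses import dataclass, field

# Retention classes ordered from least to most intrusive (constructed ordering).
RETENTION_RANK = {
    "no-retention": 0,
    "stated-purpose": 1,
    "legal-requirement": 2,
    "indefinitely": 3,
}


@dataclass(frozen=True)
class Policy:
    """What a site declares it will do with the data it collects."""
    purposes: frozenset      # e.g. {"service-delivery", "marketing"}
    recipients: frozenset    # e.g. {"ours", "third-parties"}
    retention: str           # one of RETENTION_RANK


@dataclass(frozen=True)
class Preferences:
    """The most a user is willing to accept."""
    allowed_purposes: frozenset
    allowed_recipients: frozenset
    max_retention: str


def check_policy(policy: Policy, prefs: Preferences) -> list:
    """Return every way `policy` exceeds `prefs`; an empty list means compatible.

    Set differences catch purposes and recipients the user never agreed to; the
    retention check compares ranks, so a shorter retention than the maximum passes.
    """
    problems = []
    for p in sorted(policy.purposes - prefs.allowed_purposes):
        problems.append(f"purpose not allowed: {p}")
    for r in sorted(policy.recipients - prefs.allowed_recipients):
        problems.append(f"recipient not allowed: {r}")
    if RETENTION_RANK[policy.retention] > RETENTION_RANK[prefs.max_retention]:
        problems.append(
            f"retention too long: {policy.retention} exceeds {prefs.max_retention}")
    return problems


@dataclass
class StickyRecord:
    """Personal data bundled with the policy it was collected under.

    use() is the single enforcement point: data is released only for a
    (purpose, recipient) pair the policy names, and every attempt, permitted
    or not, is appended to the audit trail.
    """
    subject: str
    data: dict
    policy: Policy
    audit: list = field(default_factory=list)

    def use(self, purpose: str, recipient: str) -> dict:
        permitted = (purpose in self.policy.purposes
                     and recipient in self.policy.recipients)
        self.audit.append((purpose, recipient, permitted))
        if not permitted:
            raise PermissionError(
                f"{self.subject}: {purpose!r} by {recipient!r} is outside the sticky policy")
        return dict(self.data)   # copy, so callers cannot edit the record in place


# Constructed sample data: one user preference set and two site policies.
USER_PREFS = Preferences(
    allowed_purposes=frozenset({"service-delivery"}),
    allowed_recipients=frozenset({"ours"}),
    max_retention="stated-purpose",
)
CLINIC_POLICY = Policy(                       # compatible with USER_PREFS
    purposes=frozenset({"service-delivery"}),
    recipients=frozenset({"ours"}),
    retention="stated-purpose",
)
ACME_POLICY = Policy(                         # three incompatibilities
    purposes=frozenset({"service-delivery", "marketing"}),
    recipients=frozenset({"ours", "third-parties"}),
    retention="indefinitely",
)

if __name__ == "__main__":
    for name, pol in (("clinic", CLINIC_POLICY), ("acme", ACME_POLICY)):
        print(name, check_policy(pol, USER_PREFS) or "compatible")
    rec = StickyRecord("alice", {"email": "alice@example.test"}, CLINIC_POLICY)
    rec.use("service-delivery", "ours")       # permitted by the sticky policy
    try:
        rec.use("marketing", "ours")          # refused: purpose not in the policy
    except PermissionError as e:
        print("blocked:", e)
    print("audit:", rec.audit)
```

Two design points are worth noting. The matcher returns the full list of mismatches because the user-facing value of such a tool lies in saying which practice is the problem, not merely that one exists; and the sticky record makes the policy check the only path to the data, which is what turns an attached policy from a label into an enforced one.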
Furthermore, the technology should contain features that support the legal and regulatory framework. Such technical features supporting organisational measures will increase usability for the users of security technology, help them comply with their legal obligations and, if designed the right way, fit into the organisational processes that already exist within the user entity.
3. Security Needs a Coordinated and Cooperative Effort Among Member States: From Interoperability to Network Centric Systems

As has been emphasised by Javier Solana, speaking of the Common Foreign and Security Policy and the European Security and Defence Policy [4]: "...we are stronger when we act together. Over recent years we have created a number of different instruments, each of which has its own structure and rationale". In the EU security context, the NATO definition of "Force Interoperability" [5] calls for: "The ability of the forces of two or more nations to train, exercise and operate effectively together in the execution of assigned missions and tasks". This definition could be expanded to incorporate the following concept: "The ability of the resources of one or more PMS and of one or more EU Agency/Institution to train, exercise and operate effectively together in the execution of the tasks/missions foreseen in an agreed Common Security Capability Plan (CSCP)". NATO considers the defence against terrorism one of its primary tasks. The same is true for the European Union. Twenty-five of the twenty-eight NATO Member States are European or members of the European Union. To refuse to consolidate or align the efforts made in the security domain by these two major global institutions would not make logistical sense, and would cause unacceptable levels of wasted time and resources. An example of such collaboration regards maritime surveillance, which is of the highest importance in ensuring the safe use of the sea and in securing Europe's maritime borders. The improvement and optimisation of maritime surveillance activities, and interoperability at the European level, are crucial for Europe to be able to properly and successfully handle the challenges and threats related to the many maritime activities, including safety of navigation, marine pollution, law enforcement and overall security. Surveillance activities are carried out by individual Member States, but most of the activities and threats that they address are transnational in nature. Within most Member States, surveillance activities concerning fishing, the environment, policing of the seas or immigration fall under the responsibility of several different enforcement agencies that operate independently of one another. This often results in the sub-optimal use of scarce resources. The EU Commission has therefore advocated the need for a higher degree of coordination on maritime surveillance, by intensifying cooperation within and among the coast guards and other appropriate agencies of the Member States. Although it would be a gradual process, developing an integrated network of vessel tracking and e-navigation systems for European coastal waters and the high seas, including satellite monitoring and long range identification and tracking (LRIT), would provide an invaluable tool to public agencies. Substantial progress along these lines is present in EC Regulation No 863/2007, which establishes a mechanism allowing rapid operational assistance to be provided, for a limited period of time, to a requesting Member State faced with a situation of urgent and exceptional pressure. This would especially be the case for situations arising at points of the external borders where large numbers of third-country nationals attempt to enter the territory of the requesting Member State illegally. Aid is provided in the form of Rapid Border Intervention Teams (hereinafter referred to as teams). This Regulation also defines the tasks to be performed and the powers to be exercised by members of the teams during operations in a Member State other than their own.

[4] A Secure Europe in a Better World, presented by Javier Solana, EUHR for CFSP, European Council, Thessaloniki (Greece), June 20, 2003
[5] NATO NC3TA Volumes; V2 Technical Architecture Management, Chapter 2, NATO Interoperability Constructs; http://194.7.80.153/website/book.asp?menuid=15&vs=0&page=volume2%2Fch02.html
The threats that the EU is exposed to are shared with all of our closest partners. International cooperation is a necessity, and our objectives ought to be pursued through both multilateral cooperation in international organisations and direct partnerships with key actors. It is for this reason that the transatlantic relationship between the European Union and the United States is irreplaceable. By acting together, the EU and the US form a formidable force for good in the world.
4. The EU Must Define a Security Standard for Strategic Infrastructures

The security of strategic infrastructure is only as strong as its weakest link. If one Member State imposes rigorous security standards in relation to a particular cross-border infrastructure, that infrastructure and the services it provides will still be vulnerable if another Member State does not impose adequate or similar measures of protection on its side of the border. The interdependencies that exist between the various sectors define an environment where a particular event could readily have a cascading effect on other sectors and areas of life which are not immediately and obviously interconnected. The existence of a multitude of levels of protection and standards across EU Member States increases costs for businesses, which have to incur redundant security investments depending on the jurisdictions under which they operate. Therefore, the EU ought to define a security standard for strategic infrastructures to avoid unnecessary inefficiencies in the allocation of resources. The principle of subsidiarity may be invoked the moment the measures that need to be undertaken cannot be effectively achieved by any single EU Member State and must therefore be addressed at EU level.
Although each Member State has the responsibility to protect the critical infrastructure present under its jurisdiction, it is crucial for the security of the European Union to make sure that the most important infrastructures that have an impact on two or more Member States, or on a single Member State in the case that the critical infrastructure is located in another Member State, are effectively protected, and that individual Member States are not rendered vulnerable because of the existence of lower security standards in other Member States. The EU's effort to protect critical infrastructure will soon turn to concrete measures for Europe's information and communication technologies (ICT) sector with the release of a new policy paper [6]. The general aim of the document is to urge the 27 member nations to define a common set of response criteria regarding cyber-attacks and, specifically, to align their national regulations.

5. Security, Along with Safety, Must be Embedded into Systems and Certified with Proper Labelling

It is common understanding today that incorporating safety into the design process has a positive impact on a company's safety, quality and productivity. Costs can be lowered, task performance improved and life-threatening work hazards reduced. Cost benefits are maximised when safety is applied at the earliest stages of development, but owners will experience benefits when safety is considered at every stage of the project continuum. Similar benefits could be associated with the introduction of security and environmental criteria as early as possible into the product life cycle. It is interesting to recall that the EU recently promoted a Safety Certification and Authorisation Team (SafeCert Team) [7], which has been given the task of harmonising the decision-making criteria for the safety certification of railway undertakings and the safety authorisation of infrastructure managers. The market for security solutions in Europe is still highly fragmented and has a long way to go before it matures. This hinders the industrial base of security technology, preventing it from exploiting its overall potential and accessing market opportunities more effectively. It is necessary to analyse not only the role that standards play but also that of the process of standardisation in organising the market from both the demand and the supply side. Thus far, most of the impetus has been focused on the European Security Label, the basis of which is the Communication from the European Commission COM(2008)133, "Towards an increased contribution from standardization to innovation in Europe" [8]. The aim of the Communication is:

- To contribute to the development of sustainable industrial policy.
- To unlock the potential of innovative markets.
- To strengthen the position of the European economy by more efficiently capitalising on its knowledge base.

[6] "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience", Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Critical Information Infrastructure Protection; http://ec.europa.eu/information_society/policy/nis/docs/comm_ciip/comm_en.pdf
[7] Assessment Criteria for Railway Undertakings and Infrastructure Managers
[8] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2008:0133:FIN:EN:PDF
The EU expects standardisation to make an important contribution to the following priority actions for innovation and competitiveness:
- Sustainable industrial policy: this aims at improving the energy and resource efficiency of products, processes and services, and the competitiveness of European industry. Standardisation is important in enabling the further development of eco-innovation and environmental technologies.
- Lead markets: standardisation is one of the key elements for the success of the lead market initiative, which aims to accelerate the emergence of innovative market areas such as e-Health, sustainable construction, recycling and renewable energy. A European lead position in developing globally accepted standards would facilitate the growth of these markets both in Europe and abroad.
- Public procurement: the appropriate use of standards in public procurement may foster innovation, while providing administrations with the tools needed to fulfil their tasks.
- The integration of ICT in industry and administrations: the potential to improve the competitive position of the European economy through a more efficient and effective use of ICT tools is important, and standards are essential to realise this potential.
A strong role for Europe in international standardisation is also a way to capitalise on European leadership in new markets and to gain first-mover advantages in global markets. To further standards, a process is needed, such as conformity with the standards required by an EU Security Label, that demonstrates increased security and quality as criteria for market access. The market needs basic criteria on which to base decision-making processes regarding the acquisition and implementation of security products and services and their integration, and to justify purchasing choices by adopting recognised security principles. The Security Label will create confidence that security products and services meet certain standards of quality and are suitable for their intended use, thus supporting risk management for end users. In order to implement a European Security Label certification, a coordinated accreditation process for testers, auditors etc. must be created, which includes harmonisation criteria and encourages the relevant organisations to apply. It must constitute a network that, where possible and appropriate, uses existing competence.
6. Defence and Security Are Closely Interrelated

In contrast to the massive visible threat of the Cold War, none of the new threats of today is purely military; nor can any be dealt with by relying on purely military means; each threat requires a mixture of instruments. Their proliferation is contained not only by controlling exports, but also by applying multiple forms of political, economic and other pressure. A key element in fighting the proliferation of new threats is to tackle, at the same time, the underlying political causes of the threats themselves.
Dealing with terrorism, for instance, requires a mixture of intelligence, police, judicial, military and other means, including communications and economic endeavours. Military forces often have the task of implementing security measures on foreign soil, frequently in failed states, where military instruments may be needed to restore order, while humanitarian aid is used to tackle the immediate crisis and to relieve civilian victims. Regional conflicts always need political solutions, complemented by the military assets and effective policing that are generally necessary for maintaining order in the post-conflict phase. Economic instruments (although not exclusively) serve in reconstruction efforts, and civilian crisis management activities help restore civil government. The European Union is a global actor, ready to share the responsibility of ensuring global security. With the adoption of the European Security Strategy by the European Council in December 2003 [9], it affirmed the role it wants to play in the world, supporting an international order based on effective multilateralism within the UN. In today's context of new dangers, but also new opportunities, the strong commitment demonstrated by Member States to give the enlarged European Union the tools it needs to make a major contribution to security and stability within a context of well governed countries in and around Europe and in the world is stronger than ever. The EU has the civilian and military framework needed to face the multifaceted nature of current asymmetric threats. Member States have committed themselves to being able, by 2010, to respond with rapid and decisive action, applying a fully coherent approach to the whole spectrum of crisis management operations covered by the Treaty on European Union. This includes humanitarian and rescue tasks, peace-keeping tasks and tasks of combat forces in crisis management, including peacemaking.
As indicated by the European Security Strategy this would also include joint disarmament operations, the support for third countries in combating terrorism and security sector reform. This approach requires Member States to voluntarily transform their armed forces by progressively developing an elevated degree of interoperability, at the technical, procedural and conceptual levels. Without prejudice to the prerogatives of individual Member States regarding defence matters, a co-ordinated and coherent development of equipment compatibility, procedures, concepts, command arrangements and defence planning is a primary objective. In this regard, the commonality of a shared security culture should also be promoted. Interoperability must be considered within a broader framework that includes military, civilian and civil-military aspects. The EU could further strengthen the coordinated use of its civil and military capabilities acknowledging that modern Crisis Management Operations typically require a combination of multiple instruments. Synergies relevant to crisis management capabilities should be identified and fully exploited between civilian and military ESDP, the European Community, as well as third pillar actors (Police and Judicial Cooperation), with the aim to maximise coherence in the field as well as at the governing and administrative levels in Brussels. Issues, such as field security, training, logistics and procurement should be taken into account.
9 http://www.consilium.europa.eu/uedocs/cmsUpload/78367.pdf
G. Grasso / The Role of Europe in Matching Today’s Asymmetric Threats
7. Why Interconnection among European Agencies Operating in the Field of Safety and Security is Necessary
A number of specialised and decentralised EU agencies have been established to support the EU Member States and their citizens. These agencies are an answer to a general trend toward the decentralisation and geographic redistribution of administrative responsibility and to the need to cope with new tasks of a legal, technical and/or scientific nature. The competence and experience accrued in almost all areas pertinent to the safety/security sector are impressive, and they force one to consider what opportunities exist for improving networking and interaction among the existing resources and agencies. In fact, given the aforementioned advantages of incorporating safety/security requirements in all phases of a process, the majority of the structures that focus on safety issues could invariably expand on a technical level to address security-related issues. Over the coming years, Europe will need to develop a commonly shared capability-based planning process and, possibly, a European Security Capability Plan. In the meantime, public and private stakeholders alike, at both EU and national levels, will need to proceed with the systematic identification of available and required capabilities. In specific sectors, relevant agencies can play an important role. EDA and FRONTEX could be seen as examples of good practice which might be considered by other agencies. The need to interconnect all of these resources will therefore grow in the forthcoming years and accelerate the transformation of existing agencies from stand-alone entities into a system of systems.
8. ESRIF, the European Security Research & Innovation Forum
The European Security Research and Innovation Forum (ESRIF) was established in September 2007 on the basis of a joint initiative of the European Commission and EU Member States. ESRIF is an informal group, set up jointly and co-owned by its stakeholders from the demand and supply side of security technologies/solutions, as well as from civil society. It thus includes independent representatives from industry, public and private end-users, research establishments and universities, as well as non-governmental organisations and EU organisations and entities. With this kind of composition and approach, ESRIF hoped to overcome the boundaries and limitations inherent in a more formal structure. ESRIF is the only large-scale, high-level attempt of this kind in Europe. It is also supported by FP7 (Seventh Framework Programme) Associated Countries. ESRIF’s mandate is limited to advising on security research and innovation. The primary reason for creating ESRIF was the need for:
- Coordination of the strategy and implementation of European and national security research funding programmes;
- Taking a mid- and longer-term perspective for civil security research in Europe, going beyond pure research and also embracing innovation elements;
- Improving coordination between security policy and its implementation on the one side and security research on the other, including the demand and supply side of security technologies/solutions and considering the economic effects of future civil security research;
- Addressing how action at European, national and regional levels can be coordinated to better exploit the use of future capabilities and resources;
- Looking at coordination between civil and military security research;
- Encompassing societal aspects of security to gain a better understanding of the interdependencies and dynamics behind decisions, policies and programmes of the Union and their effects, in order to enhance the security of EU citizens.
ESRIF was given the task of developing a “European Security Research and Innovation Agenda”,10 a strategic roadmap for security research and related measures that will bring greater coherence and efficiency to the sector while promoting innovation. The hope was that an Agenda that studied these factors would create opportunities for more coherent research programming and funding that would eventually lead to better innovation. It was hoped that this would also stimulate the private sector to invest funds in strategic research priorities, thereby complementing public investments. Moreover, it corresponds to the general aim of building a true European Research Area, notably by promoting greater coherence between investments in research and development allocated at European, national and regional levels. This should ultimately strengthen EU security, the EU security market and the competitiveness of the private sector. ESRIF is now in the final stage of elaborating its Final Report and is therefore close to the end of its assigned task.
10 http://ec.europa.eu/enterprise/security/doc/border_control_workshop/k_giovanni_barontini.pdf
Modelling Cyber Security: Approaches, Methodology, Strategies U. Gori (Ed.) IOS Press, 2009 © 2009 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-074-2-182
Information Sharing in the Context of European Union Critical Information Infrastructure Protection
Alessandro GAZZINI, Andrea RIGONI
Booz & Company
[email protected] [email protected]
Abstract. Effective anticipation of and response to the characteristics of today’s security threats require an effective information sharing (IS) component. The need for IS and the benefits that come with it are evident to most security stakeholders. Information sharing has become even more urgent as the extreme adaptability of our adversaries and the relative rigidity of our current security organisations, in both the public and private sectors, have become increasingly clear. Many governments have recently issued specific IS policies, stating objectives as well as launching operational initiatives. The European Union has also introduced an IS objective within its more general programme of critical (information) infrastructure protection and has recently launched several research and pilot instruments for IS solutions. Many challenges to developing successful IS models still exist, particularly in the security environment. Most notably, there is a tendency to dedicate excessive attention to technology concerns and solutions. A successful IS model, however, needs to comprehend and incorporate a more multidimensional strategic approach and to focus on the concept of IS as a marketplace value.
Keywords. Information Sharing, Cyber Security, Critical Information Infrastructure Protection, Critical Infrastructure Protection, Security, IT security
A. Gazzini and A. Rigoni / Information Sharing in the Context of European Union CII Protection
1. Information Sharing: An Emerging Security Need for Reducing “Operational Asymmetry”
In the commercial, government and military sectors of EU Member States, there has been a significant impulse to increase interconnectivity and interoperability between systems in order to enable and increase operational benefits. The nature of the ICT (Information and Communication Technologies) market has also produced many common ICT components, which consequently share common vulnerabilities. In areas such as critical national infrastructures, there is already a high degree of cross-border interconnection and interdependency between systems. The complexity and criticality of these systems cannot be overemphasised. The threat to these federated systems is growing. Terrorists and other disaffected organisations and individuals have identified the dependence of EU countries upon these systems and the potential impact a successful attack could have. However, while these “systems of systems” are increasingly closely integrated horizontally, their protection is all too often aligned vertically, within countries and within companies. This misalignment presents enticing opportunities to attackers. This is why Information Sharing (IS) has become a key component of modern protection and is one of the main pillars of intelligence. Information Sharing has gained in popularity after 9/11 and, today, it is at the centre of many national security intelligence strategies, as demonstrated by the growing number of policy initiatives as well as operational IS initiatives (e.g. WARP, Intellipedia, A-Spaces, etc.), including at the European level (e.g. CIWIN, M3I, NEISAS, European Rapid Alert Platforms, etc.).
Figure 1. Examples of Recent Information Sharing Policies
One of the primary reasons we believe this emerging attention on IS is well placed as a priority is the phenomenon of “operational asymmetry”. Fundamentally, our adversaries have extremely adaptive, “leaderless” operational models based on flexibility, speed, knowledge exchange and strong (often ideological) motivational drivers, while our security organisational constructs, both in government and in the private sector, tend to be resource intensive, hierarchical and based on complex structures and formalised processes, which create accountability (at times) but more often generate slow and rigid systems and system responses. This imbalance is particularly evident in the cyber domain, where speed reigns and attack is far more successful, by several orders of magnitude, than any response or defence. IS can be a vital resource in reducing some aspects of this operational imbalance and in generating multiple benefits, most importantly in increasing the speed and quality of our capability to anticipate and react. The need is for vital knowledge to be spread quickly, not to mention generated effectively, within the “mega-community” of public and private security stakeholders.
Figure 2. Benefits of Information Sharing
Sharing information on security risks is clearly beneficial to both government and industry. If a mechanism can exist through which one organisation is able to learn from the experiences, mistakes, and successes of another, without fear of exposing its vulnerabilities to national security, competitors and the media, then every participant will be able to improve their level of resilience and safety.
2. The EU CIP Information Sharing Panorama
There are many initiatives and projects in Europe on Information Sharing; most of them, however, are managed at a national level. Some exceptions are those systems that interconnect operators in a specific sector (e.g. banks, air traffic control, adjacent power transmission operators, etc.), which are typically used for daily operations and not specifically for Critical Infrastructure Protection (CIP). According to a European Network and Information Security Agency (ENISA) study,1 “EISAS – European Information Sharing and Alert System”, 13 Member States do not have any known Information Sharing activity, 5 Member States have a dedicated level of organisation, and the other 9 have some initiatives that are managed by non-dedicated organisations. In the study, only two Member States are reported to have organisations that are in charge of Information Sharing and that have Critical Infrastructure Operators as their constituency. These numbers, though, do not completely reflect reality; many other Member States are running information exchanges that are facilitated by government organisations, where Critical Infrastructure Operators meet regularly (for instance, the Information Exchanges managed by CPNI in the United Kingdom, or the NICC in the Netherlands). These initiatives are all very successful, primarily because of the importance that has been given to the development of trust among all participants, including the government.
1 www.enisa.europa.eu/doc/pdf/studies/EISAS_finalreport.pdf
Furthermore, EU Member States share the need to exchange information at an international level, in particular for the protection of Critical Infrastructures (CI), many of which are interconnected or interdependent, so that the impact of an attack on one CI in one Member State could affect another CI in another Member State. This is why the European Commission included the creation of Information Sharing Systems in the European Critical Infrastructure Programme. An important aspect that should always be considered when discussing international Information Sharing Systems is that most of the time these services are used by governments and national infrastructures to exchange notifications and communications regarding new vulnerabilities, threats, incidents and good practices, and, in most cases, this exchange acquires a relevance for national security. This is one of the main reasons why most Member States are promoting a federated approach, at both a national and a European level. The most successful projects in Europe, such as the UK WARP (Warning, Advice and Reporting Point), owe their success to this approach, which, among other things, is able to address the specific requirements and needs of certain sectors. The energy sector, for example, is considered among the most critical in Europe. In particular, Transmission System Operators (TSOs) run the European power grid, which provides electricity to all European citizens. TSOs form a strong and well-connected community. Information Sharing is vital to these companies; a problem, fault, incident or attack affecting any one operator could have disastrous impacts on all the other operators. This is why building “Shared Situational Awareness” improves the overall resilience of the system. These companies are already exchanging a lot of information, at both an operational and a strategic level.
The exchange is based on “peer-to-peer” relations, mainly because there is no single authority or organisation that is in charge of regulating or coordinating the operators. In 2004, the Commission issued a communication to the Council and the European Parliament on “Critical Infrastructure Protection in the fight against terrorism” (20-10-2004).2 In this document, the Commission identified security management and, in particular, risk management as the key area that needed to be addressed by a European Programme for Critical Infrastructure Protection (EPCIP) based on an all-hazards approach. The document also stated that the EPCIP would promote information exchange (sharing), where the constraints of competition, liability and information sensitivity can be balanced with the benefits of a more secure critical infrastructure. Where sector-based standards do not exist, or where international norms have not yet been established to support this sharing, the document goes on to state that standardisation organisations should be approached with proposals for uniform security standards adapted to all of the various branches and sectors concerned. The importance of information sharing in supporting Critical Infrastructure Protection (CIP) has been recognised for some time, and moves have been made toward developing European information sharing initiatives through both the 2002 and 2005 eEurope Action Plans.3 These plans have respectively focused on stimulating public-private cooperation regarding the dependability of information infrastructures (including the development of early warning systems) and on the establishment of the European Network and Information Security Agency (ENISA). ENISA is assigned, amongst other things, the task of fostering and enhancing cooperation between relevant stakeholders, information gathering, the exchange of best practices and the establishment of synergy between public and private sector initiatives.
2 10679/2/04 REV 2, no. 19, http://www.consilium.europa.eu/uedocs/cmsUpload/EU_17.18-6.pdf
3 COM(2002) 263 final, 28.5.2002 - eEurope 2005: An information society for all - http://ec.europa.eu/information_society/eeurope/2002/news_library/documents/eeurope2005/eeurope2005_en.pdf
Figure 3. Examples of IS initiatives in the EU
ENISA has been active in raising awareness of the need for information sharing and has produced many studies in this area, in particular the EISAS – European Information Sharing and Alert System Feasibility Study 2006/7. Although this feasibility study focused on citizens and small to medium enterprises, there are aspects of the study which also relate to the CIP, government and large enterprise communities, such as the need to adopt a standardised approach to information sharing. Furthermore, on 30 March 2009, the European Commission Directorate General Information Society and Media (DG INFSO) issued a Communication4 announcing the launch of a policy initiative to protect Critical Information Infrastructures in Europe. The initiative focuses on the following five areas:
- Preparedness and prevention: to ensure preparedness by defining a baseline of capabilities and services of national/governmental Computer Emergency Response Teams, creating a European Public-Private Partnership for Resilience and a European Forum of Member States to share information, good policy and operational practices.
- Detection and response: to provide adequate early warning mechanisms by supporting the development and deployment of a European Information Sharing and Alert System, reaching out to citizens and SMEs and based on national and private sector information and alert sharing systems.
- Mitigation and recovery: to reinforce EU defence mechanisms for CII via the development of national contingency plans by Member States and the organisation of regular security incident response and disaster recovery exercises for large-scale networking, in a move to stimulate stronger pan-European coordination, as well as strengthening the cooperation between national/governmental Computer Emergency Response Teams.
- Cooperation on international and EU levels: to promote EU priorities internationally by driving a Europe-wide debate involving all relevant public and private stakeholders, to define EU priorities for the long-term resilience and stability of the Internet by working with Member States to define guidelines for the resilience and stability of the Internet, and by working on a roadmap to promote principles and guidelines at the global level, possibly leveraging strategic cooperation with third countries.
- Criteria for the ICT sector: to support future implementation of EPCIP by continuing to develop, in cooperation with Member States and all relevant stakeholders, the criteria to identify the European critical infrastructures in the ICT sector.
4 http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm
In the Action Plan of the Communication (par. 5.2),5 Information Sharing is mentioned as one of the key elements of a successful Critical Information Infrastructure Protection strategy. In 2006, the European Commission presented a programme6 to foster and support Information Sharing in Europe, including the provision of a software platform called CIWIN - Critical Infrastructure Warning Information Network, now in its pilot phase. Furthermore, Commissioner Jacques Barrot, Directorate General Justice, Liberty and Security, recently proposed new legislation7 to enable European Union countries to share information regarding critical infrastructure protection. This proposal is expected to be discussed at the next Justice and Home Affairs Council in Luxembourg on 4 and 5 June 2009. During the presentation, an EU policy review and key projects will be presented, the main goals of Information Sharing will be set out together with the direct and indirect benefits to stakeholders, and the importance of quality in relation to the extension of the community and the quantity of information exchanged will be shown.
5 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0149:FIN:EN:PDF - COM(2009) 149 final, 30.3.09
6 15041/08, 31.10.08, proposal for a Council decision on a Critical Infrastructure Warning Information Network (CIWIN) - http://register.consilium.europa.eu/servlet/driver?lang=EN&ssf=DATE_DOCUMENT+DESC&fc=REGAISEN&srm=25&md=400&typ=Simple&cmsid=638&ff_TITRE=&ff_FT_TEXT=CIWIN&ff_SOUS_COTE_MATIERE=&dd_DATE_REUNION=&srs=26&rc=37&nr=119&page=Detail
7 IP/08/1586, 27/10/2008, http://europa.eu/rapid/pressReleasesAction.do?reference=IP/08/1586
3. Designing a successful IS system
While we all basically agree on what the benefits of IS are, we are a little less sure about how to actually build a successful model. Too often the discussions are quickly oriented towards aspects related to the IT systems, appropriate tools, protocols, etc. This is not to imply that technology is a minor concern, but simply to highlight that it tends to become the dominant topic. As a matter of fact, many technological challenges still remain. Despite the many good examples of Information Sharing, progress towards making these virtual platforms universal is hampered by the lack of a common language and framework. For communication to occur between people, there is more to the equation than merely choosing a specific vocabulary from native languages such as English or Italian. When speaking of communication involving computers, it is likewise more than choosing a standard based on the XML framework. What has been missing in the past is a management messaging standard that describes a set of requirements on how such vocabularies and message formats should be used. One good example of a requirement for a management messaging standard is the need to have a common understanding of how shared information may be further distributed. The Traffic Light Protocol (TLP) is a specific example in use by many organisations, which takes the sensitive nature of some types of information into account. It is important that the TLP be recognised and understood in communications involving both people and computers, where both must follow the agreed rules for information distribution. It is also important to recognise that the TLP may be just one example of good practice.
In designing an IS system, we suggest that, along with the IT complexities, one should equally focus attention on other key dimensions, which ultimately will determine the success of the IS system. A successful model must consider at least 5 macro areas:
- Value Exchange – the essence of any IS environment.
- Policy and Organisation – the structure, rules and process.
- Technology – the IT solution.
- Culture – the willingness to participate.
- Economic – the resources.
Figure 4. Booz & Co IS framework
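The Traffic Light Protocol mentioned above, expressed as a rule set that a computer can apply before a message is forwarded. This is an added example, not code from the chapter or from Booz & Company; the label semantics follow the commonly published TLP definitions of the period, while the message layout, the Party/Advisory model and every function name are assumptions of this example.

```python
"""Machine-checkable Traffic Light Protocol (TLP) redistribution rules.

Added example; not code from the chapter or from Booz & Company. The four
labels (RED, AMBER, GREEN, WHITE) follow the commonly published TLP
definitions of the period; the message layout, the Party/Advisory model
and every function name below are this example's own assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class TLP(Enum):
    RED = "RED"      # named recipients only, no onward distribution
    AMBER = "AMBER"  # recipient's own organisation, need-to-know
    GREEN = "GREEN"  # recipient's community or sector, never public
    WHITE = "WHITE"  # unrestricted


@dataclass(frozen=True)
class Party:
    """A person or team taking part in an information exchange."""
    name: str
    organisation: str
    community: str


@dataclass(frozen=True)
class Advisory:
    """A shared message together with its marking and direct addressees."""
    tlp: TLP
    recipients: frozenset  # Parties the source addressed directly
    body: str


def parse_tlp_marking(text: str) -> TLP:
    """Read the 'TLP:<COLOUR>' marking from the first line of a message.

    Raises ValueError when the marking is missing or unknown, so an
    unlabelled message is never silently treated as freely shareable.
    """
    lines = text.strip().splitlines()
    if not lines or not lines[0].strip().upper().startswith("TLP:"):
        raise ValueError("message carries no TLP marking")
    # TLP(...) raises ValueError for a colour that is not one of the four
    return TLP(lines[0].strip()[4:].strip().upper())


def load_advisory(text: str, recipients) -> Advisory:
    """Build an Advisory from raw text; the marking line is not part of the body."""
    marking = parse_tlp_marking(text)
    body = "\n".join(text.strip().splitlines()[1:]).strip()
    return Advisory(marking, frozenset(recipients), body)


def may_forward(advisory: Advisory, holder: Party, target: Party) -> bool:
    """Decide whether `holder`, who legitimately has the advisory, may pass it
    to `target`. The rule depends only on the label and on the organisational
    relation between the two parties."""
    if advisory.tlp is TLP.WHITE:
        return True
    if advisory.tlp is TLP.GREEN:
        return target.community == holder.community
    if advisory.tlp is TLP.AMBER:
        return target.organisation == holder.organisation
    # RED: only parties the source itself addressed may see it
    return target in advisory.recipients


def allowed_targets(advisory: Advisory, holder: Party, candidates) -> list:
    """Names of the candidates (other than the holder) who may receive a copy."""
    return [p.name for p in candidates
            if p != holder and may_forward(advisory, holder, p)]


# Constructed sample: two transmission system operators in one sector and a
# journalist outside it. Names and organisations are invented.
TSO_A_OPS = Party("tso-a-ops", "TSO-A", "energy-tso")
TSO_A_MGMT = Party("tso-a-mgmt", "TSO-A", "energy-tso")
TSO_B_OPS = Party("tso-b-ops", "TSO-B", "energy-tso")
PRESS = Party("press", "Daily News", "media")
EVERYONE = (TSO_A_OPS, TSO_A_MGMT, TSO_B_OPS, PRESS)

SAMPLE_AMBER = (
    "TLP:AMBER\n"
    "Constructed sample: repeated failed logins observed against the vendor "
    "maintenance portal; no operational impact so far."
)


if __name__ == "__main__":
    advisory = load_advisory(SAMPLE_AMBER, [TSO_A_OPS, TSO_B_OPS])
    print(advisory.tlp.name, "->", allowed_targets(advisory, TSO_A_OPS, EVERYONE))
```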
As a final comment, we would like to add that trust is an essential element in information sharing and that it should be built as a two-way system. The recipient of information must trust the source, in particular, that the information received is truly coming from the person it purports to come from, is not malicious or misleading, and that it is also relevant. The source must also trust the recipient, in particular, that the information received will only be used or distributed according to previously established agreements and parameters. Without this two-way trust, meaningful information sharing is impossible.
Modelling Cyber Security: Approaches, Methodology, Strategies U. Gori (Ed.) IOS Press, 2009 © 2009 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-074-2-189
Defining Critical Information Infrastructure in the Context of Cyber Threats: The Privacy Perspective
Eneken TIKK1
Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia
Head of the Legal Task Team
[email protected]
Abstract. While the two organisations, the EU and NATO, share an interest in the field of Critical Infrastructure Information (“CII”) protection, and while the interests of these organisations have developed significant overlaps, personal data protection in the EU legal framework may become a factor that could hinder the creation of effective cyber defence, unless timely and duly attended to by the interested nations and entities. This article will provide insight into personal data protection issues that relate to the exchange of information concerning cyber incidents and, based on considerations pertinent to national approaches, it will provide guidance on how to minimise the related legal risks that come with cyber incident management.
E. Tikk / Defining Critical Information Infrastructure in the Context of Cyber Threats
Introduction
About a year ago, NATO adopted two documents that will shape the way cyber incidents of concern to (inter)national security will be managed.2 The cooperative aspect of managing cyber incidents of relevance for NATO will require national regulatory action with regard to defining the critical information infrastructure and providing a proper legal basis for information exchange between NATO and its member states. Cyber incidents may range anywhere from simple deviations from internal security regulations to criminal acts, acts of cyber terrorism, and even warfare. The investigation and management of such incidents is based on sharing and comparing traffic data and server logs, including IP addresses. Countries subject to both the EU and NATO organisational frameworks of cyber defence3 will face difficulties transferring such data to NATO or to another member state’s national authorities, since the prevailing legal view among EU data protection institutions categorises IP addresses and logs as personal data. The EU legal framework on data privacy thus creates obstacles to processing cyber incident data for the purpose of cooperative cyber defence management. While there are legally safe ways to secure evidence and manage cyber incidents, recent trends in EU member states require that more attention be paid to these issues at the national regulatory level. This article will provide insight into personal data protection issues that relate to the exchange of information concerning cyber incidents and, based on considerations pertinent to national approaches, it will provide guidance on how to minimise the related legal risks that come with cyber incident management.
1 Eneken Tikk works as the Legal Advisor to the NATO Cooperative Cyber Defence Centre of Excellence (“CCD COE”) and is currently the Research Fellow for the Center for Infrastructure Protection of the George Mason University Law School.
2 NATO Cyber Defence Concept (MC, 13 March 2008), based on the NATO Cyber Defence Policy (NAC, 20 December 2007).
1. The Benefit of Sharing Information
During 2007 and 2008, the CCD COE legal team analysed the legal aspects of five major cyber incidents – Estonia, Radio Free Europe in Prague, Lithuania, Georgia, and Burma.4 The Estonian cyber incident that occurred in early 2007 was a landmark case, where publicly sharing information about the cyber attacks turned out to benefit the government in its efforts to defend itself against its invisible enemy. Since then, major IT security think tanks and international media channels have kept a column on cyber incidents of international concern. There is an increasing amount of information available about politically motivated and government-targeted cyber incidents. The management of cross-border cyber incidents and conflicts, however, requires extensive and detailed information sharing among governmental entities and also between these and the entities responsible for the information infrastructure, which are often privately owned. This kind of cooperation is unavoidable between nations and international organisations. The data of interest comprises not only details about the course of action and background of the incidents but also real-time reporting on targets and, most importantly, details of the server logs, which make it possible to differentiate the good traffic from the bad, block hostile IP addresses, and trace the origin of the attacks. With cyber defence developments in NATO, sharing information on cyber incidents will form an essential part of the national cyber security agenda. The study of recent cyber incidents shows that the nature of the information infrastructure5 in conjunction with the territoriality principle6 makes it difficult for a nation, when acting alone, to defend itself against cross-border cyber attacks. NATO has developed a mechanism to assist nations in case of severe cyber attacks, but the implementation of the relevant provisions of the Cyber Defence Policy and Cyber Defence Concept requires structured and well-coordinated information sharing on those aspects that demonstrate the relevance the said cyber incidents have for NATO. In order to meet the criteria for receiving help from rapid reaction teams, consulting or any other type of assistance, the nation must satisfy a burden of proof of the relevance of the conflict for NATO. This can only be done after a thorough analysis of the underlying facts about the nature, extent and sources of the incident has been completed. In summary, effective defence relies on cooperation, and effective cooperation needs precision in terms of the facts of the incidents. Effective measures of defence depend on the accuracy of information and, in order to achieve prosecution, the evidence must be able to indicate the source of the attacks. Estonia is one of the countries that are both NATO nations and EU member states. In the context of cyber security there is an increase in the interrelation of the activities and areas of concern of these two major and influential organisations; sharing information on cyber incidents is just one of them.
3 While there is no internationally accepted legal definition of cyber threats (one of the key reasons for the difficulties related to the implementation of personal data protection rules), the concerns of cyber security involve stakeholders such as international organisations, governments, the private sector and IT infrastructure providers, as well as home users. The incidents that may affect the functioning of a society’s critical infrastructure may initially occur as simple human error and deviation from internal information security regulations, or they may turn out to be intentional, often politically motivated, criminal activities or coordinated and well-targeted attacks that support other hostile activities towards the entity or nation in question. Therefore, the term “cyber defence” is to be understood to cover the prevention of and potential responses to different types and levels of cyber threats.
4 These papers are available on www.ccdcoe.org.
2. EU vs. NATO: The Cyber Security Agenda A sustainable information society and trusted environment for e-commerce and information society services has been a key concern for the EU over the past decades.
5
The nature of the information infrastructure can be best explained by the rationale that was employed in developing the Internet. It was designed as a response to national security concerns to provide a communications network that would work even if some of the sites were physically destroyed. If the most direct route was not available, routers would direct traffic around the network via alternate routes.
6
The contemporary legal framework adheres to the concept of sovereignty, which is granted to the nations on the basis of the physical dimensions of their air, land and sea territory. While few other arrangements exist (the common understanding of governing high seas and space), so far no general agreement has been concluded with respect to the governance and control of the Internet. Therefore, conduct on the Internet can only partly and conditionally be subjected to a nation’s jurisdiction.
192
E. Tikk / Defining Critical Information Infrastructure in the Context of Cyber Threats
The EU is known for its wide-reaching and effective information society regulation7, which is reflected in the national legal systems of not only EU member states but also EEA countries and others.8 NATO is known as a security and defence organisation, which focuses on issues that in practical terms remain beyond the scope of applicability of EU law. The “security” paradigm has been changing over the past couple of decades, expanding the focus of defence interests beyond kinetic and symmetric threats to include issues such as terrorism, electronic warfare and critical infrastructure protection. Thus, in the past few years, the interests of these organisations have developed significant overlaps. This is especially the case since NATO has begun to look more closely at cyber attacks and has recognised that not only cyber incidents against military targets but also those directed against national governmental and possibly private critical infrastructure functions may affect (inter)national security, thus deserving the interest of this military organisation. It is due to this interest that a common playing field has emerged for the two organisations. While the two organisations share an interest in the field of Critical Infrastructure Information (“CII”) protection, personal data protection in the EU legal framework may become a factor that could hinder the creation of effective cyber defence, unless timely and duly attended to by the interested nations and entities. There seems to be some inconsistency in the application of Directive 95/46/EC (hereinafter referred to as ‘the Directive’ or ‘the Personal Data Protection Directive’) by the Member States. These differences in interpretation and application of the Directive are particularly evident when comparing the approach taken by Germany with that of Sweden. These two cases will be discussed below.
The dominant view held by the EU data protection authorities, however, requires that information sharing regarding cyber incidents be supported by specific legal provision under the national law of each Member State.

7 Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive), OJ L 108, 24/04/2002 pp. 0033–0050; and four specific Directives: Directive 2002/20/EC of the European Parliament and of the Council of 7 March 2002 on the authorisation of electronic communications networks and services (Authorisation Directive); Directive 2002/19/EC of the European Parliament and of the Council of 7 March 2002 on access to, and interconnection of, electronic communications networks and associated facilities (Access Directive); Directive 2002/22/EC of the European Parliament and of the Council of 7 March 2002 on universal service and users' rights relating to electronic communications networks and services (Universal Service Directive); Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Personal Data Protection Directive); OJ L 281, 23/11/1995 p. 31. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications); OJ L 201, 31/07/2002 pp. 0037–0047. Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market ('Directive on electronic commerce'), OJ L 178, 17/07/2000 pp. 0001–0016. Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures, published in the Official Journal of the European Communities; OJ L 13, 19/01/2000, p. 12. Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public sector information; OJ L 345, 31/12/2003 pp. 0090–0096.

8 Currently, personal data can flow between the 27 EU member states and three EEA member countries (Norway, Liechtenstein and Iceland) and to Switzerland, Canada, Argentina, Guernsey, and the Isle of Man. An exception is granted to the US Department of Commerce under the Safe Harbor Privacy Principles, and for the transfer of Air Passenger Name Records to the United States Bureau of Customs and Border Protection.
3. EU Data Protection Agenda and Reflections on Member States

Systematic data protection in Europe dates to the aftermath of the Second World War and arises from the need to face the threat that people could be mistreated on the basis of abuse or misuse of personal data available to the state.9 Essentially, the EU data protection regulatory framework is based on a general prohibition of processing personal data, combined with a set of exceptions that allow data to be processed subject to personal data protection principles and restrictions. Directive 95/46/EC serves as the basis for personal data protection legal acts in nearly 30 advanced information societies. Personal data are defined as "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity" (art. 2 a). This definition is intended to be extensive. Data are "personal data" when someone is able to link the information to a person, even if the person holding the data cannot make this link themselves. Some examples of "personal data" are: address, credit card number, bank statements, criminal record, etc. Recently, the EU data protection supervisor, Peter Hustinx, shared his opinion on IP addresses as personal data, pointing out that IP addresses are also protected under data protection laws. Speaking to ZDNet at an RSA information security conference in London, he said that a person does not have to be identifiable by name in order for details of computer usage to be protected. Companies that gather addresses that might or might not be personal data should just treat them all as personal. When companies are unsure whether information, such as activity or server logs or a record of Internet protocol (IP) addresses, is personal data or not, they should treat it all as personal data.10

9 In 1939, the German authorities conducted a census to register German Jews and those who were half Jewish with the Reichssicherheitshauptamt. While the authorities claimed that personal data, such as religious inclination and nationality, were confidential, a national registry was created on the basis of those data to point out which citizens had a Jewish parent or grandparent. Similar registries were created and updated in Poland and compared to the data of the 1933 census. After the census, German citizens were listed in the Reichskartei as Aryans or non-Aryans, and their fate for the purposes of the Second World War was determined by the Nazi authorities controlling those registries. In this context, statistical data was put to the service of the governing regime. An extremely high regard for population policy transformed normally quantitative data about people into a qualitative and psychological basis of rule. Although statistical in nature, this information relied on the penetration of private and public lives, the recording and categorising of such data, and, last but not least, the subdivision of the data. Religion and nationality were not the only categories of information listed in the census. In 1935, the authorities created the labour registry, in 1936 the health registry, in 1939 the population registry, and in 1944 the personal identification number system. From 1934 on, those with hereditary illnesses were registered. By the beginning of the war, the authorities had a clear picture of the family planning, land inheritance and health status of the population. These statistics were put to service by and under the control of the authorities.

10 Michael, James. EU DP Supervisor says IP addresses are protected. Privacy Laws and Business International Newsletter, December 2008, issue 96, page 9.
Where personal data are involved, any processing11 of such data falls under the jurisdiction of the Directive unless otherwise provided for under national law. In the context of information exchange regarding cyber attacks, one of the more important provisions of the EU Data Protection Directive is Article 25, which prohibits the transfer of personal data to third countries.12 In principle, the transfer of personal data to countries outside of the EU requires the European Commission to assess the specific personal data protection regulations and practices of the country concerned. Since cyber threats have affected different countries, the national courts have the task of providing guidance on how to deal with those threats in the context of personal data privacy concerns. Interestingly, the views and approaches to the balance between privacy and security expressed by the various national courts indicate not only a difference of position and approach from country to country, but also highlight the existing challenge of finding a balance in the application of the Directive itself. In a verdict of 27 February 2008,13 the Bundesverfassungsgericht (German Constitutional Court, henceforth “BVerfG”) ruled that from the right to personal self-determination comes an individual’s right to the security and integrity of information systems (Grundrecht auf Gewährleistung der Vertraulichkeit und Integrität informationstechnischer Systeme). The essence of this ruling reflects Germany’s well-established guarantees of personal privacy, privacy of communications, and protection of personal data, and it emphasises the duty to refrain from violating the privacy of the user without a proper basis in applicable law.
The court emphasised that covert infiltration of information systems resulting in the surveillance of a person’s use of that system is only allowed when there is a) effective evidence, b) a real threat, c) a legally protected value, and d) where the authority for such interference is clearly provided for in the law. This effectively provides a relevant authority with a checklist of legal criteria/conditions that must be met in order to carry out a surveillance procedure. The court specified that threats to the fundamental institutions or existence of the state itself would indeed be a category that could justify such interference, indicating, inter alia, that under certain circumstances surveillance can be justified as a pre-emptive measure. In addition to the factual and legal necessity outlined above, and as part of the legal basis of authority requirement (element d) also referenced above, resorting to such measures in Germany would usually also require a court order as a prerequisite.

11 Under Article 2 (b) of the Directive, processing personal data ('processing') shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

12 The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.

13 http://www.bverfg.de/entscheidungen/rs20080227_1bvr037007.html
The BVerfG ruling represents a cautious approach to how, and to what degree, the state has authority over private communications and in particular over the surveillance of such communications. As such, the German judgement stands in counterposition to recent developments under Swedish law, where a bill was passed in June 2008 that allowed for the monitoring of all emails, text messages and phone calls for the purpose of national security.14 This legal instrument received widespread public criticism for excessively restricting civil liberties, violating integrity and creating a "big brother" state. According to the law, the state institution given the authority for surveillance, the FRA (Försvarets radioanstalt, the Swedish National Defence Radio Establishment) – unlike the police – would not be required to seek a court order to commence surveillance15; however, the Swedish Data Inspection Authority would supervise the activities of the FRA, and a collective board would be instituted to decide on surveillance in specific cases.16 The UK Information Commissioner's Office (ICO) has issued a statement that isolated IP addresses do not constitute personal data, but become personal data if they are used to create a profile on an individual or when in the hands of an ISP. According to the ICO’s reasoning, it is difficult to use IP addresses to build up personalised profiles. Many IP addresses, particularly those allocated to individuals, are 'dynamic'. This means that each time a user connects to their internet service provider (ISP), they are given an IP address, and this will be different each time. So if it is only the ISP who can link the IP address to an individual, it is difficult to see how the Act can cover the collection of dynamic IP addresses without any other identifying or distinguishing information. Some IP addresses are 'static', and these are different. Like some cookies, they can be linked to a particular computer, which may then be linked to an individual user.
Where a link is established and profiles are created based on static IP addresses, the addresses and the profiles would be personal information and covered by the Act. However, it is not easy to distinguish between dynamic and static IP addresses, so there is limited scope for using them for personalised profiling.17 The ICO approach is a purpose-based approach, where the applicability of the Directive would depend on whether processing the data is intended to justify the aim of the Directive itself or not. However, in light of personal data protection regulation in the EU and the numerous rulings of the European Court of Justice and the European Court of Human Rights, the focus of the Directive may have shifted towards a German school of interpretation. Furthermore, the EU data protection authorities have recently supported a rather protective approach towards personal data protection. Thus, the personal data protection regulation under the First Pillar may have a cooling effect on the implementation of measures regarding Third Pillar concerns and, more generally, affect the way that the world manages cyber incidents.
14 ‘Signal Surveillance Act’, Lag (2008:717) om signalspaning i försvarsunderrättelseverksamhet.

15 'Yes' to surveillance law. The Local, June 18, 2008.

16 Thelenius-Wanler, Emma. Riksdagen röstade igenom FRA-lag. Dagens Nyheter, June 18, 2008.

17 http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/collecting_personal_information_from_websites_v1.0.pdf

4. Balancing Privacy and Cyber Security
In the hierarchy of fundamental rights, the right to privacy has traditionally been considered one of the most significant, coming right after the “vital” rights to life, health, and freedom.18 As long as there are security concerns regarding these legally protected values, creating exceptions from the Directive may be seen as a matter for national regulation.19 But contemporary cyber incidents are often difficult to categorise legally. The Estonian cyber incident, often referred to as Cyber War 1.0, did not really result in loss of life or freedom, but rather portrayed a novel set of threats that does not readily fit into the existing perception of threat. Similarly, nobody was killed or injured in Georgia as a result of DDoS attacks against government and media websites. Modern information societies have become greatly dependent on information infrastructure and consequently may be vulnerable not only in “traditional” ways but also in the context of accuracy, reliability and security of information, not to mention those ways that could restrict the freedom of information and speech. These threats are not readily justified exceptions from the area of application of the Data Protection Directive. As a matter of fact, these threats do not fall within the focus of the law of armed conflicts or criminal law in the field of IT, either.20 Therefore, in order to create legal certainty for processing data about cyber incidents, the concept of cyber threat as well as the components of cyber incident management, such as transmitters and recipients of data and the nature, purpose and possible legal effect of data processing, need to be defined under the national regulatory framework. Otherwise, different opinions regarding the applicability of the personal data protection framework may hamper legal proceedings related to cyber incident management and create even more inconsistency in implementing the measures created for this complex and sophisticated legal area.
5. National Self-Help Remedies for Personal Data Protection Risks

In circumstances where the extent of cyber security exceptions under the EU Personal Data Protection Directive is unclear, nations are in a position to consider additional regulatory steps to reduce the risk of personal data privacy invasion and to support the interaction between national CERTs, the private sector, the government and international entities dealing with cyber defence. These include: clearly indicating and better defining the area of applicability of the national personal data protection regulation; defining the elements of critical infrastructure that, if attacked or otherwise disabled by electronic means, would be part of a member state’s request for assistance to NATO; and using other, possibly technical, economic, policy etc. measures in order to shape society’s tolerance and general understanding of cyber security.

18 Vital interests of the data subject or a third person are a legitimate basis for processing personal data without additional consent requirements under Article 8 (2) c.

19 According to Article 3 (2), this Directive shall not apply to the processing of personal data in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on the European Union, and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law.

20 LOAC was drafted with kinetic and bloody wars in mind, whereas most of the criminal law pertaining to IT incidents has the economic effect of IT criminality in the background.

5.1. Making a Provision Concerning the Area of Applicability of the EU Personal Data Protection Regulation in the Field of Cyber Security

As indicated by the BVerfG, the elements necessary to design the national view of cyber security clearly ought to provide for the aforementioned conditions of a) effective evidence of, b) a real threat against, c) a legally protected value, and d) the authority for interference. In other words, the exceptions to the national data protection regulation have to be tied to national threat assessment procedures and legally accepted means of cyber deterrence. Last but not least, the authority must give clear indications that allow the immediacy of a threat to be determined.

5.2. Defining Critical Infrastructure (Relevant to Cyber Security)

Defining the components of the national information architecture that are critical not only for the State to function correctly but also to preserve national security will render the institutions that are part of the information flow transparent in case of a cyber incident of concern to national security. This will, on the one hand, establish the framework for the potential focus regarding personal data processing and thereby serve as part of the legal basis for data processing. On the other hand, defining the components that are critical to national, and possibly international, security will outline what the potential threat assessment and risk management criteria are for the institutions involved. For example, under Directive 95/46/EC, the private sector is under obligation to provide the data subject with a comprehensive understanding of the potential uses of the data available about him or her.
The definition of CII elements will help to determine and define additional legal measures such as audit obligations, threat assessment and reporting measures or potential restrictions to the terms of use of critical information systems.

5.3. Defining the Procedure for the Exchange of Information Regarding Cyber Incidents

There are a number of persons involved in gathering accurate and consistent data on cyber incidents. Provided that the addressee of the information about the incident is the NATO Cyber Defence Management Authority, the information will be readily accessible to potentially all NATO nations. The information will be provided by a designated national authority that, under most circumstances, is not in a position to directly gather data, but will be enabled to use different sources, such as national CERTs, components of the CII under attack and ISPs. Last but not least, information may be directly or indirectly collected from the data subjects. In order to minimise the risk that the information and details of the incident are misused, the potential chain of information ought to be defined so as to create a correct legal basis for processing such details.
5.4. Engaging Soft Law and Self-regulatory Means to Enhance National Cyber Defence Capability

The law in the field of cyber defence and cyber security is evolving and is, to a great extent, dependent on political (and popular) views on the issue. It is important therefore that all legal measures be communicated to the general public from the moment that such regulation could necessitate a reduction in the sphere of privacy and anonymity of the data subject in order to ensure national cyber security. Laws regarding privacy may very well need an element of public dialogue to better support the activities of the cyber defence authorities and law enforcement agencies and to increase the understanding and cooperation of the latter with the data protection authorities. Creating an understanding between all stakeholders of the information society is a task that no government is capable of implementing on its own. Consequently, a global approach to the development of national cyber security policies and strategies must be taken that incorporates not only international concerns but also the interests of the private sector and the habits of individual consumers in the information society.
Conclusions and a Way Forward

The ideas presented above, which take a generalised look at national approaches into account, aim at identifying more effective cyber defence policies and strategies. As international cyber security concerns evolve, more constructive and sophisticated cooperation is needed between the EU and NATO, and potentially other international organisations, to ensure that any loose ends in the defence measures adopted are kept under control and resolved. As countries build their national cyber defence framework, they face the privacy vs. security test. It is not only about choosing between the approaches of Germany and Sweden, which find themselves on either end of the privacy vs. security spectrum, but it is also a question of taking the factors of cyber threats unique to each nation and balancing them with the international cyber security agenda and concerns. Recognising and defining CII as an aspect of cyber threats of national/NATO relevance will serve to facilitate the management of cyber incidents by enabling a model and procedures to be created that are capable of addressing the incidents and any information connected to them. In defining how personal data ought to be processed for cyber security purposes, two courses of action must be considered and pursued: transparency and visibility for the data subjects, and a systematic approach to be taken by the authorities to manage cyber conflicts. National Data Protection Authorities will play an important role in reconsidering national approaches to data processing as they take aspects of cyber defence into account. In developing their views on the implementation of the EU Directive, they may need to rethink the essence and aims of personal data protection in Europe and, thus, reshape the landscape of personal privacy.
Modelling Cyber Security: Approaches, Methodology, Strategies U. Gori (Ed.) IOS Press, 2009 © 2009 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-074-2-199
Crimen Ex Machina: A Legal Approach

Prof. IVO PAPARELA PhD, University of Dubrovnik

Abstract. Appropriate laws and efficient judiciary and law enforcement agencies that are not corrupt are the first line of defence against cyber aggression. Due to the border-less nature of the internet and activity on the internet, it is also clear that criminal laissez faire (in other words, a “crime friendly” legal system) in one country jeopardises anti-crime efforts in many others. An efficient legal system is, in and of itself, a form of “antivirus” and adds value to all of the existing technical anti-virus solutions; it is also the only anti-virus that criminals and terrorists alike are afraid of. But is the legislation of the NATO countries and other countries, particularly Eastern European Countries (hereinafter, EE), on cyber criminality, adequate and capable of supporting law enforcement agencies in their fight against cyber criminals?

Keywords. criminal code, cyber criminality, Croatia, East European Countries, cyber war, cyber army
Introductory Remarks

Is the legislation of the NATO countries and other countries, particularly Eastern European Countries (hereinafter, EE), on cyber criminality, adequate and capable of supporting law enforcement agencies in their fight against cyber criminals? Are the law enforcement agencies, in NATO countries and in other EE countries, sufficiently supported politically and juridically to be able to cope with cyber “warriors” regardless of the motives of these attackers? If yes, then this article is of no consequence. If not, what happens next? These questions need an answer, an honest one and not simply a politically correct one! In the interest of the common security and welfare of citizens, these questions must be given an answer. At the same time, we are perfectly aware of how much the business world needs “virtual” shares in order to carry out ordinary operations on the stock exchange. Therefore, the challenges that legislators, internet users, policemen and criminals face once they start using their computer become readily understandable. In other words, having appropriate laws (1), both ius and lex, in place, together with an efficient judiciary and law enforcement agencies that are not corrupt, is the first line of defence against cyber aggression. This is the strategic defence structure of every democratic country. Readers know that law and order are the basis of any free society and that “chaotic freedoms” (such as free license) are the enemies of freedom and human dignity. It is evident that the cyber world has many elements of “chaotic freedoms”. In these last few years, policing of the web has appeared even to politicians to be a necessity. As a result, in most countries, legislation regarding socially unacceptable activities on the web has been promulgated. A legal analysis of cyber space, although necessary in and of itself, also helps those in the field to better understand, from a technical viewpoint,
I. Paparela / Crimen Ex Machina: A Legal Approach
how their work fits into the social and security dimensions of cyberspace, be they within country boundaries or in the international arena. Efforts made by police forces in this field, as elsewhere, can be neutralised or rendered ineffectual by inadequate laws and corrupt judges. Due to the border-less nature of the internet and activity on the internet, it is also clear that criminal laissez faire (in other words, a “crime friendly” legal system) in one country jeopardises anti-crime efforts in many others. The juridical approach to facing cyber criminality focuses on the human element, which is essential to the question of cyber regulation. In other words, the juridical approach focuses on human behaviour as it uses a “machine”. An efficient legal system is, in and of itself, a form of “antivirus” and adds value to all of the existing technical anti-virus solutions; it is also the only anti-virus that criminals and terrorists alike are afraid of. This paper is the product of an embryonic research effort “in situ”; the conclusions are provisional.
1. A brief comparative overview of legislation on cyber activities

Cyberspace is simultaneously: a) big business; b) a work tool; c) a source of information; d) a space for social activities, including recreation; e) a field for criminal activities, including terrorism; f) a weapon of mass destruction; g) a battlefield sui generis. Each one of these aspects has its own legal rules that regulate how they function within a given context and circumstances. All users are expected to respect those rules. Legal systems are put in place to “make life difficult” for those who would infringe upon the rules. Those who abuse the internet and its rules, however, can be very dangerous because of the effects that they can have not only in the virtual world but also in the real world. In this section, national legislation on cyber activities will be briefly presented and emphasis will be placed on the improvements that would need to be made in each of the presented pieces of legislation. Recently, Western countries have found that legally policing the Internet is a public interest. (Russia, China, and Arab countries police their cyber space efficiently.) Most Eastern European countries (EE) have some form of basic “cyber legislation” in place. However, they may still be considered to be “numerical paradises”, the Balkan countries among them. The reasons for this are that criminality, in general, flourishes better there than in other parts of Europe, and that the existing legislation is incomplete and is not properly enforced. The criminal codes in Croatia and Slovenia have articles that directly deal with cyber criminality (2). Serbia and other countries also have similar legislation (3). Neither the Penal Codes nor the Codes of Criminal Procedure in the EE countries discourage people from committing illegal acts in general and ipso facto on the Internet (4). Punishments are frequently lenient (5).
In fact, this author currently knows of only four cases of criminal activities that have gone before the courts in Croatia for which the sentences have been lenient. In other EE countries judicial policy is about the same!
I. Paparela / Crimen Ex Machina: A Legal Approach
Legislation in EE countries is based on the Convention of the Council of Europe on Cyber Criminality (Budapest 2001). Neither the various national legislations in EE countries nor the Convention itself are adapted to suit the reality of cyber criminality today. One reason is that both the Criminal Code (CC) and the Code of Criminal Procedures (CCP) are crime friendly in general. Another reason has to do with the difficulty of finding a juridical definition of cyber criminality that is satisfactory for everybody. Moreover, there is a general lack of political will to impose the criminal legislation necessary to face the presently high levels of criminality. From the interviews held with prosecutors in various Balkan countries, the impression that was clearly transmitted was that cyber criminality is the least of their worries. First, they do not fully understand cyber technology. Second, “ordinary” criminality is their priority. Third, they do not care much about cyber or other criminality to begin with. Police departments have better knowledge of the subject, but policemen are discouraged by the laxity of the judiciary. What is more, the police find themselves under political pressure! Yearly meetings between the Ministers of the Interior, the chiefs of police, and the state prosecutors of the Balkan countries have had the tangible result of ensuring only that the small fish, or petty criminals, are imprisoned more frequently than before. In the near future, it would be necessary to introduce a provision in the CCP that the defendant bear the onus probandi if he is charged with financial or cyber offences. That would be an excellent anti-virus for all.
2. Cyber criminality as a part of general criminality
Both criminals and terrorists need money more than cell phones or computers. For this reason they look for safe places, like the Balkan countries (6), so that they can carry on with business in total impunity. In order to do this, however, the criminals need new identities and passports to fit that identity. They also need lawyers, public notaries, court experts and accounting auditors, who will assist them in various procedures regarding trade documents, corporate registration and other “business activities”. Thus, the visible part of the business hides the illegal aspects. One might ask where the computer is in all of this. The following is a real life example from Croatia: the real estate records of the whole country may be found on the Internet. This enables everybody to see the land or house and the name of its owner; the latter is usually a normal citizen. Crooks, who need to legalise dirty money or want real estate for speculation purposes, pay the police for a new identity superimposed on the name of the innocent owner, after which they buy and sell under the new identity. The public notary asks no questions and the business is done. When the owner discovers his tragedy and asks the police for help, the police officer simply tells him that his department does not investigate real estate disputes and that he has to go to the court which is competent ratione loci. In other words, the owner is told to go see the judge who is in contact with the crooks and who “legalised” this operation. The result for the honest man is evident. Several thousand such operations have taken place all over the area and represent tens of millions of euro and large profits for criminals. Many Russian and Serbian criminals have Croatian passports.
This is clearly the combination of organised crime assisted by criminality within institutions and an application of NEC [1]. It is often difficult to say whether the institutions are a subsidiary of crime or whether crime in these countries is a subsidiary of governmental bodies. Furthermore, most of the judges and prosecutors in Croatia were appointed before 1990. The vast majority of them have secret police files and were in contact with the political police prior to the declaration of independent Croatia. Those files have been sold to criminals by police officers who either joined the “private sector” after 1990, or have been corrupted by criminals or by their former colleagues in the “private sector”. Some of the supreme court judges were involved in political trials during that period of time and do not want public opinion and their children to discover how they behaved as judges before 1990. This means that these judges can be easily blackmailed by criminals at any time. This explains the many “procedural” errors that occur when criminals of high calibre are judged. Errors are often made intentionally, so that defence lawyers have no difficulty obtaining “not guilty” verdicts. From what has been said above, it is evident that criminals, in general, and cyber criminals, in particular, are free, and indeed have a relatively free range of action, in EE and Balkan countries. This has implications for the NATO area of interest, because it is from those countries that cyber attacks can be launched to strike targets anywhere in the world. Some of these countries are EU and NATO members, which implies that their citizens can move freely within the entire EU area. Many people in EE countries are jobless or want to get rich quickly, as their leaders have done. Those are normal, everyday citizens that have no criminal past or criminal connections.
Criminals, on the other hand, have been able to steal their names and addresses and have started to use them for their drug businesses, on a one-shot basis. The same techniques are often used in illegal cyber activities. For example, students are offered free computers or laptops. Those laptops are then used for the dissemination of pornography or for any other criminal purpose, more often than not without the knowledge of the student. The standard abuse of the stock market and other forms of criminal banking are kept secret, and no one wanted to speak of them to this author. Bearing in mind that Bosnia is a poor country and that in this poor country banking density has almost reached the same proportions as in Geneva, it is left to the readers to draw their own conclusions. New draconian legislation is needed: frangenti fidem non est fides servanda!
3. Computer as a WMD
Several issues are presented here. Imagine that a group of “illuminated”, spoiled or manipulated young people have intercontinental missiles in their hands. Now, imagine that the Serbian mafia has the same thing. A computer can have devastating effects on the infrastructure of a country, with generated costs (direct or indirect) comparable to those of a warhead. (7)
[1] NEC (Network Enabled Capabilities) is a less radical concept than Network Centric Warfare and aims at merging the existing systems and platforms in an effective communication network. In the text, this concept is used allegorically.
This shows how important it is that each and every government seriously polices its territory as well as its cyber space. If the police and judiciary in such a country are corrupted, however, assistance to the authorities of a country that has been attacked is not guaranteed, or it is misleading. How evidence is handled and administered is absolutely crucial, but within states where high levels of corruption exist this is next to impossible. When an aggression is actually committed by a government, questions of international law are also raised. This requires the re-examination of military doctrine. There are, more or less, three possibilities of attack: Virtual vs. Virtual; Virtual vs. Real; Real vs. Virtual. Within this context it might be of some interest to read old Soviet (yes, Soviet) military authors once again (8). Virtual reality is the sixth dimension of military operations: ground, sea, underwater, air, cosmos, and cyber space. This then goes back to ground operations if and when dominance is the purpose of the war. Rethinking cyber war is a challenge, because one has to deal differently with the concepts of time and space in the cyber reality and link them with the parallel concepts of ordinary, physical reality. Cyber space may simultaneously be considered an independent entity in its own right or an element, sine qua non, in any operation that takes place within the other five aforementioned dimensions. This is why the Russian military speaks (9) of informaticeske vojsk (cyber army), informaticeska vojna (cyber war) and realna virtualna vojna (real virtual war), and why they quote the American authors Marcus Ranum and Bruce Schneier (10). Top commanders must react more quickly than platoon commanders in this new and rapidly shifting environment. They must have the reflexes of a water polo goalkeeper. The initial phase of a war (nacalni period vojni) follows the same political logic, but radically changes the technology that is used.
This is another point of concern and would be an important research subject. One can imagine the legal implications when governments start to think about the non-proliferation of cyber technologies, or about the reduction of cyber forces. Intelligence agencies, which work in cyber space, need to have a lot of knowledge, experience and wisdom. Mathematical modelling is necessary and helpful, but the results depend on initial inputs, which are arbitrary. Thus, the human intelligence (agenturnaja razvedka) factor remains as important as ever.
By way of conclusion
The answer to the two questions that are asked at the very beginning of this paper is clearly no. The intention of this paper was to highlight the importance of the laws which protect free nations from totalitarian threats. Security is not divisible. Even if it were divisible it would have prohibitive costs. EE countries are the weak link in the security chain, for many reasons, but above all because of the corruption that runs through their government agencies. Public opinion in the West is also a liability for defence and security organisations, and it is not favourable to the proposal of a legally based control over Internet activity; this shows the effects of brainwashing on the populations and youth. Various “gurus”, Madonna, the Beatles and other starlets, have more credibility than the heads of security services in the eyes of public opinion. But this same public opinion requires protection when their bank accounts or credit cards are lost or stolen. Do they not believe that “Hannibal is ante portas”? In reality, why should they? Have they any example in society?
NOTES
1) Good laws are not always appropriate.
2) Croatian Criminal Code www.Zakoni.hr
3) Serbian CC www.Serbia.gov.rs
4) So art. 223 §1 Croatian CC
5) In Slovenia & Croatia the maximum penalty is five years. Practically, this means two years in jail for good behaviour.
6) See Xavier Raufer in Revue Défense Nationale 12/2008
7) See Cybercriminalité à la cyberguerre, Revue Défense Nationale 5/2008
8) See Isserson in Voprosy strategii i operativnogo iskusstva, Gosizdat 1963 / Moskva
9) Gen. Anatoly Nogovicnii, Deputy Chief of General Staff, in “Vzgljad” 25/2/2009
10) See Vzgljad 25/12/2007
Modelling Cyber Security: Approaches, Methodology, Strategies U. Gori (Ed.) IOS Press, 2009 © 2009 The authors and IOS Press. All rights reserved.
Curricula Vitae of the Authors
Maurizio AGAZZI Company Director of Information and Communication Technology for the ROBUR S.p.A Group.
Niv AHITUV Marko and Lucie Chaoul Chair for Research in Information Evaluation and the Academic Director of the Netvision Institute of Internet Studies at Tel Aviv University.
Paolo CAMPOBASSO Senior Vice President of UniCredit Group.
Giovanni CATALDO Chief of the Section on Terrorism in the Organised Crime Office at the Carabinieri General Headquarters.
Claudio CIOFFI-REVILLA Professor of Computational Social Science and Founding Director of the Center for Social Complexity at George Mason University, Jefferson Science Fellow at the National Academy of Science.
Yuval ELOVICI Director of the Deutsche Telekom Laboratories at Ben-Gurion University and Senior Lecturer at the Department of Information Systems Engineering, Ben-Gurion University.
Alessandro GAZZINI Principal at Booz & Company. He leads Booz’s Risk, Resilience and Information Assurance related activities for the European Union and Middle Eastern markets.
Umberto GORI Full Professor (r) of International Relations and Strategic Studies, University of Florence. Professor at the Naval Academy and Air Force College. President of CSSI. Director of ISPRI. President of the Scientific Committee, Master in Intelligence and Security, Link Campus University of Malta.
Giancarlo GRASSO Senior Advisor to the Chairman and CEO of Finmeccanica S.p.A., Chief of the Italian Delegation at N.I.A.G., Deputy Chairman of ESRIF, and Chairman of the ASD Security Commission.
Anat HOCHBERG-MAROM Department of Political Science, Faculty of Social Science at Tel Aviv University.
Gerardo IOVANE Associate Professor in Mathematical Analysis at the University of Salerno, National Scientific Expert at NATO (Research and Technology Agency), and Scientific Expert at the Ministry of University and Scientific Research (MIUR).
Serena LISI Centre of Strategic and International Studies (CSSI), University of Florence.
Antonio Guido MONNO Colonel of the Carabinieri, Udine Regional Headquarters and former Branch Chief of Counter-Intelligence and Security in Afsouth - NATO (Allied Forces of Southern Europe).
Guglielmo MORGARI Crypto team leader at TELSY Elettronica e Telecomunicazioni S.p.A. His current technical interests are encryption algorithms, with a main focus on the development and cryptanalysis of stream ciphers; security protocols; and the implementation of cryptographic primitives on general purpose and dedicated hardware.
Haris MOURATIDIS Principal Lecturer in Secure Systems and Software Development at the School of Computing, Information Technology and Engineering (CITE) at the University of East London, where he is also the Field Leader for the Secure Systems and Software Development Field.
Marco PAGGIO Project leader and Technical Director at TELSY Elettronica e Telecomunicazioni S.p.A. and member of IEEE.
Esti PESHIN Former Chief Executive Officer, Waterfall Security Solutions Ltd.
Ivo PAPARELA Full Professor at the University of Dubrovnik. His current research is focused on the legal and economic aspects of stock markets in South-Eastern Europe and on corporate accounting laws and standards.
Andrea RIGONI Booz and Company.
Ferdinando SAN FELICE DI MONTEFORTE Former Italian Military Representative to the NATO and EU Military Committees.
Dario Maria SGOBBI Director of the Navy Cryptographic Center (CDR); also involved in resolving all of the Italian Navy INFOSEC technical issues.
Asaf SHABATAI Deutsche Telekom Laboratories at Ben Gurion University.
Pascal SITBON Expert Researcher and Project Manager on Industrial Control Systems Cybersecurity at EDF (Electricité de France).
Sergio STARO Deputy Questore of the Italian National Police, Senior Police Officer of the Computer Crime Unit and Head of the International Relations Section of the Postal and Communications Police Service.
Eneken TIKK Head of the Legal Task Team of the Cooperative Cyber Defence Centre of Excellence (CCD COE), Estonia.
Ari VIDALI CEO of ENVISAGE Technologies Corp. (USA). Founder of iFORCES (the Institute For Operational Readiness and Continuous Education in Security). Consultant for the Federal Government, Homeland Security, Emergency Management, Military, Law Enforcement, First Responder, Higher Education and Medical industries.
Domenico VULPIANI Superior Director of the Italian State Police. Since 2001, he has been the Director of the Postal and Communications Police Service, whose objective is to protect communications and counter postal, computer and cyber crime.
LIST OF PARTICIPANTS NATO ARW - Operational Network Intelligence: Today and Tomorrow
AGAZZI Maurizio AHITUV Niv ANCORA Massimo ARDITTI Michel
Robur SpA NIIS, Netvision Institute for Internet Studies, Italian Army CESIC, Cercle d’Étude de Sécurité Industrielle & Commerciale
BERNARDI Romolo BLITZBLAU Shai BOBYLEV Nikolai BOLOGNA Enrico BOZZO Luciano
Finmeccanica University of Tel Aviv Technische Universitat Berlin Italian Defence General Staff
CAMPOBASSO Paolo CANTARELLA Alfonso CATALDO Giovanni CELEBI Erdogan
Unicredit Group Holding Confindustria Carabinieri Corps Center of Excellence Defence against Terrorism Italian Army The Centre of Social Complexity, G. Mason University ISPRI, Institute of Forecasting Studies ISPRI, Institute of Forecasting Studies NATO Defence General Staff Italian Army Deutsche Telekom Laboratories Italian Army Booz & Company
CHAINESE Flavio CIOFFI-REVILLA Claudio COLBY Fifolle CUDA SOMMERFELD Renate DELL’ACQUA Francesca DI CECCO Vittorio Emanuele DIAMANTI Tiziano ELOVICI Yuval FERILLI Mauro GAZZINI Alessandro GORI Umberto GRASSO Giancarlo GRIGORYAN Arsen GRILLO Bardhyl HAKOPIAN Christina HANAFI Menouar HOCHBERG-MAROM Anat
CSSI, University Centre for Strategic and International Studies
CSSI, University Centre for Strategic and International Studies
Finmeccanica Yerevan State University University Scanderberg of Tirana Yerevan State University University of Oran Tel Aviv University
IOVANE Gerardo JONGMAN Albert J. KASKA Kadri KAVUNENKO Lidiya LEZZI Paolo LISI Serena
University of Salerno Dutch Ministry of Defense Cooperative Cyber Defence Centre of Excellence National Academy of Science of Ukraina Maglan Group CSSI, University Centre for Strategic and International Studies
LOMBARDINI Gualtiero LUCATTELLI Giancarlo MALTAGLIATI Ilaria
Generale Agricola s.n.c. Finmeccanica
MANDARINO Lorenzo Antonio MARCHAL Jacqueline
Starpur S.r.L. ISPRI, Institute of Forecasting Studies Carabinieri Corps Italian Army Generali Insurance Group University of London ITU, International Telecommunication Union TELSY, Elettronica e Telecomunicazioni S.p.A University of Dubrovnik and Paris Waterfall Security Solutions
MONNO Guido MORETTO Gianluca MORIGGI Cedrick MOURATIDIS Haris NTOKO Alexander PAGGIO Marco PAPARELLA Ivo PESHIN Esti PETRUCCELLI Anna Maria PODDA Stefano RAHAV Reut RAMACCIOTTI Stefano RAMOINO Pier Paolo RAPETTO Umberto REBORA Antonio ROTARU Victor SANFELICE di MONTEFORTE Ferdinando SGOBBI Dario Maria SITBON Pascal SOMMA Catello STARO Sergio STOPPONI Pietro TIKK Eneken TONINI Pietro TUNCEL Gonca UDOVYK Oleg VARDANIAN Trahel Gerasim VARDANIAN Vahram
CSSI, University Centre for Strategic and International Studies
CSSI, University Centre for Strategic and International Studies
Unicredit Group Maglan Group Italian Defence General Staff Italian Navy Italian Financial Police Ansaldo Ricerche (Finmeccanica) Unicredit Group Italian Navy Italian Navy EDF, Electricité de France Italian Defence CERT Italian State Police ISPRI, Institute of Forecasting Studies Cyber Defence Task Force Finmeccanica Dokuz Eylul University National Institute for Strategic Studies Yerevan State University Yerevan State University
VIDALI Ari VITAGLIANO Davide WYLIE Margot
Envisage Technology Corporation Italian Army
ZAPPELLI Maurizio
Italian Army
CSSI, University Centre for Strategic and International Studies
Subject Index
allegories 43
Al-Qaeda 109
asymmetrical war 43
authentication 11
biometrics 11
botnets 132
CNAIPIC 153
CNCPO 153
collective intelligence 132
content analysis 109
control of virtual territory 160
counter-marketing-warfare 109
criminal code 199
critical information infrastructure(s) 140, 153
critical information infrastructure protection 182
critical infrastructure(s) protection (CIP) 79, 182
critical national infrastructures (CNI) 79
critical networks 79
Croatia 199
cryptography 43
cyber army 199
cyber attacks 79, 125
cyber-crime 160
cyber crime community 132
cyber criminality 199
cyber security 11, 125, 140, 182
cyber war 199
cyber warfare 125
deterrence 125
distributed-denial-of-services 132
East European Countries 199
encryption 43, 132
entropy 43
fuzzy theories 43
hacking 79
human-computer interaction 11
illegal underground economy 132
immigration 114
information security 5
information sharing 182
infrastructure protection 125
integrated approach 43
internal subversive organisations 160
international terrorism 160
Internet 109
Islam 114
IT security 182
Jihad 109
language evolution 43
lawful interception (LI) 79
malicious application 132
malware 132, 140
marketing perspective 109
one way link 79
on-line Police Station 153
open information society 5
peer-to-peer 132
postal and communication service of the Italian National Police 153
privacy 5
privacy of an organisation 5
propaganda 114
recruitment 114
remote infrastructure management (RIM) 79
risk management 93
rootkits 132
rustock 132
Salafism 114
SCADA 79, 93
secure manual uplink (SMU) 79
security 11, 93, 182
security objectives 93
segregation topology 79
smart metering 93
social engineering technique 132
steganography 43
terrorism 114
threat 109
unidirectional connectivity 79
usability 11
virtual sanctuary 160
waterfall 79
web 114
WEB2.0 132
web-forums 132
Author Index
Agazzi, M. 132
Ahituv, N. 5
Campobasso, P. 75
Cataldo, G. 160
Cioffi-Revilla, C. 125
Elovici, Y. 140
Gazzini, A. 182
Gori, U. vii
Grasso, G. 173
Hochberg-Marom, A. 109
Iovane, G. 52
Lisi, S. 43
Monno, A.G. 114
Morgari, G. 59
Mouratidis, H. 29
Paggio, M. 68
Paparela, I. 199
Peshin, E. 79
Rigoni, A. 182
Sanfelice di Monteforte, F. 165
Sgobbi, D.A.M. 59, 68
Shabtai, A. 140
Sitbon, P. 93
Staro, S. 153
Tikk, E. 189
Vidali, A. 11
Vulpiani, D. 153