Newer posts are loading.
You are at the newest post.
Click here to check if anything new just came in.

February 06 2012

Business-government ties complicate cyber security

From time to time, we like to check in with "Inside Cyber Warfare" author Jeffrey Carr to get his thoughts on the digital security landscape. These conversations often address specific threats, but with the recent release of the second edition of Carr's book, we decided to explore some of the larger concepts shaping this space.

Are corporate and government interests in the U.S. becoming one and the same? That is, an attack on an American business' network may be regarded as an assault on the country itself?

Jeffrey Carr: Due to the dependence of the U.S. government upon private contractors, the insecurity of one impacts the security of the other. The fact is that there are an unlimited number of ways that an attacker can compromise a person, organization or government agency due to the interdependencies and connectedness that exist between both.

Are national network security and media piracy becoming interrelated and confused?

Jeffrey Carr: It has definitely become confused to the point where the Department of Homeland Security (DHS) is now the enforcement arm of the Recording Industry Association of America (RIAA), which I find utterly disgraceful. It's due entirely to the money and power that entertainment industry lobbyists have to wave in front of members of Congress. It has absolutely nothing to do with improving the security of our critical infrastructure or reducing the attack platform used by bad actors.

Flipping this around, how much of a cyber threat does the U.S. pose to other countries?

Jeffrey Carr: The U.S. is probably as capable or more capable at conducting cyber operations than any of the other nation states who engage in it. It's not a question of "they do it to us, but we don't do it to them." It's a question of how to defend your critical assets in light of the fact that everyone is doing it.

What recent technologies concern you the most?

Jeffrey Carr: We are racing to adopt cloud computing without regard to security. In fact, many customers wrongly assume that the cloud provider is responsible for their data's security when the reverse is true. Not only is security a major problem, but there's no telling where in the world your data may reside since most large cloud providers have server farms scattered around the world. That, in turn, makes the data susceptible to foreign governments that have cause to request legal access to data sitting on servers inside their borders.

Inside Cyber Warfare, 2nd Edition — Jeffrey Carr's second edition of "Inside Cyber Warfare" goes beyond the headlines of attention-grabbing DDoS attacks and takes a deep look inside recent cyber-conflicts, including the use of Stuxnet.

This interview was edited and condensed.

Related:

December 05 2011

Why cloud services are a tempting target for attackers

The largest cloud providers today are Google, Microsoft, and Amazon; each offering multiple services and platforms for their respective customers. For example, Microsoft Azure, Google Apps, and Amazon EC2 are all hosting and development platforms. Google Docs, Acrobat.com, and Microsoft Office 365 all provide basic word processing, spreadsheets and other applications for individuals to use via the web instead of on their individual desktops. Then, of course, there's social networks, online gaming, and video and music sharing services — all of which rely on a hosted environment that can accommodate millions of users interacting from anywhere on earth, yet all connected somewhere in cyberspace. While the benefits are many, both to individuals and to corporations, there are three distinct disadvantages from an individual and national security perspective:

  • The cloud provider is not responsible for securing its customers' data.
  • Attacking a cloud-based service provides an economy of scale to the attacker.
  • Mining the cloud provides a treasure trove of information for domestic and foreign intelligence services.

No security provisions

A Ponemon Institute study (pdf) on cloud security revealed that 69% of cloud users surveyed said that the providers are responsible, and the providers seemed to agree. However, when you review the terms of service for the world's largest cloud providers, responsibility for a breach of customer data lies exclusively with the customer.

For example:

  • From Amazon: "Amazon has no liability for .... (D) any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of your content or other data."
  • From Google: "Customer will indemnify, defend, and hold harmless Google from and against all liabilities, damages, and costs (including settlement costs and reasonable attorneys' fees) arising out of a third-party claim: (i) regarding Customer Data..."
  • From Microsoft: "Microsoft will not be liable for any loss that you may incur as a result of someone else using your password or account, either with or without your knowledge. However, you could be held liable for losses incurred by Microsoft or another party due to someone else using your account or password."

Not only do none of the three top cloud providers assume any responsibility for data security, Microsoft goes one step further and places a legal burden upon its customers that it refuses to accept for itself.

An economy of scale

NASDAQ's Directors Desk is an electronic boardroom cloud service that stores critical information for more than 10,000 board members of several hundred Fortune 500 corporations. In February 2011, an un-named federal official revealed to the Wall Street Journal's Devlin Barrett that the system had been breached for more than a year. It's unknown how much information was compromised as well as how or when it will be used.

From an adversary's perspective, this type of breach offers an economy of scale that has never been seen before. In the past, several hundred Fortune 500 companies would have to be attacked, one company at a time, which costs the adversary time and money — not to mention risk. Now, one attack can yield the same amount of valuable data with a significant reduction in resources expended as well as risk of exposure.

An intelligence goldmine

China's national champion firm Huawei is moving from selling telecommunications network equipment toward developing Infrastructure-as-a-Service software (IaaS) needed to provide a highly scalable public cloud like Microsoft's Azure or Amazon's EC2. If it sells IaaS with the same strategy that it uses in selling routers and switches, Amazon, Google, and Microsoft can expect to begin losing a lot of enterprise business to Huawei, which will cut pricing by 15% or more against its nearest competitor. Cloud customers can expect their data to reside in giant state-of-the-art server farms located in Beijing's "Cloud Valley" — a dedicated 7,800-square-meter industrial area that is home to 10 companies focusing on various aspects of cloud technology, such as distributed data centers, cloud servers, thin terminals, cloud storage, cloud operating systems, intelligent knowledge bases, data mining systems, and cloud system integration.

Cloud computing has been designated a strategic technology by the People's Republic of China's State Council in its 12th Five-Year Plan and placed under the control of the Ministry of Industry and Information Technology (MIIT). MIIT will be funding research and development for SaaS (Software as a Service), PaaS (Platform as a Service), and IaaS (Infrastructure as a Service) models as well as virtualization technology, distributed storage technology, massive data management technology, and other unidentified core technologies. Orient Securities LLC has predicted that by 2015, cloud computing in China will be a 1 trillion yuan market.

According to the U.S.-China Council website, MIIT was created in 2008 and absorbed some functions from other departments, including the Commission of Science, Technology, and Industry for National Defense (COSTIND):

From COSTIND, MIIT will inherit functions relating to the management of the defense industry, with a scope that covers the national defense department, the China National Space Administration, and certain administrative responsibilities of other major defense-oriented state companies, such as the China North Industries Co. and China State Shipbuilding Corp. MIIT will also control weapons research and production in both military establishments and dual-role corporations as well as R&D and production relating to "defense conversion" — the conversion of military facilities to non-military use.

Clearly, the PRC has made a serious commitment to cloud computing for the long term. This doesn't portend well for today's private cloud service providers like NetApp or public cloud providers like Amazon, Google, and Microsoft — especially if buying decisions are based on price.

What to consider

The move to the cloud is both inevitable and filled with risk for high-value government employees, corporate executives, and companies engaged in key market sectors like energy, banking, defense, nanotechnology, advanced aircraft design, and mobile wireless communications, among others.

To make matters more complicated, cloud providers may move data to different server farms around the world rather than keep it in the same country as the corporation or individual that owns it. That could potentially put the customer's data at risk for being legally compromised under foreign laws that would apply to the host company doing business there. For example, Microsoft UK's managing director Gordon Frazier was recently asked at the Office 365 launch, "Can Microsoft guarantee that EU-stored data, held in EU-based datacenters, will not leave the European Economic Area under any circumstances — even under a request by the Patriot Act?" Frazier replied, "Microsoft cannot provide those guarantees. Neither can any other company."

The best advice for individuals and companies at this time is to insist that cloud providers build a measurably secure infrastructure while providing legal guarantees and without the use of foreign data farms. Until that occurs, and it's highly unlikely to happen without strong consumer pressure, there are significant and escalating risks in hosting valuable data with any cloud provider.

Inside Cyber Warfare, 2nd Edition — Jeffrey Carr's second edition of "Inside Cyber Warfare" goes beyond the headlines of attention-grabbing DDoS attacks and takes a deep look inside recent cyber-conflicts, including the use of Stuxnet.

Associated photo on home and category pages: Dark Cloud, Blue Sky 2 by shouldbecleaning, on Flickr.

Related:

May 28 2010

Korea Family Feud


(Global Pulse: May 28, 2010) After the South Korean warship Cheonan sunk -- allegedly due to a North Korean torpedo -- the West was unanimous in its judgment of North Korea's guilt, and quick to spin different theories on the motive for the attack. But, some South Koreans aren't so sure, thinking the attack too neat a coincidence with the looming elections, and finding the evidence murky. The plot thickens.SOURCES: KBS, South Korea; KCTV, North Korea; Fox News, U.S; MBC, South Korea; Al Jazeera English, Qatar; BBC, U.K.; CCTV, China.

May 27 2010

Democracy Now! 2010-05-27 Thursday

Democracy Now! 2010-05-27 Thursday

Download this show

May 26 2010

Play fullscreen
Talk of war over sinking of South Korean ship
Larry Wilkerson: The tension between two Koreas is higher now than any time since 1994
Views: 0
0 ratings
Time: 12:31 More in News & Politics

May 14 2010

Times Square Bomber: Terrorist or Pawn?

(Global Pulse: May 14, 2010) No one can understand why someone like Faisal Shahzad, an educated, naturalized U.S. citizen, would try to bomb Times Square. Many in the media question if he is a true terrorist or just being used as a political pawn. While most U.S. and international media condemn Shazhad as a terrorist and dissect every facet of his life, Pakistani media is quick to see a conspiracy and to question American motives. SOURCES: South Asia Newsline, India; France 24, France; BBC, U.K.; Geo TV, Pakistan; Dunya Today, Pakistan; Al Jazeera English, Qatar

April 09 2010

Democracy Now! 20100408 - EXCLUSIVE: One Day After 2007 Attack, Witnesses Describe US Killings of Iraqi Civilians

Witness
As the US Central Command says it has no plans to reopen an investigation into the July 2007 helicopter attack that killed a dozen people in Baghdad, including two Reuters news staff, we play never-before-seen eyewitness interviews filmed the day after the attack. [includes rush transcript]

April 05 2010

02mydafsoup-01

December 15 2008

December 12 2008

Older posts are this way If this message doesn't go away, click anywhere on the page to continue loading posts.
Could not load more posts
Maybe Soup is currently being updated? I'll try again automatically in a few seconds...
Just a second, loading more posts...
You've reached the end.

Don't be the product, buy the product!

Schweinderl