Whatever its origin, the Stuxnet worm provided something that few publicly-debated online incidents have offered to date.
For at least 15 years, security experts have warned that cyber attacks would one day strike at “critical infrastructure” – whether it’s power grids, energy supply, air traffic control (in the more extreme imagination of Richard Clarke, at least), emergency services and so on.
Real-world incidents have been limited, however: most countries have no single electricity “off-switch” accessible from the Internet, for example. In attacking SCADA software, Stuxnet has acted as a proof-of-concept for something rarely seen in the wild. Arguably, it also demonstrated that environments like SCADA systems are, to date, not typically Internet-connected: its medium of infection was USB keys.
But in a world that’s probably growing weary of the jump-at-shadows mindset of IT security journalism, Stuxnet wasn’t a shadow but a real event.
Dr Prescott Winter, former director and CIO of the US National Security Agency and now CTO (Public Sector) for security vendor ArcSight, argues that it’s time for governments to take a more active role in finding ways to secure the Internet.
Speaking to journalists in Sydney in early October as part of an ArcSight national roadshow, Dr Winter said that while private industry (particularly in America) might chafe at government intervention and regulation of the online world, it’s as inevitable as regulation of air traffic became in the 20th century.
The prime manifestation of the problem, Dr Winter said, is the ongoing problem of the “botnet”. Individuals at home aren’t protected, he told the roadshow; their computers become incubation grounds for botnets.
“Some kind of protective process to clean that up is absolutely essential,” he said.
“There are botnets residing in millions of home computers around the world, and those can be turned-on ‘like that’.”
Today’s “scattershot” approach to the botnet problem isn’t enough protection, he said: “we have bans on aircraft ... bans on ‘bad packets’ is an area governments need to work on.”
And that in itself is a challenge. The “bad packet” problem is international – and around the world, the relationship between the government and the private sector changes from country to country.
Dr Winter said America may not even be the best country to take the lead in protecting Internet users, because of its historical gulf between government and the private sector. As a result, an effort like the IIA’s Internet code of practice is “almost unimaginable in the US.
“I think this case in Australia is going to be very interesting to watch. It seems to have come about with a group of the leading ISPs and service providers coming together to design this solution.
“There are a lot of things it doesn’t have in it yet – but as an initial outline for a policy framework to clean up ... the Australian part of the Internet, it is certainly a commendable start. Eventually, you probably want to make sure that you have all your service providers involved.”
Worms and the Real World
Given that “physical attacks” – damage to infrastructure, attacks on emergency services and the like – hold such a high profile in the popular mind, it’s interesting that Dr Winter nominated attacks against intellectual property as today’s leading concern.
One reason, he said, is that “some action has been taking in protecting the critical systems ... for example, the FAA is getting a complete rebuild from the ground up.”
The shift in emphasis “from catastrophic failure to IP”, Dr Winter said, is because “the steady drain of intellectual property out of the leading technical nations of the world is a major cause for concern.
The investment in developing products and services, he said, is in danger of “leaking” to countries like China, but “IP protection and the integrity of the supply chain are currently lower on most peoples’ threat radar than a catastrophic cyber ‘Pearl Harbour’”.
Security, software and the Cloud
Security would seem to provide a great marketing entree for cloud providers: if everything the home user needs can be hosted by a cloud provider, the user’s exposure to threats could fall dramatically.
However, it’s not playing out that way.
“I don’t think there’s as much progress as any of us would like to see ... we have had some discussions with people at Microsoft about trust models you can begin to build into the Internet.”
“App store” markets are another area Dr Winter would like to see paying more attention to security, since users place an implicit trust in the integrity of the software they download from an app store.
That, however, leads to the vexed question of software quality. If cloud providers and app sellers are expected to warrant that their software is secure, shouldn’t a similar requirement apply to the whole software industry, which typically escapes liability with disclaimers?
Yes: “The software industry has gotten away with murder on this point forever,” Dr Winter said. “Deploy, then fix, is the old habit of the software industry, and that model isn’t viable in the cloud.”
He said software quality processes need to be put into place industry-wide (and world-wide), and this will represent a culture-shock for the software industry.