Keeping cyber-terrorists at bay
We've all seen the movies. Played by Hugh Jackman or Matthew Broderick, Hollywood computer hackers siphon unlimited sums of cash from bank accounts, rain radioactive death on us from above, shut down power plants and transform the world into a vision of the seventh layer of hell.
The reality is somewhat different, but perhaps not as far removed from the movie world as the government would like. That's why there are branches of government that are attempting to secure our vital infrastructure; everything from utilities' control systems to finance computers.
In the aftermath of the September 11, 2001 attacks, the government established the E-Security National Agenda "to create a secure and trusted electronic operating environment for both the public and private sectors". It's currently under review.
The federal government allocated AU$24.9 million over four years to fund the initiative in the May 2002 budget, and a further AU$50.2 million in the 2004 budget. The money was split between several agencies, and led to the establishment of the Trusted Information Sharing Network. It's a body designed to bring the private and public sectors together to share information about protecting critical infrastructure from attack, cyber or physical.
It operates under the control of the Critical Infrastructure Protection Branch within the Attorney General's department. Within that group sits Steven Stroud, the director of the branch's National Information Infrastructure unit. With a background working for the Defence Signals Directorate, Stroud has been working in the field of computer security since 2001.
Is there a giant, national firewall controlled by a single government agency? Can Stroud hit a few keys on a master console to thwart a massive, catastrophic attack? Well, no. As things stand, the response to that type of event involves various agencies and groups -- the Defence Signals Directorate, the Australian High Tech Crime Centre, ASIO (Australian Security Intelligence Organisation) and AusCERT -- springing into action and doing the best they can. Will agency staffers run around their desks, arms flailing, shouting "Run away! Run away!"? Stroud says no.
He says NII's GovCERT unit is doing well to string together a response and coordination capability, but the concept is still a "work in progress".
"AFP, ASIO and DSD have an arrangement where they have agreed to share information and act in concert in response to an incident affecting [national infrastructure]," he said. "The nature of an incident will determine which of those three agencies takes the lead."
In such a scenario, it's GovCERT's responsibility to make sure information flows between the agencies.
Such attacks could consist of large, distributed denial-of-service attacks, targeted trojan attacks against government computers, or even a large-scale computer worm, he added. Each would require a different response.
One of Stroud's roles is creating detailed incident response strategies for infrastructure groups, private and public. "It's a full tilt policy role in that we're a policy agency, we're not in operations. What we have to basically do is figure out who does what, find the gaps and figure out who can fill them," Stroud says.
That means everything from establishing solid incident response strategies to helping infrastructure providers in assessing their risk profile. "One of the main activities that's going on here is the computer vulnerability assessment program ... the government providing up to half the cost of a vulnerability assessment for commercial operators," he says.
A vulnerability assessment by Attorney-General approved consultants helps infrastructure providers determine if they're at risk, Stroud says. So what are the risks? Can hackers access the control systems at a power plant or traffic light control centre?
Stroud says that process control systems (SCADA, or Supervisory Control And Data Acquisition) are being meshed into corporate IP networks, which could theoretically allow an attacker to compromise them, but it's not as scary a scenario as some might think. "In the olden days SCADA systems were standalone systems. Nowadays, for good business reasons, increasingly they're migrating to commodity hardware and software," Stroud told ZDNet Australia. "They're being connected to business systems ... the problem there is that business systems are in turn connected to the Internet."
The upside, Stroud says, is that by moving away from custom solutions and chopped down operating systems and on to standardised platforms and full-blown operating systems like Microsoft's Windows, security problems are more easily fixed.
The systems are not easy to compromise or even to "get to", he says, but SCADA is an area where care needs to be taken when implementing and operating the systems that control our daily lives. "That doesn't mean that the path to the SCADA systems is by any means easy and anyone can just waltz on through, but there is a path," he said. "What we want to do is [ensure] that businesses consider the risk. In the main they have to because it's in their own interests, too."
In this special report, we've already heard from Dr Eugene Spafford, who discussed wiretaps on day two -- The spying game. As an expert who's advised two US presidents, Clinton and Bush Jr, he's spent a fair amount of time considering the risks to networks from terrorism. Have there been instances where fundamentalist groups have launched a cyber attack? Yes, he says. What are the details? He can't say -- it's secret.
But Spafford says the paranoia over cyber-attacks is somewhat overblown. Fundamentalist groups are using the Internet to communicate, coordinate and spread propaganda, he says, but cyber-attacks just aren't sexy enough for the average terrorist to get interested in. "They release videotapes to the west to appeal to the masses," he says. "They're trying to incite an Islamic revolution and portray themselves as leaders in the field, and the technology aspects are not going to highlight that."
Terrorists, it seems, want to fight the infidels with AK-47s and RPGs, not TCP/IP packets. There is, however, anecdotal evidence to suggest terrorist groups are using Internet scams to raise money that can be used to arm and train recruits.
AusCERT general manager Graham Ingram told ZDNet Australia a national priority for Australia should be the establishment of a national Internet monitoring scheme. "This is one of the things we've suggested in the E-Security national review," he says. "We've been talking about setting up better monitoring and detection systems."
Some Asian countries, like Korea and Malaysia, have outstanding monitoring capabilities, Ingram says. He regards securing the Internet from a large-scale attack as a priority. "Some [attacks] are annoying, some of them are not of great concern, but some of them by sheer scale ... are increasingly of concern and getting to the point of a national security issue," he adds. "The real weakness is the Internet is not as robust as people would like it to be and it is not secure. Trying to maintain the security of transactions on a medium that is fundamentally not secure is a challenge."