Could US repel a cyberattack?
The nation's defense relies on a small group that operates on a tiny budget and with little clout, experts say.
Oakland, Calif. and Washington — Evidence is mounting that cyberwarfare tactics are part of the 21st-century arsenals of powers like Russia and China, yet the United States has not made Internet defenses a major priority.
A two-week cyberattack on Estonia – which overloaded government websites, knocked a bank's overseas customers offline, and caused Internet service to slow to a crawl – has brought the issue to the fore for US defense officials. While the tiny Baltic nation reacted well, experts say, the US may be at greater risk for mass disruptions of banking, telecommunications, and government services. The reasons: a lack of coordination, funding, and centralized authority.
"Estonia didn't collapse, and we wouldn't collapse under this type of attack either," says James Lewis, a senior fellow and cybersecurity analyst at the Center for Strategic and International Studies, a think tank in Washington. "But it would be very disruptive."
Repelling major attacks on critical national networks requires enormous coordination inside and outside government, as well as expensive research and preparation. However, primary responsibility for this falls on a small group within the Department of Homeland Security that experts say operates on a tiny budget and with little clout.
"The part of the US government that has responsibility for this doesn't have the authority to command attention from within other parts of the government, and it doesn't have the money to get the work done that is on its plate," says Bill Woodcock, a cybersecurity expert with the nonprofit Packet Clearing House who also traveled to Estonia to lend his help.
Estonia, a highly wired society, came under weeks of attack starting on April 27 after local officials moved a statue important to ethnic Russians. In what is known as a distributed denial-of-service attack, the servers for government agencies, media outlets, and banks were pounded by hundreds of thousands of computers in an effort to overwhelm their capacity.
While Estonian officials linked the attack in part to a computer in the Russian government, analysts say that nation's involvement is very difficult to prove – and may be the work of hacker-activists who only were encouraged by the Russians.
The country suffered a blow, but successfully prevented major damage. Estonia benefited from strong coordination of efforts by the government's computer emergency response team, or CERT. Law enforcement made a key local arrest, passing along critical information. System administrators shut out suspicious traffic, and foreign experts helped the CERT communicate with Internet service providers – many located in other countries – to cut off the sources of the attacks.
In the case of a major attack on this country, the US-CERT in the Department of Homeland Security may not have the same ability to take charge, analysts say.
"They do not have the central pull that [CERTs] have in other countries," says Jose Nazario, a senior security researcher at Arbor Networks. He says that the early development of the Internet here contributed to more independent security efforts, and private companies are sometimes loathe to share information with competitors. "The lack of clout can be frustrating. Internet Service Providers here in the States are generally free to ignore [US-CERT] if they want to, and there are some shady providers here."
The situation is improving, says Jerry Dixon, the acting director of the Department of Homeland Security's National Cyber Security Division, which runs US-CERT. He points to the rising number of incident reports of suspicious Internet activity from the private sector as well as government agencies, which are coming in at eight times the level of fiscal 2005.
Much work remains to be done, says Mr. Dixon, particularly in terms of developing state-level preparedness efforts and in preparing for an incident in which several major networks were attacked simultaneously.
"I'm not going to paint a total rosy picture," he says. But "I think we're in a pretty good position to deal with the issue."
Some analysts believe the private sector shouldn't be forced to report and otherwise participate in these kinds of DHS initiatives – except for companies that occupy four key sectors: finance, telecommunications, energy, and government services – such as those that provide checks to senior citizens.
And DHS must know which elements of the private sector would be vulnerable during a cyberattack, Mr. Lewis says. "To say we don't know which banks would stay online is unacceptable," he says.
US-CERT itself is funded at around $46 million per year, which pays for exercise programs such as one called "Cyber-storm" held last year, and other software assurance programs. Overall, the national cybersecurity division is funded at $96 million, according to Dixon.
But it's not a question of throwing more money at the problem, says Lewis. The issue is coming up with a coherent national strategy. DHS has improved its approach over time, but it needs to do more – and faster. "It's not a question of budget, it's a question of strategy," he says, adding that the strategy now is "too diffuse."
"Whoever the next administration is will have to take all these strategies and throw them out the window and start over," he says.
The Pentagon – a bureaucratic gorilla with deep pockets – has remained largely on the sidelines of cyberdefense. The military's protection umbrella is limited to its own separate networks. However, that stance may be shifting.
The Air Force is looking to get into cyberdefenses with the creation of a new Cyber-space Command, which would help to defend the military's interests in cyberspace. Although the concept is still being developed, it's likely that the military's role and that of nonmilitary agencies and the private sector would overlap some, officials say.
The range of domestic targets, however, extends far beyond the military's traditional reach.
"Usually when people discuss critical infrastructure they are discussing systems such as electricity, water, etc. In this case [in Estonia], the civilian infrastructure such as banks, ISPs, and the press proved to be far more important," says Gadi Evron, an expert with the security vendor Beyond Security in Israel.
ESTONIA ATTACK IS TIP OF THE ICEBERG
Cyberattacks are commonplace, says Mr. Evron, who used to run security for the Israeli government's Internet operations. "Whenever there was civil or political tension, a [cyber] attack followed here in Israel."
Denial-of-service attacks are observed on virtually a daily basis, says Dmitri Alperovitch, a researcher with Secure Computing Corp., a network security firm based in San Jose, Calif.
Home computers can be quietly infected when users surf onto certain web pages and then come under control of hackers without the knowledge of their owners.?? Mr. Alperovitch says an estimated 50 million machines around the world have been compromised, and shadowy underworld figures rent out control – often just pennies per machine – over these computers for attacks.
Homeland Security conducts some research into new defensive technology, though a department reorganization saw those research dollars cut from $22.7 million to $14.8 million. The House passed a 2008 budget appropriation that would bump up the research to $50 million, and the subcommittee on emerging threats, cybersecurity, and science and technology has been highlighting the issue in recent hearings.