The age of cyber diplomacy and cyber policy enforcement is upon us. These and other related topics have been recently covered in the popular press and now seem to have made their way from print into reality. In recent weeks Iran was hit by a series of cyberattacks that impacted its ability to refine and export its oil and gas. As one would expect, Iranian officials have downplayed the attacks and insisted they hadn’t affected oil production or exports. If the main facility of the National Iranian Oil Company was disrupted, it would have an economic impact of about $200 million a day.
As you may recall, the United States and the European Union sought to pressure Iran to end its nuclear enrichment and imposed sanctions on the nation, which is one of the top three crude producers in the world. Recently, the effectiveness of the sanctions came into question, even though President Mahmoud Ahmadinejad acknowledged in November 2011 that they were having an impact. Despite the economic impact produced by these sanctions, the Iranian leadership shows no indications that it is scaling back or intends to scale back its nuclear enrichment program.
Did forces yet to be named (Iran says they know who was behind the cyberattacks) use cyberattacks to enhance the impact of the existing sanctions and put further pressure on the country’s leadership to curb its nuclear enrichment program? One could certainly see how world leaders might use the soft-power projection capabilities of cyberattacks. As one insider put it, “Use of ‘cyber sanctions’ is a viable alternative to the alternative bombings.” This is the latest tool in 21st-century diplomacy.
Posted on May 03, 2012 at 7:04 AM | 0 comments
As soon as the term spying comes up, most people conjure up the mental image of James Bond, the spy of all time. That image of spying is in dire need of an update. Today, spying does not just target governmental, diplomatic and military secrets. Spying is now just as much about the next generation of products and technological innovation.
It was recently disclosed that losses from open cases of corporate espionage under investigation by the FBI total $13 billion. It was a shock to me that industry organizations in countries such as South Korea and Israel are often said to be the recipients of illegally obtained secrets. I thought they were our allies. Of course, the largest offender is said to be China, which should not surprise anyone.
What about our defenses? Have we taken this problem seriously and put the proper level of protection in place? I took a look at one multibillion-dollar organization on which I had detailed information, and came up with the following:
- Breach risk dollars: The estimated total dollar risk of a breach is about $263.8 million. (That’s the total records containing personal information times $194, the average per record breach cost.)
- Security team load: Cybersecurity team revenue protection burden of more than $136 million. (That’s the total dollars of revenue divided by the number of security team full-time equivalents.)
The back-of-the-envelope metrics surprised the heck out of me. Those two metrics would seem to indicate a significant amount of responsibility for each individual member of the security team. Does this sound reasonable?
Posted on Apr 26, 2012 at 12:08 PM | 1 comment
Software bugs are a fact of life. With all the tools and technology we use, they exist in virtually every piece of code placed into operation. There are a multitude of metrics available out there, and arguably the one most commonly cited appears to indicate that there are between 10 and 20 defects per 1,000 lines of code (KLOC). Most of these are caught during the multiple levels of testing that take place during the software development and quality assurance processes. All the testing and reviewing of the code reduces the defect rate to about 0.3 defects per KLOC in the production version of the software.
Two benchmarks are worth noting. First, based on a fairly robust history, there were an estimated 0.1 defects per KLOC in the space shuttle flight software. Second, as of 2012, the Linux 3.2 release had 14,998,651 lines of code.
So why don’t we just find and remove the remaining bugs? There are multiple factors influencing software quality: time, cost, diminishing returns and the fact that we have all been mentally programmed to accept software bugs as a fact of life, and we do. These errors cause system freezes, blue screens of death and other issues with which we are all too familiar. In many cases, they also become a security issue, which is often the point of exploitation for hackers and malicious code.
Enter the bug bounty. Some companies offer some kind of reward to those who are the first to find bugs in their software and report them. Once a bug is discovered, software developers have a process in place to investigate the report, correct the bug and release a patch to be applied to the software in production.
The biggest issue is that criminal organizations, cyber terrorists, cyber espionage agencies and militaries creating cyber weapons are looking for bugs to exploit as well. While there are no hard numbers, you can bet that there are many more resources looking for the bugs for illicit activities and profits than there are for improving software quality. That will not change any time soon.
Posted on Apr 19, 2012 at 7:41 AM | 2 comments
This June will mark the third anniversary of then-Defense Secretary Robert Gates’ authorizing the creation of a new military command that would develop offensive cyber capabilities and defend command and control networks against computer attacks. Many believe his action became the catalyst behind what has been referred to as a revolution in military operations. In fact, some believe these actions might have caused multiple nation states, including China, to accelerate their military and intelligence efforts in the cyber domain.
China’s military modernization efforts are known to militaries and intelligence organizations worldwide. Especially concerning are its emerging asymmetric capabilities in cyber warfare and anti-satellite warfare. Intelligence about China’s cyber military has begun to circulate in the public domain. This has many examining the well-conceived doctrine on information operations and cyber war the People’s Liberation Army has drafted. Part of the master plan is said to include raising a private cyber army that will wage clandestine cyberattacks against the state's enemies from home computers. According to a Congressional Research Service report titled Cyber Warfare, China is developing a strategic information warfare unit called “Net Force” to counter the military capabilities of superior adversaries. These actions, as well as China’s significant research and development efforts that are needed to accomplish their goals, have nations looking at counter cyber weaponry, strategies and tactics.
China’s actions, as well as the cyberattacks that have been linked to them, have nations looking at counter cyber weaponry. There are those who believe we are in a new arms race, a cyber arms race, and compare it to the old Cold War-type environment.
Posted on Apr 12, 2012 at 9:10 AM | 0 comments