Read Cybersecurity and Cyberwar Online
Authors: Peter W. Singer, Allan Friedman
“meeting government mandates”
Ken Dilanian, “U.S. Chamber of Commerce Leads Defeat of Cyber-Security Bill,” Los Angeles Times, August 3, 2012, http://articles.latimes.com/2012/aug/03/nation/la-na-cyber-security-20120803.
malicious computer code
Dan Goodin, “At Facebook, Zero-Day Exploits, Backdoor Code, Bring War Games Drill to Life,” Ars Technica, February 10, 2013, http://arstechnica.com/security/2013/02/at-facebook-zero-day-exploits-backdoor-code-bring-war-games-drill-to-life/.
no major damage
Sean Gallagher, “Facebook Computers Compromised by Zero-Day Java Exploit,” Ars Technica, February 15, 2013, http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-day-java-exploit/.
tried to harm Facebook
Dennis Fisher, “How Facebook Prepared to Be Hacked,” Threatpost, March 8, 2013, http://threatpost.com/en_us/blogs/how-facebook-prepared-be-hacked-030813.
offensive tactics and tricks
Samuel L. King, Peter M. Chen, Yi-Min Wang, et al., “SubVirt: Implementing Malware with Virtual Machines,” University of Michigan, http://web.eecs.umich.edu/~pmchen/papers/king06.pdf, accessed August 11, 2013.
“Israelis tried it out”
William J. Broad, John Markoff, and David E. Sanger, “Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” New York Times, January 15, 2011, http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?pagewanted=all&_r=0.
network-based attack
Tucker Bailey, James Kaplan, and Allen Weinberg, “Playing Wargames to Prepare for a Cyberattack,” McKinsey Quarterly, July 2012.
McKinsey found
Ibid.
pension database
Estonian defense official, interview with the authors, March 17, 2012, Washington DC.
“We were warned”
Bipartisan Policy Center, “Cyber ShockWave,” http://bipartisanpolicy.org/events/cyber2010, accessed August 11, 2013.
officials from different European countries
“ENISA Issues Report on ‘Cyber Europe 2010’ Cyber Security Exercise,” SecurityWeek News, April 18, 2011, http://www.securityweek.com/enisa-issues-report-cyber-europe-2010-cyber-security-exercise.
under poor assumptions
Nick Hopkins, “US and China Engage in Cyber War Games,” Guardian, April 16, 2012, http://www.guardian.co.uk/technology/2012/apr/16/us-china-cyber-war-games.
Stewart Baker highlighted
“Classified Memo Toughens Cyber-Threat Portrayals in DOD Exercises,” Inside the Pentagon, January 20, 2011, https://defensenewsstand.com/component/option,com_ppv/Itemid,287/id,2351617/.
Ryan McGeehan said
Goodin, “At Facebook, Zero-Day Exploits, Backdoor Code, Bring War Games Drill to Life.”
“tangible and demonstrable progress”
Jonathan Krim, “‘We Want to See Results,’ Official Says at Summit,” Washington Post, December 4, 2003, http://groups.yahoo.com/group/unitedstatesaction/message/3317.
FBI repeatedly has found
Devlin Barrett, “U.S. Outgunned in Hacker War,” Wall Street Journal, March 28, 2012, http://online.wsj.com/article/SB10001424052702304177104577307773326180032.html.
banks' individual brand names
Tyler Moore and Richard Clayton, “The Impact of Incentives on Notice and Take-down,” in Managing Information Risk and the Economics of Security, edited by M. Eric Johnson (New York: Springer, 2008), pp. 199–223.
unpatched vulnerabilities
Lucian Constantin, “Over Half of Android Devices Have Unpatched Vulnerabilities, Report Says,” PC World, September 14, 2012, http://www.pcworld.com/article/262321/over_half_of_android_devices_have_unpatched_vulnerabilities_report_says.html.
automated security tool
Benjamin Edelman, “Adverse Selection in Online ‘Trust’ Certifications,” Electronic Commerce Research and Applications 10, no. 1 (2011): pp. 17–25, http://www.benedelman.org/publications/advsel-trust-draft.pdf.
opt-in model
Eric J. Johnson and Daniel Goldstein, “Do Defaults Save Lives,” Science 302, no. 5649 (November 2003): pp. 1338–1339, http://www.sciencemag.org/content/302/5649/1338.short.
“extensive mitigation costs”
United States Department of Homeland Security, “Enabling Distributed Security in Cyberspace.”
“reduce risks to participants”
Ibid.
keys to the kingdom
SANS Institute, “CSIS: Critical Controls for Effective Cyber Defense, Version 4.1,” March 2013, http://www.sans.org/critical-security-controls/, accessed August 11, 2013.
94 percent of security risks
Ibid.
“nefarious entities”
“Cyber-Attacks That Kill, IPv6, and Vulnerability Markets on Tap for 2013,” Infosecurity, December 7, 2012, http://www.infosecurity-magazine.com/view/29741/cyberattacks-that-kill-ipv6-and-vulnerability-markets-on-tap-for-2013/.
“To share with everyone”
Jack Johnson, “The Sharing Song,” Sing-A-Longs and Lullabies for the Film “Curious George,” 2006, Brushfire/Universal, http://www.azlyrics.com/lyrics/jackjohnson/thesharingsong.html, accessed August 11, 2013.
estimated $330 million
Tyler Moore and Richard Clayton, “The Consequence of Non-cooperation in the Fight against Phishing,” in Proceedings of the 3rd APWG eCrime Researchers Summit, Atlanta, GA, October 15–16, 2008, http://lyle.smu.edu/~tylerm/ecrime08.pdf.
Cyberspace Policy Review explained
Executive Office of the President of the U.S., “Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure,” December 2009, http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf, accessed August 11, 2013.
inside a trusted group
Moore and Clayton, “The Consequence of Non-cooperation in the Fight against Phishing.”
“provide analytical support”
Dan Verton, “Interview: Scott Algier, Exec. Director, IT-ISAC,” The Risk Communicator, January 2013, http://archive.constantcontact.com/fs173/1102302026582/archive/1112298600836.html, accessed August 11, 2013.
“trust and relationships”
Christopher Schroeder, “The Unprecedented Economic Risks of Network Insecurity,” in America's Cyber Future: Security and Prosperity in the Information Age, vol. 2, edited by Kristin M. Lord and Travis Shard (Washington, DC: Center for a New American Security), p. 178.
“DoD is compromised”
Department of Defense, “Defense Industrial Base Cyber Security,” Office of the Deputy Secretary of Defense, October 31, 2012, http://www.acq.osd.mil/dpap/policy/policyvault/OSD012537-12-RES.pdf.
maintaining confidentiality
Advanced Cyber Security Center, “Initiatives,” http://www.acscenter.org/initiatives/, accessed August 11, 2013.
malware is studied and defeated
IEEE Standards Association, “ICSG Malware Working Group,” https://standards.ieee.org/develop/indconn/icsg/malware.html, accessed August 11, 2013.
quoting its reports
David E. Sanger, David Barboza, and Nicole Perlroth, “Chinese Army Unit Is Seen as Tied to Hacking against U.S.,” New York Times, February 18, 2013, http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?pagewanted=all.
“respect and credibility”
Adam Shostack, “Can You Hear Me Now?” Emergency Chaos, June 13, 2008, http://emergentchaos.com/archives/2008/06/can-you-hear-me-now-2.html.
“improving our cybersecurity”
Shawn Osbourne, “Shawn Osbourne to the Honorable Mike Rogers and The Honorable C. A. ‘Dutch’ Ruppersberger,” letter regarding the Cyber Intelligence Sharing and Protection Act, April 17, 2012, http://intelligence.house.gov/sites/intelligence.house.gov/files/documents/041712TechAmericaLetterCISPA.pdf.
pesky lawyers
Joseph Kramek, “The Critical Infrastructure Gap.”
Paul Rosenzweig explains
Paul Rosenzweig, “The Organization of the United States Government and Private Sector for Achieving Cyber Deterrence,” in Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing for U.S. Policy, edited by the National Research Council (Washington, DC: National Academies Press, 2010), p. 2084.
phishing takedown firms
Tal Moran and Tyler Moore, “The Phish Market Protocol: Sharing Attack Data between Competitors,” in Proceedings of 14th International Conference on Financial Cryptography and Data Security, Tenerife, Spain, January 25–28, 2010, http://lyle.smu.edu/~tylerm/ecrime08.pdf.
Simitian's proposed bill
Kim Zetter, “California Looks to Expand Data Breach Notification Law,” Threat Level (blog), Wired, March 6, 2009, http://www.wired.com/threatlevel/2009/03/ca-looks-to-exp/.
80 members … 40 members
Ibid.
there were 51
Alessandro Acquisti, Allan Friedman, and Rahul Telang, “Is There a Cost to Privacy Breaches? An Event Study,” paper presented at the 27th International Conference on Information Systems and Workshop on the Economics of Information Security, Milwaukee, WI, December 2006, http://www.heinz.cmu.edu/~acquisti/papers/acquisti-friedman-telang-privacy-breaches.pdf.
A 2011 industry study
Brian Grow and Mark Hosenball, “Special Report: In Cyberspy v. Cyberspy China Has the Edge,” Reuters, April 14, 2011, http://www.reuters.com/article/2011/04/14/us-china-usa-cyberespionage-idUSTRE73D24220110414.
Christopher Schroeder explained
Schroeder, “The Unprecedented Economic Risks of Network Insecurity,” p. 177.
According to the SEC
US Securities and Exchange Commission, “CF Disclosure Guidance: Topic No. 2: Cybersecurity,” Division of Corporation Finance, October 13, 2011, http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.
“more disclosure in this area”
Sarah N. Lynch, “SEC ‘Seriously’ Looking at Cybersecurity,” Reuters, June 8, 2011, http://www.reuters.com/article/2011/06/08/us-sec-cybersecurity-idUSTRE7576YM20110608.
Melissa Hathaway counters
Ellen Nakashima and David S. Hilzenrath, “Cybersecurity: SEC Outlines Requirement That Companies Report Cyber Theft and Attack,” Washington Post, October 14, 2011, http://articles.washingtonpost.com/2011-10-14/world/35279358_1_companies-report-breaches-guidance.
a 2012 study
Jody R. Westby, “How Boards & Senior Executives Are Managing Cyber Risks,” Governance of Enterprise Security: CyLab 2012 Report, May 16, 2012, http://www.rsa.com/innovation/docs/CMU-GOVERNANCE-RPT-2012-FINAL.pdf.
As Tyler Moore explains
Tyler Moore, “Introducing the Economics of Cybersecurity,” National Academies report, 2010, http://www.nap.edu/openbook.php?record_id=12997&page=3, accessed August 11, 2013.
said Bill Braithwaite
Rob Stein, “Medical Privacy Law Nets No Fines,” Washington Post, June 5, 2006, http://www.washingtonpost.com/wp-dyn/content/article/2006/06/04/AR2006060400672.html.
not a single case
Ibid.
Winston Wilkinson
Ibid.
Dmitri Alperovitch notes
Dmitri Alperovitch, “Deterrence in Cyberspace: Debating the Right Strategy with Ralph Langer and Dmitri Alperovitch,” remarks at the Brookings Institution, Washington, DC, September 20, 2011, http://www.brookings.edu/~/media/events/2011/9/20%20cyberspace%20deterrence/20110920_cyber_defense.pdf.
Michael Assente
Mark Clayton, “America's Power Grid Too Vulnerable to Cyberattack, US Report Finds,” Christian Science Monitor, February 3, 2011, http://www.csmonitor.com/USA/2011/0203/America-s-power-grid-too-vulnerable-to-cyberattack-US-report-finds/(page)/2.