Cyber security and countermeasure

Cybercrime (or computer crime) refers to any crime that involves a computer and a network.^[1]

In general, a countermeasure is a measure or action taken to counter or offset another one. In computer security a countermeasure is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken. The definition is as IETF RFC 2828^[2] that is the same as CNSS Instruction No. 4009 dated 26 April 2010 by Committee on National Security Systems of United States of America.^[3] According to the Glossary^[4] by InfosecToday, the meaning of countermeasure is:

The deployment of a set of security services to protect against a security threat.

Threats

Although different types of threats (e.g., earthquakes, floods, electrical break-down) can cause an incident, or may harm a system or an organisation,^[5] only intentional threats will be considered here.
According to Microsoft's classification there are 6 categories of threats^[6]:

• Spoofing of user identity : describes a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.
• Tampering : describes an intentional modification of products in a way that would make them harmful to the consumer.
• Repudiation : describes a situation where the authenticity of a signature is being challenged.
• Information Disclosure (Privacy breach or Data leak) : describes a situation where information, thought as secure, is released in an untrusted environment.
• Denial of Service (DoS): describes a situation where a technological resource (computer, network, ...) becomes unavailable to its intended user.
• Elevation of Privilege : describes a situation where a person or a program were to gain elevated privileges or access to ressources that are normally restricted to him/it.

This model is named after the initials of every threat : STRIDE, and is now widely used. Nevertheless, other models do exists ; for instance the DREAD : Damage, Reproducibility, Exploitability, Affected users, Discoverability.
To exploit those vulnerabilities, perpetrators (individual hacker or a criminal organization) most commonly use malwares (malicious software), worms, viruses and targeted attacks.
To assess the risk of an attack, different scale exists. In the United States, authorities use the Information Operations Condition (INFOCON) system. This system is scaled from 5 to 1 (INFOCON 5 being an harmless situation and INFOCON 1 representing the most critical threats).

Past attacks: the need for policy

Over the past 10 to 15 years, multiple cyber attacks occurred targeting both governmental agencies and private companies.

• In 2000, several commercial websites including Yahoo.com, Amazon.com, Ebay.com, Buy.com, CNN.com, ZDNet.com hit massive DOS. The FBI estimated that the attack caused $1.7 billion in damage.
• In 2003, a slammer worm infected 90% of vulnerable computers within 10 minutes. This caused interferences with elections, airline flights cancellation, Seattle's 911 emergency system failure and over 13,000 Bank of America ATMs failure. The lost in productivity was estimated around $1 billion.
• Since 2003, a series of coordinated attacks on American computer systems occurred. The US government designated those attacks as Titan Rain. Titan Rain hackers gained access to many U.S. computer networks, including those at Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA.

A global problem

"As a fundamental principle, cyberspace is a vital asset to the nation and the United States should protect it"^[7] is the opening statement of the Cybersecurity act of 2010.
Most of the countries do not possess a digital infrastructure that can be qualified as "secure". The United States is no different: "Without major advances in the security of these systems or significant change in how they are constructed or operated, it is doubtful that the United States can protect itself from the growing threat of cybercrime and state-sponsored intrusions and operations".^[7]
As more than 85% of the digital infrastructure is owned and operated by the private sector in the United States,^[7] it is crucial that both public and private sectors, in addition of on their own, cooperate on finding a global solution.

Government

The role of the government is to make regulations to force companies and organizations to protect their system, infrastructure and information from any cyber attacks, but also to protect its own national infrastructure such as the national power-grid.

The question of whether the government should intervene or not in the regulation of the cyberspace is a very polemical one. Indeed, for as long as it has existed and by definition, the cyberspace is a virtual space free of any government intervention. Where everyone agree that an improvement on cybersecurity is more than vital, is the government the best actor to solve this issue? Many government officials and experts think that the government should step in and that there is a crucial need for regulation, mainly due to the failure of the private sector to solve efficiently the cybersecurity problem. R. Clarke said during a panel discussion at the RSA Security Conference in San Francisco, he believes that the "industry only responds when you threaten regulation. If industry doesn't respond (to the threat), you have to follow through."^[8] On the other hand, executives from the private sector agree that improvements are necessary but think that the government intervention would affect their ability to innovate efficiently.

Public–private cooperation

The cybersecurity act of 2010 establishes the creation of an advisory panel, each member of this panel will be appointed by the President of the United-States. They must represent the private sector, the academic sector, the public sector and the non-profit organisations.^[7] The purpose of the panel is to advise the government as well as help improve strategies.

Infraguard is an example of public-private organization.

Actions and teams in the US

Cyber Security Act of 2010

The "Cybersecurity Act of 2010 - S. 773" (full text) was introduced first in the Senate on April 1, 2009 by Senator Jay Rockefeller (D-WV), Senator Evan Bayh (D-IN), Senator Barbara Mikulski (D-MD), Senator Bill Nelson (D-FL), and Senator Olympia Snowe (R-ME). The revised version was approved on March 24, 2009.
The main objective of the bill is to increase collaboration between the public and the private sector on the issue of cybersecurity. But also

"to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes."^[7]

The act also wants to instate new higher standards, processes, technologies and protocols to ensure the security of the "critical infrastructure".

Government initiatives

The government put together several different websites to inform, share and analyze information. Those websites are targeted to different "audiences":

• the government itself: states, cities, counties
• the public sector
• the private sector
• the end-user

Here are a few examples :

• http://www.msisac.org/ : the Multi-State Information Sharing and Analysis Center. The mission of the MS-ISAC is to improve the overall cyber security posture of state, local, territorial and tribal governments.
• http://www.onguardonline.gov/ : The mission of this website is to provide practical tips from the federal government and the technology industry to help the end user be on guard against internet fraud, secure their computers, and protect their private personal information.
• http://csrc.nist.gov/ : The Computer Security Division (Computer Security Resource Center) of the National Institute of Standards and Technology. Its mission is to provide assistance, guidelines, specifications, minimum information security requirements...

Military agencies

Homeland Security

The Department of Homeland Security has a dedicated division responsible for the response system, risk management program and requirements for cyber security in the United States called the National Cyber Security Division.^[9][10] The division is home to US-CERT operations and the National Cyber Alert System. The goals of those team is to :

• help government and end-users to transition to new cyber security capabilities
• R&D^[10]

In October 2009, the Department of Homeland Security opened the National Cybersecurity and Communications Integration Center. The center brings together government organizations responsible for protecting computer networks and networked infrastructure.^[11]

FBI

The third priority of the Federal Bureau of Investigation(FBI) is to:

Protect the United States against cyber-based attacks and high-technology crimes^[12]

According to the 2010 Internet Crime Report, 303,809 complaints were received via the IC3 website. The Internet Crime Complaint Center, also known as IC3, is a multi-agency task force made up by the FBI, the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA).^[13]
According to the same report,^[14] here are the top 10 reported offense in the United States only :

• 1. Non-delivery Payment/Merchandise 14.4%
• 2. FBI-Related Scams 13.2%
• 3. Identity Theft 9.8%
• 4. Computer Crimes 9.1%
• 5. Miscellaneous Fraud 8.6%
• 6. Advance Fee Fraud 7.6%
• 7. Spam 6.9%
• 8. Auction Fraud 5.9%
• 9. Credit Card Fraud 5.3%
• 10. Overpayment Fraud 5.3%

In addition to its own duties, the FBI participates in non-profit organization such as Infraguard. Infragard is a private non-profit organization serving as a public-private partnership between U.S. businesses and the FBI. The organization describes itself as an information sharing and analysis effort serving the interests and combining the knowledge base of a wide range of members.^[15] InfraGard states they are an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States.^[16]

Department of Justice

In the criminal division of the United States Department of Justice operates a section called the Computer Crime and Intellectual Property Section. The CCIPS is in charge of investigating computer crime and intellectual property crime and is specialized in the search and seizure of digital evidence in computers and networks.
As stated on their website:

"The Computer Crime and Intellectual Property Section (CCIPS) is responsible for implementing the Department's national strategies in combating computer and intellectual property crimes worldwide. The Computer Crime Initiative is a comprehensive program designed to combat electronic penetrations, data thefts, and cyberattacks on critical information systems. CCIPS prevents, investigates, and prosecutes computer crimes by working with other government agencies, the private sector, academic institutions, and foreign counterparts."^[17]

USCYBERCOM

The United States Strategic Command (USSTRATCOM) is one of the ten Unified Combatant Commands of the United States Department of Defense (DoD). The Command, including components, employs more than 2,700 people, representing all four services, including DoD civilians and contractors, who oversee the command's operationally focused global strategic mission. The United States Cyber Command, also known as USCYBERCOM, is under the command of the USSTRATCOM. Its mission are to plan, coordinate, integrate, synchronize and conduct activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries."^[18]

FCC

The U.S. Federal Communications Commission's role in cyber security is to strengthen the protection of critical communications infrastructure, to assist in maintaining the reliability of networks during disasters, to aid in swift recovery after, and to ensure that first responders have access to effective communications services.^[19]

Computer Emergency Readiness Team

Computer Emergency Response Team is a name given to expert groups that handle computer security incidents. In the US, two distinct organization exist, although they do work closely together.

• US-CERT: the United States Computer Emergency Response Team is part of the National Cyber Security Division of the United States Department of Homeland Security.^[20]
• CERT/CC: The Computer Emergency Response Team Coordination Center is a major coordination center created by the Defense Advanced Research Projects Agency (DARPA) and is run by the Software Engineering Institute (SEI).

International actions and teams

International actions

A lot of different teams and organisations exists, mixing private and public members. Here are some examples:

• The Forum of Incident Responses and Security Teams (FIRST) is an international confederation of trusted computer incident response teams who cooperatively handle computer security incidents and promote incident prevention programs.^[21] The US-CERT, AT&T, Apple, Cisco, McAfee, Microsoft are all members of this international team.^[22]

• The Council of Europe helps protect societies worldwide from the threat of cybercrime through the Convention on Cybercrime and its Protocol on Xenophobia and Racism, the Cybercrime Convention Committee (T-CY) and the Project on Cybercrime.^[23]

• The purpose of the Messaging Anti Abuse Working Group (MAAWG) is to bring the messaging industry together to work collaboratively and to successfully address the various forms of messaging abuse, such as spam, viruses, denial-of-service attacks and other messaging exploitations. To accomplish this, MAAWG develops initiatives in the three areas necessary to resolve the messaging abuse problem: industry collaboration, technology, and public policy.^[24] France Telecom, Facebook, AT&T, Apple, Cisco, Sprint are some of the members of the MAAWG.^[24]

• ENISA : The European Network and Information Security Agency (ENISA) is an agency of the European Union. It was created in 2004 by EU Regulation No 460/2004 and is fully operational since September 1, 2005. It has its seat in Heraklion, Crete (Greece).
  

The objective of ENISA is to improve network and information security in the European Union. The agency has to contribute to the development of a culture of network and information security for the benefit of the citizens, consumers, enterprises and public sector organisations of the European Union, and consequently will contribute to the smooth functioning of the EU Internal Market.

National teams

Here are the main computer emergency response teams around the world.

EU

In the EU most CERTs were created locally by universities and larger IT companies. Most member countries do not have a national coordination center and the teams are cooperating via the paneuropean TF-CSIRT "Task Force - Collaboration Security Incident Response Teams". There were 100 CERT teams accredited at the TF-CSIRT in 2006. The TF-CSIRT runs also the FIRST "Forum of Incident Response and Security Teams" being the global coordination center for CERTs around the world. The EU-centric CERT governance is passed gradually to the ENISA agency.

• RUS CERT, Universität Stuttgart, the oldest CERT in Germany
• DFN CERT, Deutsches Forschungsnetz
• Mcert, BITKOM and BMWi (Bundesverband Informationswirtschaft, Telekommunikation und neue Medien and Federal Ministry of Economics and Technology (Germany))
• CERT-Verbund since 2002, coordination center für CERT-Bund, DFN-CERT, IBM BCRS, Siemens-CERT, S-CERT and Telekom-CERT.
• CERTA "Centre d'expertise gouvernemental de réponse et de traitement des attaques informatiques", DCSSI "Direction centrale de la Sécurité des systèmes d'information" (reporting to the General secretary for national defence (France))
• Cert-IST, [1] "CERT de la communauté Industrie, Services et Tertiaire", founded in 1998 by Alcatel, le CNES, ELF and France Télécom
• CERT-RENATER, Réseau National de télécommunications pour la Technologie (reporting to Minister of National Education (France))

Other countries

• CERT.br, Brazil, member of FIRST (Forum for Incident Response and Security Teams)
• CARNet CERT, Croatia, member of FIRST
• Brazil CERT
• AE CERT, United Arab Emirates
• SingCERT, Singapore
• CERT-LEXSI, France, Canada, Singapore

References

1. ^ Moore, R. (2005) "Cybercrime: Investigating High-Technology Computer Crime," Cleveland, Mississippi: Anderson Publishing.
2. ^ RFC 2828 Internet Security Glossary
3. ^ CNSS Instruction No. 4009 dated 26 April 2010
4. ^ InfosecToday Glossary
5. ^ ISO/IEC, "Information technology -- Security tecniques-Information security risk management" ISO/IEC FIDIS 27005:2008
6. ^ http://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx
7. ^ ^{a b c d e} Cybersecurity Act of 2010 - http://www.opencongress.org/bill/111-s773/text
8. ^ http://articles.sfgate.com/2005-02-17/business/17361991_1_rsa-security-conference-cybersecurity-counterpane-internet-security
9. ^ "National Cyber Security Division". U.S. Department of Homeland Security. http://www.dhs.gov/xabout/structure/editorial_0839.shtm. Retrieved June 14, 2008. 
10. ^ ^{a b} "FAQ: Cyber Security R&D Center". U.S. Department of Homeland Security S&T Directorate. http://www.cyber.st.dhs.gov/faq.html. Retrieved June 14, 2008. 
11. ^ AFP-JiJi, "U.S. boots up cybersecurity center", October 31, 2009.
12. ^ "Federal Bureau of Investigation - Priorities". Federal Bureau of Investigation. http://www.fbi.gov/about-us/quick-facts. 
13. ^ Internet Crime Complaint Center
14. ^ "2010 Anual Report - Internet Crime Complaint Center". IC3. http://www.ic3.gov/media/annualreport/2010_IC3Report.pdf. 
15. ^ "Robert S. Mueller, III -- InfraGard Interview at the 2005 InfraGard Conference". Infragard (Official Site) -- "Media Room". http://www.infragard.net/media/files/dir_med.mov. Retrieved 9 December 2009. 
16. ^ "Infragard, Official Site". Infragard. http://www.infragard.net/. Retrieved 10 September 2010. 
17. ^ "CCIPS". http://www.cybercrime.gov/. 
18. ^ U.S. Department of Defense, Cyber Command Fact Sheet, May 21, 2010 http://www.stratcom.mil/factsheets/Cyber_Command/
19. ^ "FCC Cyber Security". FCC. http://www.fcc.gov/pshs/emergency-information/cybersecurity.html. 
20. ^ Verton, Dan (January 28, 2004). "DHS launches national cyber alert system". Computerworld (IDG). http://www.computerworld.com/securitytopics/security/story/0,10801,89488,00.html. Retrieved 2008-06-15. 
21. ^ "FIRST website". http://www.first.org/about/mission/mission.html. 
22. ^ "First members". http://www.first.org/members/teams/index.html. 
23. ^ "European council". http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/default_en.asp. 
24. ^ ^{a b} "MAAWG". http://www.maawg.org/about_maawg.