2012/04/27

The NBN and defending against Cyber warfare attacks.

CYBER-WARFARE and the Australian NBN.

We know from "Stuxnet" that Nation States are actively building and deploying Cyber warfare tools, applying them to National Security concerns and running them as Military, not technical, operations. This includes accurate reconnaissance and network topology and vulnerability mapping. The worst case is that attackers will gain access to the network control tools and infrastructure.

Recent coverage suggests that Obama denied a US Military request to launch a cyber attack on Syria's infrastructure during the recent 'troubles'.

From the "Slammer" worm, we know that any Cyber warfare attack will be fully developed within 3 minutes, and any attack will be launched at the worst possible time for defenders, possibly accompanied by physical distractions.

Recovery from "munitions grade" worm/malware compromise will be long and expensive. Experience is that a malware infection is as damaging to a business as a fire: within 12 months of a fire, 80-90% of small businesses fail.

We've no idea of what the impact and cost will be if major Government I.T. infrastructure is compromised: ATO, Finance, Centrelink and Medicare (and with e-Health, the PCEHR).

Never mind State Govt. Education, Hospitals and Police.
Will Banks and the financial system, including Superannuation companies, be immune??? Obviously, some will go down.

If, like the destruction of all clients' (4800!) data at "Distribute IT" in 2011, some "preparatory work" is done by the attackers, not only will "business as usual" not be possible for the week after an attack, many businesses will lose all their data - including backups.

Saying, "but nobody would attack us" is pure wishful thinking.
Nobody may ever intend to attack us, but as the Internet's first worm in 1988 showed (the "Morris worm"), the Internet is a single thing and it's really easy to mess up your first attack, with no way back.

Morris had been raised with computers (at Bell Labs), with his father becoming the Computer Security advisor for the NSA. He had talent, experience and great knowledge - and even then his experiment escaped from his control. Australia will most likely be "collateral damage", not a prime target, unless there are real wars over resources and clean water.

DSD already has a Network Security monitoring facility and at some point, as a critical National Security measure, it will have to be upgraded to defend against a Cyber warfare attack, for Government and all other users.

This requires:
• fully automatic responses, opening us to disruption by false attack detection, and
• full coverage of the whole Australian Internet.
• The Internet is a single thing, protection is "all or nothing".
Fortunately, while detection might be a little difficult, first-response protection is fast and simple:
pull the plug and put known infected machines into quarantine.
Next, identify and clean up the damage piece by piece. Whilst some of this can be automated and performed within the network, compromised systems will need to be scrapped or physically visited and rebuilt. The economics seem odd, but when low-end machines are ~$500 and casual hourly service rates from tier-1/2 companies are $150-$250/hr, it's cheaper to supply a new, clean machine and remove/destroy the compromised hard-drive. The alternative is for householders to take their machines to a "clean and restore" site that may take a month or two to fix their machine.

Without a single shared "wholesale" infrastructure, i.e. in the current highly variable anarchic ISP arrangement, not only is this necessary protection a hard problem, it is impossible. The ability for the authorised protection authority to, in real-time, disconnect or move any identified system into a quarantine area with a single system, is a critical feature only available on the NBN.

An attacker only needs one breach, just like a dam, dyke or flood levee only needs to spring one leak to fail completely, often with devastating speed.

Careful, patient and capable attackers will construct their beachheads well ahead of time and be completely undetected. It's a given that our current "anything goes" Internet design is indefensible.

Patient, capable and determined attackers will still be able to wreak havoc on the Internet within Australia, even with the NBN, using long-running stealth attacks and multiple beachheads. But with a uniform, consistent, universal network monitoring, management and control system, DSD (or whoever) stands a chance of limiting an attack. Without a single, real-time and automatic detection/response system, we have no chance of defending ourselves.