2012/04/18

The NBN as an Essential Strategic Defence for Cyber-warfare.

Whilst reading this piece today I 'had a thought'.
online",  Nick Hopkins, guardian.co.uk, Monday 16 April 2012 15.00 BST
One argument in support of the NBN I've not heard is about Security, but not the "how to keep your bank account and credit card safe" kind - the usual direct theft or Identity Fraud talked about at Cyber-Security conferences.

The National Security kind that interest the Intelligence agencies and Military, a.k.a. "Cyber-warfare".

This is as far removed from normal Cyber-security as guarding bank vaults is from fighting a war. Attack, and hence Defence, is taken to a whole new level: because the resources employed and what is at stake is taken to a whole new level.


The Y2K debacle/non-event conclusively demonstrated a number of things, one of which was Federal Government "front office" functions (normal day-to-day tasks) were completely dependent on I.T. and the 'Net. Their dependence has only become more embedded and ubiquitous since then. [FeGovt "back office" functions were, like Banking, completely dependent on I.T. by around 1990-1995. Widespread automation started 1955-1960.]

The Nick Hopkins piece takes this one step further, the militarisation of cyberspace attacks, with all the attendant organisation, funding, talent, 'hardware' and strategies - including reconnaissance, stealth incursions and long-term, low-visibility high-impact campaigns where patience is the key. One to Five year operation lifetimes are not unthinkable.

The Australian equivalent of the NSA, DSD (Defence Signals Directorate) already takes the possibility of Cyber-warfare quite seriously with its "CSOC – Cyber Security Operations Centre".

The guy who detected and defeated the first known "Denial of Service" (DoS) attack, Bill Cheswick, later started "The Internet Mapping Project" in mid-1998 as an aide in controlling these attacks.
The first element of which is, "What link(s) are they coming at us from?". [The current version is a Distributed Denial of Service (DDoS) attack, where 'zombies', ordinary PC's infected with malware, are controlled in real-time in a "BotNet" (robot network).]
Ideally, you'd also like to be able to identify all the originating machines so they could be potentially isolated.

So why are the new capabilities of the NBN so important to National Security?

Because of its implementation: 802.1ad, a.k.a. "QinQ" or Stacked VLAN's (Virtual Local Area Networks).  VLANs on the NBN Co site: 2010 consultations, Access Seeker Certification.
  • Unlike the uneven, disparate designs and capabilities of existing ADSL and Cable networks, the NBN gives us a single network that has designed in from day-zero, sufficient security capabilities.
  • Limited interconnection points (121) allow common event detection and reaction at realistic costs and complexity.
  • The Stacked VLAN approach of the NBN allows high-speed traffic analysis to be performed without inspecting the content. Bytes, and potentially traffic flows, may be counted, but information privacy is respected. Sudden changes in traffic volumes and targets are indicative of BotNet attacks.
  • ISP's can elect to drop all traffic from suspect links and sources.
  • Co-operating ISP's can automatically, and in real-time, put all identified members of a BotNet into a quarantine VLAN, to which the CSOC would have special access.
  • Because there will be a small number of very well identified and controlled international links into and out of Australia, we can selectively "pull the plug" on overseas DDoS or BotNet attacks.
    • Because every link has two ends, and both parties must trust each other, one option is to drop attack packets before they get onto the link into Australia (or outbound link for attacks originating in Australia), preventing link congestion. This requires one trusted, controlling authority in Australia and cooperation agreements with far-end operators to facilitate secure remote commands.
    • More subtly, DSD might direct all identified attack traffic into a set of HoneyPot VLAN's: it will look to the attackers that their attack is succeeding, while they are just playing with a set of Virtual Machines at the CSOC. This comes at the cost of congesting the international links. 
  • The NBN allows one consolidated and co-ordinated set of defences, no "market driven" scheme allows this. It isn't an issue of cost, complexity or convenience, it is entirely about being able to defend ourselves at all from Cyber-warfare attacks.
What may not be clear is the speed at which attacks will originate and propagate in Cyber-warfare, and hence the importance of real-time co-ordinated defences. From a 2003 piece on the "Slammer" worm:
... the number of infected machines doubled roughly every 8.5 seconds, the study found. This is more than 250 times faster than Code Red, which hit in mid-2001 and had a doubling time of 37 minutes, according to the report. The worm hit its full scanning rate of around 55 million scans per second at around three minutes after the attack began at roughly 05:30 GMT on Saturday.
I don't have figures to hand, but network speed/capacity, as well as size of BotNets, has increased 100-fold or more in the intervening decade.
What everyone should understand is "Internet Time". The rate of increase (doubling time) of capacity, endpoints and "events" (or attacks) is measured in weeks and months. 12 months from inception, some new technique or attack vector will have completely saturated the Internet. With the advent of Internet connected smartphones and tablets, the number of new devices connecting has accelerated another 10-fold.

At the 3-minute mark, the Cyber-warfare event is pretty much won or lost. Defences have to be both automatic and high-speed. [Hence there will be false positives when defences are accidentally or deliberately triggered. This is an unavoidable and inevitable cost of good defences.] We no longer have the option of "turning off the Internet", nor even can we just "unplug the problem link".

As well, because the attacker can select their timing, they will choose the worst time for the defenders. If somehow they gain Intelligence (remember this is military in nature, not just a bunch of techno-crims) about even the shortest of times critical controls are unmanned or incapacitated, that's when they'll go in. You wouldn't expect less from highly trained, success-focussed professionals.

The other issue is the degree-of-coverage.
With a consolidated infrastructure, you have the possibility of complete coverage because its physically possible and economically feasible to have a single control network with complete coverage originating from the authorised defence organisation.

With the anarchic, decentralised free-for-all "market-place" model we have now, this uniformly high-standard of defence and control, guaranteed across the whole system, is impossible. At the very best it is an N2 problem, but more likely the far larger N! (N-combinatnorial). This scale is completely unmanageable and uncontrollable.

Complete coverage is needed for any large-scale Internet defence system.
It's exactly like a dam or flood levy: you only need one undetected breach and the whole asset is quickly lost.

With the militarisation of the Internet, not having the NBN compromises National Security in the immediate future. Any person or organisation that claims otherwise doesn't understand the problem. Any political group not supporting the full NBN is deliberately sacrificing our security for short-term political gains. [I'd personally be more comfortable with a faster implementation schedule as well. More costly, but safety arrives sooner.]

Wide-scale coordinated Cyber-attack isn't a possibility, it is a certainty, the only uncertainty is the timing. We can choose to be prepared, or not.

The outcomes of ineffective defences will not be pleasant. I'm sure there must be Military or Intelligence briefings that describe the results in awful detail. They won't be for the feint of heart.

No comments: