14 June 2013

If you want cyber peace, prepare for cyber war

Beza Belayneh heads a high-level team of experts at the South African Centre for Information Security. (Delwyn Verasamy, M&G)

The South African National Cyber Crime Framework states: "South Africa has become dependent on the internet to govern, to conduct business and for social purposes.

"The internet has become indispensable to many South Africans and will continue to be, as more people join the information highway. Cybercrimes and threats will continue to increase. These cybercrimes and threats have the potential to impact on our national security and economy."

Network hacking, mass target phishing, persistent cyber criminality and the illegal release and posting of classified information on the internet were all hot topics in recent news headlines. These are topics that the government, citizens and the military must take seriously and treat as a crisis and a digital disaster in the making.

Although the situation has not yet reached the level of a catastrophe or digital disaster, it is still dire, and critical decisions must be made to change South Africa's approach to cyber defence so that it can succeed and provide viable solutions to the challenges it faces in cyberspace.

The country must deeply understand its current adversaries, develop effective, proactive defensive strategies in place of reactive ones, and adopt a warfare mentality in the fight against well-organised cyber criminals.

War mentality in cyber defence is not hype
Cyber crimes cost South Africa billions of rands every year. Thousands of citizens become victims of identity theft, card fraud, phishing, online dating scams and other computer-supported fraud.

Since 2011 South Africa has been one of the top three countries in the world targeted by phishing. Phishing is the most effective and critical stage of a multi-stage, targeted and persistent attack.

By all accounts, South Africa may not feel that it is at cyber war, but its adversaries have set up online and offline shops and have declared a co-ordinated and sophisticated cyber assault on its people, government and financial institutions.

The military's warfare mentality facilitates the framing of information security policy and implementation tactics. First, although warfare may sound clichéd to some, countries around the world have maintained a warfare mentality when it comes to overcoming cyber attacks and significantly reducing the risk they pose.

They frame the problem in terms of offence and defence and believe in the value of collecting intelligence data on the potential attackers.

The cyber war fighter expects that both the offence and the defence will engage in surveillance and reconnaissance geared towards identifying target systems and threats, as well as towards building a proactive defence.

Survivability must be a goal in martial mentality
Second, the military's need for survivability is now applied to computing and communications systems as well as traditional weapon systems and people. Most information security professionals should think of cyber defence tactics in terms of survivability, which is exactly what information resiliency is about.

Information resiliency refers to the continuous availability of uncorrupted mission-critical information to support business or military operations, even under the threat of a cyber attack.

An information resilient enterprise will continue to engage in its critical operations, despite the attacker's attempts to intrude, corrupt or deny service. The manner and efficiency with which the operations are conducted may change somewhat, but they remain operative.

The commercial world needs information resiliency to maintain its computing operations to prevent financial losses.

Understanding the processes of an attack
Third, the concept of information resiliency and the components that make it up must be developed in order to understand how a cyber attack unfolds, and where to deploy defensive resources within a familiar framework.

Cyber attacks follow a prescribed series of events and those events are somewhat dependent on the preceding events. For example, before a system can be effectively attacked, the attacker has to accomplish surveillance and then perform an analysis of the target system.

The surveillance of the target system provides knowledge of its networks, operating systems and other details, which is then used in the analysis to uncover potential entry points and to exploit publicly known vulnerabilities.

Taking 'defence in depth' to cyber space
Fourth, the military's use of multiple lines of defence is transferable to cyber war. In any type of conflict, a single mode of defence is unlikely to be effective over time.

Attackers become familiar with the defensive strategy and then alter their means of attack. Thus, the military has moved towards defence in depth, in which it utilises multiple and overlapping types of defence against cyber attackers.

For example, firewalls and proxy servers allow two forms of defence to be placed on a system without undue operational impact. Understanding the cyber attack cycle facilitates the selection, placement and timing of defensive deployments.

'Know Thy Enemy'
Sun Tzu in The Art of War said: "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."

Fifth, borrow the notion of reconnaissance and threat analysis from the military. With sufficient knowledge of the adversary, the attacker's actions can be anticipated and proactive defensive actions can be taken.

By moving out from behind the entrenched defences, it becomes possible to perform independent surveillance and reconnaissance, characterise the potential attacker's modus operandi, and search for indications of the impending cyber attack.

What is meant here is to look for trace evidence of the adversary's own surveillance, reconnaissance and intelligence gathering activities (as represented by mapping and access probing). The successful identification of these precursors before the attack provides an early warning system that effectively eliminates the adversary's element of surprise.
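The "prescribed series of events" described earlier (surveillance, then analysis, then the attack proper) and the early-warning idea in the paragraph above come together in one defensive task: spotting an adversary's mapping and access probing in ordinary firewall logs before anything is exploited. The following script is an added example, not code from the article or from the South African Centre for Information Security. It parses a handful of constructed firewall log lines in an assumed "timestamp action source destination:port" format, and flags any source that, inside a short time window, is denied on many distinct ports of one host (a vertical port scan) or on many distinct hosts (a horizontal sweep). The log format, the field names and the thresholds are assumptions chosen for illustration.

```python
"""Early-warning detector for reconnaissance precursors (added example).

Scans constructed firewall log lines for the "mapping and access probing"
that precedes an attack: one source touching many distinct ports or hosts
inside a short window. Log format, field names and thresholds are
assumptions for illustration, not a real product's format.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample log lines (RFC 5737 documentation addresses) in an
# assumed "timestamp action src dst:port" format.
SAMPLE_LOG = """\
2013-06-14T08:00:01 DENY 203.0.113.7 198.51.100.10:22
2013-06-14T08:00:01 DENY 203.0.113.7 198.51.100.10:23
2013-06-14T08:00:02 DENY 203.0.113.7 198.51.100.10:80
2013-06-14T08:00:02 DENY 203.0.113.7 198.51.100.10:443
2013-06-14T08:00:03 DENY 203.0.113.7 198.51.100.10:3389
2013-06-14T08:00:03 DENY 203.0.113.7 198.51.100.10:8080
2013-06-14T08:00:04 DENY 203.0.113.7 198.51.100.11:22
2013-06-14T08:00:04 DENY 203.0.113.7 198.51.100.12:22
2013-06-14T08:00:05 DENY 203.0.113.7 198.51.100.13:22
2013-06-14T08:00:05 DENY 203.0.113.7 198.51.100.14:22
2013-06-14T08:00:09 ALLOW 192.0.2.50 198.51.100.10:443
2013-06-14T08:01:30 ALLOW 192.0.2.50 198.51.100.10:443
2013-06-14T08:02:00 DENY 192.0.2.51 198.51.100.10:25
2013-06-14T09:30:00 DENY 192.0.2.51 198.51.100.10:3389
"""

Event = namedtuple("Event", "ts action src dst port")


def parse_line(line):
    """Parse one assumed-format log line into an Event."""
    ts_s, action, src, dst_port = line.split()
    dst, port_s = dst_port.rsplit(":", 1)
    return Event(datetime.fromisoformat(ts_s), action, src, dst, int(port_s))


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_probing(events, window=timedelta(seconds=60),
                   port_threshold=5, host_threshold=4):
    """Return {src: finding} for sources whose denied connections, inside
    any sliding window, reach port_threshold distinct ports on one host
    (vertical scan) or host_threshold distinct hosts (horizontal sweep).
    Only DENY events are considered: probing shows up as attempts against
    closed ports, and ignoring allowed traffic keeps normal users out."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.action == "DENY":
            by_src[ev.src].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        best, start = None, 0
        for end in range(len(evs)):
            # Advance the window start so that the window never exceeds `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            ports_per_host = defaultdict(set)
            for e in win:
                ports_per_host[e.dst].add(e.port)
            max_ports = max(len(p) for p in ports_per_host.values())
            kinds = []
            if max_ports >= port_threshold:
                kinds.append("vertical port scan")
            if len(ports_per_host) >= host_threshold:
                kinds.append("horizontal host sweep")
            # Keep the widest window that triggered, so the report covers the whole burst.
            if kinds and (best is None or len(win) > best["events"]):
                best = {"kinds": kinds, "hosts": len(ports_per_host),
                        "max_ports": max_ports, "events": len(win),
                        "first_seen": win[0].ts.isoformat(),
                        "last_seen": win[-1].ts.isoformat()}
        if best:
            findings[src] = best
    return findings


def run_example():
    """Run the detector over the constructed sample log."""
    return detect_probing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for src, f in run_example().items():
        print(f"{src}: {', '.join(f['kinds'])} ({f['events']} denied attempts, "
              f"{f['hosts']} hosts, up to {f['max_ports']} ports per host, "
              f"{f['first_seen']} to {f['last_seen']})")
```

On the sample data only 203.0.113.7 is reported, for both kinds of probing; 192.0.2.51's two denied attempts fall 88 minutes apart and never share a window, which is the point of the time bound. In practice the thresholds would be tuned against a baseline of the organisation's own denied-traffic volume, and a finding would feed a watch list or alert rather than a print statement.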

Above all, educating end users, citizens and decision makers through the media, public discussions or similar interactions on how cyber criminals operate and what they are after makes it possible to strengthen the human firewall.

Timing is almost everything
Finally, borrow from the military the concept of upsetting the adversary's timetable and advancing one's own. By throwing the adversary off his plan, it may deter him from future action or postpone his attack.

A reliable knowledge of who the adversaries are and how they operate can deter the attack, change the attack method, or minimise damage. It is not sufficient to simply know what to do. When to deploy specific defensive tactics is as important.

To achieve information resiliency, cyber defence must move from a "reactive" paradigm to a "proactive" one. Proactive defence anticipates an attack and then uses defensive tactics to respond to an attack as soon as, or before, it penetrates and causes damage.

Today, the multi-stage attacks launched by state and non-state actors against South Africa are motivated by greed, harassment, revenge and the intention to cause psychological terror.

The best approach for South Africa to secure peace in cyber space is to prepare for cyber war and not wait for a manageable crisis to develop into a disaster.

The current state of cyber threat in South Africa
South African political, economic, and military systems are already vulnerable due to the pervasive use of commercial information technology.

Some of the country's most important infrastructures (energy, telecommunications, transportation, finance and communications) are among the most vulnerable.

Decision makers are not given the capabilities, tools and awareness needed to detect and monitor the performance of the nation's critical infrastructures and information systems during cyber attacks.

The prevalence of commercial information technology is introducing vulnerabilities faster than defenders can discover, evaluate, and mitigate weaknesses.

The cyber-environment is target-rich and easy to attack, and even weak actors can have a major asymmetric impact with openly available tools.

Our dependence on these systems and their inherent complexity and interrelated nature is not well understood by the "non-techies" and even sometimes by technologists who make both policy and business decisions.

This creates a real risk of cyber exploitation, because the majority of these essential systems are riddled with security vulnerabilities.