The interesting thing is I don’t even remember doing this interview! Enjoy…

Matthew G. Devost: Ready the Defense

States should be working with private organizations and companies to ensure critical infrastructure and information technology are not vulnerable to cyber terrorism. By Steven Ferry, Government Technology, February 2002

Matthew G. Devost has been researching the impact of information technology on national security since 1993. He is currently the executive director of Technical Defense Inc., a company providing strategic consulting services to international and Fortune 500 corporations and governments. Devost also serves as president of the Terrorism Research Center Inc., an institute that researches and analyzes counter-terrorism and information-warfare issues. His clients have included Microsoft; the Department of Defense; the President’s Commission on Critical Infrastructure Protection; the FBI; and numerous other defense, intelligence and law enforcement entities. In this interview, he provides a current look at the state of cyber security in the United States and offers some simple suggestions for dealing with the threat of cyber terrorism.

Visions: Since you first conducted research on national security and information warfare for your graduate thesis many years ago, you have discerned an evolution or growth in the threat presented by cyber terrorists. Where do we stand now in terms of any real threat?

Devost: Terrorist organizations that presented traditional threats, the Department of State’s top 30 terrorist organizations, were not initially interested in the cyber terrorism component, but this is no longer the case. They are actively pursuing these ends now.

Visions: What leads you to this conclusion?

Devost: These organizations are obtaining education and training in computer-science and computer-security disciplines for some of their followers. In an environment where resources, logistics and mobility are becoming increasingly constrained for these organizations, cyber terrorism has become one of the more attractive options in their threat arsenal.

To date, we have no evidence of them trying to launch attacks, but there have been isolated indicators with regard to the education being sponsored by them. They used to focus heavily on engineering: subjects that allowed them to build better bombs, smaller bombs, bombs that would trigger based on a plane’s altitude and so forth. We are now seeing a focus on computer components.

This changing trend was in part prompted by the realization that the U.S. government has been articulating a significant vulnerability on this problem. These terrorist organizations have, therefore, raised their research levels, exploring these vulnerabilities. They have heard all these acronyms within the United States — organizations, commissions and councils — focusing on critical infrastructure protection and so recognized a potential avenue of attack. Many of these critical infrastructures are owned by private industry and the government has been obliged to articulate to these companies the existence of a threat. This, obviously, is one of the downsides of an open society: It attracts attention to its problems, as well as how it plans to solve them. Unfortunately, we have done a very good job of attracting attention to our problems, but we have not done a very good job of solving them.

Visions: How big is the danger of cyber attacks from nation-states and well-financed terrorist groups?

Devost: These are factually two different threat elements. There are some obvious deterrents to a nation-state using an information-warfare-type attack, and these differ from the more autonomous, asymmetric terrorist organizations that have no economic interdependencies with the nation-state being attacked, which could recoil upon them. In the event of a major nation-state conflict, cyber attacks will be launched. If you look at some of the doctrine coming out of nations like China, they do not believe in hegemonic war anymore. They believe in unrestricted wars, with attacks against financial centers, cyber attacks and information warfare as the means of adversarial conflict.

But a terrorist organization is not bound by any interdependencies or the fact that their actions could escalate to a conventional war. They know that any attack attributed to them is going to receive a conventional response, regardless of whether [the attack] is cyber or physical in nature. Some of these organizations are no doubt in the planning cycle right now to try and launch a cyber attack. Depending upon how much damage they want to inflict, their planning cycle can range from one to five years. They are patient with regard to researching and discovering vulnerabilities and planning out attacks to achieve maximum impact. Launching an isolated attack with limited impact and so tipping the hands of the U.S. government is something they will avoid. The significant consequences they will be seeking are not necessarily the loss of life, but [the loss of] psychological confidence in infrastructures. We are talking about economic impact on the society as a whole. Those are more likely the types of impact a terrorist will have in a cyber attack, versus actually trying to kill people. They may have some isolated incidents of success in achieving loss of human life in cyber attacks, but the psychological and economic components are much more attractive.

Visions: Are there any fundamental differences in the cyber-terrorist tools used by hackers, terrorist groups and hostile nation-states?

Devost: There are major fundamental differences. Hackers rely, to a large extent, on tools developed and available within the hacker community — vulnerabilities that are known and discussed. They are not very structured; they lack the resources to study and target a specific infrastructure. We will still have denial-of-service and other attacks by hackers, but it’s a small-scale issue from the perspective of vulnerability. It is really just noise on the radar screen more than a really significant threat.

Elevate that to the terrorist level, and you have the ability to significantly impact critical infrastructures, as defined by the President’s Commission on Critical Infrastructure Protection. Such isolated rather than systematic attacks are an obvious concern to the [United States], but are potentially recoverable after inflicting varying degrees of economic and psychological impact.

Moving into the nation-state level, any attacks will strive for national, strategic, long-term impacts, denying the use of critical infrastructures, attacking those infrastructures that would impact our ability to project force or wage conventional warfare. With national-level attacks, we are looking at a force that has the resources to develop tools and vulnerabilities that are probably not in the public domain and which, therefore, will catch us potentially by surprise.

Visions: What do you identify as the major cyber-security challenges today?

Devost: Major challenges are recognizing, despite the absence of a threat, our interconnectivity, and then determining which structures are vulnerable and what the impact would be if they went down. Also recognizing that security is not about throwing technology, such as firewalls, at networks. It is about putting programs, policies and procedures into place that ensure a dynamic security posture. As new vulnerabilities are discovered, one has to have a process in place to mitigate them. I don’t see that planning taking place at either the government or private-industry levels to the degree needed in order to secure our infrastructures, or any demonstration of an ability to respond and recover from attacks down the road. Those are the biggest challenges: recognizing the true vulnerabilities and the need for security processes, procedures and policies that create a risk-management program, rather than just throwing technology at networks in order to secure them.

We need to avoid static remediation, conducting a one-time vulnerability assessment, addressing those vulnerabilities, and then having no program in place to address future vulnerabilities. With dynamic remediation, one takes a snapshot of the vulnerabilities as they exist, but then also puts in place a program to identify and mitigate new vulnerabilities as they arise.

Visions: As much as one can predict where technology may take us in the years ahead, what will be the cyber-security challenges in the next five years?

Devost: Hopefully, we would have the vulnerability out of the way and have a manageable understanding of what our infrastructures look like, how they are interconnected and interdependent with each other. And we would have a dynamic remediation process in place.

We haven’t seen any large-scale information warfare or cyber terrorist attack. That does not mean we should not plan for them and prepare ourselves to respond and recover from these kinds of attacks. We also need to develop our intelligence capabilities with regard to attribution and identifying the sources of attack, so that we have a real viable means of responding to whoever launched the attack. Right now, if someone launched a systematic attack, we could not determine who it was with any reliability. It’s an issue we need to work on still.

As next-generation protocols are released, which will allow for more accountability with regard to packets, etc.; and as more international institutions start addressing issues of cyber crime and critical-infrastructure vulnerability; and as we develop cooperative agreements that allow us to trace back the source to a greater extent, we will be able to deal with these issues more easily.

Visions: You have covered the Internet, but what about software, which is often released with security loopholes?

Devost: This is a significant concern. We continue to release software that is vulnerable to the same type of exposures that we have known about for decades. Take buffer overflows, for example. We have known about problems with them and software code for a long time, yet we continue to develop such software. We definitely need to harden some of these code bases in use now. We have moved to a modular coding system where you reuse software. So if you use one component in 10 different products, all 10 will be vulnerable.

This issue needs to be addressed at the free market level. We are in such a rush to deploy the latest technology, that we have put companies in a position where it is financially lucrative for them to deploy vulnerable software to their customers. They deploy and then fix. If we moved to a model where users tell manufacturers that they do not believe they have subjected their newly released software to adequate security testing, and that they will wait a year before moving to the next generation, that would begin to have an impact on the development cycle within these organizations, and they would start to accept some accountability with regard to performing some quality control before release. This is probably the only true way to address it — articulating to software and hardware manufacturers that security is an important feature and needs to be incorporated into the design and be tested. The product [is] only released when it has been subjected to adequate testing.

Visions: What actions are being taken right now to secure cyberspace from terrorist attack?

Devost: We are definitely throwing a lot of technology at the issue. Some organizations are also addressing it from the programmatic level, recognizing that they need the processes, procedures and policies in place as part of a risk-management program in order to secure their enterprise. Assessments are being conducted, but from the point of static remediation. There are initiatives to close off networks, which is a viable approach, but then we lose some of the benefits of the networked economy and society. Ground is being broken in all of the areas that need to be addressed, but the question of cyber security has been addressed by isolated groups without any systematic approach to the problem.

Visions: If your responsibility were to achieve cyber security, what would you do?

Devost: I would immediately develop a security program that incorporates a risk-management process that asks for our immediate vulnerabilities and interconnections, and then immediately fix those vulnerabilities. Then institute policies and procedures to allow for new vulnerabilities to be addressed, making sure at the same time that employees were not introducing new risks into the system, and constantly evaluating our level of exposure in a dynamic process. I would want to know if a new vulnerability had been found in a certain platform. In other words, I would want to know that all the systems have been patched and fortified, and periodically, evaluate the entire enterprise to ensure that no new vulnerabilities or network connections have been introduced.

And I would hold people accountable. That’s a big issue in the security community right now: lack of accountability or legal liability with regard to computer security. We saw this issue emerge in early December when a federal judge ordered the Department of Interior offline for failure to have a due diligence approach to information security and protecting information with regard to some Indian land trust data.

That’s a position I articulate constantly, that the only element of security that has not come to the fore yet is the legal liability and due diligence component. If I am going to operate in a network environment, there is some standard that has to be applied. This Department of Interior case is the first I have seen that has real implications for an organization. The judge basically pointed out that the department had been entrusted with information [that] they were unable to protect adequately and had been introducing risk into these people’s lives. Financial and personal information was easily available to those exploiting the system. So, the only mitigation the judge had was to take the department offline completely.

So what happens if the erring component is a critical infrastructure? If I am an adversary, I do not need to exploit the vulnerabilities in order to take you down. All I need is a good lawyer who can show that your system introduces so much risk due to the negligence on the part of the people who own and operate the system that it is a liability that needs to be addressed. The network needs to be taken offline until it can demonstrate to the court that it can be secure. This will be a huge issue in the future.

Visions: It seems that whether it is a hacker, terrorist group or hostile government, the issues are still the same.

Devost: Exactly. The threat spectrum is wide-ranging, but everybody is funneled through the same critical infrastructures and vulnerable systems, and that’s the issue because the vulnerabilities to the different threats occur in the same technologies and infrastructures. That means the remediation strategies are basically the same, no matter the threat.

Visions: What should local and state governments do to address cyber terrorism?

Devost: They need to recognize that they are all part of the solution. There needs to be a sharing of information and remediation strategies between the public and private sectors at the state and federal level. If you ask state officials right now, “What are the critical infrastructure vulnerabilities from a cyber perspective in your state?” they will not be able to say. In the federal government, they would be hard pressed to offer an answer. They understand critical infrastructures at the high level, but they don’t understand, at the private-organization levels, who has control, how they are interconnected and what the impact might be of an attack. These communities need to be talking to each other — that’s the most important action to take. The government needs to share with industry to a greater extent the intelligence they have that demonstrates a viable threat.

But then again, within the private sector, if I am sitting in the boardroom, trying to make a strategic decision on how to invest my money, unless there is an articulated threat in the cyber arena, there is really no motivation for me to expend the dollars necessary to maintain my security program. So I decrease our funding and increase our vulnerability state.

The government needs to articulate to a greater extent than the director of the CIA saying there are a hundred nation-states developing these capabilities and we are going to experience a digital Pearl Harbor. These are great sound bites for media articles and such buzz words exist inevitably at the senior level, but they need to be backed up with some realistic intelligence and threat analyses that say, “Yes this is a problem, we are sufficiently concerned, we recognize that you own these infrastructures, this needs to be a cooperative effort, we need your help, work with us.”

Visions: How has democracy fared under the twin forces of cyber terrorism and the tendency of government to curtail liberties in order to protect them?

Devost: There’s always this balance between civil liberties and civil security and it is up to society to articulate where that line is drawn. This is one of the great things about the democratic society. We entrust the government to protect us and provide critical services. If in doing so we think that the government is overstepping the boundaries of our civil liberties, we have mechanisms for changing that. We can have an impact if the citizens start to draw the line. That’s a message I have communicated in lectures at area schools recently when the students ask the same question. My response is always the same: “You tell me, what are you willing to live with? Do you think there is a viable threat to your security, to your personal well being, such that you are willing to accept some of these more intrusive measures?”

It’s the same within cyberspace. Are you concerned enough with the fact that your bank account information can be stolen, your power grid could go offline or your telecommunications system could go down, that you are willing to subject yourself to greater levels of surveillance, to further authentication so that you are not able to access some critical services anonymously, or there is special authentication required to access a specific network? There is a balance, and it will be set by the civilian populace.

Visions: Do you have any particular message for local and state governments?

Devost: State governments are all required now to come up with counter-terrorism plans. As they start to think through the question of their infrastructure vulnerabilities and how they would respond to terrorism incidents, make sure they include a component for the cyber aspect. Because they can harden physical infrastructures to the greatest extent possible, and I could probably still do more damage coming in over the telephone lines or the network connectivity than I could ever accomplish by trying to penetrate that physical security perimeter. So there needs to be recognition at the state and local levels that cyber terrorism needs to be included in their response plans.

Understand what you have, understand what the threat is, and then work with industry to determine how you are going to mitigate or recover from any incident that may happen.

Steven Ferry