The use of technology in both the public and private sectors comes at a cost in terms of risk and security. Countries adopt technology in everyday facets of life and business, whether in financial or military operations, and this same technology also serves as a tactical consideration of warfare. There are a number of possible tactics available to cripple or even decimate an enemy or individual; a few examples include denial of service, data modification, espionage, or even manipulation of core infrastructure assets such as electric or nuclear plants. The possibilities are endless and limited only by the scope of technology employed by the perceived enemy.
Introduction
The advent and rapid expansion of technology in modern times has had a great deal of positive impact but at the same time has destabilized the security infrastructure of the United States as well as many other countries. While current and future battles, at least in the short term, are fought by the Armed Forces, the battlefield of the future will be supported with coordinated cyber-attacks. Never before in history have countries been attacked by foreign intelligence agencies, enemies of the state, or even activist groups using the cyber tactics that occur today. A number of fundamental day-to-day services are at risk, and while the U.S. Federal Government has begun addressing cyber threats from a military standpoint (CBS News, 2011), the reality is that the infrastructure surrounding the economy, public water works, and electrical and nuclear power plants faces countless risks. While it is unclear what role governments are to perform in terms of security in the private sector, it is apparent that businesses must make vital investments to ensure proper protections. If you have any doubts that the infrastructure is at risk, consider for a moment a time of war in which manufacturers are distributing equipment to the military. If an enemy is successful in taking down a power grid, the results are chilling. The tactic of attacking infrastructure is not new, but attacking these areas has never been easier. To combat the problem, it is imperative to understand the threats and ultimately implement and sustain security.
The Cyber Threat
Cyber war is something that the population can only envision, or turn to Hollywood for a glimpse of the possibility. In 2007, a movie titled Live Free and Die Hard was released in which a small group attacked every aspect of the American economy in what was termed a “fire sale,” meaning that every part of the infrastructure that makes use of technology must be taken down. In theory, this type of attack is completely possible.
Threats are pertinent to both the government and the public because of the interdependency of these entities: if one falls victim, the other feels the impact. The Department of Homeland Security determined that anyone attacking infrastructure would have to do so with multiple targets and over time, which in turn would propagate terror and cause the target to respond in a way that could either prevent the attack or even divert attention from another target (Lewis, 2002). Once put into the context of how a virus, malware, or even something as basic as access control works, the reality is that all of these components can affect a country in an adverse way that in turn ripples through its infrastructure. In 2003, a virus known as SQL Slammer hit computer systems around the globe and impacted South Korea particularly hard. Because of this virus, South Korea experienced an internet outage that lasted nine hours, affected its citizens, and adversely affected e-commerce transactions (Hinde, 2003). This example must serve as a wakeup call for everyone! Stop for a moment and consider the possible outcome should a foreign state launch a cyber-attack on the United States where the target was air traffic control. The loss of life and the impact to the airline industry and the government would be tremendous, and this type of attack is entirely feasible should any aspect of security fail.
Commercial and Government Targets
While some would say the Internet is really still in the early stages of use, it is evident that over the last two decades over 30 countries have incorporated cyber warfare tactics into military and intelligence operations (Knapp & Boulton, 2006). For the United States, there have been indications that China has been targeting both military and commercial systems. Early in 2010, Google released a statement that it was the victim of a security breach by China and that, as a result, it suffered theft of intellectual property (Lee, 2010). Similarly, William Matthews (2008) references a Security Review Commission report that stated “China is targeting U.S. government and commercial computers for espionage, and has developed cyber espionage capabilities so advanced that the U.S. may be unable to counteract or even detect the efforts.” To further outline where cyber warfare tactics are employed, an in-depth study of remote access tools (RAT) performed by McAfee generated a number of interesting points (Alperovitch, 2011). First, while there were vast amounts of data, the report outlined 71 attacks across a number of governments, technologies, and private sectors. Not surprisingly, the U.S. has been victimized 10 to 40 times more than any other country. At this point, the scale of cyber warfare starts to dictate that government bodies and private industry focus much more on security, no matter the cost. If cyber security fails to be addressed in a much more aggressive manner, then the alternative is unthinkable.
The Measure of Protection
With the groundwork surrounding cyber warfare defined, it is essential to understand the risk, and it is equally important to raise awareness and implement a strong and comprehensive cyber security infrastructure. There is a wide variation of approaches to defining an achievable cyber security program that will place the tools and responsibility directly in the hands of every individual. The challenges at times may seem insurmountable, but persistence and attention to detail will always pay off in the end. In order to address security there are two fundamental components: the systems and the personnel.
Personnel Background Checks
The single common thread in any organization is the people who make up the business, and this is true for both private industry and the government. In today’s modern age of computers, background checks of personnel become tremendously important. The challenge is that this process, while used at a number of government agencies, is not typically used in the private sector, and the reason may very well come down to cost and time. At the state and federal level, one would think that everyone would undergo a background check; however, this is not always the case. For example, mayors and governors generally do not hold a security clearance and are restricted to intelligence information (Kaiser, 2003). In the brave new world of information technology and of local and foreign threats, it is now imperative that any personnel who potentially require access to sensitive information undergo a proper and complete security check. Consider for a moment electric companies and what may occur should an individual desire to bring down a power grid. While this example may be unlikely, the reality is that an organization and the public rely upon the individual performing a particular job. The upfront cost would always justify security and ensure proper screening of personnel.
Personnel Training
The single largest threat to any organization is the person sitting at the keyboard, and this is especially true for government bodies and companies that hold contracts with the government. Training does not start or end with the aforementioned entities; rather, training is imperative in all aspects of business. A deeper dive into personnel produces numbers that begin to be alarming, and this data greatly assists in identifying and implementing training opportunities. To further drive home the risk that personnel bring to the organization, Cisco (2008) performed a study which found that only 17% of employees never used assets for personal use whereas 63% used assets at a minimum of once a day. This same study yielded further details in terms of unauthorized access, password use, and physical security. The hurdle is changing human behavior, and the initial step is identification of the risks. A successful training program takes a variety of measures, which include annual training, management buy-in, and finally being able to adapt to the changing threats. Should an organization fail to have the expertise in house, there are organizations available that provide assistance, such as the Information Technology Essential Body of Knowledge Framework (Conklin & McLeod, 2009). Any comprehensive security program includes engagement of everyone, and by doing so, everyone has a stake in security.
System Controls
Technology itself provides a vast array of opportunities to assist in terms of security and protection, but it is also important to understand that people manage technology at the end of the day. System controls make up multiple aspects of technology, which include but are not limited to operating systems, secure coding, access control, and hardware. Each facet presents its own unique solutions and problems.
Operating Systems
The foundation of every system is the operating system (OS). The majority of vulnerabilities start at the OS level (Edwards, 2011), and because of this, the organization is at the mercy of the vendor. There are steps to lessen the vulnerabilities, which include a strong patch management process as well as establishing a baseline for OS distribution across the organization. For example, Microsoft Windows by default ships with a number of services enabled that may result in ports being open when they should not be. A concise understanding of the features within an OS will provide for greater security in the end.
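One way to check a host against such a baseline, added here as an illustration and not taken from the original article: the script compares the listening sockets in a constructed sample of Windows `netstat -ano` output with an approved port list. The baseline contents and the sample rows are assumptions made for the example.

```python
"""Compare a host's listening ports against an approved OS baseline."""

# Approved baseline for a hypothetical server role: (protocol, port).
BASELINE = {("TCP", 443), ("TCP", 3389)}

# Constructed sample in the layout printed by Windows `netstat -ano`.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4120
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING       3012
  TCP    10.0.0.5:3389          10.0.0.9:50211         ESTABLISHED     1100
  TCP    [::]:3389              [::]:0                 LISTENING       1100
  UDP    0.0.0.0:5355           *:*                                    1520
"""

LOOPBACK = {"127.0.0.1", "[::1]"}


def listening_sockets(netstat_text):
    """Yield (proto, address, port, pid) for every listening socket."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; UDP rows have none.
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        address, _, port = local.rpartition(":")
        yield proto, address, int(port), int(fields[-1])


def baseline_deviations(netstat_text, baseline=BASELINE):
    """Return network-reachable listeners that the baseline does not allow."""
    findings = set()
    for proto, address, port, pid in listening_sockets(netstat_text):
        if address in LOOPBACK:
            continue  # bound to loopback only, not reachable remotely
        if (proto, port) not in baseline:
            findings.add((proto, port, pid))
    return sorted(findings)


if __name__ == "__main__":
    for proto, port, pid in baseline_deviations(SAMPLE_NETSTAT):
        print(f"not in baseline: {proto}/{port} (PID {pid})")
```

Each finding carries the owning PID so the service behind the port can be identified and either disabled or added to the baseline deliberately.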
Application Security
Many organizations produce custom software to complete a given task. While software greatly helps in the business process, it does not come without its own risk. Since the beginning of software development, code injection has been a problem, and it will continue to be one. While many of the available solutions are software based, it may be beneficial to look to hardware as a potential solution (Riley, Xuxian, & Dongyan, 2010), depending on the complexity and nature of the business process to be protected. In fact, the Open Web Application Security Project (OWASP) produces a Top 10 list of security vulnerabilities, and at the top of this list are injection attacks (OWASP, 2010). Injection attacks come in a variety of forms, but the most common are structured query language (SQL) attacks, because having a database in place is commonplace.
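The difference between an injectable query and a hardened one, as an added example that is not part of the original article: the table, rows and function names are constructed for illustration, using Python's standard `sqlite3` module.

```python
"""SQL built by concatenation versus a parameterized query (sqlite3)."""
import sqlite3


def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", 120), ("bob", 75), ("o'brien", 40)],
    )
    return db


def balances_concatenated(db, owner):
    """Vulnerable: the input becomes part of the SQL text itself."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()


def balances_parameterized(db, owner):
    """Hardened: the input is bound as data and never parsed as SQL."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return db.execute(sql, (owner,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input that rewrites the WHERE clause
    print("concatenated :", balances_concatenated(db, crafted))
    print("parameterized:", balances_parameterized(db, crafted))
    # A legitimate name containing a quote also breaks the concatenated form.
    try:
        balances_concatenated(db, "o'brien")
    except sqlite3.OperationalError as exc:
        print("concatenated query failed:", exc)
    print("parameterized:", balances_parameterized(db, "o'brien"))
```

The concatenated form fails in both directions: crafted input returns every account, and an ordinary name with an apostrophe raises a syntax error.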
Conclusion
At this point, the gravity of security as applied to both countries and business should be a call to action. The potential for destruction is obvious, and the result may be financial or, worse, loss of life. For example, turning attention to 1945, the United States delivered an atomic payload via an air strike on Hiroshima, Japan, which drove Japan’s surrender in World War II. Modern day enemies have the capability to launch a similar attack from a remote location with the use of the Internet. The modern day landscape of warfare continues to evolve, and these tactics are evident in the recent cyber-attacks that have been making news, in which vulnerabilities lead to exploits that serve a political and social agenda.
Modern day threat tactics are exploited on a continual basis and tend to evolve more quickly than the solutions. Because of these threats, a comprehensive security model is required that is both network and people centric. Within this model, the points of interest will fluctuate from organization to organization, but the point is to call out all characteristics of the business. Only as the threat surface begins to be analyzed is it practical to implement both a plan and training to either diminish or in some cases eradicate the threat.
References
- Alperovitch, D. (2011). Revealed: Operation Shady RAT. McAfee. Retrieved from http://www.mcafee.com/
- CBS News. (2011). Obama hands military new cyber war guidelines. CBS News. Retrieved on October 26, 2011 from http://www.cbsnews.com
- Cisco. (2008). Data leakage worldwide: common risks and mistakes employees make. Cisco. Retrieved from http://www.cisco.com
- Conklin, W., & McLeod, A. (2009). Introducing the Information Technology Security Essential Body of Knowledge Framework. Journal of Information Privacy & Security, 5(2), 27-41. Retrieved from http://www.ivylp.com
- Edwards, C. C. (2011). Security: the new frontier. Engineering & Technology, 6(5), 80-83. doi:10.1049/et.2011.0508
- Hinde, S. (2003). Cyber-terrorism in context. Computers & Security, p. 188. doi:10.1016/S0167-4048(03)00303-1
- Kaiser, F. M. (2003). Access to classified information: seeking security clearances for state and local officials and personnel. Government Information Quarterly, 20(3), 213. doi:10.1016/S0740-624X(03)00040-6
- Knapp, K. J., & Boulton, W. R. (2006). Cyber-warfare threatens corporations: Expansion into commercial environments. Information Systems Management, 23(2), 76-87. Retrieved from http://www.tandf.co.uk
- Lee, M. (2010). Google attack puts spotlight on China’s “red” hackers. Reuters. Retrieved from http://www.reuters.com
- Lewis, J. A. (2002). Assessing the risks of cyber terrorism, cyber war and other cyber threats. Center for Strategic and International Studies. Retrieved from http://www.csis.org
- Matthews, W. (2008). Chinese Cyber Attacks On Rise: U.S. Report. Defense News. Retrieved from http://www.defensenews.com
- OWASP. (2010). OWASP Top 10 Application Security Risks. OWASP. Retrieved from http://www.owasp.org
- Riley R, Xuxian J, & Dongyan X. (2010). An architectural approach to preventing code injection attacks. IEEE Transactions on Dependable & Secure Computing, 7(4), 351-365. Retrieved from http://www.computer.org