Is cyber security cure worse than disease?

Leon Panetta's plan to safeguard the computers running critical US infrastructure would, analysts say, remove that which keeps the system safe: its fragmentation.

Defense Secretary Leon Panetta looks to the media to take a question as he participates in a joint news conference with Joint Chiefs Chairman Gen. Martin Dempsey, not seen, at the Pentagon, Thursday, Oct. 25, 2012. Panetta said the U.S. military did not intervene during the attack on the U.S. Consulate in Libya last month because it was over before the U.S. had sufficient information on which to act. (AP Photo/Carolyn Kaster)

There is a growing view that the US defence secretary's new strategy on cyber security could vastly increase the risk of the very "cyber Pearl Harbor" it is meant to prevent.

The secretary, Leon Panetta, has warned that America is facing the prospect of a highly targeted and orchestrated attack by adversaries of the United States, which officials identified as China, Russia, Iran and militant groups.

Mr Panetta outlined a nightmare scenario in which the US suffers a string of disasters such as derailed passenger trains loaded with lethal chemicals, simultaneous contamination of the water supply in major cities and a shutdown of the power grid across large parts of the country.

The Pentagon's strategy to counter this risk would effectively involve giving the government access to private IT systems across America, including those of large corporations and those involved in critical services in order to detect malicious software known as "malware". Financial institutions are understood to be particularly at risk since a cyber meltdown of the banks could devastate the fragile US economy.

But according to technology and security analysts, the US strategy risks opening a back door to a foreign power or terrorist group intent on bringing down critical infrastructure.

Indeed, the analysts say the reason that the US has so far not suffered a massive cyber attack is the current fragmentation of its private IT systems. Existing systems do not have a common security structure and do not share information easily with one another.

According to Graham Cluley, an analyst at the computer security firm Sophos, "Firms running critical infrastructure tend to put measures in place to reduce the opportunities for an internet-based attack to be successful - for instance, by not connecting sensitive systems to the net."

But any attempt by the government to link private systems could allow hackers who have gained entry to one organisation to infiltrate others, effectively giving them temporary control of American infrastructure and financial systems, with potentially devastating consequences.

"One of the big concerns right now is that a number of systems may have been rooted and are just waiting for a command to do some really ugly stuff," says Rob Enderle, the principal analyst at the US-based Enderle Group.

He adds: "I don't even think the department of defence [DOD] is thinking this through because right now the systems aren't talking to each other, making it difficult to spread a virus around but the DOD wants to connect these systems for reporting and tracking attacks. But this connection could make us vastly more vulnerable to successful national attack."

Certain hardware designed to prevent this kind of attack exists, but isn't being implemented widely enough.

According to Mr Enderle: "The exposed systems range from cellphones to large servers."

But even if all the newly connected IT systems in the US carried sufficient software security, the very existence of a networked system would open up the US to the prospect of human sabotage.

According to Mr Cluley: "The biggest risk to critical infrastructure is likely to involve the 'insider threat', a member of staff who has access to critical systems but may have allegiances to enemy actors."

Heidi Shey, an analyst at the research company Forrester, says: "Insiders and business partners also have access to data and information that they compromise. Whether their actions are intentional or unintentional, insiders cause their fair share of breaches."

She adds: "Other common sources of breach include loss or theft of corporate assets, such as laptops or USB drives, and external attacks that target corporate servers or users."

Forrester surveyed 583 North American and European companies that had an IT security breach in the past 12 months and found that hacking was far from being the main cause.

The loss or theft of a corporate asset such as a laptop or smartphone accounted for 31 per cent of breaches, with inadvertent misuse by an insider representing 27 per cent and abuse by a malicious insider 12 per cent.

The growing popularity of portable IT devices such as smartphones and computer tablets represents a new threat to cyber security. Besides being easily lost or stolen when taken outside the workplace, such devices are increasingly used by staff to try to access corporate systems from their personal IT.

Forrester's research discovered that most organisations have policies in place for smartphone, tablet and consumer-oriented tool use, but more than half say that they either don't have the tools to enforce policy or that their current tools are insufficient for enforcing it.

The West's reliance on increasingly complex and potentially vulnerable IT systems to run and manage critical infrastructure makes it vulnerable to attack, engendering a growing fear that the next major global war will be fought in cyber space.