February 2010

Cyber-Vulnerability Sees the Light of Day


If anyone ever doubted that cyberspace is also a battlefield, that doubt should be permanently erased by the recent incident involving Google and China. What initially looked like a human rights/political squabble has revealed an underlying, ongoing technical struggle for national security. It is no coincidence that the United States now has an official U.S. Cyber Command, organized in October of 2009 under the United States Strategic Command and led by the National Security Agency.

The really scary aspects of this incident that came to light along with the dispute between China and Google have been known to computer security specialists and network technical types for some time. This is, however, probably the first time that the dangers of cyber attacks on our infrastructure have been solidly brought home to the general public outside of Hollywood. And that danger is, to quote H.G. Wells, that “intellects vast and cool and unsympathetic were regarding us with envious eyes.” What has been known and talked about only in hushed tones for years is the ominous fact that there is an ongoing effort by a number of national governments, among them China, to compromise network security in an effort to gain industrial and classified information and to probe sensitive infrastructure, including the power grid, water, sewage and other systems, for vulnerabilities that could be exploited in a potentially devastating attack.

This is not some kids running on pizza and Jolt Cola trying to amuse themselves, but nation states directly funding battle in cyberspace by PhD-level computer scientists to gain an advantage that could be exploited at the outbreak of hostilities. It directly affects the design and development of connected embedded devices in all fields because things are now so intimately connected and that connectivity is increasing at a furious rate. That is why we brought four CEOs together from four leading companies involved in security for connected devices. It is our hope that their insights will both inform and motivate our readers to increase awareness of security issues involving the very heart of our technical infrastructure.

In terms of the Cyber Command, the effort is primarily defensive, but there is also a program to develop offensive capability. Just who should authorize an attack, and when, is not yet clear. For example, when does an effort to defend a U.S. military network cross the line into offensive action, and what are the implications? Also, it has been pointed out that there is currently no medal for technical expertise or action like there are for valor and achievement in traditional military skills, so is the military mind-set really the best qualified for this mission? Well, at least something is being done at this level, and it appears that the concerns for commercial security, such as spying on domestic companies in search of industrial secrets, are being left to the Department of Homeland Security.

Securing network devices will never be absolute. With the proliferation of smart phones and mobile devices, the entry points for an attack multiply exponentially. It is also somewhat ironic that the technologies that can be used to monitor for intrusion can also be used intrusively. For example, not much is known by the general public about the technology of deep packet inspection (DPI), which is essential for tasks such as network maintenance as well as for monitoring traffic for unauthorized access and security. But that same technology can be used for monitoring “private” communications, which was apparently done in the Google incident in the effort to access the Gmail accounts of dissidents. DPI technology is now sufficiently available that anyone with the necessary technical expertise can use it for whatever purpose they please. It can track terrorists as well as cheating spouses.

Industrial installations really do need to have their enterprise networks talk to their automation networks for a host of business-related reasons. But while a manufacturing operation could theoretically be isolated from the Internet, no business would dream of trying to isolate the enterprise network in the same way, and that network forms what is at least the easiest gateway for intruders into the automation side.

All kinds of technical strategies and policies are constantly being applied, and must be applied, to protect vulnerable assets. A good deal of this will remain in the shadows, but many aspects must be discussed in public at as technical a level as will not compromise security while (another bit of irony) serving the goal of actually creating and deploying the needed technology. As a publication dedicated to the developers of embedded and connected devices of all kinds, RTC will be a source of ongoing coverage of developments in this area.