Russinovich: Prepare for cyber-attack
Mark Russinovich, a cyber-security and Stuxnet expert, is the author of "Zero Day," a novel that portrays the collapse of the Internet from a widespread cyber attack.
The world has become more dependent on computers, and the systems that serve as the foundation for the basic operation of our country are no exception. Turning off the electrical grid, disrupting food distribution, compromising water supplies or bringing down a stock exchange would cause major economic damage and, in many cases, even loss of life.
The electrical grid uses computers to monitor and control the flow of electricity; food distribution schedules are stored in computers; water filtration stations rely on computers to control the proper mix of chemicals; the entire banking and financial system relies on them -- and since most of our money exists only as digital data in these computer systems, so do we.
The threats against these critical systems include our traditional adversaries like China, Iran and North Korea; terrorists with a political or religious agenda; and even lone malcontents. For many reasons, the risk of and threat posed by a cyber-attack is actually greater than that of a physical attack.
A cyber-attack can be executed with virtual anonymity, making it difficult or impossible to attribute the source and nullifying the ability to counterattack as a deterrent. While carrying out a large-scale attack on physical infrastructure requires manpower and coordination, expensive to obtain and difficult to conceal, a cyber-attack's scale is limited not by the number of attackers, but by the number of computers penetrated and the role those computers play in the smooth operation of the systems we rely on in our daily lives.
Because they are obvious targets, military systems generally have the best security policies and software. Yet even Department of Defense networks have been penetrated many times over the last few years. In 2008, a cyberspy infiltrated Army command-and-control computers overseeing operations in Iraq and Afghanistan. More recently, several military contractors, including Lockheed Martin and Booz Allen Hamilton, have admitted to having been breached, and multiple national laboratories have at points taken themselves off the Internet while they've investigated and cleaned up cyber-intrusions. And those are just some of the incidents we know about.
Most of the country's critical infrastructure is operated by the private sector, not the government. And if military networks are vulnerable to sophisticated cyberattacks, the private sector is a much softer target.
From Sony to Citigroup to Automatic Data Processing (ADP) to Aetna, major corporations have made headlines with announcements that hackers have infiltrated their computers. In some cases, companies are forewarned that they're a target, yet they're still unable to hold off the attack. Last month, the hacktivist group Anonymous told the San Francisco subway system, BART, that it would deface BART's websites in retaliation for its decision to block cellphone reception to thwart protests. A few days later, the group made good on its threat.
The weaknesses attackers exploit to gain unauthorized entry into these networks are varied. Publicly accessible websites that don't check for malformed input, and software vulnerabilities, let an attacker establish a foothold. If the computers managing critical infrastructure are reachable from such Web servers, an attacker can often find a way to compromise those computers using other vulnerabilities, gaining access to the infrastructure's core. Misconfigured firewalls, no antivirus or antivirus that's out of date, and weak or preconfigured passwords are all common -- as are users with a lack of security training.
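The first weakness named above, a public website that does not check for malformed input, is the one a developer can close directly. The following is an added example, not code from the article, showing the strict validation a web front end should apply to a request before anything behind it sees the data. The endpoint, its field names and its limits are hypothetical, constructed for illustration:

```python
"""Added example (not from the article): allowlist validation of a web form
payload before it reaches back-end systems. The endpoint (an order form with
a customer id, a quantity and a callback hostname) and its limits are
hypothetical; the point is that every field is checked for type, shape and
range, and unknown fields are rejected rather than passed along."""
import re
from typing import Dict, List, Tuple

# Allowlist patterns: describe exactly what a well-formed value looks like.
# Anything else, including quotes, separators or control characters, fails.
CUSTOMER_ID_RE = re.compile(r"[A-Z]{2}[0-9]{6}")
HOSTNAME_LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
TLD_RE = re.compile(r"[a-z]{2,63}")
MAX_QUANTITY = 1000
EXPECTED_FIELDS = {"customer_id", "quantity", "callback_host"}


def is_valid_hostname(value: str) -> bool:
    """Accept only a dotted hostname made of valid DNS labels (RFC 1123 shape)."""
    if not 1 <= len(value) <= 253 or value != value.strip():
        return False
    labels = value.lower().split(".")
    if len(labels) < 2:
        return False
    *inner, tld = labels
    return all(HOSTNAME_LABEL_RE.fullmatch(l) for l in inner) and TLD_RE.fullmatch(tld) is not None


def validate_order(payload: Dict[str, object]) -> Tuple[bool, List[str]]:
    """Return (ok, errors). ok is True only when every field is well-formed."""
    errors: List[str] = []

    # Unknown keys are refused outright: extra fields are a common way to
    # smuggle data into back-end logic that never expected them.
    unknown = set(payload) - EXPECTED_FIELDS
    if unknown:
        errors.append("unexpected fields: " + ", ".join(sorted(unknown)))
    for name in sorted(EXPECTED_FIELDS - set(payload)):
        errors.append(f"{name}: missing")

    # customer_id: fixed shape, checked with fullmatch so nothing can trail it.
    cid = payload.get("customer_id")
    if "customer_id" in payload and (not isinstance(cid, str) or not CUSTOMER_ID_RE.fullmatch(cid)):
        errors.append("customer_id: malformed")

    # quantity: must be a real int (bool is a subclass of int, so exclude it)
    # within a business-sensible range.
    qty = payload.get("quantity")
    if "quantity" in payload and (
        isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QUANTITY
    ):
        errors.append("quantity: must be an integer between 1 and %d" % MAX_QUANTITY)

    # callback_host: hostname only, never a free-form string that reaches a shell or DNS call.
    host = payload.get("callback_host")
    if "callback_host" in payload and (not isinstance(host, str) or not is_valid_hostname(host)):
        errors.append("callback_host: not a valid hostname")

    return (not errors, errors)


if __name__ == "__main__":
    # Constructed sample requests, one well-formed and several malformed.
    samples = [
        {"customer_id": "AB123456", "quantity": 5, "callback_host": "orders.example.com"},
        {"customer_id": "AB123456'; --", "quantity": 5, "callback_host": "orders.example.com"},
        {"customer_id": "AB123456", "quantity": "5", "callback_host": "orders.example.com"},
        {"customer_id": "AB123456", "quantity": 5, "callback_host": "orders.example.com;id"},
        {"customer_id": "AB123456", "quantity": 5, "callback_host": "orders.example.com", "role": "admin"},
    ]
    for s in samples:
        print(validate_order(s))
```

The design choice worth noting is that the checks are allowlists (what a value must look like) rather than denylists (characters to strip). A denylist has to anticipate every encoding trick; an allowlist only has to describe the legitimate format, so a new attack technique fails validation by default.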
One of the most problematic weaknesses in our systems is simply poorly written software. Software that isn't designed to assume it will be attacked -- and that isn't taking advantage of state-of-the-art mechanisms that harden it against attack -- makes for easy exploitation. Unfortunately, that represents most of the software running our critical infrastructure, much of which was crafted before cybersecurity was an important consideration.
The Stuxnet virus attack uncovered last year, believed to have been targeting Iranian nuclear facilities, graphically demonstrates these common flaws. Computers were infected by malicious code, believed to have been created by Israel, possibly with the help of the United States, that destroyed the centrifuges used in Iran's uranium enrichment program. The same or similar software that was attacked is used to run much of the infrastructure in our country.
Another concern is critical infrastructure systems that are connected to the Internet, either directly or indirectly, creating an electronic pathway from attackers to the computers they want to compromise. Such computers should be "air gapped" instead -- placed on separate, isolated networks.
Finally, a lack of network monitoring and intrusion-detection software lets an attacker's presence go undetected. Many of the breaches that have been recently disclosed weren't discovered for months or, in some cases, years -- allowing the attacker to extract unknown amounts of data. A recent report by the technology security company McAfee revealed that malicious software had been sitting in the network of the United Nations for a year before being discovered. And Stuxnet spread for a year before an antivirus company happened to stumble across it.
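The monitoring gap described above is concrete enough to illustrate. The following is an added example, not code from the article, of one detection that network monitoring makes possible: implanted software that phones home tends to connect to the same outside address at a regular interval, and that regularity stands out in outbound connection logs even when each connection looks harmless on its own. The log format and the addresses are constructed for the example and do not come from any incident the article mentions:

```python
"""Added example (not from the article): spotting periodic outbound
connections ("beaconing") in a constructed connection log. The log format,
hosts and addresses are invented for illustration; the addresses come from
the RFC 5737 documentation ranges."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Hypothetical one-line-per-connection format: ISO timestamp, source, destination, bytes.
LOG_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)")

# Constructed sample log. 10.0.0.5 talks to 203.0.113.9 every five minutes,
# give or take a few seconds; the other traffic is irregular.
CONSTRUCTED_LOG = """\
2011-09-01T00:00:00 src=10.0.0.5 dst=203.0.113.9 bytes=512
2011-09-01T00:00:10 src=10.0.0.7 dst=198.51.100.3 bytes=40210
2011-09-01T00:01:00 src=10.0.0.7 dst=198.51.100.3 bytes=1200
2011-09-01T00:05:02 src=10.0.0.5 dst=203.0.113.9 bytes=498
2011-09-01T00:07:30 src=10.0.0.7 dst=198.51.100.3 bytes=8800
2011-09-01T00:08:00 src=10.0.0.7 dst=198.51.100.3 bytes=300
2011-09-01T00:10:01 src=10.0.0.5 dst=203.0.113.9 bytes=520
2011-09-01T00:12:00 src=10.0.0.5 dst=192.0.2.10 bytes=2048
2011-09-01T00:14:59 src=10.0.0.5 dst=203.0.113.9 bytes=505
2011-09-01T00:20:00 src=10.0.0.5 dst=203.0.113.9 bytes=511
2011-09-01T00:20:00 src=10.0.0.7 dst=198.51.100.3 bytes=77000
2011-09-01T00:21:45 src=10.0.0.7 dst=198.51.100.3 bytes=150
2011-09-01T00:25:03 src=10.0.0.5 dst=203.0.113.9 bytes=499
2011-09-01T00:29:58 src=10.0.0.5 dst=203.0.113.9 bytes=503
2011-09-01T00:35:01 src=10.0.0.5 dst=203.0.113.9 bytes=515
2011-09-01T00:40:00 src=10.0.0.7 dst=198.51.100.3 bytes=4100
2011-09-01T00:41:00 src=10.0.0.5 dst=192.0.2.10 bytes=1900
"""

Record = Tuple[datetime, str, str, int]


def parse_log(text: str) -> List[Record]:
    """Parse the constructed format; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.fullmatch(line.strip())
        if m:
            records.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["bytes"])))
    return records


def find_beacons(records: List[Record], min_events: int = 6, max_cv: float = 0.1) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Flag (src, dst) pairs whose connection intervals are nearly constant.

    A pair is reported when it has at least min_events connections and the
    coefficient of variation (stdev / mean) of the gaps between them is at
    most max_cv. Human-driven traffic is bursty and scores far above that.
    """
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)

    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[pair] = {"events": len(stamps), "mean_interval": avg, "cv": cv}
    return flagged


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(CONSTRUCTED_LOG)).items():
        print(f"{src} -> {dst}: {info['events']} connections every ~{info['mean_interval']:.0f}s (cv={info['cv']:.3f})")
```

The thresholds are deliberately simple; a production detector would also look at payload sizes, destination reputation and time of day, and would need a baseline so that legitimate schedulers (backups, update checks) are not reported every run. The point is that none of this is possible without the connection logs in the first place, which is the gap the paragraph describes.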
Since 9/11, there's been an increased emphasis on protecting critical infrastructure from physical attack. But while we've long recognized that the computerization of these systems makes them vulnerable, we've done little to defend them. The Department of Homeland Security is charged with ensuring the cybersecurity of our critical infrastructure, but it has little authority for dictating security policy to private industry.
With the high-profile cyber-incidents in the first half of the year, Congress has a heightened awareness of the risks, and it's considering legislation for more rigorous disclosure of cyberbreaches. There are many other initiatives under review by various committees. Yet the proposed legislation doesn't go far enough. Without focusing on the specific problems that make our infrastructure vulnerable, we won't make progress.
The current proposals for partnership between the public and private sectors won't achieve the desired results in a timely way -- if ever. Implementing security measures costs money and requires expertise. The private sector has no incentive to voluntarily implement those policies. Congress must pass legislation that directs and empowers the Department of Homeland Security to institute cybersecurity policies that apply to all companies delivering critical infrastructure services. DHS must not only be able to define standards, but mandate the schedules by which they're enforced, auditing requirements, and the penalties for lack of compliance.
Regulation is a difficult pill for any industry to swallow -- particularly in tough economic times -- but there are examples where the government has been largely successful at using it to ensure public safety without undue burden on the sectors it governs. Though they've been used as political footballs lately, the Environmental Protection Agency and Food and Drug Administration have effectively protected parts of our critical infrastructure through regulation.
It's time we treat threats to cyberspace with the urgency they deserve.