Talk:The Changing Internet: Cybersecurity

From Internet Law Program 2011
Jump to navigation Jump to search

Student Response Michael Adelman, Ona Balkus, Justin Tresnowksi, and Michael Redding

The session on cybersecurity led by Professor Zittrain of Harvard Law School was held on Wednesday, September 7, 2011 at 10:30am. After a brief preamble reviewing the online commenting tools available to iLaw participants, Professor Zittrain delievered his “primarily expository” talk on the state of cybersecurity. Professor Zittrain began by delineating two categories of discussion within the realm of cybersecurity. He described the first as the “Important but Uninteresting”. This category encompasses the type of catastrophic cyberattack dramatized in movies such as Live Free or Die Hard whereby a cyberattack causes both physical structural damage (i.e. by taking down automobile traffic management networks) and financial / personal damage (i.e. deletion of credit card records). These attacks would by typified by an attack on SCADA (Supervisory Control And Data Acquisition) systems which control our power plants, water treatment, oil and gas pipelines, etc. But other than the Stuxnet virus (further described below) there have been few such attacks and the “in-a-bubble” nature of most of these SCADA networks makes it difficult to execute such attacks. And those vulnerable are already taking some actions to enhance their security i.e. military installations putting rubber cement in the USB ports of their computers.

There have also been turf wars over who will be the cyberwarriors responsible for cybersecurity. Professor Zittrain recounted the US Airforce’s push to become the defenders of Cyberspace with the Air Force Cyber Command. But even after years of effort and funding, the Air Force was limited to creating a reduced Cyber Command, which is currently far from dominant in the field. Professor Zittrain then moved on to the cybersecurity issues which he described as not quite important, but more intellectually engaging. In essence, regular computer users today are vulnerable to the “Princess and the Pea” problem. Like the fairy tale, where only the princess can discern the pea buried under layers of mattresses, only the rare power-user can discern malicious code running on their computer among the many processes running in the background with names like “SystemUIServer”.

Further anecdotes included the example of the url shortening service, which until recently routed traffic through Libya’s top-level domain. Another example was a letter Professor Zittrain’s received from American Express, which alerted him that his credit card information may have been compromised, but provided no further detail or instructions other than to “remain vigilant” for 12-24 months.

Nor are the experts ever free to consider themselves secure and protected. A comical yet chilling example is provided by HBGary, a computer security firm that attempted to boost its profile by outing members of the hacking collective Anonymous. Anonymous’s response overwhelmed HBGary’s security, and resulted in the publication of HBGary’s corporate email archives and the takeover of HBGary’s website, among other embarrassing humiliations. But then, even the highly skilled members of Anonymous had their own IRC channel and other means of communication compromised. Professor Zittrain then reduced these notable incidents into an overarching conundrum: The Internet’s openness and generativity are also the source of all its security concerns. How to resolve this conundrum was left for another session. Complementing the class discussion, Kim Zetter’s article “How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History” and Michael Gross’ “A Declaration of Cyber-War” tell the suspenseful story of how computer programmers and anti-hacking experts around the world discovered and broke through the complex coding of malware that was successfully hindering the Iranian uranium enrichment program. Stuxnet was unique in a few notable ways in terms of its design and impact.

First, Stuxnet could be transferred into a computer system through one USB stick, that transferred the encrypted code into a computer, which then transferred the virus to other computers that shared printers, planners, and other internal communication tools. While most malware is designed to spread through the internet, Stuxnet was designed to infect a specific community of linked computers, such as within an organization or factory.

The investigators soon discovered that Stuxnet was also unique in its disproportional effect on computers in Iran and little impact in the United States and South Korea, countries normally affected by malware. The isolated impact of this complex and neatly designed virus suggested that Stuxnet was created by a well-funded organization or government agency specifically interested in damaging computer programming in Iran.

Lastly, Stuxnet is unique in that it was the first instance where anti-hacking experts saw malware used for physical sabotage: “physically destroy something in the real world.” Stuxnet was a type of malware that affected programs that drive motors, valves and switches, and in this instance sped the rate at which centrifuges installed at Natanz, a nuclear enrichment plant in Iran, operated and therefore had to be replaced.

While the investigators eventually went public with their findings and Stuxnet ceased its operations, Stuxnet remains a central example of the potential for malware to hinder or break down the central operations of a country’s infrastructure. Similar malware could be used to obstruct energy production, clean water production, traffic lights, and other essential services. This highlights the importance of government investment in cybersecurity efforts as an integral part of national defense and discussions addressing cybersecurity on the international stage in negotiations and collaboration.

An additional article, “Anonymous speaks: the inside story of the HBGary attack,” documented how the hacker group infiltrated the security firm HBGary counterpart HBGary Federal. In response to a claim by HBGary’s CEO Aaron Barr that he could and would unmask a particular Anonymous member, the collective fought back tooth and nail. Breaking into HBGary’s servers, Anonymous created a searchable database of the entire company’s emails. Further, the website was shut down completely and their data was destroyed.

First, Anonymous determined the number of characters in certain passwords, which were recorded as hashes instead of characters. Then, using a combination of rainbow tables and “salting,” techniques that have been developed by hackers over the last decade to create databases of likely passwords based on the number of characters, Anonymous was able to work backward from the hashes to determine the actual password characters. Making the process easier, two senior officials - CEO Aaron Barr and COO Ted Vera - used very simple passwords: six lowercase letters with two numbers. Not only that, they used these passwords for a number of different systems - email, twitter, etc. - compromising much of their personal data and leaving it susceptible to Anonymous.

Once into Barr’s email - an administrator account - it was only a matter of time and email trickery before Anonymous could take down the entire HBGary system. The amazing thing about the infiltration was the carelessness of HBGary, a purported security firm. Their officials used very simple passwords, used the same password in multiple places, and their security officials emailed out passwords and usernames. Anonymous’s attack was not complex - they merely exploiting the human vulnerabilities of HBGary, albeit efficiently and cleverly.

The discussion provoked a number of questions, such as:

1. To what extent are cybersecurity breaches the result of laziness and to what extent would these breaches occur regardless of individuals’ vigilance?

2. If the proper response to cybersecurity threats is greater regulation, how should that regulation balance security concerns with preservation of the Internet’s generative power?

3. In addition, if regulation is required, who should do the regulating?