In The Crossfire: Critical Infrastructure in The Age of Cyber War
Authors:
Stewart Baker, distinguished visiting fellow, CSIS; partner, Steptoe & Johnson
Shaun Waterman, writer and researcher, CSIS

Contents: Introduction; The Threat is Real; Responding to the Threat—Resources and Preparedness; Acknowledgements
Introduction and Background of the Study
In an ever more networked world, the cyber vulnerabilities of critical
infrastructure pose challenges to governments and owners and operators
in every sector and across the globe.
With the global economy still fragile after last year’s financial crisis, assuring the integrity and availability of key national industries may fall out of focus as a government priority, but will remain a key determinant of strategic vulnerability.

Six hundred IT and security executives from critical infrastructure enterprises across seven sectors in 14 countries all over the world anonymously answered an extensive series of detailed questions about their practices, attitudes and policies on security—the impact of regulation, their relationship with government, specific security measures employed on their networks, and the kinds of attacks they face.

Critical infrastructure owners and operators report that their IT networks are under repeated cyberattack, often by high-level adversaries. The impact of such attacks is often severe, and their cost is high and borne widely.

Although executives generally report satisfaction with the resources they have for security, recession-driven cuts have been widespread and sometimes deep. And there is concern about how well-prepared critical infrastructure is to deal with large-scale attacks.

By gathering details on the actual security measures that organizations adopted, we were able to make an objective comparison of security in different critical infrastructure sectors, and in different nations. The executives with responsibility for operational or industrial control systems were also asked a series of special questions about the security measures employed on those systems.

Executives in China reported by far the highest rates of adoption of security measures including encryption and strong user authentication. Among sectors, water/sewage executives reported the lowest rate of adoption of security measures.

Broken down by sector and by nation, the survey data reveals significant variations in attitudes to and reports about regulation and other government activity. Executives in India reported the highest levels of regulation, closely followed by China and Germany. Executives in the United States reported the lowest levels. Views about the impact and effectiveness of regulation varied widely, but overall most agreed that they improve security.

A majority of executives believed that foreign governments were already involved in network attacks against their country’s critical infrastructure. The United States and China were seen as the most worrisome potential cyber aggressors, but attribution challenges in cyberspace give all attackers “plausible deniability.”

Methodology

The survey data gathered for this report paints for the first time a detailed picture of the way those charged with the defense of critical IT networks are responding to cyberattacks, attempting to secure their systems and working with governments.

A team from the Technology and Public Policy Program of the Center for Strategic and International Studies in Washington, DC analyzed the data, supplemented it with additional research and interviews, and wrote this report.

The respondents are executives who have IT, security or operational control systems responsibilities with their organization. About half said they had responsibility for such functions at a business unit level, with a quarter reporting their responsibilities were at the global level.

The survey was not designed to be a statistically valid opinion poll with sampling and error margins. It is rather a rough measure of executive opinion, a snapshot of the views of a significant group of decision-makers.1

The CSIS team used interviews to provide context, background and verification for the survey data—adding detail to the picture of regulatory environments and threat/vulnerability levels across all seven sectors in each country, and discussing best practices. Many interviewees declined to be quoted by name, some declined to be named or quoted at all. All those who agreed to be identified are thanked in the acknowledgements.
The Threat is Real
Networks and control systems are
under repeated cyberattack, often
from high-level adversaries like foreign
nation-states.
Bad as all this is, respondents believe the situation will get worse not
better in the future.
Serious cyberattacks are widespread

More than half of the executives surveyed (54 percent) said they had experienced “Large-scale denial of service attacks by high level adversary like organized crime, terrorists or nation-state (e.g. like in Estonia and Georgia).” The same proportion said they had been subject to “stealthy infiltration” of their network by such a high-level adversary “e.g. like GhostNet”—a large-scale spy ring featuring individualized malware attacks that enabled hackers to infiltrate, control, and download large amounts of data from computer networks belonging to non-profits, government departments and international organizations in dozens of countries.

A hefty majority (59 percent) believed that representatives of foreign governments had already been involved in such attacks and infiltrations targeting critical infrastructure in their countries.
In 2007, McAfee’s annual Virtual Criminology Report concluded that 120 countries had, or were developing, cyber espionage or cyber war capabilities. Authorities in the UK and Germany have warned critical industries in the private sector that their networks are the targets of foreign intelligence intrusions. In the United States, extensive press reporting has revealed intrusions by foreign intelligence agencies, often attributed to China, aimed at the defense manufacturing and power sectors in particular.

“There are absolutely foreign entities that would definitely conduct [cyber] reconnaissance of our power infrastructure,” said Michael Assante, chief security officer of the North American Electric Reliability Corporation. “They would be looking to learn, preposition themselves to get a foothold and try to maintain sustained access to computer networks.”

Attacks are frequent and their impact is severe

Nearly one-third (29 percent) of those surveyed reported suffering large-scale DDOS attacks multiple times each month, and nearly two thirds (64 percent) of those said such attacks “impacted operations in some way.”

Distributed denial of service (DDOS) attacks use networks of infected computers—often owned by individuals or organizations who do not even know they have been compromised—to bombard target networks with millions of fake requests for information over the Internet. DDOS attacks are conducted by “robot networks”—or “botnets”—of computers infected by specially written malicious software, known as malware.

In today’s network environment, DDOS attacks are technically easier to detect and tamp down, and most Internet Service Providers (ISPs) offer such mitigation to their clients—for a price.

“Generally ISPs very much have the mentality that we just haul traffic,” said Adam Rice, chief security officer of Tata Communications, the world’s largest wholesaler of internet service. “If you pay for the [mitigation] service, we’ll kill [a DDOS attack] before it gets to you, but otherwise providers tend to watch it go by.”

By acting together, he said, the “tier one providers”—who own and operate the backbones of the global Internet—could do much more technically to mitigate such attacks.

The problem, as other experts pointed out, is that such mitigation activities could be complicated by regulatory and contractual concerns, unless the law provided safe harbor provisions for companies intercepting and diverting DDOS traffic. Moreover, providers who operated in more than one national market might face competing or even contradictory legal obligations in different jurisdictions.
Nearly two-thirds of those
experiencing large-scale DDOS
attacks said their operations
had been affected.
Theft and other monetary motives are common

Sixty percent of those surveyed reported theft-of-service cyberattacks, with nearly one in three reporting multiple attacks every month.

Victimization rates were highest in the oil/gas sector, where three quarters of respondents reported theft-of-service attacks. The oil and gas sector also reported the highest rates of stealthy infiltration—71 percent, as opposed to 54 percent of respondents overall, with more than a third reporting multiple infiltrations every month.

In general, however, the variations between victimization rates were wider between countries than between sectors, suggesting that national factors are more significant than sector or industry specific ones in determining attack rates.

Some countries suffer much more frequent cyberattacks than others

In India and France, more than half of executives reported multiple large-scale DDOS attacks every month. Spain and Brazil also had high multiple victimization rates.2

“DDOS attacks are very common in Brazil, as they are everywhere else in the world,” said Achises De Paula, an iDefense Labs analyst based there, adding that ISPs were becoming better at managing them.

“DDOS attacks are growing in popularity and increasingly cheap and easy to do,” said Rice. “You can rent a botnet to do a DDOS attack… using your credit card within a couple of hours.”

All sectors face DDOS attacks

The sector variations in large-scale DDOS attacks were much smaller than those between countries, perhaps reflecting the greater significance of national as opposed to industry specific factors in determining victimization rates. The most victimized sector was oil and gas, where two thirds of executives report such attacks, with one third reporting multiple attacks a month. The least victimized sectors for this kind of attack were water/sewage, where only 43 percent reported them and transportation (50 percent).

Impact of attacks is severe and varies across sectors

Nearly two-thirds of those experiencing large-scale DDOS attacks reported that these had affected their operations in some way. Such attacks do not just make public web sites inaccessible. They can affect email connectivity, Internet-based telephone systems and other operationally significant functions.
Web of Extortion

One-in-five critical infrastructure entities reported being the victim of extortion through cyberattack or threatened cyberattack within the past two years. This striking data was consistent with the anecdotal accounts of experts from several different countries and sectors; indeed, some suggested the real figure might be even higher. Most such cases go unpublicized if not altogether unreported, they said, because of reputational and other concerns by the victim company.

Victimization rates were highest in the power (27 percent) and oil and gas (31 percent) sectors.

“I am very worried about extortion as it relates specifically to power system interruption,” said Assante. He called threats against company networks “lower level” extortion—“the safest way to pull money under the radar and off the books at a level that is not that material.” Threats against the infrastructure itself were much more serious. “If you take that to ‘hey I can make the lights go out,’ then you’re talking about a whole different situation. It’s probably a lot higher risk for the extortionist, but you could demand a whole lot more money.” In November 2009, there were reports in the U.S. media that two power outages in Brazil, in 2005 and 2007, had been caused by hackers, perhaps as part of an extortion scheme.

In September 2009, Mario Azer, an IT consultant for Long Beach, Calif.-based oil and gas exploration company Pacific Energy Resources pled guilty to tampering with computer systems after a dispute with the firm about future employment and payment. He interfered with specially built industrial control software called a Supervisory Control And Data Acquisition (SCADA) system—in this case one designed to alert operators to leaks or other damage to the miles-long undersea pipelines connecting the company’s derricks to the shore.

While the water/sewage sector had a lower rate of victimization (17 percent) the potential impact of extortion schemes is nonetheless felt very keenly in that sector.
[Figure: Percentage reporting extortion using network attack or the threat of it in the past two years, by country]
[Figure: Who would bear the costs of a major cyber incident in your sector, by country. Series: Insurance; Government bailout; Ratepayers/customers]
The average estimated cost of 24 hours of down time from a major cyberattack was U.S. $6.3 million.

These expectations may turn out to be optimistic. In the future, one expert suggested, they are likely to change—driven by increasing efforts on the part of corporations to limit their liabilities as the costs of cyberattacks mount.

“In Australia [the consumer] has been fortunate to date, in that this has always been someone else’s problem,” said Ajoy Ghosh, a Sydney-based security executive with Logica. “If I’m an individual and I’m the victim of a phishing attack… I know that the bank is going to refund my money… I can see a situation in the future where that’s going to be flipped around and it will be my problem.”

Ghosh, a lecturer in cybercrime at the University of Technology in Sydney, said that as corporations sought to limit their liabilities “the only way they can do that is by making it someone else’s problem. Sometimes that someone else is going to be the government, sometimes it’s going to be the insurer, but more often than not, I suggest, that someone else is going to be the consumer.”

The risk of cyberattacks is rising

The situation is becoming worse not better. By nearly two to one, those who said the vulnerability of their sector to cyberattacks had increased over the past year outnumbered those who said it had decreased (37 percent, as opposed to 21 percent).

Remarkably, two-fifths of these IT executives expected a major cybersecurity incident (one causing an outage of “at least 24 hours, loss of life or… failure of a company”) in their sector within the next year. All but 20 percent expected such an incident within five years. This pessimism was particularly marked in the countries already experiencing the highest levels of serious attacks.
Responding to the Threat—
Resources and Preparedness
Cuts in security resources as a result
of the recession are widespread. Making
the business case for cybersecurity
remains tough.
Resources are generally considered adequate

IT executives generally believed they had adequate resources to protect their organization’s computer networks. Nearly two-thirds of those surveyed said their resources were either “completely” or “mostly” adequate. Just over a third said their resources were “inadequate” or only “somewhat adequate.”

Some countries and sectors were less satisfied than others

The number who said resources were adequate was lowest in Italy, Japan and Saudi Arabia; and highest in Germany, the UK, and Australia. Banking respondents were generally the most satisfied with their resources, transportation/mass transit the least.

Recession-driven cuts in resources are widespread and in some cases deep

Two-thirds of the IT executives surveyed said there had been cuts in the security resources available to them as a result of the recession. One in four said those cuts had reduced their resources by 15 percent or more. Energy and oil/gas were the sectors with the most widespread cuts, with up to three-quarters of respondents reporting reductions. Cuts were most widespread in India, Spain, France and Mexico; and least widespread in Australia.

Security is a key factor in investment decisions

Even in a recession, security is still the top factor in making IT investment and policy decisions. In making IT investment and policy decisions, 92 percent said security was either “vital” or “very important.” Nearly as many, 91 percent, said the same of reliability. The other two factors the survey asked about, efficiency and availability, were said to be vital or very important by three quarters of the executives.

Executives in China and the United States were the most likely to call security “vital.”
Confidence in preparedness is variable

Nearly a third of the IT executives surveyed said their own sector was either “not at all prepared” or “not very prepared” to deal with attacks or infiltration by high-level adversaries. Among those who had actually experienced such attacks, this lack of confidence rises to 41 percent.

But there were significant variations between nations. In Saudi Arabia, a remarkable 90 percent said that their sector was unprepared (either “not at all prepared” or “not very prepared”). In most countries, those who had suffered high-level attacks tended to be more pessimistic about preparedness, with 68 percent of Indian victims and 75 percent of Mexican victims saying their sector was unprepared for them.

The countries where executives were the most confident about their preparedness for high-level attacks were Germany (78 percent) and the UK (64 percent).

Beyond high-level DDOS, executives generally rated their sectors as better prepared against other forms of attack, with roughly only one in four saying their own sector was unprepared against them.

Across the whole range of threats, those in the United States, the UK and Australia consistently ranked their sectors the highest for preparedness. All of these countries have high-profile programs of government outreach to critical infrastructure owners and operators.

Doubts about whether banking and phone systems can withstand attack

IT executives were also doubtful about the ability of their own critical infrastructure providers to offer reliable service in the event of a major cyberattack. Thirty percent lacked confidence that their bank or other financial service provider could. And 31 percent had the same doubts about their telecom provider. Confidence in the resilience of the banking system was lowest in some European countries: Italy, France and Spain.
During the DDOS attacks against Estonia in 2007, many of the country’s banks had their Web sites knocked off-line, though they said afterwards that operational systems were not compromised.

Security specialists from different sectors and countries agreed that banking and financial services tend to have higher levels of security. But they also have the “Willie Sutton problem”—when asked why he robbed banks, Sutton apocryphally replied “because that’s where the money is”—financially motivated cyberattackers will always be drawn to that sector.

The level of confidence about government services was higher than for most sectors. Even so, only 37 percent of respondents were confident their government could continue to deliver services in the face of a major cyberattack. Confidence in government was lowest in Saudi Arabia, highest in China.
[Figure: Confidence that banking and financial services could withstand a major cyberattack. Panels: Total; France]
Countering the Threat—
Security Measures
Basic, key security measures
are not widely adopted.
The other responses, taken question by question, reveal that some basic,
key security measures are not widely adopted.
And amalgamating this data shows which countries and sectors have
the highest and lowest adoption rate of these security measures overall.
This is not necessarily a measure of how “good” or “bad” security is in
a sector or country, but it does offer insights into security practices that
are based not on the subjective self-assessment of the respondents, but on the
objective rate at which key security measures are deployed.
Using this measure, China had the highest security adoption rate
overall—62 percent—well ahead of the United States, the UK and Australia,
the next highest rated countries, with 50–53 percent.
Italy, Spain and India had the lowest security adoption rates—all under
40 percent. The remaining countries—Japan, Russia, France, Saudi Arabia,
Mexico, Brazil and Germany—were all in the 40–49 percent range.
The sectors with the highest security adoption rates were banking and
energy. Water/sewage had the lowest rate of any sector.
[Figure: Security measure adoption rates reported by respondents, by country]
The Security Measure Adoption Rate (SMAR)

IT and security executives were asked about 27 different security measures: ten security technologies, six security policies, five different ways of using encryption, and six different modes of required authentication. The SMAR essentially quantifies how often executives said “yes” when asked if they employed a particular measure.

Every organization has its own security strategy, and different uses can be made of many of the measures executives were asked about. For this reason the SMAR cannot necessarily be taken as a gauge of how “good” or “bad” security is in a given sector or country. But it does enable comparative judgments about the rate at which different sectors and nations have adopted key security measures. It is a rough measure, because every security technology, practice or policy is given the same weight, no matter how effective it is, but it is objective.

Chinese executives reported far and away the highest security adoption rate—62 percent

They reported higher levels of adoption than any other country of every kind of security measure. The United States, with a 53 percent adoption rate, and Australia and the UK, with 51 and 52 percent respectively, were the countries with the next highest rates after China.

Italy, Spain and India had the lowest overall adoption rates—all fewer than 40 percent. The remaining countries—Japan, Russia, France, Saudi Arabia, Mexico, Brazil and Germany—were all in the 40–49 percent range.

Do higher security adoption levels reduce the risk of successful attacks?

This is a critical question, but the answers provided by the survey are mixed. On the one hand, China, with its high rate of security measure adoption, does have a victimization rate that is lower than countries at the bottom of the security adoption rate scale like India. Other data also suggest that nations with lower adoption rates may suffer in various ways. McAfee’s global threat intelligence division, for instance, monitors malicious electronic traffic from compromised computers recruited into botnets after becoming infected. According to that data, India, the nation with the lowest rate of security measure adoption, tops the charts for malicious traffic in Asia—producing more than Russia and China combined.

On the other hand, China’s overall security record is not noticeably better than the record of many other countries with much lower security adoption rates. China is not notably free from high-level attacks, nor do Chinese respondents rate themselves as being much better prepared than other nations.

Some key measures are not widely adopted

The least widely adopted security technology was application white-listing, implemented only by fewer than one-fifth (19 percent) of organizations on both SCADA/ICS and IT networks. Other more advanced security technologies like Security Information and Event Management systems, and role and anomaly detection tools, were employed by 43 and 40 percent respectively.

Experts said that the benefits of some newer tools might not be well understood in the marketplace, or might be only suitable for larger enterprises.

But some much more basic measures were not widely implemented either. Only 57 percent of executives overall said their organization patched and updated software on a regular schedule. Regular patching was most widely reported in Saudi Arabia (80 percent) Russia (77 percent) Australia (73 percent) and least common in Brazil (37 percent).

And only one third of executives reported that their organization had policies “that restrict or ban the use of USB sticks or other removable media.” Apart from the risk that data may be downloaded, stolen and smuggled off the premises, such media—even when used without ill intent—can easily spread viruses and other malware, even across systems that are firewall-protected. Bans on USB sticks and other such media were most widely adopted in Saudi Arabia (65 percent) and Russia (50 percent). They were most rare in Spain (13 percent) and Brazil (20 percent).

Other measures are more common

The most widely adopted security measure overall was the use of firewalls between private and public networks, which 77 percent reported using (65 percent for SCADA or ICS systems).

Threat-monitoring intelligence services are most widely adopted in India (57 percent) China (54 percent) and Japan (54 percent), while they are used least in Saudi Arabia (20 percent) Russia (23 percent) and Italy (20 percent).

Wide variations in the use of encryption

As with almost all adoption rates, China led in the use of encryption. The one exception was the use of encryption to protect data on CDs or other removable media, where China’s 48 percent adoption rate trailed the 56 percent rate in the United States and the 54 percent rate in Japan and the UK. India had lower than average adoption rates for five out of six uses of encryption. Italy and Spain also had generally below average adoption rates for encryption.

Water/sewage sector lags in adoption rates

The sectors with the highest overall adoption rates were banking/financial services and energy, each with 50 percent. Water/sewage had the lowest sector rate, 38 percent. Other sectors were all in the 40-plus range.

The water/sewage sector also had the lowest adoption rate for security measures protecting their SCADA/ICS systems, perhaps because the sector also had the lowest levels of SCADA connections to IP networks, with only 55 percent reporting such connections, in contrast to 76 percent overall.

When considering this data, the small number of water sector executives amongst those with SCADA/ICS systems responsibilities—only 11 out of 143—needs to be noted.
Eighty percent reported SCADA systems
were connected to IP networks or the
Internet, despite the risks involved.
The “State of Nature”
and the Role of Government
IT executives rank the United States as
the country “of greatest concern” in the
context of foreign cyberattacks.
[Figure: Percentage believing current law in their country is inadequate against cyberattackers, by country]
Doubts about the ability of government and law to deter attackers

More than half of all the executives surveyed thought their nation’s laws were inadequate to deter cyberattacks. More than three quarters of Russians held that view, as did large majorities in Mexico and Brazil. Germans had the most faith in their national laws as a deterrent, followed by France and the United States.

There were also doubts in some of those same countries about the capabilities of governments to prevent and deter attacks. A startling 45 percent believed their governments were either “not very” or “not at all” capable of preventing and deterring cyberattacks. In countries like Brazil and Italy, two-thirds or more thought that their governments were either “not very” or “not at all” capable. Mexico, Saudi Arabia, Germany and Spain also had majorities with negative views about their government’s capabilities. In the United States, in contrast, only 27 percent of executives deemed the government not capable or not very capable; in China, the “no confidence” vote was almost as low at 30 percent.

“Right now, the sheriff isn’t there,” said retired Gen. Michael Hayden, who recently ended a long career as a senior U.S. intelligence official as the director of the CIA, saying cyberspace was like the Wild West of legend. “Everybody has to defend themselves, so everyone’s carrying a gun.” But in the cyber domain that was like expecting each citizen to organize their own national defense. “You wouldn’t go to a post office and ask them how they’re tending to their own ballistic missile defense… but that is the equivalent of the current set-up in cybersecurity,” Hayden said.

Most believe that government regulation is improving security

Many experts agreed that governments need to do more to improve cybersecurity for critical infrastructure, but the record so far is decidedly mixed—there are many different approaches, their impact is uneven, and IT executives in different countries viewed them with widely variable enthusiasm.

Overall, 86 percent of executives reported that their cybersecurity was in some way subject to law or government regulation. Nearly three-quarters, 74 percent, said their organization had “implemented new policies, procedures, best
China is a leader in government engagement with industry

Overall, just under half, 49 percent, of IT and security executives reported being audited by a government agency for compliance with cybersecurity laws or regulations. But there were large variations between auditing rates in different countries. Rates were far and away the highest in China (83 percent) and next highest in Saudi Arabia (73 percent). Brazil, Australia and France all reported audit levels above 50 percent. Rates of audit were lowest in Russia (30 percent) and Spain (32 percent).

Chinese executives also reported a high level of regulatory and legislative activity by government, with 92 percent saying they were subject to it, tied with Germany as the second highest rate for any country except India, 97 percent.

The country where executives reported the lowest levels of regulatory activity was the United States, where 72 percent of executives said they were subject to regulation of their cybersecurity, compared to 86 percent overall.

The United States is seen as a model

Perhaps for this reason, IT and security executives most frequently identified the United States as the one country other than their own that they looked to as a model for cybersecurity, with 44 percent seeing the United States in that light. The next most popular national models are Germany (22 percent) and the UK (18 percent). The U.S. model was especially salient in China (78 percent) and Mexico (72 percent). Its popularity was lowest in Germany (31 percent).

Interview data suggested that the salience of the U.S. model may have more to do with the amount of attention the press and high-profile officials have paid to U.S. efforts in the area than to the way the U.S. government is set up to deal with the issue—few nations seem to be emulating the United States in this regard.

Sources of doubt about the value of regulation

There is clearly widespread concern among executives about the impact of regulation and legislation. This is perhaps unsurprising; using survey responses to determine attitudes to regulation can be problematic. Few business executives ask for more regulation. But several key points emerged.

Interviewees identified three areas of particular concern:

• Lack of faith in the understanding officials have about the way a sector works.

• The possibility that clumsy regulation can “level-down” security in very diverse sectors.

• The risk that mandatory disclosure of security incidents—for example the compromise of personal data—can drive policy and resources in counter-productive directions.

Doubts are notably widespread in the water/sewage sector, where a massive 77 percent said law and regulation had either “diverted resources from improving security” or had no effect. Executives in the sector also had the lowest level of confidence in their government’s capabilities to prevent or deter cyberattacks.

One U.S. security specialist from the water/sewage sector said that regulatory demands were felt very acutely, especially by smaller concerns in a very diverse sector. “Our guys on the ground are getting into this… ‘feed the beast’ scenario”—chasing discrete regulatory requirements rather than planning for security in a coordinated fashion. “If you’re trying to keep a bunch of masters happy, that’s what drives people crazy. It eats up resources, and it really leaves it to the utility head [to decide] about how they’re going to manage risk.”

The specialist said he and his colleagues “often feel like we’re like the little step-child in the room,” at federal security forums where all the sectors were represented. “We often don’t get the same amount of respect, not on a personal level, but on a tactical and strategic level, that the other sectors get,” the specialist explained.

But the United States was also seen as one of the countries most vulnerable to cyberattack

Fifty percent of IT and security executives also identified the United States as one of the three countries “most vulnerable to critical infrastructure cyberattack in your sector”—ahead of any other country. China was the second most frequently named (34 percent), followed by Russia (27 percent).

Perceptions of U.S. vulnerability were especially widespread in China (where 80 percent listed it as one of the three most vulnerable nations), Mexico (73 percent), and Brazil and Russia (70 percent each).

China was seen as especially vulnerable by executives based in neighboring regions—with respondents from India (57 percent), Japan (56 percent) and Australia (43 percent) more likely than average to name it in the top three vulnerable nations.

Some experts suggested that the U.S. was seen as more vulnerable because it was more advanced—and more reliant than almost any other nation on computer networks. But others cautioned that U.S. vulnerability in this regard is not unique and can easily be overstated.

The United States and China are both seen as likely attackers in the cyber war

As noted in chapter one, a hefty majority of IT and security executives surveyed believe that foreign governments have already been involved in network attacks on their sector. When they were asked which country “you worry is of greatest concern in the context of network attacks against your country/sector,” 36 percent named the United States and 33 percent China—more than any other countries on a list of six (respondents were also offered the chance to specify a different answer). The next most frequently cited was Russia, a distant third at just 12 percent. None of the other three, the UK, France and Germany, topped six percent.

Different sectors tended to worry about different countries as potential attackers. Among executives in the government sector, for instance, China surpassed the United States as the biggest worry. Energy company executives worried most about Russia, while China and the United States ran neck and neck in the telecom sector.

“The aggressors we face [in Australia] are economic aggressors... it very much depends on the sector,” said Ghosh, the Australian security executive. “The mining sector sees China as more of a threat... In the defense sector, the competitors are Europe and United States.”

The United States was seen as the most worrisome potential aggressor by large majorities of executives in countries where broader suspicions of U.S. motives are common—China (89 percent), Brazil (76 percent), Spain (67 percent), Mexico (65 percent) and Russia (61 percent). But even in a traditional U.S. ally like Germany, 45 percent named it the top concern, while only 34 percent named China, even though Germany’s government has publicly rebuked China for conducting computer network intelligence operations on key national assets.

“That [result] might be less shocking than it seems,” observed Hayden. “It might simply be a reflection of the raw capabilities and frankly the raw size of U.S. intelligence agencies.” The U.S. government has also engaged in a series of public, drawn out and largely unresolved policy debates about how to organize its network defense and attack capabilities. This ongoing public discussion may have created “an echo chamber” for concern about U.S. capabilities, said Hayden.

Although the U.S. debate attracted much more media attention, Russian officials have also engaged this year in a series of legislative measures aimed at giving authorities greater freedom of action against perceived attacks and threats. A newly proposed law would give Moscow authority to define and respond to acts of cyber war. The new law “essentially says that if they can determine that they have been targeted by a government of another state in a cyberattack, of whatever kind, they can treat it as an act of war,” Kimberly Zenz, a Russia specialist at iDefense Labs, said.

Taken together, the new laws codify sweeping new powers for the Kremlin, she said. “If they do have a major incident, they can decide on their own who they think it was, and take action on their own at a very high level without needing any outside agreement or proof.”

China too has publicly disclosed information about its network warfare plans. A 2009 review of open source Chinese military literature by the U.S.-China Economic and Security Review Commission concluded that Chinese “campaign doctrine identifies the early establishment of information dominance over an enemy as one of the highest operational priorities in a conflict,” noting that a new strategy called “Integrated Network Electronic Warfare” appeared designed to fulfill this goal by integrating cyber and other electronic warfare techniques with kinetic operations.

Despite these discussions, there are clear limits to transparency. Both Russia and China, for instance, have faced—and flatly denied—well-documented accusations that they make common cause with nationalistic hackers. All three of these countries clearly intend to continue availing themselves to a greater or lesser extent of the strategic advantage that “plausible deniability” offers in cyberspace.

How can we move away from the “state of nature”?

As long as major governments desire unimpeded operational freedom in cyberspace, it will continue to be the Wild West. In the meantime, the owners and operators of the critical infrastructure which makes up this new battleground will continue to get caught in the cross-fire—and may indeed need what amounts to their own ballistic missile defense.

Improving Security in an Age of Cyber War

Some key security technologies remain underutilized

Authentication standards in particular need improvement, and the take up of biometric technology remains low. Network security increasingly depends on detecting and stopping users whose accounts show anomalous behavior or exceed a strictly defined set of privileges. And attackers are increasingly targeting users on an individual basis through phishing and other strategies. These developments mean that authentication of users and their privileges is growing in importance.

Yet over half of all executives (57 percent) said their organization employed only usernames and passwords to authenticate those logging in. The remainder used stronger authentication techniques, like biometrics or tokens, either singly or in combination. Overall, only 16 percent said they used biometrics—a low take-up rate some experts attribute to cultural resistance in many countries. Tokens were more than twice as popular. There are drawbacks, technical challenges and cost factors in the use of biometrics and tokens, said experts, and password/login combinations can vary greatly in effectiveness, depending on the strength of the passwords used and the encryption technology employed. But additional layers of security are clearly preferable to the simple use of usernames and passwords, which are often too easy to guess, steal or otherwise compromise.

Similarly, on a global basis, only about half of the executives reported using encryption routinely under most circumstances, although it was more common for online transmission of data, where 61 percent reported using it. This too seems low, especially as the use of mobile devices grows. Pamela Warren, a cybersecurity expert working for McAfee, believes that, “if you’ve got mobile devices and you have sensitive data on those devices, then you absolutely should be looking to encrypt that data.”

Vulnerabilities continue to expand

The increased use of IP networks for SCADA and other operational control systems creates unique and troubling vulnerabilities. Executives with SCADA/ICS responsibilities reported high levels of connections of those systems to IP networks including the Internet—even as they acknowledged that such connections create security issues. Sector experts expressed grave concern about the security implications of this development, and IT security specialists stressed the need to mitigate this threat.

Remote access to control systems “poses a huge danger,” said Dr. Phyllis Schneck, McAfee’s vice president of threat intelligence. “We must either protect it appropriately or move it to more private networks and not use the open Internet,” added Schneck, a member of CSIS’ Commission on Cybersecurity for the 44th Presidency.

“There is a level of protection afforded by virtualizing older software on top of newer software, so that at least the protocols and the network access travels through newer software stacks,” added one veteran IT security specialist. He said owners and operators “need to put as many hurdles as [they] can put against an attacker.”

“The goal [for quickly securing SCADA systems] should be not necessarily to hold [or] replace those systems, but to put blocking technologies, to the extent possible, in front of them and to have much more rigorous criteria for accepting new systems in the future.”

SCADA risk is compounded by emerging “smart” delivery platforms

New service delivery platforms like the interoperable “smart metering” of electricity or banking on mobile devices create new vulnerabilities, but also offer new opportunities. “The smart grid will absolutely create new vulnerabilities, but that doesn’t mean that the entire energy system will be more vulnerable in the future,” said former U.S. Department of Energy cybersecurity official Christopher “Rocky” Campione, adding there were pay-offs in the form of improved efficiency and reliability.

Whether the savings outweigh the risks remains to be seen. One challenge looming in the development of smart metering is keeping the cost low enough for mass-market adoption. The security implications of that pressure are troubling. “How much security can you build in if your unit cost needs to be less than a hundred dollars?” asked one expert.

In a quickly changing environment, IT and security executives find themselves having to make difficult calculations about security with limited information, said Campione. “You have to make decisions that weigh opportunity, risks and security, but you do not want to get trapped in ‘analysis paralysis.’ You can’t know everything before you decide.” In such an environment, it is not clear how much attention has been paid to the security tradeoffs that come with a “smart grid.”

Cloud computing too presents new security challenges

Cloud systems allow companies to lease server infrastructure and software services—effectively outsourcing their computing requirements. Depending on the services and data being outsourced, it can offer new security measures as well as creating new vulnerabilities.

Cloud computing allows smaller enterprises to utilize security measures that would not otherwise be available to them. Even so, “cloud computing scares the hell out of me,” said the veteran IT security specialist. “Not because I know of any particular specific problem inherent to it, but because, historically speaking, every time we have moved into a new area we have failed to appreciate what new potential for attacks has been created.”

“We are creating yet more complex systems, and yet more systems that depend for their value on providing services to loosely coupled or loosely authenticated other systems,” he concluded.

Warren said that to mitigate vulnerabilities, businesses and governments should “consider the types of data that could be moved to the cloud and the best cloud model for the given business, vet the security model and practices of the service provider, and set guidelines for hosting accountability.”

Governments need to be better organized to confront cyber threats

One issue which cropped up repeatedly in interviews with experts from different sectors and countries was the way governments were organizing themselves to confront the new threat. There are common models—all of the countries surveyed, for instance, had established Computer Emergency Response Teams (CERTs), to handle incident response, although their effectiveness varied, according to interviews. But many governments continue to wrestle with the “org chart” question, and in some countries the result is clearly a work in progress.

In Brazil, for example, the federal government in August 2009 established the Critical Infrastructure Protection Information Security Working Group, under its Department of Information and Communications Security. The group is working on information security and incident response plans, according to iDefense Labs Brazilian analyst Anchises de Paula.

In Australia, a 2009 defense white paper announced the establishment of a national Cyber Security Operations Center, within the military’s Defense Signals Directorate, but many details have yet to be announced.

One Australian cybersecurity specialist said his government spent a lot of time studying the U.S. and UK models, as well as others, as part of its recent cybersecurity policy review. “There is something of a standoff between elements of government that prefer the U.S. model and those that prefer the UK model,” he said.

Information sharing between software security companies, for instance, “has made tremendous progress in overcoming challenges in trust, [intellectual property law] and competitive landscape,” said McAfee’s Phyllis Schneck. She said the sector “work[s] well together… especially in a time of crisis.”

An even greater variety of approaches characterized the organization of government to industry information-sharing forums, and there was wide national variation in participation rates reported. But here, in the interview data at least, a common complaint could be heard: governments are reluctant to share sensitive information about threats and vulnerabilities.

The chief security officer for a large telecommunications provider says his firm has relationships with law enforcement in more than a hundred countries where it operates. But when it comes to sharing security information about critical national infrastructure, none of them “have anything as comprehensive as I would want to see. What I want from any government is something I can’t produce myself—intelligence on what [the] threats are, where we could better utilize our assets on the basis of more detailed threat analysis than I can provide. They’ve got all their security services and other capabilities.”

But that is exactly the kind of information that governments tend to guard most jealously, in part because they see no sure way to share the information with critical infrastructure owners and operators that does not also disclose the information to adversaries.

For this reason, high levels of participation in government-led information sharing bodies might not be a good measure of their success. Some countries clearly adopt a more exclusive approach to information-sharing than others.

Secrecy and security

“In the United States and Europe there’s a little more effort” on the part of agencies to share information, said the CSO, “But when it comes to getting truly useful information back from the government—warnings or advice about the use of resources—[we get] nothing at all, from any government.” In the United States, where executives reported a higher than average membership in government information-sharing groups, attempts have been made to address these issues through granting clearances to critical industry executives, but progress has been uneven.
Acknowledgements
CSIS researchers and authors spoke formally and informally to dozens of people
while working through the huge amount of data gathered for this report. Many
agreed to be formally interviewed and quoted, but not all were happy to be
named, even here in the acknowledgments where they are safely separated from
their words. We are grateful to everybody—named and unnamed—who gave so
generously of their time and insight. Special thanks are owed to James Lewis for
his advice and counsel and Denise Zheng, who kept the project on track. Naturally,
the authors acknowledge themselves fully responsible for any errors or omissions.
Stewart Baker, distinguished visiting fellow, CSIS; partner, Steptoe & Johnson
Shaun Waterman, writer and researcher, CSIS
George Ivanov, researcher, CSIS

1 The survey was carried out in September 2009 by UK-based market research company Vanson Bourne, Ltd. The respondents were drawn from panels of IT executives the company maintains in different sectors and countries for its research. One hundred of the 600 respondents were based in the United States; with 50 each in Japan, China, Germany, France, the UK and Italy; 30 each in Russia, Spain, Australia, Brazil, Mexico, and India, and 20 in Saudi Arabia. The best-represented sectors were banking/finance and government services with 145 respondents in each. The smallest number of respondents, just 23 out of 600, came from the water/sewage sector. Other sectors—oil/gas, energy/power, transportation/mass-transit and telecommunications—ranged from 59 to 82 respondents.

Given the size of the sample, we have drawn conclusions about patterns and variations from sector-to-sector or country-to-country, but not about sectors within countries.

When questions were asked only of those with operational systems responsibilities, 143 of the 600 total respondents, the sample sizes become smaller and even variations between countries become harder to rely on. Where caution is merited in relying on data, it is noted in the text.

2 Some aspects of the Russian survey data did not fit with what we learned in interviews. Only 30 percent of Russian executives reported any large scale DDOS attacks, with only three percent experiencing multiple attacks monthly—the lowest rate for any nation. “DDOS attacks are a real problem in Russia,” said Kimberly Zenz, a Russian specialist at iDefense Labs, “everything gets attacked. It’s so easy to rent a botnet there.” Zenz said anti-competitive attacks on rival Web sites—even between local stores in small towns—were legion. The financial services sector is often targeted by DDOS attacks and extortion threats, she added.

This seeming anomaly in the data may in part be due to the way the question was phrased. It used as examples of large scale attacks the DDOS campaigns against Estonia and Georgia—attacks that were widely blamed on Russia. This might have affected the answers of Russian respondents. When asked about “low-level” DDOS attacks, without a reference to Estonia or Georgia, 73 percent of Russian respondents reported attacks, a figure much more in line with the data from respondents overall—72 percent of whom said they had experienced such low-level attacks.

About the authors

Stewart Baker is a distinguished visiting fellow at the Center for Strategic and International Studies and a partner in the Washington law firm of Steptoe & Johnson. From 2005–09, he was assistant secretary for policy at the U.S. Department of Homeland Security. Prior to that, he served as general counsel to the Silberman-Robb Commission, investigating the failures of U.S. intelligence on Iraqi WMD. From 1992–94, he was general counsel of the National Security Agency.

Shaun Waterman is a journalist and consultant on terrorism and national and homeland security issues, contracted by CSIS to research and write this report. Currently a freelance reporter for the Washington Times and other publications, he was from 2000–09 a senior correspondent and editor at United Press International in Washington.

George Ivanov is a CSIS researcher and a master’s degree candidate in International Science and Technology Policy at George Washington University.

About McAfee

McAfee, Inc., headquartered in Santa Clara, California, is the world’s largest dedicated security technology company. McAfee is relentlessly committed to tackling the world’s toughest security challenges. The company delivers proactive and proven solutions and services that help secure systems and networks around the world, allowing users to safely connect to the Internet, browse and shop the web more securely. Backed by an award-winning research team, McAfee creates innovative products that empower home users, businesses, the public sector and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security.

For more information, visit: www.mcafee.com

McAfee, Inc.
3965 Freedom Circle
Santa Clara, CA 95054
888 847 8766
www.mcafee.com

McAfee and/or other noted McAfee related products contained herein are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. Any other non-McAfee related products, registered and/or unregistered trademarks contained herein is only by reference and are the sole property of their respective owners.

The information in this document is provided only for educational purposes and for the convenience of McAfee’s customers. We endeavor to ensure that the information contained in the McAfee: In the Crossfire is correct; however, due to the ever changing state in cybersecurity the information contained herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance.

© 2010 McAfee, Inc. All rights reserved. 7795rpt_cip_0110