It has become clear that Stuxnet-like worms pose a serious threat even to critical U.S. infrastructure and computer systems that are not connected to the Internet. However, defending against such attacks involves complex technological and legal issues. In particular, at the federal level, different organizations have different responsibilities and levels of authority when it comes to investigating or defending against intrusions.
Download eBook for Free
Full Document
| Format | File Size | Notes |
|---|---|---|
| PDF file | 0.7 MB | Use Adobe Acrobat Reader version 10 or higher for the best experience. |
Summary Only
| Format | File Size | Notes |
|---|---|---|
| PDF file | 0.1 MB | Use Adobe Acrobat Reader version 10 or higher for the best experience. |
Research Questions
- What is the nature of the threat posed by sophisticated, virulent malware, particularly to U.S. government computer systems?
- What are the challenges and limitations in defending against these threats?
- What steps has the federal government taken and how do these measures fit within current privacy and legal frameworks?
Iran's announcement that a computer worm called Stuxnet had infected computers that controlled one of its nuclear processing facilities marked a signal event in cyber attacks. Although such attacks were known to be theoretically possible, the incident proved that a cyberworm could successfully infiltrate a system and produce physical damage. Furthermore, the sophisticated nature of the worm and the resources that would have been required to design, produce, and implant it strongly suggest a state-sponsored effort. It has become clear that Stuxnet-like worms pose a serious threat even to infrastructure and computer systems that are not connected to the Internet. However, defending against such attacks is an increasingly complex prospect. The nature of cyberspace ensures that the attacker has the upper hand and can move about with impunity and relative anonymity. The sophistication of virulent malware has also made it difficult to detect whether an intrusion has occurred, and attackers have a wide range of means at their disposal to gain access to networks, even those that are closed. Finally, bureaucratic and legal barriers can hinder the ability to mount a successful defense. Under the current framework, different organizations have different responsibilities and different levels of authority when it comes to investigating or defending against intrusions, depending on the nature of the attack, its geographic origin, and the systems it targets. In addition, there is a need to protect critical government and private-sector infrastructure in a way that does not infringe on civil liberties or proprietary data. The authors argue that new legislation is needed to establish a more efficient assignment of responsibilities, and a revised legal code may be required to successfully defend against the ever-evolving cyber threat.
Key Findings
The Characteristics of Cyberspace Pose Challenges to Those Who Seek to Defend It
- A myriad of factors compound cyber defense, including the porous borders of cyberspace and the relative anonymity it offers, the sophisticated and rapidly evolving nature of threats, and legal and privacy limitations that can curtail effective defense.
- Cyberspace favors attackers: Firewalls and intrusion prevention systems will prevent only some attacks. An attacker has to be right only once; defenders must be right every time.
- Cyber attacks are difficult to identify: Worms can lie dormant only to activate only under precise circumstances.
- The best defense includes a good offense. A "proactive self-defense" strategy is more effective than one that involves responding to attacks after they have occurred.
- Bureaucratic and legal boundaries currently hinder efforts to identify and mitigate intrusions, complicating the defense of critical cyberspace.
Recommendations
- Congressional action is needed to enable better collaboration among the various government organizations with a role in cyberspace and between these organizations and the private sector.
- Legislation is also needed to grant at least one capable organization the authority to track cyber intruders and criminals, with sufficient freedom to maneuver. This may require revisions to the U.S. Code, which would be a complicating factor.
Research conducted by
The research described in this report was prepared for the Office of the Secretary of Defense (OSD). The research was conducted within the RAND National Defense Research Institute, a federally funded research and development center sponsored by OSD, the Joint Staff, the Unified Combatant Commands, the Navy, the Marine Corps, the defense agencies, and the defense Intelligence Community.
This report is part of the RAND Corporation Occasional paper series. RAND occasional papers may include an informed perspective on a timely policy issue, a discussion of new research methodologies, essays, a paper presented at a conference, or a summary of work in progress. All RAND occasional papers undergo rigorous peer review to help ensure that they meet high standards for research quality and objectivity.
This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit www.rand.org/pubs/permissions.
The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.