It has become clear that Stuxnet-like worms pose a serious threat even to critical U.S. infrastructure and computer systems that are not connected to the Internet. However, defending against such attacks involves complex technological and legal issues. In particular, at the federal level, different organizations have different responsibilities and levels of authority when it comes to investigating or defending against intrusions.
- What is the nature of the threat posed by sophisticated, virulent malware, particularly to U.S. government computer systems?
- What are the challenges and limitations in defending against these threats?
- What steps has the federal government taken and how do these measures fit within current privacy and legal frameworks?
Iran's announcement that a computer worm called Stuxnet had infected computers that controlled one of its nuclear processing facilities marked a signal event in cyber attacks. Although such attacks were known to be theoretically possible, the incident proved that a cyberworm could successfully infiltrate a system and produce physical damage. Furthermore, the sophisticated nature of the worm and the resources that would have been required to design, produce, and implant it strongly suggest a state-sponsored effort. It has become clear that Stuxnet-like worms pose a serious threat even to infrastructure and computer systems that are not connected to the Internet. However, defending against such attacks is an increasingly complex prospect. The nature of cyberspace ensures that the attacker has the upper hand and can move about with impunity and relative anonymity. The sophistication of virulent malware has also made it difficult to detect whether an intrusion has occurred, and attackers have a wide range of means at their disposal to gain access to networks, even those that are closed. Finally, bureaucratic and legal barriers can hinder the ability to mount a successful defense. Under the current framework, different organizations have different responsibilities and different levels of authority when it comes to investigating or defending against intrusions, depending on the nature of the attack, its geographic origin, and the systems it targets. In addition, there is a need to protect critical government and private-sector infrastructure in a way that does not infringe on civil liberties or proprietary data. The authors argue that new legislation is needed to establish a more efficient assignment of responsibilities, and a revised legal code may be required to successfully defend against the ever-evolving cyber threat.
The Characteristics of Cyberspace Pose Challenges to Those Who Seek to Defend It
- A myriad of factors complicate cyber defense, including the porous borders of cyberspace and the relative anonymity it offers, the sophisticated and rapidly evolving nature of threats, and legal and privacy limitations that can curtail effective defense.
- Cyberspace favors attackers: Firewalls and intrusion prevention systems will prevent only some attacks. An attacker has to be right only once; defenders must be right every time.
- Cyber attacks are difficult to identify: Worms can lie dormant, activating only under precise circumstances.
- The best defense includes a good offense. A "proactive self-defense" strategy is more effective than one that involves responding to attacks after they have occurred.
- Bureaucratic and legal boundaries currently hinder efforts to identify and mitigate intrusions, complicating the defense of critical cyberspace.
- Congressional action is needed to enable better collaboration among the various government organizations with a role in cyberspace and between these organizations and the private sector.
- Legislation is also needed to grant at least one capable organization the authority to track cyber intruders and criminals, with sufficient freedom to maneuver. This may require revisions to the U.S. Code, which would be a complicating factor.