As much as we don’t like to hear about it, America is not winning the cyberwar. Malicious hackers are winning and China has penetrated “every major U.S. company.” But there are elite cyber warriors who protect the world from cybercrime and the USA desperately needs more Cyber Guardians. In advance of the second annual Cyber Guardian information security training event in Baltimore next week, April 30 – May 7, 2012, I had an opportunity to interview Ed Skoudis about the SANS Cyber Guardian program.
Skoudis is a security expert on hacker attacks and defenses, a world-renowned author and senior security consultant with InGuardians. He’s demonstrated hacker techniques against financial institutions for the U.S. Senate and frequently speaks at security conferences. He is also a SANS Faculty Fellow who teaches thousands of information security professionals how to improve their skills and better defend their networks.
Interivew with SANS’ Ed Skoudis about hacking and elite Cyber Guardian hackers needed to help America win the cybersecurity war:
China and other nation states have hackers who go to work in specific buildings every single day with their job being to hack and attack the USA. Until recently the government kept these daily attacks on our critical infrastructure and our intellectual property on a hush-hush level. Yet officials confirmed that China has hacked every major US company. What do you have to say to the many people who believe reports of such cyberattacks are only scare tactics to give the government more power and control over private systems?
Ed Skoudis: In helping companies and government agencies respond to computer attacks, we have seen detailed evidence of foreign nation states deep inside computer networks of financial services companies, critical infrastructure systems, and manufacturing companies. We not only see the streams of packets going to and from other countries, we can also watch the attackers’ activities on the computer systems, as they search for sensitive information to gain competitive economic advantage, as well as to plan command-and-control software.
And, if such reports are just scare tactics, they don’t seem to be working successfully to scare anyone into action. These attacks have been going on for many years, yet we haven’t had any major strides in fighting them off. The US hasn’t been able to get significant cyber security legislation passed in many years, nor have we made much technical progress in fighting off these kinds of attacks.
The Presidential Cyber Committee says the U.S. has an acute shortage of talented cyber operators for modern engagement with the expertise across the entire cyber issues spectrum. There are only a handful of people who have that knowledge and can be called on if a major cyberattack were to occur. Approximately how many is a handful and about how many nation state hackers do you believe America is up against?
Ed Skoudis: The US Government has many tens of thousands of people that are focused on information security compliance, where they measure this or that security aspect on an annual basis for an assessment report. Unfortunately, such measurements are just a limited snapshot in time, and the efforts of these people at mere measurement tend to be a bureaucratic exercise which provides little help in actually securing their organizations. Their paper-based measurements usually don’t find the bad guys who are so deeply embedded on their computer systems.
What we need are more people with in-depth, hands-on skills for hunting down bad guys on already-infected networks. That is, we need expertise in draining the swamp — people experienced in finding the very subtle control channels and backdoors planted by the bad guys and eradicating them. We also need people who are experts at finding the flaws before attackers do so we can remediate them and prevent compromise. Right now, we estimate that there are only a few hundred of such people with those skills in the US Government, and we need a few thousand. That’s a ten-fold increase in the bad-guy hunters and serious vulnerability finders.
SCADA systems are deeply embedded in our infrastructure. The FBI wrote, “SCADA systems have proliferated rapidly-for starters, in the electric, oil, and gas; water treatment; waste management; and maritime, air, railroad, and automobile traffic control industries. SCADA systems also are embedded in ‘telephone and cell phone networks, including 911 emergency services’.” When talking about cyber terror, the FBI also warned against botnets and “ominous threats” such as electromagnetic pulse (EMP) bombs and high-energy radio frequency (HERF) weapons which differ from the malicious codes, computer viruses, and worms of yesteryear.” Some experts claim a $60 piece of malware could wreak havoc and bring America to her knees. Then with Shodan and Metasploit, hacking critical infrastructure and SCADA had a Firesheep moment. DHS warned that hacktivists could point, click and destroy. Where do you see the biggest cyber terror or cyberattack threats?
Ed Skoudis: The SCADA infrastructure associated with the power grid is a big concern. These systems were built without the intention of ever connecting them to a public network such as the Internet. Unfortunately, though, these systems are now controlled from networks that are indeed interconnected with the Internet. A computer attacker could exploit a power company computer network through the Internet, and then pivot through other networks to ultimately hit SCADA systems. Worse yet, even when SCADA systems are air-gapped from public networks, attackers have been remarkably effective in hoping that air gap with their infections using USB thumb drives or compromised laptops that are connected to the target network.
By attacking power grid systems, attacker could cause significant physical damage to the network, resulting in large scale blackouts that could require a lot of time to fix, possibly days or weeks.
Check back tomorrow for the second half of the interview with Ed Skoudis about the SANS Cyber Guardian program and how American can win the cybersecurity war with Cyber Guardians.