|“||We must learn to negotiate a new geography, where borders are irrelevant and distances meaningless, where an enemy may be able to harm the vital systems we depend on without confronting our military power.||”|
|“||is any identified effort directed toward access to, exfiltration of, manipulation of, or impairment to the integrity, confidentiality, security, or availability of data, an application, or a federal system, without lawful authority.||”|
|“||are potential cyber events that may cause unwanted outcomes, resulting in harm to a system or organization. Threats may originate externally or internally and may originate from individuals or organizations.||”|
|“||[is] anything capable of compromising the security of, or causing harm to, information systems and internet connected devices (to include hardware, software and associated infrastructure), the data on them and the services they provide, primarily by cyber means.||”|
|“||The primary 'values at risk' from cyber threats and vulnerabilities are an entity's assets and reputation. Because of critical dependencies, the consequences on these assets could be the result of a larger, cascading event beyond the entity's direction or control.||”|
A cyber threat can be unintentional and intentional, targeted or nontargeted, and can come from a variety of sources, including foreign nations engaged in espionage and information warfare, criminals, hackers, virus writers, and disgruntled employees and contractors working within an organization.
- Unintentional threats can be caused by inattentive or untrained employees, software upgrades, maintenance procedures and equipment failures that inadvertently disrupt computer systems or corrupt data.
- Intentional threats include both targeted and nontargeted attacks. A targeted attack is when a group or individual specifically attacks a critical infrastructure system. A nontargeted attack occurs when the intended target of the attack is uncertain, such as when a virus, worm, or malware is released on the Internet with no specific target
- Repeatedly identified as the most worrisome threat is the "insider" — someone legitimately authorized access to a system or network. Other malefactors may make use of insiders, such as organized crime or a terrorist group suborning a willing insider (a disgruntled employee, for example) or making use of an unwitting insider (by getting someone with authorized network access to insert a disk containing hidden code, for example).
Background on cyber threats
Threats to the U.S. cyber and telecommunications infrastructure are constantly increasing and evolving as are the entities that show interest in using a cyber-based capability to harm the nation’s security interests.
Concerns have been raised since the 1990s regarding the use of the internet and telecommunications components to cause harm to the nation's security interests. Activities producing undesirable results include unauthorized intrusion to gain access and view protected data, stealing or manipulating information contained in various databases, and attacks on telecommunications devices to corrupt data or cause infrastructure components to operate in an irregular manner.
Of paramount concern to the national and homeland security communities is the threat of a cyber-related attack against the nation’s critical government infrastructures — "systems and assets, physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters." Early concerns noted attacks on components of the energy grid, infrastructure control systems, and military equipment as examples of telecommunications-based threats to physical infrastructures.
In response, the Department of Energy conducted an experiment in 2007 in which the control system of an unconnected generator, containing similar components as that of larger generators connected to many power grids in the nation supplying electricity, was damaged and became inoperable. While data from federal agencies demonstrate that the majority of attempted and successful cyber attacks to date have targeted virtual information resources rather than physical infrastructures, many security experts are concerned that the natural progression of those wishing to harm U.S. security interests will transition from stealing or manipulating data to undertaking action that temporarily or permanently disables or destroys the telecommunications network or affects infrastructure components.
Many security observers agree that the United States currently faces a multi-faceted, technologically based vulnerability in that "our information systems are being exploited on an unprecedented scale by state and non-state actors [resulting in] a dangerous combination of known and unknown vulnerabilities, strong adversary capabilities, and weak situational awareness." This, coupled with security observers' contention that the United States lacks the capability to definitively ascertain perpetrators who might unlawfully access a database or cause harm to a network, leaves the nation increasingly at risk. It also causes acts or discussions related to deterring cyberattacks to be ignored or negated by entities exploiting known or newly found vulnerabilities.
Prominent national security experts have emphasized the vulnerability of U.S. infrastructures. As recently as January 2009, former Director of National Intelligence (DNI) Mike McConnell equated "cyber weapons" with weapons of mass destruction when he expressed concern about terrorists' use of technology to degrade the nation's infrastructure. In distinguishing between individuals gaining access to U.S. national security systems or corporate data for purposes of exploitation for purposes of competitive advantage, former Director McConnell noted that terrorists aim to damage infrastructure and that the "time is not too far off when the level of sophistication reaches a point that there could be strategic damage to the United States."
Sources of cyber threats
There are a variety of sources of cyber threats, including:
- Botnetwork operators — Botnet operators use a network, or botnet, of compromised, remotely controlled systems to coordinate attacks and to distribute phishing schemes, spam, and malware attacks. The services of these networks are sometimes made available on underground markets (e.g., purchasing a denial of service attack or servers to relay spam or phishing attacks).
- Business competitors — Companies that compete against or do business with a target company may seek to obtain sensitive information to improve their competitive advantage in various areas, such as pricing, manufacturing, product development, and contracting.
- Criminal groups — Criminal groups seek to attack systems for monetary gain. Specifically, organized criminal groups use spam, phishing, and spyware/malware to commit identity theft and online fraud. International corporate spies and criminal organizations also pose a threat to the United States through their ability to conduct industrial espionage and large-scale monetary theft and to hire or develop hacker talent.
- Foreign nation states — Foreign intelligence services use cyber tools as part of their information gathering and espionage activities. Also, several nations are aggressively working to develop information warfare doctrine, programs, and capabilities. Such capabilities enable a single entity to have a significant and serious impact by disrupting the supply, communications, and economic infrastructures that support military power. According to the Director of National Intelligence, a growing array of state and nonstate adversaries are increasingly targeting — for exploitation and potentially disruption or destruction — information infrastructure, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries."
- Hackers — Hackers break into networks for the thrill of the challenge, bragging rights in the hacker community, revenge, stalking others, and monetary gain, among other reasons. While gaining unauthorized access once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the Internet and launch them against victim sites. Thus, while attack tools have become more sophisticated, they have also become easier to use. According to the Central Intelligence Agency, the large majority of hackers do not have the requisite expertise to threaten difficult targets such as critical U.S. networks. Nevertheless, the worldwide population of hackers poses a relatively high threat of an isolated or brief disruption causing serious damage.
- Hacktivists — Those who make politically motivated attacks on publicly accessible web pages or e-mail servers. These groups and individuals overload e-mail servers and hack into websites to send a political message.
- Insiders — The disgruntled insider, working from within an organization, is a principal source of computer crimes. Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a victim system often allows them to gain unrestricted access to cause damage to the system or to steal system data. The insider threat also includes contractor personnel.
- International corporate spies — International corporate spies pose a threat to the United States through their ability to conduct economic and industrial espionagea and large-scale monetary theft and to hire or develop hacker talent.
- Phishers — Individuals, or small groups, execute phishing] schemes in an attempt to steal identities or information for monetary gain. Phishers may also use spam and spyware/malware to accomplish their objectives.
- Spammers — Individuals or organizations distribute unsolicited e-mail with hidden or false information in order to sell products, conduct phishing schemes, distribute spyware/malware, or attack organizations (i.e., denial of service attack).
- Spyware/malware authors — Individuals or organizations with malicious intent carry out attacks against users by producing and distributing spyware and malware. Several destructive computer viruses and worms have harmed files and hard drives, including the Melissa virus, the Explore.Zip worm, the CIH (Chernobyl) virus, Nimda worm, Code Red, Slammer worm, and Blaster worm.
- Terrorists — Terrorists seek to destroy, incapacitate, or exploit critical infrastructures to threaten national security, cause mass casualties, weaken the U.S. economy, and damage public morale and confidence. However, traditional terrorist adversaries of the United States are less developed in their computer network capabilities than other adversaries. Terrorists likely pose a limited cyber threat. The Central Intelligence Agency believes terrorists will stay focused on traditional attack methods, but it anticipates growing cyber threats as a more technically competent generation enters the ranks.
Types and techniques of cyber threats
Cyber threats can take the form of:
- Collateral damage — Unplanned side-effects of cyber attacks.
- Cross-site scripting — An attack that uses third-party web resources to run script within the victim's web browser or scriptable application. This occurs when a browser visits a malicious website or clicks a malicious link. The most dangerous consequences occur when this method is used to exploit additional vulnerabilities that may permit an attacker to steal cookies (data exchanged between a web server and a browser), log keystrokes, capture screen shots, discover and collect network information, and remotely access and control the victim's machine.
- Denial of service attack — A method of attack that denies system access to legitimate users without actually having to compromise the targeted system. From a single source, the attack overwhelms the target computers with messages and blocks legitimate traffic. It can prevent one system from being able to exchange data with other systems or prevent the system from using the Internet.
- Distributed denial of service (DDOS) attack — A variant of the denial-of-service attack that uses a coordinated attack from a distributed system of computers rather than a single source. It often makes use of worms to spread to multiple computers that can then attack the target.
- Eavesdropping attack — Violations of confidentiality of communication within a network.
- Exploit tools — Publicly available and sophisticated tools that intruders of various skill levels can use to determine vulnerabilities and gain entry into targeted systems.
- Logic bomb — A form of sabotage in which a programmer inserts code that causes the program to perform a destructive action when some triggering even occurs, such as terminating the programmer’s employment.
- Malicious code (malware) — viruses, worms, and Trojan horses.
- Passive wiretapping — The monitoring or recording of data, such as passwords transmitted in clear text, while they are being transmitted over a communications link. This is done without altering or affecting the data.
- Pharming — A method used by phishers to deceive users into believing that they are communicating with a legitimate website. Pharming uses a variety of technical methods to redirect a user to a fraudulent or spoofed website when the user types a legitimate Web address.
- Phishing — A high-tech scam that frequently uses spam or pop-up messages to deceive people into disclosing sensitive information. Internet scammers use e-mail bait to "phish" for passwords and financial information from the sea of internet users.
- Reconnaissance attack — Probing of a system to provide attackers information on capabilities, vulnerabilities, and operation.
- Rogue device — An unauthorized device accesses the system, manipulating it or providing incorrect data to system operators.
- Sniffer (also called packet sniffer. — A program that intercepts routed data and examines each packet in search of specified information, such as passwords transmitted in clear text.
- Spamming — Sending unsolicited commercial e-mail advertising for products, services, and websites. Spam can also be sued as a delivery mechanism for malicious software and other cyber threats.
- Spoofing — Creating a fraudulent website to mimic an actual, well-known site run by another party. E-mail spoofing occurs when the sender address and other parts of an e-mail header are altered to appear as though the e-mail originated from a different source. Spoofing hides the origin of an e-mail message.
- Spyware — Malware installed without the user's knowledge to surreptitiously track and/or transmit data to an unauthorized third party.
- Structured Query Language (SQL) injection — An attack that involves the alteration of a database search in a web-based application, which can be used to obtain unauthorized access to sensitive information in a database.
- Trojan horse — A computer program that conceals harmful code. A Trojan horse usually masquerades as a useful program that a user would wish to execute.
- Unauthorized access attack — An attack where the adversary exercises a degree of control over the system and accesses and manipulates assets without authorization.
- Unauthorized use of assets, resources, or information — An attack in which assets, services, or data are manipulated by an authorized user in an unauthorized manner. This can result in system operators being given inaccurate information from a “trusted” source, and thereby being misled into making decisions based on this data that result in impacts to the system.
- Virus — A program that “infects” computer files, usually executable programs, by inserting a copy of itself into the file. These copies are usually executed when the infected files is loaded into memory, allowing the virus to infect other files. Unlike the computer worms, a virus requires human involvement (usually unwitting) to propagate.
- War-dialing — A simple program that dials consecutive phone numbers looking for a modem.
- War-driving — A method of gaining entry into wireless computer networks using a laptop, antennas, and a wireless network adaptor that involves patrolling locations to gain unauthorized access.
- Worm — An independent computer program that reproduces by copying itself from one system to another across a network. Unlike computer viruses, worms do not require human involvement to propagate.
- Zero-day exploit — An exploit that takes advantage of a security vulnerability previously unknown to the general public. In many cases, the exploit code is written by the same person who discovered the vulnerability. By writing an exploit for the previously unknown vulnerability, the attacker creates a potent threat since the compressed timeframe between public discoveries of both makes it difficult to defend against.
|“||Two of our greatest strategic challenges regarding cyber threats are: (1) the difficulty of providing timely, actionable warning of cyber threats and incidents, such as identifying past or present security breaches, definitively attributing them, and accurately distinguishing between cyber espionage intrusions and potentially disruptive cyber attacks; and (2) the highly complex vulnerabilities associated with the IT supply chain for US networks.||”|
Impact on critical infrastructure
Cyber threats are asymmetric, surreptitious, and constantly evolving — a single individual or a small group anywhere in the world can inexpensively and secretly attempt to penetrate systems containing vital information or mount damaging attacks on critical infrastructures.
There is increasing concern among both government officials and industry experts regarding the potential for a cyber attack on a national critical infrastructure, including the infrastructure's control systems. The Federal Bureau of Investigation has identified multiple sources of threats to our nation's critical infrastructures, including foreign nation states engaged in information warfare, domestic criminals, hackers, and virus writers, and disgruntled employees working within an organization.
Threats to the U.S. cyber and telecommunications infrastructure are constantly increasing and evolving as are the entities that show interest in using a cyber-based capability to harm the nation’s security interests. Concerns have been raised since the 1990s regarding the use of the internet and telecommunications components to cause harm to the nation's security interests.
Activities producing undesirable results include unauthorized intrusion to gain access and view protected data, stealing or manipulating information contained in various databases, and attacks on telecommunications devices to corrupt data or cause infrastructure components to operate in an irregular manner. Of paramount concern to the national and homeland security communities is the threat of a cyber-related attack against the nation’s critical government infrastructures — "systems and assets, physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters."
Cyber threats generally fall within six categories:
- Traditional threats typically arise from state employing recognized military capabilities and forces in well-understood forms of military conflict. Within cyberspace, these threats may be less understood due to the continuing evolution of technologies and methods. Traditional threats are generally focused against the cyberspace capabilities that enable our air, land, maritime, and space forces and are focused to deny the US military freedom of action and use of cyberspace.
- Irregular threats can use cyberspace as an unconventional asymmetric means to counter traditional advantages. These threats could also manifest through an adversary's selective targeting of US cyberspace capabilities and infrastructure. For example, terrorists could use cyberspace to conduct operations against our financial and industrial sectors while simultaneously launching other physical attacks. Terrorist also use cyberspace to communicate anonymously, asynchronously, and without being tied to set physical locations. They attempt to shield themselves from US law enforcement, intelligence and military operations through use of commercial security products and services readily available in cyberspace. Irregular threats from criminal elements and advocates of radical political agendas seek to use cyberspace for their own ends to challenge government, corporate, or societal interests.
- Catastrophic threats involve the acquisition, possession, and use of weapons of mass destruction (WMD) or methods producing WMD-like effects. Such catastrophic effects are possible in cyberspace because of the existing linkage of cyberspace to critical infrastructure SCADA systems. Well-planned attacks on key nodes of the cyberspace infrastructure have the potential to produce network collapse and cascading effects that can severely affect critical infrastructure locally, nationally, or possibly globally. For example, electromagnetic pulse events could cause widespread degradation and outright destruction of the electronic components that comprise cyberspace leading to the debilitating destruction of segments of the cyberspace domain in which operations must occur.
- Disruptive threats are breakthrough technologies that may negate or reduce current US advantages in warfighting domains. Global research investment, development, and industrial processes provide an environmental conductive to the creation of technological advances. DOD must be prepared for the increased possibility of adversary breakthroughs due to the continuing diffusion of cyberspace technologies.
- Natural threats that can damage and disrupt cyberspace include acts of nature, such as floods, hurricanes, solar flares, lightning, and tornados. These types of events often produce highly destructive effects requiring DOD to support the continuity of operations in cyberspace, conduct consequent management, and restore cyberspace capability. These events also provide adversaries the opportunity to capitalize on infrastructure degradation and diversion of attention and resources.
- Accidental threats are unpredictable and can take many forms. From a backhoe cutting a fiber optic cable of a key cyberspace node, to inadvertent introduction of viruses, accidental threats unintentionally disrupt the operation of cyberspace. Although post-accident investigations show that the large majority of accidents can be prevented and measures put in place to reduce accidents, accidents must be anticipated.
- President's Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America's Infrastructures, at ix (Oct. 1997).
- U.S. Department of Homeland Security, Privacy Impact Assessment for the Initiative Three Exercise 3 (Mar. 18, 2010) (full-text).
- Partnering for Cyber Resilience: Risk and Responsibility in a Hyperconnected World-Principles and Guidelines, at 14.
- National Cyber Security Strategy 2016 to 2021, Glossary, Annex 2, at 75.
- Peter Eisler, "Reported Raids on Federal Computer Data Soar," USA Today (Feb. 17, 2009) (full-text). Based on data reportedly provided to USA Today, the U.S. Computer Emergency Readiness Team (US-CERT), found that known cyberattacks on U.S. government networks rose 40% in 2008 compared to 2007. While this survey focused on U.S. government computer systems, telecommunications networks are maintained by private industry, and any degradation to these services or components would necessarily have negative implications for both public and private cyber activities.
- 42 U.S.C. §5195c(e).
- Of note, many of the cyber-related incidences that were found to have negatively affected control systems connected to physical infrastructure components were resolved as being the work of current or former employees who had access to and knowledge of the architecture of the affected network.
- Jeanne Meserve, "Staged Cyber Attack Reveals Vulnerability in Power Grid," CNN Online (Sep. 26, 2007) (full-text).
- See Center for Strategic and International Studies, Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency, at 12 ("we expected damage from cyber attacks to be physical (opened floodgates, crashing airplanes) when it was actually informational").
- House Permanent Select Committee on Intelligence, Cyber Security: Hearing on the Nation's Cyber Security Risks, 110th Cong. (Sept. 18, 2008) (statement of Paul Kurtz, Former Senior Director, Critical Infrastructure Protection, White House Homeland Security Council).
- The Charlie Rose Show, "Interview of Mr. Mike McConnell, Director of National Intelligence," PBS, Jan. 8, 2009.
- GAO analysis based on data from the Director of National Intelligence, Department of Justice, the Central Intelligence Agency, and the Software Engineering Institute’s CERT Coordination Center.
- Joe Weiss, "Control System Cyber Vulnerabilities and Potential Mitigation of Risk for Utilities" 3-4 (Juniper Networks, Inc. 2009).
- Office of the Director of National Intelligence, "Unclassified Statement for the Record on the Worldwide Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence," at 8 (Jan. 31, 2012).
- Peter Eisler, "Reported Raids on Federal Computer Data Soar," USA Today (Feb. 17, 2009) (full-text). Based on data reportedly provided to USA Today, the U.S. Computer Emergency Readiness Team (US-CERT), a Department of Homeland Security entity, found that known cyberattacks on U.S. government networks rose 40% in 2008 compared to 2007. While this survey focused on U.S. government computer systems, telecommunications networks are maintained by private industry, and any degradation to these services or components would necessarily have negative implications for both public and private cyber activities.
- For more information on cyberattackers' capabilities, see Terrorist Capabilities for Cyberattack: Overview and Policy Issues.
- 42 U.S.C. §5195c(e). For more on U.S. efforts to protect critical infrastructures, see Critical Infrastructures: Background, Policy, and Implementation.
- National Military Strategy for Cyberspace Operations, at C-1, C-2.
- Information Security: Cyber Threats and Vulnerabilities Place Federal Systems at Risk.
- Information Security: Cyber Threats Facilitate Ability to Commit Economic Espionage, at 3-5.