The IT Law Wiki
Register
Advertisement
We must learn to negotiate a new geography, where borders are irrelevant and distances meaningless, where an enemy may be able to harm the vital systems we depend on without confronting our military power.[1]

Definitions[]

Cyber threat(s)

is any identified effort directed toward access to, exfiltration of, manipulation of, or impairment to the integrity, confidentiality, security, or availability of data, an application, or a federal system, without lawful authority.[2]
are potential cyber events that may cause unwanted outcomes, resulting in harm to a system or organization. Threats may originate externally or internally and may originate from individuals or organizations.[3]
[is] anything capable of compromising the security of, or causing harm to, information systems and internet­ connected devices (to include hardware, software and associated infrastructure), the data on them and the services they provide, primarily by cyber means.[4]

Overview[]

The primary 'values at risk' from cyber threats and vulnerabilities are an entity's assets and reputation. Because of critical dependencies, the consequences on these assets could be the result of a larger, cascading event beyond the entity's direction or control.[5]

A cyber threat can be unintentional and intentional, targeted or nontargeted, and can come from a variety of sources, including foreign nations engaged in espionage and information warfare, criminals, hackers, virus writers, and disgruntled employees and contractors working within an organization.

Background on cyber threats[]

Threats to the U.S. cyber and telecommunications infrastructure are constantly increasing[6] and evolving as are the entities that show interest in using a cyber-based capability to harm the nation’s security interests.

Concerns have been raised since the 1990s regarding the use of the internet and telecommunications components to cause harm to the nation's security interests. Activities producing undesirable results include unauthorized intrusion to gain access and view protected data, stealing or manipulating information contained in various databases, and attacks on telecommunications devices to corrupt data or cause infrastructure components to operate in an irregular manner.

Of paramount concern to the national and homeland security communities is the threat of a cyber-related attack against the nation’s critical government infrastructures — "systems and assets, physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters."[7] Early concerns noted attacks on components of the energy grid, infrastructure control systems, and military equipment as examples of telecommunications-based threats to physical infrastructures.[8]

In response, the Department of Energy conducted an experiment in 2007 in which the control system of an unconnected generator, containing similar components as that of larger generators connected to many power grids in the nation supplying electricity, was damaged and became inoperable.[9] While data from federal agencies demonstrate that the majority of attempted and successful cyber attacks to date have targeted virtual information resources rather than physical infrastructures,[10] many security experts are concerned that the natural progression of those wishing to harm U.S. security interests will transition from stealing or manipulating data to undertaking action that temporarily or permanently disables or destroys the telecommunications network or affects infrastructure components.

Many security observers agree that the United States currently faces a multi-faceted, technologically based vulnerability in that "our information systems are being exploited on an unprecedented scale by state and non-state actors [resulting in] a dangerous combination of known and unknown vulnerabilities, strong adversary capabilities, and weak situational awareness."[11] This, coupled with security observers' contention that the United States lacks the capability to definitively ascertain perpetrators who might unlawfully access a database or cause harm to a network, leaves the nation increasingly at risk. It also causes acts or discussions related to deterring cyberattacks to be ignored or negated by entities exploiting known or newly found vulnerabilities.

Cyberthreat

Prominent national security experts have emphasized the vulnerability of U.S. infrastructures. As recently as January 2009, former Director of National Intelligence (DNI) Mike McConnell equated "cyber weapons" with weapons of mass destruction when he expressed concern about terrorists' use of technology to degrade the nation's infrastructure. In distinguishing between individuals gaining access to U.S. national security systems or corporate data for purposes of exploitation for purposes of competitive advantage, former Director McConnell noted that terrorists aim to damage infrastructure and that the "time is not too far off when the level of sophistication reaches a point that there could be strategic damage to the United States."[12]

Sources of cyber threats[]

There are a variety of sources of cyber threats, including[13]:

Types and techniques of cyber threats[]

Cyber threats can take the form of:

Two of our greatest strategic challenges regarding cyber threats are: (1) the difficulty of providing timely, actionable warning of cyber threats and incidents, such as identifying past or present security breaches, definitively attributing them, and accurately distinguishing between cyber espionage intrusions and potentially disruptive cyber attacks; and (2) the highly complex vulnerabilities associated with the IT supply chain for US networks.[15]

Impact on critical infrastructure[]

Cyber threats are asymmetric, surreptitious, and constantly evolving — a single individual or a small group anywhere in the world can inexpensively and secretly attempt to penetrate systems containing vital information or mount damaging attacks on critical infrastructures.

There is increasing concern among both government officials and industry experts regarding the potential for a cyber attack on a national critical infrastructure, including the infrastructure's control systems. The Federal Bureau of Investigation has identified multiple sources of threats to our nation's critical infrastructures, including foreign nation states engaged in information warfare, domestic criminals, hackers, and virus writers, and disgruntled employees working within an organization.

Threats to the U.S. cyber and telecommunications infrastructure are constantly increasing[16] and evolving as are the entities that show interest in using a cyber-based capability to harm the nation’s security interests.[17] Concerns have been raised since the 1990s regarding the use of the internet and telecommunications components to cause harm to the nation's security interests.

Activities producing undesirable results include unauthorized intrusion to gain access and view protected data, stealing or manipulating information contained in various databases, and attacks on telecommunications devices to corrupt data or cause infrastructure components to operate in an irregular manner. Of paramount concern to the national and homeland security communities is the threat of a cyber-related attack against the nation’s critical government infrastructures — "systems and assets, physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters."[18]

Early concerns noted attacks on components of the energy grid, infrastructure control systems, and military equipment as examples of telecommunications-based threats to physical infrastructures.

Military[]

Cyber threats generally fall within six categories:

  • Traditional threats typically arise from state employing recognized military capabilities and forces in well-understood forms of military conflict. Within cyberspace, these threats may be less understood due to the continuing evolution of technologies and methods. Traditional threats are generally focused against the cyberspace capabilities that enable our air, land, maritime, and space forces and are focused to deny the US military freedom of action and use of cyberspace.
  • Irregular threats can use cyberspace as an unconventional asymmetric means to counter traditional advantages. These threats could also manifest through an adversary's selective targeting of US cyberspace capabilities and infrastructure. For example, terrorists could use cyberspace to conduct operations against our financial and industrial sectors while simultaneously launching other physical attacks. Terrorist also use cyberspace to communicate anonymously, asynchronously, and without being tied to set physical locations. They attempt to shield themselves from US law enforcement, intelligence and military operations through use of commercial security products and services readily available in cyberspace. Irregular threats from criminal elements and advocates of radical political agendas seek to use cyberspace for their own ends to challenge government, corporate, or societal interests.
  • Catastrophic threats involve the acquisition, possession, and use of weapons of mass destruction (WMD) or methods producing WMD-like effects. Such catastrophic effects are possible in cyberspace because of the existing linkage of cyberspace to critical infrastructure SCADA systems. Well-planned attacks on key nodes of the cyberspace infrastructure have the potential to produce network collapse and cascading effects that can severely affect critical infrastructure locally, nationally, or possibly globally. For example, electromagnetic pulse events could cause widespread degradation and outright destruction of the electronic components that comprise cyberspace leading to the debilitating destruction of segments of the cyberspace domain in which operations must occur.
  • Disruptive threats are breakthrough technologies that may negate or reduce current US advantages in warfighting domains. Global research investment, development, and industrial processes provide an environmental conductive to the creation of technological advances. DOD must be prepared for the increased possibility of adversary breakthroughs due to the continuing diffusion of cyberspace technologies.
  • Natural threats that can damage and disrupt cyberspace include acts of nature, such as floods, hurricanes, solar flares, lightning, and tornados. These types of events often produce highly destructive effects requiring DOD to support the continuity of operations in cyberspace, conduct consequent management, and restore cyberspace capability. These events also provide adversaries the opportunity to capitalize on infrastructure degradation and diversion of attention and resources.
  • Accidental threats are unpredictable and can take many forms. From a backhoe cutting a fiber optic cable of a key cyberspace node, to inadvertent introduction of viruses, accidental threats unintentionally disrupt the operation of cyberspace. Although post-accident investigations show that the large majority of accidents can be prevented and measures put in place to reduce accidents, accidents must be anticipated.[19]

References[]

  1. President's Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America's Infrastructures, at ix (Oct. 1997).
  2. U.S. Department of Homeland Security, Privacy Impact Assessment for the Initiative Three Exercise 3 (Mar. 18, 2010) (full-text).
  3. Partnering for Cyber Resilience: Risk and Responsibility in a Hyperconnected World-Principles and Guidelines, at 14.
  4. National Cyber Security Strategy 2016 to 2021, Glossary, Annex 2, at 75.
  5. ]Id.
  6. Peter Eisler, "Reported Raids on Federal Computer Data Soar," USA Today (Feb. 17, 2009) (full-text). Based on data reportedly provided to USA Today, the U.S. Computer Emergency Readiness Team (US-CERT), found that known cyberattacks on U.S. government networks rose 40% in 2008 compared to 2007. While this survey focused on U.S. government computer systems, telecommunications networks are maintained by private industry, and any degradation to these services or components would necessarily have negative implications for both public and private cyber activities.
  7. 42 U.S.C. §5195c(e).
  8. Of note, many of the cyber-related incidences that were found to have negatively affected control systems connected to physical infrastructure components were resolved as being the work of current or former employees who had access to and knowledge of the architecture of the affected network.
  9. Jeanne Meserve, "Staged Cyber Attack Reveals Vulnerability in Power Grid," CNN Online (Sep. 26, 2007) (full-text).
  10. See Center for Strategic and International Studies, Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency, at 12 ("we expected damage from cyber attacks to be physical (opened floodgates, crashing airplanes) when it was actually informational").
  11. House Permanent Select Committee on Intelligence, Cyber Security: Hearing on the Nation's Cyber Security Risks, 110th Cong. (Sept. 18, 2008) (statement of Paul Kurtz, Former Senior Director, Critical Infrastructure Protection, White House Homeland Security Council).
  12. The Charlie Rose Show, "Interview of Mr. Mike McConnell, Director of National Intelligence," PBS, Jan. 8, 2009.
  13. GAO analysis based on data from the Director of National Intelligence, Department of Justice, the Central Intelligence Agency, and the Software Engineering Institute’s CERT Coordination Center.
  14. Joe Weiss, "Control System Cyber Vulnerabilities and Potential Mitigation of Risk for Utilities" 3-4 (Juniper Networks, Inc. 2009).
  15. Office of the Director of National Intelligence, "Unclassified Statement for the Record on the Worldwide Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence," at 8 (Jan. 31, 2012).
  16. Peter Eisler, "Reported Raids on Federal Computer Data Soar," USA Today (Feb. 17, 2009) (full-text). Based on data reportedly provided to USA Today, the U.S. Computer Emergency Readiness Team (US-CERT), a Department of Homeland Security entity, found that known cyberattacks on U.S. government networks rose 40% in 2008 compared to 2007. While this survey focused on U.S. government computer systems, telecommunications networks are maintained by private industry, and any degradation to these services or components would necessarily have negative implications for both public and private cyber activities.
  17. For more information on cyberattackers' capabilities, see Terrorist Capabilities for Cyberattack: Overview and Policy Issues.
  18. 42 U.S.C. §5195c(e). For more on U.S. efforts to protect critical infrastructures, see Critical Infrastructures: Background, Policy, and Implementation.
  19. National Military Strategy for Cyberspace Operations, at C-1, C-2.

Sources[]

See also[]

Advertisement