Thursday, August 04, 2011

A NATO Cyber Shield?

Why The Pentagon’s ‘Cyber Shield’ Concept Is Hopelessly Flawed

Posted by JEFFREY CARR
Sep. 17 2010 - 1:54 pm
Courtesy Of "Forbes Magazine"


Deputy Secretary of Defense William Lynn III recently advocated that NATO members build a “cyber shield” for collective cyber defense against attacks on their networks by, presumably, non-NATO states. This would be the equivalent of NATO’s missile shield, for which Lynn’s former employer, Raytheon, is a key contractor. The cyber shield concept was raised by Secretary Lynn during a NATO meeting in Brussels on September 15:

Cyber security is a crucial element for the 28-nation alliance to adopt at its summit of leaders in Lisbon November 19 and 20, US Deputy Defense Secretary William Lynn said in Brussels.
Lynn said the alliance needs to play a significant role in “extending a blanket of security over our networks.”
“NATO has a nuclear shield, it is building a stronger and stronger defense shield, it needs a cyber shield as well,” he said.
Is Lynn really proposing to build some kind of international firewall amongst NATO member states that will keep non-member states out of their networks or is he speaking metaphorically? Please tell me it’s the latter. I would hate to think that Secretary Gates’ trust in Lynn’s abilities was so badly misplaced when he pushed for the approval of Lynn despite the fact that he was Raytheon’s top lobbyist.
The following comes from an L.A. Times article from 2009:
Raytheon, one of the five largest U.S. defense contractors, is a key supplier of missiles and radar to the military. The Waltham, Mass.-based company also produces components of the missile defense system.
If confirmed for his position, Lynn probably would have a large say in the future of the missile defense system. If the Obama administration decided to scale that program back dramatically, for instance, it would affect Raytheon.
Gates pushed hard for Lynn’s appointment and favored him over other officials suggested by the Obama transition team. At a news conference Thursday, Gates said he was impressed with Lynn and argued he should get the job despite the lobbying ban.
“I asked that an exception be made because I felt that he could play the role of the deputy in a better manner than anybody else that I saw,” Gates said.
White House officials said they had provided Levin with the language of the waiver and assured the Senate committee that Lynn would not be prevented from doing his job by recusing himself from issues involving Raytheon.
Apart from the obvious question this raises about the wisdom of hiring former lobbyists for administration positions, the entire concept of a cyber shield is hopelessly flawed. Firewalls and AV programs are completely ineffective against state-sponsored attacks because adversaries who are targeting high-value data have multiple attack vectors to choose from that would be utterly invisible to automated defenses. For example, an adversary might:
  • build something like the Stuxnet worm with multiple zero-days and valid digital certificates that exploit built-in vulnerabilities in the targeted system.
  • trigger a hardware exploit built in during the manufacturing process which opens a backdoor.
  • use social engineering to gain NATO credentials and elevate privileges inside the network.
Apart from those off-the-cuff examples, there’s the rather obvious fact that some NATO member states conduct cyber intelligence operations against other NATO members, which begs the question – who is the cyber shield supposed to be protecting us from?
All in all, if such a plan were approved, the only people who would benefit would be the defense contractors who won the award to build it. Personally, I hope it dies a quick death in Lisbon.
