Q&A: Threats to the US critical communications infrastructure

Paul Parisi is the CTO of DNSstuff.com and has an extremely broad and deep technical background offering reality based solutions to everyday issues. In this interview he discusses the biggest threats to the communications infrastructure, the full disclosure of vulnerabilities as well as cyberterrorism.

What are currently the most significant threats to the US critical communications infrastructure?
It depends on what one defines as critical communications infrastructure. Certainly this should include:

• Radio (RF) communications for law enforcement and public safety
• Telecommunications (cellular and landline telephone communications)
• Internet communications

Each of the above can support its own rational for use and value. The simplest and most effective means to impede that use/value is to limit the effectiveness of the medium. For example, if you cannot place a phone call you have reduced the telecommunications infrastructure to zero, at least for the person trying to place the call. Similarly, operating an illegal radio frequency jamming device can yield similar results in the case of RF communications.

Again with Internet communications – similar results can be attained by employing easily executed denial-of-service (DOS) attacks. All of the modes of communication are implicitly vulnerable to DOS attacks. DOS attacks are easily mitigated by detecting the source of the attack and dealing with the cause at the originating location. Distributed denial of service attacks (DDOS) are much more difficult to mitigate as they occur from many locations and may even change locations as time progresses. Additionally, if you were to render a Venn-diagram of these three mediums, it shows that there are overlaps which could exacerbate effects in any one of the mediums.

What can be done to mitigate these threats?
Let’s examine each medium:
Radio Frequency – to date, the deterrent to the compromise of the RF communications infrastructure is based solely on the law and legal enforcement as interference is detected. Government agencies, via methods of triangulation, determine locations of interference and act as necessary to address the source. If someone was not concerned with the legal repercussions it would be virtually impossible to prevent deliberate interference.
Telecommunications – again, as with all of these mediums, we have the law and its enforcement as a significant deterrent. The only truly viable means to mitigate a DOS or DDOS attack on the telecommunications infrastructure is to build private telecom networks. Many exist and have existed for years. However, it should be noted that much of the private telecommunications traffic has moved to transit over the public Internet. This presents an Achilles-heel which could be exploited.
Internet – the Internet by its very nature and design is a network of trust, largely only regulated by each participant’s common sense. In some ways it is similar to a large road and highway infrastructure, but with no police or legal authority to enforce common sense.

Typically problems are only “noticed” when it is too late and the impact of the problem is felt by multiple people. The current protocols in use on the Internet do not offer explicit nor implicit security. If we begin to layer on new protocols and allow the old protocols to persist, we leave ourselves open to nearly all of the problems of the older protocols. In response to the problems, a significant step would be to disallow the old protocols. However, this would be very painful. Potentially a new Internet could be deployed which addresses these inherent issues and only allow peering with compliant participants.

What is the biggest challenge in protecting sensitive information at the government level?
At a basic level, information should be encrypted in both its stored and transmitted states. However, while decryption is rather difficult, it is not impossible and can be easily achieved. The simplest vector for breaking encryption is that of social-engineering – convincing another person to give up access to confidential information. If the information in question is being accessed over anything that touches the Internet, that information is fundamentally less secure than information not passing over the Internet. Several high profile news reports have shown that people can misplace laptops containing large amounts of sensitive data, or backup tapes can be lost or misplaced. Data in its non-encrypted state is not protected at all. Further, when computers in the wild (taken home, or used outside of strictly controlled conditions) are used to access encrypted data, the same data is also in the wild and subject to compromise. Encryption is only as effective as the lack of persistence the perpetrator has. If you have the time, you can break most encryption schemes.

What do you think about the full disclosure of vulnerabilities?
First let’s think about this from a different angle-¦ let’s say that a consumer product is discovered to have a short coming – for example – a child’s toy has small parts which could come off and cause choking. We would all want to be informed of this issue so that we can protect ourselves and children. Full disclosure is just that – letting the people who are depending on the technology know its flaws so that they can avoid the potential danger.
Going back to the child’s toy example, if some unscrupulous person continues to sell the questionable toys and doesn’t comply with the recall, they are potentially exploiting the buyer. We mostly operate by buyer beware, but when was the last time you checked if there were any recalls on the toys your children play with. The major difference here is the agent involved in exploiting the problem.

The inherent openness and enablement of the Internet makes it easy for someone to take advantage of breaking in with little opportunity to detect it. Imagine that a flaw was discovered in a door lock that when turned three times to the left and twice to the right the door just unlocked? Maybe the door of your home has one of these locks? Do you know? But, you say, I live on a busy street and someone would see someone trying my door and call the police. You are placing some implicit trust in the context of your home and neighbors. But what if someone could try the lock remotely from across the globe, you would never know.

So to make a long answer short, full disclosure needs to be measured. I think the approach that Dan Kaminsky and Paul Vixie used in disclosing a recent DNS vulnerability is acceptable. They coordinated fixing a certain technology with all of the vendors of DNS server software prior to publicly disclosing the problem. This allowed the vendors time to get repair kits for the locks ready before details of the vulnerability were common knowledge.

What do you expect from the future? Is it likely for a serious “cyberterrorism” event to take place in the next 12 months, or do you see it as hype?
I think the future will be frustrating for organizations that depend on the Internet. One can do everything right and if someone, really anyone else on the net, does not do what they should, you will potentially feel the negative effects. The Internet is inherently not a protected system. Don’t get me wrong, it is extremely resilient, but it is not protected. The Internet functions daily at a level which was never imagined by its designers. Frankly, it is amazing it works at all sometimes. Internet vulnerabilities are not all together just hype. The scenarios are plausible and easily accomplished. So the real question is – why wouldn’t a serious event take place on the Internet?

We have already seen coordinated attacks on Estonia and Georgia. It is a well known fact that significant bot networks exist under the control of disreputable organizations. The only saving grace with bot networks and their being propagated by organized crime, it that the goal of organized criminals is to make money, and in order to achieve their goal, they need the Internet to work reliably. So it is unlikely that a bot network will extemporaneously cripple the Internet as that would be counterproductive to their goals.However, these bot networks can be rented – and those potentially renting them could task them with disruption of the Internet, at least for a time. All that is required is motive and that certainly exists in many different forms. Well informed network administrators must be ever vigilant so that their systems are properly configured and must quickly implement both reactive and preemptive security patches.