
Article information

  • Title: Protect and survive: communication networks can only be protected against cyber terrorist attacks if telcos, governments and end-users work together - The Future of Telecom
  • Author: Debi Ashenden
  • Journal: Telecommunications International
  • Print ISSN: 1534-9594
  • Year of publication: 2003
  • Volume: Jan 2003
  • Publisher: Horizon House Publications

Protect and survive: communication networks can only be protected against cyber terrorist attacks if telcos, governments and end-users work together - The Future of Telecom

Debi Ashenden

We are only too aware of the presence and impact of physical terrorism but, as with most high-profile catastrophes, we tend to adopt an 'it will never happen to me' attitude. Yet even though physical acts of terrorism are thankfully rare, another threat is emerging -- cyber or computer-based attacks -- and it can't be ignored.

Cyber attacks involve the disruption, destruction or alteration of data within computer-based systems. The aim is to acquire information or temporarily disable the system. When used to disrupt telcos, tandem acts of physical terrorism may be used to heighten the chaos. For example, imagine if terrorists disrupted the telephone systems of the emergency services prior to a physical attack. One can only imagine the horror that this situation would create.

A particular concern for telcos is that the opportunity for exploiting network vulnerabilities with electronic attacks has increased dramatically over the past five years due to the development of a number of circumstances and conditions. Most notably, the rapid proliferation and integration of network and computer-based systems has created an increasingly complex interdependence between organisations. For the terrorist, this expanding network represents an exploitable weakness -- a backdoor into a company's IT systems through which worms, viruses and other cyber threats can pass. As more organisations embrace the internet, the number of doors available to the terrorist increases.

Additionally, the growing interdependency between companies means that by attacking one organisation the terrorist can indirectly affect another. This is why telcos are such an obvious target: disabling their network infrastructure has a profound effect on the organisations that use their services.

Rising cyber crime

Over the last five years the number of cyber attacks on telcos and their networks has increased significantly. Carnegie Mellon University's computer emergency response team, based in the US, reported 3,700 attacks on telco networks in 1998 while in 2002 it is set to increase to a staggering 110,000. In the UK, security analysts have recently reported a 30 per cent increase in cyber attacks on the critical national infrastructure between 2001 and 2002, of which carriers represent a significant proportion.

On the other side of the world, the Australian government reported that cyber crime against carriers has increased threefold in the last three years. Nearly 67 per cent of companies have suffered attacks on their networks with reported losses of US$5.78 bn, a figure that now outstrips the US.

Cyber crime is a reality worldwide. However, what is particularly frightening is that although cyber crime is increasing, awareness of the threat and its potential consequences remains painfully low among the majority of global carriers. Research undertaken by the Institute for Communications Arbitration and Forensics and the Communications Management Association concludes that most UK and European carriers fail to understand or acknowledge the threat of cyber crime. In addition, IT Week recently conducted a survey which indicated that over 95 per cent of telcos in Europe and the UK do not consider cyber terrorism as a threat and do not have adequate protection. The same pattern exists in the US. The TIA (Telecommunications Information Authority) concluded that two thirds of the 250,000 attempted break-ins into the department of defence's networks were successful.

A means to an end

The reason why telcos are under threat is because they provide the pipeline of networks that almost every company or government organisation in the world depends on to conduct their business. For the terrorist or pressure group, what better way to cause chaos or weaken a nation's defences before a physical attack?

The potentially horrifying consequences of an attack on the emergency services communication systems are clear. But what about air or ground military installations that rely on communication networks to coordinate their defence strategies, or air traffic control systems that need communications to ensure the safety of air traffic? Or even chemical process plants that deal with hazardous material - such companies are increasingly using web browsers to monitor their plant operations and process controls. Without the networks to support these browsers the consequences of systems failures could be widespread, especially for nuclear power plants that process radiated material.

What is a real concern is that even though the consequences of such attacks are so potentially devastating, telcos remain viable targets for pressure groups and hackers. Not only could many of them have insufficient security defences, but there are also websites that have step-by-step guides on how to gain access to network infrastructures, including government emergency telephone systems. Access to such readily available information is making the terrorist's job easy, and makes the telco an increasingly vulnerable target.

Are you protected?

It would be unfair to suggest that action to protect networks against cyber terrorism has so far been totally inadequate. There are already a number of government-funded bodies, especially in the UK and the US, set up specifically for this purpose. In the UK the government has formed the National Infrastructure Security Coordination Committee (NISCC), which advises telcos on threats, post-attack procedures, as well as on security products and solutions. However, the threat assessment services they offer are at a national level and are not sufficiently granular to offer companies accurate information about the threats that they face individually from a technically proficient hacking organisation.

In the US similar organisations have been set up. For example, the President's National Security Telecoms Advisory Committee (PNSTAC) was recently established to provide security advice and protection for the telecoms sector. PNSTAC consists of a high-level group of senior managers from security suppliers and operators who counsel the president on national security issues. In addition, an information security standards board exists to manage conformity and enforce new security standards and legislation.

So, there is clearly evidence that in some countries the structure is already in place to help governments implement and manage IT security for this sector. However, one of the key difficulties facing governments worldwide is persuading the industry's players to actively engage with these issues at a national level. Telcos are commercial organisations and are understandably reluctant to work towards anything that involves collaborating with competitors or that distracts them from their business agenda. This approach can make it difficult for them to work collectively. Some don't see themselves as part of a wider, interdependent infrastructure and many view the threat of cyber terrorism as fanciful.

A great deal of effort has already been made by telcos to protect their own computer systems, even if it is on an individual rather than collective level. Some global carriers have invested large sums on intrusion detection software supplied by vendors such as Tekelec and Fortinet.

However, there is little evidence to suggest these carriers have put anything in place to protect the organisations that use their networks.

Protecting our future

Communication networks will never be truly safe until all parties are active in their protection, and that includes government bodies, carriers and the companies using the network.

To achieve this, governments across the world need to take the lead and ensure that all parties are pulling together to achieve a more secure communications infrastructure. Plans need to be put in place now to improve awareness amongst carriers and companies that provide critical services, to galvanise them into action. This can be achieved indirectly, through organisations such as the NISCC, or more directly through government legislation that forces change.

The first step is to educate the network operators and make them more aware of the important role they play and the devastating consequences if a large-scale cyber terrorist attack were to happen. This would create the required urgency, encouraging greater cohesion and a culture of self-help. Equally, governments need to target companies and organisations that provide critical services, such as utilities or emergency services, making them aware of their responsibility to protect their networks. They also need to give them adequate assistance to achieve this. Only when this level of awareness and desire for self-preservation has been achieved will carriers and other critical service providers consider implementing more robust security strategies.

The first and most crucial step is to perform an accurate risk assessment. Risk is a variable that cannot be applied equally to every. Each has a different level of risk dependent on a whole range of circumstances, factors and variables, and so a different level of protection is required for each. QinetiQ Trusted Information Management, a former part of DERA and now information security provider to commercial organisations, has developed a unique risk assessment model that enables companies to build up an accurate risk profile.

The methodology takes companies through a number of steps, leading to a final risk assessment. The model encourages companies to look at both the external factors contributing to risk, such as threat capability, inhibitors, amplifiers and event catalysts, as well as internal risk factors, such as system vulnerability and protection.

Threat capability looks at the aggressor's ability to sustain an attack, assessing factors such as available technology, training facilities, methodologies and finances. Inhibitors are factors that may reduce the risk of attack, such as fear of capture, and the level of technical difficulty that the attack presents. Amplifiers are factors that may encourage an attack, such as access to information, or changing technology that presents a weakness. Finally, catalysts are external events that may trigger an attack, such as armed conflict between two countries, or the advent of new hacking techniques.

From an internal perspective, the model encourages carriers to assess their weaknesses, and identify where their system vulnerabilities lie. Under the pretext that access will only be possible from the exploitation of weaknesses, vulnerability testing is crucial here. Vulnerability can be tested in a number of ways, including extensive penetration testing or other intrusion techniques.

Once the carrier is aware of the risk they face, they can invest in the appropriate security protection. This may be through technical solutions or through 'soft' methods of processes, procedures and awareness training. There is a huge range of protection software, systems and methodologies available on the market - from intrusion detection software and firewalls to encryption, PKI and security architecture models. There is little point in giving advice on which solutions to choose, because requirements will vary depending on the level of risk and the circumstances of each organisation. What can be said is that if an accurate risk assessment is performed first, carriers can rest assured they have made a shrewd investment and are well protected if a cyber attack were to take place.

Debi Ashenden, managing consultant, QinetiQ Trusted Information Management


COPYRIGHT 2003 Horizon House Publications, Inc.
COPYRIGHT 2003 Gale Group
