What happens when the Net is attacked?
That's the question an obscure Homeland Security project is attempting to answer. So far, so good.
Without a comprehensive understanding of the potential economic impacts from cyber attacks, it is difficult to make an informed decision regarding ... countermeasures.'
'Andy Purdy, DHS
When a building collapses, you can see the devastation. When a network is brought to its knees, the effects are less obvious. That's why a little-known research institute funded by the Homeland Security Department is working to bring some order to the study of cyberattacks.
Despite annual reports from the FBI and repeated consultant studies, surprisingly little is known about the real costs of malicious code, denial-of-service and other attacks, because the companies that own the infrastructure are reluctant to share the information.
'Historically, the threat of cyberattacks has not received as much attention as the physical threat posed by terrorism and natural disasters,' said Andy Purdy, acting director of the DHS National Cyber Security Division.
As a result, estimates of financial impact have been based on guesses, said Scott Borg, director and chief economist for the U.S. Cyber Consequences Unit. There has been little solid data to analyze, and no tested methodologies to analyze it.
We don't even know what threats we should be protecting ourselves against.
'So much of what we have been hearing about cyberattacks was just hearsay,' Borg said. 'We found out a lot of things people were worried about were extremely unlikely.'
US-CCU was established in 2004 with a shoestring, four-month budget of $200,000 to do surveys of the electrical-power and health care sectors. Other industry sectors providing critical infrastructure were to be added later.
'We were very naive,' Borg said. 'The research project proved larger and more difficult than anticipated.'
The original contract was stretched out to cover a year, and now'well into its second one-year contract'US-CCU is still in what Borg calls a 'rather extended start-up phase.''We have time'
Fortunately, doomsday scenarios such as shutting down the power grid or the Internet are not likely to occur soon.
'These are not impossible, but they are way harder to do than a lot of people anticipated,' Borg said. 'Al-Qaida is not going to shut down the Internet or the power grid. So we have time.'
To use that time wisely, US-CCU recently released a security checklist to help enterprises focus on real-world consequences of cyberattacks. Borg and research director John Bumgarner based the 478 checklist items on their on-site visits.
'We started seeing huge vulnerabilities during our visits,' Borg said. Most of the systems they evaluated were compliant with current security checklists and industry best practices. 'And portions of those systems were extraordinarily secure. But they were Maginot lines,' susceptible to being outflanked.
The problem was that existing best practices were static lists based on outdated data. The US-CCU list shifts the focus from perimeter security to monitoring and maintaining internal systems. The problem with perimeter security is that there is always some way to circumvent it.
'We are way into diminishing returns on our investments in perimeter defense,' Borg said. 'To deal with it now, you have to think of the problem of cybersecurity not from a technical standpoint, but by focusing on what the systems do, what you could do with them and what the consequences [would] be.'
Unfortunately, the tools for analyzing consequences have been lacking. The biggest roadblock has been the unwillingness of companies to share data, either with other companies or with the government.
'Without a comprehensive understanding of the potential economic impacts from cyberattacks, it is difficult to make an informed decision regarding investment in and prioritization of countermeasures,' Purdy said.
It was Purdy's predecessor in the Cyber Security Division of DHS, Amit Yoran, who authorized formation of US-CCU in April 2004. But the initial impetus came from the department's Private Sector Office, which was concerned about the lack of credible information about the costs of cyberattacks.
Borg, a senior research fellow at Dartmouth College's Tuck School of Business, had given briefings to government agencies and corporations on his models for economic analysis. He also had been chief economist on the Livewire cyberattack exercise in 2003 and served in the same capacity in this year's DHS Cyber Storm exercise. He was tapped to lead the effort.
Borg advocates applying real-world economics rather than quick-and-dirty estimates to the cost of cyberattacks.
'The cost of cyberattacks can be assessed by looking at how they change the overall inputs and outputs of business,' Borg wrote in his funding proposal to DHS.
This is obvious, but previous attempts have simply added up the cost of lost capacity attributed to attacks, without taking into account how much capacity is normally used or how much value it creates. Disruptions in critical infrastructure are often mitigated by work-arounds or by postponing an activity, and value is not completely lost.
Initial studies by US-CCU have produced some surprises. In an era of just-in-time inventory and high-speed delivery, shutting down a company or a portion of the infrastructure is normally seen as the greatest threat to productivity.
'But shutting things down for up to three days just doesn't cost much,' Borg said. Systems have enough excess capacity and inventory to survive short shutdowns well.
On the other hand, poorly secured process control systems, which form a nexus of the nation's physical and IT infrastructures, appear to be a greater danger than anticipated. These supervisory control and data acquisition'or SCADA'systems, have long been a security concern.Cybersurprise
'I had already been paying attention to SCADA systems,' Borg said. 'But I was surprised by the degree of interconnections with the Internet.
'Most of this stuff has not been a big surprise to the relevant business people,' he said. The problem has been the lack of communication among business people and between business and government, because much of this information is proprietary.
It was this wariness that required US-CCU to be set up as an independent institute, working at arms-length from DHS and able to protect corporate data from government.
Funds for US-CCU have been funneled through a General Services Administration contract with Sonalysts Inc. of Waterford, Conn., an e-business consulting group that is the legal and financial administrator for the unit.
US-CCU has been able to survive on its shoestring budget because the 10-person staff uses its own day-job offices, and much of their work is donated, Borg said.
His next goal at US-CCU is to develop more industry-specific security tools, because one size does not fit all in IT security.
'No wonder we have vulnerabilities,' he said. 'This is a huge opportunity for both security vendors and the hacker community.'
But instability within the DHS Cyber Security Division has hampered the unit's ability to gain either funding or attention, Borg said. Yoran resigned in September 2004, and Purdy remains in an acting capacity nearly two years later. A newly created slot for assistant secretary of cyber-security is unfilled, and personnel changes have limited institutional memory. The draft of the US-CCU cyber-security checklist was released in April without the DHS name or seal and has yet to be vetted by the department.
'I have tried hard to keep the National Cyber Security Division informed about the CCU's work and sought guidance on the release of the checklist,' Borg said. He tried to set up a meeting to discuss the checklist, but 'the relevant people seemed to have trouble fitting me into their schedules.'
Still, Purdy said that 'understanding the consequences of cyberattacks is particularly important in assessing the risk to a critical infrastructure,' and this requires a 'quantitative, systematic and rigorous process,' which US-CCU is striving to provide.
Let's hope it's given the chance to succeed.