2012: The year in cybersecurity

Cyberspace was more dangerous than ever in 2012. With the emergence of highly sophisticated attacks, adversaries were pilfering information and generally wreaking havoc on the digital infrastructure. The cyber battlefield became a reality, and federal agencies stepped up their efforts to fight an invisible enemy.

FCW asked a variety of experts how 2012 will be remembered in the history of cybersecurity — and what those developments might mean for federal agencies in the years to come.

1. A change in attackers’ battle plans

Cyber experts and top government IT security officials have noted a sharp increase in cyber assaults in the past half-decade. From 2006 to 2011, federal agencies experienced a 680 percent spike in cyberattacks. The Department of Homeland Security alone was bombarded with 50,000 attacks in a five-month period.

There are a growing variety of assault methods, but coordinated and high-precision attacks on infrastructure in particular increased in 2012, said Keith Rhodes, chief technology officer in QinetiQ North America's Services and Solutions Group. He cited the Stuxnet worm as an example of particularly complex malware that targeted and knocked out individual pieces of equipment. That code, generally believed to be the work of the U.S. and Israeli governments, is a preview of how attacks will likely evolve.

Attackers “basically got it down to the part number — this manufacturer, this piece of equipment, this part number,” he said. “It’s not the usual, ‘I’m going to go against a router or a switch.’ They’re going after programmable logic controllers, the infrastructure pieces.”

The main purpose of such attacks is to interrupt whatever activity the targeted device is used for. Think of an assembly line, said Rhodes, who served as the Government Accountability Office’s first chief technologist. If hackers go after a programmable logic controller of a particular type, they can accelerate it or turn it off, and the system will stop or break. By contrast, previous attacks simply shut down the entire production, he said.

“It’s a more sophisticated approach to a rather on/off brute-force approach, and that means...an adversary is trying to be more subtle,” Rhodes said. “They are trying to have not just a bunch of arrows in their quiver but they want arrows of different length, size and weight.”

Those infrastructure-based attacks are revealing the true nature of cyber weapons, said W. Hord Tipton, executive director of (ISC)2 and former CIO at the Interior Department.

“Now we see much more focused attacks with targets that are much more defined, and that makes them more stealthy,” he said. “When you’re scanning networks and looking around for vulnerabilities, you’re just banging on all the doors, and it makes it easier for our defensive teams to figure out where attacks are coming from. But now if attackers can’t find a vulnerability, they stay hidden and keep looking behind the scenes to find a way in.”

2. Heightened awareness of attacks

All that activity means agencies are more aware of their vulnerabilities, and they are taking action. “There is a lot more awareness that breaches are going to occur and that they need to be managed,” said Neville Pattinson, vice president for government affairs, standards and business development at Gemalto.

Many agencies are using smart cards for physical access, but they should also be using them to grant access to digital resources, he said. A major milestone in cybersecurity was when the Defense Department banned the use of user names and passwords to access agency computers. Now employees use Common Access Cards to log onto computers. Overnight, more than 46 percent of cyberattacks at DOD were eliminated, Pattinson said.

“That to me is one of the best practices in the defense against cyberattacks, and I think that people should really learn from that,” he said. “I think 2013 and 2014 are going to see a strong case in all federal agencies to follow the lead of DOD and enforce the use of the smart cards for logical access.”

2012 also characterized “the mask falling off what I would refer to as the invisible cyber war,” said Jamie Barnett, senior vice president of national security policy at the Potomac Institute for Policy Studies.

“We all can see the effects of a cold war, with the discovery of Flame [malware] and some of the other cyber weapons,” he said. “It’s clear that there is an invisible war going on, both offensive and defensive, such as espionage missions and reactive measures as well.”

With the onslaught of attacks on the banking industry, including Bank of America and Wells Fargo, came the realization that government and industry need stronger collaboration, said Barnett, who previously served as chief of the Federal Communications Commission's Public Safety and Homeland Security Bureau.

“Typically, what we were hearing from the private sector is, ‘Government, don’t get involved; we’ve got this covered,’” he said. “But the attacks on the financial sector [were] a wakeup call that there needs to be a partnership between the private sector and government and other stakeholders.”

What is also different from previous years is the recognition from senior government leaders that the cyber threat is real, and digital assets, infrastructure and information must be protected, Rhodes said.

“Let’s say you’re a CIO at Department X,” he said. “It’s very hard to argue a secure posture if there isn’t recognition at the top of the pyramid that the threat is real and that we are under attack.”

3. Dedicated efforts to boost cybersecurity

At the national level, cybersecurity is no longer spoken of in vague terms, Rhodes said. “Now, we have a president who talks about how cyberattack is an act of war,” he said, referring to Presidential Policy Directive 20, a classified document that outlines protocol and procedures for the U.S. military to take in thwarting cyberattacks from other nations.

“This goes beyond just cyber defense and protecting networks,” Barnett said. “We’re not going to stand in the corner with boxing gloves covering our faces. We’re going to take a swing if anyone is trying to harm our national interests in cyberspace.”

For agencies, 2012 was the year when they stepped up efforts to harden their systems despite tighter budgets, Tipton said. “They’re recognizing that even though money is hard to come by, cybersecurity is certainly not an area where you can afford to fiscally constrain,” he said.

The FCC, for example, launched voluntary cyber initiatives that include the U.S. Anti-Bot Code of Conduct for Internet Service Providers. However, “I think we’re nearing what can be done on a voluntary basis before we need the authorities,” Barnett said.

“We always worry about someone breaking in, but with the telecommunications supply chain threats, the threat is built into your system — your hardware, middleware, software,” Barnett said. “I don’t think anyone in the government has the authority to do anything about the telecommunications supply chain. This is a major problem.”

Another problem is that cybersecurity education needs to start early, and “we need to appreciate that this is not something we can continue to go after and hire more super, highly technical people in the IT world and expect them to solve our problems,” Tipton said. “As badly as we need people like that, we need broader skills just as much, if not more so.”

The government has made major strides in identity management, but it remains a work in progress, Pattinson said. In terms of abandoning user names and passwords in favor of smart cards, “this year is about recognition, next year will be about preparation, and then shortly thereafter, it’s going to be enforcement,” he said.

“It’s certainly the year when people have become more sophisticated in working out how to deal with the problems, and there is a lot more knowledge,” Pattinson said. “I think it’s a year of realization that this is a very complex and serious task, and agencies have taken steps to bring into order some of the things that have been out of order.”

In 2011, Barnett said, the question for the 112th Congress was: “Is there anything we can get done?” With the 113th Congress, there will be a sharper focus on taking action, he said.

“We’ve got to move to the question of what is the most effective way for us to ensure cybersecurity, and then do just that,” Barnett added. “We’ve got to do something about it.”

But that will not be an easy task for any agency, and the rise of social media and mobile devices adds to the challenges.

“It’s always going to become more complex,” Rhodes said. “It’s just now with the ubiquity of the wireless environment and everyone walking around with their entire computing world in their hand — tablet or midsize or small mobile device — it just complicates things a lot more.”