This paper was prepared for PSAA 656 – Fundamentals of Homeland Security at the Bush School of Government and Public Service at Texas A&M University. This paper was intended to give an overview of current policy around Cyber Security as it relates to the discipline of Homeland Security in the United States as well as review the potential threats to cyber security including actual events that have occurred within the US as of 2017.

Since the 1980s technology has been a major driving force in the American economy. With the advent of personal computers (PCs), which brought digital technology into the home for the first time, we saw the start of a new era. In the 1990s, as the internet began to spread and create a whole new world of commerce and communication across the globe, we started to see new opportunities in this “cyber” landscape. In the mid-2000s further advances were made in technology and the internet with new avenues of communication on the web, called social media, from companies like Facebook and Twitter. These new systems were made successful largely by the start of the smartphone era with the launch of the Apple iPhone in 2007, which put all of this computing power and “always on” internet connectivity into our pockets. These new technologies were so successful in gaining adoption by society that we now see articles discussing the hazards of social media and smartphone addiction. There is truly a saturation of technology in our everyday lives, to the point that much of western culture is highly dependent on it.

This dependence brings with it not only the popularly discussed issues, like the social media and smartphone addiction mentioned above, but also new vulnerabilities in our security. Not only have we individually become dependent on the internet for our day to day lives; so has a large portion of the nation’s critical infrastructure: financial institutions for their transactions, the healthcare industry for transmitting patient records, communications and news organizations for bringing their content to the public, and many other areas of the critical infrastructure. We have even started to see internet technology, or internet related technology, brought in as part of the control systems in different industries, including the petrochemical and energy sectors. All of these are potential targets for a cyber attack by an individual, an organization, or a nation conducting a cyberwar against the United States. Despite what much of society thinks, however, this is not a new concept. We have seen several examples in just the last decade that demonstrate the vulnerability of a nation’s critical infrastructure to cyber attack.

Precedent Overseas

The United States is very fortunate in that we have not seen the worst cyber attacks on the internet, thanks to the various laws that are in place as well as the practical protections performed in the government and private sectors due to voluntary industry best practices, government regulations, and market demand. Instead, the worst cyber attacks have been seen overseas. However, the world of technology (which includes cyber attacks) is an ever-changing landscape in which different parties’ capabilities are always increasing and evolving. Think about how much the average smartphone has advanced in just the last five years. Now apply that same rate of advancement to cyber attacks and cyber defense. Therefore, the US must stay ahead of the game on cyber defense for the country. To do so we must look to the areas where cyber attacks have been the most disruptive and learn from the tactics that were used in both the attack and the defense.

In the former Soviet state of Estonia, in February of 2007, the government sought to remove a statue that had been put in place by the Soviet Union during the Cold War. Moscow, which opposed the removal of the statue, took the conflict to cyberspace. Russia attacked most of the websites in Estonia with a Distributed Denial of Service (DDoS) attack. A DDoS attack utilizes a large number of computers that have been infected with malware that grants control of them to an individual hacker. These “slave” computers are then used to overload a server on the internet with so many requests that legitimate visitors are unable to connect to it. Imagine a highway where each of the cars is a request to the server. A DDoS attack fills that highway with cars, creating a significant traffic jam and slowing traffic to a standstill. Russia used this strategy to go after Estonia’s banks, government agencies, and the news websites of both print and broadcast journalism companies (Clarke, 2012). Because Estonia’s infrastructure in these sectors is so dependent on the internet, this created a great deal of instability in the economy and prevented government officials from communicating to their citizens that they were in fact under attack.

Probably the most important fact about this attack was that it was directed specifically at elements of a country’s critical infrastructure that 1) span both the government sector and private industry; 2) are significant elements used for public safety, especially during an emergency (specifically a country’s means of communication and its financial industry); and 3) were targeted primarily to create chaos and instability within the target country. The primary response by Estonia to this attack was to blame the Russian government; however, there was never any concrete evidence pointing to the Kremlin. “It is not a stretch to imagine that they (the Russian government) also asked organized crime groups to launch the hackers in their employ, perhaps even giving those hackers some information that would prove helpful. Did the Russian government security ministries engage in cyber attacks on Estonia? Perhaps that is not the right question. Did they suggest the attacks, facilitate them, refuse to investigate or punish them? And, in the end, does the distinction really matter when you are an Estonian unable to get your money out of a Hansapank ATM?” (Clarke, 2012). What Richard Clarke is pointing out in his book, Cyber War, is the great difficulty of attributing a cyber attack to a particular actor (whether a state or non-state actor). At the same time he is asking the very appropriate question of whether or not it really matters from a response point of view.

Whoever perpetrated the Estonia attack, their target was simply the cyber components of Estonia’s infrastructure. Put another way, there was no real world damage as a result of the attack. But what about situations in which a cyber attack’s goal is some kind of damage in the real world? The most notable example where this has occurred is in Iran at the Natanz Uranium Enrichment Facility in 2009. It was discovered that a computer worm, called Stuxnet, had worked its way into the control system of the centrifuges responsible for enriching uranium. This malware was very targeted and only attacked the programmable logic controllers (PLCs) that were found in this facility. PLCs are used in most industrial systems today to automate what used to be manual processes such as opening and closing valves, turning different motors on and off, and many other mechanical processes. This cyber attack used the PLCs that controlled the motors to speed up and slow down the centrifuges, creating instability in the system that would permanently damage them. The idea was to significantly reduce the Iranians’ capability to enrich uranium for use in nuclear weapons (Wired, 2014). The attack was successful and caused the destruction of several of the Iranian centrifuges. While no one has admitted to creating the Stuxnet worm, it is commonly presumed in the cyber security sector that it was created through the cooperation of the United States and Israeli intelligence communities. This is the first known instance in which a cyber attack yielded its primary result in the real world. Something that is important to keep in mind is that the PLCs that were attacked by Stuxnet are not unique to nuclear enrichment facilities in Iran. PLCs are found throughout industry in the petrochemical and energy sectors and are used as the means of computer control and automation for the bulk of the processes found at chemical plants, oil refineries, power plants, and other similar sites.

So the primary effect of Stuxnet on the cyber security world was that we are no longer looking at cyber threats as just something that affects websites and databases. Cyber threats are now something that can have an effect in physical space as well as in cyberspace.

Given the kinetic attacks that have been seen overseas, it has only been a matter of time until we saw at least the threat of similar attacks here in the United States. Many of the tactics that terrorist groups like ISIS have used in places like Europe are now starting to make their way to the United States. For example, earlier this year, in June 2017, a terrorist drove a truck off the road and into pedestrians, killing eight and leaving forty-eight severely injured (The Sun, 2017). Fast forward to November 2017 and another similar attack was conducted in Manhattan, where a terrorist drove a truck off the road and into pedestrians and bicyclists, killing eight and severely injuring a dozen more (CNN, 2017). Cyber attacks are no different in that the attacks we see overseas could easily be brought to the United States, especially given the nature of the internet, in which people can move across geographic borders with little to no resistance.

Attacks in the United States

We’ve seen cyber attacks overseas that have involved a wide range of targets and end goals, from disruption of an internet connected society like Estonia to real world effects like what was seen with Stuxnet in Iran. But what kind of cyber attacks have been seen in the United States? While the US has been very fortunate in that we have not seen any serious damage as a result of cyber attacks, we have not been immune as a target.

Bowman Avenue Dam Control Breach, 2013

In 2013, from late August to mid September, Hamid Firoozi successfully gained access to the Supervisory Control and Data Acquisition (SCADA) system of the Bowman Avenue Dam in Rye Brook, New York (Newsweek, 2016). SCADA systems are used throughout the industrial world as a way to control and receive feedback from modern industrial systems. They are used heavily in multiple industries including petrochemical, energy, and dams used for flood control, as was the case with the Bowman Avenue Dam. From a typical SCADA system, individuals are able to control the various programmable logic controllers (PLCs) that are used to control different parts of the industrial process. In the case of the Bowman Dam, a SCADA system would be used to report water levels and other vital statistics about the dam to the team of supervisors and would also provide the ability to change different settings within the system, including the ability to open and close floodgates from a computer screen at a central location.

Firoozi was able to gain total access to this SCADA system because it had been connected to the internet over a cellular modem (Time, 2016), not unlike how the mobile hotspot that is built into the typical smartphone works. He was able to gather information such as water level and water temperature from the SCADA system. Luckily, however, he was not able to operate the floodgate that could have been used to flood the entire community of Rye Brook. I say luckily because it was not due to any cybersecurity countermeasures that had been taken prior to the attack. Instead it was because the equipment that controls the opening and closing of the gate had coincidentally been manually disconnected for maintenance at the time of the attack. This was a disaster that was avoided entirely because of blind luck.

The general public learned of this attack when the US Justice Department unsealed an indictment in 2016, three years after the attack, against Firoozi and six other Iranian nationals for cyber attacks that were conducted against targets in the United States. Most of the targets mentioned in the indictment were financial institutions. The Bowman Dam was the only target outside the financial industry. “The FBI has said they worked for two private security computer companies in Iran that operate on behalf of the Iranian government” (Newsweek, 2016). While an indictment has been filed, it is unlikely that any of the seven defendants mentioned in the indictment will ever see jail time, since they all reside in Iran and were able to conduct their attack from there.

Dyn DDoS Attack, 2016

A major element of what makes the modern internet work is a series of servers all over the globe that provide what is called the Domain Name Service (DNS). Prior to the development of DNS for the internet, all connections between computers had to be made using IP Addresses. At the time, an IP Address was a collection of four numbers that each ranged from 0 to 255, for example 192.168.0.1. Each IP Address represented a different machine on the internet, functioning much like a phone number for that machine. However, this became very cumbersome as the number of machines on the internet grew exponentially over the years. This is where the development of DNS servers came into play. If IP Addresses are the phone numbers of the internet, then DNS servers are the phonebook. A DNS server contains a simple listing of every domain name and the IP Address of the server that domain name represents. So for example, if you have a website hosted on a server whose IP Address is 192.168.0.1 and you want the domain name “www.example.com” to take visitors to your website on the correct server, then you register that domain name with the DNS service to point visitors to 192.168.0.1. All of this is done automatically behind the scenes by your web browser as you visit different websites. If you type “www.example.com” into your web browser, the first thing it will do is ask the nearest DNS service for the IP Address of the server hosting that website and then take you to that server. DNS is particularly useful today as IP Addresses have become much more complicated in order to allow for more machines on the internet. The internet has moved away from the prior standard, known as IPv4, to the current standard, known as IPv6. An IPv4 IP Address may look like the one mentioned before, 192.168.0.1, while an IPv6 IP Address may look like 2001:0db8:85a3:0000:0000:8a2e:0370:7334. The older standard allowed for over 4.29 billion machines on the internet, while the new standard allows for 340,282,366,920,938,000,000,000,000,000,000,000,000 different machines on the internet. As you can see this is a huge increase in capacity, but it makes DNS that much more essential to the successful operation of the internet.
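To make the phonebook analogy concrete, here is a toy model of a caching resolver in front of an authoritative DNS server that stops answering, which is what clients experienced when Dyn’s servers were flooded in the attack described below. This is an added illustration, not code from the paper or from any real DNS software; the zone data, the 300 second TTL and the addresses are constructed.

```python
"""Toy model of DNS name resolution when the authoritative server goes quiet.

Constructed example: the web server stays up the whole time; the only thing
that fails is turning the name into an address. A resolver's cache keeps
answering until the record's time to live (TTL) runs out, after which the
site is unreachable even though nothing on the site itself was attacked.
"""
from dataclasses import dataclass, field


class ResolutionError(Exception):
    """Raised when a name cannot be turned into an IP address."""


@dataclass
class AuthoritativeServer:
    # Hypothetical zone data: name -> (address, ttl_seconds)
    records: dict
    reachable: bool = True

    def query(self, name):
        if not self.reachable:
            # Under a flood the request is simply never answered; the
            # client sees a timeout rather than an error message.
            raise ResolutionError(f"no answer from authoritative server for {name}")
        if name not in self.records:
            raise ResolutionError(f"no such domain: {name}")
        return self.records[name]


@dataclass
class CachingResolver:
    upstream: AuthoritativeServer
    # name -> (address, expires_at) in the same time units as `now`
    cache: dict = field(default_factory=dict)

    def resolve(self, name, now):
        cached = self.cache.get(name)
        if cached is not None and cached[1] > now:
            return cached[0]          # still within TTL, no upstream needed
        address, ttl = self.upstream.query(name)
        self.cache[name] = (address, now + ttl)
        return address


def simulate_outage():
    """Return what a client sees at three points around a flood of the authoritative server."""
    auth = AuthoritativeServer(records={"www.example.com": ("192.168.0.1", 300)})
    resolver = CachingResolver(upstream=auth)
    seen = {}

    # t=0: normal operation; the answer is cached for 300 seconds.
    seen["before_attack"] = resolver.resolve("www.example.com", now=0)

    # t=60: authoritative server flooded, but the cached record is still valid.
    auth.reachable = False
    seen["during_attack_cached"] = resolver.resolve("www.example.com", now=60)

    # t=400: cache expired and the server is still flooded, so resolution fails
    # even though the web server at 192.168.0.1 never went down.
    try:
        resolver.resolve("www.example.com", now=400)
        seen["during_attack_expired"] = "resolved"
    except ResolutionError:
        seen["during_attack_expired"] = "unreachable"
    return seen


if __name__ == "__main__":
    for stage, outcome in simulate_outage().items():
        print(f"{stage}: {outcome}")
```

The model shows why an outage like Dyn’s appears uneven to users: whoever still holds a cached answer keeps getting through until the TTL expires, and longer TTLs on critical records are one modest mitigation against this kind of flood.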

Dyn is a New Hampshire based company that provides DNS service and allows some of the biggest names on the internet to be quickly and easily reached by the general public browsing the web. If you are visiting sites like Netflix, Twitter, Spotify, Airbnb, Reddit, Amazon, or PayPal, then you are doing so by using Dyn’s DNS service (Daily Signal, 2016). Just that small sampling of very popular sites will likely cover 90% to 95% of the internet users from the US on any given day. So it was noticed very quickly when, in October of 2016, many of these sites suddenly could no longer be reached by visitors. Hackers used a DDoS attack to go after Dyn’s DNS servers, not unlike what Russia used to attack servers in Estonia in 2007. DDoS is not an overly advanced tactic for hackers to use. However, it is a very popular and effective one. As the DDoS attack was carried out, flooding the DNS servers with an enormous number of requests from the attackers’ machines, legitimate requests from regular users trying to visit these websites could not get through.

What was unique about the DDoS attack, aside from the volume of illegitimate requests the attackers were able to generate, was the type of slave devices the hackers used. Most DDoS attacks in the past have used traditional PCs that have been infected with malware. In the case of the Dyn attack, the attackers used a wide variety of internet connected devices that were infected with malware. So instead of desktops and laptops, the slave machines in this case were all devices that fall under the new category, “Internet of Things” (IoT). This included smart printers, internet connected security cameras, baby monitors, DVRs, and many others. The attackers were able to infect all of these devices with malware called Mirai which granted them control over these devices to work as fake web browsers making multiple requests to Dyn’s DNS servers (Daily Signal, 2016).

This raises two significant issues for cyber security professionals. The first is the security of what is essentially the backbone of the internet, the DNS servers. Without these servers, significant portions of the internet would be made unreachable without the attacker having to target specific websites, as the Russians did in the 2007 Estonia attack. The question that needs to be asked is how secure DNS servers are against a DDoS attack. For areas of the internet utilized by our critical infrastructure, such as the financial industry, news websites, government websites, communications, and others, how secure are the DNS servers that connect US citizens to those websites? Could those essential websites be brought down by an attack like this? The second issue is how secure this new class of internet connected device in the world of IoT is against malware infection and/or takeover by an attacker. Our society is becoming more and more connected every day as we add internet connections to everything in our homes, from baby monitors, to DVRs, to refrigerators, to home security systems. Is proper cyber security being built into these internet connected devices? If not, what attacks could be launched in the future against our infrastructure using these devices?

It is still unknown who the perpetrators of the Dyn attack are. Initially the hacktivist groups Anonymous and New World Hackers claimed credit for this attack, saying that it was in retaliation for the Ecuadorian government cutting off internet access for WikiLeaks founder Julian Assange, who had been in their embassy under political asylum since 2012. At the time of this attack Assange and WikiLeaks had been heavily involved in leaking emails that were stolen from Hillary Clinton’s personal email server while she was running against Donald Trump in the 2016 Presidential Election (Politico, 2016). However, some security researchers doubted the two groups’ claims of credit on the basis that both had falsely claimed credit for high profile cyber attacks before, and instead pointed to amateur hackers simply playing around to see what they could do (TechCrunch, 2016). For example, New World Hackers claimed credit for attacks against the websites of the Trump hotel chain, the Republican presidential campaign, and Xbox Live, but it was never proven that they were the culprits.

The significant element of this attack was how widespread its effects were. It was generally random in terms of the kinds of websites that were affected: social media platforms like Twitter; news websites like Wired, BBC, and CNN; e-commerce websites like Amazon and Airbnb; financial websites like PayPal and Visa; and entertainment websites like Netflix, DirecTV, Comcast, and Xbox Live. There really is no pattern. It was extremely disruptive to day to day activity on the internet, but at the end of the day it was simply an inconvenience for users. However, it would not be difficult to imagine this attack being used in a more focused way that would be more than just a disruption.

WannaCry Ransomware, 2017

In May of 2017 a new ransomware worm started to spread very quickly across computers running Microsoft Windows. Ransomware is a type of malware that, once deployed on a system, uses strong encryption to fully encrypt all of the files stored on the computer, thus preventing the owner of those files from accessing them. In order to regain access the owner must obtain the decryption key, which only the original programmer of the worm would have. To do this, a ransom is paid to the programmer in the form of a hard to trace digital currency such as Bitcoin (Trend Micro, 2017). The early reports of WannaCry came from Europe, especially the United Kingdom’s National Health Service. However, demonstrating the ability of cyber attacks to quickly and easily move across national borders, the US drug manufacturer Merck, as well as the international law firm DLA Piper, were hit by WannaCry as well (Recode, 2017).

Of note in this attack was that the WannaCry worm was able to spread using a vulnerability in the Microsoft Windows operating system which was identified in a series of documents and software that were leaked by the hacker group Shadow Brokers. This information was allegedly stolen from the National Security Agency (NSA) and included information on how to exploit a vulnerability that the NSA had codenamed “EternalBlue” (Trend Micro Blog, 2017). This vulnerability allowed the WannaCry worm to spread on its own from system to system on a network, as well as through email in the form of an attachment. In short, a cyber weapon that was apparently developed by our own intelligence community had been leaked to the public and was now being used against the West.

Attribution of this attack to a particular attacker seems to have been at least partially successful. Unlike the Dyn attack, where different hacktivist groups have tried to claim credit but their claims cannot be confirmed by security analysts, and the Bowman Dam attack, which was easily traced back to hackers affiliated with the Iranian government, identifying the attacker here is somewhat more opaque. However, through the use of linguistics as well as similarities in code to other attacks, the prevailing theory is that the WannaCry worm was launched by the North Koreans (New York Times, 2017).

The WannaCry worm was extremely disruptive for different companies and agencies on both sides of the Atlantic. With the infection of the UK’s National Health Service, a large number of medical procedures had to be put on hold. As the US moves more and more essential records to digital storage, how vulnerable are we to such an attack?

Current Measures Of Protection

The concept of cyber security is not new. “Hackers” and other cyber criminals have been around as long as the internet. As a result, cyber security professionals have been concerned about security for just as long. But technology companies as a whole did not start to focus significantly on cyber security until the last ten or fifteen years, as the damages caused to their customers have gone up with the emergence of issues like identity theft, internet fraud, and other similar issues. Dealing with issues of this type has generally been left to private industry as demand from the public for better security has increased. Larger issues that deal more with infrastructure, like the three cases of cyber attacks within the United States detailed here, are also starting to draw the attention of the homeland security world.

The Department of Homeland Security currently has the National Cyber Security Division (NCSD) whose mission is “to contribute to enhancing the security and resilience of the nation’s critical information infrastructure and the Internet by (1) developing and delivering new technologies, tools and techniques to enable DHS and the U.S. to defend, mitigate and secure current and future systems, networks and infrastructure against cyberattacks; (2) conduct and support technology transition and (3) lead and coordinate research and development (R&D) among the R&D community which includes department customers, government agencies, the private sector and international partners” (DHS – Cyber Security Division, 2017).

Additionally there is InfraGard, which exists as a partnership between the FBI and members of the private sector. “The InfraGard program provides a vehicle for seamless public-private collaboration with government that expedites the timely exchange of information and promotes mutual learning opportunities relevant to the protection of Critical Infrastructure” (InfraGard, 2017). While all information is kept totally confidential, InfraGard is effective at providing an open channel through which information can flow between professionals in the private sector and the relevant agencies in the federal government tasked with protecting the homeland against threats. In my own experience as a member of the Houston Alliance of InfraGard, the bulk of the information that is shared is around the topic of cyber security. This is a great way not only to promote awareness of current threats, but also to establish working relationships between the public and private sectors to help protect the nation’s critical infrastructure.

At this point in time much of the work being done to protect the US in cyberspace is through information sharing and market driven forces that compel the industry to develop better cyber security for their products that run on the internet, both in the government sector (such as the smartphones and PCs used by government offices) and in the private sector. But there is no comprehensive cyber security strategy for the country at this time. There is currently some federal regulation that requires cyber security measures to be taken, detailed in these three pieces of legislation:

  • Health Insurance Portability and Accountability Act (HIPAA) – Cyber security for the healthcare industry (HHS, 2017).
  • Gramm-Leach-Bliley Act – Cyber security for the financial industry (FTC, 2017).
  • Federal Information Security Management Act – Cyber security for agencies within the federal government (TechTarget, 2017).

From a regulatory standpoint there are no other requirements for cyber security. Therefore the extent of the cyber security strategy for the United States involves regulation for the protection of federal government agencies, the healthcare industry, and the financial industry only. Beyond that, the rest of the strategy consists of cooperative programs and information sharing between the public and private sectors to identify threats and to develop concepts for defending against those threats.

Conclusion

All tactics and weapons used in warfare have been limited by their range and the time they take to affect a target. The history of warfare technology development has been filled with attempts to extend the effective range of an attacker’s ability to attack a target while reducing the time to affect that target, from swords, to archery, to rifles, to explosives, to airplanes, to ICBMs. What separates cyber warfare and cyber weapons is that there is no effective limit on their geographic range and they can affect a target almost instantly, thanks to the speed and the truly global nature of the internet. While the concept of homeland security has evolved predominantly around traditional kinetic attacks from adversaries, such as what we saw on 9/11, the concept of attacks on the homeland in cyberspace potentially throws a lot of those assumptions out the window, such as how border protection is approached. Cyberspace is inherently a space without real borders. This has very much been the internet’s strength when it comes to matters of economics and communications. Individuals and organizations have been able to conduct international trade and communications like never before, with less of the typical bureaucracy that occurs at national borders (customs, passports, etc.). But this is also the internet’s biggest weakness, in that it enables the same level of free movement for individuals and organizations with malicious intent to attack targets within the United States.

The Department of Homeland Security’s annual budget in 2015 was $9.797 billion. Of that, around 49% was spent on some form of border protection (Bullock, Haddow, Coppola, 2015). From this we can assume that border protection is considered by policy makers to be an essential part of protecting the homeland. This makes sense given that most attacks against the United States will come from overseas and across our borders. If the US Customs and Border Protection service is tasked with safeguarding America’s borders while enabling legitimate trade and travel across those borders, how can they carry that mission into the world of cyberspace to defend against this new and emerging threat which does not see a geographic border as a substantial obstacle to its goal? It is essential to shift our thinking when talking about this new threat against the homeland.

References:

Charles Teel is an experienced Cyber and Information Security Professional and founder of SR2 Solutions with a demonstrated history of working in the business world across a variety of sectors. Skilled in Secure Software Development, Team Building, Leadership, and Management Consulting. Graduated from the Lamar University MBA Program. Currently an Executive Masters Student at the Bush School of Government and Public Service at Texas A&M University with a concentration in Homeland Security and Critical Infrastructure Protection.