2012-3 USA case study supplement


Supplement to the 2012/3 South African Cyber Threat Barometer

USA Case Study Report


Foreword

Africa is considered to be the cradle of mankind. There is evidence that some of the earliest people lived in southern Africa. The hunter-gatherer San roamed widely over the area and the pastoral KhoiKhoi wandered in the well-watered parts where grazing was available. Tribes from central Africa moved southwards into the eastern and central parts of the area known today as South Africa.

Milestones in South African history:
1652 - Dutch Settlers arrive under the leadership of Jan van Riebeeck
1795 - British occupation of the Cape
1800 onwards - the Zulu kingdom under King Shaka rises to power
1835 - The Great Trek - Dutch and other settlers leave the Cape colony
1879 - Anglo-Zulu war
1880 - First Anglo-Boer war
1899 - Second Anglo-Boer War
1912 - The African National Congress (ANC) is founded
1961 - South Africa becomes a republic
1990 - Mandela is freed after 27 years in prison and opposition groups are unbanned
1994 - South Africa's first democratic election

South Africa has journeyed through many great obstacles to become a nation whose dream of unity and common purpose is within grasp of all its people. We must not lose sight of this dream. As proud stakeholders of this great country we are now called upon to join hands in the fight against a new threat that is targeting all areas of our society - no organisation, community or child is immune to its impact.

I am referring to the scourge of cybercriminal activity that is rapidly becoming a global concern and one that we as Africans need to prioritise. We hope this project and proposed initiatives will go a long way towards "rallying the troops" to urgently address the growing cyber threat facing our country.

I wish to offer my sincere appreciation to the British High Commission for their funding and support to complete this vital research project.

I also wish to convey my warmest thanks to all participating companies and teams for their input and independent review of this report. Your passion to make a positive impact in this country has been amazing to witness.

I would finally like to acknowledge the Wolfpack team for their dedication shown in the research, analysis, layout and distribution of this report. I am very proud of what we have achieved.

For a copy of the full 2012/3 South African Cyber Threat Barometer report and other country supplements please visit the research section of our website.

Corporate contact details: Building 1 Prism Office Park Ruby Close, Fourways Johannesburg, 2055 Telephone: +27 11 367 0613 Email: info@wolfpackrisk.com Website: www.wolfpackrisk.com

Craig Rosewarne Managing Director Wolfpack Information Risk (Pty) Ltd



United States of America

President Obama has declared that the “cyber threat is one of the most serious economic and national security challenges faced as a nation” and that “America's economic prosperity in the 21st century will depend on cybersecurity.” The US government has been focusing on protecting its digital infrastructure, declaring it a ‘strategic national asset.’

History of Cybersecurity Legislation in USA (A look at the last 10 Years)

Year: 2002
Bill / Act: Cyber Security Enhancement Act (CSEA)
Description: Amended the USA PATRIOT Act to further loosen restrictions on Internet service providers (ISPs) as to when, and to whom, they can voluntarily release information about subscribers.

Year: 2003
Bill / Act: Can-spam Law
Description: Subsequent implementation measures were made by FCC and FTC

Year: 2005
Bill / Act: Anti-Phishing Act
Description: Added two new crimes to the US Code

Year: 2009
Bill / Act: Cybersecurity Policy Review
Description: Released by the Obama Administration

Year: 2009
Bill / Act: Cyber Command (CYBERCOM)
Description: Created under the Strategic Command, led by the head of the National Security Agency (NSA)

Year: 2010
Bill / Act: Cybersecurity Act (CSA) S 2150
Description: A bill seeking to increase collaboration between the public and the private sector on cybersecurity issues. The bill has been criticized for:
• Using dangerously vague language to define "cybersecurity threat indicators" (information that companies can share with the government),
• Information collected under the CSA can be shared with law enforcement for non-cybersecurity purposes
• If companies overstep their authority, violating the privacy of Internet users for non-cybersecurity purposes or over sharing sensitive information with the government, it will be very difficult for individuals to hold these companies accountable by taking them to court.
• Allow sensitive private communications to flow to the NSA.
• Creates new exemptions to FOIA—making it that much harder for people to understand how much and what kind of information is being shared with the government and ensure that the government and companies do not abuse this authority.

Year: 2011
Bill / Act: Senate and House of Representative Legislation Passed in 2011
Description:
• Cyber Intelligence Sharing & Protection Act of 2011 (CISPA)
• The Cyber Security and Internet Freedom Act
• Personal Information Privacy and Security Act
• Grid Cyber Security Act Energy and Natural Resources
• Personal Information Protection and Breach Accountability Act
• Cybersecurity Education Enhancement
• Homeland Security Cyber and Physical Infrastructure Protection Act
• Cybersecurity Enhancement
• Cyber Intelligence Sharing and Protection Act Committee on Intelligence
• Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness (PRECISE Act)


Year: 2012
Bill / Act: Senate and House of Representative Legislation Passed in 2011
Description:
• Cybersecurity Information Sharing Act
• Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act (SECURE IT Act)
• Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act SECURE IT Act HR 3342
• Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act SECURE IT Act HR 4263
• Federal Information Security Amendment Act of 2012
• Advancing America’s Networking and Information Technology Research and Development Act of 2012
• Federal Information Security Amendments Act of 2012 HR 425

Year: 2012
Bill / Act: Cybersecurity Act S 3414
Description:
• June 2012, a new bill is released to replace the prior Cybersecurity Act
• The bill would have given companies new rights to monitor private communications and pass that information to the government
• August 2012 – this bill was defeated by the US Senate. This was seen as a victory for internet freedom advocates

Industry Collaboration, Partnership Developments and Initiatives in Cybersecurity

Organisation / initiative: NSA regulates industry using SANS Top 20 Critical Controls
Description: General Keith Alexander, head of the U.S. Cyber Command and the National Security Agency is considering making use of the SANS 20 Critical Security Controls to safeguard federal networks to regulate cyber security in the private sector. He states that the 20 Critical Security Controls “has a more profound and far-reaching impact” than any other security development. The FBI earlier this month awarded the organisation a contract, without an open competition, to educate cybercrime investigators. In justifying the sole-source deal, bureau officials stated that “although cyber training is a commonly offered product, only the SANS Institute is capable of providing all required courses with an American National Standards Institute (ANSI) accredited certification.”

Organisation / initiative: Defense Industrial Base (DIB) Cybersecurity/Information Assurance (CS/IA) program
Description:
• Defense Industrial Base (DIB) efforts designed to help companies protect critical information related to Department of Defence (DOD) programs and missions. The DIB Cybersecurity/Information Assurance (CS/IA) program would:
  o Allow eligible DIB companies to receive government threat information and share information about network intrusions that could compromise critical DOD programs and missions.
  o Permit DIB companies and DOD to assess and reduce damage to critical DOD programs and missions when DOD information is compromised;
  o Fulfil statutory requirements to ensure the protection of DOD information;
  o Address vigorous congressional and public interest in increasing cybersecurity and information assurance activities through government-industry cooperation; and
  o Immediately provide a voluntary framework for DOD and DIB companies to share information to address sophisticated cyber threats that represent an imminent threat to U.S. national security and economic security
• Until this rule is published as an interim final rule, eligible DIB companies cannot receive government information about cyber threats and mitigation strategies or share information about cyber incidents that may compromise critical DOD programs and missions. Without this information, eligible DIB companies’ ability to protect government information cannot be fully effective. While this vulnerability remains open, the government faces an elevated risk that critical program information.


Organisation / initiative: The National Strategy for Trusted Identities in Cyberspace (NSTIC)
Description:
• In response to one of the near term action items in the President’s Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem where internet users (individuals and organizations) will receive IDs, thereby increasing trust among users, to complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on.
• The US Commerce Department will host a National Program Office (NPO) in support of the National Strategy for Trusted Identities in Cyberspace (NSTIC).
• The proposal has generated criticism since it was released in draft form by the White House around privacy implications. Concerns have been raised about the compromise of President Obama’s promise that the government’s pursuit of cybersecurity will not include government monitoring of private sector networks or Internet traffic. The comments urge the Department to resist calls to create a cybersecurity information sharing regime that would involve sharing of Internet communications traffic that would compromise the promise of privacy that underlies the laws governing electronic surveillance.
• Having a single trusted identity used across the internet could potentially result in increased identity theft, rampant information sharing from companies and a false sense of online security amongst consumers. If not done carefully the Identity Ecosystem could potentially make the problem worse.

Organisation / initiative: Electric Sector Cybersecurity Capability Maturity Model initiative
Description:
• A new White House initiative led by the Department of Energy, in collaboration with the Department of Homeland Security, will assist in developing a model to help identify how secure the electric grid is from cyber threats and test that model with participating utilities. Gaining knowledge about strengths and remaining gaps across the grid will better inform investment planning and research and development, and enhance public-private partnership efforts.

Organisation / initiative: Comprehensive National Cybersecurity Initiative (CNCI)
Description:
• Major goals are:
  o To establish a front line of defence against today’s immediate threats by creating or enhancing shared situational awareness of network vulnerabilities, threats, and events within the Federal Government—and ultimately with state, local, and tribal governments and private sector partners—and the ability to act quickly to reduce our current vulnerabilities and prevent intrusions.
  o To defend against the full spectrum of threats by enhancing U.S. counterintelligence capabilities and increasing the security of the supply chain for key information technologies.
  o To strengthen the future cyber security environment by expanding cyber education; coordinating and redirecting research and development efforts across the Federal Government; and working to define and develop strategies to deter hostile or malicious activity in cyberspace.
• Initiatives include:
  o Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections.
  o Deploy an intrusion detection system of sensors across the Federal enterprise and pursue deployment of intrusion prevention systems across the Federal enterprise.
  o Coordinate and redirect research and development (R&D) efforts.
  o Connect current cyber ops centres to enhance situational awareness.
  o Develop and implement a government-wide cyber counterintelligence (CI) plan.
  o Increase the security of our classified networks.
  o Expand cyber education.
  o Define and develop enduring “leap-ahead” technology, strategies, and programs.
  o Define and develop enduring deterrence strategies and programs.
  o Develop a multi-pronged approach for global supply chain risk management.
  o Define the Federal role for extending cyber security into critical infrastructure


Organisation / initiative: The University of Maryland’s Cybersecurity Center (MC2)
Description:
• The partnership will promote cybersecurity education, research, and student engagement through the Maryland Cybersecurity Center (MC2). MC2 and Sourcefire will leverage each other's resources, expertise, and unique perspectives to develop innovative cybersecurity expertise, educational opportunities and research-driven solutions to cybersecurity challenges.
• Northrop Grumman – partnered with this global security leader with the goal of creating a new generation of advanced cybersecurity professionals. The new program, Advanced Cybersecurity Experience for Students (ACES), will produce a new generation of experts prepared to take on real-world cybersecurity challenges.

Organisation / initiative: Intelligence and National Security Alliance (INSA)
Description:
• INSA is the premier intelligence and national security organization that provides a unique venue for collaboration, networking and examination of policy issues and solutions. Representing an unprecedented alliance among senior leaders from the public, private and academic sectors, INSA members form an unparalleled community of experts that collaborate to develop creative, innovative and timely solutions to the intelligence and national security issues facing the United States.
• INSA is a non-profit, non-partisan, public-private organization that works to promote and recognize the highest standards within the national security and intelligence communities. INSA members include current and former high-ranking intelligence, military and government agency leaders, analysts, and experts from industry and academia. Drawing on the experience and expertise of this membership, the Intelligence and National Security Alliance provides the thought leadership that identifies crucial intelligence topics, completes strategic research and promotes innovative solutions.
• INSA has over 150 corporate members, as well as several hundred individual members, who are industry leaders within the government, private sector, and academia.

Organisation / initiative: National Cyber Security Partnership (NCSP)
Description:
• NCSP is led by the Business Software Alliance (BSA), the Information Technology Association of America (ITAA), TechNet and the U.S. Chamber of Commerce in voluntary partnership with academicians, CEOs, federal government agencies and industry experts.
• Following the release of the 2003 White House National Strategy to Secure Cyberspace and the National Cyber Security Summit, this public-private partnership was established to develop shared strategies and programs to better secure and enhance America’s critical information infrastructure.
• The partnership established five task forces comprised of cyber security experts from industry, academia and government. Each task force is led by two or more co-chairs. The NCSP-sponsoring trade associations act as secretariats in managing task force work flow and logistics. The task forces include:
  o Awareness for Home Users and Small Businesses
  o Cyber Security Early Warning, Corporate Governance
  o Security Across the Software Development Life Cycle
  o Technical Standards and Common Criteria


USA Cyberspace Policy – Action Plans

Near-Term Action Plan

1. Appoint a cyber security policy official responsible for coordinating the Nation’s cyber security policies and activities; establish a strong NSC directorate, under the direction of the cyber security policy official dual-hatted to the NSC and the NEC, to coordinate interagency development of cyber security-related strategy and policy.
2. Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes.
3. Designate cyber security as one of the President’s key management priorities and establish performance metrics.
4. Designate a privacy and civil liberties official to the NSC cyber security directorate.
5. Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cyber security-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cyber security-related activities across the Federal government.
6. Initiate a national public awareness and education campaign to promote cyber security.
7. Develop U.S. Government positions for an international cyber security policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity.
8. Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement.
9. In collaboration with other EOP entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event information to facilitate developing tools, testing theories, and identifying workable solutions.
10. Build a cyber security-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.

Mid-Term Action Plan

1. Improve the process for resolution of interagency disagreements regarding interpretations of law and application of policy and authorities for cyber operations.
2. Use the OMB program assessment framework to ensure departments and agencies use performance-based budgeting in pursuing cyber security goals.
3. Expand support for key education programs and research and development to ensure the Nation’s continued ability to compete in the information age economy.
4. Develop a strategy to expand and train the workforce, including attracting and retaining cyber security expertise in the Federal government.
5. Determine the most efficient and effective mechanism to obtain strategic warning, maintain situational awareness, and inform incident response capabilities.
6. Develop a set of threat scenarios and metrics that can be used for risk management decisions, recovery planning, and prioritization of R&D.
7. Develop a process between the government and the private sector to assist in preventing, detecting, and responding to cyber incidents.
8. Develop mechanisms for cyber security-related information sharing that address concerns about privacy and proprietary information and make information sharing mutually beneficial.
9. Develop solutions for emergency communications capabilities during a time of natural disaster, crisis, or conflict while ensuring network neutrality.
10. Expand sharing of information about network incidents and vulnerabilities with key allies and seek bilateral and multilateral arrangements that will improve economic and security interests while protecting civil liberties and privacy rights.
11. Encourage collaboration between academic and industrial laboratories to develop migration paths and incentives for the rapid adoption of research and technology development innovations.
12. Use the infrastructure objectives and the research and development framework to define goals for national and international standards bodies.
13. Implement, for high-value activities (e.g., the Smart Grid), an opt-in array of interoperable identity management systems to build trust for online transactions and to enhance privacy.



USA Case Studies

In March the U.S. Secret Service, in coordination with U.S. Immigration and Customs Enforcement, announced the results of “Operation Open Market” against 50 individuals allegedly engaged in crimes such as identity theft and counterfeit credit card trafficking. The suspects were linked in a transnational organised crime operating on multiple cyber platforms, buying and selling stolen personal and financial information through online forums. All of the defendants are said to be members, associates or employees of a criminal organization called Carder.su (which also includes Carder.info, Crdsu.su, Carder.biz, and Carder.pro). (McAfee Threats Report: First Quarter 2012, By McAfee Labs)

Several Anonymous members or affiliates were the target of law enforcement operations. After the LulzSec member “Sabu” pleaded guilty in August 2011 and cooperated with the FBI, law enforcement agents caught other top members of the computer hacking group. The suspects—who included two men from the United Kingdom, two from Ireland, and two from the United States—were indicted in the Southern District of New York. Earlier in the quarter, Interpol announced the arrest of 25 suspected members of Anonymous in Argentina, Chile, Colombia, and Spain. W0rmer and Kahuna, two members of CabinCr3w, a hacker group close to Anonymous, were arrested on March 20 in the United States. (McAfee Threats Report: First Quarter 2012, By McAfee Labs)

On March 23 Microsoft’s Operation B71, which focused on botnets using Zeus, SpyEye, and Ice-IX variants, unveiled a joint lawsuit with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the National Automated Clearing House Association (NACHA). Microsoft and its agents captured four hours of network traffic and seized servers from two hosting locations in Pennsylvania and Illinois. In addition, more than 1,700 domain names were analyzed to understand their role in this business. (McAfee Threats Report: First Quarter 2012, By McAfee Labs)

United States

Researchers note that 41% of 170 Thanksgiving holiday search terms had malicious links containing script injections in the top search results. These script injections use exploit kits to take advantage of vulnerabilities in plugins such as Flash and Acrobat and install malicious software on a victim’s system. Tweets per second in Twitter on the Thanksgiving holiday were much higher than on Black Friday, a known holiday shopping day. Researchers also saw double the number of links shared about Thanksgiving compared to Black Friday. http://wb-sn.com/GMIaHr

President Obama allegedly began ordering cyber attacks on Iran within days of taking office. The story finally confirms what many cyber security experts have suspected: the Stuxnet worm, which disabled industrial equipment in Iran and Europe, was originally designed by Israel and the U.S. to slow down Iran's nuclear enrichment plant. The virus' escape from Iran's Natanz plant and subsequent discovery in Germany in 2010 was a mistake that U.S. authorities blamed on Israel. Former CIA chief Michael Hayden also acknowledged to the Times that Stuxnet is the first major cyber attack intended to cause physical destruction (to Iranian centrifuges). The article includes a history of the classified cyber weapons program, dubbed "Olympic Games," which began under President Bush, and includes details of how President Obama decided that digital attacks were preferable to a potential military conflict between Iran and Israel. But the bottom line is that President Obama (and his predecessor) ordered a sophisticated campaign of cyber attacks against Iran's nuclear program, and has either attacked or considered attacking networks in China, Syria, and North Korea as well. The Obama administration previously acknowledged that it might respond to cyber attacks with physical force, but the report makes it clear that even as the U.S. was making those threats, it was perpetrating cyber attacks on the very nations it accuses of targeting its networks.

http://thomas.loc.gov/cgi-bin/bdquery/z?d112:HR03523:@@@D&summ2=m&
http://www.digitaltrends.com/web/beyond-cispa-the-cybersecurity-bills-you-need-to-worry-about-rightnow-cybersecurity-act-of-2012-secure-it-act/#ixzz22anScCLy
https://www.eff.org/deeplinks/2012/08/victory-over-cyber-spying
http://www.whitehouse.gov/administration/eop/nsc/cybersecurity
http://www.nbcwashington.com/news/tech/UMd-Northrop-Grumman-Develop-Cybersecurity-Partnership158449925.html
http://www.marketwatch.com/story/umd-and-sourcefire-announce-new-cybersecurity-partnership-201207-12
http://www.insaonline.org/index.php?id=79
http://www.cyberpartnership.org/about-overview.html
http://www.gao.gov/products/GAO-12-876T
Cybersecurity: Authoritative Reports and Resources, Rita Tehan Information Research Specialist July 3, 2012 (http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf)
