In the Crossfire International Cooperation and Computer Crime Stewart Baker.

Page 1:

In the Crossfire

International Cooperation and Computer Crime

Stewart Baker

Page 2:

1815 1816

Waterloo Mt. Tambora

Page 3:

1817

Page 4:

6th century BC

Page 5:

Stability and speed (chart; axes: Stability, Speed; points A, B, C)

Page 6:

What Point B Looks Like

Page 7:

Stability and speed (chart; axes: Stability, Speed; points A, B, C)

Page 8:

What Point C Looks Like

Page 9:

Summary

• Attacks are already heavy
• Adoption of security measures lags
• The many roles of governments
  – Regulator
  – Policeman
  – Attacker

Page 10:

1. Attacks are already heavy

• 60% reported theft-of-service cyberattacks
  – Low: Germany, UK (42%)
  – High: India (83%), Brazil (77%), France (76%)
• 29% reported multiple large-scale denial of service attacks each month, and nearly two-thirds of those reported an impact on operations
  – High: France (60%), India (50%)
• 89% report infection with viruses or other malware
• 70+% report a wide range of other attacks
  – E.g., phishing and pharming.
• More sophisticated attacks like DNS poisoning or SQL injection are less common, but still widespread – more than half of respondents report these attacks

Page 11:

2. Adoption of security measures lags behind the threat

• Basic, key security measures are not widely adopted
  – Fewer than 60% patched and updated software on a regular schedule
  – User name and password the most common form of login/authentication
  – More than three-quarters of SCADA/ICS systems are connected to an IP network or the Internet
    • Nearly half of those admitted that these connections create unresolved security issues
• Security measure adoption rates vary widely by country

Page 12:

Security measure adoption rate

More than two dozen different security measures -- technologies, policies and procedures

• Security Information and Event Management tools
• Network access control measures
• Intrusion prevention systems
• Database security and access controls
• Data leak prevention tools
• Intrusion detection systems
• Firewalls to public network
• Firewalls between systems
• Application whitelisting
• Role and activity anomaly detection
• Standardized desktop
• Use threat monitoring service
• Encryption for –
  • Online transmission to network
  • Laptop hard drives
  • Individual emails
  • Data in databases
  • Data while in network storage
  • Tapes, portable media
• Authentication by –
  • User name and password
  • Token
  • Biometrics
• Regular patches and updates
• Threat information sharing
• Restrict or ban USB sticks

Page 13:

China leads in adopting security measures

Page 14:

3. The many roles of governments

• Regulators
  – Regulation seen as generally positive
    • 74% have implemented new measures as a result of regulation
    • 58% say regulation has “sharpened policy and improved security”
    • 28% say it has “diverted resources from improving security to recording/reporting incidents or other forms of compliance”
  – Audit frequency varies widely
• Policemen
  – Widespread skepticism about governments’ ability to protect networks
• Attackers, infiltrators and adversaries

Page 15:

Regulator: auditing to enforce compliance varies widely

Page 16:

Policeman: Little faith in laws against cyber-attack

Page 17:

Attacker: 60% believe governments are already attacking their country

Page 18:

Attacker: Many report government-style attacks

• Half report “stealthy infiltration by high-level adversary … like in Ghostnet”

• Half report DDOS attacks by “high-level adversaries” including governments:

Page 19:

Attacker: United States and China are most feared; Russia is third

Page 20:

China the outlier

• Chinese executives report --

– Uniquely close cooperation with officials

– High levels of regulation and auditing

– Very robust confidence in government

– Much higher adoption of security measures

• China is taking concerted steps to bolster its industries’ defenses

• Are the steps effective?

– Chinese companies report low to average levels of attack and damage

– China does appear better protected than other large developing countries, such as India and Brazil