8/3/2019 Perspectives on Cyber Security
1/19
Introduction

Today's cybersecurity landscape is changing rapidly. Conventional security standards and practices cannot keep up with the frequency and sophistication of attacks. Between May and July 2011, industry and governments experienced a sharp increase in cyber attacks against a number of large, technically savvy organizations:

- Sony revealed that several major customer data thefts had occurred, affecting more than 100 million user accounts (77 million PlayStation Network users and 24.6 million PC games customers). [1]
- RSA, a company that makes one of the industry's most widely distributed two-factor authentication tokens, SecurID, suffered an attack that resulted in RSA replacing 40 million of its tokens. [2]
- In an attack directly related to the RSA breach, defense contractors Lockheed Martin and L-3 Communications were hit by sophisticated attackers who used counterfeit RSA tokens to impersonate the access codes of targeted employees. [3]
- The International Monetary Fund suffered cyber attacks in June, but did not disclose the nature of the attacks or whether a security breach actually occurred. [4]
- Citibank reported that credentials for 200,000 users were stolen, including names, account numbers and email addresses. [5]
- Infragard, an FBI-led partner organization, was compromised by hackers in Connecticut and Atlanta, revealing the passwords of hundreds of industry and law enforcement users. [6]
- The identities of border patrol agents in Arizona were released by hacktivists (defined as those who use computers and networks as a means of protesting for political ends) in protest of Arizona's immigration enforcement policies. [7]
- Websites operated by organizations such as the CIA, the U.S. Senate, PBS and Citibank were defaced in high-profile attacks by a hacking group called LulzSec ("hacking for laughs"). [8]
- STUXNET, one of the most sophisticated computer viruses on record, specifically targeted and severely damaged an Iranian nuclear facility and signaled the future of cyberwar attacks on critical infrastructure. [9]
WHITE PAPER
Perspectives on Cybersecurity: The Rapidly Evolving Risks, the Implications and the Path Forward
October 2011

References
[1] http://online.wsj.com/article/SB10001424052748704436004576299491191920416.html
[2] http://www.businessweek.com/news/2011-06-07/emc-unit-rsa-to-replace-security-tokens-after-data-breach.html
[3] http://www.wired.com/threatlevel/2011/05/l-3/
[4] http://gcn.com/articles/2011/06/14/imf-hacked-foreign-government-suspected.aspx
[5] http://www.theregister.co.uk/2011/06/09/citibank_hack_attack/
[6] http://www.huffingtonpost.com/2011/06/21/lulzsec-hack-fbi-partner-infragard-ct_n_881038.html
[7] http://www.azcentral.com/news/articles/2011/06/23/20110623lulzsec-hacks-into-arizona-dps-system-abrk23-ON.html
[8] http://www.huffingtonpost.com/2011/06/20/lulzsec-anonymous-war-_n_880637.html
[9] http://en.wikipedia.org/wiki/Stuxnet
Summary

Cyberspace is inextricably woven throughout the fabric of society. It extends from the public Internet, through both wired and wireless telecommunications networks, and into every home and business that uses digital voice, video and data. Treating the security of cyberspace separately from the physical world can be misleading, particularly considering the range of critical infrastructure applications, such as transport, energy distribution and finance, that require digital communications. Because it is ubiquitous, cyberspace is vulnerable to attacks by malicious parties from anywhere around the world. Ensuring cybersecurity is essential for society because the costs of ignoring it are too high. Also, due to the evolving sophistication of attackers, the tools, policies and procedures that were effective against yesterday's attacks will continue to become obsolete. Therefore, any new cybersecurity framework needs to avoid rigid procedures. Innovation and rapid response to threats should be rewarded. Appropriate incentives (both rewards and punishments) are needed for each segment of cyberspace. Because new threats are constantly developing into new, potentially unrecognizable attacks, any legislative or policy initiatives designed to combat these threats must be flexible and adaptable to encourage a high level of innovation.

Level 3 Communications believes all entities (individuals, corporate, government and non-government) need to contribute towards securing vital infrastructure. Responsibilities exist for individual end users, end-user organizations, broadband service and Internet service providers, as well as government agencies. Hardware and software vendors providing products that comprise network infrastructure also need to help protect cyberspace. These vendors must communicate vulnerabilities more rapidly to qualified recipients (such as the government and major Internet carriers) and perform more comprehensive testing prior to product release. Once all of the major cyberspace participants invest in cybersecurity, it is conceivable that the overall number of damaging attacks could be reduced.

Cybersecurity, which consists of protecting computer systems and networks from malicious software and attacks by outside parties, has become essential for modern civilization. As more types of critical infrastructure depend on software for global commerce, national security, emergency response, distribution of electricity, transportation and other critical services, the potential for large-scale cyber attacks becomes ever greater. Individuals, corporations and government agencies at local, state and federal levels all need to develop and implement plans to protect their systems and networks from malicious software and external attacks.

Each group that is involved with cyberspace has a role to play in increasing cybersecurity. End users must ensure that their devices are free of malware, software intended to penetrate and compromise security. Broadband access providers should monitor traffic and help defeat malicious attacks at their sources. Equipment and software providers must improve their development, testing and patching procedures and be more forthcoming about latent defects in products when they are discovered. Carriers should provide more information to government agencies and to each other about potential network vulnerabilities and recurring sources of attacks. Government agencies should be directed to disseminate information about potential cyber threats to network providers, thereby enabling more timely and effective responses to attacks. And finally, critical infrastructure providers outside the telecommunications industry should receive government and industry support to develop more extensive cybersecurity plans and capabilities.

Legislation currently pending before Congress and Executive Branch initiatives have the potential to significantly improve the overall level of cybersecurity throughout government agencies and the general public. These regulations can be made more effective by removing barriers, allowing greater communication between private network providers and government agencies. Also, greater emphasis should be placed on developing defensive strategies against unknown and emerging attacks, with less focus on formal security and certification processes.

Threats against critical cyberspace infrastructure will continue to increase in scope and severity in coming years. Legislation encouraging network providers and government agencies to improve communication and to focus on outcomes instead of processes will increase the chances of success against malicious actors.
Level 3 Purpose

This white paper is not intended to be an all-encompassing review of the issues and policies surrounding cybersecurity. The intention is to:

- Summarize Level 3 Communications' policy concerning the responsibilities of communications carriers, corporations, government and other segments of the U.S. Internet community.
- Emphasize the importance of productive relationships and efficient, multilateral communication between service providers and government agencies on issues ranging from threat identification and evaluation to interoperability between services and hardware.
- Provide Level 3's perspectives on proposed legislation affecting cybersecurity policy.
- Share Level 3's experience and learning on cybersecurity issues in dealing with international governments, customers and end users.
Assessment of Evolving Threats

To understand cybersecurity challenges, some common attacks and obstacles are described below.

EVOLVING SOURCES OF THREATS

The complexity of attacks against targets in cyberspace is constantly increasing. As threats are discovered and counteracted, new threats are developed by a range of perpetrators. Most attacks come from one of these sources:

Foreign Governments: Many governments have cyberwarfare and cyberintelligence agencies focused on gathering information from entities outside their borders, including government and military agencies, commercial enterprises, non-profit organizations and individuals. Some of these attacks are brute force, whereas others are so subtle the victim never becomes aware of the data theft. A foreign nation's motivation goes beyond military intelligence. Some countries operate cyber-intelligence agencies to collect intellectual property for commercial competitive advantage.

Organized Crime: Earlier attacks were targeted at individuals, who were persuaded to buy worthless items or to provide the credentials required for accessing bank accounts. Recently, the focus has moved to corporate targets, where larger returns can be achieved. Crime syndicates are international and specialized; it is not uncommon for groups from around the world to join together for a specific attack and then to dissolve once the exploit has been completed.

Hacktivists: Hacker activists are entities using hacking techniques for social or political activism. Frequently cooperating in groups with a shared purpose, hacktivists target corporations or non-profit organizations that supply products or behave in ways that are disagreeable to the hacktivists. Victims come from a wide spectrum of society. Usually, the goal is to embarrass people or deface websites. Recently, many hacktivist organizations have turned to Distributed Denial of Service (DDoS) attacks intended to disrupt their targets' commercial operations in an attempt to influence policies.

Hacking Universities: These are informal, underground schools that teach hacking techniques. Legitimate universities also teach cybersecurity students courses in hacking and countermeasure design.

Professional Hackers: These are experienced hackers who get paid for developing and launching attacks against targets. Many of them sell their services to the highest bidder, whether it is a government agency, a corporation looking to test its own defenses or an organized crime syndicate. Others are more selective in their approach; so-called white hats are focused on improving cybersecurity for specific organizations or for the Internet at large.

Recreational Hackers: Many hackers get their start pursuing hacking for recreational purposes, particularly young people who may have limited resources and restrictions on their Internet usage. Their goals can range from curiosity to harmless fun, to serious attempts at penetrating hardened websites. While these hackers are capable of significant exploits, they can be a distraction from more experienced attackers who can cause greater damage. Prudent cybersecurity plans take recreational hackers into consideration, but success in thwarting these types of attacks should not be considered an indicator of a cybersecurity plan's ability to deflect advanced attacks.
EVOLVING USES OF TECHNOLOGY

Technical innovation can provide better solutions for cybersecurity, such as more computing power for packet inspection within firewalls. But it can also create new areas where attacks can be a threat. Some of the new technologies that pose an increasing challenge for cybersecurity include:

Cloud Computing: In place of using dedicated hardware servers to provide websites and other processing functions, enterprises are increasingly using cloud computing resources. The key benefit of a cloud is virtualization. Hardware resources are dynamically allocated to software processes as needed, as opposed to a fixed configuration of software on each hardware server. Attackers see cloud computing companies as prime targets for gaining access to multiple companies at once.

Mobile Devices: Many people today carry mobile telephones and tablet computers that have more processing power than previous desktop computers. Coupled with their always-connected state, these devices are literally millions of potential new threat sources and targets for attack.

DDoS Attacks: While there is nothing new about DDoS attacks, some technical evolution is under way. The availability of botnets for hire is increasing the severity of DDoS attacks. Botnets simultaneously bring millions of traffic sources online with the intent of overwhelming websites. They can be controlled using encrypted proprietary communications channels to precisely orchestrate their behavior. As botnets become more sophisticated, they become harder to defeat and more dangerous to victims.

Technical Tradeoffs: As users migrate to high-speed network connections and faster processors, they also expect quicker Internet response times. Technologies such as deep packet inspection can parse individual packets looking for virus and other malware signatures. In spite of the increasing levels of processor performance, tradeoffs must still be made between network speed and cybersecurity.
EVOLVING TYPES OF ATTACKS

Several new attack types have been successfully developed by malicious agents. Here are a few examples:

Spear Phishing is a variant of phishing, in which users are lured into giving out personal data, such as credit card and bank account numbers, through websites and email that appear legitimate. In this attack, specific individuals are targeted based on their access to information, technology or levels of administrative access within targeted organizations. For example, a system administrator for a major financial institution would be specifically targeted with messages or website referrals that appear to come from close friends or coworkers. To gain the information needed to prepare these false messages, attackers often leverage information extracted from the target's contact lists and online social networking profiles. This precise targeting of specific individuals is what adds the "spear" concept to basic phishing.

Zero-Day Attacks exploit latent defects that existed in a product when it was first delivered to market. These attacks may be simple tools that gain unauthorized control of compromised systems by utilizing malicious code. As a result, there has been an increase in professional researchers who identify and develop methods and tools that take advantage of security weaknesses in applications, systems or networks (called vulnerabilities or exploits). And a vibrant online market exists to sell these methods and tools to criminal syndicates, who use them to attack networks for financial gain, such as stealing company proprietary data or financial information from end users.

Advanced Persistent Threats (APT) represent a cyber attack that is focused on obtaining specific types of information, such as business plans, identities of dissidents or government secrets. An APT is often the work of a group that has demonstrated capabilities in persistently attacking a specific entity with precision. Common targets include government agencies, media and social or culturally based activist organizations. The scope of APTs can vary widely, ranging from telephone or data communication intercepts to malware and virus attacks. The most successful attacks are designed to avoid detection by the victim and to penetrate hardened targets in a methodical fashion. The STUXNET worm described earlier is an APT that used several zero-day exploits and targeted a brand of industrial control equipment known to be used in Iranian uranium enrichment facilities.
Cybersecurity Roles and Responsibilities

An effective cybersecurity program must include a range of stakeholders who share responsibility for security. There is no single point in the cyber ecosystem where all protection activities are concentrated, as there are too many possible attack vectors. Attacks that exploit weaknesses in one area can be thwarted by protections within another layer. For example, if a virus happens to bypass the defenses erected by a broadband provider, users could be shielded by security software running on their own devices.

Today's Internet is formed through connections between millions of discrete devices, which provide various capabilities for different parties. Security behaviors can be grouped into broad categories: end users (both individuals and enterprises), broadband access providers, equipment and software providers, carriers, government, and critical infrastructure providers.

ROLES OF USERS

End users make up the largest group of Internet participants. Individual users and sophisticated enterprise users connect to the Internet through networks supplied by carriers and access providers.

The best security practice is for users to ensure their devices and networks are free of viruses and botnets. In most cases, these tasks are best performed automatically with virus protection programs and software update utilities.

Any changes in Internet user behavior need to address the privacy concerns of individuals and enterprises. A federal law forcing users to submit to intrusive device security scans may be rejected by the public and the courts. Instead, regulations must identify unacceptable behaviors and appropriate remedies. For example, user devices may not be allowed to send more than a specified number of ping requests to an IP address each minute. If this limit is exceeded, the remedy would be a temporary disconnection of the device.
ROLES OF BROADBAND ACCESS PROVIDERS

Broadband access providers play a crucial role in connecting all types of users to carrier backbones. This category includes local suppliers of digital subscriber line (DSL) and cable modem services, which may serve a few neighborhoods or span multiple states.

These networks are in a unique position to detect and prevent malicious traffic from end-user computers, which are typically the largest source of botnet traffic.

Backbone network carriers are challenged to prevent the propagation of malicious traffic from broadband access providers due to several factors: identifying the source of malicious traffic; the volume of traffic that must be monitored; and their caution in terminating a connection that may carry both legitimate and illegitimate traffic. Traffic from malicious sources is better filtered if those sources are confined to individual network connections. A potential solution for controlling malicious traffic from unsuspecting users is called the "clean pipe" method, enforced by broadband providers. It requires users to have working anti-virus software and up-to-date patches on their PCs, and prevents general access to the Internet until the machine is properly protected. In addition, clean pipe methods can also detect malicious activity and reactively restrict the user on the Internet, providing the user with a method to clean their machine. This practice will decrease the amount of malicious traffic that flows over a network.
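The two remedies described in this paper, the per-minute ping limit with temporary disconnection from the user-roles section and the clean pipe gate that withholds general Internet access until a device reports working anti-virus and current patches, can be expressed as one small policy engine. The Python sketch below is an added example, not code from Level 3 or from the paper; the threshold of five echo requests per minute, the 300-second disconnection, the walled-garden addresses, the flow-record format and every record and posture report are assumptions constructed for this example.

```python
"""Access-provider policy checks modelled on two remedies the paper proposes:
a per-minute ping (ICMP echo) limit per destination with a temporary
disconnection, and a "clean pipe" gate that withholds general Internet access
until a device reports working anti-virus and current patches.  Thresholds,
the log format and all sample data are constructed for this example; none
come from Level 3 or from the paper."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

PING_LIMIT_PER_MINUTE = 5    # assumed; the paper only says "a specified number"
WINDOW_SECONDS = 60
QUARANTINE_SECONDS = 300     # assumed length of the "temporary disconnection"
# Constructed walled-garden hosts a restricted device may still reach
# (a resolver and a remediation web server), so the user can clean the machine.
REMEDIATION_HOSTS = {"10.0.0.53", "10.0.0.80"}


@dataclass
class DevicePosture:
    av_running: bool
    patches_current: bool


@dataclass
class PolicyEngine:
    posture: dict                                  # device id -> DevicePosture
    echo_times: dict = field(default_factory=lambda: defaultdict(deque))
    quarantined_until: dict = field(default_factory=dict)

    def clean_pipe_ok(self, device):
        """Clean-pipe criteria: a known device with AV running and patches current."""
        p = self.posture.get(device)
        return p is not None and p.av_running and p.patches_current

    def _echoes_in_window(self, ts, device, dst):
        """Sliding 60-second count of echo requests from device to dst."""
        q = self.echo_times[(device, dst)]
        q.append(ts)
        while q and ts - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def _restricted(self, dst):
        return "remediation-only" if dst in REMEDIATION_HOSTS else "quarantine"

    def decide(self, ts, device, dst, proto):
        """Return 'allow', 'quarantine' or 'remediation-only' for one packet."""
        until = self.quarantined_until.get(device)
        if until is not None and ts < until:          # serving a temporary disconnection
            return self._restricted(dst)
        if not self.clean_pipe_ok(device):             # never admitted to the general Internet
            return self._restricted(dst)
        if proto == "icmp-echo" and \
                self._echoes_in_window(ts, device, dst) > PING_LIMIT_PER_MINUTE:
            self.quarantined_until[device] = ts + QUARANTINE_SECONDS
            return "quarantine"
        return "allow"


def parse_line(line):
    """Constructed flow-record format: '<unix ts> <device> <dst ip> <proto>'."""
    ts, device, dst, proto = line.split()
    return int(ts), device, dst, proto


# Constructed posture reports: dev-B is unpatched, dev-C never reported at all.
SAMPLE_POSTURE = {
    "dev-A": DevicePosture(av_running=True, patches_current=True),
    "dev-B": DevicePosture(av_running=True, patches_current=False),
}

# Constructed flow records: dev-A sends six echoes within one minute (limit is
# five), is disconnected for 300 s, then returns; five echoes spread so that the
# window has expired do not trigger the limit.
SAMPLE_LOG = [
    "0 dev-B 198.51.100.7 tcp",
    "1 dev-B 10.0.0.80 tcp",
    "2 dev-A 198.51.100.7 tcp",
] + [f"{t} dev-A 203.0.113.9 icmp-echo" for t in range(10, 16)] + [
    "16 dev-A 198.51.100.7 tcp",
    "17 dev-A 10.0.0.53 udp",
    "320 dev-A 198.51.100.7 tcp",
    "321 dev-C 198.51.100.7 tcp",
] + [f"{t} dev-A 203.0.113.9 icmp-echo" for t in range(400, 405)] + [
    "470 dev-A 203.0.113.9 icmp-echo",
]


def run(lines, posture):
    """Apply the policy to each record in order; returns one decision per line."""
    engine = PolicyEngine(posture)
    return [engine.decide(*parse_line(line)) for line in lines]


if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG, run(SAMPLE_LOG, SAMPLE_POSTURE)):
        print(f"{decision:16} {line}")
```

The engine keeps the posture gate and the rate limit separate so that a device which fails either one is still able to reach the remediation hosts, which is the "method to clean their machine" the paper asks for; a real deployment would read the posture from a network access control agent and the records from flow telemetry rather than from the constructed lists above.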
However, an interesting legal issue could arise: is it permissible for an access provider to deny customers access if they do not meet the carrier's clean pipe criteria? Legislation may be needed to regulate the criteria and to support carrier enforcement.
ROLES OF EQUIPMENT AND SOFTWARE PROVIDERS

Carriers, broadband access providers and users depend on a collection of suppliers to provide the hardware and software used to build networks. System components from PCs to routers to virus protection software are available. As most carriers act as system integrators, they depend heavily on these suppliers. They select best-of-breed components and combine them to provide comprehensive solutions.

Unfortunately, some hardware and software contains defects that make systems vulnerable to attacks. Many of these are zero-day defects, while others are introduced by faulty patches or software upgrades applied to existing code that attempt to alter the structure of that code.

Improvements clearly need to be made in commercial software development, testing and release. Already, carriers and other system users are strongly encouraging technology suppliers to improve software development methods, yet software products continue to yield a significant number of security flaws that pose security threats to infrastructure.

Alongside the need to reduce defects in commercial products, carriers would benefit from prompt notification of defects after discovery. Today, many suppliers hesitate to announce product issues until a remedy is developed and tested. If critical infrastructure providers and government agencies were notified at the time of discovery, they could institute their own remedies. By rerouting sensitive traffic away from vulnerable systems or intensifying the monitoring of systems with known defects to catch intrusions, significant damage could be avoided.

Early notification of product defects might negatively affect equipment and software suppliers due to the competitive market. Confidential information about latent defects should only be used for the defense of critical infrastructures, so that technology suppliers do not fear notifying users of product defects when they are discovered. Suppliers' intellectual property needs to be protected. A government agency could be given a mandate to implement the necessary regulations for distributing product defect information. Sanctions for any person or enterprise that compromises the confidentiality of a defect report also must be enforced.
ROLES OF CARRIERS
Carriers play a key role in cybersecurity, but should not be the sole focus of
security initiatives. Carriers can improve network security for users by providing
safe, secure mechanisms for domain name system (DNS) lookups. Accurate
cooperatively with private network providers to develop and implement effective cybersecurity policies. These policies must support the narrow goal of protecting governmental infrastructure and the broader goal of increasing communication security and public safety.

The federal government can contribute to increased cybersecurity by improving the flow of information among carriers and other parties about threats and vulnerabilities. The two-way information flow between carriers and the government about actual and suspected threats must improve. New legislation should require significantly improved communication between these organizations.

Several different types of information would be beneficial to both carriers and government agencies:

- Knowledge about common sources (by geographic location and/or IP address) of threats and attacks.
- Historical data about threats and related solutions.
- Descriptions of new attack technologies and vectors, including the means of infection and the targeted systems. Any exploits that target carrier-grade networking equipment could be a priority, as these can impact connectivity for many customers simultaneously.
- Advance warning about software flaws uncovered during testing by equipment and software suppliers, or zero-day exploits discovered in the wild (exploits that are actively being used).
- Guidelines recommending minimum security configurations and procedures. More extensive or different technologies could be implemented, but the minimum set of procedures must be met.
- A government-industry sharing database that provides real-time information on attack signatures, sources and other security-related data.

There is already a precedent for cooperative information sharing between telecommunications carriers for fighting toll fraud. An organization called the Communications Fraud Control Association (CFCA) maintains a Fraud Alert Library. This library offers members up-to-the-minute information about the latest scams, evolving investigations and cases, compromised calling card and authorization codes, and other related fraud matters.

When long-distance telephony providers identify a source of fraudulent telephone calls, information about the suspected perpetrator is shared. This information sharing helps in three major ways: it alerts carriers to suspected sources and mechanisms of fraud; it can potentially increase the evidence available to law enforcement; and it helps to reduce the amount of fraud on other carriers' networks. These same benefits would result from sharing cybersecurity information. Another precedent is the information sharing taking place between anti-virus vendors, which gives companies greater awareness of emerging threats.

Currently, most government agencies purchase network services from carriers on a piecemeal basis. They rely on the carriers to design overall system connectivity on an incremental basis, as contracts are won or lost. This approach leaves much to be desired. The overall efficiency and security of networks serving the government are not based on a cohesive master architecture. This needs to be re-examined. The Federal Government should take the lead in defining an overall architecture for communications between agencies and for interfaces to non-government parties.

Government agencies could also benefit from establishing their own autonomous system number (ASN) that could act as a peering separation layer between government agencies and the rest of the Internet. The peering layer could easily be utilized as a unified, protective barrier, ensuring all threats are uniformly analyzed and appropriate responses are created. One possible benefit of this arrangement would be to spur innovation among technology vendors to help implement this enhancement on a carrier scale.
ROLES OF CRITICAL INFRASTRUCTURE PROVIDERS

A variety of private enterprises provide infrastructure that supplies items critical to modern society, including communications, energy, healthcare, finance, food and water. Virtually all of these providers depend on modern communications for routine daily operations and data transfers. The government, in turn, depends on these private networks; therefore, ensuring a high level of cybersecurity for critical infrastructure network providers should be a priority for all levels of government.

Beyond the networks used by telecommunications carriers, autonomous control networks are common within large infrastructure enterprises. Automated systems are used to regulate the supply of electricity within the power distribution grid, convey financial transactions between banks, and control devices used to deliver healthcare and produce food. These systems and the connecting networks need to be secured against cyber attacks, including ones similar to the STUXNET infestation, which targeted industrial control systems rather than normal computer workstations, servers or IP networking equipment.

Technical assistance could improve cybersecurity for critical infrastructure providers by helping them develop a mature, comprehensive and agile plan that reacts to threats from many sources. Since the primary business of many of these providers is not related to networking, outside cybersecurity design and implementation would be advantageous. Government agencies should develop the framework necessary to gather assistance from industry experts.
LEVEL 3'S PERSPECTIVE

As a large global provider of network infrastructure and services, Level 3 has a broad view of issues impacting cybersecurity. We believe it is the responsibility of service providers and government agencies at federal, state and local levels to communicate openly regarding cybersecurity issues. Through cooperative efforts between carriers and the government, and among carriers themselves, cybersecurity can be improved on many levels.

Level 3 believes legislative efforts need to focus on creating a flexible, powerful framework for identifying, communicating and defeating cybersecurity threats. Because the front line in this battle is constantly shifting, legislation that mandates specific methods for dealing with threats typically becomes obsolete before it is put into practice. A better policy would establish a set of clear goals, reporting rules and appropriate sanctions for cybersecurity requirements.

Currently, cooperation between carriers and government agencies is hampered
point for cybersecurity implementation. This is underscored by the increase
FISMA compliance within government agencies with little or no corresponding
addition in broad measures of cybersecurity.
FISMA could be improved by incorporating a set of best practices for the
protection of management and back-office network environments and systems.
This would help both government agencies and private network providers better
understand how to develop systems that are less vulnerable to cyber attack.
The DHS has established the Critical Infrastructure Partnership Advisory Council
(CIPAC) to facilitate effective coordination of infrastructure protection programs
between the federal, private, state, local, territorial and tribal sectors. The CIPAC
represents a partnership between government and critical infrastructure/key
resource (CIKR) owners and operators. It provides a forum to engage in a broad
spectrum of activities to support and coordinate critical infrastructure
protection.
KEY POINTS OF CONCURRENCE IN PROPOSED LEGISLATION
The following describes some of the provisions Level 3 believes should be
included in legislation:
A nationwide system of breach reporting is needed by government and critical
infrastructure providers. This will provide a richer data set for analysis of current and
potential threats, as well as support the development of better algorithms for attack
detection and prevention.
The proposed new penalties for cyber criminals appear to offer more effective
consequences. By applying stiffer penalties, deterrence and benefits of prosecution
are increased.
AREAS FOR FURTHER STUDY IN PROPOSED LEGISLATION
Some areas of proposed legislation require clarification or potential revision to
make them more closely aligned with the overall goal of enhancing
cybersecurity. Level 3 proposes the following be considered for possible revision in
the proposed legislation:
The definition for the term security breach needs further clarification, particularly
when mandatory breach reporting requirements are being woven into the proposed
legislation. Level 3 submits the following definition for consideration:
An unauthorized acquisition of and access to unencrypted or unredacted
computerized data that materially causes or is reasonably likely to cause
substantial economic loss.
Disclosure of summaries of security plans to the general public has merits. It helps
reassure the public that the government and critical infrastructure providers are making
substantial changes to improve overall cybersecurity. Summary plans should include
very abstract descriptions with an emphasis on principles and goals. Actual
technologies and methods should not be disclosed. This will help retain
cybersecurity solutions for longer periods of time.
Current FISMA regulations provide a framework designed to enhance cybersecurity.
There are a number of solid, practical rules included that make sense for any modern
networking organization. Unfortunately, the detail required for documenting and
certifying procedures is time-consuming, costly and can compete for resources to
design and implement cybersecurity measures. Further, the documentation
requirements tend to incent maintaining the status quo, instead of encouraging and
rewarding innovations that could help enhance security.
An adequate supply of trained, qualified personnel to design, implement and
monitor security systems and procedures is a requirement for any successful
cybersecurity operation. The proposed legislation actually may decrease the
staffing levels at carriers due to the continuing education and recertification
obligations required. Level 3 believes more than 20 percent of available staff
hours will be consumed by certification, making those personnel unavailable for
active cybersecurity efforts. Modifications to reduce required formalized training
and certification should be considered. Carriers must also be encouraged to
employ qualified individuals and support them with continuing education.
OMISSIONS
More emphasis on communication and action regarding actual and potential
threats within proposed legislation could further enhance cybersecurity benefits
for all stakeholders. Level 3 urges that consideration be given to the following.
Higher standards of accountability need to be developed and enforced to ensure
that hardware and software suppliers develop and implement effective
cybersecurity product controls. Manufacturers should be held responsible for developing
and executing effective hardware and software security test plans prior to
manufacturing release.
The White House director of cybersecurity policy should define security and
validation requirements for hardware and software vendors. At a minimum, these
requirements could be used as criteria for future government purchase decisions.
Private enterprises (including carriers and broadband access providers) would also
be able to evaluate suppliers based on their compliance with these published
requirements.
The White House cybersecurity coordinator or director of cybersecurity policy must
formalize a national vulnerability disclosure policy for carriers and their vendors. It
needs to clarify the types of information required to be disclosed as well as the rules
to be used for distributing the information.
Many different types of infrastructure have been identified as critical infrastructure
in various pieces of existing and proposed legislation. Establishing a prioritized list
of these items to help guide actions of first responders in the event of a large-scale
attack would be beneficial.
Information about threats and attacks detected or suspected by carriers is
routinely shared with the government, and is a well-established feature of proposed
legislation. This could be improved by also requiring the government to share
information with carriers, making the exchange two-way.
The National Cybersecurity and Communications Integration Center (NCCIC) should
be mandated to provide public databases that distribute current and past threat data
to carriers and other critical infrastructure providers. Additional information
including the identities of suspected attackers and methods for dealing with threats
should also be added. Different levels of access privileges may need to be enabled
for the database, with backbone Internet carriers and broadband access providers
having the greatest level of access, and commercial enterprises and other end users
having limited access privileges.
Regulations should give broadband access providers greater responsibility for
detecting threats and stopping them. This will help overall cybersecurity goals by
helping thwart attackers closer to their source and preventing the attacker traffic
from integrating with other traffic. These regulations should be enforced through
incentives for strong security measures taken by broadband access providers and by
sanctions for failure to meet minimum standards.
For access providers hoping to implement a clean pipe strategy (i.e., only providing
network access to users who have installed effective anti-virus software on their
devices), a legal framework needs to be established. It should include a clarification
of the types of acceptable rules providers can establish. Liability protection for
carriers denying service to users whose machines do not meet clean pipe
requirements also needs to be addressed.
System logs record a great deal of valuable data that can be used to perform forensic
analysis after a cyber attack has occurred and for monitoring network health on a
long-term basis. Gathering and analyzing log data from a range of different network
devices and providers would create a rich data set for research and analysis.
Unfortunately, data logs are captured by devices from different manufacturers and
deployed by individual carriers. This causes incompatibilities and inconsistencies,
which makes comparisons between logs extremely difficult. A standardized log
format developed by NIST or another suitable entity would greatly increase the
potential for data sharing. To stimulate use of a standard format, legislation
requiring carriers to routinely deliver copies of log files to a central repository could
be enforced. This should be managed by a federal agency, such as the NCCIC.
The White House cybersecurity coordinator has significant influence on the federal
administration's cybersecurity conduct and on regulations developed by various
federal agencies. Due to the level of responsibility, Senate confirmation should be
required.
Future Directions in Cybersecurity
Beyond the current legislative and regulatory initiatives, significant
developments will shape the landscape of cybersecurity for years to come. The following
four sections address several of these developments and their potential impacts
on government networks as well as the public Internet.
IPV6 MIGRATION
As the September 2012 federal agency deadline approaches for IPv6
implementation, several issues must be addressed. First, any vulnerabilities arising from
publishing addresses inside the DNS network will need to be corrected. Second,
when more devices are issued with native IPv6 addresses and connected directly
to the Internet (bypassing the Network Address Translation servers commonly
used to protect IPv4 systems today), new mechanisms will need to be developed
for ensuring device cybersecurity. And third, the added complexity required to
simultaneously handle two protocol stacks (IPv4 and IPv6) within web servers
and other devices will require extra vigilance in design and increased testing to
prevent new vulnerabilities.
IDENTITY MANAGEMENT
Secure, flexible identity management can be easily deployed across multiple
platforms with support from carriers. By placing credential servers with the
network core, personnel can be verified across multiple agencies' networks. This
portability provides greater mobility for staff and improves agencies' abilities to
redistribute staff during network outages and public emergencies. Additionally,
centralizing these functions could reduce overheads and lower costs.
FISMA REVISIONS
Future revisions to FISMA should focus on protecting systems against current
and emerging attack vectors. This will help ensure response plans are developed
to protect against specific threats. Once agencies start to implement incident
response capabilities, those judged to be superior can be shared. Through infor-
mation sharing and continuous improvement, the overall level of cybersecurity
will increase for all federal agencies.
FUTURE RULEMAKING
More complex viruses, worms and other malware are continuously developed at
rapid speeds. To keep pace, advanced innovation is needed throughout the
cybersecurity industry. Rules and regulations must be flexible to avoid
interfering with the development of effective countermeasures. Level 3 agrees with
DHS Secretary Janet Napolitano, who said, "We believe that any government
rules for cyberspace should identify where we want to be, not proscribe exactly
how to get there, and should allow ample space for innovation. They should also
be clear, fair and broadly supported, and respect and reflect the diversity of the
society in which we live."
Conclusion
Cybersecurity cannot be achieved through simplistic, rigid rules. Effective
defense against cyber attacks requires flexibility to adapt to an evolving array
of threats. Cybersecurity adversaries utilize multifaceted approaches to
compromise critical infrastructure. The cybersecurity industry must begin
working together as a unified force to prevent these attacks.
Legislation supporting increased two-way communications between service
providers and government agencies encourages all Internet participants to
accept appropriate responsibilities. It avoids burdensome certification and
documentation requirements and can help increase overall levels of security.
Although the threat of malicious cyber attacks and malware will never
completely disappear, effective regulations and policies can make government
and public networks safer and more secure.
2011 Level 3 Communications, LLC. All Rights Reserved. Level 3 Communications, Level 3 and the Level 3 Communications logo are registered service marks of Level 3 Communications, LLC in the United States and/or other countries. Level 3 services are provided by wholly owned subsidiaries of Level 3 Communications, Inc. Any other service, product or company names recited herein may be
trademarks or service marks of their respective owners.
Appendix: Defining Cybersecurity and Other Terms
Level 3 broadly defines cybersecurity as the ongoing development and
maintenance of the security of all computers and systems in a network environment.
This definition may include related broad-based topics like social, political and
legislative concerns. In contrast, the focus of the traditional information
assurance industry is protection of any given data's confidentiality, integrity and
authentication. Another way to understand the difference is that cybersecurity
aims to prevent attacks from accessing or destroying sensitive data, whereas
information assurance is focused on encrypting data and recovering from
system failures and attacks. Cybersecurity rules are formulated in FISMA and
developed in Einstein; information assurance rules are based on HIPAA (Health
Insurance Portability and Accountability Act of 1996) and the Sarbanes-Oxley
Act of 2002.
A working knowledge of several key telecommunications and data networking
terms and concepts is helpful in understanding the content within this paper.
The following glossary should help define the key terms used in the document.
Access Provider: An enterprise that supplies network connections and Internet
access to households, organizations and enterprises on a retail basis. Also known as
ISPs (Internet service providers) and broadband access providers. Can take many
forms, including local telephone co-ops, community services and cable TV providers.
APT (Advanced Persistent Threat): Sophisticated malware or other cyber attack
targeted at a specific objective, such as disabling a certain website or obtaining
particular information. Differs from many other attacks that merely seek financial
gain from victims at random.
ASN (Autonomous System Numbers): A globally unique number that identifies
each of the Autonomous Systems (AS) that are connected to make up the Internet.
Each AS must have a single, consistent policy that is used for routing packets, and
must be under the control of a single entity, such as a carrier or a large corporation.
An AS can peer with another AS by exchanging routing information, which allows
data traffic to flow directly between the systems.
Attack Vectors: Mechanisms or routes that are used to gain unauthorized access
into a computer system. Examples include Internet connections, email attachments,
USB thumb drives, and many others.
Backbone: International network of high-speed communication links and high-
performance routers that provides connections between different portions of
the Internet.
Botnet: Group of user devices or servers that have been infected with malware that
gives an external party the ability to control some or all functions of the devices.
Botnets made up of large numbers of compromised user PCs are frequently used to
carry out DDoS attacks.
Carriers: National and international providers of Internet backbone services. May
connect directly to large customers, but focus primarily on high-speed connections
to access providers.
Clean Pipe: Cybersecurity principle wherein all devices connected to a specific
network (or pipe) are demonstrated to be free of malware.
Cloud Computing: Software design concept where strict associations between
software modules and hardware platforms are replaced with a flexible, distributed
pool of computing resources that can be quickly allocated to tasks to meet rapidly
shifting processing loads.
Control Families: Groups of protocols or procedures that provide related forms of
protection against external threats. NIST has developed a reference list of control
families including items such as Access Control, Physical and Environmental
Protection, Identification and Authentication, and several others.
Cyber Attack: Malicious attempt by an outside party (often of criminal
background) to gain control of a system, obtain unauthorized information or
interfere with the normal behavior of the system.
Cybersecurity: A condition of being safe from unauthorized access to private
information and protected against malicious use of networked devices; also, the
actions taken to achieve this state.
DDoS (Distributed Denial of Service) Attack: Cyber attack that utilizes
multiple coordinated processes to flood a targeted IP address with large numbers of
pings or other packets, thereby causing the target to malfunction or to be unable to
respond to requests from normal users.
Deep Packet Inspection: Technique used in firewalls and other devices where
each IP packet is subject to rigorous screening for malware, including all or most types
of embedded protocols.
DNS (Domain Name System): Functional component of the World Wide Web that
converts user-readable URLs (Uniform Resource Locators) into numeric IP addresses
required for Internet transport. Corruption of the DNS database can cause devices to
unknowingly connect to malicious servers.
FISMA (Federal Information Security Management Act of 2002): Federal
law that defined cybersecurity requirements to be followed by each federal agency,
including risk assessment, security planning and required certifications for systems
and personnel.
Hosting: Providing a processing platform, including hardware and software, that
allows an application to run. For example, web hosting provides a server and
related software necessary to support the delivery of web pages in response to
user requests.
IANA (Internet Assigned Numbers Authority): Organization that oversees
the assignment of numerical values that must be globally unique on the public
Internet, such as IP addresses and ASNs.
Identity Management: Process for verifying users and issuing them credentials
necessary to access specific systems and information. Commonly used in large
organizations.
Internet Protocol (IP): Part of the TCP/IP family of protocols describing software
that tracks the Internet address of nodes, routes outgoing messages and recognizes
incoming messages.
Intranet: Private IP-based network that may or may not connect to the public
Internet through a firewall.
IPSec: Set of secure IP transport technologies that use cryptography to prevent
unauthorized parties from reading packet contents.
IPv4 and IPv6: Current and emerging versions of Internet Protocol. IPv4 supports
the vast majority of users and servers on today's Internet. IPv6, which has been defined
for more than a decade, is increasingly being used to support new users due to the
scarcity of new addresses in IPv4 needed to support new users and servers. All
access providers must migrate to IPv6 by September 2012, as outlined in the Trusted
Internet Connection mandate from the Office of Management and Budget (OMB).
ISP (Internet Service Provider): Company or organization that provides
network access to the Internet for individuals and enterprises, generally on a
monthly fee basis.
Kill Switch: Informal name for a network feature that provides the ability to
completely isolate one portion of a network from another, often along lines that
correspond to national boundaries.
Malware: Generic name for software with a malicious intent, comprising trojans,
viruses, worms and other algorithms designed to cripple, control or steal information
from targeted systems.
NCIRP (National Cyber Incident Response Plan): Document developed by the
DHS to define the roles and responsibilities of government agencies and private
industry in the event of a significant cyber attack.
Packet: A variable-length data container, consisting of a header and a payload,
which can be transported over an IP network.
Ping: Short control message used to verify connectivity between two devices on a
network. Devices can suffer from degraded performance when attempting to
respond to a large number of simultaneous ping messages.
Provider Edge: Point that defines the limit of a given carrier's network, where
connections are made to other carriers or to customer-provided equipment. Provider
edge devices supply connectivity and packet forwarding functions that bring data
into and out of a provider's network.
PSTN (Public Switched Telephone Network): Global telecommunications
network that connects voice and data circuits among hard-wired, mobile and other
devices that use numeric dialing.
Router: In IP networks, a device that examines the addressing information
contained in each IP packet header to determine where to transmit packets through
the network toward their ultimate destinations.
Scareware: Web-browser pop-ups and email messages that provide false security
alerts to users in order to convince them to download and install useless or harmful
anti-malware utilities. Frequently used to distribute trojans.
Server: Generically, any hardware or software device that provides services to
another device or user. For Internet applications, web servers fulfill requests for data
that are made from end users operating web browsers.
SSL (Secure Sockets Layer): Predecessor to TLS (Transport Layer Security),
which is used to provide secure, encrypted communications between devices over the
Internet or any other network.
STUXNET: One of the most sophisticated APTs encountered to date, this worm was
apparently intended to disrupt the operation of centrifuges used to enrich uranium
at facilities located in Iran. Stuxnet reportedly utilized four unknown zero-day
vulnerabilities along with an advanced mechanism for propagation through portable
USB thumb drives.
TIC mandate (Trusted Internet Connection): Set of rules issued by OMB for
all civilian federal agencies that was intended to increase the overall level of
cybersecurity and to simplify and control the interface between federal networks and
the Internet.
Tier 1 Carriers: Large, self-sufficient network providers that provide data transport
primarily over facilities that are owned and operated by the carrier. Tier 1 carriers
provide direct connections to multiple Autonomous Systems and are typically
international in scope.
Trojan: Named after the infamous Trojan horse described in Virgil's epic poem, this
is a form of malware that hides inside a purportedly useful program such as a free
anti-virus scanning utility. A trojan propagates by prompting unsuspecting users to
download and install the program.
Virus: Form of malware that is typically transmitted through user actions such as
opening an email attachment or visiting a specific website. Like their biological
namesake, computer viruses often include a means to replicate within an infected
system in order to infect new host devices.
Worm: Form of malware that autonomously propagates among systems that are
connected by a common network, such as a shared corporate network.
Zero Day: System vulnerability that was present in a software system when initially
released; could also be considered a latent security weakness that can be exploited
by a malicious attacker.