Sri Lanka just came out with a draft bill for a proactive, national cyber-defense entity. This entity functions by designating systems as Critical Information Infrastructure (CII) and then appointing people responsible for reporting security breaches and so on and so forth. The legalese looks like this:
Part V 18(1) states that “the Agency shall identify and recommend to the Minister the designation of a computer or computer system as CII for the purposes of this Act, if the Agency is satisfied that- (a) the computer or computer system is necessary for the continuous delivery of essential services for the public health, public safety, privacy, economic stability, national security, international stability and for the sustainability and restoration of critical cyberspace or for any other criteria as may be prescribed and the disruption or destruction of which would likely to have serious impact on the public health, public safety, privacy, national security, international stability or on the effective functioning of the government or the economy; and (b) the computer or computer system is located wholly or partly in Sri Lanka…
The current proposed version gives the Agency the right to designate even corporate computer systems as CIIs, bust down their doors, inspect their premises, and demand to read whatever bits of paper are lying around.
This approach is rooted in classical security ideas – the idea that infrastructure is a physical thing, and that you can wall it off, protect it, examine it, understand it. It neglects the connected nature of computer systems today. Let us examine an alternative drawn from both public health and mathematics.
Networks, not infrastructure
Humans do not exist in isolation, but interact in networks made of other humans. Often these interactions are unobservable, and one-to-many and many-to-many instead of simple one-to-one relationships.
Because humans function in networks, they can be analyzed in terms of graph theory from mathematics. Some humans are superconnectors; or, in mathematical terms, they have the property of connectivity. Others are critical paths: they bridge networks, and have the property of high centrality.
In today’s world, computer systems are arranged much like humans: in networks. A large part of their utility relies on them being connected and passing data back and forth.
If a highly central system such as h or i is removed, the information path between two communities is broken (this plays out in politics). A highly connected system (such as P) can be worked around, but can still spread or receive information very efficiently. Sometimes a system is both highly central and highly connected, and is thus critical.
Let us take Dialog Axiata as a specific example; Dialog is both highly central and highly connected. Billions of phone calls, SMS and data requests pass through that system daily. The temptation is to designate Dialog as Critical Information Infrastructure and try to keep it safe.
But consider the actual structure of this so-called ‘infrastructure’. Dialog’s servers reside in a secure facility. We can assume that the handling of data (whether voice, text or traditional ‘data’ Internet) is done by these machines, which connect to Axiata Malaysia, various DNS systems, IXPs, Google, Amazon and many other systems worldwide. They also handle logging mechanisms, which in turn are used by billing systems, which in turn are used by front offices, customer notification systems and online billing systems, which in turn are queried by the machines of employees at the corporate head office in order to make decisions. Assume this entire system, or whatever parts of it are within the bounds of Sri Lanka, can be declared a CII. What of the millions of mobile phones and computers connected to those servers, from which the company derives its value? What of the various devices that employees and visiting businesspeople and journalists bring inside? What of the software within all these systems that relies on third-party IP and code, all derived from sources both local and foreign?
Already we have surpassed the geographic bounds of one physical, clearly-definable ‘infrastructure’. Each of these connected systems is an entry point into the Dialog network, in some form or another. They can carry data, and therefore they can carry threats. The sheer number of entry and exit points makes the classical infrastructure concept infeasible for such an entity.
Whether Dialog is declared a CII or not, practically policing every single entry point is impossible. It is not like guarding a building; one has to think of the network.
In cybersecurity, this network mentality is critical. We have gone from email worms to malware designed to push nuclear power plants into a critical state (Stuxnet), and from lone hackers stealing data to mob attacks (Anonymous) to sophisticated state-sponsored cyberwarfare in the form of Advanced Persistent Threats (APTs) that combine human intrusion with custom malware. Notable examples are APT1 (aka Unit 61398, China); APT28 (aka Tsar Team, Russia); APT34 (aka Helix Kitten, Iran); Dragonfly; the Equation Group (US NSA); and others. These follow a sophisticated methodology:
- Initial compromise – social engineering and spear phishing over email, using zero-day malware. Another popular infection method is planting malware on a website that the victim’s employees are likely to visit.
- Establish foothold – plant remote administration software in the victim’s network, creating network backdoors and tunnels that allow stealthy access to its infrastructure.
- Escalate privileges – use exploits and password cracking to acquire administrator privileges over the victim’s computers, and possibly expand these to Windows domain administrator accounts.
- Internal reconnaissance – collect information on the surrounding infrastructure, trust relationships and the Windows domain.
- Move laterally – expand control to other workstations, servers and infrastructure elements, and perform data harvesting on them.
- Maintain presence – ensure continued control over access channels and credentials acquired in previous steps.
- Complete mission – exfiltrate stolen data from victim’s network.
To merely examine the CII alone is to be blind to the paths of initial compromise, foothold establishment and lateral movement throughout the network. Indeed, there is evidence that this blindness may have happened already: see my brief analysis of the 2013 hack on the Sri Lanka Media Center for National Security.
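The stages above are where a network-aware defender sees what a single-system view cannot: lateral movement shows up in the logs as one account's logons chaining from host to host. The following Python is an added example, not code from the original post or from any of the groups named in it. The log format, host names and the `svc-backup` account are constructed for illustration, and the chain-length threshold and time window are assumed tuning values; a real deployment would parse its own sources (Windows logon events, SSH or VPN logs) into the same `src`/`dst`/`user`/`result` records.

```python
"""Detecting lateral movement from authentication logs.

Added example, not from the original post. The log format, host names and
account names are constructed; real sources need their own parser feeding
the same src/dst/user/result records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a normal user (asmith) and an account (svc-backup)
# whose successful logons pivot from one host to the next within minutes.
SAMPLE_LOG = """\
2013-05-02T09:00:05Z src=ws-17 dst=mail-01 user=asmith result=success
2013-05-02T09:02:40Z src=ws-17 dst=fs-01 user=asmith result=success
2013-05-02T09:15:11Z src=ws-04 dst=fs-01 user=svc-backup result=success
2013-05-02T09:15:58Z src=fs-01 dst=db-02 user=svc-backup result=success
2013-05-02T09:16:20Z src=fs-01 dst=dc-01 user=svc-backup result=failure
2013-05-02T09:17:03Z src=db-02 dst=dc-01 user=svc-backup result=success
2013-05-02T09:17:45Z src=dc-01 dst=hr-01 user=svc-backup result=success
2013-05-02T11:30:00Z src=ws-17 dst=fs-01 user=asmith result=success
"""


def parse_line(line):
    """One 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def pivot_chains(records, window=timedelta(minutes=30)):
    """Per account, follow successful logons where the destination of one
    logon becomes the source of a later one inside `window`; return the
    longest host chain found for each account."""
    by_user = defaultdict(list)
    for r in records:
        if r["result"] == "success":          # failed logons do not move you
            by_user[r["user"]].append(r)
    chains = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        best = []
        for i, start in enumerate(recs):
            chain, last = [start["src"], start["dst"]], start
            for nxt in recs[i + 1:]:
                if nxt["ts"] - last["ts"] > window:
                    break                     # trail went cold
                if nxt["src"] == last["dst"] and nxt["dst"] not in chain:
                    chain.append(nxt["dst"])  # pivot: new hop from the last host
                    last = nxt
            if len(chain) > len(best):
                best = chain
        chains[user] = best
    return chains


def detect_lateral_movement(records, min_hops=3, window=timedelta(minutes=30)):
    """Accounts whose logon trail hops through at least `min_hops` hosts
    (assumed threshold; tune to the environment)."""
    return {u: c for u, c in pivot_chains(records, window).items()
            if len(c) - 1 >= min_hops}


if __name__ == "__main__":
    for user, chain in detect_lateral_movement(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {' -> '.join(chain)}")
```

On the constructed sample this flags only `svc-backup`, whose trail runs ws-04 -> fs-01 -> db-02 -> dc-01 -> hr-01 in under three minutes, while `asmith` logging on to two servers from one workstation produces no chain. The point for an agency is that this correlation needs logon records from every host on the path, not just from the one system someone designated as critical.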
A proactive cybersecurity defense agency, to be effective, must be able to understand the entire network of connections within which a specific important system is located. It must concern itself with the protection of not just one system, but the overall network – with the understanding that threats are constantly evolving in sophistication and ability.
The defense of networks
Fortunately, there are organizations that already deal with protecting networks.
Public health is a field that has to deal with threats to an entire population. These range from biological agents to environmental conditions. It is understood that these threats may be specific (striking only a select few) with the potential to spread and do devastating damage if unchecked.
Because humans interact in networks, and seem unable to function without being part of a biological ecosystem, a few isolated cases in a hospital may turn into a plague. Effective public health agencies have to be willing and able to correlate isolated cases, postulate and prepare for multiple threat vectors, deliver both specific and generic solutions, and, in extreme cases, physically quarantine infected areas and populations.
To protect such critical ecosystems, public health utilizes the concept of herd immunity.
Herd immunity is the concept that, while it may be impossible to protect every person against disease, sufficient numbers of immunized (vaccinated) people in a network will prevent a given disease from progressing and turning into a full contagion. The effect of having a vaccinated person in the middle of the transmission path prevents the disease from reaching an unvaccinated person at the end of the path. With a large enough percentage of vaccinated people, even the unvaccinated remain largely safe.
Cyberthreats can be envisioned as diseases. These diseases may be hackers, viruses or worms, but there is always a transmission path – one compromised system in a Critical Ecosystem leads to another, and then to another.
It is also understood that threats are continuously mutating and adapting, another trait of biological systems. In disease, superbugs appear, flu strains adapt, and relatively harmless infections mutate into epidemics. This is similar to what happens in cybersecurity, as old threats mutate into new ones. It is no coincidence that cybersecurity borrows terminology such as ‘viruses’ and ‘antiviruses’ from biology.
In short, a proactive Agency must take the same approach taken in public health, and concern itself with the defense of a certain percentage of connected systems in an overall network. Therefore it behooves us to examine how agencies responsible for public health carry out their roles in maintaining the security of biological networks.
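The graph-theoretic terms used earlier (connectivity, centrality, a bridge that cannot be worked around) and the herd-immunity argument just made can be checked on a small network. The following Python is an added example, not code from the original post. The node names (P, h, i, a1..a5, b2..b4) and edges are constructed to mirror the post's picture of a hub and two bridges between communities; "immunizing" a node is modelled as that node neither becoming infected nor passing infection on, which is an assumption of the example rather than anything the post specifies.

```python
"""Connectivity, centrality and herd immunity on a constructed network.

Added example, not from the original post. Node names and edges are
invented: 'P' is a hub (high degree), 'h' and 'i' are bridges between two
communities (high betweenness centrality).
"""
from collections import deque

# Constructed network. Community A: hub P wired to a ring a1..a5.
# Community B: i wired to b2, b3, b4.  The only link between A and B is h.
EDGES = [
    ("P", "a1"), ("P", "a2"), ("P", "a3"), ("P", "a4"), ("P", "a5"),
    ("a1", "a2"), ("a2", "a3"), ("a3", "a4"), ("a4", "a5"), ("a5", "a1"),
    ("a3", "h"), ("a4", "h"),
    ("h", "i"),
    ("i", "b2"), ("i", "b3"), ("b2", "b4"), ("b3", "b4"),
]


def build_graph(edges):
    """Undirected adjacency sets from an edge list."""
    graph = {}
    for u, v in edges:
        graph.setdefault(u, set()).add(v)
        graph.setdefault(v, set()).add(u)
    return graph


def degree(graph):
    """Connectivity: how many direct neighbours each node has."""
    return {n: len(nbrs) for n, nbrs in graph.items()}


def betweenness(graph):
    """Betweenness centrality (Brandes' algorithm, unweighted, undirected).

    A node's score counts the shortest paths between other node pairs that
    run through it; pairs with several shortest paths contribute fractions.
    """
    score = {n: 0.0 for n in graph}
    for s in graph:
        order, pred = [], {n: [] for n in graph}
        sigma, dist = {n: 0 for n in graph}, {n: -1 for n in graph}
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:                      # BFS from s, counting shortest paths
            v = queue.popleft()
            order.append(v)
            for w in graph[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = {n: 0.0 for n in graph}
        while order:                      # accumulate dependencies backwards
            w = order.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                score[w] += delta[w]
    return {n: sc / 2 for n, sc in score.items()}  # each pair was seen twice


def reachable(graph, source, immunized=frozenset()):
    """Nodes a contagion from `source` reaches when `immunized` nodes
    neither become infected nor pass the infection on."""
    seen, queue = {source}, deque([source])
    while queue:
        v = queue.popleft()
        for w in graph[v]:
            if w not in seen and w not in immunized:
                seen.add(w)
                queue.append(w)
    return seen


def contagion_size(graph, source, immunized=()):
    """How many other nodes a contagion from `source` reaches."""
    return len(reachable(graph, source, frozenset(immunized))) - 1


def is_bridge_node(graph, node):
    """True if removing `node` splits the network (it cannot be worked around)."""
    others = [n for n in graph if n != node]
    return len(reachable(graph, others[0], frozenset([node]))) < len(others)


if __name__ == "__main__":
    g = build_graph(EDGES)
    deg, bc = degree(g), betweenness(g)
    for n in sorted(g, key=lambda n: -bc[n]):
        print(f"{n:3} degree={deg[n]} betweenness={bc[n]:5.1f} "
              f"bridge={is_bridge_node(g, n)}")
    print("contagion from a1, nobody immunized:  ", contagion_size(g, "a1"))
    print("contagion from a1, hub P immunized:   ", contagion_size(g, "a1", ["P"]))
    print("contagion from a1, bridge h immunized:", contagion_size(g, "a1", ["h"]))
```

Running it shows the distinction the post draws: P has the highest degree (5) but a low betweenness (5.0) and the network survives its removal, whereas h has only three neighbours but the highest betweenness (24.0) because every path between the two communities crosses it. Immunizing P barely slows a contagion that starts at a1 (it still reaches 9 of the other 10 nodes); immunizing h confines it to the five nodes of community A. Choosing which systems to harden by centrality rather than by size is the practical content of the herd-immunity idea.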
The CDC as a case study
Whatever the failings of their commercial health system, the US Centers for Disease Control and Prevention (CDC) can be considered a powerful and effective organization. According to their website, their mission is:
- Detecting and responding to new and emerging health threats
- Tackling the biggest health problems causing death and disability for Americans
- Putting science and advanced technology into action to prevent disease
- Promoting healthy and safe behaviors, communities and environment
- Developing leaders and training the public health workforce, including disease detectives
- Taking the health pulse of our nation
The CDC is the body that carries out the implementation of such measures. It works with authorities to implement regulations protecting America from health and safety threats, both foreign and domestic, and to increase public health security. Health laws passed by Congress are put into action through federal regulations, which the CDC develops together with other federal agencies; those regulations spell out for the public the specific requirements of how the law will be applied.
Under 42 Code of Federal Regulations parts 70 and 71, the CDC is authorized to detain, medically examine, and release persons arriving into the United States and traveling between states who are suspected of carrying communicable diseases. As part of its federal authority, the CDC routinely monitors persons arriving at U.S. land border crossings and passengers and crew arriving at U.S. ports of entry for signs or symptoms of communicable diseases.
When alerted about an ill passenger or crew member by the pilot of a plane or captain of a ship, CDC may detain passengers and crew as necessary to investigate whether the cause of the illness on board is a communicable disease.
Under Section 361 of the Public Health Service Act (42 U.S. Code § 264), the U.S. Secretary of Health and Human Services is authorized to take measures to prevent the entry and spread of communicable diseases from foreign countries into the United States and between states.
The CDC has, from this, the authority to isolate and quarantine, and to carry out such actions on a daily basis: these are “police power” functions, derived from the right of the state to take action affecting individuals for the benefit of society. If a quarantinable disease is suspected or identified, CDC may issue a federal isolation or quarantine order. Public health authorities at the federal, state, local, and tribal levels may sometimes seek help from police or other law enforcement officers to enforce a public health order. U.S. Customs and Border Protection and U.S. Coast Guard officers are authorized to help enforce federal quarantine orders.
Breaking a federal quarantine order is punishable by fines and imprisonment.
To make such powers effective, the CDC monitors authorized entry and exit points into the US ecosystem, maintains advanced lab analysis to proactively detect threats and find solutions, maintains and nurtures local and state measures for public health, and, as national security protocol, monitors new diseases around the globe before they reach US soil.
Applying the CDC model to a proactive cybersecurity agency
Some of what the CDC does is practical for cybersecurity; some of it must be adapted. Therefore, a proactive agency should be able to:
- Understand critical systems, identify the network / ecosystem that they operate in, and designate key portions of that network as a Critical Network.
- Provide recommendations for maintaining the public health of certain key portions of that network within the bounds of Sri Lanka (these may range from requiring employees to use two-factor authentication to the implementation of firewalls and heuristics when interfacing with certain foreign entities).
- Use mathematical notions of centrality to identify key information paths in the Critical Network, both inside and outside Sri Lanka, and provide regulations for maintaining the security of those paths.
- Conduct periodic assessments, in partnership with the operator of the Critical Network, as to the implementation of these measures, and work with police authorities to impose penalties for noncompliance.
- Maintain periodic assessments of global threats to any Critical Network.
- Examine connections of high national priority deemed to be at risk from these global cybersecurity threats, and, after due legal process, initiate cyberdefense regulations at the points of entry and exit, or order outright disconnection from such connections.
- Maintain a reactive team that can, upon completion of a legal process, impose quarantines (both cyber and physical) upon Sri Lankan portions of the Critical Network that are deemed to be compromised, work with the network operator to ensure that these portions are restored, and authorize their use once it is certain that the compromising element has been removed.
Many of these ideas can be implemented as additions or expansions to the existing proposal (e.g. powers of search). However, the shift in thinking from physically protectable infrastructure to intangible networks in cyberspace will require rethinking the idea of CII. Such a body and such a basis for analysis, we feel, would ultimately be more effective than the classical infrastructure approach.