Two recent articles have highlighted the threat posed by foreign cyber-espionage, and the security difficulties of so-called 'cloud computing'.
First, AOL Defense warns that 'China and Russia are stealing our lunch'.
While Chinese threats have gotten the most attention, the rat in the kitchen is just as likely to be Russian, said Smith, a former ambassador who worked on arms control negotiations with the then-Soviet Union and who now spends about half his time in the former Soviet republic of Georgia, which suffered a Russian cyberattack alongside a conventional invasion in 2008. The Russians have a well-educated population with computer skills and a thriving underworld with government contacts, so the Kremlin can mobilize legions of online scammers as "a vast cyber reserve force" for online campaigns, Smith said, pointing to the attacks on Georgia and on Estonia in 2007.
"The difference is the Russians don't get caught" as often as the Chinese, Smith said. But hackers from both countries are going after American intellectual property on a grand scale that goes beyond individual larceny to a national strategy.
"What you have underway right now is systematic espionage against the United States," said Smith. "This is not intelligence agencies stealing this or that secret, this is not industrial espionage where some company in another country wants to get the process for something or other. We're talking about a systematic effort to equalize the technology edge that the United States enjoys over every other country in the world by stealing US intellectual property.... This is strategic."
There's more at the link.
Next, DefenseNews warns of the vulnerabilities of cloud computing for Department of Defense applications.
The argument in favor of private cloud systems rests on three assertions about how the architecture could improve DoD systems:
• The cloud is more secure than less consolidated data systems.
• The cloud will require fewer talented cyber experts to protect.
• The cloud can save the department large sums of money through fewer hardware requirements and more efficient operation.
The third argument, that the cloud would save money, is widely recognized and accepted by experts, although the magnitude is disputed. The other two, however, are the subject of heated debate.
“There are specific vulnerabilities associated with cloud architecture that, as far as I can tell, have not been fully and adequately addressed,” said Moulton, who previously served in the U.S. Air Force doing special operations communications.
The simplest and most frequently cited argument against the assertion that the cloud is more secure is the risk of centralization. DoD networks are still largely fragmented, which can make information sharing difficult. But that fragmentation means no individual breach would compromise the larger data mass.
“When there is no centralized control of all those systems, there is no central place to [get] access to everything else,” Bejtlich said. “Is it better to have everyone decide how to deploy their systems independently, or is it better to have one super-image that we believe contains the best security posture?
“With the former, the bad guy who gets onto the system or is trying to get onto the system doesn’t necessarily know what the victim is running. With the latter, he knows exactly what they’re running, and he can tailor his research efforts to that.”
The complaint about the fragmented approach has been that maintaining decent security at each individual outpost was both expensive and difficult. By consolidating systems, DoD could be more confident that its systems are properly designed.
But with cloud architecture, even if the protection is better, once an attacker is in, the loss is much worse.
“You’re putting all of your eggs in the same basket,” Moulton said.
Because of the added risk, the exterior defenses and network monitoring need to be even better to guard a more valuable system, probably meaning as many experts as are employed across networks now, Moulton said. And because of the lack of expertise in cloud architecture, building and protecting cloud systems could be far more expensive than has been predicted, he said.
“There’s the rush to this, and everyone thinks they’re going to save so much money and manpower,” he said. “I don’t agree with that broad assumption.”
Again, more at the link.
Of course, if those security risks and vulnerabilities affect military systems, with their institutional emphasis on confidentiality, what does that imply for our commercial systems? I use a 'cloud computing' backup service to store copies of critical documents (manuscripts, personal data files, etc.). What happens if someone takes down that cloud, or disrupts access to it?
Not a comfortable thought . . .