The organization responsible for protecting the country from cyberattacks needs to develop a warning system that is "consistently actionable and timely," according to a new Government Accountability Office (GAO) report (pdf) released Tuesday.
The problem, says the GAO, is that the United States Computer Emergency Readiness Team (US-CERT) does not have a comprehensive cyberanalysis and warning capability. The GAO identified 15 key attributes for such a system spread across four capabilities: monitoring, analysis, warning, and response.
US-CERT, however, does not fully meet them, the report says:
While US-CERT’s cyber analysis and warning capabilities include aspects of each of the key attributes, they do not fully incorporate all of them. For example, as part of its monitoring, US-CERT obtains information from numerous external information sources; however, it has not established a comprehensive baseline of our nation’s critical computer-reliant critical assets and network operations. In addition, while it investigates if identified anomalies constitute actual cyber threats or attacks as part of its analysis, the organization does not integrate its work into predictive analyses, nor does it have the analytical or technical resources to analyze multiple, simultaneous cyber incidents. The organization also provides warnings by developing and distributing a wide array of attack and other notifications; however, these notifications are not consistently actionable or timely—providing the right information to the right persons or groups as early as possible to give them time to take appropriate action. Further, while it responds to a limited number of affected entities in their efforts to contain and mitigate an attack, recover from damages, and remediate vulnerabilities, the organization does not possess the resources to handle multiple events across the nation.
The report notes there has been a proliferation of threats to computer networks and the sensitive information stored on and transmitted from them as the Internet has become increasingly critical to modern life. Such threats range from the relatively benign--hackers breaking into a network for bragging rights--to serious threats from foreign intelligence services and terrorists, who seek to disrupt and destroy U.S. critical infrastructure.
"U.S. authorities are concerned about the prospect of combined physical and cyber attacks, which could have devastating consequences," according to the GAO. "For example, a cyberattack could disable a security system in order to facilitate a physical attack."
Russia's recent invasion of Georgia illustrates such a fear. Don Jackson, director of threat intelligence for SecureWorks, told Security Management that coordinated cyberattacks hit Georgian computer networks just before the Russian military attack.
Just hours before bombs started falling on certain towns earlier this month, local Web sites were hit with denial of service (DOS) attacks, in which site servers shut down after receiving a flood of requests. Many targeted sites had “high military value,” [Jackson] says, including those run by law enforcement and by media outlets.
There is also “significant evidence” that numerous Georgian government servers were hacked on the first day of the conflict over the territory of South Ossetia, he says, adding that some intrusions copied data off government servers.
The Russian government asserted it had no responsibility for the cyberattacks. The Shadow Server Foundation, which tracks global Internet crime, speculates it could have been a grassroots effort to keep Georgian Web sites offline.
Computer and national security experts also point to the 2007 denial-of-service cyberattacks against Estonia as a new tactic in warfare and terrorism. The attack shut down both government and commercial Web sites.
The GAO had 10 recommendations for the Department of Homeland Security (DHS), which houses US-CERT, in establishing a comprehensive national cyberanalysis and warning capability. DHS agreed with nine out of the ten recommendations but disagreed with the GAO's final recommendation to ensure "that there are distinct and transparent lines of authority and responsibility assigned to DHS organization with cybersecurity roles and responsibilities."
DHS responded that it had already satisfied the recommendation in an earlier concepts-of-operation document. The GAO says the document is still in draft and has no date for finalization or implementation.