Journal of Homeland Security
Thursday, September 02, 2010
Understanding and Defending Against Foreign Cyber-Threats
August 2007

Peter Allor
Director of Intelligence and Special Assistant to the General Manager
IBM Internet Security Systems

As the United States and its allies continue to wage the war on terror, the private sector is working in concert with branches of the federal government to develop new defenses against foreign-borne cyber-attacks designed to either cripple our mission-critical systems or steal from our private citizens. These threats may vary in their end goal, but whether financially or politically motivated, all cyber-crime requires a coordinated, vigilant, preventive effort by the private sector. However, to implement defenses against these types of attacks, we must understand the current landscape and the motivations of these cyber-terrorists and criminals.

Here are some important things to know about our nation’s cyber-security landscape:

First, threats to our nation’s critical infrastructure and economy are absolutely real and, without a doubt, growing. The expansive growth of new Internet technologies, from wireless access to voice-over-Internet telephony, has engendered new threats that have been outpacing the security responses of private and governmental users on the whole.

Second, the intelligence, protocols, and technologies necessary to protect against emerging cyber-threats are, by and large, robust and widely available. Now more than ever, we have the tools at our disposal to safeguard our critical infrastructure, including control systems like the supervisory control and data acquisition (SCADA) networks, which monitor and control industrial systems such as oil and gas, water management, and power generation. While an attack on these systems would not be as high-profile as the attacks of 9/11, a breach of such control systems by malevolent parties could wreak untold havoc on civilian life. Despite our knowledge of these threats and our overall ability to protect ourselves, we need to concentrate our efforts on a consistent basis to preempt the types of attacks that could debilitate our critical networked infrastructure.

The Changing Face of Danger

Cyber-threats to our nation’s critical infrastructure have not been overstated. The stereotypical computer hacker of old—solitary and motivated by personal challenge or fun—has evolved into something much more sinister and mature. Today, the average hacker has transformed into a technically sophisticated criminal who is often part of a larger, confederated crime operation or terrorist organization and is motivated by either money or politics. For the former, the rules of criminal hacking have been shaped by economics, opportunity, incentive, and risk—no different from ordinary theft, burglary, or extortion.

But these crimes are not on a small scale when translated onto the global Internet stage. A prime example of this is the way in which highly sophisticated phishing scams are plaguing the financial services industry. Cyber-criminals impersonate financial institutions via some form of Internet communication and attempt to defraud consumers of their savings. In fact, the growth the private sector has seen in phishing attacks is emblematic of a trend in cyber-crime—that is, the movement away from individual entities launching viruses and worms, and the movement toward highly sophisticated, transactional forms of Internet-based theft and fraud. These attempts run the gamut from click-through fraud—which impacts 15% of all online advertising—to wide-scale identity theft. In early 2007, there were allegations that organized crime elements in Russia were systematically attempting to subvert the ATM system and unscramble encrypted PIN traffic.

Blackmail has also become a common tactic employed by cyber-crooks. Botnet operators (a botnet is a collection of compromised computers combined to run exploits together) have long been extorting money from large financial institutions by threatening to launch denial-of-service attacks, which would bring down customer-facing network applications and cost businesses lost revenue as well as create customer dissatisfaction. On the horizon, the private sector will also need to combat mobile and wireless threats, particularly on the Symbian platform. The current thinking dictates that future threats will be financially motivated attacks against proximity-based services like Bluetooth.

Another type of threat that will continue to evolve is “spear phishing” (targeted attacks against online consumers), which will move beyond simply targeting online banking users and will aim at several other sources, including 401K sites, investment portfolios, and healthcare benefit sites. The next generation of these types of ID theft malware will continue to get smarter and build user profiles for hacked accounts in an attempt to automatically log in to multiple sites with the same stolen credentials.

Perhaps the aspect of these threats that makes them most dangerous is the fact that malware sharing has become more organized. The advent of managed exploit providers—individuals or companies that charge a subscription fee in exchange for providing constantly updated catalogs of the newest exploits—is creating quicker time to market for these types of attacks. The subscribers are any of the thousands of thieves who host malware on their websites, who either don’t have the time or the ability to find new exploits on their own. The managed provider is paid to provide customized service to the malware host, tailoring the solutions they provide to the needs of the customer.

Hackers Get Organized

Overall, there is a certain level of professionalism in cyber-crime that is unnerving for several reasons. And while financial institutions have been a prime and growing focus of these crimes, other components of our critical infrastructure, such as power and water facilities, have likewise been targeted. The indication is that there is a very real threat to the control systems and SCADA networks that monitor and regulate these industrial systems. Like the financial institutions that are being exploited daily, these control systems are Internet connected and are therefore susceptible to any number of malicious attacks. Private-sector security firms have conducted real-world penetration tests with large power plants, oil companies, manufacturers, and other users of control systems and have demonstrated that these systems are indeed at risk to Internet-based attacks.

Compounding the problem is the rapid advancement of Internet search technology, which has unwittingly allowed would-be attackers to access a greater degree of information on where and how to practice their hacking procedures and techniques far away from the watchful eye of the federal government. While it can also be used as a great tool in fighting cyber-crime—discovering vulnerabilities that need to be patched—the Internet offers criminals and malicious organizations anonymity and the ability to commit crime remotely in an untraceable way. It also enables criminals to use computer systems owned by others (as with botnets) as the vehicle to commit crime, house illicit materials, or commit terrorist acts.

Just as the motivations of cyber-criminals have evolved, so have their techniques. More and more, security researchers are battling zero-day exploits, where they become aware of vulnerabilities in vendor software at the same time as the public. Cyber-criminals exploit these windows of opportunity to launch attacks before there has been time to deploy patches to protect the software and its users. This is just one of many new threats pushing vulnerability research labs to work faster and smarter. There has also been an increase in polymorphism techniques: attacks can now change on command to circumvent signature detection. Fuzzing, also on the rise, is another technique wherein data fields are tested for vulnerabilities by generating a barrage of unusual input strings and feeding them to the application until something breaks.

Vulnerabilities on the Rise

For all of the serious efforts by the private sector since 2001 to make products and networks that are more secure, the number of vulnerabilities found in computer systems today is growing. According to the Computer Emergency Response Team (CERT) Coordination Center, the number of known vulnerabilities climbed from roughly 2,500 in 2001 to nearly 6,000 in 2005, and 2006 broke that record easily. There were 7,247 new vulnerabilities recorded and analyzed by the IBM Internet Security Systems X-Force research and development team in 2006, which equates to an average of 20 new vulnerabilities per day. This total represents a nearly 40% increase over what Internet Security Systems reported in 2005. Those numbers do not even include the number of known viruses, worms, and spam. Since our critical infrastructures are essentially a complex web of interdependent computer systems, weaknesses in those systems can easily translate into weaknesses in our critical infrastructure. Generally accepted estimates are that 5% to 7% of Internet-connected systems are compromised.

Some would venture to say that the rapid increase in vulnerabilities may well be partly due to the fact that vulnerability assessment researchers are investigating vulnerabilities more aggressively than ever before and are therefore aware of more bugs. Although this is partly true, the more likely answer lies in the fact that we have seen a proliferation of new technologies in recent years. Burgeoning technologies that enable wireless, voice-over-Internet protocol, and instant messaging contain little or no security features, and those that do are weak at best. Adoption of security to address these emerging technologies is a slow process. That fact, along with an extraordinary increase in the use of the Internet to advance business productivity and a surge in the number of software applications used to conduct business, has opened many new avenues of attack.

Keeping pace with this mountainous increase in vulnerabilities is a tall order. The private sector is continuing to witness and track a shrinking time between when a vulnerability is discovered and when it is exploited by criminal factions. The Internet has become the site for the modern-day bank robbery. The place where most transactions occur, even if it is in cyber-space, is where our economy actually exists. Besides the dollars and cents that are at risk, we must also be aware that intellectual property, trade secrets, and even the pathway to physical disruption are at stake.

But There Is Hope

Our nation already has in place the technological capabilities to protect its critical infrastructure and consumer interests. Between myriad private-sector, academic, and government experts, we know where our cyber-vulnerabilities lie. Recognizing the portals that provide entry points for cyber-criminals and malicious threats is the first step, and it is reassuring to know that we have the means and expertise to shore up our defenses.

The private sector has taken on the responsibility of identifying threats before they are exploited and of arming private business, consumer interests, and government agencies alike with the tools they need to preempt these dangers. And work is being done to streamline information sharing with governments and targeted industries worldwide to take advantage of the vast amounts of cyber-intelligence that the private sector gathers daily and put it to use. There are security practitioners and technical experts whose sole responsibility is to work with governmental authorities and affected industries to apprise them of potential cyber-threats. This advisement goes all the way to the highest levels of government, such as the President’s National Infrastructure Advisory Council (NIAC), where such recent documents as the NIAC Intelligence Coordination Report and the NIAC Evaluation and Enhancement to Information Sharing and Analysis Report made recommendations from NIAC to the Department of Homeland Security. These reports’ recommendations are critical to strengthening the processes and protocols needed to prevent a serious cyber-incident.

Countless public-private efforts to protect cyberspace are under way, including the Information Sharing and Analysis Centers, which transmit cyber-intelligence between the private sector and the federal government; the CERT Coordination Center, a federally supported, privately administered clearinghouse for information about computer vulnerabilities; myriad protocols established between federal agencies, such as the Department of Homeland Security, and private security developers, software vendors, and important segments of our critical infrastructures; and more advisory boards, information-sharing councils, and expert groups than can be imagined.

One of the greatest opportunities we have for improving cyber-protection might be to facilitate faster deployment of patches from the manufacturer to the customer and quicker application of patches and upgrades by the customer to its network. We know from anecdotal evidence that most organizations do not patch or upgrade their systems right away and that a majority do not do so until somewhere between 30 and 80 days after public announcement. On the flip side, we know that criminal cyber-attackers have new malware available within 24 to 48 hours after public announcement. Unfortunately, the security products most users rely on typically do not have a deployed fix available until about 24 hours after that. That means that many of our Internet users, from government agencies to businesses to consumers, are without any protection at all for days or even weeks after attacks begin. The most crucial point in vulnerability coordination in which we can all make great strides is in providing protection to consumers around the globe more quickly and in stressing to end users the importance of immediately applying those patches to prevent security breaches.

Homeland Security Institute, 2900 South Quincy Street, Arlington, VA 22206