Proactive defense, humans or machines … that’s the question

Pierluigi Paganini November 27, 2012


Governments all around the world are committed to defining a proper cyber strategy, one that strikes an optimum balance between an effective cyber offense and an efficient cyber defense.

Cyber conflicts are characterized by the need for an immediate response to incoming cyber threats; in many cases the reaction must be instantaneous to avoid the destruction of assets and resources.

The human factor, and the time human judgment requires, can introduce delays that are not acceptable in electronic disputes that unfold in real time; for this reason the concept of “proactive defense“ is assuming fundamental importance.

The massive introduction of technology into every object that surrounds us has increased the national attack surface: power grids, telecommunications and every other critical infrastructure are still vulnerable to cyber attacks.

Recently researchers at the Italian security firm ReVuln published a meaningful video showing off a number of zero-day vulnerabilities in SCADA applications designed by manufacturers such as GE, Siemens and Schneider Electric.

The event is not isolated: a researcher at Exodus Intelligence announced that he had discovered more than 20 flaws in SCADA packages in a few hours of testing. Aaron Portnoy, the vice president of research at Exodus, declared:

“The most interesting thing about these bugs was how trivial they were to find. The first exploitable 0day took a mere 7 minutes to discover from the time the software was installed. For someone who has spent a lot of time auditing software used in the enterprise and consumer space, SCADA was absurdly simple in comparison. The most difficult part of finding SCADA vulnerabilities seems to be locating the software itself.”

The protection of national infrastructures is one of the primary goals of cyber strategies, but the nature of the possible offense, instantaneous and unpredictable, has highlighted the need to develop systems for automatic defense that can independently respond to cyber threats from cyberspace. This option, however, introduces significant problems in terms of “devolution of decision” and “rules of engagement”.

Are we ready to trust such critical decisions to machines?

In September the Homeland Security Department released Request for Information RFI-OPO-12-0002, titled “Developing a Capability Framework for a Healthy and Resilient Cyber Ecosystem Using Automated Collective Action”, to gather information from industry and evaluate the current state of technology in the cyber ecosystem environment.

The Department is working with NIST to develop a system capable of using a defensive concept called Automated Collective Action, following the definition provided in the document:

“Automated collective action refers to processes in a cyber ecosystem or community of interest (COI) that select (and perhaps formulate) automated courses of action that will be performed by the ecosystem or COI in response to cybersecurity events. Policies, procedures, technology, and a high level of trust are necessary to enable automated collective action. An appropriate level of human intervention might be required to ensure unintended consequences do not result from flawed courses of action. Determining which cybersecurity events are normal and which are unauthorized or malicious remains a major challenge.”

DHS officials declared that the US needs to respond in an automated fashion to automated attacks from cyberspace. Researchers need to evaluate the feasibility of a system that is completely independent in detecting anomalous situations and able to respond in a proportionate manner; thanks to automated processes, the solution has to be able to monitor and respond to cyber threats while maintaining mission-critical operations.

The final target is the substitution of humans in the decision loop in order to respond to increasingly sophisticated attacks. Although human response times no longer appear adequate to mitigate cyber threats, a totally automated system could generate a series of unmanageable problems due to false positives; a future in which machines decide for us is frightening, and humans are not yet prepared for this scenario.
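As an added illustration (this is not code from the article, DHS or NIST), the following Python sketch shows one way to keep automated response proportionate and to contain the false-positive problem just described: a confidence floor below which nothing disruptive happens, a severity ladder so that the response scales with the threat, mandatory human approval before a mission-critical asset is isolated, and a feedback loop that routes a detector's events back to an analyst once too many of its automated actions have been reverted. Detector names, asset names, addresses and thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Action(Enum):
    LOG_ONLY = "log_only"            # record the event, no disruption
    RATE_LIMIT = "rate_limit"        # throttle the source
    BLOCK_SOURCE = "block_source"    # firewall the source address
    ISOLATE_HOST = "isolate_host"    # cut the target off the network
    REQUIRE_HUMAN = "require_human"  # queue for analyst approval


@dataclass(frozen=True)
class Event:
    detector: str           # detection rule that fired (hypothetical names)
    source_ip: str
    target_asset: str
    confidence: float       # detector's own confidence, 0.0 to 1.0
    severity: int           # 1 (low) to 5 (critical)
    mission_critical: bool  # tag from the asset inventory


@dataclass
class Decision:
    action: Action
    reason: str


@dataclass
class ResponsePolicy:
    # No disruptive action is ever taken below this confidence.
    confidence_floor: float = 0.8
    # Per detector: [automated actions taken, actions later reverted by an analyst].
    history: Dict[str, List[int]] = field(default_factory=dict)
    # Once more than this share of a detector's actions were reverted (after
    # min_samples actions), its events go to a human instead of being automated.
    max_revert_ratio: float = 0.3
    min_samples: int = 5

    def _unreliable(self, detector: str) -> bool:
        taken, reverted = self.history.get(detector, [0, 0])
        return taken >= self.min_samples and reverted / taken > self.max_revert_ratio

    def _record(self, detector: str) -> None:
        self.history.setdefault(detector, [0, 0])[0] += 1

    def analyst_reverted(self, detector: str) -> None:
        """Feedback: an analyst undid an automated action taken for this detector."""
        self.history.setdefault(detector, [0, 0])[1] += 1

    def decide(self, ev: Event) -> Decision:
        if ev.confidence < self.confidence_floor:
            return Decision(Action.LOG_ONLY, "confidence below floor")
        if self._unreliable(ev.detector):
            return Decision(Action.REQUIRE_HUMAN, "detector revert rate too high")
        # Proportionality ladder: the response scales with severity.
        if ev.severity <= 2:
            candidate = Action.RATE_LIMIT
        elif ev.severity <= 4:
            candidate = Action.BLOCK_SOURCE
        else:
            candidate = Action.ISOLATE_HOST
        # Isolating a mission-critical asset is itself an outage: a person decides.
        if ev.mission_critical and candidate is Action.ISOLATE_HOST:
            return Decision(Action.REQUIRE_HUMAN, "isolation of mission-critical asset")
        self._record(ev.detector)
        return Decision(candidate, f"automated, severity {ev.severity}")


def run_demo() -> List[Tuple[str, str]]:
    """Feed constructed events through the policy; return (target, action) pairs."""
    policy = ResponsePolicy()
    events = [  # constructed sample events
        Event("scada_auth_bruteforce", "10.0.0.5", "hmi-01", 0.95, 3, False),
        Event("scada_auth_bruteforce", "10.0.0.6", "plc-01", 0.60, 5, True),
        Event("modbus_write_anomaly", "10.0.0.7", "plc-01", 0.90, 5, True),
        Event("modbus_write_anomaly", "10.0.0.8", "historian", 0.90, 5, False),
    ]
    out = [(ev.target_asset, policy.decide(ev).action.value) for ev in events]
    # Noisy detector: five automated blocks, three of them reverted by analysts,
    # so the sixth event is no longer handled automatically.
    for i in range(5):
        policy.decide(Event("port_scan", f"10.1.0.{i}", "eng-ws", 0.9, 3, False))
    for _ in range(3):
        policy.analyst_reverted("port_scan")
    sixth = Event("port_scan", "10.1.0.9", "eng-ws", 0.9, 3, False)
    out.append((sixth.target_asset, policy.decide(sixth).action.value))
    return out


if __name__ == "__main__":
    for target, action in run_demo():
        print(f"{target:10s} -> {action}")
```

The point of the feedback loop is that a fully automated system has no way of learning that it is wrong; the revert counter is the minimal signal that lets a noisy rule fall back to human review instead of silently blocking legitimate traffic.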

In the past similar solutions have already been approached by the US: NIST developed, in the form of standards and best practices, the Security Content Automation Protocol (SCAP) for use by agencies in assessing, monitoring and reporting on system security status.

What does the future hold?

Of course, the best solution will be a balance between human intervention and fully automatic processes; it is normal to expect that, for various reasons, this boundary will move toward fully automated solutions.

The risks are high, but the only way to preserve critical assets from automated attacks is to have proactive defense solutions. The test phase of these systems will be critical: they must be able to substitute for human intervention in critical situations, evaluating every possible consequence in real time.

humans or machines … that’s the question

Pierluigi Paganini
