17 Mar 2010 | SearchSecurity.com
Internet service providers have the ability to wipe nearly all malicious activity in their network without stepping on individual privacy and civil liberties, said Adam Rice, chief security officer at Mumbai-based Tata Communications Ltd., India’s largest ISP which conducts operations in 80 countries. Rice said most tier-1 ISPs focus on tangible threats when conducting risk assessments, such as natural disasters, which can disrupt service, while botnet herders and other cybercriminals are a juggernaut to law enforcement. Rice said the technology is available to get a handle on many of the known threats.
You participated in a recent cybersecurity study from the Center for Strategic and International Studies (CSIS) and McAfee Inc. that surveyed CISOs about the state of critical infrastructure globally. Was there anything that stood out to you in that report?
Adam Rice: When the final paper was published, there were no big surprises to me. The reason for that, in my opinion, is that at Tata Communications, when it comes to gauging the threat landscape, we rate risks to our companies and our critical infrastructure more along risks to revenue. Obviously we, especially in this economy, have limited resources that we can bring to bare to do the physical security at our facilities, but when we make decisions on where to put those resources, we tend to do it more with an eye on risk to revenue. If we have a large cable landing facility that is terminating lots and lots of STM-1 circuits, we see that as a higher priority facility than an outlying facility that does not carry as much traffic. Our whole risk model tends to be based more around revenue, because we are a business whereas the federal government is in the position of not owning any of the infrastructure, but also their threat landscape is more of a strategic national interest. They see the aggregate of many cable landing facilities that provide your transpacific and transatlantic and even your terrestrial Internet backbone in America. They see that as a larger animal. They don’t look at just one or two utilities; they look at all the utilities as critical infrastructure. That threat surface for them and that equation is different for the government.
When we try to determine risk, we look at the threat and the consequence of that threat being exercised, but we also have to look at the probability of it occurring. After the attacks in Mumbai last year, we have facilities that were right within that danger area and the terrorists literally walked right by them. We were analyzing what we should do and the answer was that it would be difficult for us, using a standard, objective risk model to justify turning those cable landing facilities into military camps with [extremely high security], for an event that nobody with any kind of statistical analysis could say was even remotely possible. Meteors can fall out of the sky, but that doesn’t mean we’re all going to walk around with steel umbrellas.
Is there information sharing among the telecommunications providers in which you can share data on possible threats and the risks they pose on a regular basis?
Rice: Our biggest threat against our infrastructure is by no means terrorism, it’s natural catastrophes. For example, the recent earthquake in Chile and then the Pacific-wide tsunami threat that was issued by the National Oceanic and Atmospheric Administration, those threats happen more often, and if that tsunami had turned out to be something to deal with, that represents a much more tangible threat to our network given our cable facilities in the Pacific. We have all the contingencies in place to deal with events like that, including a terrorist attack. As a matter of formal information sharing between us and other ISPs, we don’t. There isn’t a round-table or forum — either formal or informal — to share timely threat information.
Would a formal information sharing process be helpful or be inadequate for obvious business and competitive reasons?
Rice: I would suspect that like myself, the other ISPs really don’t have a lot to share, when it comes to threats that are in that category to national security. We don’t have an intelligence service like the federal government.
Occasionally we do hear about an underwater cable being severed, halting communications to a country, explain how vulnerable certain countries are. Is it really that easy? An underground cable can be severed causing major disruption?
Rice: If the end customer has critical infrastructure and it’s not multi-tiered, in which they get their service from more than one ISP, or if they can’t route around the break, there could be an extended outage. Specifcally a terrestrial cable break under a manhole can be fixed in hours. If it’s an undersea cable break, depending on the location of the break and the relative distance of the dispatched ship that has to go out and pull the cable up and split it, then the outage is longer. It happens several times a year. A real problem in the Pacific rim is undersea earthquakes break the cable.
In terms of cybersecurity, the federal government would really like to get its hands on some of the data that ISPs like Tata has on many of the threats out there from major botnets, malware and different attacks taking place. You have that kind of data, don’t you?
Rice: Yes. Technology has increased over the last couple of years and there are watchdog organizations that actually have a pretty good idea on who the bad guys are and where they’re going and where it’s coming from. These watchdog organizations leverage the realities of the network against these bad people. Their bad traffic, in terms of DDoS, botnets or other malicious activity has to route across the Internet. It has to have a source and a destination address. The way that most of the bot variants communicate is hard coded within the bot code so they have a pretty good idea of where these things are talking to and the ports and signatures that are associated with it. I’m not speaking for Tata specifically, but generally the technology exists for any Tier-1 ISP to listen in and sample their core and paint a pretty complete picture on not only malicious traffic that might be transiting their network, but also stuff that is originating or terminating within the network. That technology is not prohibitively expensive, and because it’s based on flow data, there’s a really good chance that it’s not going to violate too many privacy laws either, because it’s really just looking at the outside of the envelope. It doesn’t include an analysis of the payload, it’s just looking at the IP header information. We use this technology internally right now to be able to see and stop denial-of-service attacks on our network. We offer it as a paid service to our large connecting customers and our hosting enterprise customers. We can actually mitigate many gigabytes per second of DDoS traffic that might be destined for their network, by seeing it at the edge of our network using this technology and then redirecting it to scrubbers and actually by the time they get the traffic delivered to them it’s cleaned. That same general approach can be done to see all kinds of traffic.
The experts I’ve talked to say malware isn’t getting more sophisticated, it’s the amount of malware being detected. Some experts are pointing to automatic tools enabling more of these kinds of attacks. Do you agree with that?
Rice: Yes I agree. Since I’ve been in the network security business for just about as long as there’s been a network security business, there hasn’t been any kind of new news in the approach in combating [malware]. It’s always about the reliance on people to patch their computer, have the antivirus and pay attention to things. These bots infect millions and millions of residential PCs that are not necessarily part of organizations that have the resources or the expertise to make sure the remediation steps occur. It’s so damn easy to do. The cost to get into the [malware] business is reasonably low. It’s a zero-risk enterprise and since there’s money involved, if things continue the way they are, there’s no way that this is going to be less of a problem in the future. It’s damn near free to get into the botnet business, you’re almost certainly not going to go to jail over it and if you spend the time and build your bots up, you can make a descent living doing it. We’re not moving away from a global network. In the short time that the Internet has been up and running, our global economy has moved squarely into the global network.