
Debunking Errors in a Proposed Philippine Cybersecurity Framework

Myopia.

This is the inescapable conclusion one will have upon reading Francis Domingo’s opinion piece in the November 18, 2013 issue of the Philippine Daily Inquirer, “Points to consider in securing Philippine cyberspace”. While Domingo raises a valid concern about the continual growth of the cybersecurity threat, his recommendations fail to address it. Worse, if followed, his recommendations may prove disastrous.


The Cybersecurity Threat Continuum 

“More people may decide to engage in cyber-attacks because of the low barriers to entry, anonymity and presence of others involved in similar activities.

“Performing various operations in cyberspace is not difficult because the resources and knowledge required to exploit and disrupt infrastructure are modest compared to the requirements of exploiting other domains of conflict such as land, sea, air and even space.

“Any individual with sufficient technical knowledge and has access to information communication technologies can execute cyber-attacks.”

F. Domingo, Philippine Daily Inquirer, November 18, 2013

Domingo correctly points out that cyberattacks will continue to grow in number, scope, and impact; that performing such attacks is less difficult than physical violence; and that anonymity may be a factor in choosing to perpetrate crime or fraud, destruction and disruption, or enter into conflict via cyberattacks rather than through conventional means.

The possibilities available, however, do not constitute a simple menu of choices. Cybersecurity threats are more accurately depicted in a continuum:

[Figure: cyber-threat continuum diagram]

From left to right, the diagram describes two parallel concepts: first, that of actors — from an individual, through loosely-affiliated groups, to large, structured organizations — and, second, that of level of skill — how the increasing availability of skills and/or skilled manpower can be used as resources to plan, execute, and follow-through on a cyberattack.

From bottom to top, the diagram describes the potential damage that can result, especially from a deliberate cyberattack. For instance, the potential damage that can be caused by a prankster will be less than that of a dupe, as the former may be restrained by conscience while the latter is subject to the will of another person or group, who may feel no such restraint. Likewise, it is understandable that organized groups with larger pools of manpower and skillsets, as well as the drive to gain such skills and employ them, will have higher scales of potential damage than amorphous groups or individuals. It is equally interesting that the individuals and groups moving up the potential damage scale can be classed together into fairly distinct sets of motivations for cybercrime and cyberattack, as shown by the right-hand scale.

The cybersecurity continuum is by no means theoretical. Domingo appears to be familiar with the modes of cyberattack that have been used both locally and abroad, as well as the suspected perpetrators. As such, it is strange that Domingo clings to the notion that cyberattacks have limited impact; perhaps we must first define what a cyberattack is.


What is a Cyberattack?

In his opinion piece, Domingo provides no clear definition of a cyberattack. This vagueness may be the source of the erroneous premises upon which his arguments rest.

A US National Research Council report defines cyberattacks as “deliberate actions to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information and/or programs resident in or transiting these systems or networks.”[2] Building on this definition, Hathaway et al., in the California Law Review article “The Law of Cyber-Attack”, propose that a cyberattack “consists of any action taken to undermine the functions of a computer network for a political or national security purpose.”[3]

These definitions are so broad that they seem to conflate cyberattacks and cybercrime. In crafting the Magna Carta for Philippine Internet Freedom (#MCPIF) bill, the group Democracy.Net.PH and other contributors agreed to separate the definitions of cybercrime and cyberattack. The bill defines cyberattack as:

“[A]n attack by a hostile foreign nation-state or violent non-state actor on Philippine critical infrastructure or networks through or using the Internet or information and communications technology.”[4]

The bill’s definition of cyberattack also encompasses:

“[A]n assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system.”[5]

The definition proposed in the #MCPIF acknowledges the cybersecurity threat continuum. This definition will serve as our basis in clarifying the flaws in Domingo’s op-ed piece.


A Cyberattack’s Impact Can be Lethal

“[C]yber-attacks have a limited impact on nation-states because the attacks rely on an electromagnetic spectrum, require man-made technology to function, and do not involve lethal action and physical violence.”

F. Domingo, Philippine Daily Inquirer, November 18, 2013

Domingo cites the distributed denial-of-service (DDoS) attack against Estonia in 2007 and the Stuxnet worm, reportedly built to sabotage equipment at Iran’s Natanz uranium enrichment facility and detected in 2010 after it spread beyond its intended target, as examples of cyberattacks. The modes exemplified by the Estonia attack[6] and Stuxnet[7] are similar to the Shamoon malware cyberattack on the state-owned oil firm Saudi Aramco[8], the DDoS attacks on US banks in 2012[9], the cyberattack on South Korean media and banking firms just this year[10], and so on.

It appears that Domingo’s position is that there has been no significant injury, loss of life, nor widespread physical damage to infrastructure. Ergo, damage is “limited.”

This is another shortsighted view.

While it is true that few, if any, have so far been physically hurt by cyberattacks, the impact is nonetheless significant. The “ILOVEYOU” virus outbreak in 2000, a brainchild of one Onel de Guzman[11], a student of AMA Computer College, affected at the time about 45 million computers worldwide[12] and caused an estimated $10 billion in damage[13]. The scale of damage caused by the ILOVEYOU worm, adjusted for inflation, is on a par with the scale of damage caused by Typhoon Yolanda.[14]

The perceived absence of injury to human beings does not render the damage from a cyberattack limited; rather, it makes cyberattacks even more sinister. The disruption of networks that results in the breakdown of government services, power, communications, transport, finance, and other critical infrastructure can result in chaos in society. Instead of directly harming the populace, the attacker can create an environment in which the populace will be driven to destroy each other and themselves. Such damage mirrors that caused by enhanced radiation weapons such as the neutron bomb, and by salted weapons such as the cobalt bomb, which are designed to kill while leaving infrastructure and equipment relatively undamaged.[15]

Still eerily similar to atomic weapons of mass destruction, but to an even more sinister degree, is the ability of an attacker to design and control the degree of damage that is caused by the cyberattack. “Dial-a-yield” is the catchphrase often used to describe the capability to adjust a weapon to a desired scale of damage.

Domingo appears to make the error of failing to recognize that, with a cyberattack, the attacker not only can design the implementation but can practically specify the extent of damage, from the narrowest of scopes up to unrestricted levels. Stuxnet was designed to go after specific industrial control equipment: it infected many ordinary Windows machines along the way, but its sabotage payload activated only where that equipment was present, so the damage was confined to those systems. If global positioning system (GPS) navigation can be subjected to an unrestricted cyberattack, which is now considered a distinct possibility[16], airplane crashes, ship groundings, and fatal mistaken-identity incidents could occur at scales more horrific than simultaneous occurrences of incidents analogous to 9/11, Exxon Valdez, Aeroflot Flight 8381/ СССР-26492, MV Doña Paz/ MT Vector, and Korean Airlines Flight 007 combined.

There is no logical reason to wait until such catastrophic incidents occur, until lives are lost due to the lethality programmed into a cyberweapon, before establishing a robust cybersecurity framework.


Cyberattacks Do NOT Require High Technology; Cybersecurity Must Not Be Merely Technology-Centric

“[C]yber-attacks will not be successful if the spectrum is controlled or access to critical networks is blocked by accountable government units.”

F. Domingo, Philippine Daily Inquirer, November 18, 2013

Domingo mentions Stuxnet as a cyberattack; however, he may not be aware that Stuxnet’s initial infection vector was the physical connection of an infected USB flash drive to a computer on the target network.

This, in hacker parlance, was a “sneakernet” attack: the payload was carried in by hand on removable media rather than delivered over a network link, the crudest method of compromising a system. Legal control of the allocation of usable frequencies within the electromagnetic spectrum (for there is no means at present that can control the electromagnetic spectrum itself, short of repealing the laws of physics) by no means can prevent a sneakernet attack, or many other modes of attack for that matter. Restricting access to critical networks willy-nilly cannot likewise prevent such an attack. Because the malicious code arrives on a drive plugged directly into a host, it never crosses a network boundary where perimeter controls such as firewalls, network segmentation, or traffic filtering could inspect or block it; it executes on the host as soon as the drive is mounted and its contents are opened, and from there Stuxnet spread across the internal network on its own.

Clearly, it is erroneous for Domingo to have posited that cyberattacks are solely technology-dependent, and thus that cybersecurity must be technology-centric.

In ensuring cybersecurity, there are two further aspects beyond the electronic that must be considered and implemented. A cybersecurity plan must be based on a holistic combination of physical security, behavioral security, and electronic security means, policies, and procedures; to focus on a single defense aspect or potential threat axis would be analogous to building an iron door for a bank vault whose walls are made of paper.
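One host-level control that such a holistic plan would include, and that network-perimeter controls cannot substitute for, is monitoring for removable storage being attached to machines on a critical network. The script below is an added example, not code from the original article or from the #MCPIF drafters. It assumes the message formats emitted by the Linux usb-core and usb-storage drivers (the “New USB device found” and “USB Mass Storage device detected” lines), a hypothetical allowlist of sanctioned vendor:product IDs, and a constructed set of sample log lines.

```python
"""Flag unsanctioned removable USB mass-storage devices from Linux kernel log lines.

Added example; not code from the original article or from Democracy.Net.PH.
Assumes the message formats emitted by the Linux usb-core and usb-storage
drivers, and a hypothetical allowlist of sanctioned vendor:product IDs.
"""
import re
from dataclasses import dataclass

# Enumeration line, e.g. "usb 2-1.3: New USB device found, idVendor=0781, idProduct=5583, ..."
NEW_DEVICE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
# Storage-class attach line, e.g. "usb-storage 2-1.3:1.0: USB Mass Storage device detected"
MASS_STORAGE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


@dataclass(frozen=True)
class Alert:
    port: str
    vendor_id: str
    product_id: str


def detect_unsanctioned_storage(log_lines, allowlist):
    """Return an Alert for every mass-storage attach whose vendor:product ID
    is not in the allowlist. Keyboards, mice and other non-storage devices
    are ignored. A storage attach whose enumeration line was never seen is
    reported with '????' IDs rather than silently accepted (fail closed)."""
    enumerated = {}  # port -> (vid, pid), filled from the enumeration line
    alerts = []
    for line in log_lines:
        m = NEW_DEVICE.search(line)
        if m:
            enumerated[m["port"]] = (m["vid"], m["pid"])
            continue
        m = MASS_STORAGE.search(line)
        if m:
            vid, pid = enumerated.get(m["port"], ("????", "????"))
            if f"{vid}:{pid}" not in allowlist:
                alerts.append(Alert(m["port"], vid, pid))
    return alerts


# Constructed sample log lines modelled on dmesg output; not a real capture.
SAMPLE_LOG = [
    "[ 1234.501] usb 1-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00",
    "[ 1234.512] input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/input/input5",
    "[ 1300.040] usb 2-1.3: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00",
    "[ 1300.043] usb-storage 2-1.3:1.0: USB Mass Storage device detected",
    "[ 1400.220] usb 3-2: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10",
    "[ 1400.224] usb-storage 3-2:1.0: USB Mass Storage device detected",
]

# Hypothetical allowlist: the one model of issued, sanctioned drive at this site.
ALLOWLIST = {"0951:1666"}


if __name__ == "__main__":
    for alert in detect_unsanctioned_storage(SAMPLE_LOG, ALLOWLIST):
        print(f"ALERT: unsanctioned mass storage on port {alert.port} "
              f"({alert.vendor_id}:{alert.product_id})")
```

Run against the constructed sample, the keyboard on port 1-1 is ignored, the allowlisted drive on port 3-2 passes, and the drive on port 2-1.3 raises an alert. Vendor and product IDs are trivially spoofable by a purpose-built device, so this is a detection aid for the behavioral and physical controls the paragraph above calls for (who is allowed to carry what into which room), not a replacement for them.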

Domingo has fallen into the trap of seeing a few trees and missing the forest.


Cybersecurity is Not Merely a Convenient Buzzword

“Security strategies are not definitive.”

F. Domingo, Philippine Daily Inquirer, November 18, 2013

Given that cybersecurity threats belong in a continuum, and that the actors, their motivations, the degrees of damage intended and programmed, and the level and breadth of skillsets are not one-dimensional – as he erroneously paints them to be – Domingo’s position of a one-size-fits-all approach to securing Philippine cyberspace is untenable.

Cybersecurity cannot be as casually relegated as Domingo proposes. The range of potential threats to the physical security of the Filipino citizen runs the gamut from petty crime, organized crime, and terrorism (domestic and otherwise) to unfriendly acts of foreign governments; it is well understood that the mandates to protect the life, liberty, and property of each Filipino that are given to the Philippine National Police, the National Bureau of Investigation, and the Armed Forces of the Philippines differ in level of threat and scope of action.

So, too, should be the cybersecurity mandate.

This is the approach taken by the drafters of the Magna Carta for Philippine Internet Freedom. The #MCPIF proposes that the Department of Justice (DOJ), the National Bureau of Investigation (NBI), and the Philippine National Police (PNP) shall be the competent law enforcement agencies to protect Filipino citizens from cybercrime, corollary to their mandates to protect Filipino citizens from crimes that are not ICT-enabled or ICT-perpetrated. Likewise, these law enforcement agencies, supported by other government offices—including the Department of National Defense (DND) and the Armed Forces of the Philippines (AFP)—will be tasked with protecting the country from cyberterrorism and cyberespionage. This is no different from the current mandates given to the respective agencies of government to protect the country from terrorism and espionage.

As they are tasked with national defense and the protection of national critical infrastructure, it is likewise logical that the DND and the AFP will be tasked with national cyberdefense and the protection of national critical ICT infrastructure.

It should be pointed out that Domingo is correct that the Information Systems Security Society of the Philippines (ISSSP), the Information Systems Audit and Control Association (ISACA), and the Philippine Computer Emergency Response Team (PH-CERT), as well as scholars and government experts, can be resources; they have in fact been providing technical expertise on cybersecurity, as have private companies like Symantec, McAfee, and IBM. Domingo is wrong, however, in saying that they can be the agents that implement Philippine cybersecurity action and policy. There is no logic in this thinking, as it is analogous to using security guards as frontline troops in internal security operations against the New People’s Army. Security planning, while it may be enriched by inputs from those with the appropriate competencies and skills, is best put together by those who can see the forest and not just the trees.


RA 10175 is NOT a Good Basis for a Philippine Cybersecurity Framework


“[P]eople must be made aware of the rationale and scope of Republic Act No. 10175 and other laws that protect Philippine cyberspace.”

F. Domingo, Philippine Daily Inquirer, November 18, 2013

There is some merit, however limited, in Domingo’s vague proposals on how to implement cybersecurity for the Philippines, in so far as they call for developing a culture of cybersecurity through education and information campaigns, ensuring the resilience of institutions, and forming multidisciplinary, multistakeholder teams to produce plans, policies, and programs that promote national cybersecurity. Clear proposals along these lines have been presented by the drafters of the Magna Carta for Philippine Internet Freedom and constitute an integral part of the bill.

Unfortunately, Domingo goes astray in promoting Republic Act No. 10175, or the Cybercrime Prevention Act of 2012, as a basis for promoting cybersecurity.

The oft-quoted maxim of Benjamin Franklin, “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety,” points out the fatal flaw in Domingo’s promotion of the Cybercrime Prevention Act. As the law – fortunately suspended in its application – promotes assaults on civil liberties such as the right to privacy, the right to due process of law, and the freedom of expression, it cannot be the basis for establishing cybersecurity for the Filipino people.

To be succinct: our rights online are our rights offline. Our cybersecurity thinking must be no different, therefore, from how we think of ensuring our physical security – holistic, properly-calibrated, competent, and rights-based.

To reduce it to vague buzzwords would be to endanger ourselves.


Endnotes: 

[1] Engr. Pierre Tito Galla, PECE, is one of the convenors of Democracy.Net.PH, an ICT and civil rights advocacy group that spearheaded the drafting of the Magna Carta for Philippine Internet Freedom. He is a practicing Professional Electronics Engineer with nearly a decade and a half in the information and communications technology sector, and is currently an executive in a Fortune 500 multinational whose networks span the globe.

[2] Hathaway, O., et al. “The Law of Cyber-Attack.” California Law Review 100 (2012). <http://www.law.yale.edu/documents/pdf/cglc/LawOfCyberAttack.pdf>.

[3] Ibid.

[4] Democracy.Net.PH. “Full text of the Magna Carta for Philippine Internet Freedom.” <http://democracy.net.ph/mcpif/full-text/>.

[5] Ibid.

[6] The Associated Press. “A look at Estonia’s cyber attack in 2007.” NBCNews.com. 8 July 2009. <http://www.nbcnews.com/id/31801246/#.Up3wE8RDtXg>.

[7] Kushner, D. “The Real Story of Stuxnet.” IEEE Spectrum. 26 February 2013. <http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet>.

[8] Perlroth, N. “In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back.” The New York Times. 23 October 2012. <http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html?_r=0>.

[9] Ibid.

[10] Waterman, S. “Cyberattack hits South Korea’s banks, media.” The Washington Times. 20 March 2013. <http://www.washingtontimes.com/news/2013/mar/20/cyberattack-hits-s-koreas-banks-media-highlights-r/?page=all>.

[11] Cluley, G. “Memories of the Love Bug worm.” Naked Security. 4 May 2009. <http://nakedsecurity.sophos.com/2009/05/04/memories-love-bug-worm/>.

[12] Ward, M. “A decade on from the ILOVEYOU bug.” BBC News. 4 May 2010. <http://www.bbc.co.uk/news/10095957>.

[13] Landler, M. “A Filipino Linked to ‘Love Bug’ Talks About His License to Hack.” The New York Times. 21 October 2000. <http://www.nytimes.com/2000/10/21/business/a-filipino-linked-to-love-bug-talks-about-his-license-to-hack.html>.

[14] RSJ/ GMA News. “NDRRMC: Yolanda death toll continues to rise, now at 5,759; damage surpasses P35B.” GMA News Online. 5 December 2013. <http://www.gmanetwork.com/news/story/338384/news/nation/ndrrmc-yolanda-death-toll-continues-to-rise-now-at-5-759-damage-surpasses-p35b>.

[15] Snow, D. “Strategic Implications of Enhanced Radiation Weapons.” Air University Review. July-August 1979. <http://www.airpower.maxwell.af.mil/airchronicles/aureview/1979/jul-aug/snow.html>.

[16] Neal, R. “GPS Terrorism: Hackers Could Exploit Location Technology to Hijack Ships, Airplanes.” International Business Times. 29 July 2013. <http://www.ibtimes.com/gps-terrorism-hackers-could-exploit-location-technology-hijack-ships-airplanes-1362937>.