New approaches needed to fight emerging types of cybercrime

In his address at RSA Conference Europe 2010, Richard Clarke gave examples of emerging types of cybercrime and described the defence strategies that need to be adopted.

LONDON -- Richard Clarke, a former top cybersecurity advisor in the White House under former Presidents Bill Clinton and George W. Bush, used the RSA Conference to deliver a stinging attack on Eastern European authorities that turn a blind eye to cybercrime and on Western governments that allow it to happen.

"Law enforcement agencies in places such as Russia, Moldova and Belarus don't collaborate with the West, because they take kickbacks from the hackers," he said. "And their governments are happy to employ friendly hackers to mount attacks on places such as Georgia and Estonia, and then deny any responsibility."

In the meantime, he said that Western governments are "content to have citizens lose money and do little to complain." He also dismissed the importance of recent arrests in the US and UK of 20 people involved in laundering money stolen using the Zeus banking Trojan. "It was the people on the lowest level, the money mules, who were caught," he said.

Financial crime is only part of the larger cybercrime problem. Different types of cybercrime, such as cyberespionage and cyberwar, are also becoming real threats, Clarke said, and not just the purview of TV spy thrillers.

He said that companies are hiring cybercriminals to carry out industrial espionage for them, on the understanding that if the crime is detected, the companies can deny all knowledge. By these means, valuable design information is being siphoned off from industries ranging from chemicals to aerospace, but theft of intellectual property happens in less technical industries, too: Clarke gave an example of a running shoe manufacturer that had its new designs stolen, and the thieves released counterfeit shoes two months ahead of the official launch.

The trouble with data theft is that the victim may not even know a crime has been committed. Clarke quoted the recent Verizon Data Breach Investigations Report, which found that 80% of victims did not discover the data breach themselves, but had to be informed by some outside body: either a penetration tester, or a hacker using the information he or she had stolen.

It takes just a few extra keystrokes to move from cyberespionage into cyberwarfare, said Clarke, which he defined as "getting into a network with intent to damage, disrupt or destroy."

He gave one example in which the Israeli Air Force had been able to launch an attack on Syria because it had penetrated the Syrians' air defence systems and ensured that their monitors failed to display the attacking jets.

Clarke has covered these and other such events extensively in the past, most notably in his book Cyber War, which was published earlier this year. Critics have accused him of exaggerating the threats in his book and in his public speeches, but Clarke insists the dangers are real.

He also mentioned some recent events, the causes of which are still unexplained: a pipeline explosion near San Francisco; a major malfunction on the New York Stock Exchange that sent stock prices reeling; and the shutting down of India's Insat-4B satellite.

In the case of the satellite, there is strong suspicion the failure was caused by the Stuxnet worm. "It is proof in the public domain that you can have cyberwar today, and that malware can cause physical things to blow up," Clarke said.

But the danger is not always immediate, he said. Nation states are more likely to store such a weapon until time of need, as they do with nuclear weapons, but Clarke predicted that if, for example, the US and Israel were to attack Iran on account of its nuclear plans, Iran might feel tempted to unleash malware against critical national infrastructures in the West.

"They could cripple systems in the US, which has no effective defence against [such malware]," Clarke alleged. "Western countries have no real plans; the rules and responsibilities are unclear."

So what is the answer? Clarke proposed two courses of action, one political and the other technical.

On the political front, he said the international community should apply more pressure, by restricting their connections to the Internet and by applying extra filtering, to persuade rogue nations to fall into line and put an end to cybercrime.

To offset the chance of cyberwar, he suggested a policy of "arms control" along the same principles as those governing nuclear or biological weapons. "It takes a while, and we need to start with baby steps, but we need arms control treaties to make us safer," he said.

On the technical front, Clarke advocated a radical rethinking of the network architectures we use. He said that adding yet more antivirus, IDS and firewalls was just "throwing good money after bad."

He concluded: "We need to re-architect our networks and fund research for the next protocol that is more secure. The cost of [research and development] would be a mere fraction of what we're paying for the crap that doesn't work any more."
