Project 6: Global Approaches to Cybersecurity Step 13: Compose Global Cybersecurity Environment Report


Global Cybersecurity Environment Report

Abstract

CMP 620 5041 Cybersecurity Governance

Table of Contents

Introduction
Analyze Global Approaches to Cybersecurity
  Analyze critical issues in global cybersecurity management and policy
  Analyze critical issues in global cybersecurity technology policy
  Analyze the principles of warfare that underpin cyberwarfare theory and application
International Cybersecurity Threat Matrix
  Threat Matrix
Compare and contrast international cybersecurity standards bodies
International Environmental Scan
  Environmental Scan: Africa
Identify key initiatives in international cybersecurity policy
Regional Cybersecurity Threat Fact Sheet
  Africa Fact Sheet
Assess cybersecurity policies and procedures for transnational legal compliance
Assess and critique cybersecurity programs
Assess the cross-cutting effects of policy, budget, and technological capabilities upon the ability to address cyberthreats at the enterprise, national, and international levels
Assess policy and technology trade-offs that must be considered and made when addressing cyberthreats at the enterprise, national, and international levels
Assess and critique cybersecurity programs
Botnet Evaluation
  Evaluation of Botnets
    Botnet Key Features
    Issues associated with Botnets
    Global Cybersecurity Policy
    Botnets Evolved over the Years
    Botnets Impact on Policy
Assess emerging cybersecurity issues, risks, and vulnerabilities
Botnet Discussion
  Botnet Discussion
    How Botnets have emerged and changed over the past 5-10 years
    Key Technical Features of Botnets
    What Contributing Factors may cause Botnets to change over the next 10 years
Assess key cyberattack technologies
Botnet Conclusion
Conclusion
  Assess how the theories and principles of war apply to cyberwarfare and apply those theories to understand cyberoffense and cyberdefense challenges
References

Introduction: Global Approaches to Cybersecurity

There is no need to buy more resources and products; we will never manage every single threat, and there will be security gaps between products. Concerning detection, malware moves too quickly, and it could take days or months to remedy the problem. The correct approach is “prevention and consolidation, it looks at the entire organization and focuses on creating a single architecture that covers all environments and is managed by a unified platform”. It “keeps every entry point to the organization secured all the time, be it the traditional network, the data center, mobile devices or the cloud server”. The “attack indicators are shared among all environments”. All “technologies are synchronized to provide multiple-layers of protections, and all entry points are protected with no security gaps between”. “There is also a need to deliver actionable threat intelligence between every device, network, branch office or endpoint, so that even if one environment will be targeted – all the others will be able to identify the same threats and block it” [ CITATION For17 \l 1033 ].

The “Global Conference on Cyberspace (GCCS), recommended a cybersecurity approach that includes the three cyberspace powers, the United States, China & Russia”. In this approach, the “multi-stakeholder model mirrors the traditional technical management of the Internet, which has proven to be very effective in maintaining the resilience of cyberspace”. It is a “bottom-up consensus, fosters a collective sense of management, and stresses the promotion of trust and international cooperation”. At this present time, the United States, China & Russia “have not agreed on a common treaty to harmonize national laws or facilitate cooperation in cyberspace” [ CITATION wef15 \l 1033 ].

Analyze Global Approaches to Cybersecurity

Analyze critical issues in global cybersecurity management and policy

There are no global cybersecurity policies to manage or stop nation-state cyberthreat actors such as Russia, China, and Iran (UMUC, 2019). United States policies for cybercrime and cyberwarfare do not apply to state actors. Cybersecurity policies have no international legal framework that can be managed globally and with trust. Some of the critical issues at hand are the absence of “international frameworks and standards, the lack of sharing global data about security incidents, an international approach to developing offensive cyber capabilities by both state and non-state actors, and the importance of global government decision-makers” collaborating on cybersecurity, cybercrime, cyberdefense, and cyber awareness [ CITATION Ter17 \l 1033 ].

Analyze critical issues in global cybersecurity technology policy

The Information Technology Industry Council (ITI) “supports policies that increase security while maintaining the benefits of cyberspace”. ITI “works to ensure that cybersecurity policies in the United States and around the world reflect the interconnected and interoperable global nature of today’s digital environment”. “In order to secure cyberspace, ITI advocates for cybersecurity policies that are adaptable to rapidly emerging threats, technologies, and business models” [ CITATION iti19 \l 1033 ]. The Cybersecurity Tech Accord (CTA) “promotes a safer online world by fostering collaboration among global technology companies committed to protecting their customers and users and helping them defend against malicious threats” [ CITATION cyb19 \l 1033 ]. Some critical issues are the lack of global tools to assist with cyberthreats and the absence of global policies that “prioritize security, privacy, integrity and reliability, and in turn reduce the likelihood, frequency, exploitability and severity of vulnerabilities” [ CITATION cyb19 \l 1033 ].

Analyze the principles of warfare that underpin cyberwarfare theory and application

Concerning theory, “all state-sponsored military operations are conducted for the purpose of accomplishing nation-state political or military objectives, cyberspace, inherent to the initial design of the Internet, is formulated upon lines of communication designed to transport information from point A to point B, and there are key targets within cyberspace for which position and possession yield a decisive military advantage”. “Any comprehensive theory that seeks to develop a national strategy to conduct cyberwarfare should include as a primary objective the need to secure critical cyber lines of communication, both physical (fiber optic cable, SATCOM, ISPs, etc.) and logical (network domains, routers, servers, etc.)” [ CITATION Geo14 \l 1033 ]. Concerning application, nation-state and non-state actors must be willing to collaborate and agree on cybersecurity terminology and concepts. The “application of cyber war capabilities has become increasingly prominent due primarily to the fact that as many as 120 international governments are pursuing information warfare programs” [ CITATION Far10 \l 1033 ]. “In response to other nation-states’ cyber programs, the 2006 Quadrennial Defense Review (QDR) requested that the Department of Defense (DoD) develop a capability to shape and defend cyberspace” [ CITATION Far10 \l 1033 ].

International Cybersecurity Threat Matrix

Threat Matrix

Country: China

Cyber Culture (i.e., how does the country view cyber threats? Is this consistent with the general country culture?)

Most Chinese have the same concerns as much of the rest of the world about harmful cyber activities, including: efforts to crash, slow, or paralyze vital cyber-based infrastructure; the promulgation of information or images harmful to the polity, society, or the economy (such as pornography, false or misleading commercial information, and the advocacy of violent political revolution); espionage; the theft of proprietary commercial data or information; and specific actions designed to weaken the capacity of the state to defend itself through military and other means. Thus, both authoritative and other Chinese observers believe that “cyber security is an international . . . issue and hacker attack is a common challenge facing the whole world” [ CITATION Swa13 \l 1033 ].

A practice of “defending forward” can look a lot like attacking forward when one is on the receiving end of a hacking operation. One nation’s development of additional cyber capabilities and loosening of authorities can be seen by other nations as an unavoidable threat. Interactions in cyberspace can foster trust and cooperation, but they also have the potential to provoke suspicion, competition and conflict. The deepening cybersecurity dilemma is due not just to American action. It is in part due to threats the United States perceives from China, a topic her account largely glosses over.

China likely sees U.S. cyber activities, whether intended to be defensive or offensive, as intrusive and threatening. It may well launch hacking operations to attempt to disrupt American efforts.

For all the dangers of the cybersecurity dilemma, the United States and China do have areas of mutual interest in the digital domain. For example, they share interests in the integrity and stability of the global financial system, in not being misled into great-power conflict with one another by a third-party malefactor, in not letting cyber weapons get into the hands of malicious non-state actors, in better understanding how each side approaches cyber-policy questions such as the definitions of “armed conflict” or “critical infrastructure,” and in cooperating to combat transnational cybercrime [ CITATION Buc18 \l 1033 ]. Yes, this is consistent with the general country culture.

China is more and more dependent on information networks in all aspects, including in defense. China uses the term “eight King Kongs” to describe the top internet companies in its domestic supply chain: Apple, Cisco, Google, IBM, Intel, Microsoft, Oracle, and Qualcomm. Heavy dependence on these companies’ products makes it necessary to work towards developing the domestic technology industry and its capabilities, and to thereby make the country’s internal internet infrastructure more secure [ CITATION Jin19 \l 1033 ].

Cybersecurity Threats

Points of aggregation refer to managed service providers (MSPs), which are companies that manage other firms’ information technology (IT) infrastructure systems. These could include small and medium-sized MSPs, as well as large technology firms such as IBM [ CITATION Fan19 \l 1033 ]. China’s national intelligence law, also effective in 2017, requires every Chinese organization and citizen to assist and cooperate with Beijing’s national intelligence efforts. The broad and vague definition of “national intelligence” means that companies and citizens must answer to the Chinese regime when called upon (Fang, 2019). In 2010, “Chinese actors attacked Adobe Systems, Yahoo, Symantec, Northrop Grumman, Morgan Stanley, and Dow Chemical (Bengali, et al.) using an advanced persistent threat (APT) that appeared to be based in Beijing”. The “massive theft of tens of millions records from the Office of Personnel Management (OPM) in 2014 is attributed to the Chinese, as is the 2015 theft of millions of records from Anthem. This represented the most significant theft of healthcare records to date”. “Chinese attacks against US interests became so prolific and bold that the US took the unprecedented step of publicly accusing China of attacking US government systems” [ CITATION UMU1914 \l 1033 ].

The 2015 agreement between the United States and China on commercial cybertheft seems to have failed to appreciably slow the widespread hacking of American targets by state-affiliated Chinese operators, though it may have caused them to increase their operational security in a bid to evade detection.

Global dominance, arms races, Preparations for Military Struggle (PMS), international strategic competition in cyberspace [ CITATION Jin19 \l 1033 ].

With diplomacy and deterrence not working as well as the Pentagon would like, disruption of malicious cyber activity has become an option that is attractive to policymakers, even if it carries risks of its own.

Cyberspace situation awareness, cyber defense, support for the country’s endeavors in cyberspace, and participation in international cyber cooperation [ CITATION Jin19 \l 1033 ].

Cyber Legal Perspective/Cyber Economic Perspective

The new law sets forward that important network equipment and software will have to receive government certifications. This means that specific pieces of intellectual property or technical features will have to be divulged, which could easily be passed on to Chinese companies by the regulators behind cybersecurity [ CITATION Hao16 \l 1033 ].

China is taking action to “protect its state interest in the event of cyberattacks, new rules will mandate strict data surveillance and storage for firms working in the country” [ CITATION Hun17 \l 1033 ].

This law is also counterproductive because companies gathering data in so-called “critical areas” will have to store that data inside China. At this stage, the definition of “critical” is worryingly broad. Complying with this requirement will force international firms to make expensive investments to build duplicate facilities within China [ CITATION Hao16 \l 1033 ].

International companies will have to weigh this risk against the opportunity to do business in China. China has had a long reputation for “copying” without getting insider access, and this law could only increase the ease with which China’s business sector can review its competition. For international companies there is no easy way forward, as the choice is black or white. Either foreign companies will comply, knowing China has a way to peek into what previously was private, or they will choose to stand by principles of privacy at the risk of being excluded from the Chinese market [ CITATION Hao16 \l 1033 ].

U.S. companies have already begun to lobby strongly against the law, as well as against China’s position that the Internet must be managed by authorities. But despite the efforts of any company, Chinese or other, the cybersecurity law is just a piece in a larger ongoing political puzzle that companies will have to deal with [ CITATION Hao16 \l 1033 ].

Response to Cyberterrorism/Recruiting

The “West really does not know how China might handle a nuclear terrorism crisis. There are some scholars who believe Chinese decision making is purposely vague. In fact, the Chinese may have no plans for crisis management. For example, it is not clear to this writer whether the Chinese believe a nuclear terrorism incident would be a law enforcement or a military problem. True, that kind of concern mirrors a Western way of thinking. And it is possible in a tightly controlled society, like China’s, there may be little time or inclination for any bureaucratic or turf battles about such a matter” [ CITATION Gro09 \l 1033 ].

The Chinese government’s monitoring of the internet and social media is based on its potential use as a platform to disseminate information that could cause similar social unrest to spread, which could lead to large-scale social and political instability [ CITATION Jin19 \l 1033 ].

The Chinese actors are not concerned with the United States’ view concerning cyberterrorism. “An increase in Chinese capability has opened the way ‘for bigger data storage, for bigger data theft,’ he said. ‘And when you can gain it in bulk, you take it in bulk’” [ CITATION Nak15 \l 1033 ].

China is a persistent collector of data, especially from the United States; it is my belief that China will do whatever it takes to protect and defend itself from the United States, even if it means cyberterrorism [ CITATION AnI13 \l 1033 ].

Compare and contrast international cybersecurity standards bodies

When identifying the most useful best-practice standards and guidance for implementing effective cybersecurity, it is important to establish the role that each fulfils, its scope, and how it interacts (or will interact) with other standards and guidance. The “Cybersecurity Framework (CSF) is a voluntary framework primarily intended for critical infrastructure organizations to manage and mitigate cybersecurity risk based on existing standards, guidelines, and practices, while ISO/IEC 27001 is the international Standard for best-practice information security management systems (ISMSs)”. The “NIST SP 800-53 “Security and Privacy Controls for Federal Information Systems and Organizations” details which controls it recommends for all US federal information systems (excluding those in national security), while ISO/IEC 27032 is the international Standard focusing explicitly on cybersecurity”. HIPAA “established a national standard for the security of electronic health information, including the protection of individually identifiable health information, the rights granted to individuals, breach notification requirements, and the role of the OCR (Office of Civil Rights), while ISO/IEC 27035 is the international Standard for incident management, and ISO/IEC 27031 is the international Standard for ICT readiness for business continuity” [ CITATION itg19 \l 1033 ].

International Environmental Scan

Environmental Scan: Africa

Unique characteristics that make cyberspace issues more challenging. Africa’s cybersecurity measures are underdeveloped. African networks are easy targets because they are not well protected. Cyber threats originating in Africa are mostly associated with financial gain (UMUC, 2019).

Role of NATO. The North Atlantic Treaty Organization (NATO) “has made clear its objective to ensure that its operational and mission-related information systems are protected from cyberthreats while the organization continues to help member nations increase the security of their own national networks” (UMUC, Cybersecurity International Policy, 2019). NATO offers education, training, and exercises to support member nation needs. It is important that each member nation raises the bar on its own cyberdefense capabilities because the alliance as a whole is only as strong as its weakest member nation (UMUC, Cybersecurity International Policy, 2019).

Role of United Nations. The “mission of the United Nations is as follows: maintain international peace and security; develop friendly relations among member nations based on respect for equal rights; achieve international cooperation in solving international problems; be a center for harmonizing actions of nations in attaining common goals” (United Nations Cybersecurity Approaches, 2019).

Cybersecurity Changes in the Next Decade. Based on current African cybersecurity threats, my predictions for the next decade center around improved protection measures for financial transactions, implementation of technology that protects data and networks, and the ability to collaborate with United States cybersecurity programs, education, and regulations to support their internal industries.

Catalyst(s) for change. A catalyst for change could be the continued onslaught of state-sponsored attacks, organized crime, risks, threats, and vulnerabilities leading to serious financial problems and a failure to protect the countries’ governments and infrastructure as a whole (3tsconsulting.com, 2017).

Economic Perspective; Africa’s approach to cyberspace. Africa will change with the rest of the world. Cybersecurity issues are global issues. “We live in a connected world made smaller each day by the exponential growth of technology. Individuals, companies and countries rely on cyberspace for everything from cell phone card recharge transactions to business partnership arrangements or the movement of military forces from one country to the other”. “Safeguarding cyberspace is a crucial discipline” for all countries (3tsconsulting.com, 2017).

Criminality Perspective; Africa can do more in the cyberspace area. African networks are not protected; therefore “Cybercriminals are using the path of least resistance, thus bypassing security investments that organizations have made in their infrastructure”. A “first defense” for Africa would be “security awareness and public training” (3tsconsulting.com, 2017). The “ultimate goal is to enable all countries in the region to have adequate legislation in place in order to achieve a higher level of legal and policy interoperability” (3tsconsulting.com, 2017).

Changes and Suggestions, if I were the US ambassador to Africa. My first meeting would be to develop a team of serious technicians and technical engineers to review the United Nations policies, NATO policies, and the United States’ recommendations to improve information systems. I would look at developing an African version of the National Institute of Standards and Technology publications and set up Federal Information Security Management Acts specific to Africa, along with enacting new laws for cybercrime and cybercriminals.

Potential Impact of My Recommendations. The “2017 cyber security survey shockingly reveals that over 95% of African businesses are operating below the cybersecurity “poverty line” (Kaimba, 2017). My recommendations can limit and control the number of would-be cyber criminals and adversaries, lower the number of Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks, and positively affect the nations’ cyber debt. The new NIST-style publications, African FISMA, standards, and training will lift African businesses above the cybersecurity poverty line and allow them to compete with other countries. The financial, manufacturing, hospitality, government institutions and other private organizations will benefit and function at a higher level, and consumer confidence will be at its highest.

Identify key initiatives in international cybersecurity policy

The key initiatives in cybersecurity policy are the “International Telecommunication Union (ITU), an agency of the United Nations (UN) whose purpose is to coordinate telecommunication operations and services throughout the world”, and the ITU “Global Cybersecurity Agenda (GCA), a framework for international cooperation aimed at enhancing confidence and security in the information society” [ CITATION UMU1921 \l 1033 ].

The “GCA is designed for cooperation and efficiency, encouraging collaboration with and between all relevant partners and building on existing initiatives to avoid duplicating efforts”; the “ITU Toolkit for Cybercrime Legislation, which addresses the first of the seven strategic goals of the ITU Global Cybersecurity Agenda (GCA), also includes the elaboration of strategies for the development of cybercrime legislation that is globally applicable and interoperable with existing national and regional legislative measures by providing a model law for countries” (cyberdialogue.ca, 2010). “Regional law enforcement and multinational government groups like the European Police Office (Europol), the Association of Southeast Asian Nations (ASEAN), and the Organization for Economic Co-Operation and Development (OECD) have also developed initiatives to cooperate on cybercrime” [ CITATION UMU19 \l 1033 ].

The E-government initiatives are the Federal Information Security Management Act, the National Science Foundation, the Computer Fraud and Abuse Act, the Electronic Signatures in Global and National Commerce Act, and the Federal Desktop Computer Configuration

Regional Cybersecurity Threat Fact Sheet

Africa Fact Sheet

Cybersecurity threats experienced in Africa. “Attacks range from simple email scams to large-scale theft of customer data using malware, ransom attacks and disinformation or fake news”. Cyber-attacks in Africa affect financial institutions, destroy their business reputations, and interfere with corporate and government operations (Yusuf, 2019).

Evolution of the associated malware and implications. Dorkbot has been a problem for Africa for several years. “Dorkbot is designed to steal passwords for online accounts, including such social networks as Facebook and Twitter, as well as to install additional malware that can turn infected endpoints into nodes in a DDoS attack or part of a spam relay” (Schwartz, 2015). “African businesses, specifically, find themselves at a crossroads, where they must balance digital transformation with a greater focus on security policies and how to protect customer data” (Croock, 2016). With Africa’s digital economy continuing to scale up rapidly, the need is becoming more apparent for regulation and legislation to match (Croock, 2016). South Africa has introduced a number of legislative measures to address the growing threat of cyber terrorism and terrorist financing, such as the Prevention of Organized Crime Act 38 of 1999 (“POCA”), the Financial Intelligence Centre Act 38 of 2001 (“FICA”), the Electronic Communications and Transactions Act 25 of 2002 (“ECT”), the Regulation of Interception of Communications and Provision of Communications-Related Information Act 70 of 2002 (“RICA”) and the Protection of Constitutional Democracy against Terrorism and Related Activities Act 33 of 2004 (“PCDTRA”) (Cassim, 2012).

The “international community must devote more attention to the development of central authorities in critical regions such as the Middle East, North Africa, and the Sahel”. The “engines that give life to the international treaty framework must be built, serviced, and properly maintained”. “Otherwise, efforts to address transnational crime and terrorism through a rule of law framework will remain stymied” (Stigall, 2016).

Global cybersecurity policies that might be used to counter the effects. The president’s International Strategy for Cyberspace promotes a strategic framework of international cyber stability. This framework is designed to achieve and maintain a peaceful cyberspace environment where all states are able to fully realize its benefits, where there are advantages to cooperating against common threats and avoiding conflict, and where there is little incentive for states to engage in disruptive behavior or to attack one another (US-Cert.gov, 2003). The International Strategy for Cyberspace spelled out key global policy areas that will promote international standards, build relationships, safeguard the free flow of information, and promote the global interoperability of networks (International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World, 2011).

Characteristics of Dorkbot Malware. A “family of malware worms that typically spreads through instant messaging, USB removable drives, websites or social media channels like Facebook and Twitter. Downloading and installing Dorkbot malware results in its opening a backdoor on infected computers, allowing for remote access and potentially turning the computer into a botnet” (Stroud, 2019). The “Dorkbot worm gained publicity in late 2011 for an attack on Facebook’s chat system, with users receiving a message with a bogus link that appeared to come from one of their Facebook friends” (Stroud, 2019). In “2012, Dorkbot targeted Skype users, by installing ransomware, that would threaten to lock a user out of being able to use their computer and demand a payment of several hundreds of dollars be made within a limited timeframe or have files on the computer deleted” (Stroud, 2019). Attribution is difficult, since Dorkbot can use backdoors, steal information from victims, and post malicious links in instant messages and social media sites (F-secure.com, 2016).

Contributing factors to change characteristics over the next 10 years. 5G security will change all networks through cross-layer security, end-to-end security, cross-domain security, and secure-by-design measures (sdxcentral.com, 2012-2019). The “5G standard promises to embody a mobile-connectivity revolution, providing enhanced broadband connectivity and speed for a wide swath of customers” (sdxcentral.com, 2012-2019).
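The two behaviours the fact sheet attributes to Dorkbot-infected endpoints, relaying spam and serving as nodes in a DDoS attack, leave a footprint in ordinary outbound flow logs that a defender can check for even when the malware itself is not identified. The following is an added example written for this report, not code from any of the cited sources: it parses constructed flow-style log lines and flags an internal host that talks tcp/25 to many distinct mail servers (relay behaviour) or sends a burst of flows to a single destination (flood participation). The log format, the host addresses, the allow-listed mail server and the thresholds are all assumptions for the demonstration and would be tuned to a real network's baseline.

```python
"""Flag internal hosts whose outbound flows look like botnet activity.

Added example, not from the source document. The two behaviours the text
attributes to Dorkbot-infected endpoints (acting as a spam relay, joining a
DDoS) are detected from flow-style log lines. The log format, field names,
host addresses and thresholds below are assumptions for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Detection thresholds: assumed values, tune to the site's baseline.
SPAM_RELAY_MIN_DISTINCT_DST = 20   # distinct hosts contacted on tcp/25
FLOOD_MIN_FLOWS = 100              # flows to one dst:port inside FLOOD_WINDOW_S
FLOOD_WINDOW_S = 60
ALLOWED_RELAYS = {"10.0.0.25"}     # assumed legitimate outbound mail server


def parse_flow(line):
    """Parse '<iso-timestamp> key=value ...' into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    except ValueError:
        return None
    rec = {"ts": ts}
    for kv in parts[1:]:
        if "=" in kv:
            key, val = kv.split("=", 1)
            rec[key] = val
    if not {"src", "dst", "dport"} <= set(rec):
        return None
    try:
        rec["dport"] = int(rec["dport"])
    except ValueError:
        return None
    return rec


def analyze_flows(lines):
    """Return {src_host: sorted list of findings} for hosts with bot-like traffic."""
    smtp_dsts = defaultdict(set)   # src -> distinct destinations on tcp/25
    flows_to = defaultdict(list)   # (src, dst, dport) -> timestamps
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue                # skip malformed lines rather than abort
        src = rec["src"]
        if rec["dport"] == 25 and src not in ALLOWED_RELAYS:
            smtp_dsts[src].add(rec["dst"])
        flows_to[(src, rec["dst"], rec["dport"])].append(rec["ts"])

    findings = defaultdict(set)
    for src, dsts in smtp_dsts.items():
        if len(dsts) >= SPAM_RELAY_MIN_DISTINCT_DST:
            findings[src].add(
                f"possible spam relay: tcp/25 to {len(dsts)} distinct hosts")
    for (src, dst, dport), stamps in flows_to.items():
        stamps.sort()
        lo = 0                      # sliding window over sorted timestamps
        for hi in range(len(stamps)):
            while (stamps[hi] - stamps[lo]).total_seconds() > FLOOD_WINDOW_S:
                lo += 1
            if hi - lo + 1 >= FLOOD_MIN_FLOWS:
                findings[src].add(
                    f"possible DDoS participation: {FLOOD_MIN_FLOWS}+ flows "
                    f"to {dst}:{dport} within {FLOOD_WINDOW_S}s")
                break
    return {src: sorted(f) for src, f in findings.items()}


def sample_lines():
    """Constructed flow records (not captured traffic) exercising each case."""
    base = datetime(2019, 3, 1, 10, 0, tzinfo=timezone.utc)

    def flow(offset, src, dst, dport):
        return f"{(base + offset).isoformat()} src={src} dst={dst} dport={dport} proto=tcp"

    lines = ["not a flow record"]                      # malformed, must be skipped
    # 10.0.0.7: ordinary workstation, a handful of HTTPS flows
    lines += [flow(timedelta(seconds=30 * i), "10.0.0.7", f"198.51.100.{i}", 443)
              for i in range(5)]
    # 10.0.0.25: the allow-listed mail server, legitimately talking tcp/25 widely
    lines += [flow(timedelta(seconds=i), "10.0.0.25", f"192.0.2.{i}", 25)
              for i in range(40)]
    # 10.0.0.31: infected host relaying spam to 30 distinct mail servers
    lines += [flow(timedelta(seconds=2 * i), "10.0.0.31", f"192.0.2.{100 + i}", 25)
              for i in range(30)]
    # 10.0.0.32: infected host flooding one web server, 120 flows in 30 seconds
    lines += [flow(timedelta(milliseconds=250 * i), "10.0.0.32", "203.0.113.9", 80)
              for i in range(120)]
    return lines


if __name__ == "__main__":
    for host, notes in analyze_flows(sample_lines()).items():
        for note in notes:
            print(f"{host}: {note}")
```

Run stand-alone, the script reports only the two constructed infected hosts; the allow-listed mail server is the reason the relay check needs an exception list, since a legitimate MTA shows exactly the same tcp/25 fan-out as a compromised workstation, and the sliding window, rather than a per-hour total, is what separates a flood burst from a busy but normal client.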

Technologies will counter global cybersecurity policy controls in the future. The “Center for Strategic & International Studies (CSIS) Technology Policy Program has compiled an index of existing cyber strategies and laws by country and territory. The index includes national strategies addressing civilian and military national cyber defense, digital content, data privacy, critical infrastructure protection, e-commerce, and cybercrime. This provides policymakers and diplomatic officials a unified, at-a-glance database of global legal and policy frameworks to help the global community understand, track, and harmonize regulations internationally” (CSIS.org, 2019).

“National regulations obviously do not replace the need for international negotiations and agreements on measures to increase stability and security in cyberspace. CSIS, in partnership with the UN Institute for Disarmament Research, organized three expert workshops to open and broaden the discussion of international norms for responsible State behavior in cyberspace and to identify new ideas to support further progress by the international community” (CSIS.org, 2019). If countries and territories are willing to collaborate and work with mutual trust, the security of these technologies will improve along with them.

Recommendations. Cybersecurity policy is important because government, military, corporate, financial, and medical organizations collect, process, and store unprecedented amounts of data on computers and other devices. Policy determines how an organization will protect its information and information assets. Best security practices are generally accepted as superior to any other methods or means.

In my opinion, there would be no need for security, cybersecurity, physical security, information security, application security, operational security or any other security, if people could consider others as themselves or treat others as they would like to be treated in return.

Assess cybersecurity policies and procedures for transnational legal compliance.

Global policies are needed for Internet governance, “the decision-making process for developing secure architectures, technical standards, administrative procedures, and best practices at the international level and to ensure the secure, resilient operation of the Internet” [ CITATION acl19 \l 1033 ]. “Cyberspace now constitutes the primary domain for global communications and commerce, it has become a critical national asset for many nations”. This “criticality may lead to reexamination of traditional questions of public international law and military doctrine”. The “global nature of communications networks, an array of public policy, regulatory, and law enforcement issues that are being addressed within independent domestic jurisdictions have wider ramifications for the United States and other countries” [ CITATION acl19 \l 1033 ]. Transnational legal compliance issues must start at the federal government level, and include the Federal Information Security Act (FISMA), the Office of Management and Budget (OMB), and the NIST Cybersecurity Framework, which provides a policy framework for computer security guidance and for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to domestic and global cyber-attacks.

The North Atlantic Treaty Organization (NATO) is a “formal alliance between the territories of North America and Europe”. NATO’s “main purpose is to defend against the possibility of communist Soviet Union taking control of their nation” [ CITATION col19 \l 1033 ]. The following organizations are responsible for “cybersecurity policy making and decision making under NATO: The North Atlantic Council, Defence Policy and Planning Committee, NATO Consultation, Command and Control Board, NATO Military Authorities and Consultation, Command and Control Agency, NATO Communication and Information Systems Services Agency” [ CITATION UMU1925 \l 1033 ].

Cybersecurity “challenges for international bodies like NATO, the United Nations or the European Union--are unique as determined by the governing principles and membership of each body” [ CITATION UMU1924 \l 1033 ]. The “NATO Policy on Cyber Defence will be implemented by NATO’s political, military and technical authorities, as well as by individual allies” [ CITATION UMU1925 \l 1033 ].

Assess and critique cybersecurity programs.

The benefits of a cybersecurity program are “common grounds for cybersecurity risk management measures, provides a list of cybersecurity activities that can be customized to meet the needs of any organization, provides a risk-based approach to identifying cybersecurity vulnerabilities, provides a systematic way to prioritize and communicate cost-effective improvement activities among stakeholders, and provides a frame of reference on how an organization views managing cybersecurity risk management” [ CITATION Cha18 \l 1033 ]. No matter how great our cybersecurity programs are, “The United States is not close to raising its defenses adequately and likely will not in the foreseeable future. Offense has too great an advantage over defense” [ CITATION aei18 \l 1033 ]. The “United States has the most powerful military in the world, including the greatest capacities in offensive cyber. . . [But] the United States significant digital dependencies mean that it loses in escalation in cyber because, as President Obama explained, “our economy is more digitalized and it is more vulnerable, partly because we are a wealthier nation and we are more wired” [ CITATION aei18 \l 1033 ].

“Maintaining and improving U.S. technical expertise would be an effective step towards countering cyberterrorism” [ CITATION UMU1921 \l 1033 ]. Present cybersecurity programs must also educate users, who would otherwise be the victims, if we are going to get ahead of cybercriminals and stop cyberterrorism.

Assess the cross-cutting effects of policy, budget, and technological capabilities upon the ability to address cyberthreats at the enterprise, national, and international levels.

“Cross-border enforcement policies, cross-border collaboration policies and cross-border global enterprise frameworks can limit and mitigate cyberthreats.” The international level requires more collaboration and understanding between states, nation-states and non-state actors. “Global issues are typically handled either through the establishment of a member-state treaty that governs the issues or through the formation of a global body that directs activities” [ CITATION UMU1921 \l 1033 ].

The “Internet is a conduit for crime, terrorism, espionage, intellectual property theft, and international offensive maneuvers”. The “Tallinn Manual provides some broad guiding principles to assist NATO towards developing strategies and policies, along with the Law of Armed Conflict (LOAC), the International Court of Justice (ICJ) and the Permanent International Court of Justice (PICJ)” [ CITATION UMU1925 \l 1033 ].

Assess policy and technology trade-offs that must be considered and made when addressing cyberthreats at the enterprise, national, and international levels.

Every decision involves trade-offs. “Some of the tradeoffs for enterprise would include direct or indirect cyber-security related losses”. “Direct impact comes from ‘successful’ breaches achieved by hackers, while indirect impacts come from displaced resources, increased caution of moving forward with the new technology-enabled innovations and inefficiencies caused by the necessary cyber-security reviews” [ CITATION Nel17 \l 1033 ]. At the “national level, tradeoffs include acknowledging difficulties of defining covered activities and the technical difficulties of attribution and verification” [ CITATION aei18 \l 1033 ]. At the international level, tradeoffs might include measures to “reduce use of offensive operations in cyberspace as an instrument to advance U.S. interest” [ CITATION Dav14 \l 1033 ]. The “need to manage multiple common interests with China or Russia or any other nation generally requires policy makers to make tradeoffs” [ CITATION Dav14 \l 1033 ].

Assess and critique cybersecurity programs.


Humans are the weakest link: “Break the people, break the system” [ CITATION UMU1921 \l 1033 ]. Northrop Grumman “believes and recommends intensive training for organizations with the goal of creating a global, integrated battle-management network composed of virtual, real-time, geographically distributed battlefield down to the desk level” [ CITATION UMU1921 \l 1033 ].

Anything connected to the Internet is on the front line. For example, U.S. electrical grids, water supply systems, transportation networks, covered entities, entertainment, and major broadcasting networks are all on the front line. The United States cybersecurity program is not up to par and will not be able to stop a large-scale cyberspace attack; we will only respond and try to recover.

Botnet Evaluation

Evaluation of Botnets. Botnet Key Features.

A botnet is a “network of computers, or ‘bots,’ that are maliciously infected with malware that allows them to be controlled as part of a network”. Botnets “are used to infect other networks or systems, to launch malicious e-mail (spam), and to conduct distributed denial-of-service (DDoS) attacks”. Botnets “generally leverage computers without the knowledge of the owner, using the computers to increase the capacity of the botnet to wreck damages”. “As with other networks, botnets can operate using several different configurations, including peer-to-peer, hierarchical, or hub and spoke”. Botnets “operate under the command and control of a lead or central computer”. A “botnet has a bot herder, or botmaster, that controls botnets remotely, usually through an Internet Relay Chat (IRC), which is a means of real-time communication over the Internet or through peer-to-peer (P2P) networking communications”. The “command and control (C&C) occurs at the server, a typical bot runs without being detected using covert channel standards, such as Instant Messaging to communicate with the (C&C) server” [ CITATION UMU1919 \l 1033 ].

Issues associated with Botnets.

The “use of botnets is on the rise. Industry experts estimate that botnets attacks have resulted in the overall loss of millions of dollars from financial institutions and other major US businesses”. Once “the malware is on your computer, it's hard to detect. In addition to your computer being commanded to link up with other compromised computers to facilitate criminal activity, the bot can also collect and send out your personally identifiable information—like credit card numbers, banking information, and passwords—to the criminals running it” [ CITATION UMU1920 \l 1033 ]. Through the “NCIJTF and in alliance with its US government (USG) partners, international partners, and private sector stakeholders, the FBI has worked collaboratively in developing a multipronged effort aimed at defeating the world's most dangerous botnets” [ CITATION UMU1920 \l 1033 ]. It is difficult to combat Internet organized crime with the rapid development of mobile devices and their inability to prevent hackers from linking them to “botnets and crimeware toolkits” [ CITATION UMU1918 \l 1033 ]. The goal is to educate users, so they are aware of suspicious links and illegal Internet activity.

Global Cybersecurity Policy.

Global law enforcement activities can help combat some cybercrimes, but countries must be willing to work together. The “Council of Europe Convention on Cybercrime is the first treaty to cover network security violations, copyright infringement, computer-related fraud, and child pornography” [ CITATION UMU1921 \l 1033 ]. The United Nations Office on Drugs and Crime (UNODC) has focused much attention on cybercrime. Its position is that cybercrime is transnational, and that active transnational cooperation is needed to make the investigation of criminal cases feasible; but disagreements on matters such as privacy, intellectual property, and criminal prosecution vary from country to country, which means it can be years before laws are passed and agreed upon.

The “ITU created a Global Cybersecurity Agenda (GCA) in 2007 to initiate a global approach to increasing cybersecurity effectiveness and reducing risks and threats in cyberspace”. The “ITU has also created a toolkit for cybercrime legislation, to promote strategies for developing cybercrime legislation that is globally applicable and interoperable with existing legislative measures” [ CITATION UMU1921 \l 1033 ].

The United States must work hard and fast to face the number of cyberthreats to its critical infrastructure. One way is through “partnership with private and government sectors, and creation of global agreements” [ CITATION UMU1921 \l 1033 ].

Botnets Evolved over the Years.

There was a time when building a botnet was a difficult task, but now “putting together a botnet is as easy as ABC,123, IoT”. With the “availability and vulnerability of IoT devices and new advances in malware, it’s now relatively easy for botnet owners who know what they’re doing to build botnets that consist of hundreds of thousands of devices, allowing hackers to create massive botnets and launch massive cyber-attacks” [ CITATION IoT18 \l 1033 ].

Botnets Impact on Policy.

Regulatory policies are a must, “but the rapid spread and evolution of Internet technologies around the world, make building consensus on regulatory policies impossible” [ CITATION UMU1921 \l 1033 ]. The question isn’t whether we need global law enforcement, but how and who will regulate policy around the world. The use of bots and botnets has created an emergency need for the Federal Bureau of Investigation (FBI), the Secret Service, the National Counterterrorism Center (NCTC), the Central Intelligence Agency (CIA), the Department of Homeland Security (DHS), the National Coordinating Center for Telecommunications (NCC) and the United States Computer Emergency Readiness Team (US-CERT) to come together and work jointly to solve these issues.

Assess emerging cybersecurity issues, risks, and vulnerabilities.

The major issue is that no one is really concerned with ransom attacks until they hit close to home. The average Internet user knows little about cybersecurity, let alone security in general. One risk associated with this lack of concern is the absence of security awareness training for the average user, which means more personal cyberattacks, distributed denial of service (DDoS) attacks, malware attacks, and Internet of Things (IoT) attacks. In 2019, as technology moves to 5G (fifth generation cellular network technology that provides broadband access), more vulnerabilities will hit the market, and attacks will include “crypto jacking, cross-site scripting, and mobile malware” [ CITATION DeN19 \l 1033 ].

Botnet Discussion

Global Nature of Botnets. The “botnet begins with the infection process, where code attaches spam to email or instant messages. The next step is rallying, where the bot connects to a C&C server and establishes a zombie. The next stage is commands and reports, where the bots get new commands and execute orders and the results are reported to the C&C server. If the bandwidth is too low, the bot will be abandoned by the botmaster. If the bandwidth is acceptable, the next step is to secure the botnet; bots and botnets are dynamic and flexible in nature. Botnets are continuously being updated and their codes change day to day” [ CITATION Esl19 \l 1033 ]. The stages are sometimes referred to as spreading and injection, the communications stage, and the attack stage [ CITATION Rah14 \l 1033 ].

How Botnets have emerged, changed, over past 5-10 years. Botnet strategies, technologies, and techniques are constantly evolving and adapting in response to mitigation measures [ CITATION int15 \l 1033 ].

Key Technical Features of Botnets. The “lengths of command packets are typically very small, and bots reply to the Botmaster’s command very fast” [ CITATION Rah14 \l 1033 ]. Botnets are “perfect for striking DDoS attacks, and attribution or tracing botnet masters is difficult”. The “cheap and lazy botnets get dismantled, meaning the ones we have left are highly resilient against technical and legal take down” [ CITATION Mon16 \l 1033 ].
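The C&C traits described in the botnet sections above (the bot rallies to one server, command packets are very small, and replies come back fast and regularly) can be turned into a beaconing check over network flow logs. The script below is an added example for this report, not code from the report or any cited source; its flow-record fields, thresholds, IP addresses and port are constructed assumptions.

```python
"""Beaconing detector over constructed flow records (added example).

Scores each (source, destination, port) pair on the two traits the report
attributes to bot-to-C&C traffic: small exchanges and a regular check-in
cadence. A real deployment would read NetFlow/Zeek conn logs instead of the
embedded sample and tune the thresholds to its own baseline.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows, not real traffic:
# (timestamp_s, src_ip, dst_ip, dst_port, bytes_out, bytes_in)
SAMPLE_FLOWS = [
    # infected host: near-identical small exchanges every ~60 s to an IRC-style port
    (0,   "10.0.0.7", "203.0.113.5", 6667, 96, 120),
    (61,  "10.0.0.7", "203.0.113.5", 6667, 98, 116),
    (119, "10.0.0.7", "203.0.113.5", 6667, 95, 124),
    (181, "10.0.0.7", "203.0.113.5", 6667, 97, 118),
    (240, "10.0.0.7", "203.0.113.5", 6667, 96, 122),
    (301, "10.0.0.7", "203.0.113.5", 6667, 99, 119),
    # ordinary user browsing: irregular timing, large and varied sizes
    (5,   "10.0.0.8", "198.51.100.9", 443, 1450, 52000),
    (12,  "10.0.0.8", "198.51.100.9", 443, 900, 120000),
    (140, "10.0.0.8", "198.51.100.9", 443, 3100, 8000),
    (147, "10.0.0.8", "198.51.100.9", 443, 700, 250000),
    (290, "10.0.0.8", "198.51.100.9", 443, 1200, 64000),
    (299, "10.0.0.8", "198.51.100.9", 443, 2000, 31000),
]


def beacon_score(flows, min_flows=5, max_avg_bytes=512, max_jitter=0.25):
    """Return {(src, dst, port): details} for pairs that look like C&C check-ins.

    A pair is flagged when it has at least `min_flows` connections, the mean
    bytes per connection (both directions) is at most `max_avg_bytes`, and the
    inter-connection gaps are regular: std-dev/mean of the gaps <= `max_jitter`.
    Thresholds are assumptions for the sample, not published values.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, out_b, in_b in flows:
        by_pair[(src, dst, port)].append((ts, out_b + in_b))

    suspects = {}
    for pair, recs in by_pair.items():
        if len(recs) < min_flows:
            continue
        recs.sort()  # order by timestamp before measuring gaps
        gaps = [later[0] - earlier[0] for earlier, later in zip(recs, recs[1:])]
        avg_gap = mean(gaps)
        jitter = pstdev(gaps) / avg_gap if avg_gap else float("inf")
        avg_bytes = mean(size for _, size in recs)
        if avg_bytes <= max_avg_bytes and jitter <= max_jitter:
            suspects[pair] = {
                "count": len(recs),
                "avg_gap_s": round(avg_gap, 1),
                "jitter": round(jitter, 3),
                "avg_bytes": round(avg_bytes),
            }
    return suspects


if __name__ == "__main__":
    for pair, details in beacon_score(SAMPLE_FLOWS).items():
        src, dst, port = pair
        print(f"possible beacon: {src} -> {dst}:{port} {details}")
```

Only the first host is reported; the browsing host fails both the size and the regularity test, which is the distinction the quoted packet-length and reply-time observations rely on.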

Example Botnets.

1. “Star Wars, known as a Twitter botnet. Star Wars sends unsolicited spam, creates fake trending topics to sway public opinion, and launches certain cyberattacks,

2. Hajime, known as a Malware botnet. This Japanese botnet is protecting IoT devices from being infected by additional malware,

3. WireX Android Botnet, a malicious app that has been rampant for years, because the apps themselves do not appear malicious after users install them, they evade initial detection,

4. The Reaper IoT Botnet, known to quietly target vulnerabilities in wireless IP-based cameras and other IoT devices by running a list of known usernames and passwords against the device,

5. Satori IoT Botnet, a Japanese botnet. The Satori botnet spreads by exploiting a zero-day vulnerability in routers and uses a “remote code” execution bug instead of relying on a Telnet scanner to find vulnerable devices to infect with malware” [ CITATION pen17 \l 1033 ].

6. “Mirai is a malware botnet known to compromise Internet of Things (IoT) devices in order to conduct large-scale DDoS attacks. Mirai is dropped after an exploit has allowed the attacker to gain access to a machine” [ CITATION cis19 \l 1033 ].

What Contributing Factors may cause Botnets to change over the next 10 years. “Cross-border enforcement, cross-border collaboration can be facilitated by laws that make botnets and their malicious activity illegal and permit appropriate information collection and sharing for mitigation and enforcement” [ CITATION int15 \l 1033 ]. Examples include “Anti-Botnet Initiatives like botfrei.de from Germany which detects and notifies infected customers and provides disinfection assistance” [ CITATION UMU1919 \l 1033 ], the “Dutch Anti-Botnet Treaty from the Netherlands, and the Danish Botnet Memorandum of Understanding, which recommends the exchange of relevant tools and information among Internet Service Providers (ISPs), and the use of quarantine tools to isolate infected computers and the requirement to notify end users of the ISPs when botnets are found in their networks” [ CITATION UMU1919 \l 1033 ].

Assess key cyberattack technologies. The top ten most common cyber-attacks:

1. Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. A denial-of-service attack overwhelms a system’s resources so that it cannot respond to service requests [ CITATION Mel18 \l 1033 ].

2. Man-in-the-middle (MitM) attacks. A MitM attack occurs when a hacker inserts itself between the communications of a client and a server [ CITATION Mel18 \l 1033 ].

3. Phishing and spear phishing attacks. A phishing attack is the practice of sending emails that appear to be from trusted sources with the goal of gaining personal information or influencing users to do something. It combines social engineering and technical trickery [ CITATION Mel18 \l 1033 ].

4. Drive-by attacks. Drive-by download attacks are a common method of spreading malware. Hackers look for insecure websites and plant a malicious script into HTTP or PHP code on one of the pages. This script might install malware directly onto the computer of someone who visits the site, or it might redirect the victim to a site controlled by the hackers. Drive-by downloads can happen when visiting a website or viewing an email message or a pop-up window [ CITATION Mel18 \l 1033 ].

5. Password attacks. Brute-force password guessing means using a random approach by trying different passwords and hoping that one works. Some logic can be applied by trying passwords related to the person’s name, job title, hobbies or similar items [ CITATION Mel18 \l 1033 ]. In a dictionary attack, a dictionary of common passwords is used to attempt to gain access to a user’s computer and network. One approach is to copy an encrypted file that contains the passwords, apply the same encryption to a dictionary of commonly used passwords, and compare the results [ CITATION Mel18 \l 1033 ].

6. SQL injection attacks. A successful SQL injection exploit can read sensitive data from the database, modify (insert, update or delete) database data, execute administration operations (such as shutdown) on the database, recover the content of a given file, and, in some cases, issue commands to the operating system [ CITATION Mel18 \l 1033 ].

7. Cross-site scripting (XSS) attacks. XSS attacks use third-party web resources to run scripts in the victim’s web browser or scriptable application. Specifically, the attacker injects a payload with malicious JavaScript into a website’s database. When the victim requests a page from the website, the website transmits the page, with the attacker’s payload as part of the HTML body, to the victim’s browser, which executes the malicious script [ CITATION Mel18 \l 1033 ].

8. Eavesdropping attacks. Eavesdropping attacks occur through the interception of network traffic. By eavesdropping, an attacker can obtain passwords, credit card numbers and other confidential information that a user might be sending over the network. Eavesdropping can be passive or active. Passive eavesdropping: a hacker detects the information by listening to the message transmission in the network. Active eavesdropping: a hacker actively grabs the information by disguising himself as a friendly unit and by sending queries to transmitters. This is called probing, scanning or tampering [ CITATION Mel18 \l 1033 ].

9. Birthday attacks. Birthday attacks are made against hash algorithms that are used to verify the integrity of a message, software or digital signature. A message processed by a hash function produces a message digest (MD) of fixed length, independent of the length of the input message; this MD uniquely characterizes the message. The birthday attack refers to the probability of finding two random messages that generate the same MD when processed by a hash function. If an attacker calculates the same MD for his message as the user has, he can safely replace the user’s message with his, and the receiver will not be able to detect the replacement even if he compares MDs [ CITATION Mel18 \l 1033 ].

10. Malware attacks “Malicious software can be described as unwanted software that is installed in your system without your consent. It can attach itself to legitimate code and propagate; it can lurk in useful applications or replicate itself across the Internet” [ CITATION Mel18 \l 1033 ].
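The birthday attack entry in the list above can be made concrete with a short computation. The script below is an added example, not code from the report or the cited source: it gives the general birthday bound for any n-bit digest (about sqrt(pi/2 * 2^n) hashes before the first collision, and the collision probability after a given number of trials) and demonstrates it on a SHA-256 digest deliberately truncated to 24 bits, so that a collision appears within a few thousand hashes; the truncation and the message format are assumptions chosen for the demonstration.

```python
"""Birthday bound on an n-bit message digest (added example).

Shows why collision resistance costs roughly 2^(n/2) work rather than 2^n,
which is what makes digest length the deciding factor when a hash is used to
verify a message, software or signature. A 24-bit truncation (an assumption,
to keep the run short) collides after a few thousand messages; a full
256-bit digest would need on the order of 2^128.
"""
import hashlib
from math import exp, pi, sqrt


def expected_trials(bits):
    """Expected number of distinct messages hashed before the first collision
    among n-bit digests, approximately sqrt(pi/2 * 2^n)."""
    return sqrt(pi / 2 * 2 ** bits)


def collision_probability(bits, trials):
    """Probability that `trials` messages contain at least one pair with the
    same n-bit digest: 1 - exp(-t(t-1) / 2^(n+1))."""
    return 1 - exp(-trials * (trials - 1) / (2 * 2 ** bits))


def truncated_digest(msg, bits):
    """Leading `bits` bits of SHA-256(msg) as an integer; stands in for a
    short digest so the search completes quickly (assumption for the demo)."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits, max_trials=None):
    """Birthday search: hash distinct messages until two share a digest.

    Returns (msg_a, msg_b, digest, hashes_used) or None if the cap is hit.
    The cap defaults to 20x the expected count, at which point the chance of
    no collision is negligible.
    """
    seen = {}
    limit = max_trials or int(20 * expected_trials(bits))
    for i in range(limit):
        msg = f"constructed-message-{i}".encode()  # constructed input
        d = truncated_digest(msg, bits)
        if d in seen:
            return seen[d], msg, d, i + 1
        seen[d] = msg
    return None


if __name__ == "__main__":
    for n in (24, 64, 128, 256):
        print(f"{n:3d}-bit digest: about {expected_trials(n):.3g} hashes to a collision")
    found = find_collision(24)
    if found:
        a, b, d, used = found
        print(f"24-bit collision after {used} hashes: {a!r} and {b!r} -> {d:#08x}")
```

The probability formula also shows why the quoted claim that a digest “uniquely characterizes” a message holds only as far as the digest is long: after 2^64 messages a 128-bit digest already has about a 39% chance of a collision.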

Assessing the above cyber-attacks individually can be difficult; each attack can cause some loss of confidentiality, integrity, and/or availability (CIA) of a network. My best advice is the proper use of “firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), network access control (NAC), web filters, proxy servers, anti-DDoS devices, load balancers, and spam filters” [ CITATION Net19 \l 1033 ]. The proper security policy will address each specific attack. For example, the implementation of a strong network security policy, incident response policy, acceptable use policy, computer, Internet and e-mail usage policy, privacy policy, third-party access policy, account management policy, user monitoring policy, and a password management policy will provide guidance for each of the above types of threats and attacks.

Botnet Conclusion

Botnets are serious malware attacks; governments, private sectors, and allied and unallied countries must work together to stop cybercrime and the organizations that promote the use of botnets as a threat. Information security specialists should ensure they are well trained and aware of botnet features and attack measures. Together we can detect botnets, prevent infections, identify when a computer has been taken over, and assist with the clean-up and restore process.

Conclusion

Assess how the theories and principles of war apply to cyberwarfare and apply those theories to understand cyberoffense and cyberdefense challenges.

Attribution, determining who is attacking whom, is difficult. Cyberwarfare is a “battle for control over information and communication flows, with the ultimate goal of taking advantage of your opponent” [ CITATION Rob15 \l 1033 ]. Cyberwarfare or “information warfare can be seen as a game, played between defenders and attackers who are in direct competition”. “Defenders perform defensive operations to protect information in any form, seeking to maintain its confidentiality, integrity and availability”. “Attackers perform offensive operations, seeking to damage that confidentiality, integrity and availability”. “Cyberspace blurs the line between offense and defense, and this principle therefore can’t be applied to cyberwarfare” [ CITATION Rob15 \l 1033 ]. Understanding how cyber offensive measures, which take a proactive approach to security using ethical hacking, and cyber defensive measures, which take a reactive approach focused on prevention, detection, and response to attacks, work together is the key to meeting cybersecurity challenges.
