Convergent Risk to Business and Government: Counterintelligence & Telecommunications Infrastructure
This was a final paper from the Spring of 2012 for INTR 290: Theory and Practice in Counterintelligence, taught by Professors Frank Plantan and Bruce Newsome.
The class was an amazing opportunity: 50% of it was guest lectures from all over the intelligence community. This paper addresses the telecommunications industry, and how its cyber weaknesses pose strategic risks, challenges, and vulnerabilities to both business and government.
In this modern age of ever-increasing connectivity, the way the public and private sectors intersect is changing. For centuries, each sector has had to deal with risks, be they political, economic, strategic, etc. The concept of convergent risk applies to types of risk that both business and the government share. This can include risks inherent to public/private partnerships, as well as parallel risks that both sectors face individually. And as the world around these two sectors has changed, so too have the convergent risks they face. As interstate conflict has declined, non-state actors have increased in numbers to fill the gap, ranging in activities from cybertheft to terrorism and in between. A current analysis of convergent risks through the lens of counterintelligence seeks to understand how both business and the government can work together and learn from one another and appropriately address these new challenges.
This briefing paper will zero in on one specific aspect of convergent risk: the critical infrastructure surrounding telecommunications. While the cyber security discussed in this class has centered on cyber as a means of intelligence and counterintelligence, this briefing paper will consider cyber as the ends of those efforts. In essence, think not of the hackers trying to get information, but rather of those aiming at the very communication of that information. For example, consider the blackout that swept across northeastern North America in 2003 – fifty million people lost power and at least six lost their lives. Additionally, the entire incident cost an estimated six billion dollars. Now imagine if for two days the internet or portions of it simply stopped working, or if cell phones could no longer communicate with the satellites that carry their calls. The convergent nature of this risk is clear: both the government and businesses would shut down. This briefing paper will go on to describe this risk to telecommunications and propose ways that the government and business can work together to mitigate it.
II. TELECOMMUNICATIONS RISKS
In the wake of the 2008 terrorist attacks in Mumbai, TATA Telecommunications CSO Adam Rice commented, “if you want to do real damage to the global economy – to civilization, for that matter – the cables are a big target.” Rice is forthright about the reality of telecommunications risks: “it would be impossible to prevent every type of attack.” Cables that control government communications are just as vulnerable. General Keith Alexander – head of the US Cyber Command – fully admitted that when it comes to the military’s “patchwork quilt of 15,000 different networks…you can’t defend them all.”
Snow and Weckman note that the post-9/11 landscape has seen a dispersion of telecommunications centers, in an effort to equally disperse the risk. However, this dispersed network also requires highly dependable networks to facilitate communication and coordination amongst each center. At the same time, technological advances have resulted in a high degree of convergence – centers that previously held only voice, data, or video information now commonly house all three.
Telecommunications risks are both physical and cyber in nature. The former, involving real-world intrusion and attack, requires “hard” security measures, such as heavy, reinforced barriers, guards, and electric fences. The latter, involving virtual intrusion and cyber attack, requires “soft” security measures such as electronic locks and passcodes, as well as system configuration. But the risks don’t stop there. Both government and business rely on risk management companies like Nessus, Qualys, and Core Impact to more accurately assess the risks they face and provide actionable analysis and recommendations. Here, in the consulting sphere, convergent risks already are met with convergent solutions.
III. COUNTERINTELLIGENCE LESSONS
The domain of counterintelligence (CI) yields several lessons for the convergent risk to telecommunications infrastructure. Just as CI is bifurcated into defense and offense, so too must convergent risk management be divided. It is relatively easy to think of the defensive CI aspects of a telecommunications system – they were outlined as security measures in the previous section. However, the CI bureaucracy also reveals necessary steps to further secure telecommunications. Rather than taking a backseat to the primary mission of telecommunications services, security must be considered at each and every step of the way, just as intelligence and CI are a hand-in-hand operation. In other words, after asking how each decision will increase connectivity and improve telecommunications, a follow-up CI question must be asked: “What new risks does this decision create and how do we mitigate them?”
From the offensive CI perspective, business and government should work together to create aggressive systems that will strike back at potential cyber adversaries. In the event that an ill-willed actor tries to harm some portion of telecommunications, security software needs to be in place to follow the CI creed: identify, assess, neutralize, and/or exploit. This type of software will introduce a previously nonexistent cost to would-be hackers and cyber terrorists, meaning that an attack they orchestrate could result in an even more destructive backfire.
IV. CURRENT COOPERATION
Under the United States Department of Homeland Security (DHS) there already exists a National Communications System (NCS), which serves as the Sector Specific Agency (SSA) for the Communications Sector. There are two underlying divisions within this SSA: the Communications Sector Coordinating Council and the Communications Government Coordinating Council. The former council implements initiatives for the 45 private sector members (e.g. commercial and public broadcasters, satellite communication providers, etc.) while the latter council coordinates efforts within and across a number of public agencies (e.g. Department of Defense, Federal Bureau of Investigation, etc.). Both groups work together to foster public/private cooperation in the face of telecommunications risks. Specific policies and practices include: leveraging complementary resources from both sectors, addressing issues related to response and recovery, and improving physical and cyber security of assets. As recently as 2010, the DHS published its Communications Sector-Specific Plan, which provides the current framework of public/private cooperation in protecting telecommunications infrastructure.
In order for both business and government to better defend themselves against the convergent risks to telecommunications infrastructure, the following three policies should be adopted:
- More simulation defense models. In order to better understand both the potential ramifications of an attack on telecommunications and the readiness of the defense mechanisms in place, more simulations need to be run between the private and the public sectors. These rigorous run-throughs will be highly instructive and keep the sector’s security systems (and the individuals who command them) as close to the cutting edge as possible. Allowing the possibility for public and private groups to simulate attacks on one another would provide an additional layer of objectivity when assessing the results.
- Regularized auditing functions. The NCS should evolve from a policy-making body into a regulatory commission, drawing on both public and private members to create a joint task force whose mission it is to randomly test critical telecommunications infrastructure. The principal drawback of simulations is their pre-announced nature. This auditing commission within the NCS will overcome that shortcoming by probing into the security of both public and private agencies at various times to ensure, to the highest degree possible, real-time security.
- Proactive security software. As mentioned earlier, the public and private sectors should work together to develop more aggressive security software that punishes a cyber intruder once inside a telecommunications domain. In this way, this sector can mimic the exploitative nature of counterintelligence by flipping would-be malware back on its operator(s). These measures should complement pre-existing defensive security software, serving as the proverbial “barbed wire” atop a system’s firewall.
The nation’s telecommunications infrastructure presents a convergent risk to both the public and private sectors. Any attack – cyber or otherwise – that disrupts the flow of information within and across the government and businesses would wreak serious havoc for even a short period of time. Although recent trends indicate a dispersion of telecommunications centers, the convergence of technology and data sources has rendered the system nearly as vulnerable as ever. At present, the Communications Sector of the National Communications System serves to coordinate efforts among and between both government agencies and businesses. This cooperation demonstrates the shared nature of telecommunications infrastructure risks, and must be continued if such risks are to be further mitigated in the future. In particular, counterintelligence practices yield numerous lessons for how to best secure telecommunications infrastructure, on both the macro (bureaucratic) and micro (practical) levels. Through the increased use of simulations, a higher functioning auditing commission, and more proactive security software, both the public and private sectors can continue to work together to deal with the convergent risks inherent to telecommunications.
 JR Minkel, “The 2003 Northeast Blackout–Five Years Later,” Scientific American, 13 August 2008. <http://www.scientificamerican.com/article.cfm?id=2003-blackout-five-years-later>.
 Bill Brenner, “Telecom infrastructure faces daunting risks, TATA CSO says,” CSO: Security and Risk, 28 January 2011. <http://www.csoonline.com/article/659377/telecom-infrastructure-faces-daunting-risks-tata-cso-says>.
 Noah Shachtman, “Military Networks ‘Not Defensible,’ Says General Who Defends Them,” Wired, 12 January 2012. <http://www.wired.com/dangerroom/2012/01/nsa-cant-defend/>.
 Andy Snow and Gary Weckman, Lecture, “Protecting Critical Telecommunications and Networking Infrastructure,” The Ninth International Conference on Networking ICN 2010. <http://www.iaria.org/conferences2010/filesICN10/Snow_ICN10_Tutorial.pdf>.
 Snow and Weckman, Lecture.
 Department of Homeland Security, “Communications Sector-Specific Plan,” 2010. <http://www.dhs.gov/xlibrary/assets/nipp-ssp-communications-2010.pdf>.