Thursday, July 9, 2009

A Federal CloudBursting & Cyber Defense Contingency Plan

Over the last week several US government websites have been repeatedly attacked by a foreign botnet. A lot of folks in the media are now saying this is may actually be cyber war. I would argue that this isn't anything new, just more publicized. But if this Internet attack on U.S. federal web sites is an actual assault by North Korea or some other foreign government, what are the legitimate responses available in America's arsenal -- either traditional or cyber? Sadly right now the answer is, not many.

The question remains, how do you attack a botnet that may include zombies that exist within your own infrastructure. How do you tell who is good and who is bad? In reality you can't attack the problem using traditional military tactics. Instead of focusing on an offensive response, we should focus on limiting the effects that these cyber attacks cause. For the most part these cyber denial of service attacks are more of a nuisance then actual physical threat.

Now that governments around the globe are starting to embrace cloud computing, I feel the next logical step is to actually start defining how to actually recover from serious Cyber attacks with a minimum level time cost and disruption. Yes, it's time for a Federal CloudBursting Contingency Plan.

In 2002 The National Institute of Standards and Technology (NIST) published a contingency planning guide for Information Technology Systems. The guide provides instructions, recommendations, and considerations for government IT contingency planning. It outlines contingency planning for interim measures to recover IT services following an emergency or system disruption. The document details so called "interim measures" may include the relocation of IT systems and operations to an alternate site, the recovery of IT functions using alternate equipment, or the performance of IT functions using manual methods.

What it does not do is outline any sort of on demand or cloud computing capabilities to help negate the effects of a prolonged cyber attack. This is mainly because the guide was written in 2002 and was never subsiquently updated. The guide completely lacks any real insight into the advantages that cloud computing offers the modern IT infrastructure. This is made plainly obvious with a note on page 6.
Responses to cyber attacks (denial-of-service, viruses, etc.) are not covered in this document. Responses to these types of incidents involve activities outside the scope of IT contingency planning. Similarly, this document does not address incident response activities associated with preserving evidence for computer forensics analysis following an illegal intrusion, denial- of-service attack, introduction of malicious logic, or other cyber crime
So basically the document only outlines the requirements for a physical disaster but lacks any real insights into cyber defenses or the need for a cloud centric contingency plan. I believe the simplest and most effective response for a good portion of the problems plaguing the current federal IT and web infrastructure may be resolved with a clear and concise plan of action. This means creating an official federal CloudBursting & Cyber defense contingency plan. This plan could also address specific strategies and actions to deal with a threat in realtime. Most traditional contingency plan such as ones for nature disasters include a monitoring process and “triggers” for initiating planned actions. Why not include similar planning for if and when federal IT infrastructure is under attack?

There has been some work done in the space, specifically by the National Science and Technology Council in a document called the Federal Plan for Cyber Security and Information Assurance Research and Development. Which takes the first step toward developing that agenda. Mostly focused on R&D the plan and proposal responds to recent calls for improved Federal cyber security and information assurance. The document was developed by the Cyber Security and Information Assurance Interagency Working Group (CSIA IWG), an organization under the National Science and Technology Council (NSTC), the Plan provides baseline information and a technical framework for coordinated multiagency R&D in cyber security and information assurance. Other areas – including policy making (e.g., legislation, regulation, funding, intellectual property, Internet governance), economic issues, IT workforce education and training, and operational IT security approaches and best practices. It's a pretty good read, but completely misses the opportunity for Cloud Computing and more specically cloudbursting scenarios to help avoid some of the most obvious DoS style attacks.
Reblog this post [with Zemanta]

#DigitalNibbles Podcast Sponsored by Intel

If you would like to be a guest on the show, please get in touch.