Overview
The ever-increasing number of geopolitical conflicts since the pandemic, combined with the development of more sophisticated malware than ever, has made the total number of cyberattacks rise like never before in recent years. It is estimated that the cost of cybercrime worldwide will reach $10.5 trillion annually by 2025, and all types of cyberattacks, including ransomware, phishing and supply chain attacks, are expected to become much more widespread. With this concerning trend developing fast, it is of vital importance for every member of modern society to have at least a basic understanding of cybersecurity issues: what the common types of attacks are, how to defend against them, how to mitigate the damage, and most importantly, how to actively look out for them and stop them at the doorstep.
Like the ocean, sky and land, cyberspace is also a critical frontline of conflict. The Cyber Challenge is a set of games presented by the US Department of Defense, aimed at helping the general public build an understanding of cyber-related practices in the US military. In total there are 4 games, each corresponding to a critical aspect of cybersecurity:
- Protect, where players are tasked with building a secure military cyber system at different locations such as command centers, warships, planes and satellite stations, in a 3-stage process. Each stage consists of 4 tasks, and a balance between personnel, risk level and budget must be maintained.
- Defend, where players need to deny or grant various access requests of different natures. Some requests need to be denied because of the abnormally high frequency with which they request or access data.
- Analyze, where players need to decipher secret messages and identify entities of interest based on an excerpt from the player's "supervisor".
- Strike, where players coordinate cyber counterattacks by matching decimal numbers with their binary equivalents, in the form of a 4-part IP address.
These games are highly interactive and provide good insight into the issues within the cybersecurity domain. Each game approaches cybersecurity from a different angle, involving threats and vulnerabilities of different natures.
Key cybersecurity threats and vulnerabilities
Cybersecurity threats and vulnerabilities are mainly embodied in the Protect, Defend and Analyze phases.
- In the Protect part:
- In Discover and Analyze, the project brief that the commanding officer provided might not be specific enough, stakeholders might have difficulty understanding the whole system, or they might challenge the rationale for building a new system if their current system is working fine.
- In Design and Develop, threats include that the previously discussed components might turn out not to be implementable, new concerns might arise during development of the system, new attacks might appear in the wild, hardware resources might not meet the demands of the cybersecurity system, and much more.
- In Deploy and Maintain, new defects that hid themselves in previous phases might surface and affect a portion of end users, the software vendor might have misplaced user credentials and put them at increased risk of being leaked, or in some extreme cases the servers running the software might stop responding.
- In the Defend part, most threats involve the frequent editing, deletion, addition or access of sensitive information. Actions like accessing databases, requesting new passwords, requesting encryption keys, uploading or downloading files, and sending email to everyone are all operations with the power to compromise the confidentiality, integrity and availability of information, some of which can be highly sensitive and critical.
- In the Analyze part, after decoding the message, the entities in the message, including time, location, origin, destination and actions, are compared with a log that contains the current number of attacks from each entity. In one message, the origin FM station might have conducted tens of attacks previously, making the message currently being evaluated highly suspicious. Sometimes many attacks happen on a specific day, and to ensure a safe cyberspace all messages from that date might be flagged.
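The Defend game's rule of denying requesters whose rate of sensitive operations is abnormally high can be expressed as a small sliding-window check. The following Python is an added example, not code from the game or the original post: the log format, the list of sensitive actions, the 60-second window and the threshold of 3 are all assumptions chosen for the illustration, and the log lines are constructed.

```python
"""Frequency-based triage of access requests, modelled on the Defend game.

Added example, not part of the original post or the game. The log format,
the sensitive-action list and both thresholds are assumptions; the sample
log is constructed.
"""
from collections import deque
from datetime import datetime, timedelta

# Operations the essay lists as able to compromise confidentiality,
# integrity or availability (assumed action names).
SENSITIVE_ACTIONS = {
    "access_database", "request_password", "request_key",
    "upload_file", "download_file", "email_all",
}

# Constructed sample log: ISO timestamp, requester, requested action.
SAMPLE_LOG = """\
2024-05-01T09:00:00 user=alice action=access_database
2024-05-01T09:00:05 user=bob action=download_file
2024-05-01T09:00:07 user=bob action=view_dashboard
2024-05-01T09:00:10 user=alice action=access_database
2024-05-01T09:00:12 user=mallory action=request_key
2024-05-01T09:00:13 user=mallory action=request_key
2024-05-01T09:00:14 user=mallory action=request_key
2024-05-01T09:00:15 user=mallory action=request_key
2024-05-01T09:00:16 user=mallory action=download_file
2024-05-01T09:05:00 user=bob action=email_all
2024-05-01T09:20:00 user=mallory action=request_key
"""


def parse_line(line):
    """Split 'TIMESTAMP user=X action=Y' into (datetime, user, action)."""
    ts_text, rest = line.split(" ", 1)
    fields = dict(part.split("=", 1) for part in rest.split())
    return datetime.fromisoformat(ts_text), fields["user"], fields["action"]


def evaluate_requests(log_text, window=timedelta(seconds=60), max_sensitive=3):
    """Grant or deny each request in order.

    A requester who already has `max_sensitive` sensitive requests inside the
    trailing `window` is denied the next one. Denied attempts still count
    toward the window, so a burst keeps being refused until it cools off.
    Returns a list of (timestamp, user, action, decision, reason) tuples.
    """
    recent = {}  # user -> deque of timestamps of sensitive requests in window
    decisions = []
    for line in log_text.splitlines():
        ts, user, action = parse_line(line)
        if action not in SENSITIVE_ACTIONS:
            decisions.append((ts, user, action, "grant", "not a sensitive action"))
            continue
        q = recent.setdefault(user, deque())
        while q and ts - q[0] > window:      # drop requests older than the window
            q.popleft()
        if len(q) >= max_sensitive:
            reason = f"{len(q)} sensitive requests in the last {int(window.total_seconds())}s"
            decisions.append((ts, user, action, "deny", reason))
        else:
            decisions.append((ts, user, action, "grant", f"{len(q)} recent sensitive requests"))
        q.append(ts)
    return decisions


if __name__ == "__main__":
    for ts, user, action, decision, reason in evaluate_requests(SAMPLE_LOG):
        print(f"{ts.time()} {user:8} {action:17} {decision:5} ({reason})")
```

On the constructed log, mallory's fourth and fifth sensitive requests within a minute are denied while alice, bob and mallory's later request twenty minutes on are granted; in practice the window and threshold would be tuned per action, since one key request a minute is very different from one database query a minute.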
Analysis of strategies to mitigate risks
During the whole game, the majority of strategies are used in the Protect, Defend and Analyze phases.
- In the Protect phase, the choices turned out to be rather challenging for me. In each subprocess there are 4 tasks that must be accomplished, each associated with a certain increase in risk and budget. Each incident has several solutions, but their impact on risk and budget varies significantly. The time they take is also a major factor when choosing between strategies.
- During the Discover and Analyze process, there was an incident where several stakeholders said that their current system works fine and there is no need to upgrade it. The two options were to organize Q&A workshops to educate the stakeholders, or to ignore them. Educating them decreases risk, but costs a medium amount of time. Ignoring them increases the risk of the system being compromised, but is done instantly. A trade-off is clearly present here: a choice needs to be made between valuing a low risk profile and prioritizing the timely development of the system. In real life, such situations can be highly complex because of the differing interests of stakeholders, and a balance among them must be established.
- Such trade-offs also exist in the handling of DDoS attacks. We can direct the team to configure network settings to defend against the attack, update the infrastructure and equip it with firewalls, or disregard it altogether. Disregarding the attack significantly increases the risk, but requires no investment and can be done instantly. Updating the infrastructure can also be done instantly, but it needs investment. Configuring network settings requires no investment, but takes longer to finish.
Throughout this part of the game, the optimal choices cannot be made without a thorough analysis of the current budget and risk profile. During one playthrough, we tried to bring down the risk since it was far too high for our preference, but this decision in turn drove the budget up by 5%. In the end, the total budget spent was 104%, exceeding 100%.
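The Analyze game's triage, decoding a message and comparing its origin and date against a log of prior attacks, can be written out as a short Python script. This is an added example, not the game's own logic or code from the original post: the cipher (a fixed-shift letter substitution standing in for whatever cipher the game uses), the log format, the field names and both thresholds are assumptions, and the attack log and the two messages are constructed.

```python
"""Message triage modelled on the Analyze game: decode a message, extract its
entities, and flag it against a log of prior attacks.

Added example, not the game's own logic. The cipher, log format, field names
and thresholds are assumptions; the log and messages are constructed.
"""
from collections import Counter

ORIGIN_THRESHOLD = 3  # prior attacks from one origin before it is suspect
DATE_THRESHOLD = 4    # attacks on one day before every message from that day is flagged

# Constructed log of earlier attacks: date and originating station.
ATTACK_LOG = """\
2024-04-28 origin=FM7
2024-04-29 origin=FM7
2024-04-29 origin=AM2
2024-04-30 origin=FM7
2024-04-30 origin=AM2
2024-04-30 origin=SW9
2024-04-30 origin=FM7
2024-05-01 origin=SW9
"""

# Constructed intercepted messages, letters shifted forward by 3.
MESSAGE_A = "RULJLQ=IP7 GDWH=2024-04-30 WLPH=0300 GHVW=JULG-QRUWK DFWLRQ=XSORDG"
MESSAGE_B = "RULJLQ=DP2 GDWH=2024-05-01 WLPH=1200 GHVW=JULG-HDVW DFWLRQ=VWDWXV"


def decode(ciphertext, shift=3):
    """Undo a fixed shift on uppercase letters; digits and punctuation pass through."""
    out = []
    for ch in ciphertext:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") - shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def extract_entities(plaintext):
    """Turn 'ORIGIN=FM7 DATE=... ' into a dict keyed by lower-case field name."""
    return {key.lower(): value
            for key, value in (token.split("=", 1) for token in plaintext.split())}


def build_history(log_text):
    """Count prior attacks per origin and per date from the log."""
    by_origin, by_date = Counter(), Counter()
    for line in log_text.splitlines():
        date, origin_field = line.split()
        by_origin[origin_field.split("=", 1)[1]] += 1
        by_date[date] += 1
    return by_origin, by_date


def triage(ciphertext, log_text=ATTACK_LOG):
    """Return (entities, reasons); an empty reasons list means nothing was flagged."""
    entities = extract_entities(decode(ciphertext))
    by_origin, by_date = build_history(log_text)
    reasons = []
    origin, date = entities["origin"], entities["date"]
    if by_origin[origin] >= ORIGIN_THRESHOLD:
        reasons.append(f"origin {origin} has {by_origin[origin]} prior attacks")
    if by_date[date] >= DATE_THRESHOLD:
        reasons.append(f"{by_date[date]} attacks already logged on {date}")
    return entities, reasons


if __name__ == "__main__":
    for msg in (MESSAGE_A, MESSAGE_B):
        entities, reasons = triage(msg)
        status = "FLAGGED" if reasons else "clear"
        print(decode(msg), "->", status, "; ".join(reasons))
```

Message A is flagged on both counts (its origin FM7 has four logged attacks and its date already carries four), while message B from AM2 on a quiet day passes; in a real pipeline the counts would come from a SIEM or threat-intelligence store rather than a text file, but the decision logic is the same.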
Ethical considerations and responsible cybersecurity behavior
This part is mainly manifested in the Strike phase. In the setting of the game, counterattacks are executed by matching the decimal representation of IP addresses with their binary equivalents, and the phase is relatively straightforward compared to the others. However, this can be much more complicated in real life because of the ethical considerations:
- Critical civilian infrastructure might fall victim to counterattacks;
- Counterattacks might escalate the tension further and result in a more tense geopolitical environment;
- Entities carrying out counterattacks should be prepared to take full responsibility for the potential consequences of those counterattacks;
And many more.
One famous example is the deployment of Stuxnet, a worm believed to have been developed by the United States and Israel and targeted at disrupting Iran's uranium enrichment facilities. The worm was initially designed to infect the industrial systems specifically used in Iranian nuclear facilities and would not carry out the attack until several conditions were met, to ensure that it was indeed infecting a nuclear facility. However, a later update to the worm rendered the safeguards less effective, and the worm spread across the world.
As a result, many facilities that turned out to be using the same type of industrial control system were also infected. Some of the infected systems were critical infrastructure, such as systems responsible for the generation and distribution of electricity. If the worm had initiated its payload in these systems, millions of innocent civilians might have faced a blackout for days or even weeks, leading to considerable regional unrest or even humanitarian complexities. More concerningly, such a worm could serve as a precedent and be replicated by other parties, creating a counter-counterattack. If a worm like Stuxnet infected systems in the United States, the damage is estimated to be in the billions of dollars, and the recovery could cost even more.
In real-life scenarios, counterattacks should only be carried out after a systematic evaluation of all the risks involved.
Conclusion
This set of games can provide valuable intuition about a wide range of cybersecurity issues for the general public. It covers 4 main aspects of practice in the cyber-related field, each bearing the risks and threats specifically present at that stage. It covered the course materials in a systematic way, linking concepts about types of cyberattacks, cybersecurity project management and cyber governance, as well as touching on the ethical concerns of countermeasures.