Wednesday, February 26, 2014

Elevate Information Security to the Level of National Security

China Times editorial (Taipei, Taiwan, Republic of China)
A Translation
February 27, 2014


Summary: Information warfare takes place on an invisible battlefield. It can determine the outcome of a war. The government must elevate information security to the level of national security. Offensive and defensive strategy should include a complete set of plans and drills. Only this can ensure that we do not fall behind. Reviewing the nation's progress in network information and Internet access is not just about speed or convenience. It is also about information security.

Full text below:

The newly implemented online household registry system was supposed to be a public convenience. But system instability, snail-paced connections and frequent crashes have turned it into a public nuisance. What went wrong? Was it hardware or software design? Was it blunders by the contractors, the manufacturers, or officials? Public anger boiled over. Premier Chiang Yi-hua declared that "The search for administrative responsibility will be no respecter of rank." He ordered the Ministry of the Interior to review the report and make a presentation this week. Interior Minister Li Hong-yuan has resigned. But information security issues cannot be ignored. The review must go on. Chiang Yi-hua must keep a close eye on it till the very end. He must uncover the truth.

Problems with eTag information security have already provoked considerable controversy. Now the new household registry system has broken down as well. The information infrastructure is closely related to public welfare. When one system after another goes awry, it highlights potential security risks. The government must not view the household registry system crash only from a technical perspective. That would be negligent and slapdash. The crash should be viewed from a national security perspective, as a comprehensive review of domestic information security. Exactly which information security vulnerabilities need reinforcement?

Take eTag. The Executive Yuan Information Security Office found that the outsourced contractor's programming was faulty. There was also insufficient bandwidth. The result was traffic jams and gridlock, rather than a distributed denial of service (DDoS) attack by hackers. The eTag network has numerous external links. Yuantong failed to build a sufficiently high firewall. Yuantong itself is a "data tycoon." It possesses information on millions of vehicles on the national highways. There is no guarantee that hackers will not zero in on this fatted calf.

The household registry system is a closed network. It has no links to the outside. But staff or system vendors could plant a virus to steal data. In an earlier case, a government official used a PC's USB port to charge a cell phone. The phone contained malware, which infected the internal system and stole passwords. Audio files were sent out via the USB device.

Ministry of National Defense information projects are outsourced. Huan An Da is the 2014 contractor for Ministry of National Defense computer equipment maintenance. It is also the 2014 contractor for the Rear Command's document and archive management system, NSB telephone exchange system maintenance, the national highway traffic control system, and Railway Bureau information system maintenance. If people with ulterior motives intrude through the vendor, the consequences could be disastrous.

No Internet attacks on national infrastructure have occurred so far. But if they did, they could cause aircraft collisions, stop water and electricity, cause traffic light failures, force medical facilities to shut down, and wreak havoc on the banking system. A "9-11 of the Internet" could well be part of any future war. Information warfare could be combined with military operations. First, hackers paralyze the infrastructure, including the electrical power grid. Then, troops invade.

North Korea may already have begun to use the Internet as a means of warfare. Late last March, the computer networks of three television stations and six financial institutions in South Korea were hacked. South Korea tracked the hackers' IP address to the Mainland. They think North Korea may have launched an indirect attack on South Korea. They think the hackers may have used a complex Advanced Persistent Threat (APT) attack to paralyze their computer networks.

The Mainland's People's Liberation Army already understands future war strategy. Mouse clicks are more important than trigger pulls. It is rapidly building up its "Internet Brigades." The United States and the European Union also hold regular information security exercises. They have upgraded Internet offense and defense to the level of military offense and defense, all in the name of national security. Many nations engage in cyberwarfare. In the past, they merely stole secrets. Now they have graduated. Now they access the infrastructure. They can then enter any time they wish. They can destroy or damage a hostile nation's transportation and financial systems.

The National Security Council and the Executive Yuan have established an information security office to coordinate overall national security. Information security exercises will be held annually. The Hengshan Command's annual political and economic military exercises include network attacks that paralyze transportation and administrative systems. But these by themselves are not sufficient.

Late last year the Executive Yuan Office of Information Security issued its "Internet Attack and Defense Scenarios," which noted that social engineering email drills show that a few agencies open or click on as many as 20% of the test messages. They lack vigilance. It is clearly necessary to improve information security education. The Executive Yuan should develop reward and penalty mechanisms to prevent civil servants from becoming Internet liabilities.

The Executive Yuan has divided government agencies into four categories. These include "defense, administrative, and academic," "water, electricity, oil, and natural gas," "transportation, communications, networking, ATC," and "financial, securities, GATT, medical." Information security protection systems will be built around them. But technological advances never end. Hacker tactics are constantly evolving. The government must provide budgets. It must regularly update its protection measures.

The government outsources its BOT (build-operate-transfer) projects. These include major construction projects such as high-speed rail and the Yuantong ETC system. These must be built according to government information security protection measures. These requirements must be written into contracts, and be applied to all future BOT projects. BOT projects involve the outsourcing of operations. But most are part of basic infrastructure. If problems arise, they affect the rights of everyone. Therefore the government must assume responsibility.

How should we prevent information leaks? Take the technical perspective. An eTag system or household registry system may contain vulnerabilities. Hackers may be able to steal information through various channels. Therefore strengthening network information security is essential for confidentiality. Other nations have adopted the concept of differential privacy. Some information is deliberately made ambiguous. This avoids disclosing exact information when data are queried or used.
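As an added illustration (not part of the editorial or of any system it names), the Laplace mechanism that underlies the differential privacy idea above, applied to a counting query over a constructed toll-record sample: the published count is the exact count plus calibrated noise, and the privacy-loss ratio shows why the answer cannot reveal whether one vehicle's record is present. Record values, gantry ids and epsilon choices are all assumptions made for the example.

```python
import math
import random

# Constructed sample: one toll record per vehicle (placeholder plate, gantry id).
# Made-up values for illustration, not real eTag or household registry data.
RECORDS = [
    ("PLATE-0001", "G07"), ("PLATE-0002", "G07"), ("PLATE-0003", "G12"),
    ("PLATE-0004", "G07"), ("PLATE-0005", "G12"), ("PLATE-0006", "G07"),
]

# Adding or removing one vehicle's record changes a count by at most 1,
# so the global sensitivity of a counting query is 1.
COUNT_SENSITIVITY = 1

def count_query(records, gantry):
    """Exact answer: how many records passed the given gantry."""
    return sum(1 for _, g in records if g == gantry)

def laplace_noise(scale, u):
    """Map a uniform u in (0, 1) to a Laplace(0, scale) sample via the inverse CDF."""
    v = u - 0.5
    return -scale * math.copysign(1.0, v) * math.log(max(1.0 - 2.0 * abs(v), 1e-300))

def dp_count(records, gantry, epsilon, seed=None):
    """Laplace mechanism: exact count plus Laplace(0, sensitivity / epsilon) noise.
    Smaller epsilon means more noise and a stronger privacy guarantee."""
    rng = random.Random(seed)
    scale = COUNT_SENSITIVITY / epsilon
    return count_query(records, gantry) + laplace_noise(scale, rng.random())

def laplace_pdf(x, center, scale):
    return math.exp(-abs(x - center) / scale) / (2.0 * scale)

def privacy_loss(output, records_a, records_b, gantry, epsilon):
    """Ratio of output densities under two datasets differing by one record.
    Differential privacy bounds this by exp(epsilon), so no published count can
    reveal whether a particular vehicle's record is present."""
    scale = COUNT_SENSITIVITY / epsilon
    pa = laplace_pdf(output, count_query(records_a, gantry), scale)
    pb = laplace_pdf(output, count_query(records_b, gantry), scale)
    return pa / pb

def worst_case_privacy_loss(records, gantry, epsilon, outputs):
    """Largest density ratio over the given outputs when one record is dropped."""
    neighbour = records[1:]  # same data minus one vehicle's record
    return max(max(privacy_loss(o, records, neighbour, gantry, epsilon),
                   privacy_loss(o, neighbour, records, gantry, epsilon))
               for o in outputs)
```

Publishing `dp_count(RECORDS, "G07", 0.5)` instead of the exact count keeps the worst-case privacy loss at exp(0.5) no matter which output is observed.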

Information warfare takes place on an invisible battlefield. It can determine the outcome of a war. The government must elevate information security to the level of national security. Offensive and defensive strategy should include a complete set of plans and drills. Only this can ensure that we do not fall behind. Reviewing the nation's progress in network information and Internet access is not just about speed or convenience. It is also about information security.

Editorial: Guard Against Information Security Risks at the National Security Level
China Times editorial board, February 27, 2014, 04:10

The new household registry system, billed as a convenience for the public, went online only to become a nuisance, with an unstable system, snail-paced connections and frequent crashes. Where did things go wrong: hardware or software design, the contractor's implementation, or officials' decisions? With public anger boiling over, Premier Chiang Yi-hua declared that "administrative accountability knows no rank" and demanded that the Ministry of the Interior submit a review report within the week. Interior Minister Li Hong-yuan has already stepped down, but information security problems must not be taken lightly and the review must not stop. Premier Chiang must see it through to the end and bring the truth to light.

eTag's information security has already provoked major controversy, and now the new household registry system has failed as well. When the information infrastructure that touches people's daily lives breaks down one system after another, it exposes enormous hidden information security risks. If the government treats the household registry crash as an isolated case and reviews it only from the technical side, it risks being careless and slapdash. It should examine the nation's information security problems comprehensively, at the national security level: what other vulnerabilities remain to be shored up?

Take eTag. The Executive Yuan Information Security Office concluded that poor program design by the outsourced contractor, compounded by insufficient bandwidth, caused the congestion and paralysis, not a distributed denial of service (DDoS) attack by hackers. Even so, the eTag network is connected to outside systems, and Yuantong has not built a high-grade firewall. Yuantong is already a "data tycoon," holding information on the millions of vehicles that travel the national highways every day, and there is no guarantee it will not become a fatted calf for hackers.

The household registry system, by contrast, is a closed network with no connection to external networks, yet a virus could still be planted to steal data through contact with staff or the system vendor. In an earlier case, an official at a government agency charged a mobile phone from a PC's USB port; the phone carried malware, the internal computer system was infected, passwords were stolen, and audio recordings were sent out through the USB device.

Ministry of National Defense information projects are all outsourced. Huan An Da alone holds the contracts for the ministry's 2014 computer equipment maintenance, the Rear Command's 2014 document and archive management system, and maintenance of the National Security Bureau's telephone exchange system, as well as the national highway traffic control system, the Railway Bureau's information system and other projects. If someone with ill intent were to intrude through the vendor, the consequences would be unthinkable.

No cyberattack on national infrastructure has yet occurred, but if one did, it could cause aircraft collisions, cut off water and power, disable traffic lights, shut down medical facilities and throw bank accounts into chaos. A so-called "Internet 9-11" is entirely possible in a future war, and it would combine information warfare with military operations: cyber forces first strike to paralyze the power grid and other infrastructure, and then troops are sent in.

North Korea may already be using cyberwarfare. Late last March, the computer networks of three South Korean television stations and six financial institutions were hit by hackers and crashed. South Korea traced the hackers' IP address to the Mainland and judged that North Korea may have launched an indirect attack on the South, possibly using a sophisticated Advanced Persistent Threat (APT) attack to paralyze the networks.

The Mainland's People's Liberation Army long ago grasped the shape of future war, in which "moving the mouse" matters more than "pulling the trigger," and it is racing to build cyber forces. The United States and the European Union also hold regular information security exercises, raising cyber offense and defense to the level of national military drills. Today, many nations' cyber forces have gradually shifted from simply stealing secrets to intruding into infrastructure, so that when the need arises they can enter and wreak destruction, endangering an adversary's transportation and financial order.

The National Security Council and the Executive Yuan have established an Information Security Office to coordinate the nation's overall security protection and hold information security exercises every year, and the Hengshan Command's annual political, economic and military war games include cyberattacks and hackers paralyzing transportation and administrative systems among their scenarios. But these measures are still not enough.

The Executive Yuan Information Security Office's report late last year on the status of cyber attack and defense drills noted that in social engineering email drills, a few agencies had open or click rates as high as 20%, showing no vigilance at all. Information security education clearly needs strengthening, and the Executive Yuan should draw up reward and penalty mechanisms so that civil servants do not become network vulnerabilities.

The Executive Yuan has divided government agencies into four tiers, "defense, administration, academia," "water, electricity, petroleum, gas," "transportation, communications, networks, air traffic control," and "finance, securities, customs and trade, medical," and is building its information security protection system around them. But technology changes daily and hacker techniques are constantly refreshed, so the government must budget for and regularly update its protective measures.

In addition, government BOT (build-operate-transfer) projects, such as major construction projects like the high-speed rail and Yuantong's ETC system, must also be built to the same information security protection standards as government agencies. These requirements must be written into contracts and applied to all future BOT projects. Although BOT projects are outsourced operations, most are major infrastructure; when problems arise, they affect not only the public's rights but also implicate the government's responsibility.

How, then, should personal data leaks be prevented? Technically, both the eTag and household registry systems have vulnerabilities, and hackers may still steal large amounts of citizens' information through various channels, so strengthening the confidentiality of network information is the most basic requirement. Abroad, the concept of differential privacy is now being promoted: certain data are deliberately blurred so that exact information is not disclosed when data are queried or used.

Information warfare is an invisible battlefield, yet it can decide the outcome of a war. Beyond raising information security to the national security level, the government must have a complete plan and drills for its offensive and defensive strategy, or it will be left a step behind. Measuring a nation's progress in network information is not just about network speed or convenience of access; information security is also an essential part.
