might amount to an expenditure of some $15,000 (U.S.) per year, per root server installation within the country. (It's worth noting that all of the investments required for cyberwarfare defense are equally applicable to general economic development. Just as the cyberwarfare field of conflict is a private-sector space, this, too, is unlike traditional military expenditures. A tank or a bunker is purely a cost center, whereas an IXP or domain name server is a profit center, generating new, concrete, and monetized value for its users from the moment it's established. The return on investment of a newly established IXP is typically less than three weeks, and often less than one week.)

The CERT is a widely employed model for computer and network incident response. CERTs are directly responsible for systems under their own control, and, with other CERTs, collaborate on collective network security. FIRST (Forum of Incident Response and Security Teams), an association of CERTs, brings CERTs and their staffs together to build the most fundamental links in a web of trust.1 A CERT should also have already established lines of communication with ISPs, law enforcement, and other elements of government concerned with infrastructure security.

Network operators' groups promote community and cooperation between a country's Internet operators and their foreign counterparts. Participation in Inter-network Operations Center Dial-by-ASN (INOC-DBA) and Network Service Provider Security (NSP-SEC) can also aid in coordinating incident response. INOC-DBA is a voice over Internet Protocol (VoIP) hotline system, interconnecting network operation centers; it uses the networks' own numeric identifiers as dialing numbers so that a NOC operator observing problematic traffic can merely enter the address of the offending network to place a call to the responsible party.2 NSP-SEC is an informal organization of security professionals at the largest Internet infrastructure providers: "Membership in NSP-SEC is restricted to those actively involved in the mitigation of [Network Service Provider] security incidents within organizations in the IP transit, content, and service provider community. Therefore, it will be limited to operators, vendors, researchers, and people in the FIRST community working to stop NSP security incidents."3

New members of the "culture of security" come out of academic and training programs (which must be established), intern in a CERT (internationally or domestically), and go on to careers as CSOs (chief security officers) in CERTs, academia, law enforcement, or government. This is fundamentally analogous to the peopling of a national health environment with doctors.

In the U.S., the Department of Homeland Security has included CERTs and information assurance analysts and operators in a new research and development solicitation. In a draft of the solicitation, DHS notes, "While we have a good understanding of the technologies involved in [cybersecurity incident response teams], we have not adequately studied the characteristics of individuals, teams, and communities that distinguish the great [cybersecurity incidence] responders from the average technology contributor. In other areas where individual contributions are essential to success, for example, first responders, commercial pilots, and military personnel, we have studied the individual and group characteristics essential to success. To optimize the selection, training, and organization of CSIR personnel to support the essential cyber missions of DHS, a much greater understanding and appreciation of these characteristics must be achieved."

Conclusion

It would be fair to describe these two incidents—Estonia in 2007, and Georgia a year later—as "cyberskirmishing." The attacks on Estonia amounted to little more than a nuisance, though a quite visible and much discussed one. Georgia had far greater problems to deal with in an armed incursion into its territory, and the Internet was not a factor in that fight.

The difference in responsiveness between the two, however, recommends that the small nation-state ought to make investments in Internet defensibility akin to those seen in Estonia:

- Through policy and regulation, and perhaps government investment, foster a robust physical infrastructure.
- Similarly, take steps to ensure a diversity of international connections.
- Encourage (or directly sponsor) creation of one or more IXPs.
- Ensure the domestic availability of DNS resolution, through root servers.
- Foster the growth of a collaborating community of security professionals.

A diversity of interconnections, both international and domestic, facilitated by the efficient peering afforded by IXPs, provides a more robust logical infrastructure, and local DNS resolution further lessens dependence on more exposed international connections. With that technical infrastructure ensured, nations should then foster development of the human infrastructure, the information security personnel needed to anticipate threats, the ability to intercede inventively to restore services, and the ability to support incident forensic collection and analysis.

1. FIRST; http://first.org/about/.
2. Inter-network Operations Center Dial-by-ASN (INOC-DBA), a Resource for the Network Operator Community; http://www2.computer.org/portal/web/
3. NSP Security Forum; http://puck.nether.net/mailman/listinfo/nsp-security.

Bill Woodcock is a founder and research director of Packet Clearing House, a nonprofit research institute dedicated to understanding and supporting Internet traffic exchange technology, policy, and economics. He entered the field of Internet routing research in 1989 while serving as the network architect and operations director for an international multiprotocol service-provision backbone network. Woodcock has participated in the establishment of more than 70 public Internet exchange points in Europe, Africa, Asia, and the Americas.

Ross Stapleton-Gray is research program manager at Packet Clearing House. Prior to joining PCH, he served as an intelligence analyst for the CIA, in information policy positions with the American Petroleum Institute and the University of California Office of the President, and has worked with several IT security start-ups, including as a cofounder of Sandstorm Enterprises.

© 2011 ACM 0001-0782/11/0300 $10.00

March 2011 | Vol. 54 | No. 3 | Communications of the ACM