Dr. Tarek Saadawi is the Director of the Center for Information Networking and Telecommunications (CINT) and a professor at the City College of New York (CCNY). Dr. Saadawi has published extensively in the area of information networks and network security. He is a co-editor of the book “Cyber Infrastructure Protection,” Strategic Study Institute, volume 1, May 2011, volume 2, May 2013, and volume 3 (expected 2016), and the lead author of the book “Fundamentals of Telecommunication Networks,” John Wiley & Sons, 1994. The latter is considered a seminal work in the field and has been translated into Chinese. His most recent work has focused on network security, the vulnerability of wireless networks, denial of service attacks, mitigation strategy, resilient routing protocols for ad-hoc wireless networks, connected vehicles security, and smart grid vulnerability analysis and its intrusion detection schemes.
Foreign Policy Concepts spoke with Dr. Saadawi about internet infrastructure security in North America.
I’d like to start by asking about a seemingly basic but crucial topic in internet infrastructure, and that is why it is so easy in the U.S. and Canada to sever fiber optic cables in an age when much of our economy relies on them?
Fiber optic lines are the main pipes that carry all of our internet traffic, whether our homes, our institutions, or our offices all the way to the core of the network. The fiber optic network in North America is truly massive. Anywhere you go – the streets, the railroad, energy pipes – fiber lines are available everywhere. Fiber optic cables carry many strands of optical lines in them, which contain trillions of bits of information. A single fiber optic cable can carry typical values of 46 or 96 strands of fiber optic. There are also fiber lines connected globally – whether under the streets or under the sea! There are approximately 500,000 miles of undersea fiber lines that connect the whole globe. They all come—depending on their destination—to landing points by the shore.
These fiber optic cables, whether in the U.S., Canada, or around the globe, can easily be cut physically through vandalism, or through cyber-hacking the software. Therefore, when we look at cyber security, it’s not just about software hacking, but it’s also about the physical cutting of cables, switches and other physical assets. We call this the whole stack of communications networking – this includes switches, cables, hardware, and the software.
So do we need new and additional legislation that would enable greater security of our internet infrastructure?
While there are tons of existing laws that deal with the cyber security issues including fiber cuts, vandalism and theft, cyber-attacks are on the rise and cyber hackers continuously exploit the system’s vulnerabilities. They steal, misuse, and/or alter our information and credentials. Examples of such cyber-attacks and hacks have included the loss of 15 million records of T-Mobile customers; the Ashley Madison cyber hack with loss of millions of records; US Office of Personnel Management (OPM) with loss of 20 million records; Anthem Health Care with loss of 80 million records; and Sony Pictures Entertainment hack, which caused tremendous financial and reputational damage. We also see a rise in the market value of identity theft and stolen data.
Cybercrime and cyber vandalism target individuals, commercial institutions, industrial zones, and government institutions. The malware industry is growing where we see sophistication in the attack tools complexities and resources, and increase in automation and acceleration of the attack. We are dealing with determined and sophisticated cyber criminals. For example, as we saw in the recent sad & unfortunate Paris attacks, the terrorists either 1) used end-to-end encryption for their communications needs to avoid law-enforcement surveillance, or 2) used the dark web, where their identity and origination addresses are hidden, or 3) used untraditional ways of communication that use the internet infrastructure to conduct such heinous attacks.
So while there are strong domestic laws in North America, there is no similarly strong cyber legislature at the international level. What is missing is an international deterrence capability, where international cyber laws can be established and where there is a platform to exchange and share information amongst countries. Whether such cyber-attacks happen in North America or from outside, you need to be able to prosecute cyber criminals and place the right penalties for such unlawful activities.
This was the motivation for our paper in the Georgetown Journal of International Affairs, where we stressed the idea of starting an international platform, referred to simply as the International Cyber Union (ICU), that can bring all the nations together with their cyber space expertise to address the issues of cybersecurity from the physical layer to the fiber hacking and cutting all the way to the software issues we are dealing with, to discuss policies, share information, and develop international laws.
With coordinated cyber-attacks occurring in different parts of the world, it’s time that the international community become more proactive about cybersecurity and start developing international laws and exchanging the R&D side of cybersecurity, a side which many countries lack.
As you mentioned, we have a vast fiber network infrastructure in North America. Do you think we have a thorough understanding of our network assets and the physical vulnerabilities they face?
Indeed, we have a vast fiber network infrastructure – which is composed of not only hardware and software, but also physical localities and assets. It’s crucial, therefore, to have a thorough understanding of our network maps and assets, especially because hackers need to find only one weak entry point to enter and wreak havoc. The U.S. Department of Homeland Security (DHS) is doing excellent work in developing what is known as ‘critical cyber infrastructure’ and defining each component of this infrastructure. This is a great first step to developing a strategy on the cyber infrastructure. Of course, the system is not perfect yet. There needs to be more attention focused on understanding the network’s physical assets and how we can better protect them.
Network physical asset protections are important issues especially in light of the recent developments in northern California, where there were multiple fiber cuts, which resulted in the unavailability of the Internet in these areas. But we also need to pay attention to our Internet exchange points (IXPs), which are major junctures in the architecture of the internet and work as aggregating points. IXPs are scattered in different cities, which number more than 100 IXPs in North America from small cities to major metropolitans such as the well-known ones in Toronto, Miami, and New York.
If we actually make the comparison to data centers, where there are heavy regulations on building security, access, heating and many other issues, we need to make similar rules for IXPs to enhance their security and physical well-being. When you look at the assets of IXPs and their functions you see that they shoulder very heavy internet traffic and also act as content distribution points. So it would be a worthwhile effort to apply some of those data center standards to IXPs.
High profile cyberattacks over the past several years highlight the vulnerability of our critical infrastructure such as the power grid, financial institutions, transportation networks and utilities. Do you think software coding has played a role in enabling some of these attacks?
Information and communications technology (ICT) has always been evolving and continuously introducing new products and new versions. And now we start the era of “Internet of Things (IoT)”. In the next five years, we expect to have billions of IoT devices connected to the Internet and we need to make sure these devices are cyber-secure. For example, in the coming years, cars will be connected to the Internet (connected vehicles), and we have been conducting research on the detection of cyber-attacks and how to mitigate its effects on connected vehicles. We will be dealing with humongous amounts of internet traffic, which will continue to rise with the growth and development of applications. Our group is applying new techniques which are based on the human body’s immune system and how the human body deals with viruses through its own built-in immune system. This new area of cyber security focuses on modeling the system as a human body and developing an artificial immune system. So by building an artificial immune system, these networks would be better protected against attacks.
We also need to learn to deal with the evolution of software products in the form of version 1, version 2, and so on. So, for example, if a system/network administrator doesn’t keep up with the software updates, there is vulnerability in the system, and thus an entry point for the hacker. So when a new product is introduced to the market and consumers start using it, if a hacker discovers a hole in the software, which the vendors are not aware of yet, it is an opportunity for the hacker(s) to penetrate the system and this period could take place for several days or months. This is referred to as a ‘zero day attack’. Some of the zero day attacks are known to have lasted for over a year before they were discovered! Now with the future generation of networks we see the emergence of a new technology of Software Defined Network (SDN), whose purpose it is to enhance the network performance and security.
There are usual human errors in any configuration and systems – caused by network administrators, IT professionals and users alike. In fact, users’ errors account for nearly 30 percent of cyberattacks. The combination of these factors makes the system vulnerable.
What do you mean by saying that we should integrate technology and policy, that we should address the technology of attack and the social and political organizations of attackers?
Technologists and engineers work on designing and building tools and systems that enable the normal and secure performance of the cyberspace. So all this technical work requires an integrated and multidisciplinary effort to address the problems, threats, and challenges facing the cyber space security. Cyber security problems can’t be solved only by engineers and technologists; nor can they be solved only by policy makers, economists, or lawyers. They need to be solved and minimized with an integrated multidisciplinary approach and by understanding different prospects for the cyber domain security.
Institutions have policies regarding the use of technology. For example, organizations place restrictions on the use of flash memory cards or on browsing any site on the Internet. We as technologists can develop tools to monitor and administer how these policies are implemented. So there is an inseparable correlation between the two.
By the same means, if a cybercriminal is identified and captured, proper laws are there that govern the punishment that he/she deserves. Since 2009, we have been holding an annual conference at the City University of New York (CUNY) with people participating from a variety of disciplines including technology, economics, law and public policy. For example, understanding the economics of the hacker industry helps us develop policies, tools and techniques to deal with disrupting financial networks. We need to be aware of all sides involved in cyber domain.
As I argued, we need to establish an international cyber union (ICU) that can provide leadership in combating cyber-attacks, where all people with similar concerns can establish a platform to share and exchange information. Such a body can address issues that are of concern to the global community when it comes to cyber domain security. The ICU’s objectives are to promote cyber cooperation and data sharing on attacks and mitigation, to establish a set of cyber policies and laws, and to collaborate on technology development research and education. Today’s cyber-attacks and vandalism are becoming militarized and therefore impact our economy, our cities, and critical infrastructure and the services they offer. There are many organizations working to enhance the security of the cyber domain. For example, CERT (Computer Readiness and Emergency Response), and standards organizations such as IEEE, IETF, and ITU.
Additionally, there are many regional cybersecurity consortiums, such as Center for Infrastructure Assurance and Security (CIAS) and Cybersecurity Research Consortium (CRC) in the United States, System Security (SYSSEC) in Europe, and India Infosec Consortium (IIC) in Asia. There are also global and international consortiums that are addressing cybersecurity issues, such as Consortium for Cybersecurity Action (CCA).
Going forward, we need a centralized platform, such as the ICU, to bring these organizations and groups together in a coordinated way to develop international policies, standards and laws.
What is deterrence theory and how is it utilized against cyber threats and attacks?
Deterrence theory posits that a nation’s best defense is international deterrence cooperation. We literally need to be able to share information about attacks and hacks. As nations, we need to be able to share technical information on the nature of attacks. The goal is to get institutions to share information with law enforcement on the nature and frequency of attacks in a protected environment information about hacking. We also need to be aware of the fine line between technical issues being shared among member parties and privacy issues while being mindful of potential liabilities.
Are municipal networks (community networks) today playing an important role in the nation’s internet infrastructure? How independent are their management and security measures from those of incumbent networks?
Community networks are still growing and many cities are pushing toward developing their own networks for greater independence from incumbent service providers. This is closely related to the longstanding discourse on the digital divide and on making internet more accessible to the masses. Many corporations are also contributing to community networks, as part of their corporate social responsibility. For example, in New York City, we proposed providing open and free internet access across the city.
This concept of ‘free internet access’ is related to economic prosperity and is a concept gaining strength in large cities, such as New York. While an excellent concept that can bring the benefits of the internet into local communities, there also need to be efforts by community networks to develop management and security measures.