http://www.computerworld.com/storyba/0,4125,NAV47_STO69866,00.html By DAN VERTON April 08, 2002 While cyberterrorism may not be an immediate threat, it would be foolish not to recognize that the U.S. is facing a "thinking enemy" who will adapt to attack our critical infrastructures and vulnerabilities, says Ruth David, former director for science and technology at the CIA. David is now president and CEO of Analytic Services Inc., an independent, not-for-profit, public service research institution in Arlington, Va. She and Bill Crowell, CEO of Santa Clara, Calif.-based security firm Cylink Corp. and a former deputy director of the supersecret National Security Agency, each participated in rare interviews with Computerworld's Dan Verton. They discussed the threats posed by cyberterrorist attacks and the steps that the public and private sectors should take to thwart them. There's been speculation, even before Sept. 11, about the U.S.'s vulnerability to an "electronic Pearl Harbor" or cyberterrorist attack. How has this changed since Sept. 11, and how vulnerable are the various economic sectors to cyberterrorist attacks? David: While it is true that major terrorist attacks to date have targeted human lives, I would not blindly extrapolate that behavior into the future. After all, on Sept. 10, we would not have expected a hijacker to turn a commercial airplane full of passengers into a guided missile, and even on Sept. 12, we did not envision exploding shoes as a threat to aviation. In the aftermath of the 9/11 attacks, those adversaries almost certainly observed the immediate effect of service interruptions as well as the prolonged economic impact of infrastructure disruptions. While the weapon used was explosive rather than cyber, it doesn't take much imagination to see that similar effects could be achieved through cyberterrorism. Crowell: Clearly, the vulnerabilities of the nation to cyberattack are growing. Critical national functions like banking, financial services, health, water and communications are increasingly dependent on highly automated systems that connect the many nodes of their operations. These changes in the degree to which business and the government are dependent on public networks have been occurring for about a decade. The disturbing thing is that all of the trends are in the wrong direction. Business is moving more and more critical functions to networks. The speed and complexity of the deployments make it difficult for them to employ good defenses rapidly. Diversity is decreasing as we migrate more to common operating systems and common network systems. To what extent is the war on terrorism, particularly the battle for improved homeland security, a technology problem? What roles do you see the government, corporate America and the IT vendor/developer community playing? David: Technology is only one component. Without supporting policy, effective processes and well-trained people, technologies solve nothing. Deployment of facial recognition technologies at border entry points will not ensure apprehension of terrorists. Corporate America will play an increasingly important role in developing security technologies to protect nongovernmental personnel and property that may be targeted by terrorists attacking what we are as a nation rather than what we do as a government. Crowell: The battle for improved homeland security involves both technology and processes. Technology can be used to make the processes more efficient, predictable and effective. The Transportation Security Agency, [Federal Aviation Administration] and Department of Transportation are all looking for ways to improve [airport security]. However, I am particularly concerned that many of the critical processes are now using technologies that are more vulnerable, not less. An example is the use of wireless LANs for the tracking of baggage. Without proper encryption and authentication, the baggage handling system will not prevent either insider or outside attack. Some have said that the government's push to create a separate and secure intranet (GovNet) for sensitive government operations and possibly e-commerce is tantamount to throwing in the towel on Internet security. Are there viable alternatives to disconnecting from the Internet? David: To the extent that terrorists attack symbols of America, seek to shake the confidence of the public in our government's ability to protect [citizens], and/or seek to inflict economic damage, GovNet solves nothing, since many valuable cybertargets would be left undefended. In fact, a separate network might actually impede the homeland security mission since it could further isolate government from industry and the American public at a time when communication and collaboration are desperately needed. In particular, I believe the absence of a coherent governmentwide security policy has significantly limited our ability to protect sensitive government operations. Crowell: I think that the GovNet initiative has been misrepresented in the press. Perhaps this is because the government did not carefully lay out the principles in the beginning of the discussion. [The government has] advocated that the core mission systems be on separate private networks that are highly protected from denial-of-service attacks and from hacking and cyberattacks. The Internet would be used for e-government to enjoy the enormous reach it provides to the public. These are not new concepts. In banking and financial services, these policies have long been the basis for their risk management practices. Howard Schmidt, the deputy chairman of the President's Critical Infrastructure Protection Board, said recently that the next national plan for protecting the country's critical systems and networks will be written with the help of the private sector. What do you think the immediate priorities and focus should be for such a public/ private plan? David: If I were to offer a top priority, it would be to establish trust between government and industry and among the key industry sectors. This means first and foremost to create a safe environment for the sharing and analysis of information regarding cyberattacks and discovered vulnerabilities. My next priority would be to bolster our intrusion-detection capabilities. I worry less about the overt attacks that disrupt service than the subtle attacks designed to steal or corrupt data - attacks that may go undetected until disaster occurs. Crowell: I think that there are two elements that should be part of the plan. The first is that the government should be a leader in network security and move quickly to employ the best practices for both GovNet and e-government. The second is that the [Securities and Exchange Commission] should establish the same risk disclosure rules for network security that it used to focus attention on Y2k and on disaster recovery. Without such a mechanism, there is a strong likelihood that the vulnerabilities and risks in network-based business won't get the attention that [they need] until there is a disastrous event. I think that the disaster recovery systems of the financial businesses in the World Trade Center saved many of them from total collapse. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Apr 09 2002 - 03:31:52 PDT