[ISN] Outflanking The Cyberterrorist Threat

From: InfoSec News (isnat_private)
Date: Tue Apr 09 2002 - 00:52:02 PDT

  • Next message: InfoSec News: "[ISN] Single Points of Internet 0wnership"

    http://www.computerworld.com/storyba/0,4125,NAV47_STO69866,00.html
    
    By DAN VERTON 
    April 08, 2002
    
    While cyberterrorism may not be an immediate threat, it would be
    foolish not to recognize that the U.S. is facing a "thinking enemy"  
    who will adapt to attack our critical infrastructures and
    vulnerabilities, says Ruth David, former director for science and
    technology at the CIA.
    
    David is now president and CEO of Analytic Services Inc., an
    independent, not-for-profit, public service research institution in
    Arlington, Va. She and Bill Crowell, CEO of Santa Clara, Calif.-based
    security firm Cylink Corp. and a former deputy director of the
    supersecret National Security Agency, each participated in rare
    interviews with Computerworld's Dan Verton. They discussed the threats
    posed by cyberterrorist attacks and the steps that the public and
    private sectors should take to thwart them.
    
    
    There's been speculation, even before Sept. 11, about the U.S.'s
    vulnerability to an "electronic Pearl Harbor" or cyberterrorist
    attack. How has this changed since Sept. 11, and how vulnerable are
    the various economic sectors to cyberterrorist attacks?
    
    David: While it is true that major terrorist attacks to date have
    targeted human lives, I would not blindly extrapolate that behavior
    into the future. After all, on Sept. 10, we would not have expected a
    hijacker to turn a commercial airplane full of passengers into a
    guided missile, and even on Sept. 12, we did not envision exploding
    shoes as a threat to aviation.
    
    In the aftermath of the 9/11 attacks, those adversaries almost
    certainly observed the immediate effect of service interruptions as
    well as the prolonged economic impact of infrastructure disruptions.  
    While the weapon used was explosive rather than cyber, it doesn't take
    much imagination to see that similar effects could be achieved through
    cyberterrorism.
    
    Crowell: Clearly, the vulnerabilities of the nation to cyberattack are
    growing. Critical national functions like banking, financial services,
    health, water and communications are increasingly dependent on highly
    automated systems that connect the many nodes of their operations.
    
    These changes in the degree to which business and the government are
    dependent on public networks have been occurring for about a decade.  
    The disturbing thing is that all of the trends are in the wrong
    direction. Business is moving more and more critical functions to
    networks. The speed and complexity of the deployments make it
    difficult for them to employ good defenses rapidly. Diversity is
    decreasing as we migrate more to common operating systems and common
    network systems.
    
    
    To what extent is the war on terrorism, particularly the battle for
    improved homeland security, a technology problem? What roles do you
    see the government, corporate America and the IT vendor/developer
    community playing?
    
    David: Technology is only one component. Without supporting policy,
    effective processes and well-trained people, technologies solve
    nothing. Deployment of facial recognition technologies at border entry
    points will not ensure apprehension of terrorists.
    
    Corporate America will play an increasingly important role in
    developing security technologies to protect nongovernmental personnel
    and property that may be targeted by terrorists attacking what we are
    as a nation rather than what we do as a government.
    
    Crowell: The battle for improved homeland security involves both
    technology and processes. Technology can be used to make the processes
    more efficient, predictable and effective.
    
    The Transportation Security Agency, [Federal Aviation Administration]
    and Department of Transportation are all looking for ways to improve
    [airport security]. However, I am particularly concerned that many of
    the critical processes are now using technologies that are more
    vulnerable, not less. An example is the use of wireless LANs for the
    tracking of baggage. Without proper encryption and authentication, the
    baggage handling system will not prevent either insider or outside
    attack.
    
    
    Some have said that the government's push to create a separate and
    secure intranet (GovNet) for sensitive government operations and
    possibly e-commerce is tantamount to throwing in the towel on Internet
    security. Are there viable alternatives to disconnecting from the
    Internet?
    
    David: To the extent that terrorists attack symbols of America, seek
    to shake the confidence of the public in our government's ability to
    protect [citizens], and/or seek to inflict economic damage, GovNet
    solves nothing, since many valuable cybertargets would be left
    undefended. In fact, a separate network might actually impede the
    homeland security mission since it could further isolate government
    from industry and the American public at a time when communication and
    collaboration are desperately needed.
    
    In particular, I believe the absence of a coherent governmentwide
    security policy has significantly limited our ability to protect
    sensitive government operations.
    
    Crowell: I think that the GovNet initiative has been misrepresented in
    the press. Perhaps this is because the government did not carefully
    lay out the principles in the beginning of the discussion. [The
    government has] advocated that the core mission systems be on separate
    private networks that are highly protected from denial-of-service
    attacks and from hacking and cyberattacks.
    
    The Internet would be used for e-government to enjoy the enormous
    reach it provides to the public. These are not new concepts. In
    banking and financial services, these policies have long been the
    basis for their risk management practices.
    
    
    Howard Schmidt, the deputy chairman of the President's Critical
    Infrastructure Protection Board, said recently that the next national
    plan for protecting the country's critical systems and networks will
    be written with the help of the private sector. What do you think the
    immediate priorities and focus should be for such a public/ private
    plan?
    
    David: If I were to offer a top priority, it would be to establish
    trust between government and industry and among the key industry
    sectors. This means first and foremost to create a safe environment
    for the sharing and analysis of information regarding cyberattacks and
    discovered vulnerabilities.
    
    My next priority would be to bolster our intrusion-detection
    capabilities. I worry less about the overt attacks that disrupt
    service than the subtle attacks designed to steal or corrupt data -
    attacks that may go undetected until disaster occurs.
    
    Crowell: I think that there are two elements that should be part of
    the plan. The first is that the government should be a leader in
    network security and move quickly to employ the best practices for
    both GovNet and e-government. The second is that the [Securities and
    Exchange Commission] should establish the same risk disclosure rules
    for network security that it used to focus attention on Y2k and on
    disaster recovery.
    
    Without such a mechanism, there is a strong likelihood that the
    vulnerabilities and risks in network-based business won't get the
    attention that [they need] until there is a disastrous event. I think
    that the disaster recovery systems of the financial businesses in the
    World Trade Center saved many of them from total collapse.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Apr 09 2002 - 03:31:52 PDT