[ISN] Thoughts on The White House Chicago Town Hall Meeting.

From: InfoSec News (isnat_private)
Date: Fri May 31 2002 - 05:01:15 PDT

  • Next message: InfoSec News: "[ISN] FC: Congress publishes father-knows-best "cybersecurity" report"

    Hash: SHA1
    Tonight I attended the Chicgo hop of the President's Critical 
    Infrastructure Protection Board Town Hall Meeting. The panel included 
    Howard Schmidt, Ron Dick, Chris O'Brien, Jim McNulty, Steve Hunt, and 
    Alan Paller, with moderation from Andy Briney.
    I should mention here that I ran into quite a few ISN readers in the
    crowd, Kevin, Christian, Clint, Jan, Lew and I could see a few others,
    its always nice to put a face on an email address! If you were in
    attendence and were wondering where I was, I was the fellow in the
    right corner of the room, doing my best Gene Spafford imitation with
    the blue blazer and bowtie, probably the only one wearing a one.
    It was scheduled as a two hour meeting with about an hour of
    listening to the various panelists views on the future of critical
    infrastructure, as it deals with the Internet, health care and the 
    related subject areas.
    A few things caught me as odd, one being that the panel kept
    mentioning the names of various security incidents over the years,
    (Code Red, ILOVEYOU, the Melissa Virus, the SQL worm) all without
    mentioning that the underlying operating system that brought us all
    those headaches was none other than Microsoft, but if you have a
    problem with the security of a product, that you should bring it up
    with your vendor.
    Andy Briney then opened up the floor for questions from the audience, 
    and while I have no problem teaching to a class of less than 30 or so,
    it was a pretty full room and I lost my nerve to pose a question to
    the panel, but after hearing the last comments from two of the
    panelists (Schmidt and Dick) and talking to others in the audience    
    afterward got me really thinking, so I will float off a balloon to all
    of you, and hope some of it might sink in.
    Howard Schmidt and Ron Dick both said the one thing that keeps them
    awake at night is the thought of cyberterrorism being launched against
    the U.S.A. by foreign states bent on disruption. Since they didn't
    elaborate on which states that would be, my guesses would be China,
    North Korea, and as the DIA has pointed out recently: Cuba.
    I'm personally worried about the non-state actors (or whatever the 
    State Department is calling them now) that are thinking about 
    cyberterrorism. (Al Qaeda, The Trusted Insider, Little Johnny)
    While terrorism is defined by The American Heritage Dictionary as...
    "The unlawful use or threatened use of force or violence by a person
    or an organized group against people or property with the intention of
    intimidating or coercing societies or governments, often for
    ideological or political reasons."
    But many have pointed out that cyberterrorism is a myth, why would
    terrorists want to use the Internet to attack the U.S. and its allies
    when it pushes their goal of terror to walk a homicide bomber into a
    pizza parlor and have all that carnage covered by the major television
    networks dinner-time news.
    You then have to ask the question, what is it if someone is doing a
    massive distributed denial of service attack on the world's financial
    markets? Jim McNulty, the president of the Chicago Mercantile Exchange
    pointed out that last year on the average they were doing over $2.5
    million in transactions per second. Take an eBay like attack like from
    February 2000 of between 1-3 hours and we would be talking of a loss
    of anywhere around $150-500 million dollars on just one institution.  
    Would that be cyberterrorism? I would think so.
    The other point that I walked away with is the problem with awareness,
    especially with younger users, teaching cyber ethics at a very early
    age would be a definate start. Now I will date myself, when I was
    going to kindergarten in Cook County, there was an officer from
    Sheriff Elrod's office warning us all about 'Stranger Danger', now I
    am in my early thirties, but I am still aware of strangers, further on
    with my schooling from about 6th grade and throughout high-school we
    spent about a week every year on the Holocaust, and learning about
    genocide. The images of the camps haunt me to this day as we should
    never let this happen again.
    The kids using computers are getting younger and younger every day, my
    3 year old nephew sees his mother (my sister) working away on her
    computer and he wants to get on my computer and work. As Alan Paller
    pointed out, kids think hackers are cool, and why not, if you look at
    Hugh Jackman's performance in 'Swordfish' breaking into a DoD computer
    while getting ahh, well if you have seen the movie you know what I am
    getting at, they can do all sorts of neat things with computers, and
    as Dan Verton's book (which I'm reading and reviewing for ISN) is
    pretty much about malicious teenage hackers.
    All the headline grabbing security events in the past have had for the
    most part a teenager under 18 as the instigator, many not having the 
    ethics to know this is bad, that you could still be a hacker but not 
    for malicious purposes, or aren't aware that running a script can take 
    down a major e-commerce site for hours on end.
    I don't see a reason in the world why we can't start teaching some
    form of cyber ethics in kindergarten through high-school, hopefully
    the right instruction can implant the notion that hacking other
    computers that you don't own is a bad thing, just like taking candy
    from strangers or allowing acts of genocide to happen.
    So where do we get the money in private industry to do the research in 
    stopping cyberterrorism without having to hire three grant writers, or 
    teach cyber-ethics in school without scrapping the budget for 
    the music, art or gym classes?
    Easy, I hope, and this is where I float the ballon off to the powers
    that be on this list. I was reading that as part of the settlement for
    Microsoft's antitrust problems would have Microsoft spending over   
    $1 Billion in money, software, services and training to about 12,500
    underprivileged public schools. The company also would have given   
    about one million Windows licenses for refurbished PCs donated to the
    While a good idea on paper, the problem today with computers in the 
    classroom is that for the most part, the students know more about 
    computers than the woefully underpaid teachers do.
    With a number of other reasons, the judge tossed this idea out, BUT,
    why can this same amount of money be put towards a grant fund for
    private cybersecurity research, and for spending a few days or a week
    every year teaching cyber ethics in the classroom so some of these
    kids don't end up in the courtroom?
    This solution would be ideal for everyone, The DoJ and the various  
    states can see some large fine levied against Microsoft for their   
    monopolistic actions over the years, small private security companies
    and groups can have the money and resources that normally are only the
    domain of large, well funded organizations, or government, and lastly,
    having the opportunity to nip in the bud a problem that if left alone
    could snowball into something that would keep us all up at night but
    with education and awareness at an early age, maybe harness that into 
    something paying real dividends in the future.
    William Knowles
    May 31st, 2002
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    Version: PGP 6.5.8
    Comment: C4I.org - http://www.c4i.org/
    -----END PGP SIGNATURE-----
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri May 31 2002 - 08:08:51 PDT