-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tonight I attended the Chicago hop of the President's Critical Infrastructure Protection Board Town Hall Meeting. The panel included Howard Schmidt, Ron Dick, Chris O'Brien, Jim McNulty, Steve Hunt, and Alan Paller, with moderation from Andy Briney.

I should mention here that I ran into quite a few ISN readers in the crowd: Kevin, Christian, Clint, Jan, Lew, and I could see a few others. It's always nice to put a face on an email address! If you were in attendance and were wondering where I was, I was the fellow in the right corner of the room, doing my best Gene Spafford imitation with the blue blazer and bowtie, probably the only one wearing one.

It was scheduled as a two hour meeting with about an hour of listening to the various panelists' views on the future of critical infrastructure, as it deals with the Internet, health care and the related subject areas.

A few things caught me as odd, one being that the panel kept mentioning the names of various security incidents over the years (Code Red, ILOVEYOU, the Melissa Virus, the SQL worm), all without mentioning that the underlying operating system that brought us all those headaches was none other than Microsoft, but that if you have a problem with the security of a product, you should bring it up with your vendor.

Andy Briney then opened up the floor for questions from the audience, and while I have no problem teaching to a class of less than 30 or so, it was a pretty full room and I lost my nerve to pose a question to the panel, but hearing the last comments from two of the panelists (Schmidt and Dick) and talking to others in the audience afterward got me really thinking, so I will float off a balloon to all of you, and hope some of it might sink in.

Howard Schmidt and Ron Dick both said the one thing that keeps them awake at night is the thought of cyberterrorism being launched against the U.S.A. by foreign states bent on disruption.
Since they didn't elaborate on which states that would be, my guesses would be China, North Korea, and as the DIA has pointed out recently: Cuba. I'm personally worried about the non-state actors (or whatever the State Department is calling them now) that are thinking about cyberterrorism (Al Qaeda, The Trusted Insider, Little Johnny).

While terrorism is defined by The American Heritage Dictionary as...

"The unlawful use or threatened use of force or violence by a person or an organized group against people or property with the intention of intimidating or coercing societies or governments, often for ideological or political reasons."

But many have pointed out that cyberterrorism is a myth: why would terrorists want to use the Internet to attack the U.S. and its allies when it pushes their goal of terror to walk a homicide bomber into a pizza parlor and have all that carnage covered by the major television networks' dinner-time news?

You then have to ask the question, what is it if someone is doing a massive distributed denial of service attack on the world's financial markets? Jim McNulty, the president of the Chicago Mercantile Exchange, pointed out that last year on the average they were doing over $2.5 million in transactions per second. Take an eBay-like attack, like the one from February 2000, of between 1-3 hours and we would be talking of a loss of anywhere around $150-500 million dollars on just one institution. Would that be cyberterrorism? I would think so.

The other point that I walked away with is the problem with awareness, especially with younger users. Teaching cyber ethics at a very early age would be a definite start.
Now I will date myself: when I was going to kindergarten in Cook County, there was an officer from Sheriff Elrod's office warning us all about 'Stranger Danger'. Now I am in my early thirties, but I am still aware of strangers. Further on with my schooling, from about 6th grade and throughout high school, we spent about a week every year on the Holocaust, and learning about genocide. The images of the camps haunt me to this day, as we should never let this happen again.

The kids using computers are getting younger and younger every day. My 3 year old nephew sees his mother (my sister) working away on her computer and he wants to get on my computer and work. As Alan Paller pointed out, kids think hackers are cool, and why not, if you look at Hugh Jackman's performance in 'Swordfish' breaking into a DoD computer while getting ahh, well if you have seen the movie you know what I am getting at. They can do all sorts of neat things with computers, and Dan Verton's book (which I'm reading and reviewing for ISN) is pretty much about malicious teenage hackers.

All the headline grabbing security events in the past have had for the most part a teenager under 18 as the instigator, many not having the ethics to know this is bad, that you could still be a hacker but not for malicious purposes, or not being aware that running a script can take down a major e-commerce site for hours on end.

I don't see a reason in the world why we can't start teaching some form of cyber ethics in kindergarten through high school. Hopefully the right instruction can implant the notion that hacking other computers that you don't own is a bad thing, just like taking candy from strangers or allowing acts of genocide to happen.

So where do we get the money in private industry to do the research in stopping cyberterrorism without having to hire three grant writers, or teach cyber-ethics in school without scrapping the budget for the music, art or gym classes?
Easy, I hope, and this is where I float the balloon off to the powers that be on this list.

I was reading that part of the settlement for Microsoft's antitrust problems would have Microsoft spending over $1 Billion in money, software, services and training to about 12,500 underprivileged public schools. The company also would have given about one million Windows licenses for refurbished PCs donated to the schools. While a good idea on paper, the problem today with computers in the classroom is that for the most part, the students know more about computers than the woefully underpaid teachers do.

With a number of other reasons, the judge tossed this idea out, BUT, why can this same amount of money be put towards a grant fund for private cybersecurity research, and for spending a few days or a week every year teaching cyber ethics in the classroom so some of these kids don't end up in the courtroom?

This solution would be ideal for everyone. The DoJ and the various states can see some large fine levied against Microsoft for their monopolistic actions over the years; small private security companies and groups can have the money and resources that normally are only the domain of large, well funded organizations, or government; and lastly, having the opportunity to nip in the bud a problem that if left alone could snowball into something that would keep us all up at night but with education and awareness at an early age, maybe harness that into something paying real dividends in the future.

William Knowles
wkat_private
May 31st, 2002

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: C4I.org - http://www.c4i.org/

iQA/AwUBPPgM8XTNFgcrbjoFEQJjXACffj5E2Rs1+m5QBp8uJnZbf0m9TM4AoJ8d
7JuFm0bpvuuU4lLNxQmZBLAd
=LvCl
-----END PGP SIGNATURE-----

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.