[ISN] President's advisor predicts cyber-catastrophes unless security improves

From: InfoSec News (isnat_private)
Date: Wed Jul 10 2002 - 05:20:59 PDT


    Forwarded from: "eric wolbrom, CISSP" <ericat_private>
    By Ellen Messmer
    Network World Fusion

    NEW YORK - In his keynote address at an information technology
    auditing conference here, Howard Schmidt, President Bush's advisor on
    cyber-security, predicted that networks operated in the U.S. and
    abroad are likely to be brought down by catastrophic events unless
    security greatly improves.

    "By 2009, there will be over 2 billion Internet-enabled devices, each
    with an IP address, in the U.S. alone, and 6 billion altogether,"
    predicted Schmidt, vice chair of the President's Critical
    Infrastructure Protection Board, in his keynote before the 30th annual
    international conference of the Information Systems Audit and Control
    Association (ISACA). The conference was attended by nearly 300
    security professionals from 37 countries.
    The devices on the IP packet-based network of the future, predicted
    Schmidt, will include not just computers, but also traffic lights,
    elevators, appliances and even pacemakers. But the IP networks of 2009
    will be unstable, subject to "constant security outages," unless both
    governments and private industry focus on eliminating network
    vulnerabilities through research and better practices.

    "The routing tables of the future will be unmanageable; there will be
    slowdown and failures, and malicious and criminal activity between
    2002 and 2009 all mean the Internet quits working," warned Schmidt. He
    even forecast a future in which "special aircraft will be flying the
    routing tables" physically to servers after periodic network
    In addition, computer viruses, the "zero-day viruses and affinity
    worms," will be surreptitiously entering IP devices, causing
    widespread devastation by wiping out business records.

    "In a major brokerage house, it will enter through the CEO's house by
    infecting the CEO's PC, then the corporate network, and scrambling the
    brokerage house trading records," said Schmidt, who was formerly chief
    of security at Microsoft before joining the President's Critical
    Infrastructure Protection Board in December.
    Electrical power grids, controlled by networks, could collapse in 2005
    due to distributed denial-of-service attacks that block traffic to
    IP-based management devices, Schmidt said. Economically, all these
    disruptions will take a toll by 2009, with the Federal Reserve coming
    to the conclusion that cyberattacks are depleting growth. Then,
    Fedwire, the government-run network for monetary transfers to banks,
    will be hit by a database scrambler attack and there will be an
    unscheduled bank holiday to clean up the mess.

    "That's where we're headed if we don't turn this ship around," Schmidt
    The federal government is monitoring a situation that arose during the
    past year in which it was discovered that vulnerabilities in the
    Simple Network Management Protocol (SNMP) would allow attackers to
    take over SNMP-based routers, switches, applications and firewalls.
    This vulnerability, detailed by Finnish researchers, has been traced
    back to what's called ASN.1 encoding, which caused dozens of network
    and applications vendors to issue software patches in a race to fix
    networks before hackers exploited the vulnerability.

    ASN.1 constitutes a layer of network coding that is used in many
    network protocols other than SNMP, and there are suspicions that
    implementations of ASN.1, which Schmidt likened to "a bad gene in the
    DNA of complex programs," may be at risk as well.

    So far, Schmidt disclosed, the ASN.1 buffer-overflow vulnerability has
    also been discovered to affect telecommunications microwave equipment,
    which the industry has quietly addressed. "We're monitoring that,"
    Schmidt said.
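    The ASN.1 flaws the article refers to are buffer overflows in the code
    that reads BER tag/length headers off the wire. The following is an
    added illustration, not code from the article, from Schmidt, or from
    any vendor's product, of the bounds checking such a decoder needs; the
    sample messages are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>

struct ber_hdr {       /* one decoded BER tag/length header */
    uint8_t tag;
    size_t  hdr_len;   /* octets consumed by the tag and length fields */
    size_t  len;       /* declared content length */
};

/* Decode tag + length at the start of buf[0..buf_len). Returns 0, or -1 on a malformed
 * or out-of-bounds encoding: every read is bounds-checked and the declared length is
 * compared with the bytes actually present, so a hostile length octet cannot overrun. */
int ber_decode_header(const uint8_t *buf, size_t buf_len, struct ber_hdr *out)
{
    size_t pos = 0;
    if (buf_len < 2)                     /* need at least a tag and a length octet */
        return -1;
    out->tag = buf[pos++];
    uint8_t first = buf[pos++];
    if (first == 0x80)                   /* indefinite length: not valid in SNMP, reject */
        return -1;
    if (first < 0x80) {                  /* short form: the octet is the length */
        out->len = first;
    } else {                             /* long form: low 7 bits = number of length octets */
        size_t n = first & 0x7f;
        if (n == 0 || n > sizeof(size_t) || n > buf_len - pos)
            return -1;                   /* reserved value, or would read past the buffer */
        size_t len = 0;
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[pos++];
        out->len = len;
    }
    out->hdr_len = pos;
    if (out->len > buf_len - pos)        /* content would overrun the buffer */
        return -1;
    return 0;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t SAMPLE_OK[]    = {0x04, 0x03, 'a', 'b', 'c'};          /* OCTET STRING "abc" */
static const uint8_t SAMPLE_LONG[]  = {0x04, 0x81, 0x02, 'x', 'y'};         /* long-form length 2 */
static const uint8_t SAMPLE_HUGE[]  = {0x04, 0x84, 0xff, 0xff, 0xff, 0xff}; /* claims 4 GB, carries 0 */
static const uint8_t SAMPLE_TRUNC[] = {0x04, 0x82, 0x00};                   /* long form cut short */

/* Returns the declared content length, or -1 if the decoder rejects the header. */
long ber_try(const uint8_t *buf, size_t buf_len)
{
    struct ber_hdr h;
    return ber_decode_header(buf, buf_len, &h) == 0 ? (long)h.len : -1;
}
```

    A decoder that trusts the declared length and copies that many bytes
    is the pattern the article's "buffer-overflow vulnerability" describes;
    the final comparison against the bytes actually received is the check
    that closes it.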
    Working with industry, the government has wanted to keep information
    about major vulnerabilities quiet until industry had the needed
    remediation prepared.

    For that purpose, the Bush administration is supporting legislation
    that would somewhat restrict the Freedom of Information Act (FOIA),
    which allows individuals to petition for release of government-held
    documents, by not requiring federal agencies to release information
    about security vulnerabilities disclosed by industry to government.

    The goal is to establish what's now being called the "Cyber Warning
    and Information Network" between government and industry to share
    information about serious security threats quickly. "We want a limited
    FOIA exception for this," Schmidt said.
    The 20-member President's Critical Infrastructure Protection Board,
    created by President Bush last October, is the organization expected
    to coordinate security strategies with both agencies and
    private-sector companies. Its concerns cover the safety, both physical
    and electronic, of industry sectors that include telecommunications,
    energy, transportation, banking, healthcare, manufacturing, and water

    The CIIP board expects to publish its cyberstrategy report on Sept.
    19, initially to ask for public input on its recommendations. These
    recommendations are expected to include a statement of "best
    practices" for federal agencies, asking them to adhere to guidelines
    for security auditing, vulnerability assessment, intrusion detection
    and other tasks, Schmidt said.

    In addition, the report will recommend proposed research areas where
    more work needs to be done to improve the Internet's somewhat shaky
    foundation, particularly as pertains to older protocols such as Domain
    Name Server and Border Gateway Protocol.

    "DNS and BGP are not designed for use in an open environment with the
    kind of threats we have today," said Schmidt. "We need Secure DNS and
    Secure BGP. And we have to start securing the future systems,
    beginning with wireless."
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Wed Jul 10 2002 - 08:25:35 PDT