http://www.wired.com/wired/archive/11.05/schmidt.html

By Douglas McGray
Issue 11.05 - May 2003

WIRED: If there's a big cyberattack, is it likely to be by accident or by design? A hacker's project gone awry or a coordinated terrorist attack?

SCHMIDT: The big one is likely to be very, very focused and very designed. We have this debate internally on a regular basis.

WIRED: Who is the most likely perpetrator?

SCHMIDT: Our perspective is, it doesn't make any difference whether it's from a source in the Mideast or from one in the Midwest.

WIRED: Your predecessor, Richard Clarke, used to talk about the likelihood of a digital Pearl Harbor. Others have dismissed cyberattacks as weapons of mass annoyance. That's a pretty wide spectrum.

SCHMIDT: I use the term weapons of mass disruption. Is it possible that we could have a catastrophic failure on a regional basis? Absolutely. Could we see that on a universal basis? That likelihood has been reduced significantly.

WIRED: What worries you, then?

SCHMIDT: An unknown vulnerability in a system that someone chooses to exploit in conjunction with some sort of a physical attack.

WIRED: Wouldn't it be difficult to coordinate a cyberattack with a physical attack like a bombing?

SCHMIDT: If you have something that can proliferate quickly, like the Slammer, it would be relatively easy to orchestrate.

WIRED: Most of the big hacks have affected data, rather than control systems. Why is it easier to fry bank records than to knock out the power grid?

SCHMIDT: The technology that runs the banking system and the Internet is very public. A lot of it has come from a foundation of open standards, so we understand it much better, whereas digital control systems run in a proprietary manner. You need specific knowledge about what it does and how it does it. There has been a shift - appropriately so, for cost efficiencies and everything else - to enabling some of those open technologies in control systems, but we need to protect against those things becoming a failure point.

WIRED: Walk me through the first moments of a big cyberattack. The Slammer worm, for instance.

SCHMIDT: The private sector sees what's going on long before the government catches on. Generally, they'll see a spike in activity at some of the main Internet monitoring points. Nanog [North American Network Operators Group] was one of the first groups to post on an email list that they saw something strange.

WIRED: Would ISPs investigate?

SCHMIDT: They're the ones monitoring the health of their networks. They figure, jeez, this isn't something where someone has inadvertently turned off the DNS. This is something malicious, and it's moving at an alarming rate.

WIRED: Then what?

SCHMIDT: The next step is to identify how the maliciousness is manifesting itself. Is it a worm? Something that somebody sent out via email? Within the first hour or so, there's analysis of the code. Then some of the downstream providers are notified, and the government is brought online.

WIRED: Who in Washington gets the call?

SCHMIDT: Right now, it's not as clean as we'd like. In the future, one of the first calls will go to the Department of Homeland Security. [Now] the person on my staff who monitors Nanog gets the call. Simultaneously, the National Communications System is notified and, of course, the FBI's National Infrastructure Protection Center.

WIRED: Clarke wrote in a memo that the fast-moving Slammer was a dumb worm that was easily and cheaply made. And that, with slight modifications, the results of the worm would have been more significant.

SCHMIDT: It had no payload. This was strictly a denial-of-service activity in which it was looking for the port and using the worm to propagate a subnetwork connection. The effect of that was some restriction in the use of ATM machines and databases that provide airline reservations. And in one case, a voice-over-IP system for a 911 dispatcher was affected.

WIRED: What could a loaded Slammer have done?

SCHMIDT: One payload could have injected other code, which would have opened system backdoors under the context of administrator root privileges. Hundreds of thousands of systems could have been taken over.

WIRED: Critics have said that your strategy relies too much on the goodwill of big business, that without new regulations, it has no teeth.

SCHMIDT: What would you legislate? From this moment forward, you will not have more than 10 vulnerabilities during a year? And then what happens? Do we fine you? We have to be very practical when we look at this.

WIRED: Are there ways besides regulation that the government can enforce its priorities?

SCHMIDT: The power of the government's purchasing dollar. The Office of Management and Budget now asks, You want to spend money on an IT project? Give me your security plan, or you don't get the money.

WIRED: How tough will the government really be? Five years from now, if Microsoft still has the vulnerabilities it does today, will you cut it off?

SCHMIDT: I wouldn't say any particular company...

WIRED: But Microsoft is a good example, because the government is its biggest client.

SCHMIDT: If you're not going to provide good security, and you're not going to provide good quality control in engineering in the products you provide us, we're not going to buy it.

Douglas McGray interviewed Andrew Marshall in Wired 11.02.