[ISN] Cybersecurity expert warns of post-9/11 vulnerability

From: InfoSec News (isnat_private)
Date: Tue Sep 09 2003 - 23:16:49 PDT

  • Next message: InfoSec News: "[ISN] NY Times hacker surrenders, is released"

    http://www.post-gazette.com/pg/03252/219578.stm
    
    By Dan Fitzpatrick
    dfitzpatrick@post-gazette.com 
    Post-Gazette Staff Writer
    September 09, 2003
    
    Almost two years after the devastating attacks of 9/11, former Bush
    White House adviser Richard Clarke sounded the alarm in Pittsburgh
    about a cyberattack that could be just as damaging to the national
    psyche, arguing that the federal government remains "slow" and "very
    20th century" in its preparation for computer-based terrorist threats.
    
    Clarke, in an interview yesterday on Carnegie Mellon University's
    campus, singled out the U.S. Department of Homeland Security, led by
    former Pennsylvania Gov. Tom Ridge, for being sluggish in making
    cyberspace a true national security priority. The department, Clarke
    noted, has yet to appoint a director and several key managers to its
    National Cyber Security Division -- a group asked to implement a
    protection plan Clarke developed before leaving the Bush
    administration in February.
    
    The problem, Clarke said, is that Homeland Security leaders still
    "think of risks to our society in terms of things that explode and
    incidents that have body bags. In the 21st century, as the power
    blackout of Aug. 14th proved, a great deal of damage to our economy
    and disruption to our way of life can be done without anything
    exploding or anybody being killed."
    
    Clarke's insistence that the country pay attention to cybersecurity
    has made him a polarizing figure in the computer industry and
    Washington D.C., where he has worked for the last four presidents and
    advised three of them on intelligence and national security matters.
    
    He left the White House as Bush's cybersecurity czar in February, to
    become a consultant. Known for his contempt of bureaucracy and his
    critique of pre-Sept. 11 intelligence failures, Clarke emerged after
    9/11 as the digital Paul Revere, warning that the country's electrical
    power, finance, telecommunications, transportation, water and
    especially the Internet are all vulnerable to cyberattack.
    
    In making his case for shoring up the nation's electronic
    infrastructure, Clarke is getting support from Pittsburgh and
    specifically, CMU. With Clarke's assistance, CMU computer scientist
    Roy Maxion sent a letter last year to President Bush warning that "our
    nation is at grave risk of a cyberattack that could devastate the
    national psyche and economy more broadly than did" the 9/11 attacks.
    
    The letter, cosigned by Maxion's CMU colleague John McHugh and more
    than 50 of the country's top computer scientists, laid out a
    nightmarish scenario involving the sudden shutdown of electric power
    grids, telecommunications "trunks," air traffic control systems and
    the crippling of e-commerce and credit card systems with the use of
    several hundred thousand stolen identifies. "We would wonder how, as
    nation, we could have let this happen," the letter said.
    
    Maxion and his co-signers proposed a five-year cyberwarfare effort
    modeled on the World War II Manhattan Project, requiring an investment
    ranging from $500 million to $1 billion per year. "The clock is
    ticking," the letter said.
    
    Some critics maintain that Clarke and institutions such as CMU, which
    was awarded $35 million in federal funds last year to fight
    cyberterrorism, are hyping a threat that does not really exist --
    especially in the case of al-Qaida, the organization that carried out
    the attacks of 9/11.
    
    Dorothy Denning, one of the country's top cybersecurity experts and a
    professor at the U.S. Naval Post Graduate School in Monterey, Calif.,
    said she did not sign her name to Maxion's White House letter because
    "I had a certain amount of reservation about whether or not it needed
    to be bought to that level of attention."
    
    Denning has not "seen the kind of devastating attacks people are
    worried about," and she hasn't "seen terrorists actively pursing" the
    Internet as a weapon. Clarke, Denning added, is right to point out the
    "vulnerabilities in our infrastructure that could be exploited" by
    everyday hackers and admitted that "bad things could happen." But
    "until those things do happen, no one knows what the cascading effect
    might be."
    
    Another skeptic, George Smith, is more harsh in his appraisal of
    Clarke's admonitions.
    
    "I can't think of a single Clarke prediction or warning that was right
    or of any lasting value," said Smith, senior fellow with Alexandria,
    Va.-based defense think tank GlobalSecurity.Org.
    
    He added: "In 2003, it takes no great intellect to say the nation is
    in great danger from the electronic frontier. The fantastic claim
    always gets attention, diverts the mind from thornier but mundane
    problems ... Far easier to say al-Qaida is looking to turn off the
    power. You don't ever have to prove if there is even a small nugget of
    truth to it."
    
    Terrorists, Smith said, "are interested in creating bloodshed and
    terror. The Internet doesn't rise to this level of impact in a way
    that a truck bomb does."
    
    Referring to the e-mail virus that has been plaguing computer systems
    of late, Smith argued that "you can get three or four hundred copies
    of SoBig in your e-mail box a day -- a thousand, two thousand -- and
    it just has no physical impact no terror juice to it."
    
    But Clarke, who was in Pittsburgh yesterday to speak at a computer
    intrusion detection conference, said he has been in this position
    before, warning of national security threats that some would not take
    seriously. Clarke, a counterterrorism coordinator under President
    Clinton, was among those who worried about Osama Bin Laden's
    capabilities before the events of 9/11.
    
    "An awful lot of people, unfortunately, don't believe (a cyberattack)  
    will happen," he said. "And as with terrorism itself, we learned from
    9/11 that you can yell and yell and yell and imagine something
    happening and say it is going to happen, as I did with regard to
    al-Qaida, and no one believes you enough to act until it happens."
    
    As for al-Qaida, Clarke claims that some of its followers have
    master's degrees in computer science, and that "there is lots of
    evidence that al-Qaida has downloaded sophisticated hacking tools
    because we have seized their computers and know what's on them. So, I
    do think there is grounds for concern."
    
    But focusing on al-Qaida is missing the point, he said. "I don't think
    it is terribly important who the enemy is. It doesn't matter. What you
    need to worry about is the vulnerabilities."
    
    There are some encouraging signs that the country may be safer from
    cyberattacks than it was before 9/11, according to Clarke.
    
    There is anecdotal evidence, he said, that the companies that control
    much of the country's electric power generators, telecommunications
    lines, rail terminals and shipping containers are taking the voluntary
    security steps asked of them in Bush's National Plan for Protecting
    Cyberspace, developed by Clarke and released earlier this year.
    
    Bush's plan relies on U.S. business, rather than the federal
    government, to shore up the nation's computer security infrastructure.  
    Clarke, in fact, came to Pittsburgh twice last October to drum up
    support for the plan, making the point that for U.S. businesses the
    increased costs of preparing for an attack do not have to drain a
    company's productivity.
    
    Some critics, responding to requests from the Bush administration that
    U.S. firms make themselves more secure, argued that companies have
    little incentive to pay for such measures in a slow economy.
    
    Others said the plan itself lacked federal firepower.
    
    "If (Clarke) had made it to correspond with the urgency of his
    warnings, it would have been a strong strategy with teeth in it,
    capable of compelling the private sector to improve security practices
    in many different ways," said Smith, the senior fellow with think tank
    GlobalSecurity.Org. "However, when unfurled, it had no power. It might
    as well have not been written."
    
    But Clarke maintained yesterday, in an interview, that U.S. companies
    and the federal government are spending more money on cybersecurity
    and that the viruses that plagued computers this summer are forcing
    CEOs to pay more attention to the problem. Clarke, during his speech
    yesterday at CMU, even expressed confidence that this issue is making
    its way into pop culture, citing the recent movies "Terminator 3" and
    "Matrix Reloaded."
    
    In the latter, Keanu Reeves' character Neo takes a tour of Zion, the
    last human city to survive outside the computer-generated Matrix, and
    is told that Zion's citizens do not think about the machines that
    power the city until the machines stop working.
    
    Paraphrasing Neo, Clarke said, "People need machines. But, machines
    need people, too."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Sep 10 2003 - 18:12:09 PDT