[ISN] Former CIA chief sees need for greater network resilience, market incentives

From: InfoSec News (isn@private)
Date: Thu Oct 30 2003 - 02:01:39 PST

  • Next message: InfoSec News: "[ISN] Orbitz investigates security breach"

    http://www.computerworld.com/securitytopics/security/story/0,10801,86638,00.html
    
    By DAN VERTON 
    OCTOBER 29, 2003
    Computerworld
    
    NEW YORK -- The war on terrorism will be a "war to the death"  likely
    last several decades, requiring the government and the private sector
    to focus immediately on making critical infrastructures and systems
    more resilient rather than immune to deliberate attacks, a former CIA
    director said today.
    
    Speaking here to several hundred government and private-sector
    security experts at the Maritime Security Expo, James Woolsey said
    Americans should be prepared for the war on terrorism to last at least
    as long as the Cold War and for continued terrorist attacks on the
    soft spots in the nation's critical physical and cybernetworks.  
    Woolsey, now a vice president of the Global Strategic Security
    practice at Booz-Allen & Hamilton Inc. in McLean, Va., served as
    director of the CIA from 1991 to 1993.
    
    "You shouldn't rely too much on intelligence to solve this problem,"  
    said Woolsey. "We're not going to get real-time intelligence on
    specific attacks in most cases. That's why it's so important to build
    resilient protections into the infrastructure so that when an attack
    comes, we can abort it part of the way through, or if it succeeds, it
    doesn't have cascading effects on other infrastructures."
    
    Some of the most important work to prevent cascading failures involves
    enhancing the security of supervisory control and data acquisition
    systems, the real-time control computers that are used to manage the
    electric power grid, Woolsey said.
    
    The former CIA chief also wants to see the government more
    aggressively push the development of cybersecurity technologies "that
    work," as opposed to firewalls, which, he said, do not work. "Internet
    protocol address hopping, for example, which is the IT equivalent of
    radio frequency hopping that is used in military radios, is an example
    of what I find very exciting."
    
    Industry must also do its part by devising "incentives" to get the
    companies that own and operate more than 85% of the nation's critical
    infrastructure to make the necessary investments in new and innovative
    security tools, he said.
    
    "There are a number of things that can be done," he said in an
    interview with Computerworld. "One way to work is through the
    insurance industry, giving the insurance industry incentives to write
    coverage plans that offer companies lower premiums if they make
    certain investments in security. It's sort of like seat belts for
    automobiles."
    
    He cautioned that such changes will take a long time.
    
    During the World War II era, the government was able to federalize
    portions of the economy and shift private-sector production to war
    production. But that level of government intervention is
    "unimaginable" in the current economy, Woolsey said, although the
    government will have a hand in setting the standards by which
    companies are measured.
    
    In the area of port and container security, the main focus of this
    two-day conference, the U.S. government has been pushing a
    "smart-container" initiative. Even so, it's unlikely to set specific
    mandates or timelines to force the shipping industry to adopt any
    particular technology to meet the requirements of the initiative, said
    Richard Biter, deputy director of the office that sets policy for the
    integration of all air, land and sea transportation networks at the
    Department of Transportation (DOT).
    
    The smart-container initiative involves retrofitting all of the 6
    million shipping containers that enter the country every year with
    state-of-the-art IT sensors and tracking systems.
    
    "We don't have an answer yet," said Biter, referring to the time it
    will take to update the containers. Whatever the timeline, Biter said
    the industrywide retrofit will likely be "incremental"—and not be
    dictated by the government.
    
    Although the DOT is working with the Department of Homeland Security
    to test new technologies such as radio frequency ID (RFID) tags and
    ultra-wideband communications systems for container tracking, Biter
    acknowledged that more than two years after the Sept. 11, 2001,
    terrorist attacks "we have not come up with the requirements for the
    capabilities that a smart container should have."
    
    In fact, officials are still debating whether a smart container should
    provide a complete electronic manifest on the container or whether
    that data should be maintained in back-end systems operated by the
    shipping companies, said Biter.
    
    "The smart container has yet to be defined," he said.
    
    He did note that the government is studying the decision by Wal-Mart
    Stores Inc. to require RFID tags down to the package level in its
    supply chain, a process Biter called "nesting." In this way, "the
    package talks to the pallet, the pallet talks to the container and the
    container talks to the truck or the ship."
    
    According to Woolsey, such a process is critical, given that harmless
    nuclear material has already been successfully shipped into the U.S.  
    on at least two occasions during security tests.
    
     
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Oct 30 2003 - 04:31:57 PST