http://www.washingtonpost.com/wp-dyn/articles/A12893-2004Feb4.html

By Jennifer Barrett
Newsweek
February 4, 2004

The Department of Homeland Security didn't have to wait long to test out its new National Cyber Alert System. Hours after the system went online Wednesday, it issued its first major alert, warning of a variation of a new virus called MyDoom. Nonetheless, by the next day, security experts said MyDoom had become the world's fastest-spreading virus ever, sending out more than 100 million infected e-mails in its first 36 hours.

And this may be just the beginning. Last year brought a record number of viruses, worms and other cyberattacks. Security experts say 2004 could be even worse. The attacks are increasingly sophisticated. They don't just cause headaches when they crash e-mail systems or shut down servers; they cost millions of dollars. Should hackers shut down government servers or break into sensitive sites and steal financial or security data, the results could be devastating.

Recognizing the increasing security threat, President George W. Bush handed the task of keeping cyberspace secure to the Department of Homeland Security last year, creating a National Cyber Security Division. But it got off to a rough start. Earlier this month, Democrats on the House Homeland Security Select Committee criticized the administration, saying the implementation of recommendations in Bush's National Strategy to Secure Cyberspace is behind schedule. They also noted that the administration's top cybersecurity position was open for months last summer after the first two appointees stepped down--the second, just a few months after being named to the post. Finally, early last fall, Amit Yoran was hired away from his executive position at the security firm Symantec. NEWSWEEK's Jennifer Barrett spoke to Yoran about the new National Cyber Alert System and the division's other plans for improving cyber security.
Excerpts:

NEWSWEEK: How does the new National Cyber Alert System benefit the average computer user?

Amit Yoran: It provides each user of cyberspace--basically, everyone on the Internet--with timely information [about viruses], which is accurate and actionable, so they know what they can do to protect themselves. [See www.us-cert.gov/press_room/cas-announced.html.] This, at a time when these threats are on the rise.

NEWSWEEK: This week's MyDoom virus is said to be the fastest-spreading e-mail virus ever. How are viruses like this getting through?

Yoran: Well, just because it's the fastest spreading doesn't mean that it is the most damaging.

NEWSWEEK: That's true, and an important distinction. But how are these viruses getting worse--or more prolific--despite our efforts to stop them?

Yoran: The people who spend time creating viruses are spending a lot of time exercising their creativeness to find new ways of propagating their way through the system and making them more difficult to detect. It's a game of cat and mouse.

NEWSWEEK: How serious a threat do these viruses pose?

Yoran: This threat was one of the most efficient at spreading itself throughout the Internet. But I want to add that, in spite of it being one of the most sophisticated viruses, our nation is better prepared to deal with this now than we were a few years ago. A few years ago, we experienced significant outages in our businesses from Love Letter and Melissa and other viruses. Today, even with a more sophisticated threat, the reports of outages [like networks going down, e-mail servers being shut down] are far below where they were a few years ago with those less-sophisticated viruses. The message here is that we have a lot of work to do, but our overall preparedness is improving.

NEWSWEEK: It's been reported that the government basically warned leaders in the technology field last month that if they don't start taking control of the responsibility of making cyberspace secure, the government will be forced to take control. Do you think that's going to happen?
Yoran: Clearly, that's not my position. That was reported as being the message delivered at the National Cyber Security Summit [held last month with the private sector]. It's not an accurate depiction. The summit represented a transition from an agreement on a national strategy--on how we want to go about protecting our shared information, for example--to now [when] we are in the implementation mode. Now, it's what initiatives are underway so that this strategy moves forward and gets implemented? That was really the focus of the summit. I think there is a tremendous amount of enthusiasm to collaborate from the private and the public sectors.

NEWSWEEK: What role do you envision the private sector playing in improving security?

Yoran: If you go to the Website for US-CERT [the United States Computer Emergency Readiness Team, established in September as a government partnership with the private sector], we issued an alert early last evening [about MyDoom], and much of the information came from private-sector companies like F-Secure and iDEFENSE. That is just one example of this public-private partnership. We are working with the software vendors to make sure they are producing patches and fixes before the vulnerability becomes public. Making people aware of a vulnerability is not our goal, but to provide information that is actionable so there are patches available. We're not producing our own antivirus software. We're quite busy, thank you. But we refer people to their security provider and to antivirus vendors.

NEWSWEEK: What about proposals like requiring Internet service providers [ISPs] to provide free antivirus and firewall software to their customers?

Yoran: I've not spoken with them [ISPs] about that. I do think there are some value-added services which some ISPs are providing. It's good that these issues are receiving public attention.

NEWSWEEK: Why do you think it took so long for cyberattacks to be classified as a serious threat to homeland security?
Yoran: I think in many cases, without having a focal event like a September 11, or like the blackout in the Northeast and Midwest last summer--some highly visible, focal event that caused a direct impact to many people in the public--it's often difficult to increase awareness. But we have made significant progress in the past few years. I'm not implying that the road ahead is rosy. But I am optimistic that by increasing our preparedness, we increase the likelihood that we will not be struck by a digital Pearl Harbor or an electronic 9/11. The key is preparedness. The key is making improvements.

NEWSWEEK: Can you give some examples of those improvements?

Yoran: It has to be a holistic approach. Antivirus vendors have made fantastic progress with new logarithms to identify viruses and more efficient ways of pushing out updates of their signature files (many antivirus technologies rely on fingerprints, or signatures, of viruses, so they can identify if it's the same fingerprint of another virus). Candidly, you are only protected for the threats your antivirus program knows about, so if your signature file is two years [old] you are in bad shape. The antivirus community has gotten much more efficient, though, and users have gotten much more aware, and corporations have gotten much more aware of the importance of updating their software. That is one more important piece of the puzzle. But there are really a number of things.

NEWSWEEK: You took the position of cybersecurity division chief in October after two other appointees had stepped down and left the post vacant for a few months. Are you enjoying the job?

Yoran: There's no shortage of work to be done. But the task is an important one, and I'm encouraged by the level of commitment in the public sector and in the private sector from those who are working on these issues. It is certainly a challenging job.
NEWSWEEK: Earlier this month, Democrats on the Homeland Security Select Committee criticized the administration's cybersecurity efforts, saying that implementation of the recommendations in the National Strategy to Secure Cyberspace (released last February) is behind schedule, among other things. How would you respond to that?

Yoran: We're measuring ourselves in the National Cyber Security Division on very tight time frames. I'm not going to address specific criticisms, but I can tell you that we are moving very aggressively. The Department of Homeland Security was created in March. The National Cyber Security Division was created in June. In September, the US-CERT was created. We have conducted the live-wire exercise.

NEWSWEEK: What was that?

Yoran: That's where not only federal, but state and local entities participated, as well as the private sector, in a large-scale national cyberexercise where our nation was under simulated attack using cybertechniques. And we looked at how those attacks impacted some of our systems and some of our infrastructure. How did they [participants] react? How did the departments work with one another? How did they coordinate?

NEWSWEEK: How did they do?

Yoran: It was apparent that we need to increase the level of information exchange between the public and private sector. But, overall, I was very favorably surprised at how well coordinated we are. I'd give it a B-plus. That's not bad, given our state of development. There is a lot of work underway. I am confident that we're making rapid progress.

NEWSWEEK: What do you see as the biggest challenges ahead?

Yoran: Well, there's no shortage of challenges in our division, but we'll stay very focused on implementation and execution and collaborating with the private sector.

NEWSWEEK: Can you give some specific examples?
Yoran: We want to be sure that we bring our national resources to the table and make sure we are able to provide the actionable information from whatever source--it could be law-enforcement based, intelligence based, it can come out of the private sector. We want to bring the information in an actionable way to the operators responsible for protecting the public interest. By that, I mean that 85 percent of the critical infrastructure owners and operators are in the private sector.

NEWSWEEK: So the government would be willing to provide the private sector with sensitive data gathered by intelligence agencies?

Yoran: This is a new paradigm for the government to operate under. It had been focused on getting highly classified information just to the folks who needed it. But there's been a paradigm shift, and the warfighters now are more frequently on the private-sector side. The government is learning now how to do that [share information]--it's a front-and-center focal point.

NEWSWEEK: By the end of 2004, do you think we'll see a decrease in virus attacks like MyDoom?

Yoran: I think it's unlikely to expect that there will be fewer viruses written. Every indication we have is that it will only continue to rise and become more efficient in how they propagate themselves. But I think we will continue to improve our preparedness to deal with them.
This archive was generated by hypermail 2b30 : Thu Feb 05 2004 - 05:44:30 PST