[IWAR] Editorial by William Church

From: Betty G.O'Hearn (bettyat_private)
Date: Fri Feb 06 1998 - 07:11:39 PST

  • Next message: Michael Wilson: "[IWAR] Church editorial, iwar.org"

    This is an excellent piece.   William Church has taken infrastructure
    protection to a more defined level where it needs to be. 
    It is  Infrastructure Protection, Stupid; not Computer Security
    It is hard to blame corporations for confusing computer security with
    infrastructure protection;  after all, the President's Commission on
    Critical Infrastructure Protection spent $20 million and produced a report
    on computer security and not infrastructure protection.
    How can you blame either of them with all the talk of firewalls, hacking,
    cracking, anti-virus, sync floods? In military terms, the problem is
    similar to placing a guard in front of every building and calling that a
    defense plan.  The vulnerability is the relationship of the infrastructure
    and its individual parts as a whole and its internal and external links.
    The focus on computer security fails to recognize that systems can be
    affected by destroying a crucial system link without directly touching the
    targeted system.  What good is a secure computer if the data transmission
    lines are unsecured and public?  How do you protect an electric power
    distribution system if the operating system is shared with similar systems
    throughout the world?
    Infrastructure protection requires a systemic approach which accounts for a
    wide range of vulnerabilities that could be both "information/cyber" and
    physical attacks.  According to our records, more credit cards are stolen
    every year by physical theft-stealing a computer-than by what is commonly
    called hacking.  
    There is no need to destroy a competitor's production control computer if a
    linked systems is blocked from providing data about key variables used to
    calculate a final formula.  Just as there is no need to destroy a electric
    power system if you can block the delivery of coal to the power plant, and
    that may be the best example today of  infrastructure vulnerability.
    The Union Pacific merger with Southern Pacific resulted in significant
    infrastructure problems.  Today, the United States Army has issued an order
    suspending the use of Union Pacific to ship supplies because of the high
    accident rate and lost cargo problems.  The media has reported problems
    that range  from coal not getting delivered to power plants to corn rotting
    in silos because Union Pacific can't track its railroad cars.  And this
    isn't counting  the five accidents they have had with multiple fatalities.
    This best represents the real infrastructure threat and it is complex with
    no simple solution.  It demonstrates that a corporation or nation can be
    hurt by an indirect hit and that is why a systemic approach is necessary.
    Unfortunately, everyone wants a simple fix.  No one organization can see
    the whole picture so it looks unsolvable.  The computer department takes
    responsibility by putting up a firewall.  The telecom department takes
    responsibility by securing its network.  But no one thinks outside their
    area about related vulnerability.
    Why is this important?  For the United States the next large infrastructure
    test will be the transition associated with the Year 2000 problem.  A Y2k
    fix requires not only internal system focus but a fix of all systems linked
    together to eliminate any possible correction of the data.  For example, an
    internal scientific system may look up a date table in an external system,
    and this could be a source of corrupted data.
    The outcome is certain.  As a society becomes more reliant on an
    interconnected infrastructure, the chance for a systemic failure becomes
    higher. On that date, true computer security will be reached.  Systems will
    be isolated;  therefore, finally secure.
    William Church
    Managing Director
    Editor, CIWARS
    The Centre for Infrastructural Warfare Studies
    Affiliate:  The Infrastructure Assurance Institute
    Betty O'Hearn
    Assistant to Mr. Winn Schwartau
    813-360-6256 Voice
    813-363-7277 FAX
    Everybody gets so much information all day long that they
    lose their common sense.
             - Gertrude Stein, American author (1874-1946). 

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:04:24 PDT