








Homeland Security Focus Areas
Cyber-terrorism/Security
Cybersecurity Weakened by Government Restructuring to Form DHS
Restructuring federal agencies to form the Department of Homeland Security
(DHS) has weakened the government's ability to carry out cybersecurity
measures, leaving it up to the private sector to cover gaps, Richard Clarke,
the former White House cyber security advisor, said at a press conference
on 15 July, the Orlando Business Journal reported. Clarke, who is now
the chairman of the Arlington, Virginia-based Good Harbor Consulting firm,
said, "The reorganization we thought would make things better has,
at least in the short term, made us less capable of securing...networks."
That, he said, is due to the fact that combining the cybersecurity efforts
of five separate agencies has actually resulted in fewer people working
on cybersecurity now than a year ago. He explained, for example, that
some cybersecurity experts in the Federal Bureau of Investigation (FBI)
chose to stay with the FBI instead of transferring to DHS, while their
jobs, which did transfer to the new department, have gone unfilled there.
This has occurred at a time when "the threat to the nation's critical
infrastructure is significant," CRN reported Clarke as saying. "The
number of software vulnerabilities is 'at an all-time high,' while the
time between the discovery of vulnerability and the creation of exploit
code is shortening," he said.
ANALYSIS: Since leaving the government, Clarke, who helped craft the
Bush administration's national cybersecurity strategy, has been outspoken
in his views about the government's inability to address cyber threats.
Earlier this month he told an audience of Chief Security Officers that
if they are "looking for the federal government to take the lead
on cybersecurity [they] should look elsewhere," according to an InfoWorld
report. Although DHS announced the establishment of its National Cyber
Security Division (NCSD) over a month ago, it has yet to find a director.
That may have something to do with the fact that the post is not senior
enough for its holder to have much impact. The lack of strong cyber security
leadership runs the risk of making the NCSD an "orphan within the
massive DHS," an EWeek article stated. That has also contributed
to a less than responsive private sector, which has balked at federal
regulation of its cybersecurity efforts. While in Florida, Clarke joined
several other IT security executives in announcing an alliance of technology
companies to secure the nation's critical infrastructure of power, oil,
transportation, banking and other systems. This effort could spur the
kind of action in the private sector that might help in shaping federal
regulation that Congressman Adam Putnam (R-Florida) recently promised
by year's end.
House Committee Chairman Promises Cybersecurity Regulations This
Year
The Chairman of the House Government Reform Committee's Subcommittee
on Technology, Information Policy, Intergovernmental Relations and the
Census put the private sector on notice on 10 July that cybersecurity
regulations could be in the offing this year, according to several reports.
Speaking to a forum on cybersecurity and e-government, Congressman Adam
Putnam (R-Florida) said, "There are a couple of areas where I believe
the subcommittee will be drafting bills towards the end of this year that
will impact the private sector," according to InfoWorld. Putnam said
Congress should not take a "knee-jerk, let's legislate" approach
to regulating cyber security efforts, but that regulation was warranted
due to a lack of awareness, even by his congressional colleagues, of how
much of the critical infrastructure is controlled by computer networks.
He also said, "Frankly, I'm finding a lack of attention and a lack
of understanding by the Congress and the (Bush) administration as to the
serious nature of the threat." He faulted the private sector as well,
adding that companies "have not moved fast enough. It is incumbent on
the private sector to get its house in order to demonstrate that regulation
is not needed," Washington Technology quoted him as saying.
ANALYSIS: While Putnam was not specific about the kind of regulations
he would like to see, his intended effort appears to be motivated by a
general frustration with the failure of both government and the private sector to perceive
a major threat to cybersecurity and to respond accordingly. The Bush administration's
National Strategy to Secure Cyberspace does not recommend regulation of
the private sector, nor does it recommend a specific road map for the
private sector to follow. That the cybersecurity chief at the Department
of Homeland Security (DHS) was not given very senior status, among other
things, has been interpreted as a sign that the administration has not attached
a high enough priority to the issue. As Putnam sees the matter, "the
cyber threat has taken a back seat to the physical threat. I think that
is a dangerously lopsided approach to homeland security." Some regulation
may be warranted, as leadership from the federal government may be
long in coming. Richard Clarke, former special adviser to the president
for cyberspace security, told a group of Chief Security Officers in Boston
recently that if they are "looking for the federal government to
take the lead on cybersecurity [they] should look elsewhere." He
estimated that it would take five to seven years for the massive DHS,
the government's lead agency for addressing this issue, to functionally
become a real department, InfoWorld said.
July 7, 2003
Uneasiness About Security as Government Buys Software
By JOHN MARKOFF
Sitting at his laptop computer in a hotel near Toronto one day last October,
Gregory Gabrenya was alarmed by what he discovered in the sales-support
database of his new employer, Platform Software: the names of more than
30 employees of the United States National Security Agency.
The security agency, one of many federal supercomputer users that rely
on Platform's software, typically keeps the identities of its employees
under tight wraps. Mr. Gabrenya, who had just joined Platform as a salesman,
found the names on a list of potential customer contacts for Platform's
sales team. The discovery crystallized his growing concern that the company
was perhaps too lax about the national security needs of its United States
government customers, in the military, intelligence and research.
"Anyone who had an account on the system could see this list,"
Mr. Gabrenya recalled in a recent interview. "They shouldn't be seeing
this information and I shouldn't be seeing it."
What really worried him, Mr. Gabrenya said, was that Platform, although
based in Markham, Ontario, maintains a software maintenance and testing
operation in Beijing - which he was not sure the company had made clear
enough to its American government customers.
He repeatedly raised the concerns with Platform executives, who say his
fears were unfounded. In March, Mr. Gabrenya, who had previously worked
for nearly 10 years as a salesman for the supercomputer maker Silicon
Graphics, was let go by Platform. The company said he had not met sales
goals. Mr. Gabrenya said his whistle-blowing led to his dismissal.
Mr. Gabrenya, a 42-year-old American, stressed that he had seen no evidence
of espionage or other wrongdoing by Platform employees either in Canada
or China. But he said that he was concerned about two possibilities, that
sensitive government information was not receiving adequate protection
and that the Chinese software operation could be infiltrated by foreign
agents who could tamper with software being used by United States government
agencies.
The issues Mr. Gabrenya raised are part of a tension in the information
technology industry, as crucial computer programming is increasingly performed
outside the United States, either in the form of jobs exported from this
country or by a growing array of foreign competitors.
The trend poses risks, in the view of some American government officials,
because of the potential for foreign spies to sneak illicit code into
critical programs, and simply because the United States is increasingly
losing dominance in information technology.
"Software is so goofy because there is so many lines of code that
hiding Trojans inside the system is the easiest thing in the world to
do," said Keith A. Rhodes, the chief technologist of the General
Accounting Office. "Setting aside national security, we're also talking
about a tremendous advantage you give to your national competitors."
The concerns cut both ways. The Chinese government has repeatedly accused
the United States military and intelligence organizations of attempting
to conduct espionage by manipulating American products sold in China.
The tracking features in Intel's microprocessors and Microsoft's operating
system software are of particular concern to Chinese officials, which
is one reason China is intent on expanding its own technology industry.
"The Chinese emergence as a global workshop for information technology
presents us with a new area of export control challenges," said James
Mulvenon, an analyst at the RAND Corporation.
Hong Chen, a Chinese technologist in Silicon Valley, who is not affiliated
with Platform Software, said that there were software technologies that
the United States should jealously guard and not develop overseas, but
that Platform's was not among them.
"I don't think the technologies at stake here are crucial to national
security," said Mr. Chen, an executive who heads the Hua Yuan Science
and Technology Association, a Silicon Valley group of more than 1,000
entrepreneurs and technologists who were born in mainland China.
For the most part, Mr. Chen said, the United States and China should freely
exchange technologies.
Platform Software dominates the market for software that enables clusters
of powerful computers to work together. It has dozens of United States
federal customers, and computer makers including Dell, I.B.M. and Silicon
Graphics also sell its software to federal customers. The company was
co-founded in 1992 by a Chinese-born computer scientist, Songnian Zhou,
who received his Ph.D. from the University of California at Berkeley,
and who remains Platform's chief technology officer.
Mr. Gabrenya, who lives in Northern California, is still looking for work.
He said that shortly after he was hired by Platform, he began raising
his concerns with company executives, first in person and then in writing.
In January, he spelled out his concerns in an e-mail message to his boss:
"After spending a little over 90 plus days here at Platform, I find
myself less comfortable in this job than when I began. The reason? Our
China office. It's clear that we now have people in Beijing doing important
development work and we are not, as a company, telling our U.S. government
customers. That's a problem in my mind. Is this illegal?"
The e-mail message and his persistent queries led the company to blackball
him, Mr. Gabrenya said. His relationship with Platform deteriorated, he
said, after he told the company that his security concerns made him uncomfortable
trying to sell its products to the NASA Ames Laboratory, a government
research center in Silicon Valley.
Executives at Platform Software dispute Mr. Gabrenya's charges, saying
the company has stringent rules in place to separate its foreign operations
from its domestic software development process and computer systems. The
company says that none of its software for customers in the American government
is developed in China and that it has carefully informed those customers
about its test and maintenance organization in China.
"What I did say to Greg at the time is that there is clear demarcation
with respect to development of software and no code goes to China,"
said Ian Baird, vice president for sales and marketing operations at Platform.
The company also does not make customer information stored in its sales
support database generally available within the company, he said, adding
that it was unclear how it would have been possible for Mr. Gabrenya to
have the authorization to view the security agency customer data.
A security agency spokeswoman said last week that the agency was not prepared
to comment.
But several of the company's other United States government customers
said they were aware of Platform's operation in China and were not concerned.
A spokesman for one customer, the Los Alamos National Laboratory in New
Mexico, said that dealing with software written outside of the United
States was now a normal occurrence.
"Of course we knew that Platform has subsidiary offices all over
the world, including China," said Kevin Roark, a spokesman for the
Los Alamos laboratory. He said the lab reviewed all of the basic programmer
instructions, known as source code, before running software used in classified
applications. "The reality of software in the 21st century,"
he said, "is you count on software having source from foreign sources."
Even before Mr. Gabrenya's complaints, Platform Software said, it had
been taking steps to isolate its overseas divisions from the sale of its
software technology to customers in the United States with classified
military and intelligence applications. The company recently created a
separate board for its unit that sells to the United States government.
The board includes two former government officials: Oliver Revell, president
of the Revell Group International and former assistant director of the
Federal Bureau of Investigation, and Harry Soyster, vice president of
the Washington consultants Military Professional Resources Inc. and a
former lieutenant general in the Army who directed the Defense Intelligence
Agency.
Mr. Revell said he was unfamiliar with the details of Mr. Gabrenya's dispute
with Platform, but said he thought the company had taken the necessary
steps to insulate itself from potential foreign intelligence operations.
"I've spent 35 years defending my country and I would not participate
or allow my name to be used in a company that had any potential risk to
the United States," Mr. Revell said. "As far as I'm concerned
the software provided will be thoroughly checked and all of the U.S. government
customers are aware of what's being done and where it's being done."
Mr. Gabrenya, for his part, said he could have gone to a lawyer and attempted
to reach a financial settlement with the company for what he considers
his wrongful termination, but that "it was not about money."
"I have some moral concerns," he said. "This is about doing
the right thing."
Military Launches Cyber Security Effort
By JIM PAUL
The Associated Press
Thursday, July 3, 2003; 4:23 PM
URBANA, Ill. - Hoping to thwart hackers, the military is launching a
new research effort at the University of Illinois to improve the security
of battlefield computers and communications systems.
Officials at the school's National Center for Supercomputing Applications
on Thursday announced an initial $5.7 million grant from the Office of
Naval Research to establish a new research center to develop technology
against enemy hackers, NCSA director Dan Reed said.
Other research projects will include developing remotely programmed radios
and refining ways for monitoring battlefield environments.
The NCSA, located at the university's Urbana-Champaign, Ill., campus,
is a high-performance computing center that develops and deploys computing,
networking and information technology for government and industry.
Software developers will try to determine the best way to share information
among military forces without fear of interception. The government also
is seeking a framework for determining quickly when and how a computer
network is under attack, Reed said.
They also will work to ensure the integrity of sensors deployed to monitor
battlefield environments, so forces can rely on their data without worrying
about misleading information planted by the enemy.
The same kind of sensors could be used to monitor the integrity of bridges
or the movement of traffic, making the research applicable to nonmilitary
use, Reed said.
Another project involves the development of portable, remotely programmed
radio systems.
Instead of using electronic hardware to control a radio's frequency,
the radio could be remotely programmed using computer software, making
it easily adaptable and secure because it could be instantly deprogrammed
if lost to the enemy, Reed said.
Such "software-designed" radios also could make it easier for
civilian emergency-response teams to communicate because they wouldn't
be hampered by devices operating on incompatible frequencies, Reed said.
Government Warns of Mass Hacker Attacks
By TED BRIDIS
The Associated Press
Wednesday, July 2, 2003; 2:03 PM
WASHINGTON - The government and private technology experts warned Wednesday
that hackers plan to attack thousands of Web sites Sunday in a loosely
coordinated "contest" that could disrupt Internet traffic.
Organizers established a Web site, defacers-challenge.com, listing in
broken English the rules for hackers who might participate. The Web site
appeared to operate out of California and cautioned to "deface its
crime" - an apparent acknowledgment that vandalizing Internet pages
is illegal.
The Department of Homeland Security said Wednesday it was aware of the
hackers' plans but did not expect to issue any formal public warnings.
The Chief Information Officers Council, part of the Office of Management
and Budget, cautioned U.S. agencies and instructed experts to tighten
security at federal Web sites.
"Frankly, hacker challenges occur frequently, and we don't think
they all rise to the level of a warning," Homeland Security spokesman
David Wray said.
Home Internet users, who typically do not operate Web sites, probably
would not be affected directly, said Oliver Friedrichs, the senior manager
for security response at Symantec Corp.
An early-warning network for the technology industry, operating with
Homeland Security, notified companies that it received "credible
information" about the planned attacks and already has detected surveillance
probes by hackers looking for weaknesses in corporate and government networks.
"We emphasize that all Web site administrators should ensure that
their sites are not vulnerable," wrote Peter Allor of Internet Security
Systems Inc., the Atlanta-based company that runs the Information Technology
Information Sharing and Analysis Center.
Friedrichs, though, said Symantec's global monitoring network wasn't
detecting unusual probes.
"We really haven't seen any of that activity," he said. "We're
certainly going to keep watching and looking."
Separately, the New York Office of Cyber-Security and Critical Infrastructure
Coordination warned Internet providers and other organizations that the
goal of the hackers was to vandalize 6,000 Web sites in six hours.
New York officials urged companies to change default computer passwords,
begin monitoring Web site activities more aggressively, remove unnecessary
functions from server computers and apply the latest software repairs
from vendors such as Microsoft Corp.
Chris Rouland, director of the X-force security team at ISS, said researchers
monitoring underground chat rooms and other Internet activity detected
a drop in the numbers of vandalized Web sites recently and an increase
in the types of surveillance scans that typically precede computer break-ins.
"It's kind of a sand-bagging period," said Rouland, who predicted
that hackers were quietly breaking into computers and waiting to vandalize
them on Sunday.
The purported "prize" for participating hackers was 500 megabytes
of online storage space, which made little sense to computer experts.
They said hackers capable of breaking into thousands of computers could
easily steal that amount of storage on corporate networks.
June 25, 2003
Warning center for cyber attacks is online, official says
By Bara Vaida, National Journal's Technology Daily
A national early-warning network and analysis center for cyber attacks
is operating in 30 locations, a senior White House official said on Wednesday.
Paul Kurtz, a special assistant to President Bush and senior director
for critical infrastructure protection in the Homeland Security Council,
said the Cyber Warning and Information Network (CWIN) has begun operating,
and administration officials are working to add state and local officials
to the network.
"It's not a first-responders network," Kurtz said at a cybersecurity
conference organized by the Center for Strategic and International Studies
and the Information Technology Industry Council. "But we've been
hearing a lot of questions about how we'll share information ... and CWIN
is just the beginning" of that information-sharing effort.
CWIN was an idea of former White House cybersecurity adviser Richard
Clarke, who in October 2001 said creating such an early-warning system
would be a top priority as part of the government's efforts for bolstering
network security. Two information-sharing and analysis centers for various
sectors of the economy already have joined the network, with more expected
to join by year's end.
CWIN was to be modeled after the existing National Operations and Intelligence
Watch Offices Network, which connects senior officials at the Pentagon,
National Security Agency, White House, State Department and CIA by phone
within 15 seconds, Clarke said in 2001.
CWIN "is being used just a little bit ... and we will need greater
assistance" from the private sector, Kurtz said. "But there
is movement on the ground."
Kurtz also outlined the role of the White House Homeland Security Council,
which is modeled after the National Security Council. He said the Homeland
Security Council's main goal is to make sure the Homeland Security Department
is successful, as well as to work with all federal agencies to coordinate
homeland security efforts.
He emphasized the importance of the private sector continuing to work
with the government to answer ongoing questions, such as "what is
the cyber infrastructure, what is the role of the federal government and
what is the proper role of state and local officials in protecting computer
networks?" He also said the Bush administration philosophy is to
let the private sector find market-based solutions to security before
seeking "government remedies."
Other panelists at the event spoke about their companies' efforts to
play a role in homeland security. For example, Frank Koester, vice president
of technical operations at Eastman Kodak, highlighted a technology standard
called JPEG 2000 that enables the sharing of digital imaging to help emergency
workers do their jobs.
Tom Richey, director of homeland security at Microsoft, noted that his
company's software has met national security standards for intelligence
sharing and that his firm is bolstering the security of its current systems
and products. And Bill Boni, chief information security officer at Motorola,
outlined his firm's efforts to make wireless systems more secure.
June 24, 2003
Agencies granted faster hiring authority for cybersecurity, medical employees
By Kellie Lunney
klunney@govexec.com
Agencies can hire cybersecurity specialists and medical personnel without
going through standard government job competitions, the Office of Personnel
Management announced on Friday.
Office of Personnel Management Director Kay Coles James on Friday granted
direct hire authority for those occupations because agency officials have
said they have trouble getting good people quickly for such slots. James
used the direct hiring authority created in the 2002 Homeland Security
Act to approve the swift governmentwide hiring of information technology
specialists, doctors, nurses and pharmacists. James also used the authority
to grant hiring flexibility to the Securities and Exchange Commission
to hire accountants, economists and securities compliance examiners directly
until June 20, 2005.
“I am not waiting to be asked in those situations where the shortages
and critical needs are well known and a direct-hire authority can make
a real difference,” said James. Prior to the Homeland Security Act,
agencies had to ask OPM for special hiring authority to fill critical
positions. Agencies can still ask for special authority, but now OPM can
also grant that power whenever OPM officials see a critical hiring need
for specific jobs.
SEC officials have said that they need about 800 accountants, compliance
examiners and economists in the next several months to handle more than
2,200 investigations following financial scandals at Enron Corp., WorldCom
Inc. and other companies. Shortages of medical personnel have been “a
long-standing problem” at many federal agencies, according to an
OPM statement. And growing cybersecurity concerns have increased the demand
for information technology specialists in the federal government.
Under normal government hiring procedures, an agency must publicize a
job and then rate and rank candidates using a structured assessment process.
Such hiring procedures can take months to complete. Under direct hire
authority, agency managers could, theoretically, place an ad in the newspaper
and hire the first person who responds. Veterans preference does not have
to be considered under direct hire authority.
In addition to direct hiring authority, the Homeland Security Act gave
agencies across government several new personnel flexibilities
(http://www.opm.gov/pressrel/2003/MO-Hiring.asp),
including categorical ranking and broader authority to offer some employees
the opportunity to retire early.
The Federal Register published interim rules on the new personnel flexibilities
(http://a257.g.akamaitech.net/7/257/2422/14mar20010800/edocket.access.gpo.gov/2003/03-14971.htm)
on June 13.
June 23, 2003
Companies outline efforts to practice, preach cybersecurity
By Bara Vaida, National Journal's Technology Daily
Executives from companies in the Internet Security Alliance (ISA) on
Monday outlined their efforts to bolster cybersecurity and privacy as
the number of computer attacks continues to rise.
At a congressional briefing, executives from AIG Cyber Insurance, Nortel
Networks, Verizon Communications and Visa all outlined how they are encouraging
cybersecurity while also educating lawmakers on the need for the government
to urge companies and individuals to invest in cybersecurity.
"A role the government can play is in public awareness," said
Larry Clinton, deputy executive director of the ISA, which is managed
by the Electronic Industries Alliance. "Consumers need to develop
sensibility" to cybersecurity.
The Bush administration's strategy to protect cyberspace notes that because
85 percent to 90 percent of the nation's computer networks are privately
held, the private sector will play a large role in protecting computer
networks.
Ty Sagalow, executive vice president and chief operating officer at AIG
Cyber Insurance, explained how his company has been providing incentives
for firms to increase cybersecurity. He said companies that are interested
in purchasing cyber insurance first must subject their security programs
to thorough examination by independent teams of cyber experts.
The teams produce 25-page reports for the companies and recommend ways
to improve security. Each company also receives a grade, and then AIG
determines what types of insurance to provide and at what cost. Sagalow
said 75 percent of companies that seek insurance do purchase some type
of it from AIG.
Sagalow also said AIG provides insurance discounts for companies that
follow ISA's "best practices" for cyber protection, and for
purchasing certain types of technologies and equipment.
Rod Wallace, director of network security at Nortel Networks, said his
company requires all its vendors to meet cyber-security requirements.
And Linc Howell, Verizon Communications' assistant vice president for
Internet technology policy, said his company provides packages of cyber-security
protection for its high-speed Internet users.
Mark MacCarthy, Visa's senior vice president for public policy, said his
company requires all of the top 100 e-commerce destinations on the Internet
to follow Visa's privacy and cyber-security guidelines if they plan to
use Visa's financial system. The company also requires that of smaller
companies in the United States and has begun the program in the European
Union.
MacCarthy said that now almost all 100 of the e-commerce sites follow
Visa's rules on protecting consumers' Visa numbers.
All the panelists agreed that the best thing the government could do is
highlight the need for cybersecurity.
AIG's Sagalow said that some companies also would like Congress to revisit
the Freedom of Information Act (FOIA) to strengthen the exemption
from the law for companies that voluntarily provide critical
infrastructure protection information to the government. The FOIA exemption
in the 2002 law that created the Homeland Security Department did not
go far enough, they argue.
Homeland Security Info Sharing to Take Time
By STEVEN K. PAULSON
The Associated Press
Wednesday, June 18, 2003; 10:05 PM
COLORADO SPRINGS, Colo. (AP) - It would be a daunting challenge for
even the sharpest programming wizards: set up a secure computer network
for the 190,000 workers in the Homeland Security Department.
It will take years to design and build a new system that unifies information-sharing
at the reconstituted agencies now under one umbrella, said Edward Kinney,
director of information technology for Customs & Border Protection.
Compounding the challenge will be the task of keeping existing networks
operational and secure during the transition.
Kinney spoke Wednesday at a conference that put government and private
computer company representatives together to discuss security. He declined
to provide specifics about the new network.
The Homeland Security Department became operational in February in the
largest government reorganization since 1947. It merged 22 agencies scattered
across the nation and in some foreign countries.
They patrol borders, analyze U.S. intelligence, respond to emergencies
and guard against terrorism, among other tasks.
Computer experts working on the new system had to figure out how employees
could share critical information while protecting it from prying eyes
that could compromise national security and trade secrets, Kinney said.
The government needs to make sure information is protected because the
new network creates serious privacy issues by allowing "virtual dossiers"
to be compiled on employees, said Wayne Madsen, a senior fellow at the
Electronic Privacy Information Center.
"Until they have a mechanism to make sure there are no abuses, they
should go slow putting this information into a database," he said.
Department officials routinely test the networks to make sure they are
hacker-proof, Kinney said.
They also are focusing on government employees stationed overseas, such
as U.S. Customs workers who must inspect cargo headed for the United States.
"If we cannot bring goods and services across our borders, our economic
security will be significantly impaired," Kinney said.
It also has been a challenge to change computer culture among government
workers. Following the Sept. 11 attacks, computer managers had to tell
federal workers to stop e-mailing pictures of waving flags from unauthorized
sites to their colleagues.
Cybersecurity Starts in the Office
Survey Finds Workers Doubting Peers' Savvy on the Issue
By Ellen McCarthy
Washington Post Staff Writer
Tuesday, June 17, 2003; Page E05
When the office networks crash and work comes to a halt, there's probably
an irresponsible co-worker somewhere in the building to blame. That's
the sentiment many employees expressed in a survey on individual cybersecurity
competence released today.
Sixty-four percent of American workers referred to themselves as "interested
and proactive" in protecting their office computer systems, but employees
have significantly less confidence in their peers, according to a survey
by the Information Technology Association of America and Brainbench, a
Chantilly firm and ITAA member company that sells skill tests online.
About 760 people responded to the Internet-based survey distributed in
May, including 403 Americans.
When asked about the contributions co-workers are making to protect workplace
networks, only 35 percent of Americans said their peers know what to do
and are doing it. The rest believe their peers are not aware of the issue,
don't know how to deal with it or just won't bother.
"Security is a function of people, processes and technology,"
said Mike Russiello, president of Brainbench. "Everybody recognizes
that people are the weakest link."
Two-thirds of employees believe their co-workers are a bigger threat to
customer security than hackers, according to a survey of 500 people released
earlier this month by Harris Interactive Inc. And even though 74 percent
of those surveyed by Harris said the security protecting customer information
on their companies' networks was secure, very secure or extremely secure,
about 45 percent also said it would be easy, very easy or extremely easy
for someone at work to remove sensitive customer data from the network.
More than half of U.S. workers said their employers do an adequate job
providing information about cybersecurity threats and protection methods,
the Brainbench/ITAA poll said, but only 39 percent said their own knowledge
of the issue was accrued on the job.
In February, the Bush administration released a strategy for combating
network attacks and viruses that suggests information sharing and cooperation
among private corporations.
To push corporations to take greater responsibility for employee training,
the ITAA and Brainbench are introducing a new certification program requiring
individuals to pass an Internet-based test on cybersecurity procedures.
Once 90 percent of the employees have taken the test -- and 85 percent
of those workers pass it -- the firm receives an Information Security
Awareness Certification.
"If people say, 'Oh, cybersecurity is important,' but then don't
train people who are sitting at their desks or train them but don't test
them, I don't think they are really indicating a serious commitment,"
said Harris N. Miller, ITAA president. "We want to give corporations
and individuals the chance, through taking this test and getting this
certification, to show they are really focused on cybersecurity."
From the "Congressional Quarterly Homeland Security Daily,"
13 June:
Freight Systems Vulnerable to Terrorist Penetration, Study Says
A new report from the National Research Council outlines possible cybersecurity
threats to the air, rail and trucking freight industry. Among the potential
dangers are terrorists hacking into computerized data systems to track
shipments of hazardous material, plan attacks or acts of sabotage, such
as taking control of railroad switches or signals, according to the report.
A potentially more dangerous situation is the possibility that terrorists
could hack into a system and mask a weapon of mass destruction as a benign
piece of freight as it makes its way into the country. The complexity
of the freight industry, with a large number of companies and modes of
transportation, combined with its increasing reliance on information technology
systems, creates vulnerabilities, the NRC report said. The report was
prepared at the request of the Transportation Department. -David Clarke
Report: Freight Transportation Industry Vulnerable to Cybersecurity
Attacks
The National Academies of Science Transportation Research Board and
Computer Science and Telecommunications Board posted to their website
on 11 June a report that establishes a framework for a future study addressing
cybersecurity threats affecting the freight transportation industry. The
report, Cybersecurity of Freight Information Systems, indicates that the
freight transportation industry is especially complex due to various carrier
modes (trucks, trains, sea, air, and pipeline), the increasing reliance
on the Internet for communications, and the emergence of decentralized
systems. Cyber vulnerabilities in the industry can range from terrorists
taking control of railroad switches to hackers stealing information about
the transportation of hazardous materials in order to detonate them in
"high-consequence locations." The report indicated that terrorists
could also manipulate transportation information systems to surreptitiously
clear a shipment containing a weapon of mass destruction for entry into
the United States. The report emphasized in bold print that the "freight
transportation industry appears to offer unusual potential for both economic
and physical damage from terrorist cyberattacks."
ANALYSIS: While the report indicated that "the actual vulnerabilities,
risks, and consequences of such attacks have not yet been determined,"
the report recommended that public and private options for enhancing cybersecurity
should be further evaluated. The report underlined the need to identify
and prioritize security enhancements in "critical areas," due
to the broad and varied types of cyber vulnerabilities in the freight
transportation industry. The federal government has the potential to play
a large role in implementing new security guidelines based in part on
the willingness of private freight companies to cooperate in evaluating
potential cybersecurity risks. It remains to be seen if the Department
of Homeland Security's new cybersecurity office will play a role in this
task.
June 11, 2003
Former officials assess security needs on cyber front
By William New, National Journal's Technology Daily
A panel of former government experts in cybersecurity on Wednesday assessed
the need to address that issue.
At a Center for Strategic and International Studies conference, Ronald
Dick, director of strategic initiatives on information assurance at Computer
Sciences Corp., identified several drivers to improving cyber security
and protecting critical infrastructures. Dick once headed the FBI's National
Infrastructure Protection Center, whose functions were absorbed into the
Homeland Security Department this year.
Dick said the level of awareness of cybersecurity issues is high, with
reports of failures to protect information circulating every day. He said
regulations, standards and even legislation on the matter are proliferating.
He also cited "rumblings" in the legal community about challenging
the law that protects companies from liability even if something happens
involving their homeland security technology. And there is increasing
attention to including safety procedures in cyber products, much like
safety belts eventually became required in automobiles.
Philip Reitinger, senior security strategist at Microsoft, said the recent
"brain drain" of top government cyber experts means getting
"the right folks" in place is a top priority. Reitinger also
pointed to the need for incentives for agencies to better protect cybersecurity,
and the need for appropriate technologies.
He suggested that government support the private sector's efforts to protect
critical infrastructures by identifying the gaps between what the marketplace
will take care of and what is needed. Then it should determine the best
way to close that gap with "tailored" government action that
poses the least possible intrusion into the marketplace.
John Tritak, former director of the Critical Infrastructure Assurance
Office, which also was absorbed into Homeland Security, applauded the
creation of a cybersecurity division at the department because he said
some high-level officials did not see the need for it. "It was not
a foregone conclusion," he said.
"If anyone's going to be kept up all night worrying about cybersecurity,
then it better be the Department of Homeland Security," he added.
Tritak said the department needs to "translate cyber risk into corporate
risk" by helping top executives see the importance of it, "or
the gap between where the market will go and what is needed is going to
be wide."
He said the national plan the department is mandated to develop would
be the "ultimate" guiding government document on cybersecurity.
Panelists also said the private sector would be more encouraged to share
security information with the government if it received more -- and more
compelling -- information on threats.
Stewart Baker, a partner at Steptoe and Johnson, said he was alarmed by
statutory language that lets the federal government share private-sector
information about cybersecurity with foreign governments as long as the
information is considered part of an investigation. "There is a lot
of reason to be worried about that," Baker said.
June 5, 2003
Bush administration to unveil cybersecurity initiative
By Maureen Sirhal, National Journal's Technology Daily
The Bush administration is set to announce a cybersecurity initiative
on Friday, prompting speculation by technology industry experts that officials
will unveil the hierarchy of a new government office on the subject.
Robert Liscouski, assistant secretary for infrastructure protection at
the Homeland Security Department, will host a roundtable to unveil the
initiative, said David Wray, a department spokesman. Word of the event
touched off talk that the White House has chosen a cybersecurity director
who will be placed within Homeland Security, but Wray cautioned that the
event would not be a "personnel announcement."
Sources close to the issue suggested that department officials are likely
to announce the structure of the office, however. These people said Homeland
Security will create a cybersecurity office within the information analysis
and infrastructure protection directorate, and that the head of that office
will report to either Liscouski or Frank Libutti, the directorate undersecretary.
The White House and Homeland Security have yet to select the person to
fill the job, sources said. "They are still vetting the names of
who they want to be cybersecurity czar," according to one industry
source.
The move is intended to allay concerns expressed by the high-tech industry
and critics on Capitol Hill that the Bush administration is not prioritizing
the issue of cyber security. Industry experts said that whoever assumes
leadership of the office must have the appropriate authority to effectively
execute the recommendations outlined in the national cybersecurity strategy,
which the White House released in September.
Right now, "the Internet is being attacked," one source said,
adding that "the people responsible for protecting the Internet have
to be people recognized in the administration and the industry as credible
and effective."
William Harrod, director of investigative response for TruSecure, an
intelligence and security provider, said any role the federal government
has in trying to bolster cyber security will require organizations to
do it voluntarily, so a cybersecurity director has to have enough cachet
within the administration to reach out to senior executives in the largest
corporations and persuade them to follow the cybersecurity recommendations.
"It really is going to require somebody at almost a Cabinet-level
position to administer a brokering between the federal government and
these organizations," he said.
He argued that the director needs both authority and a specific budget,
noting that cybersecurity advisers in the Bush administration historically
have lacked both.
Still, other industry sources said the anticipated announcement is a
positive development.
"The fact that they've agreed to build an organization around implementing
the national strategy, that it's to coordinate the cyber activities of
the various offices within the department and to serve as the central
point of contact for industry, that's what we've been asking for,"
the source said. "We're glad they're doing this."
June 3, 2003
Computer security officials discount chances of 'digital Pearl Harbor'
By Drew Clark, National Journal's Technology Daily
The notion that cyberterrorism against the United States could create
a "digital Pearl Harbor" is fading faster than the stock prices
of dot-com startups did at the start of the decade, three computer-security
experts agreed on Tuesday.
"The first time I saw the phrase 'digital Pearl Harbor' was 1995,"
Jim Lewis, a Clinton administration technology policy official now with
the Center for Strategic and International Studies, said during a keynote
panel discussion at an information security summit. "There have been
more than 1,800 international terrorist attacks" since then.
"But you haven't seen the big headlines" about cyberterrorism
during the comparable period, he added. "Just as you had had inflated
stock valuations, you had inflated valuations of risk."
A top computer-security official at Carnegie Mellon's Software Engineering
Institute (SEI) and a Gartner Group analyst also on the panel agreed with
Lewis that disgruntled insiders, not foreign terrorists, pose the greatest
cybersecurity threat to companies.
Companies should implement "best practices" of information management
on their networks to guard against the theft of data and intellectual
property by individuals who seek either to profit or to vandalize from
security weaknesses, they said.
"Being a victim of cybercrime is like being a victim of sexually
transmitted diseases in the 1940s," Gartner analyst Richard Hunter
said. "It certainly happens to a lot of people, but you don't want
anyone to know about it."
But Hunter said businesses need to share information about computer vulnerabilities,
and he jokingly suggested that the time is right for a public-service advertisement
featuring white-coated doctors reassuring chief executives and top security
officers that "the very best companies get cracked all the time."
"Do I accept [the notion of a] cyber Pearl Harbor? No, I don't,"
said Casey Dunlevy, senior member of the technical staff at SEI, which
runs the oldest coordination center for computer emergencies. "But
could [cyber terrorism] be a force multiplier in terrorist attacks"
by, for example, disabling all traffic lights after a bombing? "I
think we have to consider that."
In an interview after the discussion, Dunlevy said the al Qaeda terrorist
group exhibited a curious mix of high-tech and low-tech tactics by, for
example, creating compact discs with instructions to operatives even
as they distributed the discs by hand. He said he had examined computers
recovered from Afghanistan demonstrating the terrorist group's use of
steganography, a technique for embedding secret data within pictures or
text.
"We will eventually see a cyber element to terrorist activity,"
Dunlevy said. But both he and Hunter said terrorist groups also are likely
to continue to engage in money laundering and cybercrime as a means of
purloining resources.
Companies must educate employees to be on guard against "social engineering,"
the practice of over-the-phone deception by skilled information thieves,
Hunter said. The most successful ways for foreigners to steal U.S. secrets
are to use such practices or to buy U.S. companies in possession of secrets,
he said, adding that computer hacking constitutes only 6 percent of theft
attempts.
OMB rates federal cyber security efforts
In its recently-released FY 2002 Report to Congress on Federal Government
Information Security Reform, the Office of Management and Budget (OMB)
found that while federal agencies have "made significant strides
in identifying and addressing long-standing information technology (IT)
security problems that are both serious and pervasive...much work remains."
The report, issued under the Government Information Security Reform Act
(GISRA), also concludes that "while the Administration has applied
more rigorous IT security reviews, more threats and vulnerabilities have
also materialized." According to the report, government-wide IT security
performance has increased significantly from FY '01 to FY '02 for the
percentage of systems "assessed for risk and assigned a level of
risk; that have an up-to date IT security plan; authorized for processing
following certification and accreditation; [and] with a contingency plan."
OMB noted progress across all six of the government-wide IT security weaknesses
identified in FY 2001, and said that while "additional efforts
are still warranted, the Federal government is heading in the right direction."
Federal spending on IT security was $2.7 billion in FY 2002, and is expected
to increase to $4.2 billion in FY 2003, OMB said, while cautioning that
"spending more on IT security does not always improve IT security
performance."
ANALYSIS: The report cites several observations that are indicative of
"government-wide challenges," including "many agencies...finding
the same security weaknesses every year; some chief information officers
and inspectors general [having] different views in their separate evaluations
of an agency's security; many agencies...not prioritizing security for
existing systems before seeking funding for new ones; not all agencies...reviewing
all of their systems, despite the law's requirement that they do so; [and]
agencies...still not incorporating security responsibility and accountability
into every position across the agency," Federal Computer Week reported.
The FY 2002 report is OMB's last under GISRA. "From now on, agency
security efforts will be outlined as part of GISRA's follow-on legislation,
the Federal Information Security Management Act of 2002," according
to FCW.
Administration expected to announce new cybersecurity chief
The Bush administration is expected to announce a new cybersecurity chief
sometime in the next two weeks, who will be located in the Department
of Homeland Security (DHS), according to the Associated Press and CNN.
The press accounts noted that the intended "move reflects an effort
to appease frustrated technology executives over what they consider a
lack of White House attention to hackers, cyberterror and other Internet
threats." Even before anyone is appointed, the action is being criticized
because the position is not being given a status considered senior enough
to have an impact. "The nation's new cyberchief will be at least
three steps beneath Homeland Security Secretary Tom Ridge," AP reported.
Although an announcement is expected soon, reports indicated the administration
is "still looking for candidates for the new position."
ANALYSIS: The administration's impending announcement regarding a cyberchief
comes on the heels of another announcement by DHS Under Secretary for
Science and Technology Charles McQueary of the creation of a Research
and Development Cyber Security Center, although no specific date was given
for when the center would be established. The moves come after much criticism
of the administration's approach to cybersecurity and the loss of its two
most recent White House advisers. Richard Clarke, former head of the White
House Office of Cyberspace Security, who helped fashion the administration's
national strategy on cybersecurity, resigned in January and his deputy
who succeeded him, Howard Schmidt, resigned in April. Clarke has since
advocated for a Chief Information Security Officer who would be responsible
for oversight of all federal agencies. Schmidt resigned reportedly "after
an unsuccessful bid to get...Secretary Tom Ridge to create a high-ranking
cybersecurity czar position." AP noted that the status of the new
cyberchief "is consistent with Ridge's unease over elevating cyber
concerns above the security of airports, buildings, bridges, and pipelines."
Science Foundation Will Boost Cybersecurity Research, Director
Tells Congress
By DAN CARNEVALE, Of the Chronicle
Responding to Congressional criticism, the director of the National Science
Foundation told the U.S. House of Representatives Science Committee on
Wednesday that the agency would step up its cybersecurity research.
The testimony came after committee members told representatives of four
federal agencies that they were not spending enough money on studying
ways to secure the nation's computer infrastructure from electronic attacks
by hackers and terrorists.
Sherwood L. Boehlert, a New York Republican who is chairman of the committee,
used the hearing to check what progress has been made since Congress passed
the Cybersecurity Research and Development Act in November. The law authorizes
spending $902.8-million on computer-security research, much of which is
to be conducted at colleges and universities through the science foundation's
grants.
Mr. Boehlert said he wanted to know what federal agencies are doing.
"At first blush, the answer appears to be, Not nearly enough,"
he said. "Agencies have neither sought nor set aside adequate funding
to implement the Cybersecurity R&D Act."
Mr. Boehlert singled out the Department of Homeland Security and the
Defense Advanced Research Projects Agency for not taking advantage of
the act and spending more.
Representatives of DARPA, the Homeland Security Department, the National
Institute of Standards and Technology, and the science foundation described
how important cybersecurity research is and how more needs to be done,
and they gave their obligatory thanks to the House Science Committee for
its leadership on the issue.
Mr. Boehlert didn't appear flattered. "Thank you for your kind words
about the committee's leadership," he said. "I guess the question
we have is about the followership."
Rita Colwell, director of the science foundation, testified that the
agency is developing a "Cyber Trust" program for the 2004 fiscal
year. The program will finance cybersecurity projects from a number of
disciplines, including computer and social sciences, with grants worth
up to $3-million.
Ms. Colwell said the threat to computer networks is an international
problem that will require the cooperation of several countries.
"As a nation, we are not focused on this very real threat,"
she said. "We're beginning to understand how serious the problem
is."
Anthony Tether, director of DARPA, said the agency is conducting some
research, but researchers there are having trouble devising effective
ways to protect computer networks against hackers.
"We're more idea-limited, right now, than we are funding-limited,"
Mr. Tether said. "The whole military structure we're building for
the future is at stake."
Mr. Boehlert said he expects the agencies to pay more attention to cybersecurity.
"I assure you that this committee will continue pressing for more
action on cybersecurity R&D," he said. "This hearing is
only the beginning."
May 7, 2003
IT officials emphasize need for emergency backup systems
By Molly M. Peterson, National Journal's Technology Daily
Many government offices must do better at backing up their information
systems to preserve important data and ensure "continuity of operations"
in the event of a terrorist attack, several federal technology officials
said on Tuesday.
"We have not done all that much in this area, except for our national-level
systems," Robert Coxe, deputy chief information officer at the Federal
Emergency Management Agency (FEMA), said during a homeland security conference
sponsored by the Armed Forces Communications and Electronics Association.
"I think we have a lot of catching up to do."
Despite having effective backup capabilities for its largest systems,
FEMA's continuity-of-operations plan for many other systems is "very
poor" and typically amounts to "a pile of tapes" containing
archived data, according to Coxe.
"We've basically let those systems go one deep," he said, explaining
that before the Sept. 11, 2001, attacks, FEMA did not have the resources
to improve its backup capabilities. "Now, after 9/11, there's an
enormous amount of attention being paid to it."
Redundant communications and information systems proved invaluable after
the attacks on the World Trade Center and the Pentagon, according to Lt.
Gen. Harry Raduege, director of the Defense Information Systems Agency.
He recalled that one military agency, for example, avoided major data
losses during the Pentagon attack because its computer systems had "double
backup" capabilities. "Their critical data was all contained
in a facility in another state, and that [facility] was backed up by another
facility in a different state," Raduege said.
But he said officials in another Pentagon organization had stored "everything
they had" on only one system that was destroyed in the attack. "They
lost every bit of that data," he said.
The nation's intelligence agencies have made progress in preventing those
types of data losses, according to Allan Wade, chief information officer
for the CIA and the U.S. Intelligence Community.
"In modernizing our information technology infrastructure, we've
been able to do this very economically," Wade said. "We can
provide a relatively inexpensive backup system that we can use for testing
or trying new concepts and then switch it into the infrastructure in the
event that it's needed."
But Coxe, whose agency became part of the Homeland Security Department
two months ago, said counterterrorism and emergency management officials
are facing many other technology-related challenges.
"This is no small organization to try to get your arms around,"
he said of the department. "Success depends on an integrated approach
of business processes, development interoperability standards and a solid
approach to data management and information technology."
Coxe said Homeland Security officials are developing an "e-business
backbone" to facilitate the dissemination of counterterrorism information
to federal, state, local and private-sector officials.
"It must be capable of providing timely, accurate, relevant and
comprehensive assessments and predictions of all types of threats ...
as well as vulnerabilities of our critical infrastructures to attack,"
he said. "The department's information technology, the data management
and the knowledge-management infrastructures do not support these requirements
today."
Homeland Security CIO: No 'Digital Pearl Harbor' Likely
By Eric Chabrow, InformationWeek, InternetWeek
May 5, 2003 (2:40 PM)
It's highly unlikely that the United States will experience a crippling
"digital Pearl Harbor," the CIO of homeland security says. "While
this is a possibility, the probability is relatively low," Steven
Cooper said in an online chat sponsored by The Washington Post. "We
have done a lot in the federal arena to provide multilayered security
for our digital environments and continually 'red team' our networks and
applications to find vulnerabilities."
The government spends millions of dollars on technology to safeguard IT,
and Cooper said he isn't overly concerned about individuals who might
compromise the government's IT infrastructure. "I would agree that
it is always a risk," Cooper said. "However, all personnel working
in the department, including contractors, must pass a security clearance
and additional reviews and background checks, depending on level of clearance.
While not perfect, we are comfortable we have an adequate level of precaution
and review regarding our people."
Responding to a comment that homeland security appears as "one giant
organizational mess" because of major cutbacks in airport security--which
months earlier the government deemed important--and the fuss over duct
tape and plastic to safeguard against chemical attacks, Cooper said the
department is on the right track. "My 16-year-old daughter shares
your concern and advises me on this every day," he said.
Cooper contends that the nation is safer than it was a year ago, noting
that no terrorist incident has occurred in the United States since Sept.
11, 2001, and that a number of al-Qaida operatives and other terrorists
have been arrested. "We are doing a great many things right and the
country, you, and your family are safer than a year ago," he said.
"Having said that, we are also acutely aware that we have more to
do. We're not letting red tape get in the way of the things we must do
quickly to make us all safer. We are addressing chemical and bioterrorism
and have increased our detection capability across the country and at
points of entry."
The CIO addressed a number of other matters:
Among his top priorities for the department: complete its enterprise architecture
and road map, a first version of which should be available by September;
integrate various governmental terrorist watch lists and distribute the
integrated list to local law-enforcement agencies; create an information-exchange
environment with the first-responder community; share threat and intelligence
information with local law enforcement; and determine and model critical
infrastructure risks.
The department is taking a two-pronged approach to integrating the 22
agencies that form the Homeland Security Department. "In the short
term," Cooper said, "we'll go with whatever we can do quickly
and safely--meaning limit any harm to mission capability and delivery
of service. Longer term, we are moving to simplify and unify our IT world--this
means both integration and replacement with single solutions." In
addition, he said, the first version of Homeland Security's enterprise
architecture should be ready by September.
The department expects to hire skilled IT professionals later this year.
"We're in the process of doing a skills inventory across IT within
the department and hope to be complete this summer," Cooper said.
"This will help us identify skills gaps, and we will then look to
hire. These jobs will be posted on Office of Personnel Management's site
and our dhs.gov site."
Homeland Security is working with the Treasury and Justice departments
to create an integrated wireless network and with Health and Human Services
and Energy to create systems to address biological, chemical, and radiological
threats.
The government is moving to a single identity credential and smart card
for physical and logical access to facilities and computers and their
data.
Answering a question about getting federal, state, and local governments
to collaborate on implementing geospatial information systems programs,
Cooper jokingly suggested bribes. "Seriously," he continued,
"the way forward is a combination of shared objectives and dollars.
We must find common ground that state and local governments need every
day to run their environments that we could use in case of a terrorist
incident. This way we have a win-win for the fed-state-local-tribal governments."
Cyber War Game Tests Future Troops
By Brian Krebs
washingtonpost.com Staff Writer
Wednesday, April 23, 2003; 10:00 AM
In a basement lab littered with computers, monitors and chalkboard diagrams,
14 Naval Academy midshipmen are buzzing about the latest hacker assault
on the computer network they created.
Hackers have penetrated their network and erased a database. But lead
technician James Shey, stifling a yawn, says this attack is no big deal
-- his team saved a backup copy.
Shey has slept a total of five hours out of the last 36. He and the other
future Navy officers have been standing cybersecurity watch as part of
the third annual Cyber Defense Exercise. The midshipmen, along with teams
from the nation's four other service academies, are defending home-grown
computer networks from attack by specialists from the National Security
Agency, the United States's ultra-secretive surveillance and spy agency.
The war in Iraq drove home the fact that the U.S. military is heavily
dependent on sophisticated electronic communications and information technology.
As the Pentagon deploys even more advanced systems, planners are acutely
aware that a hacker could kill more U.S. soldiers with bits and bytes
than with bombs or bullets.
A porous military network deployed on the battlefield, for example, could
allow the enemy to inject misleading information about the location of
allied and enemy forces, leading to friendly fire casualties or an enemy
ambush, said U.S. Army Lt. Col. Daniel Ragsdale, assistant professor of
computer science at the U.S. Military Academy at West Point, and co-founder
of the exercise.
"We are so highly dependent on information technology that if we
don't do the hard work we're doing here, that could soon become a real
Achilles heel for us," Ragsdale said. "A network compromise
in the battlefield means we could be fed bad information, which could
easily cost lives."
Thus the cyber defense program was born to challenge the notion that cyberattacks
are an annoying but non-lethal threat to U.S. forces. Begun at West Point
in the late 1990s, the training program took off in 2000 when the NSA
sent computer scientist Wayne Schepens to the academy. Schepens offered
the services of the NSA's own computer security experts, who regularly
probe the Defense Department's networks for security holes.
The program is specifically a product of the service academies and the
NSA, and is not part of any Pentagon computer security or cyber-warfare
effort.
The exercises are, however, "a microcosm of what's going on in our
military overall today," said John Arquilla, associate professor
at the Naval Postgraduate School.
"Our military relies on advanced communications and technology to
know where the enemy is, and the destruction or disruption of that flow
of information can cripple them," he said. "The information
technologies that make us so strong are also our biggest weaknesses."
This year's exercise took place on closed "virtual private networks,"
rather than on the Internet. Teams of eight to several dozen students
-- mostly computer science majors -- defended their systems against the
NSA hackers from Monday morning to Thursday afternoon. The teams were
based at their respective military academies, while the "hackers"
operated from NSA headquarters at Fort Meade, Md. West Point and the Air
Force Academy competed in the first exercise in 2001. The Naval and Coast
Guard academies joined last year, and the Merchant Marine Academy joined
this year.
As with golf, the winner is the team with the least number of points.
Earning points is bad, because it means the enemy was able to bring down
part of the network or corrupt its contents.
"What you have here is an exercise in battlefield conditions, where
teams were assessed points for any sustained damage to their systems,
with each point considered equal to a loss of life," said Bradford
Willke of the government-funded CERT Coordinating Center at Pittsburgh's
Carnegie Mellon University, which provided the referees for this year's
exercise.
Technological Curveballs
Computer security experts know that the battle against hackers never ends.
To shake things up this year, the NSA changed the ground rules, adding
new twists like insider threats and "injection attacks," where,
for example, teams are asked to shut down the machine running their database
and e-mail servers and find other ways to provide those services within
a given amount of time.
Such tactics force even the most well prepared teams to improvise and
innovate under unforeseen, high-pressure situations, said Midshipman 1st
Class Jessie Grove, the leader of the Naval Academy team.
"Our network went from this big beautiful, complex, super-secure
system to something we were fixing on the fly and hoping we could just
make work," she said.
On Wednesday, the NSA told the teams to disable their firewalls for several
hours at a time. The request came after a period of relatively little
activity from the hackers, which led Midshipman Trevor Baumgartner to
boast that the Navy group's defense technologies had stymied the NSA hackers.
"I thought we were going to be fixing things left and right nonstop,
but [it] seems like they just got tired of trying to hit us," Baumgartner
said.
Thomas Hendricks, a visiting NSA professor at the Naval Academy, chuckled
at the notion that the NSA team used the firewall exercise as a last resort.
The loss of the firewall, he said, exposed an unsecured administrative
account on the Navy's network, allowing the NSA to wreak havoc.
"They were taught -- though I'm not sure how much they listened --
to protect as many layers of the network as possible," Hendricks
said. "This part of the exercise was designed to see how many layers
of protection they had in place."
Some in the Navy group also suspected that the hackers tried to use social
engineering to gain access to privileged information. That is, instead
of relying on their knowledge of computers, they tried to con their way
in.
Midshipman Jason Kolligs said he got a telephone call Thursday morning
from someone claiming to be a "white cell" member at the Coast
Guard team. The caller asked him to send an e-mail to test their message
server, but Kolligs and his teammates refused after agreeing that something
about the call didn't seem quite right.
"I just told the guy on the other end of the phone that our mail
server was down, too," said Kolligs.
Tomorrow's Online Defenders
This year's winning team won't be announced until later this week, but
Willke said that all of the teams exceeded expectations. "From the
folks at [CERT], I was told that the team that finishes last this year
would have won the competition hands down last year," he said.
The Coast Guard and Merchant Marine academies are the presumptive underdogs
because they do not have information security or computer science study
programs. The Coast Guard team members are electrical engineering majors,
and the majority of the Merchant Marine students are majoring in subjects
like maritime business and marine transportation.
Shashi Shah, the Merchant Marine Academy team's director, said he has
been "blown away" by the dedication of his 13-man team, which
prepared for the exercise by attending four days of weekend classes on
information assurance -- on top of their course load. They also set up
metal cots in the school's computer room to have at least one midshipman
manning the battle stations at any time, Shah said.
"I must say I am touched by dedication and devotion of midshipmen
who took part in this exercise, and I know each one of them has learned
far more than they expected," he said.
Many of the program's participants said that they think the training will
help them once they are serving on active duty. Erik Sarson, 22, a West
Point senior cadet from Latrobe, Pa., said he is going into the armored
branch, "but I'll be an important asset no matter where they place
me because the Army is becoming more digitized every day."
After the exercise ended, a handful of midshipmen from the Navy team gathered
around an Xbox video game console to compete in the first-person futuristic
combat game "Halo." Baumgartner and others said they felt confident
they had kept their attackers at bay.
But outside the war room, Hendricks sounded a note of caution, saying
the team may not have spotted all of the NSA's attacks.
"A lot of these schools got a false sense of success last year and
left the exercise thinking they had beat the red team. But it was pretty
bad because the red teams were hardly trying," he said. "This
year, I think most of the schools may have gotten beat up quite a bit."
Information Security: Progress Made, but Challenges Remain to
Protect Federal Systems and Critical Infrastructures
Protecting the computer systems that support federal agencies’
operations and our nation’s critical infrastructures -- such as power
distribution, telecommunications, water supply, and national defense -- is
a continuing concern. Spurring these concerns were the dramatic increases
in reported computer security incidents, the ease of obtaining and using
hacking tools, the steady advance in the sophistication and effectiveness
of attack technology, and the dire warnings of new and more destructive
attacks, according to Robert F. Dacey, the GAO’s Director of Information
Security Issues, who on 8 April testified before the House Committee on
Government Reform, Subcommittee on Technology, Information Policy, Intergovernmental
Relations and the Census. View testimony:
http://www.gao.gov/new.items/d03564t.pdf
April 8, 2003
Former, current Bush officials battle on cybersecurity
By William New, National Journal's Technology Daily
The Bush administration's top information technology official and its
former cybersecurity czar locked horns Tuesday over the need for dedicated
senior officials for cybersecurity.
"I would ask, 'Who is the highest person who does nothing but cybersecurity
in the Department of Homeland Security, and in the [White House] Office
of Management and Budget, and how many people in OMB have that as a full-time
responsibility?'" said Richard Clarke, former special adviser to
the president for cybersecurity. "The answers to those are pretty
frightening."
Mark Forman, associate director for information technology and e-government
at OMB, said the issue was "thoroughly vetted" when the department's
directorate on information analysis and information protection was created.
He noted the intention to nominate Robert Liscouski as Homeland Security's
assistant secretary of infrastructure protection, with the responsibility
for physical and cybersecurity.
Forman said the new department's plan for cybersecurity will become clearer.
He added that the federal government is addressing the issue through the
chief information officers in the department who are being integrated
into cybersecurity activities.
But Michael Vatis, director of the Institute for Security Technology Studies
at Dartmouth College, said, "The worry I have is that if an official
is looking at physical and cybersecurity, cyber is going to get short
shrift."
Vatis, the former head of the National Infrastructure Protection Center
(NIPC), also predicted that it will take more than a year for the department
to get government back to its previous level of cybersecurity. He said
less than 20 of the 300 people from the former NIPC actually moved to
the department as part of that center's transition.
The experts spoke at a hearing of the House Government Reform Technology,
Information Policy, Intergovernmental Relations and the Census Subcommittee.
Clarke said the thought of the federal government's cyber policies "scares
me to death." He and Vatis recommended that the Securities and
Exchange Commission require publicly traded companies to list the cybersecurity
measures they take on the reports they submit to the agency. Then the
companies would get grades from outside auditing firms, he said. That
strategy "had a great effect" amid concerns about possible computer
malfunctions dubbed the Y2K bug, he said.
Clarke disagreed with Vatis' suggestion that such data be made public,
however. Clarke said the focus should be on overall performance, with
breaches confidentially reported to a third party.
Forman resisted the idea, suggesting that market forces, in which customers
seek companies that have taken cybersecurity measures, are sufficient.
Clarke also recommended mandatory cyber insurance for companies, which
he said would require first that the insurance industry set standards.
Rates could reflect cybersecurity actions taken, he said. An actuarial
database would need to be established as well, he said.
Clarke further recommended that Congress act to secure the Internet domain-name
system and the border gateway protocol.
Clarke said cyberattacks are inevitable. "As long as we have major
cybersecurity vulnerabilities that would allow someone to screw up our
economy, then someone will," he said.
Mueller Gunning to Keep FBI in Cybersecurity Cockpit
When the U.S. government’s four primary centers for protecting
cybersecurity moved into the new Department of Homeland Security -- including
the FBI’s National Infrastructure Protection Center -- it seemed certain
the technology’s center of gravity had shifted away from the Justice
Department. Someone forgot to tell FBI Director Robert S. Mueller, III.,
though. In recent congressional testimony, he said cybersecurity ranked
as one of the Bureau’s top three priorities, alongside counterterrorism
and counterintelligence. “We have consolidated and created a new
cyber division at headquarters to manage investigations into Internet-facilitated
crimes,” Mueller testified before a House appropriations subcommittee.
“Forty-seven of our field offices have or will soon have a specialized
cyber squads.” For fiscal year 2004, the FBI is seeking $234 million
for cyber-based attacks and high-tech crimes, an increase of $62 million
and 194 new positions. “These resources will enable the FBI to staff
computer intrusion squads,” Mueller said. The Secret Service, another
new DHS unit, is also expanding its work against high-tech crime in concert
with the CERT computer security incident response center at Carnegie Mellon
University. -Jim McGee
(From the "Congressional Quarterly Homeland Security Daily,"
7 April 03)
March 27, 2003
Creation of cybersecurity post in administration appears imminent
By William New, National Journal's Technology Daily
The Bush administration appears poised to announce the creation of a
position designed to ensure that cybersecurity gets high-level attention,
officials said on Thursday.
Homeland Security Secretary Tom Ridge currently is seeking the best candidate
and the choice "will be coming sometime soon," said Sallie McDonald,
a senior official in the Homeland Security Department division focused
on information analysis and infrastructure protection. McDonald spoke
at an event of the Information Technology Association of America (ITAA).
But it is still unclear whether the new position will be focused on cybersecurity
throughout the government or as it relates to the work of Homeland Security.
Officials stressed that the issue will receive attention at both levels.
"At the department level, we will have a senior-level official working
on cyber security," McDonald said after the event. She said the person
would report directly to Ridge.
At the same time, cybersecurity is getting more attention at the White
House. Paul Kurtz, who is working on critical infrastructure protection
for the White House Homeland Security Council, formerly the Office of
Homeland Security, is "very interested" in cybersecurity, McDonald
said.
A tech industry source said the new Homeland Security Council, as an equivalent
of the National Security Council, has a policy-coordinating role for homeland
security issues. He said Kurtz is to be named a senior director to the
council for critical infrastructure policy and as the special assistant
to the president for critical infrastructure protection.
Kurtz is assembling a team that could include cybersecurity expertise,
the source noted. But industry would like to see a senior adviser for
critical infrastructure protection and cybersecurity at Homeland Security,
too, he said.
Howard Schmidt, the White House special adviser for cybersecurity, is
one candidate who appears to have the confidence of industry and government
officials. "Industry strongly supports Howard as a principal cybersecurity
adviser to Secretary Ridge or the White House," a software industry
source said at the event.
The administration has received pressure from industry and Congress to
separate and elevate its focus on cybersecurity since it eliminated the
position of White House adviser on cybersecurity held by Richard Clarke.
"Just because Dick Clarke left doesn't mean the whole thing's going
down the tubes," McDonald said. Instead, after the transition at
Homeland Security is complete, the administration's ability to address
cybersecurity will emerge stronger. "Just give us time," she
said.
"That's the kind of strong signal I'm talking about," replied
panel moderator Dan Burton, vice president of government relations at
Entrust and co-chairman of the ITAA information security committee.
Sen. Robert Bennett, R-Utah, expressed comfort with the administration's
progress on cyber security. He added that National Security Adviser Condoleezza
Rice is "eminently well-qualified," with a background in cybersecurity,
to give the issue attention at her "very high level," as well
as within Homeland Security.
Republican Reps. Sherwood Boehlert of New York and Tom Davis of Virginia
said they support more cyber-security focus, though not necessarily by
creating a departmental position.
March 31, 2003 - 7:58 p.m.
Nobody Home at Homeland Cybershop, IT Industry Complains
By Jim McGee, CQ Staff Writer
Only two months after President Bush laid out a grand strategy to protect
national computer networks, the cybersecurity industry is complaining
publicly about a lack of leadership by Homeland Security Secretary Tom
Ridge and disarray in his Directorate of Information Assurance and Infrastructure
Protection.
"If a major cybersecurity attack broke out today or tomorrow, who
would you call?" said Harris N. Miller, president of the Information
Technology Association of America (ITAA). "There is nobody in charge,
there is no leadership."
The industry's perception of drift at the Department of Homeland Security
arises from several factors, not least the abrupt resignation of former
White House cybersecurity advisor Richard E. Clarke, a no-nonsense career
counterterrorism official who had served in the Clinton administration.
To the industry, Clarke was a forceful and knowledgeable advocate who
spoke up for their share of the homeland security terrain.
"He really cared about security, so we lost a cheerleader,"
said Bruce Schneier, a prominent cryptographer and expert on computer
security. "What is being done is nothing, and it is unfortunate.
I see a whole lot of posturing and not a lot of action."
Needless to say, the Department of Homeland Security doesn't see it that
way.
David Wray, a spokesman for DHS' Information Analysis and Infrastructure
Protection Directorate, said the department has moved deliberately because
of Ridge's requirement that "we don't lose any functionality"
in the transition of such units as the National Infrastructure Protection
Center from the FBI to a new DHS facility.
In any event, should a ferocious cyber assault be detected, "You
call the same people," he said.
Wray also pointed out that Bush has nominated retired U.S. Marine Corps
general Frank Libutti, most recently New York City's deputy counterterrorism
chief, to quarterback cybersecurity as undersecretary of the directorate.
Robert Liscouski, formerly director of Information Assurance at the Coca
Cola Corp., is already in place as the assistant secretary handling the
cybersecurity account.
Wray acknowledged that DHS favors integrating its cybersecurity operations,
as opposed to having cybersecurity operate "as a stand-alone separate
entity."
Meager and Muddled?
Earlier this month, the industry newsletter SecurityFocus reported that
cybersecurity analysts "worry that only meager funding and muddled
goals remain" of an initiative they had helped get through Congress.
"The biggest concerns we have are not so much about what we know,
as what we don't know," said Will Rodger, public policy director
of the Computer and Communications Industry Association (CCIA) in Washington.
"There are concerns about the sort of inaction that seems to be continually
a problem."
Rep. Sherwood Boehlert, R-N.Y., chairman of the House Science Committee
and a strong Bush administration supporter who fought for the cybersecurity
provisions in the Homeland Security Act, expressed his own disappointment
last week to an industry audience.
"Despite the clear legislative mandate, indeed obligation, to focus
on cybersecurity, DHS does not seem to be organized or funded in a way
that focuses sufficiently on this key vulnerability," according to
a prepared text of his speech.
Beryl Howell, Washington director of the cybersecurity firm Stroz, Friedberg,
LLC, attributes the sense of drift to provisions in the Homeland Security
Act that give Ridge little formal leverage.
Those limitations, she said, make it unlikely that DHS can move the cybersecurity
state-of-the-art much beyond its two most important functions. Those are
the 24/7 vigilance of the CERT Coordination Center at Carnegie Mellon
(which issues security alerts and software patches) and the after-the-fact
deterrence of criminal investigations by the FBI and the U.S. Secret Service.
Hat Trick
"Expecting the newly-created Department of Homeland Security to be
able to pull answers out of its hat is asking too much," Howell said.
"Private sector professionals will bear the lion's share of the responsibility
for protecting our networks from cyber threats."
To be sure, the current grousing comes from just one corner of a crowded
arena of contending political and economic interests. Miller's ITAA, for
example, represents the likes of Lockheed Martin, CACI International,
Inc., IBM and Microsoft, all vendors who would benefit from a surge in
government spending on cybersecurity.
The industry had harbored large expectations. Last year, Congress passed
Boehlert's Cyber Security Research and Development Act which authorized
$900 million for cybersecurity research.
Instead of harvesting newly ripened R&D contracts, however, the industry
faced the barren text of a fiscal year 2003 spending bill that did not
fund the new grants.
In early February, the industry took heart from Bush's national strategy,
which declared that "governments can lead by example in cyberspace
security, including fostering a marketplace for more secure technologies
throughout government."
Thereafter, the White House sent up a fiscal year 2004 budget request
that, according to CCIA's Rodger, steered a modest aggregate of $3 billion
into cybersecurity investments.
"It's really a drop in the bucket," he said.
Nevertheless, the industry took comfort when Bush issued separate but
equal strategies for cybersecurity and critical infrastructure protection,
treating them as distinct realms in the homeland security equation.
To the industry's recent dismay, though, Ridge concluded that the two
sectors are part of the same whole.
"We do not distinguish physical security from cybersecurity,"
he testified March 20 before the House Appropriations Subcommittee on
Homeland Security. Ridge attributed his deliberate pace to the complexity
of cybersecurity and the wealth of competing solutions.
"There's a balancing of many, many factors that we have to make and
decisions we have to make before we start allocating resources,"
he said. "I mean, it's a critical piece of the new department."
Turf Builders
The lack of strong leadership has allowed turf battles to flourish among
cybersecurity units with overlapping missions, Rodger said.
Eventually, he said, the industry will "Knock on DHS's doors, and
say, 'Okay we know you have been busy, but these problems are still out
there. So let's sit down and talk anew about instilling some discipline.'"
In this early grinding of gears, Howell said she sees the continuation
of an old debate over the appropriate role for government in protecting
cybersecurity.
"This is not an easy mission to define and that causes tensions,"
she said. "What power did Dick Clarke have - other than to yell?"
Florida launches cyber security partnership
Florida has launched what it calls the first state-level "partnership
between government and the private sector to address cyber-security issues."
Through the Secure Florida initiative, and its corresponding web site,
Florida residents "can register and receive cyber alerts directly
to their email inbox or as a text message to their cell phone." Florida
Department of Law Enforcement (FDLE) Commissioner Tim Moore said Secure
Florida "allows for better protection of cyber infrastructures across
Florida by reducing our vulnerability and increasing responsiveness to
any threat." In addition to the alerts, visitors to the web site,
www.secureflorida.org, can
view information on "a variety of cyber security subjects including
network intrusions and disaster recovery planning for cyber assets."
The initiative is directed toward small businesses and home computer users,
and is administered by the state Department of Law Enforcement, the State
Technology Office, the Office of Tourism, Trade, and Economic Development,
the National White Collar Crime Center, the Florida Chamber of Commerce,
and private sector groups.
ANALYSIS: The Secure Florida initiative is "a key element of the
Florida Infrastructure Protection Center (FIPC)," which is "charged
with anticipating, preventing, reacting to, and recovering from acts of
terrorism, sabotage, and cyber crime, as well as natural disasters."
In addition to the Secure Florida program, the NIPC also operates a Central
Analysis and Warning Point and a Computer Incident Response Team.
From the Congressional Quarterly Homeland Security Daily, March
20, 2003:
All Quiet on the Hacker Front - So Far
As the United States girded for potential terrorist reprisals for U.S.
attacks on Iraq, a Virginia-based computer security firm reported there
was no evidence that anti-American computer hackers were organizing themselves
to attack U.S. computer systems. “A coalition or drawing-together
of lower-level hacking activity among some pro-Islamic hackers, such as
occurred in part following the Sept. 11 al Qaeda terrorist attacks and
the subsequent creation of the Al Qaeda Alliance Online has not yet taken
place,” Reston-based iDefense Inc. said in a March 17 e-mail to
its clients. But Jim Melnick, director of threat intelligence at iDefense,
said in an interview Wednesday the assessment does not mean that attacks
by independent groups or individual hackers will not occur. The advisory
warned that hackers probably would make at least some attempt to disrupt
military or critical infrastructure computer networks and Web sites in
the United States, Israel, England and Spain if war breaks out. - D.C.
U.S. Heightens Cybersecurity Monitoring
By Robert MacMillan
washingtonpost.com Staff Writer
Tuesday, March 18, 2003; 1:19 PM
The Department of Homeland Security is boosting efforts to monitor the
Internet for cyberterrorist and hacking incidents as the nation readies
for war against Iraq.
The announcement was tied to the department's decision last night to
raise the national terrorist threat level to "code orange,"
indicating a high risk of terrorist attack. The level was raised after
President Bush set a 48-hour deadline for Iraqi leader Saddam Hussein
to leave his country or face a U.S.-led invasion.
"We will continue to monitor the Internet for signs of a potential
terrorist attack and state-sponsored information warfare," Homeland
Security Secretary Tom Ridge said in a press conference Tuesday morning
to announce Operation Liberty Shield, a broad effort to heighten security
throughout the country.
The department said it would work with other government agencies to guard
against cyberattacks, and asked the private sector and Internet users
at large to report "unusual activity or intrusion attempts to DHS
or local law enforcement."
Cybersecurity experts have said during the past several months that an
online attack is more likely as the nation moves toward war.
"The thing that's interesting is that hacking attacks may not do
a lot of damage, but we'll probably see a lot of interest [from] skilled
programmers in the Middle East, China and Pakistan," said Jim Lewis,
director of the Technology Program at the Center for Strategic and International
Studies in Washington. "We probably will see an effort to do something
back [to us]."
Despite the higher possibility of online aggression, the DHS announcement
adds nothing new to the government's cyber-defense measures, said Alan
Paller, research director for the SANS Institute, a security research
and education group based in Bethesda, Md.
"It sounds like what they've been saying each time they raise the
alert level: We're alert, but we're going to be even more alert now,"
he said.
Homeland Security Department spokesman David Wray acknowledged that the
cybersecurity alert is "nothing different than our previous orange
alerts" issued by the agency.
"The whole purpose of a more active, defensive posture is to make
it more difficult to create the kind of mischief or direct harm that could
occur [from an attack]," he said.
There have been no "specific indications" of an attack, Wray
added.
Lewis called the DHS announcement a "feel-good" measure. "[I]t's
something you have to do. It's like on the airplanes when they take off
and they say, 'Does everyone have their seatbelt fastened?'"
Most hackers are often more interested in attention than destruction,
Lewis noted, citing "script kiddies" who might deface a government
homepage with the digital equivalent of graffiti.
More pernicious would be an assault on the Internet's underlying infrastructure.
Last October's denial-of-service attack on the Internet's key root servers
was labeled by some experts as the largest ever.
There have been several recent indications that hacking activity continues
unabated.
Last week, hackers exploited a previously unknown security flaw in Microsoft's
Windows 2000 Server to break into an undisclosed number of U.S. Army computers,
according to TruSecure, a Herndon, Va.-based security company.
The vulnerability resides in one of the Internet's most widely used Web
server platforms. Hackers can exploit the weakness to take control of
an unprotected computer, which then can be used to launch attacks against
other systems. The attack came days after security researchers warned
users to be on the lookout for a new version of the "Code Red"
virus, a worm that first appeared in the summer of 2001 that exploits
other holes in the same Microsoft software.
Much like its predecessor, the new Code Red virus is programmed to spread
for nearly three weeks before "waking up" and directing the
collective power of all infected machines to attack the White House Web
site. The worm is unlikely to do much damage, however, because it exploits
a well-known security hole that most system administrators have already
patched, security experts said.
The government recently consolidated many of its cybersecurity operations
into the newly created Homeland Security Department in an attempt to centralize
its Internet monitoring and protection activities.
Among the additions to the department is the Global Early Warning Information
System, which will use data from the telecom sector to monitor the flow
of Internet traffic. Another project, the Cyber Warning Information Network,
is expected to function as a separate data network that government officials
and the communications industry can use as a hotline in case an attack
takes out the World Wide Web and traditional telephone communications.
washingtonpost.com staff writer Brian Krebs contributed to this report.
(c) 2003 TechNews.com
Expert Says Computer Virus Writers Mostly Obsessed Males
By Jennifer Tan
Reuters
Tuesday, March 18, 2003; 3:17 AM
SINGAPORE (Reuters) - Male. Obsessed with computers. Lacking a girlfriend.
Aged 14 to 34. Capable of sowing chaos worldwide.
That is the profile of the average computer-virus writer, an anti-virus
expert said on Tuesday.
About 1,000 viruses are created every month by virus writers increasingly
intent on targeting new operating systems, said Jan Hruska, the chief
executive of British-based Sophos Plc, the world's fourth-largest anti-virus
solutions provider. "So far, we've seen no indication of decreased
interest in virus writing," Hruska told Reuters in an interview.
"Virus writers are constantly looking for new vectors of infection,
targeting the vulnerabilities of operating systems to exploit them for
their creations," he said.
Hruska said the number of viruses created would continue to climb in the
coming years.
In almost all cases, virus writers were computer-obsessed males between
the ages of 14 and 34 years, he said.
"They have a chronic lack of girlfriends, are usually socially inadequate
and are drawn compulsively to write self-replicating codes. It's a form
of digital graffiti to them," Hruska said.
In January, Welsh virus writer and web designer Simon Vallor, 22, was
sentenced to two years' jail for spreading three mass-mailing computer
viruses that allegedly infected more than 27,000 computers in 42 countries.
EXPLOITING BUGS AND FLAWS
To create and spread cyber infections, virus writers explore known bugs
in existing software, or look for vulnerabilities in new versions.
"With more and more new OS (operating system) versions, there will
be more new forms of viruses, as every single software or OS will carry
new features, and new executables that can be carriers of the infection,"
Hruska said.
Executables are files that launch applications in a computer's operating
system, and feature more prominently in new platforms like Microsoft Corp's
Windows 2000 and Windows XP than they did in the older DOS or Windows
3.1, he added.
Earlier last month, the malicious Slammer worm spread across the globe
in 10 minutes, nearly cutting off Web access in South Korea and shutting
down some U.S. bank teller machines.
The virus, which exploited a flaw in Microsoft's SQL Server database software,
caused damage by rapidly replicating itself and clogging the pipelines
of the global data network.
The next target for the virus writing community could be Microsoft's .NET
platform for Web Services, which involves connecting different computer
systems to do business seamlessly over the Internet, Hruska noted.
Virus writers also share information to create variants of the same infection,
such as the Klez worm, which has been among the world's most prolific
viruses in the last 13 months, he said.
The Klez, a mass-mailing worm that originated in November 2001, propagates
via email using a wide variety of messages and destroys files on local
and network drives.
"The source code for the Klez could have been made widely available
on the Net, and budding virus writers would download the source code,
modify, and relaunch it as a different variant. It's one of those viruses
that refuse to go away," he said.
Network Reliability and Interoperability Council Receives Best
Practices Recommendations
At its quarterly meeting on 14 March, the Network Reliability and Interoperability
Council (NRIC) began consideration of more than 200 "best practices
to ensure the security and availability of the nation's communications
infrastructure," Government Computer News reported. The best practices
recommendations, which will be voted on by the full council on 28 March,
outline "steps to be taken by network operators, manufacturers and
service providers to help with service restoration in the event of man-made
or natural disruptions." The 56-member NRIC "was established
by the Federal Communications Commission [FCC] to bring together leaders
of the telecommunications industry and telecommunications experts from
academic, consumer and other organizations to explore and recommend measures
that will enhance network security, reliability, and interoperability,"
an FCC statement explains.
ANALYSIS: The Council has already approved several hundred other best
practices for securing networks against physical and cyber attack. The
approval of the last set of best practices will mark the end of the initial
phase of the Council's work under its current charter. FCC Chairman Michael
Powell called on the telecommunications industry at the 14 March meeting
to "act to adopt and implement these recommendations to ensure the
viability and operations of our communications services," Satellite
Today reported.
Firms Introduce Network Security Tool Integrating Smart Card,
Biometrics
Three companies announced on 4 March the availability of "the first
high-security logon solution to combine biometrics information with Smart
Card technology." Sun Microsystems, AC Technology, and Cross Match
Technologies each donated technologies to the security solution. According
to Government Computer News, the BiObex system "incorporates Sun
Ray, a smart-card technology developed by Sun for system hopping; AC Technology's
Biometric Access Control System, a Java-based enrollment software; and
Cross Match's Verifier E, a high-resolution fingerprint scanner."
ANALYSIS: According to GCN, "two intelligence agencies are testing
[the] network access system." The layering of security technologies
for information technology systems, as in the BiObex system, as well as
physical security, has become more common in response to increased incidence
of cyber attacks and the terrorist attacks of 11 September 2001. More
of these layered security solutions are likely to include combinations
of biometrics and smart card technologies in the future as these types
of technologies become more widely available at a lower price, and the
infrastructure to support them becomes more