The PC Support Source
The PC Lifesaver Since 1992


Why Are We Ignoring the Next 9/11?

Opinion: Christopher Cooley - President

Background

Sometime during my first encounter with viruses in the late 80's, one of my colleagues remarked that a tiny program of less than two lines of computer code was enough to permanently destroy all the data on any computer. "But I doubt if a hacker would ever be so incredibly malicious," we both concurred, but that offhand remark has remained in the recesses of my mind as an object warning that if it could happen, then someday it actually might. Needless to say, the audaciousness and sheer brutality of 9/11 have given me plenty of pause anew. I'm by nature an optimistic realist, but events of late have forced me (and all of us) to seriously consider the once unthinkable as now possible or even inevitable. To do otherwise has been shown to be folly. Unfortunately, events unfolding in Washington may be leading us there all over again.

On Oct. 1st, 2004, Amit Yoran resigned with one day's notice as director of the National Cyber Security Division of the Department of Homeland Security. His departure frames a debate which is eerily reminiscent of the period preceding the attacks on 9/11. The same disorganized resources, misplaced priorities, and lack of focus that contributed to the September attacks are happening now within the NCSD. Just months after the 9/11 commission issued its damning post mortem, the whole scenario may be playing again - this time with our Cyber-Security.

While Yoran maintained that his mission was accomplished and all was well, his hasty departure was ample evidence that all was indeed not well with his division at the DHS.   

One of Yoran's main tasks was to implement recommendations in President Bush's "National Strategy to Secure Cyberspace," initiatives that relied heavily on the private sector. He was also responsible for the establishment of the U.S. Computer Emergency Readiness Team (US-CERT) to coordinate national and global initiatives to thwart computer network attacks.

From the beginning, industry officials pushed for the director to be ranked as assistant secretary, answering directly to Secretary Tom Ridge, but the position wound up several steps down, in a job that answers to Robert Liscouski, assistant secretary for infrastructure protection. The division has a staff of just 60 and a $69 million budget this year.

"There was a sense it was essentially a powerless position," said Kevin Poulsen, news editor at SecurityFocus.com. "In an age of physical terrorism and real-world threat, they're not giving cyber-security much attention."

So Yoran had a heavy mandate, but no title and attendant authority to get things done - both of which mean everything in Washington. 

Yoran's departure prompted some members of the House to attempt to elevate the position, but as of this writing the effort has made no headway. Even if it does, there is little evidence that any initiatives to prioritize Cyber-Security issues are likely anytime soon. The reason is that nobody seems to agree on the extent of the threat, and that there are fundamental disagreements on how to deal with it. In the meantime, the clock ticks.

How real is the threat? 

The assessment of the threat of cyber-terrorism largely depends both on where you stand on the nature of what terrorism is and on where you stand on computers in general. In general, computer people tend to emphasize the risks, and non-computer people to dismiss them. Similarly, agencies like Yoran's NCSD prioritize it, while "boots on the ground" agencies like the FBI and most law enforcement see their priorities as 9/11 types of attack. As it is with the debate on terrorism itself, the range and extent of the threat aren't really understood until the attack itself happens, so speculation is rampant on either side. A few things are clear, however.

  • Critical systems of our defense and infrastructure are vulnerable to hacking. Virtually every large-scale attempt instituted by government and private sector security teams (so-called red-hat hackers) to probe and gain entry to the systems that they are testing has succeeded.

  • A blended threat - where a physical terrorist attack is coupled with an attack on the electric grid, 911, or other electronic emergency response resources - could enhance the attack's potential for devastation by many orders of magnitude.

  • A major cyber-terror attack carries the potential for disastrous effects on the national economy. The Slammer worm of Jan. 25th 2003 hit over 60,000 servers throughout the business and financial community in less than 10 minutes, taking ATMs and huge sections of the worldwide internet and financial community offline. The ultimate cost of over $1B was considered cheap compared to $9B (Klez), $8.8B (LoveLetter) and $2.6B (Code Red). Many in the government and business community argue that while those costs are high, they in no way constitute a real risk to our national security. It is absolutely critical to understand, however, that none of these threats has yet carried a destructive payload. Remember that two line program I started with? Loading a patch to fix 60,000 servers is one thing. Finding all 60,000 with their data completely erased is something else altogether. In addition, every threat model we have dealt with so far has had single attacks of one variant coming one at a time. A concerted, well-coordinated effort could very well be much larger, with multiple attacks on multiple targets, and include subterfuge (such as is used in real-world tactics of multiple bombs timed to kill early responders).

How Are We Proceeding?

The solutions side of the question is not only framed by the viewpoints set out above, but adds the political aspect as well - the government vs. private sector debate. The current administration is committed to working with private industry to plug security leaks, and letting market forces dictate security for what it sees as predominantly a private sector enterprise. Proponents of more government intervention point out that the internet itself is a national security priority, and that security regulations that may be inevitable should be enacted now, before the devastating attack that will eventually mandate them. Amit Yoran resigned in response to the gridlock that has essentially tied the hands of the NCSD.

Essentially the government says private industry will act in its own interest to protect its systems, and thus protect the Internet overall. After all, the loss of these systems is potentially devastating to their interests, so why wouldn't they? Sounds good, and the vast majority of companies place security high on their list of priorities. On paper. In truth, when it comes to the bottom line in the real world of corporate budgeting, security gets a very low priority. After all, that $1B for Sasser was distributed across thousands of companies, right? Trying to plan for some as yet unknown disaster that may or may not happen doesn't cut it on corporate balance sheets. Some market forces are emerging, as more and more insurance carriers drop data protection or raise premiums for it, but most are based on existing actuarial models, and not on what could happen. So essentially, the market forces wait until the next attack does come, and will respond after that.

Advocates of an intervening cyber-security policy say this approach is not only fundamentally flawed, but actually poor governance. They argue the government's first priority is protecting its citizens from potentially devastating attacks before they happen, and this qualifies mightily. Proposals range from prioritizing resources and authority of NCSD, to product liability class action suits for security violators like Microsoft, to mandated encryption and other draconian measures.

Both agree that a public-private partnership is absolutely essential to solve the problem, as it is not bound solely to one or the other. It affects both, and both should be accountable. But if nothing changes in the current climate, when the big attack comes, both will blame each other and neither will accept accountability.

How Should We Proceed?

As in any task management, the question of "what will it cost not to do this" should first set our national priorities. As in the case of physical terrorism, we have to ask what if the worst case happens. The worst case for nuclear proliferation is a bomb in one of our cities. The worst case in cyber-terrorism? A sophisticated and merciless attack like 9/11 could do anything from paralyzing our economy to launching missiles. It is a great unknown. And as such it should be considered a great threat. So, what to do?

  • Take this threat seriously, and treat it as such. Prior to 9/11 the debating society within the government went on and on as Osama Bin Laden prepared to strike. Give cyber-security the resources, authority and priority commensurate with the threat now, before we are doing yet another post mortem on why one agency or another is to blame. We are currently re-organizing the defenses for terrorism so there is centralized authority to coordinate and act. Do the same with the other fiefdoms throughout the government authorities to create centralized command for securing all government systems.

  • Don't be naive about the role of good government in protecting the people and the resources of the country regarding the internet. It is critical to set national security objectives to protect national interests. The market-based model doesn't fit here, and no amount of rhetoric will make it so. Insurance premiums go up after hurricanes, not before them.

  • The public-private partnership needs to run both ways. Currently, information the government culls from business on the quality of service and security of networks is a one-way street with little incentive for business to share information. Ways need to be found to share information while still protecting sensitive corporate secrets, and vice versa. In short, both must see a benefit to cooperation, on this and other joint issues.

  • Benchmarks and timetables for very specific action need to be set, just as in any good business plan. Policy goals and vague guidelines won't cut it. Once the targets are established, hold all parties accountable. This means putting teeth in the agreements - whether the violator is Microsoft or Michigan. We do the same with polluters who jeopardize our air and water, why not those who jeopardize the jewel of our national economy?

  • Don't assume the best ideas can only come from the captains of US industry and government. Everyday people working in the industry around the world can provide valuable insight into the means and methods emerging on the streets, schools, and internet cafes from Peoria to Pakistan. And just as it is with espionage, even the anarchistic hackers and crackers can be valuable resources if handled with care.

Yes, this sounds like a lot of work and effort. Given the polarized climate of today's politics it may seem like a Sisyphean task. But everyone should take notice and get started anyway. This should be a national priority. If there is conflict and debate, that's fine. The more the better, because great debate demands personal investment, and investment leads eventually to commitment. Then somewhere in this messy process solutions arise and action gets taken.

The alternative is to wait and do nothing. And when it's over, everyone will remember exactly where they were, and just what they were doing - when those two lines of code hit us.   

Copyright © 2010 The PC Support Source, Inc. All rights reserved.  

 

   
