In Depth

DHS Cybersecurity: The Interactive Nightmare

The lead defender in protecting the critical infrastructure is the Department of Homeland Security, a collection of 23 agencies that began operations in January 2003

By Todd Datz

Clarke defends the strategy. Referring to those who think it lacks teeth, he says, "That's kind of a trite criticism. People who say that, one assumes, are advocates of government regulation. If there is one-size-fits-all government regulation on cyberspace, you'll have a least-common-denominator solution. Over time, that won't work. Hackers and other criminals will work their way around whatever homogenous solution you come up with."

Schmidt points out that the government sought plenty of input from around the country. "We did 12 town meetings. We met with the public, CEOs, home users and security technicians. Never before had [a strategy] been vetted so thoroughly." Like Clarke, Schmidt says the result was "a good, balanced approach to the problem."

Paller begs to differ. "It lacks teeth," he says simply, noting that between the first and final drafts, most of the good ideas were lost. "That was the pinnacle of the business power movement in cybersecurity, the last editing of the plan," he says. "The specific proposals—the 'we will' and 'you must'—disappeared."

Assessing the Threat

How vulnerable is the United States to a massive cyberattack on its critical infrastructure? What are the bad guys zeroing in on? "It's absolutely feasible for a massive attack to take out huge segments of the Internet," says Paller. But he adds that the probability of that happening is pretty low. One reason, he says, is that the bad guys earn a living from cybercrime. Taking down the Net would damage their lifeblood, the digital hand that feeds them. Paller thinks a more likely event would be on a smaller scale, such as taking out the electrical system in some areas.

Tom Longstaff, manager of survivable network technologies at the CERT research and analysis center, is currently focusing on how to look at sensors all over the nation's computer networks to see what kinds of problems are lurking there. The biggest threats he sees fall into two categories. The first is aimed at the Internet itself. "We're seeing attacks targeting specific points in the infrastructure, not necessarily to bring it down, but to control it. These kinds of attacks focus on the mechanisms that make the Internet work," he says. One kind of attack he's seeing more of targets domain name services, undermining trust that the typed URL will bring a user to a legitimate webpage, or that an e-mail will actually go to its intended recipient.

The second worrisome category of attacks involves the interfaces between the cyber and physical worlds: Scada (supervisory control and data acquisition) systems and other process control systems that connect to power grids, gas lines and manufacturing plants. Longstaff notes that in the past, these sorts of physical systems weren't well connected to the Internet. Now, though, as companies have cut personnel and installed technology to make them more automated and efficient, the physical components of the critical infrastructure are much more vulnerable to cyberattack. "There are small computers in the field or in a manufacturing line feeding into larger computers [that] feed into business computers that are connected to the Internet.... In some cases the security is very good. But that's far from the industry standard," he says.
