DHS Cybersecurity: The Interactive Nightmare

The lead defender in protecting the critical infrastructure is the Department of Homeland Security, a collection of 23 agencies that began operations in January 2003.

Yoran disagrees about the access issue. "I'm there [at the White House] at least once a week, more frequently twice a week. I can assure you cybersecurity has visibility at the most senior levels of the White House and has their attention. Folks who've spent time in Washington know it's very clear the White House doesn't have an operational role. Actual operations take place in the agencies. Placing cybersecurity in DHS very clearly demonstrates we're in the implementation phase of the national strategy," he says. Lewis concurs. "Cybersecurity only makes sense if it's integrated into the larger critical infrastructure strategy. They did the right thing by putting it in Liscouski's group," he says.

Is the National Strategy Sensible or Toothless?

The National Cyber Security Division has a smorgasbord of responsibilities as it continues ramping up. It's tasked with responding to major incidents, conducting cyberspace analysis, improving information-sharing, issuing alerts and warnings, and aiding in national recovery efforts. The division is also charged with implementing the Homeland Security Act of 2002 and the National Strategy to Secure Cyberspace. In announcing creation of the division last June, Ridge said that its work would focus on "the vitally important task of protecting the nation's cyberassets so that we may best protect the nation's critical infrastructure."

The strategy document, like many of the things associated with DHS, has its share of passionate supporters and critics. It lays out five critical priorities:

  • Developing a national cyberspace security response system
  • Developing a national cyberspace security threat and vulnerability reduction program
  • Developing a national cyberspace security awareness and training program
  • Securing the cyberspace of all levels of government
  • Assuring national security and international cyberspace security cooperation

In fall 2002, Clarke was set to release the document at a Stanford University ceremony. But before the release, the strategy was put on the back burner. Lobbyists for businesses likely to be affected by the report (including those in the software, security and telecom industries) had successfully squelched certain provisions in earlier drafts. One, for example, called for ISPs to provide users with personal firewalls; another mandated improved wireless security. When the strategy was finally released in February 2003, some complained it had been left with little bark and even less bite. Its main cornerstone was that cybersecurity should, for the most part, be left to the private sector. While business generally applauded the strategy, many security experts derided the reliance on voluntary action as a capitulation to powerful lobbying interests.

Clarke defends the strategy. Referring to those who think it lacks teeth, he says, "That's kind of a trite criticism. People who say that, one assumes, are advocates of government regulation. If there is one-size-fits-all government regulation on cyberspace, you'll have a least-common-denominator solution. Over time, that won't work. Hackers and other criminals will work their way around whatever homogenous solution you come up with."

Schmidt points out that the government sought plenty of input from around the country. "We did 12 town meetings. We met with the public, CEOs, home users and security technicians. Never before had [a strategy] been vetted so thoroughly." Like Clarke, Schmidt says the result was "a good, balanced approach to the problem."

Paller begs to differ. "It lacks teeth," he says simply, noting that between the first and final drafts, most of the good ideas were lost. "That was the pinnacle of the business power movement in cybersecurity, the last editing of the plan," he says. "The specific proposals—the 'we will' and 'you must'—disappeared."

Assessing the Threat

How vulnerable is the United States to a massive cyberattack on its critical infrastructure? What are the bad guys zeroing in on? "It's absolutely feasible for a massive attack to take out huge segments of the Internet," says Paller. But he adds that the probability of that happening is pretty low. One reason, he says, is that the bad guys earn a living from cybercrime. Taking down the Net would damage their lifeblood, the digital hand that feeds them. Paller thinks a more likely event would be on a smaller scale, such as taking out the electrical system in some areas.

Tom Longstaff, manager of survivable network technologies at the CERT research and analysis center, is currently focusing on how to look at sensors all over the nation's computer networks to see what kinds of problems are lurking there. The biggest threats he sees fall into two categories. The first is aimed at the Internet itself. "We're seeing attacks targeting specific points in the infrastructure, not necessarily to bring it down, but to control it. These kinds of attacks focus on the mechanisms that make the Internet work," he says. One kind of attack he's seeing more of targets domain name services, undermining trust that the typed URL will bring a user to a legitimate webpage, or that an e-mail will actually go to its intended recipient.

The second worrisome category of attacks involves the interfaces between the cyber and physical worlds: Scada (supervisory control and data acquisition) systems and other process control systems that connect to power grids, gas lines and manufacturing plants. Longstaff notes that in the past, these sorts of physical systems weren't well connected to the Internet. Now, though, as companies have cut personnel and installed technology to make them more automated and efficient, the physical components of the critical infrastructure are much more vulnerable to cyberattack. "There are small computers in the field or in a manufacturing line feeding into larger computers [that] feed into business computers that are connected to the Internet.... In some cases the security is very good. But that's far from the industry standard," he says.

Schmidt sees a huge challenge in trying to understand the interdependencies that exist where electronic networks interface with the physical world. When the Slammer worm hit in January 2003, for example, people couldn't get cash out of some ATMs that connected to back-end databases compromised by the worm. Schmidt worries that the relationship between the cyber and physical infrastructure isn't well understood. He recalls that when he used to ride the train between Washington and New York, he took notice of a bunch of nondescript brick buildings along the tracks in Philadelphia. When he asked local law enforcement officials what they were doing to secure those buildings, he was told, "We're not doing anything. Nobody wants to break into those; they're just computers."

Carrot or Stick?

Last December, DHS, along with four business associations (the Information Technology Association of America, Business Software Alliance, TechNet and the U.S. Chamber of Commerce), organized a National Cyber Security Summit in Santa Clara, Calif. Some 350 people from government, academia and industry attended the closed event. Working groups were formed to deal with establishing a cybersecurity early warning system; developing technical standards and common criteria around information security; making management of cybersecurity an integral part of corporate governance; creating better security awareness among home computer users and businesses; and increasing security in software development, installation and patch management.

This sort of private-sector outreach is part of DHS's mission, which emphasizes building a strong public-private partnership to tackle cybersecurity. But all wasn't lovey-dovey in Santa Clara, according to Dan Burton, vice president of government affairs for Entrust, a digital identity security company. DHS's Liscouski delivered a stern message to the attendees. "He basically said we're at war. Industry is not doing enough, and we have no qualms about going to Congress and passing legislation to change [industries'] ways. It was a broadside toward industry at large," Burton says.

"That's not the best way to come across to the [private] sector," says Suzanne Gorman, who chairs the financial services ISAC and attended the summit. But with viruses, worms and other attacks sure to continue—and likely become more destructive—DHS seems to be delivering a not-so-subtle message: Industry secure thyself, or we'll start lighting fires under your feet. The five working groups delivered reports last month, and another summit is planned for September. If DHS determines then that enough progress hasn't been made, businesses may hear unpleasant news from Washington.

Waiting in the wings on Capitol Hill, and casting a keen eye on the task forces' progress, is Rep. Adam Putnam (R-Fla.), the youngest member of Congress. Last fall Putnam, who chairs a House subcommittee on technology and information policy, drafted legislation (the Corporate Information Security Accountability Act of 2003) that calls for companies to disclose annually to the SEC an audit of how they're doing on information security. Compliance with Putnam's legislation could involve performing independent corporate security and risk assessments, and developing risk-mitigation, incident-response and business-continuity plans.

Putnam circulated the draft for feedback from industry and other groups. Not surprisingly, it generated a number of concerns, including the view that more regulation isn't the answer. According to Bob Dix, the subcommittee's staff director, Putnam listened to the private-sector feedback and decided to hold his legislation in abeyance for a period of time. Putnam, Dix says, challenged corporate America to come up with an alternative approach to "meaningfully move the ball down field to get significant improvements." In the meantime, Putnam and his staff assembled a working group from the private sector and academia to report back to him on ways that corporate information security can be improved. His report was due out around the same time as the findings from the Cyber Security Summit working groups.

While Putnam sees regulation as a last resort, Dix implies it's up to the private sector to take action. "The potential for a combined cyber and physical attack is frightening," he says. "We have reason to believe there are vulnerabilities that exist in the critical infrastructure that need to be addressed now."

Copyright © 2004 IDG Communications, Inc.
