U.S. cybersecurity due for calamity?


It's safe to say that a large-scale cybersecurity calamity will occur, just as hurricanes, earthquakes and terrorist attacks torment the people of the planet earth. Mini security calamities hit computers almost every day in the form of worms and other vulnerabilities. Although enterprises are getting better at handling the daily deluge, the U.S. response to a large-scale cyber attack would be about the same as FEMA's grossly inadequate response to Katrina, according to an article by news.com's Declan McCullagh and Anne Broache. "The nation is applying Band-Aids, rather than developing the inherently more secure information technology that our nation requires," said Ed Lazowska, a computer science professor at the University of Washington who co-chaired the president's Information Technology Advisory Committee. The DHS has a lot of battles to fight, including many organizational, internal and political conflicts, and cybersecurity gets lost in the shuffle. We'll suffer a major cyber meltdown, and then we'll have investigations and hearings to find out what went wrong. In this case, real weapons of mass disruption do exist, and there is no excuse for not doing more than applying Band-Aids.

  • Do what exactly?

    The truth is that when you have hackers and spyware makers laughing at law enforcement the problem is not in the software/hardware.
    • And...

      ...when you have a large segment of the IT community itself applauding the malware writers as 'public heroes' and proclaiming that users 'deserve what they get', it's hard for law enforcement (or public officials) to take the problem seriously.

      Carl Rapson
      • I know of no professional that agrees.

        Yes there are a bunch of wannabe professionals here making these silly posts but in all of my clients not a one agrees with what you said. Most of them think a public beating should be the starting point for hackers and spyware writers.
        • Yep

          I have to agree with Ax on that one. Most of the IT staffers that I speak with would like to do to hackers and spyware writers what the characters did to that fax machine out in the field in Office Space.
        • Hackers are similar to common vandals and ....

          should be treated as vandals or in some cases thieves. In a perfect
          world there would be no need for security of any kind, but as
          everyone knows we don't live in a perfect world.

          Do you think that caning and flogging might be appropriate?
          • No

            "Do you think that caning and flogging might be appropriate?"

            Not if they put it on TV and called it, "World's Wackiest Hacker Butt Whoopings". Now that's reality TV I might actually watch.
        • I know of no professional that agrees.

          Actually they should be placed in jail. Left there for life and the doors welded shut. And not let out for illness. They should be given one cup of water a day; and one piece of bread a day.

          The only time they should be let out is when the undertaker comes to get the body.
    • And your solution is?

      I didn't see it.
  • Since today's Internet is no longer

    of the same design as the original, it is very open to calamity. Large ISPs are having to curtail its usefulness by blocking ports to try to clean it up. This shows how truly unmanageable the Internet has become. It wouldn't take much to bring it to a total standstill. Take out a few backbone routers and it drops like a rock.

    This won't happen as long as the "bad guys" are harvesting data. They don't want it to go down. But when they can no longer or no longer wish to harvest data, the Internet will be at their mercy.
    • US Law enforcement can't do it.

      They can't do it because they don't have jurisdiction and fortunately we don't have a world Government. No police force in the world can do it on their own and it's even difficult for organizations like Interpol to catch the internet criminals.

      Part of the problem is that the internet itself was not designed with security in mind. It was assumed to be a hostile place where anyone who connected would look after their own security. While the internet was primarily in the control of the academics this worked quite well. Since then much has changed except the internet, it is really a hostile place, brought about by not having robust protocols and built-in security.

      As mentioned, many ISPs have closed ports in an attempt to reduce the risks; this inconveniences many users and takes away part of what we expect from the internet. One example I am sure we all know is port 25 smtp; there are many ways that ISPs could have avoided closing the port and limited the risk. However, closing the port is by far the cheapest current solution. The real solution would be to rework smtp with proper built-in security, which would guarantee end to end authentication. Not an easy task, even creating the "better" system. Then you have to deploy it and take down the old.

      All that inconvenience and it will still probably have problems.
      • We could always

        treat cyber attacks originating from other countries as direct hostile action by that country. The fact is while people compared hackers to thieves I would submit they are more akin to terrorists who attack people at random just because they can. We should treat the countries that allow this kind of behaviour as hostile and apply such force as needed to get them to see the error of their ways.

        This isn't a technology problem, it's a people/government issue.
  • But Americans don't want cybersecurity!

    They want ease of use, point and click and easy solutions! When was the last time you heard someone say 'I want mandatory access controls' or 'I want process isolation' or 'I want my applications to run slowly and have massive security auditing'? Americans don't mind the rest of the world laughing at them for being so lax that one can get all sorts of records on individuals (financial, etc.). Americans would be lost without Windows based malware and viruses, they just love to whine and give lip service to security rather than force their software makers to make hardened and secure systems!
    • Nice...

      ...stereotyping. I'm sure that 100% of Americans are exactly like that. In a country of over 250 million people, there are none who think differently. Aren't Americans the ones who are criticized for stereotyping the rest of the world?

      Using that same logic, all Europeans are exactly alike, and all Africans are exactly alike, and all Muslims are exactly alike, and ...

      Carl Rapson
    • So why is *nix being hacked so much.

      Or are you trying to suggest that records for millions of credit cards and bank transactions are only stored on Windows machines? I think you should do some homework for making such silly statements...
      • Americans appear to want lax security on both platforms!

        Some 'hacker' out of St. Petersburg, Russia, writes a piece of code that attacks microsoft.com (think back if you don't remember this) and all that Americans do is give lip service to security and nothing is done. Europeans laugh at the lax security, Americans take it in the a$$.

        Some lazy admin doesn't harden his externally visible *nix box and it gets hacked. This makes the news but will the admin (or the institution running the host(s)) go to any lengths to harden the system if it means making it harder to use (and thus more secure) from an administrative or remote user perspective? Most likely it will not happen.

        History says I am correct and you are just part of the problem (based upon your response).

        The machines that are getting hit are servers, the deployment methodology for a DoS attack is by using multiple people's Windows PCs (usually) or exploiting bad security practices on either Windows or Unix based systems.
      • Some are ...

        but the zombot armies that are used for DOS attacks on all platforms sure are not *nix boxes!!!
    • Point & Click != Buffer overflow

      Easy-to-use software and Hard-to-crack software are not mutually exclusive. In fact, one has nothing to do with the other. Good code is good code and bad code is just bad. It has nothing to do with ease-of-use.

      Unix and Linux machines have their fair share of hacking incidents. The mega-patches coming out of Apple are starting to make Microsoft look good. These are facts that cannot be disputed.
      • Security is a process!

        George, I would expect that you understood that!

        I have pointed out that (even today) people don't ask for security, they ask for ease of use and low user overhead. There are many ways to make a system secure (beyond just closing ports, installing a firewall and other 'cute' software). The standard Unix security is called a DAC (Discretionary Access Control) and is not anywhere as secure as a MAC (Mandatory Access Control), RBAC (Role Based Access Control), TE (Type Enforcement) or process isolation (jails).

        The average user and many corporations don't bother with this (which is security) and rather opt for easy to use and simple solutions. Occasionally they will go for something like CheckPoint Firewall-1/VPN-1 (for businesses) or Cisco PIX, perhaps a distributed IDS, but that is only part of making a system secure. There are 7 stages to security and this is not a prepackaged point-and-click solution!

        Much of this has to do with a lack of security knowledge by those that are chartered to take care of security and vast security ignorance by the majority of users (especially Americans). Point-and-click security is more generally aimed at people with very limited knowledge and skills as far as security is concerned! The platform does not matter in this, they just don't have the required skills or motivation!

        Thus security becomes a reactive rather than proactive process. Rather than dealing with audits, checking logs and actually doing the work required to make something secure (7 steps), they go after something that is 'plug-and-play', set it and forget it until something happens that requires them to get off of their lazy a$$es!

        If you worked for me and tried half the crap you usually pontificate about here, I would fire you for incompetence and find someone who actually took security seriously!
        • I never suggested not using least privilege rights

          I ALWAYS tell people to go in to non-admin mode. If not non-admin mode, I tell people to use a utility called Drop-my-rights until Vista comes out with limited user rights support.

          If you need to make up things I didn't say to shove in my mouth, you don't have a leg to stand on. All you're doing is changing the subject and not addressing the point that good security is not inversely related to ease of use. It can even be argued that good security is harmed by a difficult user interface since no one can make use of it.

          P.S. I don't work for you.
        • Thinking is a process too

          "I have pointed out that (even today) people don't ask for security, they ask for ease of use and low user overhead."

          Yes and I am sure it is ONLY Americans that ask for this. Systems get hacked worldwide and not just in the United States.