Nation's infrastructure far from secure

Robert Lemos | December 2, 2002 1:59 PM PST

Summary

Q&A Cisco Systems executive Ken Watson, president and chairman of the Partnership for Critical Infrastructure Security, says the nation's critical services need fixing.

Ken Watson, who once piloted jets off aircraft carriers, now finds himself on the front lines again--this time helping to marshal the battle to secure the United States against future cyberattacks.

The 23-year Marine veteran--and current Cisco Systems executive--is president and chairman of the Partnership for Critical Infrastructure Security, an 80-company organization that identifies vulnerabilities in the private sector's cyberinfrastructure. His conclusion so far: In this escalating arms race, the nation's critical services are far from secure.

How well are we moving toward securing the nation's infrastructure?
We have made a lot of progress, but it is an arms race. I don't know when the next attack is going to be. I don't know when the next breakthrough in defenses is going to happen, but everyone I have talked to in the infrastructure sectors is aware of the issue and is motivated to do everything they can to not only protect themselves, but also protect our country and other countries of the world.

What are the biggest security issues facing the Internet and the nation?
The Internet knows no borders. This is not just a national problem; it is an international problem. We are working together to try to raise the bar for security worldwide. The U.S. government knows this, but it is a paradigm shift for them. And it is difficult institutionally for the U.S. government to think globally when they are talking about their own national security. We think that the formation of the Department of Homeland Security is going to help a lot because it will provide focus.

How so?
One division is dedicated to information analysis and infrastructure protection. That'll help. And if you look at the structure of the draft national strategy (the Bush administration's "National Strategy to Secure Cyberspace" document), you'll see there is pretty strong global emphasis there, too. So thinking globally is a challenge that we are overcoming, both on the national front and with industry.

As far as industry and government, there is a definite business case for industry to be involved and there's a definite national security interest. This is the first national security issue that the government can't solve alone. The Department of Defense can't defend against a cyberattack on a power plant in Omaha. They just don't have the tools; they don't have the access. They don't have the authorization--sometimes they don't even have the intelligence because the attacks appear in corporate networks before the DOD or intelligence agencies are even aware it's going on. There is a real mandate for cooperation. Businesses are beginning to understand that (they) may represent the first line of defense against an attack on the country, because all the interconnectedness and all the interdependencies show that businesses may be prime attacks. After all, al-Qaida attacked the World Trade Center, which is a financial center. And that was not the government.

Because the majority of the Internet is hosted and used in the United States, can we take charge and at least secure our own territory?
The initial focus is U.S.-centered; at least as far as the U.S. government is concerned. Already, it is pretty successful. They have outlined strategic areas to think about: research; work force development, education and training; awareness; and incident response coordination and information sharing. All of those areas are being pursued. We are beginning to reach out to Europe and the Far East because they also have significant interest in this area. So the dialogue is beginning there, too.

We have recommendations suggesting that certain infrastructures be more secure. Do you think we need certifications and regulations, or will the hands-off approach work?
I think the hands-off approach will largely work. I really do. And we think it's forward thinking of the government to eschew new regulation. It's not being vendor-friendly; it's the best way to solve the problem. Dick Clarke (President Bush's special adviser for cybersecurity) has said many times that he thinks regulation would be too slow and actually wrong when it's implemented to solve problems that can largely be solved by the market. On the other hand, I don't think the market can provide a 100 percent solution. But it is up to us to work with the public-private partnership to identify how much the market can provide and where the remaining gap's going to be that will have to be either (incited) or funded by the government to finish.

When you talk about certification (of information-security workers), there is a real need for standards. There are several companies in the insurance industry that are providing information-security protection products but they don't have any actuarial data to stand on. So they are out on a limb a bit, taking a risk of their own to provide that kind of insurance product to industry.

Do you think that over the next few years we need to develop a standardized way of looking at security? Do you think it is even possible?
I think it is possible. I wouldn't characterize it as a standardized way of looking at security. I would characterize it as a set of industry-based system standards.

We have had defacements galore, the DNS (domain name system) root-server attacks, worms and denial-of-service attacks. Do you see the threats getting worse before they get better?
Old attacks never go away. There are new attack types. People get more and more sophisticated and the attacks are easier and easier to use. You can type some keywords in your browser and pull down point-and-click hacking tools, if you like. Some of them are illegal, depending on how you used them, but I think the number and types of attacks are going to increase, and they are going to increase in complexity. We are really in an arms race, building defenses and trying to figure out how to identify attacks in progress and respond quicker than we have in the past.

There has always been talk of dire attacks, such as "digital Pearl Harbor." Do you think we will see something like that before we get secured, or can we move fast enough to secure the infrastructure?
That's really hard to answer. You are basically asking me what keeps me up at night. And to answer that, I wouldn't say this is going to be the mother of all attacks. Who knows what they are going to try? You saw that even the attacks on the top-level domains didn't have much of an effect. I think they demonstrated the robustness and resiliency of the Internet in general.

The worst threat is a combination of a physical attack and then a cyberattack that would disable the response. So if there was another horrendous bombing attack and then someone disabled 911 emergency responders or screwed with the traffic lights, that would be a pretty significant nightmare scenario.

But we are working as hard as the bad guys are. And the fact that we have a dialogue, cross-sector with the PCIS (Partnership for Critical Infrastructure Security), and each of the ISACs (Information Sharing and Analysis Centers) is becoming more mature in its trending and analysis, keeps us better able to respond.

The national plan under President Clinton and the national strategy under President George W. Bush have both emphasized education and research. What dividends do you expect to see from those initiatives in the next few years?
I have always said that the two strategic areas in this field are research and education. If you look at what we call the (technical) skills gap, it keeps getting wider. All the training and education programs in the world can't produce enough highly qualified individuals to meet the demand. And that's true for networking in general and it's even more true for security. So the government getting out in front and providing a cybercore scholarship program and working with the NSA (National Security Agency) to identify centers of academic excellence and information assurance education is really helpful.

On the research side, we think it's a great idea that the National Infrastructure Simulation Analysis Center, the NISAC, is going to be involved with the new Department of Homeland Security. Interdependency modeling is probably one of the two top research topics that we need to address. If you understand the interdependencies--the nodes that cross bounds between, say, the electric power sector and the water sector and railroads and the banks and the rest--and you know where those dependencies are, then you can develop ways to defend them. You can really harden the critical infrastructure.

What about our response to events? Are there deficiencies in how we respond to these threats and will we see changes in how we deal with them?
The general awareness is going to keep going up. And if you look at the way (Internet) service providers are responding now, they are doing more filtering at the edge, they are doing more rate limiting and they are doing more cooperative traceback with each other that they weren't doing a year ago. I think that's going to improve security and that will help the service provider segment respond to attacks like that. There are also companies developing specific anti-DDoS (distributed denial-of-service attack) and DoS (denial-of-service attack) tools that I think will mature and be used by people in the Internet industry to provide even better defenses.

Do you think we are going to see an automated trace-back system? And do you think we need to expand on current systems to better fight threats in the future?
Well, some service providers and others already have some traceback capabilities. Traceback helps you identify where things come from, but there are jurisdictional issues and I don't know all the legal ramifications of where that has to go to be solved.

How much is industry getting behind this push for security? And do you think the ISACs will change from an advisory capacity to more of a responder capacity?
I hope they do. The ISACs are still new. One of the difficulties I see across industry sectors is how to integrate this new tool in normal business operations. Part of the awareness of this issue is getting the companies that join ISACs to figure out how to integrate the ISAC into their business. Once they solve that, once they see that they can gain knowledge from all of their fellow members...then they are better off as part of the ISAC than without the ISAC.

I think the ISACs will need to evolve to something that provides trending and analysis and more proactive solution distribution than just another warning mechanism, like CERT (Computer Emergency Response Team), the NIPC (National Infrastructure Protection Center), and the other organizations.
