Experts grapple with US cyber security
DENVER -- Richard Clarke, senior director of the National Security Council, this morning at Gartner's Spring Symposium/ITxpo outlined the gist of a White House statement calling for the government to prepare a new national plan to protect cyberspace.
This plan, he said, will be written by the government and the private sector, with input from the power, banking, and transportation industries and from users of the Internet. The goal is to create a plan based on a consensus of what cyber security should be.
"We are moving into a new national infrastructure -- one that is converging from ATM and frame relay to IP," said Clarke, in his opening remarks on Gartner's Masterminds panel on cyber crime, corporate privacy and the national interest.
Clarke went on to describe the convergence under way in the wireless arena, where there will be one wireless, Internet-connected device, and in the optical space, where there will be a larger optical network "reaching into every office in the country."
He called for a new approach to cyber security: "We can do something we've never done before: identify the vulnerabilities and try to mitigate them and build security into the infrastructure instead of glomming it on. We have insecure enterprises and networks. We want to solve cyber crime not by teaching the FBI how to use computers, but by paying the money it takes in budgets to secure our facilities. It is not a crime problem, but an infrastructure problem."
Also participating in this morning's panel was Fred Smith, former trial lawyer and cyber crime law expert. Smith described a change in the justice system in the way that evidence is collected, preserved, analyzed and presented. "Experts have now taken over," he said.
Smith went on to describe the issues that arise because cyber crimes remain underreported.
"How do we find the real proof of what happened in these networks?" he asked. And he cited a common legal consequence that occurs when new technologies become widely adopted. "Each massive embrace by American society of a new technology has been followed by an increase in tort litigation," he said.
The Egghead hack
Also on the panel was Jeff Sheahan, president and CEO of Egghead.com. Sheahan described the Christmas break-in of Egghead systems by hackers who presumably were seeking customer account information. Despite the best efforts of Egghead's IT staff, along with forensic security experts and the FBI, it took two weeks to determine that customer credit-card information was not extracted from Egghead databases. (The FBI is still trying to determine the identity of the hackers.)
Sheahan said that he believes in personal accountability, and that belief led Egghead to quickly contact customers to warn them that their credit-card information may have been stolen.
"It's a double-edged sword going public. You become the bad guy," said Sheahan. He said the typical reaction was, "How could we let our guard down?"
French Caldwell, Gartner research director, asked the panelists whether individual accountability would be the norm. Clarke said, "There will be 170 million wireless devices. Even with a VPN you're in the (Internet) cloud. You can be vulnerable despite your best efforts because of that. It is not secure. The national architecture is vulnerable."
Caldwell also asked what "mass victimization" would look like. Answered Clarke: "Ten thousand or more zombie machines doing distributed denial of service attacks against the air traffic control system -- or national DNS servers. ... It's not inconceivable that whole sections of the country could lose their Internet access."