As the investigation into last week's Internet attacks continues, the White House is expected to propose a new Internet security centre following a meeting on Tuesday between President Clinton and high-tech executives. The Cyber National Information Center, to be known as Cyber NIC, will be a place where companies "can work together to address cyber security problems and crises," according to a planning document. In addition, the White House is asking its science adviser, Neal Lane, to take the lead in establishing a think tank supported by both the public and private sectors to consider online security issues.
These modest steps reflect the lack of consensus about how the government should respond to last week's incidents, in which numerous Web sites were brought down after being deluged with meaningless data. Some industry representatives have been concerned that federal law enforcement agencies may use the attacks to pressure companies into taking security steps that are either costly or unpopular with Internet users.
The private and public sectors tend to take different approaches to security issues, with companies emphasising narrow technical changes, such as better protocols at Internet-service providers. Government, on the other hand, has stressed increased law enforcement activities and the like.
However, since last week's attacks, both sides have been trying to find common ground. Officials from the US Department of Commerce, for example, have had numerous telephone discussions with industry representatives in the days since the attacks to work out security approaches. Following the calls, one official said that they were designed, as much as anything, to get companies talking to each other. "We're not bringing much to the table outside of a desire to be helpful," said the official. "We want the private sector to solve its own problems. After all, they're the ones who own the infrastructure. This is just not a realm that is conducive to a top-down, government czar approach."
Still, there are concerns. A spokesperson attending the session commented that several of the top executives invited to the White House have been reluctant to attend the meeting out of fear of being pressured into making security steps they'd rather avoid, and are therefore sending lower-level executives who lack the authority to make commitments for their companies. On Monday (14 Feb) The White House was insisting that only "principals" attend for companies, according to one invitee. Among the companies expected to attend are Microsoft, IBM, AOL, Yahoo!, Electronic Data Systems, Lucent Technologies, eBay, Nortel Networks, Iridium LLC and AT&T.
In an online interview with CNN.com, President Clinton said that he found last week's attacks "very disturbing" and hoped to use Tuesday's summit as a way to promote Internet security. The White House plans to refocus on a few existing programs during the summit as well, including a proposal to spend $9m (£5.5m) on education and training for computer-security specialists. The money, earmarked for this year, was included as a supplemental item in President Clinton's 2001 budget proposal. Administration officials say their efforts to boost critical infrastructure protection have been hampered by a severe shortage of trained computer security experts.
In the private sector, the Information Technology Association of America, a trade group, said that in preparation for the session it had coordinated support for "best practices" that its tech company members should adopt to keep hackers at bay. The association said most tech companies had long been concerned with security issues, but they may need to become even more vigilant. "The recent incidents are a 2-by-4 across the head of the entire industry, and helped push the issue high up on everybody's list," a spokesman said. A statement to be issued by the group calls for the establishment of "a mechanism for the systematic and protected sharing" of information on cyber attacks, security vulnerabilities and countermeasures.
Meanwhile, security experts said a monetary reward might be needed in addition to the technical detective work that's being used to track down the perpetrators. Financial rewards are commonly used to solve criminal cases, and some experts are now starting to push the idea as a way to crack last week's attacks. "This thing needs a million dollar bounty if it is going to be solved," said Michael D Allison, chief executive of security consultants, Internet Crimes Group. "That's one way of turning the firepower of the hackers against themselves," he added.
Allison and others cite two reasons in advocating rewards. For one, skilful hackers know how to hide their tracks. Mixter, the German hacker who wrote one of the programs involved in last week's attacks -- but who isn't suspected of actually launching them -- has told interviewers that the chance of finding the person who used the program is slim unless he made a serious mistake. What's more, hackers routinely talk to each other over communications links known as IRC channels, and tend to know about the activities of others. In fact, people familiar with the hacker world say that bragging rights are a major motivation for Web attacks in the first place. Also, there are many well-known rivalries among hackers, suggesting that this could be exploited by offering a reward. "This case is probably going to be solved by an informant, and not by any technical tools," said Steve Bellovin, a prominent expert in network security issues at AT&T.
On the eve of the online security summit, further attention was being drawn to the Internet's vulnerability to mischief. On Monday night, Reuters reported that online hecklers posted irreverent queries to the CNN.com Internet site during its interview with President Clinton, and that "ribald remarks" under Clinton's name slipped through a network filter designed to block inappropriate questions.
A representative at CNN would neither confirm nor deny the report.
What do you think? Tell the Mailroom and read what others have to say.
Take me to the Hackers News Special
For full coverage, see the Denial of Service Roundup.