Suche innerhalb des Archivs / Search the Archive All words Any words

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[] Interview mit ehemaligen IT-Leuten von NSA und CIA,

Mit Dan Verton (Computerworld, Cyber Security Journal, 
- Ruth David, ehemalige Direktorin für Wissenschaft und Technologie der
- Bill Crowell, ehemaliger Vize-Direktor der NSA.
Themen: Cyber-Verwundbarkeit der USA, politische Prioritäten,

Outflanking The Cyberterrorist Threat

April 08, 2002

While cyberterrorism may not be an immediate threat, it would be
foolish not to recognize that the U.S. is facing a "thinking enemy"  
who will adapt to attack our critical infrastructures and
vulnerabilities, says Ruth David, former director for science and
technology at the CIA.

David is now president and CEO of Analytic Services Inc., an
independent, not-for-profit, public service research institution in
Arlington, Va. She and Bill Crowell, CEO of Santa Clara, Calif.-based
security firm Cylink Corp. and a former deputy director of the
supersecret National Security Agency, each participated in rare
interviews with Computerworld's Dan Verton. They discussed the threats
posed by cyberterrorist attacks and the steps that the public and
private sectors should take to thwart them.

There's been speculation, even before Sept. 11, about the U.S.'s
vulnerability to an "electronic Pearl Harbor" or cyberterrorist
attack. How has this changed since Sept. 11, and how vulnerable are
the various economic sectors to cyberterrorist attacks?

David: While it is true that major terrorist attacks to date have
targeted human lives, I would not blindly extrapolate that behavior
into the future. After all, on Sept. 10, we would not have expected a
hijacker to turn a commercial airplane full of passengers into a
guided missile, and even on Sept. 12, we did not envision exploding
shoes as a threat to aviation.

In the aftermath of the 9/11 attacks, those adversaries almost
certainly observed the immediate effect of service interruptions as
well as the prolonged economic impact of infrastructure disruptions.  
While the weapon used was explosive rather than cyber, it doesn't take
much imagination to see that similar effects could be achieved through

Crowell: Clearly, the vulnerabilities of the nation to cyberattack are
growing. Critical national functions like banking, financial services,
health, water and communications are increasingly dependent on highly
automated systems that connect the many nodes of their operations.

These changes in the degree to which business and the government are
dependent on public networks have been occurring for about a decade.  
The disturbing thing is that all of the trends are in the wrong
direction. Business is moving more and more critical functions to
networks. The speed and complexity of the deployments make it
difficult for them to employ good defenses rapidly. Diversity is
decreasing as we migrate more to common operating systems and common
network systems.

To what extent is the war on terrorism, particularly the battle for
improved homeland security, a technology problem? What roles do you
see the government, corporate America and the IT vendor/developer
community playing?

David: Technology is only one component. Without supporting policy,
effective processes and well-trained people, technologies solve
nothing. Deployment of facial recognition technologies at border entry
points will not ensure apprehension of terrorists.

Corporate America will play an increasingly important role in
developing security technologies to protect nongovernmental personnel
and property that may be targeted by terrorists attacking what we are
as a nation rather than what we do as a government.

Crowell: The battle for improved homeland security involves both
technology and processes. Technology can be used to make the processes
more efficient, predictable and effective.

The Transportation Security Agency, [Federal Aviation Administration]
and Department of Transportation are all looking for ways to improve
[airport security]. However, I am particularly concerned that many of
the critical processes are now using technologies that are more
vulnerable, not less. An example is the use of wireless LANs for the
tracking of baggage. Without proper encryption and authentication, the
baggage handling system will not prevent either insider or outside

Some have said that the government's push to create a separate and
secure intranet (GovNet) for sensitive government operations and
possibly e-commerce is tantamount to throwing in the towel on Internet
security. Are there viable alternatives to disconnecting from the

David: To the extent that terrorists attack symbols of America, seek
to shake the confidence of the public in our government's ability to
protect [citizens], and/or seek to inflict economic damage, GovNet
solves nothing, since many valuable cybertargets would be left
undefended. In fact, a separate network might actually impede the
homeland security mission since it could further isolate government
from industry and the American public at a time when communication and
collaboration are desperately needed.

In particular, I believe the absence of a coherent governmentwide
security policy has significantly limited our ability to protect
sensitive government operations.

Crowell: I think that the GovNet initiative has been misrepresented in
the press. Perhaps this is because the government did not carefully
lay out the principles in the beginning of the discussion. [The
government has] advocated that the core mission systems be on separate
private networks that are highly protected from denial-of-service
attacks and from hacking and cyberattacks.

The Internet would be used for e-government to enjoy the enormous
reach it provides to the public. These are not new concepts. In
banking and financial services, these policies have long been the
basis for their risk management practices.

Howard Schmidt, the deputy chairman of the President's Critical
Infrastructure Protection Board, said recently that the next national
plan for protecting the country's critical systems and networks will
be written with the help of the private sector. What do you think the
immediate priorities and focus should be for such a public/ private

David: If I were to offer a top priority, it would be to establish
trust between government and industry and among the key industry
sectors. This means first and foremost to create a safe environment
for the sharing and analysis of information regarding cyberattacks and
discovered vulnerabilities.

My next priority would be to bolster our intrusion-detection
capabilities. I worry less about the overt attacks that disrupt
service than the subtle attacks designed to steal or corrupt data -
attacks that may go undetected until disaster occurs.

Crowell: I think that there are two elements that should be part of
the plan. The first is that the government should be a leader in
network security and move quickly to employ the best practices for
both GovNet and e-government. The second is that the [Securities and
Exchange Commission] should establish the same risk disclosure rules
for network security that it used to focus attention on Y2k and on
disaster recovery.

Without such a mechanism, there is a strong likelihood that the
vulnerabilities and risks in network-based business won't get the
attention that [they need] until there is a disastrous event. I think
that the disaster recovery systems of the financial businesses in the
World Trade Center saved many of them from total collapse.

Liste verlassen: 
Mail an infowar -
 de-request -!
- infopeace -
 de mit "unsubscribe" im Text.