
[ISN] Cybersecurity expert warns of post-9/11 vulnerability



http://www.post-gazette.com/pg/03252/219578.stm

By Dan Fitzpatrick
dfitzpatrick@xxxxxxxxxxxxxxxx 
Post-Gazette Staff Writer
September 09, 2003

Almost two years after the devastating attacks of 9/11, former Bush
White House adviser Richard Clarke sounded the alarm in Pittsburgh
about a cyberattack that could be just as damaging to the national
psyche, arguing that the federal government remains "slow" and "very
20th century" in its preparation for computer-based terrorist threats.

Clarke, in an interview yesterday on Carnegie Mellon University's
campus, singled out the U.S. Department of Homeland Security, led by
former Pennsylvania Gov. Tom Ridge, for being sluggish in making
cyberspace a true national security priority. The department, Clarke
noted, has yet to appoint a director and several key managers to its
National Cyber Security Division -- a group asked to implement a
protection plan Clarke developed before leaving the Bush
administration in February.

The problem, Clarke said, is that Homeland Security leaders still
"think of risks to our society in terms of things that explode and
incidents that have body bags. In the 21st century, as the power
blackout of Aug. 14th proved, a great deal of damage to our economy
and disruption to our way of life can be done without anything
exploding or anybody being killed."

Clarke's insistence that the country pay attention to cybersecurity
has made him a polarizing figure in the computer industry and
Washington D.C., where he has worked for the last four presidents and
advised three of them on intelligence and national security matters.

He left the White House as Bush's cybersecurity czar in February, to
become a consultant. Known for his contempt of bureaucracy and his
critique of pre-Sept. 11 intelligence failures, Clarke emerged after
9/11 as the digital Paul Revere, warning that the country's electrical
power, finance, telecommunications, transportation, water and
especially the Internet are all vulnerable to cyberattack.

In making his case for shoring up the nation's electronic
infrastructure, Clarke is getting support from Pittsburgh and
specifically, CMU. With Clarke's assistance, CMU computer scientist
Roy Maxion sent a letter last year to President Bush warning that "our
nation is at grave risk of a cyberattack that could devastate the
national psyche and economy more broadly than did" the 9/11 attacks.

The letter, cosigned by Maxion's CMU colleague John McHugh and more
than 50 of the country's top computer scientists, laid out a
nightmarish scenario involving the sudden shutdown of electric power
grids, telecommunications "trunks," air traffic control systems and
the crippling of e-commerce and credit card systems with the use of
several hundred thousand stolen identities. "We would wonder how, as a
nation, we could have let this happen," the letter said.

Maxion and his co-signers proposed a five-year cyberwarfare effort
modeled on the World War II Manhattan Project, requiring an investment
ranging from $500 million to $1 billion per year. "The clock is
ticking," the letter said.

Some critics maintain that Clarke and institutions such as CMU, which
was awarded $35 million in federal funds last year to fight
cyberterrorism, are hyping a threat that does not really exist --
especially in the case of al-Qaida, the organization that carried out
the attacks of 9/11.

Dorothy Denning, one of the country's top cybersecurity experts and a
professor at the U.S. Naval Post Graduate School in Monterey, Calif.,
said she did not sign her name to Maxion's White House letter because
"I had a certain amount of reservation about whether or not it needed
to be brought to that level of attention."

Denning has not "seen the kind of devastating attacks people are
worried about," and she hasn't "seen terrorists actively pursuing" the
Internet as a weapon. Clarke, Denning added, is right to point out the
"vulnerabilities in our infrastructure that could be exploited" by
everyday hackers and admitted that "bad things could happen." But
"until those things do happen, no one knows what the cascading effect
might be."

Another skeptic, George Smith, is more harsh in his appraisal of
Clarke's admonitions.

"I can't think of a single Clarke prediction or warning that was right
or of any lasting value," said Smith, senior fellow with Alexandria,
Va.-based defense think tank GlobalSecurity.Org.

He added: "In 2003, it takes no great intellect to say the nation is
in great danger from the electronic frontier. The fantastic claim
always gets attention, diverts the mind from thornier but mundane
problems ... Far easier to say al-Qaida is looking to turn off the
power. You don't ever have to prove if there is even a small nugget of
truth to it."

Terrorists, Smith said, "are interested in creating bloodshed and
terror. The Internet doesn't rise to this level of impact in a way
that a truck bomb does."

Referring to the e-mail virus that has been plaguing computer systems
of late, Smith argued that "you can get three or four hundred copies
of SoBig in your e-mail box a day -- a thousand, two thousand -- and
it just has no physical impact, no terror juice to it."

But Clarke, who was in Pittsburgh yesterday to speak at a computer
intrusion detection conference, said he has been in this position
before, warning of national security threats that some would not take
seriously. Clarke, a counterterrorism coordinator under President
Clinton, was among those who worried about Osama Bin Laden's
capabilities before the events of 9/11.

"An awful lot of people, unfortunately, don't believe (a cyberattack)  
will happen," he said. "And as with terrorism itself, we learned from
9/11 that you can yell and yell and yell and imagine something
happening and say it is going to happen, as I did with regard to
al-Qaida, and no one believes you enough to act until it happens."

As for al-Qaida, Clarke claims that some of its followers have
master's degrees in computer science, and that "there is lots of
evidence that al-Qaida has downloaded sophisticated hacking tools
because we have seized their computers and know what's on them. So, I
do think there is grounds for concern."

But focusing on al-Qaida is missing the point, he said. "I don't think
it is terribly important who the enemy is. It doesn't matter. What you
need to worry about is the vulnerabilities."

There are some encouraging signs that the country may be safer from
cyberattacks than it was before 9/11, according to Clarke.

There is anecdotal evidence, he said, that the companies that control
much of the country's electric power generators, telecommunications
lines, rail terminals and shipping containers are taking the voluntary
security steps asked of them in Bush's National Plan for Protecting
Cyberspace, developed by Clarke and released earlier this year.

Bush's plan relies on U.S. business, rather than the federal
government, to shore up the nation's computer security infrastructure.  
Clarke, in fact, came to Pittsburgh twice last October to drum up
support for the plan, making the point that for U.S. businesses the
increased costs of preparing for an attack do not have to drain a
company's productivity.

Some critics, responding to requests from the Bush administration that
U.S. firms make themselves more secure, argued that companies have
little incentive to pay for such measures in a slow economy.

Others said the plan itself lacked federal firepower.

"If (Clarke) had made it to correspond with the urgency of his
warnings, it would have been a strong strategy with teeth in it,
capable of compelling the private sector to improve security practices
in many different ways," said Smith, the senior fellow with think tank
GlobalSecurity.Org. "However, when unfurled, it had no power. It might
as well have not been written."

But Clarke maintained yesterday, in an interview, that U.S. companies
and the federal government are spending more money on cybersecurity
and that the viruses that plagued computers this summer are forcing
CEOs to pay more attention to the problem. Clarke, during his speech
yesterday at CMU, even expressed confidence that this issue is making
its way into pop culture, citing the recent movies "Terminator 3" and
"Matrix Reloaded."

In the latter, Keanu Reeves' character Neo takes a tour of Zion, the
last human city to survive outside the computer-generated Matrix, and
is told that Zion's citizens do not think about the machines that
power the city until the machines stop working.

Paraphrasing Neo, Clarke said, "People need machines. But, machines
need people, too."



-
ISN is currently hosted by Attrition.org