How well are we moving toward securing the nation's infrastructure?
We have made a lot of progress, but it is an arms race. I don't know
when the next attack is going to be. I don't know when the next
breakthrough in defenses is going to happen, but everyone I have talked to in the infrastructure sectors is aware of the issue and is
motivated to do everything they can to not only protect themselves, but also protect our country and other countries of the world.
What are the biggest security issues facing the Internet and the
nation?
The Internet knows no borders. This is not just a national problem; it
is an international problem. We are working together to try to raise the
bar for security worldwide. The U.S. government knows this, but it is a
paradigm shift for them. And it is difficult institutionally for the U.S.
government to think globally when they are talking about their own
national security. We think that the
formation of the Department of Homeland Security is going to help a lot because it will provide focus.
How so?
One division is dedicated to information analysis and infrastructure
protection. That'll help. And if you look at the structure of the draft
national strategy (the Bush administration's "National Strategy to Secure Cyberspace" document), you'll see there is pretty
strong global emphasis there, too. So thinking globally is a challenge
that we are overcoming, both on the national front and with industry.
As far as industry and government, there is a definite business case for
industry to be involved and there's a definite national security
interest. This is the first national security issue that the government
can't solve alone. The Department of Defense can't defend against a
cyberattack on a power plant in Omaha. They just don't have the
tools; they don't have the access. They don't have the
authorization--sometimes they don't even have the intelligence because
the attacks appear in corporate networks before the DOD or intelligence
agencies are even aware it's going on. There is a real mandate for
cooperation. Businesses are beginning to understand that (they)
may represent the first line of defense against an attack on the
country, because all the interconnectedness and all the
interdependencies show that businesses may be prime attacks. After all,
al-Qaida attacked the World Trade Center, which is a financial center.
And that was not the government.
Because the majority of the Internet is hosted and used in the
United States, can we take charge and at least secure our own
territory?
The initial focus is U.S.-centered; at least as far as the U.S.
government is concerned. Already, it is pretty successful. They have
outlined strategic areas to think about: research; work force
development, education and training; awareness; and incident response
coordination and information sharing. All of those areas are being
pursued. We are beginning to reach out to Europe and the Far East
because they also have significant interest in this area. So the
dialogue is beginning there, too.

We have recommendations suggesting that certain infrastructures be
more secure. Do you think we need certifications and regulations, or
will the hands-off approach work?
I think the hands-off approach will largely work. I really do. And
we think it's forward thinking of the government to eschew new
regulation. It's not being vendor-friendly; it's the best way to solve
the problem. Dick Clarke (President Bush's special adviser for
cybersecurity) has said many times that he thinks regulation would be
too slow and actually wrong when it's implemented to solve problems that
can largely be solved by the market. On the other hand, I don't think
the market can provide a 100 percent solution. But it is up to us to
work with the public-private partnership to identify how much the market
can provide and where the remaining gap's going to be that will have to
be either (incited) or funded by the government to finish.
When you talk about certification (of information-security workers),
there is a real need for standards. There are several companies in the
insurance industry that are providing information-security protection
products but they don't have any actuarial data to stand on. So they are
out on a limb a bit, taking a risk of their own to provide that
kind of insurance product to industry.
The only way to get actuarial data is to compile databases and to know
what standards are. There is no security posture index, for example, for
a basically secured network. And how do you take a snapshot of a network
when it is a dynamic environment anyway? It's not an easy problem to
solve.
Do you think that over the next few years we need to develop a
standardized way of looking at security? Do you think it is even
possible?
I think it is possible. I wouldn't characterize it as a standardized way
of looking at security. I would characterize it as a set of
industry-based system standards. NIST (the National Institute of Standards and Technology) has put out some draft documents to address system-security assessment standards, which will help. That
is also a partnership where they are inviting industry participation.
We have had defacements galore, the DNS (domain name system)
root-server attacks, worms and denial-of-service attacks. Do you see the
threats getting worse before they get better?
Old attacks never go away. There are new attack types. People get more
and more sophisticated and the attacks are easier and easier to use. You
can type some keywords in your browser and pull down point-and-click
hacking tools, if you like. Some of them are illegal, depending on how
you use them, but I think the number and types of attacks are going to
increase, and they are going to increase in complexity. We are really in
an arms race, building defenses and trying to figure out how to identify
attacks in progress and respond quicker than we have in the past.
There has always been talk of dire attacks, such as "digital Pearl Harbor." Do you think we will see something like that before we get secured, or can we move fast enough to secure the infrastructure?
That's really hard to answer. You are basically asking me what keeps me
up at night. And to answer that, I wouldn't say this is going to be the
mother of all attacks. Who knows what they are going to try? You saw
that even the attacks on the top-level domains didn't have much of an
effect. I think they demonstrated the robustness and resiliency of the
Internet in general.
Not to say those attacks aren't going to get better, and we are going to
have to take greater measures to defend ourselves. But you look at
trends like digital control systems migrating to Internet accessible
remote management. We need to concentrate on providing security for that
and for anything else that implicates core business operations. Web site
defacements aren't that big a deal, but when you talk about impacting
core business operations, then you are talking about a real threat.
The worst threat is a combination of a physical attack and then a cyberattack that would disable the response. So if there was another
horrendous bombing attack and then someone disabled 911 emergency
responders or screwed with the traffic lights, that would be a pretty significant nightmare scenario.
But we are working as hard as the bad guys are. And the fact that we have a dialogue, cross-sector with the PCIS (Partnership for Critical Infrastructure Security), and each of the ISACs (Information Sharing and Analysis Centers) is
becoming more mature in its trending and analysis, keeps us
better able to respond.
The national plan under President Clinton and the national strategy
under President George W. Bush have both emphasized education and
research. What dividends do you expect to see from those initiatives in
the next few years?
I have always said that the two strategic areas in this field are
research and education. If you look at what we call the (technical)
skills gap, it keeps getting wider. All the training and education
programs in the world can't produce enough highly qualified individuals
to meet the demand. And that's true for networking in general and it's
even more true for security. So the government getting out in front and
providing a cybercore scholarship program and working with the NSA
(National Security Agency) to identify centers of academic excellence
and information assurance education is really helpful.

And several companies are going to be cooperating with those programs:
augmenting the scholarships and providing internships, giving ideas
for directed research projects, and donating equipment to enhance the
center of excellence program and the cybercore scholarship program to
help improve the work force.
On the research side, we think it's a great idea that the National
Infrastructure Simulation Analysis Center, the NISAC, is going to be
involved with the new Department of Homeland Security. Interdependency
modeling is probably one of the two top research topics that we need to
address. If you understand the interdependencies--the nodes that cross
bounds between, say, the electric power sector and the water sector and
railroads and the banks and the rest--and you know where those
dependencies are, then you can develop ways to defend them. You can
really harden the critical infrastructure.
The other critical research area is identity management. There are many
things that depend on identity to succeed in security. IPSec (Internet
Protocol Security), VPN Tunneling (using virtual private networks to
connect remote offices), a lot of things that are just rolling
out depend on knowing who is providing the message--you know, we are talking about
authentication and nonrepudiation. But how do you manage that, who is
the key authority, can you do cooperative public key management? That is
an area that needs to be addressed. And we and other companies and the
government are all looking at those issues. Though I would say
interdependencies and identity management are the two key research areas
for the next two years.
What about our response to events? Are there deficiencies in how we
respond to these threats and will we see changes in how we deal with
them?
The general awareness is going to keep going up. And if you look at the
way (Internet) service providers are responding now, they are doing more
filtering at the edge, they are doing more rate limiting and they are
doing more cooperative traceback with each other that they weren't doing
a year ago. I think that's going to improve security and that will help
the service provider segment respond to attacks like that. There are
also companies developing specific anti-DDoS (distributed denial-of-service attack) and DoS (denial-of-service attack) tools that I
think will mature and be used by people in the Internet industry to
provide even better defenses.
Do you think we are going to see an automated trace-back system? And
do you think we need to expand on current systems to better fight
threats in the future?
Well, some service providers and others already have some traceback
capabilities. Traceback helps you identify where things come from,
but there are jurisdictional issues and I don't know all the legal
ramifications of where that has to go to be solved.
How much is industry getting behind this push for security? And do
you think the ISACs will change from an advisory capacity to more of
a responder capacity?
I hope they do. The ISACs are still new. One of the difficulties I see
across industry sectors is how to integrate this new tool in normal
business operations. Part of the awareness of this issue is getting the
companies that join ISACs to figure out how to integrate the ISAC into
their business. Once they solve that, once they see that they can gain
knowledge from all of their fellow members...then they are better off as
part of the ISAC than without the ISAC.

I think the ISACs will need to evolve to something that provides
trending and analysis and more proactive solution distribution than just
another warning mechanism, like CERT (Computer Emergency Response Team), the NIPC (National Infrastructure Protection Center), and the other organizations.
Where do you weigh in on liability? Will it be an effective tool or
prod to get companies to secure themselves?
I really haven't dug into the liability that much. The PCIS has more to
say about the Freedom of Information Act. I will defer that.
On the Freedom of Information Act issue, do you believe that exemptions are needed for companies in order for the government to secure their cooperation?
(Editor's note: The FOIA allows any person to apply to certain government agencies for information regarding any topic. Companies fear that if they report hack attacks to the government the media will
uncover the information with FOIA requests and the company's stock will suffer.)
Yes. I would support a very narrowly written exemption. We don't want to
roll back any of the existing law. We think that the FOIA law is very
sound and we need an open government--that's what makes America unique.
However, many corporate lawyers are advising their CFOs and CEOs that
the existing exemptions don't give assurances that information
provided to the government will not be disclosed to someone with the
FOIA request. So I think if we had one very narrowly written exemption
for cyber-vulnerability information that's shared with the government for the
purpose of critical infrastructure assurance, and no other purpose, I
think you would see more voluntary sharing with the government. And that
would also go toward providing the data sharing that we need to build
actuarial data. All of our incident response capability would improve.