Can you offer an example?
I think wireless is a case in point. The banking and finance industries are working through their information-sharing and -analysis centers, creating a wireless security standard. I don't know how good the standard is, (but) from my perspective, that's what we want to have happen. Here's the private sector organizing itself--people who are going to define infrastructure owners and operations to create a standard, not government creating a standard. And that's always a good idea.
But then, infrastructure owners and operators are creating that standard and going to the vendors and saying, "If you are going to be manufacturing this, we want it this way. We are willing to pay for security." And that will allow us to get past this chicken-and-egg problem we had in the past where vendors of hardware and software went to the carriers and said (they) could offer security but no one wanted to pay for it.
We talked to the owners and operators of the infrastructure, and they have said they would rather buy secure systems than buy security. We need to somehow get the two together, and examples like having an industry sector create a standard in time for it to be incorporated into a technology--that's the kind of thing we need.
There are a lot of bad practices going on right now. For instance, a lot of the risks associated with distributed denial-of-service attacks could be mitigated if every ISP used source-egress filtering (letting only a PC connected to the ISP's network send packets with that PC's Internet address). Is there anything the government can do to get the industry to adopt these measures?
There are ways--simple ways--that you can mitigate the risk. I think that both my office and DARPA (the Defense Advanced Research Projects Agency) are going to be cooperating in bringing together people who can do something about denial-of-service attacks. That's the carriers, and it's also vendors of routers. We can go a long way to reducing the potential of denial-of-service attacks without having to do very much.
And the role of service providers?
(We have to) get the ISPs to start worrying about it, and to use anti-spoofing techniques that are available to them now--get the ISPs to start doing screening for viruses and worms. Some of them are doing it, but not all of them are doing it. And if we can get the carriers to want functionality in the routers, which is there to a certain point already, we can address denial-of-service attacks. We can't stop them, but we can put a dent in the effects that most of them have. Between DARPA and my office, we have been having conversations like that.
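The source-address ("egress") filtering mentioned in the question above amounts to a simple rule at the customer edge: forward a packet only if its source address belongs to a prefix the ISP actually assigned to that customer, and drop everything else. The following Python example is added here to illustrate that check; it is not code from the interview or from any ISP, and the customer prefixes and sample packets are constructed for the illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: address blocks this hypothetical ISP has assigned to its
# customers. Packets leaving the customer edge must carry a source address from
# one of these blocks; any other source is spoofed or misrouted.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def source_is_legitimate(src_ip, prefixes=CUSTOMER_PREFIXES):
    """Return True if src_ip lies inside one of the assigned customer prefixes."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # unparsable source address: never forward it
    return any(addr in net for net in prefixes)


def filter_egress(packets, prefixes=CUSTOMER_PREFIXES):
    """Apply source-address filtering to outbound packets.

    Each packet is a dict with at least 'src' and 'dst'. Returns
    (forwarded, dropped, stats), where stats counts decisions by reason so the
    drop rate can be fed to monitoring.
    """
    forwarded, dropped = [], []
    stats = Counter()
    for pkt in packets:
        if source_is_legitimate(pkt["src"], prefixes):
            forwarded.append(pkt)
            stats["forwarded"] += 1
        else:
            dropped.append(pkt)
            stats["dropped_spoofed_source"] += 1
    return forwarded, dropped, stats


# Constructed sample traffic leaving the customer edge toward the Internet.
SAMPLE_PACKETS = [
    {"src": "192.0.2.10",     "dst": "203.0.113.5", "proto": "udp", "dport": 53},   # genuine customer host
    {"src": "198.51.100.7",   "dst": "203.0.113.5", "proto": "tcp", "dport": 443},  # genuine customer host
    {"src": "203.0.113.99",   "dst": "192.0.2.10",  "proto": "udp", "dport": 53},   # source not ours: spoofed
    {"src": "198.51.100.200", "dst": "203.0.113.5", "proto": "udp", "dport": 123},  # outside the assigned /25: spoofed
    {"src": "not-an-ip",      "dst": "203.0.113.5", "proto": "udp", "dport": 53},   # malformed source
]


if __name__ == "__main__":
    fwd, drp, st = filter_egress(SAMPLE_PACKETS)
    print(dict(st))
    for p in drp:
        print("dropped:", p["src"], "->", p["dst"])
```

Two packets pass and three are dropped: the two with sources outside the customer blocks and the one with an unparsable source. In a real deployment the same rule is expressed as an ACL or unicast reverse-path check on the edge router rather than in Python, and the drop counter is what operators watch for a sudden rise that indicates a customer host has started emitting spoofed traffic.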
With the Office of Homeland Security starting up now--and you analyzing where the threats are, as far as critical infrastructure--calling it "cyberterrorism" seems to be hyping up the reality of these attacks. But obviously, there is some risk from attack. Where do you see those risks coming from?
We have to differentiate between an attack that has already happened and the kind of attack that will come. As far as the Sept. 11 terrorism, (it) presents a certain level of threat (and) made us realize that terrorism presents a much bigger form of threat. There is a parallel trend in IT security. Up to now, IT security threats have been...affordable, for the most part. They are the cost of doing business in modern times. And some people are under the mistaken impression that that's all it is or all it could be.
I think the message that we have to send out is that it can be much greater. At the same time, the nuisance levels that we see are not the catastrophic threat for IT security. And it doesn't matter what the actors involved are--terrorists or nations. From our perspective, we don't worry about when; we worry about what they can do and start locking doors.
Do you think we need to have more than one vendor of software like operating systems to improve security? Does the government want to support open-source initiatives in order to have options?
I think we do have more than one vendor. I don't think we, the government, need to support open source. People do have a choice today in most markets. There are niches where there is dominance by one company, whether you are talking about operating systems or routers or database systems or chips. You will find a dominant player in those areas. But you have a choice.
We have to realize that there are dominant players in these pieces of the IT spectrum, and to work with those dominant players, because they have legacy systems that are out there and will remain out there. (We have to work) with them to ensure that they do all they can to provide security functionality, not only for their new product but for their old products as well.