CONSIDER THE following scenario. Members of a terrorist organization announce one morning that they will shut down the US Pacific Northwest electric power grid for six hours starting at 4 pm; they then do so. The same group then announces that it will disable the primary telecommunications trunk circuits between the US East and West Coasts for a half day; they then do so, despite the best efforts to defend against them. Then, they threaten to bring down the air traffic control system supporting New York City, grounding all traffic and diverting inbound traffic; they then do so. Finally, they threaten to cripple e-commerce and credit card services for a week by using several hundred thousand stolen identities in millions of fraudulent transactions. Their list of actions is then posted in The New York Times, threatening further action if their demands are not met. Imagine the ensuing public panic and chaos.
Alarmist, perhaps? Far from it. The scenario is actually quoted from a letter sent by a group of concerned scientists to President Bush in February 2002. Signatories included O Sami Saydjari, founder of the Cyber Defense Research Center; Matt Donlon, former director of the security and intelligence office at the Defense Advanced Research Projects Agency; and Robert T Marsh, a retired Air Force general and former chairman of the President's Commission on Critical Infrastructure Protection. The scientists don't mince words about the cyberthreats facing the nation: "The critical infrastructure of the United States, including electric power, finance, telecommunications, health care, transportation, water, defense and the Internet, is highly vulnerable to cyberattack. Fast and resolute mitigating action is needed to avoid national disaster."
While the group's scenario was meant to grab attention, it also was grounded in reality. Each of the events depicted has happened (though not concurrently); some resulted from government-sponsored exercises, some from technical failures and some from actual cyberattacks. All could plausibly be triggered by a few knowledgeable people using some PCs and Internet access.
The cyberthreat to the nation's security and economy may not be as well understood by the general public as a dirty bomb or a vial of ricin in the wrong hands. But to experts in cybersecurity — those who know the vulnerabilities of the Internet and do daily combat with hackers, criminals and foreign governments trying to probe our critical infrastructure and military networks — the threat is vividly real. Indeed, the 54 scientists who signed the letter believe that a professionally coordinated cyberattack on the critical infrastructure could not only ravage the US economy (to the tune of hundreds of billions of dollars in damage) but also undermine public confidence in the government's ability to protect its citizens. In fact, although a cyberattack alone may lack the awful human destruction that can accompany a physical attack, the systems controlling the critical infrastructure are so densely interconnected that such an attack could have more widespread consequences.
The lead defender in protecting the critical infrastructure is the Department of Homeland Security, a collection of 23 agencies that began operations in January 2003. Spearheading the effort is the National Cyber Security Division, led by Director Amit Yoran. Like the rest of DHS, Yoran and his staff face a steep uphill climb in accomplishing the department's mission. Eighty-five percent to 90 percent of the critical infrastructure rests in private hands. Yet in the absence of regulation, which the private sector often views as a poison pill, DHS has no whip; rather, it must play the role of prodder and pleader, reaching out to a leery private sector that knows it needs to harden security but wonders where the money is coming from to pay for it. As a result, many of those private-sector companies may not feel compelled to move as quickly as DHS might like. Compounding the fledgling division's challenges is its organizational immaturity: At the same time it's trying to boost cybersecurity, it's also dealing with the headaches of hiring staff, integrating IT systems, and figuring out how to analyze the boatloads of data coursing through its pipelines and how to share that information. All that will take months — some say years — to sort out.
This story looks at the challenges facing DHS and its cybersecurity team, and how they're working with the private sector to address them. While regulation remains a political third rail within the US business community, DHS and some in Congress are sending signals to CEOs that serious progress had better happen fast, or regulation may turn from threat to reality.
Cybersecurity Makes a Name for Itself

Given the relatively brief history of ubiquitous computing, cybersecurity wasn't addressed at the presidential level until Ronald Reagan signed the Computer Security Act of 1987, a measure aimed at protecting the security and privacy of sensitive information in the federal government's computer systems. Recognizing the growing dependence of the critical infrastructure on information technology, President Clinton formed the President's Commission on Critical Infrastructure Protection in 1996. Led by Robert Marsh (a signatory of the aforementioned letter), the commission, consisting of both public- and private-sector members, set out to develop a national policy and implementation strategy to protect the critical infrastructure from physical and cyberattacks. In 1997, the commission, which focused primarily on the cyberthreat, issued a report that recommended improving structures and processes to promote information-sharing between government and industry, educating citizens on cybersecurity issues, revising certain statutes to address infrastructure assurance concerns and greatly improving funding for R&D into infrastructure protection.
The White House took the report and the growing infrastructure threat to heart. In May 1998, President Clinton issued Presidential Decision Directive 63 (PDD 63), which set forth a framework to address the Marsh Commission's findings. It created the National Infrastructure Protection Center (NIPC) at the FBI; the Critical Infrastructure Assurance Office (CIAO) at the Department of Commerce; and the National Infrastructure Assurance Council (NIAC), consisting of representatives from both the public and private sectors. It also called for the establishment of Information Sharing and Analysis Centers (ISACs). As with the Marsh report, PDD 63 emphasized that infrastructure protection should be driven not by government dictate but by market forces. Also that month, the president appointed Richard Clarke as the first national coordinator for security, infrastructure protection and counterterrorism.
In January 2000, the White House issued its National Plan for Information Systems Protection, the first stab at creating a comprehensive cyberdefense strategy. The following year, a month after September 11, President Bush established the President's Critical Infrastructure Protection Board to coordinate protection of critical infrastructure information systems and to recommend policies. Clarke, who was appointed special adviser for cyberspace security that same month, chaired the board. But as much as the Clinton and Bush administrations understood the need for better policy coordination, the federal government was, in fact, a hodgepodge of cybersecurity activities. A July 2002 report by the General Accounting Office identified at least 50 organizations involved in national or multinational critical infrastructure cyberprotection efforts.
As the fallout from 9/11 continued, some members of Congress began calling for a Department of Homeland Security to centralize the nation's counterterrorist efforts and protect the homeland. The Homeland Security Act of 2002, which created the department, established the Information Analysis and Infrastructure Protection Directorate (IAIP) within DHS as the place where cybersecurity efforts would now be coordinated.
DHS as Chief Cybercop

As DHS tried to hit the ground running, it needed to spend a good chunk of time just lacing up its shoes. Some observers expressed serious concerns last year when the department absorbed a number of existing organizations that had been making steady progress on cybersecurity in the critical infrastructure. In March 2003, NIPC (except for the Computer Investigations and Operations Section), CIAO and the Federal Computer Incident Response Center (FedCIRC) were transferred to DHS. Getting those groups under the same umbrella made sense. But Michael Vatis, the founder and former director of NIPC, testified before Congress last April that even though more than 300 positions were transferred from NIPC to DHS, most of the incumbent staffers found other positions in the FBI; only 10 to 20 actually made the move. Further complicating recruitment, DHS had not yet created its National Cyber Security Division.
Whether recruiting has improved is open for debate. James Lewis, senior fellow and director of technology policy at the Center for Strategic & International Studies, says getting talented people to join DHS is still a tough sell. "The problem they have is that DHS is relatively weak, as agencies go. It routinely gets beaten out by the FBI or CIA.... It's the new kid on the block," he says.
On the other hand, Alan Paller, director of research at the SANS Institute, believes Yoran has nabbed a bunch of good hires. "They're building a high-quality technical team — that's what Amit is doing. He knows how to hire really solid technical people and motivate them," Paller says, adding that employees like working with Yoran because, rather than being an inexperienced appointee, he comes from a cybersecurity background. (Yoran, a former military officer, worked at Symantec before joining DHS.)
As the agency struggled to begin operations, it also had to absorb the loss of Clarke, one of the country's foremost cyberterrorism experts. Clarke resigned just before the president removed the position of cybersecurity czar from the White House. Although many observers speculated that Clarke resigned in frustration at the loss of his White House post, he vehemently denies that. "I was not about to be absorbed — anybody that says that doesn't know what they're talking about." Clarke, now chairman of Good Harbor Consulting, says he left "because I'd completed 30 years of government service, because I'd just finished the project I had undertaken for the president, which was developing the National Strategy to Secure Cyberspace."
Howard Schmidt, the former CSO of Microsoft and vice chair of the infrastructure board at the time, succeeded Clarke as a White House adviser on cybersecurity. But within a few months, Schmidt resigned as well, becoming CISO of eBay.
After a long search, DHS Secretary Tom Ridge appointed Yoran to head the new National Cyber Security Division. Yoran, who reports to Assistant Secretary for Infrastructure Protection Bob Liscouski, took office in October.
Even though Yoran has been crowned the new cybersecurity czar, critics worry his kingdom has lost some power. The departures of Clarke and Schmidt and the removal of the cybersecurity position from the White House prompted questions about the administration's commitment to the issue. Clarke himself believes cybersecurity has fallen somewhat off the administration's radar. "Basically, what we've done is taken the former position we had until a year ago — where the senior person worrying about cybersecurity was a special adviser — and now that person is an office director," Clarke says. "That sent a message that was very widely interpreted by industry of the administration downgrading the importance of the issue."
Jeffrey Hunker, former senior director for critical infrastructure in the White House and now a professor of technology and public policy at Carnegie Mellon, agrees. "Now you're putting it essentially below a secretary, several layers down in a big department," he says. "My experience has been that what it really means is a lack of access, or that it limits access to the Cabinet and the presidential level."
Yoran disagrees about the access issue. "I'm there [at the White House] at least once a week, more frequently twice a week. I can assure you cybersecurity has visibility at the most senior levels of the White House and has their attention. Folks who've spent time in Washington know it's very clear the White House doesn't have an operational role. Actual operations take place in the agencies. Placing cybersecurity in DHS very clearly demonstrates we're in the implementation phase of the national strategy," he says. Lewis concurs. "Cybersecurity only makes sense if it's integrated into the larger critical infrastructure strategy. They did the right thing by putting it in Liscouski's group," he says.
Is the National Strategy Sensible or Toothless?

The National Cyber Security Division has a smorgasbord of responsibilities as it continues ramping up. It's tasked with responding to major incidents, conducting cyberspace analysis, improving information-sharing, issuing alerts and warnings, and aiding in national recovery efforts. The division is also charged with implementing the Homeland Security Act of 2002 and the National Strategy to Secure Cyberspace. In announcing creation of the division last June, Ridge said that its work would focus on "the vitally important task of protecting the nation's cyberassets so that we may best protect the nation's critical infrastructure."
The strategy document, like many of the things associated with DHS, has its share of passionate supporters and critics. It lays out five critical priorities:
— Developing a national cyberspace security response system
— Developing a national cyberspace security threat and vulnerability reduction program
— Developing a national cyberspace security awareness and training program
— Securing the cyberspace of all levels of government
— Assuring national security and international cyberspace security cooperation
In autumn 2002, Clarke was set to release the document at a Stanford University ceremony. But before the release, the strategy was put on the back burner. Lobbyists for businesses likely to be affected by the report (including those in the software, security and telecom industries) had successfully squelched certain provisions in earlier drafts. One, for example, called for ISPs to provide users with personal firewalls; another mandated improved wireless security. When the strategy was finally released in February 2003, some complained it had been left with little bark and even less bite. Its main cornerstone was that cybersecurity should, for the most part, be left to the private sector. While business generally applauded the strategy, many security experts derided the reliance on voluntary action as a capitulation to powerful lobbying interests.
Clarke defends the strategy. Referring to those who think it lacks teeth, he says, "That's kind of a trite criticism. People who say that, one assumes, are advocates of government regulation. If there is one-size-fits-all government regulation on cyberspace, you'll have a least-common-denominator solution. Over time, that won't work. Hackers and other criminals will work their way around whatever homogenous solution you come up with."
Schmidt points out that the government sought plenty of input from around the country. "We did 12 town meetings. We met with the public, CEOs, home users and security technicians. Never before had [a strategy] been vetted so thoroughly." Like Clarke, Schmidt says the result was "a good, balanced approach to the problem."
Paller begs to differ. "It lacks teeth," he says simply, noting that between the first and final drafts, most of the good ideas were lost. "That was the pinnacle of the business power movement in cybersecurity, the last editing of the plan," he says. "The specific proposals — the 'we will' and 'you must' — disappeared."
Assessing the Threat

How vulnerable is the United States to a massive cyberattack on its critical infrastructure? What are the bad guys zeroing in on? "It's absolutely feasible for a massive attack to take out huge segments of the Internet," says Paller. But he adds that the probability of that happening is pretty low. One reason, he says, is that the bad guys earn a living from cybercrime. Taking down the Net would damage their lifeblood, the digital hand that feeds them. Paller thinks a more likely event would be on a smaller scale, such as taking out the electrical system in some areas.
Tom Longstaff, manager of survivable network technologies at the CERT research and analysis centre, is currently focusing on how to look at sensors all over the nation's computer networks to see what kinds of problems are lurking there. The biggest threats he sees fall into two categories. The first is aimed at the Internet itself. "We're seeing attacks targeting specific points in the infrastructure, not necessarily to bring it down, but to control it. These kinds of attacks focus on the mechanisms that make the Internet work," he says. One kind of attack he's seeing more of targets domain name services, undermining trust that the typed URL will bring a user to a legitimate Web page, or that an e-mail will actually go to its intended recipient.
The second worrisome category of attacks involves the interfaces between the cyber and physical worlds: SCADA (supervisory control and data acquisition) systems and other process control systems that connect to power grids, gas lines and manufacturing plants. Longstaff notes that in the past, these sorts of physical systems weren't well connected to the Internet. Now, though, as companies have cut personnel and installed technology to make them more automated and efficient, the physical components of the critical infrastructure are much more vulnerable to cyberattack. "There are small computers in the field or in a manufacturing line feeding into larger computers [that] feed into business computers that are connected to the Internet.... In some cases the security is very good. But that's far from the industry standard," he says.
Schmidt sees a huge challenge in trying to understand the interdependencies that exist where electronic networks interface with the physical world. When the Slammer worm hit in January 2003, for example, people couldn't get cash out of some ATMs that connected to back-end databases compromised by the worm. Schmidt worries that the relationship between the cyber and physical infrastructure isn't well understood. He recalls that when he used to ride the train between Washington and New York, he took notice of a bunch of nondescript brick buildings along the tracks in Philadelphia. When he asked local law enforcement officials what they were doing to secure those buildings, he was told, "We're not doing anything. Nobody wants to break into those; they're just computers."
Carrot or Stick?

Last December, DHS, along with four business associations (the Information Technology Association of America, Business Software Alliance, TechNet and the US Chamber of Commerce), organized a National Cyber Security Summit in Santa Clara, California. Some 350 people from government, academia and industry attended the closed event. Working groups were formed to deal with establishing a cybersecurity early warning system; developing technical standards and common criteria around information security; making management of cybersecurity an integral part of corporate governance; creating better security awareness among home computer users and businesses; and increasing security in software development, installation and patch management.
This sort of private-sector outreach is part of DHS's mission, which emphasizes building a strong public-private partnership to tackle cybersecurity. But all wasn't lovey-dovey in Santa Clara, according to Dan Burton, vice president of government affairs for Entrust, a digital identity security company. DHS's Liscouski delivered a stern message to the attendees. "He basically said we're at war. Industry is not doing enough, and we have no qualms about going to Congress and passing legislation to change [industries'] ways. It was a broadside toward industry at large," Burton says.
"That's not the best way to come across to the [private] sector," says Suzanne Gorman, who chairs the financial services ISAC and attended the summit. But with viruses, worms and other attacks sure to continue — and likely become more destructive — DHS seems to be delivering a not-so-subtle message: Industry secure thyself, or we'll start lighting fires under your feet. The five working groups delivered reports last month, and another summit is planned for September. If DHS determines then that enough progress hasn't been made, businesses may hear unpleasant news from Washington.
Waiting in the wings on Capitol Hill, and casting a keen eye on the task forces' progress, is Rep. Adam Putnam (R-Fla.), the youngest member of Congress. Last fall Putnam, who chairs a House subcommittee on technology and information policy, drafted legislation (the Corporate Information Security Accountability Act of 2003) that calls for companies to disclose annually to the SEC an audit of how they're doing on information security. Compliance with Putnam's legislation could involve performing independent corporate security and risk assessments, and developing risk-mitigation, incident-response and business-continuity plans.
Putnam circulated the draft for feedback from industry and other groups. Not surprisingly, it generated a number of concerns, including the view that more regulation isn't the answer. Bob Dix, the subcommittee's staff director, says Putnam listened to the private-sector feedback and decided to hold his legislation in abeyance for a period of time. Putnam, Dix says, challenged corporate America to come up with an alternative approach to "meaningfully move the ball down field to get significant improvements." In the meantime, Putnam and his staff assembled a working group from the private sector and academia to report back to him on ways that corporate information security can be improved. His report was due out around the same time as the findings from the Cyber Security Summit working groups.
While Putnam sees regulation as a last resort, Dix implies it's up to the private sector to take action. "The potential for a combined cyber and physical attack is frightening," he says. "We have reason to believe there are vulnerabilities that exist in the critical infrastructure that need to be addressed now."
SIDEBAR: Bunch of Hacks
How vulnerable are the US's computer networks? How much devastation can cyberattacks wreak? According to Mi2g, a digital security company, digital attacks caused an estimated $US185 billion to $US226 billion in economic damage in 2003. Here are some events from recent history that show why.
Eligible Receiver. This is the code name for a 1997 Defense Department exercise. DoD assigned a team from the National Security Agency to see if it could hack into Pentagon computer networks using only publicly available computers and hacking software. No problem, as it turned out. The team took control of Pacific Command Center computers, as well as power grids and 911 systems. A few years later, on the PBS series Frontline, John Hamre, deputy secretary of defense from 1997 to 1999, acknowledged that for "the first three days of Eligible Receiver, nobody believed we were under cyberattack."
Moonlight Maze. The Defense Information Systems Agency discovered that computer systems at the Pentagon, NASA, other government agencies, universities and research labs had been under attack for nearly two years, since March 1998. The attackers broke into hundreds of computer networks, stealing information on contracts, research and unclassified military data, including troop data and maps of military installations. Investigators, who dubbed the investigation Moonlight Maze, traced the hackers to Russia, but the Russian government denied any knowledge of the attacks. Because of the sophisticated "back doors" the attackers built, they continued stealing data for at least three years after the break-ins were discovered.
Code Red. This fast-propagating worm, which struck in July 2001, infected some 260,000 computers in its first 12 hours by exploiting a hole in Microsoft IIS Web servers. In its first variation, infected computers were used to bombard the White House Web site in a denial-of-service attack, which was thwarted. Many other Web sites were defaced with the words "Hacked by Chinese."
Nimda. "Admin" spelled backward. This worm disrupted the US financial sector a week after September 11. Like Code Red, it exploited flaws in Microsoft IIS Web servers, though on a much broader scale. It spread via e-mail attachments, infected Web pages and other computers linked on a network. Despite the timing, the worm was not linked to the September 11th terrorist attacks.
Slammer. This worm hit computers on January 25, 2003, by exploiting a flaw in Microsoft's SQL Server 2000 software for which a patch had been available since July 2002. It disrupted ATM systems and airline reservation systems, infected a number of large financial institutions and snarled the Internet. It reached roughly 90 percent of the vulnerable hosts within its first 10 minutes, making it, at that time, the fastest-spreading cyberattack in history.
Blaster. This worm, which struck in August 2003, infected computers running Microsoft Windows and was also designed to overwhelm Microsoft's Windows Update Web site with a denial-of-service attack.
SoBig.F. Bigger than big. Launched in August 2003, it mailed itself to every e-mail address it found on an infected computer, propagating so rapidly that, for a time, one of every 17 e-mails in circulation was a copy of the worm.
Mydoom. SCO Group, a Utah-based software company that has made news by claiming IBM illegally copied pieces of SCO's Unix code into Linux, was the target of this worm. It struck in January 2004 and succeeded in shutting down SCO's Web site, as well as clogging e-mail systems all over the country.
SIDEBAR: Cybersecurity Timeline
1988 JAN. President Reagan signs the Computer Security Act of 1987.
1997 OCT. The President's Commission on Critical Infrastructure Protection (known as the Marsh Commission) recommends new cyberdefense initiatives.
1998 MAY. President Clinton issues Presidential Decision Directive 63, which creates NIPC, CIAO and NIAC.
2000 JAN. The White House issues its National Plan for Information Systems Protection, the first attempt to create a national cyberdefense strategy.
2001 OCT. President Bush establishes the President's Critical Infrastructure Protection Board and names Richard Clarke as its chairman.
2003 JAN. The Department of Homeland Security begins operations.
FEB. The White House releases the National Strategy to Secure Cyberspace. Clarke resigns; President Bush dissolves the position of cybersecurity czar in the White House.
MARCH. DHS absorbs CIAO, the Federal Computer Incident Response Center and most of NIPC.
JUNE. DHS creates the National Cyber Security Division (NCSD), located in the Information Analysis and Infrastructure Protection Directorate, and later appoints Amit Yoran to lead it.
DEC. DHS cohosts with four industry associations a National Cyber Security Summit in California; five working groups are established to address specific areas of cybersecurity.