Alarmist, perhaps? Far from it. The scenario is actually quoted from a letter sent by a group of concerned scientists to President Bush in February 2002. Signatories included O. Sami Saydjari, founder of the Cyber Defense Research Center; Matt Donlon, former director of the security and intelligence office at the Defense Advanced Research Projects Agency; and Robert T. Marsh, a retired Air Force general and former chairman of the President's Commission on Critical Infrastructure Protection. The scientists don't mince words about the cyberthreats facing the nation: "The critical infrastructure of the United States, including electric power, finance, telecommunications, health care, transportation, water, defense and the Internet, is highly vulnerable to cyberattack. Fast and resolute mitigating action is needed to avoid national disaster."

While the group's scenario was meant to grab attention, it also was grounded in reality. Each of the events depicted has happened (though not concurrently); some resulted from government-sponsored exercises, some from technical failures and some from actual cyberattacks. All could plausibly be triggered by a few knowledgeable people using some PCs and Internet access.

The cyberthreat to the nation's security and economy may not be as well understood to the general public as a dirty bomb or a vial of ricin in the wrong hands. But to experts in cybersecurity—those who know the vulnerabilities of the Internet and do daily combat with hackers, criminals and foreign governments trying to probe our critical infrastructure and military networks—the threat is vividly real. Indeed, the 54 scientists who signed the letter believe that a professionally coordinated cyberattack on the critical infrastructure could ravage not only the nation's economy (to the tune of hundreds of billions of dollars in damage) but also undermine public confidence in the government's ability to protect its citizens. In fact, although a cyberattack alone may lack the awful human destruction that can accompany a physical attack, because the systems controlling the critical infrastructure are often densely interconnected, such an attack could have more destructive and widespread consequences.

Amit Yoran, director of DHS's National Cyber Security Division, is said to be building a high-quality technical team at the fledgling agency.

This story looks at the challenges facing DHS and its cybersecurity team, and how they're working with the private sector to address them. While regulations remain a political third-rail within the business community, DHS and some in Congress are sending signals to CEOs that serious progress had better happen fast or else regulation may turn from threat to reality.


Cybersecurity Makes a Name for Itself
Given the relatively brief history of ubiquitous computing, cybersecurity wasn't addressed at the presidential level until Ronald Reagan signed the Computer Security Act of 1987, a measure aimed at protecting the security and privacy of sensitive information in the federal government's computer systems. Recognizing the growing dependence of the critical infrastructure on information technology, President Clinton formed the President's Commission on Critical Infrastructure Protection in 1996. Led by Robert Marsh (a signatory of the aforementioned letter), the commission, consisting of both public- and private-sector members, set out to develop a national policy and implementation strategy to protect the critical infrastructure from physical and cyberattacks. In 1997, the commission, which focused primarily on the cyberthreat, issued a report that recommended improving structures and processes to promote information-sharing between government and industry, educating citizens on cybersecurity issues, revising certain statutes to address infrastructure assurance concerns and greatly improving funding for R&D into infrastructure protection.

The White House took the report and the growing infrastructure threat to heart. In May 1998, President Clinton issued Presidential Decision Directive 63 (PDD 63), which set forth a framework to address the Marsh Commission's findings. It created the National Infrastructure Protection Center (NIPC) at the FBI; the Critical Infrastructure Assurance Office (CIAO) at the Department of Commerce; and the National Infrastructure Assurance Council (NIAC), consisting of representatives from both the public and private sectors. It also called for the establishment of Information Sharing and Analysis Centers (ISACs). As with the Marsh report, PDD 63 emphasized that infrastructure protection need not be dictated by government but by market forces. Also that month, the president appointed Richard Clarke as the first national coordinator for security, infrastructure protection and counterterrorism.

As the fallout from 9/11 continued, some members of Congress began calling for a Department of Homeland Security to centralize the nation's counterterrorist efforts and protect the homeland. The Homeland Security Act of 2002, which created the department, established the Information Analysis and Infrastructure Protection Directorate (IAIP) within DHS as the place where cybersecurity efforts would now be coordinated.


DHS as Chief Cybercop
As DHS tried to hit the ground running, it needed to spend a good chunk of time just lacing up its shoes. Some observers expressed serious concerns last year when the department absorbed a number of existing organizations that had been making steady progress on cybersecurity in the critical infrastructure. In March 2003, NIPC (except for the Computer Investigations and Operations Section), CIAO and the Federal Computer Incident Response Center were transferred to DHS. Getting those groups under the same umbrella made sense. But Michael Vatis, the founder and former director of NIPC, testified before Congress last April that even though more than 300 positions were transferred from NIPC to DHS, most of the incumbent staffers found other positions in the FBI; only 10 to 20 actually made the move. Further complicating recruitment, DHS had not yet created its National Cyber Security Division.

Whether recruiting has improved is open for debate. James Lewis, senior fellow and director of technology policy at the Center for Strategic & International Studies, says getting talented people to join DHS is still a tough sell. "The problem they have is that DHS is relatively weak, as agencies go. It routinely gets beaten out by the FBI or CIA.... It's the new kid on the block," he says.

On the other hand, Alan Paller, director of research at the SANS Institute, believes Yoran has nabbed a bunch of good hires. "They're building a high-quality technical team—that's what Amit is doing. He knows how to hire really solid technical people and motivate them," Paller says, adding that employees like working with Yoran because, rather than being an inexperienced appointee, he comes from a cybersecurity background. (Yoran, a former military officer, worked at Symantec before joining DHS.)

As the agency struggled to begin operations, it also had to absorb the loss of Clarke, one of the country's foremost cyberterrorism experts. Clarke resigned just before the president removed the position of cybersecurity czar from the White House. Although many observers speculated that Clarke resigned in frustration at the loss of his White House post, he vehemently denies that. "I was not about to be absorbed—anybody that says that doesn't know what they're talking about." Clarke, now chairman of Good Harbor Consulting, says he left "because I'd completed 30 years of government service, because I'd just finished the project I had undertaken for the president, which was developing the National Strategy to Secure Cyberspace."

Howard Schmidt, the former CSO of Microsoft and vice chair of the infrastructure board at the time, succeeded Clarke as a White House adviser on cybersecurity. But within a few months, Schmidt resigned as well, becoming CISO of eBay.

After a long search, DHS Secretary Tom Ridge appointed Yoran to head the new National Cyber Security Division. Yoran, who reports to Assistant Secretary for Infrastructure Protection Bob Liscouski, took office in October.

Howard Schmidt, a former White House adviser on cybersecurity, worries that the relationship between the cyber and physical infrastructures isn't well understood.

Jeffrey Hunker, former senior director for critical infrastructure in the White House and now a professor of technology and public policy at Carnegie Mellon, agrees. "Now you're putting it essentially below a secretary, several layers down in a big department," he says. "My experience has been that what it really means is a lack of access, or that it limits access to the Cabinet and the presidential level."

Yoran disagrees about the access issue. "I'm there [at the White House] at least once a week, more frequently twice a week. I can assure you cybersecurity has visibility at the most senior levels of the White House and has their attention. Folks who've spent time in Washington know it's very clear the White House doesn't have an operational role. Actual operations take place in the agencies. Placing cybersecurity in DHS very clearly demonstrates we're in the implementation phase of the national strategy," he says. Lewis concurs. "Cybersecurity only makes sense if it's integrated into the larger critical infrastructure strategy. They did the right thing by putting it in Liscouski's group," he says.


Is the National Strategy Sensible or Toothless?
The National Cyber Security Division has a smorgasbord of responsibilities as it continues ramping up. It's tasked with responding to major incidents, conducting cyberspace analysis, improving information-sharing, issuing alerts and warnings, and aiding in national recovery efforts. The division is also charged with implementing the Homeland Security Act of 2002 and the National Strategy to Secure Cyberspace. In announcing creation of the division last June, Ridge said that its work would focus on "the vitally important task of protecting the nation's cyberassets so that we may best protect the nation's critical infrastructure."

The strategy document, like many of the things associated with DHS, has its share of passionate supporters and critics. It lays out five critical priorities:

• Developing a national cyberspace security response system

• Developing a national cyberspace security threat and vulnerability reduction program

• Developing a national cyberspace security awareness and training program

• Securing the cyberspace of all levels of government

• Assuring national security and international cyberspace security cooperation

In fall 2002, Clarke was set to release the document at a Stanford University ceremony. But before the release, the strategy was put on the back burner. Lobbyists for businesses likely to be affected by the report (including those in the software, security and telecom industries) had successfully squelched certain provisions in earlier drafts. One, for example, called for ISPs to provide users with personal firewalls; another mandated improved wireless security. When the strategy was finally released in February 2003, some complained it had been left with little bark and even less bite. Its main cornerstone was that cybersecurity should, for the most part, be left to the private sector. While business generally applauded the strategy, many security experts derided the reliance on voluntary action as a capitulation to powerful lobbying interests.

If there is one-size-fits-all government regulation on cyberspace, you'll have a least-common-denominator solution. Over time, that won't work. —RICHARD CLARKE

Schmidt points out that the government sought plenty of input from around the country. "We did 12 town meetings. We met with the public, CEOs, home users and security technicians. Never before had [a strategy] been vetted so thoroughly." Like Clarke, Schmidt says the result was "a good, balanced approach to the problem."

Paller begs to differ. "It lacks teeth, " he says simply, noting that between the first and final drafts, most of the good ideas were lost. "That was the pinnacle of the business power movement in cybersecurity, the last editing of the plan," he says. "The specific proposals—the 'we will' and 'you must'—disappeared."


Assessing the Threat
How vulnerable is the United States to a massive cyberattack on its critical infrastructure? What are the bad guys zeroing in on? "It's absolutely feasible for a massive attack to take out huge segments of the Internet," says Paller. But he adds that the probability of that happening is pretty low. One reason, he says, is that the bad guys earn a living from cybercrime. Taking down the Net would damage their lifeblood, the digital hand that feeds them. Paller thinks a more likely event would be on a smaller scale, such as taking out the electrical system in some areas.

Tom Longstaff, manager of survivable network technologies at the CERT research and analysis center, is currently focusing on how to look at sensors all over the nation's computer networks to see what kinds of problems are lurking there. The biggest threats he sees fall into two categories. The first is aimed at the Internet itself. "We're seeing attacks targeting specific points in the infrastructure, not necessarily to bring it down, but to control it. These kinds of attacks focus on the mechanisms that make the Internet work," he says. One kind of attack he's seeing more of targets domain name services, undermining trust that the typed URL will bring a user to a legitimate webpage, or that an e-mail will actually go to its intended recipient.

CERT's Tom Longstaff sees a growing risk to Scada systems controlling physical processes at infrastructure elements such as power grids, gas lines and manufacturing plants.

Schmidt sees a huge challenge in trying to understand the interdependencies that exist where electronic networks interface with the physical world. When the Slammer worm hit in January 2003, for example, people couldn't get cash out of some ATMs that connected to back-end databases compromised by the worm. Schmidt worries that the relationship between the cyber and physical infrastructure isn't well understood. He recalls that when he used to ride the train between Washington and New York, he took notice of a bunch of nondescript brick buildings along the tracks in Philadelphia. When he asked local law enforcement officials what they were doing to secure those buildings, he was told, "We're not doing anything. Nobody wants to break into those; they're just computers."


Carrot or Stick?
Last December, DHS, along with four business associations (the Information Technology Association of America, Business Software Alliance, TechNet and the U.S. Chamber of Commerce), organized a National Cyber Security Summit in Santa Clara, Calif. Some 350 people from government, academia and industry attended the closed event. Working groups were formed to deal with establishing a cybersecurity early warning system; developing technical standards and common criteria around information security; making management of cybersecurity an integral part of corporate governance; creating better security awareness among home computer users and businesses; and increasing security in software development, installation and patch management.

This sort of private-sector outreach is part of DHS's mission, which emphasizes building a strong public-private partnership to tackle cybersecurity. But all wasn't lovey-dovey in Santa Clara, according to Dan Burton, vice president of government affairs for Entrust, a digital identity security company. DHS's Liscouski delivered a stern message to the attendees. "He basically said we're at war. Industry is not doing enough, and we have no qualms about going to Congress and passing legislation to change [industries'] ways. It was a broadside toward industry at large," Burton says.

"That's not the best way to come across to the [private] sector," says Suzanne Gorman, who chairs the financial services ISAC and attended the summit. But with viruses, worms and other attacks sure to continue—and likely become more destructive—DHS seems to be delivering a not-so-subtle message: Industry secure thyself, or we'll start lighting fires under your feet. The five working groups delivered reports last month, and another summit is planned for September. If DHS determines then that enough progress hasn't been made, businesses may hear unpleasant news from Washington.

Waiting in the wings on Capitol Hill, and casting a keen eye on the task forces' progress, is Rep. Adam Putnam (R-Fla.), the youngest member of Congress. Last fall Putnam, who chairs a House subcommittee on technology and information policy, drafted legislation (the Corporate Information Security Accountability Act of 2003) that calls for companies to disclose annually to the SEC an audit of how they're doing on information security. Compliance with Putnam's legislation could involve performing independent corporate security and risk assessments, and developing risk-mitigation, incident-response and business-continuity plans.

Putnam circulated the draft for feedback from industry and other groups. Not surprising, it generated a number of concerns, including the view that more regulation isn't the answer. Says Bob Dix, the subcommittee's staff director, Putnam listened to the private-sector feedback and decided to hold his legislation in abeyance for a period of time. Putnam, Dix says, challenged corporate America to come up with an alternative approach to "meaningfully move the ball down field to get significant improvements." In the meantime, Putnam and his staff assembled a working group from the private sector and academia to report back to him on ways that corporate information security can be improved. His report was due out around the same time as the findings from the Cyber Security Summit working groups.

While Putnam sees regulation as a last resort, Dix implies it's up to the private sector to take action. "The potential for a combined cyber and physical attack is frightening," he says. "We have reason to believe there are vulnerabilities that exist in the critical infrastructure that need to be addressed now."

Senior Editor Todd Datz can be reached at tdatz@cxo.com.

PHOTO OF YORAN BY DRAKE SOREY; SCHMIDT BY JAY BLAKESBURG; LONGSTAFF BY RIC EVANS

The Interactive Nightmare

The best thing about the modern computer network is also its chief liability: Everything's connected, with on-ramps conveniently located everywhere.  BY TODD DATZ

http://www.csoonline.com/read/040104/nightmare.html?action=print
All Credit to 2002-2007 CXO Media Inc.