IN THIS STORY:
>Defining cyberterrorism
>Supporting the private sector
>Cyberdefense

Printable version

Supporting the private sector
Private-sector professionals bear the lion's share of the responsibility for protecting our networks from cyberthreats. As much as 90 percent of our nation's critical infrastructure lies within the private sector, including telecommunications, banking networks, transportation, emergency services, the electrical power grid, and oil, gas, and water systems. 

During the 1980s and early 1990s, some utility companies and public agencies began linking their systems to the Internet, citing increased efficiencies and cost savings. At the time, many failed to realize the security weaknesses inherent in a public network. 

"People need to think every time they move a function that relies on the Internet about what they've done about security, what they've done to ensure redundancy, and what they've done in terms of a backup plan," says Lewis.

Thankfully, many critical computer systems aren't linked to the Internet, the gateway commonly used by hackers to gain access to a system. Classified systems, such as those operated by DoD, operate independently or as part of a secure network, and personnel access is restricted. Still, Lewis acknowledges that cybersecurity has become a very real concern to both government agencies and companies in the private sector. 

In January 2003, an attacker used the Internet to seek out and infect vulnerable computers using a known flaw in a popular database software program from Microsoft Corp., called SQL Server 2000. The attack caused damage by rapidly replicating itself and clogging the Internet. A number of Web sites shut down temporarily, including the Countrywide Financial Corp. site, the nation's largest residential mortgage firm, and American Express Co. In addition, dispatchers at several 911 centers in the Seattle area had to revert to pen and paper when their systems were disrupted, and Bank of America Corp. customers were unable to use the company's automatic teller machines for a day. 

The incident illustrated that emergency response and banking systems that should be immune from traditional Internet outages and attacks might be vulnerable. Indeed, the security decisions one company makes about its networks, which are linked to other networks that are linked to still more networks, make the outcome of a cyberattack difficult to predict. 

"What we really have to do is sort of map out where the actual vulnerabilities are, and that will require cooperation with companies in the private sector," says Lewis.

However, most private-sector companies have been reluctant to share such information - and with good reason. Financial institutions that report intrusions often end up losing customers. News of a successful cyberattack also can influence investors' confidence and adversely affect a company's stock prices. 

"When CD Universe suffered a large and public theft of credit card numbers in early 2000, it cost [the company] dearly in [its] war for market share against Amazon.com and CDNow," says Schneier. "In the aftermath of public corporate attacks, companies often spent more money and effort containing the public relations problem than fixing the security problem."

The biggest challenge facing most companies, however, is lack of training. This is particularly true among small businesses.

In early July 2003, a group announced it would be holding a hacking contest that could disrupt traffic on the Internet. Although the contest received much media coverage, the event proved to be less than alarming with no reports of vandalism involving large Internet sites being reported. However, hundreds of Web sites maintained by small business owners were affected, proving that although online security has improved inside large corporations and government agencies, many mom-and-pop operations lack the manpower or resources needed to secure their computer systems.

Even in large organizations, nontechnical staff members often don't possess the training needed to protect their companies' networks. Recently, the Information Technology Association of America (ITAA) in Arlington, Va., unveiled the Information Security Awareness Certification (I-ACERT) program, which is designed to help organizations assess their cybersecurity strengths and weaknesses. 

"Information security is a matter of people, processes, and technology," says ITAA President Harris Miller. "Several certification programs exist to test the information security skills of technical professionals. The I-ACERT program is a testing resource for the rest of us - nontechnical individuals who use a computer and network every day to get the job done."

These factors have left people with an unsettling feeling about the security of many critical systems. However, IT professionals like Schneier say most people tend to overestimate the risks of cyberterrorism while they underestimate the risks of cybercrime.

"There are several organizations that track attacks over the Internet," says Schneier. "Over the last six months, less than 1 percent of all attacks originated from countries on the U.S. government's Cyberterrorist Watch List, while 35 percent originated from inside the United States."

Cyberdefense
Congress first addressed the problems being caused by computer hackers back in 1986 when it passed the Computer Fraud and Abuse Act, which makes it a crime to break into computer systems. Many other laws that make computer intrusions a crime later were passed, including the1996 National Information Infrastructure Protection Act and the Cyber Security Enhancement Act of 2002. However, these laws haven't deterred ambitious computer hackers who live in the United States and overseas. 

The U.S. government also is stepping up its efforts to curb cyberattacks and improve cybersecurity. In June 2003, Homeland Security Secretary Tom Ridge created the National Cyber Security Division (NCSD). The NCSD will operate 24 hours a day, seven days a week and will perform a variety of functions, including conducting cyberspace analysis, issuing alerts and warnings, improving information sharing, responding to major incidents, and aiding in national-level recovery efforts. The NCSD consolidates a number of federal agencies that have addressed cybersecurity issues in the past, including the Federal Bureau of Investigation's National Infrastructure Protection Center, the Department of Commerce's Critical Infrastructure Assurance Office, and the General Services Administration's Federal Computer Incident Response Center. 

Legislative efforts and government agencies only can do so much, however. True cybersecurity rests in the hands of technical and nontechnical employees who work both in the government and in the private sector. It rests in the hands of the companies that sell software that contains known security flaws and among the IT professionals and business owners who fail to provide adequate security for their computer systems. 

"Fraud and espionage are serious problems," says Schneier. "Luckily, the same countermeasures aimed at cyberterrorists also will prevent hackers and criminals. If organizations secure their computer networks for the wrong reason, it still will be the right thing to do."