|
The House Committee on Science recently held a hearing to “examine the extent of U.S. vulnerability to cyber attacks on critical infrastructure such as utility systems, and what the federal government and private sector are doing, and should be doing, to prevent and prepare for such attacks.”
Specific issues addressed at the hearing included whether: 1) the U.S. is able to detect, respond to, and recover from cyber-attacks on critical infrastructure; and 2) is there a clear line of responsibility within the federal government to deal with cybersecurity.
Chairman Boehlert started the hearing by comparing a cyber-attack with the effects of a hurricane and noting that “given the increasing reliance of critical infrastructures on the Internet, a cyber attack could result in deaths as well as in massive disruption to the economy and daily life.” As the Chairman explained, I never want to have to sit on a special committee set up to investigate why we were unprepared for a cyber attack. We know we are vulnerable, it’s time to act.”
A senior official from the Department of Homeland Security discussed the agency’s mission, goals and participation in a vast array of cybersecurity-related projects and initiatives. CIOs from major corporations warned the Committee “that the nation’s critical infrastructure remains vulnerable to cyber attack. The witnesses testified that “the economy is increasingly dependent on the Internet and that a major attack could result in significant economic disruption and loss of life.”
It’s good to see that the Executive Branch, Congress and industry recognize the magnitude of danger that a cyber-attack could pose to the nation’s critical infrastructure and are also taking steps to protect the country from such an attack. Coordinated protective measures by government and industry is essential for securing cyberspace and, with it, our national security and the global economy. However, a well planned, organized cyber-attack could potentially overwhelm or circumvent even the best defenses.
Along with protecting against cyber-attack, it is also important that the government recognizes that potential attackers live in real spaces, not just in cyberspace. The real world addresses of current and potential cyber-adversaries may be very well disguised but they do exist. One of the government’s priorities should include locating those addresses, verifying them, and then considering appropriate action.
Sponsored byCSC
Sponsored byVerisign
Sponsored byRadix
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byWhoisXML API
Comparing “Cyber attack” to the effects of a hurricane? That is such a sick analogy.
The level of rhetoric at these meetings does seem to depend on how vendor driven the agenda is, I’ve found.
Yes, there are practical, hard headed measures being proposed and accepted too - but very few of them, compared to a lot of vendor fueled marketing tripe aimed at promoting their latest “highly secure” products.
I agree this is an issue, and there are some government agencies/contractors such as CERT, with responsibilities in this area. Might I ask if you feel that CERT should take on additional responsibilities, or if you think it’s structurally wrong for some missions? I’ll have to say that having worked with critical infrastructure before the formation of DHS, I’m not sure that the scope of DHS is workable for all things.
What do you consider the major threats, and especially which ones should stay under surveillance, or (if any) attacked preemptively? For example, can it be assumed a large BOTNET army is inherently a threat and should be attacked whenever found? Given that miscreants often struggle for control of one anothers’ BOTNETs, counterattacks may be quite deniable given that they go on constantly among “black hats”.
Any specifics on the Internet routing architecture? Should S-BGP, SO-BGP, or both be made priorities? Given that these are likely to be a performance hit on existing carrier routers, should the ISPs fund this themselves, get discounts from business insurers or their self-insurance planners, or, much as the AT&T long-haul switching infrastructure got government subsidies for hardening in the Cold War, should there be any assistances? Has the potential vulnerability of MD5 risen to critical levels?
What do you mean by “Should”? Is it possible? Ethical? A good idea?
I can think of a couple highly effective offensive cyber-attack strategies the US could use in a war with another country.
Given that the US doesn’t care what citizens think, the title question is academic.
Phishing websites could be attacked with ‘whitehat’ botnets, but this is a dumb idea; signed mail is a simpler and better solution.
(The folks who provide identity protection to banks and such are guilty of gross neglect for not pushing this…)
Excuse me while I adjust my tinfoil/devil’s advocate hat, but isn’t it odd that there have been lots of viruses (viruses, worms or trojans, that is) that were
A) very destructive (i.e. that delete or corrupt data (and a few that can damage hardware - see http://en.wikipedia.org/wiki/Power_virus)
OR
B)very virulent,
but not both A and B?
What better way to get computers secured than cause enough damage to prod defenses to be put in place, but not disable the economy, by releasing such viruses, but not releasing viruses that are both very virulent and destructive enough to take down much of the Internet or economy. (Yes, I realize that there have been some fairly destructive highly virulent viruses.)