ORLANDO, Florida—Cyber-security and counterterrorism analyst Roger Cressey on Monday pleaded with IT executives not to underestimate the threat of a "national cyber-event" targeting critical infrastructure in the United States.
During a keynote address at the InfoSec World 2005 conference here, Cressey warned against discounting the danger of the Internet being used in a terrorist-related attack.
"It may not be a terrorist attack, but a cyber-event is a very, very serious possibility. When it happens, it will have serious economic impact on our critical infrastructure."
Cressey, who served as chief of staff to the president's Critical Infrastructure Protection Board at the White House, said there was enough evidence that U.S. enemies were actively using the Web to recruit, organize and communicate terrorism activities.
"I don't see the Internet as a means to a mass attack [on human lives] but we have to be aware that cyber-crime is a key component of the terrorism setup. We would be foolish not to assume a targeted attack on some aspects of national infrastructure. I don't know if we can protect against this type of event today," Cressey said.
The on-air counterterrorism analyst for NBC News said the rapid rate at which Internet security vulnerabilities were being detected only adds to the worry.
"Software vulnerabilities are being discovered at amazingly fast rates. [The] time to exploit continues to shrink. We're getting closer and closer to zero-day exploits," Cressey warned, adding that computer operating systems had become a target-rich environment.
"Before 9/11, we thought we had it all covered, but we had no idea what we're missing. There were warnings, but we never took them seriously. That's the mind set we need to have today regarding a cyber-event. We need to assume that it will happen and get ready to deal with it."
He said the increase in identity theft, spam and phishing attacks has already caused a "crisis of confidence" in the e-commerce sector.
"Consumers go on the Internet to read the news, but they get scared to shop online. E-commerce will never reach its full potential," he said.
Cressey said the U.S. government's DHS (Department of Homeland Security) made a fundamental mistake in the early days when it threw resources on physical security assets without similar investments in critical security IT infrastructure.
"The result is they sent mixed signals to the industry. Silicon Valley and the private sector looked at what was happening and figured the government was only talking the talk without walking the walk."
He said the DHS must prioritize the risks before deciding on the level of spending on security and must show leadership in the area of information-sharing and advance warnings on Internet security vulnerabilities.