Networks at Risk: Assessing Vulnerabilities

As Johna Till Johnson watched 7 World Trade Center collapse, burying Verizon Communications' megacentral office in rubble, she had an epiphany.

"If they really wanted to do damage, they would have taken out the telco building," she said. "They went after the thing that had press potential."

Johnson wasn't alone in that assessment. Although the network performed remarkably in the aftermath of the terrorist attacks on New York and Washington, D.C., the attacks reminded security experts, network providers and administrators, and policy makers that the world's miraculously robust telecommunications network remains extremely vulnerable.

Long-haul networks, central offices, peering points, telecom hotels and metro loops may fall victim to low-tech attacks by backhoes and bombs. Wireless networks that may wobble if a cell site or two is lost are only as good as the wireline network that supports them. At the edge of the network hangs a mishmash of computers and routers that are essentially an open door to a list of threats as vast as the imagination.

"I think our communications system is vulnerable to the things we don't consider, like terrorism," said Frances Clairmont, former director of Pacific Bell's Network Access Point (NAP). "I don't think it is vulnerable to a kid that has a bad attitude."

U.S. intelligence and security policy experts have warned for several years that the open nature of the Internet has made the nation's infrastructure assailable. But they acknowledged last week that little has been done to mitigate potential threats from disruption of emergency communications in cities across the country, damage of power grids, disinformation campaigns and the crippling of financial communications by dedicated and sophisticated attacks.

And yet, absent a coordinated government infrastructure security policy, private enterprise has managed to evolve its own set of protections. The points at which data and voice traffic are handed off from one network to another are hidden and geographically diverse, and key switching gear is housed in hardened buildings. Redundancies are built into networks, and the Internet is so widely distributed that it is literally hard to kill.

The nation's backbones, for example, run on Synchronous Optical Network rings. If one node is knocked out, the system knows to find another route, explained CEO Henry Kaestner.

"It would take a highly intelligent attack on one carrier's backbone. They'd have to knock out two nodes simultaneously, and even that would take down only one carrier," Kaestner said. "We have much more protection than we once had, when all communications were moving over one carrier."

Johnson, chief technology officer of network engineering and consulting firm Greenwich Telecom Partners, said, "AT&T has been thinking about this for 50 years, and finding their data centers is almost impossible."

Additionally, the Federal Communications Commission established the Network Reliability and Interoperability Council 10 years ago, after a series of major outages in the telecom signaling system. The industry group works without government intervention to develop best network practices, attacking problems such as year 2000 and packet network reliability.

Doug Sicker, Level 3 Communications' director of global architecture and chairman of the NRIC's steering committee, said he doesn't expect major policy changes as the result of the terrorist attacks. And on some levels, he said, the Telecommunications Act of 1996 was the best infrastructure insurance policy the FCC could have taken out.

"The government has done the right thing in having a pro-market approach to telecom policy, which allowed for a diversity of infrastructure to exist. That diversity aids redundancy, and makes for a more reliable network," Sicker said. "That doesn't mean that we don't need a strategy."

Last week's Nimda virus attack on the nation's desktop shone a spotlight on how vulnerable the Internet infrastructure truly is. But that same structure - distributed and diverse - is also the network's strength.

"It runs on different platforms, on infrastructure built by different people. If the Net were built completely out of the same vendor's piece of hardware, you could take it all down with a fell swoop," said Doug Jacobson, director of the Information Assurance Center at Iowa State University. "The virus today attacks Outlook, but not everyone uses Outlook, not everyone uses Windows and we all don't run Cisco [Systems] routers."

Nevertheless, it's the only part of the network to which everyone has access.

"It's not really stretching the truth to say that the most patriotic thing a system administrator could do this week is make sure their machine is not subverted by a hacker," said David K. Black, manager of Accenture's security consulting specialty in Reston, Va.