Even the most hardened anti-Washington, laissez-faire libertarian types generally concede at least one role for government in cyberspace: the duty to protect us from hackers and vandals and things that go bump on the Net. Unfortunately, events last week clearly demonstrated that the feds are not yet up to the task — and probably wont be for the foreseeable future.
The most embarrassing public acknowledgement of failure was the distributed denial-of-service attack that took out the Web site of the taxpayer-financed Computer Emergency Response Team, based at Carnegie Mellon University — the very guys who are supposed to be our early warning system in the never-ending war between hackers and civilization. It was analogous to burglarizing the police precinct station; the reward was clearly not financial gain, but bragging rights among the shadowy cadre of misfits who torment the global network with everlasting mischief.
What was most disturbing about the CERT incident was that even the most sophisticated network cops on the planet couldnt protect their little piece of the Net.
A new report by researchers at the University of California at San Diego estimates that some 4,000 sites come under denial-of-service attacks each week. Some of the largest and most popular business and government sites are under constant assault.
And there is no known cure. Rich Pethia, director of the part of the Software Engineering Institute at Carnegie Mellon that runs CERT, told The New York Times, "There is no good way to defend against it or stop it once its started." Translation: Learn to live with anarchy. Factor it into your budgets and planning. Expect to be attacked — and expect to lose.
On the same day that CERT was crippled, the General Accounting Office released its assessment of the Internets top law enforcement effort, the FBIs National Infrastructure Protection Center. While not particularly critical of the centers efforts, the GAO also left us little to cheer about. In a report to the Senate Subcommittee on Technology, Terrorism and Government Information, the agency painted a picture of an effort that is underfunded; ignored by other police, intelligence and defense agencies; and generally ineffective.
"While the NIPC has taken some steps to develop analysis and warning capabilities, the strategic capabilities described in [its charter] have not been achieved," the GAO summarized.
Whats scary about the GAO report is that its not dealing with just mundane issues such as trashed Web sites, but with serious national security threats as well.
"Malicious attacks, in particulAar, are a growing concern," the GAO reported. "The National Security Agency has determined that foreign governments already have or are developing computer attack capabilities, and that potential adversaries are developing a body of knowledge about U.S. systems and methods to attack them. In addition, reported incidents have increased dramatically in recent years. As a result, a clear risk exists that terrorists or hostile foreign states could launch computer-based attacks on systems supporting critical infrastructures to severely damage or disrupt national defense or vital public operations or steal sensitive data."
In other words, as the worlds most technology-dependent nation, were clearly the most vulnerable to information warfare and crime, yet we have only a token first line of defense. The NIPC, largely through inept leadership, has failed to win the confidence and cooperation of other government agencies.
If there was any bright spot in last weeks news, it was the announcement of a government plan to provide $8.6 million in scholarships for a "cybercorps" of 200 computer security students who would agree to take government jobs upon graduating. Of course, this is a very slow way to build an army capable of protecting us from growing hordes of Goths, Huns and Vandals at the gates. But at least its a start.