ORLANDO, Florida—Cyber-security and counterterrorism analyst Roger Cressey on Monday pleaded with IT executives not to underestimate the threat of a “national cyber-event” targeting critical infrastructure in the United States.
During a keynote address at the InfoSec World 2005 conference here, Cressey warned against discounting the danger of the Internet being used in a terrorist-related attack.
“It may not be a terrorist attack, but a cyber-event is a very, very serious possibility. When it happens, it will have serious economic impact on our critical infrastructure.”
Cressey, who served as chief of staff to the president's Critical Infrastructure Protection Board at the White House, said there was enough evidence that U.S. enemies were actively using the Web to recruit, organize and communicate terrorism activities.
“I don't see the Internet as a means to a mass attack [on human lives] but we have to be aware that cyber-crime is a key component of the terrorism setup. We would be foolish not to assume a targeted attack on some aspects of national infrastructure. I don't know if we can protect against this type of event today,” Cressey said.
The on-air counterterrorism analyst for NBC News said the rapid rate at which Internet security vulnerabilities were being discovered only adds to the worry.
“Software vulnerabilities are being discovered at amazingly fast rates. [The] time to exploit continues to shrink. We're getting closer and closer to zero-day exploits,” Cressey warned, adding that computer operating systems had become a target-rich environment.
“Before 9/11, we thought we had it all covered, but we had no idea what we were missing. There were warnings, but we never took them seriously. That's the mindset we need to have today regarding a cyber-event. We need to assume that it will happen and get ready to deal with it.”
He said the increase in identity theft, spam and phishing attacks has already caused a “crisis of confidence” in the e-commerce sector.
“Consumers go on the Internet to read the news, but they get scared to shop online. E-commerce will never reach its full potential,” he said.
Cressey said the U.S. government's DHS (Department of Homeland Security) made a fundamental mistake in its early days when it threw resources at physical security assets without making similar investments in critical IT security infrastructure.
“The result is they sent mixed signals to the industry. Silicon Valley and the private sector looked at what was happening and figured the government was only talking the talk without walking the walk.”
He said the DHS must prioritize the risks before deciding on the level of spending on security and must show leadership in the area of information-sharing and advance warnings on Internet security vulnerabilities.
VOIP on the front
Cressey used part of his keynote to call on VOIP (voice over IP) developers to put security on the front burner.
Describing VOIP security as the great challenge of this decade, he said it would be a “big mistake” for another nascent industry to emerge without built-in protections.
“VOIP is today where the Internet was 10 years ago. Everyone acknowledges that security is a big issue, but no one is making it a top priority. We know we need to worry about it, but we're not doing anything about it,” he said.
The growth of VOIP in the enterprise has exposed several vulnerabilities in the technology, including the ability to launch denial-of-service attacks, spoof caller ID or hijack voice sessions.
“Nobody is baking security into the [VOIP] products just yet. If this truly becomes ubiquitous, it will be back to the future. We'll be scrambling to fix it just like we're scrambling today to deal with spam and viruses.”
Cressey urged enterprise IT leaders to take a holistic approach to managing risks, arguing that executives must resist the urge to use return on investment to drive spending on security.
“Instead of ROI, you should be adopting new acronyms like ROR [Reduction of Risk] or ROC [Return on Compliance].”