For nearly a year, federal officials have been telling anyone willing to listen that terrorists have the knowledge and equipment to carry out sophisticated information warfare attacks against targets in the United States. This declaration is usually followed by an ominous warning that a “digital Pearl Harbor” is around the corner.
Bureaucrats have used this rallying cry to play on the fear and ignorance of elected officials and the public, pushing for harsher penalties for hackers, billions of dollars in increased funding for cyber-terrorism prevention and even an antitrust exemption for organizations sharing sensitive data with one another.
And now, there are plans to bring all the government’s information security organizations under the umbrella of the proposed Department of Homeland Security, an effort to improve coordination and response.
All these efforts should help improve the security of government and private networks. But a growing number of people in the security community say the threat of cyber-terrorism is remote at best.
Richard Clarke, chairman of the President’s Critical Infrastructure Protection Board and a respected expert on combating conventional terrorism, has been the administration’s point man on cyber-terrorism. Clarke has crisscrossed the country, meeting security experts, state and federal officials, and private-sector executives to warn of imminent danger from overseas.
To Clarke, it is a question of when, not if, foreign terrorists launch a large-scale attack on U.S. networks.
“We have the role of playing Paul Revere and waking people up,” Clarke said last month at the Black Hat security conference in Las Vegas. “We’re going to spend $20 billion on security in fiscal 2004 through 2006. If a cyber-war comes—and come it will—we want to be prepared. Why does it always have to be we do a great job after we’re hit?”
Of particular concern to Clarke and others in the Bush administration is the possibility of attacks on the nation’s electric power grid and other utilities or on the banking and financial system. Bringing down the computers that control a water filtration plant, for example, could have disastrous consequences, they warn.
And while no one disputes these claims, some security experts say such attacks are unlikely.
“I don’t think we’re as vulnerable as [Clarke] says we are,” said Scott Blake, vice president of information security at BindView Corp., in Houston. “If I’m a terrorist, I want pictures on TV. You don’t get that if you knock out the stock market’s computers. And, the time to recovery [with a computer attack] is vastly shorter than with a physical attack.”
A case in point is the recent warning issued by the FBI’s National Infrastructure Protection Center regarding the possibility of wide-scale attacks from Western Europe against ISPs and Web servers. A handful of ISPs reported traffic spikes consistent with DoS (denial-of-service) attacks, but there were no reported service outages, and the service providers handled the incidents without a problem.
Even the rash of distributed-DoS attacks in 2000 on sites such as Amazon, Yahoo and CNN was at worst an inconvenience for most Internet users. The attacks cost the sites involved money in terms of lost traffic, lost revenue and cleanup. But for the most part, service was restored within a day or so.
However, even those who don’t see much of a threat to computer networks from foreign terrorists said Clarke’s warnings could do good in the long run.
“I think some of that [rhetoric] is for effect. But these systems, as they’re deployed, are vulnerable,” said Jack Reis, CEO of NFR Security Inc., a Rockville, Md., intrusion detection vendor that does a lot of work with the federal government. “Attacks are happening. You don’t see a lot of press about it because people don’t want it known. More sophisticated attacks are coming, and more sophisticated defenses need to be created. We have to continue to invest in security technology, to the point where it becomes an integral part of everything we do.”
The one policy for which Clarke enjoys near-total support in the security community is his pledge to do everything he can to avoid government regulation and control of the Internet.
“The government, having helped facilitate the Internet, has kind of walked away from it,” Clarke said, “and that’s a good thing because if it was a government project, it would work worse than it does. I don’t want the government controlling or regulating the Internet.”
Clarke has said, however, that if software vendors don’t improve the quality of their products, the government may have to step in to protect consumers and the country’s networks. This idea has gotten less support.
“I’m not sure how you would regulate software safety, even if you wanted to. Metrics are difficult to come by, and there is no way to avoid bugs in software,” said Avi Rubin, principal researcher at AT&T Labs-Research, in Florham Park, N.J., and an expert on network security. “The main reason is that there is no easy way to measure software security. How would you regulate this? You couldn’t say, ‘Software must be at least 57 [percent] secure.’”