On Alert

Name: Terry Benzel
Title: VP, Network Associates Inc.
Web Info: www.pgp.com/research/nailabs/default.asp
Claim To Fame: Information security researcher

Call Terry Benzel an unwilling prophet of potential disaster.

Benzel, a vice president with Network Associates Inc. and director of that companys NAI Labs, testified last month before Congress on the nations cyber vulnerabilities. Since then, a number of news outlets including CNN, the Associated Press and the British Broadcasting Corporation have liberally quoted her warnings. A BBC news item including her views ran under the headline, “Doomsday fears of terror cyber-attacks.”

With 20 years of experience in computer security, Benzel doesnt believe in fear mongering, which she calls irresponsible. But she does believe the country needs to wake up to the cyber security threat. For starters, she believes Congress should commission a study to assess the problem. “We dont even know how vulnerable we are,” she said in a recent interview.

She is especially concerned about the prospects of a coordinated attack on physical infrastructure (a water supply, for example) and its supporting information systems (a computer-controlled monitoring system). Financial, energy, transportation, and public safety systems are other examples of “critical infrastructure systems.” If attacks on such systems are successful, “people will die, the nations economy will be crippled and protective services systems will be weakened,” she said in testimony before the House Science Committee.

To get a better handle on the scope of the problem—and insight into protections—the nation needs to dramatically boost the research and development dollars it spends on information security, according to Benzel. She identifies three key areas for research: interdependency, converged networks, and embedded control systems.

Interdependency research would address the links among critical infrastructure systems. Benzel notes that such systems are increasingly dependent on each other for correct operation. Converged networks, meanwhile, also raise interdependency issues in the case of data/telephony networks. Control systems also call for inquiry, she argues, given the lack of security technology for embedded systems.

“Weve identified some hard problems,” Benzel says, noting her work with the Partnership for Critical Infrastructure Security (PCIS), a government-industry forum on security issues.

Benzel says she would like to see greater coordination among government, industry, and academia in exploring information security problems and developing a “road map” on how to solve them. She says groups like PCIS provide a role model for collaboration but are “no where near enough” to unite the various organizations pursuing security research.

Benzel knows whereof she speaks, having worked for years with industry and government research entities. She spent a decade at security specialist Trusted Information Systems, where she direct research sponsored by the Defense Advanced Research Projects Agency (DARPA).

After Network Associates acquired Trusted Information Systems, Benzel became director of NAI Labs, a security R&D organization with 120 employees.

NAI Labs research is funded through DARPA, the military services, and the National Security Agency among others.

Benzel recalls a time when certain agencies with three-letter acronyms were about the only customers interested in information security. “Only a few spooks somewhere around Fort Meade [home of the NSA] cared about it,” she says. “Now, to have a major committee in Congress ask about it is very rewarding.”

She calls her opportunity to bring security concerns to the Hill as “enormously fulfilling.” But she also acknowledges the episodic nature of interest in security: the heightened attention a calamity can bring to subject can dissipate over time.

Benzels current wish: that the nations focus on security will “live past the current frenzy.”