Americas computer infrastructure is highly vulnerable to attack and will likely be targeted in the near future, a panel of security experts told Congress today.
In a hearing called by the House Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, leading security experts painted a grim picture of the ability of Americas critical infrastructure to withstand direct and sustained electronic attacks.
"The threat is even greater today than before Sept. 11," said Michael Vatis, director of the Institute for Security Technology Studies at Dartmouth College and former director of the National Infrastructure Protection Center.
Vatis said the likelihood of cyberattacks against U.S. and allied information infrastructures is high and could come from both nation states and terrorist sympathizers. Such strikes would be aimed at high-profile government and corporate networks and could use destructive worms, viruses, denial-of-service attacks and intrusions, all of which have proved to be devastatingly effective.
The Internet has been rocked in the past two months by several malicious worms, including Code Red and Nimda, which caused millions of dollars in damage to federal and corporate information systems. The perpetrators of the nefarious programs have not been identified or apprehended.
"The Nimda worm clearly points out multiple factors that contribute to Internet security problems," said Richard Pethia, director of the Computer Emergency Response Team Coordination Center at Carnegie Mellon University. "They include the vulnerability of technology on the Internet, the nature of intruder activity, the difficulty in fixing vulnerable systems and the limits of effectiveness of reactive solutions."
CERT received 1,090 vulnerability reports in 2000, double the number sent in 1999, Pethia said. More than 2,000 such reports are expected this year.
"These vulnerabilities are caused by software designs that do not adequately protect Internet-connected systems and by development practices that do not focus sufficiently on eliminating implementation flaws that result in security problems," he said.
Pethia had particularly harsh words for software developers who intentionally release products with certain vulnerabilities. "Until customers demand products that are more secure, or there are changes in the way legal and liability issues are handled, the situation is unlikely to change."
The sole upbeat voice in the hearing came from Ron Dick, director of the National Infrastructure Protection Center at the FBI.
"In the face of the tragic events of two weeks ago, I come before you today to relay a strong sense of optimism ... While the terrorists were building their networks, so, too, were we," Dick said.
He outlined the efforts of the NIPC to fight cybercrime and detailed its cooperative activities with the private sector and other federal agencies, including the CIA and National Security Agency.
But Dicks testimony did little to lift the gloominess delivered by Joel Willemssen, managing director of Information Technology Issues at the General Accounting Office, who testified on the continuing vulnerability of government computer systems.
"Despite the importance of maintaining the integrity, confidentiality and availability of important federal computerized operations, [they] have significant pervasive weaknesses and continue to put critical operations and assets at risk," Willemssen said.
The GAO audited 24 federal agencies in 1998 and 2000 and reported finding "significant information security weaknesses" in all of them.
In an annual review of federal computer safeguards released two weeks ago, the GAO said little has been done by any agency to address the security problems.
"We have known for several years that our governments critical computer systems are as vulnerable to attack as airport security," said subcommittee Chairman Stephen Horn, R-Calif. "It is now 2001 and the government has made little progress in addressing computer security issues. Are we going to wait until these vital systems are compromised, or worse?"