Friday, December 03, 2004

"[U]ltimately the Wild West must give way to governance and control."

Analysis: Tenet calls for tough cyber security rules

By Shaun Waterman
UPI Homeland and National Security Editor
Published December 2, 2004


WASHINGTON -- Former CIA Director George Tenet called Wednesday for tough new security measures to guard against attacks on the United States using the Internet, which he called "a potential Achilles heel for our financial stability and physical security."

"I know that these actions will be controversial in this age when we still think the Internet is a free and open society with no control or accountability," Tenet told an IT security conference in Washington, "but ultimately the Wild West must give way to governance and control."

The national media, including United Press International, were excluded from the event at Tenet's request, organizers said, but UPI was given an account of the speech by a member of the audience. The quotes were verified by a source close to the former director.

Tenet's speech articulated widely shared concerns among U.S. intelligence and homeland security officials that telecommunications -- and specifically the Internet -- represent a backdoor through which terrorists and other enemies of the United States can attack the country, even though some progress has been made in securing the physical infrastructure.

The Internet, Tenet said, "represents a potential Achilles heel for our financial stability and physical security if the networks we are creating are not protected."

"Efforts at physical security will not be enough," he argued, "because the thinking enemy that we confront is going to school on our network vulnerabilities," leveraging the possibility that the Internet gave them to "work anonymously and remotely" with little risk of apprehension.

He said that there were "known adversaries conducting research on information attacks," including "intelligence services, military organizations and non-state actors."

Robert Bagnall, a former military intelligence officer who specializes in computer security for small and medium-sized companies, said that Islamic terror groups like al-Qaida currently appeared to lack the expertise to stage successful cyber attacks on their own.

But he added that their capacities were growing every day and that there was also a blossoming market in "hacking for hire," which posed a very real threat.

"These guys are very good," he said of the professionals. "It's how they make they make their living. You aren't talking about kids in a basement any more."

Bagnall said that organized crime could provide the nexus between professional hackers and terror groups. "The guys who are going to bring that expertise to them are the Russian mob," he told UPI.

Many worry that the United States' capacity to secure its networks and respond to attacks is growing much more slowly than the capacity of its enemies to mount those attacks.

Within the federal government, the Department of Homeland Security has the lead role in protecting the United States from Internet terrorism. But the department's head of cyber security recently quit suddenly, amid reports that he had clashed with his superiors.

"The department's cyber security program is not where it needs to be," John Gannon, staff director of the House Select Committee on Homeland Security, told UPI last month.

The committee recently produced legislation that would raise the rank of the post Amit Yoran held to the assistant secretary level.

"Elevating the post (of cyber-security chief) to assistant secretary level (in the legislation) was a sign of our concern about the progress they were making," Gannon said.

Not all experts share Tenet's concerns. Former senior federal cyber security official F. Lynn McNulty told UPI it was important to keep the problem in perspective.

"In terms of potential damage, losses and other consequences, the old-school threats remain the most serious," he said, referring to truck bombs, suicide hijackings and other conventional terrorist techniques.

"We may overestimate the capabilities of the attacker, especially to launch a major frontal assault," he cautioned.

But Tenet, who left the CIA in July after serving as director for seven years, warned that al-Qaida, though its first-tier leadership had been largely destroyed, remained "a sophisticated, intelligent organization with enormous capability."

The second-tier leadership that was emerging, he added, oversaw "a global, decentralized movement" whose "ability to thrive" depended crucially on the Internet, which enabled them to share information from explosives recipes to the best ways to get into Iraq undetected.

The group, he said, was "undoubtedly mapping vulnerabilities and weaknesses in our telecommunications networks."

However, McNulty, while acknowledging the cyber terror threat is real, stressed it was important not to overstate the nation's vulnerabilities. "In many cases, our networks and our critical infrastructure are much more robust than they get credit for," he told UPI recently.

McNulty said the key U.S. vulnerability was to "low-level attacks ... not a single catastrophic attack that ripples out across the country."

On this, Tenet was in agreement. "I am not worried about a Pearl Harbor," he said. "I'm worried about how they could use an isolated attack to play off what they do physically."

Others, like science fiction writer Bruce Sterling, have framed the danger as "not so much a digital Sept. 11, but rather a digital Mogadishu," a reference to the lawless and warlord-dominated capital of Somalia.

Under this conception, the key vulnerability is represented by the fact that a network is only as secure as its weakest link.

The United States was "at a crossroads," Tenet said, pointing out that the technological transformation of key industries was making them more vulnerable. "More critical industries previously isolated from Internet-security problems are reaching the point where the legacy infrastructure will have to be retired."

The danger was that more modern systems were based on "a fragile infrastructure" -- networks where weak security was endemic, because they were "only as secure as the weakest link in the customer chain."

Howard Schmitt, former head of security for the Internet auction house eBay and now a government cyber security consultant, pointed out in a recent speech that "the attack vector has changed" for Internet attacks.

No longer were networks being attacked at the center, he said, but rather through customer or other "downstream" accounts, thousands of which were compromised every day by hackers and other criminals.

He said that only 16 percent of Internet users changed their passwords more than once a year and that nearly two-thirds used the same one or two passwords for all their online accounts.

"If the end user, who is now part of the network, is not secure," Schmitt said, "we're not secure."

Tenet said that, for just this reason, access to some networks might need to be limited to those who could prove they took security seriously.

McNulty agreed that there would have to be "some retreat from the Wild West" concept of the Internet as an ungoverned space.

"It has become such an integral part of people's lives," he argued, "that they will demand from policymakers and legislators the laws and regulations needed to protect it."

Tenet suggested that this might not be enough, arguing that the very technology underlying the Internet was vulnerable because of its open structure. "New attacks have raised questions about the trustworthiness of the Internet and Internet protocol technologies," he said.

He called for industry to lead the way by "establishing and enforcing" security standards. Products needed to be delivered to government and private-sector customers "with a new level of security and risk management already built in."

Read the article here at World Peace Herald.

Another write-up can be found here at The Blue Lemur with comments enabled.