Feds Should Fund Corporate Cyber Defense


By Mark Rasch

Last week, the White House announced the creation of a new Special Advisor

to the President for Cyber Security, and installed Richard Clarke in that

position. Fresh warnings were issued about the threats of new forms of

terrorism, including cyber terrorism. But what exactly is cyber

terrorism? What are the government's responses, from a technical and

legal perspective, and what are the costs of such response?

While there is no universally accepted definition of terrorism, and

therefore no universally accepted definition of cyber terrorism, there

are a few attributes of terrorism that hold true for its conventional as

well as electronic methodology. Keep in mind of course that whether an

attack is considered to be a terrorist attack or a legitimate use of

force may frequently depend upon the attacker.

It is somewhat tautological to point out that the essence of terrorism is

terror. In the wake of the September 11 attacks, we have seen a massive

disruption that, like ripples in a still lake, reverberates well beyond the

World Trade Center and the Pentagon. People are afraid to travel on

airplanes, work in large office buildings, open their mail, and use the

rails. Some people are stockpiling food, water and antibiotics in

anticipation of new and more virulent threats. Terrorism inflicts on its

victims a sense of fear and mistrust of previously accepted safe havens.

It also inspires governments and individuals to respond in a manner

disproportionate to the actual threat inflicted by the attacks themselves.

Thus, a half dozen anthrax cases in New York and Florida cause pharmacies

in Des Moines to sell out of the antibiotic Cipro. Fear that terrorists

may have used email to communicate causes the FBI and other government

agencies to demand, and Congress to acquiesce in granting, new powers to

intercept communications.

Because the essence of terrorism is terror, the Internet is a relatively

poor vehicle for attack. If you blow up a shopping center, people across

the nation are afraid to shop and are terrorized. If you disrupt the

Internet, however, or other infrastructures, people are inconvenienced,

but generally not terrorized. Indeed, the Internet is a better tool for

terrorists or propagandists if it is running properly. It can be used to

spread information -- true or false -- rumor, panic and political

propaganda.

We also have to distinguish between cyber terrorism, cyber warfare, cyber

attacks, and information warfare. Cyber attacks, either by organized

groups of hackers, disgruntled employees, thieves, teenagers or even

governments have been endemic to the Internet, and will continue. They

may include viruses, worms, Trojans, as well as denial of service

attacks, and straight unauthorized access attacks.

CRITICAL INFRASTRUCTURES. Information warfare includes the use of rumor, propaganda, and the prevention of access to competing information to wage psychological war on an adversary. The Bin Laden videotape represents a form of information warfare, as does the White House's effort to prevent or limit its raw distribution. The distribution of leaflets over Afghanistan likewise represents a form of information warfare. It would be naive to believe that the Internet is not and will not be a tool for both affirmative and negative information warfare.

Cyber war represents a different character. The United States government,

while bombing the critical infrastructures of the Taliban-controlled

portions of Afghanistan, could use electronic devices to disrupt the

infrastructure as well. Logic bombs could disrupt water, power and

telecommunications systems. Denial of Service attacks could affect

command and control systems.

The problems with protecting America from all of these attacks are

interrelated. The vast majority of the critical infrastructure of the

United States -- those networks that are essential for the running of the

economy and the nation -- are in the hands not of the government, but of

the private sector.

Telecommunications, water, electricity, nuclear power, gas distribution,

transportation systems, banking and financial sectors are all run by

corporate America, not by some agency or department.

It is these corporations that will be required to invest in new hardware,

software, training and policies to protect against cyber terrorism. But

there are many things the government can do to help.

ENCOURAGE INFORMATION SHARING. Information Sharing and Analysis Centers (ISACs) are voluntary groups within critical infrastructures that permit and facilitate the free sharing of information about threats, vulnerabilities and incidents that may be a prelude to an attack, or may give early warning of an attack.

The ability to share information free from regulation and without

attribution, and the competent and thorough analysis of this raw data, is

essential for these ISACs to work properly.

The government can facilitate these voluntary sharing mechanisms by

making the data in them immune from disclosure, removing liability for

companies for good faith reporting of such information, and by

voluntarily sharing unclassified intelligence data with the private

sector in a secure manner.

Key individuals within the private sector should also have access to

classified threat data so they can respond appropriately.

EDUCATE. A traditional governmental role has been to train the next generation of warriors -- both offensive and defensive. The government can help fund and endow university programs in cyber security, creating a new generation of security professionals with skills that will assist in protecting not only the national defense, but also the commercial infrastructure.

Government-funded and supported training programs should be introduced to

raise awareness in the public and private sector about the genuine threats

to the electronic infrastructure.

Government agencies, such as the National Institute of Standards and

Technology (NIST), can perform basic research and testing on hardware,

software or implementations, and can make recommendations about new

security practices that will harden the infrastructure.

As a large-scale purchaser of hardware and software, the government can

also demand security and secure implementation as a condition precedent to

purchasing. This alone may skew the market in favor of more secure

applications.

OFFER TAX INCENTIVES. The commercial sector generally places security among the factors it considers in making purchasing and resource decisions. Using a cost-benefit analysis, companies decide on the level of protection they deem reasonable, depending upon the criticality of the application and data, and the cost of securing it.

If the government believes that, for national security purposes, this

level is too low, it may provide direct grants to companies in the

critical infrastructure, direct support for security, or tax incentives

to companies to provide additional security.

Just as nobody would have expected the owners of the World Trade Center

towers to be responsible for providing F-18s to intercept incoming

airplanes, we must redefine the government and private sector roles and

responsibilities.

The United States is perhaps the most vulnerable to cyber attacks, being

among the most technologically advanced and dependent nations on the

planet. The asymmetric nature of the attack makes us even more

vulnerable. While panic is both unproductive and unwarranted, there is

much more that can and should be done to protect critical infrastructures

from attack. There is a business case for much of this, and most

security measures are not expensive. Only through effective cooperation

between the public and private sector, based upon trust and mutual

respect, can this be achieved.

Mark D. Rasch, J.D., is the Vice President for Cyberlaw at Predictive

Systems Inc. in Reston, Virginia, a computer security and network design

consulting firm. Prior to joining Predictive Systems, Mr. Rasch was the

head of the U.S. Department of Justice Computer Crime Unit and prosecuted

a series of high profile computer crime cases from 1984 to 1991.
