Fearing 'Cyber Katrina,' Obama Candidate for Cyber Czar Urges a 'FEMA for the Internet'

Posted by: Keith Epstein on February 18, 2009

For all the fears of sophisticated digital intrusions preoccupying many computer security professionals, President Obama’s leading candidates for “cyber czar” also are focusing on an all-too-human vulnerability: The nation’s inability to respond to a full-fledged Internet-borne crisis for lack of a central cyber commander.

Former White House cybersecurity official Paul B. Kurtz, in his first public remarks since becoming an advisor to President Obama’s transition team following the election, describes his biggest worry: A “cyber Katrina” in which fragmented bureaucracies and companies fail to share critical information and coordinate responses to cyber intruders attempting to disrupt power grids, financial markets, or any number of now-plausible scenarios involving a Web shutdown. One recent fear is the cascading effects of even a partial Internet blackout that could add to economic anxieties. There’s such electronic insecurity afoot, some are even beginning to suggest building an entirely new global computer infrastructure.
“The bottom line is, is there a FEMA for the Internet? I don’t think there is,” Kurtz told an audience of security professionals at a Feb. 18 Black Hat security conference in Virginia.

Kurtz’ solution: A trio of key agencies - the Defense Department, the Department of Homeland Security, and the Federal Communications Commission - but overseen by a new national cybersecurity center.

Balkanized bureaucracies with incomplete awareness, conflicts, and unclear responsibilities - no single entity aggregates, analyzes and rapidly prescribes action for ongoing threats - “reminds me of the days before 9/11 when I’d be in meetings in the situation room, with NSA and CIA and FBI guys on different screens, and the FBI guys would say, ‘oh, I can’t share this because it’s law enforcement information,’” says Kurtz, an infrastructure guardian who has served on White House homeland and national security councils.

Kurtz also urges dealing openly with long-taboo subjects such as deploying cyber weapons that can disrupt cyber operations by hackers working for terrorists or other countries – and can be used to minimize the casualties in “kinetic” physical attacks.

And he advocates expanded use of intelligence agencies and their operatives overseas to gain information about specific origins and perpetrators of attacks.

Already, the National Security Agency is said to be capable of disrupting and shutting down distant servers when necessary, and technology exists to trace sources of electronic intrusions. But well-funded professional hackers and those who work on behalf of nations often can thwart detection.

Kurtz, a Safe Harbor security consultant, is one of three people said to be leading candidates to become Obama’s “cyber czar.” The others include DHS’ National Cyber Security Center director Rod Beckstrom, an entrepreneur and author of “The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations,” and Melissa Hathaway, President Bush’s former top cybersecurity official under former national intelligence director Mike McConnell.

Obama tapped Hathaway on Feb. 9 to recommend steps forward on cybersecurity policy within 60 days, but elements of that policy are already emerging into view – though perhaps not one of the most critical elements, exactly who will be in charge and with how much authority.

President Obama would consider the nation’s cyber infrastructure – the same networks on which companies, citizens and government agencies depend - a strategic asset, which will probably lead to a push for new standards to be imposed on the private sector as well as rigorous requirements for safeguarding proprietary and national security information.

Defense contractors already face the prospect of having to agree to new rules in order to bid for contracts; a draft version of a new kind of contract that would also apply to email networks used by corporations who are engaged in military work has been circulating at the Pentagon.

The issue of using intelligence agencies to help trace, identify and deter perpetrators overseas from conducting espionage and other intrusions into U.S. systems is a sensitive one. Within defense and intelligence community circles, there has been talk of a perceived need to develop new supercomputers and monitors capable of eavesdropping on Internet communications – not for the content of messages, but for malicious software attached to them, and to form an early-warning system that issues alerts when identifying disturbing patterns across vast quantities of data moving between U.S. and overseas computers.

Meanwhile, there’s increasing talk within government and industry of seeking to develop an alternative, new Internet.

To date, U.S. advantages are small; cyber conflict requires few resources, and could prove to be the ultimate weapon in asymmetric warfare, as Pentagon planners refer to adversaries who are capable of multiplying their might beyond conventional means.

“We have very limited capabilities to determine the origin of attack,” says Kurtz, adding “we must have an active capability to trace back attacks through intelligence channels. If we know attacks are coming from country X, we ought to be able to get into that server to understand where the attack is coming from (and) ultimately we may want to take that server offline.”

About objections to militarizing cyber space operations, Kurtz responds that “it’s too late” – space is already militarized. “We can’t sit back and not have a capability to defend ourselves.”

Also on Feb. 18, computer security professionals at the Black Hat conference heard about one of the latest threats: A new tool that can undermine secure Web transactions by fooling browsers into thinking they’re on an SSL or HTTPS site.

And a team of researchers are said to have cracked facial recognition technology embedded in several brands of laptops. Conclusion of a Vietnamese researcher, Nguyen Minh: Your face is not good enough to be your password.

Reader Comments

hack_the_planet

February 18, 2009 4:19 PM

let the games begin !!!

Connelly Barnes

February 18, 2009 6:17 PM

Hahahaha, FEMA for the Internet. Because FEMA worked so well, and there isn't a FEMA for the Internet, let's make one! I hope we can eventually lock up all the thought criminals, if we just have enough policing organizations, I'm sure it's possible.

chris jones

February 19, 2009 3:41 AM

The games will never end. The internet security industry is only going to get bigger. thanks

Roland

February 19, 2009 1:56 PM

I predict that when this idea gets discussed on slashdot.org, it will be torn to pieces, and rightly so. A political solution for a technical problem is dumb--doubly so for imaginary problems.

Cindy Sue Causey

February 20, 2009 10:02 AM

Well, this is certainly "interesting" to be reading today.. Just finished following a *very* long international thread *yesterday* where standards behind the Internet were already being occasionally called "Americocentric".. :))

As to this specifically and how it first comes across to these Fingertips :: Electing oneself to control the Net so as to be able to shut it down on us willy-nilly, nuh-uh, not so much..

Besides, haven't the FBI and similar *ALREADY* been involved in this type of activity for ages..? Why not further support them then and instead as they do appear to remain among the *least partisan* entities when it comes to this type of activity in the first place..?

Cyber hugs from Talking Rock.. :wink:

Brad Healy

February 21, 2009 4:38 AM

Just a step closer to shutting up the bloggers and sites that turn against Washington and its special interests groups.

The special interests group President has spoken, and thou shall not disobey.

Jack

February 23, 2009 10:03 AM

Why is it that all of these pieces refer to the "possibility" of a cyber Katrina? If I think about that horror, of innocent people being hurt by a combination of a (somewhat) predictable event, and slow-to-react government agencies, I would say that we are already there.

The Army CoE had warned on the levees, and the local and federal response was weak. In terms of technology, the papers are full of data on breaches, and the internal government analysts can detail hundreds more.

Cyber-Katrina is here. We just refuse to admit that we are already up on the cyber-roof.

Robert Malcovitch

February 25, 2009 5:20 PM

*Sigh*. This is nothing more than a desire to censor free speech. All hail the Union of American Socialist Republics!

Robot Jesus

April 23, 2009 5:43 PM

I, for one, welcome our new Internet Overlords. I'd like to remind them that as a trusted internet citizen, I can be helpful in rounding up others to toil in their underground cyber prisons.

Tim Hart

May 30, 2009 12:42 PM

George H. Conrades, Chairman of the Board and former CEO of Akamai will be named Cyber Czar.

Susan Donovan

June 2, 2009 1:35 AM

Cyber Czar? Obama has this figured out to the nth degree folks. Like your freedom of speech. Better kiss it good-bye when the Cyber Czar comes online, he'll hack us all to death.


About

Bloomberg Businessweek writers Peter Burrows, Cliff Edwards, Olga Kharif, Aaron Ricadela, and Douglas MacMillan, dig behind the headlines to analyze what’s really happening throughout the world of technology. Tech Beat covers everything from tech bellwethers like Apple, Google, and Intel and emerging new leaders such as Facebook to new technologies, trends, and controversies.
