Posted by: Keith Epstein on February 18, 2009
For all the fears of sophisticated digital intrusions preoccupying many computer security professionals, President Obama’s leading candidates for “cyber czar” also are focusing on an all-too-human vulnerability: The nation’s inability to respond to a full-fledged Internet-borne crisis for lack of a central cyber commander.
Former White House cybersecurity official Paul B. Kurtz, in his first public remarks since becoming an advisor to President Obama’s transition team following the election, describes his biggest worry: A “cyber Katrina” in which fragmented bureaucracies and companies fail to share critical information and coordinate responses to cyber intruders attempting to disrupt power grids, financial markets, or any number of now-plausible scenarios involving a Web shutdown. One recent fear is the cascading effects of even a partial Internet blackout that could add to economic anxieties. There’s such electronic insecurity afoot, some are even beginning to suggest building an entirely new global computer infrastructure.
“The bottom line is, is there a FEMA for the Internet? I don’t think there is,” Kurtz told an audience of security professionals at a Feb. 18 Black Hat security conference in Virginia.
Kurtz’ solution: A trio of key agencies - the Defense Department, the Department of Homeland Security, and the Federal Communications Commission - but overseen by a new national cybersecurity center.
Balkanized bureaucracies with incomplete awareness, conflicts, and unclear responsibilities - no single entity aggregates, analyzes and rapidly prescribes action for ongoing threats - “reminds me of the days before 9/11 when I’d be in meetings in the situation room, with NSA and CIA and FBI guys on different screens, and the FBI guys would say, ‘oh, I can’t share this because it’s law enforcement information,” says Kurtz, an infrastructure guardian who has served on White House homeland and national security councils.
Kurtz also urges dealing openly with long-taboo subjects such as deploying cyber weapons that can disrupt cyber operations by hackers working for terrorists or other countries – and can be used to minimize the casualties in “kinetic” physical attacks.
And he advocates expanded use of intelligence agencies and their operatives overseas to gain information about specific origins and perpetrators of attacks.
Already, the National Security Agency is said to be capable of disrupting and shutting down distant servers when necessary, and technology exists to trace sources of electronic intrusions. But well-funded professional hackers and those who work on behalf of nations often can thwart detection.
Kurtz, a Safe Harbor security consultant, is one of three people said to be leading candidates to become Obama’s “cyber czar.” The others include DHS’ National Cyber Security Center director Rod Beckstrom, an entrepreneur and author of the “The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations,” and Melissa Hathaway, President Bush’s former top cybersecurity official under former national intelligence director Mike McConnell.
Obama tapped Hathaway on Feb. 9 to recommend steps forward on cybersecurity policy within 60 days, but elements of that policy are already emerging into view – though perhaps not one of the most critical elements, exactly who will be in charge and with how much authority.
President Obama would consider the nation’s cyber infrastructure – the same networks on which companies, citizens and government agencies depend - a strategic asset, which will probably lead to a push for new standards to be imposed on the private sector as well as rigorous requirements for safeguarding proprietary and national security information.
Defense contractors already face the prospect of having to agree to new rules in order to bid for contracts; a draft version of a new kind of contract that would also apply to email networks used by corporations who are engaged in military work has been circulating at the Pentagon.
The issue of using intelligence agencies to help trace, identify and deter perpetrators overseas from conducting espionage and other intrusions into U.S. systems is a sensitive one. Within defense and intelligence community circles, there has been talk of a perceived need to develop new supercomputers and monitors capable of eavesdropping on Internet communications – not for the content of messages, but for malicious software attached to them, and to form an early-warning system that issues alerts when identifying disturbing patterns across vast quantities of data moving between U.S. and overseas computers.
Meanwhile, there’s increasing talk within government and industry of seeking to develop an alternative, new Internet.
To date, U.S. advantages are small; cyber conflict requires few resources, and could prove to be the ultimate weapon in asymmetric warfare, as Pentagon planners refer to adversaries who are capable of multiplying their might beyond conventional means.
“We have very limited capabilities to determine the origin of attack,” says Kurtz, adding “we must have an active capability to trace back attacks through intelligence channels. If we know attacks are coming from country X, we ought to be able to get into that server to understand where the attack is coming from (and) ultimately we may want to take that server offline.”
About objections to militarizing cyber space operations, Kurtz responds that “it’s too late” – space is already militarized. “We can’t sit back and not have a capability to defend ourselves.”
Also on Feb. 18, computer security professionals at the Black Hat conference heard about one of the latest threats: A new tool that can undermine secure Web transactions by fooling browsers into thinking they’re on an SSL or HTTPS site.
And a team of researchers are said to have cracked facial recognition technology embedded in several brands of laptops. Conclusion of a Vietnamese reseacher, Nguyen Minh: Your face is not good enough to be your password.