Search /
Advanced search  |  Help  |  Site map
Click for Layer 8! No, really, click NOW!
Networking for Small Business
While Heartbleed distracts, hackers hit US universities
How Apple's billion dollar sapphire bet will pay off
US to vote on sharp increase in broadband subsidies
iPhone 6 rumor rollup for the week ending April 18
NSA spying revelations have tired out China's Huawei
Arista co-founder may have switch maker by its jewels
Apple kicks off public OS X beta testing
Open source pitfalls – and how to avoid them
AT&T's expanded 1 Gbps fiber rollout could go head to head with Google
BlackBerry Releases BES 10 Security Update to Address 'Heartbleed' Flaw
Verizon: Web apps are the security punching bag of the Internet
Cisco announces security service linked with new operations centers
Dell launches virtual storage accelerator, aims to boost SAN performance
Free OS X Mavericks now powers half of all Macs
Even the most secure cloud storage may not be so secure, study finds  
3D printing will transform these five industries
Most but not all sites have fixed Heartbleed flaw
NEC launches face-recognition protection for PCs
Hundreds of medical professionals targeted in multi-state tax scam
Super-high frequencies could one day deliver your mobile video
Americans cool with lab-grown organs, but not designer babies
IT Departments Not Losing Ground to Managed Service Providers (Yet)
Where's my gigabit Internet, anyway?
IE6: Retired but not dead yet
Enterprise who? Google says little about Apps, business cloud services in Q1 report

Defending against cyberattack

Today's breaking news
Send to a friendFeedback

In the midst of Year 2000 chaos, key power grids across the country go dark, telecommunications and data networks crash, and emergency services are crippled.

Even worse, public switched telephone network-based leased lines that carry military communications are toast. Military bases, powered by public gas and electric, are knocked out. And troop movement is disrupted because railway, seaport and airport traffic is at a standstill.

But this is not a Year 2000 problem. It's just a convenient smokescreen that the enemy hides behind when it launches a cyberwar - and America has just lost.

It's a war in which no bombs are dropped, no guns are fired, no blood is shed. But America's infrastructure is nevertheless left in ruins. In this scenario, the weapon of mass destruction is technology; the militia, an army of foreign hackers bent on taking down key services vital to the nation's stability.

Could this really happen? Absolutely, says Deputy Assistant FBI Director Michael Vatis, who heads a new cyberdefense agency, the National Infrastructure Protection Center (NIPC).

"In the information age, our critical infrastructures - services vital to our national economy and stability - are subject to debilitating remote attacks that can shut them down. Already, weapons of mass destruction - computer viruses and attacks that can overflow buffers and shut networks down - are available off the Web. "We have concrete information about several foreign countries that are developing programs to target the U.S. and our critical infrastructure in particular," he continues. "I just can't say publicly what countries those are."

The U.S. government takes this threat so seriously that President Clinton last May ordered a full-scale obilization to defend the nation against cyberattack. Clinton's directive called for the creation of a number of programs ranging from the FBI-managed NIPC to industry-specific centers for the sharing of information between private companies and the government (see story).

However, the creation of these Information Sharing and Analysis Centers (ISAC) and, in fact, the whole effort to develop a public-private partnership on security, is on shaky ground because companies are very reluctant to share network security information with the feds.

Bridging the gap

Two years ago, Nancy Wong took a leave of absence from her job as director of information assets for Pacific Gas and Electric Company in San Francisco to work with government and private industry on security issues.

"When we did focus groups in 1997, the overwhelming issue was lack of awareness," she says.

She tells the story of an electric company that installed intrusion detection and caught more than 100,000 unauthorized intrusions into its network over three months - 10 of which warranted investigation. Another problem she discovered: "Too many companies were running proprietary information over the Internet as if it were secure."

When considering the value of your company's information assets, Wong suggests asking three questions: What impact does a catastrophic event have on business viability? What impact does it have on your ability to deliver service to your customers? What impact does this have on your company's risk, liability and relationship with investors?

The concern about government intrusion into private security matters made the front pages late last month when the Electronic Privacy Information Center (EPIC) in Washington, D.C., sounded alarms concerning potential federal monitoring of private-sector networks.

EPIC went so far as to charge that a newly announced federal intrusion-detection network (FIDNET) will link directly to the private industry sector information sharing groups. That charge was denied by Sally McDonald, spokeswoman for the General Services Administration, which manages information services and information security for the federal government. She says the yet-to-be-defined FIDNET will in no way link to private sector networks.

But EPIC's general concerns are shared by many in the business community, even by those who are on board and working to build this cyberdefense system.

"The government wants to facilitate private industry taking care of itself. This means building trust in the partnership, and government has not done a good job handling this in the past," says Nancy Wong, a Pacific Gas and Electric security expert who has taken a leave of absence to work with federal officials on the cyberwar defense project. "That is the difficulty and challenge that [the government and FBI are] having now." For example, there's already bad blood between the software industry and the FBI over the sticky issue of government controls over encryption exports. And industry leaders are adamant that any information they provide on attempts to hack into their networks or the results of security evaluations be reported anonymously. The goal, from the government's side, is a two-way sharing of information. Federal agencies will share information on threats, vulnerabilities, orchestrated attacks, assessment services and network security products (patches, vendor product recommendations and others) to the private sector through the ISACs. In turn, the feds hope the ISACs will push the same information from the private sector to the appropriate government agencies.

But many issues need to be resolved before that happens. While some private sector groups are answering the call to create these centers, the issue of anonymity remains undecided.

The feds say they need some way to verify the source of the information, and they can't do that if it comes in anonymously, says Guy Copeland, vice president of information infrastructure protection advisory programs for Computer Sciences Corp., an $8 billion technology services company in Washington, D.C. Copeland sits on the National Security Telecommunications Advisory Committee (NSTAC), an 18-year-old presidential advisory board that is positioning itself to become the ISAC for the telecom industry. Therefore, industry leaders are taking a wait-and-see approach to sharing information with the government, he says.

The financial services sector plans to build and maintain an ISAC, says Steve Katz, chief information security officer for CitiGroup in New York. But at this point, the financial services ISAC plans only to receive information, but not send any to the government, he says.

Katz adds that if the industry does agree to send information back to the government, it will do so only with a "tremendous firewall" between government and the private sector.

The FBI and other federal players involved in the project are well aware of industry concerns and are making a concerted effort to overcome them. For example, the FBI, with the help of industry executives, is training 214 field agents to understand business culture and fears of lost privacy. So far, these agents have learned the business ropes from folks in the telecom and energy industries, with more training to come from other vertical industry executives, the FBI's Vatis says.

The federal agencies have also recruited private-sector professionals, such as Pacific Gas and Electric's Wong, to better manage business concerns. Wong says she's had many a conversation with political decision makers who think the solution is to "regulate software makers" or dictate security measures in private industry. Each time, she tells them that the Constitution - and American business leaders - won't stand for it.

To better reach business leaders, she advises the feds to present infrastructure vulnerabilities as a business problem instead of an "information war" - a term at which Wong crinkles her nose. After all, information security is directly tied to a company's bottom line. A breach of infrastructure networks could interrupt the business processes, resulting in lost customer and shareholder confidence, even the company's viability; and that's what is important to the private sector, she says.

In spite of this natural tug-of-war, private sector companies are coming around to help the government protect them against what they feel is a serious threat, Katz, Wong and others say. "I have worked with a great many difficult projects in my life, and this is by far the most difficult," says William Harris, a former member of a federal commission on the topic. "This problem requires a true partnership between government and industry. There's such an enormity of consequences if we don't do the right thing."

Another shaky trust issue: the wording of the presidential directive allows for government intervention should it be deemed necessary. The FBI and the Federal Emergency Management Agency (FEMA) are granted the authority to "coordinate the rapid reconstitution of minimum essential capabilities in the aftermath of an attack."

"If private industry doesn't take care of itself, that's when the government will have to step in," Wong warns. Thus far, FEMA has made it clear that it will keep its distance from the cyberdimension, Wong says. "FEMA only wants to get involved when it sees the physical disruption occur," she adds. That means bombs, debilitating natural disasters or other physical sabotage that would knock out vital services.

In addition, federal and emergency response agencies need to figure out how they will integrate with one another. And the legal system needs to catch up with 21st-century cybercrime.

There's one more giant hitch to the president's program: When Clinton leaves office, all this work could be for naught because his directive, a Presidential Decision, is valid only as long as he's in office. For the infrastructure protection program to live on, Clinton must sign a Presidential Executive Order.


Radcliff is a freelance writer in northern California. She can be reached at

Inside the FBI
In an interview inside FBI headquarters, Network World Senior Editor Ellen Messmer met with Michael Vatis, one of the FBI's top cybercrimefighters. Network World Fusion, 8/23/99.

Reaction: Here's what some Fusion users are saying about this article: What do you think? Add your comments to the thread

NIPC Web site

Presidential Decision Directive 63
Government policy statement on protecting technological infrastructure.

Statement of Dr. Jeffrey A. Hunker, Director, Critical Infrastructure Assurance Office
Discusses PDD 63.

President's Commission on Critical Infrastructure Protection
Includes a link to the commission's report: "Critical Foundations: Protecting America's Infrastructures."

Critical Infrastructure Protection and the Endangerment of Civil Liberties
Analysis by EPIC.

Big Problem - Bad Solution
Speech on what's wrong with the commission's approach by James Adams, chairman of UPI.

Serb supporters sock it to NATO and U.S. computers
Network World, 4/5/99.

Sun Tzu Art of War in Information Warfare
Hypothetical case study showing how a group of Serbian hackers could get the U.S. out of the Balkans. From the Institute for National Strategic Studies.

Electronic Civil Defense
Links to articles on online terrorism and attacks.

National Security and the Internet
Paper by Gary Chapman, director of the University of Texas' 21st Century Project.

The New Face of War
America's dependence on technology exposes our infrastructure to cyberterrorism. TechWeek, 11/2/98.

NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.