President's advisor predicts cybercatastrophes unless security improves

NEW YORK - In his keynote address at an information technology auditing conference here, Howard Schmidt, President Bush's advisor on cybersecurity, predicted that networks operated in the U.S. and abroad are likely to be brought down by catastrophic events unless security greatly improves.

"By 2009, there will be over 2 billion Internet-enabled devices, each with an IP address, in the U.S. alone, and 6 billion altogether," predicted Schmidt, vice chair of the President's Critical Infrastructure Protection Board, in his keynote before the 30th annual international conference of the Information Systems Audit and Control Association (ISACA). The conference was attended by nearly 300 security professionals from 37 countries.

The devices on the IP packet-based network of the future, predicted Schmidt, will include not just computers, but also traffic lights, elevators, appliances and even pacemakers. But the IP networks of 2009 will be unstable, subject to "constant security outages," unless both governments and private industry focus on eliminating network vulnerabilities through research and better practices.

"The routing tables of the future will be unmanageable; there will slowdown and failures, and malicious and criminal activity between 2002 and 2009 all mean the Internet quits working," warned Schmidt. He even forecast a future in which "special aircraft will be flying the routing tables" physically to servers after periodic network brownouts.

In addition, computer viruses, the "zero-day viruses and affinity worms," will be surreptitiously entering IP devices, causing widespread devastation by wiping out business records.

"In a major brokerage house, it will enter through the CEO's house by infecting the CEO's PC, then the corporate network, and scrambling the brokerage house trading records," said Schmidt, who was formerly chief of security at Microsoft before joining the President's Critical infrastructure Protection Board in December.

Electrical power grids, controlled by networks, could collapse in 2005 due to distributed denial-of-service attacks that block traffic to IP-based management devices, Schmidt said. Economically, all these disruptions will take a toll by 2009, with the Federal Reserve coming to the conclusion that cyberattacks are depleting growth. Then, Fedwire, the government-run network for monetary transfers to banks, will be hit by a database scrambler attack and there will be an unscheduled bank holiday to clean up the mess.

"That's where we're headed if we don't turn this ship around," Schmidt warned.

The federal government is monitoring a situation that arose during the past year in which it was discovered that vulnerabilities in the Simple Network Management Protocol (SNMP) would allow attackers to take over SNMP-based routers, switches, applications and firewalls. This vulnerability, detailed by Finnish researchers, has been traced back to what's called ASN.1 encoding, which caused dozens of network and applications vendors to issue software patches in a race to fix networks before hackers exploited the vulnerability.

ASN.1 constitutes a layer of network coding that is used in many network protocols other than SNMP, and there are suspicions that implementations of ASN.1, which Schmidt likened to "a bad gene in the DNA of complex programs," may be at risk as well.

So far, Schmidt disclosed, the ASN.1 buffer-overflow vulnerability has also been discovered to affect telecommunications microwave equipment, which the industry has quietly addressed. "We're monitoring that," Schmidt said.

Working with industry, the government has wanted to keep information about major vulnerabilities quiet until industry had the needed remediation prepared.

For that purpose, the Bush administration is supporting legislation that would somewhat restrict the Freedom of Information Act (FOIA), which allows individuals to petition for release of government-held documents, by not requiring federal agencies to release information about security vulnerabilities disclosed by industry to government. The goal is to establish what's know being called the "Cyber Warning and Information Network" between government and industry to share information about serious security threats quickly. "We want a limited FOIA exception for this," Schmidt said.

The 20-member President's Critical Infrastructure Protection Board, created by President Bush last October, is the organization expected to coordinate security strategies with both agencies and private-sector companies. Its concerns cover the safety, both physical and electronic, of industry sectors that include telecommunications, energy, transportation, banking, healthcare, manufacturing, and water systems.

The CIIP board expects to publish its cyberstrategy report on Sept. 19, initially to ask for public input on its recommendations. These recommendations are expected to include a statement of "best practices" for federal agencies, asking them to adhere to guidelines for security auditing, vulnerability assessment, intrusion detection and other tasks, Schmidt said.

In addition, the report will recommend proposed research areas where more work needs to be done to improve the Internet's somewhat shaky foundation, particularly as pertains to older protocols such as Domain Name Server and Border Gateway Protocol.

"DNS and BGP are not designed for use in an open environment with the kind of threats we have today," said Schmidt. "We need Secure DNS and Secure BGP. And we have to start securing the future systems, beginning with wireless."

RELATED LINKS