Bracing for a cybersecurity Pearl Harbor

RSA panel says not enough is being done to protect cyberspace

Some of the people who know best how serious the cybersecurity threat is say not enough is being done to prevent such attacks and lament that the only thing that will prompt any action is the cyber equivalent of Pearl Harbor.

"We've got to start talking about this," said Michael Chertoff, former secretary of the U.S. Department of Homeland Security, during a panel discussion on cybersecurity at RSA Conference 2010 this week in San Francisco. "The solution seems so complicated that the public ignores it."

During an hour-long discussion, Chertoff -- along with Richard Clarke, a cybersecurity adviser to presidents Clinton and Bush 43, and Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC) -- said that cyber attacks happen all the time and could get worse, but that retaliating against them is difficult because it's hard to trace their source. The panel said deep packet inspection could thwart attacks, but debated whether government or private industry should do it and how privacy can be protected in the effort to strengthen security.

Clarke, currently a partner in the security firm Good Harbor Consulting, was the most critical of the lack of security protection today, noting that the computer networks of major U.S. companies and government agencies are attacked daily in acts of cyber espionage in which petabytes of information are extracted. The attacks emanate from China and Russia and a few other countries and are either government-sanctioned attacks or conducted by criminal enterprises.

But there are even more serious threats of cyberwar that aren't being addressed either, he said. "We have no public strategy about how to fight a cyberwar. In fact I don't think we have a private strategy either."

Clarke pointed to a Wall Street Journal article from April 2009 about how cyber attackers from China and Russia had penetrated the power grid of electric utilities in the U.S. and planted "logic bombs," software programs that could be executed to disrupt the system.

"What if ... plastic explosives had been found on some high tension distribution wires throughout the United States and we had reason to believe the people who put them there were Chinese agents? Congress would go crazy. They wouldn't serve Chinese food in the cafeteria. But you make it a logic bomb and nobody notices," Clarke said.

Beyond serving Freedom Chow Mein in the Capitol cafeteria, deep packet inspection (DPI) might help detect suspicious activity on the network. But that raises privacy issues with Rotenberg, whose EPIC has challenged the government and private enterprises on security methods that clash with privacy rights.

"I think the big questions are what do we do? Do we give the government a lot more authority, do we start authenticating all users? Do we start tracking all communications? This is where the debate really begins," Rotenberg said. "Privacy ends up being the collateral damage of the cyberwar battles."

Clarke agreed that the government should not be the entity performing DPI, but that the government could require Internet service providers to do it. Rotenberg responded with an added concern about whether ISPs would mine data they're inspecting for commercial purposes, to which Clarke replied that the DPI regulation could be written to prohibit that.

Complicating efforts to fight cybercrime is a lack of "attribution," the panelists agreed. Retaliating against the perpetrators of a cyber attack is difficult because it's hard to identify them. The fact that botnets hijack innocent servers disguises the perpetrators the same way wearing a ski mask disguises a bank robber. Rotenberg commended Secretary of State Hillary Clinton for elevating the cybercrime issue in January with remarks she made in the wake of attacks emanating from China on Google Gmail accounts and networks of other U.S. companies.

But, being a diplomat, Clinton had to be, y'know, diplomatic.

"She had to walk a careful line there in part because of the attribution problem," Rotenberg said.

Being the largest software company in the world, Microsoft's name inevitably came up. The moderator, Forbes magazine National Editor Quentin Handy, reminded Clarke that in 2003 he had said he took Microsoft at its word that it was improving the security of its products, "but they've got to get better." Handy asked Clarke whether, in 2010, they have. "Well, they haven't done worse," Clarke replied.

"But it's not just Microsoft," he continued, adding that there is no rating agency, public or private, that evaluates security products and gives them a Good Housekeeping Seal of Approval if they actually work.

That's quite a diss to deliver to an audience of hundreds of people whose business is to develop and sell security products. But Clarke raised a challenge in the form of a question: "Is it beyond the technical capability of all of the people in this room to design a [network] that can't be attacked?"

Let's hope not.


Copyright © 2010 IDG Communications, Inc.