SINGAPORE AN INTERESTING ARTICLE ON CYBERSECURITY AND THE IMPORTANCE OF PROTECTING THE INFORMATION INFRASTRUCTURE CIO Asia - Issue - The Interactive NightmareThe Interactive Nightmare
The best thing about the modern computer network is also its chief liability: everything's connected, with on-ramps conveniently located everywhere.


CONSIDER THE FOLLOWING SCENARIO. Members of a terrorist organisation announce one morning that they will shut down the Pacific Northwest electric power grid for six hours starting at 4 p.m.; they then do so. The same group then announces that it will disable the primary telecommunications trunk circuits between the U.S. East and West Coasts for a half day; they then do so, despite our best efforts to defend against them. Then, they threaten to bring down the air traffic control system supporting New York City, grounding all traffic and diverting inbound traffic; they then do so. Finally, they threaten to cripple e-commerce and credit card services for a week by using several hundred thousand stolen identities in millions of fraudulent transactions. Their list of actions is then posted in The New York Times, threatening further action if their demands are not met. Imagine the ensuing public panic and chaos.

Alarmist, perhaps? Far from it. The scenario is actually quoted from a letter sent by a group of concerned scientists to U.S. President Bush in February 2002. Signatories included O. Sami Saydjari, founder of the Cyber Defense Research Center; Matt Donlon, former director of the security and intelligence office at the Defense Advanced Research Projects Agency; and Robert T. Marsh, a retired Air Force general and former chairman of the President's Commission on Critical Infrastructure Protection. The scientists don't mince words about the cyberthreats facing the nation: "The critical infrastructure of the United States, including electric power, finance, telecommunications, healthcare, transportation, water, defense and the Internet, is highly vulnerable to cyberattack. Fast and resolute mitigating action is needed to avoid national disaster."

While the group's scenario was meant to grab attention, it also was grounded in reality. Each of the events depicted has happened (though not concurrently); some resulted from government-sponsored exercises, some from technical failures and some from actual cyberattacks. All could plausibly be triggered by a few knowledgeable people using some PCs and Internet access.

The cyberthreat to the nation's security and economy may not be as well understood to the general public as a dirty bomb or a vial of ricin in the wrong hands. But to experts in cybersecurity--those who know the vulnerabilities of the Internet and do daily combat with hackers, criminals and foreign governments trying to probe our critical infrastructure and military networks--the threat is vividly real. Indeed, the 54 scientists who signed the letter believe that a professionally coordinated cyberattack on the critical infrastructure could ravage not only the nation's economy (to the tune of hundreds of billions of dollars in damage) but also undermine public confidence in the government's ability to protect its citizens. In fact, although a cyberattack alone may lack the awful human destruction that can accompany a physical attack, because the systems controlling the critical infrastructure are often densely interconnected, such an attack could have more destructive and widespread consequences.

The lead defender in protecting the critical infrastructure is the U.S. Department of Homeland Security, a collection of 23 agencies that began operations in January 2003. Spearheading the effort is the National Cyber Security Division, led by Director Amit Yoran. Like the rest of DHS, Yoran and his staff face a steep uphill climb in accomplishing the department's mission. Eight-five percent to 90 percent of the critical infrastructure rests in private hands. Yet in the absence of regulation, which the private sector often views as a poison pill, DHS has no whip; rather, it must play the role of prodder and pleader, reaching out to a leery private sector that knows it needs to harden security but wonders where the money is coming from to pay for it. As a result, many of those private-sector companies may not feel compelled to move as quickly as DHS might like. Compounding the fledgling division's challenges is its organisational immaturity: At the same time it's trying to boost cybersecurity, it's also dealing with the headaches of hiring staff, integrating IT systems, figuring out how to analyse the boatloads of data coursing through its pipelines and how to share that information. All that will take months--some say years--to sort out.

This story looks at the challenges facing DHS and its cybersecurity team, and how they're working with the private sector to address them. While regulations remain a political third-rail within the business community, DHS and some in Congress are sending signals to CEOs that serious progress had better happen fast or else regulation may turn from threat to reality.

CONTINUED at weblink.............