The next 9/11 could be in cyberspace
Posted on 06/11/2010 7:28:44 PM PDT by Eyes Unclouded
That's the warning from federal lawmakers who today introduced a bill to prevent a catastrophic cyber attack upon a power grid or the banking system from ever happening, and to defend against a multitude of other, perhaps less devastating cyber assaults against the government, the businesses and the people of the United States.
"The threat of a cyber attack is very real," said Senator Susan Collins (R-ME), at a press conference introducing the Protecting Cyberspace as a National Asset Act of 2010, a bill she co-sponsored with Senators Joe Lieberman (I-CT) and Thomas Carper (D-DE). "We cannot wait for a cyber 9/11. We have to take action now."
"This bill was prompted by growing concerns that public and private sector networks have become increasingly vulnerable to attack from cyber warriors, spies, criminals and terrorists," Senator Lieberman said.
"The federal government's efforts to secure cyber networks have been disjointed, understaffed, and underfinanced," Lieberman said. "We simply need better cyber security for the 21st century, and we are confident that this legislation will take a long stride in that direction."
A similar bill, the Federal Information Security Management Act of 2010, was passed by the House last month and incorporated as an amendment into the House's National Defense Authorization Act for FY 2011.
The Senate bill would establish an Office of Cyberspace Policy within the Executive Office of the President, with a director appointed by the president. The bill would also establish the National Center for Cyber Security and Communications, under the Department of Homeland Security.
Lieberman explained that, among other duties, the center would work with private corporations to establish cyber security performance standards for businesses across the country. The senators emphasized that the standards would not be forced upon companies, but would be measures the private sector assisted in recommending.
The bill also contains a provision that would grant the president temporary emergency powers over critical sections of national cyberspace in the event of an attack or imminent threat.
"DHS has identified a number of critical parts of national cyberspace, and these parts could come under the president in an emergency," Lieberman said.
Lieberman named the financial system, power grids and certain dams as examples of these critical sectors of national cyberspace. The senators emphasized that the president's extraordinary powers would be limited to the task at hand.
"He would, for example, be able to limit communications between the particular company and the nation the threat was perceived as coming from," Lieberman said. "He would be able, in some instances, to shut part of a system down."
Collins said that the bill gives no new surveillance powers to the president or the government, and that the president would not be authorized to take over any private company.
Another provision would instruct the national center to set up cyber talent competitions and challenges in an initiative to find, recruit and train people able to operate and develop cyber security systems and methodologies.
"Other nations do this," Senator Carper said. "They find talented people and train them to become cyber warriors. We need to develop our own home-grown cyber warriors to ensure our security."
Carper said that there are still thieves and spies in the world, only now they have an easier time by using cyberspace.
"And they can escape with scarcely a trace," he added.
Ravi Sandhu, executive director of the Institute of Cyber Security at the University of Texas at San Antonio, concurred.
"It is extremely difficult to know where cyber attacks may have originated, and also difficult to know when your system has been penetrated - that is, until the hackers actually do something, and it is too late," Sandhu said. "And they can get away without leaving a trail."
Sandhu downplayed the imminence of a catastrophic cyber attack that would cripple a power grid or "freeze all ATMs."
"I do not believe the sophistication of hackers has yet reached that level, although it is not impossible," he said. "However, the sophistication levels are rising all the time. There is enough current activity in the way of attacks on computer networks, and a rising level of sophistication in these attacks, that, as a nation, we should be concerned."
Sandhu said that most cyber attacks are aimed at theft - of money, primarily, and of information.
"Hackers chiefly go after credit card and bank account information," he said. "There is also extortion."
A hacker penetrates a corporation's system, lets the business know its computers have been compromised and demands payment or serious damage will ensue.
"Some companies conclude that it is less expensive to pay," he said.
Lawmakers pointed out that government computers are constant objects of cyber assaults.
"In a month, an average of 1.8 billion cyber attacks are attempted against Congressional and Executive Branch computer networks," Collins said at the press conference, naming the Senate Sergeant-at-Arms Terrance Gainer as the source of the information.
Professor Sandhu said that developing better cyber security, although necessary, is problematic.
With the development of both defensive and offensive cyber systems, a nation will guard and rarely share its technologies. But hackers are also extremely sophisticated and ready to develop or steal state-of-the-art methods.
"And hackers share information all the time, for a price," Sandhu said. "There is a vast underworld network trafficking in new hacking technologies. Cyber security is hard to provide."
Lieberman said there will be a committee hearing on the bill next Tuesday and he hopes to have the measure on the floor of the Senate before the July 4 recess.
“Collins said that the bill gives no new surveillance powers to the president or the government, and that the president would not be authorized to take over any private company.”
With this being a possible strategy for the Chinese and/or a more cost effective attack from Iran or terrorist bodies I understand the need for an upgraded policy. The military recently added a cyber security general to STRATCOM. However I also understand that giving such a power to the federal government is not without risks.
Why would the controls for infrastructure be connected to a public network? Has everyone in leadership positions gone daft?
So whenever the internet is abuzz with talk, say, of Obama dithering, he can just shut it down...
As bad as IT management gets in the private sector things in the federal government are much worse. In addition to the regular hurdles of cost and organizational problems that crop up you have the problems of bureaucracy and legal issues. Of course DHS is a special case as it is a political appointee run federation of different agencies all fighting over the same turf.
Most of those in charge of government organizations are not geeks, as a matter of fact many couldn’t send an email if their very life depended on it ... and you expect them to understand the threat against cyberspace? To update software seems to them a waste of time and money. Until the inevitable software 9/11 happens, they will not respond to calls for updated software and associated security programs.
BRAVO SIERRA ALERT ! ! !
Forget armoring a free society. Instead, make unambiguously clear that any attack will result in the end of the society from which the attack originated.
That means every living thing is killed.
Using the Somali pirates as an example, simply level the towns used as bases. Conventional weapons could do it, but nukes have a higher deterrence factor for others considering attacking us.
Maybe we could make it into an American Idol type TV show. Text 727211 for the Indian hacker dude.
They have to have a “compelling” reason to screw with the 1st Amendment, so they (dems/RINOs) are running the possibility of another 9-11 up the ol’ flagpole ’cause they think flyover country will salute.
I want my mark in both my right hand and forehead... just in case I lose one or the other.
I attended an information security conference three years ago, where they talked about this. It was IANETSEC Dallas, for reference. A representative from the Idaho National Laboratory discussed a cyber attack against the grid, and explained how they could do it. They even had a video of a demonstration, where they had a generator similar to those out on the grid, and networked in a similar fashion, tear itself apart when given a rapid series of commands through the network. That network is vulnerable, and could be compromised at any time. The feds have known about this for years, and every now and then some group of congresscritters finds a copy of one of the many reports, and starts making noise about it, but the sad reality is that Information Security, even Cyber Security, for the nation is in sad shape. The reason for that is the same reason so many private companies don’t have sound information security postures either. Until an attack actually happens, it’s hard to give credence to the threat. Far too many people take the position that, because it hasn’t happened yet, it’s not going to happen, and they see what they perceive to be more important things to spend the budget on. That view is changing, but the change is incredibly slow. It’s hard to justify a six- or seven-figure budget for something that may never happen, especially since there is almost no way to prove that the money was well spent. A failed attack would be lost in the noise of all the other attacks or attempted attacks, and would look no different.
Sorry JimRob, it isn’t horse hockey. It is a genuine threat. The main reason it hasn’t happened yet is, so far as the security community can tell, dumb luck. I say that as someone who holds the CISSP certification, has security specializations on a bunch of other technical certifications, and holds a Master of Science in Information Assurance.
Get them off the public internet.
LOL! On the other hand have you seen a CS program at a university recently?
As we were told, the Defense Intelligence Agency, National Security Agency, Central Intelligence Agency, Federal Bureau of Investigation and any number of other intelligence gathering government bureaus and agencies had to be consolidated into the Department of Homeland Security, so that they could work more efficiently and protect us better.
Now we’re told that, in addition to all of those high-Q federal workers, we need some sort of Agency of Halo-Players & Cyberwarriors to throw money at because if we don’t—turrible bad e-things will happen, that 0 won’t abuse this power (“Trust Us—we’re The Federal Government!”) and that the natural inclination of the Beltway Beast is not, as we have seen, to grow exponentially, as allowed, like Seymour the Meat-Eating Plant.
9/11? No, not even close but you know how the kabuki bunch in congress love their hyperbole (the planet is melting so give us your money) and grandstanding.
On a different note:
If you combine the powers these bills grant along with some pre-existing conditions (DHS labeling conservatives domestic terrorists etc.) some interesting scenarios crop up especially in an environment where the government feels free to seize whole sectors of the economy and use them politically.
Dear Leader would love to get his grubby hands on the internet. Too much free speech is a problem for wannabe dicktators.