U.S. senator: Cyberattacks could 'devastate' nation

By PATRICK THIBODEAU

(May 14, 2001) WASHINGTON -- While President Bush pushes for a strong defense against a missile attack, a U.S. senator who led the Y2k effort in Congress warned today that a cyberattack by a hostile nation could be as disruptive as a nuclear missile exploding over a U.S. city.

Sen. Robert Bennett (R-Utah), a leading congressional evangelist on critical infrastructure protection issues, also called on U.S. civilian agencies to adopt the "red team/blue team" models used by the defense agencies to test their information security defenses. In such tests, red teams are the attacking forces, while blue teams are the defending side.

"The big threat to our security comes from hostile nation states that can muster sufficient resources to make a concerted significant assault on America," Bennett said today at a conference here co-sponsored by the Armed Forces Communications and Electronics Association.

Bennett said these foreign cyberattackers aren't going to attack the U.S. military or its intelligence agencies, where defenses are strong, but would instead aim for the banking system and other targets. If, for example, they managed to shut down Fedwire, the Federal Reserve's fund transfer system, it could mean that "no checks will clear, no money can be transferred, no financial transactions can take place in the United States. That will devastate the United States more than a nuclear device set off over a large city," said Bennett. "It will cause more long-term havoc."

Bennett reiterated his point in response to a question following his talk, saying that a successful attack that shuts down Fedwire "could bring the nation to its knees."

A Bush administration official, John Sopko, a deputy assistant secretary for administration at the U.S. Department of Commerce, said the administration "has been taking definite steps" to elevate the importance of critical infrastructure protection.

In particular, the Bush administration last week said it was working with federal agencies to prepare an updated plan to protect U.S. government agencies and private-sector businesses from attack. The administration said the plan will involve the private sector and said meetings have already been held with officials involved in banking and finance, electric power, rail transportation, oil and gas, state and local law enforcement, and the IT sector.

On April 24, the Bush administration said it would review how the government is organized to deal with security issues and will seek an "integrated approach," said Sopko, who also spoke at the conference today.

Although he praised the Bush administration's recent efforts on this issue, Donald Upson, Virginia's secretary of technology, was also critical of the government's approach to critical infrastructure protection so far. "We don't know today, exactly, what the role of the federal government is in protecting that infrastructure.

"There has to be a management focus, and that management focus has to go at the highest level of government," said Upson.

http://www.computerworld.com/cwi/stories/0,1199,NAV47-68-84-88-93_STO60566,00.html

-- Martin Thompson (mthom1927@aol.com), May 15, 2001

Answers

Officials: Federal systems increasingly falling prey to hackers

By Patrick Thibodeau

(Apr. 05, 2001) WASHINGTON -- Hackers are succeeding more and more in gaining root-privilege control of government computer systems containing sensitive information, said federal officials who testified today before a U.S. House subcommittee that computers at many agencies are riddled with security weaknesses.

When an attacker gets root privileges to a server, he or she essentially has the power to do anything that a systems administrator could do, from copying files to installing software or sniffer programs that can monitor the activities of end users. And intruders are increasingly doing just that, the officials told the Subcommittee on Oversight and Investigation.

"The increase in the number of root compromises, denial-of-service attacks, network reconnaissance activities, destructive viruses and malicious code, coupled with the advances in attack sophistication, pose a measurable threat to government systems," said Sallie McDonald, an assistant commissioner at the U.S. General Services Administration (GSA).

Last year, 155 systems at 32 federal agencies suffered root compromises in which intruders took full administrative control of the machines, according to the GSA. That's up from totals of 64 root compromises in 1998 and 110 two years ago. And the government has only a vague idea of what kind of data may have fallen into the wrong hands.

For at least five of the root compromises, officials were able to verify that access had been obtained to sensitive information, McDonald testified. But for the remaining 150 incidents, she added, "compromise of any or all information must be assumed." She characterized the compromised data as involving scientific and environmental studies but said she couldn't offer further details.

Meanwhile, the U.S. General Accounting Office (GAO), in a report released today summarizing security audits that have been completed at 24 federal agencies, said it had identified significant security weaknesses at each one. Robert Dacey, director of information security issues at the GAO, said in his testimony that the shortcomings have "placed an enormous amount of highly sensitive data...at risk of inappropriate disclosure."

The government is going to find itself in "deep, deep trouble" if its IT security procedures aren't improved, warned Rep. Billy Tauzin (R- La.), chairman of the House Energy and Commerce Committee. If sensitive personal data about U.S. citizens is compromised, "Americans are going to wake up angrier then you can possibly imagine," he said.

Many of the thousands of attempts to illegally access federal systems come from abroad, testified Ronald Dick, who took over as director of the FBI's National Infrastructure Protection Center cyberdefense agency last month (see story). "We know many nations are developing information warfare capabilities as well as adapting [cybercrime] tools," he said.

Hackers are also exchanging vulnerability information with one another, said Tom Noonan, president and CEO of Internet Security Systems Inc. in Atlanta. "There is a whole new currency on the Internet that's called the back door," he said, adding that attackers are trading information about back doors that provide access to different systems.

One step the government could take to increase the security of its systems is to focus more resources on improving education and training, Noonan said. "Computer security experts are scarce," he added. "They are in short supply, and they are expensive." The average salary at his 2,000-employee security software company is $80,000, he noted.

A 1998 directive by President Clinton ordered all federal agencies to complete a virtual bulletproofing of their IT systems from attack by May 2003. But officials said most agencies are behind in that work, and only a few are doing penetration testing.

"We are not surprised or pleased by what we are finding," said Rep. James Greenwood (R-Pa.), chairman of the subcommittee that held today's hearing. Even more alarming, he added, is the fact that many attacks aren't detected. "We don't know what was done, and we have no way of knowing what was done," Greenwood said.

During the hearing, subcommittee members watched with rapt attention as a U.S. Department of Energy security team demonstrated how systems are scanned, probed and accessed by intruders. The demonstration also covered how passwords can be cracked and data can be copied after unauthorized access to a system is gained.

http://www.computerworld.com/cwi/Printer_Friendly_Version/0,1212,NAV47 -68-84-88-93_STO59280-,00.html

-- Martin Thompson (mthom1927@aol.com), May 15, 2001.