Internet Security Experts Urge U.S. to Secure its Critical Computer Networks

Two Internet security experts urged the United States to improve the security of its vital computer networks by incorporating solutions that would allow the systems to restore important services during an attack, accident or failure.

By designing applications that can limit the effect of an attack and guarantee the privacy of personal information, the experts said that the United States could create more powerful technologies, such as messaging and metering systems, that could have dramatic economic outcomes and potentially save lives.

"It is unreasonable to think that even the nation's most secure critical networks are impervious to attacks," said Howard Lipson, a senior member of CERT (the Internet's first computer emergency response team), at Carnegie Mellon University's Software Engineering Institute. "It is absolutely crucial that our most important networks have survivability features to ensure that they can fulfill their missions by providing essential services in a timely manner despite an attack, accident, or failure."

The experts spoke at a Capitol Hill briefing sponsored by the AAAS Center for Science, Technology, and Security Policy and hosted by the United States House of Representatives Committee on Homeland Security.

"Cyber security touches all aspects of society from networks, including financial and health networks, to control systems for utilities," said Kavita Berger, senior program associate at CSTSP. "It is very important that policy makers be aware of how to protect the nation's critical infrastructure."

The Capitol Hill briefing came on the heels of a Congressional investigation looking into the cause of an August 2006 "data storm" that forced the water recirculation pumps to malfunction at the Browns Ferry nuclear power plant in Alabama, resulting in a shutdown.

While the U.S. Nuclear Regulatory Commission concluded that the malfunction did not threaten the safety of the plant, and that it did not come from an outside hacker, the U.S. House Homeland Security Committee has called for answers to several unanswered questions including the source of the "excessive traffic."

When pressed, a spokesman for the Tennessee Valley Authority (TVA), the federal organization in charge of managing Browns Ferry, said the TVA could not rule out the possibility of outside interference.

"The incident at Browns Ferry is an example of short term survivability," said Lipson. "The plant's operators responded to the failure of control devices by manually shutting down the plant, without needing to wait for a determination of the underlying cause."

Lipson compared a short-term network survivability function to a guardrail on a tortuous mountain road where a car is about to veer off a cliff.

"The guardrail is a survivability solution for the immediate crisis whether the cause was ice on the road, a drunk driver, or the brakes had been tampered with," said Lipson.

Lipson explained that for long-term survivability, organizations must investigate the exact cause of a disruption and incorporate that information into a security plan to improve survivability in future crises.

In addition, organizations need to identify the essential services they must maintain when their networks are stressed under an attack.

Carl Gunter, professor of computer science at the University of Illinois at Urbana-Champaign, believes that important control systems like the ones at Browns Ferry remain susceptible to cyber attacks as a result of their obsolete security designs.

"Many of our key information technology systems—the Internet, personal computers, and important control systems—were not designed with security as a core objective," said Gunter.

In addition, Lipson said the Internet has far surpassed its original mission as a place where government and academic researchers could communicate and collaborate. "The Internet was not designed to resist highly untrustworthy users or track their behavior," said Lipson, adding that the pervasiveness of common computer software enables hackers to do a lot of damage once they find vulnerabilities.

Citing a nearly 35 percent increase from 2005 to 2006 in vulnerabilities reported to CERT, Lipson added that CERT has recently begun handling a small number of control system vulnerabilities. He noted an increasingly critical need for vulnerability analysis and incident response coordination activities related to control systems.

In addition to protecting critical control systems, Gunter said that if security experts are able to provide adequate cyber security, computer programmers could create a whole range of cutting-edge technologies and could potentially save time, money, and lives.

For example, Gunter proposed a medical messaging device that could communicate vital statistics from elderly patients to their physicians thousands of miles away. By using this system, doctors could get more information about a patient without them having to meet in person.

Another example of a cutting-edge technology is the use of advanced meter infrastructures (AMIs) for energy consumption data. These units would reduce costs by enabling energy consumption data to be sent to the power company. In addition, customers would be able to control costs by setting their meters to only use a certain amount of energy in a month.

In addition to the convenience of AMI's, they may also serve a safety function.

After Hurricane Katrina, Gunter explained, municipal security camera networks, very similar to AMI networks, were the only network infrastructures to survive. After the storm, officials were able to retask the camera networks to carry important communications.

Gunter believes that just as the security camera networks were retasked to serve in an emergency, the AMI network could potentially be used to communicate important information.

"There are certainly applications out there that will save money and lives while providing valuable new services," said Gunter. "I think it's our obligation to enable these technologies by providing better protections for security and privacy."

Benjamin Somers

8 June 2007