U.S. Government, Businesses Are Poorly Prepared for Cyber Attacks, Experts Say at AAAS

The United States is ill-prepared to defend its vital infrastructure against a cyber attack, a former top cybersecurity official said during a recent panel discussion at AAAS.

Richard C. Clarke, special adviser for cybersecurity under President George W. Bush, said the federal government might be able to defend some of its own military and civilian networks. But he warned that the United States has no comprehensive plan in place to defend “its railroads, its pipelines, its electric power grid, its aviation system, or its banking system from nation state cyber attack in a cyber war.”

Clarke’s remarks came during a 22 November session, sponsored by the AAAS Center for Science, Technology and Security Policy, on how effectively government cybersecurity efforts are keeping up with a rapidly changing technical environment.

Some 20 to 30 nations have military units with the capability to mount cyber attacks, Clarke said, citing comments by CIA director Leon Panetta. “The United States Air Force talks openly about its plans to knock out enemy power grids and turn enemy nations into blacked-out countries with cyber war,” Clarke said.

Despite some limited cyber disruptions against nations such as Estonia and Georgia, the notion of a concerted cyber offensive “seemed somewhat academic, somewhat science fiction to a lot of people until recently,” Clarke said.

Then someone launched a computer worm called Stuxnet. It was aimed at a supervisory control and data acquisition (SCDA) system that controls certain electric converters that govern the spin rate of electric motors, including those that run centrifuges in an Iranian uranium enrichment facility. As Clarke put it, the attack was a complex affair that stole digital certificates and used advanced encryption methods and was “a very targeted, precision-guided missile, if you will.”

The attack possibly affected the operation of the Iranian enrichment facility, Clarke said, and similar attacks could be targeted at SCDA systems for other facilities, such as electric power grids in the United States. “I think the debate on whether or not cyber war can happen is over,” Clarke said. “I think the evidence is clear it can happen.”

1210cybersecurity_clarke

Richard C. Clarke

Clarke, co-author of Cyberwar: The Next Threat to National Security and What to Do About It, argues that much more needs to be done to protect private sector facilities from cyber attack.

While there remains debate on just how vulnerable the United States is to cyber attack, the general state of American cybersecurity is “fairly poor,” Eugene Spafford, a professor of computer science at Purdue University, told the AAAS session. For cyber crime, he said, “Most of the perpetrators are not being caught. In fact, the crimes are difficult to detect.”

1210cybersecurity_spafford

Eugene Spafford

The retaliatory attacks against Web sites deemed hostile to WikiLeaks, the anti-secrecy group, and Julian Assange, its founder, suggest how easily a group of determined hackers can cause mischief in the cyber world.

Spafford said academic specialists have been warning for more than 25 years about vulnerabilities in computer systems that can lead to identify theft, credit card fraud and other security intrusions.

“We have research that shows that systems could be built better to prevent” the kinds of online intrusions that cost corporations and consumers billions of dollars each year, Spafford said. One obstacle, he said, is that there have been “no consequences at all for sloppy practice, for bad software that has been shipped out with known flaws, with poor configurations.”

There also have been major conflicts within the law enforcement community on who should be investigating cases of cyber crime, Spafford said. Moreover, since most of the individual losses are modest, there is not a sense of urgency with cyber crime comparable to the warnings about potential cyber attack by nation states or terrorist groups.

“It’s very easy to point to a large threat out there rather than to a diffuse threat that is all around us,” Spafford said. As a practical matter, the response to cyber crimes and intrusions into computer systems has been marked by an incremental approach, he said. Research funding has gone to finding ways to patch existing software and operating systems rather than looking for fundamentally new approaches.

Spafford called for more emphasis in schools on training professionals who understand computer systems and how to improve security. Too many companies have brought in ex-hackers for security purposes, he said, “as if the ability to break into a car and steal it is somehow indicative of how you can design an automobile.”

Larry Clinton, president of the Internet Security Alliance, an industry group, noted that several government and private sector studies have found 80% to 94 % of the known breaches in cybersecurity could have been prevented by inexpensive, off-the-shelf technology and practices that already are available.

1210cybersecurity_clinton

Larry Clinton

Private companies, in particular, need to be convinced to aggressively pursue such remedies, Clinton said. Many companies will accept a certain amount of financial loss due to cyber crime, he said, comparable to accepting a certain amount of overhead for shoplifting and employee theft.

The government can help spur sound cybersecurity practices in the private sector, Clinton said, but he argued that more government regulation would only tend to drive business offshore. Instead, he said, the federal government could serve as an evaluator of best practices in cybersecurity and provide appropriate incentives, such as tax breaks, to encourage companies to adopt tougher protection measures.

Clarke noted that companies already are spending hundreds of millions of dollars on firewalls, intrusion detection and anti-virus systems. “If companies are not able to prevent sophisticated penetrations, then perhaps the government does have a role in spurring research and development to fundamentally change the nature of software and networks,” he said.

Spafford said law enforcement agencies need to do a better job educating companies and individuals about threats in cyberspace, a realm that has no national borders. Alexander Howard, the Government 2.0 correspondent for O’Reilly Media, also made a plea for better education.

1210cybersecurity_howard

Alexander Howard

“The lack of basic education around protection of privacy, identity and security is something that is an issue across our country,” Howard said. He decried what he called sensationalistic coverage of cyber war in media accounts, and urged presentation of more information on how Americans can protect themselves, their families and their businesses from cyber intrusions.

Clinton said education efforts also need to include members of Congress. But better education and awareness can go only so far, Clarke said. “We need technology that is idiot proof,” he said. “We need to look for rock solid systems that people don’t have to spend a lot of time trying to configure… we have to rethink the fundamental nature of software and the protocols and rethink the architecture.”

Spafford said he is not optimistic there will be adequate willpower and funding in the current political climate to address some of the cybersecurity issues that academic researchers have been warning about for years. “I think we may be back here in a few years hearing the same recommendations yet again,” he said.

Links

Listen to an audio file of the 22 November panel discussion.

Learn more about the AAAS Center for Science, Technology and Security Policy.