Information Security News mailing list archives

CIA can't foresee computer attacks, official says


From: InfoSec News <isn () c4i org>
Date: Thu, 21 Jun 2001 20:12:32 -0500 (CDT)

http://www.nandotimes.com/technology/story/30632p-523453c.html

By D. IAN HOPPER, Associated Press 

WASHINGTON (June 21, 2001 2:54 p.m. EDT) - The CIA is unable to
predict attacks on U.S. computer systems before they happen, as the
agency is expected to do with political and military events, a top CIA
official told Congress on Thursday.

Despite a major increase in intelligence efforts dedicated to computer
security, attackers still develop new tools and techniques faster than
the CIA can keep up, Lawrence K. Gershwin said.

Often, "we end up detecting it after it's happened," said Gershwin,
the CIA's top adviser on science and technology issues. "I don't feel
very good about our ability to anticipate."

Gershwin told the Joint Economic Committee that foreign governments
are the most potent threat to U.S. computers for the next five to 10
years, rather than terrorists or lone troublemakers.

So far, he said, individual hackers don't have the skills or the
motive to make a major attack against U.S. infrastructure like the
telephone system or financial networks. And since terrorists want
immediate and predictable results, they will stick with their current
attacks for the foreseeable future.

"Terrorists really like to make sure that what they do works,"
Gershwin said. "They do very nicely with explosions, so we think
largely they're working on that."

Still, Gershwin warned that a terrorist organization could surprise
intelligence officers and mount a cyber attack within the next six
months.

The committee focused on the vulnerabilities faced because of the
separation of the public and private sector. Even though the
government uses commercial networks, and vice versa, there still is
little information shared and attackers could exploit that split.

"When a commander at the Pentagon tries to call a commander in the
field," Sen. Robert Bennett, R-Utah, said, "he's connecting with
Verizon."

Gershwin said that this reliance on private networks can mean that a
foreign power could install a backdoor into government systems.

"While we may be working with American companies on issues at some
point, there are contracts and subcontracts," Gershwin said. "It gets
hard to tell who's doing the work for you."

Gershwin and other legislators said they would like to see more
cooperation between businesses and government, similar to the programs
designed to beat the Y2K bug.

There are some public-private collaborations, such as the FBI's
InfraGard program to get closer to tech companies and the federal
Information Sharing Analysis Centers. But there is still much
distrust, as companies don't want to share their vulnerabilities with
other firms or see them reported publicly, and the government holds
back its secrets.

"I'd like to think we can work on that collaboration now," said Rep.
Adam Putnam, R-Fla., "rather than when there's a crisis."




ISN is hosted by SecurityFocus.com