Information Security News mailing list archives

Official: Tech Firms Should Be Drafted


From: William Knowles <wk () C4I ORG>
Date: Thu, 24 Aug 2000 19:27:54 -0500

http://www.zdnet.com/intweek/stories/news/0,4164,2618582,00.html

By Patrick Houston, ZDNN
August 22, 2000 5:00 PM PT

REDWOOD SHORES, Calif. -- The federal official in charge of protecting
the nation's critical information systems sounded a Klaxon here
Tuesday, calling on corporations to create a new type of civil defense
system against hackers and hostile nation-states.

"If the United States goes to war again ... our movements of troops,
our movement of aircraft, our lines of supplies will probably be
attacked not by bombs, not by bullets but by bytes," said Richard A.
Clarke, national coordinator for security, infrastructure protection
and counter-terrorism, at a daylong conference on information
security.

Tech industry leaders -- including Microsoft Corp., Oracle Corp., Sun
Microsystems Inc. and Cisco Systems Inc. -- joined retailing, banking
and manufacturing executives at the fourth in a series of five
regional gatherings that began last spring in Washington.

Their mission is clear, Clarke told corporate board members and the
auditors who help them manage major risks. "By protecting the IT
security of your company, you can protect the security of your
country."

Clarke is the National Security Council's first-ever infrastructure
coordinator, charged with assessing potential threats to the nation's
railroads, electrical power grid and telephone systems. But he has
focused less on rails and ties, wires, towers and poles and more on
the computing systems underlying the operations of companies that
supply basic services.

His appearance was a sign of the government's commitment to
information security, an issue that has escalated to a place on the
national agenda, thanks in part to a series of highly publicized
incidents including the "Love" bug and Melissa virus outbreaks; Y2K
glitches; and the denial-of-service attacks that brought down
Yahoo.com, eBay.com and ZDNet.com.

No army will win this war

It also represented a realization by the
national security establishment: In the borderless world of the
Information Age, there's no way the Army, the Air Force or the Marines
can defend the nation's information systems as they've protected its
vital interests in the past.

Clarke said threats come in several different potential forms:
vandalism, extortion, espionage and disruption.

He cited a hacking incident involving a Florida Internet service
provider. The hacker obtained thousands of customers' credit card
numbers and threatened to expose them on the Internet if the ISP
didn't pay a ransom. Police tracked the extortionist to Frankfurt,
Germany, where they arrested an Indian national.

"Someone from India, living in Germany, stole credit card numbers from
Florida," Clarke said.

There are "nation-states which have formed information warfare units,"
and those units are probing the nation's information networks "looking
for points of vulnerability," he said.

"The next time there is a major crisis, we have to worry about being
blackmailed as a nation or being disrupted as a nation," he said.

He said the Pentagon has experienced "millions" of attempted
intrusions each year. The U.S. Air Force alone was subjected to
300,000 last year, of which only about two dozen succeeded.

Twice a month

While that might not seem significant, given the totals,
he said, "Think of it this way: Twice a month, your Air Force had its
computers successfully hacked last year."

Clarke also warned of attacks on private companies creating a calamity
that could be tantamount to an "electronic Exxon Valdez."

He cited several ways the government is trying to enhance security.
They include:

encouraging industries to create information sharing and analysis
centers (ISACs), groups of companies in the same industry that share
information about cybersecurity. A group of banks has banded together
to do just that. When one is attacked, its ISAC creates a report for
circulation among its members on the causes and precautions;

creating a more receptive "legal framework." This might include
amending the Freedom of Information Act so that companies could feel
more confident in sharing information about security breaches with the
government;

spending $600 million on information technology research, particularly
in areas where commercial prospects remain slim and thus unattractive
to for-profit companies; and

sharing classified information with "trusted partners."

In the end, however, the burden of protecting the nation and its vital
interests lies with the individual efforts of individual companies and
institutions.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com