Information Security News mailing list archives

Cyberdefense mired in Cold War


From: InfoSec News <isn () C4I ORG>
Date: Mon, 19 Jun 2000 08:33:15 -0500

http://www.fcw.com/fcw/articles/2000/0619/news-dfnse-06-19-00.asp

BY Dan Verton
06/19/2000

The absence of a catastrophic cyberattack against the United States
has created a false sense of cybersecurity and has allowed costly Cold
War-era Pentagon programs to siphon money from critically needed
information technology and security programs, a panel of experts
warned last week.

"We're still mired in a Cold War-era defense spending mentality," said
Sen. Charles Schumer (D-N.Y.) at a symposium titled "Technological
Change and American Security" and sponsored by The Brookings
Institution.

The rapid advance of IT has created "real and potentially catastrophic
vulnerabilities," Schumer said, adding that the consequences of a
cyberterrorist attack "could be devastating."

Eye of the Beholder

However, senior security officials are battling a perception problem,
according to experts who took part in the symposium. Without a
clear-cut example of an "electronic Pearl Harbor," where a surprise
cyberattack cripples financial markets and other critical systems, it's
difficult to convince top military and political leaders that IT
research and development should be a bigger priority in the budget
process, experts say.

"Cyberterrorism is not an abstract concept," said Jeffrey Hunker,
senior director for critical infrastructure protection at the National
Security Council. Although attacks historically have been labeled as
"nuisances," that may not be the correct way to look at the problem,
Hunker said.

The government is dealing with an "enormous educational deficit" when
it comes to IT security, he said.

Part of the problem is the fact that the Defense Department remains
committed to lobbying Congress for money to pay for programs such as
the F-22 Joint Strike Fighter instead of increasing funding for IT
programs, said Michael O'Hanlon, a senior fellow for foreign policy
studies at The Brookings Institution.

"I believe that is not affordable even in this age of surpluses,"
O'Hanlon said, adding that DOD's assumptions about future budget gains
are "wrong."

O'Hanlon advocated spending more money on advanced sensors,
precision-guided weapons and other IT programs. That type of
investment would preclude the need to buy costly systems such as the
F-22, he said.

But even events such as the outbreak of the "love bug," which
reportedly cost the U.S. economy billions of dollars, have not
convinced people in and out of government that the problem is real,
Schumer said. Usually, when a major crisis costs people a lot of
money, it leads to many visits to Capitol Hill and requests for help,
Schumer said. But that never happened after the love bug outbreak, he
said.

Some experts have questioned the government's liberal use of the term
terrorism to describe acts of mass disruption on the Internet.
However, when asked about the seeming lack of interest in cyberattacks
by well-known terrorists such as Osama bin Laden, a senior White House
official said the focus should not be on what bin Laden does or does
not do, but on being proactive and understanding that a major attack
may be coming.

Hunker said he agrees. "We are attempting to be proactive," he said.
"I believe that we are going to get nailed seriously."

The National Security Agency is one of the federal entities that has
taken a proactive approach toward security cooperation between
government and industry (see box).

But one of the biggest challenges facing the nation, highlighted
during the love bug incident, remains convincing industry that
security is as important as making money, said John Nagengast,
assistant deputy director for information systems security at NSA.

"Vendors and users have to treat information assurance as a
fundamental precept of doing business," he said. "It has to become
part of the business case."
