Information Security News mailing list archives

The Minister of Net Defense


From: InfoSec News <isn () c4i org>
Date: Thu, 10 Apr 2003 02:25:33 -0500 (CDT)

http://www.wired.com/wired/archive/11.05/schmidt.html

By Douglas McGray
Issue 11.05 - May 2003  

WIRED: If there's a big cyberattack, is it likely to be by accident or 
by design? A hacker's project gone awry or a coordinated terrorist 
attack? 

SCHMIDT: The big one is likely to be very, very focused and very 
designed. We have this debate internally on a regular basis. 


WIRED: Who is the most likely perpetrator? 

SCHMIDT: Our perspective is, it doesn't make any difference whether 
it's from a source in the Mideast or from one in the Midwest.


WIRED: Your predecessor, Richard Clarke, used to talk about the 
likelihood of a digital Pearl Harbor. Others have dismissed 
cyberattacks as weapons of mass annoyance. That's a pretty wide 
spectrum. 

SCHMIDT: I use the term weapons of mass disruption. Is it possible 
that we could have a catastrophic failure on a regional basis? 
Absolutely. Could we see that on a universal basis? That likelihood 
has been reduced significantly. 


WIRED: What worries you, then?

SCHMIDT: An unknown vulnerability in a system that someone chooses to 
exploit in conjunction with some sort of a physical attack.


WIRED: Wouldn't it be difficult to coordinate a cyberattack with a 
physical attack like a bombing?

SCHMIDT: If you have something that can proliferate quickly, like the 
Slammer, it would be relatively easy to orchestrate. 


WIRED: Most of the big hacks have affected data, rather than control 
systems. Why is it easier to fry bank records than to knock out the 
power grid?

SCHMIDT: The technology that runs the banking system and the Internet 
is very public. A lot of it has come from a foundation of open 
standards, so we understand it much better, whereas digital control 
systems run in a proprietary manner. You need specific knowledge about 
what it does and how it does it. There has been a shift - 
appropriately so, for cost efficiencies and everything else - to 
enabling some of those open technologies in control systems, but we 
need to protect against those things becoming a failure point.


WIRED: Walk me through the first moments of a big cyberattack. The 
Slammer worm, for instance.

SCHMIDT: The private sector sees what's going on long before the 
government catches on. Generally, they'll see a spike in activity at 
some of the main Internet monitoring points. Nanog [North American 
Network Operators Group] was one of the first groups to post on an 
email list that they saw something strange.


WIRED: Would ISPs investigate?

SCHMIDT: They're the ones monitoring the health of their networks. 
They figure, jeez, this isn't something where someone has 
inadvertently turned off the DNS. This is something malicious, and 
it's moving at an alarming rate.


WIRED: Then what?

SCHMIDT: The next step is to identify how the maliciousness is 
manifesting itself. Is it a worm? Something that somebody sent out via 
email? Within the first hour or so, there's analysis of the code. Then 
some of the downstream providers are notified, and the government is 
brought online. 


WIRED: Who in Washington gets the call?

SCHMIDT: Right now, it's not as clean as we'd like. In the future, one 
of the first calls will go to the Department of Homeland Security. 
[Now] the person on my staff who monitors Nanog gets the call. 
Simultaneously, the National Communications System is notified and, of 
course, the FBI's National Infrastructure Protection Center. 


WIRED: Clarke wrote in a memo that the fast-moving Slammer was a dumb 
worm that was easily and cheaply made. And that, with slight 
modifications, the results of the worm would have been more 
significant.

SCHMIDT: It had no payload. This was strictly a denial-of-service 
activity in which it was looking for the port and using the worm to 
propagate a subnetwork connection. The effect of that was some 
restriction in the use of ATM machines and databases that provide 
airline reservations. And in one case, a voice-over-IP system for a 
911 dispatcher was affected.


WIRED: What could a loaded Slammer have done?

SCHMIDT: One payload could have injected other code, which would have 
opened system backdoors under the context of administrator root 
privileges. Hundreds of thousands of systems could have been taken 
over.


WIRED: Critics have said that your strategy relies too much on the 
goodwill of big business, that without new regulations, it has no 
teeth.

SCHMIDT: What would you legislate? From this moment forward, you will 
not have more than 10 vulnerabilities during a year? And then what 
happens? Do we fine you? We have to be very practical when we look at 
this.


WIRED: Are there ways besides regulation that the government can 
enforce its priorities? 

SCHMIDT: The power of the government's purchasing dollar. The Office 
of Management and Budget now asks, You want to spend money on an IT 
project? Give me your security plan, or you don't get the money. 


WIRED: How tough will the government really be? Five years from now, 
if Microsoft still has the vulnerabilities it does today, will you cut 
it off?

SCHMIDT: I wouldn't say any particular company...


WIRED: But Microsoft is a good example, because the government is its 
biggest client.

SCHMIDT: If you're not going to provide good security, and you're not 
going to provide good quality control in engineering in the products 
you provide us, we're not going to buy it.


Douglas McGray interviewed Andrew Marshall in Wired 11.02

 

-
ISN is currently hosted by Attrition.org
