Information Security News mailing list archives

'We're Making Rapid Progress'


From: InfoSec News <isn () c4i org>
Date: Thu, 5 Feb 2004 05:05:04 -0600 (CST)

http://www.washingtonpost.com/wp-dyn/articles/A12893-2004Feb4.html

By Jennifer Barrett
Newsweek
February 4, 2004

The Department of Homeland Security didn't have to wait long to test 
out its new National Cyber Alert System. Hours after the system went 
online Wednesday, it issued its first major alert, warning of a 
variation of a new virus called MyDoom. Nonetheless, by the next day, 
security experts said MyDoom had become the world's fastest-spreading 
virus ever, sending out more than 100 million infected e-mails in its 
first 36 hours. And this may be just the beginning. Last year brought 
a record number of viruses, worms and other cyberattacks. Security 
experts say 2004 could be even worse. The attacks are increasingly 
sophisticated. They don't just cause headaches when they crash e-mail 
systems or shut down servers, they cost millions of dollars. Should 
hackers shut down government servers or break into sensitive sites and 
steal financial or security data, the results could be devastating. 

Recognizing the increasing security threat, President George W. Bush 
handed the task of keeping cyberspace secure to the Department of 
Homeland Security last year, creating a National Cyber Security 
Division. But it got off to a rough start. Earlier this month, 
Democrats on the House Homeland Security Select Committee criticized 
the administration, saying the implementation of recommendations in 
Bush's National Strategy to Secure Cyberspace is behind schedule. They 
also noted that the administration's top cybersecurity position was 
open for months last summer after the first two appointees stepped 
down--the second, just a few months after being named to the post. 
Finally, early last fall, Amit Yoran was hired away from his executive 
position at the security firm, Symantec. NEWSWEEK's Jennifer Barrett 
spoke to Yoran about the new National Cyber Alert System and the 
division's other plans for improving cyber security. Excerpts: 


NEWSWEEK: How does the new National Cyber Alert System benefit the 
average computer user?

Amit Yoran: It provides each user of cyberspace--basically, everyone 
on the Internet--with timely information [about viruses], which is 
accurate and actionable, so they know what they can do to protect 
themselves. [See www.us-cert.gov/press_room/cas-announced.html.] This, 
at a time when these threats are on the rise. 


This week's MyDoom virus is said to be the fastest-spreading e-mail 
virus ever. How are viruses like this getting through?

Well, just because it's the fastest spreading doesn't mean that it is 
the most damaging. 


That's true, and an important distinction. But how are these viruses 
getting worse--or more prolific--despite our efforts to stop them?

The people who spend time creating viruses are spending a lot of time 
exercising their creativeness to find new ways of propagating their 
way through the system and making them more difficult to detect. It's 
a game of cat and mouse. 


How serious a threat do these viruses pose?

This threat was one of the most efficient at spreading itself 
throughout the Internet. But I want to add that, in spite of it being 
one of the most sophisticated viruses, our nation is better prepared 
to deal with this now than we were a few years ago. A few years ago, 
we experienced significant outages in our businesses from Love Letter 
and Melissa and other viruses. Today, even with a more sophisticated 
threat, the reports of outages [like networks going down, e-mail 
servers being shut down] are far below where they were a few years ago 
with those less-sophisticated viruses. The message here is that we 
have a lot of work to do but our overall preparedness is improving. 


It's been reported that the government basically warned leaders in the 
technology field last month that if they don't start taking control of 
the responsibility of making cyberspace secure, that the government 
will be forced to take control. Do you think that's going to happen?

Clearly, that's not my position. That was reported as being the 
message delivered at the National Cyber Security Summit [held last 
month with the private sector]. It's not an accurate depiction. The 
summit represented a transition from an agreement on a national 
strategy--on how we want to go about protecting our shared 
information, for example--to now [when] we are in the implementation 
mode. Now, it's what initiatives are underway so that this strategy 
moves forward and gets implemented? That was really the focus of the 
summit. I think there is a tremendous amount of enthusiasm to 
collaborate from the private and the public sectors. 


What role do you envision the private sector playing in improving 
security?

If you go to the Website for US-CERT [the United States Computer 
Emergency Readiness Team, established in September as a government 
partnership with the private sector], we've issued an alert early last 
evening [about MyDoom] and much of the information came from 
private-sector companies like F-Secure and iDEFENSE. That is just one 
example of this public-private partnership. We are working with the 
software vendors to make sure they are producing patches and fixes 
before the vulnerability becomes public. Making people aware of a 
vulnerability is not our goal, but to provide information that is 
actionable so there are patches available. We're not producing our own 
antivirus software. We're quite busy, thank you. But we refer people 
to their security provider and to antivirus vendors. 


What about proposals like requiring Internet service providers [ISPs] 
to provide free antivirus and firewall software to their customers?

I've not spoken with them [ISPs] about that. I do think there are some 
value-added services which some ISPs are providing. It's good that 
these issues are receiving public attention. 


Why do you think it took so long for cyberattacks to be classified as 
a serious threat to homeland security?

I think in many cases, without having a focal event like a September 
11, or like the blackout in the Northeast and Midwest last 
summer--some highly visible, focal event that caused a direct impact 
to many people in the public--it's often difficult to increase 
awareness. But we have made significant progress in the past few 
years. I'm not implying that the road ahead is rosy. But I am 
optimistic that by increasing our preparedness, we increase the 
likelihood that we will not be struck by a digital Pearl Harbor or an 
electronic 9/11. The key is preparedness. The key is making 
improvements. 


Can you give some examples of those improvements?

It has to be a holistic approach. Antivirus vendors have made 
fantastic progress with new logarithms to identify viruses and more 
efficient ways of pushing out updates of their signature files (many 
antivirus technologies rely on fingerprints, or signatures, of 
viruses, so they can identify if it's the same fingerprint of another 
virus). Candidly, you are only protected for the threats your 
antivirus program knows about, so if your signature file is two years 
[old] you are in bad shape. The antivirus community has gotten much 
more efficient, though, and users have gotten much more aware, and 
corporations have gotten much more aware of the importance of updating 
their software. That is one more important piece of the puzzle. But 
there are really a number of things. 


You took the position of cybersecurity division chief in October after 
two other appointees had stepped down, and left the post vacant for a 
few months. Are you enjoying the job?

There's no shortage of work to be done. But the task is an important 
one, and I'm encouraged by the level of commitment in the public 
sector and in the private sector that are working on these issues. It 
is certainly a challenging job. 


Earlier this month, Democrats on the Homeland Security Select 
Committee criticized the administration's cybersecurity efforts, 
saying that implementation of the recommendations in the National 
Strategy to Secure Cyberspace (released last February) is behind 
schedule, among other things. How would you respond to that?

We're measuring ourselves in the National Cyber Security Division on 
very tight time frames. I'm not going to address specific criticisms, 
but I can tell you that we are moving very aggressively. The 
Department of Homeland Security was created in March. The National 
Cyber Security Division was created in June. In September, the US-CERT 
was created. We have conducted the live-wire exercise. 


What was that?

That's where not only federal, but state and local entities 
participated, as well as the private sector, in a large-scale national 
cyberexercise where our nation was under simulated attack using 
cybertechniques. And we looked at how those attacks impacted some of 
our systems and some of our infrastructure. How did they 
[participants] react? How did the departments work with one another? 
How did they coordinate? 


How did they do?

It was apparent that we need to increase the level of information 
exchange between the public and private sector. But, overall, I was 
very favorably surprised at how well coordinated we are. I'd give it a 
B-plus. That's not bad, given our state of development. There is a lot 
of work underway. I am confident that we're making rapid progress. 


What do you see as the biggest challenges ahead?

Well, there's no shortage of challenges in our division, but we'll 
stay very focused on implementation and execution and collaborating 
with the private sector. 


Can you give some specific examples?

We want to be sure that we bring our national resources to the table 
and make sure we are able to provide the actionable information from 
whatever source--it could be law-enforcement based, intelligence 
based, it can come out of the private sector. We want to bring the 
information in an actionable way to the operators responsible for 
protecting the public interest. By that, I mean that 85 percent of the 
critical infrastructure owners and operators are in the private sector. 


So the government would be willing to provide the private sector with 
sensitive data gathered by intelligence agencies?

This is a new paradigm for the government to operate under. It had 
been focused on getting highly classified information just to the 
folks who needed it. But there's been a paradigm shift, and the 
warfighters now are more frequently on the private-sector side. The 
government is learning now how to do that [share information]--it's a 
front-and-center focal point. 


By the end of 2004, do you think we'll see a decrease in virus attacks 
like MyDoom?

I think it's unlikely to expect that there will be fewer viruses 
written. Every indication we have is that it will only continue to 
rise and become more efficient in how they propagate themselves. But I 
think we will continue to improve our preparedness to deal with them. 


 

-
ISN is currently hosted by Attrition.org
