NIPC Daily Report
8 April 2002

The NIPC Watch and Warning Unit compiles this report to inform recipients of issues impacting the integrity and capability of the nation's critical infrastructures.

Hacking up, disclosure down, FBI survey says. An FBI survey of 503 US corporations, government agencies, financial and medical institutions and universities reveals that only 34% of detected computer security breaches were reported to authorities. Many respondents cited fear of bad publicity as their reason for not reporting. The government is using partnership groups, such as the FBI's InfraGard program in each field office, to persuade companies to report attacks directly to FBI agents without public disclosure. Overall, there were more computer crimes than in last year's survey, but fewer victims reported crimes to police than in 2001, reversing a trend from earlier surveys. (Nandotimes, 7 Apr)

Nuclear fuel rods misplaced. Despite losing two nuclear fuel rods from its closed Millstone 1 nuclear plant, Millstone Power Station operators are ready to safely store more nuclear waste at its Millstone 3 unit, company attorneys and federal regulators said at a hearing on 2 April. At issue is whether Dominion Nuclear Connecticut, owner and operator of the Millstone station in Waterford, should be given a license amendment to increase by 2 1/2 times the amount of spent nuclear fuel it can place in the Millstone 3 storage pool. The licensing board agreed to reopen the proceedings to hear arguments as to whether the mistakes at Millstone 1 mean station operators are not prepared to handle more spent fuel at Millstone 3. (The Day, 3 Apr)

CT declares drought advisory. Connecticut officials issued a statewide drought advisory, asking residents and state agencies to voluntarily conserve water. A similar water shortage is affecting many areas in the US and Canada. Last week, New York City Mayor Michael Bloomberg declared a drought emergency - the first in the city since 1989 - and ordered mandatory restrictions on water use by businesses and residents. (Water Tech Online, 4 Apr)

Cities seeking 311 phone systems after attacks.
The Federal Communications Commission set aside 311 as a phone number for non-emergency needs in 1997. Since 11 September, cities that have been flooded with calls about anthrax and terrorism have sought to implement 311 as a crisis backup for 911. (Scripps Howard News Service, 3 Apr)

AG John Ashcroft names Vance Hitch as DOJ CIO. One of Mr. Hitch's responsibilities will be to oversee major systems upgrades at the Immigration and Naturalization Service, where clashing databases have contributed to problems controlling the nation's borders. Ashcroft called for development of an IT strategy when he reorganized the department for wartime operations last November; Hitch is to oversee development of that plan. (Government Computing News, 26 Mar)

Expanded police powers. The Justice Department has drafted a legal opinion that would give state and local police agencies the power to enforce immigration laws, potentially broadening an activity long handled by federal agents. The draft opinion, by Justice's Office of Legal Counsel, says states and municipalities have the "inherent authority" to enforce immigration laws. Except for small pilot programs in Florida and South Carolina, state and local police departments generally have steered clear of immigration issues. They sometimes help Immigration and Naturalization Service agents with security or transportation during INS raids, but they do not make arrests on civil immigration violations. (Washington Post, 4 Apr)

Senator proposes bioterrorism legislation. Senator Max Cleland proposes to bolster the clout and funding of the Center for Disease Control and Prevention as the CDC prepares against the possibility of a bioterrorism attack. Cleland's proposed center would put the CDC in charge of training response teams, developing local contingency plans, implementing disease-surveillance systems and tracking dangerous biological agents and toxins.
(Associated Press, 4 Apr)

Signs of 'trustworthy computing'. NEC Computing International has announced a trial program in which Packard Bell PCs will be equipped with keyboards that include secure smart-card readers. The keyboards are designed to hold credit card numbers, PINs and other personal information in encrypted form, without leaking them into the PC where they could be stolen. But developers of secure systems say the plan will go nowhere without new hardware that addresses fundamental security problems in the PC's aging architecture. Security experts agree that the basic design of the PC is flawed: It allows data to travel around inside unencrypted, which means information can be stolen or faked by a program installed on the desktop. (Wired News, 4 Apr)

Cellular carriers, DOD debate spectrum needs. The DOD would consider sharing its portion of the radio frequency spectrum with commercial wireless operators if those companies will assume liability for any problems that result, including the possibility of a test missile going astray because of interference. Voicestream and other cellular carriers have eyed portions of the spectrum used by the DOD for years, and have lobbied either to share bandwidth or acquire portions of it in an outright auction. An auction of the DOD spectrum would require Defense officials to move complex systems to new frequencies, which in turn would require new wireless communications systems costing hundreds of millions of dollars. Commercial carriers aren't the only ones seeking more spectrum space. Electric, gas and water utilities use their own slice of the spectrum band to dispatch repair crews, and to monitor and control cross-country power networks, gas pipelines, and water systems. (ComputerWorld, 4 Apr)

White House: Vendors must improve on security protections. Federal technology vendors must do a better job of building privacy and security protections into their software, two top-ranking White House officials said on 4 April.
Privacy and security must be key components of the "enterprise architecture" blueprints that are guiding agencies' efforts to integrate their systems, reduce paperwork, and accomplish tasks in "minutes or hours, rather than weeks or months." As that transformation occurs, federal agencies must take steps to ensure the accuracy of shared information, and prevent its misuse. (National Journal's Technology Daily, 4 Apr)

Sept. 11's impact on data security is limited. Despite the focus on corporate data security after September 11, big companies haven't significantly changed their thinking about their approach to data security. "If you're a hacker who's looking to become famous, you're not going to go after a site no one has ever heard of," said In-Stat/MDR analyst Jaclynn Bumback. The events of 11 September have frequently been cited as a motivator that pushed companies to re-evaluate and even bolster their security infrastructures. Yet the In-Stat/MDR data suggest that companies haven't significantly changed their perspective, or their spending, when it comes to security. (Internet Week, 4 Apr)

New report says Dept of Transportation should develop security plan before installing explosive detection machines. The National Research Council said Friday that the Transportation Department is moving too slowly in developing a comprehensive plan to provide layers of security at airports. Consequently, bomb-detection machines are being installed at airports even though it is uncertain how they will fit into the overall security plan. The advisory board's report was issued as the new Transportation Security Administration tries to meet a year-end congressional deadline for installing enough explosive detection machines to inspect all checked baggage. The report said the Transportation Department needs to develop an overall security plan, from deciding which passengers should undergo extra scrutiny to which bags should get additional checks.
(DigitalMass, 5 Mar)

IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk