United States Facing Cyber Security Crisis, Experts Tell Capitol Hill
Briefing, As IEEE-USA Prepares New Position Statement
http://www.todaysengineer.org/2005/Aug/cybersecurity.asp

by Barton Reppert

The nation's information technology (IT) infrastructure is "highly
vulnerable to terrorist and criminal attacks," and a White House-appointed
expert panel has concluded that "the federal government needs to
fundamentally improve its approach to cyber security," according to a senior
member of the President's Information Technology Advisory Committee (PITAC).

F. Thomson (Tom) Leighton, chair of PITAC's Subcommittee on Cyber Security,
told a Capitol Hill briefing on 26 July that the panel believes "federal
support for fundamental research in civilian cyber security must be
dramatically increased - or the nation's security and technological edge
will be seriously jeopardized." He declared that cyber security research and
development (R&D) in the United States "is currently suffering from a crisis
in prioritization."

Sponsored by IEEE-USA and the IEEE Computer Society Task Force on
Information Assurance (TFIA), in conjunction with the bipartisan House
Research and Development Caucus, the Forum on Cyber Security was held as
IEEE-USA moves ahead with developing a new policy statement on cyber
security issues.

Following the briefing, which was particularly intended to help raise the
awareness of congressional staff members, Clifford Lau, chair of IEEE-USA's
Research and Development Policy Committee, told IEEE-USA Today's Engineer,
"The country's problem with cyber security is very serious, and it is going
to get worse in the next five years before it gets any better. I would say
the situation not only is alarming, but it is almost out of control."

Lau, a research staff member with the Information Technology and Systems
Division, Institute for Defense Analyses, Alexandria, Va., said on 27 July
that his committee is coordinating with IEEE-USA's Committee on
Communications and Information Policy to prepare the new IEEE-USA position
statement on cyber security.

The 26 July session on cyber security - held at the Rayburn House Office
Building and attended by about 25 congressional staff members, along with
private sector computer experts, technology journalists and IEEE-USA
officers and staffers - included opening remarks by Rep. Judy Biggert
(R-Ill.), co-chair of the House R&D Caucus and chair of the House Science
Committee's energy subcommittee.

Biggert told the gathering that following the shock of 9/11 almost four
years ago, "suddenly the likelihood increased significantly that cyber space
could be used to launch an attack against the nation that created it and
pioneered its use. And the scale and magnitude of the chaos and havoc that
could be wreaked by cyber warfare or a cyber terrorist attack suddenly
became almost immeasurable."

Within six months of the September 2001 attacks, she noted, the House
Science Committee reported out a bill that subsequently was enacted by
Congress as the Cyber Security Research and Development Act of 2002. The
five-year, $902.85 million measure was designed to help address the nation's
vulnerability to cyber attacks, in part by creating new research and
education programs at the National Science Foundation (NSF) and the National
Institute of Standards and Technology (NIST).

Also, Congress last year approved intelligence reform legislation
establishing a new position of assistant secretary for cyber security at the
Department of Homeland Security.

Despite these steps, however, Leighton emphasized the continuing seriousness
and immediacy of threats to America's IT infrastructure. His remarks at the
Capitol Hill briefing included a summary of key findings presented by PITAC
in a February 2005 report to President George W. Bush, entitled Cyber
Security: A Crisis of Prioritization.

PITAC itself, a 24-member panel co-chaired by Marc R. Benioff, chairman and
CEO of Salesforce.com Inc.; and Edward D. Lazowska, Bill & Melinda Gates
Professor and chair of the Department of Computer Science and Engineering at
the University of Washington, officially ceased functioning when the
executive order which had chartered the presidential committee expired on 30
June.

Leighton, chief scientist at Akamai Technologies, Cambridge, Mass., and
professor of applied mathematics at MIT, observed that "computing and data
communications are integral to nearly every activity today in the United
States. But the nation's IT infrastructure is highly vulnerable to terrorist
and criminal attacks."

"The problems of vulnerable software and easy access from afar are
compounded by the lack of security in basic network protocols," he told the
briefing. "Hostile activities, such as DDoS [distributed denial of service]
attacks, cyber extortion and identity theft on a massive scale have become
immensely damaging to personal and economic interests."

Among facts and figures cited by Leighton were:

    * More than 10 percent of PCs across the United States were infected by
viruses each month in 2003

    * 92 percent of organizations reported "virus disasters" in 2003

    * The Computer Emergency Response Team Coordination Center (CERT/CC)
published 3,780 new electronic vulnerabilities in 2004

    * "Phishing" attacks victimized at least one percent of U.S. households
and cost about $400 million in the first half of 2004

According to Leighton, "endless patching is not the answer - it doesn't
solve the underlying, fundamental problem of security. We need fundamentally
new security models and methods."

The private sector, he noted, has an important role in securing this
country's IT infrastructure by deploying sound security products and
adopting good security practices. "But the federal government also has a key
role to play by supporting the discovery and development of cyber security
technologies that underpin these products and services," Leighton said. In
this regard, he told the 26 July briefing, "PITAC finds that the federal
government needs to fundamentally improve its approach to cyber security to
fulfill its responsibilities."

Expressing strong concern over current "underinvestment" in civilian cyber
security R&D, Leighton said that in recent years federal government efforts
in this area have involved "a pronounced shift favoring classified military
R&D, rendering it unavailable to the civilian sector," and at the same time
"an equally pronounced shift in all sectors favoring short-term research
over long-term fundamental research."

The February report by PITAC recommended increasing the NSF budget for
fundamental research in civilian cyber security by $90 million annually.
That would amount to a four-fold increase for the NSF's Cyber Trust program,
which in fiscal year 2004 made 32 research awards totaling $31 million. The
presidential panel also urged substantial increases for civilian cyber
security R&D funding through the Department of Homeland Security and the
Defense Advanced Research Projects Agency (DARPA).

Other recommendations by PITAC included intensifying efforts to promote
recruitment and retention of cyber security researchers and students at
universities, with the goal of doubling their numbers in the next decade,
and strengthening government-private sector technology transfer activities
involving cyber security.

A fourth PITAC recommendation - the only one so far officially accepted by
the Bush administration - called for making the Interagency Working Group on
Critical Information Infrastructure Protection (CIIP), which is part of the
National Science and Technology Council (NSTC), the focal point for federal
cyber security R&D efforts. PITAC said this working group should be
strengthened and integrated under the Networking and Information Technology
Research and Development (NITRD) program.

Also speaking at the 26 July Capitol Hill briefing was Professor Eugene H.
Spafford, a PITAC member who has served on the cyber security subcommittee.
Spafford is executive director of the Center for Education and Research in
Information Assurance and Security (CERIAS) at Purdue University, West
Lafayette, Ind.

Summarizing the overall current situation with cyber security, Spafford
declared: "It's really awful." He predicted that "it's going to take a very
large and significant failure" of critical computer systems across the
country to galvanize public support for significantly bolstered security
measures.

Spafford noted that more than 100,000 known viruses and worms exist, with
about 200 new ones being reported per week. "Large-scale attacks" on various
organizations are doubling per year, spam comprises up to 85 percent of
e-mail in some places, and major end-users (including the U.S. Army) are
throwing out infected systems rather than trying to fix them, he said.

The Purdue cyber security expert forecast that in the near future there will
be a "growing threat from organized crime," more incidents of identity
theft, loss of public confidence, "national-level incidents," and a "major
drain on the economy." To help deal with these challenges, Spafford said,
the country needs "out-of-the-box" thinking on cyber security and stepped-up
resources going to "risky but often high-payoff" research.

After the briefing, Lau commented that he believes the problems discussed at
the session amounted to "only scratching the surface." He indicated that he
is particularly concerned over "our national defense and homeland security
computer systems, which are presumably more secure, but which are highly
dependent on the civil computer network infrastructures."

"Some effective action can be taken within the next five years, but it is a
'cat and mouse' game - or measure and countermeasure and
counter-countermeasure," said Lau. "As soon as an effective measure is
developed, another virus or spyware will be developed by the perpetrators.
There is no end to it."

Lau observed that the Internet has evolved over the past decade with
open-system architecture. "There is no way to go back and redesign the
Internet for it to be completely secured," he said. "There is a tradeoff and
balance between privacy and censorship. Sure, the government can step in and
censor everything like the Chinese government is doing with the Internet,
but that is not the American way."

Lau contended that it is "critically important" for the federal government
to provide adequate funding for cyber security R&D.

"I believe that if there is enough support from the public to demand secured
network services, the federal government and Congress will act to provide
sufficient cyber security R&D funding - but not until there is a public
outcry for action. On the other hand, the private sector and industry must
do their part to ensure that the public has the most secured network
services, through secured browsers and encrypted communications and
authentication."

In another development in late July, the Cyber Security Industry Alliance
(CSIA) - an advocacy group based in Arlington, Va., comprised of security
software, hardware and service vendors - issued a white paper asserting that
"the crisis in leadership in cyber security R&D will hold long-term
implications for the United States if it is not arrested soon."

The CSIA paper noted that in June, "PITAC was dissolved for reasons which
remain unclear. The recent lapse of PITAC is yet another blow to the R&D
community. The loss of this independent committee's expertise and advice
reduces the priority level of cyber security R&D, and it will continue to
dissipate without an advisory body or another leader to oversee R&D."

Looking ahead, the industry group said, "increasing cyber security R&D
funding will foster a more secure, stable global information infrastructure,
create a larger pool of experts in information assurance, and enable the
full potential of the Internet."

Read the PITAC report online at:
www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf.
