Cybersecurity NOW!

America is vulnerable to crippling cyberattacks. Government has a national plan for protection but here's what you can do right now.
By Richard Clarke

IN JANUARY, someone wrote a little piece of computer code. It was a simple enough task. The hacker exploited a flaw in Microsoft's SQL Server software that the company had warned about months before and for which it had provided a fix. Then the hacker added a few lines of code that sent the little program searching the Internet for systems that had not applied the fix. When the program found such an unpatched system, it used the flaw to enter the vulnerable computer and turn it into a launch point for attacks on any other computer it could find. (The program came to be known as the SQL Slammer worm.)

Then the hacker hit "send."

Fifteen minutes later, over 300,000 computers were crashing. Bank ATMs went off line. Routers flapped and were unable to forward Internet traffic. 911 call systems were hit. An airline cancelled flights. Some companies, unable to work, sent employees home. Untold millions of dollars were spent cleaning up the aftermath.
That was all the work of one hacker, exploiting a vulnerability in one company's server software that had been known for months and that most systems administrators had fixed. But because of the high degree of interconnectedness and interdependency in cyberspace, systems other than the vulnerable servers crashed, companies that had applied the fix were hit anyway by the flood of scanning traffic, and companies not even running the software were damaged.

That attack was not hard to write. And it was just one of many such attacks that have been launched in the last few years.

National strategy to secure cyberspace
The White House, February 2003

Five national priorities:

A national cyberspace security response system
The Department of Homeland Security is to create a single point of contact for government to interact with industry and other partners in order to analyze and respond to threats and incidents, provide warnings, share information, and recover after attacks.

A national cyberspace security threat and vulnerability reduction program
The Department of Justice and other agencies are to take measures to reduce cyber attacks and threats. They are to identify ways to improve information sharing and investigative coordination in the federal, state and local law enforcement communities; facilitate investigations; and develop a better understanding of the victims and nature of cybercrime.

A national cyberspace security awareness and training program
The Department of Homeland Security and other agencies will mount a comprehensive awareness campaign. DHS, in coordination with the Department of Education, will support cybersecurity programs including those at the primary and secondary school levels.

Securing governments' cyberspace
Federal agencies will continue expanding the use of cybersecurity tools to deter attacks. The federal government will determine what actions are necessary to promote greater use of these tools.

National security and international cyberspace security cooperation
The Federal Bureau of Investigation and the intelligence community should strengthen U.S. defenses against cyber-based intelligence collection aimed at government, commercial and educational organizations, and against cyber threats to national security.

Each priority has detailed programmatic objectives, outlined in the document, which can be obtained at www.whitehouse.gov/pcipb

The vulnerability that was exploited was just one of the 2,800 publicly disclosed flaws in various types of software.

They are just the tip of the iceberg.

THE THREAT
For many, the cyber threat is hard to understand. They think that attacks like the one last January are unfortunate but a cost of doing business, a minor nuisance in a multi-trillion-dollar economy. No one was killed, after all, and there was no smoking ruin for cameras to photograph.

Such thinking is dangerous. Implicit in such reasoning is the unarticulated notion that the only cyberattacks that can happen in the future are similar to those that happened in the past. Implicit is the 20th century notion that if it's not a smoldering heap with a body count, there has been no real damage.

That is the kind of thinking that prior to September 11th, said that the only kind of hijacking the United States would ever face would be on flights to Havana. It's the kind of thinking that said we never had a major foreign terrorist attack in the United States, so we never would; that Al Qaeda had just been a nuisance, so it never would be more than that.

The threat is really very easy to understand. If there are major vulnerabilities in the digital networks that make our country run, then someday, somebody will exploit them in a major way, doing great damage to the economy in the process. What could happen?

Transportation systems could grind to a halt. Electric power and natural gas systems could malfunction. Manufacturing could freeze. 911 emergency call centers could jam. Stock, bond, futures, and banking transactions could be jumbled. If that major attack comes at a time when we are at war, it could put our forces at great risk by disrupting their logistics systems.

Meanwhile, short of the Big Attack, there is damage being done every day. The threat ranges from minor cybervandalism to theft of intellectual property and personal identity, runs the gamut of extortion, industrial espionage and international spying, and extends to stoppages of sales or production. The culprits comprise a wide range of usual and not-so-usual suspects: cyber joy riders, thieves, organized criminals, corporate spies, terrorist groups, and even nation states.

Several nation states, including our own, have formed intelligence and military units for the express purpose of exploiting cyber vulnerabilities for information collection and to damage enemies' infrastructure in future wars.

CYBER RESPONDERS
Who is convinced that the threat is real and important to our national economy and national security? In 1997 a Presidential Commission of distinguished government, industry and academic leaders concluded that the threat was urgent. A National Academy of Sciences panel reached the same conclusion. A Presidential Decision Directive and National Plan followed. In the subsequent Bush administration, the President signed an Executive Order for a National Strategy on cybersecurity. President Bush requested an increase of 64 percent in cybersecurity spending to defend federal departments' systems in his first budget. Congress approved it and added a touch of its own, the Cybersecurity Research Act. The House of Representatives recently formed a cybersecurity subcommittee.

In the private sector, while overall spending is down, IT security spending is up. Companies are buying software and hardware as fast as possible to find and fix their vulnerabilities. Segments of the private sector have united to share information about cybersecurity and to develop best practices to prevent and recover from cyber attacks.

As the last two presidents have understood, the solution to the crisis lies in an activist federal government working in voluntary cooperation with the private sector, state and local governments, and research institutions to identify cyber vulnerabilities, fix them and at the same time, prepare plans to rapidly recover from cyber attacks.

The National Strategy to Secure Cyberspace, which was developed with widespread public participation, outlines five major priorities and specific programs.

The issue is complex, and the long-term solution lies in developing more reliable computer code and systems that automatically detect and repair unauthorized activities.
The National Strategy gives much of the lead on implementation to the Department of Homeland Security, but the Department has yet to appoint a senior official with full-time cybersecurity responsibilities. Secretary Ridge's aides shelved plans for a National Cybersecurity Center in the Department. Indeed, there is a lack of nationally known experts in this field within the Department's ranks. The leaders of the National Infrastructure Protection Center and the Critical Infrastructure Assurance Office both exited government just before they would have been transferred to the new Department.

One has to look very far down on the organization chart to find an office that handles cybersecurity full time. The Department's strategy says "cyber must be integrated with physical" but it lacks a recognized expert as a spokesman for the issue, has no senior official working the issue full time, and no identifiable cybersecurity organization.

Richard Clarke's top cyber security websites

National Strategy

www.whitehouse.gov/pcipb

Current threat information, awareness and training

www.sans.org

New cyber vulnerabilities data

www.cert.org

Threat and awareness information

www.nipc.gov

Awareness and training, including for children

www.staysafeonline.info

Consumer tips on cybersecurity

www.ftc.gov/bcp/conline/edcams/infosecurity/

Industry-specific information

www.pcis.org


While the federal government tries to figure out what to do with its own organization, many in the private sector and state, local and municipal governments say they cannot wait for Washington. The danger is real and immediate. They want to know what they can do to protect their systems.

WHAT YOU CAN DO NOW


In the short term, there are some things that the home user, the company, or the government department can do to enhance security. Here are my top ten steps that you can implement, some at home and some in your company or agency:

  1. Don't become a zombie: If you have a home cable modem or DSL connection, install a firewall. There are several commercially available, at computer and electronics stores or over the internet. Just download or slip in the CD and answer a few prompts. Without a firewall, someone will get into your computer within a few days of your connecting. Once in, hackers can use your computer and hundreds like it (called zombies) to attack others without you even knowing it. They can also steal any identity information on your hard drive.
  2. Update your software every week: From home users to company and agency networks, everyone needs to do regular software updates. The anti-virus software that came with your computer was out of date the day you bought it. You need to connect to an anti-virus company online and buy a program that automatically keeps your anti-virus signatures up to date. Your operating system (probably Windows or Mac) and your Internet browser (probably Netscape or Internet Explorer) also need to be updated very frequently. Connect to the company that made them and get the updates. Sign up for automatic updates if they are offered.
  3. Outsource IT security: Don't kid yourself that your in-house IT department can watch your enterprise firewalls and intrusion detection devices 24 x 7. Do not assume that your staff can tell the wheat from the chaff as those systems alarm. Outsource the monitoring of IT security devices. Don't stop with outsourcing the firewall and intrusion detection system; sign up with a company that will automatically scan your enterprise both from the outside and from within your network to look for a) one of those 2,800 known vulnerabilities that you have not fixed somewhere and b) violations of your company's or agency's IT security policy. You do have an IT security policy, don't you?
  4. Do not connect unclean machines to your network: Everyone wants to go wireless, or Wi-Fi, using laptops in "hot spots" from coffee shops to airports, or to surf the Net from a hotel on the road. When a laptop is used that way, it is much easier for an attacker to get into it and leave a little present: a program that phones home later, once the laptop is connected inside your network and behind all of those expensive security systems. Unless you know that an employee's laptop is clean, do not allow it to connect to your network, whether through a virtual private network (VPN) or by just plugging it in when it comes back to the office.
  5. Scan for Wi-Fi: Increasingly employees are buying Wi-Fi access points and bringing them to work so that they can use their laptops anywhere in the office complex. When they do that, anyone in the parking lot with a laptop can join your network. The same thing can happen when you consciously install Wi-Fi and don't configure it with the latest in encryption and authentication. Early Wi-Fi systems used an encryption scheme (WEP) that could be easily broken. Who is that guy with the laptop in your parking lot?
  6. Buy IT security insurance: If you're in the private sector, buy IT security insurance to limit your liability and transfer some of the risk. Insurance companies will make you clean up your act before they sell it to you, but you probably should do that anyway. While you're at it, check your business continuity insurance policy and business continuity plans to see if they're realistic. When was the last time you had a business continuity exercise or test?
  7. Check your service provider: Your enterprise might be fairly secure, but what if someone deluges your network from outside with millions of messages a minute? Known as a "denial of service attack," that can effectively put you out of business. Make sure your upstream provider really has installed systems to protect you from such attacks.
  8. Authenticate and encrypt: When someone sits down at or connects to your network, they should need to do more than just type in a complex password (even at home you need to use a password that is 9 characters or more and mixes upper- and lower-case letters, numbers, and symbols). In a company or agency, you should use an authentication system that requires the user to have additional proof of identity such as a smart card. Your network should automatically encrypt internal e-mails (and e-mails to trusted partners in other companies) and stored files so that only authenticated users can read them. This helps ensure that even if someone does break in to your network, what they take is unreadable.
  9. Awareness: Make sure everyone with access to your network is regularly taught how important IT security is. Don't just have boring lectures and employee handbooks. Use posters, computer training games, contests, etc. Let your employees know that from time to time they may be tested by someone asking them for their password, or someone coming in to their desk while they're at lunch to use their computer, or someone giving them a disk to download, etc.
  10. Governance: If you're serious about IT security, don't give the job to the chief information officer (CIO) or to anyone reporting to him or her. The IT security officer needs to report directly to both the chief operating officer (COO) and to the internal auditor or inspector general. Corporate boards also need an IT security committee. Each institution needs to find or help develop "best practices" and to participate in information sharing systems appropriate for their sector.
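Step 5 above tells you to scan for Wi-Fi but not what to do with the scan. The following is an added example, not code from the article or from Good Harbor: it takes a site survey, compares every radio seen against an inventory of the access points IT actually installed, and flags unknown radios, radios impersonating a corporate SSID, and anything running open or WEP. The tab-separated survey format, the BSSIDs, the SSIDs and the inventory are all constructed for the example; a real survey tool will export its own format, so only parse_scan() needs adapting.

```python
"""Audit a Wi-Fi site survey for rogue and weakly secured access points.

Added example (not from the article).  The survey format, BSSIDs, SSIDs
and inventory below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample survey, one network per line:
#   BSSID <tab> SSID <tab> security <tab> channel
SCAN_OUTPUT = """\
00:11:22:33:44:01\tCORP-WLAN\tWPA2-Enterprise\t6
00:11:22:33:44:02\tCORP-WLAN\tWPA2-Enterprise\t11
00:11:22:33:44:03\tCORP-GUEST\tWPA2-PSK\t1
AA:BB:CC:DD:EE:01\tlinksys\tOPEN\t6
aa:bb:cc:dd:ee:02\tCORP-WLAN\tWEP\t6
aa:bb:cc:dd:ee:03\tCoffeeShop\tWPA2-PSK\t1
"""

# Constructed inventory: the BSSIDs of the access points IT installed itself.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}

# SSIDs the organisation uses.  An unknown radio advertising one of these is a
# candidate impersonator, not just a neighbour's home router.
CORPORATE_SSIDS = {"CORP-WLAN", "CORP-GUEST"}

# OPEN means no encryption at all; WEP is the early, easily broken scheme.
WEAK_SECURITY = {"OPEN", "WEP"}


@dataclass(frozen=True)
class Network:
    bssid: str      # normalised to lower case
    ssid: str
    security: str   # family only: OPEN, WEP, WPA, WPA2, ...
    channel: int


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    reason: str


def parse_scan(text: str) -> list[Network]:
    """Parse the tab-separated survey format defined above."""
    networks: list[Network] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, security, channel = line.split("\t")
        # Keep only the security family so "WPA2-PSK" and "WPA2-Enterprise"
        # both compare as "WPA2".
        family = security.strip().upper().split("-")[0]
        networks.append(Network(bssid.strip().lower(), ssid.strip(), family, int(channel)))
    return networks


def audit(scan_text: str, authorized: set[str], corp_ssids: set[str]) -> list[Finding]:
    """Return one Finding per problem; a single radio can produce several."""
    findings: list[Finding] = []
    known = {b.lower() for b in authorized}
    for net in parse_scan(scan_text):
        if net.bssid not in known:
            if net.ssid in corp_ssids:
                findings.append(Finding(net.bssid, net.ssid,
                                        "unauthorized radio advertising a corporate SSID"))
            else:
                findings.append(Finding(net.bssid, net.ssid,
                                        "unknown access point (rogue or neighbour)"))
        if net.security in WEAK_SECURITY:
            findings.append(Finding(net.bssid, net.ssid,
                                    f"weak or no encryption ({net.security})"))
    return findings


if __name__ == "__main__":
    for f in audit(SCAN_OUTPUT, AUTHORIZED_BSSIDS, CORPORATE_SSIDS):
        print(f"{f.bssid}  {f.ssid:<12}  {f.reason}")
```

A survey sees every radio within range, including the coffee shop next door, so an "unknown access point" finding is a lead, not a verdict. To tell a neighbour from a rogue that an employee has plugged into your wired LAN, cross-check the flagged BSSIDs (and the MAC addresses of any clients behind them) against your switches' MAC address tables and walk the floor. The SSID-impersonation finding deserves the fastest follow-up, since a radio pretending to be your network is positioned to harvest your users' credentials.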

ANALYSIS
Our nation is now fully dependent upon cyber systems for the functioning of the economy, government, and critical functions; yet all of our networks remain vulnerable to relatively simple cyber attacks. As long as we have this weakness, we run the chance that it will be exploited in a big way, beyond the billions of dollars in losses we already see every year. With Washington again unfocused on the issue, state governments and companies need to coalesce and act on their own. The National Strategy to Secure Cyberspace is a good guide for the federal government but is only a start. To achieve cybersecurity now, everyone at every computer has to take action.


RICHARD CLARKE, former advisor to the last three presidents, is chairman of Good Harbor Consulting. He can be reached at rac@goodharbor.net.

Appeared in Homeland Defense Journal, May 2003.