NET Fiends
cyberterrorism
Experts said the latest electronic attack bore remarkable similarities to the "Code Red" virus of the summer of
2001, which also ground traffic to a halt on much of the Internet. "It's not debilitating," said Howard Schmidt,
President Bush's No. 2 cyber-security adviser. "Everybody seems to be getting it under control." Schmidt said
the FBI's National Infrastructure Protection Ctr and private experts at the CERT Coordination Ctr were monitoring the
attacks.
The virus-like attack sought out vulnerable computers to infect on the Internet using a known flaw in popular
database software from Microsoft Corp., called "SQL Server." But the attacking software code was scanning
for victim computers so randomly and so aggressively, sending out thousands of probes each second, that it
overwhelmed many Internet data pipelines.
The attack sought to take advantage of a software flaw discovered in July 2002 that permits hackers to infect
corporate database servers. Microsoft deemed the problem "critical" and offered a free repairing patch, but it
was impossible to know how many computer administrators applied the fix.
Computer worm grounds flights, blocks ATMs
Wash.D.C. A fast-moving computer worm snarled business & govt computers Saturday,
slowing some corporate systems to the point of inaccessibility. Internet security experts said the worm does not
appear to have done any serious damage.
Experts called it the most damaging attack on the Internet in 18 months as networks across Asia, Europe and the
Americas were effectively shut down, Reuters reported. Bank of America Corp., one of the nation's largest banks,
said many customers could not withdraw money from its 13,000 ATMs because of technical problems caused by
the attack, according to Associated Press. BoA spokeswoman Lisa Gagnon told AP that the bank restored service
to nearly all ATMs by late Saturday afternoon and that customers' money & personal information had not been
at risk.
The White House was notified about the attack after it was discovered early Saturday, said President's Critical
Infrastructure Protection Board spokeswoman Tiffany Olson. The FBI's National Infrastructure Protection Center is
investigating, she said.
Several companies, incl Continental Airlines, reported widespread computer problems Saturday. Continental said
the worm attack caused its difficulties. Spokesman Jeff Walt said agents reverted to "the old fashioned way",
phones, and pen & paper, to record reservations and electronic tickets. "[That is] more time consuming, so we
had some scattered delays around the system and some cancellations of regional flights," said Walt, adding that
the airline experienced few problems on its national flights. "It looks like we're getting close to [having] everything
resolved."
Worms of this nature are often precursors to a different type of attack called "distributed denial of service." In that
case, computers infected with a worm or other program are directed to send a flood of information to a specific
Internet location and force it off-line. "[Saturday's worm] is the recruitment of soldiers, not telling the soldiers where
to aim their guns," Paller said. He described Saturday's activity as a "worm with collateral damage."
Friedrichs said Saturday's worm was similar to the "Code Red" worm, which attacked unpatched Microsoft IIS
servers in 2001 and defaced Web pages with the message "Welcome to http://www.worm.com! Hacked By
Chinese!" "Code Red" eventually hit more than 700,000 computers and spread too quickly for investigators to trace
its origin. So far, "SQL Slammer" has not disturbed any Web pages or other files.
1.27.03 AP Govt funded Hong Kong Computer Emergency Response Team was investigating but said it would be hard to determine the origin of the Internet attack, which shut down millions of computer users in S.Korea and slowed or halted networks elsewhere. "Checking the origin of the worm is like finding which part of a river a drop of water comes from," said Hong Kong computer team sr consultant S.C. Leung.
The worm could have been timed for release during the Asian day and cropped up in Hong Kong when people
began using their computers on Saturday, but that does not mean it was launched from Hong Kong, said Matrix
NetSystems vp Tom Ohlsson, Austin TX. "It appears that performance on the Internet seemed to degenerate [in
Hong Kong] before we noticed it in the Eastern Seaboard."
Wash.Post reported experts who studied the worm found references in its coding to Honker, a Chinese hacker
group believed to operate in mainland China and possibly in Hong Kong. Internet service in S.Korea was "stable"
though not at 100% early Monday, said S.Korea's Information & Communication Ministry spokesman Woo
Do-shik.
3.18.03 BBC In an advisory, Microsoft called the flaw "critical" and has been telling customers to patch their computers in case they fall victim. The flaw is present in servers running Windows 2000, up to and including service pack 3, and version 5.0 of Microsoft's Internet Information Server (IIS) software.
It arises because of Microsoft's implementation of a program called WebDAV that lets different people remotely
manage what is on a net server. Using a cleverly crafted HTTP request an attacker could exploit the flaw to gain
control of a server and either crash it or make it run programs of their choice.
Often there is a hiatus between the discovery of a flaw in software and its active exploitation by vandals.
However, in this case at least one net server has been attacked via the WebDAV loophole before security
advisories have been issued. The server, belonging to the US Army, was successfully attacked in early March. No
serious damage was done because it was not connected to any important systems. Once patched it was attacked
again.
Govt simulates national attack on computers, banks, utilities 11.24.03 Ted
Bridis AP
Homeland Security Dept's first simulation of a terrorist attack on computer, banking and utility systems exposed
problems with the ways victimized industries communicated vital information during the crisis, the govt's new
cybersecurity chief said Monday. Experts inside govt and the Institute for Security Technology Studies at
Dartmouth College are still formally evaluating results of the so-called "Livewire" exercise, carried out over 5 days
late in Oct. 2003. It simulated physical & computer attacks on banks, power companies and the oil & gas
industry, among others.
Yoran said mock attacks during the exercise tried to broadly disrupt services & communications across major
industrial sectors, enough to make consumers lose economic confidence. It modeled bombings at
communications facilities outside Washington and cyberattacks aimed at companies & other networks. Even
before 9.11.01, govt organized its cyber-protection efforts around early-warning centers operated separately by
banks, water utilities, technology companies and the electric industry.
Yoran said that in some cases, the exercise exposed problems as simple as uncertainty about which companies
& industries can be contacted in the middle of the night with urgent information about an ongoing attack; most
mock failures occurred during the day. In some cases, victim companies weren't told explicitly about an attack;
organizers might send them clues, such as e-mails purportedly from customers who mysteriously couldn't access
their bank accounts.
U.S. cybercrime crackdown nets 125 arrests nationwide
11.20.03 Curt Anderson AP
A federal crackdown on a wide range of Internet fraud schemes costing victims an estimated $100 million has
resulted in the arrest or conviction of 125 individuals, law enforcement officials said Thursday. The investigation,
dubbed "Operation Cyber Sweep," targets such crimes as stolen credit card numbers, software piracy and
the sale of stolen goods over the Internet, said Atty Gen John Ashcroft.
The investigation, begun 10.1.03, uncovered about 125,000 victims with losses topping $100 million. 70
indictments to date have led to arrests or convictions of 125 people, with more expected as the probe continues.
The cases range from a Virginia woman who sent fake e-mails to America Online customers asking them to update
their credit card numbers to a disgruntled Philadelphia Phillies fan who hacked into computers nationwide and
launched spam e-mails criticizing the baseball team. The crackdown stemmed from indications that Internet fraud continues to rise. The Internet Fraud Complaint Ctr, run in part by the FBI, referred some 58,000 complaints to law enforcement in the first 9 months of 2003, compared with 48,000 for all of 2002.
[ Despite NatSec having sired the Net via DARPA funding, its devious dames so far have kept its independence intrinsic. Duplicitously tub-thumping hysteria while surreptitiously abetting attack methods' development on behalf munitions makers' corporate welfare is doomed to spawn ever more belated & ineffectual security remedies. NatSec abandons more technology stillborn than it nurtures to mature into infrastructure. Those fetal corpses offer villains & vandals more security breaches than they can ever hope to exploit, hence genuine cyberspace security is only possible as a result of a social structure evolved from mores of trusting & trustworthy behavior, not programs & systems expediently devised by greed driven munitions corps. ]
Securing the homeland
With homeland security a hot topic and computer
security always on the minds of IT professionals, "The National Strategy to Secure Cyberspace," recently released by the President's Critical Infrastructure Protection Board and introduced by President Bush's special adviser for cyberspace security Richard Clarke, comes as no surprise.
I don't have enough space to summarize the entire 65 pg report, but there are a few interesting items of note. First of all, the fact that the executive branch has integrated network security into its general thoughts about homeland security while offering fairly detailed suggestions is noteworthy in itself:
The document describes the 5 levels on which the national strategy will be applied: the home user, the enterprise, critical sectors, the nation, and the "global community." It then offers recommendations, references programs, and includes open points for discussion. Although the entire document is worth reading, I'll focus on the home user and enterprise because most of us deal with those every day. With many home-office users on VPN software to access corporate networks, it's important to understand their challenges.
The report rightfully notes that attention must be paid to Internet users in homes & small businesses because their machines & networks can be used individually or in aggregate to attack larger targets; think grid computing at its worst.
On the enterprise side, the home-user recommendations still apply. But a sound managerial approach is critical.
Large enterprises should coordinate their people & processes from the CEO down to create & manage
effective security policies. Technology security within the enterprise should be recognized as a priority by the CEOs & boards of large companies, and upper management should work with CTOs to make sure that best practices are employed. Rather than fan the flames of worry about outside attacks, the report notes that in reality, 70% of attacks are perpetrated by trusted "insiders."
2 Marines charged with plotting to bomb base
Tunkhannock, PA 2 U.S. Marines from Camp Lejeune, N.Carolina, are in custody after conspiring to use an explosive device at their base, police said. Lance Cpls. Richard Morrison, 21, and Richard Thomas
Medders, 22, were arrested Saturday along with Janna Rebecca Lynn Smith, 27, and charged with criminal
conspiracy to cause or risk a catastrophe, and making terrorist threats & bomb threats, Pennsylvania State Police said.
Electronic Pearl Harbor
That's been 2 hours you've been unable to get on-line now. So much for always-on, you think, as you go to fill the
kettle. You turn the tap and there's no water. Then the lights go out. Now the phone line is down, too. There's
always the mobile, but why is it dialling 999 all by itself?
There have been warnings from parts of the IT community that terrorists could attempt something like this for at
least 10 years, but now govts are taking it much more seriously. Last week the FBI issued an alert warning that the threat of war with Iraq, and increased tension with North Korea, could lead to increased numbers of attacks on US infrastructure.
"Network security has become a key concern, especially in the aftermath of 9.11.01," he says. "The malfunctioning of networks & information systems concerns everybody: citizens, businesses and public administrations."
The language is reserved, the discussions kept within a close circle of specialists, but security experts say the govt is taking the threat seriously. In the U.S., repeated warnings of an "electronic Pearl Harbor" from terrorism & technology experts have given the subject more public prominence.
The National Security Agency simulated a cyber-terrorist attack with 35 hackers in 1997. They managed to hack into department of defense networks, "turn-off" sections of the power grid, "shut down" parts of the 911
emergency service and even managed to "hack" into a Navy cruiser's systems.
His argument is quite simple: before 9.11.01, al-Qaida tended to talk about taking human lives, killing as many
people as possible. But afterwards its rhetoric shifted towards threats against the economic infrastructure of the
west. This is too dispersed & diverse to bring down with bombs, he argues, but it could do a lot of
damage in cyberspace.
al-Qaida is just one group interested in waging cyber-terrorism. A CIA report for the Senate Intelligence Committee adds Sunni extremists, Hezbollah and Aleph (formerly Aum Shinrikyo, responsible for the Tokyo underground poison gas attack) to the list. Clarke says Iraq, Iran, North Korea, China and Russia are already training people in cyber-warfare. "There are a lot of different people who can conduct cyber-warfare," says Clarke.
The motive for most hackers & virus writers has always been one of ego or intellectual challenge rather than
financial gain or political belief. But now ideologically motivated hacking is rising fast, says UK computer security
consultancy Mi2g. Its study of major hacker groups active in 2002 notes: "Attacks on the west show a spurt of
growth mainly coming from radical groups & individuals based in predominantly Islamic countries." It reports
that there were 5,589 attacks on the UK last year, with ideologically motivated attacks coming from Egypt,
Pakistan, Morocco and Turkey.
But Clarke argues that we should be worrying about how to protect our critical systems, rather than where the next attack will come from. Every new technology is a potential target for cyber-terrorists. Viruses in Spain & Japan have tricked mobile phones into dialling the local emergency numbers. "Now, if you're a terrorist, the first thing you might want to do before an attack is take down the 911 system," says Clarke.
The legend of the internet is that it was designed to survive a nuclear blast; it will always survive one part going
down because it will just find another path through other servers. Yet research at Arizona State Univ. published last week found that it is not as bomb-proof as we assume. Only a few thousand computers transmit most of the data over the internet, they found, and it is in fact vulnerable to a "virtual cascade" of overload failures that could make the whole system crash.
Computer Security Awareness consultant Mike Barwise says hackers are persistent, pay attention to detail & share information. "If the defence had those attributes then it would be a level playing field," he says. But he adds: "There's a risk of fulfilling the terrorist purpose ourselves. If we spread the terror ourselves they can sit back and relax."
"Before we make assertions we must justify them with evidence," says Barwise, and he reckons we don't yet have a lot of evidence that terrorists either do or don't have the skills. Most attacks are by "graffiti writers" on websites, he says, and then come the less common hacks into systems for financial fraud or other personal gain.
This is why Peter Sommer, of the London School of Economics Computer Security Research Centre, dismisses the idea of an impending "electronic Pearl Harbor". The number of people in govt who know the sort of sensitive
security information that terrorists would need is very few, he says. Matai says data attacks are more of a
nuisance than a terror but "command & control" attacks on water, power, transport, telecommunications or
aviation hubs could be fatal. Once inside the control systems, hackers may choose to turn off power or water supplies, open dams or empty sewage into rivers.
al-Qaida's style is to patiently plan coordinated attacks and it's not too hard to imagine that it is at least training or
preparing hackers and virus writers around the world for a large scale, coordinated assault that piles attack upon
attack until systems fall over. It would be cheap and involve little risk of those involved ever being caught.
The rules of cyber-warfare are in a legal black hole because the Geneva convention forbids attacks on non-combatants. Last week the Washington Post reported that President Bush had signed a secret directive for govt to develop guidance on when, and how, the US would launch cyber-attacks against enemy networks.
Mi2g says it is inevitable that govts develop cyber-warfare weapons because in cyberspace as in the real world,
attack is a strong form of defence. There are always counter attacks in response to cyber-attacks, says Matai:
"During the Nato-Serbia war in 1999, the blended [virtual & physical] attacks on Serbia's telephone &
power utilities were followed by counter-attacks on NATO Command and U.S. DoD's email & internet servers.
Prank starts 25 years of security woes 9.1.07 & Anick Jesdanun AP
NYC What began as a ninth-grade prank, a way to trick already-suspicious friends who had fallen for his earlier practical jokes, has earned Rich Skrenta notoriety as the first person ever to let loose a personal computer virus. Although over the next 25 years, Skrenta started the online news business Topix, helped launch a collaborative Web directory now owned by Time Warner Inc.'s Netscape and wrote countless other computer programs, he is still remembered most for unleashing the "Elk Cloner" virus on the world.
"Elk Cloner", self-replicating like all other viruses, bears little resemblance to the malicious programs of today. Yet in retrospect, it was a harbinger of all the security headaches that would only grow as more people got computers and connected them with one another over the Internet.
So during a winter break from the Mt. Lebanon Senior High School near Pittsburgh, Skrenta hacked away on his Apple II computer, the dominant personal computer then, and figured out how to get the code to launch those messages onto disks automatically.
The prank, though annoying to victims, is relatively harmless compared with the viruses of today. Every 50th time someone booted an infected disk, a poem he wrote would appear, saying in part, "It will get on all your disks; it will infiltrate your chips". These days, there are hundreds of thousands of viruses, perhaps more than a million depending on how one counts slight variations.
With the growth of the Internet came a new way to spread viruses: e-mail. "Melissa" (1999), "Love Bug" (2000) and "SoBig" (2003) were among a slew of fast-moving threats that snarled millions of computers worldwide by tricking people into clicking on e-mail attachments and launching a program that automatically sent copies to other victims.
Although some of the early viruses overwhelmed networks, later ones corrupted documents or had other destructive properties. Compared with the early threats, "the underlying technology is very similar (but) the things viruses can do once they get hold of the computer has changed dramatically," said Florida Institute of Technology computer science prof. Richard Ford.
Later viruses spread through instant-messaging and file-sharing software, while others circulated faster than ever by exploiting flaws in Windows networking functions. More recently, viruses have been created to steal personal data such as passwords or to create relay stations for making junk e-mail more difficult to trace.
Suddenly, though, viruses weren't spreading as quickly. Virus writers now motivated by profit rather than notoriety are trying to stay low-key, lest their creations get detected and removed, along with their mechanism for income.
Many of the recent malicious programs technically aren't even viruses, because they don't self-replicate, but users can easily get infected by visiting a rogue Web site that takes advantage of any number of security vulnerabilities in computer software.
Although worldwide outbreaks aren't as common these days, "believe it or not there's exponentially more malware today than there ever was," said McAfee Inc.'s Avert Labs research manager Dave Marcus. "We find 150 to 175 new pieces of malware every single day. Five years ago, it would have been maybe 100 new pieces a week".
Symantec Corp. formed the same year Skrenta unleashed "Elk Cloner," but it dabbled in non-security software before releasing an anti-virus product for Apple's Macintosh in 1989. Today, security-related hardware, software and services represent a $38 billion industry worldwide, a figure IDC projects will reach $67 billion in 2010.
Even as corporations and Internet service providers step up their defenses, though, virus writers look to emerging platforms, including mobile devices and Web-based services like social-networking sites.
"Malware writers can't assume you are on PCs or won't want to limit themselves to that," said Symantec's security response dir. Dave Cole.
That's not to say Skrenta should get the blame anytime someone gets spam sent through a virus-enabled relay or finds a computer slow to boot because of a lingering pest. After all, there is no evidence virus writers who followed even knew of Skrenta or his craft.
Fred Cohen, a security expert who wrote his Ph.D. dissertation in 1986 on computer viruses, said the conditions were right, and with more and more homes getting computers, "it was all a matter of time before this happened".
In fact, a number of viruses preceded "Elk Cloner," although they were experimental or limited in scope. Many consider Skrenta's the first true virus because it spread in the wild on the dominant home computers of its day.
"You had other people even at the time saying, `We had this idea, we even coded it up, but we thought it was awful and we never released it,'" said Skrenta, who is now heading Blekko Inc., a month-old startup still working in stealth mode.
Where was his restraint? Skrenta replied: "I was in the ninth grade."
After a review initiated at the outset of the Administration, President Bush signed Executive Order 13231 (Critical Infrastructure Protection in the Information Age) in October, 2001 creating the President's Critical Infrastructure Protection Board. The Board is the central focus in the Executive Branch for cyberspace security. It is composed of senior officials from more than 20 departments and agencies. The President created a series of interagency committees that report to the Board on issues such as Education, Research, Incident Response, and Interdependencies.
President's Critical Infrastructure Protection Board Sept.18, 2002
President Bush directed the development of a National Strategy to Secure Cyberspace to ensure that America has
a clear road map to protect a part of its infrastructure so essential to our way of life. On the pages that follow is a
draft of that road map, developed in close collaboration with key sectors of the economy that rely on cyberspace,
State and local govts, colleges and universities, and concerned organizations. These public-private
partnerships that formed in response to the President's call have developed their own strategies to protect the parts
of cyberspace on which they rely.
They are made available online today. Other groups, representing other sectors, have recently formed, and have
begun the process of developing strategies. Town hall meetings were held around the country, and fifty three
clusters of key questions were published to spark public debate. Even more input is needed. This unique
partnership and process is necessary because the majority of the country's cyber resources are controlled by
entities outside of govt. For the Strategy to work, it must be a plan in which a broad cross-section of the
country is both invested and committed.
8 more town hall meetings will be held around the country in the next few weeks to further solicit and receive the
views of concerned citizens. Comments on the National Strategy to Secure Cyberspace may be sent via the
feedback link at www.securecyberspace.gov by November 18, 2002. The National Infrastructure Advisory
Committee, leaders from the concerned sectors of industry, academia, and State and local govt will add
their comments and advice to that received from the town hall meetings and web site. The President will review and
approve the Strategy in the next several months.
Technology will continue to change rapidly. New vulnerabilities and threats will be uncovered. Elements of our
present programs may be determined to be ineffective in the future. America's cybersecurity strategy must be
dynamic and continually refreshed to adapt to the changing environment.
Howard A. Schmidt, vice chair
U.S. ignored warning signs before: 2 attempts by al-Qaeda in 1994 to use airplanes as weapons, as well as
public statements in 2000 about terrorists being trained as
pilots. Now PCIPB chair Clarke is trying to prevent new warning signs from being ignored, signs that al-Qaeda's
brand of terrorism has a growing cyber element and that the nation's economy is at risk.
Before taking his current post Oct.2001, Clarke advised 2 presidents on cybersecurity and served as the country's
first counterterrorism coordinator. Most of his time now is spent raising awareness of the changing nature of
terrorism and the increasing relevance of cyberterrorism to the stated goals of groups such as al-Qaeda.
Clarke said vulnerabilities in the nation's critical infrastructure stem mainly from unknown security holes in widely
deployed software and from the constant influx of new technologies that often have unintended consequences for
security.
According to Clarke, 9.11.01 was a turning point for the national effort to protect cyberspace. "Before, [al-Qaeda]
was interested in killing as many people as possible," he said. "After, [Osama bin Laden] starts talking about
destroying the American economy. And he starts to talk about going after U.S. economic infrastructure."
Clarke said he's aware that many people doubt terrorist organizations' willingness & ability to carry out
strategic cyberattacks against the U.S. But he said it's his job to think differently about the future and to do what
some officials failed to do in months leading up to 9.11.01. Eliminating al-Qaeda, for example, "won't end the threat to us from cyberspace," he said. Therein lies the challenge, according to Clarke. The U.S. needs to take the target of cyberspace away from its enemies by eliminating vulnerabilities, he said.
Introduction
Cyberspace Threat and Vulnerabilities: A Case for Action
National Policy & Guiding Principles
Highlights
Level 2: Large Enterprises
Level 3: Critical Sectors
State and Local Govt
Higher Education
Private Sector
Level 5: Global
Acronyms
Introduction
Issued earlier this year, the National Strategy for Homeland Security addresses a very specific and uniquely challenging threat—terrorism in the U.S.—and provides a comprehensive framework for organizing the efforts of Federal, State, local and private organizations whose primary functions are often unrelated to national security. Cyberspace is essential to both homeland security and national security; its security and reliability support the economy, critical infrastructures, and national defense.
Accordingly, the National Strategy to Secure Cyberspace is an implementing strategy, which supports both the
National Strategy for Homeland Security and the National Security Strategy of the U.S. The National
Strategy to Secure Cyberspace describes initiatives to secure U.S. information systems against deliberate,
malicious disruption and to foster an increased national resiliency. This Strategy, together with a complementary
Homeland Security Physical Protection Strategy, provides
the strategic foundation for the nation's efforts to protect its infrastructures.
Strategy as Place
In this Strategy, readers will see plans from and for a diverse group of Americans: teachers, military officers,
privacy experts, doctors, stock brokers, police, civil servants, computer scientists, State govt officials,
corporate CEOs, and Federal officials.
Strategy as Process
Component strategies were developed by stakeholders and customers of cyberspace. Representatives of
companies that own and operate critical infrastructures came together to draft how banking and finance, electric
power, railroads, and other sectors could secure their parts of cyberspace.
Community colleges and major universities teamed to plan for securing cyberspace at academic institutions. Big
city police and small town sheriffs collaborated on the cyberspace security needs of law enforcement.
Congressional committees in both houses held hearings on cybersecurity and related topics. Dozens of national
associations met and devoted thousands of hours in developing contributions to this Strategy.
These groups have developed strategies for how they will help secure the portions of cyberspace that they own or
operate, because each user of cyberspace must play a role in securing it. That fact does not absolve the Federal
govt of its responsibilities, which are many & outlined in the Strategy. It does, however, underline the
reality that the Federal govt alone cannot secure cyberspace. We must all do our part.
The Strategy Will Evolve
To stimulate debate and discussion, the President's Board solicited the views of experts across the country on what
are the key issues and questions that should be addressed by the Strategy. The accumulated questions were then
placed on web pages sponsored by a govt agency, an association, and a private organization. Many
citizens offered their views. This initial release of the Strategy proposes answers for most of the questions and
places others in "Agenda Boxes" for continued national dialogue.
As a further part of the national dialogue, the President's Critical Infrastructure Protection Board hosted public town
meetings in the spring of 2002, prior to the initial release of the Strategy. These meetings were held in cities around
the country. In addition, the Commerce Dept's Critical Infrastructure Assurance Office (CIAO) sponsored
meetings with State & local govt officials from several States, which incl national-level conferences
held in Austin TX 2.12-13.02, and Princeton NJ 4.23-24.02.
Following the Internet launch of the initial release, additional town meetings and State forums may be held as part
of the effort to maintain national dialogue on securing cyberspace. Additional meetings around the country are
possible and initial planning is underway. Further details will be posted on the web site,
www.securecyberspace.gov, as events are confirmed.
The National Strategy to Secure Cyberspace supplements other strategies
Some sections of this Strategy are more detailed than others. However, as the Strategy evolves in subsequent
editions, it will attempt to address all of the major problems of cybersecurity in appropriate detail. The Strategy
is a roadmap for the Administration, the Congress, State and local govts, sectors of the economy, higher
education, and the American Internet consumer.
The recommendations are directed at many audiences, including the Administration itself. The Strategy does not
substitute for the normal decision-making process about budgets and policies. While there are many
recommendations in the Strategy that do not require additional resources, those that do will be considered in the
normal processes. Many of the recommendations will become the work of the President's Critical Infrastructure
Protection Board and its interagency committees.
Strategy for Cyberspace, in Cyberspace
The printed version of this release references places in cyberspace where strategies developed by various groups, as well as other useful material, may be found. Because of size limitations, the hard copy does not contain the text of all references. However, the online version contains hyperlinks to referenced materials. In this paper document, you will find these core components of the Strategy:
Throughout the 5 levels in the online version, agenda boxes will highlight:
The Strategy is hyperlinked to documents and web pages owned and operated by nongovt organizations,
trade associations, academic institutions, State and local govts, and corporations. Their content is
determined by them alone and their inclusion does not constitute automatic acceptance of their views by the
Federal govt. They are included because the National Strategy is not intended to be a Federal
govt prescription, but rather a participatory process.
Please join this process to help secure cyberspace, so that the U.S. can continue to reap the benefits of
the Information Technology Revolution in education, health sciences, the economy, E-Govt, and national
defense. Only by securing cyberspace can the next level of benefit it offers be tapped to its full potential.
Cyberspace threats & vulnerabilities: a case for action
Case for Action - key themes
A week after the terrorist attacks on September 11, a less physically destructive but economically significant attack
was striking leading financial services firms a few blocks away from the World Trade Center site. Its significance
was not in the amount of damage caused, which was considerable, but because it may foreshadow what we could
face in the future. The attack was called NIMDA ("ADMIN" spelled backwards), and for a nation that has become
dependent on computer networks, it was a wake-up call. NIMDA was an automated cyber attack, a blend of a computer worm and a computer virus; it propagated across the nation with enormous speed and tried several different ways to infect computer systems it invaded, until it got in and destroyed files. It went from nonexistent to nationwide in an hour, lasted for days, and attacked 86,000 computers.
NIMDA caused significant problems in well-protected industries, forcing firms offline, shutting down customer
access, and requiring some firms to rebuild systems entirely. The actual financial cost of the NIMDA attack is
unknown because there is no consistent method to track such damage.
However, industry sources estimate that the overall financial impact of cyber attacks resulting from malicious code
could have been $13 billion in the year 2001. Two months before NIMDA, a cyber attack called Code Red had
infected 150,000 computer systems in 14 hours, causing billions of dollars in losses. Such attacks demonstrate
the growing sophistication and destructiveness of cyber attacks. The volume of attacks is also up: Carnegie
Mellon University's Computer Emergency Response Team's [CERT] Coordination Center reported 3,700
attacks in 1998, and at current rates will report over 110,000 in 2002. Other teams report similar, dramatic
growth in cyber attacks. That trend is likely to continue.
A nation now fully dependent on cyberspace
For the U.S., the Information Technology Revolution quietly changed the way business and govt
operate. Without a great deal of thought about security, the nation shifted the control of essential processes in
manufacturing, utilities, banking, and communications to networked computers. As a result, the cost of doing
business dropped and productivity skyrocketed. The trend towards greater use of networked systems continues.
By 2002, our economy and national security are fully dependent upon information technology and the information
infrastructure. A network of networks directly supports the operation of all sectors of our economy—
energy (electric power, oil and gas), transportation (rail, air, merchant marine), finance and banking, information
and telecommunications, public health, emergency services, water, chemical, defense industrial base, food,
agriculture, and postal and shipping.
The reach of these computer networks exceeds the bounds of cyberspace. They also control physical objects such
as electrical transformers, trains, pipeline pumps, chemical vats, radars, and stock markets. At the core of the
information infrastructure upon which we depend is the Internet, a system originally designed to share unclassified
research among scientists who were assumed to be uninterested in abusing the network. It is that same Internet
that today connects into millions of other computer networks, which make most of the nation's essential services
work. While the Internet has grown enormously and globally, it has also grown increasingly insecure. People in
almost every country on the globe can access a network that, in turn, is ultimately connected to networks
that run critical functions in the U.S.
Cyber attacks on U.S. information networks occur regularly and can have serious consequences such as disrupting critical operations, causing loss of revenue and intellectual property, or loss of life. Countering such attacks requires the development of robust capabilities where they do not exist today, if we are to reduce vulnerabilities and identify and deter those with the capabilities and intent to harm national infrastructures.
A range of threats
A spectrum of actors conduct attacks against the information infrastructure. They range from "script kiddies" who download malicious software from the Internet to carry out the equivalent of annoying graffiti attacks in cyberspace; to hackers who merely want to demonstrate their destructive skills; to trusted "insiders" who exploit their access to computer systems to cause damage; to criminal organizations that engage in fraud, extortion, and theft in cyberspace; and to terrorists and potential enemy nation states spying on us now, and developing plans that would enable them, in a future conflict, to damage our economy and weaken or control the physical and cyber systems the U.S. needs to fight back. Identifying those who did or might attack provides an opportunity to not only stop them and bring them to justice (whether, for example, through arrests in the case of criminals, or military means in the case of acts of information warfare), but also to learn their skill sets and better focus national protection efforts.
An excerpt from a letter to the President from 50 scientists, computer experts and former intelligence officials.
Consider the Following Scenario …
A terrorist organization announces one morning that they will shut down the Pacific Northwest electrical grid for six hours starting at 4pm; they then do so. The same group then announces that they will disable the primary telecommunication trunk circuits between the U.S. East and West Coasts for a half day; they then do so, despite our efforts to defend against them. Then, they threaten to bring down the air traffic control system supporting New York City, grounding all traffic and diverting inbound traffic; they then do so. Other threats follow, and are successfully executed, demonstrating the adversary's capability to attack our critical infrastructure.
Finally, they threaten to cripple e-commerce & credit card service for a week by using several hundred
thousand stolen identities in millions of fraudulent transactions, if their list of demands are not met. Imagine the
ensuing public panic and chaos.
Reduce vulnerabilities, in the absence of known threats
A key lesson from these cyber attacks and others like them is that those who rely on networked computer systems
need to identify and remedy their vulnerabilities now, rather than wait for an attacker to be stopped or until alerted
of an impending attack. No one has yet been arrested for launching the Code Red or NIMDA attacks. However, it is
important to note that computer attacks are serious felonies and perpetrators are being caught with increasing
regularity.
Identifying vulnerabilities by having a group of trained professionals complete an information technology security
audit can take 2-3 months. Remedying the most serious vulnerabilities by creating a multi-layered defense and a
resilient network may take several additional months. Then the process must be regularly repeated.
New vulnerabilities requiring continuous response
The process of securing networks & systems must be continuous because new vulnerabilities are created or
discovered regularly. CERT/CC notes that not only are cyber incidents and the number of attacks increasing at an
alarming rate, so too are the number of vulnerabilities that an attacker can utilize. Identified computer security
vulnerabilities, problems with software and hardware that permit unauthorized entry or damage to a network, more
than doubled in the last year, with 1,090 separate vulnerabilities reported in 2000, and 2,437 reported in 2001.
Installing a network security device is not a substitute for a constant focus on keeping defenses up to date.
In a recent survey by the Computer Security Institute, 90 percent of respondents used anti-virus software, but
85 percent had been damaged by a virus. In the same survey, 89 percent had installed computer firewalls and 60
percent had intrusion detection systems, yet 90 percent reported security breaches had taken place and
40 percent had their systems penetrated from outside their network. The majority of security vulnerabilities can be
mitigated with good security practices. As these survey numbers indicate, good security practices include not just
installing those devices, but operating them correctly and keeping them current, including regular patching and
virus updates.
Cybersecurity and opportunity cost
For individual companies and for the national economy as a whole, improving computer security often requires
investing attention, time, and money. President Bush requested that Congress increase funds to secure
Federal computers by 64 percent in FY03.
President Bush's investment in securing Federal computer networks will eventually reduce expenditures through
cost saving E-Govt solutions, modern enterprise management, and by reducing opportunities for
waste and fraud.
For the national economy and, in particular, for the information technology industry, the dearth of trusted, reliable, secure information systems is a barrier to future growth. Much of the promise and potential of continued growth in the economy, as a result of the Information Technology Revolution, has yet to be realized. That unrealized opportunity, including e-commerce and business-to-business (B2B) activity, is in part deterred by computer security risks. Vulnerability in cyberspace places more than transactions at risk; it can jeopardize intellectual property, business operations, infrastructure services and consumer trust.
Investment in cybersecurity is not just more costly overhead. There is a return on security investment. Surveys
have repeatedly shown that:
These results suggest that with greater awareness of the issues, companies may find benefit in increasing their level of cybersecurity. Greater awareness and voluntary efforts are critical components of this Strategy.
Every day in America an individual company, or a home computer user, suffers damage and losses from cyber attacks that, on an individual level, are significant, perhaps even catastrophic. The ingredients exist for that kind of damage to also occur on a national level, to the networks and systems upon which the nation depends:
These factors mean that no strategy can completely eliminate risk, but the nation can and must act to manage risk
responsibly and to minimize the potential damage that could be done by exploiting vulnerabilities. By noting this in
a public document, we are not telling potential foes something that they and others do not already know. In 1997, a
Presidential Commission identified the risks in a seminal public report. In 2000, the first national plan to address the
problem was published. In 2001, President Bush, citing these risks, issued an Executive order making
cybersecurity a priority issue and increased funding to secure Federal networks.
In 2002, the President moved to consolidate & strengthen Federal cybersecurity agencies.
Govt alone cannot secure cyberspace
Yet despite this awareness and these measures, the risk continues to our national information networks and the
critical systems they manage. Reducing that risk requires an active, unprecedented, partnership among diverse
components of our country and our global partners.
The Federal govt should not and, indeed, could not, secure the computer networks of privately owned
banks, energy companies, transportation firms, or other parts of the private sector. The Federal govt should
not intrude into homes and small businesses, into universities, or local agencies and departments to create secure
computer networks.
Each American who depends on cyberspace, the network of information networks, must secure that part that they own or for which they are responsible. The Federal govt can help to empower Americans to do just that, by:
Ultimately, cyberspace security is not about "good ones and zeroes attacking bad ones and zeroes in the ether." It
is about whether when one throws the switch the electricity comes on, or whether the money Americans have
invested and deposited is there, and whether this country is secure. U.S. physical infrastructure has been protected
since it emerged in the 19th century. For example, railroad police were created to mitigate threats to the vast
transportation networks. Those problems of physical security remain, but are now matched by the problems of
cybersecurity.
The two problem sets are related. A cybersecurity problem can render physical structures insecure and vice versa.
Govt and industry must analyze those interactions and interdependencies, but must also place a special
focus on the unique and new vulnerabilities posed by reliance on cyberspace.
National policies & guiding principles
The National Strategy to Secure Cyberspace supplements the National Strategy for Homeland Security and the
National Security Strategy of the U.S. This "Policy and Principles" section, together with President
Bush's Executive Order 13231, provides the Administration's policy guidance on cyberspace security. The policy
statements and recommendations in this Strategy are subject to Executive Order 13231 and other relevant
Executive orders relating to national security, and nothing herein alters the authorities, roles or responsibilities of
U.S. govt officials under the National Security Act or other relevant statutes.
This document is the first ever National Strategy to Secure Cyberspace. The purpose of the Strategy is to engage,
empower, and establish efforts to secure cyberspace. Engaging and empowering America to secure cyberspace is
an exceedingly complex mission that requires coordinated and focused effort across society—the Federal
govt, State and local govts, the private sector, and the American people. The Strategy seeks to
implement the President's national policy objectives and principles for securing cyberspace.
Statement of national policy
The Information Technology Revolution has changed the way business is transacted, govt operates, and
national defense is conducted. Those three functions now depend on an interdependent network of
critical information infrastructures, cyberspace.
Continuous efforts to secure information systems for critical infrastructure, including emergency preparedness
communications, and the physical assets that support such systems are needed to minimize disruption and
maximize reliability.
The U.S. will achieve and maintain the ability to protect our nation's critical infrastructures from natural events and intentional acts that would significantly diminish the abilities of:
This policy acknowledges that no security measures will be 100 percent reliable. Nonetheless, it strives to ensure
that any interruptions or manipulations of these critical functions will be infrequent, brief, manageable,
geographically isolated, and minimally detrimental to the welfare of the U.S.
Many of the nation's critical infrastructures have historically been physically and logically separate systems with
little interdependence. Advances in information technology and the necessity of improved efficiency, however, have
precipitated a steadily and rapidly increasing amount of automation in, and interconnection among, these systems.
The USA PATRIOT Act defines critical infrastructure as those "systems and assets, whether physical or virtual, so
vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating
impact on security, national economic security, national public health or safety, or any combination of those
matters."
America's critical infrastructures include energy (electric power, oil and gas), transportation (rail, air, merchant
marine), finance and banking, information and telecommunications, public health, emergency services, water,
chemical, govt, defense industrial base, food, agriculture, and postal and shipping.
This Strategy also recognizes that maintaining the integrity of the national economic and social fabric over the long
term requires attention, not only to the security of information systems, but also to the related societal
structures on which those systems depend. Accordingly, the Strategy incorporates affirmative measures designed
to enhance and augment these supporting structures.
Though the U.S. possesses both the world's strongest military and largest national economy, these two
aspects of the nation's power increasingly rely upon certain critical infrastructures, which include cyber-based
information systems. As witnessed on September 11, enemies of the U.S., nations, groups, and, indeed,
even individuals, are prepared to strike in unconventional ways. These adversaries have explicitly stated the
intention, not only to strike at U.S. citizens, but to attack the nation's infrastructures and cyberspace, the pillars of
the economy.
Guiding policy principles
In January 2001, the Administration began a review of the role of information systems and cybersecurity. In
October 2001, President Bush issued Executive Order 13231, which authorized a protection program consisting
of continuous efforts to secure information systems for critical infrastructure, including emergency preparedness
communications, and the physical assets that support such systems. The protection of these cyber systems is
essential to every sector of the economy. The development and implementation of this program directive has been
guided by the following organizing principles:
Embrace Private-Public Partnerships
The protection of critical infrastructures is necessarily a shared responsibility since approximately 85 percent of the
nation's critical infrastructure facilities are owned and operated by the private sector, and many critical
govt operations depend on these private facilities.
Because the targets of attacks on the nation's critical infrastructure would likely include both facilities in the
economy and those in the govt, addressing potential vulnerabilities will require flexible, evolutionary
approaches that span both the public and private sectors, and protect both domestic and international security
interests. The private sector has been intensively engaged in a closely coordinated effort with the Federal
govt to address these issues. One important step taken by many sectors has been the development of
information sharing and analysis centers (ISACs) to facilitate communication and the dissemination of
security-related information. In addition, various sectors have developed plans to secure their parts of cyberspace,
which complement this National Strategy. It is the govt's hope and intention that this productive and
collaborative partnership will continue.
The nation must focus on mechanisms for prevention and crisis management, such as the identification and
remediation of vulnerabilities, education, research and development, alert and warning methodologies, and the
development of measures to support these efforts. To that end, private sector owners and operators should be
encouraged to provide maximum feasible security for the infrastructures they control, and to provide the
govt with the information necessary to assist them in that task. For its part, the Federal govt, in
working to safeguard its own information systems, should strive to serve as a model to the private sector on how
infrastructure assurance is best achieved and shall, to the greatest extent possible, act with reciprocity to distribute
the results of its endeavors to the private sector.
Avoid Regulation
In order to engage the private sector fully, the Federal govt recognized that participation by owners and
operators in the private-public partnership would have to be voluntary. To encourage maximum participation
by the private sector in this partnership, the U.S. Govt, to the extent feasible, has sought to avoid outcomes
that increase govt regulation or expand unfunded govt mandates to the private sector. Accordingly,
the govt has relied on the incentives that the market provides as the first choice for addressing
the problem of critical infrastructure protection, and would turn to regulation only in the face of a material failure
of the market to protect the health, safety, or wellbeing of the American people.
Safeguard Civil Liberties and Privacy
The interests of security and personal privacy need not be antithetical to one another. Indeed, to a large degree, by
securing the integrity of communications over the Internet, the measures advocated in this Strategy seek to protect
individual privacy and, thus, complement those interests. Nevertheless, in crafting measures to increase the
nation's security, one must exercise caution to avoid undermining those fundamental values and characteristics of
free society that the nation is seeking to protect in the first place. Accordingly, care must be taken to respect
privacy interests and other civil liberties. Consumers and operators must have confidence that information will be
handled accurately, confidentially, and reliably.
Coordinate with Congress
To ensure that the approaches adopted to secure America's cyberspace systems enjoy broad support and
consensus, the Executive branch will work with Congress on approaches and programs to meet the goals of
our national policy. As appropriate, the Executive branch may ask Congress to enact legislation to advance this
Strategy.
Cooperate with State and Local Govts
American democracy is rooted in the precepts of federalism—a system of govt in which State govts
share power with Federal institutions. This structure of overlapping Federal, State, and local governance has more
than 87,000 different jurisdictions and provides unique opportunity and challenges for cyberspace security efforts.
State and local govts, like the Federal govt, operate large, interconnected information systems upon
which critical govt services depend.
The opportunity comes from the expertise and commitment of local agencies and organizations involved in
cybersecurity. The challenge is to develop interconnected and complementary systems that are reinforcing
rather than duplicative and that ensure essential requirements are met.
Accordingly, all critical infrastructure and cyberspace protection plans and actions shall take into consideration the
needs, activities, and responsibilities of State and local govts and first responders.
Designation of coordinating agencies
To facilitate and enhance coordination and communication between the Federal govt and the private sector upon which effective partnership depends, the govt has designated a "Lead Agency" for each of the major sectors of the economy vulnerable to infrastructure attack. The designated lead agencies, and their sector counterparts, are listed in the table on the previous page.
In addition, the Office of Science & Technology Policy (OSTP) coordinates research & development to
support critical infrastructure protection. The Office of Management & Budget (OMB) is responsible for the
development and oversight of the implementation of govtwide policies, principles, standards, and guidelines for
Federal govt computer security programs. State Dept is responsible for coordinating international outreach on
cybersecurity.
Working together, sector representatives & lead agencies assess vulnerabilities of their sectors to
cyber or physical attacks and recommend plans or measures to eliminate significant vulnerabilities. Because
technology and the nature of the threats to the nation's critical infrastructures continue to change rapidly,
sectors and lead agencies should frequently assess the reliability, vulnerability, and threat environments of
the nation's infrastructures and employ protective measures and responses that are robustly adaptive. Finally, in keeping with the partner relationship, the full authority, capabilities and resources of the govt, incl law enforcement, regulation, foreign intelligence and defense preparedness must be available, as appropriate, to ensure that critical infrastructure protection is achieved and maintained.
Cyberspace is a complex network that connects diverse infrastructures, enterprises, and nations. These
connections occur over multiple paths owned by many different operators. Securing this network does not mean
ensuring that no one element or connecting path is ever lost. Instead, it means ensuring that the network is resilient
in the face of disruption or losses, that paths may be replaced by others, and that network elements
are redundant and difficult to permanently disable. The security of individual elements within cyberspace, and their
continued evolution with changing conditions, creates this resiliency.
Thus, to create a secure and resilient cyberspace, the nation must acknowledge and act accordingly
on two strategic security principles: (1) that the security of the entire infrastructure will depend on the security of
each component, and (2) that threats and vulnerabilities will evolve, and that security must evolve at an equal or
higher rate.
Secure the parts of cyberspace to achieve security of the whole
The security of cyberspace rests on the security of all of its components. In cyberspace, attackers can be anywhere
at the speed of light. No geographic safety exists. Networks may prove vulnerable to attacks both from outside and
inside the network.
Components within an otherwise secure network may still be compromised by insiders, downloaded software, or its
compromised neighbors. Placing a wall around the perimeter of a network is not adequate to achieve security.
Once one computer or element in the network is compromised, it can be used to compromise others. Similarly,
unsecured sectors of the economy or govt can and are being used as platforms to sectors. Disruptions in
one sector also have cascading effects that can disrupt multiple other parts of the infrastructure. To combat these
vulnerabilities, the security of the infrastructure must not be dependent on a single layer, group or focal point, but
rather must be found in multiple layers, distributed defenses, and the ability to recover quickly from any
attack.
To improve cybersecurity, the nation must secure cyberspace at each level of activity. Accordingly, each individual
and sector must be aware of its roles and responsibilities in securing its part in cyberspace. Each sector and each
individual depends on the others to make cyberspace secure.
Therefore, the nation must secure cyberspace through awareness and information; identified roles and
partnerships at all levels, and through Federal leadership in securing Federal cyber systems. Such leadership also
includes preventing and deterring cybercrime, electronic espionage, and information warfare.
Rapidly evolve security measures to stay ahead of changing technology and vulnerabilities
New vulnerabilities in systems accrue at an alarming rate. Vulnerabilities are created as new software is developed
and new technologies emerge. They are identified over time and through use. At the same time, new and ever
more advanced tools are developed to exploit them. Security policies, practices, and technology must adapt. The
nation must develop a security infrastructure that can evolve one step ahead of would-be attackers.
Only now are experts beginning to imagine what impact nanotechnology and quantum computing will have on the
current cyberspace. These innovations and others will introduce unforeseen changes in the way networks operate
and the way they can be made secure. The nation must invest in education and training, technology, and
coordination of activity if it is to understand these changes and remain the world leader in the development
and application of new technologies for cyberspace security.
Highlights
This section summarizes and provides a framework for the rest of the
document. It highlights in one place the most important recommendations
that will be discussed in later sections.
Strategy
The security of cyberspace depends vitally on all owners of the nation's cyber infrastructure, from the home user to
the Federal govt. Each individual and organization has a responsibility to secure its own portion of
cyberspace. The Strategy is designed to empower each person and each organization to do its part. It provides a
roadmap for how to achieve cybersecurity and provides tools to better empower all Americans to do so.
To create this strategic roadmap, the owners of each major component of cyberspace have been developing their
own plans for securing their portions of the infrastructure. Some of these plans are already developed and are
contained in this document. Others will be added over time.
Together they will reflect a national partnership between private sectors, govt, and individuals to vigorously
create, maintain, and update the security of cyberspace.
The overall national strategic goal is to empower all Americans to secure their portions of
cyberspace.
This strategic goal will be accomplished through six major tools for empowering people and organizations to do
their part:
Summary of recommendations by section
The National Strategy calls for actions at all levels and across all sectors. Some of the major strategic innovations
called for in this document are highlighted below. A detailed discussion of each of these innovations is
included in the pages that follow.
Awareness and Information
The Strategy identifies the need for increased awareness about the vulnerability of America's cyber infrastructure
and provides information that each person, company, organization, and agency can use to help make cyberspace
more secure. It recommends:
Technology and tools
The Strategy identifies the need for increased cybersecurity-related research. It recommends:
Training and education
The Strategy addresses the existing gap between the need for qualified IT professionals and America's ability to
train and develop these workers. Specific recommendations include:
Roles and partnerships
The Strategy recognizes that all Americans have a role to play in cybersecurity, and identifies the market
mechanisms for stimulating sustained actions to secure cyberspace. It recommends:
Coordination and Crisis Management
The Strategy identifies a pressing need for a comprehensive national analysis and warning capability. It
recommends:
6 tools for empowerment discussed for each level of audience
The Strategy provides a roadmap to help Americans understand their part in securing cyberspace. To make
this roadmap easier to use, it is divided into audience levels: Level 1 for home users and small businesses,
Level 2 for large enterprises, Level 3 for sectors including govt, private industry, and higher education,
Level 4 for national issues and efforts, and Level 5 for discussion of global issues. Each of these levels and their
sub-levels will have its own strategic goal. These goals will be supported by strategic actions that the nation will
take to achieve the goals.
6 tools for empowerment (see page 11) will help drive corresponding strategic actions at each level. Some or
all of the 6 tools may be employed at each level. For example, "Awareness & Information" will help empower
the home user as well as private sector employees & Federal workers to secure their portion of
cyberspace.
Roles & partnerships will be identified and described at all levels. Not every tool will be appropriate for every
level, but, taken together, these tools will underpin all of the nation's efforts to secure cyberspace.
level 1
Cyber attacks on home user & small business
Former U.S. attorney finds skills carry over to Microsoft 4.21.08 Costas Paris Wall St Journal
Katharine Bostick, who for 11 years served as a U.S. govt atty investigating and prosecuting cases as varied as fraud, international drug smuggling and money laundering, now serves as Microsoft Corp.'s senior director of legal and corporate affairs in Asia Pacific. She joined Microsoft in 2001 and leads its regional efforts to combat cybercrime.
Immediately prior to joining Microsoft, Ms. Bostick was chief of the Organized Crime Drug Enforcement Task Force for the Pacific region in the U.S. attorney's office in San Francisco. Before that she had served as an assistant U.S. attorney in New York, the Narcotic and Dangerous Drug Section at the U.S. Justice Dept, and in Northern California.
WSJ: You moved from managing people in the public sector to managing people in the private sector. What's the difference?
Ms. Bostick: The public and private sectors both provided vital experience, because it's partnerships that enable the best results in the area I am focused on now: fighting cybercrime. Core values of integrity, honesty and being respectful apply to my job as a federal prosecutor and in Microsoft. The one difference at Microsoft is that you push your team to be self-critical. You ask them to look internally and ask what we could have done better, even if something was successful.
[At Microsoft] I need to ensure that our legal teams are integrated into the business, understand the business and listen to the needs of our business teams. Our role is to ensure that the overall business environment allows for growth and innovation, and that we achieve that success by doing the right things in the right way. We work to protect the public by ensuring the Internet is safer and more secure.
WSJ: Of the countries across Asia, which is the most difficult to deal with?
Ms. Bostick: Often, the most challenging can be where you can achieve the most success. For example, China has certainly been a journey with many challenges, and there is no quick fix as far as intellectual-property rights are concerned. In early April, the U.S. attorney general discussed the largest-ever joint operation between the FBI and the People's Republic of China against a major counterfeit-software organization worth half a billion dollars. It was an historic, win-win situation because 10 years ago this type of action wouldn't have been possible.
Today's actions are the result of years of diplomatic, legislative and public-private partnerships to build an environment that promotes innovation and protects intellectual property. When you work with foreign governments or law enforcement, the key is to win their trust, and this is an ongoing learning process, which varies from country to country.
WSJ: What was the biggest lesson you learned from your first job?
Ms. Bostick: In my first job, as a cashier and hostess at a restaurant, I saw employees at the cash register ringing zero-value receipts for customers who didn't check or take the receipts, and then pocketing the money. Management figured out what was happening and revised the checkout process to ensure accountability for each cashier. At Microsoft and with my team, I try to ensure that we have processes in place that ensure we have a culture of accountability and integrity. I try to focus on developing employees and teams who do not take short cuts to win, and I emphasize that the best way to serve our customers is to win the right way, which doesn't mean winning at any cost.
acronyms
AICPA American Institute of Certified Public Accountants
BGP Border Gateway Protocol
CIAO Critical Infrastructure Assurance Office
CISO Chief Information Security Officer
CNSS Committee on National Security Systems
CWIN Cyber Warning and Information Network
DARPA Defense Advanced Research Projects Agency
DCS Digital Control System
DDoS Distributed Denial of Service Attack
DoS Denial-of-Service attacks
DSL Digital Subscriber Line
FBIIC Financial and Banking Information Infrastructure Committee (of the PCIPB)
FCC Federal Communications Commission
FedCIRC Federal Computer Incident Response Capability
FEMA Federal Emergency Management Agency
FIRST Forum of Incident Response and Security Teams
FTC Federal Trade Commission
FY Fiscal Year
GISRA Govt Information Security Reform Act of 2000
GSA General Services Administration
ICANN Internet Corporation for Assigned Names and Numbers
IETF Internet Engineering Task Force
IHE Institution of Higher Education
IP Internet Protocol
ISAC Information Sharing and Analysis Center
ISP Internet Service Provider
IT Information Technology
ITU International Telecommunications Union
LAN Local Area Networks
NACD National Association of Corporate Directors
NCS National Communications Systems
NERC North American Electric Reliability Council
NIAC National Infrastructure Assurance Council
NIAP National Information Assurance Partnership
NIPC National Infrastructure Protection Center
NISAC National Infrastructure Simulation and Analysis Center
NIST National Institute of Standards and Technology
NS/EP National Security/Emergency Preparedness
NSA National Security Agency
NSC National Security Council
NSF National Science Foundation
NSTAC National Security Telecommunications Advisory Committee
OECD Organization for Economic Cooperation and Development
OMB Office of Management and Budget
OSTP Office of Science and Technology Policy
PCIS Partnership for Critical Infrastructure Security
PCIPB President's Critical Infrastructure Protection Board
R&D Research and Development
SBA Small Business Administration
SCADA Supervisory Control and Data Acquisition
SFS Scholarship for Service (NSF hosted)
TCP/IP Transport Control Protocol / Internet Protocol
VPN Virtual Private Network
WAN Wide Area Networks
WLAN Wireless Local Area Network
It's impossible to know how much China is spending on digital spying and censorship because the same
technology is imported by multinationals to give their local plants the same protection against viruses &
hackers as elsewhere, says BDA China's Mr Clark. "There is a legitimate inflow for dual use technology," he points
out, estimating the Chinese market at approaching $100m a year.
Sales by intl telecoms firms to build China's internet backbones are huge & well documented, $1bn in 2001 for
Cisco Systems alone. It seems likely much of the technology being used by China's security services was designed
& supplied by foreign firms. Speculation centres on how knowingly they did it, whether they modified it.
In Mr DeWoskin's view, the ties between the IT sector & intelligence services are so deep & long-standing
that "99% of it is absolutely common firewall technology that is used by govts around the world".
Meanwhile, the Communist Party seems confident that acceptable commercial savvy will always find ways to
flourish within the firewall.
With investment from UK bank HSBC, Mr Zeng has refocused Sparkice as an e-commerce supplier for foreign
retailers trying to source cheap, high quality goods in China.