Information Security News mailing list archives

Q&A: On threats to the online marketplace


From: InfoSec News <isn () C4I ORG>
Date: Tue, 11 Jul 2000 01:11:38 -0500

http://www.mercurycenter.com/svtech/news/indepth/docs/qa071000.htm

Posted at 11:08 a.m. PDT Monday, July 10, 2000


Jeffery Hunker, a senior director at the National Security Council's
Office of Transnational Threats, recently attended a Washington, D.C.,
workshop on business-to-business marketplaces to warn executives about
the "dirty little secret" of e-business. Hunker warned that most of
the hardware and software used to build the New Economy is not
designed to withstand hostile attacks or intrusions. In a conversation
with Mercury News Staff Writer Elise Ackerman, Hunker elaborated on
the national security concerns posed by e-marketplaces and information
technology.


Q: When people think business-to-business, they don't usually think
transnational threat. Why is the National Security Council concerned
about electronic marketplaces?

A: We are very concerned about a rapidly emerging set of threats to
our national infrastructure. These arise because we have this
wonderful dependence on electronic information systems and
cyber-systems on the Internet. It brings us lots of benefits that we
all are enjoying. But -- and this is a big but -- none of these
systems were ever designed with security in mind. What we're seeing is
a range of threats emerging very rapidly.


Q: What types of threats do you see?

A: We've got countries like China and Russia that have publicly
announced that their military and intelligence are developing the
capability of breaking into U.S. computers and information systems.
The Chinese have talked in terms of (a possible) confrontation with
the United States (and) using electronic disruptions to our banking
system.

We know that there are very sophisticated terrorist groups and
criminal cartels that also have the capabilities of the same sort of
disruption. It could be to break into banking records, to manipulate
financial markets or to steal money. It could be to break into
personal records for the means of blackmail. It could be to disrupt
military and government operations. It could be just to cause chaos
and havoc.

For example, the electric power grid now runs off of an Internet-based
management system. Air traffic control is moving to an Internet-based
control system. The potential exists right now to disrupt those
systems, to subvert them.


Q: How vulnerable are information technology systems to attack?

A: In general, very vulnerable. With the spread of the Internet, we
have a lot of systems that are run by people who aren't very
experienced and aren't very sensitive to security.


Q: Do company insiders pose a national security risk?

A: There's a tremendous risk of insiders breaking into or manipulating
data. Traditionally, when we think of cyber-attack, we think of some
hacker on the outside breaking into the system. In fact, the bigger
risk is probably the insider, and it could be the disgruntled employee
who is angry at the company. It could be an individual or group of
individuals who want to extort money or embezzle money. It could be
industrial espionage. It could be terrorist groups that plant
individuals inside, and it could be sophisticated foreign intelligence
operations.

All of those (could lead to) economic damage and disruption and
potentially damage at a national level, damage to our military's
ability to operate.


Q: Is there a greater risk of foreign attack or of attacks by
insiders?

A: This isn't like the Cold War, where we can fly the satellites over
Eastern Europe and we can count the tank brigades and the missile
silos. We know that there are a number of nations hostile to us that
are investing in these abilities to target the United States, to break
in or disrupt the Internet and some of our computer systems.

We know that there are individuals and small groups of people of
whatever mental and political persuasion that have the capability --
and in some cases have exercised the capability -- to cause some
disruption or to extort money or cause damage like that.


Q: What is the government doing to address cyber-threats?

A: Two years ago the president issued an executive order calling for
the federal government to work with the private sector to begin to
develop a national agenda to protect ourselves against this emerging
set of threats. In January, the president released what we call
Version 1 of our national plan to protect our critical information
systems. And in February he had a cyber-security summit with leaders
from the Silicon Valley community exactly on this issue.

We're dramatically increasing the amount of basic federal research and
development into cyber-security. This year we're proposing over $600
million in that area. Most importantly, though, we're working with the
private sector to build a joint partnership for action. Particularly,
we've been encouraging major industries to organize themselves into
cyber-security centers.


Q: Kind of like neighborhood watch committees?

A: It's a little bit like the cyber equivalent. The major banks and
major financial stock exchanges, for example, just about 12 months ago
came together and created a cyber-security center where all of the
participating banks can share information in real time with each other
about intrusions and cyber-security threats. And the
telecommunications industry, the electric power industry and the oil
and gas industry are all in the process of creating similar
structures.


Q: Is the information you are receiving about cyber-threats coming
from the intelligence agencies?

A: It's really coming from a variety of sources. Some of our evidence
comes from the military and intelligence and from law enforcement. And
we know that there are sophisticated reconnaissances of U.S. networks.
We know that there have been sophisticated efforts to systematically
break into and steal data from the U.S. research laboratories,
universities and the like, that have come from overseas sources. The
private sector is also seeing some very sophisticated attempts at
intruding into their systems.


Q: Why were you at the B-to-B marketplace workshop?

A: We see a real opportunity to use the growing interest in the
expansion of B-to-B networks as a means of promoting cyber-security.
It's clearly in the interest of all businesses that are joining these
networks to ensure that the data and the networks are secure. We think
there's a great opportunity to substantially improve the security of
these B-to-B networks as they're being developed and to maybe develop
a standard for security.


Q: What would be a worst-case scenario?

A: People who worry about cyber-security sometimes talk about the
electronic Pearl Harbor (where) the lights go out. This is associated
with perhaps a major terrorist attack. I'm more concerned about what I
sometimes call the electronic Exxon Valdez, which is an incident where
data is lost or networks are disrupted. It's bad for the nation, but
it's really bad for the companies that are involved.

I actually see the possibility of an electronic Exxon Valdez as
probably being more likely to happen in the B-to-B networks, where
businesses are trusting their economic livelihood to the functioning
of these networks. And if these networks are disrupted or the data is
destroyed there could be devastating consequences.


Q: What is the White House thinking in terms of fighting cyber-threats
in the future?

A: We are working toward a very high-level conference organized by the
White House this fall, which will include major businesses that are
participating in B-to-B networks, as well as some of the companies
that are developing these networks.

We'll explore ways we can jointly take action to improve the overall
security of the B-to-B networks. Are there ways federal research and
development and procurement can be used to help improve the security
of B-to-B networks? We're not looking at regulation, but we'll examine
voluntary ways in which we can assist these networks and the
businesses that are on them, ensuring that they are safe and reliable
and the data is kept confidential.

ISN is hosted by SecurityFocus.com