Information Security News mailing list archives
Q&A: On threats to the online marketplace
From: InfoSec News <isn () C4I ORG>
Date: Tue, 11 Jul 2000 01:11:38 -0500
http://www.mercurycenter.com/svtech/news/indepth/docs/qa071000.htm Posted at 11:08 a.m. PDT Monday, July 10, 2000 Jeffery Hunker, a senior director at the National Security Council's Office of Transnational Threats, recently attended a Washington, D.C., workshop on business-to-business marketplaces to warn executives about the ``dirty little secret'' of e-business. Hunker warned that most of the hardware and software used to build the New Economy is not designed to withstand hostile attacks or intrusions. In a conversation with Mercury News Staff Writer Elise Ackerman, Hunker elaborated on the national security concerns posed by e-marketplaces and information technology. Q: When people think business-to-business, they don't usually think transnational threat. Why is the National Security Council concerned about electronic marketplaces? A: We are very concerned about a rapidly emerging set of threats to our national infrastructure. These arise because we have this wonderful dependence on electronic information systems and cyber-systems on the Internet. It brings us lots of benefits that we all are enjoying. But -- and this is a big but -- none of these systems were ever designed with security in mind. What we're seeing is a range of threats emerging very rapidly. Q: What types of threats do you see? A: We've got countries like China and Russia that have publicly announced that their military and intelligence are developing the capability of breaking into U.S. computers and information systems. The Chinese have talked in terms of (a possible) confrontation with the United States (and) using electronic disruptions to our banking system. We know that there are very sophisticated terrorist groups and criminal cartels that also have the capabilities of the same sort of disruption. It could be to break into banking records, to manipulate financial markets or to steal money. It could be to break into personal records for the means of blackmail. It could be to disrupt military and government operations. It could be just to cause chaos and havoc. For example, the electric power grid now runs off of an Internet-based management system. Air traffic control is moving to an Internet-based control system. The potential exists right now to disrupt those systems, to subvert them. Q: How vulnerable are information technology systems to attack? A: In general, very vulnerable. With the spread of the Internet, we have a lot of systems that are run by people who aren't very experienced and aren't very sensitive to security. Q: Do company insiders pose a national security risk? A: There's a tremendous risk of insiders breaking into or manipulating data. Traditionally, when we think of cyber-attack, we think of some hacker on the outside breaking into the system. In fact, the bigger risk is probably the insider, and it could be the disgruntled employee who is angry at the company. It could be an individual or group of individuals who want to extort money or embezzle money. It could be industrial espionage. It could be terrorist groups that plant individuals inside, and it could be sophisticated foreign intelligence operations. All of those (could lead to) economic damage and disruption and potentially damage at a national level, damage to our military's ability to operate. Q: Is there a greater risk of foreign attack or of attacks by insiders? A: This isn't like the Cold War, where we can fly the satellites over Eastern Europe and we can count the tank brigades and the missile silos. We know that there are a number of nations hostile to us that are investing in these abilities to target the United States, to break in or disrupt the Internet and some of our computer systems. We know that there are individuals and small groups of people of whatever mental and political persuasion that have the capability -- and in some cases have exercised the capability -- to cause some disruption or to extort money or cause damage like that. Q: What is the government doing to address cyber-threats? A: Two years ago the president issued an executive order calling for the federal government to work with the private sector to begin to develop a national agenda to protect ourselves against this emerging set of threats. In January, the president released what we call Version 1 of our national plan to protect our critical information systems. And in February he had a cyber-security summit with leaders from the Silicon Valley community exactly on this issue. We're dramatically increasing the amount of basic federal research and development into cyber-security. This year we're proposing over $600 million in that area. Most importantly, though, we're working with the private sector to build a joint partnership for action. Particularly, we've been encouraging major industries to organize themselves into cyber-security centers. Q: Kind of like neighborhood watch committees? A: It's a little bit like the cyber equivalent. The major banks and major financial stock exchanges, for example, just about 12 months ago came together and created a cyber-security center where all of the participating banks can share information in real time with each other about intrusions and cyber-security threats. And the telecommunications industry, the electric power industry and the oil and gas industry are all in the process of creating similar structures. Q: Is the information you are receiving about cyber-threats coming from the intelligence agencies? A: It's really coming from a variety of sources. Some of our evidence comes from the military and intelligence and from law enforcement. And we know that there are sophisticated reconnaissances of U.S. networks. We know that there have been sophisticated efforts to systematically break into and steal data from the U.S. research laboratories, universities and the like, that have come from overseas sources. The private sector is also seeing some very sophisticated attempts at intruding into their systems. Q: Why were you at the B-to-B marketplace workshop? A: We see a real opportunity to use the growing interest in the expansion of B-to-B networks as a means of promoting cyber-security. It's clearly in the interest of all businesses that are joining these networks to ensure that the data and the networks are secure. We think there's a great opportunity to substantially improve the security of these B-to-B networks as they're being developed and to maybe develop a standard for security. Q: What would be a worst-case scenario? A: People who worry about cyber-security sometimes talk about the electronic Pearl Harbor (where) the lights go out. This is associated with perhaps a major terrorist attack. I'm more concerned about what I sometimes call the electronic Exxon Valdez, which is an incident where data is lost or networks are disrupted. It's bad for the nation, but it's really bad for the companies that are involved. I actually see the possibility of an electronic Exxon Valdez as probably being more likely to happen in the B-to-B networks, where businesses are trusting their economic livelihood to the functioning of these networks. And if these networks are disrupted or the data is destroyed there could be devastating consequences. Q: What is the White House thinking in terms of fighting cyber-threats in the future? A: We are working toward a very high-level conference organized by the White House this fall, which will include major businesses that are participating in B-to-B networks, as well as some of the companies that are developing these networks. We'll explore ways we can jointly take action to improve the overall security of the B-to-B networks. Are there ways federal research and development and procurement can be used to help improve the security of B-to-B networks? We're not looking at regulation, but we'll examine voluntary ways in which we can assist these networks and the businesses that are on them, ensuring that they are safe and reliable and the data is kept confidential. ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
Current thread:
- Q&A: On threats to the online marketplace InfoSec News (Jul 11)