[iwar] [fc:How.vulnerable.is.the.U.S..IT.infrastructure?]

From: Fred Cohen (fc@all.net)
Date: 2001-09-28 12:09:34



How vulnerable is the U.S. IT infrastructure?  
Cara Garretson, IDG News Service, 9/28/2001
http://www.itworld.com/Tech/2987/IDG010927infrastructure/?idgnet

U.S.  networks are likely targets for terrorist attacks, said lawmakers
and representatives of government agencies, academia and the IT industry
at a House of Representatives subcommittee hearing Wednesday. 

While witnesses agreed that networks are possible targets, they offered
differing opinions regarding the cause of vulnerability during testimony
to the Committee on Government Reform's Subcommittee on Government
Efficiency, Financial Management and Intergovernmental Relations. 

Representatives from university research groups maintained that
commercial software doesn't employ robust enough security to protect
government and businesses, as well as home users, from infiltration and
attacks, specifically computer viruses and worms that spread through the
Internet.  But the head of an industry association argued that the
problem is the lack of education and prioritization of security issues
by all types of users, leaving the country open to cyberattack. 

Because much of the technology used today has roots in the personal
computing era, when PCs were intended to be stand-alone devices,
protecting them from threats that arise once those systems are connected
means retrofitting software, said Richard Pethia, director of Computer
Engineering Response Team (CERT) Centers with Carnegie Mellon
University's Software Engineering Institute. 

"We're lacking security, but we have this huge installed base" of
software from the PC era, he said.  "We can build systems that are much
more robust and secure."

Countering this argument, Harris Miller, president of the Information
Technology Association of America (ITAA), said that software companies
are putting forth a "maximum effort" to produce highly secure products. 

"Customers don't want the security features," Miller said, referring to
the suggestion made many times during the hearing that companies should
ship their software with the highest possible security settings turned
on as the default.  "It's just like how do you get people to wear
seatbelts?"

Emphasis should be placed on educating the country about sound
information security practices, Miller said.  "Practicing information
security as part of homeland defense will pay massive dividends in the
future."

Another related discussion was sparked when the subcommittee chairman
Representative Stephen Horn, a Republican from California, asked how
vulnerable the Internet is to terrorist attacks. 

"The possibility is there to take down the Internet," said Michael
Vatis, director of the Institute for Security Technology Studies at
Dartmouth College, adding that routers and domain name servers are
particularly vulnerable.  These problems are well known but not
addressed, perhaps due to lack of resources or not making them high
priorities, he said. 

"Much of the Internet is very resilient," tempered CERT's Pethia, "but a
few key points like domain name servers don't have redundancy."

Fearing that such statements would lead to newspaper headlines
predicting the collapse of the Internet, Miller said that there are
risks, but the companies that manage those servers, such as VeriSign
Inc, are aware of them and are working on redundancy plans. 

One point many of the witnesses agreed upon was the need for more
government-sponsored research and development programs to help build
better security technology. 

"There's a need for more resources.  The money that most (computer
companies) spend is on short-term development.  We need long-term,
government-funded research and development," Miller said.  Government-funded
training programs aimed at producing more security specialists
would also help, he said. 

Considering that computer users today find security features difficult
to use, Vatis added that long-term research should focus on developing
software with high security levels and low end-user interference. 

"The state of the art [of security technology] today is not good
enough," he said.  "The answer is research and development to design
technology that's easier to use."

More information on the Subcommittee on Government Efficiency, Financial
Management, and Intergovernmental Relations can be found at
http://www.house.gov/reform/gefmir/.




This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:51 PDT