Slashdot Mirror

← Back to Stories (view on slashdot.org)

U.S. IT Infrastructure Highly Vulnerable

Posted by timothy on from the duh dept.

An anonymous reader writes "The President's Information Technology Advisory Committee in their February 2005 report to GW writes "...infrastructure of the United States, which is now vital for communication, commerce, and control of our physical infrastructure, is highly vulnerable to terrorist and criminal attacks." It goes on to say that "fundamentally new approaches are needed to address the more serious structural weaknesses of the IT infrastructure" and finally offers "four key findings and recommendations on how the Federal government can foster new architectures and technologies to secure the Nation's IT infrastructure." Here is yet another, not surprising, bleak outlook for cyber security in the United States. The full 72-page report can be found here."

7 of 324 comments (clear)

  1. Re:Slashdot 1, .gov 0 by TLouden · · Score: 5, Interesting

    well there's an interesting one. Is /. going to be fined or shutdown because they have the proven potential to attack the government? And what about the person who posted this, will they arrest them for using /. to attack that governement? Would RIAA sue a nine year old, how about an old lady? Would the US attack a country because they "might" have WMDs but leave another alone because the most likely do have WMDs? Give yourself one point for answering yes to any of the above.

    --
    -Tim Louden
  2. Re:At Least they are talking about it by Coryoth · · Score: 5, Interesting

    There is nothing they couldn't dream up as a terrorist or other attack on the IT infrastructure that hasn't been thought up already by others, even in the terror game it is hard to be truely original. And at least by going through the exercise of thinking like an attacker they may help spur the development of better defenses, traps, early warnings, recovery procedures , what have you.

    The problem is not that no one has thought about the problems of security of software assurance enough to have come up with solutions, the problem is the solutions haven't made their way out of theory and into practice. It's not that the theory is new either - a lot of the ideas are 10 years old or more. The problem is that there are too many people who are happy with what they have and never bothered to look at what the theorists have actually devised. Why do you think the NSA created SELinux? It wasn't because they were planning to create a secure operating system - they themselves say that they did it to demonstrate that such controls can easily be built into "mainstream operating system". Read that as: the've done the research, know the solutions (this sort of architecture is, research wise, quite old), and are so frustrated that no one was actually using it that they hacked it into the most mainstream OS they could just to show people how.

    If you consider the task of writing secure software applications, rather than just OS architectures to vastly enhance security, there are still perfectly good options out there. If you're serious about high integrity software (be it for security, or for fault tolerance) you ought to be proving your code. No, seriously - you can statically mathematically prove your code providing you use the right tools. For instance there are things like B-method or SPARK which use allow you to actually prove the partial correctness of your code (partial correctness in the sense of "if it terminates, it terminates with these properties..."). The concept of having a separate prover as a safety and correctness checker, as opposed to letting static typing and the compiler catch the most glaring errors, seems eminently sensible. The techniques for how to do this sort of thing are quite old, and it is becoming increasingly practical to do full proofs given the power of computers these days. Again, this is the category of "something we know how to do, but mostly never bother with".

    Jedidiah.

    --
    Craft Beer Programming T-shirts
  3. Re:At Least they are talking about it by dj245 · · Score: 3, Interesting
    And at least by going through the exercise of thinking like an attacker they may help spur the development of better defenses, traps, early warnings, recovery procedures , what have you.

    Problem is all the nastiest attacks are out of the blue and most of them are original and creative. If Shoe-bomber had succeeded we wouldn't have a clue how the plane went down other then an explosion in the passenger compartment. That time a lot of people got lucky.

    Oh and the anthrax mailings? Never did hear who was behind that. The actual killings it caused was pretty limited, but the panic and havok it induced was worth 2 tons of white powder.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  4. "cyberterrorism" - the paper tiger by Anonymous Coward · · Score: 4, Interesting

    I think it's an insult to victims of 9/11 and other real terrorism around the globe to call any attack on a *computer network* "terrorism".

    I know it's trendy to attach the word "terrorism" to everything you don't like (Microsoft: "industrial terrorism", some politician just today: "medical terrorism"), but can we at least reserve it for cases when somebody might *die*?

    Yes, our economy will suffer a major blow from an attack on our computer networks, but if you give me a choice between having to become a farmer to feed myself and *DYING* in a suicide attack, I think I'll take the former.

    But one thing is true: our computers are horribly insecure and are at risk not ONLY from terrorists, but from pimply-faced teenagers that live down the street. And it doesn't matter what license your software uses or what OS it runs. The fact is that there aren't many programmers out there who bother writing secure software, and even fewer customers who demand it.

  5. Re:At Least they are talking about it by myowntrueself · · Score: 5, Interesting

    "The stuff used was US dot mil brand biological war prepped cooties."

    Since it was prepared in military labs in the USA, I'd kinda like to know who the *intended* target of these 'cooties' was supposed to be.

    I mean you don't go to all the trouble of preparing such an effective and well-developed agent without a potential use in mind; that stuff was high tech (they had trouble getting the spores to stick to the microscope slides).

    --
    In the free world the media isn't government run; the government is media run.
  6. Re:Microsoft OS zombies are a big reason why. by mattyrobinson69 · · Score: 3, Interesting

    or 'provide' a firewall for all users that are running as zombies

  7. Malicious Code by rlds · · Score: 3, Interesting
    Page 39 of the report says:

    In the future, the Nation may face even more challenging problems as adversaries - both foreign and domestic - become increasingly sophisticated in their ability to insert malicious code into critical software.

    I don't agree this is a future danger, it's a present danger. First, I don't think sophistication is needed as code is rarely inspected carefully in proprietary software. The theory behind open source is that everyone will be able to check the code and problems will be caught that way. But you have to admit that not everything can be open source.

    Second, critical code is getting developed in all sorts of places, increasingly offshore. Companies make those offshoring decisions based on their own bottomline, not the national security interests and that is not going to change anytime soon.