U.S. IT Infrastructure Highly Vulnerable

An anonymous reader writes "The President's Information Technology Advisory Committee in their February 2005 report to GW writes "...infrastructure of the United States, which is now vital for communication, commerce, and control of our physical infrastructure, is highly vulnerable to terrorist and criminal attacks." It goes on to say that "fundamentally new approaches are needed to address the more serious structural weaknesses of the IT infrastructure" and finally offers "four key findings and recommendations on how the Federal government can foster new architectures and technologies to secure the Nation's IT infrastructure." Here is yet another, not surprising, bleak outlook for cyber security in the United States. The full 72-page report can be found here."

Re:Slashdot 1, .gov 0

[TLouden]

well there's an interesting one. Is /. going to be fined or shutdown because they have the proven potential to attack the government? And what about the person who posted this, will they arrest them for using /. to attack that governement? Would RIAA sue a nine year old, how about an old lady? Would the US attack a country because they "might" have WMDs but leave another alone because the most likely do have WMDs? Give yourself one point for answering yes to any of the above.

Re:At Least they are talking about it

[Coryoth]

There is nothing they couldn't dream up as a terrorist or other attack on the IT infrastructure that hasn't been thought up already by others, even in the terror game it is hard to be truely original. And at least by going through the exercise of thinking like an attacker they may help spur the development of better defenses, traps, early warnings, recovery procedures , what have you.

The problem is not that no one has thought about the problems of security of software assurance enough to have come up with solutions, the problem is the solutions haven't made their way out of theory and into practice. It's not that the theory is new either - a lot of the ideas are 10 years old or more. The problem is that there are too many people who are happy with what they have and never bothered to look at what the theorists have actually devised. Why do you think the NSA created SELinux? It wasn't because they were planning to create a secure operating system - they themselves say that they did it to demonstrate that such controls can easily be built into "mainstream operating system". Read that as: the've done the research, know the solutions (this sort of architecture is, research wise, quite old), and are so frustrated that no one was actually using it that they hacked it into the most mainstream OS they could just to show people how.

If you consider the task of writing secure software applications, rather than just OS architectures to vastly enhance security, there are still perfectly good options out there. If you're serious about high integrity software (be it for security, or for fault tolerance) you ought to be proving your code. No, seriously - you can statically mathematically prove your code providing you use the right tools. For instance there are things like B-method or SPARK which use allow you to actually prove the partial correctness of your code (partial correctness in the sense of "if it terminates, it terminates with these properties..."). The concept of having a separate prover as a safety and correctness checker, as opposed to letting static typing and the compiler catch the most glaring errors, seems eminently sensible. The techniques for how to do this sort of thing are quite old, and it is becoming increasingly practical to do full proofs given the power of computers these days. Again, this is the category of "something we know how to do, but mostly never bother with".

Jedidiah.

Re:At Least they are talking about it

[myowntrueself]

"The stuff used was US dot mil brand biological war prepped cooties."

Since it was prepared in military labs in the USA, I'd kinda like to know who the *intended* target of these 'cooties' was supposed to be.

I mean you don't go to all the trouble of preparing such an effective and well-developed agent without a potential use in mind; that stuff was high tech (they had trouble getting the spores to stick to the microscope slides).