U.S. IT Infrastructure Highly Vulnerable

An anonymous reader writes "The President's Information Technology Advisory Committee in their February 2005 report to GW writes "...infrastructure of the United States, which is now vital for communication, commerce, and control of our physical infrastructure, is highly vulnerable to terrorist and criminal attacks." It goes on to say that "fundamentally new approaches are needed to address the more serious structural weaknesses of the IT infrastructure" and finally offers "four key findings and recommendations on how the Federal government can foster new architectures and technologies to secure the Nation's IT infrastructure." Here is yet another, not surprising, bleak outlook for cyber security in the United States. The full 72-page report can be found here."

Yeah

Secure, is what IT ain't!

Slashdot 1, .gov 0

[squidgyhead]

Unfortunately, we have already managed to obliterate the server on which the document is hosted, so now no one will be able to read it, and won't know how to stop this from happening in the first place.

Is slashdotting a .gov site an act of terrorism?

Re:Slashdot 1, .gov 0

[TLouden]

well there's an interesting one. Is /. going to be fined or shutdown because they have the proven potential to attack the government? And what about the person who posted this, will they arrest them for using /. to attack that governement? Would RIAA sue a nine year old, how about an old lady? Would the US attack a country because they "might" have WMDs but leave another alone because the most likely do have WMDs? Give yourself one point for answering yes to any of the above.

Re:Slashdot 1, .gov 0

[MadMartigan2001]

You not only have rights, you also have obligations. Part of being a citizen is the acceptance of those obligations. You have to pay taxes and serve on juries.

That's an interesting point. In fact, the king of England said those exact same things to the American colonists just before the war of Independence. And a funny thing happened, the people we call the founding fathers of the United States, you know, those guys who said that "all men are created equal", told the king to stuff it.

So by that example, it appears that freedom loving people, who care about their country and their fellow citizens, have the "obligation" to voice their opposition to oppressive laws, rules and regulations, and refuse to submit if their conscience dictates so.

If the Congress decides that it is necessary, you may be drafted into military service.

If the congress decides? Where did you get that idea from? Where, in the Constitution or the bill of rights, does it says anything about submitting to a draft?

In fact, I see that the 13Th amendment to the Constitution specifically says that "involuntary servitude" is not acceptable in the United States.

Yes, we have a draft, but perhaps you should research where the draft originated and the ramifications it has on your freedom, or lack of. A draft means you can be drafted for any reason that, according to you, the congress deems appropriate. You know, not long ago it was legal to own black people, and illegal for women to vote. Would you gladly "serve" your country if the congress drafted you to repress blacks and women? Hmmmm?

There is no free lunch.

No, there is not. But there is this little thing called freedom. A concept that seems to be hard for some people to comprehend. A concept which requires people to think for themselves and make their own decisions and allow others the same privilege.

With one statement you just trampled on the inalienable rights of every citizen of the United States and allowed for the possibility that each and every one of us could be drafted against our will and forced to kill other human beings, simply because a small group of people (the congress) decries it.

The icons of history are those who stand up for principles of freedom and equality. Does anyone remember the names of the 1000's of police officers who did not think for themselves and simply enforced the segregation laws? No, we remember Martin Luther King. Does anyone remember the names of millions of men who repressed women for decades and did not allow them to vote or own property? No, we remember Susan B. Anthony and Elizabeth Cadey Stanton.

Will anyone remember your name?

Re:You bet. /.ed already.

[TLouden]

or maybe the terrorist took it down to keep there secret protected...

At Least they are talking about it

[Fox_1]

I don't know if this is just to increase paranoia or not in the US, but if there are security issues it is better that they talk about them, bring them out into the "open" so to speak. There is nothing they couldn't dream up as a terrorist or other attack on the IT infrastructure that hasn't been thought up already by others, even in the terror game it is hard to be truely original. And at least by going through the exercise of thinking like an attacker they may help spur the development of better defenses, traps, early warnings, recovery procedures , what have you.

Re:At Least they are talking about it

[Coryoth]

There is nothing they couldn't dream up as a terrorist or other attack on the IT infrastructure that hasn't been thought up already by others, even in the terror game it is hard to be truely original. And at least by going through the exercise of thinking like an attacker they may help spur the development of better defenses, traps, early warnings, recovery procedures , what have you.

The problem is not that no one has thought about the problems of security of software assurance enough to have come up with solutions, the problem is the solutions haven't made their way out of theory and into practice. It's not that the theory is new either - a lot of the ideas are 10 years old or more. The problem is that there are too many people who are happy with what they have and never bothered to look at what the theorists have actually devised. Why do you think the NSA created SELinux? It wasn't because they were planning to create a secure operating system - they themselves say that they did it to demonstrate that such controls can easily be built into "mainstream operating system". Read that as: the've done the research, know the solutions (this sort of architecture is, research wise, quite old), and are so frustrated that no one was actually using it that they hacked it into the most mainstream OS they could just to show people how.

If you consider the task of writing secure software applications, rather than just OS architectures to vastly enhance security, there are still perfectly good options out there. If you're serious about high integrity software (be it for security, or for fault tolerance) you ought to be proving your code. No, seriously - you can statically mathematically prove your code providing you use the right tools. For instance there are things like B-method or SPARK which use allow you to actually prove the partial correctness of your code (partial correctness in the sense of "if it terminates, it terminates with these properties..."). The concept of having a separate prover as a safety and correctness checker, as opposed to letting static typing and the compiler catch the most glaring errors, seems eminently sensible. The techniques for how to do this sort of thing are quite old, and it is becoming increasingly practical to do full proofs given the power of computers these days. Again, this is the category of "something we know how to do, but mostly never bother with".

Jedidiah.

Re:At Least they are talking about it

[misleb]

When an Internet worm destroys two buildings in New York City and kills thousands of people, THEN maybe you can compare 13 year old boys with too much time on their hands with terrorists. Until then, lets leave terrorism out of this. Ok? There is no comparison. I dont' care how much money Internet worm X costs companies, it doesn't compare to shit blowing up and people dying.

-matthew

Re:At Least they are talking about it

[orthogonal]

"Any type of attack nowadays will be labeled terroristic."

You mean like Republican Majority Leader Tom DeLay calling removing brain-dead Terry Schiavo's feeding tube medical terrorism?

(The link is to Delay's own site: he's proud of invoking the spectre of terrorism to justify unprecedented government intrusion into personal medical decisions. DeLay also threatened to hold a judge in contempt of Congress for quashing a Congressional subpoena issued to compel the brain dead woman to testify. (Since removed form a conservative web site).

Now, before some winger decides to mod this off-topic, let me spell out what has this to do with IT security.

Very simple: our current "leaders" have shown they'll label anything -- even the legally uncontroversial, medically backed decisions of US judges -- as "terrorism", just in order to win points with their core fundamentalist Christian constituency.

If they'll do it about the private medical decisions of a family, they'll sure as hell do it about IT, if they think they can gain something by so doing. And they've shown that even if that "terrorism" label is obviously bunkum of the first order, they'll go ahead and use it.

Hey, it worked to get us into a pointless war in Iraq: remember when we were told about WMDs and Saddams "ties" to terrorists?

Like the boy who cried wolf, it should be clear by now that when a leading politician (and Delay is only one step away from being Speaker of the House of Representatives, the third in line of presidential succession, he's no fringe politician ) calls something "terrorism", we need to understand he's doing it to whip up our fears -- not to make us safer, but to get what he wants.

Re:At Least they are talking about it

[zogger]

The anthrax attack caused passage of the Patriot Act, which was stalled in the senate at the time (kinda). They rushed it through, zillion pages, none of them cretins who voted for it even read it. The stuff used was US dot mil brand biological war prepped cooties. Should be sorta obvious what's going on.

but you are correct on "spontaniety" and such like, and relative ease of assymetrical warfare. And it's fairly telling that since then there have been zero attacks despite how many dozen warnings of impending attacks and code whatever color "alerts" and protestations for years there were 'terrorist sleeper cells" hanging about. Them boys been real asleep it appears......

And they still haven't finished the lawsuits filed by some government whistleblowing agents who got warned off investigating after they started getting some real evidence, embarrasing evidence that pointed upstream to white guys in dark suits. Again, sorta obvious what's going on. And the 9-11 whitewash committee, pretty funny if it wasn't serious.

I think it's all right to say it, it's been a pretty spiffy coup d'etat. Just a little smoother than your typical third world coup, that's all, lot more media sound bites and slick advertiseoganda pieces on the newzzzzz.

Re:At Least they are talking about it

[myowntrueself]

"The stuff used was US dot mil brand biological war prepped cooties."

Since it was prepared in military labs in the USA, I'd kinda like to know who the *intended* target of these 'cooties' was supposed to be.

I mean you don't go to all the trouble of preparing such an effective and well-developed agent without a potential use in mind; that stuff was high tech (they had trouble getting the spores to stick to the microscope slides).

Re:At Least they are talking about it

[ScentCone]

When an Internet worm destroys two buildings in New York City and kills thousands of people, THEN maybe you can compare 13 year old boys with too much time on their hands with terrorists.

First, let's define what a terrorist is. Where do you draw the line? 3000 people dead? 300? 30? 3? I say that someone who deliberately sets out to cause havoc, knowing that their actions will cost jobs, induce fear, require cleanup, new security measures, etc.... that person is terrorizing their audience/victims, and is a terrorist. Some are more effective at smashing store windows during witless demonstrations than they are killing people, and some are more effective at burning cash in the economy as businesses, schools, and grandmas fight malware, and some manage to kill thousands of people - but they all, by choice and deed, are causing pain, expense, suffering, and sometimes death. Those are terrorists, varying only in scope and effectiveness.

Now, is the 14 year old kid that's in to model rocketry a terrorist when his latest experiment goes sideways and catches someone's hayfield on fire? An idiot, perhaps, but not arguably someone that set out to terrorize the farmer or cost the township thousands of dollars to put out the blaze. Is the 14 year old kid that's deliberately looking for malware to kiddie-script into his own flavor and set loose in an attempt to be cool or flail against "corporations" (while using corporately made computer parts, listening to his decidedly not made-by-old-world-artisans iPod, wearing his corporately made clothing, and still alive past childbirth and unafflicted by polio and other nasties because of corporately made medical supplies) the same? No. He's intent on damage, and on making the news. He's a terrorist, just a lame one. But he's in the same camp as the guys who would blow up bridges or poison wells: chaos, fear, damage - all in the name of recognition.

Don't think hackers can physically damage things? Right here is someone's copy-and-paste of a recent article about infrastructure threats from hackers. The director of the federal agency tasked with worrying about this stuff "wished he was wearing a diaper" while watching a demo of a guy hacking a SCADA-controlled turbine at a power generating plant. Just a few clicks, turn off the lube oil pump, and you're out millions of dollars of equipment and have a piece of the grid down for weeks or months. Multiply that times several power plants at the peak of a hot August Friday night across, say, most of California, and you're going to get deaths from failed safety equipment, chaos and social damage as often happens in those circumstances, and a huge economic upheaval.

Where do the folks with an axe to grind get the chops for that stuff? From young, net-savvy kids with, as you put it, "too much time on their hands" who are disaffected, susceptible to bent ideolgies because of the feeling of inclusion, and easily intimidated. Whether young people like that are tools, or have it in them to dream up and execute stuff like this on their own, for their own Columbine-like revenge fantasy reasons, don't dismiss it as just kids' stuff. The consequences for millions of lives, jobs, and for history could be huge.

Lastly, if you (as you do seem to) consider the 9/11 attacks as terrorism - what would you have been willing to tolerate, law-enforcement-wise, intelligence-gathering-wise, to prevent them? What should the people in Spain have been willing to put up with at their train stations before 3/11? Would any of us have tolerated the preventative measures before that stuff happened? Will we have the same conversation after a large municipal drinking water supply gets raw sewage pumped into it by a cranky ex-employee who knows that the SCADA system controlling the treatment plant still has the factory default password set? Or, posts that info on some forum where a 13-year-old kid with "too much time on his hands" decides to try his hand at it?

It would be a...

[Phidoux]

... true indication of the US governments commitment to security if they moved away from M$ operating systems.

Sick of hearing about cyber-terrorism.

[GeorgeMcBay]

Seriously, the whole "cyber-terrorism" boogeyman is one of the worst things to be exploited after 9/11, and that's saying something considering how much exploiting people have been doing. Honestly, terrorists are NOT interested in cracking databases and DDOSing the Internet. They just aren't. That doesn't spread FEAR or TERROR, just annoyance.

I'm not doubting that this report is accurate in so far as systems are insecure, but the real danger is from script kiddies and other such people, NOT TERRORISTS. Using the word so far out of context to drum up interest (and thus funding) is despicable.

Re:Sick of hearing about cyber-terrorism.

[Matilda+the+Hun]

...but the real danger is from script kiddies and other such people...

Actually, the real danger are the federal employees who don't update their horribly vulnerable software, open random attachments to their emails, click on the pop-up ads telling them their computer is insecure, and give their passwords out to social engineers over the phone. Which, of course, make it easy for the script kiddies and other such people to run well-known and documented but apparently still dangerous exploits because people are too stupid and lazy to do anything about them.

Perhaps I'm just paranoid but...

[bmw]

It always worries me when I see the current administration saying things like this...

highly vulnerable to terrorist and criminal attacks."

fundamentally new approaches are needed to address the more serious structural weaknesses of the IT infrastructure

It isn't that they aren't right... It's just that whenever they go on and on about terrorists threatening our way of life it seems all they really want is to implement new ways of taking away our rights without actually protecting us at all.

Sure wish I could actually read the article. :-\

Excuse to go forward with Trusted Computing?

[Anti-Trend]

I haven't RTFA (who can, it was /.'ed almost instantly), but this sounds a bit like a segway into trusted computing -- or paladium, or whatever MS is calling it. I would love to believe they'd get the clue and go OSS, but with the amount of sugar-daddy financial pull MS has with our government officials, I just can't put any hope in that theory.

Another source for the report

[StefanSavage]

http://lazowska.cs.washington.edu/CyberSecurity.pd f

Perfect /. quote

[TLouden]

if found this /. quite (from the bottom of the page) to be perfect:
"The biggest problem with communication is the illusion that it has occurred."
considering that the server was /.ed AND is supposed to be talking about a failure of communication. Anybody else like it?

Re:Education

[cptgrudge]

Yeah. Kinda sucks when all that money goes to "administrative" positions making six figures.

Just a single example, but when you have a principal and an assistant principal at each school, both making 100,000+ $USD, that money gets used up in a hurry. Why don't they spend some of that money on teachers to lower class size? It's a bunch of stupid politics, and the students continue to suffer for it. There are dozens of other positions like that. I can see a need for a single principal, but what about all these other stupid positions?

In the High School at the K-12 district where I worked before, the "assistant principal" fixed his three sons' grades before he got caught and had to "resign to pursue other opportunities", and the "normal principal" was caught (by me) surfing porn after hours. Fucking brilliant.

Can you tell I'm jaded?

Crying Wolf

[schmobag]

This all seems a little alarmist. Our IT infrastructure is far more secure than our physical infrastructure, because our IT infrastructure has grown up under constant threats from script kiddies, trojans, and worms. 9/11 was possible because we have (or had) a basically open, trusting society. That's not true online.

Servers across the internet are under constant attack from all kinds of viruses, worms, and malicious hackers. Even the most successful viruses amount to little more than annoyances, and can be easily protected against by any systems administrator worth his salt. Like the human immune system, continuous exposure to cyber-pathogens results in our information infrastructure growing increasingly good at resisting and fending off attacks.

There's no reason to think that Islamic terrorists would be any more competent virus writers than those that currently plague us. In fact, given the backwardness of the arab countries where most islamic terrorists come from, I think there's good reason to think they would be less competent as computer programmers than people from other parts of the world. The only significant difference between cyber terrorists and today's virus writers is motivation. Most virus writers are interested in the technological challenge, and want to show off their prowess. They don't really want to do any damage. Others are more sinister, and try to install keystroke loggers or bots in order to steal your credit card numbers or extort money from people threatened with having their servers brought down by an attack from an army of compromised computers. Cyber-terrorists, on the other hand, would want to cause some spectacular failure that would grab all the headlines. Unfortunately for them, the systems that the terrorists would like to bring down are administered by professionals, people who are a lot more sophisticated than a grandma who forgets to update her anti-virus definitions.

Finally, two more features of our information infrastructure make it resistant to catastrophic failure. First, it is resilient. Our information infrastructure is largely owned by private industry, and is supported by an army of trained to quickly get systems back up and running should they ever be brought down. Second, and more importantly, the systems that comprise the infrastructure are diverse. No program can run natively on a Cisco router, an Apache webserver, and a Microsoft SQL server. It's therefore extremely unlikely that a single program could bring the nation's cyber infrastructure to its knees.

Re:Education

[josh3736]

From your link:

President Bush today unveiled his plans to build upon the success of the historic No Child Left Behind education reforms ...

I wasn't aware the Iraqi Information Minister worked for the US government now.

The only thing that piece of shit legislation does is give the kids more tests to suffer through. It adds no actual "accountability" to schools. Instead of teachers preparing their students for what they might actually need in life, they focus on only what's going to be on the test. What happens when some struggling inner-city school gets shut down because their kids don't pass their proficiency tests? They disperse into other schools and bring their scores down, resulting in less funding for those schools. Brilliant.

If Bush has added $13 billion in education funding, I'd like to know where it went. Districts all over are struggling just to keep the lights on. They are being forced to go to the voters for property tax increases. It's not a pleasant situation for anyone. The kids suffer because all their extracurriculars get cut and the property owners suffer because their taxes go up.

The state of education in Ohio (where both of my parents are in the field) is abysmal. Over 10 years ago, the state's Supreme Court ruled our school funding system was unconstitutional. Yet here we are 10+ years later, and the Legislature hasn't done a damned thing about it. My dad is convinced they're trying to kill public education, and from what I see, it's working. People are getting laid off, everything outside of the State Board of Ed.'s required curriculum is being cut, and the kids suffer. They've even cut bussing. It's really a very unfortunate situation.

In conclusion, fuck our incompetent politicans. I'm sick of agendas (as they almost always end up screwing the common man).

"cyberterrorism" - the paper tiger

I think it's an insult to victims of 9/11 and other real terrorism around the globe to call any attack on a *computer network* "terrorism".

I know it's trendy to attach the word "terrorism" to everything you don't like (Microsoft: "industrial terrorism", some politician just today: "medical terrorism"), but can we at least reserve it for cases when somebody might *die*?

Yes, our economy will suffer a major blow from an attack on our computer networks, but if you give me a choice between having to become a farmer to feed myself and *DYING* in a suicide attack, I think I'll take the former.

But one thing is true: our computers are horribly insecure and are at risk not ONLY from terrorists, but from pimply-faced teenagers that live down the street. And it doesn't matter what license your software uses or what OS it runs. The fact is that there aren't many programmers out there who bother writing secure software, and even fewer customers who demand it.

Re:You bet. /.ed already.

[Alsee]

I located two other government sources here and here.

Another poster also found it here.

I'd like to point out that while there is no direct mention of Trusted Computing, it calls for a "fundamentally different architecture", some sections mostly later in the paper apprear to describe Trusted Computing functionality, the experts they cite all appear to be Trusted Computing speciallists and proponents (in particular David Spafford was the author of the semi famous WHY_TCPA and TCPA_REBUTTAL papers), at least some of the committee members appear to have Trusted Computing ties, and an earlier Cyber Security Advisor gave a speech at the Washington D.C. Tech summit calling for Trusted Computing and for ISPs to eventually make it a mandatory part of terms of service for internet access. A call to fight worms and viruses and to Secure the National Information Infrastucture against terrorist attacks, to defend against Osama bin Laden himself. Yes, he actually cited bin Laden by name. chuckle.

-

Having worked on .gov systems as a contractor

[Exter-C]

Having worked on some .gov systems over my time the bigget problem is often that the resources are spread very thinly across the country. They really need each department to invest in people that will just focus on keeping things upto date.

Primary focus can be desktop and internet facing systems. This can be made alot easier. Windows update for example is much more reliable than it has been in the past (not perfect but better). And most unix systems are compatable with systems like pkgsrc which would make it much easier to at least try and resist incoming attackers.

Having centralised management and control over all systems would be a great start. Thats something that many countries have however from my experience many american departments have different staff in different offices/regeons making the mismatch in staff quality and skillset diverse enough to affect security.

What about the bigger problems?

[Oriumpor]

The security of a network is a combination of factors:
Technological
Physical
Social

We can fight the battles in the technological front till we're blue in the face, but the temp at the front desk is a hole you'll probably never close.

In my head obvious questions this document failed to address are as follows:
How many people have access to your data center?

How many people have access to your most remote networked buildings?

Scrolling through this document there is no mention of the greatest security challenges facing IT today. Worms have been around since before the public internet, and as IT warriors we fight those battles constantly.

Ignoring the other aspects of "cyber" security is folly and tantamount to IT security suicide.