Protecting the Nation's Critical Infrastructure
Guest: Washington Post reporter Barton Gellman
Thursday, June 27, 2002, 11 a.m. EDT
Join Washington Post reporter Barton Gellman for a discussion of the post-Sept. 11 drive to protect America's critical infrastructure -- everything from the Internet to water supplies -- from cyberterrorists. The White House, joined by national security and law enforcement agencies and the private sector, is working to plug holes in the information technology systems that drive much of the nation's key services.
Read Gellman's piece from today's Washington Post: "Cyber-Attacks by Al Qaeda Feared."
Submit Your Questions and Comments Now: Join Barton Gellman from 11 a.m. to Noon on Thursday.
Editor's Note: Washingtonpost.com moderators retain editorial control
over Live Online discussions and choose the most relevant questions for
guests and hosts; guests and hosts can decline to answer questions.
Poolesville, Md.:
How can Richard Clarke convince industry to shape up when Defense Dept. Chief Information Officer Stenbit is dismissing cyber-threats to critical infrastructure as "...some sophisticated, tricky cyber thing"?
Barton Gellman: Clarke is making a business case to industry, not a national security case. He's said things like this: If "all" hackers do is $15 billion in damage in a $10 trillion economy, that may not frighten you unless $100 million of it comes out of your company.
washingtonpost.com:
Thanks for joining us today. Before we get started with questions from our readers, can you tell us about how you went about reporting this story? Was this a long project, and did covering a topic like "cyberterrorism" present journalistic challenges you had not seen before?
Barton Gellman: It took six weeks of work, off and on, with breaks for other stories. It's hard to do in much the same way as most stories are hard to do in the new war on terror. Which is, much of what we want to know is secret. Another level of difficulty is understanding the technical details, then writing them in plain English, then deciding which ones to withhold to avoid giving recipes to bad guys. We withheld a lot.
Odenton, Md.:
Remote control of utilities' distributed control systems via the Internet has been implicated as a vulnerable point for cyberterrorist attacks. However, most talk of increased security involves the design of improved data encryption safeguards, not private computer networks. Could you talk about the unique vulnerabilities of linking device controls to the Internet, and why there is so little attention given to de-connecting these devices from the Internet? Thank you.
Barton Gellman: There are two main avenues of new security. One is to keep people out of the networks on which the remote control devices are present. There are points of entry now by radio, broadband and dial-up modems. The other is to make it harder (by encryption, authentication, etc.) to control the devices if you can talk to them. The reason there's so little talk of taking them off line is that utilities are now dependent on the connections. Any company is. The Washington Post used to know how to put out a newspaper without the Internet, even without computers, but we couldn't go back to that today -- not without vast difficulty, anyway.
Castle Shannon, PA:
Truly frightening story this morning. Lots of questions for you, Mr. Gellman. Is it possible that cyberterrorists could change train signals and cause major railroad crashes? And how about our subway systems? What are the possibilities there? And finally, why weren't these threats taken more seriously earlier?
Barton Gellman: Trains and subways use some of the same digital controls the story talked about, so in theory these are possible avenues of attack. No one *knows* it would work, but it's a concern. Besides complacency and the lack of urgency of the pre-9/11 world, the reason this did not come up much earlier is that only recently have the bulk of these remote control systems been hooked up to the Internet.
Reston, Va.:
This week we are learning about a $3.8 billion accounting fraud scandal at the second largest voice and data communications firm in the United States. Has the existence of such massive fraud by the senior management of a company engaged in a critical infrastructure activity caused anyone to question if WorldCom's operations side has been adequately protected from terrorist infiltration?
Barton Gellman: Not that I know of. Seems to me they're separate questions, but you could have a point worth inquiring about.
Falls Church, Va.:
In your reporting, did you come across much information on the government's plans to create a new, "secure" Internet for critical communications?
Barton Gellman: I'm aware of it, but it won't solve the main problem, which is that 90 percent of the nation's critical infrastructure is private.
Baltimore:
Is this a remote possibility, or is this likely to occur? If likely, does this mean that terrorists actually could cause grave harm to Americans and/or the economy?
Barton Gellman: Most of the people I talked to think it likely al Qaeda and others will try this sort of thing, and nearly all of them think it will be synchronized with another form of attack. Taking down electricity in a limited area, say part of a city, is not a catastrophe by itself (storms do it sometimes) but it can be a much bigger deal if it coincides with an emergency that requires hospitals, subways, 911 dispatches and so on.
D.C.:
On Sept. 11, the nation's telecommunications system held up fairly well. But the attacks that day were focused on two physical locations. How much planning is in place to restore vital communications in the wake of a coordinated physical and digital attack?
Barton Gellman: Actually, the WTC collapse came *very* close to physically destroying a huge communications switch that is exactly the kind of thing a cyberterrorist might aim for. But it held up. Every big business and especially utility has recovery plans, but in many cases they don't have good models to understand what they'd be recovering from. No one is going to take down the nation's phones or power grid in one fell swoop, or take down parts of it for a very long time. The issue is whether they can take down part of it for long enough to amplify the effects of another attack. For dams, railroads and other big structures -- say, pipelines -- the issue could be irreversible damage (water released, rail cars collide, pipelines breach).
Seattle, Wash.:
I believe a possible solution to getting companies invested in national security with regards to their installed systems, is to make them legally and substantially accountable for the disasters that may arise because of their lack of due diligence. This would put a fire under them to get involved.
Moreover it should be a requirement of these potential new laws to have some security agency such as the FBI test these companies for compliance. These tests could be done unannounced, in the form of pseudo-strikes, with subsequent reports delivered to the companies on their compliance to the legal requirements as well as informing these companies of any other discovered vulnerabilities to their systems.
This type of legal structure is analogous to what we use for industrial pollution. No one is forcing a company to use digital control systems. But if a company deems them necessary then that company should also be accountable for its decisions in doing business in this manner in this country.
In this way industries could protect their investments and their liabilities and not have to give up their civil liberties in the process. At the same time this would help national security agencies achieve their desired goals.
Barton Gellman: A milder version of this seems to be coming. The federal government (at the National Information Assurance Program, among other places) is setting detailed security standards for systems it will buy. It's a big customer, and it will influence other customers. Insurance companies will probably begin to impose comparable conditions for issuing policies. So the administration is trying to influence market forces. The problem here is that there are probably "externalities" that make the market an imperfect protector of national security. For instance: a company might stand to lose $50 million in a certain type of hacking disaster, but the disaster for that company could cascade into something that killed a lot of people or inflicted 100 times more damage elsewhere. So the company's risk-benefit calculations don't reflect the social values.
Arlington, Va.:
You obviously did a lot of legwork and talked extensively with all of the intelligence parties involved in cybersecurity for the federal government. Given that the administration is planning to fold a number of depts. responsible for reaching out to industry on cybersecurity into its proposed Homeland Security agency, what was your impression of the quality of communication between these different agencies?
Barton Gellman: On this they seem to have a lot of interagency cooperation, and they keep adding new interagency groups -- CIAO, NIAP, PCIPB, CWIG and others. (This is how they talk -- some of them don't even remember what the acronyms stand for.)
Dallas, Texas:
Dear Barton: Have you seen the AP story which broke today that links the Russian Mafia to identity theft at college campuses? This story ties in well with a GAO report released on June 25, 2002.
Barton Gellman: Didn't see the story but Russian mafia has some of the world's most accomplished black hat hackers, and they're for sale.
Columbia, MD:
Do you think the government should approve software - just like the FDA approves new drugs - to make sure they meet certain security standards?
washingtonpost.com:
Is anyone in government talking about an approach like this?
Barton Gellman: My earlier answer alluded to this. The Bush administration does not want a regulatory approach here, but by setting standards for federal purchase it thinks it can create de facto market requirements.
McLean, VA:
I think it's important to clarify what we mean by "on the Internet." I think people assume that the Internet can be equated to the World Wide Web, which most of us (somewhat correctly) perceive to be a big, open, unsecure method for getting any and all kinds of data from point "A" to "Z." In point of fact, there are many businesses, government agencies, utility companies and so forth that may use the -Internet Protocol- to link up their devices (in the sense that using IP gets them to speak a common language, lowers cost of development and so forth) -- but they run these IP devices on private, or highly secure, infrastructure: dedicated lines, private radio networks, VSAT satellite systems, and so forth. Having said that, perhaps I only have a familiarity with the companies that are doing things -right- (I work in the industry), and that there are a lot of people out there just asking for trouble. Your thoughts?
Barton Gellman: Some of these devices (distributed control systems, and supervisory control and data acquisition systems) actually have their own IP addresses on the Internet, though of course you couldn't browse into them with Internet Explorer or Netscape. Others have private networks but they're accessible by dial-up modem or radio transmissions on published frequencies. Still others are linked to corporate intranets behind firewalls but the firewalls aren't as good as the companies who use them think they are.
New York City:
This is an interesting issue. Suppose al Qaeda targets the domain name system, for example. There are only so many 'root-servers' which drive the entire system. If they were ALL attacked at the same time, it could create a DNS outage, meaning nobody could reach any Web sites until the attack stopped, unless you knew the numeric IP address of the site ahead of time. The answer to this is to create more root-server slaves which are harder to attack. With the advent of modern distributed denial of service attacks, and armies of trojan virus drones, this is not an impossible scenario at all.
Barton Gellman: I didn't even talk about this scenario, which is called a Distributed Denial of Service attack. This of course has already happened on a pretty big scale to sites like Yahoo. As you know but maybe others here don't, a DDoS attack uses holes in the security of thousands or even millions of home and office computers and turns them, in effect, into zombies. So one person can tell many, many computers to fire packets of information at a single target. Those packets aren't harmful individually but collectively they overwhelm the system.
Los Angeles:
If a defense contractor to the government makes a faulty aircraft part or rocket engine part, there's a huge uproar, Congressional investigations and media scrutiny. Yet if Microsoft or Oracle sell faulty software resulting in security breaches or problems due to bugs, there's nary a word about it, why the disconnect? How can our government in good conscience buy Microsoft products when it's plainly obvious they fail due to security and other defects?
Barton Gellman: Not sure. I wonder whether the levels of complexity are comparable. Millions of lines of code in an operating system, which then interacts with thousands of other products. Maybe rocket engines are that complex. I don't know.
wiredog:
Your story got on the front page of slashdot (http://slashdot.org/article.pl?sid=02/06/27/0449259&mode=thread&tid=172), and I noticed one reaction, that I'm also seeing in this forum. Everyone is assuming that 'remote access' means 'over the internet'. It doesn't. Many of the infrastructure systems are remotely accessible over phone (or power) lines, but not over the internet. The article could perhaps have been a bit clearer on that point.
I used to do programming for industrial automation systems, and many of them were remotely accessible. But they were small enough that security was achieved through unplugging the phone line. The power grid requires a bit more monitoring.
Barton Gellman: The article and my previous answer said other points of entry are radios and modems. But I agree it was a challenge to write precisely about technical issues in plain English, and one or the other always risks being compromised.
York, PA:
Not a question, but a comment...
Those who operate in the critical infrastructure environment need to become involved in InfraGard, if they haven't already. This is a cooperative venture between the FBI and private industry. Most don't know of it, and we need to get the word out.
Please refer such people to InfraGard at www.infragard.net to find the contacts for their local chapter so they may become involved. Thanks!
Barton Gellman: InfraGard is where Ron Dick and Ron Ross were speaking. In just a couple of years it has grown from 200+ to 4,000+ corporate members, which is encouraging. See http://www.infraguard.net/
Washington DC:
Uh, wasn't the internet designed by the Defense Department specifically to withstand attacks? So that if, say, Washington blows up, messages can still get anywhere they need to go (well, except to Washington, of course...)?
Seems the problem is with devices that connect TO the internet, right? That seems to be a real problem. I get the sense that warnings like this are somewhat akin to saying "Terrorists Plan Tricycle Attacks", and warning that if a terrorist loaded with weapons is on a tricycle, we're all in grave danger. It's not the tricycle that is the problem.
Barton Gellman: Not sure I buy the tricycle analogy. The infancy of the Internet was a set of direct links between a small number of defense establishments, but they were mainly academic or quasi academic, and it never had great security. Now that it has, what?, hundreds of millions of nodes, it certainly isn't secure. And unlike a tricycle, it is inherently part of the risk because this threat wouldn't be a threat without it.
Washington, D.C.:
You mention potential disasters such as widespread flooding or power grid failures, but fail to include how human responsiveness to these potential electronic attacks fits into the overall calculus of potential harm. Wouldn't employees whose companies or agencies are attacked by cyber terrorists be able to respond in a timely enough manner so as to effectively correct or neutralize problems before they affect systems to the point where millions of lives are at risk? Or are there methods terrorists could employ to electronically prevent efforts to correct the problems they seek to create?
Barton Gellman: I was careful not to claim that millions of lives are at risk. I do assume that if, for instance, a dam's floodgates opened, someone would notice (after how long?) and try to close them. But if someone else has the digital controls, it could take a while to get those controls back. It took a long, long time to do so in the Australia sewage case. So now I'm wondering, is there some big manual valve and a guy to start turning it?
Alexandria, Va:
How come no one questions the access of the foreign born worker to information of this nature? In the software industry we've pretty much turned over much of our programming and data management work to foreigners (h1b temp workers) many who may not have our best interest in mind. Yet no one questions this.
Barton Gellman: More than half the Ph.D.s awarded in the US in computer network security were awarded to foreign nationals in the last three years. That: (1) reflects shortage of interest among Americans (2) is part of the great strength of this country in attracting the world's best talent (3) probably does represent some degree of risk. That is one, but only one, reason why the government would like to be able to vet people in critical jobs in critical industries.
Bethesda MD:
The issue of liability for security failures has emerged in this discussion. Regarding Los Angeles's comment regarding faulty software, I think a recent article in the MIT Technology Review is an excellent analysis of this issue, and actually calls for MORE LAWYERS to help internalize the currently externalized costs of sloppy code.
Software programmers know they are releasing buggy software, but their employers demand speed and new releases so that the revenues keep flowing. Engineers in every other field would not dream of releasing products that are so essential to public safety with known defects, but software companies have been given a free pass.
Barton Gellman: A good point about bugs v. speed. Also true of security v. speed. A three-month lag to market in the hardware/software business is a lifetime, because the shelf life of these products is so short. And that's why market incentives, until now, have let speed win the battle.
Alexandria, Va.:
How vulnerable is the financial industry to these types of attacks? Seems like the banks etc. would be the ones that have spent the most time trying to protect their IT infrastructure from outside abuse.
Barton Gellman: I guess I think there's no time in the history of any warfare in which defense has been ahead and stayed ahead. It's an iterative contest. So anyone could be vulnerable. But the financial industry, among the eight critical sectors, is generally considered the most secure. Maybe because the little bits and bytes in that business are *actual money* and that's what the industry is about.
Washington, DC:
So, what's to be done? Do we sit back and wait to be attacked or be proactive in some way? What does the average citizen need to know about being prepared for a scenario like this actually happening, and how to survive?
Barton Gellman: I wouldn't say the stakes are individual survival, except in the sense that we're all potentially vulnerable to terrorist attack. Do keep some perspective on numbers. 6,000 Americans die every day of all causes; on Sept 11 there was a 30-something percent spike. Believe me I understand the horror of that catastrophe -- I was there and watched the second tower fall -- but it's also true that highways and bad diet will kill a lot more of us.
As for what is to be done: There are always tradeoffs between security and other values. In cyberspace security has been losing. With more attention to this at the *top* levels of government and industry, and public interest, that is beginning to change.
Bethesda MD:
It seems clear to me that using the bully pulpit and making vague appeals to "patriotism" will not be enough to get private industry to make the very substantial investments needed to protect their part of the infrastructure. That's not the way our economy works. As one of the Post's guests said in a chat yesterday, the economy can be explained by four words: "People respond to incentives."
What are the incentives for private industry?
First and foremost, the bottom line. Can a business case be made based on the security threat alone that companies in this uncertain economy should invest heavily in upgrading security to protect against an unknown risk? It's very very difficult to make a logical business case based on that. Try it.
Private industry also responds to liability risks. With Y2K, there was no new "Y2K Liability Law" that was passed, yet industry made enormous investments because this was a KNOWN bug/event that had measurable impact, and that companies knew would result in major liability litigation if they failed to take reasonable steps. Here, the uncertain nature of the risk and impact hampers the "avoid liability" incentive from taking hold, but there's something here that might work.
Third, there's regulation. Private industry abhors regulation in most instances. However, if regulation is logical, reasonable, applies equally across the board, contains financial incentives/credits to offset costs, and does not create unfair advantage for foreign competitors who are not subject to the same regulation, then, though industry will complain and grumble, some will be secretly pleased at being "forced" to do what's ultimately right for the country, but perhaps not optimal for shareholders in a "business case" mindset.
So.... I'm thinking that unless Dick Clarke figures out how to make a business case for this investment (short of scare tactics and general patriotic appeals), we will need to focus on the second two avenues above. Is he thinking along those lines, or is the Bush Administration and the Republican Party going to shy away from a legalistic/regulatory approach to what is, by definition, a national security and defense issue?
Barton Gellman: John Tritak at the Commerce Dept. said exactly that in my story today.
Berkeley,CA:
If that "huge communications switch" had been destroyed or disabled, what would have been the effects on our communications infrastructure?
Would there have been backup switches that would have picked up the lost functions?
Barton Gellman: I don't understand this in detail. I was told that it would have simply cut off telephones on a small regional scale. There certainly are recovery plans but I don't know how long they'd take. For another example, there are only two super-junctions in the continental U.S. (I'm saying no more about what/where they are but they're not closely guarded secrets) through which *all* Internet traffic passes.
Washington, D.C.:
We hear a lot about the experts in the administration who are leading the cyber defense effort. But are there any key players in Congress or the states who are playing key roles?
Barton Gellman: I wanted room to mention this. There are a bunch of legislators energized on this and quite well informed, including Lieberman, Bennett and Kyl.
Arlington, VA:
For years now, oil pipeline companies have used private satellite networks from companies like Spacenet and Hughes to perform all their mission critical switching operations. Why can't the rest of the nation's "critical infrastructure" follow their lead and deploy similar, secure technology?
Barton Gellman: On one level, I'm not sure they "can't." As the article said, the power companies are leaning toward building themselves a whole private internet (technically, a private wide area network) -- but that's a vast and time consuming investment. On another level, efficient operations will always press companies to connect these secure networks to computers that are not as secure. The Defense Department has classified and unclassified systems, and never the twain (are supposed to) mix. Maybe industry needs to move that way.
Dothan, Ala.:
Every security professional with a couple of years experience knows there's no single solution "silver bullet" for information security. No single vendor has all the best of breed tools, so why is it that the government is reviewing single vendor solutions as an answer? Trying to make strategic business / political partnerships is actually working against security. The way to enhance the security posture for the critical infrastructure is to use the best tool, whether it's open source or commercial. Why doesn't the government look for the best of breed tool for each area and then a tool to consolidate all the data.
Barton Gellman: At NSA, NIST, and NIAP (which is a collaboration between them) they are talking very directly about the fact that single products aren't the whole problem, that bigger systems and systems of systems that combine the products have to be considered.
As for the debate over proprietary versus open source solutions, John Stenbit at Pentagon has been quoted as saying he doesn't care which he uses as long as it's the best tool for the job.
washingtonpost.com:
If Hoover dam was hacked, what would it flood, and what dams are near major cities?
washingtonpost.com:
As an online sidebar to Gellman's piece, there's a link to more information on the Web, including a list of the nation's biggest dams.
Washington, D.C.:
In reading your story, it's clear that there are many key people in government who take cybersecurity very seriously. But I'm wondering, is cybersecurity seen as on par with other types of security within the national security structure? Or do Clarke and his colleagues find themselves taking a back seat to the Pentagon etc.? For that matter, how seriously does the military take cybersecurity?
Barton Gellman: For its own command, control and communication systems, and other computer nets, the military takes security very seriously. It thinks a lot about how to attack an adversary's info systems and about how to protect its own. Which is not to say it's perfect. Look up clips on "Solar Sunrise" and other breaches. In other departments, and in competition with other dimensions of national security, cybersecurity certainly took a back seat. That began to change with Presidential Decision Directive 63 in 1998, under Clinton, and again in October with the creation of Clarke's new office -- the President's Critical Infrastructure Protection Board.
wiredog (again):
Security Link-O-Rama:
The Hacker Crackdown, written in 1992 by Bruce Sterling, goes into some detail about security in cyberspace. It's interesting that the same issues are still, well, issues. It's available online. (Legally! The author says "You can copy this electronic book." He wants you to!)
Another good place to look for security discussion is the Crypto-Gram by Bruce Schneier, a security expert and author of Applied Cryptography and Secrets and Lies. You might want to interview him and get his reaction to your story.
O'Reilly Publishing has some good books, aimed at the general reader, about digital privacy and security.
Barton Gellman: Thanks. I don't know all these links, but I pass them on.
Reston, Va:
To NYC: The Post had an article in recent months about the security of the root servers.
Bruce Schneier has written about the influence of liability on security in his crypto-gram
washingtonpost.com:
The Post's piece on root servers is online here.
Barton Gellman: Thanks for that too.
Arlington, Va.:
Great story. If a major cyber-attack occurs, does the government have enough technical whizzes to fix it quickly? And if not, has anyone considered organizing a big group of volunteer programmers from the private sector to be on call if needed?
Barton Gellman: Nobody has enough. The public private partnerships like InfraGard are supposed to be more preventive. I don't know whether anyone has organized a swat team.
Oklahoma City, Okla.:
What is the practicality of taking these critical external control systems offline until their security can be enhanced? Does this stuff really need to be remotely controlled via the Internet or is it just convenient for the companies in question?
Barton Gellman: I think many of the companies have reorganized their operations in ways that depend critically on the connections. They've also dismantled the systems they used to use. So an analogy might be whether we could go back to telegraphs. That's not true in all cases and some people think there are systems that should be taken off line right now.
Alexandria, Va.:
Congressman Howard Berman of Los Angeles is proposing legislation which would make it legal for recording companies to hack their way into webservers that illegally provide music.
If such legislation passes, would it lead to an increase in the availability and sale of legal hacking tools?
It would give such tools a legitimate purpose. Stores could sell them for the alleged purpose of helping people protect their copyrights.
washingtonpost.com:
The legislation that this reader is referencing has not been officially introduced, but Berman gave a description of it earlier this week -- see related coverage.
Barton Gellman: Hacking tools, according to a recent government study, are growing at the rate of 40 or 50 a month, so I don't know that this proposal would change much in that sense.
Thank you for all the great questions, and sorry I couldn't get to them all.
washingtonpost.com:
That wraps up today's show. Thanks to everyone who joined the
discussion.
© Copyright 2002 The Washington Post Company