[ISN] Cyber-Terrorism Analyst Warns Against Complacency

InfoSec News isn at c4i.org
Wed Apr 6 04:14:37 EDT 2005


By Ryan Naraine 
April 4, 2005 

ORLANDO, Florida - Cyber-security and counterterrorism analyst Roger 
Cressey on Monday pleaded with IT executives not to underestimate the 
threat of a "national cyber-event" targeting critical infrastructure in 
the United States.

During a keynote address at the InfoSec World 2005 conference here, 
Cressey warned against discounting the danger of the Internet being 
used in a terrorist-related attack. 

"It may not be a terrorist attack, but a cyber-event is a very, very 
serious possibility. When it happens, it will have serious economic 
impact on our critical infrastructure."

Cressey, who served as chief of staff to the president's Critical 
Infrastructure Protection Board at the White House, said there was 
enough evidence that U.S. enemies were actively using the Web to 
recruit, organize and communicate terrorism activities.

"I don't see the Internet as a means to a mass attack [on human lives] 
but we have to be aware that cyber-crime is a key component of the 
terrorism setup. We would be foolish not to assume a targeted attack 
on some aspects of national infrastructure. I don't know if we can 
protect against this type of event today," Cressey said.

The on-air counterterrorism analyst for NBC News said the rapid rate 
at which Internet security vulnerabilities were being discovered only 
adds to the worry. 

"Software vulnerabilities are being discovered at amazingly fast 
rates. [The] time to exploit continues to shrink. We're getting closer 
and closer to zero-day exploits," Cressey warned, adding that computer 
operating systems had become a target-rich environment.

"Before 9/11, we thought we had it all covered, but we had no idea 
what we're missing. There were warnings, but we never took them 
seriously. That's the mindset we need to have today regarding a 
cyber-event. We need to assume that it will happen and get ready to 
deal with it."

He said the increase in identity theft, spam and phishing attacks has 
already caused a "crisis of confidence" in the e-commerce sector. 

"Consumers go on the Internet to read the news, but they get scared to 
shop online. E-commerce will never reach its full potential," he said.

Cressey said the U.S. government's DHS (Department of Homeland 
Security) made a fundamental mistake in its early days when it threw 
resources at physical security assets without making similar investments 
in the security of critical IT infrastructure. 

"The result is they sent mixed signals to the industry. Silicon Valley 
and the private sector looked at what was happening and figured the 
government was only talking the talk without walking the walk."

He said the DHS must prioritize the risks before deciding on the level 
of spending on security, and must show leadership in the areas of 
information-sharing and advance warnings on Internet security threats.

Cressey used part of his keynote to call on VOIP (voice over IP) 
developers to put security on the front burner. 

Describing VOIP security as the great challenge of this decade, he 
said it would be a "big mistake" for another nascent industry to 
emerge without built-in protections.

"VOIP is today where the Internet was 10 years ago. Everyone 
acknowledges that security is a big issue, but no one is making it a 
top priority. We know we need to worry about it, but we're not doing 
anything about it," he said.

The growth of VOIP in the enterprise has led to several 
vulnerabilities in the technology, including the ability to launch 
denial-of-service attacks, caller-ID spoofing and the hijacking of 
voice sessions. 

"Nobody is baking security into the [VOIP] products just yet. If this 
truly becomes ubiquitous, it will be back to the future. We'll be 
scrambling to fix it just like we're scrambling today to deal with 
spam and viruses."

Cressey urged enterprise IT leaders to take a holistic approach to 
managing risks, arguing that executives must resist the urge to use 
return on investment to drive spending on security.

"Instead of ROI, you should be adopting new acronyms like ROR 
[Reduction of Risk] or ROC [Return on Compliance]."
