U.S. IT Infrastructure Highly Vulnerable

Posted by timothy on Sun Mar 20, 2005 12:58 AM
from the duh dept.
An anonymous reader writes "The President's Information Technology Advisory Committee in their February 2005 report to GW writes "...infrastructure of the United States, which is now vital for communication, commerce, and control of our physical infrastructure, is highly vulnerable to terrorist and criminal attacks." It goes on to say that "fundamentally new approaches are needed to address the more serious structural weaknesses of the IT infrastructure" and finally offers "four key findings and recommendations on how the Federal government can foster new architectures and technologies to secure the Nation's IT infrastructure." Here is yet another, not surprising, bleak outlook for cyber security in the United States. The full 72-page report can be found here."
This discussion has been archived. No new comments can be posted.
  • Yeah (Score:4, Insightful)

    by Anonymous Coward on Sunday March 20 2005, @12:59AM (#11989115)
    Secure, is what IT ain't!
    • by Oriumpor (446718) on Sunday March 20 2005, @10:55AM (#11990842) Homepage Journal
      The security of a network is a combination of factors:
      Technological
      Physical
      Social

      We can fight the battles in the technological front till we're blue in the face, but the temp at the front desk is a hole you'll probably never close.

      In my head obvious questions this document failed to address are as follows:
      How many people have access to your data center?

      How many people have access to your most remote networked buildings?

      Scrolling through this document there is no mention of the greatest security challenges facing IT today. Worms have been around since before the public internet, and as IT warriors we fight those battles constantly.

      Ignoring the other aspects of "cyber" security is folly and tantamount to IT security suicide.
  • by dtfinch (661405) * on Sunday March 20 2005, @01:00AM (#11989119) Journal
    That was fast. www.nitrd.gov was /.ed even before the article went public for non-subscribers. Or maybe it went down some other way. Netcraft says they've been running a pretty old Apache.
    • by TLouden (677335) on Sunday March 20 2005, @01:04AM (#11989139)
      or maybe the terrorist took it down to keep their secret protected...
    • by Alsee (515537) on Sunday March 20 2005, @03:08AM (#11989513) Homepage
      I located two other government sources here [nitrd.gov] and here. [iwar.org.uk]

      Another poster also found it here. [washington.edu]

      I'd like to point out that while there is no direct mention of Trusted Computing, it calls for a "fundamentally different architecture", some sections mostly later in the paper appear to describe Trusted Computing functionality, the experts they cite all appear to be Trusted Computing specialists and proponents (in particular David Spafford was the author of the semi famous WHY_TCPA and TCPA_REBUTTAL papers), at least some of the committee members appear to have Trusted Computing ties, and an earlier Cyber Security Advisor gave a speech at the Washington D.C. Tech summit calling for Trusted Computing and for ISPs to eventually make it a mandatory part of terms of service for internet access. A call to fight worms and viruses and to Secure the National Information Infrastructure against terrorist attacks, to defend against Osama bin Laden himself. Yes, he actually cited bin Laden by name. chuckle.

      -
      • running as "trusted code" immune to any possible attempts by the user to make them stop short of unplugging the computer.

        And they want to make ISPs require TCPA for Internet access?

        I'm sure that TCPA advocates will be telling us that this is impossible...

        Of course, the Titanic was unsinkable, too.

  • by squidgyhead (613865) on Sunday March 20 2005, @01:02AM (#11989131)
    Unfortunately, we have already managed to obliterate the server on which the document is hosted, so now no one will be able to read it, and won't know how to stop this from happening in the first place.

    Is slashdotting a .gov site an act of terrorism?

    • by TLouden (677335) on Sunday March 20 2005, @01:13AM (#11989179)
      well there's an interesting one. Is /. going to be fined or shut down because they have the proven potential to attack the government? And what about the person who posted this, will they arrest them for using /. to attack that government? Would RIAA sue a nine year old, how about an old lady? Would the US attack a country because they "might" have WMDs but leave another alone because they most likely do have WMDs? Give yourself one point for answering yes to any of the above.
      • God I know that's probably dripping with sarcasm - and 10 years ago, it would be modded as funny...

        but damn - we aren't far off. these days, that post is insightful.

        scary.
          • You not only have rights, you also have obligations. Part of being a citizen is the acceptance of those obligations. You have to pay taxes and serve on juries. If the Congress decides that it is necessary, you may be drafted into military service. There is no free lunch.
            • by MadMartigan2001 (766552) on Sunday March 20 2005, @09:16AM (#11990409)
              You not only have rights, you also have obligations. Part of being a citizen is the acceptance of those obligations. You have to pay taxes and serve on juries.


              That's an interesting point. In fact, the king of England said those exact same things to the American colonists just before the war of Independence. And a funny thing happened, the people we call the founding fathers of the United States, you know, those guys who said that "all men are created equal", told the king to stuff it.

              So by that example, it appears that freedom loving people, who care about their country and their fellow citizens, have the "obligation" to voice their opposition to oppressive laws, rules and regulations, and refuse to submit if their conscience dictates so.

              If the Congress decides that it is necessary, you may be drafted into military service.


              If the congress decides? Where did you get that idea from? Where, in the Constitution or the bill of rights, does it say anything about submitting to a draft?

              In fact, I see that the 13th amendment to the Constitution specifically says that "involuntary servitude" is not acceptable in the United States.

              Yes, we have a draft, but perhaps you should research where the draft originated and the ramifications it has on your freedom, or lack of. A draft means you can be drafted for any reason that, according to you, the congress deems appropriate. You know, not long ago it was legal to own black people, and illegal for women to vote. Would you gladly "serve" your country if the congress drafted you to repress blacks and women? Hmmmm?

              There is no free lunch.


              No, there is not. But there is this little thing called freedom. A concept that seems to be hard for some people to comprehend. A concept which requires people to think for themselves and make their own decisions and allow others the same privilege.

              With one statement you just trampled on the inalienable rights of every citizen of the United States and allowed for the possibility that each and every one of us could be drafted against our will and forced to kill other human beings, simply because a small group of people (the congress) decries it.

              The icons of history are those who stand up for principles of freedom and equality. Does anyone remember the names of the 1000's of police officers who did not think for themselves and simply enforced the segregation laws? No, we remember Martin Luther King. Does anyone remember the names of millions of men who repressed women for decades and did not allow them to vote or own property? No, we remember Susan B. Anthony and Elizabeth Cady Stanton.

              Will anyone remember your name?
      • Little old ladies (Score:3, Interesting)

        When asked by the Supreme Court if a little old lady, in Switzerland, unknowingly giving money to a group involved in terror activities would be considered a terror suspect, the Government's official position was "yes, of course".

        Slashdot may well be classed as a terrorist threat. It allows dissemination of "dangerous" information, the questioning of technical strategy, the promotion of "communist" ideals (ie: a sense of community, rather than paranoia), the repeated DDoS attacks against discussed sites,

  • by Fox_1 (128616) on Sunday March 20 2005, @01:06AM (#11989147) Homepage
    I don't know if this is just to increase paranoia or not in the US, but if there are security issues it is better that they talk about them, bring them out into the "open" so to speak. There is nothing they couldn't dream up as a terrorist or other attack on the IT infrastructure that hasn't been thought up already by others, even in the terror game it is hard to be truly original. And at least by going through the exercise of thinking like an attacker they may help spur the development of better defenses, traps, early warnings, recovery procedures, what have you.
    • by Coryoth (254751) on Sunday March 20 2005, @01:28AM (#11989237) Homepage Journal
      There is nothing they couldn't dream up as a terrorist or other attack on the IT infrastructure that hasn't been thought up already by others, even in the terror game it is hard to be truly original. And at least by going through the exercise of thinking like an attacker they may help spur the development of better defenses, traps, early warnings, recovery procedures, what have you.

      The problem is not that no one has thought about the problems of security of software assurance enough to have come up with solutions, the problem is the solutions haven't made their way out of theory and into practice. It's not that the theory is new either - a lot of the ideas are 10 years old or more. The problem is that there are too many people who are happy with what they have and never bothered to look at what the theorists have actually devised. Why do you think the NSA created SELinux? It wasn't because they were planning to create a secure operating system - they themselves say [nsa.gov] that they did it to demonstrate that such controls can easily be built into "mainstream operating system". Read that as: they've done the research, know the solutions (this sort of architecture is, research wise, quite old), and are so frustrated that no one was actually using it that they hacked it into the most mainstream OS they could just to show people how.

      If you consider the task of writing secure software applications, rather than just OS architectures to vastly enhance security, there are still perfectly good options out there. If you're serious about high integrity software (be it for security, or for fault tolerance) you ought to be proving your code. No, seriously - you can statically mathematically prove your code providing you use the right tools. For instance there are things like B-method [b-core.com] or SPARK [praxis-his.com] which allow you to actually prove the partial correctness of your code (partial correctness in the sense of "if it terminates, it terminates with these properties..."). The concept of having a separate prover as a safety and correctness checker, as opposed to letting static typing and the compiler catch the most glaring errors, seems eminently sensible. The techniques for how to do this sort of thing are quite old, and it is becoming increasingly practical to do full proofs given the power of computers these days. Again, this is the category of "something we know how to do, but mostly never bother with".

      Jedidiah.
    • by dj245 (732906) on Sunday March 20 2005, @02:16AM (#11989381) Homepage
      And at least by going through the exercise of thinking like an attacker they may help spur the development of better defenses, traps, early warnings, recovery procedures, what have you.

      Problem is all the nastiest attacks are out of the blue and most of them are original and creative. If Shoe-bomber had succeeded we wouldn't have a clue how the plane went down other than an explosion in the passenger compartment. That time a lot of people got lucky.

      Oh and the anthrax mailings? Never did hear who was behind that. The actual killings it caused were pretty limited, but the panic and havoc it induced was worth 2 tons of white powder.

      • by zogger (617870) on Sunday March 20 2005, @04:13AM (#11989732) Homepage Journal
        The anthrax attack caused passage of the Patriot Act, which was stalled in the senate at the time (kinda). They rushed it through, zillion pages, none of them cretins who voted for it even read it. The stuff used was US dot mil brand biological war prepped cooties. Should be sorta obvious what's going on.

        but you are correct on "spontaneity" and such like, and relative ease of asymmetrical warfare. And it's fairly telling that since then there have been zero attacks despite how many dozen warnings of impending attacks and code whatever color "alerts" and protestations for years there were "terrorist sleeper cells" hanging about. Them boys been real asleep it appears......

        And they still haven't finished the lawsuits filed by some government whistleblowing agents who got warned off investigating after they started getting some real evidence, embarrassing evidence that pointed upstream to white guys in dark suits. Again, sorta obvious what's going on. And the 9-11 whitewash committee, pretty funny if it wasn't serious.

        I think it's all right to say it, it's been a pretty spiffy coup d'etat. Just a little smoother than your typical third world coup, that's all, lot more media sound bites and slick advertiseoganda pieces on the newzzzzz.
        • by myowntrueself (607117) on Sunday March 20 2005, @04:53AM (#11989825)
          "The stuff used was US dot mil brand biological war prepped cooties."

          Since it was prepared in military labs in the USA, I'd kinda like to know who the *intended* target of these 'cooties' was supposed to be.

          I mean you don't go to all the trouble of preparing such an effective and well-developed agent without a potential use in mind; that stuff was high tech (they had trouble getting the spores to stick to the microscope slides).
      • by ShieldW0lf (601553) on Sunday March 20 2005, @02:28AM (#11989422) Journal
        I don't know why they refer to it as a terrorist attack in the first place. A terrorist attack has as its motivation the creation of chaos and fear. Attacking a shopping center or an amusement park or a bus would be terrorism. The attacks that occurred against the US on Sept 11th 2001 weren't terrorist attacks at all. They were attacks on the control centers for the military and the economy and on the commander in chief. Those aren't "chaos and fear, nothing is safe" targets, they are logical military targets, somewhere you shouldn't realistically expect NOT to be a target.

        Stop perpetuating the "terrorist" propaganda, will you? It's in your best interest to do so... you're just facilitating the wild-west style power grab going on in your country.
      • by orthogonal (588627) on Sunday March 20 2005, @03:09AM (#11989517) Journal
        "Any type of attack nowadays will be labeled terroristic."

        You mean like Republican Majority Leader Tom DeLay calling removing brain-dead Terri Schiavo's feeding tube medical terrorism [majorityleader.gov]?

        (The link is to DeLay's own site: he's proud of invoking the spectre of terrorism to justify unprecedented government intrusion into personal medical decisions. DeLay also threatened to hold a judge in contempt of Congress for quashing a Congressional subpoena issued to compel the brain dead woman to testify.) (Since removed from a conservative web site) [64.233.167.104].

        Now, before some winger decides to mod this off-topic, let me spell out what has this to do with IT security.

        Very simple: our current "leaders" have shown they'll label anything -- even the legally uncontroversial, medically backed decisions of US judges -- as "terrorism", just in order to win points with their core fundamentalist Christian constituency.

        If they'll do it about the private medical decisions of a family, they'll sure as hell do it about IT, if they think they can gain something by so doing. And they've shown that even if that "terrorism" label is obviously bunkum of the first order, they'll go ahead and use it.

        Hey, it worked to get us into a pointless war in Iraq: remember when we were told about WMDs and Saddam's "ties" to terrorists?

        Like the boy who cried wolf, it should be clear by now that when a leading politician (and DeLay is only one step away from being Speaker of the House of Representatives, the third in line of presidential succession, he's no fringe politician) calls something "terrorism", we need to understand he's doing it to whip up our fears -- not to make us safer, but to get what he wants.
        • by misleb (129952) on Sunday March 20 2005, @02:11AM (#11989367)
          When an Internet worm destroys two buildings in New York City and kills thousands of people, THEN maybe you can compare 13 year old boys with too much time on their hands with terrorists. Until then, let's leave terrorism out of this. Ok? There is no comparison. I don't care how much money Internet worm X costs companies, it doesn't compare to shit blowing up and people dying.

          -matthew
          • True, but consider the fact that economic damage is very real and serious.

            If a company (and its reputation) gets sufficiently hurt, it may have to close or fire staff. These folks may lose their homes quite easily, especially if many flood the marketplace due to mass firings.

            While it may sound cold, the death of 3000 folks on that day was incidental to the major damage done. The US economy was rebounding, that got stalled. Shipping got more expensive (due to increased security and energy costs). Personal
          • by ScentCone (795499) on Sunday March 20 2005, @07:59AM (#11990155)
            When an Internet worm destroys two buildings in New York City and kills thousands of people, THEN maybe you can compare 13 year old boys with too much time on their hands with terrorists.

            First, let's define what a terrorist is. Where do you draw the line? 3000 people dead? 300? 30? 3? I say that someone who deliberately sets out to cause havoc, knowing that their actions will cost jobs, induce fear, require cleanup, new security measures, etc.... that person is terrorizing their audience/victims, and is a terrorist. Some are more effective at smashing store windows during witless demonstrations than they are killing people, and some are more effective at burning cash in the economy as businesses, schools, and grandmas fight malware, and some manage to kill thousands of people - but they all, by choice and deed, are causing pain, expense, suffering, and sometimes death. Those are terrorists, varying only in scope and effectiveness.

            Now, is the 14 year old kid that's in to model rocketry a terrorist when his latest experiment goes sideways and catches someone's hayfield on fire? An idiot, perhaps, but not arguably someone that set out to terrorize the farmer or cost the township thousands of dollars to put out the blaze. Is the 14 year old kid that's deliberately looking for malware to kiddie-script into his own flavor and set loose in an attempt to be cool or flail against "corporations" (while using corporately made computer parts, listening to his decidedly not made-by-old-world-artisans iPod, wearing his corporately made clothing, and still alive past childbirth and unafflicted by polio and other nasties because of corporately made medical supplies) the same? No. He's intent on damage, and on making the news. He's a terrorist, just a lame one. But he's in the same camp as the guys who would blow up bridges or poison wells: chaos, fear, damage - all in the name of recognition.

            Don't think hackers can physically damage things? Right here [interesting-people.org] is someone's copy-and-paste of a recent article about infrastructure threats from hackers. The director of the federal agency tasked with worrying about this stuff "wished he was wearing a diaper" while watching a demo of a guy hacking a SCADA-controlled turbine at a power generating plant. Just a few clicks, turn off the lube oil pump, and you're out millions of dollars of equipment and have a piece of the grid down for weeks or months. Multiply that times several power plants at the peak of a hot August Friday night across, say, most of California, and you're going to get deaths from failed safety equipment, chaos and social damage as often happens in those circumstances, and a huge economic upheaval.

            Where do the folks with an axe to grind get the chops for that stuff? From young, net-savvy kids with, as you put it, "too much time on their hands" who are disaffected, susceptible to bent ideologies because of the feeling of inclusion, and easily intimidated. Whether young people like that are tools, or have it in them to dream up and execute stuff like this on their own, for their own Columbine-like revenge fantasy reasons, don't dismiss it as just kids' stuff. The consequences for millions of lives, jobs, and for history could be huge.

            Lastly, if you (as you do seem to) consider the 9/11 attacks as terrorism - what would you have been willing to tolerate, law-enforcement-wise, intelligence-gathering-wise, to prevent them? What should the people in Spain have been willing to put up with at their train stations before 3/11? Would any of us have tolerated the preventative measures before that stuff happened? Will we have the same conversation after a large municipal drinking water supply gets raw sewage pumped into it by a cranky ex-employee who knows that the SCADA system controlling the treatment plant still has the factory default password set? Or, posts that info on some forum where a 13-year-old kid with "too much time on his hands" decides to try his hand at it?
          • 9/11 wasn't the worst thing one group of humans has done to another. Let us be honest about what we really are, in fact more people died in Rwanda through the 90's by 13 year old boys carrying guns, than in 9/11. The word genocide [bbc.co.uk] is used to describe that. I understand the holier than thou attitude, but remember the point of my post was to point out that it isn't just terrorists (which the original article/report focuses on) but any group or individual dedicated enough to attacking the infrastructure tha
  • It would be a... (Score:4, Insightful)

    by Phidoux (705500) on Sunday March 20 2005, @01:07AM (#11989152) Homepage
    ... true indication of the US government's commitment to security if they moved away from M$ operating systems.
  • by GeorgeMcBay (106610) on Sunday March 20 2005, @01:07AM (#11989153)
    Seriously, the whole "cyber-terrorism" boogeyman is one of the worst things to be exploited after 9/11, and that's saying something considering how much exploiting people have been doing. Honestly, terrorists are NOT interested in cracking databases and DDOSing the Internet. They just aren't. That doesn't spread FEAR or TERROR, just annoyance.


    I'm not doubting that this report is accurate in so far as systems are insecure, but the real danger is from script kiddies and other such people, NOT TERRORISTS. Using the word so far out of context to drum up interest (and thus funding) is despicable.

    • ...but the real danger is from script kiddies and other such people...

      Actually, the real danger are the federal employees who don't update their horribly vulnerable software, open random attachments to their emails, click on the pop-up ads telling them their computer is insecure, and give their passwords out to social engineers over the phone. Which, of course, make it easy for the script kiddies and other such people to run well-known and documented but apparently still dangerous exploits because people are too stupid and lazy to do anything about them.
  • by bmw (115903) on Sunday March 20 2005, @01:08AM (#11989159)
    It always worries me when I see the current administration saying things like this...

    highly vulnerable to terrorist and criminal attacks."

    fundamentally new approaches are needed to address the more serious structural weaknesses of the IT infrastructure

    It isn't that they aren't right... It's just that whenever they go on and on about terrorists threatening our way of life it seems all they really want is to implement new ways of taking away our rights without actually protecting us at all.

    Sure wish I could actually read the article. :-\
    • It always worries me when I see the current administration saying things like this..

      Did it worry you when the previous administration said exactly the same things?

      Wired News - Jan. 22, 1999 [wired.com]
      "President Clinton drew a nightmarish portrait of 21st century terrorism on Friday and asked Congress for more than US$2.8 billion to defend against chemical and germ warfare and protect computer networks.
      [...]
      Clinton described a world of frightening terror scenarios involving nerve gas, germ attacks, and computer h

      • by Ohreally_factor (593551) on Sunday March 20 2005, @02:10AM (#11989362) Journal
        Because we haven't seen as naked a power grab since. . .ever?

        At least you knew that Clinton wouldn't get away with too much in the way of hurting our civil liberties, because the Republicans controlled Congress for most of his Presidency. And despite Clinton's fiscal conservatism, he was a liberal at heart, so he wasn't interested so much in curtailing civil liberties as he was in growing social welfare programs, i.e., growing the "feel good" side of government, often at the expense of defense programs. One of the things I respect about Clinton is that he was at least realistic about fiscal responsibility, so we could actually pay for the programs he wanted. (Just a note: I'm not totally against social welfare programs, I just suspect the liberal tendency to go overboard on them and attempt to solve all of our problems.)

        Bush, on the other hand, might talk a good game of conservatism, but his actions speak differently. And so it is with his and congress's actions to "protect our liberty". Bush pays lip service to conservative ideals, but at heart he is a criminal who will do anything to gain more power for himself or his friends.

        There are many many examples, far too many to list. So, I'll just mention the latest in a long line of power grabs, some minor, some major. Schiavo.

    • Indeed, as soon as a largely domestic problem starts to get (at least hypothetically) attributed to international terrorists, one can't help but worry that it's because domestic criminal policy is beginning to be actively conflated with international military policy. Maybe these are policy areas that one needn't much worry about conflating if one is, say, Iceland. But when one is the United States, conflating international military policy and domestic security policy can be an exceptionally scary thing.
  • I haven't RTFA (who can, it was /.'ed almost instantly), but this sounds a bit like a segway into trusted computing -- or paladium, or whatever MS is calling it. I would love to believe they'd get the clue and go OSS, but with the amount of sugar-daddy financial pull MS has with our government officials, I just can't put any hope in that theory.
    • "... this sounds a bit like a segway into trusted computing..."

      At least we'll be riding into trusted computing in style; those Segways are hip, from what I hear. At least, riding on one of those, we'll be sure to segue into the new trusted architecture without ever falling over!
    • Someone kindly provided an alternate link to the report (http://lazowska.cs.washington.edu/CyberSecurity.pdf [washington.edu]) and if MS or similar have a hand in it, it's fairly well removed - most of the committee seem to be academics from a variety of Universities around the US. There's the president of AT&T and someone from Dell, but otherwise it's mostly just academics. I see no signs of a slide into trusted computing - mostly just a lot of complaint about the relatively slipshod state of current critical IT in
        • They do not directly mention Trusted Computing, but it looks like every expert they cite is in fact a Trusted Computing advocate. Hell, David Spafford was the author of the fairly famous WHY_TCPA and TCPA_REBUTTAL papers. I have to do some more Googling, but I think pretty much the entire committee has Trusted Computing ties.

          You might want to check your DNS entries as apparently you're using a different "google" than I am. For starters '"David Spafford" TCPA' returns 0 hits of Google. Secondly, it's Eugene Spafford that took part in, and is cited in the report. Googling for Eugene Spafford and TCPA gives a few hits, but nothing about him writing any papers on TCPA. Confused, I went to his homepage and looked up his list of publications [purdue.edu]. Lo and behold, not a single mention of TCPA in any of his numerous books, journal articles or conference papers. He did write "Practical UNIX security" [oreilly.com] available from O'Reilly.

          I'm sure if you continue to completely make stuff up you can find all manner of other connections to trusted computing. On the other hand if you care to join the rest of us in reality you might find that the report really has nothing to do with TCPA at all.

          Jedidiah.
  • by TLouden (677335) on Sunday March 20 2005, @01:15AM (#11989190)
    I found this /. quote (from the bottom of the page) to be perfect:
    "The biggest problem with communication is the illusion that it has occurred."
    considering that the server was /.ed AND is supposed to be talking about a failure of communication. Anybody else like it?
  • by Fox_1 (128616) on Sunday March 20 2005, @01:20AM (#11989207) Homepage
    The first link in the Post goes to their Homepage
    Here is the google cache: google cache [64.233.167.104]
    Here is the blurb from their page, good luck trying to get the PDF though.
    President's Information Technology Advisory Committee The President's Information Technology Advisory Committee (PITAC) was chartered by Congress under the High-Performance Computing Act of 1991 (P. L. 102-194) and the Next Generation Internet Act of 1998 (P. L. 105-305) as a Federal Advisory Committee. The Committee provides the President, Congress, and the Federal agencies involved in information technology research and development (IT R&D) with expert, independent advice on maintaining America's preeminence in advanced information technologies, including such critical elements of the national infrastructure as high performance computing, large-scale networking, and high assurance software and systems design. As part of this assessment, the PITAC reviews the Federal Networking and IT R&D Program. Comprising leading IT experts from industry and academia, the Committee helps guide the Administration's efforts to accelerate the development and adoption of information technologies vital for American prosperity in the 21st century. PITAC is formally renewed through Presidential Executive Orders. The current Executive Order is due to expire June 1, 2005.
  • Damn! The Terrarists are gonna take away the interweb!

    Launch all zig!

  • Crying Wolf (Score:5, Insightful)

    by schmobag (804002) on Sunday March 20 2005, @01:59AM (#11989329)
    This all seems a little alarmist. Our IT infrastructure is far more secure than our physical infrastructure, because our IT infrastructure has grown up under constant threats from script kiddies, trojans, and worms. 9/11 was possible because we have (or had) a basically open, trusting society. That's not true online.

    Servers across the internet are under constant attack from all kinds of viruses, worms, and malicious hackers. Even the most successful viruses amount to little more than annoyances, and can be easily protected against by any systems administrator worth his salt. Like the human immune system, continuous exposure to cyber-pathogens results in our information infrastructure growing increasingly good at resisting and fending off attacks.

    There's no reason to think that Islamic terrorists would be any more competent virus writers than those that currently plague us. In fact, given the backwardness of the Arab countries where most Islamic terrorists come from, I think there's good reason to think they would be less competent as computer programmers than people from other parts of the world. The only significant difference between cyber terrorists and today's virus writers is motivation. Most virus writers are interested in the technological challenge, and want to show off their prowess. They don't really want to do any damage. Others are more sinister, and try to install keystroke loggers or bots in order to steal your credit card numbers or extort money from people threatened with having their servers brought down by an attack from an army of compromised computers. Cyber-terrorists, on the other hand, would want to cause some spectacular failure that would grab all the headlines. Unfortunately for them, the systems that the terrorists would like to bring down are administered by professionals, people who are a lot more sophisticated than a grandma who forgets to update her anti-virus definitions.

    Finally, two more features of our information infrastructure make it resistant to catastrophic failure. First, it is resilient. Our information infrastructure is largely owned by private industry, and is supported by an army of trained to quickly get systems back up and running should they ever be brought down. Second, and more importantly, the systems that comprise the infrastructure are diverse. No program can run natively on a Cisco router, an Apache webserver, and a Microsoft SQL server. It's therefore extremely unlikely that a single program could bring the nation's cyber infrastructure to its knees.
  • by Doc Ruby (173196) on Sunday March 20 2005, @02:15AM (#11989380) Homepage Journal
    You're not praying hard enough.
  • by Anonymous Coward on Sunday March 20 2005, @02:35AM (#11989437)
    I think it's an insult to victims of 9/11 and other real terrorism around the globe to call any attack on a *computer network* "terrorism".

    I know it's trendy to attach the word "terrorism" to everything you don't like (Microsoft: "industrial terrorism", some politician just today: "medical terrorism"), but can we at least reserve it for cases when somebody might *die*?

    Yes, our economy will suffer a major blow from an attack on our computer networks, but if you give me a choice between having to become a farmer to feed myself and *DYING* in a suicide attack, I think I'll take the former.

    But one thing is true: our computers are horribly insecure and are at risk not ONLY from terrorists, but from pimply-faced teenagers that live down the street. And it doesn't matter what license your software uses or what OS it runs. The fact is that there aren't many programmers out there who bother writing secure software, and even fewer customers who demand it.
  • by Linker3000 (626634) on Sunday March 20 2005, @05:33AM (#11989885)
    The startpoint for a decent environment should be a way to interconnect (or 'internetwork'?) various computer systems and local networks using data links with redundant, multiple pathways (or 'routes') so that the failure of a single route would not affect the overall functionality of the internetwork.

    Since the US government is worried about this, maybe one of their own divisions - say the Department of Defense? - should look into this.

    In the end, maybe technology spin offs from this could be used for the benefit of the civilian population too?

    Just an idea.
  • by PhotoGuy (189467) on Sunday March 20 2005, @06:47AM (#11990029) Homepage
    Even an attack which wasn't targeting the IT infrastructure (Sept 11th) made the net (and phone infrastructure) pretty much unusable for an extended period of time. An emergency broadcast system for information during a major attack, it's not.

    With proper routing, redundancy, spare capacity, it could be more robust, but there is no mandate for that, but mainly pressure to drive costs lower and lower. So you get an internet which is very low cost, and very powerful, but not very resilient to major problems.

  • Malicious Code (Score:3, Interesting)

    by rlds (849683) on Sunday March 20 2005, @08:48AM (#11990303)
    Page 39 of the report says:

    In the future, the Nation may face even more challenging problems as adversaries - both foreign and domestic - become increasingly sophisticated in their ability to insert malicious code into critical software.

    I don't agree this is a future danger, it's a present danger. First, I don't think sophistication is needed as code is rarely inspected carefully in proprietary software. The theory behind open source is that everyone will be able to check the code and problems will be caught that way. But you have to admit that not everything can be open source.

    Second, critical code is getting developed in all sorts of places, increasingly offshore. Companies make those offshoring decisions based on their own bottom line, not the national security interests, and that is not going to change anytime soon.

  • by Exter-C (310390) on Sunday March 20 2005, @10:31AM (#11990720) Homepage
    Having worked on some .gov systems over my time, the biggest problem is often that the resources are spread very thinly across the country. They really need each department to invest in people that will just focus on keeping things up to date.

    Primary focus can be desktop and internet facing systems. This can be made a lot easier. Windows update for example is much more reliable than it has been in the past (not perfect but better). And most unix systems are compatible with systems like pkgsrc which would make it much easier to at least try and resist incoming attackers.

    Having centralised management and control over all systems would be a great start. That's something that many countries have; however, from my experience many American departments have different staff in different offices/regions, making the mismatch in staff quality and skillset diverse enough to affect security.

      • That must be why kids here haven't had a 5 day school week in a couple years.
      • Re:Education (Score:5, Informative)

        by cptgrudge (177113) <cptgrudge@gAUDENmail.com minus poet> on Sunday March 20 2005, @01:43AM (#11989282) Journal
        Yeah. Kinda sucks when all that money goes to "administrative" positions making six figures.

        Just a single example, but when you have a principal and an assistant principal at each school, both making 100,000+ $USD, that money gets used up in a hurry. Why don't they spend some of that money on teachers to lower class size? It's a bunch of stupid politics, and the students continue to suffer for it. There are dozens of other positions like that. I can see a need for a single principal, but what about all these other stupid positions?

        In the High School at the K-12 district where I worked before, the "assistant principal" fixed his three sons' grades before he got caught and had to "resign to pursue other opportunities", and the "normal principal" was caught (by me) surfing porn after hours. Fucking brilliant.

        Can you tell I'm jaded?

      • Re:Education (Score:4, Informative)

        by josh3736 (745265) on Sunday March 20 2005, @02:14AM (#11989377) Homepage
        From your link:
        President Bush today unveiled his plans to build upon the success of the historic
        No Child Left Behind education reforms ...
        I wasn't aware the Iraqi Information Minister worked for the US government now.

        The only thing that piece of shit legislation does is give the kids more tests to suffer through. It adds no actual "accountability" to schools. Instead of teachers preparing their students for what they might actually need in life, they focus on only what's going to be on the test. What happens when some struggling inner-city school gets shut down because their kids don't pass their proficiency tests? They disperse into other schools and bring their scores down, resulting in less funding for those schools. Brilliant.

        If Bush has added $13 billion in education funding, I'd like to know where it went. Districts all over are struggling just to keep the lights on. They are being forced to go to the voters for property tax increases. It's not a pleasant situation for anyone. The kids suffer because all their extracurriculars get cut and the property owners suffer because their taxes go up.

        The state of education in Ohio (where both of my parents are in the field) is abysmal. Over 10 years ago, the state's Supreme Court ruled our school funding system was unconstitutional. Yet here we are 10+ years later, and the Legislature hasn't done a damned thing about it. My dad is convinced they're trying to kill public education, and from what I see, it's working. People are getting laid off, everything outside of the State Board of Ed.'s required curriculum is being cut, and the kids suffer. They've even cut bussing. It's really a very unfortunate situation.

        In conclusion, fuck our incompetent politicians. I'm sick of agendas (as they almost always end up screwing the common man).