Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security United States IT

U.S. IT Infrastructure Highly Vulnerable 324

An anonymous reader writes "The President's Information Technology Advisory Committee in their February 2005 report to GW writes "...infrastructure of the United States, which is now vital for communication, commerce, and control of our physical infrastructure, is highly vulnerable to terrorist and criminal attacks." It goes on to say that "fundamentally new approaches are needed to address the more serious structural weaknesses of the IT infrastructure" and finally offers "four key findings and recommendations on how the Federal government can foster new architectures and technologies to secure the Nation's IT infrastructure." Here is yet another, not surprising, bleak outlook for cyber security in the United States. The full 72-page report can be found here."
This discussion has been archived. No new comments can be posted.

U.S. IT Infrastructure Highly Vulnerable

Comments Filter:
  • Yeah (Score:4, Insightful)

    by Anonymous Coward on Sunday March 20, 2005 @12:59AM (#11989115)
    Secure, is what IT ain't!
    • XP zombie [slashdot.org]

      maybe it's time to start regulating/banning all operating systems until they pass some networking security standard.
    • by Oriumpor ( 446718 ) on Sunday March 20, 2005 @10:55AM (#11990842) Homepage Journal
      The security of a network is a combination of factors:
      Technological
      Physical
      Social

      We can fight the battles in the technological front till we're blue in the face, but the temp at the front desk is a hole you'll probably never close.

      In my head obvious questions this document failed to address are as follows:
      How many people have access to your data center?

      How many people have access to your most remote networked buildings?

      Scrolling through this document there is no mention of the greatest security challenges facing IT today. Worms have been around since before the public internet, and as IT warriors we fight those battles constantly.

      Ignoring the other aspects of "cyber" security is folly and tantamount to IT security suicide.
  • by dtfinch ( 661405 ) * on Sunday March 20, 2005 @01:00AM (#11989119) Journal
    That was fast. www.nitrd.gov was /.ed even before the article went public for non-subscribers. Or maybe it went down some other way. Netcraft says they've been running a pretty old Apache.
    • by TLouden ( 677335 ) on Sunday March 20, 2005 @01:04AM (#11989139)
      or maybe the terrorist took it down to keep there secret protected...
    • by Alsee ( 515537 ) on Sunday March 20, 2005 @03:08AM (#11989513) Homepage
      I located two other government sources here [nitrd.gov] and here. [iwar.org.uk]

      Another poster also found it here. [washington.edu]

      I'd like to point out that while there is no direct mention of Trusted Computing, it calls for a "fundamentally different architecture", some sections mostly later in the paper apprear to describe Trusted Computing functionality, the experts they cite all appear to be Trusted Computing speciallists and proponents (in particular David Spafford was the author of the semi famous WHY_TCPA and TCPA_REBUTTAL papers), at least some of the committee members appear to have Trusted Computing ties, and an earlier Cyber Security Advisor gave a speech at the Washington D.C. Tech summit calling for Trusted Computing and for ISPs to eventually make it a mandatory part of terms of service for internet access. A call to fight worms and viruses and to Secure the National Information Infrastucture against terrorist attacks, to defend against Osama bin Laden himself. Yes, he actually cited bin Laden by name. chuckle.

      -
      • running as "trusted code" immune to any possible attempts by the user to make them stop short of unplugging the computer.

        And they want to make ISPs require TCPA for Internet access?

        I'm sure that TCPA advocates will be telling us that this is impossible...

        Of course, the Titanic was unsinkable, too.

  • by squidgyhead ( 613865 ) on Sunday March 20, 2005 @01:02AM (#11989131)
    Unfortunately, we have already managed to obliterate the server on which the document is hosted, so now no one will be able to read it, and won't know how to stop this from happening in the first place.

    Is slashdotting a .gov site an act of terrorism?

    • by TLouden ( 677335 ) on Sunday March 20, 2005 @01:13AM (#11989179)
      well there's an interesting one. Is /. going to be fined or shutdown because they have the proven potential to attack the government? And what about the person who posted this, will they arrest them for using /. to attack that governement? Would RIAA sue a nine year old, how about an old lady? Would the US attack a country because they "might" have WMDs but leave another alone because the most likely do have WMDs? Give yourself one point for answering yes to any of the above.
      • by caino59 ( 313096 )
        God I know thats probably dripping with sarcasm - and 10 years ago, it would be modded as funny...

        but damn - we aren't far off. these days, that post is insighful.

        scary.
        • Re: (Score:2, Interesting)

          Comment removed based on user account deletion
      • Erm, you forgot something.

        "Might" as in, they didn't and they knew they didn't to the point where they had to "sex up" documents to make a case and when 2 high rank British lawyers said it was illegal they sent a third to the White house to "find out if it was or not" who came back and went "no it's fine it won't stand up in court but don't worry it won't get there". Then went on his say so..

        You also forgot the RIAA also sued a DEAD woman.. Got to love how it costs exactly the same to sue 1000 people as i
      • Little old ladies (Score:3, Interesting)

        by jd ( 1658 )
        When asked by the Supreme Court if a little old lady, in Switzerland, unknowingly giving money to a group invilved in terror activities would be considered a terror suspect, the Government's official position was "yes, of course".

        Slashdot may well be classed as a terrorist threat. It allows dissemination of "dangerous" information, the questioning of technical strategy, the promotion of "communist" ideals (ie: a sense of community, rather than paranoia), the repeated DDoS attacks against discussed sites,

  • by Fox_1 ( 128616 ) on Sunday March 20, 2005 @01:06AM (#11989147)
    I don't know if this is just to increase paranoia or not in the US, but if there are security issues it is better that they talk about them, bring them out into the "open" so to speak. There is nothing they couldn't dream up as a terrorist or other attack on the IT infrastructure that hasn't been thought up already by others, even in the terror game it is hard to be truely original. And at least by going through the exercise of thinking like an attacker they may help spur the development of better defenses, traps, early warnings, recovery procedures , what have you.
    • by Coryoth ( 254751 ) on Sunday March 20, 2005 @01:28AM (#11989237) Homepage Journal
      There is nothing they couldn't dream up as a terrorist or other attack on the IT infrastructure that hasn't been thought up already by others, even in the terror game it is hard to be truely original. And at least by going through the exercise of thinking like an attacker they may help spur the development of better defenses, traps, early warnings, recovery procedures , what have you.

      The problem is not that no one has thought about the problems of security of software assurance enough to have come up with solutions, the problem is the solutions haven't made their way out of theory and into practice. It's not that the theory is new either - a lot of the ideas are 10 years old or more. The problem is that there are too many people who are happy with what they have and never bothered to look at what the theorists have actually devised. Why do you think the NSA created SELinux? It wasn't because they were planning to create a secure operating system - they themselves say [nsa.gov] that they did it to demonstrate that such controls can easily be built into "mainstream operating system". Read that as: the've done the research, know the solutions (this sort of architecture is, research wise, quite old), and are so frustrated that no one was actually using it that they hacked it into the most mainstream OS they could just to show people how.

      If you consider the task of writing secure software applications, rather than just OS architectures to vastly enhance security, there are still perfectly good options out there. If you're serious about high integrity software (be it for security, or for fault tolerance) you ought to be proving your code. No, seriously - you can statically mathematically prove your code providing you use the right tools. For instance there are things like B-method [b-core.com] or SPARK [praxis-his.com] which use allow you to actually prove the partial correctness of your code (partial correctness in the sense of "if it terminates, it terminates with these properties..."). The concept of having a separate prover as a safety and correctness checker, as opposed to letting static typing and the compiler catch the most glaring errors, seems eminently sensible. The techniques for how to do this sort of thing are quite old, and it is becoming increasingly practical to do full proofs given the power of computers these days. Again, this is the category of "something we know how to do, but mostly never bother with".

      Jedidiah.
      • Totally agree on the SELinux part, what's especially interesting about this is that we finally have an opportunity to start over with Linux and get it right this time. It's brilliant that the NSA are helping out with that.

        One thing: my understanding (based on a course I took last term on verifying code) is that code provers are still very much a research topic. In particular they find it very hard to deal with pointers. Also the lecturer implied it was quite hard to prove pre-existing code bases and it wa

        • One thing: my understanding (based on a course I took last term on verifying code) is that code provers are still very much a research topic. In particular they find it very hard to deal with pointers. Also the lecturer implied it was quite hard to prove pre-existing code bases and it was better to "refine" code from a specification into code proving it as you go.

          Both are pretty much true - doing advanced things and still being provable is still under investigation, and certainly proving existing codebase
    • by dj245 ( 732906 ) on Sunday March 20, 2005 @02:16AM (#11989381) Homepage
      And at least by going through the exercise of thinking like an attacker they may help spur the development of better defenses, traps, early warnings, recovery procedures , what have you.

      Problem is all the nastiest attacks are out of the blue and most of them are original and creative. If Shoe-bomber had succeeded we wouldn't have a clue how the plane went down other then an explosion in the passenger compartment. That time a lot of people got lucky.

      Oh and the anthrax mailings? Never did hear who was behind that. The actual killings it caused was pretty limited, but the panic and havok it induced was worth 2 tons of white powder.

      • by zogger ( 617870 ) on Sunday March 20, 2005 @04:13AM (#11989732) Homepage Journal
        The anthrax attack caused passage of the Patriot Act, which was stalled in the senate at the time (kinda). They rushed it through, zillion pages, none of them cretins who voted for it even read it. The stuff used was US dot mil brand biological war prepped cooties. Should be sorta obvious what's going on.

        but you are correct on "spontaniety" and such like, and relative ease of assymetrical warfare. And it's fairly telling that since then there have been zero attacks despite how many dozen warnings of impending attacks and code whatever color "alerts" and protestations for years there were 'terrorist sleeper cells" hanging about. Them boys been real asleep it appears......

        And they still haven't finished the lawsuits filed by some government whistleblowing agents who got warned off investigating after they started getting some real evidence, embarrasing evidence that pointed upstream to white guys in dark suits. Again, sorta obvious what's going on. And the 9-11 whitewash committee, pretty funny if it wasn't serious.

        I think it's all right to say it, it's been a pretty spiffy coup d'etat. Just a little smoother than your typical third world coup, that's all, lot more media sound bites and slick advertiseoganda pieces on the newzzzzz.
        • by myowntrueself ( 607117 ) on Sunday March 20, 2005 @04:53AM (#11989825)
          "The stuff used was US dot mil brand biological war prepped cooties."

          Since it was prepared in military labs in the USA, I'd kinda like to know who the *intended* target of these 'cooties' was supposed to be.

          I mean you don't go to all the trouble of preparing such an effective and well-developed agent without a potential use in mind; that stuff was high tech (they had trouble getting the spores to stick to the microscope slides).
      • "If Shoe-bomber had succeeded we wouldn't have a clue how the plane went down other then an explosion in the passenger compartment."

        If 'Shoe-bomber' had succeeded, we might well = be wondering how someone managed to detonate a block of plastic explosive using a *match*.
    • And at least by going through the exercise of thinking like an attacker they may help spur the development of better defenses, traps, early warnings, recovery procedures , what have you.

      The trouble is, Infosec has never been a strong point of the US Government. That's not to say there aren't niche sections of the US Gov't that are competant - maybe even far more advanced than is public knowledge. But as a whole, Governmental agencies have a hard time even keeping up with standard industry practices. W

  • It would be a... (Score:4, Insightful)

    by Phidoux ( 705500 ) on Sunday March 20, 2005 @01:07AM (#11989152) Homepage
    ... true indication of the US governments commitment to security if they moved away from M$ operating systems.
    • by matria ( 157464 )
      Over 10 years ago, when Microsoft was pushing itself into the server market, and the university hospital where I worked was moving away from their IBM servers to PCs with Microsoft (and managed to lose most of a year's worth of doctor's dictated medical procedure reports within a few months of moving them), I told the IT department that this trend would eventually cause the destruction of a large part of the US IT infrastructure. I still believe that. And, funny thing is, I don't see the huge savings in I
    • Not employing fanbois, such of yourself, of any platform would also help. The (in)ability to a) properly identify the problem, b) choose the correct product, and c) implement it properly, is the primary failure of IT.

      And FWIW, the correct product isn't necessarily the most hardcore geekfest you can find. VHS, x86, Windows95, etc. may be/have been the inferior technologies, but they were the superior products. You need to realise this reality and deal with it before it costs you your business (unless you
      • Re:It would be a... (Score:2, Interesting)

        by Anonymous Coward
        Funny, I re-read grandparent's comment and couldn't see any OS-specific advocacy. I didn't see Linux fanboi-ism, or Mac-worship, or any mention of xBSD... I did, however, see a suggestion that the widespread use of Microsoft products has led to a weakness in IT security. Since MS themselves have been trumpeting to the heavens their new commitment to security (which is tantamount to a tacit admission that security really IS a problem for them), I think we can safely say that even an unbiased observer woul
      • VHS, x86, Windows95, etc. may be/have been the inferior technologies, but they were the superior products. You need to realise this reality and deal with it before it costs you your business (unless your business happens to be the aformentioned niche geekfest products).

        Looking for "superior products" is great if business is in itself what you're concerned with. If it's providing service based on solid technology then the superior technology IS, in fact, an important consideration. Incidently, the "nich

    • I think there's as much chance of that as of Richard Clarke being brought back onboard. MS is too big a contributor to political campaigns on both sides of the aisle for that to ever happen.
  • by GeorgeMcBay ( 106610 ) on Sunday March 20, 2005 @01:07AM (#11989153)
    Seriously, the whole "cyber-terrorism" boogeyman is one of the worst things to be exploited after 9/11, and that's saying something considering how much exploiting people have been doing. Honestly, terrorists are NOT interested in cracking databases and DDOSing the Internet. They just aren't. That doesn't spread FEAR or TERROR, just annoyance.


    I'm not doubting that this report is accurate in so far as systems are insecure, but the real danger is from script kiddies and other such people, NOT TERRORISTS. Using the word so far out of context to drum up interest (and thus funding) is despicable.

    • ...but the real danger is from script kiddies and other such people...

      Actually, the real danger are the federal employees who don't update their horribly vulnerable software, open random attachments to their emails, click on the pop-up ads telling them their computer is insecure, and give their passwords out to social engineers over the phone. Which, of course, make it easy for the script kiddies and other such people to run well-known and documented but apparently still dangerous exploits because people are too stupid and lazy to do anything about them.
      • Actually, the real danger are the federal employees who don't update their horribly vulnerable software, open random attachments to their emails, click on the pop-up ads telling them their computer is insecure, and give their passwords out to social engineers over the phone...

        I get frustrated everytime I hear a comment like this. If I leave my door unlocked and get robbed it does not remove blame from the thief or make it my own fault that my own was robbed. (It just makes me an idiot.)

        These 'dangerou

    • Comment removed based on user account deletion
  • by bmw ( 115903 ) on Sunday March 20, 2005 @01:08AM (#11989159)
    It always worries me when I see the current administration saying things like this...

    highly vulnerable to terrorist and criminal attacks."

    fundamentally new approaches are needed to address the more serious structural weaknesses of the IT infrastructure

    It isn't that they aren't right... It's just that whenever they go on and on about terrorists threatening our way of life it seems all they really want is to implement new ways of taking away our rights without actually protecting us at all.

    Sure wish I could actually read the article. :-\
    • It always worries me when I see the current administration saying things like this..

      Did it worry you when the previous administration said exactly the same things?

      Wired News - Jan. 22, 1999 [wired.com]
      "President Clinton drew a nightmarish portrait of 21st century terrorism on Friday and asked Congress for more than US$2.8 billion to defend against chemical and germ warfare and protect computer networks.
      [...]
      Clinton described a world of frightening terror scenarios involving nerve gas, germ attacks, and computer h

      • Did it worry you when the previous administration said exactly the same things?

        Yes, actually it did. However, for some reason the Bush administration worries me even more... Gee... I wonder why that is. Take a look at everything Bush has done since he has been in office. I don't know about you but it seems to me that the stakes have been raised just a bit since Clinton's time.

        (And no, I'm not a Clinton fan either.)
      • Uhh... maybe because the previous administration didn't use terrorism as an excuse to pass laws that restrict our civil rights to the degree that the patriot act (etc) do.

        I think that's what the parent poster was talking about. Not that they talked bs about terrorism, but they used that bs as a weapon with which to destroy the constitution.

        Sorry if I'm putting words in the mouth of the parent poster, but that's how I interpreted it.

      • by Ohreally_factor ( 593551 ) on Sunday March 20, 2005 @02:10AM (#11989362) Journal
        Because we haven't seen as naked a power grab since. . .ever?

        At least you knew that Clinton wouldn't get away with too much in the way of hurting our civil liberties, because the Republicans controlled Congress for most of his Presidency. And despite Clinton's fiscal conservatism, he was a liberal at heart, so he wasn't interested so much in curtailing civil liberties as he was in growing social welfare programs, i.e., growing the "feel good" side of government, often at the expense of defense programs. One of the things I respect about Clinton is that he was at least realistic about fiscal responsibility, so we could actually pay for the programs he wanted. (Just a note: I'm not totally against social welfare programs, I just suspect the liberal tendency to go overboard on them and attempt to solve all of our problems.)

        Bush, on the other hand, might talk a good game of conservatism, but his actions speak differently. And so it is with his and congress's actions to "protect our liberty. Bush pays lip service to conservative ideals, but at heart he is a criminal who will do anything to gain more power for himself or his friends.

        There are many many examples, far too many to list. So, I'll just mention the latest in a long line of power grabs, some minor, some major. Schiavo.

    • Indeed, as soon as a largely domestic problem starts to get (at least hypothetically) attributed to international terrorists, one can't help but worry that it's because domestic criminal policy is beginning to be actively conflated with international military policy. Maybe these are policy areas that one needn't much worry about conflating if one is, say, Iceland. But when one is the United States, conflating international military policy and domestic security policy can be an exceptionally scary thing.
  • by Anti-Trend ( 857000 ) on Sunday March 20, 2005 @01:12AM (#11989173) Homepage Journal
    I haven't RTFA (who can, it was /.'ed almost instantly), but this sounds a bit like a segway into trusted computing -- or paladium, or whatever MS is calling it. I would love to believe they'd get the clue and go OSS, but with the amount of sugar-daddy financial pull MS has with our government officials, I just can't put any hope in that theory.
    • "... this sounds a bit like a segway into trusted computing..."

      At least we'll be riding into trusted computing in syle; those Segways are hip, from what I hear. At least, riding on one of those, we'll be sure to segue into the new trusted architecture without ever falling over!
    • Yeah, I was thinking that too. But it wouldn't even have to be due to Microsoft's bribery; I'm sure locking down everyone's computers sounds like a great idea to someone like Bush
    • Someone kindly provided an alternate link to the report (http://lazowska.cs.washington.edu/CyberSecurity. p df [washington.edu]) and if MS or similar have ahand in it, it's fairly well removed - most of the comittee seem to be academics from a variety of Universities around the US. There's a the president of AT&T and someone from Dell, but otherwise it's mostly just academics. I see no signs of a slide into trusted computing - mostly just a lot of complaint about the relatively slipshod state of current critical IT in
      • They do not directly mention Trusted Computing, but it looks like every expert they cite is in fact a Trusted Computing advocate. Hell, David Spafford was the author of the fairly famous WHY_TCPA and TCPA_REBUTTAL papers. I have to do some more Googling, but I think pretty much the entire committee has Trusted Computing ties.

        -
        • by Coryoth ( 254751 ) on Sunday March 20, 2005 @03:21AM (#11989539) Homepage Journal
          They do not directly mention Trusted Computing, but it looks like every expert they cite is in fact a Trusted Computing advocate. Hell, David Spafford was the author of the fairly famous WHY_TCPA and TCPA_REBUTTAL papers. I have to do some more Googling, but I think pretty much the entire committee has Trusted Computing ties.

          You might want to check your DNS entries as apparently you're using a different "google" than I am. For starters '"David Spafford" TCPA' returns 0 hits of Google. Secondly, it's Eugene Spafford that took part in, and is cited in the report. Googling for Eugene Spafford and TCPA gives a few hits, but nothing about him writing any papers on TCPA. Confused, I went to his homepage and looked up his list of publications [purdue.edu]. Lo and behold, not a single mention of TCPA in any of his numerous books, journal articles or conference papers. He did write "Practical UNIX security" [oreilly.com] available from O'Reilly.

          I'm sure if you continue to completely make stuff up you can find all manner of other connections to trusted computing. On the other hand if you care to join the rest of us in reality you might find that the report really has nothing to do with TCPA at all.

          Jedidiah.
    • Thanks. It is actually quie a good report all things considered, with the main thrust being that more money needs to be spent of fundamental research into security, and that the NSA and ARDA need to produce more unclassified research. The listed research goals are all quite sensible as well, focusing on such things as increasign software assurance through better engineering practices, and building more secure protocols for general use.

      Surprisingly sensible all things considered.

      Jedidiah.
  • by TLouden ( 677335 ) on Sunday March 20, 2005 @01:15AM (#11989190)
    if found this /. quite (from the bottom of the page) to be perfect:
    "The biggest problem with communication is the illusion that it has occurred."
    considering that the server was /.ed AND is supposed to be talking about a failure of communication. Anybody else like it?
  • by Fox_1 ( 128616 ) on Sunday March 20, 2005 @01:20AM (#11989207)
    The first link in the Post goes to their Homepage
    Here is the google cache: google cache [64.233.167.104]
    Here is the blurb from their page, good luck trying to get the PDF though.
    President's Information Technology Advisory Committee The President's Information Technology Advisory Committee (PITAC) was chartered by Congress under the High-Performance Computing Act of 1991 (P. L. 102-194) and the Next Generation Internet Act of 1998 (P. L. 105-305) as a Federal Advisory Committee. The Committee provides the President, Congress, and the Federal agencies involved in information technology research and development (IT R&D) with expert, independent advice on maintaining America's preeminence in advanced information technologies, including such critical elements of the national infrastructure as high performance computing, large-scale networking, and high assurance software and systems design. As part of this assessment, the PITAC reviews the Federal Networking and IT R&D Program. Comprising leading IT experts from industry and academia, the Committee helps guide the Administration's efforts to accelerate the development and adoption of information technologies vital for American prosperity in the 21st century. PITAC is formally renewed through Presidential Executive Orders. The current Executive Order is due to expire June 1, 2005.
  • Does it matter? (Score:2, Insightful)

    by Anonymous Coward
    Is it to the political benefit of the Bush administration, or the neoconservative agenda, to in some way react to the widespread and systematic vulnerability in the IT infrastructure of the U.S.?

    Is there some personal gain they can derive from it, some personal goal that responding to this knowledge is convergent with?

    No?

    Then it doesn't matter. This advisory committee will be ignored, just as the committees and others who warned the Bush administration about the insecurity and threats in our nation's (an
  • Memo (Score:2, Funny)

    by Phidoux ( 705500 )
    Read the report and would like to respond. Could someone please tell me how to make one of those sad face things in my email?

    Regards

    George.
  • Comment removed based on user account deletion
  • by ABeowulfCluster ( 854634 ) on Sunday March 20, 2005 @01:56AM (#11989323)
    Damn! The Terrarists are gonna take away the interweb!

    Launch all zig!

  • Crying Wolf (Score:5, Insightful)

    by schmobag ( 804002 ) on Sunday March 20, 2005 @01:59AM (#11989329)
    This all seems a little alarmist. Our IT infrastructure is far more secure than our physical infrastructure, because our IT infrastructure has grown up under constant threats from script kiddies, trojans, and worms. 9/11 was possible because we have (or had) a basically open, trusting society. That's not true online.

    Servers across the internet are under constant attack from all kinds of viruses, worms, and malicious hackers. Even the most successful viruses amount to little more than annoyances, and can be easily protected against by any systems administrator worth his salt. Like the human immune system, continuous exposure to cyber-pathogens results in our information infrastructure growing increasingly good at resisting and fending off attacks.

    There's no reason to think that Islamic terrorists would be any more competent virus writers than those that currently plague us. In fact, given the backwardness of the arab countries where most islamic terrorists come from, I think there's good reason to think they would be less competent as computer programmers than people from other parts of the world. The only significant difference between cyber terrorists and today's virus writers is motivation. Most virus writers are interested in the technological challenge, and want to show off their prowess. They don't really want to do any damage. Others are more sinister, and try to install keystroke loggers or bots in order to steal your credit card numbers or extort money from people threatened with having their servers brought down by an attack from an army of compromised computers. Cyber-terrorists, on the other hand, would want to cause some spectacular failure that would grab all the headlines. Unfortunately for them, the systems that the terrorists would like to bring down are administered by professionals, people who are a lot more sophisticated than a grandma who forgets to update her anti-virus definitions.

    Finally, two more features of our information infrastructure make it resistant to catastrophic failure. First, it is resilient. Our information infrastructure is largely owned by private industry, and is supported by an army of trained to quickly get systems back up and running should they ever be brought down. Second, and more importantly, the systems that comprise the infrastructure are diverse. No program can run natively on a Cisco router, an Apache webserver, and a Microsoft SQL server. It's therefore extremely unlikely that a single program could bring the nation's cyber infrastructure to its knees.
    • This all seems a little alarmist. Our IT infrastructure is far more secure than our physical infrastructure, because our IT infrastructure has grown up under constant threats from script kiddies, trojans, and worms. 9/11 was possible because we have (or had) a basically open, trusting society. That's not true online.

      The actual report has less to say about terrorists and more to say about the general lack of real security and assurance in software systems that are generally available. For instance they s
    • There's no reason to think that Islamic terrorists would be any more competent virus writers than those that currently plague us.

      One has to wonder why a real terrorist would even bother inflicting damage through the Internet. Yeah, it sucks to have systems shut down and whatnot, and it can hurt the economy if done on a wide enough scale, but if nobody dies, and nothing is blowing up, how is it terrifying? There have been several worms in the last few years that have shut down significant portions of the

  • by Doc Ruby ( 173196 ) on Sunday March 20, 2005 @02:15AM (#11989380) Homepage Journal
    You're not praying hard enough.
  • +5 Useful Bounty (Score:2, Insightful)

    by idsfa ( 58684 )
    First person to set up a BitTorrent for the PDF gets a +5 CoolAssMoFo from me. (Useless, but cool)
  • If you read http://www.coralcdn.org/ [coralcdn.org], you will see how to Coralize links. If you are going to link to
    • A video
    • A large image collection
    • A PDF file
    • A "personal" website (possibly hosted on a home DSL/Cable connection

    then please consider using Coral.

    As long as Coral can see the site, it will be in the cache, and as more /.ers hit the Coral Cache, it will be distributed around (kind of like what Akamai does, only without having to set it up in advance)

  • There are actually programs around the country to address this, flying under the banner of "Information Assurance". I happen to be in one of the six initial NSA-approved programs.

    The problem here, as I see it, is not a lack of opportunity or even expertise; it is a problem of making advanced degrees and training cost effective. For instance, I have a classmate who is running at around $120K of debt from school, from undergraduate work to his MSc. While this is not representative, it is quite rare here t

  • that some of them thar gummermint mofo intarweb geniuses are putting together a contigency plan to save the pron. For god sakes won't somebody think of the pron!!
  • by Anonymous Coward on Sunday March 20, 2005 @02:35AM (#11989437)
    I think it's an insult to victims of 9/11 and other real terrorism around the globe to call any attack on a *computer network* "terrorism".

    I know it's trendy to attach the word "terrorism" to everything you don't like (Microsoft: "industrial terrorism", some politician just today: "medical terrorism"), but can we at least reserve it for cases when somebody might *die*?

    Yes, our economy will suffer a major blow from an attack on our computer networks, but if you give me a choice between having to become a farmer to feed myself and *DYING* in a suicide attack, I think I'll take the former.

    But one thing is true: our computers are horribly insecure and are at risk not ONLY from terrorists, but from pimply-faced teenagers that live down the street. And it doesn't matter what license your software uses or what OS it runs. The fact is that there aren't many programmers out there who bother writing secure software, and even fewer customers who demand it.
    • But one thing is true: our computers are horribly insecure and are at risk not ONLY from terrorists, but from pimply-faced teenagers that live down the street. And it doesn't matter what license your software uses or what OS it runs. The fact is that there aren't many programmers out there who bother writing secure software, and even fewer customers who demand it.

      To be fair to customers and programmers, you should consider that security often means inconvenience and lost functionality for users. For s

    • "Terrorism" is just used to make it sound like you're tough and cool.

      The same as "The War on Poverty" or "The War on Drugs".

      Yes, our economy will suffer a major blow from an attack on our computer networks, but if you give me a choice between having to become a farmer to feed myself and *DYING* in a suicide attack, I think I'll take the former.

      It's not even that bad. Look at what happened with the other worms (slammer in particular). Banks were off-line. And the total number of businesses that failed was

  • This information filters into the brain of a person who had sent two emails during his first term of office, and one of those was just to confirm that his account was set up right.
    Do you really think he'll GET this and act on it?
    We're so doomed.
  • Speaking of which (Score:2, Informative)

    by Nykon ( 304003 )
    I had just written an article [kevinblanchard.com] not only on this topic but about the fact they keep putting too much emphasis on "terrorism" and not on the other 75% of people who would just as easily get in.
  • I thought this was old news, having to deal with the theory of scale free systems, power-laws, etc. Most nodes on the internet are leaf nodes or have only a few connections to larger nodes which in turn feed into still larger nodes on up to supernodes which tie everything together. The probability of a node have some number of links is inversely proportional to the number of links raised to a power.

    It turns out that this design has a couple of advantages. For one, the network diameter grows only logarit
  • by Linker3000 ( 626634 ) on Sunday March 20, 2005 @05:33AM (#11989885) Journal
    The startpoint for a decent environment should be a way to interconnect (or 'internetwork'?) various computer systems and local networks using data links with redundant, multiple pathways (or 'routes') so that the failure of a single route would not affect the overall functionality of the internetwork.

    Since the US government is worried about this, maybe one of their own divisions - say the Department of Defense? - should look into this.

    In the end, maybe technology spin offs from this could be used for the benefit of the civilian population too?

    Just an idea.
    • I think the network is more vulnerable due to the existance of a million hacked PCs that can be turned into attackers at the click of a mouse, than due to some datalink that is critical to the connection of two points.
      A "cyberterrorist" can melt down the Internet without even leaving home.
  • by PhotoGuy ( 189467 ) on Sunday March 20, 2005 @06:47AM (#11990029) Homepage
    Even an attack which wasn't targeting the IT infrastructure (Sept 11th), made the net (and phone infrastructure) pretty much unusuable for an extended period of time. An emergecy broadcast system for information during a major attack, it's not.

    With proper routing, redundancy, spare capacity, it could be more robust, but there is no mandate for that, but mainly pressure to drive costs lower and lower. So you get an internet which is very low cost, and very powerful, but not very resilient to major problems.

  • Malicious Code (Score:3, Interesting)

    by rlds ( 849683 ) on Sunday March 20, 2005 @08:48AM (#11990303)
    Page 39 of the report says:

    In the future, the Nation may face even more challenging problems as adversaries - both foreign and domestic - become increasingly sophisticated in their ability to insert malicious code into critical software.

    I don't agree this is a future danger, it's a present danger. First, I don't think sophistication is needed as code is rarely inspected carefully in proprietary software. The theory behind open source is that everyone will be able to check the code and problems will be caught that way. But you have to admit that not everything can be open source.

    Second, critical code is getting developed in all sorts of places, increasingly offshore. Companies make those offshoring decisions based on their own bottomline, not the national security interests and that is not going to change anytime soon.

  • These people must be really, really smart

    "software is a major vulnerability"

    "endless patching is not the answer"

    Did they recommend BREAKING UP THE OS MONOPOLY CHIEFLY RESPONSIBLE FOR THE MAJORITY OF THE PROBLEM?

    I didn't see that one

  • by Exter-C ( 310390 ) on Sunday March 20, 2005 @10:31AM (#11990720) Homepage
    Having worked on some .gov systems over my time the bigget problem is often that the resources are spread very thinly across the country. They really need each department to invest in people that will just focus on keeping things upto date.

    Primary focus can be desktop and internet facing systems. This can be made alot easier. Windows update for example is much more reliable than it has been in the past (not perfect but better). And most unix systems are compatable with systems like pkgsrc which would make it much easier to at least try and resist incoming attackers.

    Having centralised management and control over all systems would be a great start. Thats something that many countries have however from my experience many american departments have different staff in different offices/regeons making the mismatch in staff quality and skillset diverse enough to affect security.

"The great question... which I have not been able to answer... is, `What does woman want?'" -- Sigmund Freud

Working...