Don't let minor attacks obscure bigger threats, experts warn

Don't let minor attacks obscure bigger threats, experts warn

Potential adversaries are analyzing U.S. security weaknesses, the White House's Jeffrey Hunker says.

Viruses and service-denial attacks are nothing compared with what could happen, systems pros say

By Christopher J. Dorobek

GCN Staff

Information technology professionals should not be distracted by the recent outbreak of e-mail viruses or the arrest of a suspect in a rash of distributed denial-of-service attacks, experts warned.

The real danger lies elsewhere and could have more serious consequences, they said.

'The threat is real, and it's not the 15-year-old that was apprehended in Canada,' said Jeffrey Hunker, senior director for critical infrastructure at the White House's National Security Council. The distributed denial-of-service attacks were a nuisance, but potential threats could be much greater, he said.

The threats could come from other countries, or terrorist and transnational organizations, some of which have more resources than the federal government, Hunker said at the recent Government IT Executive Council's Information Processing Interagency Conference in Orlando, Fla.

Minor, so far

The attacks raised awareness of IT security, said Mark Fabro, senior scientist and managing director for Guardent Inc. of Toronto. But he agreed that the attacks so far have been relatively minor.

In the networked world, a hacker can gain access to a system and deflect the organization's data onto another server that matches the organization's server, he said. Then, after collecting data on that server for months or years, the hacker could encrypt the data, essentially blocking the originators' access to their own data.

How could any organization survive without access to two years of its work, Fabro said.

Yet despite a significant amount of media attention, most organizations pay little notice to IT security, he said. One survey showed that 93 percent of organizations have Web sites, and 32 percent of those did not know whether they had been attacked, Fabro said.

'To not know is fatal,' he warned.



Furthermore, the survey found, there was only one security administrator for every 1,000 computers, he said. The task can be daunting.

'There is no such thing as a secure anything,' said James Connavino, chairman and chief executive officer of Cybersafe Corp. of Seattle. Yet security has to be part of system design, he said.

Increasingly, potential adversaries are analyzing the country's IT security weaknesses, Hunker said. There have been published reports from the Chinese government that discuss its focus on cyberattacks, which would likely be directed at disrupting a target's economic framework, he said.

Presidential Decision Directive 63, issued two years ago, for the first time put cyberterrorism on the map, Hunker said. In January, President Clinton and the Critical Infrastructure Assurance Office released the national plan for protecting critical infrastructures, which is largely based on working with the private sector [GCN, Jan. 24, Page 1].

The plan calls on the federal government to be a model of security practices, he said. But, Hunker said, there is still much work to do.

'Do not leave here thinking that there is a template and that everything is worked out,' he said. The challenge of information security is that it is constantly changing and affects so many organizations, he said.

Just as software is becoming more sophisticated and easier to use, so are hacking programs, Fabro said. And those programs are now widely available online.

Retrofitting security into existing systems is expensive, Fabro said.

But the problem is important enough that it will become an essential part of system development, Connavino said.

'You will not be able to launch a program without fundamental security built in,' he said.

inside gcn

  • analytics (Wright Studio/Shutterstock.com)

    3 data strategies to help crackdown on internal corruption

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group