Former CIA chief sees need for greater network resilience, market incentives
James Woolsey specifically cites the computers that manage the nation's power grid
By Dan Verton
October 29, 2003 12:00 PM ET
Computerworld - NEW YORK -- The war on terrorism will be a "war to the death" that likely will last several decades, requiring the government and the private sector to focus immediately on making critical infrastructures and systems more resilient rather than immune to deliberate attacks, a former CIA director said today.
Speaking here to several hundred government and private-sector security experts at the Maritime Security Expo, James Woolsey said Americans should be prepared for the war on terrorism to last at least as long as the Cold War and for continued terrorist attacks on the soft spots in the nation's critical physical and cybernetworks. Woolsey, now a vice president of the Global Strategic Security practice at Booz-Allen & Hamilton Inc. in McLean, Va., served as director of the CIA from 1991 to 1993.
"You shouldn't rely too much on intelligence to solve this problem," said Woolsey. "We're not going to get real-time intelligence on specific attacks in most cases. That's why it's so important to build resilient protections into the infrastructure so that when an attack comes, we can abort it part of the way through, or if it succeeds, it doesn't have cascading effects on other infrastructures."
 |
 |
Former CIA director James Woolsey |
|
Some of the most important work to prevent cascading failures involves enhancing the security of Supervisory Control and Data Acquisition systems, the real-time control computers that are used to manage the electric power grid, Woolsey said.
The former CIA chief also wants to see the government more aggressively push the development of cybersecurity technologies "that work," as opposed to firewalls, which, he said, do not work. "Internet protocol address hopping, for example, which is the IT equivalent of radio frequency hopping that is used in military radios, is an example of what I find very exciting."
Industry must also do its part by devising "incentives" to get the companies that own and operate more than 85% of the nation's critical infrastructure to make the necessary investments in new and innovative security tools, he said.
"There are a number of things that can be done," he said in an interview with Computerworld. "One way to work is through the insurance industry, giving the insurance industry incentives to write coverage plans that offer companies lower premiums if they make certain investments in security. It's sort of like seat belts for automobiles."
He cautioned that such changes will take a long time.
During the World War II era, the government was able to federalize portions of the economy and shift private-sector production to war production. But that level of government intervention is "unimaginable" in the current economy, Woolsey said, although the government will have a hand in setting the standards by which companies are measured.
