Internet warfare: Are we focusing on the wrong things?

A lack of vision and leadership has left the U.S. woefully unprepared for a cyber catastrophe.

Page 4 of 5

Another reminder is an experiment conducted in March 2007 in which the Idaho National Laboratory showed how it could reduce a power turbine to a smoking, shuddering, metal-spewing mess simply by executing malicious code on the computer controlling the system.

These examples are only the tip of the iceberg. According to the GAO's Wilshusen, the trend over the past few years to connect the systems that are used to control critical equipment to the Internet in power generation and distribution, water treatment, biotech, pharmaceuticals and transportation is making them more vulnerable to threats.

This was demonstrated in 2000 when a disgruntled employee at an Australian water-treatment plant released about 264,000 gallons of raw sewage into nearby rivers and parks by breaking into the control systems using a radio transmitter, he says.

Similarly, in August 2003, a computer virus called Sobig managed to infiltrate a control system at CSX Corp.'s headquarters in Florida and shut down train signaling systems throughout the East Coast for hours, he says.

And in October 2006, a foreign hacker broke into a system at a water-filtration plant in Harrisburg, Pa., after an employee's laptop computer was compromised via the Internet and then used as an entry point to install malware on the plant's computer system.

Although almost all critical infrastructure systems are owned by the private sector, making sure they are adequately protected should be a top priority for government, says Wilshusen. Not only should baseline security standards be established for critical infrastructure industries, he says, but there should also be regulations for enforcing them and a formal strategy for sharing information and information-security practices between the private and public sectors.

Use federal procurement power to force better security from vendors

Karen Evans

As the de facto CIO of the federal government under the Bush administration, Karen Evans knows a lot about how to use the government's enormous buying power to force technology vendors to improve security. "When you spend $71 billion in the marketplace, you should be very clear about what your requirements are" and expect vendors to abide by them, she says.

One place where the government has successfully done this is in the Federal Desktop Core Configuration (FDCC) initiative, in which it is working with Microsoft Corp. and other technology vendors to ensure that all Windows XP and Vista desktops delivered to government have standard baseline security configurations. There's no reason why a similar model can't be implemented to get vendors to do things such as turning off default configurations and disabling functions that pose a security risk before products are delivered to agencies. Implementing security language in federal acquisition rules is much easier than forcing regulations down vendor throats, Evans says.

Requiring vendors to bake in security and centralizing procurement across government can also bring costs down significantly, says Alan Paller, director of research at the SANS Institute, a training and certification organization in Bethesda, Md. "Right now, there's enormous inefficiency" when it comes to security purchases, he says.
