[ISN] Cyber-Terrorism Analyst Warns Against Complacency
InfoSec News
isn at c4i.org
Wed Apr 6 04:14:37 EDT 2005
http://www.eweek.com/article2/0,1759,1782286,00.asp
By Ryan Naraine
April 4, 2005
ORLANDO, Florida - Cyber-security and counterterrorism analyst Roger
Cressey on Monday pleaded with IT executives not to underestimate the
threat of a "national cyber-event" targeting critical infrastructure in
the United States.
During a keynote address at the InfoSec World 2005 conference here,
Cressey warned against discounting the danger of the Internet being
used in a terrorist-related attack.
"It may not be a terrorist attack, but a cyber-event is a very, very
serious possibility. When it happens, it will have serious economic
impact on our critical infrastructure."
Cressey, who served as chief of staff to the president's Critical
Infrastructure Protection Board at the White House, said there was
enough evidence that U.S. enemies were actively using the Web to
recruit, organize and communicate about terrorist activities.
"I don't see the Internet as a means to a mass attack [on human lives]
but we have to be aware that cyber-crime is a key component of the
terrorism setup. We would be foolish not to assume a targeted attack
on some aspects of national infrastructure. I don't know if we can
protect against this type of event today," Cressey said.
The on-air counterterrorism analyst for NBC News said the rapid rate
at which Internet security vulnerabilities were being discovered only
adds to the worry.
"Software vulnerabilities are being discovered at amazingly fast
rates. [The] time to exploit continues to shrink. We're getting closer
and closer to zero-day exploits," Cressey warned, adding that computer
operating systems had become a target-rich environment.
"Before 9/11, we thought we had it all covered, but we had no idea
what we're missing. There were warnings, but we never took them
seriously. That's the mindset we need to have today regarding a
cyber-event. We need to assume that it will happen and get ready to
deal with it."
He said the increase in identity theft, spam and phishing attacks has
already caused a "crisis of confidence" in the e-commerce sector.
"Consumers go on the Internet to read the news, but they get scared to
shop online. E-commerce will never reach its full potential," he said.
Cressey said the U.S. government's DHS (Department of Homeland
Security) made a fundamental mistake in the early days when it threw
resources at physical security assets without making similar
investments in the security of critical IT infrastructure.
"The result is they sent mixed signals to the industry. Silicon Valley
and the private sector looked at what was happening and figured the
government was only talking the talk without walking the walk."
He said the DHS must prioritize the risks before deciding on the level
of spending on security and must show leadership in the area of
information-sharing and advance warnings on Internet security
vulnerabilities.
Cressey used part of his keynote to call on VOIP (voice over IP)
developers to put security on the front burner.
Describing VOIP security as the great challenge of this decade, he
said it would be a "big mistake" for another nascent industry to
emerge without built-in protections.
"VOIP is today where the Internet was 10 years ago. Everyone
acknowledges that security is a big issue, but no one is making it a
top priority. We know we need to worry about it, but we're not doing
anything about it," he said.
The growth of VOIP in the enterprise has exposed several
vulnerabilities in the technology, including the ability to launch
denial-of-service attacks, caller-ID spoofing and the hijacking of
voice sessions.
"Nobody is baking security into the [VOIP] products just yet. If this
truly becomes ubiquitous, it will be back to the future. We'll be
scrambling to fix it just like we're scrambling today to deal with
spam and viruses."
Cressey urged enterprise IT leaders to take a holistic approach to
managing risks, arguing that executives must resist the urge to use
return on investment to drive spending on security.
"Instead of ROI, you should be adopting new acronyms like ROR
[Reduction of Risk] or ROC [Return on Compliance]."