

Cybersecurity: Protecting the Nation's Critical Infrastructure
James Lewis,
Cybersecurity Expert, Center for Strategic and International Studies

Thursday, June 27, 2002, 2 p.m. EDT

How can we protect America's critical infrastructures -- everything from the Internet to water supplies? The White House, joined by national security and law enforcement agencies and the private sector, is working to plug holes in the information technology systems that drive much of the nation's key services. Read the full story, U.S. Fears Al Qaeda Cyber Attacks (Post, June 26).

Join James Lewis, senior fellow and director for Technology Policy at the Center for Strategic and International Studies, on Thursday, June 27 at 2 p.m. EDT, for a discussion on cybersecurity and possible threats of terrorism.

According to cybersecurity expert Lewis, "The Internet has changed the way that businesses and the military operate and it's changing the way terrorists operate as well. We know terrorists are making use of the Internet and we've found areas where the U.S. and other developed countries may be vulnerable. What we need to do is determine how vulnerable we really are and what we need to do about it."

Formerly, Lewis worked on a range of security and technology-related issues at the Foreign Service and worked at the Senior Executive Service at the Departments of State and Commerce. His current research projects include the role of information technology in homeland defense and governance issues for identity and authentication on the Internet. Lewis has authored numerous studies including "Preserving America's Strength in Satellite Technology," (April 2002) and "Strengthening Law Enforcement Capabilities for Counter-Terrorism" in the book To Prevail: An American Strategy for the Campaign Against Terrorism (December 2001).

The transcript follows.

Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.



Washington, D.C.: What role does training play in helping public and private sector entities prevent future Cyber Terrorist events?

James Lewis: Training people to be security conscious about their networks is very important. It's not training in the sense of 'practicing' an action until you get it right, but training to make network administrators and users adopt and follow good security practices - watching for unusual activity on your network, keeping up with the latest patches, and even simple steps like using good passwords or installing a firewall.


College Park, Md.: Colleges are notorious for having lax security procedures. What responsibility do network and telecom engineers that maintain campus networks have in regards to the latest al Qaeda cyber threat? Should campus engineers pay any notice to these warnings? Or should campus engineers just ignore the problems/warnings?

James Lewis: Universities are among hackers' favorite targets. They have lots of computing power that is poorly guarded - ideal for creating zombies or for disguising your tracks. Many Universities haven't been particularly good at security, but the argument is that they shouldn't be held liable for the misuse of their systems as it is done without their knowledge. There is some sentiment to change this and make schools liable. Until this happens, I doubt you'll see any real improvement.


Arlington, Va.: Why in the world are all of these important and vulnerable locations connected to the public Internet in the first place? This seems extraordinarily dumb to me. If your average 15-year-old hacker can cause so much trouble why would these industries expect to be safe from smart people with a malicious agenda?

James Lewis: Costs drive companies to make more use of networks because it saves them money. It's cheaper to do things over the Internet, especially if you are unaware or discount the risk of cyberattack. We are not going to persuade people to stop using newer, cheaper technologies (it would be like asking people to go back to a rotary dial phone) so we need to focus on improving network security and raising security consciousness among companies.


Telluride, Colo.: On Marketplace a couple months ago I heard about a U.S. government program called the Cybercorps -- federally subsidized college level study to encourage training of persons skilled in computer security who would then serve in government for a period of years. Sounds like even more of this will be needed. When I looked for info about the program on the internet, couldn't find any. Do you know anything about the program and how to connect with it?

James Lewis: You can find it on the Critical Infrastructure Assurance Office (CIAO) webpage: www.ciao.gov

Click on "education" - let me know if this doesn't work.


Portland, Ore.: Previous news reports about the nation's infrastructure have said that there aren't any control systems directly connected to the Internet. But this latest report in The Post says that at least some are. How much of the electrical transmission system, for one, can be accessed from the Internet?

washingtonpost.com: Cyber-Attacks by Al Qaeda Feared (Post, June 27)

James Lewis: People have been moving systems onto the internet as it becomes more and more the core communications network for the US. What this means is that networked applications using the internet's TCP/IP protocol are replacing dedicated phone lines and other older technologies. The use of the Internet varies from industry to industry but it increases every year.


Jacksonville, Fla.: Will you define cyber terrorism in layman's terms and advise as to what ordinary citizens can do to protect themselves/be more aware of the signs.

James Lewis: Cyberterrorism is the use of the Internet by terrorist groups to carry out their operations, including fund-raising, propaganda and attacking networked infrastructure. Making sure that your home computer systems can't be exploited for use in an attack (the FBI has a webpage with tips at www.nipc.gov) and following good security practices at work will help.


Washington, D.C.: What is your view on the information sharing debate regarding sharing of cybersecurity related information between the private and public sectors? Is legislation the solution?

James Lewis: Companies say they won't share information about attacks and vulnerabilities because of their concern over the freedom of information act - FOIA. They worry that using FOIA, a competitor or a terrorist group could obtain damaging information - this sounds far fetched but it has happened in the past. I think legislation to protect critical infrastructure information is a necessary step, but even with FOIA protection companies will still be reluctant to share. Bottom line - the only way we'll get more is with legislation, but we still won't get it all.


Bethesda, Md.: After hardening security on a corporate network, following the guidelines published by the SANS institute, what further steps can a small company take to plug vulnerabilities in their network equipment, such as routers, switches, and the like?

James Lewis: If you are keeping up with your software patches, I would look at two areas. First, think about network management software that can automatically respond and alert you to unusual activity on your net, like an attack, without waiting for a human to notice. This might even save some money. Second, focus on getting employees to be security conscious - 'social engineering'* is still one of the most effective ways to penetrate a network.

*type social engineering into your browser for a definition and some funny stories.


Washington, D.C.: What are your thoughts on proposals to institute a national ID program? Do you think a "trusted traveler" program will be successful in increasing the levels of security at airports?

James Lewis: I wouldn't create a new national ID issued by the US government. We already have a national ID system, administered by the States, as almost all adults have a drivers license. Finding ways to make drivers licenses harder to obtain fraudulently would help, as would finding better ways to connect a drivers license to national criminal data bases. Right now, when you show your license at the airport, all they are verifying is that the face on the card is the same as the face of the person holding it. That's not very useful for detecting terrorists.

If the trusted traveller idea speeds the lines in airports and is well administered, I'm all for it.


Bethesda Md: Do you feel that Microsoft's "Palladium" concept, ie hardware embedded encryption and security, is where the network security industry is headed? What are the disadvantages of hardware embedded security to the industry, aside from having to re-write code?

James Lewis: Most people won't use encryption or other security measures until it is embedded and transparent to the user - meaning you don't have to do anything special to start it. An easy way to test this is to poll your friends on how many have ever sent an encrypted e-mail. I'm for embedding as long as the user knows exactly what is embedded and how he or she can control it.


Bethesda, Md: What are your thoughts about GIAC certification?

James Lewis: SANS does good stuff. There is more to security than GIAC, and the requirements for secure networks change continually, but GIAC can put you ahead of the curve.


Virginia Beach, Va.: Much of cybersecurity is a balancing act, keeping the network accessible, but keeping it controlled at the same time. How will we know if we are maintaining the proper balance?

James Lewis: It's a tough question. Here at CSIS we've installed a new security package that is routinely zapping harmless email and webpages. It probably needs to be reset. I'd say go for the maximum amount of pain your organization can accept. If you aren't getting a few complaints every month, the balance probably is tilted too far towards access.

Of course, I'm from a security background...


Arlington, Va.: I hear that EDS is working with Homeland Security to fix and improve security features such as the Smartcard to the Dept. of Defense and online security as well.

Will the government be distributing more online security/intelligence projects to various consultant firms?

James Lewis: I believe they will if you have contractual arrangements with them and it is required for you to participate in a program.


Washington, D.C.: It seems to me that in order to be effective in securing our critical infrastructure a "culture of security" must be adopted. How can the private and public sectors be successful in adopting a "culture of security" - what steps beyond what we already read about in the news can be taken to be truly successful in protecting our critical infrastructure?

James Lewis: This is a key question, and I'm disenchanted with the kumbayah approach (if we preach enough, people will do it). Actually, if we preach a lot, a few people will do it and the rest will move very slowly. I'd look for systemic fixes - SEC regulations, assignment of liability for damages, etc, that will make it in people's economic interest to change. I'd also build security features into software so that people get it and it runs whether they turn it on or not.


Philly, Pa.: Hi James,
What route should I take to join the NSA? I am an IT professional, but I'm just a regular citizen. I have a big desire to do security and I think the NSA would be a great place to start. Am I just 1 out of a million people that have the same desire?

Thanks Jamie.

James Lewis: www.nsa.gov - I think employment is the second link on the page. You might also want to look at the CIAO (www.ciao.gov) and the new Department of Homeland Defense when it gets itself up and running.


Reston, Va.: Hello,

Since amateur radio networks are completely invulnerable to cyber attacks, amateur radio networks should be used as backup in case of major cyber attacks. The amateur radio networks are invulnerable because they use human operators instead of automated digital switches.

James Lewis: Amateur radio has been used as an emergency network in the past. It doesn't work so well for mobile applications but it might not hurt to let your local police know that you have the capability.


Washington, D.C.: In the recent report by the National Research Council, a proposal was made to create an independent, nonprofit Homeland Security Institute to function as a think tank to analyze and test the effectiveness of counterterrorism technologies for the White House Office of Homeland Security. What are your views on this?

James Lewis: DOD, CIA, NIST, NSA, the new Department of Homeland Security (DHS - people in Washington are acronym-crazed) will all be testing different technologies. I'd rather see the task assigned to an existing agency like DARPA, and have places like DARPA find better ways to connect with Universities and the private sector to work on this kind of technology.


Cleveland, Ohio: What is the most recognized security certification in the industry? Who are the top dogs?

James Lewis: In part it depends on what industry you're in. SANS is well recognized and different industry sectors have their own programs (the financial community uses BITS, for example). You might want to check the ITAA website (they run the Information Sharing and Analysis Center for the IT industry) to see what they list.


Bethesda Md: Thanks for answering today...

One more question...Do you think that it's critical that security flawed software like IIS, Exchange, and SQL be abandoned as soon as there is a more secure alternative available to the public?

James Lewis: There are so many legacy systems out there that it will take a long time to move to more secure software. I don't think we can command people to abandon old software. Generally, I think we have to let the market take its course, but if there were more secure applications, we might want to think about how to create incentives to get people to move.


Washington, DC: Has a system of security clearances been established by the various government agencies and/or industries (electricity, gas, telecom) for companies wishing to provide services in cyber security? Has one been proposed? Or, will most contracts go to the usual round of suspects?

James Lewis: There hasn't been a system of clearances established and it is a wide-open market. On the other hand, government acquisitions regulations remain as complex and inscrutable as always, giving people who've worked with them before an advantage.


Seattle, Wash.: Can you recommend some top firewalls? What websites/news keeps you up to date on security information/updates?

James Lewis: ZDnet has good updates on software and you can get on several cybersecurity mailing lists. Most people I know use Black Ice or Zonelabs, but there are lots of good firewalls out there.


Washington, D.C.: How do you think the relationship between privacy and security will play out in the remaining Congress and then in the 108th?

James Lewis: The new Department of Homeland Security legislation is probably the only thing that will be passed this year that addressed security and privacy, but the privacy issue is central to a lot of the Homeland defense problems, so I expect it will be back. Growing interest from consumers in some sort of Federal approach to privacy guarantees continued Congressional action.


Washington, D.C.: How can states be successful in helping protect our critical infrastructures?

James Lewis: State governments can probably be more effective in working with the industries in their states than the Federal governments, and State legislatures can help move legislation needed for security - we've seen the States take the lead in digital signatures and privacy, so everything doesn't have to wait for Federal action.

Coordinating state and local government action with Federal efforts is one of the big problems for homeland defense, and it poses some real constitutional challenges we'll have to work through.


Miami, Fla.: Do you believe PKI should be used in protecting critical infrastructure?

James Lewis: I just came out of a three hour meeting where everyone thought that better internet identification (whether it's through PKI or something else) was critical for security. The problem is finding rules that let different cyberidentity systems work together and preserving the ability to be anonymous in some situations. Check our website (www.csis.org) in September for more on internet identity.


Phoenix, Ariz.: Who do you think has the best antivirus packages out there? How come?

James Lewis: Actually, I think they are all pretty good. It is a very competitive market, so they all have to stay on their toes and move fast.


Irvine, Calif.: Has anyone looked at all the Y2K-related code re-writing done in Pakistan and India as to backdoors which may have been placed in the code? Many of our largest corporations used off-shore software engineers to up-date their systems.

James Lewis: Yes, security agencies are aware that this could be a source of vulnerability and are looking at steps to rectify the situation. No one has found (as far as I know) any 'Trojan horses' yet.

That sounds good, but it is a hard problem to get your hands around. The only comfort is that other countries are as vulnerable as we are.


Washington, D.C.: A few days ago news came out about the FBI seeking to 'interlope' into citizens' library leasing habits. This is absurd and verges on the road to PARANOIA. Not even in WW2 did peoples' library info. go on tap by the Feds. The reason for it being absurd is that people can obtain info. on mass, chemical, biological or any other kind of destruction just by reading a book within the library and NEVER checking it out. Likewise in shopping mall bookstores as well as used book stores. Your thoughts!

James Lewis: I'd like to split the problem by saying that people should be able to read whatever they like without having J. Edgar Hoover breathing down their necks, but that the government should be able to look for possible terrorist activities where it needs to, including libraries. Reading a book should not be a crime, but if it is part of a larger pattern (phone calls to the UAE, suspicious money transfers, etc) it might be good to know. We can find ways to preserve civil liberty while increasing security awareness.


Washington, D.C.: How can hackers gain access and control to machines that don't even have Internet capability?

James Lewis: If a network is connected to the internet at a single point, anything on that network can be hacked.

Many devices beyond computers can be connected to the internet and have computing capability. This will only grow as we enter the age of "ubiquitous computing" and "pervasive connectivity." Cars, for example, have 40 to 50 microprocessors in them and as these microprocessors get the ability to connect to the internet wirelessly (this is a year or two away, at most) the car will be internet enabled. If a network is connected to the internet at a single point, anything on that network can be hacked.


Cleveland, Ohio: I am currently focusing on cyberterrorism for my senior thesis. Do you feel that new policies or standards should be implemented in corporate America? If so, what are some of those standards/policies?

James Lewis: The ISO and other organizations are looking at cybersecurity standards, but it's hard to come up with a good standard as we don't yet have enough information as to what works. The best we can do is manage risk in cyberspace, not eliminate it. Standards will get better only as we learn from experience what works and what doesn't.

The best thing for corporations might be an SEC requirement that they report their level of cybersecurity. This would provide a powerful incentive for improvement.


Ashtabula, Ohio: What new computer policies or standards should corporations be implementing now to help secure themselves from an attack?

James Lewis: A number of sites (the CIAO, NIPC, ITAA, SANS, VISA - the credit card people) have practices or guidelines that companies might want to look at as a first step in making themselves more secure.


Birmingham, Alab.: If we have computers from the enemy can we stop their attacks? If there was info about such attacks then we must know where and when they planned attacks. What kind of info was on their computers?

James Lewis: The US is still mining the trove of information it got in Afghanistan when it captured Al Qaeda computers. It won't stop their attacks, but it will help us better prepare for them and eventually track them down.


Washington, D.C.: Other than al Qaeda, what groups and/or countries do you believe pose a threat to the United States' cyber-security?

James Lewis: China makes a lot of noise about cyberwarfare, but the Russians have real capabilities.

Lots of fundamentalists groups like Al Qaeda (Hamas, for example) are interested in cyberattacks on the US.


Washington, D.C.: Are there currently any task forces or joint efforts between law enforcement organizations and/or info tech private sector organizations?

James Lewis: The US set up a number of "Information Sharing and Analysis Centers" (for industry groups) - check the CIAO website (www.ciao.gov). FBI also has programs, although these may change with the new Department of Homeland Security. For now, check www.nipc.gov


Alexandria, Va.: Because cyberspace knows no physical international borders, it is often difficult to persecute, let alone investigate criminal activity. Where do you see this going in the future? What about cyber law? Is there going to be a new worldwide juris code to cover this?

James Lewis: The US has been working on a common international approach to cybercrime for about ten years, primarily in the 'G8' countries. We've made good progress there. The real breakthrough is the Council of Europe's Convention on Cybercrime, which sets common standards for law enforcement across borders. About 35 countries, including the US, adhere to the convention. This international agreement is our best bet for better international law enforcement.


Washington, D.C.: Prevention is obviously the key to deal with this issue. With that said, do we really feel the al Qaeda forces have the technological expertise to pull something off of this magnitude? When I think computer-related technological advancements and the such, I usually associate it with Cal Tech or MIT not Afghanistan.

James Lewis: You're probably right in that it may be a while before they are entirely sufficient, but there are plenty of good programmers in Pakistan, plenty of free hacker tools on the net, and I've heard they may try to contract hackers from somewhere else (Russia, for example) to work for them.


Los Angeles, Calif.: If a defense contractor to the government makes a faulty aircraft part or rocket engine part, there's a huge uproar, Congressional investigations and media scrutiny. Yet if Microsoft or Oracle sell faulty software resulting in security breaches or problems due to bugs, there's nary a word about it, why the disconnect? How can our government in good conscience buy Microsoft products when it's plainly obvious they fail due to security and other defects?

James Lewis: Unfortunately, all software is buggy and vulnerable. Microsoft just gets in the news more. All software companies are making security a top priority - Microsoft closed down their Redmond campus for a month to concentrate on security - so the message has gotten through.

One incentive for software companies - I hear that trial lawyers are circling around software liability as the next big class action suit. That should scare anyone into moving.


James Lewis: The risk of cyberterrorism is often overstated - some of the literature reads like it was written by Chicken Little - but the risk of attack and damage to our economy is very real. It would be hard to shut down the power grid or water supply, but the most frightening scenario is a cyberattack in combination with a bombing. We need to take a sober look at the risks and then design a response - the US is actually doing pretty good at this, but there are still a lot of vulnerabilities.


James Lewis: Thanks, Jim Lewis



© Copyright 2003 The Washington Post Company