NIPC Reaches Out to Private IT Sector
Page 1 of 1
NEW YORK -- With so much of the nation's critical infrastructure in the hands of the private sector, especially as federal officials are striving to create a cohesive homeland defense strategy, the government is reaching out to the technology industry in an effort to raise awareness of security issues.
That's what brought Harold Hendershot, of the Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC), to give a keynote address at TechXNY at the Jacob Javits Convention Center in New York Wednesday.
"Technology has exploded, and so has crime on computers," Hendershot said. He added, "We are today in a society without borders. We don't have borders to watch anymore."
The need to think about the nation's critical infrastructure -- those physical and cyber-based systems essential to the minimum operations of the government and economy -- has been highlighted by the events of the past year, especially the destruction of an essential telephone switch under the World Trade Center on Sept. 11, and the fire in the Baltimore tunnel which destroyed two backbone fibers, severely disrupting Internet traffic.
But it doesn't take a physical attack to bring down infrastructure. Hendershot noted that cyber vulnerability stems from easy accessibility to infrastructures via the Internet, and that globalization of infrastructures increases exposure to potential harm while the interdependencies of systems make attack consequences harder to predict and potentially more severe.
At the same time, the tools necessary to perpetrate an attack are fairly easy to obtain and use. "Tools to do harm are widely available and do not require a high degree of technical skills," Hendershot said.
Hendershot explained that the FBI classifies cyber-criminals in three categories:
- Unstructured threats, consisting of company insiders (or disgruntled former employees) and intruders (both hackers and crackers)
- Structured threats, like organized crime (which has engaged in large-scale credit card fraud by invading the servers of e-commerce sites), industrial espionage and hacktivists (which mainly use hacking to deface Web sites as a form of civil disobedience)
- National Security threats, like terrorists, including groups like the Tamil Tigers and Hizbollah.
Like Hacktivists, Hendershot said terrorist groups have mainly confined their activity to defacing Web sites, and using the Internet for communication and fundraising efforts. They have not yet attempted attacks on critical infrastructure, but Hendershot stressed the "yet."
He explained that the next war in which the United States engages will begin with information warfare -- the U.S. will attack critical infrastructure first, before bombers or ships or soldiers arrive at the scene. But he noted that enemies of the U.S. are sure to attempt the same.
He also explained that information theft can be a danger to national security, referring to an ongoing investigation in which a foreign government has spent years stealing unclassified technologies which seem innocuous in themselves, but can be combined with other technologies and put to military uses.
"So what's the fix?" he asked. "The fix is all of us working together."
He stressed that both government and the private sector bring valuable assets to the table in the effort to guard the nation's infrastructure. The private sector, he said, is the first to become aware of system vulnerabilities and incidents, is able to respond instantly to attacks, is the most familiar with the technology in question, and has the most incentive to protect it. The government, he said, has broad access to threat information, is in a better position to disseminate information, and has response and investigation capabilities.
To enable that collaboration, Hendershot recommended businesses look into InfraGuard, an information sharing and analysis effort which is a cooperative undertaking between the NIPC and an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to increasing the security of United States critical infrastructures.
He also said businesses need to assess their security from multiple perspectives, including operational security, physical security, communication security and personnel security.
"We have to bring [security] to the forefront," he said, advising attendees to make sure that default settings are changed when boxes are set up, and that passwords are changed frequently. "Start thinking about using firewalls and other security devices," he said, adding that the security of networks is only as strong as its weakest point. If a network has a system has a trusted relationship with another system, and that system is compromised, the first system is compromised as well.