NIPC Reaches Out to Private IT Sector

NEW YORK — With so much of the nation’s critical infrastructure in the hands of the private sector, especially as federal officials
are striving to create a cohesive homeland defense strategy, the government is reaching out to the technology industry in an effort
to raise awareness of security issues.

That’s what brought Harold Hendershot, of the Federal Bureau of Investigation’s National Infrastructure Protection Center (NIPC), to
give a keynote address at TechXNY at the Jacob Javits Convention Center in New York Wednesday.

“Technology has exploded, and so has crime on computers,” Hendershot said. He added, “We are today in a society without borders. We
don’t have borders to watch anymore.”

The need to think about the nation’s critical infrastructure — those physical and cyber-based systems essential to the minimum
operations of the government and economy — has been highlighted by the events of the past year, especially the destruction of an
essential telephone switch under the World Trade Center on Sept. 11, and the fire in the Baltimore tunnel which destroyed two
backbone fibers, severely disrupting Internet traffic.

Disruption of telephone service can close down airports, and Hendershot noted that lightning strikes to two of Washington, D.C.’s
four radio towers recently brought down the city’s 911 dispatch operation, forcing the dispatchers to use cell phones to dispatch
calls. And cellular networks can be severely taxed by spikes in use.

But it doesn’t take a physical attack to bring down infrastructure. Hendershot noted that cyber vulnerability stems from easy
accessibility to infrastructures via the Internet, and that globalization of infrastructures increases exposure to potential harm
while the interdependencies of systems make attack consequences harder to predict and potentially more severe.

At the same time, the tools necessary to perpetrate an attack are fairly easy to obtain and use. “Tools to do harm are widely
available and do not require a high degree of technical skills,” Hendershot said.

Hendershot explained that the FBI classifies cyber-criminals in three categories:

  • Unstructured threats, consisting of company insiders (or disgruntled former employees) and intruders (both hackers and crackers)
  • Structured threats, like organized crime (which has engaged in large-scale credit card fraud by invading the servers of
    e-commerce sites), industrial espionage and hacktivists (which mainly use hacking to deface Web sites as a form of civil

  • National Security threats, like terrorists, including groups like the Tamil Tigers and Hizbollah.

Like Hacktivists, Hendershot said terrorist groups have mainly confined their activity to defacing Web sites, and using the Internet
for communication and fundraising efforts. They have not yet attempted attacks on critical infrastructure, but Hendershot stressed
the “yet.”

He explained that the next war in which the United States engages will begin with information warfare — the U.S. will attack
critical infrastructure first, before bombers or ships or soldiers arrive at the scene. But he noted that enemies of the U.S. are
sure to attempt the same.

He also explained that information theft can be a danger to national security, referring to an ongoing investigation in which a
foreign government has spent years stealing unclassified technologies which seem innocuous in themselves, but can be combined with
other technologies and put to military uses.

“So what’s the fix?” he asked. “The fix is all of us working together.”

He stressed that both government and the private sector bring valuable assets to the table in the effort to guard the nation’s
infrastructure. The private sector, he said, is the first to become aware of system vulnerabilities and incidents, is able to
respond instantly to attacks, is the most familiar with the technology in question, and has the most incentive to protect it. The
government, he said, has broad access to threat information, is in a better position to disseminate information, and has response
and investigation capabilities.

To enable that collaboration, Hendershot recommended businesses look into InfraGuard, an
information sharing and analysis effort which is a cooperative undertaking between the NIPC and an association of businesses,
academic institutions, state and local law enforcement agencies, and other participants dedicated to increasing the security of
United States critical infrastructures.

He also said businesses need to assess their security from multiple perspectives, including operational security, physical security,
communication security and personnel security.

“We have to bring [security] to the forefront,” he said, advising attendees to make sure that default settings are changed when
boxes are set up, and that passwords are changed frequently. “Start thinking about using firewalls and other security devices,” he
said, adding that the security of networks is only as strong as its weakest point. If a network has a system has a trusted
relationship with another system, and that system is compromised, the first system is compromised as well.

News Around the Web