WASHINGTON, Sept. 26 (UPI) -- In sworn testimony before a House committee Wednesday, computer security experts said U.S. computer networks, both governmental and private, are very vulnerable to cyber-terrorism.
Rep. Stephen Horn, R-Calif., chairman of the House Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, convened the hearing to examine how, in the wake of the Sept. 11 terrorist attacks, the country's critical infrastructure could cope with a concerted cyber-attack against its computer-related assets.
"During the crises in New York and Washington, we found that the nation's communication systems were not as strong as they needed to be," Horn said. "Imagine the repercussions if attacks on the federal government's critical computers were equally successful."
The majority opinion among the assembled witnesses left little doubt about the amount of work needed to resist an attack and recover from it. Joel Willemssen, the General Accounting Office's managing director of information technology issues, said the latest GAO review of government systems continues to show serious and widespread problems.
"Because virtually all federal operations are supported by automated systems and electronic data, the risks are very high and the breadth of potential impact very wide," Willemssen said. "The risks cover areas as diverse as taxpayer records, law enforcement, national defense and a wide range of benefit programs."
Ineffective management has hamstrung prior government efforts to tackle the problem, Willemssen testified. Recently passed legislation requiring annual evaluation of IT security plans, when properly enforced, will help improve matters, he said. Proper coordination between current cyber-security organizations and the newly created Office of Homeland Security also will be vital, he said.
Some of the blame for today's computer security problems, such as the recent "Nimda" worm, can be laid at the feet of software developers, said Richard Pethia, director of the CERT Coordination Center, an organization at Carnegie Mellon University in Pittsburgh that studies computer vulnerabilities and disseminates warning information.
"Today's commercial off-the-shelf (software) is riddled with holes," Pethia said. "Software design practices in use today do not yield software that's resistant to attack. Software implementation practices do not remove programming flaws that result in vulnerabilities, and default configurations shipped to customers leave security doors open, with users needing to take explicit action to close them."
These factors have spawned automated tools such as Nimda, which can severely damage systems before users are even aware an attack is under way, Pethia said. In addition to reversing the dangerous practices he listed, Pethia said computer and software makers must share more information on previous attacks, so future IT systems will more easily notice unauthorized activity and automatically defend against it.
Society in general can take steps to help, Pethia said. Universities should create a standard curriculum for information security, perhaps turning it into an entirely new engineering discipline. Even at the elementary school level, teachers can start showing tomorrow's users proper procedures for computer security, he said. In the long run, however, the entire IT industry will have to migrate to a set of hardware and operating systems designed with security as a core function, Pethia said.
The threat of a government -- or terrorist -- coordinated information warfare has increased since the Sept. 11 attacks, said Michael Vatis, director of Dartmouth College's Institute for Security Technology Studies, and the former director of the National Infrastructure Protection Center, an FBI organization coordinating the nation's cybersecurity effort. Targets of such an "infowar" could include domain name servers -- Internet address repositories, he said, or the routing hardware that directs information through the Internet.
It is clear terrorist organizations have used IT for other parts of their activities, Vatis said. Countries such as Libya and Iraq also are thought to have infowar capabilities, he said, and terrorist sympathizers and anti-globalization groups could also pose a threat.
"What's needed today is essentially a 'Manhattan Project' for counter-terrorism technology," Vatis said. "America's leading computer scientists, industry, academia and government ... can design tools and technology to secure the information infrastructure that provides the foundation for our economy and national defense."
Other steps to take include making frequent backup copies of vital data, Vatis said, as well as configuring routing hardware to reject information packets from mistrusted addresses.
While much needs to be done, the picture isn't all bleak, said Ronald Dick, NIPC's director. The center already has helped coordinate responses to Nimda and the earlier "Code Red" worms, he said, and is working closely with the Defense Department and intelligence agency investigations into the Sept. 11 attacks.
"The center has provided detailed information used to brief the National Command Authority about how the terrorist cells ... used technology to further their murderous activities," Dick said. The center is also working with Vatis' group to study possible future cyber-threats, he said.
