Michael Vatis, director of the Institute for Security Technology Studies (ISTS) at Dartmouth College, is working to identify top vulnerabilities and he wants to pull together voices from industry, government, academia and law enforcement to devise a plan to eliminate, or at least defuse, them.
And Vatis has a long history in the security arena. Before joining the ISTS in the spring of 2001, he founded and served as the first director of the National Infrastructure Protection Center (NIPC) in Washington, D.C. The NIPC is part of the FBI and acts as the lead federal agency responsible for detecting, warning of and responding to cyber attacks, including computer crime, cyber terrorism and cyber espionage. Vatis also worked with the U.S. Department of Defense and the Department of Justice, which funds the ISTS.
In this Q&A, Vatis, sitting in his office on the edge of the Dartmouth campus, talks about the potential for a cyber terrorist attack on corporate America, our ability to defend against it, the impact it would have on the economy and the future of information warfare.
Q: How prepared are U.S. companies for a cyber terrorist attack?
As a general matter, companies, government agencies and academia are inadequately prepared. Too little attention is paid to security, too few resources are devoted to it.
Q: Has corporate security improved since the attacks of Sep. 11?
Since then, more companies have taken needed steps but we're not close to where we need to be. It's just not where we must be...Certainly, there's more attention to the issue than two, three, four years ago. The spectre of threats is growing. There are more attacks. The sophistication of those attacks is growing. There are terrorist groups to deal with. Foreign nation states are using cyber technologies.
Q: Have the number of network attacks increased since Sep. 11?
I can't tell you that yet. We're waiting for a little more time to pass and then we'll do a study. I've seen conflicting reports. My gut feeling is that the level of attacks has been on a steady upward slope, but I don't know if they're up because of Sep. 11.
Q: Do you expect a cyber terrorist attack?
Given that there has been evidence of Al Qaeda planning for it and there still are Al Qaeda members on the loose, I think we definitely could see direct cyber terrorist attacks. Professionally, I think a stand-alone cyber attack is the most likely, rather than a coordinated effort with a physical attack. It definitely could be coupled with a physical attack, but it's easier to plan and execute a cyber attack than plan the timing of a physical and cyber attack.
Q: What networks do you think terrorists might target?
Targets we're likely to see hit by cyber attacks are critical infrastructures. That's where the impact would be the broadest and most severe. We've seen Al Qaeda planning to take out dams and power grids. Government agencies are always a target for hackers, and terrorists wouldn't be any different. Banks, [financial houses, and traders] are big targets because of the impact it would have on the economy.
Q: What kind of cyber attacks worry you the most?
All of them. What people could do is almost limitless because the vulnerabilities are almost endemic. Attacks on various financial networks could affect the economy badly. Denial of Service or an attack that affects the integrity of the information in those networks could have a major impact. Most cyber attacks are of a limited duration, but a lasting impact could be customer confidence. With a financial attack, the residual impact would be greater than an attack on an electric grid because it's a sector where confidence is everything.
Q: What are the biggest vulnerabilities?
The vulnerabilities are endemic because we have whole networks and infrastructures built on software that's insecure. Once an outsider gains root access, he could do anything. Any given day, some new vulnerability pops up.
Q: What should CIOs and network administrators be doing to protect their systems?
There has to be a holistic approach. There's no silver bullet. There has to be perimeter security, security at the application level, anomaly detection on the network, and attention to personnel security because insiders are responsible for so much of the attacks and the damage. And a company that depends on one or more ISPs has to plan for an outage of that ISP or telecom. If your telecom goes down, your company may not have been penetrated but you still can't talk to the world. You can't just worry about perimeter security. As long as a company needs communication to the outside world and has pipes to communicate with the world, someone could get through...You could have the best perimeter security, but if someone can call the CEO's secretary and get the boss' password and ID, you've wasted a lot of money on fancy security measures...You need means to detect and respond.
Q: How are network attacks changing and what is looming ahead?
The kind of attacks we've seen -- teenage virus writers and hackers damaging systems as a form of vandalism or for bragging rights -- that's the past. Now, it's organized crime groups. And foreign governments are using these technologies for economic and industrial espionage. And we have to deal with terrorist groups. It hasn't happened yet but it could happen this afternoon. It's that imminent. Information warfare is a reality. Rather than just firing missiles, countries will use a cyber attack against each other. Lots of governments have departments for it set up. China has been open in its discussion of it. China has talked about using a cyber attack against Taiwan if they go to war with them. That's something we're certain to see in the future.
Q: When you were speaking in front of a House subcommittee on the country's preparedness for a cyber terrorist attack, you advocated forming a team resembling the Manhattan Project. What did you mean?
In the post 9/11 world, government and industry and academia need to gather their best minds to address these vulnerabilities. We have a dire need for technology to detect chemical or biological weapons in containers on trucks or released in a subway system. I called for a Manhattan Project to bring the best scientific minds together.
Q: Is that happening?
On the cyber side, we're leading an effort with the Institute for Information Infrastructure Protection (I3P). We're the manager of the I3P. The mission is to bring together the best minds and develop a prioritized research agenda for cyber security. No one has laid out a list of the Top 10 problems. We're consulting with people in government, people in industry and users of technology to assess needs in the near term and in the long term. By the beginning of next year, we'll publish a research agenda. Hopefully, there will be a consensus document on what are the top vulnerabilities and attacks. If we get more funding this year, we'll fund research -- by people who present proposals -- on these ideas.
Q: How should government and industry be working together?
That's improved a lot over the last few years. The I3P is an attempt to do that. When I was director of the NIPC, we focused on sharing information about threats. In the cyber area, companies are the most common victims of attacks. Government can't analyze that information and determine what the trends are or if this is telling of a larger attack coming, if private companies don't share information about their attacks...There's still the thought that companies that have been attacked should keep the information about it internal, rather than share that information with law enforcement and government agencies...If they don't have a good relationship with the government, they won't get the threat information they need and their ability to respond is going to be limited.
Q: If there's one thing you could tell CIOs and CSOs to do, what would it be?
There's no one thing, but one message is that senior management needs to make security a priority. CEOs and Boards of Directors need to pay attention to security and make sure resources are devoted to it.