When he addressed security professionals at RSA’s security conference last month, Department of Homeland Security Secretary Michael Chertoff wasted no time in indicating that the financial system represents the heart of the risk. “Imagine, if you will, a sophisticated attack on our financial systems that caused them to be paralyzed,” Chertoff said. “It would shake the foundation of trust on which our financial system works.”
It may have been the mass DDoS attack against Estonia last May that finally woke the federal government up, but since January of this year it has begun to offer details of an expensive and targeted defensive cyber-security plan. The new initiative is “essentially throwing out everything we’ve done before and replacing it with actual security,” says Alan Paller, research director at the SANS Institute.
Chertoff dubbed the effort a cyber security “Manhattan Project,” a term bandied about for almost a decade among security analysts appalled at the state of cyber defenses and calling for concerted effort. The new initiatives were codified on January 8 when President Bush signed national security and homeland security presidential directives on cyber security. The directives are classified, but DHS says current measures include hiring additional personnel to support the U.S. Computer Emergency Readiness Team (US-CERT); expanding the EINSTEIN network intrusion early warning program to all Federal departments and agencies; cutting the number of Internet connections to federal agencies from thousands to about 50; creation of the National Cyber Security Center, which brings together federal cyber security organizations, headed by former financial technology executive Rod Beckstrom; and a number of other operations.
All told, it’s estimated that the government will spend between $30 billion and $40 billion on the efforts. “The president found out how wrong [the previous approach] was, and authorized doing it right,” Paller says.
Most agree that the plans as announced represent a new level of financial and political commitment to addressing cyber security, both offensively and defensively. But from there the consensus falls apart, with disagreement both on origins and adequacy of the effort.
Paller, among others, says the federal government’s newfound attention to the issue is the result of a “cyber Pearl Harbor”—a devastating cyber attack that already occurred and was “really awful and sort of scared everybody.”
Michael Vatis, now partner at Steptoe & Johnson, coined the phrase “cyber Manhattan Project” in 2001 when he was director of the Institute for Security Technology Studies at Dartmouth College. Still deeply involved in the issue of cyber security, Vatis doesn’t think we’ve already been the target of a catastrophic cyber attack. “The idea that anything akin to Pearl Harbor has already happened is wrong,” he says. “There have been major attacks … but they are different from the implications of a ‘Pearl Harbor.’”
Arguing over the severity of past attacks sounds a bit academic, given how much of the relevant information is classified. More important is how the new efforts will help shore up the nation’s cyber defenses. “I’m glad Chertoff’s talking about it because it’s long overdue and it’s way too little,” Vatis says. “It just seems like it’s a drop in the bucket compared to what’s needed.”
Others argue that the country still lacks a high-level cyber-security strategy. “So far there are a whole bunch of tactics. But is there an over-arching strategy that’s missing?” says William Hugh Murray, a security industry veteran and consultant to Verizon Business.
Many security analysts would agree with this statement, and take it further. Paller says that most global companies have likely been deeply penetrated by hackers, and that short of scrapping their entire systems they’ve little hope of eradicating the backdoors already installed.
The question for financial institutions, and for the rest of the country’s critical infrastructure sectors, is how federal and private efforts can improve the overall situation, and what role industry plays in mitigating cyber threats and bolstering the country’s cyber defenses.
“In some respects this new initiative maybe is a somewhat different approach, where government is looking to what private industry is doing to see what government can do to improve its own security,” says Eric Guerrino, chairman of the Financial Services Information Sharing and Analysis Center (FS/ISAC) and SVP at Bank of New York Mellon.
Paller suggests that rather than being worried that the government’s new initiatives might have privacy implications, institutions are more interested in piggy-backing on the technology.
On the proactive side, the Business Software Alliance believes that private industry needs to push for stronger cyber-crime laws to enable law enforcement to prosecute crimes more easily, and has called for the federal government to demonstrate greater information sharing, especially once the new federal monitoring capabilities are in place.
“Right now there are a lot of sector-specific efforts, like the ISACs, that have been [created],” says Franck Journoud, manager of information security policy at BSA. “We need to see a lot more of that. Where if a company sees an attack pattern it can be communicated in real time between other companies, and between the Feds and us.”
Vatis adds that companies should push the new presidential administration to make cyber security a top priority, going as far as to call for a cyber arms control agreement. “This is a role where U.S. leadership, early, before this one gets out of hand, would be really helpful,” he says. “And I think private industry has a crucial role. If they don’t call for it, it is unlikely to happen until there are devastating attacks.”