One of the nation's leading computer-security authorities has sent a wake-up call to the federal government. "The infrastructure stinks," Peter Neumann, principle scientist at SRI International, said Monday, speaking to an audience of computer-security professionals at the Network Security and Firewalls 97 conference in San Jose, California.
Neumann, who also moderates the popular comp.risks Usenet forum, was an advisor on the recent President's Commission on Critical Infrastructure Protection (PCCIP). The report, which is still largely classified, recognizes that the nation's critical infrastructures - telecommunications, power, water, banking, etc. - are extremely vulnerable to attack.
"When it comes to the computer information infrastructure, they really did get to the conclusion that things aren't good, we're in serious shape," Neumann told the crowd. "But their recommendations are pretty much - I wouldn't say pablum - but they are fairly obvious. They are the kinds of recommendations that you or I might have written a year ago."
Among the report's conclusions is that "cyber attacks can be conceived and planned without detectable logistic preparation. They can be invisibly reconnoitered, clandestinely rehearsed, and then mounted in a matter of minutes or even seconds without revealing the identity of the hacker."
Neumann said that the PCCIP's greatest shortcoming was "tunnel vision" among the 17 commissioners: "The water person knew water, the power person knew power. But the commission didn't appreciate until the last month that every critical infrastructure is connected to computer communications infrastructures."
Further, said Neumann, one of the most valuable and essential security solutions - cryptography - was off limits from the beginning. "Whether they were told not to touch it, or if they decided that it was so contentious that they couldn't do anything with it, they simply ducked it. All they did was say that it's important and that we need to have it."
Neumann also touched on physical security and social engineering. Ironically, Nancy J. Wong, one of the commissioners, is the manager for Information Assets and Risk Management for Pacific Gas & Electric - which last week found itself the target of sabotage that cut power to 126,000 San Franciscans. The sabotage is being investigated by the FBI as an inside job.
"There were people who had keys [to the PG&E substation] but were no longer employees. There were people who walked in and out and were recognized but not questioned," said Neumann.
One of the commission's recommendations is an Information Sharing and Analysis Center, which would compile incident and intrusion reports in a similar manner to the Computer Emergency Response Team.
But Neumann is skeptical, pointing to the widespread denial of vulnerability among phone companies and banks.
"The banks are categorically unwilling to talk about [hacking] for competitive reasons. So whether you can get a bank to admit that it's been taken to the cleaners, and then to hush it up - they've either hired the penetrator or paid off the folks who lost money to pretend it never happened - this is a very difficult issue," he said.
"It's not clear at all where we go from here."
Last updated 28.Oct.97
Copyright © 1993-97 Wired Ventures Inc. and affiliated companies.