[ISN] The Minister of Net Defense

From: InfoSec News (isnc4i.org)
Date: Thu Apr 10 2003 - 02:25:33 CDT


http://www.wired.com/wired/archive/11.05/schmidt.html

By Douglas McGray
Issue 11.05 - May 2003

WIRED: If there's a big cyberattack, is it likely to be by accident or
by design? A hacker's project gone awry or a coordinated terrorist
attack?

SCHMIDT: The big one is likely to be very, very focused and very
designed. We have this debate internally on a regular basis.

WIRED: Who is the most likely perpetrator?

SCHMIDT: Our perspective is, it doesn't make any difference whether
it's from a source in the Mideast or from one in the Midwest.

WIRED: Your predecessor, Richard Clarke, used to talk about the
likelihood of a digital Pearl Harbor. Others have dismissed
cyberattacks as weapons of mass annoyance. That's a pretty wide
spectrum.

SCHMIDT: I use the term weapons of mass disruption. Is it possible
that we could have a catastrophic failure on a regional basis?
Absolutely. Could we see that on a universal basis? That likelihood
has been reduced significantly.

WIRED: What worries you, then?

SCHMIDT: An unknown vulnerability in a system that someone chooses to
exploit in conjunction with some sort of a physical attack.

WIRED: Wouldn't it be difficult to coordinate a cyberattack with a
physical attack like a bombing?

SCHMIDT: If you have something that can proliferate quickly, like the
Slammer, it would be relatively easy to orchestrate.

WIRED: Most of the big hacks have affected data, rather than control
systems. Why is it easier to fry bank records than to knock out the
power grid?

SCHMIDT: The technology that runs the banking system and the Internet
is very public. A lot of it has come from a foundation of open
standards, so we understand it much better, whereas digital control
systems run in a proprietary manner. You need specific knowledge about
what it does and how it does it. There has been a shift -
appropriately so, for cost efficiencies and everything else - to
enabling some of those open technologies in control systems, but we
need to protect against those things becoming a failure point.

WIRED: Walk me through the first moments of a big cyberattack. The
Slammer worm, for instance.

SCHMIDT: The private sector sees what's going on long before the
government catches on. Generally, they'll see a spike in activity at
some of the main Internet monitoring points. Nanog [North American
Network Operators Group] was one of the first groups to post on an
email list that they saw something strange.

WIRED: Would ISPs investigate?

SCHMIDT: They're the ones monitoring the health of their networks.
They figure, jeez, this isn't something where someone has
inadvertently turned off the DNS. This is something malicious, and
it's moving at an alarming rate.

WIRED: Then what?

SCHMIDT: The next step is to identify how the maliciousness is
manifesting itself. Is it a worm? Something that somebody sent out via
email? Within the first hour or so, there's analysis of the code. Then
some of the downstream providers are notified, and the government is
brought online.

WIRED: Who in Washington gets the call?

SCHMIDT: Right now, it's not as clean as we'd like. In the future, one
of the first calls will go to the Department of Homeland Security.
[Now] the person on my staff who monitors Nanog gets the call.
Simultaneously, the National Communications System is notified and, of
course, the FBI's National Infrastructure Protection Center.

WIRED: Clarke wrote in a memo that the fast-moving Slammer was a dumb
worm that was easily and cheaply made. And that, with slight
modifications, the results of the worm would have been more
significant.

SCHMIDT: It had no payload. This was strictly a denial-of-service
activity in which it was looking for the port and using the worm to
propagate a subnetwork connection. The effect of that was some
restriction in the use of ATM machines and databases that provide
airline reservations. And in one case, a voice-over-IP system for a
911 dispatcher was affected.

WIRED: What could a loaded Slammer have done?

SCHMIDT: One payload could have injected other code, which would have
opened system backdoors under the context of administrator root
privileges. Hundreds of thousands of systems could have been taken
over.

WIRED: Critics have said that your strategy relies too much on the
goodwill of big business, that without new regulations, it has no
teeth.

SCHMIDT: What would you legislate? From this moment forward, you will
not have more than 10 vulnerabilities during a year? And then what
happens? Do we fine you? We have to be very practical when we look at
this.

WIRED: Are there ways besides regulation that the government can
enforce its priorities?

SCHMIDT: The power of the government's purchasing dollar. The Office
of Management and Budget now asks, You want to spend money on an IT
project? Give me your security plan, or you don't get the money.

WIRED: How tough will the government really be? Five years from now,
if Microsoft still has the vulnerabilities it does today, will you cut
it off?

SCHMIDT: I wouldn't say any particular company...

WIRED: But Microsoft is a good example, because the government is its
biggest client.

SCHMIDT: If you're not going to provide good security, and you're not
going to provide good quality control in engineering in the products
you provide us, we're not going to buy it.

Douglas McGray interviewed Andrew Marshall in Wired 11.02

 

-
ISN is currently hosted by Attrition.org
