Who's Protecting Our Infrastructure?

No one. Computer-security standards that would thwart hacker terrorism against utility, telecom, health-care, or power systems don't exist

By Alex Salkever

Chris Wysopal, a computer-security expert, was scheduled to brief the Senate Governmental Affairs Committee in Washington, D.C., on Wednesday, Sept. 12. But when the Federal Aviation Administration grounded all national air travel after two hijacked planes struck the World Trade Center towers and a third set the Pentagon ablaze, Wysopal's appearance was postponed indefinitely.

His message, however, should not get drowned out in the din of war talk. A noted good-guy hacker and the research director of Web-security company @stake, Wysopal planned to deliver a candid assessment of how utilities, telecoms, and other critical national infrastructure providers protect their computer networks.

A HODGEPODGE.

  Wysopal's assessment? Much work remains to be done. While some critical infrastructure providers have rock-solid protections, all too many have neglected even the basic steps of encrypting databases, auditing their networks, and patching security holes on all their servers. When it comes to network security, "there need to be some minimum requirements," says Wysopal. "There are none now."

With major military action looming and the economy reeling, shoring up computer security among infrastructure providers might not seem a top priority. It would cost money, obviously, and might be inconvenient. Nevertheless, President George W. Bush should add the protection of infrastructure -- and the crucial computer systems that control it -- to the growing list of mandates under the rubric "Homeland Defense."

The very backbone of what makes America strong is the reliable provision of water, power, communications, and health care. Without these services, our ability to wage a war and to project power would be severely diminished. Furthermore, the disruptions to normal life unleashed if determined, malicious hacker-terrorists were successful could could be disastrous.

A BIT SHOCKING.

  How shaky is the protection of the computer networks embedded in our critical national infrastructure? That's hard to tell right now. Says Wysopal, who has audited security at a number of infrastructure providers: "It varies across the board. I have seen some excellent security in some places and very poor in others."

That's about par for a field where no national standards have been developed. But it's a bit shocking considering what's at stake. Imagine the chaos that could ensue should a terrorist act of mass destruction be combined with induced power or telecom outages.

Obviously, cell phones played a crucial role in the aftermath of the New York disaster. For many, they were the only means of contact with the outside world. Yet earlier this summer, Verizon Wireless, the nation's largest cell-phone provider, encountered horrendous problems after someone hacked into a customer database and dumped credit-card records into various Internet chat rooms. Many security experts commented, in the wake of that incident, that Verizon should do a total security audit. In response, the company said it would vigorously investigate the issue and put in place preventive measures.

POROUS 911.

  Here's another truly terrifying tale from a man who should know -- Thomas Noonan, the CEO of Internet Security Systems. One of the largest computer-security companies in the world, ISS builds software and sells protection services. That makes Noonan a personal target for nefarious hackers. Small wonder a police officer shows up at his front door at least once a week in response to "calls" by hackers who break into the 911 system. "It's just their way of letting me know that they can find me if they want," says Noonan. It also means that the 911 system, a decentralized but critical part of the infrastructure, needs a major network security overhaul.

No question, the cost of bringing infrastructure providers' systems up to snuff could well stretch into the billions. But what's a few more billion, considering the types of spending the U.S. is now looking at in the name of Homeland Defense? Computer-security standards for critical companies could end up being well worth the cost.

Salkever covers computer security issues twice a month in his Security Net column, only on BW Online

Edited by Douglas Harbrecht