BY SHARON STORM
Vidyut Patel, program director of information systems security infrastructure for the Federal Aviation Administration, described that organization's computer security as being so effective that even an "expert hacker" would be challenged. But Peter Neumann, principal scientist at SRI International, countered that the FAA was using 30-year-old technology that could be breached. Prospects for upgrading it, Neumann said, were difficult because "commercial [security system] vendors want to lock you into their system for life."
The debate over whether cyber criminals pose a major threat to computer networks was the subject of a two-day conference held on campus last month. Although there have been a growing number of reports about computer networks being invaded by unauthorized users, security experts still wonder whether the threat of a major system breakdown is taken seriously.
"People say there's no problem because we haven't had a cyber meltdown, [but] that's a very slippery slope on which to base assumptions," Neumann said during one of the sessions of the National Security Forum, International Cooperation to Combat Cyber Crime and Terrorism, which took place Dec. 6 and 7.
The forum was hosted by the Hoover Institution, which co-sponsored the event along with the Consortium for Research on Information Security and Policy (CRISP) and the Center for International Security and Cooperation.
During the forum's opening plenary session, FBI Senior Supervisory Agent Alan Carroll, who is assigned to the National Infrastructure Protection Center (NIPC) in Washington, D.C., stressed the destructive potential of online crimes. "Imagine the possibility of a World Trade Center-type bombing via cyberspace," he said. "The folks in the NIPC are trying to impress that this is a very real situation."
A challenge for every organization that investigates cyber crimes is a lack of uniformity in laws among states and countries. At another conference session, experts explored the potential for developing a consensus modeled after multilateral agreements used to combat airline terrorism. Panelists expressed divergent viewpoints on the ability of current computer networks to withstand attacks and discussed the likelihood of an international agreement to prosecute cyber criminals.
"Each country defines 'unauthorized access' differently," said David Elliott, an executive committee member of CRISP. "We need to encourage nations to develop common laws."
Drew Arena, senior counsel to the assistant attorney general in the Justice Department, argued that a lack of consensus hasn't stopped a myriad of organizations from increasing the awareness of cyber crimes. He also pointed out that achieving a global consensus might be difficult at best. "Sometimes trying to nail down a solution guarantees it will be obsolete," Arena said.
During another session, Thomas Longstaff, manager of research and development for the Computer Emergency Response Team (CERT) at Carnegie Mellon University's Software Engineering Institute, noted that very few Internet sites are secure. CERT, a federally funded center, studies Internet security weaknesses, provides response services to sites that have been attacked, and publishes a variety of security alerts. (CERT reports are available on the Web at www.cert.org.)
"The Internet is 90 percent junk and 10 percent good security systems," Longstaff said. "[When] intruders find systems that are easy to break into, there's no defense from a victim's perspective [other than to pull their site off the Web]." Longstaff encouraged policy experts and technology security experts to communicate with each other and build relationships based on trust.
According to Stephen Lukasik, a visiting scholar at CRISP, Internet attacks seem likely to rise. "We're beginning to notice that the water is rising, but we don't see the flood that's coming. We're going to run out of cops and courts before we run out of crooks."
Joseph Betser, project leader of business development and program management at the Aerospace Corporation in El Segundo, suggested that a collaborative group of security organizations develop automated responses to threatened attacks and improve tracking capabilities after attacks occur.
While state-of-the-art monitoring tools may be effective in catching cyber criminals, they also have the potential to become too invasive if misused, some experts pointed out.
"We don't all live in a democratic society that respects human rights," said Barry Steinhardt, associate director of the American Civil Liberties Union. "Tools that are used sparingly in the West won't be used sparingly elsewhere. It's cold comfort to a Chinese dissident if technology developed in the West is used against [him]."
Whitfield Diffie, a distinguished engineer at Sun Microsystems who is credited with discovering key cryptography in 1975, said police should focus their efforts on individual, rather than group, surveillance.
A draft international convention
treaty that addresses cyber crime and cyber terrorism issues, such
as consensus on legal definitions, jurisdiction, chain of evidence
and extradition procedures among signatory nation states was
presented at the conclusion of the conference. Hoover Institution
Senior Fellow Abraham Sofaer and CRISP Director Seymour Goodman
both expressed hope that more information would be available about
cyber crime. Goodman added that a book and possibly additional
publications would result from the forum. SR