Risk
4/8/2008
06:01 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

RSA: Chertoff Likens U.S. Cyber Security To 'Manhattan Project'

The Homeland Security secretary calls for beefing up the cyberdefenses of federal agencies and making sure all of them can respond to threats around the clock.

In a keynote address at the RSA Conference in San Francisco, Homeland Security Secretary Michael Chertoff warned that the damage caused by a large-scale cyberattack might result in consequences comparable to the Sept. 11, 2001, attack on the World Trade Center buildings in New York.

"We have to look not only at threats that have materialized in the past," said Chertoff. "We have to consider the threats that may materialize in the future. ... We know that a successful large-scale cyberattack against our country would have very wide-reaching consequences."

Through the Internet, terrorists and criminals can do the kind of damage they could never do on their own, Chertoff said. As an example, he cited the massive denial-of-service attack launched against Estonian government computers last year.

"This attack went beyond simple mischief, it represented an actual threat to the ability of the Estonian government to govern the country," said Chertoff.

"Imagine what would happen if it were possible for hackers to enter the air travel system," he said.

Chertoff characterized cybersecurity as a very serious challenge, one that is likely to grow more serious over time. A network response, he said, is necessary to deal with network attacks.

"It takes a network to beat a network," said Chertoff.

Though US-CERT, the U.S. Computer Emergency Readiness Team, which provides information necessary to defend the nation's networks, Chertoff hopes to bring additional resources to bear to defend the country's computers.

Chertoff likened the government's attempt to improve its cybersecurity to the intensive effort of the Manhattan Project that brought the atomic bomb to fruition. In January, President Bush signed an order that gave DHS and the National Security Agency greater power to oversee government computer security. Details about what the agencies are doing remain classified.

Presently, Chertoff said it's not possible to monitor access to federal networks in real time, not all federal agencies have 24/7 network monitoring capabilities, and US-CERT's Einstein system is too backward looking in that it identifies threats that have already had an impact.

Chertoff said the government simply doesn't respond fast enough across the board. "The time delay is time that we cannot afford to lose in a world where attacks come literally in microseconds and from all corners of the globe," he said.

In keeping with the President's National Strategy to Secure Cyberspace, Chertoff aims to reduce the number of network access points into federal agencies from about 1,000 presently to about 50. He called for beefing up the cyberdefenses of federal agencies and making sure that all of them can respond to threats around the clock.

"The best way to deal with an attack is to prevent it before it happens rather than after it has occurred," Chertoff said.

Chertoff also emphasized the need for the federal government to engage with the private sector, given that so much of the nation's critical infrastructure is secured by private organizations.

And at some point when the government's network security systems are more responsive, Chertoff said he expected that the government would share some network security data to help the private sector keep its systems secure.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2004-2771
Published: 2014-12-24
The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an email address.

CVE-2014-3569
Published: 2014-12-24
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshak...

CVE-2014-4322
Published: 2014-12-24
drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or c...

CVE-2014-6132
Published: 2014-12-24
Cross-site scripting (XSS) vulnerability in the Web UI in IBM WebSphere Service Registry and Repository (WSRR) 6.3 through 6.3.0.5, 7.0.x through 7.0.0.5, 7.5.x through 7.5.0.4, 8.0.x before 8.0.0.3, and 8.5.x before 8.5.0.1 allows remote authenticated users to inject arbitrary web script or HTML vi...

CVE-2014-6153
Published: 2014-12-24
The Web UI in IBM WebSphere Service Registry and Repository (WSRR) 6.3.x through 6.3.0.5, 7.0.x through 7.0.0.5, 7.5.x through 7.5.0.4, 8.0.x before 8.0.0.3, and 8.5.x before 8.5.0.1 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.