Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/8/2006
11:36 AM
50%
50%

Post 9/11: Five Years Of IT Promise And Failure

Sept. 11, 2001, spurred IT innovation and integration like no other event in history. Driven by fear, defiance, and inspiration, industry and government quickly promised to correct the conditions--including siloed data repositories, incompatible communications systems, and lax security practices--that allowed the terrorist attacks to be executed with such deadly precision. How far have we come in five years? Let's put it this way: We've got a long way to go.

Sept. 11, 2001, spurred IT innovation and integration like no other event in history. Driven by fear, defiance, and inspiration, industry and government quickly promised to correct the conditions--including siloed data repositories, incompatible communications systems, and lax security practices--that allowed the terrorist attacks to be executed with such deadly precision. How far have we come in five years? Let's put it this way: We've got a long way to go.Businesses, law enforcement, and government--in particular, the Homeland Security Department, formed in July 2002 from nearly two dozen government agencies in direct response to 9/11--have shown both promise and disappointment with regard to their IT initiatives. They've formed and funded crucial data collection and sharing programs, yet the execution of several of these have run afoul of privacy rights groups and even the courts. The National Security Agency's surveillance program was not only greeted with uneasiness by the public, but it was shot down last month when U.S. District Judge Anna Diggs Taylor ruled that the program violates the First and Fourth Amendments by monitoring communications without warrants.

In a move to improve access and information sharing among immigration and law enforcement officials, Homeland Security this week announced it has launched the first phase of a proposed three-phase program to promote interoperability between the U.S. Visitor and Immigrant Status Indicator Technology (US-Visit) program's Ident database and the FBI's Integrated Automated Fingerprint Identification System database. The goal is to provide state and local law enforcement officials with access to immigration history based on biometric and biographic information through a single biometric submission to these databases. Subsequent phases will increase the amount of data that Homeland Security and Justice exchange and provide law enforcement and immigration officials with a complete view of a person's criminal and immigration history.

Data collection and integration make up a pervasive thread that ties together all post-9/11 efforts to improve national security. They're the foundation of the Homeland Security Department's controversial Secure Flight program, which remains grounded thanks to unanswered questions regarding what data will be collected from passengers, how that data will be used, how it will be secured, and how decisions based on that data can be appealed.

Homeland Security's Registered Traveler program has done better, attracting thousands of participants. Passengers volunteer to undergo a federal background check in order to obtain an ID card encoded with fingerprint and iris images that speed them through airline check-ins at participating airports, which include Orlando International Airport and British Airways Terminal 7 at New York's JFK International Airport and will soon include Norman Y. Mineta San Jose, Indianapolis, and Cincinnati International airports once these locations get approval from the Transportation Security Administration. Bus and train travel have no such program, even though both have been targets of subsequent terrorist attacks.

In evaluating government and industry efforts to protect the critical infrastructure that keep the lights on, the transit systems moving, and the Internet chugging along, it's clear that there have been many programs launched over the past five years to improve security, but much less clear whether those programs are up to the task of protecting the country from attack, real or cyber.

True, we've yet to have a crippling attack against a nuclear power plant or a major shipping port, and the Internet has proven itself for the most part resilient against a variety of worms and viruses, but the feds haven't clearly laid out requirements for securing critical infrastructure, and there's no clear protocol in place for responding to a massive cyberattack. It may not be fair to say we've been lucky, but it's entirely accurate to say our critical-infrastructure defenses haven't truly been tested.

It's easy to give the government poor grades because it hasn't come up with a clear, consistent policy for dealing with critical-infrastructure threats, but private-sector industry is equally, if not more, complicit in this failure. Given that private-sector businesses own more than 85% of the nation's utilities, transportation facilities, and other critical infrastructure, nothing short of a law would force them to devote time and money to address these problems. Shareholders would rather see these companies invest in areas that generate profits rather than those areas devoted to security.

The safety of the Internet as a piece of critical infrastructure is much less certain. In a July report, the Government Accountability Office noted that federal laws and regulations that address critical-infrastructure protection, disaster recovery, and the telecommunications infrastructure provide broad guidance that applies to protecting the Internet, but it's not clear how well the country could recover from a major Internet disruption. While the Internet originated as a U.S. government-sponsored research project, the vast majority of its infrastructure is currently owned and operated by the private sector.

The lack of a unified blueprint for public- and private-sector coordination in the first 72 hours of an emergency leaves a gaping hole in the ability to respond to any attack against the national infrastructure, says James Gilmore, who was governor of Virginia on 9/11 and chaired the Gilmore Commission assessing the country's capability to respond to terrorist attacks. Partnerships between public and private entities are the only way prevention and, if necessary, response can be achieved. There's a lot at stake if businesses aren't able to use the Internet or if their systems are disrupted, he adds. "If you disrupt private-sector business, you disrupt the United States."

Perhaps the anniversary of that dreadful day will stir in government and business leaders that sense of purpose they felt five years ago, before politics and posturing slowed the progress of so many important programs. It's time to recapture that feeling we had when the dust finally began to settle, the markets reopened, and passengers once again took to the air, when we rolled up our sleeves and prepared to show the world what we were really made of.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26585
PUBLISHED: 2021-06-24
A potential vulnerability has been identified in HPE OneView Global Dashboard release 2.31 which could lead to a local disclosure of privileged information. HPE has provided an update to OneView Global Dashboard. The issue is resolved in 2.32.
CVE-2021-31412
PUBLISHED: 2021-06-24
Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 1...
CVE-2021-33604
PUBLISHED: 2021-06-24
URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.
CVE-2020-28097
PUBLISHED: 2021-06-24
The vgacon subsystem in the Linux kernel before 5.8.10 mishandles software scrollback. There is a vgacon_scrolldelta out-of-bounds read, aka CID-973c096f6a85.
CVE-2020-7862
PUBLISHED: 2021-06-24
A vulnerability in agent program of HelpU remote control solution could allow an authenticated remote attacker to execute arbitrary commands This vulnerability is due to insufficient input santization when communicating customer process.