- The Washington Times - Thursday, July 16, 2009

A leading authority on cyberwarfare says the Independence Day attack that knocked some U.S. government Web sites offline was so primitive it could be compared to a modern air force using hot-air balloons instead of planes to attack a foe.

“We should have been able to shrug it off,” James Lewis, project director of the independent blue-ribbon Commission on Cyber Security for the 44th Presidency, told The Washington Times. “The physical equivalent of this would have been an attack using hot-air balloons.”

A senior Department of Homeland Security official, who requested anonymity to speak freely about interagency issues, said the government’s response to the attacks was “beautifully choreographed … everything went well.”

The attacks, which began July 4 and continued through most of last week, targeted 47 Web sites in the United States and South Korea, according to data collected by Shadowserver.org, a group that monitors cyberattacks.

“The attack itself was very minor,” said Marcus Sachs, director of the Internet Storm Center, a volunteer monitoring group run by Web security specialists.

Mr. Sachs said the attacks were “distributed denial of service” (DDOS) attacks, carried out using large networks of computers — known as “botnets” — that have been infected with a software virus without the knowledge of their owners.

Upon a broadcast command, or at a predetermined time, these computers begin bombarding their target Web sites with millions of fake requests for information, overloading them and causing real visitors to the site to experience long delays, or sometimes shutting the Web sites down altogether.

Specialists say it is almost impossible to discover the true origin of such attacks, and although some reports have cited anonymous South Korean intelligence officials as blaming North Korea, none of the specialists who spoke to The Times backed that thesis.

“There’s not a shred of technical evidence it was North Korea,” Mr. Sachs said.

Most of the U.S. sites targeted were only marginally affected, but those of some government agencies, including the Federal Trade Commission and the Secret Service, were temporarily knocked offline.

“It’s pathetic” that some agencies’ Web sites were unable to withstand the attack, Mr. Lewis said.

The Homeland Security official said not all Web sites required the same level of security, and that it was important to distinguish between sites that were just there as a shop window and those with which the public might have to interact, or that housed sensitive or confidential information.

“It makes sense for everyone that Web sites are sized appropriate to their mission,” the official said; “different sites have different resilience needs.”

For a site that was there simply to give information to the public, the key security issue would be integrity — ensuring that the data was accurate and could not be tampered with. Availability — ensuring that everyone was always able to reach the site quickly and easily — would be a secondary issue. “There are different ways to do your risk assessments [about the threat posed by various kinds of cyberattacks] depending on your mission,” the official said.

“DDOS attacks don’t cause any lasting damage,” the official added.

Although the attacks continued through the week, all the affected government sites were back up and running by Tuesday night at the latest. “It was handled well and handled quickly,” the official concluded.

But the fact that such a simple and relatively small-scale attack was able to knock several government Web sites offline altogether, albeit temporarily, gave some specialists pause.

Although there were many more government sites that were able to cope with the flood of data, those that went down “weren’t at the right starting point” in terms of their security, said Dale Meyerrose, a former chief information officer for the director of national intelligence.

“There is a fundamental baseline that needs to be moved up,” said Mr. Meyerrose, now an executive with Melbourne, Fla.-based government technology contractor Harris Corp.

Mr. Sachs said the technology to deal with crude DDOS attacks was widely available. “We know how to deal with these,” he said. “This is not a technical issue, it’s a leadership issue.”

“Departments and agencies need to be learning from the past, from the mistakes the private sector has made” that left early e-commerce sites vulnerable to DDOS attack, Mr. Sachs said.

Mr. Lewis said part of the problem was that, although much good work was being done there, the Department of Homeland Security — the agency charged with leading the U.S. response — had too little clout within government. “They have an authority issue,” he said. “Too many other agencies tend to regard their advice as optional.”

White House spokesman Nick Shapiro said cybersecurity is “a major priority” for President Obama and cited “a top-to-bottom review of the federal government’s efforts to defend our information and communications infrastructure” that Mr. Obama ordered upon taking office.

The review recommended the appointment of a White House czar to take responsibility for cybersecurity across the federal government.

“The president gets it,” Mr. Meyerrose said. “Leadership needs to come out of the White House.”

But he cautioned that the devil would be in the details of the appointment. “The responsibilities and tools” the new cybersecurity coordinator would have “are still to be determined,” he said.
