Natural disaster could enable hackers

A new security assessment of the nation’s private-sector computer networks from the Department of Homeland Security says some of the most worrisome vulnerabilities reflect the open structure of the Internet itself.

The assessment, produced jointly by the department and private companies that own much of the country’s information-technology infrastructure, also says that a major natural disaster such as an earthquake or a pandemic could be a “force multiplier” for any cyber-attacker, because it likely would impede the ability of officials and IT specialists to respond.

The concern is that “a malicious actor … could wait for a natural disaster and then use it as a force multiplier for an attack,” said Jerry Cochran, a security strategist at Seattle-based Microsoft Inc., to The Washington Times.

Mr. Cochran, who helped produce the assessment, said the concern was not the damage such a disaster could do to the physical infrastructure. “The focus … was more on the disruption of human resources and the ability to detect, respond to and recover from [a] cyber-incident during a natural event.

“As people are displaced, can’t get to their place of business or to the places they need to be to get access to their systems and data … the inability of human actors to do their jobs would impact the ability to get data to enable the detection of and response to a coming or ongoing cyber-attack,” he said. “It’s a narrowly focused concern about the incident-management capabilities of the IT sector.”

The assessment was the first-ever attempt to objectively assess risks to the nation’s critical IT networks, said Robert Dix, chairman of the Information Technology Sector Coordinating Council, one of the industry groups that worked with the Department of Homeland Security to produce the report.

“These networks underlie everything we do,” said Mr. Dix, who also is a vice president at the computer firm Juniper Networks. He noted that previous risk assessments for critical infrastructure had focused on the protection of physical assets such as cables and cell towers.

“We deliver functions,” he said of the IT industry. The assessment “will help us identify where the gaps are that we need to protect.”

Homeland Security Assistant Secretary Gregory Schaffer called the assessment “a major step forward in mitigating risks to critical infrastructure functions that are essential to both homeland and economic security.” His area of responsibility is cybersecurity and communications.

The assessment says IT companies were working to mitigate the risk to their incident-management and response capabilities. Many already had “redundant infrastructure and continuous monitoring, detection, and response capabilities” and would continue to rely on “geographically dispersed workforces and resources.”

The risk Mr. Cochran outlined was one of just two rated by the assessment’s experts as “high-consequence, medium-likelihood” threats to the nation’s IT infrastructure.

The other is a more geopolitical concern, stemming from the consensus-based and open-ended way the governance structures of the Internet have evolved.

The way users find their way around the Internet relies on a highly decentralized system of servers that direct Web traffic and ensure that each small packet of computer data finds the way to its destination. This domain name system, or DNS, has been attacked by hackers in the past, the assessment says.

DNS servers are not just geographically dispersed; they are owned and operated by a large number of different organizations and companies, from national telecommunications monopolies to small contractors engaged by Internet name registrars.

However, the loose, trust-based character of this architecture means nation-states or other actors could set up their own DNS by establishing alternative servers for the “root” — the highest level of the multilayered DNS, which commentators call the “dot” in “dot-com.”

Story Continues →