- The Washington Times - Tuesday, December 3, 2002

Recent reports of two individuals using a few computer keystrokes to steal the financial identities of 30,000 Americans point up a growing weakness in U.S. cyber security. And in the hands of a terrorist, the damage wrought by computers could be far worse than identity theft. Although the issue has not received much attention in the media, Congress has taken some key steps in the past year to counter the emerging cyber terrorist threat.
Cyber terrorism may sound like the stuff of science fiction or like a minor inconvenience, but it is neither. In a world in which our telecommunications and financial systems, our business transactions, our electric and water utilities and our emergency response systems all rely on computer networks, a focused cyber attack could wreak havoc and threaten lives. It is not an exaggeration to say that the day-to-day functioning of our society is only as secure as the most vulnerable computer terminal with access to the Internet.
And those terminals are vulnerable. In addition to the recent identity thefts, in the first half of 2002 there were 43,136 reported computer break-ins, more than double the number reported in all of the year 2000, according to the Computer Emergency Response Team, a federally funded group at Carnegie Mellon University that acts as a central repository for break-in reports. The group defines a break-in conservatively, so each reported incident may affect thousands of computers. Even more troubling was the recent concerted attack on the servers that run the Internet, a sophisticated effort that originated overseas.
Yet, before September 11 neither companies nor consumers were spending much time or money addressing computer security, and the government, by and large, shared that nonchalant approach.
One place attitudes have clearly begun to change is the Congress, where cyber security was a subject of intense concern, making the administration's cyber "czar" Richard Clarke a prominent presence on Capitol Hill this year.
The congressional concern was clearly reflected in the legislation creating the new Department of Homeland Security. The House added explicit cyber security duties to the department's mission. Indeed, the single most important benefit of the new department may turn out to be its ability to work with companies, states and localities to improve cyber security.
But in the realm of cyber security, the department will be charged with developing a new, centralized capability virtually from scratch, with only a few, relatively small, disconnected, pre-existing programs as building blocks, such as the Computer Information Assurance Organization being transferred from the Department of Commerce.
The legislation also gives the department new powers to carry out its cyber mission. Most significantly, perhaps, the bill includes new exemptions from the Freedom of Information Act to enable companies to share information with the government concerning computer network break-ins and vulnerabilities without fear that such sensitive information will then be free for the asking. That language should have been written more narrowly, but in the area of cyber security, it will provide clear benefits.
The bill also includes provisions designed to improve the security of federal computers by toughening the enforcement of rules that are supposed to ensure that federal agencies buy secure computers and use them in a way that minimizes their vulnerability.
In addition, the legislation would set up teams of volunteers, to be known as NET Guard, that could be deployed anywhere in the country if assistance were needed to respond to a cyber attack or other computer network breakdown.
But Congress also took steps to improve cyber security separate from the Homeland Security bill. For example, one of the first votes the House cast during the lame-duck session of Congress sent to the president my bill to set up new research and development programs to improve cyber security.
The House first passed the bill by a vote of 400-12 in February, and the Senate, led by Sens. Ron Wyden and George Allen, approved a version with minor changes by unanimous consent right before leaving town for the elections. It's that revised version, which includes changes negotiated with the House, that was sent last week to the president.
We need these new programs because the lack of focus on cyber security made computer security research a backwater, unable, in general, to attract research dollars, star researchers or the most promising students.
As a result, the basic methods to make computers and networks secure have not changed for decades, even though they have repeatedly been proven ineffective. Bill Wulf, a leading computer researcher and the president of the National Academy of Engineering, calls the current computer security paradigm a "Maginot Line defense" because, like the notorious French perimeter, it falls apart entirely once any portion of it is breached.
Under the legislation, the National Science Foundation and the National Institute of Standards and Technology would support new university research centers, fellowships and curriculum to develop innovative approaches to cyber security.
The result of all this legislation will be a gradual but substantial improvement in the nation's ability to foil attacks on its computer networks and to respond quickly to any attacks that manage to succeed. That may not be as dramatic or as dangerous as tracking down Osama bin Laden, or as visible as erecting barriers around potential targets of terrorist attacks. But it will contribute just as much to the nation's security.

Rep. Sherwood Boehlert, New York Republican, chairs the House Science Committee and serves on the House Permanent Select Committee on Intelligence.


