- The Washington Times - Thursday, September 3, 2009

A new security assessment of the nation’s private-sector computer networks from the Department of Homeland Security says some of the most worrisome vulnerabilities reflect the open structure of the Internet itself.

The assessment, produced jointly by the department and private companies that own much of the country’s information-technology infrastructure, also says that a major natural disaster such as an earthquake or a pandemic could be a “force multiplier” for any cyber-attacker, because it likely would impede the ability of officials and IT specialists to respond.

The concern is that “a malicious actor … could wait for a natural disaster and then use it as a force multiplier for an attack,” said Jerry Cochran, a security strategist at Seattle-based Microsoft Inc., to The Washington Times.

Mr. Cochran, who helped produce the assessment, said the concern was not the damage such a disaster could do to the physical infrastructure. “The focus … was more on the disruption of human resources and the ability to detect, respond to and recover from [a] cyber-incident during a natural event.

“As people are displaced, can’t get to their place of business or to the places they need to be to get access to their systems and data … the inability of human actors to do their jobs would impact the ability to get data to enable the detection of and response to a coming or ongoing cyber-attack,” he said. “It’s a narrowly focused concern about the incident-management capabilities of the IT sector.”

The assessment was the first-ever attempt to objectively assess risks to the nation’s critical IT networks, said Robert Dix, chairman of the Information Technology Sector Coordinating Council, one of the industry groups that worked with the Department of Homeland Security to produce the report.

“These networks underlie everything we do,” said Mr. Dix, who also is a vice president at the computer firm Juniper Networks. He noted that previous risk assessments for critical infrastructure had focused on the protection of physical assets such as cables and cell towers.

“We deliver functions,” he said of the IT industry. The assessment “will help us identify where the gaps are that we need to protect.”

Homeland Security Assistant Secretary Gregory Schaffer called the assessment “a major step forward in mitigating risks to critical infrastructure functions that are essential to both homeland and economic security.” His area of responsibility is cybersecurity and communications.

The assessment says IT companies were working to mitigate the risk to their incident-management and response capabilities. Many already had “redundant infrastructure and continuous monitoring, detection, and response capabilities” and would continue to rely on “geographically dispersed workforces and resources.”

The risk Mr. Cochran outlined was one of just two rated by the assessment’s experts as “high-consequence, medium-likelihood” threats to the nation’s IT infrastructure.

The other is a more geopolitical concern, stemming from the consensus-based and open-ended way the governance structures of the Internet have evolved.

The way users find their way around the Internet relies on a highly decentralized system of servers that direct Web traffic and ensure that each small packet of computer data finds the way to its destination. This domain name system, or DNS, has been attacked by hackers in the past, the assessment says.

DNS servers are not just geographically dispersed; they are owned and operated by a large number of different organizations and companies, from national telecommunications monopolies to small contractors engaged by Internet name registrars.

However, the loose, trust-based character of this architecture means nation-states or other actors could set up their own DNS by establishing alternative servers for the “root” — the highest level of the multilayered DNS, which commentators call the “dot” in “dot-com.”

The assessment concludes there is a risk to the long-term integrity of a single, global interoperable Internet.

“Internet market influences may not be strong enough to avoid the emergence of an alternate, authoritative root,” the assessment says, adding, “The establishment of regional or alternative Internets could decrease interoperability and cause technical confusion.”

“No one’s saying ‘the sky is falling,’ ” said another contributor to the assessment, Howard Eland. “This was about identifying what we thought were the most significant risks and saying what was being done to mitigate them.”

Attacks by hackers against DNS are possible, but “their effects are generally localized, and there are lots of technical solutions” to the traffic problems they cause, said Mr. Eland, an executive with the Dublin, Ireland-based global Internet service Afilias Ltd.

However, Mr. Eland said if a nation-state decided to establish its own DNS and mandate Internet service providers in its own country to use it, “there’s very little, technically, that could be done.”

“There’s no Internet police,” Mr. Eland noted.

He acknowledged that there was unease in some quarters about the pre-eminent role of U.S.-based entities in the governance of the Internet but dismissed that as the product of “a fringe.”

“It’s unfair in my opinion,” he said of criticism of the U.S. role. “The Department of Commerce [which contracts with VeriSign Inc. to manage much of the DNS] is pretty hands-off operationally.”

Mr. Eland said the deployment of a new, more secure DNS architecture, known as DNSSec, will reach an important milestone later this year, when the root zone will begin to provide secure digital signatures, forging the first link in what he called “a chain of trust.”

Each of the top-level domains, like dot-org or dot-gov, can then be secured in turn, extending the chain, said Mr. Eland, whose company provides DNS services and is implementing DNSSec in the dot-org zone.

The U.S. government already has put DNSSec into place for the dot-gov domain and has championed its introduction across the whole Internet.

“They’re noisy, and they are out there,” Mr. Eland said of the critics of the U.S. role, “but my own view is … the vast majority of folks out there are OK with where we’re at.”

He added that in his view, the market would punish severely any attempt to break away from the global DNS. “Should they defect like that … it would be economically devastating to the nation concerned.”

Nonetheless, in the absence of technical solutions, mitigating the risk of this kind of governance breakdown falls to policymakers, he said.

LOAD COMMENTS ()

 

Click to Read More

Click to Hide