Just two days after the Department of Homeland Security officially opened its doors, government-and business-security managers scored a victory of sorts with a successful public-private effort to combat a potential threat to more than 1.5 million E-mail systems around the world. The work served as a dress rehearsal for the kind of cyberattacks the government expects will increase as geopolitical tensions rise and a war with Iraq looms.
When the Sendmail vulnerability and the patches for it were simultaneously made public last week, key commercial organizations such as banks and utilities, as well as government agencies, were prepared to deal with the problem, having been alerted to it in late February by officials at the government's Critical Information Sharing and Analysis Centers. Issuing the patches was the culmination of work that began in December, when security software vendor Internet Security Systems Inc. warned the National Infrastructure Protection Center, now a part of Homeland Security, of the vulnerability in the Sendmail Mail Transfer Agent, which handles half to three-quarters of all Internet E-mail traffic. If exploited, the vulnerability could disrupt E-mail systems, emergency services, telecom networks, and other online systems worldwide, ISS warned.
The new department quietly worked with businesses and government agencies to secure highly vulnerable communication systems, according to sources, including people at computer-security education group SANS Institute and ISS. Homeland Security, working with ISS, contacted software developer Sendmail Inc. and Sendmail distributors such as Hewlett-Packard, IBM, Silicon Graphics, Sun Microsystems, and the Sendmail Consortium, which immediately began developing patches.
To secure open-source Linux and Berkeley Software Design, or BSD, versions of Sendmail, the CERT Coordination Center, a group that provides security information and monitoring, asked vendors such as OpenBSD, Red Hat, and SuSE to assist in correcting the source code. Homeland Security notified the Defense Department--the first group to receive the patches on Feb. 25--and the Federal CIO Council about the flaw. The Federal Computer Incident Response Center and the Office of Management and Budget also joined in the effort.
"The cooperation on this effort was the best I've ever seen," says Alan Paller, director of research at the SANS Institute. "When has there ever been an example of the White House, OMB, federal and civilian CIOs, DoD, and nearly 20 software vendors, all working together under the Department of Homeland Security's encouraging leadership?"
The government is prepping for cyberwar in other areas. The new House Homeland Security Committee last week created five subcommittees to focus on security, one of which will oversee federal cybersecurity, science, and research and development efforts for homeland security. The move follows the approval of the Cybersecurity Research and Development Act, which pro-vides $900 million over five years for universities to create IT security centers and research ways to protect computer systems.
The joint public-private effort that the Homeland Security Department led may become standard operating procedure as war gets closer. The National Infrastructure Protection Center and officials in the United Kingdom have warned that cyberattacks against Western interests will likely increase as global tensions rise.
Government and business should prepare for more serious cyberattacks, Clarke says.
Some recent activity, such as denial-of-service attacks against the Internet's domain-name servers and the Slammer worm, seem to be evidence of "some funny things happening in cyberspace" that stopped short of causing serious harm, Clarke said. "It looked to me like people were seeing what you could do to be really destructive but not being really destructive, yet."
Increased tensions have business-technology managers concerned. "Customers are asking more about both network and building security than they used to," says Josh Richards, chief technology officer at Digital West Networks. The hosting company hasn't noticed any unusual activities, Richards says, but as the United States moves toward an attack on Iraq, "we'll all be a little more paranoid and more alert."
Experts disagree on how vulnerable the nation's critical infrastructure is, especially so-called SCADA, or supervisory-control and data-acquisition, systems that utility companies use to remotely monitor and control their operations. Joe Weiss, consultant with KEMA Consulting and former technical lead for cybersecurity of digital control systems security for the Electric Power Research Institute, says SCADA systems are vulnerable. "They were never designed with security in mind, and these systems are connected to the Internet," he says. "There's no doubt that you can get unauthorized access to these systems. It's been done often." But James Lewis, director of the technology program at the Center for Strategic and International Studies, a Washington think tank, says any attacks against SCADA systems would be unlikely to cause anything more than "minor disturbances, like the outages in phone or electrical power that we already experience."
According to network-security vendor Symantec Corp.'s Internet Security Threat Report, which is based on real-time attack information from more than 400 companies in more than 30 countries, about 60% of power and energy companies experienced at least one severe event in the second half of 2002. The attacks, however, didn't "necessarily endanger critical systems, such as SCADA systems," according to Symantec.
More likely targets may be the Internet's domain-name servers, which store Internet addresses, and the Border Gateway Protocol, used by routers to send traffic around the Internet. Research presented last week to the International Telecommunication Union in Geneva indicates that an attack against country-code domains could make an entire country disappear from the Internet because its domain-name servers couldn't be reached, with serious repercussions on its economy.
Companies must think about security when they put new processes and systems in place, P&G's David says.
Business-technology managers may need to ratchet up security efforts even more. Despite experiencing a variety of worms, viruses, denial-of-service attacks, and other threats, "security is now almost the last thing companies think about when they put in place new systems or business processes," said Steve David, CIO and business-to-business officer at Procter & Gamble Co., at the InformationWeek conference. "There has to be a shift." The SQL Server worm in January was the first to penetrate Procter & Gamble's firewalls, and though it didn't cause serious damage, it was a real "wake-up call," he said.
One chief information security officer at a major financial-services firm says he welcomes all efforts to create a more secure Internet, secure software, and better tools to protect apps and networks. "We're preparing the best we can, monitoring and hardening our systems," he says. "The rest is patching and praying."--with Robin Gareiss and Jennifer Zaino
Photo of David by Sacha Lecca