According to three cyber security experts at Telcordia Technologies Inc., the networking industry is headed for a "digital Pearl Harbor" -- a security breach so serious that it creates major outages and serious economic damage.
US government officials, including the Obama White House, are well aware of the danger, which is one reason the President appointed cybersecurity czar Howard Schmidt. But the telecom and computing industries also need to be engaged in the process, which will require some changes in the way business is done today, says James Payne, senior VP/general manager of Telcordia's National Security and Cyber Infrastructure unit.
Payne says imposing security standards on today's converged-yet-diverse Internet service delivery community can be so complex that it even has some of those who are meeting to discuss the security challenge pining for the good old days, when monopoly AT&T Inc. (NYSE: T) ruled the roost and could have gold-plated security, albeit at its ratepayers' expense.
Convergence, the move to an all-IP infrastructure, and the best-effort nature of IP all play a role in the growing security challenge, as does the fact that organized crime, working on behalf of its own greed or rogue nations, now runs much of the cybercrime activity.
Payne quoted former national security adviser Richard Clarke as saying recently that the cyber cartels are generating more money than drug cartels because of known exploitable vulnerabilities.
Multiple industry standards groups are attempting to address the issues, says John Kimmins, Telcordia fellow in security services and solutions. These include the Alliance for Telecommunications Industry Solutions (ATIS), the Internet Engineering Task Force (IETF), the International Telecommunication Union (ITU), the 3rd Generation Partnership Project (3GPP), and various government agencies such as the Department of Defense and Homeland Security, but no one agency is in charge of the effort.
"There is not one place to go and plug it [security] in -- each standards group has what it embraces, which is one of the problems," Kimmins says.
One thing that would help immediately, Payne says, is legislation similar to that passed in preparation for perceived Y2K dangers -- the kind that protects companies that admit vulnerabilities from being subsequently sued by their investors. Without such protection, it is hard for service providers, hardware companies, and software vendors to engage in "honest dialogue" about what the real dangers are, for fear of legal entanglements.
"At a policy level, let's get serious about having a dialogue to discuss moving away from the best-effort model," Payne says. "It's not about putting everything back together [like the old AT&T] but it's the beginning of a dialogue that will enable us to avoid an event so serious" that repercussions might be unimaginable.
In advance of any standards or legal changes, however, there are things that the telecom and computing industries can be doing to mitigate some of the danger, Payne, Kimmins, and Petros Mouchtaris, executive director of information assurance and security, told press and analysts at Telcordia's New Jersey headquarters last Friday.
Those things include:
- Greater testing and hardening of hardware and software products before they are released on the market. The industry needs to move away from the attitude of release now, patch later, Kimmins says.
- Greater discipline in developing and deploying patches when they are needed. There is a lag between when vulnerabilities are discovered and when patches are released, and again between when patches come out and when they are deployed. The bad guys take advantage of those lag times, sometimes even using the information released about vulnerabilities and patches to select their targets.
- Eliminate marketing hype around standard terms such as "five-nines" and "no single point of failure." Too many vendors are playing games with those terms, defining them in a limited way to make their gear sound more secure than it is.
- Give consumers the information they need to protect themselves. Consumer broadband with its "always on" feature created an army of bot-net computers because consumers weren't made aware of the dangers and what they needed to do to protect themselves, Kimmins says.
- Take a more disciplined approach to testing configuration management and correcting configuration mistakes, Mouchtaris says. More than 50 percent of downtime is caused by configuration errors, which occur for many reasons, and cyber criminals exploit those mistakes, he says. Configuration testing needs to be part of a regular disciplined approach to preventing such attacks.
— Carol Wilson, Chief Editor, Events, Light Reading