Disclaimer: This information comes from sources that cannot be verified. As such, make no assumptions about its completeness or accuracy. We endeavor to keep this information up to date as much as possible. Feel free to send comments/ updates to the Security News Editor.

November 06, 1997, Section:

Presidential Panel Issues Cyberattack Warning

By John Borland

Forget fertilizer bombs and dynamite. Terrorists can now use the Internet. The United States is vulnerable to new kinds of cyberattacks that could play havoc with national power grids or telecommunications lines, according to the final report released Wednesday from the President's Commission on Critical Infrastructure Protection.

"Potentially serious cyber attacks can be conceived and planned without detectable logistic preparation," says the commission's report, which studied threats to critical national infrastructures. "A personal computer and a simple telephone connection to an Internet Service Provider anywhere in the world are enough to cause a great deal of harm."

"They can be invisibly reconnoitered, clandestinely rehearsed, and then mounted in a matter of minutes or even seconds without revealing the identity of the attacker," the report says. "We are quite convinced that our vulnerabilities are increasing steadily while the costs associated with an effective attack continue to drop."

As power stations, telecommunications networks, and the Internet become increasingly linked, terrorists could cripple large sectors of the economy by attacking a single critical point in the Net, the report says.

"Today, the right command sent over a network to a power generating station's control computer could be just as effective as a backpack full of explosives," the report says. "While we do not believe a debilitating attack is imminent, the threats to our nation and the vulnerabilities in our infrastructures are real. ... The investments required to improve the situation are still relatively modest, but will rise if we procrastinate." The report makes recommendations for a broad campaign of protection, several of which were protested by civil libertarian groups. One section calls for the implementation of an encryption key management system, which would allow government access to a repository of private citizens' encryption keys in the case of a suspected crime.

This kind of key escrow system has been blasted by privacy advocates and encryption experts, who have said that a large-scale key management system is technically implausible and practically impossible.

"It doesn't make any sense," said Stanton McCandlish, director of the Electronic Freedom Foundation Program. "We've got the world's most renowned cryptographers saying that it won't work."

Even if U.S. citizens do register their keys, McCandlish said, virtually unbreakable encryption is easily available from foreign sources, so criminals would be able to skirt U.S. laws.

Another section of the report says that detailed infrastructure information should not be distributed to the public, thus preventing ambitious terrorists from obtaining road maps. Much of this previously unclassified material, including information shared with the government by private companies such as ISPs or utilities, should be better protected and be given exemptions from Freedom of Information Act requests.

"The risk is increasing on a daily basis the more we rely on unreliable components," said John Cronican, vice president of engineering at the Merdan Group, a San Diego-based computer security consultancy. "Any time you become dependent on information and begin replacing people with machines, you've got problems."

Both the report and security consultants said that private companies and the public at large need to be educated about the dangers of computer attacks.

"The report says we don't have safeguards because people have not thought it through," Cronican said.