Battling the Cyber-threat
A Conversation with Colonel Steve York '72
"In the coming decade, a terrorist will be able to cause more disruption with a low-cost laptop computer than with a bomb" - Colonel Steve York '72
Though bombings in Oklahoma City, Atlanta, and New York have shown the U.S. vulnerable to "traditional" terrorist attacks, retired U.S. Marine Colonel Steve York '72 is concerned about what could prove to be an even more destructive threat-"cyber terrorism" attacks on the computer networks that are the nerve center of the military, as well as the country's financial, telecommunications, transportation, and power-generating industries.
"In the coming decade, a terrorist will be able to cause more disruption with a low-cost laptop computer than with a bomb," York told the Wabash community during an international politics roundtable during this fall's Political Science Homecoming Week. As a senior policy analyst for the President's Commission on Critical Infrastructure Protection, York is assisting a group drawn from the military, public, and private sectors in devising a strategy for protecting these computer systems and other critical infrastructures from physical and cyber threats.
The cyber threat is real and with us today, York says, as various groups and individuals probe computer networks to find weaknesses in the systems. In 1996, the U.S. Department of Defense computers were the target of approximately 250,000 detectable intrusions. Even Langley Air Force Base, which once prided itself on its tight information security, was recently the target of an e-mail flooding attack which rendered its e-mail system useless for several hours until the systems administrator could filter out the harmful traffic.
Though we have yet to experience a computer-based incident that comes close to inflicting the suffering of the Oklahoma City bombing, York says the country's dependence on telecommunications and information technology, and the interdependence of those systems, leaves the nation's infrastructure vulnerable at many levels. Even detecting a terrorist attack of this sort would be difficult. York cited last year's power outages in the western U.S. as an example.
"Hours passed before we found out that the cause was a tree that had fallen on some power lines," York says. If the incident had been an intentional attack to disrupt power production, efforts to prevent further damage would have been futile.
The national security affairs analyst believes protecting the country's critical infrastructures will be a daunting task requiring unprecedented cooperation and information sharing between government agencies, the private sector, and the general public.
"What the private sector can bring to this information sharing process is their understanding of their own vulnerabilities," York says. "They use the system, they should know where it's vulnerable. The government can bring information about threats; the intelligence committee collects that information and has a mandate to do that.
"Then we need an honest broker to look across the different sectors to find where they are dependent on each other," York explains. "We suggest that's probably best done by the government, because they have the resources to do it.
"That's when you get into what has been the most disappointing part of the commission for me," the colonel explains. "As we've reached out to the private sector, much of the feedback we've gotten has been 'we don't trust the government.'
"We've got a lot of work to do to rebuild that trust," York says. "The government has to lead by example. Within the government, agencies don't trust each other. The government has to break down these walls and make sure this change is widely broadcast to the private sector."
In addition, the private sector and the general public need to be made more aware of the cyber-threat and how information systems are vulnerable. To address this concern, the commission is recommending several initiatives for public awareness programs.
For infrastructure owners and operators and corporate infrastructure users, the commission is planning a series of White House-sponsored conferences with national leaders to increase the commitment to information security. Regular briefings from intelligence agencies for CEO's of major infrastructure companies are also recommended, as are infrastructure assurance "games" similiar to those used by the military.
For the general public, the commission has suggested a public awareness blitz similar to the successful "designated-driver" campaigns. In addition, the group sees a need for computer ethics courses for children from primary grades through college.
"In many families, the children are more computer literate than the parents," the commission's report on Awareness and Education states. "Lacking experience, the parents seldom can offer ethical guidance regarding computer privacy and related issues."
"We've got quite a canyon to get across in solving these problems," York concludes. "But this is a rare opportunity-to do something now, before the worst case happens. We can't just blissfully dither along and not understand the dark side to this. If we do, when something happens, it may too late to do anything about it."
For more information, contact the President's Commission website: www.pccip.gov