Cyber War!
homeinterviewsvulnerabilitieswarningsdiscussionblank

Three cyber security experts are ready to answer questions from viewers of FRONTLINE?s 'Cyber War!.'  We invite you to email your question here and FRONTLINE will post it, together with the experts? responses, within 24 hours.

Note: This opportunity to send in your questions will extend through Tuesday night, April 29. FRONTLINE cannot promise to post every question we receive, but we will do our best to represent the range of questions asked.

fielding your questions will be:
photo of lewis

James Lewis
He is a senior fellow and director of technology policy at the Center for Strategic and International Studies.

Read the full interview >

photo of lewis

O. Sami Saydjari
He is chief executive officer of Cyber Defense Agency and chairman of the Professionals for Cyber Defense.

Read the full interview >

Dear FRONTLINE

As a control systems engineer responsible for the design and implementation of industrial controls, I have questioned why industries and government entities don't just disconnect from the internet and create stand-alone Local or Wide Area Networks within their facility with no external connection to the outside world.

I understand that this slows down the sharing of data and some remote control. However, this would remove the possibility of anyone hacking into your SCADA system. If it's important enough to protect then keep all possible access out of the public domain.

Clint Strange
Lehi, Utah

Dear FRONTLINE

how do i obtain a transcript of the show last night and get in touch with the on camera sources at Sandia, FBI Infrastructure etc. Seemed the major threat was to our electricity system. what about transfer of money, security nuclear plants, oil and gas facilities, Fort Knox, other strategic locations

robert lenzner
new york, new york

experts respond:

The transcript of the program can be downloaded onto your computer here on this companion web site for Cyberwar! It's under "Tapes & Transcripts" on the homepage.

Dear FRONTLINE

On this web page...

http://news.com.com/2100-7345_3-5205145.html?tag=nl

the article discusses Microsoft working to advance connectivity of electronics devices to Windows.

Ultimately, such code will end up being used by infrastructure devices and when infiltrated, could even serve as a base for cyber attacks. Do we really want this?

Shouldn't separate networks be used by the government, military, finance, and our infrastructure? In that way, we could ultra-secure those resources and further keep out intruders.

Ken Kashmarek
Eldridge, IA

Dear FRONTLINE

America as a nation is attacked in cyberspace thousands of times "DAILY". Our bank systems are hacked for credit card and idenification information, as well as, other business. It is reported daily and it seems that know one really feels that we are "ALREADY" under attack from inside our borders and from the outside.

WE ARE ALREADY IN A CYBER WAR!

Will it take a "CYBER 911" attack, before we will make this issue as great a priorty as the attacks, on the World Trade Center and the others on September.

We have the ability, the personal, the finances and the "NEED" to develop aggressive "CYBER MILITARY UNITS" or "CYBER SEALS" that can defend our country, from any attack from cyberspace!

The NSA, FBI and CIA all have departments that address this issue, but I do not see a "REAL" centralized departmant in our present system under Homeland Security.

My question is this:

Should or will, Homeland Security centralize and develop "ONE" department to handle any and all threats of "CYBER WAR"?

David Wardell
Dallas, Texas

Dear FRONTLINE

The problem that I see is a sloppy procedural agenda. If you are not doing the proper inventory control of your systems, then how can you know if when a problem arises where it fits on severity scale to such an level that you are vunerable.

I thought that when using Unix or a flavor you only loaded the modular components that you needed. That is what the complaint has always been about microsoft especially "NT" loading too many services that make it ripe for an attack.

I would like to finish up my studies and am looking at Ecommerce to make that happen . Where can you recommend that I focus my technical expertise to upgrade my skillset to lend a hand. I see management as the way to organize, and feel that I can ask the tough questions to secure the right people who have the interest to delve into the depths of cyberspace until I get back up to speed.

John Gostomski
Baltimore, Maryland

Dear FRONTLINE

Thankyou for finally opening up the "sloppiness" of Microsoft products (especially their OS and its potential security vulnerabilities) for all to see.

Question 1:

Why, within this whole Program was IPversion6 not mentioned thouroughly.

It is exponentially so much stronger security-wise (built in IPSEC ready,...) than IP4 -which is 20years old!

-This is something that should be implemented on all networks. Why hasn't it?

John Cybernitsky
Miami, Florida

Dear FRONTLINE

Education is the key to controlling the challenges that we face as viruses, DNS attcaks and trojan horses are released upon our public networks.

What are community colleges and unversities doing to educate the future network security experts on this front? Is the government spending any significant amount of money on network security education?

Steven Elliot
brookline, MA

Dear FRONTLINE

how safe is our home computer without any virus protection.

richard herr
spokane, wa.

Dear FRONTLINE

Thank you for the excellent presentation of a critical issue.

While it was appropriate to single out Microsoft to represent non security-centric software to put it mildly, I was disappointed that the program did not briefly touch on the Solaris and Linux various flavors security issues. I'm under the impression that the non-MS operating systems dominate the majority of the country's non-ecommerce infrastructure at least, I hope so. What are your feelings concerning these OS's and their vulnerability?

Also, I'd like to know your thoughts on open source versus proprietary software. In the context of the network cracker, how much of a factor is the availability of source code? Can security conscious network and server administration procedures / expertise more than offset the availability of source code?

Henry Plummer
Boulder Creek, CA

experts respond:


From James Lewis:
If you adjust the statistics for market share, Microsoft doesnt seem to be less secure than other software. The large number of attacks is proportionate for the to market share and a larger market share also attracts more hackers: why attack an OS that only 4 people use when you can spend the same effort to attack one used by millions. As Linux users increase in number, the number of security breaches will also increase. This may change as people develop secure versions of their software Microsofts big push on security in the last year, SecureLinux, SecureBSD and so on. The motive for this race is that the OS that is seen as more secure will pick up market share from the others. That said, networks have many areas of vulnerability. A secure OS doesnt limit the risk of social engineering or bad password discipline, or form insider attacks which make up perhaps 70% of computer security breaches.

Having access to the source code for an operating system probably doesnt increase risk very much or at all if, as you note, the administrators have taken reasonable efforts to improve network security.

From O. Sami Saydjari: The program was commenting that software development practices, in general, do not focus on security. Security vulnerabilities have been found in all operating systems, including Unix operating systems. Because Unix operating systems tend to be simpler and focused on a few applications in their server role, they seem to have had fewer vulnerabilities.

Dear FRONTLINE

I saw the Cyberwar episode last night and am concerned even more about Security threats and Cyberwar/IW. I want to do more to help.

I currently hold a Sys Admin position and have a Microsoft MCSE certification. What is your suggestion on pursuing a career in Security ? Are there classes you recommend or other certs and later a job ? What is a good security trade association I could join ?

Kurt Skaggs
Fremont, CA

experts respond:

Your concern and initiative is laudable. There are many training courses in security available. Often these take the form of mini-courses given as tuorials associated with the main security conferences. See the Cipher web site for a list of significant security conferences http://www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html. See also the SANS institute site http://www.SANS.org/ for course offerings. I know of no formal certifications yet, but it is a great idea. - O. Sami Saydjari

Dear FRONTLINE

Our family PC which is running WIN XP Pro., with all of the recent updates has in the last two days been attacked six times. We have nothing of any significance on our PC,,,but we do have a virus filter and a Norton Firewall which had been sucessful so far.

One. Why all the attacks?

Two. Why us. Don't these people have anything better to do?

Thanks.

Kenneth Roswarski
West Lafayette, Indiana

Dear FRONTLINE

If you were going to try to protect individual servers from inside users that may already be sitting behind a perimeter firewall with an extra layer of security what would you recommend?

Jerry Gaillard
Alpharetta, GA

experts respond:

From James Lewis:
An intrusion detection system and perhaps honeypots theres an article in the NY Times this week on honeypots. The goal is to know when an insider has accessed or is trying to access files without authorization. The Times article is at: http://www.nytimes.com/2003/04/28/technology/28NECO.html

From O.Sami Saydjari: Protecting against insider access is one of the hardest problems facing the information assurance community. I recommend that you implement strong security policies that limit access within and across systems behind the firewall. You can use some of the internal access controls available in operating systems to do this, including virtual private networking built into the software of several of these systems. For a stronger hardware-oriented solution, 3COM makes a product call Embedded Firewall EFW that implements strong controls within the network interface card. I also strongly recommend running intrusion deteciton software behind the firewall and monitoring access for any suspicious behavior.

Dear FRONTLINE

I agree there is no 100% secure system, but why not?

Seems to me with a bug-free firewall blocking all but a certain port,

and a bug-free webserver, say, behind that running

a good application server which is not allowed to write to the filesystem or execute commands and an application that only can take a certain set of requests from the Internet and pass that data on to backend systems, that the worst an attack could do is deny service, not gain total access to any systems.

2nd question: If digital certificates were used to always authenticate a client operator human, his computer, his browser, whatever the 'client' is, would we seriously increase our security? Or are they unreliable.? I'm imagining a system where the authorized users are issued smart cards with locked digital certificates on them, unlocked with a large password. They must insert this card into their computer, unlock it, and their client software web browser,say uses that to authenticate itself with the system they're trying to control. Is this secure?

Andrew Trieger
chicago, il

experts respond:

From James Lewis:These are good steps to lower risk, but they wouldnt eliminate all risk social engineering, bad passwords, et cetera. Large networks tend to be built incrementally, so youve got a mix of platforms, a difficult time knowing if patches have been installed, and large numbers of users with unequal skills. That said, many organizations are moving to implement approaches like those youve outlined and were seeing the results in improved network security.

Better authentication would improve security and paying attention to authentication is one way to make things more secure inside a network. The problems with authentication come from policy issues, not technology. First, if the documents that a credential or token like a certificate or smart card are vulnerable, the credential will also be vulnerable. The Social Security Number/Birth Certificate/Drivers License system we use to identify people wasnt designed for digital applications in fact, it wasnt designed as an identification system, so you could have a good certificate based on bad ID information. Second, there is the problem of one system knowing how much to trust a credential issued by another system. Some of the high-end financial authentication systems like Identrus have solved this problem by having an extensive paper process that establishes identity and assigns liability behind the digital ID, but most authentication systems dont yet match this.

That said, if the majority of networks adopted your suggestions on network architecture and authentication, computer network security would be much better. Id add encrypting stored data as a third element for a secure network, so that if an unauthorized user did gain access, theyd still have trouble exploiting their advantage.



From O.Sami Saydjari: There certainly exist configurations of systems that are more secure than others. The one you describe sounds reasonable. Unfortunately, there is no such thing as a bug-free webserver or application servers. They often have both design and implementation bugs that can cause them to give adversaries high privileges when certain failures are induced. Futhermore, many user needs are not met by such restricted configurations that you mention. Users need to browse the web, read email, run java scripts, and many many other such operations. These sorts of systems are even more difficult to secure. Finally, I should point out that these software services could, in theory, come with built-in trap doors that adversaries insert during the development or distribution lifecycle of the systems. So, even if there were perfect designs, and perfect configurations, you would still have to deal with lifecycle attacks.

Dear FRONTLINE

I would like to know how the economic impact of a successful attack is measured. It seems to me that, like one of the interviewees in the show said, you cant compare a cyber attack to a physical attack; virtually nothing is destroyed presuming good backup procedures by the system administrators nor are people physically harmed.

I would suggest that the cost of salaries for the IT employees to fix the exposure and restore the data is essentially not a loss but a redistribution of wealth. This is not unlike the home building / repair industrys employment after a hurricane wealth has been transferred from the insurance companies to the contractors and material suppliers. Wealth, like matter, cant really be destroyed.

Michael Sullivan
Essex Jct., Vermont

Dear FRONTLINE

I watched the program last night and was interested in the similarity between 1999 discussions leading up to Y2K and now regarding cyber-threats.

How much is hype this time being generated by those that seek measurable gains and how much is real? What was the White House response to the Feb. 2002 letter from several prominent individuals regarding cyber-terrorism and what was the catalyst for that group's letter?

Scott Coghill
Milwaukee, Wisconsin

experts respond:

From James Lewis:
Thats a very touchy question. One of the frequent criticisms in the cyber debate is that self-interest perhaps plays too great a role. This may not be fair, and its a criticism thats applied at times to the software industry in general as well as other industry sectors. At least one urban legends site http://www.vmyths.com/index.cfm proclaims, This site is NOT sponsored by antivirus companies. The Y2K cycle of hyperventilating warnings did create problems for network security, in that some companies felt burned after spending large amounts on what they came to perceive as an invisible problem and tended to under-spend on security for a few years after Y2K as a result.

The inside baseball story on the letter Ive heard is that some in the White House saw it as something ginned up by individuals who wanted senior positions in the new Department of Homeland Security. This is not an uncommon practice inside the beltway. There was also a sense at the White House that 9/11 showed that threats other than cyber deserved more attention and that cyber should be downgraded in the pantheon of risks. Thus, the Administration tended to dismiss the letter. I expect that alleged laxness in cyber security will soon become a useful tool for bashing the Administration the letter is an early example, although it also reflected real concerns. This is normal Washington politics -- stand by for more exaggeration -- but usually some good will come out of a full and energetic debate.

From O. Sami Saydjari: Those who think Y2K was hype do not fully appreciate what would have happened had a major effort not taken place to prevent Y2K flaws from damaging our systems. Those in the government, for example, who led Y2K remediation efforts are absolutely convinced that the investment made to fix Y2K problems was well worth it.

There is much debate on how devastating cyber attacks could be. Many scientist think it is quite significant and make their case in the letter that you reference which is contained on the frontline website. Several well-respected studies by the top scientists of the Defense Department, the National Academy of Sciences, and a Presidential Commission reached the same conclusion. There is significant weight behind the conclusion that the threat is real and that the consequences could be quite serious. Some of these same scientists have strongly recommended that the government urgently undertake a careful systematic scientific study to scope the threat at the national scale to help settle this debate and to form the foundation of a reasoned national cyberspace defense strategy. Such a study has yet to be initiated.

The catalyst for the letter was the the 9/11 attack in which our own infrastructure, commercial airliners in this case, was used against us by terrorist attacks. A number of us reasoned that our critical information infrastructure suppoting key national services could be a next target given the methods, means, and motives of terrorist groups. White House reaction was somewhat encouraging, but fell well short of the decisive and urgent action recommended by the scientists to start developing a national cyber defense capability that we believe will take at least three years to create.

Dear FRONTLINE

What is a good site or program to use to check your personal system for these zombie programs? I currently have both a firewall zone alarm and Nortons antivirus running to protect the system but I would like to have a site that can from time to time check and test these systems. This is a peraonal computer but it does have both a adsl connection and a person who enjoys visiting the web. I consider myself aware of the risk to computers but I do use the web.

Part of our countries defence has to be the people's awareness that our computers can be high jacked and used against others. I want to make it very difficult for anyone to use this box. Thank you for your time...

jon ley
kings mountain, nc

more
 

 

home :introduction : interviews : experts' answers : faqs : vulnerabilities : warnings?
discussion : readings & links : maps : producer's chat
tapes & transcripts : press reaction : credits : privacy policy
FRONTLINE : wgbh : pbsi

posted apr. 24, 2003

background photograph copyright © photodisc
web site copyright 1995-2014 WGBH educational foundation

 

 
SUPPORT PROVIDED BY

FRONTLINE on

ShopPBS