Leslie Walker's .com Live
Guest: Ira Winkler, President and Acting CEO of Internet Security Advisors Group
Thursday, Oct. 18, 2001, 1 p.m. ET
Computer security expert Ira Winkler will join Internet columnist Leslie Walker to talk about security issues swirling around the Internet in the wake of terrorist attacks on the United States.
President Bush appointed a new federal czar for cybersecurity last week, even as businesses were rushing to install better security measures to defend their computer networks against terrorists. Experts worry that U.S. government Web sites could be vulnerable to hackers, as could be the Internet's core infrastructure. Moreover, debate rages over the extent to which security -- in the form of government surveillance -- should be allowed to trump privacy on the Internet.
On hand to answer your questions this Thursday will be Ira Winkler, president and acting chief executive of the Internet Security Advisors Group. He is one of the world's foremost experts in Internet security, information warfare and industrial espionage.
Winkler previously served as director of technology at the International Computer Security Association (ICSA). He began his career at the National Security Agency (NSA), where he performed cryptanalysis and supervised security elements in intelligence collection and analysis.
Edited transcript follows.
Editor's Note: Washingtonpost.com moderators retain editorial control
over Live Online discussions and choose the most relevant questions for
guests and hosts; guests and hosts can decline to answer questions.
Hello and a warm welcome to Ira Winkler. So glad you could take our questions today. Let's start with the potential threat of cyber-terrorism.
So far, the terrorists attacking the United States do not appear to be waging information warfare or targeting our nation's electronic infrastructure. Do you think they have such capability, or that it's even on their radar screen?
Ira Winkler: I believe that they would likely have the capability, but if they don't, they could easily obtain it. The issue is that I do not think it is on their radar screen. Computers are not good terrorist targets. Real terrorists, bin Laden types, want to create fear in people's psyche. Computers as targets do not create fear. Let me give you an example.
The power went out throughout the Pacific Northwest a few years ago. Even the FBI was reacting like it was a cyber attack, and even though it wasn't, most people don't know or, more importantly, remember the incident. However, if I say Pan Am 103, the image of a side of a plane on a field in Scotland comes to mind immediately.
Think of it this way, Code Red cost the country and businesses millions of dollars. However, take your pick of an image, Code Red or Anthrax. The Anthrax scare will be much more long lasting and create lasting thoughts in people's minds. Code Red is a footnote.
Since we can never totally seal off the Internet from hackers, what do you think our top priorities should be for beefing up defense of our nation's electronic infrastructure?
Ira Winkler: I want to address the underlying issue first. Hackers as you are using the word means people doing bad things against the infrastructure and its users. To that end there is the basic fact that a certain percent of the population will always do bad things. These bad people are just on the Internet.
What should people do....
My philosophy is that 95% of crimes are because of a lack of basic security precautions. Most stolen cars didn't have their doors locked. Most crimes occur when people are in bad areas by themselves, and could have reduced the opportunity to become a victim. It is the same in the online world.
Basic security measures include updating your software with all available patches. Update your antivirus software. For example, the Code Red and Nimda worms, viruses, whatever, exploited very known, and preventable vulnerabilities. Therefore the enabling factor was admins not patching their systems. Users should also be trained in Security Common Knowledge as I phrase it. There cannot be Common Sense without Common Knowledge. While it sounds like common sense to security practitioners to have good passwords and not to give out their passwords to anyone, users don't have the underlying common knowledge to protect themselves.
However there can never be perfect security. But if you maintain the basics, the bad guys will move on to easier targets. If you have an attacker committed to attacking you, they will likely get through. Unless you detect early attempts and do something to proactively stop them. A complete answer will take too long for now.
Do you think both governments and corporations are seriously underfunding cyber-security?
Ira Winkler: Definitely. Corporations look at security as an expense. They try to minimize the costs, and when times are financially difficult, they cut back even more.
The general recommendation is that 3-5% of an IT budget should be for computer security. If you are fundamentally insecure, then you will have to spend more than that to bring you up to the point of being secure. Right now I believe the average is that 1% or less is being allocated to IT Security.
Are the banks safe?
Ira Winkler: I believe your underlying question is, "Is it safe to put your money in a bank?" That is sadly a different question than "Are banks safe?" The short answer is that it is definitely safe to put your money in a bank.
From my experience doing penetration tests on banks throughout the world, it is easy to steal money from a bank. The hard part is laundering the money so you get to keep it. According to the then Chairman of the President's Commission on Critical Infrastructure Protection, "Banks lose billions of dollars a year to computer crime." It happens.
The issue is that people steal money from the bank. Even if they steal money from your account, you can demand it back from the bank. They will gladly pay you off not to spread your story.
The FBI set up the National Infrastructure Protection Center three years ago to defend the US against cyber attacks. We never heard much about it, though. Do you think it's accomplished much, and is it likely to take key role in President Bush's cyber-security efforts?
Ira Winkler: They are having small successes, but the government is not more secure. While it is an interagency effort, it is primarily maintained by the FBI. These people's experience is in investigating the crimes after they happen. The NIPC term implies proactive security. This is a fundamental problem.
The major issue is that they have no authority over the people who have to protect their own systems, and spend the appropriate money. Fundamentally, there is a flaw in their mandate. They have responsibility without authority.
I'm curious about your take on Microsoft's .Net/Passport service. I've heard some consumer groups voicing concerns about Microsoft's ability to protect the personal info. it will be collecting on users of these services. Given Microsoft's track record on privacy, should I be worried about signing up for these?
Ira Winkler: I have mixed feelings about this. I think that Microsoft would be complete morons for doing anything that approaches the appearance of a violation of privacy. However they are a company that is driven by shareholders, and are required to maximize their profits.
Will they believe that fundamental user privacy is a fundamental requirement, or not? The winds can change direction over time. On a personal note, I always consider whatever I do on the Internet as possibly being available to the world. I look at it from a risk perspective. I cannot stop using the Internet, however I seriously consider what the risk of the compromise of the information is. So I bring the question back to you to consider...Is using the service more beneficial to you than the violation of the privacy that you choose to give up to them?
Remember, you only tell them what you choose to. You can lie about or not give information you don't want to give out.
If Bush had picked you to be the new cybersecurity czar, what would be the first action you'd take in that post?
Ira Winkler: I would demand the authority to disconnect government agencies, or the relevant parts of the agencies from the Internet or other networks if I believe or could prove that they are not secure, and not taking actions to improve the issue. Without this, the cybersecurity czar is a paper tiger, who can spend billions of dollars, without having significant effects.
How worried are you about our cyber-liberties being threatened as we boost law enforcement's powers on the Internet?
Ira Winkler: There is always a balance on freedom and a government's responsibility to protect society. I should tell you in advance that I tend to side with the government.
Let me use the Carnivore system as an example. Carnivore gave the FBI an important capability to effectively monitor the activities of a specific Internet account. It was even effective at being put in place and only looking at the targeted accounts. However it created an uproar.
A few civil libertarians made a big deal about it. Republicans looked to embarrass the Clinton administration. Liberal democrats did not want to appear to be for government intrusions. When all studies were finished, the system did exactly what it was supposed to. Now after September 11, everyone wants Carnivore to be used on all suspected terrorist accounts.
We need this and now we want it. The problem is as a former intelligence analyst, I want law enforcement to be proactive in looking into this. A vocal minority don't want a proactive government until after something happens.
There has to be a balance, obviously, but right now we are not near the line where I would be concerned.
What is being done to protect the computer and Internet infrastructure from electromagnetic pulse (EMP) attacks? Flux compression generator devices can be used to disable electronics at a distance.
Nickolaus E. Leggett
Ira Winkler: Very little, if anything. A few key network switching centers may be hardened for EMP to a certain extent, but that's about it. The proliferation of the Internet is the biggest protection in that there are many redundant paths and systems. So if a few systems in an area are hit by EMP attacks, while the whole system may slow, only that area is critically hit.
Does the United States, to your knowledge, have credible evidence that foreign governments or organized terrorist groups have developed plans or capabilities to launch cyber-attacks against the US? If so, can you tell us any details of what you know?
Ira Winkler: The answer is yes. They have reported it themselves, I know at least in the case of governments. I would ask you to look at government documents from NACIC.gov, among other sites, for more details.
What does your group do? And did the NSA really contract all of its computer operations to CSC (Computer Sciences Corporation.)? Is that good or bad?
Ira Winkler: My company provides computer and information security services for commercial and government organizations. Most of our work involves architecture studies, policy review and creation, incident response, vulnerability assessments, penetration tests, and espionage simulations.
Concerning CSC, you are referring to project GROUNDBREAKER I believe. Basically NSA decided that it was more cost effective to hand computer operations over to an outside contractor. They are essentially telling CSC, and another company that I can't remember at the moment, and saying hire the following people for the following jobs. The people in most computer operations and computer support jobs are now being essentially transferred to CSC to do the same jobs they previously did.
A comment from someone in Vienna, VA:
Vienna, VA: I'm not sure that increased "security" for web sites is really the answer....a determined enough person can get around passwords or block-outs. Heck, teen-age kids do it every day. The only real answer, I think, is simply not to have web sites on subjects deemed a security threat. One may argue...
How can we operate without a web site? Well, we did for many years before the Internet came along. You cannot break into or hack a web site that does not exist. If agencies will not voluntarily shut down their sites, President Bush can do so with an executive order. If Federal Courts try and intervene, the President can use his power as a national emergency...which this certainly is.
Could determined terrorists cripple the Internet, or is it so decentralized that no one could ever really take it down?
I'd like to know how vulnerable you think the core internet infrastructure is--the domain name system, big backbone providers, major peering points, even the consumer giant AOL.
Ira Winkler: I believe it is theoretically possible to launch a coordinated and sustained attack against key Internet systems and effectively cripple the Internet for a relatively short period of time. It is possible, but it will not be permanent, or have the crippling effects for more than a week, in my opinion.
I've read a lot about how the NSA was woefully unprepared for the new realities of the Internet. But I'm wondering if it's even possible to sift ALL the info. that is on the Internet every day. Can any agency, even one with a slew of supercomputers and an unlimited budget, patrol cyberspace probing for threats in advance and investigating crimes after the fact?
Ira Winkler: It is not possible to monitor everything. You can however watch known entities fairly well. If you have some leads, you may be able to go back after the fact to find additional information, depending on the audit and backup capabilities of the systems the bad guys used.
Another reader agrees with the notion we should put less information online. As many of you know, our federal government has been hastily removing sensitive information about the country's infrastructure and national defense from public Web sites since the Sept. 11 terrorist attacks. A comment from Silver Spring follows:
Silver Spring, Md.: The real answer to computer security threats? Simple....just don't put so much data on the computers to start with. One of the greatest hoaxes of all time is this modern idea that everything has to be computerized. A benefit of this would also be fewer tie-ups and delays on the Internet.
What's your assessment of the "govnet" idea floated by the president's new cybersecurity advisor, Richard Clarke? Do we need, and can we really build, a parallel Internet that would be more secure for government?
Ira Winkler: Govnet is in my opinion a long overdue system. Honestly when you stop and think about it, don't you think it should have happened a long time ago?
We do need it. I know several security people in government agencies who were being told that "Sensitive but Unclassified Systems" will be moved to the Internet. That was the dumbest thing I ever heard from government. Unfortunately, it took September 11 to kill that idea.
We needed it a decade ago, and it should have been proposed at the very least 3 years ago. It will be somewhat more secure, but not very secure. It will unfortunately rely upon limiting access. The government already has some of the most insecure systems in the world, putting them on a closed network will only limit access to them. Unfortunately, there will be millions of users from day one on govnet.
We are wrapping up in a few minutes folks.
Ira Winkler: Hopefully I addressed all your questions. Thanks for the opportunity, and your interest in reading this. Please contact me if there is any way I can help you.
What's the biggest information security mistake you see corporations making?
Ira Winkler: Not taking care of the basics I already mentioned. They also tend to look for a silver bullet, or want to go to an advanced solution, like PKI, before they have a basically secure network.
That's it for today. Thanks so much to Ira Winkler for his thoughtful answers, and to all of you who took time to participate. Hope to see you again next week!
Hi. I run a Norton personal firewall on my home computer, which is on the At Home cable system. Do you think that's sufficient? It scares me how many so-called trojan horse and other attacks with awful names appear in my firewall log all day long, every day. Do I need to consider an even stronger defense?
Also, is there some way I can check the vulnerability of my home computer by running a test online?
Ira Winkler: If you keep the system updated, and have a strong configuration for your firewall, you should be "reasonably" secure. There is always more you can do.
Go to grc.com and run some of their scanners to test your security.
© Copyright 2001 The Washington Post Company