March 1, 2007
Forum looks at threat of cyber terrorism
When Paul Oman and Barbara Endicott-Popovsky open their newspapers or scan headlines online, they marvel at what they don’t see — no stories detailing how our power grid, water supply, and communication systems have been compromised.
Our Infrastructures — Online…and Vulnerable?
6:30 – 8:30 p.m. Tuesday, March 6 120 Kane Free and open to the public. |
They don’t consider themselves alarmists. But they stand with counter-espionage experts who believe it’s just a matter of time before new generations of cyber-savvy terrorists apply malicious code, along with more conventional bombs and bullets, to topple critical infrastructure systems.
“It will occur,” predicts Oman, a professor of computer science at the University of Idaho.
That such disaster has not yet struck is probably due to some unknowable combination of good luck and national security efforts, like freezing the assets of suspected terrorists and their support groups, Oman said.
Oman and Endicott-Popovsky, director of the UW’s Center for Information Assurance and Cybersecurity, are among the experts who will appear at a free, public forum Tuesday, March 6 in Kane Hall (see accompanying box) that will address how safe our critical infrastructure systems are, or are not.
“The fact that we haven’t had a major event is a surprise to me,” said Endicott-Popovsky, “although I don’t believe we can hold out for luck forever.”
To date, documented cyber attacks on critical infrastructures in North America are not particularly alarming, Oman conceded. Typical, for example, was a 2003 incident in which the so-called “Blaster” worm caused cancellations and delays for freight and rail service in the U.S.
So far, Oman said, terrorists have used the Internet primarily as a means of spreading fear and propaganda, but he expects them to exploit technology in a more sinister fashion.
He and Endicott-Popovsky point to evidence suggesting a more ominous future, including intelligence cited by Richard Clarke, former White House cyber security adviser, showing that Al Qaeda operatives were doing reconnaissance on U.S. infrastructure facilities.
Oman gives U.S. utilities and communication companies credit for generally having done a good job at building reliability into critical infrastructure systems to safeguard against natural disasters. Along with police and other emergency personnel, utility representatives were among the first responders to Hurricane Katrina, he noted.
What’s concerning, Oman added, is our alarming degree of naivete when it comes to protecting against technologically skilled terrorists “with sabotage in their hearts.”
As cameras, Internet access and phones get packed into smaller, sophisticated devices capable of displaying Google Earth images, it will become “very possible to direct malicious offenses in ways we probably can’t imagine,” Oman said.
In the hands of people with sabotage on their minds, such portable and powerful tools could be lethal, Oman said. “We need to lose the notion that the only enemy is Mother Nature,” he asserted.
Part of the problem, Oman said, is that we are accustomed to living in what he described as a “benign environment.” The last time there was a deliberate assault on our critical infrastructure facilities, he said, was more than 140 years ago during the Civil War when armed forces from the North and South attacked each other’s railroads, shipping lanes and communication lines.
Oman said he has participated in some two dozen on-site security evaluations of critical infrastructure facilities, including hydroelectric plants, and on many occasions has seen user account and password information placards pinned to the operator console — clearly visible to tour groups passing by.
What’s also scary, he said, is the alarming number of utility and communications organizations he’s found that are unaware of the connections that exist between their “real time” control systems and their information-technology systems.
“People running these systems don’t understand the vulnerabilities,” Oman said. “They are so focused on natural-disaster events they haven’t actually thought of a malicious cyber attack.”
As part of the effort to shake off our complacency, regulators, utilities and communication companies need to implement some common-sense safeguards — including removing those all-too-visible placards containing user names and passwords.
Less developed nations without sophisticated water supply, power and communications systems may be at an advantage when cyber-terrorists move into gear, Endicott-Popovsky observed, because those populations aren’t dependent on services that many of us take for granted. Look no further than the storms that hit the Seattle area in December, she noted, to see the paralyzing impact of no power.
Forum panelists include:
- Paul Oman, professor of computer science at the University of Idaho and a national expert on digital control and monitoring systems, computer and network security, systems reliability, and software engineering
- Kevin Desouza, assistant professor in the Information School of the University of Washington, director of the Institute for National Security Education and Research, and an author, lecturer, and consultant on business strategy and knowledge management
- Joe Weiss, a graduate of the University of Washington’s Master of Strategic Planning for Critical Infrastructures graduate degree program, and a noted consultant in private industry, specializing in cybersecurity for computer control systems
- Daniel J. Ryan, professor of Systems Management at the Information Resources Management College of the National Defense University, a lawyer and mathematician with expertise in information security, information assurance, cryptography, network security and computer forensics
- Mark D. Hadley, a research scientist with Pacific Northwest National Laboratory, currently focusing on cybersecurity and the protection of critical infrastructure systems that consist of distributed control environments and their associated control centers.
The panel will be introduced by Harry Bruce, dean and professor of the UW Information School. It will be moderated by Hilda J. Blanco, professor and chair, of the UW Department of Urban Design and Planning and director of the Master of Strategic Planning for Critical Infrastructures online graduate degree program.
This lecture is presented by the UW’s Center for Information Assurance and Cybersecurity at the Information School, and is part of a colloquium series called “Unintended Consequences of the Information Age.”
It is sponsored by UW Institute for National Security Education and Research; the Master of Strategic Planning for Critical Infrastructures online graduate program at the University of Washington’s Department of Urban Design and Planning, with additional support from the Information School; the Pacific Northwest Center for Global Security; and Pacific Northwest National Laboratory.
For more information, see:
http://www.ciac.ischool.washington.edu/index.shtml
