On 19 March 2001, a busboy at a Brooklyn restaurant was apprehended by police and charged with identity theft. Using information he had obtained from public library internet access and credit bureaus, he illegally purchased merchandise, withdrew funds from brokerage accounts, and obtained credit using other people’s names. Last year roughly 9 million Americans had to deal with the financial consequences of identity theft. The numbers are expected to rise.

Other cyber attacks geared to collect classified and unclassified data from government and defense-related computing systems are apparent and evolving. In 1999, the code name “Moonlight Maze” was given to a series of what appeared to be coordinated attacks on American computer systems by hackers from within the Russian Academy of Sciences. In 2004, the code name “Titan Rain” was used to describe a series of allegedly coordinated attacks that included systems at NASA, Redstone Arsenal, Sandia National Labs, and Lockheed Martin. To date, there has been no full and credible public record disclosing whether these attacks were perpetrated by hackers and criminal elements, or were some form of organized foreign espionage.

In 2003, there were 3784 new software vulnerabilities documented by the Computer Emergency Readiness Team (CERT), and in 2005 this had increased to 5990, despite various attempts to increase public awareness and promote a greater use of internet security tools.

We have all become participants in a great Cyber War. It is a borderless war, where attackers from almost anywhere in the world can enter our homes, our financial institutions, and our military establishments. It is an asymmetric war, where a solitary enemy can inflict economic and physical consequences on thousands, perhaps millions, of innocents. It is a time-critical war, where the duration of an attack is measured in minutes and seconds rather than months and days, with ever diminishing opportunities to mount an effective defense. It is a silent and invisible war, where the perpetrator is increasingly able to inflict damage in a form that may not be discovered for weeks, months, or even years. It is also an ill-defined war, where the enemy’s real agenda may not be known or even discoverable.

So what can be done? What can be done to ensure that a computer system put in place to bolster port security is not invaded and rendered unusable? What can be done to ensure that an air traffic control system does not suddenly fail amidst an unmanageable number of false indicators? What can be done to ensure that a lifetime of savings for retirement is not siphoned off by organized crime or a terrorist organization? In his October 2005 address to the House Armed Services Committee on Cyber Security, Information Assurance and Information Superiority, Dr. Spafford summed up the current cyber-security situation succinctly:

“Unfortunately, we have developed an attitude and culture that views failures and compromises of important computing systems as inevitable and acceptable. This is dangerous and threatens the future economic and military safety of the country.” – Eugene Spafford Testimony - HASC

Meeting this ever-present cyber-security threat requires a changed attitude in both the public and private sectors about the critical need for improving the cyber-security of our country’s infrastructure. It will also require a cultural shift which acknowledges the significance of this threat and demands immediate and sustained personal engagement in the use of digital security “best practices”. Until then, perhaps . . .

"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then, I have my doubts." – Eugene H. Spafford

MetroCon 2006

“Innovating for Society”

Keynote

The Emerging Cyber-Security Crisis
Eugene H. Spafford, Ph.D.
Purdue University

About the Keynote Speaker:

Eugene H. Spafford is one of the most senior and recognized leaders in the field of computing. He has an ongoing record of accomplishment as a senior advisor and consultant on issues of security, cybercrime and policy to a number of major companies, law enforcement organizations, and government agencies, including Microsoft, Intel, Unisys, the US Air Force, the National Security Agency, the Federal Bureau of Investigation, the National Science Foundation, the Department of Energy, and two Presidents of the United States.

Dr. Eugene Spafford is a professor with a joint appointment in Computer Sciences and Electrical and Computer Engineering at Purdue University, where he has served on the faculty since 1987. He is also a professor of Philosophy (courtesy) and a professor of Communication (courtesy). He is the Executive Director of the Purdue University Center for Education and Research in Information Assurance and Security (CERIAS). He serves on a number of advisory and editorial boards, and has been honored several times for his writing, research, and teaching on issues of security and ethics.