COMPUTERWORLD has a good interview with Ed Lazowska, co-chairman of the last President's Information Technology Advisory Council.
Under Lazowska's leadership, PITAC studied three issues: IT for health care, the future of computational science, and cybersecurity. PITAC's report on cybersecurity, called "Cyber Security: A Crisis of Prioritization," was published in February 2005.
"The title nicely summarizes our findings," Lazowska says. "There is a crisis, and it is due to a failure to adequately prioritize this issue--a failure by CIOs, and a failure by the federal government."
Lazowska doesn't pull any punches when discussing the Bush administration's approach to the issue.
"In my opinion," he says, "this administration does not value science, engineering, advanced education and research as much as it should -- as much as the future health of the nation requires." ...
"There is a big gap between what we already know about cybersecurity and our deployment of technologies and processes to improve it. That's a CIO problem. There's also a big gap between what we already know about cybersecurity and what we need to know in order to engineer adequately secure systems for the long-term future. That's a federal government problem, because the federal government is responsible for R&D that looks out more than one product cycle--R&D such as engineering a more secure version of the Internet." ...
"We see some of the effects of cybervulnerabilities on a daily basis on the front page of our newspapers: phishing attacks, pharming attacks, denial-of-service attacks and large-scale disclosure of credit card information. Even phishing attacks, which seem easy to dismiss as a gullibility problem, arise from the basic design of the protocols we use today, which make it impossible to determine the source of a network communication with certainty.
"The public, and most CIOs, do not see many activities that are even more threatening. The nation's IT infrastructure is now central to the life of all other elements of the nation's critical infrastructure: the electric power grid, the air traffic control network, the financial system and so on. If you wanted to go after the electric power grid -- even the physical elements of the electric power grid -- then a cyberattack would surely be the most effective method. It's also worth noting that the vast majority of the military's hardware and software comes from commercial vendors. PITAC was told that 85% of the computing equipment used in Iraq was straight commercial. So the military itself is arguably about as vulnerable to a cyberattack as the civilian sector."
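Lazowska's remark that today's protocols make it "impossible to determine the source of a network communication with certainty" is easy to see in mail. Here is an added example (mine, not from the interview or from PITAC) that separates the parts of a message a receiving organization can trust from the parts the sender simply asserted. The hostnames, addresses and the sample message are all constructed; `mx.ourcorp.example` is an assumed name for the receiving MTA.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample.  The message claims to be from bank.example, but it was
# handed to our MTA (mx.ourcorp.example, an assumed name) by 203.0.113.7.
# Only the topmost Received: line was written by our own MTA; every line
# below it, and the From: header, were supplied by whoever connected to us
# and could have been typed in by hand.
SAMPLE = """\
Received: from mail.bank.example (unknown [203.0.113.7])
\tby mx.ourcorp.example (Postfix) with ESMTP id 4F2A1
\tfor <victim@ourcorp.example>; Mon, 11 Apr 2005 09:12:33 -0700
Received: from secure.bank.example (secure.bank.example [198.51.100.10])
\tby mail.bank.example with ESMTP id 1234
Received: from localhost (localhost [127.0.0.1])
\tby secure.bank.example with ESMTP id 5678
From: "Account Security" <alerts@bank.example>
To: victim@ourcorp.example
Subject: Verify your account

Please log in at http://bank.example.login-verify.invalid/ to confirm.
"""

# The MTAs we operate; Received: lines written "by" any other host are hearsay.
OUR_MTAS = {"mx.ourcorp.example"}

# Matches the common "from HELO (rdns [ip]) by HOST" form of a Received: line.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[\d.]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)"
)


def received_hops(raw):
    """Return the Received: headers top-down (newest first), folding collapsed."""
    msg = message_from_string(raw)
    return [re.sub(r"\s+", " ", h) for h in msg.get_all("Received", [])]


def classify_hops(raw, our_mtas):
    """Walk the Received: chain from the top, trusting a hop only while the
    host that wrote it is one of ours.  Once the chain leaves our control,
    nothing below can be verified, so everything further down is untrusted."""
    hops, trusted = [], True
    for line in received_hops(raw):
        m = HOP_RE.search(line)
        if m is None:
            # Unparseable line: stop trusting here and below.
            trusted = False
            hops.append({"raw": line, "trusted": False})
            continue
        hop = m.groupdict()
        trusted = trusted and hop["by"].rstrip(".").lower() in our_mtas
        hop["trusted"] = trusted
        hops.append(hop)
    return hops


def last_trusted_peer(raw, our_mtas):
    """IP of the host that connected to the outermost MTA we control, or None.
    This is the only origin fact our side observed; the rest is sender-asserted."""
    peer = None
    for hop in classify_hops(raw, our_mtas):
        if not hop["trusted"]:
            break
        peer = hop["ip"]
    return peer


def claimed_sender(raw):
    """The From: header address, i.e. whatever the sender chose to write."""
    return parseaddr(message_from_string(raw)["From"])[1]


if __name__ == "__main__":
    print("claimed sender :", claimed_sender(SAMPLE))
    print("trusted peer IP:", last_trusted_peer(SAMPLE, OUR_MTAS))
    for hop in classify_hops(SAMPLE, OUR_MTAS):
        print("  trusted" if hop["trusted"] else "  asserted", hop)
```

Run as a script it reports that the message claims to be from `alerts@bank.example` while the only observed fact is a TCP connection from 203.0.113.7; the two lower Received: lines naming bank.example hosts are untrusted because no host of ours wrote them. Even the peer IP is only as good as the transport: a completed TCP handshake pins it against an off-path attacker, but for UDP-based protocols such as DNS, which pharming abuses, the source address in the packet can be forged outright.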