How will last month's terrorist attacks affect corporate IT? Hijacking and crashing four jetliners was only one move in a concerted campaign to disrupt global commerce, damage U.S. economic interests, erode U.S. power and foment distrust in the conduct of international business. Given those objectives, I'm quite sure that high on terrorists' checklists is a plan to wreck the Internet. If they can stop Internet traffic for a day or two, the effect on business, and particularly on the future of IT, would be devastating.
Current configuration and management practices for securing the Internet are roughly comparable to what has so far passed for airport security measures. Communications protocols were designed for cooperative ease of use, not security.
The software that runs the servers possesses known security holes through which increasingly virulent attacks are launched every day. The software that operates our desktops has been designed for convenience and is readily exploited by available attack tools. A large portion of more than 100 million powerful PCs and more than 10 million servers can, in an instant, be commandeered to serve as engines that amplify anything terrorists launch, guaranteeing their anonymity and becoming weapons of mass corruption of Internet services. Thus, an IT network that's negligently managed and known to be insecure becomes part of the terrorist's arsenal in information warfare.
All IT assets in the U.S. should now be seen as operating in a war zone.
What could we see in this war zone? The most probable scenario is an attempt to collapse the Internet through a massive denial-of-service attack. One can begin when malicious code is implanted in unprotected computers or when the attacking code sneaks past defenses unrecognized. The infected host is then induced to pass the attack package to others. Damage is inflicted by all compromised computers, which become generators of a huge volume of messages and make all other systems inaccessible by overloading networks with useless traffic so that legitimate users can't access Internet resources. When that happens, operators must disconnect the infected devices, and often, they must also reformat their drives and reinstall all software from a secure source.
That would fit a terrorist's idea of a perfect crime. Just like the attack on the World Trade Center, the target contributes to the spread of damages. The recovery processes magnify the victims' suffering. Meanwhile, an affected information system remains inoperable, and the personnel who depend on it are unable to work. Even if an attack fails, the terrorist wins because he can learn from each failure. Attacks are cheap and almost impossible to prevent, and damages can be enormous. That's why defending the Internet's integrity should be a public priority.
The Internet's current vulnerability is largely the result of gaping holes in the design of operating systems that power servers. Vendors will offer "patches" to plaster over known cracks but will never fix the systems' architectures. That's why you receive one patch after another, each covering yet another variant of the same vulnerability. When you're operating in a war zone, you can't tolerate such conduct, because you could unwittingly become an accomplice to cyberterrorism. The solution lies in mandating government testing, certification and standards, just as prescription drugs, automobiles and buildings are regulated to assure public safety.
The Net's vulnerability is the product of sloppy IT practices. Today, even driving a car or operating a bulldozer requires formal training, an examination, certification and adherence to codes. IT, which has become the lifeblood of America in the past 30 years, leaves network operations to individuals who have no legal accountability. In the information war zone, you can't tolerate such leniency.
The freewheeling, undisciplined days of network management practices are over. If your organization is connected to the Internet, IT must assume the added responsibility of blocking access by information terrorists.
Paul A. Strassmann (firstname.lastname@example.org), former director of defense information at the Pentagon, has been lecturing on information warfare at the National Defense University since 1994.