U.S. must prepare for attacks over the Internet

In June, a CIA official testifying before Congress on cyberthreats warned that terrorists believe that "bombs still work better than bytes." This assessment by Lawrence Gershwin, the national intelligence officer, turned out to be chillingly accurate.

But despite last week's physical attacks by terrorists on the World Trade Center and the Pentagon, concern remains high on Capitol Hill that cyberwarfare threats also loom.

"It's still vitally important that we pay attention to how vulnerable we are in the Internet and in the Information Age," said Sen. Robert Bennett (R-Utah) at a forum today on Internet security sponsored by the Washington-based Business Software Alliance. "Someone who wishes us ill could do very significant damage," he said.

Threat of Internet-based attacks in the U.S. were underscored by a General Accounting Office report released today that faulted the government for making "slow progress" on information security.

"While federal outreach efforts have raised awareness and prompted information-sharing among government and private-sector entities, substantive analysis of infrastructure components to identify interdependencies and related vulnerabilities has been limited," said U.S. Comptroller David Walker in the report. A national plan that sets roles and responsibilities for infrastructure protection is needed, he said.

The Bush administration has been working for months on developing a new infrastructure protection plan to improve government agency security as well as private-sector partnership efforts.

"Clearly, at very senior levels in the administration, all issues are being reviewed, and I think that there will be a number of decision and actions," said Dan Chenok, director of the Information Technology and Policy Division at the White House's Office of Management and Budget.

Bennett said he expects the Internet to play a role in the new war.

"The president made it very clear that this war cannot be fought in the traditional military fashion," he said. "And that means it will be fought over the Internet, it will be fought diplomatically, it will be fought economically and with trade agreements, every bit as much as it will be fought with cruise missiles and F-16s."

Security experts aren't certain of the potential risk to businesses, but they have said that previous international incidents, such as the downing of a U.S. spy plane over China, have brought an increase of cyberattacks. "There is, certainly, a real risk of hostile network activity," said Scott Charney, who was chief of the Justice Department's computer division for nearly a decade.

The most serious threat rests with state-sponsored terrorism, said Charney, and most experts agree that "there is a likelihood that networks will become increasingly important in military affairs," he said.

But the degree of risk is difficult to assess, said Charney, who heads the Digital Risk Management and Forensics Practice at New York-based PricewaterhouseCoopers LLP. "Most people would be reasonably concerned about protecting your critical command and control infrastructures," he said.

But Bennett said the risk of a terror-related cyberattacks "may have become less rather than more in the short term" because of the pressure the U.S. is now applying on terrorist groups.

"If the terrorist groups are forced to be on the run constantly, afraid of some kind of American attack, they can spend less time preparing themselves for [a] cyberattack," said Bennett. However, Bennett said his views weren't based on any intelligence information.

With the frequency of cyberattacks, new viruses and other threats on the rise, security experts say if there are war-related incidents, it may be hard to tell them apart from general Web activity.

"If it continues to be much more frequent, we are going to get real good at fighting these things," said Pat Gilmore, a managing director of cybersecurity firm AtomicTangerine Inc. in Menlo Park, California.

Recent assaults on the U.S. have some lawmakers exploring the possibility of passing new laws that would require encryption manufacturers to make keys, or back doors, for their products available to the government.

"You can't stick your head in the sand," said William Conner, the CEO of Entrust Inc., an information security firm in Plano, Texas. "There are over 200 sites around the world where you can download encryption today. And if we try to legislate or regulate back doors and control on encryption, it will be the bullet that is used against us."