NRIC PRESSING CARRIERS FOR NEW FOCUS ON TERRORISM
ATLANTA -- The proliferation of easy access to information about hacking means “every kid without a date on Friday night can attack the network,” said William Hancock, chief security officer of Cable & Wireless. He was one of several speakers on network security in the opening day of the Supercomm convention here, which included a “Report to the Nation” by the FCC’s Network Reliability & Interoperability Council (NRIC).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Hancock said 86,000 attacks were reported last year, and only 3% of all attacks were reported. Network security is about where networking was 15 years ago, Hancock told a Supercomm plenary, and as networks converge, they often can’t even call for help when they're attacked, and mobile is making the network even more “wide open” to theft and attacks.
There has been a “huge increase” in the number of network attacks from overseas, said Christopher Leach, chief technology officer-risk management for Bank One. At the same time, he said, networks are becoming more vulnerable because of wireless, instant messaging and open source Linux: “Open source has great functionality, but everyone knows the weaknesses.” He said, for example, industrywide there was one virus for every 370 e-mails.
Industry experts are predicting a 70% chance of a terrorism cyberattack by the end of 2004, Leach said: “I am more concerned about a cyberterrorism attack on Bank One than about a physical attack on a building… I'm convinced that the kiddie attacks of the past will decline and be replacing by government-financed attacks by experts.”
Networks also increasingly are used for identity thefts, Leach said, with an estimated one ID theft every 79 sec., or 750,000 per year. He said ID theft cost the average consumer more than $1,000 to resolve, and ID theft accounted for 42% of all complaints to the FTC.
NRIC used Supercomm to begin the process of convincing telecom and Internet companies to use its list of “best practices” for protecting networks. Until Sept. 11, NRIC hadn’t focused on terrorist attacks on networks, said Jeffery Goldthorp, chief of the FCC’s Network Technology Div. and liaison to NRIC. He said the group now was working to extend information about the best practices beyond the 65 generally large companies that participate in NRIC.
A key question remains how widely the all-voluntary best practices are being implemented, particularly by smaller companies, industry officials acknowledged here. Goldthorp said NRIC would begin surveying companies later this year, but no data were available yet. However, he said he had some “confidence” of the best practices’ acceptance because “these are all ideas that have worked. They're really good ideas. But there are still a lot of people who need to hear about them.” Karl Rauscher, Lucent’s network reliability officer and an NRIC official, said: “I expect the implementation will be reasonable in most cases.”
Asked how well the best practices were being implemented, Qwest Senior Vp-National Network Pamela Stegora- Axberg, an NRIC steering committee chmn., said: “In some cases, extremely well. The larger carriers are generally fully engaged. The challenge we are still working on is the smaller carriers that are not as familiar with the process. We're trying to bring them along.”
NRIC officials repeatedly defended the voluntary nature of the best practices. Rauscher said the practices must remain voluntary because they were not applicable in all circumstances. One NRIC official said, for example, that EPA rules in some areas could block efforts to store reserve fuel for emergency power supplies.
The process of setting mandatory rules would result in “lowest common denominator” rules, rather than true best practices, Stegora-Axberg said, so the overall result might not be as good. She said network operators were “very self- motivated” to use the best practices because she, for example, was “doing it to improve the health of my network.”
“If you don’t do these things you will get hurt,” Hancock warned. He said cyberattacks are a whole new area for NRIC, but the need for cyberprotection is expanding. He said a typical worm virus took days to propagate throughout the Internet just 2 years ago, giving network operators time to react. But the slammer virus in Jan. took just 8 min. to propagate throughout the network, Hancock said. However. he said, companies that had complied with best practices weren’t affected.
Rauscher, whose NRIC group focused on the physical security of networks, said terrorist attacks inherently were surprises: “We should be surprised by the attacks, but we shouldn’t be surprised by our vulnerabilities.” He said his group would cooperate with Hancock’s cybersecurity group to develop best practices for attacks that combined physical attacks with cyber elements.