Virginia Business

December 2007

Return to Virginia Business - November 2001

How secure are your IT systems?
Cyber-terrorism is much more terrifying than Y2K

by Robert Burke

Patrick J. Sweeney III believes terrorists are like bullies. They prefer easy targets, says the president of ServerVault, a managed hosting services provider in Dulles. ServerVault's bunker-like data center, though, is no easy prey. The sensitive business data stored there is guarded by sophisticated anti-hacking software. If terrorists choose a more conventional attack, there are wrought-iron fences, around-the-clock guards and 18-inch-thick concrete walls. Those must be comforting features to company clients, among them The United Way, domain name registrar Network Solutions and a department of the government of Ireland.

Outside ServerVault's walls, however, it's a different story. Experts say that the Internet and information networks essential to many businesses are poorly defended and easy to scramble. Why? They were never designed to carry sensitive data since security is hard to keep current and is considered a low priority. The Sept. 11 attacks in New York and at the Pentagon, however, have underscored just such a vulnerability. If more attacks come and the nation's information technology network is targeted, the U.S. economy could grind to a halt. "Suppose [terrorists] were able to destroy the information infrastructure" of a critical financial network by planting viruses and destroying backed-up data, says University of Virginia computer science professor Alfred Weaver. "If that's Bank America, Bank America is out of business. The stock market is out of business. That's an incredible nightmare."

In fact, significant if less catastrophic cyber-attacks are already taking place. Among them are the recent Nimda and Code Red Worm e-mail viruses and the February 2000 'denial of service' attacks on the Web sites of eBay, Amazon.com, E*Trade and Yahoo! Then there are dozens of lesser-known cases, such as one involving a teen-age hacker in 1998 who shut down an FAA control tower at a Massachusetts airport. Anonymous hackers or unhappy former workers are the most likely sources of trouble, says Paul Robertson, director of risk assessment for TruSecure, a Herndon-based security firm. "The threats in general haven't changed. Only people's awareness of the threats." At Sweeney's company: "Our phones have been ringing off the hook" since Sept. 11, he says. "Before [the attacks] people said, 'Are you guys being paranoid?' Now people understand that the threat is real."

Experts say most companies can take simple steps to protect themselves. First is redundancy - making sure essential records are backed up at a separate location. Also important is knowing what's on the network. Many companies don't know how many computers are on their system or who's using them. Finally, realize that security is not a fix-and-forget problem. It needs constant tending to stay current with the latest threats and defenses. Says Robertson: "You have to look at security as an investment in the continuity and survivability of the business."

Still, many say the private sector's best effort isn't enough. "There is no comprehensive federal plan for information security at the federal level," notes U.Va.'s Weaver. "That's our vulnerability." Robertson points out that defending against cyber-attacks is more complicated because the private sector controls so much of the physical infrastructure and IT network. "That means a lot of companies are part of the national infrastructure, but the responsibility for protecting that is in the hands of that company's network administrator, who doesn't have a way to find out what's going on at other companies," he says. "The attackers are well-coordinated, so the defenders need to be as well."

One industry group is pushing legislation to remove a major hurdle to private sector cooperation. The Arlington-based Information Technology Association of America wants Congress to include rules in anti-terrorism legislation that would allow companies to exchange "confidential or proprietary information" about network security without fear of that information becoming public. That would require changing anti-trust regulations and adding Freedom of Information Act exemptions, the group says.

Even before the Sept. 11 attacks, people were sounding alarms, saying protection of the country's IT infrastructure was woefully inadequate. Ronald L. Dick, director of the FBI's National Infrastructure Protection Center, said in a Sept. 5 speech to security experts: "An individual out to harm our infrastructure can infect hundreds of thousands of computers within a matter of hours. He can find ready targets even when the vulnerabilities are long known, well-known, further publicized and easily fixed."

Cyber-security has a higher priority today. In October President Bush named Richard A. Clarke his special adviser on cyberspace security. Clarke, a longtime expert on anti-terrorism, will lead a new government-wide board overseeing protection of critical information systems. He had been the National Security Council's coordinator of security, infrastructure protection and counter-terrorism.

Preceding September's terrorist attack, government-led efforts were underway to improve security. The FBI has joined with the private sector to create InfraGard, a nationwide network for sharing information about network security. There are 65 chapters nationwide; Virginia has chapters in Richmond, Norfolk and Northern Virginia. In July, the Department of Justice announced plans to spend $3 million to add 77 people nationwide to its computer hacking prevention efforts, including 10 in Alexandria.

Maybe the biggest boost to IT security was the Y2K bug. Remember the dire warnings that computers weren't prepared to handle the date change, and that everything from ATMs to the air-traffic control system would collapse? In the U.S. alone an estimated $100 billion was spent preparing the public and private sector. On the big day, almost nothing happened. The current threat, though, isn't quite the same, says Bob Cohen, a senior vice president with the Arlington technology association. Y2K forced businesses to create contingency plans and systems to back up their data in case something went wrong, he says, "but in terms of intrusion detection and the things you have to worry about in information security, I'm not sure there's an overlap."

In terms of handling the heavy demand after the Sept. 11 attacks, though, the country's voice and data networks held up fairly well. Texas-based Matrix.Net, which analyzes Internet traffic, says Internet access dropped significantly immediately after the attack but was back to normal within hours. And when voice connections didn't work, e-mail did: e-mail and wireless message devices worked when phones didn't because of the ability of data networks to go around trouble spots. If one route is blocked, the data goes in pieces another way and is reassembled at its destination. By comparison, voice connections whether by wireless or landline require a single steady connection.

One Virginia company, Alexandria-based messaging provider Metrocall, scrambled to get its network working again after the New York attack. The company had three transmitters atop one of the World Trade Center buildings; it was able to restore service within hours to its 80,000 customers by rushing new transmitters into service across the Hudson River in New Jersey. The day of the attack, Metrocall also sent 2,000 of its wireless messaging devices to the rescue workers and federal officials at the rescue effort in Manhattan and to the Pentagon in Arlington County. "Our biggest focus was to make sure we had communications for emergency services personnel," says Rich Dewey, Metrocall's vice president for engineering. Metrocall, however, suffered a grievous personal loss in the attacks. Chief Operating Officer Steven Jacoby was killed along with other passengers when the plane they were on was hijacked and flown into the Pentagon.

Now security has moved to the forefront nearly everywhere. Metrocall is already taking orders for its two-way messaging devices from security officials preparing for the coming Winter Olympics in Salt Lake City. ServerVault's Sweeney predicts the job of "chief security officer" will become a part of corporate hierarchy. Mississippi-based WorldCom, which has a network operation center in Loudoun County, is expecting a surge in security spending in the fourth quarter and early next year, says spokeswoman Janet Brumfield. "It's like insurance. A business would never go without insurance."

But many still do, says U.Va.'s Weaver. Look at airport security. "Everybody knows you could smuggle a weapon on. Everybody knows that the doors to the cockpit are flimsy. I'm afraid ... we learn primarily by having things happen rather than being told that they could happen." Perhaps. Enough people believed the Y2K threat, though, and we dodged that bullet. And the threat of cyber-terrorism feels a lot more threatening than computers that couldn't tell time.

©2007, Media General Operations Inc., publisher of Virginia Business.