Who's minding the Net?
COMMENTARY--First, the Internet got invaded by a killer computer worm. Then, the power grid went on the blink. What's next--Martians land in New Jersey?
It was a wacky week, as this summer of our discontent neared the Labor Day finale. But watching the responses to the two separate crises left me wondering how prepared we are for a really serious attack on the cyber-infrastructure.
When the juice got cut, the electricity blackout was treated as a national emergency. This was fitting and proper, and power returned within 24 hours. What's more, in the aftermath of the blackout, state and federal executives promised steps to upgrade the grid in order to prevent a reoccurrence.
The response to the MSBlast Internet worm was more problematic. Something along the lines of a bad hair day: unsightly but not urgent enough to get exceptionally bent out of shape. (Unless, of course, you were numbered among its unhappy victims.)
President Bush was understandably too busy playing horseshoes out at the Crawford ranch to break away from his summer vacation routine. But how do you explain the silence at the U.S. Department of Homeland Security? Not a peep was heard out of the department until Aug. 14, a full three days after press reports began circulating that something big was afoot.
The job of fixing the MSBlast problem was left to the private sector, with most of the attention focused on Microsoft's culpability. After all, said the critics--yours truly included--the virus was exploiting vulnerabilities in the Windows operating system. All that is true, but you can only take the blame game so far. Microsoft has a legitimate beef, in that Windows does not get shipped out to customers with a timer rigged to open the system to Internet worms. MSBlast was an act of targeted vandalism. Period.
The resulting chaos and downtime was very real and should have been enough to set off alarm bells in the upper reaches of the U.S. government. After all, it makes no difference whether the author was a mischievous hacker or a more serious no-goodnik. But why the powers that be still don't get particularly exercised by cyberattacks remains a mystery.
The folks in government who are supposed to worry about this sort of stuff have done a lot of talking since computer worms and viruses became a regular part of the computing landscape. Maybe the hired help in Washington, D.C., would get more fully engaged if Osama bin Laden emerged from his cave to declare open season on the infidels' cybernetworks.
If they somehow need more immediate incentive, they should consider the recent revelation that the "Slammer" worm hit a nuclear plant near Lake Erie this past January. So far, there's no indication the worm put the plant's safety in danger--though it did shut down its monitoring system for almost five hours.
The easy way out would be to blame user error or laziness for the breach. In that case, one might fault the plant managers for using the same network for monitoring as it did for Internet access. And so on and so forth.
But that avoids the core issue: whether you believe this was a one-off example or a more troubling harbinger. When the Clinton administration published the results of a six-month study of power grid cybersecurity in 1997, the insouciant conclusion was that electronic intrusion posed "an emerging, but still relatively minor, threat."
Would Uncle Sam still reach the same conclusion today? I doubt it.
biography