Ken Watson, who once piloted jets off aircraft carriers, now finds himself on the front lines again--this time helping to marshal the battle to secure the United States against future cyberattacks.
The 23-year Marine veteran--and current Cisco Systems executive--is president and chairman of the Partnership for Critical Infrastructure Security, an 80-company organization that identifies vulnerabilities in the private sector's cyberinfrastructure. His conclusion so far: In this escalating arms race, the nation's critical services are far from secure.
How well are we moving toward securing the nation's infrastructure?
We have made a lot of progress, but it is an arms race. I don't know when the next attack is going to be. I don't know when the next breakthrough in defenses is going to happen, but everyone I have talked to in the infrastructure sectors is aware of the issue and is motivated to do everything they can to not only protect themselves, but also protect our country and other countries of the world.
What are the biggest security issues facing the Internet and the nation?
The Internet knows no borders. This is not just a national problem; it is an international problem. We are working together to try to raise the bar for security worldwide. The U.S. government knows this, but it is a paradigm shift for them. And it is difficult institutionally for the U.S. government to think globally when they are talking about their own national security. We think that the formation of the Department of Homeland Security is going to help a lot because it will provide focus.
One division is dedicated to information analysis and infrastructure protection. That'll help. And if you look at the structure of the draft national strategy (the Bush administration's "National Strategy to Secure Cyberspace" document), you'll see there is pretty strong global emphasis there, too. So thinking globally is a challenge that we are overcoming, both on the national front and with industry.
As far as industry and government, there is a definite business case for industry to be involved and there's a definite national security interest. This is the first national security issue that the government can't solve alone. The Department of Defense can't defend against a cyberattack on a power plant in Omaha. They just don't have the tools; they don't have the access. They don't have the authorization--sometimes they don't even have the intelligence because the attacks appear in corporate networks before the DOD or intelligence agencies are even aware it's going on. There is a real mandate for cooperation. Businesses are beginning to understand that (they) may represent the first line of defense against an attack on the country, because all the interconnectedness and all the interdependencies show that businesses may be prime attacks. After all, al-Qaida attacked the World Trade Center, which is a financial center. And that was not the government.
Because the majority of the Internet is hosted and used in the United States, can we take charge and at least secure our own territory?
The initial focus is U.S.-centered; at least as far as the U.S. government is concerned. Already, it is pretty successful. They have outlined strategic areas to think about: research; work force development, education and training; awareness; and incident response coordination and information sharing. All of those areas are being pursued. We are beginning to reach out to Europe and the Far East because they also have significant interest in this area. So the dialogue is beginning there, too.
We have recommendations suggesting that certain infrastructures be more secure. Do you think we need certifications and regulations, or will the hands-off approach work?
I think the hands-off approach will largely work. I really do. And we think it's forward thinking of the government to eschew new regulation. It's not being vendor-friendly; it's the best way to solve the problem. Dick Clarke (President Bush's special adviser for cybersecurity) has said many times that he thinks regulation would be too slow and actually wrong when it's implemented to solve problems that can largely be solved by the market. On the other hand, I don't think the market can provide a 100 percent solution. But it is up to us to work with the public-private partnership to identify how much the market can provide and where the remaining gap's going to be that will have to be either (incited) or funded by the government to finish.
When you talk about certification (of information-security workers), there is a real need for standards. There are several companies in the insurance industry that are providing information-security protection products but they don't have any actuarial data to stand on. So they are out on a limb a bit, taking a risk of their own to provide that kind of insurance product to industry.
Do you think that over the next few years we need to develop a standardized way of looking at security? Do you think it is even possible?
I think it is possible. I wouldn't characterize it as a standardized way of looking at security. I would characterize it as a set of industry-based system standards.
We have had defacements galore, the DNS (domain name system) root-server attacks, worms and denial-of-service attacks. Do you see the threats getting worse before they get better?
Old attacks never go away. There are new attack types. People get more and more sophisticated and the attacks are easier and easier to use. You can type some keywords in your browser and pull down point-and-click hacking tools, if you like. Some of them are illegal, depending on how you used them, but I think the number and types of attacks are going to increase, and they are going to increase in complexity. We are really in an arms race, building defenses and trying to figure out how to identify attacks in progress and respond quicker than we have in the past.
There has always been talk of dire attacks, such as "digital Pearl Harbor." Do you think we will see something like that before we get secured, or can we move fast enough to secure the infrastructure?
That's really hard to answer. You are basically asking me what keeps me up at night. And to answer that, I wouldn't say this is going to be the mother of all attacks. Who knows what they are going to try? You saw that even the attacks on the top-level domains didn't have much of an effect. I think they demonstrated the robustness and resiliency of the Internet in general.
The worst threat is a combination of a physical attack and then a cyberattack that would disable the response. So if there was another horrendous bombing attack and then someone disabled 911 emergency responders or screwed with the traffic lights, that would be a pretty significant nightmare scenario.
But we are working as hard as the bad guys are. And the fact that we have a dialogue, cross-sector with the PCIS (Partnership for Critical Infrastructure Security), and each of the ISACs (Information Sharing and Analysis Centers) is becoming more mature in its trending and analysis, keeps us better able to respond.
The national plan under President Clinton and the national strategy under President George W. Bush have both emphasized education and research. What dividends do you expect to see from those initiatives in the next few years?
I have always said that the two strategic areas in this field are research and education. If you look at what we call the (technical) skills gap, it keeps getting wider. All the training and education programs in the world can't produce enough highly qualified individuals to meet the demand. And that's true for networking in general and it's even more true for security. So the government getting out in front and providing a cybercore scholarship program and working with the NSA (National Security Agency) to identify centers of academic excellence and information assurance education is really helpful.
On the research side, we think it's a great idea that the National Infrastructure Simulation Analysis Center, the NISAC, is going to be involved with the new Department of Homeland Security. Interdependency modeling is probably one of the two top research topics that we need to address. If you understand the interdependencies--the nodes that cross bounds between, say, the electric power sector and the water sector and railroads and the banks and the rest--and you know where those dependencies are, then you can develop ways to defend them. You can really harden the critical infrastructure.
What about our response to events? Are there deficiencies in how we respond to these threats and will we see changes in how we deal with them?
The general awareness is going to keep going up. And if you look at the way (Internet) service providers are responding now, they are doing more filtering at the edge, they are doing more rate limiting and they are doing more cooperative traceback with each other that they weren't doing a year ago. I think that's going to improve security and that will help the service provider segment respond to attacks like that. There are also companies developing specific anti-DDoS (distributed denial-of-service attack) and DoS (denial-of-service attack) tools that I think will mature and be used by people in the Internet industry to provide even better defenses.
Do you think we are going to see an automated trace-back system? And do you think we need to expand on current systems to better fight threats in the future?
Well, some service providers and others already have some traceback capabilities. Traceback helps you identify where things come from, but there are jurisdictional issues and I don't know all the legal ramifications of where that has to go to be solved.
How much is industry getting behind this push for security? And do you think the ISACs will change from an advisory capacity to more of a responder capacity?
I hope they do. The ISACs are still new. One of the difficulties I see across industry sectors is how to integrate this new tool in normal business operations. Part of the awareness of this issue is getting the companies that join ISACs to figure out how to integrate the ISAC into their business. Once they solve that, once they see that they can gain knowledge from all of their fellow members...then they are better off as part of the ISAC than without the ISAC.
I think the ISACs will need to evolve to something that provides trending and analysis and more proactive solution distribution than just another warning mechanism, like CERT (Computer Emergency Response Team), the NIPC (National Infrastructure Protection Center), and the other organizations.