04 November 1999
(Greater security needed against electronic attacks) (680)
by Charlene Porter
Washington File Staff Writer
The rapid growth of electronic communications as a primary tool in international commerce is redefining how business is conducted. At the same time, information security analysts say the expansion of electronic commerce (e-commerce) has created a new vulnerability for corporations and a new way for them to be victimized by terrorists.
Officials from the National Security Agency (NSA) and the U.S. Department of State (DOS) briefed hundreds of representatives from multi-national corporations and non-profit organizations November 3 in Washington about the growing risks of terrorists who are not trying to shed blood, but rather to wreak havoc with electronic records.
With the increasing use of the Internet in business operations, it will not be long before "more damage can be done with a keyboard than with a car bomb," according to Nickolas Proctor, Executive Director of the Overseas Security Advisory Council (OSAC). OSAC is an office within the State Department devoted to fostering the exchange of information on security issues between government, businesses and other organizations operating internationally.
Assistant Secretary of State for Diplomatic Security David Carpenter told the audience of business security specialists that they must educate themselves about the mounting threats of cyber-crime. He said terrorists are constantly devising new ways "to cripple business, government, and infrastructure," and inventing new methods of "creative destruction."
The U.S. government officials warned the corporate representatives that in their rush to enter the world of e-commerce and to establish a business profile on the World Wide Web, they may have revealed information about their companies that a would-be terrorist could use to launch an attack.
The security specialists from such major companies as Eastman-Kodak, Bristol-Myers-Squibb, Lucent Technologies and the New York Stock Exchange were urged to reexamine their Web sites and ask themselves how a terrorist could exploit the information posted there to raid corporate records or plot sabotage against company facilities.
Michael Peters, the technical director for operations, readiness and assessments at the NSA, described his successful efforts to expose weaknesses in the security of U.S. government information systems. In an exercise to test the vulnerability of systems within the Department of Defense (DOD), Peters said a team of 20 government information experts posed as adversaries attempting to break through DOD computer security. The role-playing terrorists set out to deny, disrupt, delay or change critical DOD information, and to exploit any vulnerabilities.
"The bad guys won," Peters said. "We were able to cause serious problems for DOD," in what was only an exercise, and he warned the business executives that their companies were probably equally vulnerable.
The U.S. government security experts urged the corporate representatives to exercise a higher level of vigilance to protect their company's electronic records, but they also invited debate on some of the unresolved legal questions that surround electronic commerce.
John Nagengast, assistant deputy director of the NSA, said, "We really need a national legal and policy framework," but that such a framework does not yet exist. He also said business and government need to collaborate to answer some of the questions about this new kind of crime. For example: When does a cyberspace prank become a crime? When does a computer hacker become a terrorist? Where do crimes occur in cyberspace? What law enforcement entities have jurisdiction? What are the appropriate penalties for cyber-crimes?
Because the technology is global, Nagengast said, international consensus must be reached on the questions surrounding crime in cyberspace, adding that security structures must be put in place on a global level.
Nagengast also called for a fundamental change in how corporations view security matters. He said security has long been considered only a minor factor in a company's overall cost of doing business. In today's world, however, he said, information security and vigilance against potential attackers must become a high corporate priority.
(The Washington File is a product of the Office of International Information Programs, U.S. Department of State.)