feature
11 September: IT Fall Out
Philip Hunter, CF&S Reporter
The summer just gone seems a long time ago, and this is also true from the IT security perspective. The tragic events of 11 September have galvanised the IT security industry, which is one of the few sectors whose stock has risen both literally and metaphorically. Only in July, we ourselves posed the question in a headline: “Is security at risk from the IT Downturn?”. There is no chance now of that in the immediate future as IT managers come under intense pressure to strengthen disaster recovery plans and step up protection against potential cyber attacks on their systems.
Implications
In the US, IT directors have already been warned by the US Department of Defense that they will soon have to take personal responsibility for the systems under their remit, and be prepared to sign guarantees for the integrity of their networks. They are likely to respond by increasing their IT security budgets, even at the expense of other developments. Broadly, the IT security implications of the US terrorist attacks come under three headings. Firstly, there were the immediate consequences for businesses directly affected and the measures taken to get critical systems and networks up and running as quickly as possible. Second, there were the wider implications for IT security across the world given the potential for terrorist attacks on networks and IT installations. Third is the whole issue of access by law enforcement agencies to individuals’ emails and to funds transfer networks in the hunt for terrorists, with ramifications for privacy.
Altruism
In the immediate aftermath, we saw numerous examples of altruism on the part of IT companies giving equipment away, making facilities available, and providing free help in restoring data. For example, the Californian data recovery firm DriveSavers offered without charge to recover data from any hard drives or other devices found in the rubble of the World Trade Center or in surrounding buildings. Larger IT vendors such as Microsoft and Unisys sent in teams that worked round the clock to restore networks, resume email services, and replace lost hardware. This combined IT industry effort played a major part in enabling Wall Street to resume trading the Monday after the atrocities.
Big fish
Of the firms directly affected, it tended to be the larger ones, like Morgan Stanley, that lost many people but were able to resume at least a semblance of normal business relatively quickly. This is because larger businesses, especially those in the financial sector, which are so dependent on total availability of IT systems, had effective contingency plans in place.
Y2K
Morgan Stanley and others attributed their rapid IT recovery to the efforts made two years ago to make their systems Millennium compliant. It was sometimes claimed at the time that a beneficial side effect of the work, which often involved updating and re-documenting systems, was a greater fitness to withstand disaster. This view seems to have been vindicated, providing some late justification for the huge amounts that were spent on countering a threat that was often overhyped.
Small fry
Smaller firms that were affected fared less well, and some lost all their data and may not survive as a result, unless they succeed in obtaining full consequential loss compensation either from their insurers, or more likely from the federal government. Of larger organizations, the worst affected was the Pentagon itself, which placed an emergency order for over 1000 proprietary secure desktops, along with other hardware, to replace classified systems destroyed in the attack. According to a former Navy intelligence officer speaking off the record, some top secret applications were definitely seriously affected for some days after the attack.
Disaster recovery
In the wider business world there has been a huge increase in demand for disaster recovery services, suggesting that many firms were insufficiently protected beforehand. EDS reported enquiries for disaster recovery up by 150% from their normal level, and the prospect of rapid growth in the sector fuelled a surge in the shares of specialist companies. The shares of Guardian IT, the leading UK disaster recovery specialist, leaped from 260p to 350p during the days of rapid falls elsewhere in the stock market. In the US, there was a similar hike for Comdisco, one of the leading IT disaster recovery providers there.
Capacity
The question arises as to whether there is sufficient spare capacity in the disaster recovery field to cater for the increased demand. Some, such as SunGard, were unable even to accept new customers directly affected by the attack, stating that they had their work cut out handling the growing demand for their services from existing customers. But others, such as Cervalis, which has two hot standby data centres in the US, were offering discounted or free services on a temporary basis to firms directly affected.
Terror
As well as the heightened risk of direct physical attack on offices or IT sites, there is the fear of cyber-terrorism. The vulnerability of many US websites to such attacks was demonstrated in the days after the collision between a US surveillance plane and a Chinese jet fighter on 1 April 2001. A number of US websites were defaced by Chinese hackers. But this is not the same as penetrating corporate networks and causing serious damage. So far, there have been no reports of any such attacks since 11 September, and the capability of Islamic terrorists to mount such an attack has been doubted. But the vulnerability is there, according to Daine Gary, a member of the FBI’s InfraGard advisory board. Gary advised US enterprises to take down non-critical external Internet connections, and to disable instant messaging capabilities. And some analyst groups, including Gartner, suggested enterprises ask their ISPs to provide protection against denial-of-service attacks, which could quite readily be mounted by terrorists. So far, it has to be said, most of the hacking activity elicited by the events of September 11 has been perpetrated from within the US against Islamic websites. These so-called ‘patriotic’ hacking attacks included defacement of the website belonging to the Iranian Government’s ministry of the interior.
Safe harbour?
The FBI has strongly counselled against such attacks on the grounds that the US does not itself want to stand accused of harbouring terrorists, even of the cyber variety. The hacking community itself has been split over the virtue of such attacks. One group of about 60 online vandals, calling itself The Dispatchers, called for arms, urging hackers to disable Palestinian-affiliated websites by whatever means possible. But, this appeal was condemned by the Chaos Computer Club, with the words: “being a galactic union of hackers, we simply cannot imagine dividing the world into good and bad at this moment.”
Civil liberties
Not surprisingly, the FBI and other western law enforcement agencies have also been on the offensive, and this leads on to the third area of concern that we identified, that of privacy. The FBI immediately invoked the Foreign Intelligence Surveillance Act, which requires ISPs and others to turn over information deemed to relate to activity involving foreign governments. The burden of proof required under this Act is minimal compared with that required for a civil criminal warrant.
Counter reaction
Yet, there have been calls to extend such powers further. US attorney general John Ashcroft has issued a legislative proposal for new wiretap laws that would allow federal agencies to target individuals, rather than just the hardware they use to communicate, as at present. There are also calls for rapid implementation of biometric authentication methods for identifying individuals, on the basis of fingerprints, iris scans, or facial geometry. Proposals include incorporation of such biometric records into passports, visas, and identity cards, and the corresponding construction of databases of such records.
Privacy v security
Inevitably the attacks have shifted the balance away from privacy towards national security, with the risk of undoing years of careful construction of laws protecting individual rights to freedom from intrusion: “The bottom line is that privacy will take a back seat to security,” admitted Larry Ponemon, chief executive of the Dallas-based Privacy Council. Equally, the events threaten a return to the early days of encryption when the US Government attempted to control the world’s ability to protect data from eavesdropping by restricting export of cryptographic algorithms as incorporated by the dominant software vendors. This policy achieved some success, not because of any US monopoly over cryptographic expertise, but because the world’s dominant software companies were nearly all from the US. US senator Judd Gregg was among those calling for tighter restrictions, once again, on encryption software, in the hope of limiting terrorists’ ability to evade message tampering. The FBI believes that strong encryption was used in the transmission of messages co-ordinating the attacks on the World Trade Center and the Pentagon. So, we have the usual contradiction. On the one hand enterprises are being urged to step up security, but on the other governments want to limit the strength of encryption, which could undermine some of these efforts.