Thursday, April 23, 2009

RSA 2009: Why the Top U.S. Cyber Official is Losing Sleep


Melissa Hathaway has led an extensive review of the nation's cybersecurity. Her dreams are haunted by what she has discovered

By Bill Brenner, Senior Editor

April 22, 2009CSO

SAN FRANCISCO -- The United States' top cybersecurity official already knew the world's digital infrastructure needed help before she took on a 60-day cyberspace policy review. With the review now complete, she admits the gravity of the situation seeps into her dreams and disturbs her sleep.

"I worry about [questions surrounding cyber security] every night; they infiltrate my dreams," Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security Councils, said in a keynote speech at the RSA Conference Wednesday. "I often wake up at 2:30 or 4:30 in the morning having worked the problem in my sleep, and sometimes even develop a good idea."

President Obama tapped Hathaway, a Bush administration official who helped develop a multi-billion-dollar classified initiative to better secure federal systems and critical-infrastructure networks against online threats, to lead a 60-day review of the government's cybersecurity efforts in February. [See Obama Taps Bush Aide to Review Federal Cybersecurity Efforts]

She acknowledged what everyone attending RSA already knew: The nation's digital infrastructure -- the world's, for that matter -- is full of security holes that leave us vulnerable to those who would steal personal data for financial gain or to compromise national security. [See Botnets: 4 Reasons It's Getting Harder to Find and Fight Them]

"Despite all of our efforts, our global digital infrastructure, based largely upon the Internet, is neither secure enough nor resilient enough for what we use it for today and will need in to the future," she said. "This poses one of the most serious economic and national security challenges of the 21st century."

She offered several examples: The design of today's digital infrastructure was driven more by considerations of interoperability and efficiency than of security, she said. As a result, a growing array of state and non-state actors can compromise, steal, change, or destroy information. She cited "countless intrusions that have allowed criminals to steal hundreds of millions of dollars and allowed nation states and others to steal intellectual property and sensitive military information." Digital miscreants even have the ability to threaten or damage portions of the nation's critical infrastructure, she said, a recent example being a November 2008 incident where 130 automated teller machines in 49 cities around the world were illicitly emptied in the space of a half hour. These and other risks have the potential to undermine consumer confidence in the information systems that underlie our economic and national security interests, she said.

No comments: