Bush advisor predicts possible cyber-catastrophes

In his keynote address at an information technology auditing conference in New York, Howard Schmidt, U.S. President Bush’s advisor on cybersecurity, predicted that networks operated in the U.S. and abroad are likely to be brought down by catastrophic events unless security greatly improves.

“By 2009, there will be over 2 billion Internet-enabled devices, each with an IP address, in the U.S. alone, and 6 billion altogether,” predicted Schmidt, vice-chair of the President’s Critical Infrastructure Protection Board, in his keynote before the 30th annual international conference of the Information Systems Audit and Control Association (ISACA).

The conference was attended by nearly 300 security professionals from 37 countries.

The devices on the IP packet-based network of the future, predicted Schmidt, will include not just computers, but also traffic lights, elevators, appliances and even pacemakers. But the IP networks of 2009 will be unstable, subject to “constant security outages,” unless both governments and private industry focus on eliminating network vulnerabilities through research and better practices.

“The routing tables of the future will be unmanageable; there will slowdown and failures, and malicious and criminal activity between 2002 and 2009 all mean the Internet quits working,” warned Schmidt. He even forecast a future in which “special aircraft will be flying the routing tables” physically to servers after periodic network brownouts.

In addition, computer viruses, the “zero-day viruses and affinity worms,” will be surreptitiously entering IP devices, causing widespread devastation by wiping out business records.

“In a major brokerage house, it will enter through the CEO’s house by infecting the CEO’s PC, then the corporate network, and scrambling the brokerage house trading records,” said Schmidt, who was formerly chief of security at Microsoft Corp. before joining the President’s Critical infrastructure Protection Board in December.

Electrical power grids, controlled by networks, could collapse in 2005 due to distributed denial-of-service attacks that block traffic to IP-based management devices, Schmidt said. Economically, all these disruptions will take a toll by 2009, with the Federal Reserve coming to the conclusion that cyberattacks are depleting growth. Then, Fedwire, the government-run network for monetary transfers to banks, will be hit by a database scrambler attack and there will be an unscheduled bank holiday to clean up the mess.

“That’s where we’re headed if we don’t turn this ship around,” Schmidt warned.

The federal government is monitoring a situation that arose during the past year in which it was discovered that vulnerabilities in the Simple Network Management Protocol (SNMP) would allow attackers to take over SNMP-based routers, switches, applications and firewalls. This vulnerability, detailed by Finnish researchers, has been traced back to what’s called ASN.1 encoding, which caused dozens of network and applications vendors to issue software patches in a race to fix networks before hackers exploited the vulnerability.

ASN.1 constitutes a layer of network coding that is used in many network protocols other than SNMP, and there are suspicions that implementations of ASN.1, which Schmidt likened to “a bad gene in the DNA of complex programs,” may be at risk as well.

So far, Schmidt disclosed, the ASN.1 buffer-overflow vulnerability has also been discovered to affect telecommunications microwave equipment, which the industry has quietly addressed. “We’re monitoring that,” Schmidt said.

Working with industry, the government has wanted to keep information about major vulnerabilities quiet until industry had the needed remediation prepared.

The 20-member President’s Critical Infrastructure Protection Board, created by President Bush last October, is the organization expected to coordinate security strategies with both agencies and private-sector companies. Its concerns cover the safety, both physical and electronic, of industry sectors that include telecommunications, energy, transportation, banking, healthcare, manufacturing, and water systems.