Premier 100: Worst-case scenario for IT security

What if everything went wrong?

That’s the possibility security experts confronted here Tuesday at Computerworld’s Premier 100 conference as panelists with real-world experience in government, software development, Internet service and corporate IT security worked their way through an unfolding fictional scenario of a massive cyberattack on critical U.S. infrastructure after an invasion of Iraq by U.S. and allied forces.

Based on how these experts responded to the fabricated events, the story doesn’t have a particularly happy ending.

Even under the assumption that government and industry would be operating at a high level of alert during an invasion of Iraq, an outbreak of viruses, worms and other cyberattacks — combined with physical terrorist actions in the fictional city of “Metropolis” — showed how effective coordination between government agencies and private industry would be hampered.

In fact, stopping the attack might prove impossible.

Roger Cressey, former chief of staff for the President’s Critical Infrastructure Protection Board, said that as terrorist actions developed under the fictional scenario, the government “would be in triage mode.” That means it would focus its efforts on protecting or reviving electrical power to Metropolis, not on saving critical corporate operations.

Bill Malik, chief technology officer at Waveset Technologies Inc. in Austin, Texas, acted as the CEO of fictional “MegaCorp.” In the fabricated attack, MegaCorp’s software product, “Doors,” was the primary product under attack. Malik said the government would have to be ready, if necessary, to order any vendor to reveal proprietary information about its customers to help protect MegaCorp.

Satesh Lele, chairman of Global Data Systems USA in San Jose, who played the boss of a major Internet service provider, agreed. But in the real world, he said, government representatives in charge of security, such as the FBI, “are very slow to act.” He doubted that any such order would arrive in a timely manner.

As the story unfolded, it was learned that the most devastating cyberattacks were being aimed at a part of Doors not yet identified as vulnerable. And no patch was available. Rob Clyde, CTO at Symantec Corp., described that as the worst-case scenario; Malik argued that a quick-fix patch would be unlikely to solve MegaCorp’s problem.

In the final chapter of the narrative, the likely source of the cyberattack was found to be Saudi Arabia, a discovery that would be good news if true, said Clyde. That’s because a lack of competing infrastructure providers and close contacts between U.S. security software companies and Saudi service providers would make it easier to end the threat.

Even so, the conclusion of the story was that damage to Metropolis, its IT infrastructure and MegaCorp would be substantial.