Catastrophic cyberattack unlikely, experts say

Leilani Lauger doesn't worry much about terrorists bombing the Chicago Stock Exchange. She's not too concerned about a trading tailspin in the face of massive downtown evacuations. Unlike the daily hustle and bustle of the New York Stock Exchange, this operation is calmer.

THE MERGING PHYSICAL-CYBER THREAT Hurricane Katrina and the 9-11 terrorist attacks demonstrated how physical catastrophe can kill companies. Security experts have long warned that an Internet-based disaster could have similar consequences.   As buildings and business processes become more computerized and companies grow more dependent on e-commerce, those tasked with enterprise security are having a harder time separating threats in the physical world from those in cyberspace.   In this three-day series, security officers describe how their operations are evolving to confront the combined threat; where they see the most damage potential and where they're finding the best survival tools.

Trading is done on a highly automated network that could be run from remote backup locations if necessary. Generators are in place in case the power goes out. The exchange is also part of ChicagoFIRST, an organization the city's financial institutions started two years ago to address homeland security issues and coordinate with the government for business continuity during and after a disaster. As the Chicago exchange's information security manager, she's more worried about a cyberattack.

"What really keeps me up at night is the threat of things that would cause a denial of service or things that would corrupt data and keep us from doing business," said Lauger, whose primarily Windows-based operation includes 175 employees -- 102 of them on the IT staff -- 650 workstations and more than 200 servers. She also has to protect the network from any malware that tries to enter the building from remote systems run by the different trading firms with seats on the exchange. When the SQL Slammer worm came out, it tried to infect the network from a partner firm. Because of the exchange's security architecture, it couldn't get through. But looking to the future, Lauger said, "It's more likely we'll see a major cyberattack than a physical attack."

That doesn't mean she fears a catastrophic failure, nor does she dismiss the possibility. She simply believes her organization has the people, plans and technology in place to mitigate at least some of the damage if it ever happens. But several security experts have warned of the potential for a devastating digital incident, including former White House cybersecurity advisor Richard Clarke and noted security researcher Dan Geer, who co-wrote a paper two years ago that famously predicted grave peril for a virtual world too dependent on flawed Windows systems.

Cyberattack response: Insider threat seen as biggest data security issue:  The insider threat is the biggest disaster scenario say Security officers. Who best to avert data security disaster: government or business? look to government to prevent a data security catastrophe, but corporate IT pros should do their part. Security tools help reduce insider threat: Security tools, such as PKI, help reduce reduce the insider threat.

One security officer believes the cyberdoom predictions are off -- way off. Dennis Treece, director of corporate security for the Massachusetts Port Authority (Massport) since September 2002, oversees the security of Logan International Airport, Massport's regional airports, the state's shipping and cruise terminals and the Tobin Bridge connecting North Shore residents to Boston. One wall in his Logan-based office is lined with glass-encased Army medals, including three bronze stars for his service in the Vietnam and Persian Gulf wars and a purple heart for a combat wound he suffered in Vietnam. On another wall is a map of the Internet, which Treece described as "a snapshot of top-level domain routers and the Class A through C networks in a 24-hour period."

The wall hangings illustrate a career in the military and private sector that's given Treece an unshakable faith in the Internet as an indestructible force. He agrees with security experts who say the biggest threats to cyberspace remain in the physical world. But he believes that can change if the world loses its dependence on wires and cables.

Digital Pearl harbor 'a tough sell'
When people like Richard Clarke said there'd be a Digital Pearl Harbor, Treece said people shrugged. "It's such a hard sell," he said. "The problem is we haven't had a cyber Pearl Harbor or 9-11." And, he predicts, we never will.

"The Internet is the most overtly redundant operation around," he said. "On 9-11, computer systems were working in New York and the Internet functioned. Continental gateways are always being added to the Internet. It will keep getting bigger and more redundant. As it does it will be more and more impervious to total failure."

His philosophy is based on experience in the military and private sector. Before retiring as a colonel in June 2000, Treece served as the Army's first information assurance program manager. His task was to build an effective program to detect and respond to all threats affecting the telecommunications and computer systems. Before joining Massport he worked for what is now Atlanta-based Internet Security Systems' (ISS) X-Force. While there, he built and operated a state-of-the-art computer threat operations center and provided early warning of computer attacks to his clients and to the government. His team provided computer network security for Australia's national telecommunications company during the 2000 summer Olympics in Sydney.

While he saw many examples of how hackers can attack networks and disrupt cyberspace, he said those threats haven't kept pace with the Internet's expansion and never will. Enterprises that fall asleep on the security switch will undoubtedly suffer damage -- in some cases fatal damage, he said. But the Internet will endure.

Part 2: Why the Internet will not implode