U.S. networks are likely targets for terrorist attacks, said lawmakers and representatives of government agencies, academia and the IT industry at a House of Representatives subcommittee hearing Wednesday.
While witnesses agreed that networks are possible targets, they offered differing opinions regarding the cause of vulnerability during testimony to the Committee on Government Reform's Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations.
Representatives from university research groups maintained that commercial software doesn't employ robust enough security to protect government and businesses, as well as home users, from infiltration and attacks, specifically computer viruses and worms that spread through the Internet. But the head of an industry association argued that the problem is the lack of education and prioritization of security issues by all types of users, leaving the country open to cyberattack.
Because much of the technology used today has roots in the personal computing era, when PCs were intended to be stand-alone devices, protecting them from threats that arise once those systems are connected means retrofitting software, said Richard Pethia, director of Computer Engineering Response Team (CERT) Centers with Carnegie Mellon University's Software Engineering Institute.
"We're lacking security, but we have this huge installed base" of software from the PC era, he said. "We can build systems that are much more robust and secure."
Countering this argument, Harris Miller, president of the Information Technology Association of America (ITAA), said that software companies are putting forth a "maximum effort" to produce highly secure products.
"Customers don't want the security features," Miller said, referring to the suggestion made many times during the hearing that companies should ship their software with the highest possible security settings turned on as the default. "It's just like how do you get people to wear seatbelts?"
Emphasis should be placed on educating the country about sound information security practices, Miller said. "Practicing information security as part of homeland defense will pay massive dividends in the future."
Another related discussion was sparked when the subcommittee chairman Representative Stephen Horn, a Republican from California, asked how vulnerable the Internet is to terrorist attacks.
"The possibility is there to take down the Internet," said Michael Vatis, director of the Institute for Security Technology Studies at Dartmouth College, adding that routers and domain name servers are particularly vulnerable. These problems are well known but not addressed, perhaps due to lack of resources or not making them high priorities, he said.
"Much of the Internet is very resilient," tempered CERT's Pethia," but a few key points like domain name servers don't have redundancy."
Fearing that such statements would lead to newspaper headlines predicting the collapse of the Internet, Miller said that there are risks, but the companies that manage those servers, such as VeriSign Inc., are aware of them and are working on redundancy plans.
One point many of the witnesses agreed upon was the need for more government-sponsored research and development programs to help build better security technology.
"There's a need for more resources. The money that most (computer companies) spend is on short-term development. We need long-term, government-funded research and development," Miller said. Government funded training programs aimed at producing more security specialists would also help, he said.
Considering that computer users today find security features difficult to use, Vatis added that long-term research should focus on developing software with high security levels and low end-user interference.
"The state of the art [of security technology] today is not good enough," he said. "The answer is research and development to design technology that's easier to use."
More information on the Subcommittee on Government Efficiency, Financial Management, and Intergovernmental Relations can be found at http://www.house.gov/reform/gefmir/.