October 28, 2011, 1:20 PM — The computer networks that connect critical utilities, major companies, universities and military bases is insecure and should be replace with one less likely to be broken or manipulated by hackers or other countries that could become enemies of the United States, according to a top FBI offical.
Even terrorist groups with few hacking skills of their own are becoming a more serious threat as successful criminal hacking groups become more willing to hire themselves out to all comers, according to Shawn Henry, the FBI's executive assistant director in a speech to the International Systems Security Association last week.
One way to minimize the risk is to build out a second, more secure, limited-access network fo utilities and financial systems, Henry said.
Another would be to develop ways to eliminate the possibility of anonymity on existing networks to make it easier to trace attackers.
Maybe, but knowing who is responsible for security in any given instance is at least as big a problem, according to Gen. Keith Alexander – the Army general who is also head of the National Security Agency (NSA).
"Is it the FBI? Is it the NSA? Is it the military or is it the ISPs — the Internet service providers? But somebody can turn that device off," Alexander said at the same ISSA conference.
The Pentagon is finalizing plans describing what parts of the Internet should be its responsibility and what it will do about them, Alexander said.
Homeland Security is also working on its own plans and ability to secure utilities and other civilian resources, he said.
That still leaves a lot of holes in the coverage of the whole Internet, though.
It is not within the NSA's purview to take responsibility for that security, however. Nor is it the FBI's.
The NSA is an intelligence gatherer responsible for highlighting risks and developing responses to them. The FBI is strictly reactive – investigating crimes that have already taken place.
Even the overly broad mission of DHS doesn't include specific responsibility for specifying, implementing or enforcing regulations over the security efforts of public and private organizations across many industries.