The challenge of fending off cyberspace threats

As scores of high school and college students raced from event to event, tracking down opportunities afforded by the business of information technology Thursday, a group of experts talked about the frightening challenges created by this ever-evolving field.

Not just challenges, but actual threats to national and industrial security, from the Internet user in his or her home office to weather satellites feeding data to forecasters tracking a Category 5 hurricane.

The experts were panelists at a conference at the Philadelphia Marriott sponsored by BDPA, a nonprofit organization of people involved in the industry of information technology.

The organization, launched by Earl Pace Jr. and David Wimberly in Philadelphia 35 years ago, was designed to increase minority presence when the computer industry was in its infancy.

BDPA still supports diversity, but it is for careers in technologies that are incredibly complex and vulnerable. Two of the panelists were military men, because as one, Navy Rear Adm. William Leigher, put it, "cyberspace is a domain that we have to defend, just as we do the seas and space."

The Defense Department defines cyberspace as the Internet, telecommunications networks, computer systems, and embedded processors and controllers.

Leigher, deputy commander of the U.S. Fleet Cyber Command, said the Defense Department elevated cyberspace to domain status in 2006.

"The daily threats to our defense network fall into the category of foreign espionage," Leigher said.

While fending off such attacks guarantees that "we fight the way we want to fight," keeping the systems safe also permits "a surgeon operating on board an aircraft carrier to stay in contact with one at Bethesda who may have done that surgery many times before," he said.

For Leigher and the other panelists - Air Force Col. Jeffrey T. Butler and John Osterholtz, vice president of BAE Systems Inc. - the event that demonstrated how information systems are vulnerable to attack occurred in 2007.

Estonia, once a Soviet satellite, removed a statue memorializing Russian soldiers killed in World War II. In response, Russian nationalists directed enormous streams of data to Estonian government, bank, and media websites, effectively crippling the nation's Internet access for almost a month.

Osterholtz, who handles cyberwarfare and security issues for BAE, called the Russian tactic a "denial-of-service" attack, meaning that all the sites were overwhelmed by massive amounts of bogus data, preventing transactions of legitimate business.

Osterholtz added: "There is no difference in what the military considers a threat and what the industry sees as one. Commercial enterprises possess a treasure trove of intelligence, which makes us a target."

Leigher and Butler, assigned to the Air Force Academy, are working to develop a proactive response to cyberspace threats.

Butler said introduction to computer science was mandatory for first-year cadets, and his efforts are directed to get his students to get more deeply into it - especially as members of "red teams" that try to find ways of breaching security in order to learn how to prevent it.

Butler warned that mobile devices, filled with personal and financial information, "are a growing target."

The weakest link in the chain is the everyday computer user, who is often exploited to allow personal information to be stolen, he said.

"People tweet too much," he said. "I say 'deny access' and keep it that way."

Osterholtz, whose company develops systems for the government and industry to "tie together security and intelligence," cited statistics showing the number of cyberspace threats increased 1,000 percent between 2006 and 2008, and the cost of a data breach in 2009 ranged from $750,000 to $31 million.

In 2010, the cost of system downtime because of a security attack ranged from $6.3 million to $8.4 million.

Although most systems are basically protected from 85 percent of attacks, "15 percent come from criminal and national sources, and they do the most damage," he said.

Although most cyberspace attacks are software-based, the fact that hardware is manufactured in countries that might not be all that security conscious has the government and industry making random purchases of computer equipment to assess risk.

"Buying hardware off the back of a truck may be cheaper, but it isn't necessarily safer," Butler said.