Governments, Industry Must Coordinate Homeland Security Measures
The terrorist attacks of September 11 put the nation’s critical information infrastructure to the test, and members of industry, the military and all levels of civil government came away from the experience with a new sense of urgency to work cooperatively to address the challenges revealed that day. According to security experts, existing emergency response infrastructures must be strengthened, critical information infrastructures must be protected and information exchange among federal, state and local law enforcement organizations must be expedited.
These issues were discussed in detail at AFCEA International’s conference titled “Homeland Security: IT on the Frontline,” held February 27-28 at the Ronald Reagan International Trade Center, Washington, D.C. The event featured speeches by distinguished government and industry leaders, panel discussions by seasoned professionals and exhibits by companies offering the specialized goods and services needed by those who work on the homeland security front line.
The conference opened with a speech by Arthur E. Johnson, senior vice president for corporate strategic development, Lockheed Martin Company. Johnson discussed the need to establish a joint government-industry task force to develop homeland security standards. Instead of spending time developing all-encompassing security applications, emphasis should be placed on “80 percent” solutions because systems designed for utility can be modified later. Although not perfect, these will provide better security than existing methods, he said.
Information technology (IT) lessons learned from September 11 were the focus of the first panel discussion. The destruction of the World Trade Center’s twin towers caused a massive loss of telecommunications in New York City. When the towers collapsed, most of Lower Manhattan lost cellular communications. Land lines also were affected. Seven million high-speed data lines were cut when a girder penetrated an underground vault containing a major fiber optic bundle.
Brenton Greene, deputy manager of the National Communications System, described how two crucial programs, the Government Emergency Telecommunications Service (GETS) and the Wireless Priority Service (WPS), allowed officials to coordinate rescue efforts. GETS consists of personal identification numbers and calling cards that permit key personnel to make priority calls. More than 10,000 GETS-enabled calls were made during the emergency. WPS designates key circuits in wireless systems for priority use. Although it was not in widespread use on September 11, it was implemented immediately after the attack and was used to prepare Wall Street to resume trading the following week, Greene said.
Bruce Fleming, a divisional technology officer with Verizon, noted that the firm has a major facility located next to the World Trade Center complex. Verizon equipment there suffered substantial damage. In addition to the millions of lines severed, firefighting operations later flooded the underground cable vault and other underground communications areas with 10 million gallons of water.
After the attack, a major concern was to keep air compressors operating to maintain air in the fiber optic cables running under the Hudson River. Fleming noted that it took 10 days to drain the vaults and a week to get Wall Street operational again. A fully redundant Verizon facility in Brooklyn was vital to maintaining emergency communications because it kept 911 emergency services operating, Fleming said.
Luncheon speaker James Flyzik, the U.S. Treasury Department’s deputy assistant secretary for information systems and chief information officer, discussed new technologies and methods being applied to homeland security after September 11. Flyzik outlined several key technologies being implemented such as public key infrastructure, physical and logical access control systems, and applications such as secure videoconferencing and wireless systems.
Coordination is increasing among government agencies, state governments and research facilities in the wake of September 11, Flyzik added, noting that the Central Intelligence Agency and the Federal Bureau of Investigation (FBI) are creating a shared computer system. “We can never be complacent again because once we become complacent we are vulnerable,” he said.
The first afternoon session focused on connecting federal, state and local governments through IT. Moderator Paula Scalingi, president of The Scalingi Group LLC, described how these three entities often do not communicate or understand command and control issues of emergency situations, adding that the challenge is to foster communication between federal, state and local governments and industry.
Representative Jeffrey Morris, chairman of the Washington State House of Representatives Technology, Telecommunications and Energy Committee, and president of the Pacific Northwest Economic Region (PNER), a regional economic authority, explained why critical infrastructure protection is important to regional energy planning and coordination efforts. PNER’s objective is to create a disaster resistant region, strengthen regional security, develop cost-effective mitigation of regional vulnerabilities, develop anticipatory plans for emergency response, and bridge gaps in U.S. and Canadian federal government, state and provincial responses.
Morris said that deficiencies exist in organizations’ capability to analyze multiple emergencies. Concurrent failures in a power network could have disastrous cascading effects. He explained that most power plants in the Pacific Northwest use natural gas and that power failures would ensue if the gas supply was cut off.
Kristin Cormier Robinson, government relations director for the Council of State Governments’ National Emergency Management Association, explained that the main issue facing her organization after September 11 is coordinating and standardizing communications technology. In both the Oklahoma City and the New York City attacks, emergency response teams resorted to writing notes and using runners after the local wireless communication systems had been overwhelmed. She maintained that future systems must be redundant, have spectrum set aside to survive a disaster, and be available to state and local groups.
The day’s final session dealt with how the stock exchange reacted to and recovered from the September 11 attacks. Douglas Moore, vice president of telecommunications at NASDAQ, explained that the trading company remained operational because its primary systems are located outside of New York and that it uses a decentralized, redundant, meshed network designed to prevent a single point of failure.
Leo Colborne, vice president of global technical support for EMC2, described how September 11 has challenged businesses to think differently about continuity plans and data recovery following a disaster. Although most large companies back up valuable data on magnetic tape, he said tape backup is not dependable, is inconsistent and has a slow recovery time. He explained that the best tape recovery technology takes up to 10 hours to recover a gigabyte and weeks to retrieve a petabyte. Real-time, remotely located data storage facilities can provide organizations with more effective information recovery, he said.
The second day began with breakfast speaker Maj. Gen. Robert L. Nabors, USA (Ret.), senior vice president for enterprise solutions and homeland security, EDS. Gen. Nabors stated that the country is at war with a new enemy that does not wear a uniform and does not live in a far-off land. This enemy lives among the people. Also, the enemy’s targets are chosen to inflict maximum casualties and economic chaos, and they do not differentiate between soldier and civilian, man or woman, parent or child.
“The good news is we already possess the technology and much of the infrastructure we need to solve or significantly reduce the vulnerabilities exposed by the events of September 11,” Gen. Nabors emphasized. “There are no major technical challenges. Information technology will provide the most expedient results, but implementing these solutions could pose a significant test of our national resolve.” The general noted that five areas must be addressed to succeed in the application of IT to homeland defense. These include creating a homeland defense strategy and an implementation battle plan; standardizing IT architectures; establishing common legislation among U.S. sovereign states; obtaining funding and commitment; and speaking to the question of state sovereignty as it affects individual liberties.
Lt. Gen. Harry D. Raduege Jr., USAF, director, Defense Information Systems Agency (DISA), and manager, National Communications System, followed Gen. Nabors’ address with a presentation on DISA’s role in response to September 11, noting that the organization provided direct support to the President through the White House Communications Agency in the early hours of the crisis. “At all times, his ability to communicate with those in the impacted areas was unimpaired, despite a significant increase in saturated voice traffic in the public networks,” the general said.
Gen. Raduege also shared that the nose of the terrorist-controlled aircraft that struck the Pentagon came to rest one floor above DISA’s communications node into and from the Pentagon. This is one of the major nodes that provides primary connectivity between the Pentagon and the outside world. DISA obtained a generator to supply power to the damaged part of the Pentagon and had to drill through a reinforced window to get a cable to a primary network router. Personnel successfully connected the generator to the router and continued to provide uninterrupted service to the Pentagon, he stated.
Additionally, after the initial assessment and immediate response, DISA was faced with supporting customers who had been displaced by the attack, Gen. Raduege said. For critical offices housed in damaged areas, officials had to determine where to move displaced individuals. “Should they pre-empt other offices in the Pentagon or should other locations be found for them?” he asked. “If so, where? And because of security concerns, a lot of people were relocated to the surrounding area whether or not their offices had been affected. When all was said and done, the Navy moved over 500 people and the Army over 1,000. And these were to several different locations in military, government and commercial buildings.” For each of these people, and for all of these functions, DISA was responsible for their connectivity.
A panel on federal government and industry efforts to secure the IT infrastructure discussed the myths, trends and lessons learned in infrastructure security. Sallie McDonald, assistant commissioner, Office of Information Assurance and Critical Infrastructure Protection, Federal Telecommunications Service, General Services Administration, moderated the panel. Alan Paller, director of research at the SANS Institute, a system administration, networking and security cooperative research and education organization, cited three myths about the country’s IT capabilities. The first myth, he said, is that cyberattacks are launched by teenagers and never affect physical systems. He pointed out that physical systems indeed are affected, and he gave the example of a hacker in Australia who broke into a sewage treatment facility’s information systems and changed settings so that sewage would travel in the wrong direction. The second myth is that the nation’s technical personnel know what they need to do. And the third misconception is that vendors always deliver systems in secure condition, and it is up to users to keep them that way. Paller shared that vendors frequently release systems that do not have the security capabilities required.
Paller went on to discuss what he calls “hopeful trends” that address the challenges of cybersecurity. He noted that the FBI has done an extraordinary job of catching hackers as well as making it expensive for hackers to launch attacks. Additionally, companies are more frequently requiring IT staff to have technical security certification. And, users are working together to define what they want. Many users are joining organizations such as the Center for Internet Security to raise the level of security for information assets. Finally, there is a new consensus on site certification forming across industry.
The second day’s luncheon address featured Ira Winkler, chief security strategist at Hewlett-Packard Company. Winkler’s speech took a hard look at the U.S. government’s IT security requirements and sometimes contradictory actions regarding information security. Winkler contended that there have been several wake-up calls—such as the Solar Sunrise attack, deliberate denial of service attacks and the Nimda virus—but that government has been “hitting the snooze button” and “does not follow the CERT [Coordination Center] advisories it pays for.” He said that the way the country protects itself essentially has not changed in the past decade.
He also suggested that the United States look more objectively at the experts it talks to such as professors, hackers and government contractors because policy can play into their biases. “We must look to the past to see the future,” he said. To succeed, Winkler said, society must focus on the basics, not the hype; clearly define security regulations for industry; and better train its work force as well as maintain salary parity.
The conference concluded with a panel session on funding the IT infrastructure. Glenn R. Schlarman, senior director for federal information systems security, White House Office of Management and Budget, identified some of the primary weaknesses in how government manages its security assets. Among them is the need to increase senior management’s attention to security and, more importantly, to sustain that attention over time, Schlarman said. Once it is sustained, the question must be asked, “How do senior managers measure their performance and the performance of those under them who are implementing security?” Additionally, the federal government must integrate security into capital planning and the investment control process.
Schlarman also noted a weakness in security education and awareness. He recommended “Security 101” even for employees who have no specific security responsibilities so they will understand why certain procedures are necessary. “Employees learn to work around security features if they impede job productivity,” he pointed out.
“How much money should we spend on security?” Schlarman asked. “Who knows? It isn’t how much you’re spending; it’s the results you get, and it’s how you manage what you have.” He observed that the government spends $1 billion per year on research and development and that many projects are very similar in nature. “We need more bang for our buck. If we’re spending enough money, are we spending it wisely?”