compsec — network security and disaster survival

The keynote agenda for Compsec 2002 reflects the newly transformed security landscape, with the compounding damage from 11 September and the menacing threat of cyberwar.

Cyberwar

Brian Jenkins, senior advisor to the president of the RAND Corporation and advisor to the International Chamber of Commerce, is one of the top five terrorist analysts in the world. Jenkins delivers a chilling keynote on the current threat of international terrorism. To start, Brian Jenkins tackles the big question — can we expect calculated and catastrophic cyber-terrorism? We have heard speculation about cyber-attacks and witnessed violent variations in network traffic, but nothing that can be classified as cyberwar. Jenkins says that what worries him the most is a combined attack involving a physical strike with a coordinated cyber-attack. He pointed to the three-way, multi-dimensional attack that ran simultaneously with 11 September: corporations and government departments were facing anthrax scares, Code Red and the backlash from 11 September all at once. Jenkins told Network Security that “We now know that the anthrax scare and the Code Red virus were unrelated to 11 September but this leaves us with the worry that such a combination of different attack strategies could pose a significant threat”.

Jenkins believes that “Al-Qaeda were not fully aware of the cascading economic effects that the 11 September attacks would have”. He asserts that “their intentions were to bring down tall buildings, strike the symbol of the US military, the Pentagon, and kill as many civilians as possible”. He is worried that, after terrorists have observed the economic standstill and catastrophic financial loss that 11 September caused, they may rethink and aim to launch economic warfare in the future. Jenkins also asserts that it is not advisable to defend based on vulnerability intelligence alone, as “vulnerabilities are infinite in modern society. We are greatly concerned, some vulnerabilities exist but not as many as people think. The notion of a hacker on a laptop in Pakistan bringing down a power grid in the midwestern US or Northern England is pretty far-fetched. The systems are a lot more robust than that.”

Disaster survival

In his keynote, Alan Brill from Kroll Consulting explains first hand who coped through the Twin Towers disaster and who didn't. One business type that emerged with particular difficulties was law firms, as many of their transactions are paper-based. He recounts scenes that haunt his memory, such as trees outside the building covered in paper transactions. Every company located in the Twin Towers discovered whether their disaster recovery plan worked or didn't. Simple, basic, practical trivialities emerged as critical in the disaster. Typical examples witnessed by Brill include:

Companies designed excellent action plans, but these were so confidential that they did not leave the office. So when the building went down, the most vital document to help the business survive became dust in the attack. Brill advises converting the document to an encrypted PDF file and transferring it to a credit-card-sized CD-ROM for accessibility and mobility. All key employees could have the copy on their person; any CD reader then becomes all the redundancy equipment you need.

Another example occurred when companies relied on contractual back-ups. The contracts dictated that, in order to activate back-up plans, an emergency phone call was required that instigated upfront charges. Many employees outside the Twin Towers were gazing at their burning offices but couldn't make the call to the disaster recovery contractors because they didn't have the authority to initiate such charges.
Policing across borders

Willy Bruggeman, Deputy Director of Europol, the intelligence agency of the EU member states, believes there are “pending needs for enhanced technical cooperation across Europe”, and he indicates that there are planned initiatives to ensure maximum synergy in suppressing organized crime. One such new proposition is the integration of all national law enforcement technical systems (e.g. the national crime squad) from each member state under one umbrella.

Bruggeman says that Europol is faced with critical problems such as using the Internet for sending sensitive information. He calls for common technical standards and common protective systems for all member states at a European level.

The future

Marcus Ranum, a true visionary, predicts the future of network security in his keynote. According to Ranum, “building reliable systems translates to building simpler solutions”. “In the next 10 years we will see the death of general computing,” said Ranum. There will be a driving move to appliances. Users will buy N point terminals and rent software when they need it. The Xbox initiative by Microsoft to offset the Sony PlayStation is a key indication of this move. According to Ranum, “Palladium is an unfortunate mistake”; it is a movement in the right direction but will not be the answer to security. Current examples of Ranum's theory can be seen in the online environment. For example, users pay for AOL's services on a Windows machine.

http://www.compsec2002.com
