Terrorist Attacks Test IT Infrastructure

[IMGCAP(1)]Amid the death and destruction of the terrorist attacks Sept. 11 in New York and Washington, the United States received a brutal wake-up call about the vulnerability of the nation's critical infrastructures ? both physical and electronic.Talk of threats to important infrastructures, such as buildings and transportation, communications, power and information technology systems, will no longer be seen as hype."These threats are very real," said Harris Miller, president of the Information Technology Association of America, Arlington, Va. "The people that have been talking about threats, cyber and physical, weren't just trying to get more government spending."Critical infrastructure protection will be a key component of a policy known as "homeland defense" that is emerging in the wake of the attacks, industry officials said.[IMGCAP(2)]While the concept of homeland defense ? protecting U.S. soil from nearly any kind of attack ? has been increasingly discussed in recent years, the idea has "now moved up several rungs on the ladder," said Paul Lombardi, president of DynCorp, Reston, Va., and chairman of the Professional Services Council, a trade group that represents government contractors."A lot of people have been talking about homeland defense, but no one has really taken it seriously," said Phillip Odeen, executive vice president and general manager of TRW Inc.'s Washington office. Odeen also is a past chairman of the Defense Science Board, which is comprised of industry officials and members of academia that advise the Defense Department on technology issues.Homeland defense incorporates a broad range of strategies and activities designed to protect the United States from a variety of attacks. There will be civilian as well as military elements, ranging from 911 systems and enhanced cybersecurity to intelligence gathering and increased military responsiveness."Homeland defense has not been officially defined, so it is still a work in progress," said William Moore, a DynCorp official and a retired Army major general. He joined DynCorp in July to work on defense and national security issues.The threats to the United States, as illustrated by the World Trade Center attack, are not aimed at traditional military targets, nor are the means conventional for carrying out the threats. "These are all asymmetrical threats from an adversary that is not a military match [for the United States], so it has to look for vulnerabilities and attack those vulnerabilities," Moore said.Federal agencies are supposed to have plans outlining what infrastructures, both physical and electronic, are critical to each agency's function. The plans, known as continuity of operations plans, or Coops, can cover a range of elements from data backup and recovery to alternate sites for operations in case of a disaster.[IMGCAP(3)]In the days following the attack on the World Trade Center in New York and the Pentagon in Arlington, Va., government agencies will re-examine how to protect critical IT systems in the face of such disasters and attacks, industry officials said.They also likely will have funding with which to do it. Since the attacks, Congress approved $40 billion to enable the government to hunt down those responsible and to begin shoring up security efforts to combat terrorism."Money has been an issue," Miller said. Before the attack, agencies were "told to improve their security steps but were not given additional resources," he said.The heightened attention for protecting critical infrastructures should free funding for civilian agencies that have been struggling to increase their security measures, he said.The homeland defense issue has been growing since the end of the Cold War, but the terrorist attacks have served to "galvanize the issue and bring it home in a tragic way," said Phillip Lacombe, president of the information and infrastructure protection sector at Veridian Inc., Alexandria, Va. Before joining Veridian, Lacombe was the executive director of the President's Commission on Critical Infrastructure Protection, created in 1996 and comprised of members from industry, government and academia.[IMGCAP(4)]In its 1998 report, the commission identified eight infrastructures, such as water, power, transportation, finance and telecommunications, that are critical to life and commerce in the United States, Lacombe said. Information technology touches all of these and provides the backbone for managing and operating the different infrastructures, he said.An attack on one infrastructure can have a cascading effect on the others, Lacombe said. For example, the attack on the World Trade Center knocked out communications in that area.In recent years, critical infrastructure protection has been focused on cyberattacks, such as denial of service attacks and viruses and worms that have infected information systems. But the destruction of the World Trade Center and the damage to the Pentagon will heighten the attention paid to physical attacks, industry officials said."This is going to bring a more rounded approach to critical infrastructure protection," said Greg Swain, director of information assurance for Northrop Grumman Corp.'s information technology sector.Technology can still play a role in physical protection, he said.Even before the attack, Northrop Grumman had several meetings planned with customers to discuss anti-terrorism technologies. Biometric solutions, such as fingerprint readers and facial recognition, can be used with smart cards and personal identification numbers to improve security, he said.[IMGCAP(5)]"There are a lot of technology solutions available, but all that stuff costs time and money ? but the cost is dropping," he said.Also in the wake of the attack, more attention is being paid to lapses in intelligence gathering. Although most of the concerns raised have been about human intelligence, technology also will come into play."Obviously, we are going to see a big increase in intelligence spending," Odeen said.Data fusion is one technology likely to get more attention, he said. "Data fusion helps in trying to use and analyze quickly all this massive amount of information we have, and create real intelligence out of it," Odeen said.For now, most agencies are focusing on beefing up their infrastructure protection plans.Ron Salluzzo, a senior vice president for the state and local practice at KPMG Consulting Inc., McLean, Va., said that a good disaster recovery plan likely won't add too much to the bottom line of new systems. "If you're careful, the costs is negligible," Salluzzo said, adding that the least robust recovery plans are often the most expensive.