NEW YORK (10/29/2003) - The war on terrorism will be a "war to the death" likely last several decades, requiring the government and the private sector to focus immediately on making critical infrastructures and systems more resilient rather than immune to deliberate attacks, a former CIA director said Wednesday.
Speaking in New York to several hundred government and private-sector security experts at the Maritime Security Expo, James Woolsey said Americans should be prepared for the war on terrorism to last at least as long as the Cold War and for continued terrorist attacks on the soft spots in the nation's critical physical and cybernetworks. Woolsey, now a vice president of the Global Strategic Security practice at Booz-Allen & Hamilton Inc. in McLean, Va., served as director of the CIA from 1991 to 1993.
"You shouldn't rely too much on intelligence to solve this problem," said Woolsey. "We're not going to get real-time intelligence on specific attacks in most cases. That's why it's so important to build resilient protections into the infrastructure so that when an attack comes, we can abort it part of the way through, or if it succeeds, it doesn't have cascading effects on other infrastructures."
Some of the most important work to prevent cascading failures involves enhancing the security of supervisory control and data acquisition systems, the real-time control computers that are used to manage the electric power grid, Woolsey said.
The former CIA chief also wants to see the government more aggressively push the development of cybersecurity technologies "that work," as opposed to firewalls, which, he said, do not work. "Internet protocol address hopping, for example, which is the IT equivalent of radio frequency hopping that is used in military radios, is an example of what I find very exciting."
Industry must also do its part by devising "incentives" to get the companies that own and operate more than 85 percent of the nation's critical infrastructure to make the necessary investments in new and innovative security tools, he said.
"There are a number of things that can be done," he said in an interview with Computerworld. "One way to work is through the insurance industry, giving the insurance industry incentives to write coverage plans that offer companies lower premiums if they make certain investments in security. It's sort of like seat belts for automobiles."
He cautioned that such changes will take a long time.
During the World War II era, the government was able to federalize portions of the economy and shift private-sector production to war production. But that level of government intervention is "unimaginable" in the current economy, Woolsey said, although the government will have a hand in setting the standards by which companies are measured.
In the area of port and container security, the main focus of this two-day conference, the U.S. government has been pushing a "smart-container" initiative. Even so, it's unlikely to set specific mandates or timelines to force the shipping industry to adopt any particular technology to meet the requirements of the initiative, said Richard Biter, deputy director of the office that sets policy for the integration of all air, land and sea transportation networks at the Department of Transportation (DOT).
The smart-container initiative involves retrofitting all of the 6 million shipping containers that enter the country every year with state-of-the-art IT sensors and tracking systems.
"We don't have an answer yet," said Biter, referring to the time it will take to update the containers. Whatever the timeline, Biter said the industrywide retrofit will likely be "incremental"--and not be dictated by the government.
Although the DOT is working with the Department of Homeland Security to test new technologies such as radio frequency ID (RFID) tags and ultra-wideband communications systems for container tracking, Biter acknowledged that more than two years after the Sept. 11, 2001, terrorist attacks "we have not come up with the requirements for the capabilities that a smart container should have."
In fact, officials are still debating whether a smart container should provide a complete electronic manifest on the container or whether that data should be maintained in back-end systems operated by the shipping companies, said Biter.
"The smart container has yet to be defined," he said.
He did note that the government is studying the decision by Wal-Mart Stores Inc. to require RFID tags down to the package level in its supply chain, a process Biter called "nesting." In this way, "the package talks to the pallet, the pallet talks to the container and the container talks to the truck or the ship."
According to Woolsey, such a process is critical, given that harmless nuclear material has already been successfully shipped into the U.S. on at least two occasions during security tests.