DHS chief Michael Chertoff is a keynote speaker at the RSA Conference.

File photo: AP / J. David Ake

SAN FRANCISCO – The federal government has launched a cyber security "Manhattan Project," U.S. homeland security secretary Michael Chertoff said Tuesday, because online attacks can be a form of "devastating warfare," and equivalent in damage to "physical destruction of the worst kind."

Speaking to hundreds of security professionals at the RSA security conference, Chertoff cited last year's denial-of-service attacks against Estonia, and hypothetical hack attacks on financial networks and air traffic control systems, as proof that a federal strategy was needed.

"Imagine, if you will, a sophisticated attack on our financial systems that caused them to be paralyzed," Chertoff said. "It would shake the foundation of trust on which our financial system works."

That digital mushroom cloud scenario means the government's role in computer security must extend beyond federal networks, and reach to shared responsibility for financial, telecommunication and transportation infrastructure, Chertoff said. "The failure of any single system has cascading effects across our country," Chertoff said.

But Chertoff's talk shed precious little light on the details of the Bush administration's cyber security plans. In January, President Bush signed a presidential order expanding the role of DHS and the NSA in government computer security. Its contents are classified, but the U.S. Director of National Intelligence has said he wants the NSA to monitor America's internet traffic and Google searches for signs of cyber attack.

Computer security experts' reactions to the talk were mixed: some were happy with the new federal attention and dollars, while others ridiculed it as empty rhetoric.

Chertoff said he did not foresee the government becoming the net's protector or censor. "We don't have to sit on the internet and prevent things from coming in or going out," Chertoff said, referring obliquely to countries like China that censor the net. "That's not what we are going to do."

Chertoff emphasized that the first order of business was for the feds to get "our own house in order," by, among other things, shrinking the number of access points for government computer systems and websites so that intrusion detection software can scan them more quickly.

The Bush administration's Cyber Initiative has gotten $150 million in funding for this year, and the administration is requesting $192 million for 2009.

Chertoff hopes that the government's new cyber security efforts will lead to technology breakthroughs that it can share with the private sector. Silicon Valley entrepreneur Rod Beckstrom was recently named to head that effort.

In fact, Chertoff imagines the government's cyber security center will transform its current intrusion detection system, named Einstein, into a pre-computer crime detector.

"We might have the ability to understand the signature of an attack before it is launched," Chertoff said. "I think it could become an early warning system that might be able to detect an attack before it is coming. Giving an adversary one bite at the apple before we understand the attack's meta data, or the code, is one bite too many."

One side-benefit of better cyber security is less identity and intellectual property theft.

"This is one case where security and privacy are not at odds," Chertoff said. "They are complementary."

One prominent security expert declined to speak on the record but ridiculed the notion that the government would develop technology to find attacks before they happen, calling it the "clairvoyance machine."

More important, he said, was that there was only one DHS employee dedicated to keeping electrical systems safe from attack.

But Ray Kaplan, one of the founders of the RSA conference, said there's much Chertoff cannot say and that the government does have a role to play, especially in terms of grants for research.

"There is an undercurrent underneath what Chertoff was talking about of people giving the government recommendations," Kaplan said. "It isn't just a one-way street."

One key thing the government could do is get the security industry to release real threat metrics, so that industries can know how prone they are to different kinds of attacks. That information, according to Kaplan, just isn't currently shared, and there's not even a common language for it.
