Experts say liability, antitrust protections needed to improve cyber-security

<br>WASHINGTON (AP) _ Experts in computer security, emboldened since Sept. 11 by renewed attention to threats of cyber-terrorism, are asking Congress for protections from liability lawsuits, antitrust

Wednesday, July 24th 2002, 12:00 am

By: News On 6

WASHINGTON (AP) _ Experts in computer security, emboldened since Sept. 11 by renewed attention to threats of cyber-terrorism, are asking Congress for protections from liability lawsuits, antitrust restrictions and public disclosure laws as companies begin sharing more sensitive information about Internet attacks.

In stark testimony prepared for a hearing today by the Government Reform subcommittee on government efficiency, some of these experts described the risks that foreign hackers one day soon may attack the computerized systems controlling the nation's electrical or water networks.

``Today, some say it would be easier for a terrorist to attack a dam by hacking into its command-and-control computer network than it would be to obtain and deliver the tons of explosives needed to blow it up,'' said Stanley ``Stash'' Jarocki, who heads a threat-warning network established by some of the country's largest financial institutions. ``Even more frightening, such destruction can be launched remotely, either from the safety of the terrorist's living room, or their hideout cave.''

Another expert, Joseph M. Weiss of KEMA Consulting, complained that not enough has been done in the months after the Sept. 11 terror attacks to buttress cyber-security, while the government's primary focus has been to improve physical security around buildings, airports and other facilities.

These experts said that even as new vulnerabilities are discovered in modern technology, companies increasingly are connecting vital systems via the Internet because of cost-savings and efficiency.

``Companies have the capacity to manage their infrastructure with never-before-seen ease,'' said Marc Maiffret, the co-founder of eEye Digital Security Inc., which sells security software. ``Fifteen field offices can be managed from one central location,''

Maiffret said this newfound convenience presents unprecedented risks. ``The attack would be able to take advantage of the functionality ... to seize control of a power plant, a water treatment plant, a dam or even an amusement park,'' he said. Maiffret recommended all employees within companies that operate important systems undergo background checks _ in some cases as rigorous as ones needed for government clearances.

But Maiffret added that this threat largely remains a distant one. ``Terrorists are only recently starting to realize the benefits of having people within their organizations that have real hacking skills.''

Douglas Thomas, an associate professor of communication at the University of Southern California, agreed that while the U.S. government needs to pay attention to these threats, media reports often exaggerate the risks. ``Cyber-terrorism is a lot more difficult than many people assume.''

Jarocki, the security expert for banks, urged the panel to approve new legislative protections for companies willing to share information among themselves and with government. He said new rules are needed, similar to Y2K liability protections, when customers were prohibited from suing a company if it could demonstrate that it made good-faith efforts to keep its computers running safely.

``The sharing of information may lead to liability lawsuits against the company or its officers and directors,'' Jarocki said. ``The chilling effect of potential liability lawsuits on voluntary speech cannot be underestimated.''

He also asked for exemptions under antitrust laws to protect companies from sharing information about Internet attacks among competitors, and for exemptions under the U.S. Freedom of Information Act to protect any disclosures companies might make to government agencies about attacks.

Another expert, Alan Paller of the SANS Institute, recommended that Congress require all federal agencies to measure the security of their computers against minimum requirements. He also said that experts hired to identify weaknesses in computer networks also should make the necessary changes to fix any such problems.