Worst-Case Security Planning

Sept. 11 taught Americans to plan for the worst. Now the nation's top security experts are pursuing ways to act on the theory, particularly in industries involved in critical infrastructure.

“In previous acts of terrorism committed in this country, the perpetrators exploited our collective sense of complacency and enlisted the aid of citizens of our own country to facilitate their heinous acts,” said James Savage, U.S. Secret Service deputy special agent in charge of the Financial Crimes Division.

Savage said the Secret Service's concern about wireless-network security coincides with its mission to protect the nation's financial systems. As more consumers use wireless devices for financial transactions, the need to increase network security will grow.

Unfortunately, wireless fraud and network breaches remain a problem, despite a proliferation of technological solutions to combat the problems.

“One thing we continue to see in telecommunications fraud and even network compromises is the involvement of the human factor or social engineering used by perpetrators to defeat security safeguards,” Savage said. “The industry spends huge sums of money to develop technical and automated network monitoring and protection systems — all of which can be defeated by an actively involved insider or a less-than-attentive corporate employee who … ends up being an unwitting accomplice.”

Over the years, the Secret Service's Financial Crimes Division has linked social engineering to numerous wireless security breaches, Savage said. The latest case illustrates the broad-reaching implications of such breaches, both to carriers and national security.

On Feb. 20, two major wireless carriers informed the New York Electronic Crimes Force that two hackers had attacked their networks from remote sites. The hackers manipulated the networks to get free long-distance services, re-route calls and add calling features. Plus, they'd installed software that gave them continued unauthorized access to the networks.

“The level of access obtained by the hackers was virtually unlimited,” Savage told a Senate committee in July. “And had they chosen to do so, they could have shut down telephone service over a large geographic area, including 911 systems, as well as service to government installations and other critical infrastructure components.”

The government is getting involved by collaborating with the information and communications industries to develop the second edition of its National Plan for Critical Infrastructure Assurance, Savage said.

However, Savage suggests the industry also confront security problems by investing in what he calls “human firewalls,” policies and procedures to monitor and screen employees and verify that security policies are being followed.

“Invest” is the operative word here.

“Spending money on prevention is always an interesting situation,” said Dave Daniels, former AirTouch fraud-prevention director. “If you're successful and you prevent a particular act, you'll never know, will you? There are no accepted accounting practices that are going to account for something that never happened.”

Daniels said that during his 10-year tenure at AirTouch, the carrier lobbied for federal tax breaks to companies working to beef up security in backup systems.

“They always said, ‘Well, it's your patriotic duty to do that,” he said.

However, Daniels contends that it's tough for carriers to convince shareholders to agree to spend hundreds of millions of dollars to implement security measures that would be necessary to thwart a major terrorist attack on networks.

“Hindsight is really great,” Daniels said. “Had (carriers) devoted tens or hundreds of millions of dollars 10 years ago and nothing happened, how would they explain that?”