Even Bob Woodward doesn’t trust the Internet.
Last week, after Vanity Fair surprised everyone last week by disclosing the identity of Deep Throat, The Washington Post published a lengthy, detailed retrospective by Woodward on W. Mark Felt, the FBI agent who served as his secret informant during Watergate. Woodward had the story essentially ready to go, because he had been preparing it for when Felt died.
The story, along with other critical information, was kept on a computer in his home that wasn't connected to the Internet, Woodward told a group of computer security officials Monday. Woodward said he keeps all his important stories on this computer, physically disconnected from the world of computer hackers.
Woodward's remarks — along with the news of one of the biggest data-loss incidents on record — underscored how much work still lies ahead for the computer security industry, which gathered here Monday for an annual Gartner conference.
"Don't you think the average person is kind of scared?" Woodward asked. He cited statistics indicating 80 percent of consumers aren’t sure if they have been attacked while in cyberspace.
"How many people have ever been in a car that's broken down and don't know it?" he said.
Separately, Citigroup's consumer finance division, CitiFinancial, revealed Monday that a box of data tapes headed for a credit bureau was missing and that the tapes contained private information on 3.9 million consumers.
It was the latest in a series of disclosures from banks, data brokers, retailers and even universities that personal identification information had been exposed or stolen. "There has been an orgy of disclosures," said Gartner analyst John Pescatore.
The stream of admissions concerns Bruce Schneier, considered one of the founders of computer cryptography and now the CEO of Counterpane Internet Security Inc. He said such government-mandated disclosures were initially designed to shame companies into taking better care of consumers' data. But the California state law's effect is now muted, he said.
"The public shaming effect is less and less as more and more people do it," he said. He suggested that news agencies and consumers have now become tired of the disclosures — minimizing the deterrent effect.
'Crisis of confidence'
Woodward, whose appearance at the conference so soon after the Deep Throat revelation was a coincidence of scheduling, chaired a panel discussion of former White House cyberczars. The heavily attended session took on the question of what role the federal government — and the Bush administration in particular — should play in protecting the nation from cyberattack.
The former cyberczars, Howard Schmidt, Amit Yoran and Roger Cressey, all served post 9/11 and have since left government and returned to private industry. While Yoran and Schmidt said they left simply because their assignments were complete, Cressey was sharply critical of Bush’s computer security policies.
"The bumper sticker would say this administration doesn't care about cyberspace," Cressey said. "I wouldn't go that far, but there is a general feeling that this administration is unwilling to elevate the issue."
Despite public-private partnerships and the creation of government offices devoted to security, consumers are feeling increasingly insecure about their computers and the Internet, Cressey said.
"There is a growing crisis of confidence, and more and more people may decide that cyberspace is a place they don't want to go," he said.
Yoran said that even though he has spent his career working in security, he is only about 70 percent sure that his home computer is completely safe from outside attackers.
Worst-case scenarios
The discussion also focused on the possibility of an electronic 9/11, or at a terrorist attack with an Internet-based component.
"The question that is pulsing with everyone ... is why haven't we been attacked again," Woodward said. "My dark view ... is somebody is telling them to wait."
Yoran and Schmidt said it's particularly difficult for government to protect against unknown attacks, and even more difficult to take credit when such attacks are thwarted. That also prevents cybersecurity from getting more White House attention, they said.
"How do you measure the negative?" Schmidt said.
Worst-case scenarios discussed involved "cascading effects" from limited computer outages, such as recent incidents that temporarily crippled airlines, or the 2003 northeast blackout. Such incidents reveal how fragile connected computer systems are. A new 9/11 could include a multi-layered attack, or “swarm” attack which included some electronic elements, Cressey said.
Still, there hasn't been a significant terrorist-related computer incident, leading some to describe the threat as over-exaggerated.
Ultimately, Woodward said, if something does happen, no one will be able to say they weren't warned. "We are now in an environment in which we have all been put on notice."