Two security threats, one old and one new

Two security threats, one old and one new

As if they needed any more, Americans got two more things to worry about this week — cyber attacks on government Web sites and proof of lax security in many of the government’s most important buildings.

The cyber attacks are presumed to have come from North Korea, and were carried out on both U.S. and South Korean Web sites.

We know exactly where the proof of flawed security came from — the Government Accountability Office, which exposed laxity by the Federal Protective Service, the agency responsible for guarding more than 1 million workers at 9,000 federal buildings nationwide.

The cyber assault involved more than 100,000 zombie computers linked together in a network known as a “botnet.” Most of those computers were in South Korea, but others were in Japan, China and the United States, and there was some indication that the trail leads to North Korea. But it is also possible that it was the work of ambitious hackers.

Target list

Targets in the United States included the Pentagon, the White House, the Treasury Department, the Federal Trade Commission, the National Security Agency, Homeland Security Department and State Department, the Nasdaq stock market and The Washington Post. That’s a pretty ambitious list for hackers.

The attacks were fended off by Pentagon and White House firewalls, but some of the other government sites had to be shut down for a period of time.

The insidious thing about a cyber attack is that since it is launched through drone computers, a country defending itself could do massive damage to innocent computer owners in its own country or in friendly countries. That gives the attacker the upper hand.

On the other hand, we know exactly who launched “bomb attacks” against various government facilities.

The Associated Press reported that a GAO team carried bomb making materials into 10 high-security federal buildings in the past year. The materials could be purchased in stores or online and cost roughly $150. Once inside, investigators assembled bombs in restrooms and walked around with them, undetected.

“One of the concerns we had is that in a number of the locations, three or four of them, guards were not even looking at the screens that would show materials passing through. If a guard had been looking, they would have seen materials not normally brought into a federal building,” Mark L. Goldstein, who led the investigation, told a congressional committee.

The buildings, which were protected by private security guards under FPS contracts, housed government agencies including Homeland Security, Justice and State departments, the Social Security Administration and the Internal Revenue Service.

Troubling question

Both stories coming in the same week raise a natural enough question: If we haven’t adequately prepared ourselves against the possibility of relatively unsophisticated attacks on the physical structures of government in nearly eight years since the Sept. 11, 2001, terrorist attacks, what else have we been missing?

We are reminded of a tactic pursued by both U.S. and Soviet military forces during the Cold War — the violation of air space by planes or national waters by submarines. These tests sometimes resulted in serious confrontations, but more often they were simple exercises to see how the enemy might react to specific events if the Cold War turned hot.

Clearly, the GAO has done its job by exposing intolerable weaknesses by the Federal Protective Service. We hope it is safe to assume that no one — government agent or enemy of the state — would be able to smuggle bomb-making materials into a federal building today.

But who learned more in the recent cyber attacks — the attackers or those who were attacked? It had better be our side, because next month or next year or in the next decade, if a real cyber attack is launched, we may not have the luxury of temporarily shutting down some sites and taking days to figure out who is doing what.