Newsroom

CORVALLIS - It's the nightmare scenario the government isn't prepared for.

By remote control, a terrorist hacks into the computer system of a pharmaceutical manufacturer to alter the formulas of medication resulting in a staggering loss of life. The computers of the world's major financial institutions are compromised, leading to a loss of confidence in the economic system. Power is cut off by disabling the computer networks that control it.

Sound too far-fetched to be true? Next month, the White House's new Critical Infrastructure Protection Board will release a sweeping national plan intended to bolster computer security. The federal government - through the Office of Homeland Defense - is poised to spend millions of dollars to defend the nation's computer networks.

Leading the way in this defense is Oregon's cyber-security industry. There are about 20 companies in Oregon doing computer security-related work, one of the largest concentrations of cyber-security industry experts in the nation.

"Washington, D.C., and San Francisco, Calif., have the largest concentration of cyber-security experts in the country," said Çetin Koç (pronounced CHETT-in COACH), a professor of electrical and computer engineering at Oregon State University. Koç is a leading researcher in the area of cyber-security and is a member of the advisory board for the Oregon Regional Alliance for Infrastructure and Network Security. RAINS is a consortium of private and public sector organizations and individuals helping to defend U.S. computer networks.

In June, Portland played host to President Bush's special adviser on cyberspace security, Richard Clarke, and other senior federal officials charged with protecting the nation's computers. Clarke's town hall meeting - one of only four held nationwide - tapped local expertise for ideas on building a national policy to secure the nation's increasingly vulnerable computer networks. The fact that Clarke and other senior officials held a meeting in Oregon was testament to the state's position in national cyber-security.

At that meeting, Koç and William Seidman, CEO of Cerebyte, Inc., demonstrated new software technology designed to protect computer networks. Using a form of artificial intelligence, the "Security Coach" software automatically configures a computer correctly so that it can't easily be probed by hackers. It can defend home computers and small networks as well as larger systems by acting as the in-house security expert.

Koç said systems need to be designed for rural governments because they are more vulnerable to cyber-terrorists. He is working with the Oregon Security Institute, a coalition of local governments and cyber-security experts established by Ann Steeves of Coquille, to fund full-scale development of Security Coach.

"We could have the system ready in 18 months," he said. "Rural areas don't have the necessary expertise to handle an attack. Security Coach provides the expert inside the software."

Koç said Clarke and the government officials were impressed with the software but they were also impressed with the public/private partnership used to create it.

Koç is also working with the Technical University of Berlin to create a software system that monitors and responds to computer attacks using a distributed agent system. In this system, autonomous and relatively intelligent pieces of software work together to maintain security and detect attacks against various network nodes. In case of an intrusion, the software will respond by fixing security holes and sharing information with other nationwide networks in order to circumvent further attack and minimize damage. The system will run continuously without human supervision, observe deviations from normal behavior, and adapt to changes over time.

Koç has already written a proposal that outlines the project to build a prototype, and will fly to Berlin in October and sign an agreement with the Germans. Then he'll send proposals to various U.S. government agencies to determine their interest in the software.

"We could start work on the system as early as January," he said.

The issue of computer security has become more pressing in recent years as more and more computers and networks have been linked to the Internet, Koç said. Many public and private computers are not properly configured to block outsiders, and security components of operating software often remain on the lowest default level to ease installation.

"With more people hooking up to the Internet through cable modems and DSL (Digital Subscriber Lines), there is a greater security risk," Koç said. "With cable modem or DSL, you are always online inviting intrusions and attacks. Internet Service Providers aren't capable of providing security since most of them are five-person companies, lacking the necessary resources to combat cyber-attacks."

The number of incidents reported to the CERT Coordination Center at Carnegie Mellon University - the leading clearinghouse of information about intrusions, viruses, and computer crimes - increased from 406 in 1991 to more than 43,000 in just the first two quarters of this year.

With that number likely to grow in the future, Koç said he wants to take the next step and have Oregon State University named as one of the National Security Agency's Centers of Excellence in Information Systems Assurance Research and Education. Established four years ago, the program's goal is to reduce vulnerability in the nation's information infrastructure by promoting higher education in information assurance, and producing a growing number of professionals with expertise to combat cyber-terrorism.

Colleges and universities designated to the program are eligible to apply for scholarships and grants through both the federal and Department of Defense Information Assurance Scholarship Programs.

"I hope to apply to this program in the near future," Koç said. "Our earlier information security research has concentrated on electronic commerce, and we have just started working in the area of computer defense but I hope to add more classes in the future and begin to graduate students who understand how to protect the nation's computer networks."