Security expert recommends 'Net diversity

What aspects of the Internet infrastructure are most vulnerable to attack?

The most vulnerable aspect of the Internet is the assumptions under which it has been operating. That it's going to remain open and equal. That names will always resolve, and routes will be chosen because they are short hops. It's not very far away -- particularly if we move to IPv6 -- that there will be routes that will be blocked and routing tables that will be different based on your IP, country of origin or what you paid. The dynamic is going to change very dramatically if that happens, and we are headed down that path because people can't agree as to what the network should be and have not responded appropriately to the abuse.

Should the NSA be allowed to eavesdrop domestically without a warrant?

This is an issue for Congress and the courts to decide. Should the NSA be able to listen to conversations? No. But listen in the sense of gathering information that relates to making connections? Maybe. My experience with people at NSA is that they are much more concerned with the rights of citizens than the average person on the street. They take it very seriously. I don't view this sort of listening as evil, but there are limits that should be imposed.

How bad is the situation with rootkits (which provide administrator-level access to networks)?

Not as bad as it's going to get. These attacks are getting more sophisticated, faster and more capable. Currently, rootkits are a complement of some attacks but soon will be the default.

Any guess why we're seeing fewer new worm outbreaks than we did a few years ago?

Attacks have switched from hackers to the criminal element. Worms used to be large and splashy attacks. We may have as many worm attacks, but now they are quiet, stealthy and more targeted. The attackers are not interested in being known.

Do CIOs understand that the threat is no longer teenage hackers but criminals?

No. They don't understand that it's more the criminal element. In Europe, companies are seeing denial-of-service attacks used for extortion -- botnets that threaten attacks that will go away if money is wired to a particular bank account.

To battle criminals, you have to be concerned about customer data and remote control of systems that can be used for spam. You have to think about the exposure to your reputation if your systems are used as bots for something like kiddie porn. As far as I know, no companies have paid damages yet if their resources were used in an attack, but suits have been filed and settled out of court.

Multinationals also have to worry about patented information. They need to worry about information about their shipments that could be stolen. In other countries, companies have to worry about the addresses and travel itineraries for their executives to make sure they are not kidnapped.

There is a lot of information that is online that people don't think of protecting right away, like high-quality logos that can be used for counterfeit goods. Pictures of buildings and building plans can be useful information to someone interested in doing something of harm. Think about fire departments that have a GIS system that shows where all the hazardous chemicals in the town are. That's useful for the fire department but probably not something you want publicly available.