and terror are more likely to use a physical attack than an attack that targets IT exclusively.
The committee makes two short-term recommendations with respect to the nation’s communications and information systems.
Short-Term Recommendation 1: The nation should develop a program that focuses on the communications and computing needs of emergency responders. Such a program would have two essential components:
Ensuring that authoritative, current-knowledge expertise and support regarding IT are available to emergency-response agencies prior to and during emergencies, including terrorist attacks.
Upgrading the capabilities of the command, control, communications, and intelligence (C3I) systems of emergency-response agencies through the use of existing technologies. Such upgrades might include transitioning from analog to digital systems and deploying a separate emergency-response communications network in the aftermath of a disaster.
Short-Term Recommendation 2: The nation should promote the use of best practices in information and network security in all relevant public agencies and private organizations.
For IT users on the operational level: Ensure that adequate information-security tools are available. Conduct frequent, unannounced red-team penetration testing of deployed systems. Promptly fix problems and vulnerabilities that are known. Mandate the use of strong authentication mechanisms. Use defense-in-depth in addition to perimeter defense.
For IT vendors: Develop tools to monitor systems automatically for consistency with defined secure configurations. Provide well-engineered schemes for user authentication based on hardware tokens. Conduct more rigorous testing of software and systems for security flaws.
For the federal government: Position critical federal information systems as models for good security practices. Remedy the failure of the market to account adequately for information security so that appropriate market pro-security mechanisms develop.