Checklist outlines new cyberthreats

By Michael Arnone
Published on April 26, 2006

Editor's note: This story was updated at 5 p.m. May 5, 2006, with additional information on how to receive a copy of the checklist.

The U.S. government and industry face many cyberthreats that, until now, have not received adequate attention, according to a new checklist outlining the threats.

“We’re talking about vulnerabilities where we can calculate the effects, and the effects are considerable,” said Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit.

The unit’s Cybersecurity Checklist looks at potential avenues for real-world cyberattacks and recommends ways to thwart them. Borg presented a draft version of the list at the GovSec conference in Washington, D.C. DHS has not yet approved the draft.

The list includes 478 questions relating to cybersecurity attacks in 16 attack venues in six areas of vulnerability:


  • Hardware: Physical equipment, physical environment and physical byproducts.

  • Software access: Identity authentication, application privileges, input validation and appropriate behavior patterns.

  • Network: Permanent connections, intermittent connections and network maintenance.

  • Automation: Remote sensors and control systems and backup procedures.

  • Human operator: Security training and accountability.

  • Software supply: Internal policies for software development and policies for dealing with vendors.

The list contains recent content that reflects how the cybersecurity environment has changed in the past several years, Borg said. It uses a simpler framework than many similar checklists and is more self-consistent and easy to use, he said.

The checklist provides more specific guidance for industry and recognizes economic realities, Borg said. It also includes asterisked items that are necessary but difficult and expensive to implement, he said.

If the list is going to be used as a standard, it’s a practical necessity to let companies off the hook for the asterisked items, Borg said. “We don’t have the services and products to deal with them,” he said.

The unit analyzed each of the 16 critical infrastructure sectors, Borg said. Many sectors say they follow international security standards but still have gaping security vulnerabilities, he said.

“They follow all the procedures, they do all the checklists, but they have the open fields of Belgium to drive tanks through next to their beautiful, secure systems,” Borg said.

Borg referred to the Maginot Line that the French built along the border with Germany to prevent attack before World War II, but that the Germans circumvented by heading north through Belgium and Holland.

A gigantic area of vulnerability is the intersection of physical and cybersecurity, Borg said. People in each field don’t understand how physical security can cause cybersecurity breaches and vice versa, he said.

Another is inserting malware that causes normal business processes to occur in inappropriate or wrong ways, such as causing a valve at a chemical plant to open at the wrong time, Borg said.

One of the biggest security holes in networks is extra connections added for the convenience of senior users without attention to security or proper documentation, Borg said. “It’s a very bad, scary one,” he said.

Copies of the checklist are available by request at scott.borg@usccu.us.
