Securing the Lines of a Wired Nation

[InfoSec News <isn () c4i org>]

http://www.nytimes.com/2001/10/04/technology/circuits/04SECU.html

By JOHN SCHWARTZ
October 4, 2001

In the hours of torment and confusion after the attacks on the World
Trade Center and the Pentagon, many people making phone calls to or
from the affected cities encountered the grating "All circuits are
busy" recording. E-mail messages, however, seemed to sail through the
crisis to their destinations. The smooth traffic was hailed by many
experts as testament to the underlying strength of the Internet.

But hold on just one nanosecond. Are we talking about the Internet,
referred to by so many other experts as a famously vulnerable, fragile
network that can be brought to its knees by college students in the
Philippines or a teenager in Canada, with estimates of damage in the
billions of dollars?

It is indeed the same Internet, ever a combination of flaky and
robust. Fred Cohen, the computer security researcher who first applied
the word "virus" to malicious software, said that the individual
elements of the network were fragile but that the network over all was
resilient. "It's easy to tear a piece of paper," he said. "Try tearing
a phone book in half." Still, David J. Farber, a computer scientist
and former chief technologist at the Federal Communications
Commission, said that the Internet's success on Sept. 11 could largely
be attributed to the fact that "nobody attacked it."

Experts in the emerging field of cyberterrorism say that with such an
inviting target, terrorists are bound to take up the hackers' wares.
What will happen when an attacker with real resources and a deep
desire to do harm grabs the keyboard?

It may not take long to find out, and the vulnerability may go far
beyond Web sites or e-mail.

According to a report last week by the Institute for Security
Technology Studies, founded last year at Dartmouth, "U.S. retaliatory
strikes for the tragic Sept. 11 events may result in cyberattacks
against the American electronic infrastructure." While such attacks
may amount to no more than familiar nuisances like hackers' defacing
Web pages or tying up sites by overwhelming them with traffic "the
potential exists for much more devastating cyberattacks," the report
said.

Those who watch trends in computer crime and terrorism say that the
two are coming together with potentially catastrophic results. Richard
A. Clarke, who will head cyberterrorism efforts for the Bush
administration's Homeland Security Council, said in a speech last
December that the government had to make cybersecurity a priority or
face a "digital Pearl Harbor."

In 1997, the President's Commission on Critical Infrastructure
Protection noted that telephone networks and the Internet were
increasingly the bonds of the world's economy, for everything from
financial operations to the supply of water and power.

Consequently, it said, "a computer can cause switches or valves to
open and close, move funds from one account to another, or convey a
military order almost as quickly over thousands of miles as it can
from next door, and just as easily from a terrorist hideout as from an
office cubicle or military command center."

For Tom Marsh, who was the commission's chairman, the worst-case
scenarios are nightmarish: a determined coalition of hackers, he said,
could disrupt 911 service, air traffic control, the power-switching
centers that move electricity around the country, rail networks and
more. "It's a major undertaking," said Mr. Marsh, a retired Air Force
general, "but it's not beyond the realm of possibility." The
complexity of the attacks on the World Trade Center and the Pentagon,
he said, showed that "even terrorist organizations can conduct very
well- organized and sophisticated attacks."

"We said in our report we didn't foresee an electronic Pearl Harbor,
and I still don't," he said. "But I do believe that as cybercrime
progresses, over time the terrorists are going to get more and more
interested in it and see it as a very possible opportunity to cause
major disruption."

Those who have worked in cyberintelligence say that the attention to
the subject is timely. "Up until the 11th, people like me would talk
in terms of the growing threat of transnational attack the prospect of
new forms of terrorism and the basic reaction was, `Yeah, yeah, yeah,
but that's theoretical,' " said Jeffrey A. Hunker, dean of the Heinz
School of Public Policy and Management at Carnegie Mellon University
and formerly the senior director for protection of critical
infrastructure at the National Security Council.

Since the attacks, he said, it has become clear that "there are
clearly transnational organizations that are incredibly capable of
executing sophisticated operations and are enormously creative and
innovative." That, in turn, "makes much more real the possibility of
new techniques or new types of terrorist attacks," including
cyberterror, he said. "We're sitting on a cyber time bomb," he said.

Some experts have warned, for example, that systems accessible to the
Internet like power grids could be brought down by a determined
hacker, though as Mr. Farber put it, "it's a lot easier to throw a
hand grenade down the highway south of San Jose and take out a major
power station" than to do so by modem. And most would put cyberattacks
in a different category from the weapons of mass destruction
associated with visions of catastrophic terrorism; these are not
nuclear arms, nerve gas or germs. Instead, many experts now call them
weapons of mass disruption.

"People aren't going to be killing us with computers," Mr. Hunker
said, "but our life may be hell because of computer attacks."

The likeliest use of the technology, he said, would be to complicate
matters further after a real-world attack, a tactic he describes with
the military phrase "force multiplier." That could involve planting
false information on the Web to create a panic or taking down crucial
computers in the financial or communications sectors.

The ripple effects of the World Trade Center attacks on everything
from the travel industry to supply chains in manufacturing show the
potential for havoc. "Besides the fact of the horrendous loss of life,
it was really an attack on the critical infrastructures," said Mary J.
Culnan, a professor of management and information technology at
Bentley College in Waltham, Mass., and a member of the presidential
commission that issued the 1997 report.

The Clinton administration started the first major national effort to
upgrade computer security in government and business against
cybercrime and terrorist attack. President Bill Clinton issued an
order in May 1998 creating the National Infrastructure Protection
Center, a collaborative effort of law enforcement, military and
intelligence organizations to shore up defenses against computer
crime. The center also developed an information-sharing network with
major industrial sectors.

Such activities will presumably be brought under the umbrella of the
new Homeland Defense Council that President Bush has appointed Gov.
Tom Ridge of Pennsylvania to run. Mr. Clarke will oversee cyberdefense
initiatives for the council as head of its Office of Cyber Security.

Michael Vatis, the head of the Dartmouth cybersecurity group and a
former head of the National Infrastructure Protection Center, said the
stereotype of computer intruders as thrill-seeking teenage loners was
misleading. Talented intruders who are motivated and perhaps banding
together with criminal or ideological motives can go far, he said,
citing little-publicized attacks on business and Pentagon computer
networks by hackers who may be linked to organized crime in Russia.
The attacks, beginning in 1998, are the focus of a federal
investigation. "The type of access they were able to gain," he said,
and "the amount of information and the types of information they were
getting means they could do lots of stuff to those systems," both
purloining data and disrupting operations.

Even more dangerous than outsiders, potentially, are insiders with
specialized knowledge, according to the 1997 report of the President's
Commission on Critical Infrastructure Protection. That report
estimated that by this year 19 million people worldwide would have the
skills to engage in malicious hacking and 1.3 million people would
have advanced knowledge of the systems that control the nation's
telecommunications infrastructure.

Whatever the nature of the attack, the tools are easy to acquire and
the knowledge to use them even more so. A reasonably competent
programmer who is willing to delve into the arcana of computer
operating systems and networks can cobble together viruses or other
destructive computer code from software posted online. Similarly,
tools for examining computer systems for security holes and the
programs that can be used to take advantage of them to gain
unauthorized entry are also easy to find online, and computer vandals
are happy to share their knowledge in Internet forums.

So what is to be done? Most of the measures that experts recommend,
like keeping up with the latest antivirus software, using strong
passwords to protect computers and networks and installing
intrusion-detection software, are painfully obvious but still ignored
by many businesses, government agencies and consumers. The Dartmouth
report also recommends increasing protection at Web sites and keeping
backups of their important data, with special attention to the
potential for Web page defacement.

That report also recommends vigilance, and appropriate software, to
prevent or detect the surreptitious commandeering of computer systems
for use in denial-of-service attacks. (A guide to the best security
practices can be found at www.cert.org /security-improvement.)

Informal networks for intrusion detection are beginning to form among
those who hope to find security in numbers. One such network, AirCert,
has been developed by the CERT Coordination Center at Carnegie
Mellon's Software Engineering Institute. The fledgling AirCert project
places Internet- based security sensors on participating sites; those
sensors automatically send data on intrusion attempts to a central
CERT knowledge base that is able to analyze the information and share
it quickly.

The idea has been suggested before. A network for intrusion detection
in government computers, called Fidnet, was proposed late in the
Clinton administration but never created because of assertions that
the system might be used as a large-scale monitoring network for
citizens' online communications. Government officials insist that was
never the intention, but Mr. Vatis said that they did not make their
case well.

Making that case may now be easier, but Professor Culnan, at Bentley
College, said that mounting an effective deterrent to cyberterror was
no small task. "It's a gigantic problem making this work," she said.
"But at least we've started thinking about it."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.