Launching a Counteroffensive in Cyberspace
Saturday, February 5, 2000; Page A3
LIVERMORE, Calif. �� Eric Thomas hacks into Jason Arnold's computer with a few simple keystrokes, sniffing Arnold's password, hijacking his online session and stealing all the data on his screen.
It's easy enough. Thomas launches the attack, an ingeniously malicious script of Czech origin that he's downloaded from the Internet, without Arnold ever knowing what hit him.
"I'm watching everything he's doing right now," Thomas says, peering at his computer screen. He types in another command and declares victory: "I've taken over his connection!"
As it happens, Thomas and Arnold are seated 10 feet apart here at the Northern California branch of Sandia National Laboratory, the nation's best-equipped computer attack simulation center. This is a place where it is quickly apparent that the thrust and parry between cyber-attackers and cyber-defenders has evolved further than non-experts may realize--and that the defenders are not as hapless as the American public may think.
Both Thomas, 20, and Arnold, 18, are students at San Jose State University with a flair for computers. And both are just the type President Clinton had in mind last month when he proposed a national scholarship program to train cyber-security experts in return for four years of public service once they graduate.
The two young men are part of the vanguard, already enrolled in Sandia's College Cyber Defenders Program, an initiative of computer security guru Fred Cohen. A principal member of Sandia's technical staff, Cohen, 43, is credited with inventing the computer virus as a graduate student at the University of Southern California in 1983. Like Clinton, he believes the current security environment is more precarious than ever, having spent the past 17 years pioneering defenses against all forms of cyber-attack.
The attackers are becoming bolder and more sophisticated, Cohen said, while most people using computers know little--and seem to care even less--about protecting their machines. "This disconnect between technology and how people behave is getting broader, not narrower," Cohen said.
But within the federal government, the picture is more encouraging. The Pentagon's computer defenses have improved by "an order of magnitude over the past five years," according to Cohen. While the government still makes its share of blunders in cyberspace, he said, its combined expertise for defending computer systems and waging cyberwar "is probably the best in the world--by a long ways."
Such prowess isn't always readily apparent, with hackers taking down federal Web sites with regularity and Clinton sounding the alarm about cyber-terrorism in his budget proposal for fiscal 2001, which contains $2 billion in computer defense initiatives.
But the Pentagon started funding the government's first computer emergency response team, or CERT, at Carnegie Mellon University 12 years ago after the so-called Morris "worm" was unleashed on the Internet and spread to 6,000 computers. Now most federal departments and agencies staff their own CERTs, the infantry in a growing cyber-security command structure.
At the FBI, the National Infrastructure Protection Center is responsible for fighting cyber-crime, taking many of its leads from CERTs throughout the executive branch. At the Pentagon, a newly created center in Arlington called the Joint Task Force-Computer Network Defense is responsible for coordinating all computer defenses throughout the military. And at the General Services Administration, the Federal Computer Incident Response Center plays the same role for all civilian computer defenses.
The price tag for these forces this fiscal year: $1.5 billion.
Cohen himself is a one-man computer defense conglomerate, beginning with an 18-member research staff on cyber-security he directs here at the California branch of Sandia, which has its headquarters in New Mexico.
Dressed in blue jeans and Birkenstocks, he explains that he developed the Cyber College Defenders Program for much the same reason Clinton proposed the $25 million scholarship program. "Ph.D. researchers are very expensive, they're hard to find, and the [national] labs don't pay as much as Silicon Valley," Cohen said. "It's build or buy these employees--and you can't buy them. So you have to build them."
The son of two physics professors, Cohen is also an adjunct professor at the University of New Haven in Connecticut and an expert in the nascent field of computer forensics--tracking digital crimes. And he runs a private consulting business, advising companies on how to protect their computer systems. One of his tactics is to show clients that they are theoretically vulnerable to attacks that could disable factories, cause chemical spills, or steal millions of dollars.
With such experience, Cohen is deadly earnest about the threat of cyber-war. He joined Sandia's technical staff, he said, because he saw "the potential for attacks on the critical infrastructure that could cost millions of lives and change the course of nations."
Lance J. Hoffman, director of the Cyberspace Policy Institute at George Washington University, said most experts believe it is only a matter of time before a disastrous computer assault takes place.
"The government does have resources in computer security and information assurance," Hoffman said. "But there is no such thing as perfect security. . . . I hope Congress does not wait until the aftermath of a cyber-disaster to take action."
In Sandia's cyber-defenders program, Cohen downloads attack programs posted on hacker Web sites and assigns his students to run them against a variety of operating systems, figure out how they work and devise ways to defeat them. The suggested defenses are then posted on the Internet.
"Attackers share, but defenders don't share as well," Cohen said.
With the program nearing its first anniversary, students working part-time for $10 to $12 an hour have already modeled 400 attacks. Cohen has 1,800 more planned, and he figures his students will be caught up by the end of this summer, when the number of participants in the training program will double to 25.
One day last month, Corbin Stewart, 28, who has a degree in history and is studying computer science at Las Positas Community College, launched his 100th simulated attack, a script called seyon exploit.sh.
It comes with a disclaimer: "Please use in a responsible manner." But seyon exploit.sh was written with unconcealed malice, designed to allow whoever launches the code to gain root access to an improperly protected Unix operating system.
"It's privilege expansion," Cohen said as Stewart fired away. "They become the super-user on your computer--they can read, write, modify anything. They can cause it to crash, they can use it to attack other computers, they can install sniffers, Trojan horses to get back in--it's all theirs."
The threat, of course, is relative--and often grossly exaggerated, Cohen said.
Hackers launching seyon exploit.sh or other commonly available attack scripts could damage somebody's home computer or business server, Cohen said, but it is highly unlikely that they could bring down U.S. military networks.
Most hackers lack the expertise to penetrate sophisticated defenses or sustain their attacks, Cohen said. Hacking into a federal government Web site, he said, typically causes little more lasting damage than spray-painting a sign outside a government office.
But when Clinton said last month that "hostile powers and terrorists can now turn a laptop computer into a potent weapon capable of doing enormous damage," he was not, in Cohen's opinion, exaggerating at all.
A hacker may not be able to disrupt the Northeast's power grid, Cohen said, but the Russian government--with legions of computer scientists, years of expertise and a sophisticated understanding of how power systems work--probably could, if it wanted to.
) 2000 The Washington Post Company
link
http://www.washingtonpost.com/wp-dyn/articles/A12795-2000Feb4.html
-- Carl Jenkins (Somewherepress@aol.com), February 05, 2000