Cyberterrorism


Preparing for cyberterrorism--badly. Screen Saver

By JOHN ARQUILLA The New Republic, 5/1/2000

"The decision to send American troops was easy. Sure, the Saudi demonstrators and rioters wanted democracy, but we couldn't sell out our old ally King Fahd. And what if the insurgents were Iranian pawns? There was too much oil at stake to take a chance.

But something funny happened on the way to the counterrevolution. An unknown fundamentalist group, the Campaign for Islamic Democracy (CID), warned that if we didn't butt out, it would wield the "Secret Sword of Allah." We laughed. Then the CID unsheathed its "cybersword." The attack began with rolling power outages throughout the United States. Next, an automated pipeline control near Valdez, Alaska, was manipulated to lower the temperature of the flowing oil, causing congealment, a burst pipe, and an environmental disaster.

The fundamentalists said they would stop messing with our computers if we stayed out of Saudi affairs. Furious, we continued deployment and stepped up our efforts to find them. The CID took it up a notch, too; the group hit our air-traffic-control system. Result: one midair collision over Los Angeles International Airport and several near misses. It was time to cut a deal, even if it meant abandoning the king.

Of course, none of this happened. But a group of us at RAND in the early '90s started worrying that it might. So we dreamed up a scenario quite like this one and convinced the deputy secretary of defense to pull together some high-level political and military officials to treat it as a war game. They played it out over a long Saturday--and found themselves at a complete loss.

That was five years ago. Today, we're as open to attack as we were then. American prosperity and security increasingly depend on an extremely vulnerable information infrastructure. And, while the military has all sorts of systems to keep its communications up even during a nuclear war, civilian systems--power supplies, transportation, resource flows, and financial markets--are wide open to "cybotage" of the kind we imagined. It's not that the U.S. government hasn't done anything to try to protect us over the last half-decade. It just hasn't done the right things.

Cyberwar means disrupting the flow of information--principally through computer viruses that eat data or freeze up systems and logic bombs that force machines to try to do something they can't (like resolve the value of pi, a trick Mr. Spock once used to disable a computer on "Star Trek").

Cyberwarfare can be used by one military against another. In the Gulf war, for example, the United States implanted viruses and made other computer intrusions into Iraqi air defenses. Against Serbia, we went further--instead of simply slowing or stopping data flows, we strove to distort the information Serb gunners saw on their screens, helping keep our planes safe during their bombing runs. Since the U.S. military already does a good job of protecting its systems against such attacks--and since the only other power seriously pursuing battlefield cyberwar capacity, China, is way behind us--there's no reason for alarm on this front. At least not right now.

America's civilian computers are another story--they're much more vulnerable to attack. And it wouldn't take an army to launch one, just a small organization, or even a knowledgeable individual. Sound far-fetched? Tell that to the system administrators at Amazon.com, eBay, and Yahoo!, who saw their sites downed by simple, though well-tooled, attacks.

It's true that the talent needed to wage cyberwar is relatively hard to develop. Terrorists don't yet have it. And, while some hackers do, they have not yet shown an interest in cyberterrorism--perhaps because there are ample opportunities to apply those skills for legitimate profit. (Why destroy the U.S. information infrastructure when you can make $100 million as part of it?) But this is bound to change.

For one thing, as knowledge about the Internet increases, the line between terrorist and hacker may blur. Terrorists' initial forays have been defensive--for example, acquiring encryption technology in order to keep their communications secret. But they won't stay defensive forever. There is even anecdotal evidence that Bulgarian hackers (I kid you not), cut off by the Russians and feared and rejected by the West because they spawned the "Michelangelo" virus some years back, may be trying to hire themselves out as cybermercenaries.

But trying to prevent terrorists from becoming cyberterrorists doesn't much interest the U.S. government. Instead, U.S. computer-protection efforts focus on "infrastructure." This is what the respected Presidential Commission on Critical Infrastructure Protection recommended two and a half years ago; so did the equally prestigious National Research Council. Now there's even a National Infrastructure Protection Center in Washington, D.C.--which involves considerable collaboration between the Departments of Justice and Defense--in charge of the effort.

The trouble with infrastructure protection is that it misunderstands the cyberwar threat. The guiding notion behind nearly all current efforts is to prevent an "electronic Pearl Harbor"--a massive cyberattack that would cripple our ability to deploy our forces. The allusion is sexy but misleading, because nowhere is American power as concentrated today as it was at Battleship Row in 1941. A better analogy is the "harbor lights" phenomenon that bedeviled American efforts to protect merchant ships in the early months of 1942. Big-city mayors on the Eastern seaboard fought to keep their cities from being blacked out, because the cost to business would be high. So, for some months, U-boat skippers had their targets illuminated by well-lit skylines. Today, similarly, harbor lights are on all over cyberspace.

In response, the government has constructed a kind of Maginot Line. It has tried to build leakproof firewalls and safe areas--that is, domains protected by computer protocols and codes--that presumably will prevent hackers from accessing sensitive information and systems. Both the presidential commission and the research-council report strongly recommended this strategy, and the government is following their advice to the letter. What's more, the government is pushing the private sector to take a similar approach, and many businesses are complying.

But, as the French discovered in 1940, even the best fortifications can be outflanked and penetrated. Cyberterrorists can always find trapdoors and glitches in software that allow them to get around obstacles; or, if that fails, they can try launching direct attacks by using very sophisticated password-cracking programs. This vulnerability was highlighted for me at one Department of Energy laboratory, where I investigated a hack that had shut down the facility for a few weeks in 1998. I learned that the lab's own security people were running a password-cracking program to help assess and limit their risk of intrusion. But, even a year after the initial break-in, their program was still able to guess one in ten new passwords every week.

So what, then, would an effective cyberdefense look like? First, it would abandon the notion that we can simply wall off safe areas, moving instead to a "depth defense" of countermeasures designed to foil intruders once they've broken in. Such countermeasures would include electronic camouflage for files (e.g., making sensitive data look like office-supply orders), the strongest encryption (to keep an intruder from being able to read what he sees), and diffusing that encryption broadly throughout information systems. While some such deceptions are now employed, very strong encryption remains terribly underutilized. This is a pity, since today's best encryption, unlike the mediocre code legally available to the public, simply cannot be broken (for reasons having to do with the length of a code's "key," which can now be measured in thousands of bits).

But something is keeping the best encryption technology from the public: the U.S. government. The Department of Justice argues that strong encryption would let criminals foil its cybertaps. The National Security Agency says it will be crippled if it can't decode communications. And the Department of Commerce fears that diffusing encryption would spawn a "virtual currency," reenergizing and expanding the subterranean economy while undermining America's tax base. But all these objections ignore a critical reality: The best encryption is already in the hands of criminals, terrorists, and the Russians (who will probably sell them to the former). And, by not using our best technology against cyberwar, we only encourage cyberterrorists to develop their emerging capabilities even further.

In addition to freeing up controls on encryption technology, the United States could do one other thing to protect the nation from cyberwar: recruit some hackers to its side. In the same way the United States courted and cultivated German rocket scientists after World War II, the government should bring some of the best cyberminds onto its team--in recognition that, for all the techno-glitz that surrounds cyberwar, human factors still reign supreme. Only the best hackers can tell you for certain whether you've designed a system that is impossible (or at least very difficult) for them to disable. We could buy all the hackers there are for the price of one F-15. And they'd do us a lot more good than an F-15 if we ever came face-to-face with the "Secret Sword of Allah.""

-- Ken Decker (kcdecker@worldnet.att.net), April 28, 2000

Answers

http://hv.greenspun.com/bboard/q-and-a-fetch-msg.tcl?msg_id=002hff

http://www.usatoday.com/usatonline/20000309/2012438s.htm


Page 1A

How the government failed to stop the world's worst Internet attack

By M.J. Zuckerman

USA TODAY

Susan Levy Haskell arrived at her office at the University of Minnesota as usual before 8 a.m. on Monday, Aug. 16, 1999, where she watched at first curiously, then later in horror, as the university computer system came under attack from a massive yet anonymous Internet adversary.

Haskell, the university's computer security coordinator, says that as hours passed the volume of incoming malicious traffic rose from a mere annoyance to an all-consuming electronic dissonance. The Internet connection grew ever less responsive, degrading steadily until the university was cut off from the world.

''It became pretty terrifying to realize how many machines had to be involved. It seemed like hundreds.''

Investigators later determined that 2,200 computer systems, including those at more than 30 universities in the United States, had become unwitting ''zombies,'' serving a still unidentified master computer, which directed the attacks and forced the university off the Internet for two days.

In a matter of weeks after the Minnesota incident, academics and elite computer security firms began spreading the word to clients and colleagues that this newly enhanced ''denial of service'' (DoS) attack was a clear and immediate danger to the Internet.

But it would take more than a month before federal officials at the National Infrastructure Protection Center (NIPC), which is responsible for national computer security matters, to learn of the incident and three more months for them to conclude that it was a threat worthy of a warning to the public.

It is now apparent that throughout the end of 1999, cybervandals were infecting large, insufficiently secured computer systems as zombies and laying the groundwork for a series of attacks last month that rocked e-commerce.

The delayed response and limited distribution of threat information is one of several criticisms being leveled at the NIPC and its sister agencies as the investigation into the attacks progresses slowly, according to recent congressional testimony.

''It was not enough,'' says Jamie Gorelick, the former deputy attorney general, who from 1994 to 1997 directed the administration's creation of the current electronic defense policy.

She and others say the protection center failed, leaving many e-commerce firms unprepared for the attacks Feb. 8-11 that slowed the global Internet by 20% and shut down the world's most popular commercial Web sites and the FBI's home page.

''There needs to be some agile operational capacity in the government, an ability to move quickly to provide warnings,'' she says. ''This doesn't sound at all like what we had in mind.''

Michael Vatis, director of the NIPC, an interagency fusion of federal, local and international organizations based at the FBI, defends his agency's response. It says it permitted the private sector to prepare for the worst while avoiding public hysteria.

''Three years ago we wouldn't have been able to respond at all,'' Vatis says. ''Today we have an effective resource'' for investigating crimes and issuing threat alerts.

Critics say the protection center and its sister agencies have fallen short of the vision President Clinton had two years ago when he issued a plan to ''create a genuine public-private partnership to protect America in the 21st century'' from devastating cyberattacks. The plan called for the private sector, which owns and operates both the Internet and the infrastructure that supports it -- electricity, banking and communications -- to create secure information-sharing centers in which companies could anonymously share threat information, new vulnerabilities and crises data. It also created a Commerce Department coordinating center to work with those industry clearinghouses and the NIPC.

But as the administration seeks $37 million in new spending for cybersecurity, the NIPC and its sister agencies are troubled by confusion within their own ranks as well as a lack of cooperation from companies and other government agencies:

* Other government agencies are refusing to work with the NIPC, privately pointing to the FBI's longstanding reputation for not sharing well with others. ''That's something we're still working on,'' Vatis says.

The Pentagon is the only Cabinet-level agency represented at the NIPC. The Secret Service, Transportation Department and Treasury Department, each of which is designated to have representation at the protection center, refuse to take part. The Department of Energy, which is supposed to play a major role at the center, is not represented. The CIA, which has four slots at the center, has filled one.

* Friction and turf battles between the new cyber-security agencies may be hampering operations. The National Coordinator for infrastructure protection and counterterrorism is Richard Clarke, a White House official, who must get clearance on a case-by-case basis before the NIPC will brief him about investigations.

Vatis says Justice Department guidelines bar the FBI from briefing anyone outside the department about ongoing cases unless the attorney general grants a waiver.

* The Internet community is demanding broader distribution of more timely threat information, beyond the security professionals with whom the NIPC typically deals. ''If you are only spreading the word to specialists, then you are not getting threat information out across the board to small universities or e-tailers,'' says Harris Miller of the Information Technology Association of America, a leading trade association representing 11,000 corporations.

* Though some companies are warming to the idea of sharing information with the government, many complain that they remain uneasy about government efforts to police the Internet.

''Where (the federal government) is completely failing is to be a place people trust'' with delicate information, says Alan Paller of the SANS Institute, an education facility for computer system administrators that claims 100,000 members. ''Ninety-eight percent of the time they won't share with the FBI because they fear having their (computers) confiscated, that their troubles will become public knowledge and that the agents will scare (clients) to death.''

* The president's plan has created so many entities gathering data on Internet vulnerabilities that it is causing confusion. ''Imagine living in a community where there are seven different numbers to call for 911 services,'' says Mark Rasch, chief counsel to Global Integrity, a leading cybersecurity firm that hosts the financial industry's information sharing center. ''You need to have one number, one place, that everyone trusts.''

Adds Tom Noonan, CEO of Internet Security Systems, probably the fastest-growing firm in its field and a major booster of the NIPC: ''Quite frankly, I'm confused by all these different government groups.''

Word spreads slowly

In the days after the University of Minnesota attack, Haskell says her 911 instinct was to notify academic colleagues or other trusted computer professionals.

One of those she contacted was David Dittrich, director of software engineering at the University of Washington in Seattle. He became the first person to track down and unlock the codes that make the attacks operate.

It was a matter of days before he realized the new attack technique required immediate action. But the wheels of government turn slowly.

Dittrich first alerted CERT, the Computer Emergency Response Team at Carnegie-Mellon University, the nation's premier clearinghouse for data on computer vulnerability. By early September, it began organizing an unprecedented international conference to examine the emerging threat.

Based on CERT's letters of invitation to the conference, a handful of high-end security firms learned of the attack technique, and in October and November the firms quietly briefed clients about the impending threat.

Though the NIPC is a sponsor of CERT and has a liaison for the emergency response team on its staff, it received its first substantial report from CERT in late October. The response team has declined to comment on the apparent delay.

The three-day CERT conference in early November adjourned with this determination: ''There is essentially nothing a site can do with currently available technology to prevent becoming a victim'' of a denial-of-service attack.

The only prevention, the conferees said, was for system operators to update their security precautions to prevent vandals from exploiting known system weaknesses to gain control of their computers as attack ''zombies.''

On Dec. 8, the NIPC sent a note briefing FBI Director Louis Freeh for the first time. On Dec. 17, Vatis personally briefed Attorney General Janet Reno as part of an overview of preparations being made for Y2K.

By that point, several DoS attacks already had occurred, but ''people weren't getting the message,'' Dittrich says. ''CERT and NIPC were really worried. They had obviously been hearing about a lot more intrusions. They went back and recategorized a whole bunch of incident reports going back to April-May time frame, and they started telling me that this is a really big thing.''

But not until the NIPC, working with Dittrich and Mitre Corp., developed a tool for identifying zombies in a system did the protection center decide to warn the public Dec. 30 and post the tool for anyone to download.

By that time, Vatis says, ''someone was setting the groundwork for an attack, and that is when we decided to make a public announcement.''

Electronic 'night of the living dead'

The NIPC was convinced that New Year's Eve ''could be a day for people to start sending marching orders to these zombies. We were afraid that Dec. 31 might become the night of the living dead,'' he says.

''Thanks for giving us plenty of time to prepare,'' says a sarcastic Vinton Cerf, an MCI WorldCom executive who is widely regarded as a founder of the Internet. ''The timing of this all was singularly unfortunate.''

But the protection center gets high praise from many security firms for being the first to provide an effective tool to locate and remove the zombie infections. Vatis says far more damage would have occurred in February otherwise.

''You know, I'm sensing a little bit of doublespeak here,'' Vatis says. ''Business is saying, 'We don't want the government telling us what to do; we can fix this ourselves.' And I agree. But then I hear people saying, 'Gosh, government didn't warn us loud enough.' ''

''People have been saying for a long time that it's going to take an electronic Pearl Harbor for people to take security seriously,'' he says. ''There's a kernel of truth there because we live in an event-driven society.''

-- (*@*.*), April 29, 2000.


Tackling the Net's biggest issue (ZDNet)

http://hv.greenspun.com/bboard/q-and-a-fetch-msg.tcl?msg_id=002uSB

-- See (this@s.well), April 29, 2000.


Absolutely required reading: The Crypt Newsletter

To date, most cyberattacks have consisted mostly of clueless Web site operators shutting things down in a panic because someone has scrambled a few Web pages.

The worst case in history was the Win95.CIH "Chernobyl" virus, and was mostly inadvertent. The writer of the virus never expected it and was as surprised as anyone else that so many clueless people could be concentrated in one region.

It is not possible for someone to turn off the "power grid" via the Web. This is a fiction that the Military, various government Dulles-types and even a few over-imaginative sci-fi writers have toyed with for years.

Yes, the government has played games and created scenarios to describe this in lavish detail (the most infamous is Eligible Receiver, discussed at the Crypt site) -- primarily to beat Congress out of additional funding.

All of these scenarios ignore one tiny little detail: if there's no public access to the computer system that throws the switch, it can't be done. The most brilliant programmer in the world can't cause electrons to jump through sheer aether.

-- Me (me@thisplace.net), April 29, 2000.

