[ISN] Several Infowar Articles from Will Rodger

From: mea culpa (jerichot_private)
Date: Wed Oct 07 1998 - 14:54:45 PDT

  • Next message: mea culpa: "[ISN] Privacy ad campaign to launch"

    [Moderator: Several articles along the same lines, by the same
     journalist. These were posted to the EWAR list originally.]
    Cyberwars: Proper vigilance or paranoia?
    By Will Rodger, Inter@ctive Week Online 
    October 5, 1998 6:12 AM PT
    The last war was on land, air and sea. The next one may be on your
    -- Armed with reams of data showing dramatic increases in computer crime
    since 1995, a wide-ranging but little-noticed federal working group is
    moving swiftly to try to knit together a private and public partnership
    against armies of hackers, government spies and terrorist agents that
    could make cyberspace unsafe for democracy. 
    The fear: that no part of the industrialized world is safe from digital
    disaster. Successful attacks on power grids, hospitals, banks, farms,
    factories and railroad switches could plunge a target nation into chaos
    and dysfunction.  
    Administration officials say this is no joke, ticking off threats
    already encountered:
    * A 19-year-old Israeli hacker, known as the Analyzer, and two California
    teenagers successfully penetrate U.S. Department of Defense computers in
    February, setting off fears that their intrusions are related to U.S.
    troop buildups against Iraq. 
    * Russian hacker Vladimir Levin breaks into Citibank systems and steals
    $12 million in 1994. He escapes arrest for one year, only to be brought to
    justice as he gets off a flight to London and walks into the arms of
    * A study by network security specialist Dan Farmer that shows more than
    60 percent of 1,700 high-profile Web sites - many run by banks - can be
    broken into or destroyed using a program he designed to probe for
    weaknesses no system administrator should allow in the first place. 
    Free flow of bits and bytes
    At the center of the U.S.' attempts to create a cyberdefense structure is
    the Critical Infrastructure Coordination Group, an assembly of cabinet
    undersecretaries and other senior officials sworn to work with the FBI and
    American business to protect a society that now depends on a afe, free
    flow of bits and bytes. 
    'I don't think the government can any longer say we know what's good for you
    and we're going to take care of it.'
    -- James Adams, head of Infrastructure Defense Inc.
    But even as the defense structure emerges, civil libertarians, industry
    executives and even administration insiders worry about how well the
    Clinton administration or its successors can steer between protecting
    against all forms of disruption on one hand and creating a police state on
    the other. 
    Fears that police agencies will use the threat to gain unprecedented power
    "reflect a misunderstanding of what we're all about and what the
    administration is all about," said Michael Vatis, director of the National
    Infrastructure Protection Center (NIPC) at the FBI. "We are structured as
    a real partnership [between government and free enterprise]. It's our own
    intention to bring people on board from the private sector. We all say the
    same thing." 
    But James Adams, former chief executive officer of United Press
    International and head of the newly formed Infrastructure Defense Inc. 
    consultancy, said government must surrender more power first. "I don't
    think the government can any longer say we know what's good for you and
    we're going to take care of it. The government is becoming increasingly
    irrelevant. I'm not arguing that's a good thing or a bad thing - it's
    simply a fact." 
    Endless government disputes 
    Either way, bitter, seemingly endless disputes between the administration
    and the people whose cooperation it needs already have tainted the process
    of developing a national approach to protecting critical information
    assets, both sides said. A five-year battle over use and export of
    data-scrambling technologies crucial to data security, for instance, has
    alienated much of the computer industry. FBI demands that telephone
    companies spend hundreds of millions of dollars to make wiretaps easier to
    perform, meanwhile, have led to charges of betrayal by phone companies
    that claim they were promised more compensation than they're getting, and
    civil libertarians who say the new proposals invite abuse by rogue police.
    As a result, what should be a cooperative effort to secure the nation from
    outside attacks threatens to bog down in a morass of mistrust and stony
    "Our members are scared to death of this whole program," a Washington
    association executive said, insisting on anonymity. "You've got the FBI
    and the National Security Agency pushing this thing. These guys are spies.
    Then there are these 'private sector' groups springing up to coordinate
    'information sharing' about how different companies have these huge holes
    in their networks. Some of them are headed by ex-Defense Department
    people. The whole thing makes us paranoid." 
    Worse, still, the lobbyist said: The nation's chief computer security
    organization - the secretive, estimated 50,000-employee National Security
    Agency (NSA) - is the same one responsible for wiretapping and signal
    interception everywhere outside the U.S. As long as the world's biggest
    Big Brother has a major role to play, business may be gun-shy of the
    Department of Offense
    By Will Rodger, Inter@ctive Week Online 
    October 5, 1998 12:11 PM PT
    Somewhere in the middle is Air Force Col. James C. Massaro, commander of
    the Air Force Information Warfare Center (AFIWC) at Kelly Air Force Base
    in San Antonio. As a military officer, he has to stay out of policy
    disputes. Even so, he will be the one calling the shots if a digital
    Armageddon ever becomes reality. 
    -- He won't go into details, but he readily confirmed one thing: For every
    hack, virus, worm or physical disruption, there is an offensive answer. If
    computer intrusions give way to war over computer networks, his team is
    prepared to hack back - virus for virus, break-in for break-in, worm for
    Already, dealing with intrusions from the outside occupies most of
    Massaro's time. "We have anywhere from 500 to 800 alerts a day we have to
    check out to make sure someone isn't trying to get into our systems,"  he
    His base will likely do more fighting than any other if cyberwarfare
    breaks out. Massaro has to take it as a given that it will. An apparent
    surge in computer hacks shows why. In a 1997 Ernst & Young LLP survey of
    more than 4,000 information technology managers, for instance, 38 percent
    said they had suffered an intrusion by an industrial spy, up more than
    sixfold from the year before. Of those who claimed damages, only 16
    percent could place a dollar figure on those. 
    By policy, the AFIWC is on guard against all intruders, including the
    "ankle-biter" kids who made headlines in February with their "Analyzer" 
    attacks on defense computers. But the organized attacker that clearly
    worries the military most is another nation-state. Besides the U.S.,
    China, France, Russia and the U.K. all admit mounting some kind of program
    to fight the coming info wars. In addition, the Irish Republican Army, the
    major Colombian drug cartels and Spain's Basque ETA commandos are all
    known to rely heavily on computer technology to carry out their work. In
    time, petrol bombs could literally give way to bit bombs. 
    Yet, no one knows how they will do it.  
    International Concern
    By Will Rodger, Inter@ctive Week Online 
    October 5, 1998 12:22 PM PT
    "We know the problem as a whole is increasing greatly," said the FBI's
    Vatis. "But we don't have a clear picture yet of the sophisticated end of
    the threat." 
    -- In interviews and trips to Capitol Hill, Vatis tells the same story: To
    fight the next cyberwar, civilized nations will have to draw on skills
    found within all of government and the private sector, pooling
    investigative, technical and political knowledge as never before. 
    Blurring, even discarding, traditional lines drawn between domestic law
    enforcement and military engagement will be part of the process, he said. 
    But beyond technical complications lies a more difficult problem. Ever
    since the end of World War II, domestic law enforcement and foreign
    intelligence have had distinctly separate roles. President Harry S. 
    Truman was so afraid of government spies operating in the U.S. that he
    separated the NSA's spying role from its computer security
    responsibilities while banning the CIA from domestic activities entirely. 
    So, in testimony before the Senate Judiciary subcommittee on technology,
    terrorism and government information in June, Vatis made clear the
    bureau's distaste for relying too heavily on those restrictions in
    "What really underlies this whole problem is the fact that national
    security and law enforcement are so intermeshed," he told subcommittee
    Chair Jon Kyl, R-Ariz. 
    Wayne Madsen, a computer security expert and policy fellow at the
    Electronic Privacy Information Center in Washington, D.C., conceded the
    FBI understands the vulnerabilities. Yet, the conclusions Vatis draws
    about what should be done are precisely wrong, he said. 
    "Most of this is nonsense. Who would do it?" the cyberlibertarian said. 
    Much as the FBI may want to suggest terrorists could take down, say, the
    New York Stock Exchange, the cascading effect of a major disruption to
    developed economies would be catastrophic. 
    "Most terrorists move their money through the same networks; they stay in
    hotels," Madsen said. Threatening to take down major sectors of the world
    economy only amounts to the same kind of "mutually assured destruction"
    that kept the Soviet Union and the U.S. from ever actually launching a
    nuclear strike against each other. 
    Why, then, is the government moving to "secure" the nation's
    infrastructure? Attribute it to the overheated imaginations of gung-ho
    cops, Madsen said. 
    But the FBI has been beaten back almost every time it has tried to impose
    more sophisticated eavesdropping techniques on society. Whether it's the
    battle to ban domestic use of uncontrolled encryption technologies or
    moves to gain access to phone conversations conducted over the Internet
    with nothing more than the say-so of a U.S. attorney, the FBI is fighting
    a pitched battle for access on Capitol Hill. By pushing the threat of an
    "info war," FBI and security agencies could get another chance to win what
    they've so far been denied. 
    Indeed, the U.S. Department of Justice is threatening to push for further
    powers of search and seizure in the physical world, if it doesn't get its
    way in the electronic one. "If privacy advocates get their way on
    encryption, they may not be happy," department computer crime specialist
    Scott Charney told an international symposium in August. Instead of
    wiretaps and remote searches of computer disks, the FBI would go to
    Congress for authority to step up its use of bugging devices and physical
    searches. "That could really decrease privacy," he said. 
    Yet, as long as law enforcement sees telecommunications as a surveillance
    tool, Madsen said, it's hard to trust the FBI or the national security
    establishment with anything having to do with telecommunications, let
    alone sweeping initiatives that are supposed to secure the entirety of
    Back at the AFIWC, Massaro remains above the fray. He commands from deep
    within a hardened concrete shell, behind multiple layers of three-inch
    steel doors. Some 50 computer specialists there hunch over their screens.
    A 50-50 mix of civilian and Air Force officers, the Air Force's Computer
    Emergency Response Team is widely acknowledged as the best group of
    intrusion specialists in the U.S. government, if not the world.  Their
    mission is to monitor attacks on nearly all military networks worldwide
    and respond when necessary. 
    Last year alone, the center's automatic monitoring software detected more
    than a million suspicious events on military networks. More than 99
    percent were meaningless - many, for instance, were simply cases in which
    users failed to remember passwords and repeatedly tried to log in. 
    Despite its neat title, AFIWC's responsibility ultimately knows no bounds
    in cyberspace. Hackers don't stop for borders, care little who owns a
    network and, Massaro added, deliberately pass through multiple networks to
    confuse and slow their defenders. A hacker "can go anywhere," he said. "He
    can go foreign. He can come in the U.S., he can go DOD, he can go
    national, he can go government. Whatever, wherever.  The bottom line is
    it's all of our problems because there are no boundaries in cyberspace." 
    When "he" comes to do battle, Lt. Chad Renfro will be on the front lines.
    Not yet 30 years old, Renfro hunches over his Sun Microsystems Inc.
    workstation. On screen is an endless list of logs from 110 separate Air
    Force bases worldwide, gathered by the center's Automated Security
    Incident Measurement (ASIM) software. Arguably the most sophisticated
    system of its kind, ASIM software in 1997 tracked 360 million events on
    military computers last year. Of those, 7.2 million were sufficiently
    unusual to make the system record every keystroke generated by those
    Of that group, 107 were confirmed "incidents" in which hackers penetrated
    sensitive networks. Eighteen resulted in hackers' achieving "root," or
    network administrator privileges. Those 18 break-ins should have given
    vandals power to do anything they wanted on the networks they penetrated.
    No one will say what they did once inside. 
    Renfro runs the ASIM through its paces as a visitor launches attacks of
    his own with the help of automated hacking software culled from one of
    several hundred hacker sites the center monitors. In short order, the faux
    hacker is exploiting a weakness in a telephone and directory program that
    comes loaded on most Internet servers. Though handy for storing names and
    addresses of employees, students and faculty at universities and
    businesses that run it, the directory program also has a flaw that lets
    intruders break into password files and other sensitive data stored on
    those same computers. The would-be victim is a machine at Hickham Air
    Force Base in Hawaii. 
    "An analyst would pull up a screen and take a look at this," Renfro said.
    The hacker pulls down a password file and runs "crack," a decryption
    utility that can successfully guess many passwords, particularly those
    that use words found in dictionaries. In this case, the hacker nabs 2,000
    of them - enough to take over as many accounts and, perhaps, bring down
    the network. 
    Bright as this group is, it was nearly helpless for weeks in February,
    when the Israeli "Analyzer" and his two pals from Silicon Valley worried
    experts throughout the Pentagon as they skated from one DOD computer to
    the next. Back then, Defense Undersecretary John Hamre and other top
    Pentagon officials were in regular contact with President Clinton, warning
    that a long-feared info war attack from the Middle East might be under
    way. To be sure, AFIWC eventually got its men. But the incident also
    showed something else: The U.S. may not be ready for the next round of
    attacks, no matter what their origin. 
    That's why Jeffrey Hunker is a busy man these days. As director of the
    Commerce Department's Critical Infrastructure Assurance Office, his job is
    to convince business - big business in particular - to help the government
    produce a plan for info war defense. 
    The CIAO, along with Vatis' NIPC, is part of a three-legged plan to nail
    down the Net. The other, a series of private-sector groups called
    Information Sharing and Assessment Centers, is supposed to be formed by
    the private sector - but who that may include remains undefined. 
    Hunker knows battles over wiretaps and encryption have worn thin the
    government's welcome with a computer industry whose cooperation he
    desperately needs. Yet, this time, it will be different, he said. "This is
    basically about business," the former consultant said. "Cybersecurity is
    going to have to be viewed as good business."  --
    Fear factor
    By Will Rodger, Inter@ctive Week Online 
    October 5, 1998 12:15 PM PT
    But it's the idea of cooperation that strikes fear in the hearts of many
    businesses. Consider, for a moment, what happens when a company's main
    revenue stream - its Web site - is suddenly deemed the scene of a crime. 
    -- For starters, there's the problem of actually sharing information. A
    recent survey by Ernst & Young LLP showed only a small minority of
    break-ins are ever reported to anyone. The reason? Fears that once a site
    has been exposed as vulnerable, its poor security practices will leave it
    open to a feeding frenzy by copycat vandals.  Beyond that, businesses fear
    they will lose customers, investor confidence, even be subject to lawsuits
    if the truth leaks out. Calling in investigators when break-ins occur may
    also be at odds with company interests. Instead of running a data center
    to make their company money, computer workers may find themselves helping
    to run a center whose chief purpose is to nab criminals. 
    Hunker has heard the complaints dozens of times before. "We're going to
    have to have a legal structure so that information stays confidential," 
    he said. But confidential to whom? 
    The administration said it will win legislation to exempt communications
    like the ones Hunker said must occur from Freedom of Information Act
    inquiries. The White House may seek further exemptions from the Federal
    Advisory Council Act (FACA), which requires open meetings when
    private-sector groups advise the government on policy. At the very least,
    Commerce Undersecretary Larry Irving said, the government will structure
    the groups so that FACA never comes into play. 
    Eight agencies will oversee efforts in information and communications,
    banking and finance, electric power - in short, virtually every aspect of
    civilian life. Four others - the FBI, CIA, State and Defense - are
    supposed to rally support for the program among the law enforcement,
    foreign intelligence, national defense and diplomatic communities. 
    But it's Vatis' NIPC that's the biggest bone of contention so far.  Tucked
    away on the top floor of the fortress-like FBI headquarters in Washington,
    the NIPC has 60 FBI agents and a handful of government representatives
    from the military and national security communities.  When it's fully
    staffed, the FBI will have 85 of the 125 positions for itself. Of the
    remaining 40 positions, an undetermined number will go to the private
    In addition to investigating break-ins, the NIPC is supposed to carry out
    long-term assessments, forecast attacks and issue technical alerts when
    analysts discover new weaknesses in computer hardware and software.  Vatis
    said a new, high-tech team at the FBI will make the center work.  He still
    has to convince skeptics. 
    "The idea that the appropriate place for it to be effectively managed is
    the two most reactive government agencies whose task it is to arrest
    people and send them to jail - in an environment that needs cooperation,
    conciliation, proactivity and a very high degree of understanding of
    technology - it doesn't make any sense to me," Adams of Infrastructure
    Defense said. 
    The May presidential directive that created the NIPC, the CIAO and its
    working groups also called for a parallel response from business. 
    Private-sector Information Sharing and Assessment Centers were supposed to
    pool information and send on summaries of what they found to the federal
    bodies. Yet, despite a November deadline for a preliminary plan, not one
    center has been created and no representative from the private sector has
    actually taken up residence at FBI headquarters. 
    On Sept. 25, Commerce Undersecretary Irving gathered 50 representatives of
    the nation's telecommunications, defense and information technology
    companies to meet on infrastructure protection. 
    Just 30 seconds into his opening statement, Irving made it clear he
    understood the friction that has precluded close industry and government
    partnerships on matters of data security. "We hope this is going to be a
    collaborative relationship," he said. "I do not want to see a repeat of
    some of the problems we've seen between industry and government with
    regard to issues involving [wiretapping] and encryption, and I'm going to
    work my hardest to make sure that that doesn't happen. I don't want any
    failures."  --
    The FBI's Infragard project
    By Will Rodger, Inter@ctive Week Online 
    October 5, 1998 12:10 PM PT
    The FBI's InfraGard Project
    Who cares what the lobbyists think?" computer specialist "Dave" asked.
    "The FBI's doing a great job."
    Dave won't let his last name or his employer's name be used out of fear
    hackers will target his Cleveland company for attack. After all, he's a
    dyed-in-the-wool fan of InfraGard, the FBI's grassroots approach to
    preparing for information warfare. 
    Since August 1996, the Cleveland FBI has spent a lot of time talking to
    business about what they need and vice versa. Instead of showing up with
    badges and guns when hacks happen, agents are getting to know likely
    targets before the crimes occur - something unheard of until now. 
    But that's the way InfraGard is supposed to work. Once a month, a group of
    computer management specialists gets together in Cleveland to talk with
    FBI agents about the security vulnerabilities they face and how they deal
    with the problems. Though Ernst & Young LLP and KeyBank NA admit to
    belonging to the group, most members remain anonymous. 
    Once per quarter, the group hosts a speaker - past presenters have
    included FBI chief Louis Freeh. 
    Cleveland Special Agent Brian Vigneaux said the bureau shows companies how
    to best prepare and preserve evidence so that when hackers do get in, the
    FBI has some way to find them, and companies can get on with their
    business. What's more, he said, the better business and police know each
    other, the better they will cooperate when something goes wrong. 
    The FBI's National Infrastructure Protection Center hopes to roll out a
    national version of the Cleveland program, beginning in the fall. The
    Columbus, Ohio, and Indianapolis FBI offices already have started. 
    The efforts might be welcomed by network managers like Dave. He has more
    than 25 years of experience. But like most security officers, he has fewer
    bodies, less money and less time than he can justify to management. So he
    jumps at the chance to get free or almost-free advice. 
    Members agree not to use the information against each other and not to
    disclose who has problems outside the meeting. 
    FBI can be reached at www.fbi.gov
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:06:57 PDT