http://www.nytimes.com/2001/10/04/technology/circuits/04SECU.html

By JOHN SCHWARTZ
October 4, 2001

In the hours of torment and confusion after the attacks on the World Trade Center and the Pentagon, many people making phone calls to or from the affected cities encountered the grating "All circuits are busy" recording. E-mail messages, however, seemed to sail through the crisis to their destinations. The smooth traffic was hailed by many experts as testament to the underlying strength of the Internet.

But hold on just one nanosecond. Are we talking about the Internet, referred to by so many other experts as a famously vulnerable, fragile network that can be brought to its knees by college students in the Philippines or a teenager in Canada, with estimates of damage in the billions of dollars?

It is indeed the same Internet, ever a combination of flaky and robust. Fred Cohen, the computer security researcher who first applied the word "virus" to malicious software, said that the individual elements of the network were fragile but that the network over all was resilient. "It's easy to tear a piece of paper," he said. "Try tearing a phone book in half."

Still, David J. Farber, a computer scientist and former chief technologist at the Federal Communications Commission, said that the Internet's success on Sept. 11 could largely be attributed to the fact that "nobody attacked it."

Experts in the emerging field of cyberterrorism say that with such an inviting target, terrorists are bound to take up the hackers' wares. What will happen when an attacker with real resources and a deep desire to do harm grabs the keyboard?

It may not take long to find out, and the vulnerability may go far beyond Web sites or e-mail. According to a report last week by the Institute for Security Technology Studies, founded last year at Dartmouth, "U.S. retaliatory strikes for the tragic Sept. 11 events may result in cyberattacks against the American electronic infrastructure."

While such attacks may amount to no more than familiar nuisances like hackers' defacing Web pages or tying up sites by overwhelming them with traffic, "the potential exists for much more devastating cyberattacks," the report said.

Those who watch trends in computer crime and terrorism say that the two are coming together with potentially catastrophic results. Richard A. Clarke, who will head cyberterrorism efforts for the Bush administration's Homeland Security Council, said in a speech last December that the government had to make cybersecurity a priority or face a "digital Pearl Harbor."

In 1997, the President's Commission on Critical Infrastructure Protection noted that telephone networks and the Internet were increasingly the bonds of the world's economy, for everything from financial operations to the supply of water and power. Consequently, it said, "a computer can cause switches or valves to open and close, move funds from one account to another, or convey a military order almost as quickly over thousands of miles as it can from next door, and just as easily from a terrorist hideout as from an office cubicle or military command center."

For Tom Marsh, who was the commission's chairman, the worst-case scenarios are nightmarish: a determined coalition of hackers, he said, could disrupt 911 service, air traffic control, the power-switching centers that move electricity around the country, rail networks and more.

"It's a major undertaking," said Mr. Marsh, a retired Air Force general, "but it's not beyond the realm of possibility." The complexity of the attacks on the World Trade Center and the Pentagon, he said, showed that "even terrorist organizations can conduct very well-organized and sophisticated attacks."

"We said in our report we didn't foresee an electronic Pearl Harbor, and I still don't," he said.
"But I do believe that as cybercrime progresses, over time the terrorists are going to get more and more interested in it and see it as a very possible opportunity to cause major disruption."

Those who have worked in cyberintelligence say that the attention to the subject is timely. "Up until the 11th, people like me would talk in terms of the growing threat of transnational attack, the prospect of new forms of terrorism, and the basic reaction was, 'Yeah, yeah, yeah, but that's theoretical,'" said Jeffrey A. Hunker, dean of the Heinz School of Public Policy and Management at Carnegie Mellon University and formerly the senior director for protection of critical infrastructure at the National Security Council.

Since the attacks, he said, it has become clear that "there are clearly transnational organizations that are incredibly capable of executing sophisticated operations and are enormously creative and innovative." That, in turn, "makes much more real the possibility of new techniques or new types of terrorist attacks," including cyberterror, he said.

"We're sitting on a cyber time bomb," he said.

Some experts have warned, for example, that systems accessible to the Internet like power grids could be brought down by a determined hacker, though as Mr. Farber put it, "it's a lot easier to throw a hand grenade down the highway south of San Jose and take out a major power station" than to do so by modem.

And most would put cyberattacks in a different category from the weapons of mass destruction associated with visions of catastrophic terrorism; these are not nuclear arms, nerve gas or germs. Instead, many experts now call them weapons of mass disruption.

"People aren't going to be killing us with computers," Mr. Hunker said, "but our life may be hell because of computer attacks." The likeliest use of the technology, he said, would be to complicate matters further after a real-world attack, a tactic he describes with the military phrase "force multiplier."
That could involve planting false information on the Web to create a panic or taking down crucial computers in the financial or communications sectors.

The ripple effects of the World Trade Center attacks on everything from the travel industry to supply chains in manufacturing show the potential for havoc. "Besides the fact of the horrendous loss of life, it was really an attack on the critical infrastructures," said Mary J. Culnan, a professor of management and information technology at Bentley College in Waltham, Mass., and a member of the presidential commission that issued the 1997 report.

The Clinton administration started the first major national effort to upgrade computer security in government and business against cybercrime and terrorist attack. President Bill Clinton issued an order in May 1998 creating the National Infrastructure Protection Center, a collaborative effort of law enforcement, military and intelligence organizations to shore up defenses against computer crime. The center also developed an information-sharing network with major industrial sectors.

Such activities will presumably be brought under the umbrella of the new Homeland Defense Council that President Bush has appointed Gov. Tom Ridge of Pennsylvania to run. Mr. Clarke will oversee cyberdefense initiatives for the council as head of its Office of Cyber Security.

Michael Vatis, the head of the Dartmouth cybersecurity group and a former head of the National Infrastructure Protection Center, said the stereotype of computer intruders as thrill-seeking teenage loners was misleading. Talented intruders who are motivated and perhaps banding together with criminal or ideological motives can go far, he said, citing little-publicized attacks on business and Pentagon computer networks by hackers who may be linked to organized crime in Russia. The attacks, beginning in 1998, are the focus of a federal investigation.

"The type of access they were able to gain," he said, and "the amount of information and the types of information they were getting means they could do lots of stuff to those systems," both purloining data and disrupting operations.

Even more dangerous than outsiders, potentially, are insiders with specialized knowledge, according to the 1997 report of the President's Commission on Critical Infrastructure Protection. That report estimated that by this year 19 million people worldwide would have the skills to engage in malicious hacking and 1.3 million people would have advanced knowledge of the systems that control the nation's telecommunications infrastructure.

Whatever the nature of the attack, the tools are easy to acquire and the knowledge to use them even more so. A reasonably competent programmer who is willing to delve into the arcana of computer operating systems and networks can cobble together viruses or other destructive computer code from software posted online. Similarly, tools for examining computer systems for security holes and the programs that can be used to take advantage of them to gain unauthorized entry are also easy to find online, and computer vandals are happy to share their knowledge in Internet forums.

So what is to be done? Most of the measures that experts recommend, like keeping up with the latest antivirus software, using strong passwords to protect computers and networks and installing intrusion-detection software, are painfully obvious but still ignored by many businesses, government agencies and consumers.

The Dartmouth report also recommends increasing protection at Web sites and keeping backups of their important data, with special attention to the potential for Web page defacement. That report also recommends vigilance, and appropriate software, to prevent or detect the surreptitious commandeering of computer systems for use in denial-of-service attacks.
(A guide to the best security practices can be found at www.cert.org/security-improvement.)

Informal networks for intrusion detection are beginning to form among those who hope to find security in numbers. One such network, AirCert, has been developed by the CERT Coordination Center at Carnegie Mellon's Software Engineering Institute. The fledgling AirCert project places Internet-based security sensors on participating sites; those sensors automatically send data on intrusion attempts to a central CERT knowledge base that is able to analyze the information and share it quickly.

The idea has been suggested before. A network for intrusion detection in government computers, called Fidnet, was proposed late in the Clinton administration but never created because of assertions that the system might be used as a large-scale monitoring network for citizens' online communications. Government officials insist that was never the intention, but Mr. Vatis said that they did not make their case well.

Making that case may now be easier, but Professor Culnan, at Bentley College, said that mounting an effective deterrent to cyberterror was no small task. "It's a gigantic problem making this work," she said. "But at least we've started thinking about it."