By John T. Correll, Editor in Chief
Last winter, a flood of some 30,000 messages swamped the e-mail
system at Langley AFB, Va., the headquarters of Air Combat Command.
They virtually shut the system down for several hours until network
administrators devised programs to filter out the disruptions. As
investigators reconstructed it later, the messages originated in
Australia and Estonia and were routed through several intermediate
points, including the White House computer system. The perpetrators
have not been identified.
That may have been a small-scale preview of how an enemy of the
future might choose to launch a strike, rather than challenging US
military superiority head-on.
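The article does not describe the filters Langley's administrators wrote. As an added illustration, not code from the article or from the Air Force, the simplest workable approach is a per-relay sliding-window count over the mail log: a relay that delivers more messages in a minute than any legitimate correspondent ever would is the one to block or rate-limit, whatever forged sender addresses the messages carry. The log lines below are constructed in a sendmail-like format; the hostnames, addresses and queue IDs are invented.

```python
"""Added example: spotting a mail flood in an MTA log by counting messages
per relay in a sliding time window. Constructed sample data, not from the
article; the sendmail-style line format, hostnames and IDs are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One sendmail-style "from=" line per accepted message (constructed format).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"(?P<qid>\w+): from=<(?P<sender>[^>]*)>.*?relay=(?P<relay>\S+)"
)


def parse_line(line, year=1998):
    """Return (timestamp, sender, relay host) or None for lines we do not care about.
    syslog timestamps carry no year, so the caller supplies one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["sender"], m["relay"]


def flood_sources(lines, window=timedelta(seconds=60), threshold=50):
    """Return {relay: peak count} for every relay that hands us at least
    `threshold` messages inside any `window`. Lines must be in time order,
    as a log file is. Counting by relay rather than by sender matters:
    a mail bomb forges a different sender on every message."""
    recent = defaultdict(deque)   # relay -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _sender, relay = parsed
        q = recent[relay]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and len(q) > peaks.get(relay, 0):
            peaks[relay] = len(q)
    return peaks


def constructed_log():
    """Constructed sample: six legitimate messages spread over 35 minutes and an
    80-message burst from one relay in 40 seconds, merged in time order."""
    def entry(ts, qid, sender, relay):
        return (f"{ts:%b %d %H:%M:%S} mailhost sendmail[2317]: {qid}: from=<{sender}>, "
                f"size=1207, class=0, pri=31207, nrcpts=1, relay={relay}")

    base = datetime(1998, 2, 3, 2, 0, 0)
    legit = [(base + timedelta(minutes=7 * i), f"CAA{1000 + i:05d}",
              f"user{i}@partner.invalid", "mail.partner.invalid [192.0.2.20]")
             for i in range(6)]
    burst_start = datetime(1998, 2, 3, 2, 14, 0)
    flood = [(burst_start + timedelta(seconds=i // 2), f"CAA{2000 + i:05d}",
              f"bogus{i}@nowhere.invalid", "relay7.example.invalid [192.0.2.99]")
             for i in range(80)]
    return [entry(*e) for e in sorted(legit + flood)]


if __name__ == "__main__":
    for relay, peak in flood_sources(constructed_log()).items():
        print(f"flood from {relay}: {peak} messages inside one window")
```

The window and threshold are tuning knobs, not constants of nature: set them from a few days of the site's own traffic so that the busiest legitimate relay stays well under the line.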
"While once an attack on our nation's infrastructures had to
overcome physical distance and physical borders, now an adversary can
gain access to the heart of our infrastructures from anywhere
instantaneously and can use that instant access to do harm," said
Robert T. Marsh, chairman of the President's Commission on Critical
Infrastructure Protection, which spent 15 months studying the nation's
vulnerability to electronic attack.
There are perhaps 20 million people who have the means and skill to
do some level of damage. It requires no more than a 486 computer and a
modem. The software, instructions, and targeting information can be
gotten from hacker sites on the Internet.
The threats to the public and private sectors overlap. For example,
most military communications are now carried by commercial channels.
"National defense is not just about government anymore, and
economic security is not just about business," the Marsh
commission said in its report to the President in October.
In 1992, a refinery in California could not use its emergency alert
network to notify the surrounding area of an accidental release of
toxic substances because a disgruntled employee had accessed the data
system and disabled the warning mechanism for more than 25 sites.
In 1996, a hacker, using an electronic service denial technique
that had been written up in two hacker magazines, bombarded the system
of an Internet service provider in New York and practically shut down
access for 6,000 individuals and nearly a thousand corporate
subscribers for a week.
In 1997, malicious calls from a Swedish hacker jammed the 911
emergency telephone lines in Miami, disrupted service, harassed the
operators, and diverted 911 calls hither and yon. He also accessed a
telephone system and generated 60,000 unauthorized calls. He was tried
as a juvenile in Sweden and fined the equivalent of $345.
Electronic Pearl Harbor
The Marsh commission was established in July 1996 amid concerns
that, as former Sen. Sam Nunn put it, the nation might be headed for
an "electronic Pearl Harbor." Nunn said, for example, that
Department of Defense information systems were coming under attack
about 250,000 times a year and that more than half of those attempts
had been successful. The number of attacks is increasing and is now
believed to approach 500,000 a year.
The commission was chartered to examine the threats to eight
critical national infrastructures: information and communications,
electrical power systems, transportation, oil and gas delivery and
storage, banking and finance, emergency services, water supply
systems, and government services. However, what the commission found
was that the problem centers on the information and communications
sector--the public telecommunications network, the Internet, and the
millions of computers in home, government, and commercial use.
"Our security, economy, way of life, and perhaps even survival
are now dependent on the interrelated trio of electrical energy,
communications, and computers," said Marsh, a retired Air Force
four-star general and a former commander of Air Force Systems Command.
How the Hackers Attack
Eight of the 10 founders of WheelGroup in San Antonio
are former members of the Air Force Information Warfare
Center. Their team--named after the UNIX "wheel" group
(group zero), whose members are permitted to take root
control of a system--is now among the nation's leaders in electronic
security. Last year, in a demonstration organized by
Fortune magazine and with the consent of the targeted
firm, WheelGroup operators penetrated the well-defended computer
networks of a Fortune 500 company in New York. Their methods
illustrate some of the ways in which hackers attack.
They began their attack via the Internet,
"bouncing" an e-mail with a deliberate error in
it to gain pathway information from the returned message.
They then probed ("pinged") the computer ports at
the target firm to see whether any were open. However, the firm
had invested in a good (and expensive) "fire
wall," and rather than spend time trying to break
through it, WheelGroup went directly after the company's
dial-up modems instead.
Beginning with an employee's business card and figuring
that most of the target telephone numbers would have the
same area code and three-digit prefix, WheelGroup
"war-dialed" 1,500 numbers, using a program
downloaded from the Internet.
Several of the numbers responded. One, a fax server at a
subsidiary, invited WheelGroup to "log in," which
it did, moving deeper and deeper into the network from there.
Another modem offered WheelGroup a "C" prompt, the
same kind that is familiar to millions of personal computer
users. Playing a guess, WheelGroup typed in "Win,"
and--sure enough--was rewarded with a Microsoft Windows
program screen and from there, a welcome to the corporate
tax department, where all manner of information and records
were stored. WheelGroup gained "root access" in
short order and, true to its name, was in position to control
the networks it had targeted.
Fortune quoted E-mail Security author
Bruce Schneier, who says that "the only secure
computer is one that is turned off, locked in a safe, and
buried 20 feet down in a secret location--and I'm not
completely confident of that one either."
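The first step in the WheelGroup demonstration, "bouncing" a mis-addressed e-mail to learn the path into the target, deserves a closer look because it still works against many sites. What follows is an added example, not WheelGroup's tooling or anything from the article: a parser that reads the non-delivery report such a probe returns and reconstructs the relay chain from the Received: headers that every mail hop prepended to the original message. The bounce it parses is constructed for the example; the hostnames, addresses and queue IDs are invented.

```python
"""Added example: what a deliberately mis-addressed e-mail leaks when it bounces.
Not from the article or from WheelGroup. A non-delivery report normally returns
the original message, and each relay the original passed through prepended a
Received: header to it. Read bottom-up, those headers give the hop-by-hop path
into the target, including internal hostnames, private addresses and MTA
software that never appear in public DNS. The bounce below is constructed."""
import email
import ipaddress
import re

# Constructed bounce: the target's gateway returns the probe it could not deliver.
BOUNCE = b"""Return-Path: <>
Received: from mail-gw.example-corp.invalid (203.0.113.10) by probe-host.attacker.invalid with ESMTP id A0001; Tue, 10 Feb 1998 09:02:20 -0500
From: Mail Delivery System <MAILER-DAEMON@example-corp.invalid>
To: probe@attacker.invalid
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

This is the mail system at host mail-gw.example-corp.invalid.
<nosuchuser@example-corp.invalid>: user unknown

--B1
Content-Type: message/rfc822

Received: from relay-internal.corp.example-corp.invalid (10.20.30.40) by mbx-hq-01.corp.example-corp.invalid (10.20.30.41) with ESMTP (Sendmail 8.8.5) id JAA04521; Tue, 10 Feb 1998 09:02:14 -0500
Received: from mail-gw.example-corp.invalid (203.0.113.10) by relay-internal.corp.example-corp.invalid (10.20.30.40) with ESMTP id JAA17730; Tue, 10 Feb 1998 09:02:12 -0500
Received: from probe-host.attacker.invalid (198.51.100.7) by mail-gw.example-corp.invalid (203.0.113.10) with SMTP id JAA00913; Tue, 10 Feb 1998 09:02:09 -0500
From: probe@attacker.invalid
To: nosuchuser@example-corp.invalid
Subject: test

hello
--B1--
"""

# "from <host> (<comment>) by <host> (<comment>) with <transport/software> ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<src>\S+)"
    r"(?:\s+\((?P<src_info>[^)]*)\))?"
    r"\s+by\s+(?P<dst>\S+)"
    r"(?:\s+\((?P<dst_info>[^)]*)\))?"
    r"(?:\s+with\s+(?P<with>.*))?"
)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# RFC 1918 space, checked explicitly: ipaddress.is_private would also flag the
# documentation ranges (203.0.113.0/24 etc.) used for the public hosts in this sample.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_received(value):
    """Split one Received: header into source, destination, transport and date."""
    if ";" in value:
        clause, _, date = value.rpartition(";")   # the date follows the last ';'
    else:
        clause, date = value, ""
    m = RECEIVED_RE.search(" ".join(clause.split()))   # unfold whitespace
    if not m:
        return None
    hop = m.groupdict()
    hop["date"] = date.strip()
    return hop


def original_message(bounce):
    """Return the undelivered original attached to a multipart/report bounce."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def relay_path(raw):
    """Hops the original message took, oldest first (headers are stored newest first)."""
    inner = original_message(email.message_from_bytes(raw))
    if inner is None:
        return []
    hops = [parse_received(v) for v in reversed(inner.get_all("Received", []))]
    return [h for h in hops if h]


def leaked_internal_hosts(raw):
    """{hostname: RFC 1918 address} for every internal relay the bounce exposed."""
    leaked = {}
    for hop in relay_path(raw):
        for name, info in ((hop["src"], hop["src_info"]), (hop["dst"], hop["dst_info"])):
            for ip in IP_RE.findall(info or ""):
                if any(ipaddress.ip_address(ip) in net for net in RFC1918):
                    leaked[name] = ip
    return leaked


if __name__ == "__main__":
    for hop in relay_path(BOUNCE):
        print(f"{hop['src']} -> {hop['dst']}  via {hop['with']}")
    print("internal hosts exposed:", leaked_internal_hosts(BOUNCE))
```

The defensive counterpart is a gateway that strips or rewrites internal Received: headers before a bounce leaves the organization, and that rejects unknown recipients at the gateway itself so the probe never travels inward in the first place.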
The commission arrayed the threats
on three levels. So far, most of the activity has been at the
lowest level, the "local threats," which include
recreational hackers, vandals, and independent thieves. At the
next level are "shared threats" from institutional hackers,
organized crime, and industrial espionage. The ultimate concern is
"national threats," which encompass full-up information
warfare and attacks by foreign governments or terrorists.
"Today, a computer can cause switches or valves to open
and close, move funds from one account to another, or convey a
military order almost as quickly over thousands of miles as it can
from next door, and just as easily from a terrorist hideout as from
an office cubicle or military command center," the commission
report said. "A false or malicious computer message can traverse
multiple national borders, leaping from jurisdiction to jurisdiction to
avoid identification, complicate lawful pursuit, or escape
retribution."
A complicating factor is that only about 17 percent of the
attacks on communications and data networks are reported to law
enforcement authorities. The commission report said that victims
"expressed reluctance to share information about
vulnerabilities, fearing it might be made public, resulting in
damage to their reputations, exposing them to liability, or
weakening their competitive position. Many also feared that
sharing vulnerability information could invite unwanted federal
regulation."
Another complication is that the problem is not widely
recognized. Several industry decision makers told the commission
that "there has not yet been a cause for concern sufficient
to demand action."
Big, Vulnerable Networks
The number of computers in the United States has risen from
5,000 in 1960 to about 180 million today. More than 95 percent
of these are personal computers.
Over the past 15 years, many of these machines have been linked
into a vast network through public telephone lines and the
Internet, "creating an extended information and communications
infrastructure that has changed the way we live and work," the
commission report said. "This infrastructure has swiftly become
essential to every aspect of the nation's business, including
national and international commerce, civil government, and
military operations."
The transformation continues. "Current trends suggest that
the public telecommunications network and the Internet will merge
in the years ahead; by 2010, many of today's networks will likely
be absorbed or replaced by a successor public telecommunications
infrastructure capable of providing integrated voice, data, video,
private line, and Internet-based services," the commission
said.
This trend leads not only to greater economy and convenience
but also to new and greater vulnerabilities.
In times past, the telephone company sent out somebody in a
truck to hook up service or check out problems. Today, much of
the network maintenance is performed through remote access.
Services ranging from cable television to the Internet are also
managed to large degree by remote electronic access.
"The channels used for remote access by authorized
maintenance personnel offer potential attack routes for
adversaries," the Marsh commission said. "Once logged
on, an attacker can remove nodes from service and disrupt the
network."
It is difficult to distinguish between an electronic attack and
the accidental failure of a network. In June 1991, service for 6.7
million telephone lines in Washington, D.C., was disrupted for
several hours. The problem turned out to be a mistake in the
telephone switching protocol--a single mistyped character of code.
An attack on the telephone system might take much the same form.
Furthermore, the commission report said, "The tools designed
to access, manipulate, and manage the information or communications
components that control critical infrastructures can also be used to
do harm. They are inexpensive, readily available, and easy to
use."
We do not even have the capability to know when we're under attack.
"Deciding whether a set of cyber and physical events is
coincidence, criminal activity, or a coordinated attack is not a
trivial problem," the commission report said. "Without a
central repository and analytic capability, it is virtually impossible
to make such assessments until after the fact."
Administrators on the Ramparts
The defenses consist mainly of scattered security practices,
virus scanners, passwords, and "fire walls." Few
organizations have specialized electronic security people.
"Our first line of protection is with the system
administrators and computer people," said Phillip E. Lacombe,
the commission's staff director.
Global Technology Trends

                                               in 1982    in 1996      in 2002
Personal computers                             thousands  400 million  500 million
Local area networks                            thousands  1.3 million  2.5 million
Wide area networks                             hundreds   thousands    tens of thousands
Viruses                                        some       thousands    tens of thousands
Internet devices accessing the World Wide Web  none       32 million   300 million
Population with skills for a cyber attack      thousands  17 million   19 million
Telecommunications systems control software
  specialists                                  few        1.1 million  1.3 million
The United States, where nearly half the world's
computer capacity (180 million computers out of 400
million) and 60 percent of Internet assets reside, is
at once the most advanced and most dependent user of
information technology. The last line on the chart
shows the population of systems control software
specialists who possess the tools and know-how to
disrupt or take down the public telecommunications
network.
Those working the problem say they are laboring with inadequate
tools, information, and coordination of effort. They must also
operate within a legal system that never envisioned an attack on
the nation's telecommunications switches from a distant computer
keyboard.
"Looping and weaving" is standard operating procedure
for accomplished hackers. They route their attack through a series
of computers, which may be located in several different countries.
Security people have the technical ability to "hack back"
(trace the signal hop by hop toward its source), but at present
they are allowed to track it only to the last computer in the
series. Going further requires a court order for every computer in
the chain. On the security shopping list, therefore, is a national
"trap and trace" law under which a single court order would
allow pursuit all the way back to the hacker.
(Doug Richardson, writing in Armada International, says the
Air Force has devised methods to damage computers used in hacker
attacks and has destroyed expendable 486 computers in demonstration
tests.)
Other provisions of the law make people in the private sector wary
of sharing information, revealing problems, or cooperating with the
federal government. For example, the Freedom of Information Act makes
information in the possession of the government available to the public
on request, unless it falls under one of the act's limited exemptions.
Private sector participants want better assurances than are available
now that sensitive information or trade secrets will remain
confidential.
In particular, the private sector is cautious on the issue of
encryption, the scrambling of data so that it cannot be decoded
without a key. Initially, the Clinton Administration had opposed strong
encryption systems, especially if they might be exported, unless federal
law enforcement and intelligence officials were given the means to
unscramble the encryption.
Getting almost no acceptance of that notion, the Administration now
seeks a compromise solution--which is endorsed by the Marsh commission--that
would have the deciphering keys held in escrow by trusted third parties. The
Administration argues that this would permit the same sort of legal
protection that currently exists for mail and telephone communications
but also ensure court-authorized access for law enforcement officials. That
proposal has not generated much enthusiasm from industry, either.
Among the electronic security questions yet to be resolved are:
What do we guard against? How do you recognize harmful information?
Even if you can recognize it, how and where do you screen for it?
In the case of online cyber attack from abroad, a signal must
enter the United States either through a major satellite-downlink
site, of which there are just over a dozen, or by way of
telecommunications cables, said Lacombe. That might seem to reduce
entry points to a manageable number. On the other hand, he added,
information might enter as three separate pieces of nonmalicious
data that become malicious when they are combined. There are other
techniques to evade detection as well.
And of course, if the attacker can arrange to work from a
computer located in the United States, a multitude of attack routes
will lie open.
A New Partnership
The Marsh commission's budget proposals are modest. At present
federal spending on infrastructure protection amounts to only $250
million a year, about $150 million of which is spent on information
security. The commission recommended doubling the amount to $500
million a year. Much of that is for research and development of
real-time detection, identification, and response tools and for
means to prevent attack, mitigate damage, recover service, and
reconstitute architectures.
What the commission proposed mainly is the creation of a new
partnership between government and the private sector and the
establishment of a national point of focus.
"National security is a shared responsibility," Marsh
said. "The private sector is responsible for taking prudent
measures to protect itself from commonplace hacker tools. If these
tools are also used by the terrorist, then the private sector will
also be protecting itself from cyber terrorist attack and will be
playing a significant role in national security.
"The federal government is responsible for collecting
information about the tools, the perpetrators, and their intent from
all sources, including the owners and operators of the infrastructures.
The government must then share this information with the private sector
so that industry can take the necessary protective measures."
The Datastream Cowboy and Kuji
The best known of all attacks on Air Force data
systems began on March 23, 1994, with penetration of
the Rome Laboratory computer network at Rome, N.Y.
Five days had passed before Rome discovered that the
attack was under way, and before it ended 26 days
later, 150 known intrusions had taken place. The
hackers gained complete access to 30 systems,
downloaded data, and used Rome as a launching platform
to penetrate about 100 other systems, including
computers at NASA, the Jet Propulsion Laboratory
in Pasadena, Calif., and the Goddard Space Flight
Center in Greenbelt, Md.
Using a variety of techniques, investigators
learned that there were two hackers, using the handles
"Datastream Cowboy" and "Kuji."
They also discovered early that the final links in the
attack chain were Internet service providers in New
York and Seattle.
April 15 was a tense day. The hackers used the Rome
computers to tap and download information from the
Korean Atomic Research Institute. At first, the Air
Force was fearful that the institute might be in North Korea and
an intrusion from Rome Lab might be perceived by the suspicious North Koreans
as an act of war. As it turned out, the institute was in South Korea.
The Air Force Office of Special Investigations got a lead on the Datastream
Cowboy through his indiscretion in declaring his handle in an e-mail exchange
with another hacker. He said he lived in the United Kingdom and that he
liked to attack "dot mil" sites, or military computers. Unknown
to Datastream, the hacker on the other end of the e-mail exchange was an
OSI informant.
New Scotland Yard began monitoring Datastream's telephone in London.
Instances of "phone phreaking" from his number--manipulating British
Telecom to zero out billing records and thus make calls free--coincided
with intrusions at Rome Lab. He routed his attacks, variously, through South
America, Europe, Mexico, and Hawaii.
Datastream was arrested in May 1994. According to the Times
of London, when the police came for him, he "curled up on the floor
and cried." His name was Richard Pryce and he was 16 years old. He
was using a 25 MHz 486SX desktop computer with a 170 megabyte hard drive
at a workstation on the third floor of his family's home. On March 21, 1997,
Datastream was sentenced in Bow Street Magistrates Court in London, for
12 counts of hacking in violation of the Computer Misuse Act. He was fined
a total of £1,200 plus £250 court costs.
Kuji, several years older than Datastream, was not arrested until June
1996. He was revealed to be Matthew James Bevan, a computer technician from
Cardiff in Wales. He has been charged under a tougher section of the Computer
Misuse Act than Datastream was. At present, he is free on bail and reporting
on his own case from his site on the World Wide Web.
The commission called for an Office of National Infrastructure Assurance
within the White House, reporting to the National Security Council and serving
as the federal government's focal point for infrastructure protection.
A number of other organizations were proposed as well, notably "clearinghouses"
as focal points for industry cooperation and sharing. Clearinghouses might
be operated by associations or trade groups.
How the partnership would operate where national security is concerned
is even less clear. It has not been determined when or whether a cyber attack
would constitute an act of war or what the nation would do about it if it
occurred.
If such an attack is an act of war, the Department of Defense would have
major if not sole responsibility for response. It is not presently organized
to meet such a responsibility.
In a speech in September, Marsh made passing reference to "a recent
Joint Staff exercise" in which "some of the issues were quite
troubling--including the fact that the Joint Staff ended up fighting this
war, which was not only bad but illegal."
He was talking about Joint exercise "Eligible Receiver," an
element of which was an adversary using cyber tools. Public law vests the
war making powers of the United States in the hands of the National Command
Authorities and the commanders of the unified combat commands. This part
of the exercise did not fit the mission of any of the unified commanders,
so in the simulation, the Joint Staff took charge itself, which it could
not legally do in an actual conflict.
The Marsh commission also proposed one or more federal agencies to coordinate
work on each of the critical infrastructures. The Treasury Department would
be lead agency for banking and finance matters, for example, and the Department
of Energy for electrical power vulnerabilities.
Federal responsibility for the pivotal information and communications
sector would be shared by the Departments of Defense and Commerce. Inevitably,
the Justice Department would be involved as well. In the view of Attorney
General Janet Reno, who has been active on the infrastructure protection
problem from the beginning, the same sort of relationship that developed
between the Departments of State and Defense during the Cold War now needs
to develop between Justice and Defense.
Given the ambiguity of electronic threats, the Marsh commission concluded
that "initially, all cyber attacks will have to be treated as crimes--regardless
of where they originated or the purpose of the attack. When investigation
provides evidence of foreign government involvement or the magnitude of
the attack requires it, then other leadership may be assigned."
Copyright Air Force Association. All rights reserved.