Bracing for Guerrilla Warfare in Cyberspace

Note the date on this article, April 1999, which is over four years ago. Ed.

“Electronic Pearl Harbor”

(CNN) — It is June, the children are out of school, and as highways and airports fill with vacationers, rolling power outages hit sections of Los Angeles, Chicago, Washington and New York. An airliner is mysteriously knocked off the flight control system and crashes in Kansas.

Parts of the 911 service in Washington fail, supervisors at the Department of Defense discover that their e-mail and telephone services are disrupted and officers aboard a U.S. Navy cruiser find that their computer systems have been attacked.

As incidents mount, the stock market drops precipitously, and panic surges through the population.

Unlikely? Hardly. The “electronic Pearl Harbor” that White House terrorism czar Richard A. Clarke fears is not just a threat, it has already happened.

Much of the scenario above — except for the plane and stock market crashes and the panic — occurred in 1997 when 35 hackers hired by the National Security Agency launched simulated attacks on the U.S. electronic infrastructure.

“Eligible Receiver,” as the exercise was called, achieved “root level” access in 36 of the Department of Defense’s 40,000 networks. The simulated attack also “turned off” sections of the U.S. power grid, “shut down” parts of the 911 network in Washington, D.C., and other cities and gained access to systems aboard a Navy cruiser at sea.

At a hearing in November 1997, Sen. Jon Kyl, R-Arizona, chairman of a Senate technology subcommittee, reported that nearly two-thirds of U.S. government computers systems have security holes.

“If somebody wanted to launch an attack,” says Fred B. Schneider, a professor of computer science at Cornell University, “it would not be at all difficult.”

‘There are lots of opportunities’

Although “Eligible Receiver” took place in the United States, which has about 40 percent of the world’s computers, the threat of cyberterrorism is global.

Consider:

* During the Gulf War, Dutch hackers stole information about U.S. troop movements from U.S. Defense Department computers and tried to sell it to the Iraqis, who thought it was a hoax and turned it down.

* In March 1997, a 15-year-old Croatian youth penetrated computers at a U.S. Air Force base in Guam.

* In 1997 and 1998, an Israeli youth calling himself “The Analyzer” allegedly hacked into Pentagon computers with help from California teen-agers. Ehud Tenebaum, 20, was charged in Jerusalem in February 1999 with conspiracy and harming computer systems.

* In February 1999, unidentified hackers seized control of a British military communication satellite and demanded money in return for control of the satellite.

The report was vehemently denied by the British military, which said all satellites were “where they should be and doing what they should be doing.” Other knowledgable sources, including the Hacker News Network, called the hijacking highly unlikely.

“There are lots of opportunities,” says Schneider. “That’s very scary.”

‘The Holy Grail of hackers’

President Clinton announced in January 1999 a $1.46 billion initiative to deal with U.S. government computer security — a 40 percent increase over fiscal 1998 spending. Of particular concern is the Pentagon, the military stronghold of the world’s most powerful nation.
“It’s the Holy Grail of hackers,” says computer security expert Rob Clyde. “It’s about bragging rights for individuals and people with weird agendas.”

Clyde is vice president and general manager of technical security for Axent Technologies, a company headquartered in Rockville, Maryland, that counts the Pentagon as one of its customers.

The Defense Department acknowledges between 60 and 80 attacks a day, although there have been reports of far more than that.

The government says no top secret material has ever been accessed by these intruders, and that its most important information is not online. But the frustration is evident.

Michael Vatis, director of the FBI’s National Infrastructure Protection Committee, told a Senate subcommittee last year that tracing cyberattacks is like “tracking vapor.”
‘A lot of clueless people’

Schneider says the “inherently vulnerable” nature of the electronic infrastructure makes counterterrorism measures even more difficult. Schneider chaired a two-year study by the National Academy of Sciences and the National Academy of Engineering that found that the infrastructure is badly conceived and poorly secured.

“There is a saying that the amount of ‘clue’ [knowledge] on the Internet is constant, but the size of the Internet is growing exponentially,” says Schneider. “In other words, there are a lot of clueless people out there. It’s basically a situation where people don’t know how to lock the door before walking out, so more and more machines are vulnerable.”

Schneider says the telephone system is far more complicated than it used to be, with “a lot of nodes that are programmable, and databases that can be hacked.” Also, deregulation of the telephone and power industries has created another weakness: To stay competitive and cut costs, companies have reduced spare capacity, leaving them more vulnerable to outages and disruptions in service.

Still another flaw is the domination of the telecommunications system by phone companies and Internet service providers (ISPs) that don’t trust each other. As a result, the systems do not mesh seamlessly and are vulnerable to failures and disruptions.

“There’s no way to organize systems built on mutual suspicion,” Schneider says. “We’re subtly changing the underpinnings of the system, but we’re not changing the way they’re built. We’ll keep creating cracks until we understand that we need a different set of principles for the components to deal with each other.”
‘The democratization of hacking’

Meanwhile, the tools of mayhem are readily available.

There are about 30,000 hacker-oriented sites on the Internet, bringing hacking — and terrorism — within the reach of even the technically challenged.

“You no longer have to have knowledge, you just have to have the time,” Clyde says. “You just download the tools and the programs. It’s the democratization of hacking. And with these programs … they can click on a button and send bombs to your network, and the systems will go down.”

Schneider says another threat is posed not by countries or terrorists, but by gophers and squirrels and farmers.

In 1995, a New Jersey farmer yanked up a cable with his backhoe, knocking out 60 percent of the regional and long distance phone service in New York City and air traffic control functions in Boston, New York and Washington. In 1996, a rodent chewed through a cable in Palo Alto, California, and knocked Silicon Valley off the Internet for hours.

“Although the press plays up the security aspect of hacker problems,” says Schneider, “the other aspect is that the systems are just not built very reliably. It’s easy for operators to make errors, and a gopher chewing on a wire can take out a large piece of the infrastructure. That’s responsible for most outages today.”

‘The prudent approach’

Schneider and Clyde favor a team of specialists similar to Clinton’s proposed “Cyber Corps” program, which would train federal workers to handle and prevent computer crises. But they say many problems can be eliminated with simple measures.

These include “patches” for programs, using automated tools to check for security gaps and installing monitoring systems and firewalls. Fixes are often free and available on the Internet, but many network administrators don’t install them.

A step toward deterrence was taken in 1998 when CIA Director George Tenet announced that the United States was devising a computer program that could attack the infrastructure of other countries.

“That’s nothing new,” says Clyde, “but it’s the first time it was publicly announced. If a country tries to destroy our infrastructure, we want to be able to do it back. It’s the same approach we’ve taken with nuclear weapons, the prudent approach.”

The U.S. Government Accounting Office estimates that 120 countries or groups have or are developing information warfare systems. Clyde says China, France and Israel already have them, and that some Pentagon intrusions have surely come from abroad.

“We don’t read about the actual attacks,” says Clyde, “and you wouldn’t expect to.”

“The Analyzer” was caught after he bragged about his feat in computer chat rooms, but Clyde says the ones to worry about are those who don’t brag and don’t leave any evidence behind.

“Those are the scary ones,” he says. “They don’t destroy things for the fun of it, and they’re as invisible as possible.”

http://www.cnn.com/TECH/specials/hackers/cyberterror/

Courtesy APFN