Bracing for guerrilla warfare in cyberspace

There are lots of opportunities; that's very scary'

April 6, 1999 Web posted at: 2:29 p.m. EDT (1829 GMT)

By John Christensen CNN Interactive

(CNN) -- It is June, the children are out of school, and as highways and airports fill with vacationers, rollingpower outages hit sections of Los Angeles, Chicago, Washington and New York. An airliner is mysteriously knockedoff the flight control system and crashes in Kansas.

Parts of the 911 service in Washington fail, supervisors at the Department of Defense discover that their e-mailand telephone services are disrupted and officers aboard a U.S. Navy cruiser find that their computer systems havebeen attacked. As incidents mount, the stock market drops precipitously, and panic surges throughthe population.

Unlikely? Hardly. The "electronic Pearl Harbor" that White House terrorism czar Richard A. Clarke fearsis not just a threat, it has already happened.

Much of the scenario above -- except for the plane and stock market crashes and the panic -- occurred in 1997 when35 hackers hired by the National Security Agency launched simulated attacks on the U.S. electronic infrastructure.

"Eligible Receiver," as the exercise was called, achieved "root level" access in 36 of theDepartment of Defense's 40,000 networks. The simulated attack also "turned off" sections of the U.S.power grid, "shut down" parts of the 911 network in Washington, D.C., and other cities and gained accessto systems aboard a Navy cruiser at sea.

At a hearing in November 1997, Sen. Jon Kyl, R-Arizona, chairman of a Senate technology subcommittee, reportedthat nearly two-thirds of U.S. government computers systems have security holes.

"If somebody wanted to launch an attack," says Fred B. Schneider, a
professor of computer science at Cornell University, "it would not be
at all difficult."
'There are lots of opportunities'

Although "Eligible Receiver" took place in the United States, which has about 40 percent of the world'scomputers, the threat of cyberterrorism is global.

Consider:

During the Gulf War, Dutch hackers stole information about U.S.
troop movements from U.S. Defense Department computers and
tried to sell it to the Iraqis, who thought it was a hoax and
turned it down.

In March 1997, a 15-year-old Croatian youth penetrated
computers at a U.S. Air Force base in Guam.

In 1997 and 1998, an Israeli youth calling himself "The Analyzer"
allegedly hacked into Pentagon computers with help from
California teen-agers. Ehud Tenebaum, 20, was charged in
Jerusalem in February 1999 with conspiracy and harming
computer systems.

In February 1999, unidentified hackers seized control of a British
military communication satellite and demanded money in return
for control of the satellite.

The report was vehemently denied by the British military, which
said all satellites were "where they should be and doing what
they should be doing." Other knowledgable sources, including
the Hacker News Network, called the hijacking highly unlikely.

"There are lots of opportunities," says Schneider. "That's very scary."

The Holy Grail of hackers'

President Clinton announced in January 1999 a $1.46 billion initiative to deal with U.S. government computer security-- a 40 percent increase over fiscal 1998 spending. Of particular concern is the Pentagon, the military strongholdof the world's most powerful nation.

"It's the Holy Grail of hackers," says computer security expert Rob
Clyde. "It's about bragging rights for individuals and people with weird
agendas."

Clyde is vice president and general manager of technical security for Axent Technologies, a company headquarteredin Rockville, Maryland, that counts the Pentagon as one of its customers.

The Defense Department acknowledges between 60 and 80 attacks a day, although there have been reports of far morethan that. The government says no top secret material has ever been accessed by these intruders, and that itsmost important information is not online. But the frustration is evident. Michael Vatis, director of the FBI'sNational Infrastructure Protection Committee, told a Senate subcommittee last year that tracing cyberattacks islike "tracking vapor."

A lot of clueless people'

Schneider says the "inherently vulnerable" nature of the electronic infrastructure makes counterterrorismmeasures even more difficult. Schneider chaired a two-year study by the National Academy of Sciences and the NationalAcademy of Engineering that found that the infrastructure is badly conceived and poorly secured.

"There is a saying that the amount of
'clue' [knowledge] on the Internet is
constant, but the size of the
Internet is growing exponentially,"
says Schneider. "In other words,
there are a lot of clueless people out
there. It's basically a situation where
people don't know how to lock the
door before walking out, so more and
more machines are vulnerable."

Schneider says the telephone system
is far more complicated than it used
to be, with "a lot of nodes that are
programmable, and databases that
can be hacked." Also, deregulation of
the telephone and power industries
has created another weakness: To
stay competitive and cut costs,
companies have reduced spare
capacity, leaving them more
vulnerable to outages and disruptions
in service.

Still another flaw is the domination of the telecommunications system by phone companies and Internet serviceproviders (ISPs) that don't trust each other. As a result, the systems do not mesh seamlessly and are vulnerableto failures and disruptions.

"There's no way to organize systems built on mutual suspicion,"
Schneider says. "We're subtly changing the underpinnings of the
system, but we're not changing the way they're built. We'll keep
creating cracks until we understand that we need a different set of
principles for the components to deal with each other."

The democratization of hacking'

Meanwhile, the tools of mayhem are readily available. There are about 30,000 hacker-oriented sites on the Internet,bringing hacking -- and terrorism -- within the reach of even the technically challenged.

"You no longer have to have
knowledge, you just have to have
the time," Clyde says. "You just
download the tools and the
programs. It's the democratization
of hacking. And with these
programs ... they can click on a
button and send bombs to your
network, and the systems will go
down."

Schneider says another threat is posed not by countries or terrorists, but by gophers and squirrels and farmers.

In 1995, a New Jersey farmer yanked up a cable with his backhoe, knocking out 60 percent of the regional and longdistance phone service in New York City and air traffic control functions in Boston, New York and Washington. In1996, a rodent chewed through a cable in Palo Alto, California, and knocked Silicon Valley off the Internet forhours.

"Although the press plays up the security aspect of hacker problems,"
says Schneider, "the other aspect is that the systems are just not
built very reliably. It's easy for operators to make errors, and a gopher
chewing on a wire can take out a large piece of the infrastructure.
That's responsible for most outages today."

The prudent approach'

Schneider and Clyde favor a team of specialists similar to Clinton's proposed "Cyber Corps" program,which would train federal workers to handle and prevent computer crises. But they say many problems can be eliminatedwith simple measures.

These include "patches" for programs, using automated tools to check for security gaps and installingmonitoring systems and firewalls. Fixes are often free and available on the Internet, but many network administratorsdon't install them.

A step toward deterrence was taken in 1998 when CIA Director George Tenet announced that the United States wasdevising a computer program that could attack the infrastructure of other countries.

"That's nothing new," says Clyde, "but it's the first time it was publicly
announced. If a country tries to destroy our infrastructure, we want
to be able to do it back. It's the same approach we've taken with
nuclear weapons, the prudent approach."

The U.S. Government Accounting Office estimates that 120 countries or groups have or are developing informationwarfare systems. Clyde says China, France and Israel already have them, and that some Pentagon intrusions havesurely come from abroad.

"We don't read about the actual attacks," says Clyde, "and you
wouldn't expect to."

"The Analyzer" was caught after he bragged about his feat in
computer chat rooms, but Clyde says the ones to worry about are
those who don't brag and don't leave any evidence behind.

"Those are the scary ones," he says. "They don't destroy things for
the fun of it, and they're as invisible as possible."


Source: CNN.com. This material is intended to be within bounds of fair use. Any copyright holder who objects to our use of this copyrighted work please email the Open Security E-lab or nesson@law.harvard.edu.