Blocking a cyberterror attack
Marin Independent Journal By John Schwartz, New York Times
In the abstract, fighting a war is simple. The enemy and the targets are generally identifiable. But in the war against hackers and virus writers, the combatants are harder to know.
The attacker might be a 14-year-old in Canada, or a co-worker in the accounting department. "You'll have every type of person" practicing the dark arts of programming, said Sarah Gordon, a senior research fellow with the security technology developer Symantec.
As industry and government seek to repel the attacks for which the Internet is a launching pad, much of the effort involves understanding those who unleash malicious code and jiggle digital doorknobs. In the world that emerged after the Sept. 11 attacks, after all, understanding an elusive enemy has become a growing part of confronting a threat.
Security experts have warned for several years that cyberterrorism presents a great potential threat to the United States, with its increasing dependence on computer networks for everything from weapons systems to hydroelectric dams, not to mention the underpinnings of commerce. Richard A. Clarke, a former White House adviser on terrorism, warned even before Sept. 11 of a coming "digital Pearl Harbor."
And new vulnerabilities that could leave the way open to such an attack are being discovered all the time: according to Symantec, the number of software holes reported in the nation's computer networks grew by 80 percent in 2002.
Still, the company says it has yet to record a single cyberterrorist attack - by its definition, one originating in a country on the State Department's terror "watch list." That could be because those inclined to commit terrorist acts do not yet have the know-how to do significant damage, or perhaps because hackers and adept virus writers are not motivated to disrupt networks for a cause. But should the two groups find common ground, the result could be devastating, said Michael A. Vatis, head of the Institute for Security Technology Studies at Dartmouth College.
"There is still a big gap in our actual knowledge of our actual vulnerabilities to a serious attack," he said.
The government is working to close that gap. In the executive branch, cyberdefense is one of the concerns of the new Department of Homeland Security. Within the military, a task force with a $26 million annual budget is studying cyberwarfare for both its defensive and offensive potential, and President Bush has signed a directive, disclosed in February, calling for the military to develop policies to govern the waging of digital war. Regular exercises at the military service academies prepare students to defend military networks against hackers.
For now, though, the quarry in such exercises remains elusive. The most damaging attacks and intrusions, experts say, are typically carried out by disgruntled corporate insiders intent on embezzlement or sabotage, or by individuals - typically young and male - seeking thrills and notoriety.
There was, to be sure, the explicitly political Code Red, a self-reproducing program known as a worm that was unleashed in 2001 to take control of thousands of computers and force them to block access to the White House Web site by flooding government servers with data. Many security experts believe that the program was developed in China in retaliation for the loss of a Chinese jet and its pilot after a collision with an American spy plane. Once the worm was detected, a tweak to the numeric online address for the White House Web site prevented disruption.
Code Red drew attention to cyberattacks as a vehicle for political activism, said Roger Thompson, the director of malicious code research at TruSecure, a computer security company. "Instead of doing it to be jerks and show off to their buddies, they're doing it to make a statement," he said.
But exploits coinciding with the war in Iraq were tame at best. Days before the United States began its air attacks, for example, an American military computer was hacked through a security hole in Microsoft software, according to Russ Cooper, a security expert with TruSecure, but no apparent damage was done. And though a programmer identifying himself as a Malaysian Muslim and calling himself Melhacker warned late last year that he would release a potent new virus on the Internet if the United States invaded Iraq, there has been no sign of it.
"Individuals like Melhacker are considered more smoke than fire," said Ken Dunham, a senior intelligence analyst for iDefense, a computer security company. He said that developing profiles of such "malicious actors" - both general and individual - was helpful in defending against their activities and sometimes even curbing them. In Melhacker's case, he said, the company gained the virus writer's trust and obtained some of his code and tools last fall.
The threats and attacks witnessed recently are the sort of harassment that security experts dismiss as "weapons of mass annoyance." Experts who study the lives and motivations of virus writers and hackers - and those who have wandered onto the wrong side of the law themselves - say that while some want to push a political view, many are interested in making a splash rather than a statement.
"Many of them probably think, 'Hey, hacking the Iraqi government would make me famous!"' said Seth Pack, a former virus writer who lives in Spartanburg, S.C., and works in the computer security field. Similarly, current viruses are likely to be carried in e-mail with subject lines related to Iraq or the SARS epidemic because they are topical, and virus writers, like all marketers, look for the largest possible audience.
Although some Web sites are chosen as hackers' targets for their political significance - an Iraqi government site was defaced during the war with the message, "Hacked, tracked, and now owned by the U.S.A." - most such vandalism is carried out by hackers using automated programs that simply search for any vulnerable machine, said Vincent Weafer, the senior director of a Symantec security response unit.
Aside from the increase in Web site defacement, he said, the level of virus writing and hacking has not risen sharply in recent weeks. "What we were seeing a month ago is what we're seeing today, and what we'll probably see next month," he said.
Businesses and individuals who take security seriously can protect themselves fairly well against the threat of viruses and hacking, said James Lewis, head of the technology program for the Center for Strategic and International Studies in Washington. "It's going to be irritating," he said, "but it's not going to be the end of the world."
At the same time, the government is taking a less urgent view - at least in what little it says on the subject - than the specter of a "digital Pearl Harbor" might have indicated. The role of cybersecurity adviser has been moved out of the White House and into the new Department of Homeland Security, and Clarke's successor in that role, Howard Schmidt, announced his resignation on Monday. "Nobody is in charge of the issue," Harris N. Miller, president of the Information Technology Association of America, complained after Schmidt's resignation was announced. "Cybersecurity is unique, and does require somebody in charge."
A spokesman for the Homeland Security Department said the administration took cybersecurity seriously, but as part of the overall security puzzle. "Our approach to cyber is it is combined with the other critical infrastructures; it's not a stand-alone," said the spokesman, David Wray. Much of the work in understanding the threat and countering it is being carried out in private industry, think tanks and academia, he said, and the role of government is to "look at the body of work and at the body of evidence and find the ways to make the best use of it."
That puts the primary burden on researchers like Gordon, the security expert with Symantec, who has interviewed hundreds of digital mischief-makers. Experts note significant differences between those who unleash viruses, with potentially widespread but somewhat random effects, and hackers, whose targets are generally specific if arbitrary.
Many of the early virus writers were computer researchers testing the limits of machines in the days before the Internet allowed rogue programs to spread around the world in minutes. But as the information on virus coding moved from the elite to the merely adept, there emerged a generation of "script kiddies" who could cobble together malicious programs from online tips.
Gordon said she had interviewed virus writers as young as 10 and as old as 50. "For a young person starting out," she said, "it's a real challenge to write a program that will re-create itself."
Because the writers tend to be young, they lose interest in the activity at about the time they might be prosecuted as adults for their mischief, Gordon said. Those who write viruses, and those who continue to do so into adulthood, tend to hold an immature point of view, she said. "They don't realize the impact - they don't realize there are real people at the other end of the computers," she said. "They don't tend to recognize the consequences of their actions."
Computer intruders, on the other hand, tend to characterize themselves as explorers. "'Why hack?' That's like 'Why eat?'" said Rafael Nunez, an Internet security consultant in Venezuela who has crossed over from the dark side of computer intrusion, in an e-mail message responding to questions. He now tests companies' security by trying to defeat their network defenses. The allure of hacking, he said, is "the attraction of the unknown, to penetrate, to find out secret things."
Hackers and virus writers can work together, but many have a competitive and acrimonious relationship. "Virus coders are evil," Nunez said. "They want to cause destruction."
A recent virus detected by Sophos, a security firm, seems to embody the tension between hackers and virus coders: the virus, which originated in India, contains text with insults directed at Pakistani hackers. The conflict "took it away from the geopolitical stage and put it into a geek-to-geek stage," said Chris Wraight, a technology consultant with Sophos.
Some of those who pursue the craft say they are blending computer science and art. A Spanish programmer who goes by the online name Jtag said in an e-mail exchange that he found in viruses "some kind of 'artistic' beauty."
"It's like to give 'life' to one creation and this 'life-form' takes control of things, replicating, transforming and giving his own 'touch' to another programs (infecting them)," he wrote.
Wraight of Sophos said a more apt comparison is to a sprayer of graffiti. Virus writers have the potential to spread a message to millions of computers. He expects the trend toward political hacking to continue. "The whole notion of trying to use the world stage for political views is going to grow over time," he said.
And the attacks will grow more potent, said Vatis, who served as the first director of the National Infrastructure Protection Center within the Federal Bureau of Investigation. Referring to the work of the military cyberwar force, he said, "The fact that our own government has offensive information programs that it won't talk about except to acknowledge that they exist - that should tell us something."