[Moderator: Several articles along the same lines, by the same
journalist. These were posted to the EWAR list originally.]
Cyberwars: Proper vigilance or paranoia?
By Will Rodger, Inter@ctive Week Online
October 5, 1998 6:12 AM PT
The last war was on land, air and sea. The next one may be on your
computer.
Armed with reams of data showing dramatic increases in computer crime
since 1995, a wide-ranging but little-noticed federal working group is
moving swiftly to try to knit together a private and public partnership
against armies of hackers, government spies and terrorist agents that
could make cyberspace unsafe for democracy.
The fear: that no part of the industrialized world is safe from digital
disaster. Successful attacks on power grids, hospitals, banks, farms,
factories and railroad switches could plunge a target nation into chaos
and dysfunction.
Administration officials say this is no joke, ticking off threats
already encountered:
* A 19-year-old Israeli hacker, known as the Analyzer, and two California
teenagers successfully penetrate U.S. Department of Defense computers in
February, setting off fears that their intrusions are related to U.S.
troop buildups against Iraq.
* Russian hacker Vladimir Levin breaks into Citibank systems and steals
$12 million in 1994. He escapes arrest for one year, only to be brought to
justice as he gets off a flight to London and walks into the arms of
Interpol.
* A study by network security specialist Dan Farmer that shows more than
60 percent of 1,700 high-profile Web sites - many run by banks - can be
broken into or destroyed using a program he designed to probe for
weaknesses no system administrator should allow in the first place.
Free flow of bits and bytes
At the center of the U.S.' attempts to create a cyberdefense structure is
the Critical Infrastructure Coordination Group, an assembly of cabinet
undersecretaries and other senior officials sworn to work with the FBI and
American business to protect a society that now depends on a safe, free
flow of bits and bytes.
But even as the defense structure emerges, civil libertarians, industry
executives and even administration insiders worry about how well the
Clinton administration or its successors can steer between protecting
against all forms of disruption on one hand and creating a police state on
the other.
Fears that police agencies will use the threat to gain unprecedented power
"reflect a misunderstanding of what we're all about and what the
administration is all about," said Michael Vatis, director of the National
Infrastructure Protection Center (NIPC) at the FBI. "We are structured as
a real partnership [between government and free enterprise]. It's our own
intention to bring people on board from the private sector. We all say the
same thing."
But James Adams, former chief executive officer of United Press
International and head of the newly formed Infrastructure Defense Inc.
consultancy, said government must surrender more power first. "I don't
think the government can any longer say we know what's good for you and
we're going to take care of it. The government is becoming increasingly
irrelevant. I'm not arguing that's a good thing or a bad thing - it's
simply a fact."
Endless government disputes
Either way, bitter, seemingly endless disputes between the administration
and the people whose cooperation it needs already have tainted the process
of developing a national approach to protecting critical information
assets, both sides said. A five-year battle over use and export of
data-scrambling technologies crucial to data security, for instance, has
alienated much of the computer industry. FBI demands that telephone
companies spend hundreds of millions of dollars to make wiretaps easier to
perform, meanwhile, have led to charges of betrayal by phone companies
that claim they were promised more compensation than they're getting, and
civil libertarians who say the new proposals invite abuse by rogue police.
As a result, what should be a cooperative effort to secure the nation from
outside attacks threatens to bog down in a morass of mistrust and stony
silence.
"Our members are scared to death of this whole program," a Washington
association executive said, insisting on anonymity. "You've got the FBI
and the National Security Agency pushing this thing. These guys are spies.
Then there are these 'private sector' groups springing up to coordinate
'information sharing' about how different companies have these huge holes
in their networks. Some of them are headed by ex-Defense Department
people. The whole thing makes us paranoid."
Worse, still, the lobbyist said: The nation's chief computer security
organization - the secretive, estimated 50,000-employee National Security
Agency (NSA) - is the same one responsible for wiretapping and signal
interception everywhere outside the U.S. As long as the world's biggest
Big Brother has a major role to play, business may be gun-shy of the
program.
=-=
Department of Offense
By Will Rodger, Inter@ctive Week Online
October 5, 1998 12:11 PM PT
Somewhere in the middle is Air Force Col. James C. Massaro, commander of
the Air Force Information Warfare Center (AFIWC) at Kelly Air Force Base
in San Antonio. As a military officer, he has to stay out of policy
disputes. Even so, he will be the one calling the shots if a digital
Armageddon ever becomes reality.
He won't go into details, but he readily confirmed one thing: For every
hack, virus, worm or physical disruption, there is an offensive answer. If
computer intrusions give way to war over computer networks, his team is
prepared to hack back - virus for virus, break-in for break-in, worm for
worm.
Already, dealing with intrusions from the outside occupies most of
Massaro's time. "We have anywhere from 500 to 800 alerts a day we have to
check out to make sure someone isn't trying to get into our systems," he
said.
His base will likely do more fighting than any other if cyberwarfare
breaks out. Massaro has to take it as a given that it will. An apparent
surge in computer hacks shows why. In a 1997 Ernst & Young LLP survey of
more than 4,000 information technology managers, for instance, 38 percent
said they had suffered an intrusion by an industrial spy, up more than
sixfold from the year before. Of those who claimed damages, only 16
percent could place a dollar figure on those.
By policy, the AFIWC is on guard against all intruders, including the
"ankle-biter" kids who made headlines in February with their "Analyzer"
attacks on defense computers. But the organized attacker that clearly
worries the military most is another nation-state. Besides the U.S.,
China, France, Russia and the U.K. all admit mounting some kind of program
to fight the coming info wars. In addition, the Irish Republican Army, the
major Colombian drug cartels and Spain's Basque ETA commandos are all
known to rely heavily on computer technology to carry out their work. In
time, petrol bombs could literally give way to bit bombs.
Yet, no one knows how they will do it.
=-=
International Concern
By Will Rodger, Inter@ctive Week Online
October 5, 1998 12:22 PM PT
"We know the problem as a whole is increasing greatly," said the FBI's
Vatis. "But we don't have a clear picture yet of the sophisticated end of
the threat."
In interviews and trips to Capitol Hill, Vatis tells the same story: To
fight the next cyberwar, civilized nations will have to draw on skills
found within all of government and the private sector, pooling
investigative, technical and political knowledge as never before.
Blurring, even discarding, traditional lines drawn between domestic law
enforcement and military engagement will be part of the process, he said.
But beyond technical complications lies a more difficult problem. Ever
since the end of World War II, domestic law enforcement and foreign
intelligence have had distinctly separate roles. President Harry S.
Truman was so afraid of government spies operating in the U.S. that he
separated the NSA's spying role from its computer security
responsibilities while banning the CIA from domestic activities entirely.
So, in testimony before the Senate Judiciary subcommittee on technology,
terrorism and government information in June, Vatis made clear the
bureau's distaste for relying too heavily on those restrictions in
cyberspace.
"What really underlies this whole problem is the fact that national
security and law enforcement are so intermeshed," he told subcommittee
Chair Jon Kyl, R-Ariz.
Wayne Madsen, a computer security expert and policy fellow at the
Electronic Privacy Information Center in Washington, D.C., conceded the
FBI understands the vulnerabilities. Yet, the conclusions Vatis draws
about what should be done are precisely wrong, he said.
"Most of this is nonsense. Who would do it?" the cyberlibertarian said.
Much as the FBI may want to suggest terrorists could take down, say, the
New York Stock Exchange, the cascading effect of a major disruption to
developed economies would be catastrophic.
"Most terrorists move their money through the same networks; they stay in
hotels," Madsen said. Threatening to take down major sectors of the world
economy only amounts to the same kind of "mutually assured destruction"
that kept the Soviet Union and the U.S. from ever actually launching a
nuclear strike against each other.
Why, then, is the government moving to "secure" the nation's
infrastructure? Attribute it to the overheated imaginations of gung-ho
cops, Madsen said.
But the FBI has been beaten back almost every time it has tried to impose
more sophisticated eavesdropping techniques on society. Whether it's the
battle to ban domestic use of uncontrolled encryption technologies or
moves to gain access to phone conversations conducted over the Internet
with nothing more than the say-so of a U.S. attorney, the FBI is fighting
a pitched battle for access on Capitol Hill. By pushing the threat of an
"info war," FBI and security agencies could get another chance to win what
they've so far been denied.
Indeed, the U.S. Department of Justice is threatening to push for further
powers of search and seizure in the physical world, if it doesn't get its
way in the electronic one. "If privacy advocates get their way on
encryption, they may not be happy," department computer crime specialist
Scott Charney told an international symposium in August. Instead of
wiretaps and remote searches of computer disks, the FBI would go to
Congress for authority to step up its use of bugging devices and physical
searches. "That could really decrease privacy," he said.
Yet, as long as law enforcement sees telecommunications as a surveillance
tool, Madsen said, it's hard to trust the FBI or the national security
establishment with anything having to do with telecommunications, let
alone sweeping initiatives that are supposed to secure the entirety of
cyberspace.
Back at the AFIWC, Massaro remains above the fray. He commands from deep
within a hardened concrete shell, behind multiple layers of three-inch
steel doors. Some 50 computer specialists there hunch over their screens.
A 50-50 mix of civilian and Air Force officers, the Air Force's Computer
Emergency Response Team is widely acknowledged as the best group of
intrusion specialists in the U.S. government, if not the world. Their
mission is to monitor attacks on nearly all military networks worldwide
and respond when necessary.
Last year alone, the center's automatic monitoring software detected more
than a million suspicious events on military networks. More than 99
percent were meaningless - many, for instance, were simply cases in which
users failed to remember passwords and repeatedly tried to log in.
Despite its neat title, AFIWC's responsibility ultimately knows no bounds
in cyberspace. Hackers don't stop for borders, care little who owns a
network and, Massaro added, deliberately pass through multiple networks to
confuse and slow their defenders. A hacker "can go anywhere," he said. "He
can go foreign. He can come in the U.S., he can go DOD, he can go
national, he can go government. Whatever, wherever. The bottom line is
it's all of our problems because there are no boundaries in cyberspace."
When "he" comes to do battle, Lt. Chad Renfro will be on the front lines.
Not yet 30 years old, Renfro hunches over his Sun Microsystems Inc.
workstation. On screen is an endless list of logs from 110 separate Air
Force bases worldwide, gathered by the center's Automated Security
Incident Measurement (ASIM) software. Arguably the most sophisticated
system of its kind, ASIM software tracked 360 million events on
military computers in 1997. Of those, 7.2 million were sufficiently
unusual to make the system record every keystroke generated by those
users.
Of that group, 107 were confirmed "incidents" in which hackers penetrated
sensitive networks. Eighteen resulted in hackers' achieving "root," or
network administrator privileges. Those 18 break-ins should have given
vandals power to do anything they wanted on the networks they penetrated.
No one will say what they did once inside.
Renfro runs the ASIM through its paces as a visitor launches attacks of
his own with the help of automated hacking software culled from one of
several hundred hacker sites the center monitors. In short order, the faux
hacker is exploiting a weakness in a telephone and directory program that
comes loaded on most Internet servers. Though handy for storing names and
addresses of employees, students and faculty at universities and
businesses that run it, the directory program also has a flaw that lets
intruders break into password files and other sensitive data stored on
those same computers. The would-be victim is a machine at Hickam Air
Force Base in Hawaii.
"An analyst would pull up a screen and take a look at this," Renfro said.
The hacker pulls down a password file and runs "crack," a decryption
utility that can successfully guess many passwords, particularly those
that use words found in dictionaries. In this case, the hacker nabs 2,000
of them - enough to take over as many accounts and, perhaps, bring down
the network.
Bright as this group is, it was nearly helpless for weeks in February,
when the Israeli "Analyzer" and his two pals from Silicon Valley worried
experts throughout the Pentagon as they skated from one DOD computer to
the next. Back then, Defense Undersecretary John Hamre and other top
Pentagon officials were in regular contact with President Clinton, warning
that a long-feared info war attack from the Middle East might be under
way. To be sure, AFIWC eventually got its men. But the incident also
showed something else: The U.S. may not be ready for the next round of
attacks, no matter what their origin.
That's why Jeffrey Hunker is a busy man these days. As director of the
Commerce Department's Critical Infrastructure Assurance Office, his job is
to convince business - big business in particular - to help the government
produce a plan for info war defense.
The CIAO, along with Vatis' NIPC, is part of a three-legged plan to nail
down the Net. The other, a series of private-sector groups called
Information Sharing and Assessment Centers, is supposed to be formed by
the private sector - but who that may include remains undefined.
Hunker knows battles over wiretaps and encryption have worn thin the
government's welcome with a computer industry whose cooperation he
desperately needs. Yet, this time, it will be different, he said. "This is
basically about business," the former consultant said. "Cybersecurity is
going to have to be viewed as good business."
=-=
Fear factor
By Will Rodger, Inter@ctive Week Online
October 5, 1998 12:15 PM PT
But it's the idea of cooperation that strikes fear in the hearts of many
businesses. Consider, for a moment, what happens when a company's main
revenue stream - its Web site - is suddenly deemed the scene of a crime.
For starters, there's the problem of actually sharing information. A
recent survey by Ernst & Young LLP showed only a small minority of
break-ins are ever reported to anyone. The reason? Fears that once a site
has been exposed as vulnerable, its poor security practices will leave it
open to a feeding frenzy by copycat vandals. Beyond that, businesses fear
they will lose customers, investor confidence, even be subject to lawsuits
if the truth leaks out. Calling in investigators when break-ins occur may
also be at odds with company interests. Instead of running a data center
to make their company money, computer workers may find themselves helping
to run a center whose chief purpose is to nab criminals.
Hunker has heard the complaints dozens of times before. "We're going to
have to have a legal structure so that information stays confidential,"
he said. But confidential to whom?
The administration said it will win legislation to exempt communications
like the ones Hunker said must occur from Freedom of Information Act
inquiries. The White House may seek further exemptions from the Federal
Advisory Council Act (FACA), which requires open meetings when
private-sector groups advise the government on policy. At the very least,
Commerce Undersecretary Larry Irving said, the government will structure
the groups so that FACA never comes into play.
Eight agencies will oversee efforts in information and communications,
banking and finance, electric power - in short, virtually every aspect of
civilian life. Four others - the FBI, CIA, State and Defense - are
supposed to rally support for the program among the law enforcement,
foreign intelligence, national defense and diplomatic communities.
But it's Vatis' NIPC that's the biggest bone of contention so far. Tucked
away on the top floor of the fortress-like FBI headquarters in Washington,
the NIPC has 60 FBI agents and a handful of government representatives
from the military and national security communities. When it's fully
staffed, the FBI will have 85 of the 125 positions for itself. Of the
remaining 40 positions, an undetermined number will go to the private
sector.
In addition to investigating break-ins, the NIPC is supposed to carry out
long-term assessments, forecast attacks and issue technical alerts when
analysts discover new weaknesses in computer hardware and software. Vatis
said a new, high-tech team at the FBI will make the center work. He still
has to convince skeptics.
"The idea that the appropriate place for it to be effectively managed is
the two most reactive government agencies whose task it is to arrest
people and send them to jail - in an environment that needs cooperation,
conciliation, proactivity and a very high degree of understanding of
technology - it doesn't make any sense to me," Adams of Infrastructure
Defense said.
The May presidential directive that created the NIPC, the CIAO and its
working groups also called for a parallel response from business.
Private-sector Information Sharing and Assessment Centers were supposed to
pool information and send on summaries of what they found to the federal
bodies. Yet, despite a November deadline for a preliminary plan, not one
center has been created and no representative from the private sector has
actually taken up residence at FBI headquarters.
On Sept. 25, Commerce Undersecretary Irving gathered 50 representatives of
the nation's telecommunications, defense and information technology
companies to meet on infrastructure protection.
Just 30 seconds into his opening statement, Irving made it clear he
understood the friction that has precluded close industry and government
partnerships on matters of data security. "We hope this is going to be a
collaborative relationship," he said. "I do not want to see a repeat of
some of the problems we've seen between industry and government with
regard to issues involving [wiretapping] and encryption, and I'm going to
work my hardest to make sure that that doesn't happen. I don't want any
failures."
=-=
The FBI's InfraGard Project
By Will Rodger, Inter@ctive Week Online
October 5, 1998 12:10 PM PT
"Who cares what the lobbyists think?" computer specialist "Dave" asked.
"The FBI's doing a great job."
Dave won't let his last name or his employer's name be used out of fear
hackers will target his Cleveland company for attack. After all, he's a
dyed-in-the-wool fan of InfraGard, the FBI's grassroots approach to
preparing for information warfare.
Since August 1996, the Cleveland FBI has spent a lot of time talking to
business about what they need and vice versa. Instead of showing up with
badges and guns when hacks happen, agents are getting to know likely
targets before the crimes occur - something unheard of until now.
But that's the way InfraGard is supposed to work. Once a month, a group of
computer management specialists gets together in Cleveland to talk with
FBI agents about the security vulnerabilities they face and how they deal
with the problems. Though Ernst & Young LLP and KeyBank NA admit to
belonging to the group, most members remain anonymous.
Once per quarter, the group hosts a speaker - past presenters have
included FBI chief Louis Freeh.
Cleveland Special Agent Brian Vigneaux said the bureau shows companies how
to best prepare and preserve evidence so that when hackers do get in, the
FBI has some way to find them, and companies can get on with their
business. What's more, he said, the better business and police know each
other, the better they will cooperate when something goes wrong.
The FBI's National Infrastructure Protection Center hopes to roll out a
national version of the Cleveland program, beginning in the fall. The
Columbus, Ohio, and Indianapolis FBI offices already have started.
The efforts might be welcomed by network managers like Dave. He has more
than 25 years of experience. But like most security officers, he has fewer
bodies, less money and less time than he can justify to management. So he
jumps at the chance to get free or almost-free advice.
Members agree not to use the information against each other and not to
disclose who has problems outside the meeting.
FBI can be reached at www.fbi.gov
Received on Wed Oct 7 19:48:52 1998