ederal agencies are ripe targets for a new breed of cybercriminals intent on making their marks. As the competition among hackers intensifies, it's no longer exciting or impressive enough to just sneak in, look around and leave some trap doors. Now hackers want to deface the systems or even bring them down.
Meanwhile, some intruders are seeking sensitive information from agency files. Add to that the threat of infrastructure damage that can be done by enemy countries through holes left by loose computer security, and it's easy to understand why the Senate Governmental Affairs Committee is targeting agencies that are lax on security for scrutiny and, if necessary, for tighter management controls.
For Mark Boster, the wake-up call from the FBI came at 12:30 a.m. on a Saturday two years ago, and it was a rude awakening. An agent asked whether Boster was aware that the Justice Department Web site now displayed the words "The Department of Injustice" and that the picture of Attorney General Janet Reno had been replaced by a picture of Adolf Hitler.
As deputy assistant attorney general for information resources management, Boster was responsible for dealing with the break-in at the Justice site. Over the next two hours, he and his staff called the systems administrators responsible for the Web servers into the office and had the servers disconnected from the Internet. Their objective was to stop people from seeing the counterfeit Web page. They went to sleep, much later that night, confident they had accomplished this. But they were wrong.
For nearly a week afterwards, Boster received calls from reporters for The Wall Street Journal and other publications, who said they still were seeing the Hitler picture. He and his staff didn't know that large Internet service providers such as America Online hold copies of popular pages so they don't have to take the time to retrieve them. When Justice turned its system off, every large service provider had only the Hitler page to show when people requested information from the Justice site. Thinking they had solved the problem by disconnecting their Web site was just one of Justice's mistakes.
Today Boster, who chairs the CIO Council's Committee on Computer Security, says, "That break-in was probably the best thing that could have happened to improve security at the Department of Justice." In the aftermath, Boster identified a dozen errors he and his staff had made that might have opened the door to the hackers. Top-level management interest created by the defacement gave him the resources and opportunity to correct these errors.
Other agencies face a choice. They can wait until a hacker defaces their Web site and embarrasses their top managers, or a more serious attack stops their operations. Or they can take some surprisingly inexpensive actions to defend themselves.
A New Epidemic
Cybercrime is becoming epidemic. The president of one security consulting organization reports that every week there are three or four major security incidents at the 38 agencies and corporations that his firm monitors.
Defense Department officials estimated that DoD computers were attacked 250,000 times as far back as 1995, and DoD intrusion-detection expert Stephen Northcutt of the Naval Surface Warfare Center reports that the number of attacks has doubled just since the beginning of 1998 and has grown tenfold in the past three years. Attacks apparently have intensified on the civilian side too, but a 1997 survey by the CIO Institute and Government Executive showed that four out of five civilian agency security managers don't know how much they are being attacked or by whom.
The problem is being fueled by smart hackers who not only find vulnerabilities and build tools to exploit them but also post the break-in tools on the Web where any bored high-schooler, criminal or foreign power can find and use them. It doesn't take much intelligence to copy an attack script from a Web site and then point it at a target organization. The price of entry into the hacking game is just $9.95 per month for an Internet account, and the hacker can do the job from Prague as easily as from Princeton.
New vulnerabilities are discovered every week, and the threats are become more sophisticated. Gen. Kenneth Minihan, director of the National Security Agency, told the Senate Governmental Affairs Committee June 24 that structured attacks are on the rise. In structured attacks, a coordinated group of people tries to penetrate systems simultaneously by sharing the blueprints of sites they have probed and applying their combined processing power, network bandwidth, tools and expertise.
Defense agencies with research or weapons development responsibilities are mounting efforts to deploy multi-tiered early-warning systems and analytical capabilities to identify and thwart network-borne attacks. At best, they stay barely ahead of the intruders. Some attackers still get through. At the same time, according to Director of Central Intelligence George Tenet, other segments of the defense and intelligence community are working on ways to take advantage of computer and network vulnerabilities to plan offensive cyberwarfare attacks that could disrupt an enemy nation's command and control systems or even its telephone and electricity production and distribution capabilities.
In the competition between the need for secrecy to maintain an offensive edge and the need for disclosure to enhance the ability to defend against cyberattacks, the DoD offense people usually win. Thus, the defensive knowledge being gained by Defense is only minimally available to civilian agencies and commercial organizations.
In March, an 18-year-old Israeli hacker who went by the name "Analyzer" came forward to claim responsibility, along with a U.S. collaborator who goes by the handle "Makaveli," for breaking into 20 federal computer sites. Analyzer's attorney, Amnon Zichroni, told Reuters, "In the past we used to boast about the girls we had. Nowadays, kids boast with their ability to hack into computer systems."
The damage the teen-agers can cause even without malicious intent is substantial. Law enforcement agencies reached a plea bargain agreement late in March with a Massachusetts teen-ager who had broken into the Bell Atlantic system and disabled communication at the Worcester airport, cutting off services to the airport's control tower and preventing incoming planes from turning on the runway lights. With teen-age pranks wreaking such havoc, it's not difficult to imagine the damage organized criminals or unfriendly nations can cause.
A Security Checklist
With the risks growing every day, what's an agency supposed to do to protect its information, operations and reputation? To answer that question, Government Executive and the CIO Institute convened a panel of technology experts from five of the leading computer security firms and one of the government's most advanced intrusion-detection facilities. Their advice can be summarized in a four-step plan that closely parallels what careful people would do to protect their homes in high-crime areas:
- Upgrade the locks on the doors. Computer managers use a tool called a firewall to lock out most network attacks. For firewalls to be effective, the people who install and maintain them must always be aware of the latest attacks so they can write programs that will stop those attacks, as well as ones that were discovered earlier.
- Check to be sure that doors are locked and that windows and other means of access, such as balconies, are protected. Careful managers do the same thing by regularly performing a vulnerability analysis and penetration test to check that the computer hardware and software are set to the most secure positions. They actually perform two analyses-one from the outside and one from the inside-to simulate what both outsiders and insiders could do. And in a manner similar to the way they use virus checkers, they rerun the vulnerability analysis repeatedly with up-to-date settings that reflect both the old and the most recently discovered vulnerabilities.
The Israeli hacker Analyzer reported that he used the first of those vulnerabilities-known holes in Web server software left unpatched by busy system administrators-to enter the federal computers. The numbers of holes to close is high, and new ones are being discovered every day. System administrators with hundreds of systems to manage don't have the time to keep up.
n Install burglar alarms, both as early-warning systems and as deterrents. Burglar alarms that protect computers are called intrusion-detection systems. These tools monitor the patterns and sources of electronic traffic coming into the site and, in a manner similar to virus checkers, compare the traffic with "signatures" of known attacks. Smarter varieties are being released that attempt to detect new kinds of attacks or sources of attacks, but so far they have been plagued by too many false alarms.
A second type of electronic burglar alarm monitors the computer's own log files to determine whether anyone is gaining unauthorized access to files or systems. Since half of all computer incidents, and the vast majority of all the losses from computer incidents, are caused by insiders, internal monitors are especially important. Computer crime is silent, so that many criminals-especially insiders who know the routine-feel quite safe. Effective burglar alarms can change that.
When these monitors find that unauthorized access has occurred, careful organizations act immediately to correct the structural or policy weakness that allowed the problem to occur.
n Make sure intrusions get the correct response. To do this, agencies connect the electronic burglar alarms to a 24-hour-a-day, seven-day-a-week monitoring center where trained people know how to reach the appropriate contact persons at all times, or where electronic sensors correlate information and page the right people automatically.
As these systems proliferate, more and more attackers are being caught and prosecuted. Each story about another successful prosecution serves as a warning to hackers. But agencies should be careful about publicizing their security strengths. To a hacker, a report of a new computer defense mechanism is a temptation to attack. Before he was caught, Analyzer was interviewed over the Internet by Wired News. Asked about his choice of targets, he said in broken English, "I hate when [security people] trying to be overconfident . . . try to be God."
To protect themselves, the experts say, agencies should follow the four-step action plan outlined above and also do the following:
- Implement and enforce a comprehensive set of security policies. Provide continuous education and reinforcement programs that enable all employees to know what constitutes a breach of computer security and whom to call, and motivate them to make the call.
- Learn from the Justice Department's experience. The CIO Institute has summarized the errors Boster identified after Justice's Web site was tampered with in a booklet, "Twelve Mistakes to Avoid for Managing Web Security." A brief summary is available at no cost to those who send e-mail to firstname.lastname@example.org with the words "12 Mistakes" in the subject line.
- Tap the expertise of law enforcement officials. Invite such officials, especially those from the FBI's new infrastructure protection team, to educate management and staff on what to do when they see an intrusion or other suspicious situation. (Contact the FBI's National Computer Crime Squad via e-mail at email@example.com, or through the Washington Metropolitan Field Office at (202) 324-9164.)
Lack of Trust
Even if agencies take all these steps, the bad guys will still have the edge because they share everything they find. Attack victims, meanwhile, hide the information out of fear that publicizing their vulnerabilities could embarrass them or aid other attackers. Unfortunately, this approach is akin to an ostrich sticking its head in the sand. It is the integration of knowledge that provides the advantage in cyberspace. The only way to get ahead is the equivalent of a distant early-warning line created by pooling the intrusion-detection knowledge and data of federal agencies and commercial organizations.
One step in the right direction came in February when Attorney General Janet Reno announced a new center at the FBI to combat cybercrime. But most security experts feel uncomfortable with the FBI as the repository of all their knowledge. Instead, they'd like to establish a new federal agency that would operate the way the Centers for Disease Control and Prevention does. Doctors know they can send data about outbreaks of diseases to the CDC without fear of embarrassing their patients and with confidence that the CDC will act quickly and wisely to stem any potential epidemics.
The new Center for Intrusion Control (CIC), as some have dubbed it, would complement the work of the crime fighters by gathering filtered data (that is, only data pertaining to the transmission of the message and the potentially malicious sections of it) from all intrusion-detection sensors and integrating that knowledge. Commercial organizations would willingly provide the information as long as they know, beyond a doubt, that their confidentiality would be protected. The CIC's goal would be to provide new "intrusion signatures" that could be monitored and stopped by intrusion-detection systems throughout the Internet. Ultimately, the CIC should be in a position to anticipate the next attack, cut it off before it happens, and identify the attackers so that law enforcement people could take action.
Whether and when the CIC will go into operation will be decided by congressional committees and administration officials, all of whom are busy with other tasks. Last year a presidential commission found that the telephone network, the electric power grid and other basic utilities on which we all depend are vulnerable to partial destruction through coordinated attacks. There's little doubt that what the CIA's Tenet calls "an electronic Pearl Harbor" would provide enough incentive to get the CIC staffed and operational. But the nation might be better served if its leaders would take preventive steps today.
Alan Paller is director of research at the CIO Institute.