[March
8, 2000]
WhoopsLittle Johnny Launched
The Missiles:
The U.S. Government's Crusade To Safeguard Its Systems
Here's a plot to the next sexy, high-budget Hollywood power flick. A
huge organization with multinational interests views itself vulnerable to
computer hacker attacks, basing its justifiable paranoia on a recent spate
of Internet attacks that put an estimated $1.2 billion dollar strain on
Internet businesses. The organization decides to shore up its own defenses
by consulting an eccentric, long-haired hacker genius to identify its weak
spots and suggest means of protection. Quickcall Harrison Ford and
Anthony Hopkins' casting people!
But this isn't fiction. The huge organization is the U.S. government,
the long-haired hacker is real person, an individual named "Mudge"
who is a member of a well-known Massachusetts-based hacker group and the
$1.2 billion lost dollars is a figure estimated by the Yankee
Group. So why is President Clinton inviting hackers over for tea and
cucumber sandwiches? Because the U.S. government has realized, in light of
last month's "denial of service" hacker attacks on prominent Web
sites such as Yahoo!, CNN.com and eBay, that it would be terrifically
embarrassing, not to mention globally catastrophic, to have a 17-year old
bring down the computer systems of the Department of Defense just before
he starts his algebra homework and in between re-runs of "The
Jeffersons."
Why am I picking on the Department of Defense? Because of something
terrifying I read in a statement issued by William A. Reinsch, Under
Secretary of Commerce for Export Administration. The statement
was made in mid-February of this year to the Subcommittee for Commerce,
Justice, State, the Judiciary and Related Agencies of the Senate
Appropriations Committee. The Under Secretary stated that, "The
Department of Defense is well on its way to securing its critical
systems." Well on its way? Does that mean "We're desperately
trying to protect the missiles from being launched by junior-high school
students" or "We almost have the system so safeguarded there's
not a person alive who could hack into our computers?"
In either case, the recent attacks have motivated various government
agencies into taking a more proactive stance on e-commerce security than
their former attitude of benign encouragement of its growth. As with most
organizations, the directive came from the top down and is filtering
through almost every agency of the government. On March 3rd, President
Clinton wrote a memo
to the heads of executive departments warning them to mobilize their
respective departments to begin learning about what they can do to protect
themselves. "I ask that each Cabinet Secretary and agency head renew
their efforts to safeguard their department or agency's computer system
against denial-of-service attacks on the Internet," Mr. Clinton
wrote. "Within legal and administrative limits, attention should also
be paid to contractors providing service. The Federal Computer Incident
Response Center and the National Infrastructure Protection Center have
available software tools to assist you in these efforts," he
concluded. Have a nice day. Saying that this is a tall order is an
extraordinary understatement.
The President specifically refers to denial-of-service attacks. As most
of us now know, a denial-of-service attack involves flooding a Web site
with so many requests for pages the server becomes completely locked up
for regular business and often crashes. The individuals who carry out
these types of attacks use fake IP addresses, making the source of the
attacks extremely difficult or even impossible to trace. It's important to
note that with a denial-of-service attack, the hackers are not actually
breaking into a company's systemsthey are merely distracting and
confusing them. Hacking into an e-commerce site for the purpose of
obtaining credit card or personal information is a different game to the
hacker, but it's one that is concerning business and government leaders as
much as denial-of-service attacks.
Just within the last few weeks, some of the most high-profile
individuals in the U.S. government have been addressing the crisis.
Attorney General Janet Reno has been very visible recently, indicating
that she is dedicating her staff to track down those responsible for last
month's attack on prominent Web sites. FBI Director Louis Freeh testified
at a Senate committee hearing in mid-February, admitting that his own
resources were stretched "paper thin." It was perhaps this
admission that prompted the President to put forth a proposal to pour a
sharply increased amount of money into the government's cyber-security
budget. Mr. Clinton has proposed a 15 percent increase this year in the
budget dedicated to safeguarding Federal computer systems, from $1.75
billion in 1999 to $2 billion in 2000. Built into this budget is an
increase from $451 million last year to $606 million this year for
research and development of techniques to defend government computer
systems from cyber attacks.
Research and development implies that something can be done about
denial-of-service attacks and other types of cyber-terrorism. It is likely
that the agency chosen to shoulder this research and development will be
the National Infrastructure Protection Center (NIPC), an agency created
two years ago by the Department of Justice and the FBI. A page on the
organization's Web site
already contains information pertaining to, and downloadable software for,
the protection of denial-of-service attacks. According to the NIPC, these
types of attacks are detectable, as there are apparently common threads in
protocol attacks that are not impervious to identification and blocking.
Some systems are more vulnerable than others to these types of attacks, so
the FBI is strongly recommending that e-businesses examine their systems
and search for the type of vulnerabilities that denial-of-service hackers
prey upon. Filtering techniques are also available that detect fake IP
packets. You can expect a great deal of money, in both the private and
public sectors, to be spent on expanding these technologies in the near
future. Finally, the true spirit of entrepreneurism, insurance companies
have begun offering hacker insurance to large sites concerned about the
integrity of their systems.
So, like any good Tom Clancy novel, the plot thickens. The months ahead
should be a good show that proves once again, the truth is stranger than
fiction. Anyone know how to get in touch with Harrison Ford?
The author welcomes your conspiracy theories at troth@tmcnet.com.
|