Cyberattacks: The Worst is Yet to Come
Internet Vulnerabilities / No Guaranteed Plan
By James Schultz
Whether in the form of denial-of-service, viruses, Trojan horses, identity impersonation or password cracking, computer attacks against government systems are on the rise.
At risk is not only sensitive or classified information, but also routine operations and myriad basic services that have either been automated or depend on Internet connectivity, or both.
And while the government's increasing dependency on computer and Internet technology has accelerated substantially system requirements for confidentiality, authentication, integrity and access, the government's ability to meet those requirements and enforce suitable policies has not kept pace, according to a report by the National Research Council's Committee on Information Systems Trustworthiness.
Complicating, and often compromising, protection is the growing use of extensible systems and foreign or mobile software code, such as Java applets and network-delivered ActiveX modules. The result, said the committee, is that "successful attacks against networked [government] information systems are common, and evidence suggests that many go undetected."
The 1999 report, "Trust in Cyberspace," noted that the Federal Bureau of Investigation has estimated total damages to the U.S. economy from computer crime to be about $300 billion. Quantified financial injury, however, totals just $100 million, most likely because of a lack of clear-cut reporting guidelines and a reluctance to record intrusions.
Insider-initiated cybervandalism also is on the rise. While more accurate estimates will not be possible until comprehensive reporting mechanisms are in place, computer-security attacks and breaches may be responsible for at least $250 billion in lost revenue, according to the report.
William Malik, vice president and research area director for information security for the GartnerGroup Inc. of Stamford, Conn., said that while the total information technology and telecommunications sector in the United States is valued at $1 trillion, the computer security market itself amounts to just $1.5 billion.
On average, government agencies and companies spend between 2 percent and 3 percent of their annual budgets on security, including hardware products, software and assorted services. Those expenditures eventually may increase, based on perceived threat and anticipated losses.
Posing a far more serious threat are extortionists and embezzlers, who use computers to steal as much as $10 billion per year from the public and private sectors, Malik said.
"While hacking causes economic disruption, a lot of it is soft-dollar cost," he said. "If, because of a virus or other attack, my computer is slow to boot up, I don't go bankrupt. It may be irritating, but I do something else. It's a nuisance that slows you down, like running out of gas. But you recover and keep rolling."
A more ominous menace is that presented by impromptu alliances among figures in organized crime, terrorists and hackers, Malik said. All three groups have much to gain from collaboration. Their targets will have much to lose, especially as Internet-enabled e-business in government and the private sector becomes routine.
Constantly relying on Internet-based transactions to communicate, share information and conduct financial transactions is at the heart of cybervulnerability. Hackers count on, and are only too eager to exploit, the brief but powerful Net tradition of openness and accessibility.
Thus far, Internet-related security solutions for existing software predominantly have been add-ons; dedicated Internet applications with a high level of built-in security only now are beginning to appear.
"The Internet was designed to be open, with distributed control and mutual trust among users," said Richard Pethia, director of the Computer Emergency Response Team (CERT) Center at Carnegie Mellon University's Software Engineering Institute in Pittsburgh, in testifying before the Senate Judiciary Committee May 25.
"As a result, control is in the hands of users, not in the hands of the provider, and a central authority cannot administer use," he said. "Furthermore, security issues are not well understood and are rarely given high priority by software developers, vendors, network managers or consumers."
Consequently, security measures that were appropriate for mainframe computers and small, well-defined networks inside an organization are not effective for the Internet, a complex, dynamic world of interconnected networks with no clear boundaries and no central control, Pethia told lawmakers.
"Because the Internet was not originally designed with security in mind, it is difficult to ensure the integrity, availability and privacy of information," Pethia said.
Exacerbating the problem is the government's move, for efficiency's sake and to boost cost-effectiveness, to off-the-shelf products. But such products could have hidden costs.
Commercial vendors, forced by the rapid pace of technological development to concentrate on rushing their products to market, place a low priority on security features, Pethia said. In newer versions of products, CERT sees the same kinds of susceptibilities already identified in earlier versions.
"Engineering for ease of use is not being matched by engineering for ease of secure administration," Pethia said. "Today's software products, workstations and personal computers bring the power of the computer to increasing numbers of people who use that power to perform their work more efficiently and effectively. Products are so easy to use that people with little technical knowledge or skill can install and operate them on their desktop computers.
"Unfortunately, it is difficult to configure and operate many of these products securely," he said. "This gap leads to increasing numbers of vulnerable systems."
As software continues its transformation into a bargain-basement commodity and profit margins drop accordingly, market pressures seem unlikely to ease. Aside from makers of security products, such as firewalls and virus detection and elimination programs, vendors appear to have scant commercial incentive to build more than rudimentary safeguards against hacking into new software or into upgrades to existing products.
With government buyers eager to purchase software inexpensively and in volume, the trend is disturbing to many security experts.
"Even [the Defense Department] and the military, even the [National Security Agency] and the CIA have been moving toward the [off-the-shelf] model in the last few years. It's hurting security," said Joseph Patanella, founder, president and chief executive officer of computer security services firm TrustWave Corp. in Annapolis, Md.
"You open yourself up to products that haven't been tested," said Patanella, who worked at NSA for 18 years as an information technology security expert. "The [software] industry chases technology and neglects security. They rely on users to find bugs, and then build patches to fix them. That's been and continues to be the model."
Whatever innovation is introduced may be stymied by existing policy. Obtaining the best of breed may not always be possible under government purchasing directives. In any case, both public- and private-sector users are often on their own, or at the very least dependent on the skill of their department's information technology specialists.
To combat computer systems intrusions, the Clinton administration has proposed spending $606 million in fiscal 2001, up from the previous year's $451 million, for research and development funding to protect the nation's critical information technology infrastructure.
The National Plan for Information Systems Protection would target key systems, such as electric power generation and distribution, to limit the potential for harm from any cyberdirected attack. Later iterations would funnel money and information to infrastructure owners and operators, as well as to the broader business community.
The plan would include the development of a Federal Intrusion Detection Network (FIDNET) to protect vital systems in federal civilian agencies and ensure the rapid implementation of system "patches" for known software defects.
Also included is funding for cryptographic efforts, including pilot programs at a variety of federal agencies, and the establishment of a $50 million Institute for Information Infrastructure Protection that would combine federal and private efforts to further boost advanced cybersecurity research and development.
Congressional support for the initiative, however, is uncertain. In the past, legislators have opted not for comprehensive legislation, but for more modest, less ambitious bills. The danger, said observers, is that legislation will move too slowly to effectively counteract threats that propagate at light speed.
Indeed, those who organize, plan and carry out attacks may be counting on legislative indifference or complacency.
"The public would be mortified if they really understood how vulnerable we, the government and the private sector, really are and how frequently hacking occurs," said John Thomas, deputy general manager and vice president for information assurance for AverStar Inc. in Burlington, Mass., which provides computer security services. "The Internet is getting larger and larger every day. The ability to inflict harm is likewise increasing. There's bound to be an increasing number of malicious events."
The risk of inactivity is high. With the explosion of Internet-enabled commerce, and common dependence on all things electronic, an intense enough attack could disrupt or disable large segments of the U.S. economy.
"More effective computer security will require a sea change," said the GartnerGroup's Malik. "Most software is still being shipped without the proper auditing controls.
"We're also putting out tons of bandwidth, and have no idea of the dangers flowing through those pipes into our computers," he said. "There are things out there that are not safe."