THE SKY HASN'T FALLEN yet, but it soon may. At least that's been the message repeated for more than a decade by computer security professionals, military planners and multiple blue-ribbon commissions. All have warned of an impending "Digital Pearl Harbor" in which US computers will be hit hard by foreign governments or terrorists employing a variety of electronic attacks. The result, we're told, will be damage to critical infrastructures, massive economic loss and perhaps worse.
Let's face it: Cyberattacks are easy. In August 2000, an employee at an Internet news service published a fake press release for Emulex and caused the company's market capitalisation to drop by $US2.5 billion. SQL Slammer used a vulnerability that had been known about for months, causing significant damage, and it could have wiped the hard drive of every infected system — if only its author had been more vindictive.
Since the early 1990s, it's been clear that an organised attack over the Internet or other data networks could seriously disrupt not just civilian but military targets as well, thanks to increased interconnections. In the 1980s, a group of West German hackers broke into more than 40 sensitive computer systems at the departments of Defense and Energy, and NASA. During the first Gulf War, hackers from the Netherlands broke into 34 DoD systems — including the computers that abort ships in the theatre of operations. In 1995, an Argentinean hacker broke into DoD, NASA and Los Alamos National Labs systems that contain information on aircraft design, radar technology and satellite control systems. In February 1998, two teenagers from California, tutored in the art of hacking by an 18-year-old Israeli, broke into other DoD systems. In each of these cases, had the hackers been suitably motivated, they could have caused substantial damage to US national security.
Given all that, why didn't the Iraqi military start attacking us in cyberspace when we started bombing their country? At the very least, why didn't Iraqi sympathisers and angry youths walk in from the Arab Street and start pounding us from their keyboards? When I called my friends in Washington and asked them that question, their answer was simple: The nation's digital security has gotten a lot better in the past two years.
Lines of communication that did not exist even two years ago have opened between law enforcement, the military, commercial providers and businesses. Administrators and software providers have become far more aggressive about deploying security technology like virus scanners and applying security patches. As a result, those running the national information infrastructure are now in a much better position to deal with current attacks. Yes, we're still vulnerable to worms and viruses, but those attacks are less likely to jeopardise lives. The Hoover Dam is secure.
And yes, some teenage hacker with a few hundred "zombies" on the Internet can use those assets to launch a distributed denial-of-service attack against a Web site. With just a few mouse clicks, the teenager might cause 6Gbps of traffic to bear down on some hapless victim. But aggressive monitoring now picks up these attacks shortly after they start. Once identified, it takes only a few phone calls to update a router configuration and neutralise the onslaught.
During the war in Iraq we experienced an upsurge in low-level denial-of-service attacks against Web sites, but for the most part these attacks appear to have been the work of relatively unsophisticated and underfunded sympathisers.
Iraq of the 1990s simply wasn't a good place for aspiring information warriors to develop their skills. What's more, those individuals with highly marketable computer skills were more likely to leave the country than to serve the regime. Countries such as China, England, France and Russia all have info-war capabilities; Iraq didn't.
Ironically, probably the most successful cyberspace attack of the 2003 Gulf War appears to have been a US-originated attack against the English language version of the Al Jazeera Web site; whether it was an official attack of the US military or the act of homegrown hackers sympathetic to the US position remains unclear.
Lessons from the Front
To understand what all this means for CSOs, it's helpful to look closer at the US military's own thinking, planning and response.
Within the US military, the phrase "information warfare" really covers a broad spectrum: blowing up bridges that contain fibre-optic cables, dropping leaflets urging troops not to use weapons of mass destruction or using intelligence to aim 2000-pound bombs on "leadership targets." For the military, "information warfare" really means using information to multiply the effectiveness of traditional war-fighting capability. It includes the millions of e-mails and text messages sent to Iraqi commanders. It also includes the practice of deception against the enemy and the use (or manipulation) of the news media. The decision to embed journalists with its forward troops, for example, was a marvelously successful part of the US military's information warfare strategy.
When computer geeks think of information warfare, their minds turn to hacking and cracking: shutting down communications networks by penetrating their routers and wiping out configuration files; planting viruses inside enemy e-mail systems; grounding enemy aircraft by diverting fuel trucks to the wrong bases. Most military planners classify these operations as cyberwar.
It's hard to write knowledgeably about our government's offensive information warfare capability; the capability is largely classified. But sources tell me that much more money is spent on defensive measures than offensive ones. That's because every military installation is responsible for defending its own computers. But because cyberwar is so new, relatively untested and specialised, a decision to launch a cyberweapon could be made only at the military's highest levels. If a commander in the field wanted to shut down an enemy e-mail server, it would be far easier to simply bomb a building than go through channels to do something digital. Top brass would likely feel the same way: Our military officials understand the political fallout of accidentally bombing the wrong building; they don't know what would happen if they released a computer worm that "accidentally" shut down the Internet for a few days.
The US military actually has a huge incentive to have politicians group cyberweapons in the same category as poison gas and germs — that is, weapons that are simply too terrible to use. That's because cyberweapons are cheap: If their use against the enemy is legitimised, then their use against our own civilian infrastructure is potentially legitimised as well. That's why if we are attacked with cyberweapons, our military is probably more likely to respond with conventional weapons.
Surprisingly, CSOs are faced with this same calculus when their systems are attacked in cyberspace. If a hostile customer shows up at your office with a gun and starts shooting, it's entirely appropriate for an armed security guard to respond with deadly force — in fact, the courts would see this as an exercise in self-defence. But if that same hostile customer were to launch a cyberspace attack against your servers, it would be utterly inappropriate to respond by hacking that customer's desktop computer or DSL modem. A more reasonable approach would be to report the attack to law enforcement or sue the customer in the civil courts.
That is a decision you might need to make some day. Like the military, many businesses are essentially developing an offensive cyberwar capability as part of their effort to defend themselves. If you have an antivirus system, then you have a collection of intercepted viruses that you could easily e-mail to your attacker. Many of today's network scanners will happily launch destructive scans at the click of a button. In order to effectively audit their systems, most security administrators have learned how to hack.
What's more, businesses are increasingly finding themselves in situations where "hacking back" seems like the only reasonable alternative. Law enforcement won't care that your organisation has been attacked unless you have significant monetary damage. Meanwhile, you may not be able to file a lawsuit unless you can identify the perpetrator, which may be difficult if the attack originates from a server in China. Wouldn't it be much easier, cheaper and faster to type a few commands and shut down the enemy system?
Perhaps, but any organisation that takes the law in its own hands by hacking back has far more to lose than its attacker. Hacking is illegal; breaking the law opens the organisation up to legal liability and criminal prosecution. It's safer to simply add a few rules to your firewall and hope that the attacker will go elsewhere. And with any luck, the sky won't fall after all.
Simson Garfinkel, CISSP, is a technology writer based in the Boston area. He is also CTO of Sandstorm Enterprises, an information warfare software company.