Interview: Richard Power (Computer Security Expert)
How difficult is it to quantify the effects of cyber criminal activity?
Quantifying financial losses from cyber attacks is one of our major problems. Really, you're still doing "guesstimates." Sometimes you'll see tens of thousands, and hundreds of thousands of dollars lost in an attack, and that's mostly the cost of clean-up and investigation. But the real costs are the soft costs--lost business opportunities. If you're conducting e-business and you're counting on $600,000 an hour in revenue, like Amazon, and your service is disrupted by a denial of service attack, you can start with the figure $600,000 for every hour that you're down. If you're Cisco and you're making $7 million a day online, and you're down for a day, you've lost $7 million. That's where you start. . . .
There were estimates that the "Love Bug" virus did damage in the billions and billions of dollars. That scale leaves most people saying, "That's beyond any kind of comprehension."
Right. It staggers the imagination, and there's a tendency to disbelieve that four lines of code literally cost $80 million, or $10 billion in damages. But if you think about it in terms of a 24/7 global corporation, a Fortune 500 corporation, there's a little meter inside it, ticking all the time. . . . A Fortune 50 corporation was hit by the "Melissa" virus when it came out, and their own internal tabulation was that they lost $10 million. When you ask them how they lost it, it was lost productivity, lost network operation time. All of this is factored into their budgets. They have a dollar sign attached to each minute of network time, and when you disrupt that minute of network time, you cost that much money.
And every serious corporation values their information. This trade secret is worth X amount of money. If that trade secret is compromised online, or through some kind of hacking, insider or outsider, then that much money is lost.
Why do so many of these people insist on suffering in silence, instead of making a big noise about the amount of the losses because of this kind of activity?
They're very afraid. . . . There are all kinds of reasons they want to keep it quiet. When there's blood in the water, the sharks get excited, and there are all kinds of sharks--not just hackers. There are civil liability lawyers, government regulators, stockholders, people who are looking at your company for hostile takeovers--all kinds of reasons not to draw attention to your vulnerabilities in cyberspace.
If the victims are opting to keep it quiet for their own proprietary reasons, how much will this delay the ability of society or of this new security industry to deal with the real problems out there?
They're banking on the hunch that their profits will still outweigh the losses--that they'll be able to absorb it and things will go on quietly. But I don't think that that's going to be the case. And they are thwarting the progress of a secure internet, of a secure global cyberspace, because law enforcement, globally--not only in the United States and Canada--but law enforcement in other countries has come a long way. . . . They've gotten up to speed on tracking down, arresting, trying, and convicting cyber criminals. But corporations are way behind on building their own cyber fences, and committing the resources in staffing and money needed to defend their own systems.
How should we view this new private information technology security industry?
Law enforcement's role has never been to secure your business. Law enforcement isn't expected to put in your sprinkler system or your burglar alarm, or to make sure your doors are locked at night. Their job is to respond to your call when there's been a crime committed against you or your property. It's the fiduciary responsibility of those corporations to defend themselves and their customers and their clients against cyber attack. . . .
But there's a kind of a contrast here. On the one hand, you have the victims of cyber crime trying to say that they'll look after it. On the other hand, you see the elements of this new industry scaring the hell out of everybody, saying things like, "Osama bin Laden is going to get you, the hackers are going to get you, the sky is falling." Where does the truth lie in between this sort of self-interested silence and this self-interested racket?
Well, there's the zone of responsibility in there. It's not that easy to find, and you've articulated the problem really well, because you have a bunch of people running around saying, "The sky is falling. The sky is falling. Give us your money, and we'll keep it up for you." And then you have another group of people running around saying, "This guy's crying wolf. There's no problem here. Your credit card is safe over the internet." . . . There's been a kind of a shift in the security industry over the last few years, and you see a lot of people thinking about cashing in with their own IPOs, and their own dotcom security companies, and making a fortune off the danger to other people's fortune. . . .
Not so long ago, when you wanted to talk about security of corporations, the security of software, people like Microsoft would say, "We're not talking." Now, not only are they talking, but they're telling us that they're really doing something about it. How comforted can we be by the reassurances that we're getting from them now?
Well, that's a loaded question. Windows NT came out a few years ago. It was heralded as the secure operating system. And the hackers had a few good whacks at that tree, and fruit started falling off it right away. And now there are hundreds of vulnerabilities for NT. In fact, the hackers joke among themselves that "NT" stands for "Nice Try." So it's not that simple to slap some marketing hype on an operating system and say, "This is a secure operating system." It takes a lot more than that, and they haven't advanced internet security with their product.
But Microsoft is telling us that now they're taking it a lot more seriously, that with Windows 2000, security is a deal-breaker. Their security people say, "If we don't like the security components of Windows 2000, it ain't going out." Is it secure?
Well, ask that question six months from now, or a year from now. The tree will be given a few good shakes, and there'll be some fruit fall off it. There'll be vulnerabilities. There'll be exploits. How those vulnerabilities and exploits are dealt with is another question.
There's a debate in the security community about what kind of operating system we should have. NT Windows 2000 is a closed system. You can't look at the source code. That means only Microsoft and whatever hackers have succeeded in stealing it know how good it is. The good guys don't know how good the code is. The good guys can't look at the code and fix it, and adjust it to their own needs. With UNIX, for instance, the other major operating system, you can look at the code, and you can see what it looks like. You can see where the vulnerabilities are, and you can have your own smart people address that. So there are fundamentally different approaches there. Most internet security experts believe you should have an open system, so that everybody sees, and everybody is on the same playing field.
Whether I'm speaking as a person with just an internet account or somebody with a business, when the cyber goblin gets me, who should I be mad at? Should I be mad at the goblin? Should I be mad at the guy who sold me the software? Should I be mad at the government for not protecting me?
You might start with yourself in terms of how badly you were gouged. If you're doing your banking online, if you're doing your stock trading online, if you're buying a house or a car online, you might want to think a little bit about how you're doing it, why you're doing it, what the consequences are, how to monitor your online identity. Leave a paper trail for yourself, leave back-ups of your activity for yourself, check things out, check your credit rating every few months to see if there's something strange on there. There's a whole range of activities that you have to now take part in, just like a homeowner has to have insurance, has to have locks and fire alarms and everything for their house. You, as a citizen of cyberspace, and somebody doing business out there has to take some responsibility for your money, and for what's happening.
Beyond that, you have to look at the merchants and the financial institutions that you're doing business with, and what responsibility they take for what is going on with your online activity, and the vendors of the software that are supposedly making it secure for you. . . .
So where does the big burden lie--on me, the user, or on the company that is selling me the tool?
Well, it's only been in the last few weeks that Visa International has issued a new set of regulations for the merchants using its credit cards online to adhere to. And if you look at this set of new regulations, they are the most fundamental things about internet security: have a firewall in place, have the latest version of software in place, use encryption for any files that are accessible from the internet. It's hard to believe that this basic level of internet security is what is being required of people now. . . . We're already tens of millions, billions of dollars into e-commerce, aren't we? This is the second or third Christmas where we're going to be talking about how much is being spent online. So there's some culpability there. There's some need for a more serious look. . . .
You've been monitoring crime, probably more specifically than anybody else that I've talked to. Was there a case that sort of blew your socks off?
In the mid-1990s, there was a rumor about something called BlackNet. And the rumor was that there were these crackers online who were stealing and selling information, and you could ask them for whatever you wanted. They could go get it, email it to you, and it was all done with encrypted accounts and anonymous remailers, and all very cloak-and-dagger on the Net. Some people said this was real, some people said it was an FBI sting. Some people said it was a hoax. BlackNet itself turned out to be a hoax, perpetrated by a bright young "cypherpunk," as they're called.
But while that urban legend was passing around the internet, there was a real "BlackNet" operation going on. It was eventually called "Phonemasters" by the federal investigators. This was a gang of crackers, across the country, Philadelphia, Santiago, Dallas, and in Canada, Switzerland, and as far away as Sicily. They were involved in stealing credit card information and reselling that information. They had a menu of activities they could perform. They had Madonna's home phone number, they could hack into the FBI's national crime database. They hacked into a telephone company to find out where the federal wiretaps were for the Drug Enforcement Administration, beeped the dealers that were being tapped and said, "Hey, you're being tapped by the DEA." And that blew drug investigations out of the water. These guys were serious. . . . It took years to get a conviction and a sentence in that case.
Some of the groundbreaking work was done in terms of tapping data transmissions and all kinds of stuff, and it took a long time. But that is what we're talking about when we're talking about financial fraud, about cyber crime on the Net, the range of things that can happen. And you know, these guys were amateurs in the sense of criminal activity. So you can imagine what a serious criminal organization that takes that kind of hacking seriously could do. . . .
What, as a community, is going to happen to make the internet safer?
. . . We have a highway, this internet, this global cyberspace, but we don't have any yellow lines. We don't have any speed limits. We don't have any driver's license. We don't have any license plates. We barely have car insurance. It's not required. You get my analogy. We want this internet, this global cyberspace, to be completely free, completely open. Everyone does. I do. But we also want to conduct business there, and we want to relax there, and have our children be educated there, and seek entertainment there. Those kinds of activities require law enforcement, require international treaties, and require responsibility--corporate responsibility and personal responsibility. So we have a long way to go before cyberspace is as safe, even as safe as the interstate highways. And, as you know, the highways aren't all that safe. . . .
What have we learned so far from the big attacks that we've experienced to date?
The Citibank case, where some Russian hackers, notably "Vladimir Lenin" operating in St. Petersburg in Russia hacked into Citibank in New York. They succeeded in committing wire fraud, basically, to the extent of $10 million before they were caught, arrested, tried, convicted and everything else. There are a lot of lessons in that case. Nobody wants to talk about the Citibank case much, because the bankers don't want you to think about problems with online banking and the internet. The dotcom companies don't want you to think about the consequences of cybercrime. . . . This wasn't even an internet crime. This was just a dial-in system where you made transactions to and from your account over the phone. And these systems were compromised early on. I suggest that that kind of activity on the internet is even easier, not harder. And in fact, Citibank, in order to deal with those vulnerabilities after the fact, instituted "smart cards"--cards for the customer to swipe and identify themselves, similar to an ATM card. My suggestion is, if you're conducting online banking, and you are using a password and user ID, you are not using adequate authentication to the network. You are exposing yourself to vulnerability.
What did we learn from the Martin Luther King Day crash at AT&T?
Well, the Martin Luther King Day telephone crash, back in the early 1990s, affected the public switch network, the telephone system from coast to coast, for many hours. There was significant infrastructure collapse. . . . We hear a lot of talk about information warfare, and the preparation for information warfare, and the need to build up defenses against infrastructure attacks. And some of the doubters say, "Well, where is the evidence of infrastructure attacks?" And no one will talk about it, and maybe there hasn't been one. But the Martin Luther King Day crash in the early 1990s is an incident that I understand to be an infrastructure attack, although AT&T only acknowledges a software glitch. There was never any prosecution, any arrest or prosecution in the case. There is evidence that it was a single command issued by a hacker that brought down the public switch network that day. . . .
What is it going to take to make cyberspace a safer place?
I think it will have to do with tort law, civil liability and exposure. And of course, no one wants to talk about government regulation. But I always point out to people that when they come into their office in the morning and switch on their lights and they get electricity, and they pick up their phone and they get a dial tone, to some extent, like it or not, the availability and the constancy of those utilities has to do with government regulation. If we are going to look at the internet as a place to do business, as something as vital as the phone system, or the power grid, or the air traffic control system itself, then you have to start looking at what you will require from those who want to be the bulwarks of that . . . .
Who are the bad guys? Who's the enemy in this new cyber world?
In terms of criminal activity? Well, it ranges from petty theft, really, to state-sponsored terrorism. And you have everything in between. You have the cyberspace mugger who's going to steal your personal identity, and destroy your credit by committing fraud in your name, or stalk your children or your loved ones online. There are organized crime syndicates that are going to be engaged in stealing massive numbers of credit cards and selling them and using them for credit card fraud globally. There are governments and corporate entities, globally, that want to steal technology: cutting-edge technology, biotech, high-tech, and low-tech technology. They want to compress the arc of time for their economies to develop and catch up with the Big Eight economies. And somewhere out there there's a cyber Unabomber, who is concocting for his own bizarre motives some really unpleasant event that could impact the lives of thousands or millions.
And there are the cults. Aum Shinri Kyo is the cult that hacked aggressively into technology companies to steal technology that they were interested in. There are the Osama bin Ladens of the world. Some people mock that specter, but those folks have satellites, they use encryption, and they are on the Net, both to gather information and to disseminate information, to gather intelligence and conduct operations. And then, of course, there are governments. What will happen in the Straits of Taiwan between Taiwan and China, and all the hot spots in the world, is also taking place in cyberspace. They're looking at ways to attack each other's digital infrastructure.
The problem is a lot more complex than just people with green hair and body piercing.
Some of the folks with green hair and body piercing are very bright kids who solve puzzles that people with computer engineering backgrounds can't solve. But the juvenile hackers and the young hackers get caught, and they end up in the headlines because they get caught. And the reason they get caught is that they're not professionals. They are out for the adventure. They are out for bragging rights. They are out for exploration. The professionals, the ex-KGB agents, or the ex-CIA agents, the person from German intelligence, or Israeli intelligence--they're not going to get caught. And when they are detected, the people who detect them are not going to want to acknowledge that they've been there.
Groups who are responsible to the public, even corporate groups, seem to be having a bit more difficulty because of this incredible brain drain from academia, from the military, and from the public sector. How serious a problem is that?
It's a big problem. Information security isn't really something that's inculcated by software engineers as they come out of graduate school. . . . You could count on the fingers of one hand the academic institutions that are doing serious research and development in computer security and internet security. And when those programs develop young people that are really gifted. . . . they don't stay in academia. . . . They get into the corporate world, and they are tempted away into the consulting end of things, into the accounting firms, and the security companies that are wanting to cash in on the threat. And on the government side, the government will take somebody from the military or law enforcement, train them on cutting-edge technology and computer forensics, how to detect and thwart cyber attacks and threats to the infrastructure, and all these critical issues of online espionage and information warfare. And then those people get tempted away by those corporate sector salaries, and they leave public service for the private sector. So there's a brain drain all the way down the line. . . .
What happened with the Aum Shinri Kyo incident?
The important point that the story of the Aum cult brings home is the plausibility of the cyber terrorist threat. We may never see a cyber attack, but it would be irresponsible for those who are entrusted with national security to not consider the consequences. For example, if someone had said before it happened that a small New Age cult would launch a Sarin gas attack on the Tokyo subway system to spur some Armageddon that would somehow leave their cult leader in charge of the world, you would think it was implausible. But it happened.
And the Aum cult was not only preparing for chemical warfare and other kinds of warfare. They were actively engaging in hacking into Japanese corporations and other entities around the world to gain technology they wanted--laser technology, for instance--because they wanted to build their own laser guns. And they, in fact, targeted and were recruiting software engineers and scientists and bright young people who had skills that they wanted. And they did drive up to the gates of Mitsubishi in the middle of the night, break in, get into the main computers, and hack into those computers to get trade secrets, proprietary information.
It's not difficult to surmise that they involved themselves in other hacking capers. But even this year, years after the Sarin gas attack . . . it turns out that a front organization that is controlled by the Aum cult was the contractor that developed software for 90 Japanese government agencies, including the Japanese police and elements of the Japanese Defense Department. And literally a day before this software was to be deployed, somebody put two and two together, and blew the whistle, and said, "Wait a minute. Look who developed this software." Now, was there anything funny in the code? We'll probably never know. But the danger of it is astounding, and the plausibility. You wouldn't believe it if I had told you, "A cult could be writing software that could be downloaded into the police department or the military wing of your government." People wouldn't believe it. But it almost happened, literally. It was within 24 hours of being deployed in Japan.