Cracking Cyber Security

ORLANDO, Florida – He may be in Disneyland, but Richard Clarke, a veteran intelligence officer, refuses to dwell on fantasy land. He refuses to believe that everyone who goes to the Internet has good intentions, that anyone who has a Web or e-mail address only wants to have fun.

On the contrary, Clarke believes the Internet has opened up a whole new world replete with big bad wolves that huff and puff and blow houses away. You see, Clarke lives in reality land. He has to. Being the newly appointed adviser on cyber security by US President George W. Bush, he needs to be tuned in to the realities of the World Wide Web, including the wolves that lurk in the shadows of its dark forests.

"Many businessmen used to think that the Internet is completely safe. They used to believe that it will grow continuously, that hundreds of millions of people will soon access the Net using their handheld devices. But the reality is different. Surveys show that real people think the Internet is dangerous. No wonder growth has slowed down. Many still don’t trust websites," he told delegates to the CA World 2002 conference of Computer Associates’ vendors and users here early this week.

Clarke recalled that cyber security used to be a geek subject, until February last year when, in a span of 44 hours, it became a national issue.

In those 44 hours – from 10:30 a.m. of Feb. 7 to 6:30 a.m. of Feb. 9 – massive denial-of-service attacks knocked offline eight of the Internet’s most popular sites such as Yahoo, eBay, Buy.com, Microsoft’s MSN.com, ZDNet and ETrade.

While so-called "e-vandals" had been defacing and blocking websites for years, and while the infamous Love Bug and other worms and viruses had caused millions of dollars in damage to Internet users in the past, never before had so many major sites been successfully hit in such quick succession. The attacks proved one important point, though: That the Internet is not a creation of Walt Disney. "It’s reality land out there," Clarke stressed. "In reality land, attackers are growing more sophisticated. In reality land, software programs are full of errors and holes. In reality land, networks are not secure."

Clear and present danger

The US Computer Emergency Response Team, a government agency working on emergencies in the computer industry, has received 26,000 reports of computer intrusions in the first three months of this year. This number has surpassed the total for all of 2000. According to Clarke, terrorists were not behind these intrusions as they are still considered far off in using the Internet as a means of launching attacks. They may have used commercial planes in toppling the World Trade Center and damaging the Pentagon but terrorists are still not showing any signs of going to the Web armed with electronic explosives. But this doesn’t mean they’re not planning to do it. "I am hearing an echo of what I heard in 1997. The CIA (Central Intelligence Agency) then warned airline companies that a 747 jet loaded with fuel could be used as a bomb. No one believed them. No one took the necessary precautions. Everyone was thinking it wouldn’t happen," he said.

"And now other companies are saying the same thing about cyber security. They wouldn’t want to take the necessary steps to secure their networks. They still believe no one would break in. But it’s happening, I tell you."

The identities of those who launched the denial-of-service attacks on big-name websites last year have not been established, although US authorities believe they could be amateur hackers just wanting to try their skills in breaking the walls of codes that shielded those sites.

According to the National Infrastructure Protection Center, the availability of prefabricated scripting programs that can create viruses and other harmful codes without requiring much programming expertise has been enticing teenagers to give hacking a try. The hacker who called himself "Mafiaboy," for one, used such scripts to bring down targeted sites, and analysts believe the one who created the Anna Kournikova virus which wreaked havoc on the Web also last year used scripting toolkits.

Clarke sees a terrifying future for these teenage hackers. For him, they can become cyber terrorists. "We have not yet seen traditional terrorists engage in cyber warfare. Maybe its not al-Qaeda, not Bin Laden but new groups. New groups will definitely emerge and terrorize us through the Web."

Dealing with reality

What can be done to prepare for these cyber terrorists?

According to Clarke, the Bush administration is now drafting a National Strategy for Cyber Security, an agenda that would involve all stakeholders in Internet security. The US government, he said, has taken the lead to secure its networks from attacks. Just recently the US Army announced a major move to analyze the vulnerability of its networks and automate security management for more than 1.5 million workstations around the world.

The move will involve the worldwide deployment of the Security Threat Avoidance Technology Scanner, a vulnerability assessment tool, on all post, camp and station networks of the US Army, including mobile subscriber networks and the Army’s tactical Internet. The tool the US Army has acquired is similar to what the National Aeronautics and Space Administration (NASA) is using to keep tabs on vulnerabilities. It allows non-stop monitoring of networks to search for holes which hackers could exploit.

Clarke said private companies should do the same thing. He said companies should never engage in penny-pinching when it comes to security because no one can ever tell when and where an attack would come.

He revealed that even President Bush had requested the US Congress for a 64-percent increase on the government’s budget for cyber security, and for state governments to do the same. "We have to invest more money on security," he stressed.

Clarke noted that the US government is not planning to regulate the Internet in any way and that it is up to private corporations and individuals to ensure that they are protected.

"The US Armed Forces cannot defend your company. If you don’t, I tell you, one day the big bad wolf will come and will huff and puff and blow our networks down," he said. "This is reality land."