Monday, Nov. 10, 2003

The Code Warriors

By Eric Roston

Round-table participants: David Aucsmith; Dan Geer; Charles Palmer; Sal Stolfo; Michael Vatis

Cantor Fitzgerald, the financial-services firm that occupied the top floors of a World Trade Center tower, has more real-world experience with computers and terrorism than any other company. It lost more than 700 of its 1,000 New York City employees on Sept. 11. Despite obstacles that were unforeseeable in any emergency contingency plan and that challenged the limits of emotional endurance, survivors managed to reopen with the bond markets 47 hours later.

How did they do it? Within three hours of the attack, technology employees made it to a seven-month-old backup facility across the Hudson River in Roselle Park, N.J., and contacted the London office. Reassigning tasks on the fly between London and Roselle Park, they brought processing and storage systems online, installed truckloads of new equipment with help from Microsoft and Cisco Systems, and in isolated cases even reconstituted passwords of fallen colleagues, who--like me and probably you--made them personal and easily remembered.

Behind the superlative heroism of this tale lie the two key mandates of the new century: prevent physical attacks and make computers safe from intruders. As the nation girds against mortal threats, many experts fear we will overlook the danger to our information, wealth and identities, all now reduced to 0s and 1s spinning through silicon. The more we rely on computers, the more vulnerable we are to attack or failure.

How ready are businesses and governments for what onlookers more than 10 years ago began calling a "digital Pearl Harbor"? Physical attacks are targeted to specific geographic areas; if you're not there, you're probably safe. But if you have computers or are affected by them--and that's everybody--you're at risk of inconvenience, intrusion or, technologists fear, much worse. Building better defenses to protect home computers, business networks and civic infrastructure must therefore be--however cliched it is to say--the Next Big Thing. In 1999 security incidents reported to the CERT Command Center, a federally funded research group, totaled 9,859; from January to September of this year, there were 114,855. Security spending has grown 28% a year since 2001, the Gartner research firm reports, while overall tech budgets have expanded just 6%. And a three-day war game in July 2002 run by Gartner and the U.S. Naval War College tentatively answered the Pearl Harbor question. It is possible, they concluded, that without proper cybersecurity--both tools and behavior--highly skilled hackers could disrupt the nation's electrical, financial and telecommunications systems.

In a year in which viruses and worms made the front page and identity theft reached an all-time high, TIME's Board of Technologists keyed us into current cyberthreats and offered us its best solutions. On hand for our round table were David Aucsmith, architect and chief technology officer of Microsoft's Security Business Unit; Dan Geer, a consultant, entrepreneur and lead author of a recent report on the potential risk that widespread use of Microsoft products places on security; Charles Palmer, director of IBM Security & Privacy Research; Sal Stolfo, a Columbia University computer-science professor and member of Professionals for Cyber Defense; and Michael Vatis, an attorney with Fried, Frank, Harris, Shriver & Jacobson and director of the FBI's National Infrastructure Protection Center from 1998 to 2001.

SECURITY 101

"I always say, 'As far as we know,' no one has written a virus or worm that can bring down all the communications. But that opening disclaimer is very important." --Charles Palmer

Sept. 11 taught us that the spectrum of potential threats is as wide as the imagination. The same could be said for the vulnerabilities of the computers we depend on. Families must guard their computers against novice vandals planting viruses or against more advanced intruders leeching their computing power to launch a cyberattack on someone else. Despite the spate of devastating viruses this year--Slammer in January, Blaster and Sobig in August--the threat has evolved past the 17-year-old hacker, past the lone thief who steals and reveals credit-card data. Businesses must now watch for organized-crime groups adept at lifting valuable, private information and extorting money with it. The Federal Government and key industries must keep aspiring cyberterrorists from busting open dams or shorting out our electric grid from a keyboard in Pakistan. Reason: al-Qaeda and other terrorist groups have started scoping infrastructure and learning about cyberattack techniques.

The main reason for our vulnerability is that scientists created the Internet as an open network to share information; they never anticipated its dark side. Now, having unleashed it, they must retroactively make it closed and safe from these threats. "Value has moved into cyberspace," Aucsmith said, "and there are real criminals moving there as well." He noted that Willie Sutton, the legendary bank robber, said he cracked safes "because that's where the money is."

THE HUMAN THREAT

"If you can fault our industry--we realized a little bit too late that we did indeed connect everybody, including the bad guys." --David Aucsmith

Humans strike at computer systems in one of two ways, through malevolence or incompetence. Unfortunately for law-enforcement agencies and the people they protect, the bad guys are getting much better at what they do.

The FBI in the past two years has reinforced its cybercrime division as mercenaries in the global capitals of hackerdom--Russia, Brazil, the Philippines--team up with traditional organized-crime groups to infiltrate ATM systems or hold corporate databases hostage. Before he became mayor of New York City, Michael Bloomberg helped the FBI and Scotland Yard foil a plot by a Kazakh national who was threatening to break into the computers of Bloomberg's financial-information company unless he was paid off. In November 2000 the FBI busted two Russians who had been trying to extort money from an American Internet company--undercover agents had lured them to the U.S. with compliments and a fake job offer. And the FBI, burned in 2001 by the Robert Hanssen spy scandal, knows as well as anyone else the danger caused by internal security threats, which nationwide are growing even faster than external ones.

Incompetence can be just as wily an opponent. Before the desktop revolution, the average computer user had to know much more about how computers work than he or she does today. Now we don't need to know much but still foul up what we should know, like not opening attachments to unsolicited e-mail. Consumers also repeatedly fail to install security available to them. Manufacturers regularly issue programs called patches that fix newly found flaws in software. Microsoft gives consumers several options for patch delivery, from automatic downloads to manual installation. Free security upgrades: What could be easier?

Virus writers take advantage of the gap between the time a patch is issued to cover a newly discovered flaw and the time users actually download the patch. In that window, they are able to study the flaw, write their destructive virus and let it loose. And they have been getting better at it--so much better, in fact, that Microsoft last month introduced a stricter security regimen. The company will release its patches monthly to make life more predictable for corporate and individual customers. At the end of October, Bill Gates previewed the firm's Longhorn operating system (due in 2006), emphasizing its security advances.

Companies are trying to automate security so that customers needn't worry about it: today's software is in many cases so overgrown and bloated that the complexity overwhelms programmers. The number of flaws increases geometrically with the volume of code. "Complexity is the enemy of security," Palmer said.

The software industry is learning from the credit-card industry, which has digitized crime watching based on card users' behavior. Basically, the credit-card companies monitor your card patterns, and when something out of the ordinary happens--a card is used overseas, yet the cardholder rarely travels, for example--the alarm goes off. Is the cardholder really in London? It sounds creepy and intrusive, but tracking exceptions to detect intruders is the basis for several new security approaches. And it has already become an invisible part of our lives. Stolfo has a start-up called System Detection, a two-year-old company whose tools scan networks and applications for code that shouldn't be there. Surveillance of this variety is effective--and it is going to be more pervasive. A number of start-ups are developing technology that sniffs out "aberrant" behavior. Like it or not, somebody is going to be watching.

MARKET SPEED

"I don't personally want to bash any individual company or manufacturer. I would rather bash them all." --Sal Stolfo

Suppose 90% of the world's automobiles used the same engine, and an undetected flaw suddenly emerged that shut them all down. We're talking global gridlock.

That's the worst nightmare for Microsoft, the company that provides 90% of the world's desktop operating systems and a similar proportion of its Internet browsers. Microsoft earned its market share, but with that dominance comes the vulnerability of what computer geeks call monoculture. The near monopoly undermines security by making everyone's computers susceptible to the same flaws (you need only note the $2 billion in losses caused by the Sobig worm to understand). Critics point to parallels in the natural world to explain what happens when life becomes too dependent on a single source. "The Irish potato famine killed a country. The boll weevil killed an economy," Geer said. "It is self-evident that the desktops of the world are clones ripe for the slaughter"--unless they are Macs or run the open-source Linux software, both underdogs that hackers are less likely to subvert. The latter's ability to be guarded and upgraded on the fly by a universe of programmers offers some protection against the megaviruses. Linux's tamper resistance is one reason governments in particular are showing great interest in Linux-based operating systems.

Unfortunately, most business customers don't know how to determine their own security risk. "They just wing it, largely," Vatis said. Companies such as AIG and Chubb offer cyberinsurance, but the industry lacks the actuarial data it has for traditional lines. Large companies can't just redesign products with more deeply embedded security features, because customers don't take well to mandates to completely trash their old systems for new ones. "It would be considerably easier if I were allowed to start from the ground, build a secure system and deploy," said Aucsmith. Until that happens, the data we entrust to companies might be guarded by the cyberequivalent of a dozing senior citizen with a fake cop badge.

CYBERNATIONAL SECURITY

"As long as the state of security remains where it is today, the government will never have attack-response capabilities. We will remain too much of a target-rich environment." --Michael Vatis

Put more bluntly, our country's critical data systems are the World Trade towers, and the hijacked planes are heading in their direction. Criminals have discovered how much easier it is to rob banks with a keyboard than a mask and gun. Will terrorists figure out how to shut down the banking system and strangle the economy? Information technology controls the nation's physical infrastructure--nuclear plants, air-traffic control, water systems--like a central nervous system. "Hits against the IT network will cascade to the other critical infrastructures," Stolfo said. (Consider the cascading effect of this year's blackout.)

A 2002 National Academy of Sciences report stated that our willingness and ability to deal with threats relative to their magnitude had grown worse since the organization's first report in 1991. "Nobody owns the problem," Stolfo said. Professionals for Cyber Defense, Stolfo's group, and Vatis have independently called for a Manhattan Project for security that would take responsibility for safeguarding these critical networks.

That's an awesome task, and it won't be completed overnight. "These threats are not new," asserts Robert Liscouski, Assistant Secretary of Homeland Security, who is shuffling several far-flung federal agencies into one National Cyber Security Division (NCSD). He says "digital Pearl Harbor" scenarios are exaggerated: "That's a bit of an overplay for me, and I get paid to worry about this stuff." In October, Amit Yoran, a former vice president of the Internet security firm Symantec, became head of the NCSD, which will attempt to seek and destroy vulnerabilities in cyberspace, issue warnings in real time and foster communication with the vast private sector, which owns 85% of the infrastructure.

The Federal Government is nipping at the problem elsewhere. Hard-core technophiles get queasy at the notion of Congress creating laws that tell them how to do their arcane jobs. Yet three of the most significant laws of the past 10 years--the Health Insurance Portability and Accountability Act (1996), the Gramm-Leach-Bliley financial-modernization law (1999) and last year's Sarbanes-Oxley corporate-reform act--all have mandates to protect and secure data. Still needed, Geer argued, are laws that hold companies liable for holes in their security that make us vulnerable to attacks from elsewhere. Responsibility for passive negligence "might be better than, God help us, the U.S. Senate imposing an argument about what the limits of liability should be," he said.

Generals, the saying goes, are always fighting the last war. With the nation understandably focused on aviation security and biological, nuclear and chemical threats, technologists hope their message--that network vulnerabilities are real and that a significant failure could muck up everything else--is getting through. Security risk is a shifting balance between individual and institutional responsibilities and vigilance. Or, as Geer succinctly put it, "The price of freedom is the probability of crime."