Electronic attackers: computer crimes keep government and industry on the defensive.
An onslaught of increasingly sophisticated cyber attacks has prompted the government and private sector to step up efforts to share information and secure networks around the country.
Yet the complexity of new malicious code and the elusive nature of cyber attackers have become significant impediments to detecting or preventing most intrusions.
Computer crimes have quickly increased in recent years and have overtaken the ability of the government and the private sector to fully protect their systems.
"We are constantly in the reactive mode," says Jerry Dixson, director of the national cyber security division at the Department of Homeland Security.
Long gone are the days of young whiz kids hacking into computers to fulfill curiosity or to prove their computer prowess. Today's cyber criminals are as technologically agile, but more perceptive and evasive.
"Software we found through investigations has gotten really sophisticated. It almost requires a PhD," Dixson says.
The Federal Bureau of Investigation identified more than a million computer addresses in June as potential victims of "Bot Net" cyber crime. The FBI defines a Bot Net as a collection of computers that is controlled by a criminal. The attacker gains control of a computer through a piece of malicious software, which infects the system without most owners' knowledge, Dixson explains.
"The majority of victims are not even aware that their computer has been compromised or their personal information exploited," says James Finch, FBI assistant director for the cyber division, in a statement. The crimes were discovered during "Operation Bot Roast," a major initiative created to disrupt intruders and raise public awareness of such attacks, the agency says. The FBI is working with Carnegie Mellon University's computer incident research and development center to notify victimized computer owners.
Malicious codes are one of the most serious threats because of their stealth and the level of financial damage they can inflict, says Ron Ritchey, principal at Booz Allen Hamilton, a technology consulting firm.
"There is a lot of money to be made from making new malicious code. Criminals can make $200,000 a year," Ritchey says.
A movement toward browser-based attacks has also emerged, he says. These entail a person's computer being attacked when logged on to an infected website. Dixson says that browser attacks can occur on seemingly innocuous web pages, like news outlets. Users can be compromised if even one line of code is infected on that site.
The intricacy of these sophisticated attacks has trumped old ways of securing networks.
"Typical perimeter security such as firewalls are becoming increasingly ineffective," Ritchey warns. Companies are moving to individual computer protection like desktop encryption. "Encryption is going to be the law of the land pretty quickly," he says. Behavioral modeling is also used to detect possible intrusions, by monitoring such activity as high bandwidth consumption, which can signal an impending attack.
Tracking patterns of strange behavior is a good way to detect an incursion, but finding the person or group behind the crime is much more difficult. The bad guys can generate attacks faster than they can be detected and traced. "The rate of prosecution is minuscule compared to the rate of attack," Ritchey says. Companies have had some amount of success by making trap doors, such as creating a file with specific corporate data that would attract a criminal, he says.
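The two detection ideas in the passages above (behavioral monitoring of bandwidth consumption, and a decoy "trap door" file that no legitimate user should touch) can be shown in a few dozen lines. The following is an added example written for this page, not code from the article or from any of the organizations it quotes. All host names, file paths, thresholds and flow volumes are constructed sample data; the decoy-file path and the factor-of-five rule are assumptions chosen for illustration.

```python
"""
Added example (not from the article): a small behavioral monitor in the
spirit of the detection approaches described above. It baselines each
host's outbound bandwidth from constructed flow records, flags hours far
above that host's own norm, and separately flags any access to a decoy
("trap door") file. Every value below is constructed sample data.
"""
from collections import defaultdict
from statistics import median

# Constructed flow records: (host, hour, bytes_out). Normal hosts hover
# around 2 MB per hour; "ws-17" jumps to 48 MB in hour 5.
FLOW_RECORDS = [
    ("ws-01", 0, 2_100_000), ("ws-01", 1, 2_300_000), ("ws-01", 2, 1_900_000),
    ("ws-01", 3, 2_200_000), ("ws-01", 4, 2_000_000), ("ws-01", 5, 2_400_000),
    ("ws-17", 0, 1_500_000), ("ws-17", 1, 1_700_000), ("ws-17", 2, 1_600_000),
    ("ws-17", 3, 1_400_000), ("ws-17", 4, 1_800_000), ("ws-17", 5, 48_000_000),
]

# Constructed file-access audit lines in the form "host user action path".
ACCESS_LOG = [
    "ws-01 alice read /shares/finance/q2_report.xlsx",
    "ws-17 svc-backup read /shares/finance/board_minutes_CONFIDENTIAL.docx",
    "ws-03 bob write /shares/eng/build.log",
]

# Assumed decoy: a planted file that no legitimate process ever opens, so any
# access to it is itself the alert.
DECOY_FILES = {"/shares/finance/board_minutes_CONFIDENTIAL.docx"}


def bandwidth_anomalies(records, factor=5.0, min_history=3):
    """Return {host: [(hour, bytes_out, baseline), ...]} for every hour whose
    outbound volume exceeds `factor` times the median of that host's earlier
    hours. A host is only judged once it has `min_history` prior samples, so
    the first few hours of a new host never trigger on an empty baseline."""
    by_host = defaultdict(list)
    for host, hour, bytes_out in records:
        by_host[host].append((hour, bytes_out))

    flagged = defaultdict(list)
    for host, samples in by_host.items():
        samples.sort()                      # order by hour
        history = []
        for hour, bytes_out in samples:
            if len(history) >= min_history:
                baseline = median(history)  # robust to a single past spike
                if bytes_out > factor * baseline:
                    flagged[host].append((hour, bytes_out, baseline))
            history.append(bytes_out)
    return dict(flagged)


def decoy_access(log_lines, decoy_files):
    """Return [(host, user, action, path), ...] for every audit line that
    touches a decoy file. Malformed lines are skipped rather than crashing
    the monitor."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        host, user, action, path = parts
        if path in decoy_files:
            hits.append((host, user, action, path))
    return hits


if __name__ == "__main__":
    for host, events in bandwidth_anomalies(FLOW_RECORDS).items():
        for hour, volume, base in events:
            print(f"bandwidth: {host} hour {hour} sent {volume} bytes "
                  f"(baseline {base:.0f})")
    for host, user, action, path in decoy_access(ACCESS_LOG, DECOY_FILES):
        print(f"decoy: {user}@{host} {action} {path}")
```

Both checks produce an investigation lead, not proof of compromise: a legitimate backup job can move a lot of data in one hour, which is why the baseline is per host and uses the median rather than the mean, and why the decoy file should be one that no scheduled process has any reason to read.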
The government and private sector alike recognize that cyber crime threatens everyone. "We all use the Internet," Dixson says. This thinking has prompted both sides to forge partnerships and increase information sharing.
A DHS-led computer simulation in 2006, called "Cyberstorm," paired government, private sector and international partners to develop recovery and response plans in the event of a major attack. Microsoft experts served as advisors, Dixson says.
A second Cyberstorm is scheduled for March 2008, he says. Participants in the second exercise will come up with a "what-if" scenario and create a response plan. The main focus will be on telecommunications, Dixson says.
DHS also collaborated with private firms when it wrote a computer breach scenario in the National Response Plan, which describes 15 possible domestic incidents and creates a road map for the government to respond and assist local governments, he says.
On the Defense Department side, the Air Force has reached out to the private sector as it develops its new cyber command, the service's future focal point for computer warfare. Lt. Gen. Robert J. Elder Jr., commander of 8th Air Force, is in charge of the new organization. He has worked with the banking and finance sector to learn about computer security.
The Air Force has also signaled a desire to work with the private sector to train airmen in cybersecurity. "My guess is we'll have extensive internships with the private sector," says Maj. Gen. Charles Ickes II, Air National Guard special assistant to the deputy chief of staff for operations, plans and requirements. The service plans to engage Guard and Reserve personnel who work at computer firms such as Microsoft and Dell, Ickes explains.
Despite collaborative efforts to protect against computer incursions, the government and private sector face significant operational problems, the Government Accountability Office says in a June report.
GAO criticizes both sides for not always detecting or reporting Internet-based crimes and says that law enforcement organizations have difficulty retaining personnel with such expertise.
Computer crime accounted for $67.2 billion in annual losses for U.S. organizations, says GAO.
While public and private entities have initiated efforts to address these problems, federal agencies can take additional action, the report says.
"There remains a lack of understanding about the true magnitude of cyber crime and its impact because it is not always detected or reported," GAO asserts. "Businesses do not always want to report problems because there is a perception that their information will be disclosed publicly, which could, in turn, cause harm to their business."
Ritchey agrees that companies are not always willing to share private information. They don't want to hand "embarrassing information" to the government, he says, because "having an intrusion looks like a failure."
Dixson, on the other hand, believes that incident reporting is succeeding. "Every year, the number of incidents reported doubles," he says. This information helps law enforcement get a jump-start on catching attackers. Microsoft and the Bot Net Task Force, a public-private effort started by Microsoft, came forward and reported criminal activity to the FBI during "Operation Bot Roast," which helped the agency find some of the criminals, the FBI says. Three people were charged or arrested during the sting for computer fraud and violations.
Information technology personnel who are scared to report attacks further hinder crime reporting, GAO says. They "fear for their jobs after an incident and seek to conceal the breach from senior management."
But Ritchey disagrees. Within companies, internal reporting is typically good, he says.
Furthermore, the U.S. computer emergency readiness team--the operational arm of DHS's national cyber security division--allows personnel to report incidents without fear of retribution, Ritchey and Dixson both point out. The computer emergency readiness team at DHS coordinates defense and response to computer attacks. It also acts as a clearinghouse for such threats and keeps all data from the private sector confidential with "the assurance that the information will be protected from public disclosure," the team's website says.
Other challenges remain to mitigating computer crime, GAO says, such as the need to improve security for organizations and individual users, as well as raising public awareness about criminal behavior. Dixson notes that the national cyber security division is working with IT companies on software assurance to address this challenge.
To help individual users, DHS is "encouraging folks to use two factor authentication," Dixson says. Companies could start requiring their clients to use two different electronic credentials when accessing an account, for example. This method, however, entails expensive infrastructure costs, Ritchey says. He notes that companies are struggling with the cost versus benefit of security measures.
GAO also suggests that law enforcement personnel struggle to prosecute Internet crimes because there is a limited pool of highly trained specialists. Additionally, the report says that law enforcement efforts are hampered by the cross-border nature of such crime. Officials have a hard time figuring out the laws and legal procedures of multiple jurisdictions, GAO says.
Analysts acknowledge the immense difficulty of mitigating attacks and providing ironclad security. "It will take years to implement security measures," Ritchey says. Yet he doesn't believe attacks will keep increasing over the years because there are significant security measures in place. That doesn't mean the struggle will end, Ritchey predicts. "It definitely is an arms race" between the criminals and the victims.
Email your comments to Bwagner@ndia.org
RELATED ARTICLE: Cyber attacks in Estonia serve as wake-up call.
In late April, a wave of cyber attacks began disrupting nationwide network operations in the small Baltic state of Estonia. The attacks compromised both public and private websites and sent a wave of panic through a country that is known for being especially "wired."
The first attacks coincided with the removal of a bronze statue of a World War II-era Soviet soldier from the town square in the capital city of Tallinn. Estonia blamed the computer attacks on the Russian government.
Immediately following the attacks on Estonia's computer networks, a flood of stories hit the Internet that painted a dark and stormy picture of future "cyber-wars" that would result from the incursions.
For computer security experts, these doomsday scenarios were far from reality. The attacks are characterized as "cyber protest or activism," says Dorothy Denning, a computer security expert at the Naval Postgraduate School. They were coupled with street-level protests by ethnic Russians living in Estonia, she notes.
Now that the dust has cleared, analysts believe that the attacks were most likely a result of political tensions between Russia and Estonia over the statue, and not a full-scale cyberwar that was meant to physically harm Estonian citizens through electronic attack.
The incident was more of a wake-up call than a threat to global computer security, says Ron Ritchey, principal at Booz Allen Hamilton.
The United States need not be worried, Ritchey says, because U.S. Internet service providers are much more capable of handling the type of attacks Estonia experienced, called denial of service attacks. They involve an attacker overwhelming a network with traffic or disrupting service to specific systems or Internet users.
Others agree that such an attack would have little national impact in the United States. When Estonian computers were first compromised, Capitol Hill asked the Department of Homeland Security if such an attack could happen in the United States, says Jerry Dixson, director of the national cyber security division at DHS. "I only think it could have regional impact," he says.
Although the incident was not seen as a major attack, it still had significant impact on Estonia. The parliament, banking systems and media outlets were compromised, prompting the country to reach out for help.
The "worldwide community helped to protect them" and contain the situation, Ritchey says. The Defense Department sent a team of officials from DHS, FBI and the Secret Service to assist, says Dixson. The team is still analyzing the vast amount of information and will "try to learn something from this."