Virtually Helpless

The threat of cyberwar looms large. Our best homeland defense may be surprisingly small

It is all very impressive. Yet none of the systems upon which the city's economic life depends could withstand the major denial-of-service attack terrorists are now capable of delivering. "The odds of some kind of cyberattack have gone from probability to a certainty," says Fred Rica, a threat-assessment guru with PricewaterhouseCoopers, LLP.

The question is, what scope of attack should the city expect? Rica's answer: Prepare for the worst.

Opening skirmishes have already taken place. "Banks and financial service organizations are experiencing a lot of benign attacks on the parameters of their systems," says Steve Buerle, security practice director with ThruPoint, Inc., one of the country's leading cyber-detective agencies.

illustration: McKibillo

Indeed, while no overt cyberwar has been declared on the U.S., the country's defenses are clearly being tested. According to officials at CERT (the federally funded Computer Emergency Response Team, based at Carnegie Mellon University), the number of "incidents"—cases of malicious hacking—is growing rapidly. Between 1994 and 2001, the yearly number of virtual break-ins at the country's defense agencies grew from 225 to 40,076. Breaches at private companies and other government agencies grew at only a slightly lower rate, increasing from 2340 to 52,658.

The Bush administration has made several attempts to set up meaningful protection, such as the Federal Computer Incident Response Center and the Cyber Warning and Information Network. But the very nature of cyberwarfare puts large and complex organizations—private or public—at a disadvantage.

As a result, although most computer systems now in place in New York's major private and public institutions have some form of protective software, almost all of them are sitting ducks. Rica points out that part of the reason for this is that as systems age, they become more vulnerable. Moreover, even when new defensive software is available, companies and agencies don't always have the money or the inclination to buy in.

Cheaper and faster are the hackers, people Michael Wilson says should be deployed to defend the city and the nation at large. "We've been relying on people in the spook establishment who have an arm's length of clearances and are ostensibly squeaky clean, but it just doesn't work," he says. "For you to be any good in this area, you have to have done moves on the street. But that kind of person can't pass clearance tests."

Others agree. "We need to treat hackers today the way we treated German rocket scientists after World War II," says John Arquilla, senior consultant with the Rand Corporation. "Hackers can be cultivated rather than punished. They are an underutilized resource."

Much of that resource waits untapped, right in the heart of Gotham. "New York has the world's largest hacker community," says Wilson. Of the 1000 top hackers in the world, he believes 20 are to be found here in the city, along with between 200 and 300 cyberwarriors known as "script kiddies." Those numbers might sound small, but in cyberwarfare, every hacker is an army.

Commissioning a major defense contractor to craft a response to cyberwar is like sending a tank to do the work of a scooter. "The U.S. defense establishment is trying to instill a mindset that is inherently foreign to the people they've selected to do the job," warns Wilson. "You need to build a defensive organization that can react like a 14-year-old."

Indeed, organized military response has been shockingly poor, at best. Despite the $1.6 billion the Pentagon spent on computer defenses last year, the General Accounting Office recently blasted the DOD for having networks "beset by vulnerabilities." When the Defense Department tested itself, it held an exercise in which teams from the National Security Agency used hacker programs to break into 36 Pentagon computer networks and nine city power grids and 911 systems, all at once. According to one source close to that exercise, Pentagon systems administrators were able to detect just two of the mock attacks.

There have also been real incidents in which only a dose of perverse luck prevented disaster. During the Gulf War, Dutch hackers stole information about U.S. troop movements from Defense Department computers and tried to sell it to the Iraqis, who thought it was a hoax and turned it down.

That case shows how hard it can be to predict who will try to break in. But correctly identifying the attacker is as important as knowing what systems are being bombed. In 1998, more than 500 Pentagon computer systems were compromised in a series of attacks code-named "Solar Sunrise." The assault was first thought to have originated in the United Arab Emirates but later found to have been the work of a couple of California high school students and their 17-year-old Israeli mentor.

Homeland Security will have to move quickly to distinguish a serious foe from a juvenile pest. And it will need to make a realistic determination of who is capable of launching an attack in the first place.

Bush administration efforts to show that Al Qaeda terror cells are planning to launch cyberattacks against the U.S. may appeal to public imagination, but there has been little indication that Osama bin Laden has the cadre of geeks needed to launch such an operation.
