Modernizing Authentication — What It Takes to Transform Secure Access
It happened over a winter weekend in 2000, in a small bedroom in rural Wales littered with cigarette butts, New Age books and empty soda cans. There, using a no-name computer cobbled together from spare parts, 18-year-old Raphael Gray sat down at his keyboard and, fueled by what he called "sheer adrenaline," proceeded over the next 48 hours to click and pry his way through state-of-the-art firewalls located on corporate servers and databanks halfway round the world.
Before he finished, Gray, a.k.a. "Curador," had lifted some 26,000 credit card numbers from corporate Web sites hosted by companies in five countries, all by exploiting years-old software bugs that most teen hackers learn about before they can drive. "My initial reaction was that this couldn't be happening," recalls Chris Keller, founder of Buffalo, N.Y.-based SalesGate, Inc., one of the companies Curador hacked that weekend. "We had things set up and things in place so that kind of thing would never happen."
But it does, much more than many CIOs may realize. It's not news that hackers are often way ahead at exploiting the ever-growing number of bugs in complex software programs that can turn even state-of-the-art firewalls into the cyber equivalents of Swiss cheese. As you read this, there are at least 50,000 computer viruses crawling along the branches of the Web searching for glitches to exploit, and hundreds more are created each day, with graffiti-like names such as Chernobyl, SirCam, LoveLetter and, this just in, a new wireless virus called AirSnort, released on the Internet in late August. The program lets "whackers" (wireless hackers) snatch sensitive data as it is transmitted through the air.
But the Raphael Grays and AirSnort programs of the world are not what worry the nation's top information scientists and security experts the most. "All that stuff is child's play," says Eugene Spafford, co-founder of Carnegie-Mellon University's national Computer Emergency Response Team and the director of the Center for Education and Research in Information Assurance and Security at Purdue University. Every other kid, he says, can hack into a computer network, download ready-made viruses off the Net or flood servers to a standstill with a barrage of fake e-mail.
What really worries security experts like Spafford is something far more threatening: Everyone from teenagers to terrorists and hostile governments now has the ability to blast away at the very foundations of the nation's fragile digital grid by crashing satellite systems, unplugging the Federal Reserve System from Wall Street, even taking down the phone system and disrupting the movements of the stock exchange. Indeed, some of these things are already happening, the result of either hacking or random software bugs that bite without warning. On June 28 and 29, Nasdaq trading was disrupted for nearly two hours when software bugs surfaced during routine testing of the exchange's systems. During the peak of California's electricity crisis, prankster hackers cracked into a segment of the electrical grid and left messages that made it clear that with a little more sophistication, they could cripple power plants, water systems and hospitals. Perhaps most frightening is an operation the Pentagon calls Moonlight Maze. In 1998, the Defense Department discovered that professional hackers using Internet connections based in Russia had been stealing secrets from the DOD and its top research labs. The hackers remain at large and their efforts are continuing, unabated.
Much of the problem, experts say, is bad software and the realization that data systems, much like the physical infrastructure of roads, bridges and electrical power grids, weren't built very well in the first place. "The reason hackers can feast is because software bugs give them entry, and patches give them entry again," says Spafford. For example, of 1,200 Department of Commerce workstations scanned recently for problems, fully 30 percent had Category Red vulnerabilities, meaning they could be hacked by any grade-schooler with a penchant for trouble.
With thousands of computers now guiding ambulances, bank accounts, police dispatch units, fire brigades, transportation switches, overnight-mail dispatching schedules, nuclear power plant fail-safe devices and telecommunications grids, government and corporate interests are becoming intertwined as never before, and equally susceptible to politically motivated attacks and error-spurred outages. In short, whatever threatens our vast data grid, what's bad for the Pentagon and the Department of Energy is very bad for General Motors and the rest of corporate America. "We're all connected now by information networks in ways we've never been before," Senator Robert Bennett (R-Utah) told a Senate panel on security in July. John Tritak, director of the Department of Commerce's Critical Infrastructure Assurance Office, describes the increasingly interconnected world as "a growing web of dependencies in a veritable digital nervous system," noting that "what happens in one sector could very well have serious impact on another." Nobody is immune from the risks, and there is no such thing as safe networking. "There is no Internet pixie dust. People who think there is absolute security protection are deluding themselves," says Steve Bellovin, a security expert at AT&T Labs.
The Internet boosts the vulnerability stakes. "Every year, there's new research, good technology and good products, yet every year the situation gets worse," says Bruce Schneier, a cryptographer and author of Secrets and Lies: Digital Security in a Networked World. Schneier says that as technology evolves into more sophisticated uses and flavors, it also becomes more complex, too complex to be secure. AT&T's Bellovin takes it even further, suggesting that we're only a few doomsday clicks away from the ability to bring down the entire Internet, and therefore pretty much everything with it. "Systems and software complexity is the enemy," Schneier says. "The Internet is the most complex machine mankind has ever built. Every year it will get more and more complex and less and less secure."
But don't look to Uncle Sam for any quick fixes. So far, the government's efforts to fight back have been largely rhetorical and, say congressional auditors, frustrated by political infighting and ineptitude. According to a report issued in April by the General Accounting Office, the congressional watchdog agency, the three-year-old National Infrastructure Protection Center, created by the Clinton White House to mobilize government and the private sector to build a safer information grid, is being hampered by lack of expert staff, outdated computer equipment, bureaucratic snafus and chronic underfunding. "The NIPC has developed only limited capabilities for strategic analysis of threat and vulnerability and often is not able to provide timely information on changes in threat conditions or warnings of imminent attacks," said the report. Further, the GAO said, "the NIPC does not yet have adequate staff and technical expertise." Example: The chief of the analysis and warning section position, which was to have been filled immediately by the Central Intelligence Agency, went vacant for nearly 18 months, and the agency continues to operate with only 13 of 24 analysts that NIPC officials estimate are needed to develop even minimally sophisticated threat-analysis abilities. "As a result, there are no specific priorities, milestones or program performance measures to guide NIPC actions or to provide a basis for evaluating its progress," the GAO report said.
And don't look to private industry for help, either. GAO investigators also cited a distressing lack of industry cooperation with government emergency response teams. "Establishing the trusted relationships and information-sharing protocols necessary to support such coordination have met with mixed success," the report said. For example, while the Federal Bureau of Investigation has identified more than 5,000 "key assets" in the nation's critical infrastructures (from leading research labs and universities to hospitals, telecommunications lines, rail and shipping routes, air and data traffic, fiber-optic cables, chemical storage sites and medical supplies), agents "have not yet been successful in obtaining the agreement of the industry sectors responsible for these assets" to get a precise idea of where the grid is most vulnerable. In some instances, agents seeking to compile such data say they've had to rely on the Yellow Pages to get certain information about the companies. Further, only one industry, the electric utilities sector, is communicating regularly about potential intrusions and vulnerabilities with NIPC investigators. Everyone else, from telecommunications to manufacturing, is mostly holding back.
The private sector has its own problems to wrestle with. Many corporations are relying too heavily on technology to ease the security threat, experts say. And that is creating a Maginot Line mentality among many CIOs, lulling them into believing that their computers and systems are safe. According to a February 2001 poll taken by Menlo Park, Calif.-based RHI Consulting of 1,400 CIOs across the U.S., 91 percent said their systems are secure from error-prone collapses and cyberattacks. In a June survey by CIO Insight, a majority of 556 CIOs and senior IT executives polled rated security as being a big issue for companies of all sizes, but said their non-IT colleagues simply didn't share their concern.