Published in Washington, D.C. Vol. 15, No. 13 -- April 5-12, 1999
www.insightmag.com
http://www.insightmag.com/articles/story4.html

Is U.S. Ready for Cyberwarfare?

By Timothy W. Maier

Terrorists and global crime syndicates have targeted the U.S. government and corporate America for attack. And the PC may be the ultimate weapon of mass destruction.

It was so easy. With the click of a mouse, a hacker recently infiltrated the computer system of a Pennsylvania manufacturer and changed components for specialty steel used to build bridges. Had it gone undetected, that slight variation could have caused the collapse of thousands of bridges worldwide. The hacker saboteur never was caught.

Scary stuff. Fortunately, those bridges never collapsed, says Jay Valentine, chief executive officer of InfoGlide, the Texas-based company known for its Similarity search engine to detect Internet fraud. "They tried to change the steel content for building bridges under freezing conditions," Valentine tells Insight. The manufacturer -- whose name Valentine won't disclose because of a confidentiality agreement -- discovered the problem before the damage could be done, he says.

Nevertheless, incidents such as this have created so much fear that cyberexperts are warning of a possible electronic Pearl Harbor. As a result, President Clinton asked Congress for $1.46 billion in fiscal 2000 to create a cyberdefense.

Is the fear justified? "It's very serious," says Mark Fabro, worldwide director of assessments for Toronto-based Secure Computing Professional Services. "We are under attack now," he says, warning that terrorists are trying to initiate the year 2000, or Y2K, problem early. "Halfway through last year we started to see timing clocks being pushed ahead," he reports. "I'd say ... the No. 1 target is the U.S. government."

The Center for Strategic and International Studies in Washington recently released Cybercrime, Cyberterrorism, Cyberwarfare, a monograph that calls on the federal government to revamp intelligence organizations to work more closely with the corporate world about the growing threat of cyberterrorism. For example, in 1998 a team of National Security Agency computer specialists posing as hackers for North Korea penetrated the command-and-control structure of the U.S. Pacific Command in Honolulu -- which is in charge of 100,000 U.S. troops that would be activated in wars with North Korea or China -- and could have shut it down. They also could have disabled the U.S. power grid, causing a nationwide blackout.

Today, with dozens of free hacking programs such as Smurf, Teardrop and John the Ripper available on the Internet, the threat is even more intense. With 1 billion people expected online by 2005, it only will get worse.

"We have identified six different foreign nations that have hired advanced computer programmers to break into U.S. computers," Valentine says. "Iraq, Syria and Iran, for sure. But we suspect Libya, India and Azerbaijan," the first Soviet Republic to declare independence.

Harvey Kushner, chairman of the criminal-justice department at Long Island University and an internationally renowned expert on terrorism, warns, "You can take down a society much quicker with computers than a bomb."

And InfoGlide's independent research on e-commerce crime shows organized-criminal gangs are in many ways trying to do just that while operating openly on the World Wide Web. Valentine says his company's research points to Mafia and Chinese Triad involvement coming mostly from Eastern Europe and the Far East. For example, last year during the World Cup, earnings from betting scams on the Internet were traced to the Russian Mafia.

The concern that the threat is more dangerous than ever is shared by dozens of cyberexperts interviewed by Insight.
As consultants, contractors and producers of software, they may benefit from ringing the security alarm, but there is little doubt that they are, in fact, alarmed.

Is the threat as serious as they claim? A 1995 Government Accounting Office, or GAO, report certainly suggests so. This widely quoted report says 250,000 hacker intrusions occurred inside the Pentagon in 1995. Few reporters have questioned those statistics, and the number has appeared widely as the chief indicator that the problem is real.

Kushner thinks the reported incidents deliberately are being underreported to avoid a mass panic. "The government underplays it to keep down the backlash," Kushner says. "It has been severely underplayed over the last couple of years."

Perhaps. But the truth is that the 250,000 figure was inflated. It is not a true picture, even by the GAO's standards. In fact, the Pentagon says there only were 500 actual incidents in 1995. It says the numbers were extrapolated from an estimate calculated by the Defense Information Systems Agency, which believed only .2 percent of all intrusions were reported. George Smith, editor of The Crypt Newsletter, says the GAO "multiplied its figure by 500 and came up with 250,000."

Since then, computer scientists such as Kevin Ziese have investigated some of those hacking cases and confirm that the 250,000 figure is bogus. Last year, Ziese told Time Inc.'s Netly News that the figure had included user and other mistakes and did not represent espionage penetration. But that has not stopped the government and the media from consistently misrepresenting the number to support the claim that even the nation's most secure computers are vulnerable.

Forget the 250,000 number, says Bill Hancock, chief executive officer of Network-1 Security Solutions and an expert forensic witness who has participated in more than 600 criminal prosecutions and authored 23 computer books.
What's important in that GAO report is "65 percent of the hackers got in," he warns. The same holds true, he notes, of U.S. Navy computers: A first-quarter Navy security report shows there were 2,473 computer incidents. Of those, 18 were called "intrusions" in which hackers may have obtained sensitive information.

Valentine advises that the emphasis should not be on reported incidents so much as on the organized criminal fraud being run by rings operating in e-commerce. Internet auction houses and securities firms are among the victims.

Yael Sachs, president of Israel-based Aladdin Knowledge Systems' Internet Security Unit, says the real number of attacks may never be known because the crime is difficult to detect. Internet hackers have changed "the sociology of crime completely," she says. Terrorism crime used to have certain physical risks as a result of leaving evidence and only could be committed in a limited time period when people were not around, Sachs observes. "The Internet has changed all of that because it is very hard to trace," she says. "If I want to tamper with Wall Street I can do it while I'm sitting in the Cayman Islands. I can direct something to hit every trading house. Essentially you will never know I was there because nothing looks different."

In one case, a cybercriminal created a mirror bank where people logged in and unknowingly gave their personal identification numbers to the bank site. The real bank learned about the phony site and foiled the hacker's plan, but the scheme could have been devastating to account holders. The hacker easily might have taken $10 from each of 20,000 accounts without creating general alarm, Sachs warns.

AT&T recently suffered losses when a hacker posted an advertisement that offered a "free" hard-core XXX movie. By downloading the flick, the user's computer automatically redialed a 900 number to charge the full price of the film and, in the end, cost the telephone company some $2.74 million.
That probably is an underestimate, Sachs says, noting "a lot didn't come forward or didn't want to admit they had downloaded an X-rated movie."

In another case, an electronic greeting card popped onto people's screens depicting a topless woman. When you clicked on it or sent it to another user it was programmed to steal the last document of whatever you were working on. What's worse, "no one would ever know a document is stolen from you," Sachs says. "It is an invisible crime" not just because it is so difficult to trace who did the hacking, but also because many times it's difficult to tell that the computer has been hacked.

Hancock says the more sophisticated hackers, known as crackers, are capable of creating a financial nightmare for corporations and governments. "The bulk of financial losses -- $9 billion to $10 billion a year -- involves crashing an internal network, killing e-mail," he says. "It can happen in a week. It can happen to submarines or air combat. You can kill a directory and no one goes anywhere."

Deputy Secretary of Defense John Hamre declared the Pentagon under attack last year and, although his warning backfired when it was discovered the attack was launched by teenagers on a cyberjoyride, his recent warning of another attack this year has not been debunked. In February, Hamre testified in a closed-door congressional hearing that the Department of Defense, or DOD, is being hit 80 to 100 times a day by hackers, of which 10 require detailed investigation. He claimed the military-security analysts stopped hackers who had found a new method to attack DOD computers. These hackers tried to cover their tracks by committing intrusions from an overseas Website having nothing to do with the actual location of the hackers. No damage occurred.

Last year the Justice Department tried to calm the growing anxiety, claiming hackers never have accessed classified information, but a different story unfolded behind the scenes.
The FBI formalized a 100-investigator special crime unit to fight cyberterrorism. That was hardly enough to investigate the number of complaints, especially considering there only are four people assigned to the Los Angeles area, the site of much of the high-tech gold sought by would-be spies, Hancock says.

Also last year, the House Committee on National Security dropped a bombshell that contradicted the Justice Department's assurances. In a letter to Congress, Pennsylvania Republican Rep. Curt Weldon announced 15 elite hackers (eight Americans, five Britons and two Russians) had penetrated classified DOD servers in 1997 and downloaded classified software from the Defense Information Systems Agency. The letter, obtained by Insight, stated this was "not just a simple attack on Web pages or personnel records; this attack found the software that manages and monitors our defense backbone and removed it from the server, placing all our defense systems at risk. According to computer security site AntiOnline, 30 people have copies of this program. With it they can shut down communication between sites, track GPS [global positioning systems] which guide our weapons and commercial aircraft, and monitor communications between warfighters." The hackers have not been caught. Weldon recently declared the United States has been drawn into a "cyberwar."

The government is not the only one fighting this war. Corporations may be more of a general target because tampering with food or pharmaceutical products could create such a panic that it would send Wall Street into a tailspin. The threat is not even necessarily from the outside but could come from the inside, where a disgruntled employee might exact revenge for personal reasons or serve as a foreign spy, says Frank Johns, managing director of Virginia-based Pinkerton Global Intelligence Services.
Johns says desperate corporations are hiring foreign programmers to reprogram their machines for Y2K, and that may be a potential problem. "There is no way to tell what they are putting in the machines because most people over 40 who are making these hiring decisions don't have real computer skills or knowledge," he says. And right now, Johns says, the best time for cyberterrorists to attack is likely to be during the Y2K crisis, when corporations are certain to be distracted. He says the terrorist goal will be to shut down service and network access, opening the way for grave mischief.

Kushner, who wrote Terrorism in America: A Structured Approach to Understanding the Terrorist Threat and The Future of Terrorism: Violence in the New Millennium, says the food industry is especially vulnerable. "Tampering with computers literally could change the formulation of cereal and could contaminate a wide portion of the population," or "the cracker may get in and reformulate a vitamin," he says, with dangerous consequences. A cyberterrorist then might claim every baby-food jar had been tampered with, setting off a worldwide panic. It wouldn't matter if it were true; the fact that it can be done will assure panic, Kushner says. "Terrorism is theater," he explains. "Terrorists initiate fear often without implementing the act itself."

For example, imagine this: A hacker cracks the computer codes to fly a plane, taking over the navigation controls and resulting in a deadly crash. The Federal Aviation Administration, or FAA, certainly wouldn't want such information to reach the public for fear of creating a general transportation panic. So they might not admit anything. But it did happen three years ago, says Kushner, who writes on FAA issues. "There was evidence on board that the computer was tampered with," Kushner reveals. Kushner's explosive claim has yet to be proved or even acknowledged by the FAA.
He is cautious about revealing names and details of the crash -- other than to note it was not a U.S. plane and the crash occurred in the Pacific Rim. A check on mysterious plane crashes during that time points to a deadly incident on Oct. 2, 1996, in which Aeroperu Flight 603 crashed shortly after takeoff from Lima, en route to Santiago, killing 70 people. A tape of the pilot's last conversation with the tower still leaves many unanswered questions. "I don't have any instruments," the pilot said. "What's happening? What altitude am I at? Why is my ground-crash alarm on? Am I over land or sea?" "You're over sea," the tower reported, and the plane soon crashed into the Pacific.

This possible sabotage doesn't surprise Fabro, whose company provides briefings on security issues both to the government and private sector. "I have seen attacks from the outside that have kept me awake for a long time. It drives me nuts. I know it is possible to route two subway trains into each other or crash a plane or the stock market."

Did a cracker crash that plane? The FBI refused all interviews for this story. However, Director Louis Freeh put it this way two years ago in a speech at the International Computer Crime Conference: "We had a recent terrorism case where an individual maintained plans in his laptop computer to attack airliners and other targets." Freeh never identified the suspect but noted that the computer was confiscated and the encrypted files deciphered. Perhaps too late.