Legal ambiguities preclude software from being fully defined and defendable.
Spyware is a general term for a group of software programs that enter a computer’s hard drive during Web browsing. These programs then transmit data back to a third party. In most cases, Spyware is used as a marketing tool to study client behavior for marketing purposes. But it also can be used to record passwords and other sensitive information, leading to security breaches.
The U.S. government is growing concerned about a family of computer programs that can infiltrate and compromise system integrity. These programs attach to a host computer during Internet browsing and send data to a third party about how that machine is operated. Although most of this code is used for legitimate business or marketing purposes, many types can circumvent firewall protections, leading to security breaches.
Some data on the Internet comes with invisible strings attached. Although many users are aware of “cookie” programs that attach information to a computer, other types of programs can cause machines to surrender sensitive data. Known collectively as “spyware,” this is a broad family of software products that reside on a host computer and monitor its activities. Some are benign and necessary—anti-virus software falls under this definition. But others can track a user’s Web page preferences or monitor keystrokes and passwords then transmit that data to hackers.
Although government cybercrime groups have discussed the threat of spyware, a major difficulty in launching initiatives against it is that no official definition exists, explains Mark Eckenwiler, deputy chief of the U.S. Department of Justice’s Computer Crime and Intellectual Property Section, Washington, D.C. “That’s part of the problem. Like identity theft, it means different things to different people,” he says.
Eckenwiler believes that the biggest issue with spyware is user consent. This extends to a number of functions that appear on desktop systems, from pop-up advertisements to price comparison features. If users agree to accept any of these functions that operate on their computers, few legal objections can be brought against the activities. “I think it raises some difficult questions about whether that’s something the government ought to interfere in. Certainly, if the user has consented, as a criminal matter, the statutes that we work with like the Computer Fraud and Abuse Act just wouldn’t have any application,” he says.
Users can agree to almost anything occurring on their computers. “I can, for instance, buy software or use the built-in functions in the operating system to do things like destroy data. Normally, destroying data is a bad activity—you might say, ‘I don’t want that to happen to my computer,’ but people delete files all the time,” Eckenwiler says.
From an organizational perspective, having strong usage policies in place is one way to counter some spyware threats, although Eckenwiler does not believe they are a panacea. He notes that robust policies do not occur in a vacuum but are communicated to the employee or user base through efforts such as log-in banners, employment agreements and policy postings circulated via e-mail. “Not only is there an institutional view of what’s permissible and what’s not, it’s made binding upon the folks who work or otherwise make use of the network,” he says.
The U.S. Army Corps of Engineers, Washington, D.C., is an example of an organization that is struggling to come to terms with the ambiguous nature of these programs. Thomas J. Aubin, the organization’s information assurance program manager, has found no satisfactory solution to the issue. He adds that because spyware resides on many legitimate programs, it creates a number of challenges for an organization’s information technology architecture because many tools associated with this kind of software are designed to work around firewalls.
To keep its systems clean of malicious software, the Corps of Engineers scans every piece of electronic equipment it owns at least twice a year—roughly 60,000 items. Aubin’s staff visits different units on a regular basis. Scans usually occur during the weekend so as not to interrupt the business cycle. After every machine in the unit is examined, a report highlighting any vulnerabilities is produced, and the unit then has 10 days to correct any problems. “If it’s bad enough, we will re-scan them within that 10 days. At the end of 10 days, we ask them to come back and tell us what they did about what we found,” he says.
Although it is a part of the U.S. Army, the Army Corps of Engineers is not structured like a combat organization but rather is divided into nine global regions with a presence in 93 countries. Each region is divided into districts that are established by local watersheds and rivers. A region can have from three to nine districts. Aubin explains that a pattern is not set for this arrangement. It is determined by local geography. Districts are subdivided into project offices that are responsible for individual dams and other infrastructure.
Each district has its own network with a firewall and intrusion detection system between it and the main backbone, the Corps of Engineers enterprise information system. The backbone features two gateways to the Internet that also are protected by firewalls and defensive software, Aubin adds. Additionally, two nonsecure Internet protocol router network gateways connect to the Army’s network. A new region has been established in Iraq, with three districts in that country and one in Afghanistan. It is connected to the backbone via satellite, he says.
The Corps of Engineers has implemented stringent security measures because it was the victim of a major cyberattack, Aubin explains. In the late 1990s, a group of Russian hackers broke into the Corps’ and a number of other U.S. government computer systems. This was the “Moonlight Maze” incident. “The Russians hacked into our network and were using our computers to jump to industry and other government and military computers,” he says.
The hackers gathered sensitive data, processed it in Corps of Engineers computers and held it there for 30 days before moving it to England or Canada. There it resided on other computers for another 30 days before being encrypted and sent on to Russia.
The Central Intelligence Agency and the Federal Bureau of Investigation became aware of the hackers’ activities and asked the Corps to continue operating its systems as normal to track the intruders, Aubin relates. Once enough evidence had been accumulated, the Russian government was approached, and the hackers were arrested. “As a result of that whole operation, the Army funded us, and we got a lot of firewalls and intrusion detection equipment,” he says.
The U.S. Defense Department has contracts to provide the Corps of Engineers with free anti-virus software. According to Aubin, there are three types in use: Trend, Norton and McAffe. “We now require all of our units to have one of those three on our servers and a different one on desktop computers. So you’ve got two anti-virus programs, and in some places they’re using three,” Aubin offers.
Aubin notes that at Corps of Engineers headquarters in Washington, D.C., network administrators use Antigen software, which uses the updates from all three types of anti-virus software. He adds that the agency has not suffered from any types of malicious code attacks in some years. Although incidents do occur, network security has greatly improved since Moonlight Maze.
There has been ongoing discussion between government and industry regarding spyware, but the definition is ambiguous so these types of programs are grouped together with worms and viruses because they can act without user consent. “When people talk about spyware, sometimes they’re really not talking about a piece of software that acquires private communications about the user. They may just be talking about something that subverts the user’s control of the computer,” Eckenwiler explains.
Like other forms of malicious code, spyware that represents a threat to computer networks is a violation of federal and state laws. However, Eckenwiler cautions that the criminal investigation process usually works after an incident has occurred. “People come to us with a report that some event has occurred, and if there’s enough evidence to go forward, then an investigation is launched. That’s a lot of machinery to gear up,” he says.
As with any crime, the police cannot be everywhere. Threats to an organization’s computer networks must be countered by an active network defense. “Law enforcement is plainly part of the equation. We do have an important role to play in terms of deterrence. But it’s just one leg of the stool. I think having one’s eyes open with respect to the kinds of electronic threats that are out there and taking proactive measures is an equal part of avoiding this problem,” observes Eckenwiler.