Adversaries armed with information target the United States.
As it empowers economies and societies worldwide, the technology revolution also is unwittingly empowering forces that could undo its gains and inflict considerable harm on its beneficiaries. New hardware and software capabilities are providing greater ammunition to information warriors, spies, criminals and digital vandals.
These cyberspace denizens find their targets of opportunity increasing in number. E-commerce is well established and growing, with major financial institutions conducting trillions of dollars of business online. Utilities rely on automation to operate increasingly complex infrastructure elements. All levels of government are turning to information systems to provide vital service to their citizens. And, most of the world’s modern military forces are metamorphosing into network-centric organisms.
As bright as the future is for information technology advances, powerful new cyberthreats loom as a dark cloud on the horizon. Malicious viruses are likely to be more destructive and even self-directing. Intrusions for monetary gain, including extortion, recently have become a major growth industry. The number of countries planning for information warfare is rapidly growing, and many of them are targeting the United States.
Michael A. Vatis is the director of the Federal Bureau of Investigation’s (FBI’s) National Infrastructure Protection Center (NIPC). This center was formed three years ago to consolidate the nation’s information infrastructure protection. Vatis notes that the spectrum of threats that the NIPC deals with today does not differ significantly from what was anticipated when it was founded. Accordingly, the center has not had to change its direction from its original planning.
This threat spectrum is still broad, Vatis continues. Cyberthreats can range from a disgruntled employee to a hostile foreign government that sees information warfare as the only way to impose real damage on the territorial United States. Other potential hazards include malicious hackers, individual or organized criminals, terrorists and foreign intelligence services.
“All the threats are very real, and most of them have already materialized,” he declares.
The most significant attacks have come from individuals and criminal groups, Vatis relates. The infamous “I Love You” virus that crippled computer systems this spring spread around the world in a matter of hours. In less than 24 hours, the FBI traced its origins back to the Philippines and ultimately to a single subject. While the response was successful, Vatis rues that the NIPC could not prevent the virus’s damage.
This highlights the problem inherent in the proliferation of e-mail as a communications medium. E-mail messages can spread viruses around the world faster than people can become aware of the virus, let alone stop it from damaging their systems.
“It’s clear that people should be concerned about the continuing threat from malicious viruses,” Vatis warns. “Viruses will continue to evolve and become more destructive, more quick-spreading and more dangerous. They may evolve to the point where they can transmit without someone having to open an e-mail attachment. [They would infect] merely by receiving an e-mail.” Users must maintain up-to-date anti-viral software, and they also must pay attention to alerts and advisories issued by the NIPC and other organizations, he emphasizes.
Another illustrative threat came from the denial-of-service attacks on e-commerce and online news sites in February. Vatis notes that these came as no surprise to the NIPC. It had issued warnings for this type of attack two months earlier. Vatis explains that the center saw that this exploit was being developed, and some of its tools were being deployed.
With these warnings, the NIPC posted a detection tool on its World Wide Web site. The detection tool allows managers to determine if their network is taken over by a hacker. When this takeover occurs, the captured network is used to flood other sites with meaningless communications. Despite the warnings and the preventive tool, many sites such as Yahoo, eBay, Amazon.com and CNN.com subsequently fell to the onslaught.
In the wake of the service denials, the NIPC coordinated efforts by several FBI field offices, which traced the source of many of the attacks to Canada. Working closely with the Royal Canadian Mounted Police, they helped identify a youth who was arrested by Canadian authorities and charged with causing many of these denials of service.
“We’re not out of the woods by any means with regard to distributed denial-of-service attacks,” Vatis cautions. “The tools [used] to commit those attacks are still out there, and they are evolving. Given the general state of security and how easy it is for hackers to take over someone’s system and insert malicious code, the prospect of distributed denial-of-service attacks is still very high.”
All of these threats apply across the board to companies, state and local governments, the U.S. Defense Department and other federal organizations. However, the biggest threat to the federal government is from foreign nation-states, Vatis offers. This includes foreign intelligence operations as well as hostile military activities. “We need to make those [two threats] big national security priorities for the federal government as a whole,” he declares. State and local government and the private sector also are likely targets for these two activities.
Organized cyberterrorism remains a menace. A terrorist group can cause significant damage to a critical infrastructure. The motivation could be to coerce a policy change by the U.S. government or intimidate the general populace.
The United States has not yet seen a sophisticated terrorist attack, Vatis allows. However, terrorist groups have launched some low-grade attacks. “The writing is on the wall,” he says. “Terrorists are making a lot of use of information technology for fundraising, secure communications and propagandizing. We’re beginning to see discussions of the prospect of using that same information technology as a weapon.”
The ultimate threat, however, comes from information warfare. Vatis explains that the same techniques used to break into critical infrastructure or government systems can be applied to corrupting vital data or even shutting down entire systems. The only country that can militarily destroy the United States is Russia, but other nations lacking that capability can incorporate information warfare as an effective war plan for attacking the United States, he continues.
Taking out the civilian critical infrastructure is the likely goal of an information warfare attack on the United States, Vatis warns. Targets would include the electrical power grid, banks, investment firms, public safety organizations and civil government operations. These institutions are critical to the country’s economy and underpin national security as well, he points out.
Vatis warns that, while the United States has not seen an information warfare attack, other countries are now developing the capability to wage information warfare—and many of them have the United States as their prime target. Nations also are developing their capabilities to engage in cyberespionage. Vatis notes that some foreign intelligence services are seeking to obtain classified or sensitive but unclassified information from government, military or corporate high-technology sources.
Other types of international threats already have materialized. One attempt at online extortion involved several people working from Kazakhstan. They broke into the computer network of Bloomberg LP and stole confidential information, which they attempted to ransom under threat of publication. Bloomberg contacted the FBI immediately, and the bureau worked with the London metropolitan police and authorities in Kazakhstan. These groups tricked the extortionists into traveling to London to close the deal, where they were arrested. The U.S. Justice Department is currently seeking their extradition.
Vatis notes a marked increase in organized criminal activity. This tends to take the form of intrusions followed by extortion threats. Profit is the main motive behind these extortions, he states. In some cases, the pirated information can be worth more in cyberspace. In one incident, a group known as the phonemasters broke into several telecommunications companies’ networks to steal calling card information, which they then sold to Italian organized crime and several other groups.
In terms of raw numbers, however, the most incidents involve insiders. These may include unhappy workers, revenge-minded former employees, and even cyberspies planted in an organization or a company. Vatis adds that individual hackers still are a significant problem.
Since the NIPC’s founding about three years ago, the center has been ramping up its capabilities in both personnel and equipment. Approximately 120 people, mostly FBI personnel but also representatives of other federal agencies, staff the center. They are augmented by 200 agents in FBI field offices who conduct investigations of intrusions, denial-of-service attacks, viruses and other forms of cyberattacks. The NIPC also has conducted extensive training sessions for FBI agents as well as for investigators from other federal agencies and state and local law enforcement.
The center has published several analytical products for government agencies and private companies, and it regularly posts alerts on its Web site. It also warns of attacks through its InfraGard program, where members participate in local chapter activities, have access to an alert network and can access a secure Web site with current information about infrastructure protection.
A vital component of the NIPC’s mission is its partnerships with the private sector. The success of this effort relies on businesses sharing information with the NIPC on threats, incidents and exploited vulnerabilities. Vatis says that this program has worked well both in responsiveness and effectiveness. When the effort commenced three years ago, companies were reluctant to participate in a program that involved contributing sensitive information to government law enforcement officials. Their worries included the security of their sensitive information, privacy concerns and interference with company operations. He credits an extensive outreach and education effort with bringing around many companies.
The result has been a steady increase in the center’s caseload, which Vatis attributes to improved reporting by more companies. In September 1998, the NIPC had approximately 600 cases pending. Last year, that number had risen to 800. Now, the center has about 1,200 cases pending.
This industry involvement also has paid dividends in apprehending cybercriminals. After the Melissa virus affected systems worldwide, America Online provided a vital tip to the New Jersey State Police. They and the FBI field office in Newark, New Jersey, were able to quickly arrest the responsible individual, who ultimately pled guilty to one federal felony and four state felony counts. Vatis notes that this one attack damaged a million computers at a price tag of $80 million.
Vatis characterizes the response by business and government to NIPC efforts as excellent. “We have had more and more companies reporting incidents to us, assisting us in investigations and paying serious attention to the need to improve their security,” he says. State and local law enforcement, which have been the beneficiaries of NIPC training, also are working with the center to protect themselves from cyberattacks. A forum that represents that sector is working to draft a sectorwide plan for cyberdefense, which Vatis offers is ahead of other similar efforts.
The biggest problem facing the NIPC is its ability to maintain effective resources, Vatis says. The problem has grown considerably since the center’s inception, but personnel numbers have not increased. He expresses doubt that the current number is adequate for keeping pace with the rapid growth of computer crime.