TOPICS > Science

Gauging the Impact, Motivations of Today’s Hackers

June 1, 2011 at 12:00 AM EST
Cyber attacks are having a big impact on governments, businesses, individuals and even PBS, the NewsHour and Frontline. Judy Woodruff examines the proliferation of criminal hacking and its fallout with ICANN security chief Jeff Moss, Alan Paller of The SANS Institute and cyber threat consultant Mischel Kwon.
LISTEN SEE PODCASTS

TRANSCRIPT

GWEN IFILL: Next, the growing problem of cyber-attacks and its consequences.

We have a two-part look, beginning with this Ray Suarez report on how it hit close to home.

RAY SUAREZ:  The late rappers Tupac Shakur and Biggie Smalls alive after all, together in New Zealand? That was the fake story posted Sunday night on the PBS NewsHour’s website by hackers. Readers were surprised, to say the least, with some even wondering if it were true.

But a group known as LulzSec announced on Twitter that it had posted the story after breaking into PBS servers and databases. It also published passwords of PBS staffers and log-in information for PBS websites. Hackers said it was retaliation for the PBS program “Frontline” and its recent documentary on WikiLeaks and the leak of U.S. diplomatic cables last November.

The NewsHour put out its own message about the hacking Sunday night using various social media, and the phony Tupac story was quickly pulled down, but that wasn’t the end of it.

KWAME HOLMAN: And late today, both the “Frontline” website and the NewsHour’s were attacked.

RAY SUAREZ:  The NewsHour’s home page went down entirely during Monday evening’s broadcast and was finally restored Tuesday afternoon.

During that time, staffers had to reroute online content to other online services, Tumblr and YouTube. WikiLeaks defenders have struck before. Last December, one group bombarded a Swiss bank and MasterCard for trying to shut off funds to the site’s founder, Julian Assange.

And more broadly, computer attacks on both government and private systems have been growing worldwide. Over the weekend, defense contractor Lockheed Martin said it had been the target of what it called a significant and tenacious hack, but managed to thwart it in time.

The company wouldn’t reveal the origins of the attack, but it said in a statement, “Our systems remain secure. No customer, program or employee personal data has been compromised.”

Other attacks have inflicted serious damage to companies and their customers. In late April, Sony had to cut off 100 million user accounts from its PlayStation video game system’s online network. The company later acknowledged a hacker had gained access to personal data of users, potentially including credit card information.

Sony said it has made considerable security enhancements since the incident, but Congress will want to hear more tomorrow, when Sony representatives appear at a House hearing. In the meantime, the company’s online service is not fully restored, and the costs are staggering. Sony says it may end up spending more than $170 million improving its online security and protecting its customers.

That’s what makes hacking different from other crimes. Around the world, when businesses are threatened, mere vandalism can become extortion: Pay me, or I will break your windows, I will burn your stock, I will destroy your place of business.

But severe damage is done to companies through hacking, the sales that aren’t made, the staff time that is burned up fixing up the mess and making sure it doesn’t happen again. But, for all that, there’s no apparent cash flow back to the hacker.

In London today, an international conference heard warnings that the problem is growing exponentially, with up to 70,000 malicious programs designed to disrupt systems being discovered every day.

President Barack Obama has already made cyber-security a priority, and U.S. government agencies say they have gotten more aggressive about tackling cyber-crime. The Department of Homeland Security is beginning to employ a new automated system to protect federal computer systems. The Pentagon set up a new cyber command alongside the National Security Agency in Fort Meade, Md.

And reports Tuesday said Pentagon officials are ready to declare that attacks on key government systems constitute an act of war. Portions of the Pentagon’s new cyber-strategy are expected to become public next month.

JIM LEHRER: And to Judy Woodruff.

JUDY WOODRUFF: And we zero in now on the proliferation of hacking and its fallout with three people who know the subject well.

Jeff Moss is the founder of the Black Hat and DefCon hacker conventions. He currently serves as the chief security officer for the Internet Corporation for Assigned Names and Numbers, known as ICANN, which manages computer domain names. Alan Paller is director of research at The SANS Institute, which teaches graduate-level courses on computer security. And Mischel Kwon is the former director for the U.S. computer Emergency Readiness Team, where she was responsible for reducing cyber-threats on the country. She now runs her own consulting firm.

Welcome to all three of you. We appreciate your being here.

And I just want to give — tell our viewers some late-breaking news this afternoon, and that is that Google reported that they have learned that Chinese hackers have broken into the Gmail accounts of hundreds of U.S. government officials and other political activists in this country. They say that it’s all been fixed, but it’s just the latest development in this topic that we’re addressing tonight.

Let’s start with you, though, Alan Paller. Not everybody is hacking for the same reason. What are the motivations behind these kinds of attacks?

ALAN PALLER, SANS Institute: There are three groups doing most of the hacking. One are the spies. And there are two kinds of spies, the military spies and the economic spies.

In China, they’re the same people, but in a lot of countries, they’re different. So, one, the very sophisticated are the spies. The second group is the people who are organized — are criminals who used to do drug trade, and they have found that cyber-crime is just a better payoff.

The person who used the run this area for the Secret Service often said that any organized crime group not doing this should be sued for malpractice. It’s too good a crime.

And then the third are these hacktivists, who may have the best of motives, but they cause enormous damage, as you have been experiencing the last few days.

JUDY WOODRUFF: That’s right.

So, Jeff Moss, who — tell us more about who these people are. They’re — they’re very different people, depending on what’s going on.

JEFF MOSS, Internet Corporation for Assigned Names and Numbers: Right.

Well, like Alan said, the different groups have different motivations. I just want to point out that, in a lot of these groups, everyone depends on the Internet functioning, spies, organized crime. If the network is down, they don’t get to steal anything from you.

And what we’re starting to see is some of the hacktivists are interested in disrupting parts of the network. And that’s a bit of a change. It reminds me a little bit of the time of blackmail against online poker dealers. They try to extort money, except now they’re not trying to extort anything, except to get their message out.

And if you think about it, this is not the most effective way to get their message out.

JUDY WOODRUFF: And that’s just one type of hacking, though, that you’re talking about.

JEFF MOSS: Right.

Yes. And if you look at like the PlayStation 3 network hackers, and you read their transcripts that were posted online, they look like college kids having fun taking apart a challenge. They don’t sound like criminals.

But I think what happens is, these groups get infiltrated by other criminals who take advantage of some of the naïveté, and use them as a stepping-stone for their own criminal purposes. So, you see a lot of intermingling purposes of groups, everything from a security researcher that releases a new tool, then gets misappropriated by a criminal, to people who just want to explore.

JUDY WOODRUFF: Mischel Kwon, how easy is it to break into somebody else’s website?

MISCHEL KWON, U.S. Computer Emergency Readiness Team: Well, unfortunately, it’s easier than we want it to be.

Having — having systems that are complicated today is one of the reasons. And keeping those systems up to date and current and without vulnerabilities is difficult and it’s expensive. Creating the code behind the website in a secure manner is expensive and difficult to do. The training for those programmers is expensive.

JUDY WOODRUFF: Is it something that has to be constantly updated?

MISCHEL KWON: It’s something that has to be constantly updated and checked to ensure that there are no vulnerabilities.

In addition to that, hacking has really matured to the point that most hacks are available today for purchase. So, you can either purchase the hack and perform the hack yourself, or…

JUDY WOODRUFF: You mean directions, instructions for hack…

MISCHEL KWON: Directions, instructions. These organized units even have help desks to help you learn how to do the attacks.

In addition to that, you can hire people to do the attacks. With it being this simple and this easy, attacks are happening more and more every day.

JUDY WOODRUFF: And if they’re out there, if they have got help desks, if they are making their — their skills available to others, Alan Paller, how easy is it to find them?

ALAN PALLER: It’s very difficult to find them because there are so many of them.

There are hundreds of thousands of people who are, at one level or another, hacking into other people’s computers. The FBI has done an incredibly good job at finding enough of them to make it very expensive from a going-to-jail perspective for a lot of American hackers, but that doesn’t do anything to the hackers who are in other countries.

JUDY WOODRUFF: And that of course raises the question, is, what happens to these people? If very few of them are found, the ones who are pinned down, who are charged and found, what’s the — I mean, how — how are they held accountable?

ALAN PALLER: It used to be they weren’t put in jail and they were given jobs as experts — but no more. Now they go to jail for a minimum of two to three years. And the president has just put out a new proposed bill that would significantly lengthen the — the sentences for cyber-crime.

JUDY WOODRUFF: But, Jeff Moss, this is a pretty small percentage of all those who are doing the hacking; is that right?

JEFF MOSS: Right. It’s a minuscule drop in the lake.

JUDY WOODRUFF: And help us understand how disruptive these things are. Obviously, we’re talking about on a very different scale. The Pentagon is one thing — Sony, PBS completely on a — at a completely different level.

But how much disruption, what kind of damage are we talking about being done?

JEFF MOSS: Well, it can be anything from reputational damage, where maybe there’s nothing really worth stealing at your company that’s not public anyway. But you take a huge reputational hit. People won’t trust you anymore, trust what you say that. And that’s what you see mostly with news organizations.

Or it could be something like a Lockheed Martin, where they really have defense secrets that are of high-value. And, for them, that’s their golden eggs. That’s what they wish to protect.

So, depending upon the motivation of the attacker — the attacker isn’t trying to steal your secrets, they just want to embarrass you, that’s an easier problem to deal with — having a more secure website, having a media plan to respond to such attacks. And if you’re a large company, honestly, today, you’re constantly being attacked one way or the other.

It might not be making the news, but large organizations should be really used to this by now.

JUDY WOODRUFF: And we should point out, here at the NewsHour, as I come back to you, Mischel Kwon, that visitors to the PBS website, their — they were not compromised. It was just our site that was.

But, again, on the cost, I mean, we heard $170 million could be the cost to a company like Sony for what it’s been going through. And it’s still dealing with this.

MISCHEL KWON: And, at times, it’s hard to put a number on the actual damage that can happen.

There are financial institutions that have gone out of business because of cyber-attacks. So, this is very serious. It’s something that we really have to pay attention to.

JUDY WOODRUFF: And what can companies do? I mean, I have been reading today there’s now — there’s insurance available. But many companies don’t have it.

MISCHEL KWON: There’s insurance available. Some companies in some sectors are required to have insurance.

But I think the good news here and what we have to really pay attention to is that this is a learning experience, that people need to learn more about how to protect their organizations, how to upgrade their systems, what help they can get to improve their security, and use this as an opportunity to improve their systems and improve their security, and be more aware of what can happen to them.

JUDY WOODRUFF: But there’s a cost associated with that, isn’t there, Alan Paller?

ALAN PALLER: There is. And I think, for too long, the corporations and governments have been what we call blaming the users, sort of telling the small business he has to protect himself, telling the big business he has to protect himself.

It’s very much like automobiles 50 years ago. We said that the drivers had to be safe drivers, and that would solve all the problems. But we didn’t solve most of the — we didn’t do as well on automobile safety until we fixed the cars and we fixed the roads.

We haven’t done enough to make software that people buy safe. And, more importantly, we haven’t done enough to make a better Internet that is one where you know who you’re dealing with.

JUDY WOODRUFF: So, are you saying it’s not available, or that it’s available, and not enough organizations have it and are using it?  

ALAN PALLER: It’s not available. We haven’t put the attention on the cars and the roads. We have put all the attention on the drivers.

So, we say to small companies, you should do a better job of securing your systems. But these attacks are sophisticated enough that it’s very challenging for even the largest companies to protect themselves. The small companies don’t have a chance.

JUDY WOODRUFF: I want to come back to you, Jeff Moss, on holding hackers accountable. I mean, there’s been this sense almost of a cult of something sort of interesting and to be admired about hackers. But I — but that’s changing, isn’t it?

JEFF MOSS: Well, I always tell people hacking is a way to describe somebody’s skill set. You can have criminal hackers and you can have college exploratory hackers. It’s just a — it’s a way of describing skills.

And so I always try to use the term computer criminal to describe what they’re up to. The term hacker, it gets too confusing for people.

JUDY WOODRUFF: And in terms of accountability…

JEFF MOSS: Yes, that’s the hard — that’s the hard part, because, in olden days, hackers had a skill set, and they kept it to themselves. And it was hard to get information on how to break into systems.

But now — I think Alan alluded to it — the problem is information is so available readily online, that you could go Google how to break into systems, you could learn everything you needed to know, and never have to talk to another person.

And that makes it more difficult, because if your motivations are different, and you’re not altruistic and you’re not doing this to enhance the overall security of society, you want to do this to make money, you can do this in your own house, and never make friends who will then share the same beliefs. And that makes finding them harder, because detecting criminals online is very difficult.

JUDY WOODRUFF: Mischel Kwon, as we — as we wrap this up, what does the future look like? I mean, does it look like, with new software, with a little more expense, with a little more alert operation, that this kind of thing can be prevented, or what?

MISCHEL KWON: Well, I think, as we move our lives to the Internet, as we move our lives more and more to automated platforms, whether it be your mobile phone or your P.C. at home or your system at work, more of your life is now on the Internet.

We’re going to have to take different actions to protect ourselves. Just like the criminals have moved with us to the Internet, we also have to bring better protections. It may be that we design a different way of doing the Internet. It may be that we rely less and less on individual companies to protect ourselves, and move to a more global, secure, cloud-type environment.

There are lots of different ways that we could move to accomplish a more secure platform, a more secure technology. But we will have to spend more time looking at, as Alan said, the roads and the transportation vehicles.

JUDY WOODRUFF: And it looks like more of us are going to be doing this as it goes on.

Mischel Kwon, we thank you. Alan Paller, Jeff Moss, thank you, all three.