JEFFREY BROWN: And now to our second look at privacy online and a story about protecting computers from cyber-attacks.
NewsHour correspondent Tom Bearden reports.
MAN: Utahans’ Social Security numbers, names, addresses, birth dates.
TOM BEARDEN: Nine hundred thousand people had their names, addresses, and Social Security numbers stolen when the Utah Health Department’s server was hacked. This kind of thing happens more often than most people realize: Web sites taken down, high-tech secrets stolen, intellectual property rights violated, and individuals swindled.
But Douglas Maughan says there’s much more at stake than just crime. He heads the Department of Homeland Security’s Cyber Security Division.
DOUGLAS MAUGHAN, Department of Homeland Security Cyber Security Division: The infrastructure that needs to be protected are those critical infrastructures, not just the Internet, but the finance sector, electric sector, oil and gas. And all of the major critical infrastructures are running systems that are commodity and subject to attack.
TOM BEARDEN: Those sectors are increasingly vulnerable because they’re now connected to outside systems. People can directly access their bank accounts, for example.
Clifford Neuman is the director of the University of Southern California’s Center for Computer System Security.
CLIFFORD NEUMAN, director, University of Southern California Center for Computer System Security: If we interconnect more and more, it means that an adversary that is able to compromise one part of the system, a part that we might not have thought of as being critical, is able to have impact on other parts of the system.
TOM BEARDEN: Even a prank like changing a highway sign reveals vulnerability.
Computer scientist Alefiya Hussain.
ALEFIYA HUSSAIN, computer scientist: There are several reports of how people have actually infiltrated these networks and — by changing these overhead signs created incidences on these highways.
TOM BEARDEN: All these scientists work at DETERlab, a 500-computer government-funded testing facility where students, researchers and security companies can try out hardware and software to prevent and defeat cyber-attacks.
TERRY BENZEL, Information Research Institute: I’m working on the annual plan. I need to make sure that we get that updated.
TOM BEARDEN: Deputy Director Terry Benzel says there’s plenty of work to do.
TERRY BENZEL: Despite, you know, millions and millions of dollars of government investment in cyber-security and industry investment in cyber-security, we are still as a nation wholly vulnerable, no question about it.
TOM BEARDEN: If we’re so vulnerable, are you surprised we haven’t suffered more serious attacks on infrastructure?
TERRY BENZEL: Yes. So, all of us in my community, we talk about cyber-Pearl Harbor. And it’s not if. It’s when.
TOM BEARDEN: And DETER network research director John Wroclawski says it’s not just hackers and would-be terrorists.
JOHN WROCLAWSKI, network research director: The other half of the problem and in fact the much more common thing is just some untoward event, you know, when you think about the major power grid failures that we occasionally have, you know, the blackouts, things like that.
TOM BEARDEN: So how does DETERlab help?
TERRY BENZEL: So, here by having a fixed facility that you run your experiments in, you can run multiple what-if scenarios, collect your data, repeat those and share your results with the rest of the research community.
TOM BEARDEN: I’m reminded of a guy who built a race car and take it to the track and see if it works.
TERRY BENZEL: Exactly. Right.
TOM BEARDEN: Wroclawski says it’s a very special racetrack.
JOHN WROCLAWSKI: The racetrack that can create all sorts of conditions that the car would face and also has a lot of instrumentation to understand what happens when that car faces them.
TOM BEARDEN: DETERlab was started in 2003 with money from the National Science Foundation, which is also a funder of the NewsHour, and the Department of Homeland Security.
Benzel says one of DETERlab’s most powerful features is the ability to provide accurate simulations of very large computer networks.
TERRY BENZEL: When we want to run our tests, we need a secure, safe environment to run those tests on that we can’t run if it’s going to break the Internet. If what we’re trying to do is test something which breaks the Internet or breaks network security in an enterprise, we give you an environment to be able to do that in a safe way.
TOM BEARDEN: DETERlab runs simulations of cyber-attacks, like one called a distributed denial of service. Attackers secretly plant software on personal and corporate machines and then use those computers to send an avalanche of messages to a website. The servers under attack are overwhelmed and the site shuts down.
MAN: And so we’re studying the various components of the experiment.
TOM BEARDEN: Ted Farber and Mike Ryan showed us how they simulate, then defeat such an attack.
MAN: See, the attack represents itself as the infections happen as explosions. That lets the researcher know qualitatively that the worm is spreading. You will see a representation of the attack as it sort of focuses across the network forming.
TOM BEARDEN: The simulation goes on to show how the software being tested reroutes the traffic to other parts of the network and takes the pressure off the targeted site. DETERlab also allows companies to simulate their own internal or enterprise networks and see how various attack scenarios play out.
ALEFIYA HUSSAIN: So our goal is to sort of add security by design, to enable you to design your networks in a way so that you can actually, rather than add security as an afterthought, you can actually design security into your system right from the start.
YOUNG CHO, University of Southern California: Today’s lecture, lecture four.
TOM BEARDEN: DETERlab has also revolutionized how cyber-security is taught. USC assistant professor Young Cho says he used to teach these classes in rooms full of equipment that had to be shared, severely limiting student access. They also couldn’t do experiments that posed any danger to the equipment.
YOUNG CHO: By transitioning this class into using DETER, we now can do several different kinds of experiments and destroy whatever is happening in that network. And yet you could just swap out the image.
TOM BEARDEN: Now students can log in to DETERlab from practically anywhere to run and monitor their experiments remotely.
UCLA student Erik Kline runs a lot of experiments that way.
I would think it’s a feeling of power to have 500 machines under your control.
ERIK KLINE, UCLA student: Sometimes it is. But I can’t get those machines to do anything that one might call evil. So, I mean, it’s nice to — for example, when you’re doing a denial of service defense attacks, I mean, defense measurements, you can get 500 machines to attack one of the machines and you are like, oh, yeah. But I can’t get them to attack anything outside the test bed, which of course is a good thing from, you know, a legal standpoint.
TOM BEARDEN: From society’s standpoint, yes.
ERIK KLINE: Yes, exactly. But it’s kind of fun to be able to go, oh, that guy, I don’t like him. Let me just send my 500 minions after him. But I guess that’s what I’m trying to fix, not cause.
TOM BEARDEN: At DETERlab, they want to encourage more and even younger students to use the facility.
But they also see their mission as educating utilities and others who they think are the most at risk.
Do you get pushback from companies who say this just isn’t worth my time?
DOUGLAS MAUGHAN: Sure. A lot of this is an unfunded mandate. They may not have — security is not necessarily a primary concern for them. They’re — especially in critical infrastructure, they’re more worried about things like availability of service.
So, again, it’s an education problem to try to help them understand the nature of the threat and the criticality of what would happen if they were compromised and try to get them to provide those services and those capabilities in their infrastructure.
TOM BEARDEN: The people who run DETERlab hope the lesson is learned before a future cyber-attack causes massive disruption.
JEFFREY BROWN: Tom has more on this story in a blog post you can find on our website, NewsHour.PBS.org.