Cyber Attacks on U.S. Government Put Digital Security in Spotlight

July 8, 2009 at 6:15 PM EST
Recent attacks on government computers, private organizations and foreign governments have raised fresh questions about the nation's digital security. Analysts discuss the implications of the attacks and the vulnerability of the nation's digital systems.

TRANSCRIPT

JIM LEHRER: And still to come on the NewsHour tonight: searching for a job; the Italy summit; and the stimulus debate. That all follows a look at the cyber attacks hitting major U.S. government agencies.

Jeffrey Brown has our report.

JEFFREY BROWN: The attacks began July 4th weekend targeting computers at the White House, Pentagon, the State, Treasury and Homeland Security departments, among other government agencies, and several private organizations, including the New York Stock Exchange.

The other major target: South Korean agencies. Today that country’s national intelligence service reportedly told lawmakers there that it believes North Korea or North Korean sympathizers were behind the attacks.

We get more now from Randy Sabett, formerly at the National Security Agency, which was also a target of these attacks. He now works on cyber security issues as a lawyer in private practice.

And Rod Beckstrom, president of the Internet Corporation for Assigned Names and Numbers and former director of the National Cyber Security Center at the Department of Homeland Security.

Rod Beckstrom, first, simply, what exactly is a cyber attack? And, specifically, what are these attacks intended to do?

ROD BECKSTROM, former director, National Cyber Security Center: Sure. Thank you. You know, a cyber attack is when a hacker, somebody who writes computer code, writes something malicious to attack and infest either one machine or, more likely, a whole network of machines.

And then that network of these agents can either be used to commit an act of crime and steal money or to attack government Web sites, as in the case of what we’ve seen here, where it appears that a hacker wrote some code that was probably mounted on a Web site in South Korea, spread to somewhere between 30,000 and 50,000 machines, and then began to send out all these malicious requests to government servers in the U.S., Korea, and some companies.

JEFFREY BROWN: Now, Randy Sabett, we now know that these kinds of attacks are not all that uncommon.

RANDY SABETT, cybersecurity attorney: Right.

Nature of the attack


JEFFREY BROWN: What do the length, the breadth of targets of these attacks tell you about this case?

RANDY SABETT: Well, I think the nature of the attack and the specific targets that were chosen, you know, some of the initial speculation was that this was perhaps a nation-state-backed, as you've pointed out, type of attack.

But in some of the folks that I've been talking to today and in some of the later reports that have come out, it appears in some cases that this may not be nation-state-backed, but, in fact, may be simply a hacker trying to get attention.

If you think about what a nation-state attack would want to accomplish, simply disrupting a number of U.S. government Web sites wouldn't be the main target.

On the other hand, there is a possibility that an attack like this could be used as a distraction. So while the disruptive nature of this attack against these Web sites, simply bringing them down is not necessarily gaining access to sensitive information, there may be, you know, because of the distraction, there may be other attacks going on that we don't know about.

JEFFREY BROWN: Well, how much disruption was there?

ROD BECKSTROM: Absolutely.

JEFFREY BROWN: What did they actually accomplish in this case?

RANDY SABETT: Well, this is a distributed denial-of-service attack, which, as Rod pointed out...

JEFFREY BROWN: Say that again, so everybody gets that, distributed denial...

RANDY SABETT: ... of-service attack, a DDOS.

JEFFREY BROWN: OK. Which means?

RANDY SABETT: Which means there are a number of computers, personal computers, corporate computers, any number of computers that have been infected with what's called malware or, you know, software that the attackers then use -- as Rod pointed out, they launch this code that's been put on these computers that then cause a number of essentially bogus requests to be, you know, launched against these Web sites, thereby not allowing legitimate requests to get through.

Essentially, the Web sites are flooded with requests. The analogy would be, in the telephone world, you know, the old-fashioned telephone world, you have someone's phone being called by, you know, several hundred or several thousand people all at the same time so the legitimate call can't get through.

Hunting for the perpetrator


JEFFREY BROWN: So, Rod Beckstrom, is there a world of potential perpetrators out there? Randy Sabett says maybe it wasn't a government; maybe it's a hacker.

ROD BECKSTROM: Yes.

JEFFREY BROWN: Can a lone hacker do something like this? How do you find out who did it?

ROD BECKSTROM: Absolutely. You know, this is not a sophisticated attack here, as Randy talked about. In fact, this is like a scud missile attack. This is old technology that was used in this attack that's been around since 2004. It could be as simple as somebody who wanted to make this political statement or harass these two countries and their governments and a few other private parties, just paid a cyber-mercenary.

I mean, there are mercenary hackers now who will take a cash payment. This may have only been a $10,000 investment or a $50,000 investment by someone who basically wanted to overload all the government mailboxes in these systems.

Because Randy talked about the telephone system. Another analogy is the mail system, where you're receiving letters and packages. Your mailbox can take maybe 20 letters a day. And, all of a sudden, 20 million are coming in, so a lot of those are flying down on the ground and they're not going to get to you. So that's what denial-of-service is about; it's just an overload there at the mailbox point.

So one person could have done this. And then the question is, were they disgruntled or were they sponsored by a state actor or someone else?

JEFFREY BROWN: Well...

ROD BECKSTROM: It's hard to get to the bottom of that.

JEFFREY BROWN: Well, and how hard is it to get to the bottom of actually who done it?

ROD BECKSTROM: Well, you know, so this attack probably came off of a couple of Web sites in South Korea, were probably hacked by the hacker who planted the code in the photos on that Web site, maybe videos or something else in what we call the html page.

Then, users went to go look at those Web pages, and they didn't even know it, but they were downloading this malicious code Randy was talking about onto their machine, and then it goes to work.

Now, first you identify those machines that are infested, and that process is going on right now. Then you have to figure out, which Web sites did they go to where they downloaded it from and see whether the bad code is still there or it may already be cleaned up.

If it's already there, then you've got to go scroll back and try to figure out who had access to that or broke into the system of that site to plant the code. So it's a bit of what we call forensics work, to try to get to the fingerprints, digital fingerprints, and figure out where this might have come from.

Guarding against hackers


JEFFREY BROWN: Well, so, Randy Sabett, what kind of defenses are there? Are defenses in place? Or do organizations and agencies wait for something to start and scramble in? I mean, how does that work?

RANDY SABETT: For the most part, the approach that's taken today is defensive. It's the approach where you have certain defenses in place. You react, you know, in a -- depending on the type of attack that's being launched, you react accordingly.

In this case, you know, as Rod pointed out, there are a number of ways of, first of all, looking at where it's coming from and then reacting to it by, in this case, with a distributed denial-of-service attack, you have to make certain changes to your settings and essentially bring the Web site back up.

But because of the nature of Web sites -- I mean, one of the interesting things about this attack is its sustained nature. This started several days ago, and it continues. And some of the Web sites have -- that were initially attacked came back up, but then went down again.

So from a defense perspective, you can put in place countermeasures, but ultimately, because of the nature of the Web and the way that the various Web sites work, the attacks could, in fact, continue.

JEFFREY BROWN: And is the defense coordinated? I mean, I just ticked off a bunch of agencies, U.S. government agencies, New York Stock Exchange, and the list goes on.

RANDY SABETT: Sure.

JEFFREY BROWN: Are they working together? Or is it sort of every agency for itself trying to debug itself and open up its Web site?

RANDY SABETT: I think the answer there is a combination. In other words, we are looking today at a number of different policy issues across the U.S. government related to cybersecurity policy.

One of the issues is coordination within the government, but then also in terms of public-private sector coordination. There are a number of different entities that do work together to convey information to each other, but I do think there are certain commentators out there who view there being a need for greater cooperation amongst the different entities.

JEFFREY BROWN: Well, Rod Beckstrom, where are we in that larger effort to deal with this?

Administration crafting new policy


ROD BECKSTROM: Sure. There's a number of steps, as Randy said. The first thing you do, if you're a company or government agency and you're attacked, one of the first things you can do is call your network service provider or your ISP and say, "This is happening. Can you please start blocking and filtering things that appear to be malicious with this attack?" And usually they can.

The American ISPs and internationally ISPs are getting very sophisticated at that. You make that call.

Then you start working internally with your I.T. staff. Then, after you do that, you start also reaching out to your partners in a collaborative fashion, which I was involved with running the National Cyber Security Center, which was such a collaboration center on security.

ICANN, as the global Internet corporation that handles the naming and address for every mailbox in the Internet globally, over 200 million, we have relationships with every single country in the world and play somewhat of a diplomatic role when these things occur, particularly if they affect the naming and addressing system, which this one doesn't yet, but it involves multiple countries.

So there's a whole lot of different networking that goes on organically, as well as in a somewhat structured fashion that can contribute.

JEFFREY BROWN: And briefly, Randy Sabett, the U.S. -- the Obama administration is working on trying to come up with its own policy on this, as well, right?

RANDY SABETT: Yes. I think the Obama administration, in fact, has gone further in the area of cybersecurity than any other administration in terms of focusing on the issues, putting together a comprehensive cyber policy review, the 60-day review, as it was known, that was completed several weeks ago.

And we're now looking -- you know, the administration is looking at what to do next from the standpoint of, again, coordination across government, coordination with the private sector, and then some of the broader policy issues related to both defensive and offensive types of issues, a whole number of different things across the government related to this.

JEFFREY BROWN: All right, fascinating. Randy Sabett and Rod Beckstrom, thank you both very much.

RANDY SABETT: Thank you.

ROD BECKSTROM: Thank you.

JIM LEHRER: You can ask Jeff's guests questions about these Internet attacks and how to protect against them in a forum on our Web site.